CN102325078B - Application identification method and device - Google Patents
Application identification method and device Download PDFInfo
- Publication number
- CN102325078B CN102325078B CN201110177554.5A CN201110177554A CN102325078B CN 102325078 B CN102325078 B CN 102325078B CN 201110177554 A CN201110177554 A CN 201110177554A CN 102325078 B CN102325078 B CN 102325078B
- Authority
- CN
- China
- Prior art keywords
- record
- keyword
- priority
- matched
- connection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 238000000034 method Methods 0.000 title claims abstract description 55
- 239000000203 mixture Substances 0.000 claims description 16
- 238000012795 verification Methods 0.000 claims description 5
- 230000003247 decreasing effect Effects 0.000 claims description 4
- 238000012937 correction Methods 0.000 claims description 2
- 230000008569 process Effects 0.000 description 9
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000004891 communication Methods 0.000 description 2
- 238000001514 detection method Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- 230000008901 benefit Effects 0.000 description 1
- 150000001875 compounds Chemical class 0.000 description 1
- 230000004069 differentiation Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 230000013011 mating Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000004321 preservation Methods 0.000 description 1
Images
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention provides an application identification method and device. The method comprises the following steps: acquiring keywords to be matched from a first message of a new connection; looking up records corresponding to the keywords to be matched in a preset connection and application tracking relationship; and taking the application type recorded by the record with the highest propriety in the records as the application type of the new connection. The device comprises an acquisition module, a looking-up module and an identification module. By adopting the method provided by the invention, the application identification rate of the first message of the new connection is effectively improved.
Description
Technical field
The embodiment of the present invention relates to communication technical field, relates in particular to a kind of application and identification method and equipment.
Background technology
Application identification refers to according to the feature of application itself, by the depth detection of message, the different application being carried on same protocol suite is distinguished.Application route refers to according to different application carries out the directed process forwarding.Application route need to be take application identification as basis.
In realizing process of the present invention, inventor finds that in prior art, at least there are the following problems:
The difficult point of application identification is, need to carry out depth detection to message, need to spy upon message load data; For the unconspicuous application of feature, need the mutual ability of a plurality of messages finally to identify.Yet the scene of application route requires: application identification must just identify correct application at first message of newly-built connection, thereby determine the routing of this newly-built stream, if cannot identify correct application at first message of newly-built connection, probably cause applying route DeGrain, availability is not high.
Summary of the invention
The embodiment of the present invention provides a kind of application and identification method and equipment, in order to solve problems of the prior art, effectively improves the newly-built connection civilian discrimination of reporting for the first time.
The embodiment of the present invention provides a kind of application and identification method, comprising:
In the literary composition of reporting for the first time of newly-built connection, obtain keyword to be matched;
In default connection and application tracking relation, search the record corresponding with described keyword to be matched, described connection is with the keyword that comprises connection in application tracking relation and connect corresponding application type;
Using described, record application type that record that medium priority is the highest records as the application type of described newly-built connection.
The embodiment of the present invention provides a kind of application identification equipment, comprising:
Acquisition module, obtains keyword to be matched for the literary composition of reporting for the first time in newly-built connection;
Search module, for the connection default and application tracking relation, search the record corresponding with described keyword to be matched;
Identification module, for using described search module searches to record application type that record that medium priority is the highest records as the application type of described newly-built connection.
The application and identification method of the embodiment of the present invention and equipment, by obtain keyword to be matched in the literary composition of reporting for the first time of newly-built connection, and in default connection and application tracking relation, search the record corresponding with keyword to be matched, using recording application type that record that medium priority is the highest the records application type as this newly-built connection, effectively improved the application identification rate that newly-built connection is reported for the first time civilian.
Accompanying drawing explanation
In order to be illustrated more clearly in the embodiment of the present invention or technical scheme of the prior art, to the accompanying drawing of required use in embodiment or description of the Prior Art be briefly described below, apparently, accompanying drawing in the following describes is some embodiments of the present invention, for those of ordinary skills, do not paying under the prerequisite of creative work, can also obtain according to these accompanying drawings other accompanying drawing.
The method flow diagram of the application identification that Fig. 1 provides for the embodiment of the present invention;
The application and identification method flow chart that Fig. 2 provides for another embodiment of the present invention
The application and identification method flow chart that Fig. 3 provides for another embodiment of the present invention;
Fig. 4 is the flow chart of the present invention's application and identification method that also embodiment provides;
The structural representation of the application identification equipment that Fig. 5 provides for the embodiment of the present invention.
Embodiment
For making object, technical scheme and the advantage of the embodiment of the present invention clearer, below in conjunction with the accompanying drawing in the embodiment of the present invention, technical scheme in the embodiment of the present invention is clearly and completely described, obviously, described embodiment is the present invention's part embodiment, rather than whole embodiment.Embodiment based in the present invention, those of ordinary skills, not making the every other embodiment obtaining under creative work prerequisite, belong to the scope of protection of the invention.
The method flow diagram of the application identification that Fig. 1 provides for the embodiment of the present invention, as shown in Figure 1, the method comprises:
Step 101: obtain keyword to be matched in the literary composition of reporting for the first time of newly-built connection.
Wherein, keyword to be matched can be the five-tuple getting from the literary composition of reporting for the first time, and comprises source IP, object IP, protocol number, source port number and destination slogan.Under a kind of execution mode, can be using the protocol number in five-tuple and Target IP as the first keyword to be matched, using the destination port number in five-tuple as the second keyword to be matched, using the source IP of five-tuple as the 3rd keyword to be matched.The mode of the multiple keyword of above-mentioned differentiation is only an example, not in order to limit protection scope of the present invention.
Step 102: in default connection and application tracking relation, search the record corresponding with keyword to be matched, comprise the keyword of connection in connection and application tracking relation and connect corresponding application type.
Connection and application tracking relation existence form can have multiple, and the form of take in the present embodiment describes as example.Connection as shown in table 1 and application tracking table:
Table 1
Wherein, an execution mode searching the record corresponding with keyword to be matched can be: search the record that the first keyword in default connection and application tracking relation and the first keyword to be matched are identical.
Step 103: record application type that record that medium priority is the highest records as the application type of newly-built connection using above-mentioned.
Can determine the record that priority is the highest by following several method:
First, if identical with the first keyword and the first keyword to be matched that only find a record in application tracking relation in default connection in step 102, this unique record is the record that priority is the highest.
Secondly, if identical with the first keyword and the first keyword to be matched that find a more than record in application tracking relation in default connection in step 102, definite the highest record of priority in a plurality of records in the following way.Search the second keyword to the N (N is more than or equal to 2 positive integer) keyword that numerical priority value is successively decreased step by step.The priority of the second keyword is much larger than the priority of the 3rd keyword, and the priority of the 3rd keyword is much larger than the priority of the 4th keyword, and can be by that analogy.For example, the numerical priority value of the second keyword is that the numerical priority value of 1000, the three keywords is that the numerical value of 100, the four keywords is 10 etc.Above-mentioned numerical value is only schematic example, not in order to limit the application's protection range.Calculate in a plurality of records the numerical priority value sum with the successful keyword of keyword match to be matched, the record of numerical priority value sum maximum is the record that priority is the highest.
When the destination port number of five-tuple is as the second keyword to be matched, and/or, using the source IP in five-tuple as the 3rd keyword to be matched, the recording areas of searching can be divided into first kind record, Equations of The Second Kind record, the 3rd class record etc.Difference is that the record of how many classes is relevant with the number of keyword to be matched.The keyword to be matched of take comprises that three as example, and the first kind is recorded as: the second keyword in record is identical with the second keyword to be matched, and the 3rd keyword in record is identical with the 3rd keyword to be matched.Equations of The Second Kind is recorded as: the second keyword in record is identical with the second keyword to be matched, but the 3rd keyword in record is different from the 3rd keyword to be matched.The 3rd class is recorded as: the second keyword in record is different from the second keyword to be matched, but record in the 3rd keyword identical with the 3rd keyword to be matched.Wherein, the priority of first kind record is higher than the priority of Equations of The Second Kind record, and the priority of Equations of The Second Kind record is higher than the priority of the 3rd class record, and the rest may be inferred.In other words can be understood as: the priority of the first keyword match is the priority higher than the 3rd keyword match higher than the priority of the second keyword match, and the rest may be inferred.The first keyword is always override coupling, and must mate.It should be noted that, in the second keyword to the N keyword, can be not only an element in five-tuple, can be also the combination of a plurality of elements, and for example, the second keyword is destination port number and source IP etc.
In connection and application tracking relation, can also comprise errors number, errors number is fewer so, and to record priority higher, and errors number is minimum, and to record priority the highest.
In connection and application tracking relation, also comprise Record ID, Record ID can be used for identifying the time that this record produces, and Record ID is larger, represents that the time gap current time of this record generation is nearer.Generally, in connection and application tracking relation, often increase a record newly, the numerical value of its Record ID adds 1 compared to the numerical value of the Record ID of last record.The numerical value of Record ID is larger so, also record newer to record priority higher, Record ID maximum to record priority the highest.
If both comprised keyword in connection and application tracking relation, comprise again errors number, also comprise Record ID, a kind of preferred mode of determining that limit priority records is: take keyword match as primary priority judgment mode.In the identical situation of keyword match, errors number is less, and to record priority higher.Under errors number also identical situation, the larger priority of numerical value of Record ID is higher.Certainly also have other mode to determine the priority recording, for example, still take keyword match as primary priority judgment mode.In the identical situation of keyword match, do not distinguish the numerical value of Record ID and the priority between errors number and select, using both one of as the judgment mode of priority.Again or, consider the numerical value of errors number and Record ID, for example, the numerical priority value of aforementioned said keyword of take is example, the numerical value of errors number and Record ID of usining considers as numerical priority value respectively, and the numerical priority value sum that the numerical priority value of a record can equal keyword deducts the numerical value that errors number is added Record ID.In a word, keyword match is of paramount importance priority judgment mode, and the numerical value of errors number and Record ID is as the priority judgment mode of alternate key coupling, and its concrete occupation mode can be made a concrete analysis of selection as the case may be.
The application and identification method flow chart that another embodiment of the present invention as shown in Figure 2 provides, after step 103, the method can also comprise:
Step 104: whether the application type identifying in checking procedure 103 is correct application type;
If not, increase the errors number of the record that this priority is the highest.
Concrete checking procedure can be used general application identification process, completes the final application identification of this newly-built connection, and this general application identification process can comprise: continue spying upon and following the tracks of of a plurality of message interactions.With file transfer protocol (FTP) (File Transfer Protocol, referred to as: FTP) be identified as example, its judgement can be through three processes: 1) first message target port is 21; 2) in second message, match user field (user name); 3) the 3rd message coupling pass field (password).Above-mentioned general application identification process can adopt prior art to complete, so do not repeat.
The application and identification method flow chart that another embodiment of the present invention as shown in Figure 3 provides, after step 104, can also comprise:
Step 105: whether the errors number that judges the record that this priority is the highest surpasses default threshold values;
If surpassed, delete the record that this priority is the highest.
If errors number is too many, illustrate that the application type that records its record that this priority is the highest is wrong, therefore it need to be deleted from default connection and application tracking table.
Further, the application and identification method providing for the embodiment of the present invention you need to add is that:
If in step 102, in default connection and application tracking relation, search less than the record corresponding with keyword to be matched, this newly-built connection is carried out to application identification, obtain the application type of this newly-built connection, using the application type of the keyword of this newly-built connection and acquisition as new record, add to be connected with application tracking relation in.
The embodiment of the present invention provides a kind of application and identification method, by obtain keyword to be matched in the literary composition of reporting for the first time of newly-built connection, and in default connection and application tracking relation, search the record corresponding with keyword to be matched, using recording application type that record that medium priority is the highest the records application type as this newly-built connection, effectively improved the application identification speed that newly-built connection is reported for the first time civilian.
Fig. 4 is the flow chart of the present invention's application and identification method that also embodiment provides, and Fig. 4 is a kind of concrete manifestation form of said method embodiment.As shown in Figure 4, the method comprises:
Step 401: application identification equipment obtains keyword to be matched from civilian five-tuple is reported for the first time in newly-built connection.
Wherein, to can be, but not limited to be the equipment such as computer, palmtop PC, mobile phone to application identification equipment.Take protocol number in five-tuple and Target IP carries out the explanation of the present embodiment as the first keyword to be matched, target port as the second keyword to be matched, source IP as the 3rd keyword to be matched as example, but not in order to limit the present embodiment for the protection range of keyword number, compound mode, arrangement mode.
Step 402: application identification equipment is in default connection and apply in matching relationship the record that search key is corresponding with keyword to be matched;
If find corresponding record, the civilian identification successfully of reporting for the first time is described, execution step 403;
If searched less than corresponding record, the civilian recognition failures of reporting for the first time is described, execution step 409.
Wherein, in order to obtain faster and better corresponding record from connecting and applying matching relationship, can represent connecting the form of showing with application matching relationship employing Hash (Hash).For example, adopt above-mentioned the first keyword as index, for mating fast at Hash table.
Step 403: select the record that priority is the highest from above-mentioned record, its Record ID is preserved and preserved to the application type using the application type of its record as newly-built connection.
Wherein, suppose the newly-built connection in step 401, its first keyword to be matched is: protocol number TCP, Target IP 202.102.224.136, the second keyword to be matched is: destination port number 80, the 3rd keyword to be matched is: source IP192.168.1.4.In connection and application tracking relation, obtain the record that the first keyword is identical with the first keyword to be matched in newly-built connection, as shown in table 2:
Table 2
According to definite method of the limit priority providing in a upper embodiment of the method, can obtain, the priority of record 3 is the highest, therefore, selecting record 3 is the highest record of priority, and the application type of its preservation " common HTTP " is preserved as the application type of newly-built connection.
Step 404: utilize general application and identification method, newly-built connection is carried out to application identification, obtain the practical application type of this newly-built connection.
Step 405: whether the application type obtaining in determining step 403 is identical with the application type obtaining in step 404;
If identical, illustrate that the literary composition identification of reporting for the first time is correct, finish the method flow process;
If different, the civilian identification error of reporting for the first time is described, execution step 406.
Step 406: according to Record ID, obtain the highest record of above-mentioned priority in connection and application tracking relation, increase the errors number of this record.
Step 407: judge that whether its errors number that records that this priority is the highest surpasses default threshold values;
If surpassed, illustrate that this record is wrong, execution step 408;
If do not surpassed, finish the method flow process.
Wherein, the default threshold values of errors number can be that those skilled in the art rule of thumb carry out predefined, concrete numerical value and can carry out different values according to different situations.
Step 408: the record that this priority is the highest is deleted from connection and application tracking relation, and finished the method flow process.
Step 409: utilize general application and identification method to carry out application identification to newly-built connection, obtain the application type of this newly-built connection; Using the application type of the corresponding keyword in newly-built connection and acquisition as new record, add to be connected with application tracking relation in.
Wherein, in adding new record to connection and application tracking relation before, need to judge whether to exist duplicate record, if there is no duplicate record, adds new record in connection and application tracking relation to.Here can by Hash table, realize the quick judgement of duplicate record, for example, using a plurality of keywords as index.
For the connection in the embodiment of the present invention and application tracking relation, also you need to add is that the foundation of connection and application tracking relation can, from blank, be added toward the inside according to application identification result; Also database file (maintenance of data communication manufacturer) that can be based on a continuous renewal, can first read this database file and set up a basic connection and application tracking relation, and then add other new identification content when the network equipment plays machine.
The embodiment of the present invention provides a kind of application and identification method, by obtain keyword to be matched in the literary composition of reporting for the first time of newly-built connection, and in default connection and application tracking relation, search the record corresponding with keyword to be matched, using recording application type that record that medium priority is the highest the records application type as this newly-built connection, effectively improved the application identification rate that newly-built connection is reported for the first time civilian.
The structural representation of the application identification equipment that Fig. 5 provides for the embodiment of the present invention, this equipment is the special body of carrying out said method embodiment, concrete method implementation is not so repeat, and this equipment comprises: acquisition module 501, search module 502 and identification module 503.Wherein, acquisition module 501 obtains keyword to be matched for the literary composition of reporting for the first time in newly-built connection, search module 502 for the connection default and application tracking relation, search the record corresponding with keyword to be matched, in connection and application tracking relation, protect the keyword connecting and connect corresponding application type; Identification module 503 is for searching the application type that records the record record that medium priority is the highest that module 502 the finds application type as newly-built connection.
Under a kind of execution mode, this acquisition module 501 can comprise acquiring unit, for the literary composition of reporting for the first time in newly-built connection, obtains five-tuple, using the protocol number in five-tuple and Target IP as the first keyword to be matched.
On the basis of above-mentioned execution mode, searching module 502 can comprise: search unit, for the connection default and application tracking relation, search the record that the first keyword is identical with the first keyword to be matched.
On the basis of above-mentioned execution mode, acquiring unit can also be for: five-tuple is obtained to the second keyword to the N keyword that numerical priority value is successively decreased step by step, and N is wherein more than or equal to 2 positive integer; Identification module 503 can be determined and record the record that medium priority is the highest in the following way: calculate in record the numerical priority value sum with the successful keyword of keyword match to be matched, numerical priority value sum maximum be recorded as the record that priority is the highest.
Under a kind of execution mode, acquiring unit is used for: using the destination port number of five-tuple as the second keyword to be matched, and/or, using the source IP in five-tuple as the 3rd keyword to be matched, in identification module 503, can comprise: the first priority determining unit, for determining, search the record that medium priority is the highest that records that module 502 finds; Wherein, the priority of first kind record is higher than the priority of Equations of The Second Kind record; The priority of Equations of The Second Kind record is higher than the priority of the 3rd class record; It is identical with the second keyword to be matched that the first kind is recorded as the second keyword, and the 3rd keyword record identical with the 3rd keyword to be matched; It is identical with the second keyword to be matched that Equations of The Second Kind is recorded as the second keyword, but the 3rd keyword record different from the 3rd keyword to be matched; It is different from the second keyword to be matched that the 3rd class is recorded as the second keyword, but the 3rd keyword record identical with the 3rd keyword to be matched.
Under a kind of execution mode, in connection and application tracking relation, can also comprise errors number, in identification module 503, can comprise: the second priority determining unit, for determining in the following way, record the record that medium priority is the highest: errors number is fewer, and to record priority higher, errors number is minimum, and to record priority the highest.
Under a kind of execution mode, in connection and application tracking relation, can also comprise Record ID, in identification module 503, can also comprise: the 3rd priority determining unit, for determining in the following way, record the record that medium priority is the highest: Record ID is larger, and to record priority higher, Record ID maximum to record priority the highest.
On the basis of above-mentioned execution mode, this application identification equipment can also comprise: correction verification module, whether the application type identifying for verification identification module 503 is correct application type, if not, increases the errors number of the record that priority is the highest.
Further, this equipment can also comprise: removing module, for judging whether the errors number of the record that priority is the highest surpasses default threshold values; If so, delete the highest record of priority.
Under a kind of execution mode, this equipment can also comprise: update module, if for searching module 502 in default connection and application tracking relation, while searching less than corresponding with keyword to be matched record, newly-built connection is carried out to application identification, obtains the application type of newly-built connection: using the application type of the newly-built connection of the keyword in newly-built connection and acquisition as new record, add to be connected with application tracking relation in.
One of ordinary skill in the art will appreciate that: all or part of step that realizes said method embodiment can complete by the relevant hardware of program command, aforesaid program can be stored in a computer read/write memory medium, this program, when carrying out, is carried out the step that comprises said method embodiment; And aforesaid storage medium comprises: various media that can be program code stored such as ROM, RAM, magnetic disc or CDs.
Finally it should be noted that: above embodiment only, in order to technical scheme of the present invention to be described, is not intended to limit; Although the present invention is had been described in detail with reference to previous embodiment, those of ordinary skill in the art is to be understood that: its technical scheme that still can record aforementioned each embodiment is modified, or part technical characterictic is wherein equal to replacement; And these modifications or replacement do not make the essence of appropriate technical solution depart from the spirit and scope of various embodiments of the present invention technical scheme.
Claims (14)
1. an application and identification method, is characterized in that, comprising:
In the literary composition of reporting for the first time of newly-built connection, obtain keyword to be matched;
In default connection and application tracking relation, search the record corresponding with described keyword to be matched, described connection with the keyword that comprises connection in application tracking relation, connect corresponding application type and errors number;
Using described, record application type that record that medium priority is the highest records as the application type of described newly-built connection, wherein, errors number is fewer, and to record priority higher, and errors number is minimum, and to record priority the highest;
Described in verification, whether application type is correct application type;
If not, increase the errors number of the record that described priority is the highest;
Whether the errors number that judges the record that described priority is the highest surpasses default threshold values;
If surpassed, delete the highest record of described priority.
2. method according to claim 1, is characterized in that, describedly in the literary composition of reporting for the first time of newly-built connection, obtains keyword to be matched and comprises:
In the literary composition of reporting for the first time of newly-built connection, obtain five-tuple;
Using the protocol number in described five-tuple and Target IP as the first keyword to be matched.
3. method according to claim 2, is characterized in that, described in default connection and application tracking relation, searches the record corresponding with described keyword to be matched, comprising:
In default connection and application tracking relation, search the record that the first keyword is identical with described the first keyword to be matched.
4. according to the method in claim 2 or 3, it is characterized in that, describedly in the literary composition of reporting for the first time of newly-built connection, obtain keyword to be matched and also comprise: obtain the second keyword to the N keyword that numerical priority value to be matched is successively decreased step by step, described N is more than or equal to 2 positive integer;
Determine in the following way the described record that medium priority is the highest that records:
Calculate in record the numerical priority value sum with the successful keyword of keyword match to be matched, numerical priority value sum maximum be recorded as the record that priority is the highest.
5. method according to claim 4, is characterized in that, using the destination port number in described five-tuple as the second keyword to be matched; And/or, using the source IP in described five-tuple as the 3rd keyword to be matched; , determine in the following way the described record that medium priority is the highest that records:
The priority of first kind record is higher than the priority of Equations of The Second Kind record;
The priority of Equations of The Second Kind record is higher than the priority of the 3rd class record;
Wherein, it is identical with described the second keyword to be matched that the first kind is recorded as the second keyword, and the 3rd keyword record identical with described the 3rd keyword to be matched; It is identical with described the second keyword to be matched that Equations of The Second Kind is recorded as the second keyword, but the 3rd keyword record different from described the 3rd keyword to be matched; It is different from described the second keyword to be matched that the 3rd class is recorded as the second keyword, but the 3rd keyword record identical with described the 3rd keyword to be matched.
6. method according to claim 1, is characterized in that, in described connection and application tracking relation, also comprises Record ID, determines in the following way the described record that medium priority is the highest that records:
Record ID is larger, and to record priority higher, Record ID maximum to record priority the highest.
7. method according to claim 1 and 2, is characterized in that, if in described default connection and application tracking relation, searches less than the record corresponding with described keyword to be matched, and described method also comprises:
Described newly-built connection is carried out to application identification, obtain the application type of described newly-built connection;
Using the application type of the described newly-built connection of the keyword in described newly-built connection and acquisition as new record, add in described connection and application tracking relation.
8. an application identification equipment, is characterized in that, comprising:
Acquisition module, obtains keyword to be matched for the literary composition of reporting for the first time in newly-built connection;
Search module, for the connection default and application tracking relation, search the record corresponding with described keyword to be matched, described connection with the keyword that comprises connection in application tracking relation, connect corresponding application type and errors number;
Identification module, for using described search module searches to record application type that record that medium priority is the highest records as the application type of described newly-built connection, wherein, described errors number is fewer, and to record priority higher, and described errors number is minimum, and to record priority the highest;
Correction verification module, whether the application type identifying for identification module described in verification is correct application type, if not, increases the errors number of the record that described priority is the highest;
Removing module, for judging whether the errors number of the record that described priority is the highest surpasses default threshold values; If so, delete the highest record of described priority.
9. equipment according to claim 8, is characterized in that, described acquisition module comprises:
Acquiring unit, obtains five-tuple for the literary composition of reporting for the first time in newly-built connection, using the protocol number in described five-tuple and Target IP as the first keyword to be matched.
10. equipment according to claim 9, is characterized in that, described in search module and comprise:
Search unit, for the connection default and application tracking relation, search the record that the first keyword is identical with described the first keyword to be matched.
11. according to the equipment described in claim 9 or 10, it is characterized in that, described acquiring unit also for: at described five-tuple, obtain the second keyword to the N keyword that numerical priority value is successively decreased step by step, described N is more than or equal to 2 positive integer;
Described identification module is for determining in the following way the described record that medium priority is the highest that records: calculate the numerical priority value sum of record and the successful keyword of keyword match to be matched, numerical priority value sum maximum be recorded as the record that priority is the highest.
12. equipment according to claim 11, is characterized in that, described acquiring unit is used for: using the destination port number of described five-tuple as the second keyword to be matched; And/or using the source IP in described five-tuple as the 3rd keyword to be matched, described identification module comprises: the first priority determining unit;
Described the first priority determining unit for search described in determining module searches to record the record that medium priority is the highest;
Wherein, the priority of first kind record is higher than the priority of Equations of The Second Kind record; The priority of Equations of The Second Kind record is higher than the priority of the 3rd class record; It is identical with described the second keyword to be matched that the described first kind is recorded as the second keyword, and the 3rd keyword record identical with described the 3rd keyword to be matched; It is identical with described the second keyword to be matched that described Equations of The Second Kind is recorded as the second keyword, but the 3rd keyword record different from described the 3rd keyword to be matched; It is different from described the second keyword to be matched that described the 3rd class is recorded as the second keyword, but the 3rd keyword record identical with described the 3rd keyword to be matched.
13. equipment according to claim 8, is characterized in that, in described connection and application tracking relation, also comprise Record ID, and described identification module comprises: the 3rd priority determining unit;
Described the 3rd priority determining unit is for determining in the following way the described record that medium priority is the highest that records: Record ID is larger, and to record priority higher, Record ID maximum to record priority the highest.
14. equipment according to claim 8 or claim 9, it is characterized in that, described equipment also comprises: update module, if search module in described default connection and application tracking relation described in being used for, while searching less than corresponding with described keyword to be matched record, described newly-built connection is carried out to application identification, obtain the application type of described newly-built connection: using the application type of the described newly-built connection of the keyword in described newly-built connection and acquisition as new record, add in described connection and application tracking relation.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110177554.5A CN102325078B (en) | 2011-06-28 | 2011-06-28 | Application identification method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110177554.5A CN102325078B (en) | 2011-06-28 | 2011-06-28 | Application identification method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102325078A CN102325078A (en) | 2012-01-18 |
| CN102325078B true CN102325078B (en) | 2014-04-02 |
Family
ID=45452751
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110177554.5A Expired - Fee Related CN102325078B (en) | 2011-06-28 | 2011-06-28 | Application identification method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102325078B (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103491025B (en) * | 2013-09-13 | 2016-10-19 | 北京神州绿盟信息安全科技股份有限公司 | A kind of method and device of application traffic identification |
| CN104796406B (en) * | 2015-03-20 | 2018-06-12 | 新华三技术有限公司 | A kind of application and identification method and device |
| CN105592137B (en) * | 2015-10-14 | 2019-04-09 | 新华三技术有限公司 | A kind of recognition methods of application type and device |
| CN105591973B (en) * | 2015-12-31 | 2019-12-20 | 杭州数梦工场科技有限公司 | Application identification method and device |
| CN108418758B (en) * | 2018-01-05 | 2021-01-29 | 网宿科技股份有限公司 | Single packet identification method and flow guiding method |
| WO2019152348A1 (en) * | 2018-01-30 | 2019-08-08 | Parker-Hannifin Corporation | Method and apparatus for configuring i/o modules connected to a fieldbus controller |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101183988A (en) * | 2007-11-19 | 2008-05-21 | 华为技术有限公司 | Method of identifying packet corresponding service types and device thereof |
| CN101202652A (en) * | 2006-12-15 | 2008-06-18 | 北京大学 | Device for classifying and recognizing network application flow quantity and method thereof |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2004005269A (en) * | 2002-05-31 | 2004-01-08 | Toshiba Corp | Data acquiring method, electronic apparatus and data acquiring program |
-
2011
- 2011-06-28 CN CN201110177554.5A patent/CN102325078B/en not_active Expired - Fee Related
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101202652A (en) * | 2006-12-15 | 2008-06-18 | 北京大学 | Device for classifying and recognizing network application flow quantity and method thereof |
| CN101183988A (en) * | 2007-11-19 | 2008-05-21 | 华为技术有限公司 | Method of identifying packet corresponding service types and device thereof |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102325078A (en) | 2012-01-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102325078B (en) | Application identification method and device | |
| CN108664480B (en) | Multi-data-source user information integration method and device | |
| CN103973810A (en) | Data processing method and device based on IP disk | |
| CN105447030B (en) | A kind of index process method and apparatus | |
| CN111083179A (en) | Internet of things cloud platform, and equipment interaction method and device based on same | |
| CN104573434A (en) | Account protection method, device and system | |
| CN108900554A (en) | Http protocol asset detecting method, system, equipment and computer media | |
| CN107580032A (en) | Data processing method, device and equipment | |
| CN110209562A (en) | A kind of log analysis method and Analysis server | |
| CN113191784A (en) | Abnormal enterprise identification method and device, electronic equipment and storage medium | |
| CN115238062A (en) | Technical property right matching method and system | |
| CN106528830B (en) | A kind of method and apparatus for restoring file index catalogue | |
| CN112272184B (en) | Industrial flow detection method, device, equipment and medium | |
| CN107145421A (en) | A kind of abnormal information acquisition methods and device | |
| CN116958267B (en) | Pose processing method and device, electronic equipment and storage medium | |
| CN112559483A (en) | HDFS-based data management method and device, electronic equipment and medium | |
| CN104573132A (en) | Method and device for finding songs | |
| CN111628996A (en) | Electronic data communication method and system based on Internet of things | |
| CN111368128A (en) | Target picture identification method and device and computer readable storage medium | |
| US11687495B2 (en) | System and method for managing collaborative multiuser document editing via a distributed ledger | |
| CN111371818B (en) | Data request verification method, device and equipment | |
| CN109947578B (en) | System docking method and device | |
| CN111953637B (en) | Application service method and device | |
| KR102141411B1 (en) | The content based clean cloud systems and method | |
| JP2017045106A (en) | Information processing device and information processing program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20140402 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |