CN103051501A - Detection method for identifying network data according to network data recovery manner - Google Patents
- Publication number
- CN103051501A (application CN201310029949XA)
- Authority
- CN
- China
- Prior art keywords
- data
- network
- mode
- detection method
- packet
- Prior art date
- Legal status
- Granted
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a detection method for identifying network data according to a network data recovery manner. The detection method comprises the following steps: connecting detection equipment to the network node to be monitored in the manner of in-path (inline) monitoring or bypass monitoring, and capturing packets on the network with the packet capture device in the detection equipment; extracting the source IP (Internet Protocol) address, source port, destination IP address, destination port and transport-layer protocol number from each packet; matching the data in the packet by pattern matching so as to identify and recover the target data message in the packet; once the target data message has been identified, intelligently restoring the whole of the data according to its file format type, or restoring the whole of the data according to a feature head and feature tail; and reassembling the data and parsing the identification result. Because the detection method does not depend on the network protocol, the data is analysed directly: whatever transmission method the user adopts, as long as the data passes through the gateway as network data it is directly exposed to monitoring, so the precision and efficiency of network monitoring are improved.
Description
Technical field
The present invention relates to a detection method for identifying network data, and in particular to a detection method for identifying network data according to a network data recovery manner.
Background technology
With the development of science and technology and the increasing maturity of Internet technology, people depend more and more on the Internet. Daily life, work and shopping all rely on Internet communication, and the volume of data carried by the Internet is growing rapidly. According to Moore's Law, the volume of data circulating on the Internet doubles every 18 months. Preventing network crime and strengthening the monitoring of the Internet have therefore become a pressing problem.
Conventional Internet monitoring analyses and deconstructs the data observed on the Internet according to the seven-layer protocol model. Its shortcomings are that it cannot meet the processing-speed demands of present-day network monitoring, and that its monitoring strength is seriously deficient, particularly against skilled users who take special measures when transmitting data. Hackers can often bypass the monitoring by forging or piggybacking traffic, harming the interests of Internet users.
Summary of the invention
The object of the present invention is to address the above problems by providing a detection method that identifies network data according to a network data recovery manner and does not depend on the network protocol.
To achieve the above object, the present invention adopts the following technical scheme:
The detection method for identifying network data according to a network data recovery manner of the present invention comprises the following steps:
(1) The detection equipment is connected to the network node to be monitored in the manner of in-path (inline) monitoring or bypass monitoring, and the packet capture device in the detection equipment captures the packets on the network;
(2) The source IP address, source port, destination IP address, destination port and transport-layer protocol number are extracted from the packet;
(3) The data in the packet is matched by pattern matching so as to identify and recover the specific data message in the packet;
(4) Once the specific data message has been recognised, the whole of the data is intelligently restored according to its file format type, or the whole of the data is restored according to a feature head and feature tail;
(5) The data is reassembled and the recognition result is parsed.
Compared with the traditional approach of identifying and recovering data messages by parsing packets, the present invention only needs to extract a few necessary elements from each packet in order to reassemble the packet fragments, and so depends very little on the network protocol.
Preferably, in step (3), the pattern matching serves to recognise the transmission behaviour of the data and to locate sensitive data. Its method is as follows: the feature heads of the data to be monitored are analysed in order to summarise a feature attribute of the data to be identified, and the relevant sensitive data is then identified on the network from the information in these feature heads. The pattern matching algorithm uses regular expressions or character strings.
Specifically, in step (5), the data is reassembled in one of two ways: by parsing TCP streams, the TCP stream is reassembled and the data reassembly is complete; or, by parsing the data content, the intelligent-restoration approach used in data recovery orders the packets on the network according to the data format to be analysed, completing the reassembly.
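Steps (2), (3) and (5) above, as an added example that is not part of the patent: Python code that builds a few constructed IPv4/TCP packets, extracts the five-tuple of step (2), reassembles each flow by TCP sequence number (the first reassembly variant of step (5)), and then carves a file out of the rebuilt stream with regular-expression head/tail signatures (the feature head and feature tail variant of steps (3) and (4)). The packet builder, the addresses and the PNG-shaped payload are constructed for the example; the signature table holds the head and tail bytes of PNG and GIF files.

```python
import re
import struct
from collections import defaultdict


def make_packet(src, dst, sport, dport, seq, payload):
    """Constructed sample input: a minimal IPv4 + TCP packet (no options,
    checksums left zero). Used only to build traffic for this example."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                          5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Step (2): pull out the five elements the method relies on, plus the
    TCP sequence number that the stream reassembly of step (5) needs."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        return None  # only TCP flows are handled in this example
    sport, dport, seq, _, off_flags = struct.unpack("!HHIIB", raw[ihl:ihl + 13])
    data_off = (off_flags >> 4) * 4
    payload = raw[ihl + data_off:total_len]
    flow = (".".join(map(str, src)), sport, ".".join(map(str, dst)), dport, proto)
    return {"flow": flow, "seq": seq, "payload": payload}


def reassemble_flows(raw_packets):
    """Step (5), TCP-stream variant: order each flow's segments by sequence
    number so the byte stream is rebuilt even when packets arrive out of
    order or are duplicated. Missing segments leave zero-filled gaps."""
    flows = defaultdict(list)
    for raw in raw_packets:
        p = parse_packet(raw)
        if p and p["payload"]:
            flows[p["flow"]].append((p["seq"], p["payload"]))
    streams = {}
    for flow, segs in flows.items():
        base = min(seq for seq, _ in segs)
        end = max(seq + len(data) for seq, data in segs)
        buf = bytearray(end - base)
        for seq, data in sorted(segs):
            buf[seq - base:seq - base + len(data)] = data
        streams[flow] = bytes(buf)
    return streams


# Steps (3)/(4), feature head / feature tail variant: one regular expression
# pair per file type that should be recovered from the stream.
SIGNATURES = {
    "png": (rb"\x89PNG\r\n\x1a\n", rb"IEND\xae\x42\x60\x82"),
    "gif": (rb"GIF8[79]a", rb"\x00\x3b"),
}


def carve(stream, signatures=SIGNATURES):
    """Return (type, bytes) for every head..tail span found in the stream."""
    found = []
    for kind, (head, tail) in signatures.items():
        pattern = re.compile(head + rb".*?" + tail, re.DOTALL)
        for m in pattern.finditer(stream):
            found.append((kind, m.group(0)))
    return found


def recover(raw_packets):
    """Whole pipeline: five-tuple extraction, per-flow reassembly, carving."""
    results = []
    for flow, stream in reassemble_flows(raw_packets).items():
        for kind, data in carve(stream):
            results.append((flow, kind, data))
    return results


def sample_capture():
    """Constructed traffic: a PNG-shaped blob (signature, 40 filler bytes,
    IEND chunk) sent over one connection in three segments that arrive out
    of order, with the first segment duplicated."""
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 40
           + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
    chunks, seq, pkts = [png[:16], png[16:40], png[40:]], 1000, []
    for c in chunks:
        pkts.append(make_packet("10.0.0.5", "203.0.113.9", 40000, 443, seq, c))
        seq += len(c)
    return [pkts[2], pkts[0], pkts[1], pkts[0]]


if __name__ == "__main__":
    for flow, kind, data in recover(sample_capture()):
        print(flow, kind, len(data), "bytes")
```

The carving step only works where the container's own framing bytes are visible on the wire; inside a properly encrypted channel such as TLS no head or tail signature is exposed, so this check detects file transfers whose format is still recognisable, which is exactly the situation the patent targets.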
Beneficial effect of the present invention is:
Because the present invention does not depend on the network protocol and analyses the data directly, whatever method the user adopts, as long as the data passes through the gateway as network data it is directly exposed to monitoring, which improves the precision and efficiency of network monitoring.
Description of drawings
Fig. 1 is a schematic diagram of the network deployment in an embodiment of the present invention.
Embodiment
The present invention is described in further detail below with reference to a specific embodiment:
In a company's network, a number of computers store internal files for the company's personnel. Under company rules, this internal data must not be sent to the public network. The company has therefore deployed a network data analyser at the network egress.
As shown in Fig. 1, the company's deployment is a monitoring architecture that is very common in corporate network monitoring. All data exchanged between the company's computers and the public network passes through gateway B, and data analysis server A captures the packets at the network egress from gateway B and analyses them.
Suppose that computer F inside the company sends an internal company file to the Internet. Computer F encrypts the file and then sends it using a resumable, segmented transfer, and the segmentation protocol used is known only to computer F and the receiving end on the Internet. The encryption method, however, is a conventional one, such as encrypted compression.
When the packets are parsed by the conventional method, what computer F sends to the outside appears to be perfectly "normal" data: no file transfer process is visible, and no sensitive words are transmitted. Naturally no alarm is raised on computer F's behaviour. Computer F has thus evaded the monitoring of data analysis server A and concealed its activity.
But with the data recovery idea of the present invention, we can see clearly what data computer F has sent out, and at the same time we can save the file in full. The specific operating steps are as follows:
(1) Data analysis server A is connected in bypass mode to the network node to be monitored, namely gateway B, and the packet capture device in data analysis server A captures the packets on the network; this step is the same as in the conventional method;
(2) The source IP address, source port, destination IP address, destination port and transport-layer protocol number are extracted from the packet;
(3) During its analysis of the network data, data analysis server A uses the file-header matching pattern from the data recovery idea to locate the file data that computer F has sent outward;
(4) After recognising the specific data message, all related data sent by computer F is collected and coarsely grouped; the purpose of this step is to exclude other unrelated data (data not belonging to this file-transfer channel is treated as unrelated). At the end of this step we hold the scattered fragments of the file;
(5) Using the intelligent restoration principle commonly used in data recovery, the position of each fragment in the original file is calculated according to the conventional format of the rar file, the fragments are pieced together, and finally the complete file is spliced together, completing the data reassembly;
(6) The file is saved to the hard disk for the network administrator to inspect.
At this point the internal company file that computer F sent to the Internet has been restored in full by data analysis server A and stored on the hard disk.
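Step (5) of the embodiment, the format-driven placement of fragments, as an added example that is not part of the patent. Instead of the rar format used in the text, this Python code uses a ZIP archive, because ZIP's central directory records the byte offset of every local file header explicitly, so each fragment's position in the original file can be read straight from the format. The archive, its member files and the shuffled fragment order are constructed for the example, and the code assumes (as the comments state) that every fragment begins on a ZIP entry boundary and that the archive carries no trailing comment.

```python
import io
import random
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"            # 30-byte local file header
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"    # 46-byte central directory entry
EOCD_FMT = "<4sHHHHIIH"                # 22-byte end of central directory

# Constructed sample: a small stored (uncompressed) archive standing in for
# the internal file that computer F sends out in the embodiment.
SAMPLE_FILES = [
    ("readme.txt", b"internal document, not for release\n"),
    ("q1/plan.csv", b"item,owner\nrollout,alice\n"),
    ("notes.md", b"# notes\n" + b"x" * 300),
]


def build_sample():
    """Return the archive bytes and its fragments split at every local
    header and at the start of the central directory (assumption: the
    sender's segmentation happens to align with these boundaries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in SAMPLE_FILES:
            zf.writestr(zipfile.ZipInfo(name, date_time=(2013, 1, 25, 0, 0, 0)), data)
        local_offsets = [zi.header_offset for zi in zf.infolist()]
    blob = buf.getvalue()
    cd_offset = struct.unpack(EOCD_FMT, blob[-22:])[6]
    bounds = local_offsets + [cd_offset, len(blob)]
    return blob, [blob[a:b] for a, b in zip(bounds, bounds[1:])]


def scatter(fragments, seed=7):
    """Simulate fragments collected from the network in arbitrary order."""
    order = list(fragments)
    random.Random(seed).shuffle(order)
    return order


def _central_index(cd_fragment, n_entries):
    """Walk the central directory and map each file name to the offset of
    its local header, which the ZIP format stores explicitly."""
    index, pos = {}, 0
    for _ in range(n_entries):
        f = struct.unpack(CENTRAL_FMT, cd_fragment[pos:pos + 46])
        name_len, extra_len, comment_len, local_offset = f[10], f[11], f[12], f[16]
        index[cd_fragment[pos + 46:pos + 46 + name_len]] = local_offset
        pos += 46 + name_len + extra_len + comment_len
    return index


def reassemble_zip(fragments):
    """Place every fragment at the position the archive structure dictates,
    independent of the order in which the fragments were carried."""
    tail = next(f for f in fragments if f.startswith(CENTRAL_SIG) and EOCD_SIG in f)
    # Assumption: no archive comment, so the EOCD record is the last 22 bytes.
    _, _, _, _, n_entries, _, cd_offset, _ = struct.unpack(EOCD_FMT, tail[-22:])
    index = _central_index(tail, n_entries)
    placed = {cd_offset: tail}
    for frag in fragments:
        if frag is tail:
            continue
        if not frag.startswith(LOCAL_SIG):
            raise ValueError("fragment does not begin on a ZIP entry boundary")
        name_len = struct.unpack(LOCAL_FMT, frag[:30])[9]
        placed[index[frag[30:30 + name_len]]] = frag
    # The placements must tile the file exactly: no gaps, no overlaps.
    out, cursor = bytearray(), 0
    for offset in sorted(placed):
        if offset != cursor:
            raise ValueError("gap or overlap at offset %d" % offset)
        out += placed[offset]
        cursor += len(placed[offset])
    return bytes(out)


def demo():
    """Rebuild the scattered sample and verify it with the zipfile module."""
    blob, fragments = build_sample()
    rebuilt = reassemble_zip(scatter(fragments))
    with zipfile.ZipFile(io.BytesIO(rebuilt)) as zf:
        return rebuilt == blob, zf.testzip(), zf.namelist()


if __name__ == "__main__":
    print(demo())
```

The tiling check at the end is what makes the recovered file trustworthy for an administrator: a fragment that never crossed the monitored gateway shows up as a gap, rather than being silently papered over.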
Claims (3)
1. A detection method for identifying network data according to a network data recovery manner, characterised in that it comprises the following steps:
(1) The detection equipment is connected to the network node to be monitored in the manner of in-path (inline) monitoring or bypass monitoring, and the packet capture device in the detection equipment captures the packets on the network;
(2) The source IP address, source port, destination IP address, destination port and transport-layer protocol number are extracted from the packet;
(3) The data in the packet is matched by pattern matching so as to identify and recover the specific data message in the packet;
(4) Once the specific data message has been recognised, the whole of the data is intelligently restored according to its file format type, or the whole of the data is restored according to a feature head and feature tail;
(5) The data is reassembled and the recognition result is parsed.
2. The detection method for identifying network data according to a network data recovery manner according to claim 1, characterised in that, in step (3), the pattern matching serves to recognise the transmission behaviour of the data and to locate sensitive data, and its method is as follows: the feature heads of the data to be monitored are analysed in order to summarise a feature attribute of the data to be identified, and the relevant sensitive data is then identified on the network from the information in these feature heads; the pattern matching algorithm uses regular expressions or character strings.
3. The detection method for identifying network data according to a network data recovery manner according to claim 1, characterised in that, in step (5), the data is reassembled in one of two ways: by parsing TCP streams, the TCP stream is reassembled and the data reassembly is complete; or, by parsing the data content, the intelligent-restoration approach used in data recovery orders the packets on the network according to the data format to be analysed, completing the reassembly.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310029949.XA CN103051501B (en) | 2013-01-25 | 2013-01-25 | Detection method for identifying network data according to network data recovery manner |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103051501A true CN103051501A (en) | 2013-04-17 |
CN103051501B CN103051501B (en) | 2015-07-15 |
Family ID: 48064006
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310029949.XA Expired - Fee Related CN103051501B (en) | 2013-01-25 | 2013-01-25 | Detection method for identifying network data according to network data recovery manner |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103051501B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107480553A (en) * | 2017-07-28 | 2017-12-15 | 北京明朝万达科技股份有限公司 | A kind of data exploration system, method, equipment and storage medium |
CN107666486A (en) * | 2017-09-27 | 2018-02-06 | 清华大学 | A kind of network data flow restoration methods and system based on message protocol feature |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1980240A (en) * | 2006-12-08 | 2007-06-13 | 杭州华为三康技术有限公司 | Data-flow mode matching method and apparatus |
CN101060462A (en) * | 2007-04-12 | 2007-10-24 | 杭州华三通信技术有限公司 | A data recovery method, device, storage server and DHCP server |
CN102045209A (en) * | 2009-10-20 | 2011-05-04 | 中兴通讯股份有限公司 | Network application monitoring method and system |
CN102685098A (en) * | 2012-02-24 | 2012-09-19 | 华南理工大学 | Recombination-free multi-mode matching method for out-of-order data package flow |
CN102768632A (en) * | 2011-05-03 | 2012-11-07 | 厦门市美亚柏科信息股份有限公司 | Method and device for recovering data of mobile terminal |
Events
- 2013-01-25: CN application CN201310029949.XA, patent CN103051501B (en), not active: Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN103051501B (en) | 2015-07-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Meidan et al. | ProfilIoT: A machine learning approach for IoT device identification based on network traffic analysis | |
CN111277578B (en) | Encrypted flow analysis feature extraction method, system, storage medium and security device | |
CN109639481B (en) | Deep learning-based network traffic classification method and system and electronic equipment | |
WO2020119662A1 (en) | Network traffic classification method | |
CN113259313A (en) | Malicious HTTPS flow intelligent analysis method based on online training algorithm | |
CN107370752B (en) | Efficient remote control Trojan detection method | |
CN111147394B (en) | Multi-stage classification detection method for remote desktop protocol traffic behavior | |
CN112217763A (en) | Hidden TLS communication flow detection method based on machine learning | |
CN106330584A (en) | Identification method and identification device of business flow | |
CN104022924A (en) | Method for detecting HTTP (hyper text transfer protocol) communication content | |
CN101977235A (en) | URL (Uniform Resource Locator) filtering method aiming at HTTPS (Hypertext Transport Protocol Server) encrypted website access | |
CN109450721A (en) | A kind of Network anomalous behaviors recognition methods based on deep neural network | |
CN111611280A (en) | Encrypted traffic identification method based on CNN and SAE | |
CN115134250B (en) | Network attack tracing evidence obtaining method | |
CN112381119B (en) | Multi-scene classification method and system based on decentralized application encryption flow characteristics | |
Kong et al. | Identification of abnormal network traffic using support vector machine | |
CN105959328A (en) | Evidence graph and vulnerability reasoning combined network evidence collection method and system | |
CN106789728A (en) | A kind of voip traffic real-time identification method based on NetFPGA | |
CN103051501B (en) | Detection method for identifying network data according to network data recovery manner | |
Han et al. | An effective encrypted traffic classification method based on pruning convolutional neural networks for cloud platform | |
CN117911782A (en) | Hidden network traffic classification method and system based on multi-mode fusion | |
CN103501302A (en) | Method and system for automatically extracting worm features | |
JP2004312083A (en) | Learning data generating apparatus, intrusion detection system, and its program | |
CN113382003B (en) | RTSP mixed intrusion detection method based on two-stage filter | |
Kapoor et al. | Detecting VoIP data streams: approaches using hidden representation learning |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20150715; Termination date: 20220125 |