CN103220329B - P2P protocol identification method based on protocol content identification and behavior identification - Google Patents
Publication number: CN103220329B (application CN201310070763.9A)
Authority: CN (China)
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention provides a P2P protocol identification method based on protocol content identification and behavior identification. The method comprises the following steps: (1) establishing a protocol feature database by extracting the protocol content features and behavior identification features of applications that use P2P protocols, loading and compiling them, and forming the protocol feature database; (2) monitoring host traffic, matching the application to be identified against the protocol feature database, and determining the protocol type used by the application to be identified. The method combines the accuracy of protocol content identification features with the efficiency of the identification mechanism of the protocol behavior identification mode, identifies the P2P application protocol through a delayed correlation technique, improves the identification rate of P2P protocols, refines the granularity of P2P protocol identification, and thereby achieves precise control over the application's network traffic.
Description
Technical field
The present invention relates to the field of computer network security, and in particular to a P2P protocol identification method based on protocol content identification and behavior identification.
Background technology
Protocol identification refers to identifying the protocol type used by the traffic transmitted on a network link. Traditional protocol identification mainly has two methods. One is a technique that identifies by scanning message content: the message content is scanned and compared against a protocol feature library extracted in advance. For example, BitTorrent protocol messages contain the keyword "BitTorrent Protocol", and identification is performed on the basis of such keywords. This identification method has a high accuracy rate, but it does not work for encrypted links or for applications without key features.
The other identification method performs identification based on a data model built from statistics of message information; the statistical objects include IP address, port, message payload, message rate and the like. This method has high identification efficiency and can identify encrypted links, but its identification rate is poor and its false identification rate is higher.
Accordingly, the prior art still needs to be improved.
Content of the invention
In view of the deficiencies in the prior art, the present invention provides a P2P protocol identification method based on protocol content identification and behavior identification, which can improve the identification rate of P2P protocols, refine the granularity of P2P protocol identification, and thereby achieve precise control over the application's network traffic.
To achieve the above object, the present invention is implemented by the following technical scheme:
The present invention provides a P2P protocol identification method based on protocol content identification and behavior identification, characterized in that it comprises the following steps:
S1, establishing a protocol feature library: extracting the protocol content features and behavior identification features of applications that use P2P protocols, loading and compiling them, and forming the protocol feature library;
S2, monitoring host traffic, matching the application to be identified against the protocol feature library, and determining the protocol type used by the application to be identified.
Preferably, step S2 further includes:
monitoring host traffic and matching the application to be identified against the protocol feature library; if the application to be identified matches a protocol content feature in the protocol feature library, marking the application to be identified as an application using a P2P protocol, recording the occurrence event of this application to be identified, adding the application identified this time to the history P2P application identification events table, and stopping traffic monitoring of the application to be identified.
Preferably, step S2 further includes: setting a timeout time for the application added to the history P2P application identification events table.
Preferably, step S2 further includes:
monitoring host traffic and matching the application to be identified against the protocol feature library; if the application to be identified matches a behavior identification feature in the protocol feature library, marking the application to be identified as an application using a P2P-like protocol.
Preferably, step S2 further includes: matching the application using a P2P-like protocol against the applications in the history P2P application identification events table; if the match succeeds, marking the application using a P2P-like protocol as an application using a P2P protocol and stopping traffic monitoring of it; if the match fails, continuing traffic monitoring of the application using a P2P-like protocol.
Preferably, step S2 further includes: when matching the application using a P2P-like protocol against the applications in the history P2P application identification events table, first judging whether an application in the history P2P application identification events table has exceeded the preset timeout time; if so, skipping that application; if not, matching the application using a P2P-like protocol against that application in the history P2P application identification events table.
Preferably, step S2 further includes: presetting a message count threshold, and judging whether the message count of the application using a P2P-like protocol that is in the traffic monitoring state exceeds the message count threshold; if not, continuing traffic monitoring of it; if so, stopping traffic monitoring of it and finally marking the application as an application using a P2P-like protocol.
Preferably, step S2 further includes:
monitoring host traffic and matching the application to be identified against the protocol feature library; if the application to be identified matches neither the protocol content features nor the behavior identification features in the protocol feature library, marking the application to be identified as an unknown application.
By providing a P2P protocol identification method based on protocol content identification and behavior identification, the present invention combines the accuracy of protocol content identification features with the efficiency of the identification mechanism of the protocol behavior identification mode, identifies the P2P application protocol through a delayed correlation technique, improves the identification rate of P2P protocols, refines the granularity of P2P protocol identification, and thereby achieves precise control over the application's network traffic.
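The identification flow of step S2 together with its preferred refinements (history events table, timeout, message count threshold, unknown verdict), as an added Python example that is not part of the patent. The feature library contents, the behaviour rule (a flow reaching many distinct peers on unprivileged ports), the per-flow state, and the sample traffic are all constructed assumptions of this example; it also goes slightly beyond the text in deciding "unknown" only once the message threshold is reached.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# S1: constructed feature library. "BitTorrent protocol" is the handshake keyword
# the Background section refers to; the behaviour rule (one flow reaching many
# distinct peers on unprivileged ports) is this example's own assumption.
CONTENT_FEATURES = {"BitTorrent": [b"BitTorrent protocol"]}
BEHAVIOUR_MIN_PEERS = 5      # distinct peers before a flow counts as P2P-like
BEHAVIOUR_MIN_PORT = 1024    # only peers reached on unprivileged ports count
MESSAGE_THRESHOLD = 20       # preset message count threshold
HISTORY_TIMEOUT = 300.0      # seconds a history table entry stays valid

@dataclass
class FlowState:
    peers: set = field(default_factory=set)
    messages: int = 0
    verdict: str = "monitoring"   # monitoring | P2P:<proto> | P2P-like | unknown
    monitoring: bool = True

class P2PIdentifier:
    """S2: match each monitored flow against the feature library."""
    def __init__(self):
        self.flows = defaultdict(FlowState)
        self.history = {}   # history P2P identification events: app -> (proto, time)

    def _history_hit(self, app, now):
        entry = self.history.get(app)
        if entry is None or now - entry[1] > HISTORY_TIMEOUT:
            return None     # no entry, or entry past its timeout: skip it
        return entry[0]

    def observe(self, app, flow, dst_ip, dst_port, payload, now):
        """Feed one message of `flow` (sent by `app`); return the current verdict."""
        st = self.flows[flow]
        if not st.monitoring:
            return st.verdict
        st.messages += 1
        if dst_port >= BEHAVIOUR_MIN_PORT:
            st.peers.add(dst_ip)
        # Content identification: conclusive, and recorded as an occurrence event.
        for proto, keywords in CONTENT_FEATURES.items():
            if any(k in payload for k in keywords):
                self.history[app] = (proto, now)
                st.verdict, st.monitoring = f"P2P:{proto}", False
                return st.verdict
        # Behaviour identification: P2P-like, then delayed correlation with an
        # earlier content-identified event of the same application.
        if len(st.peers) >= BEHAVIOUR_MIN_PEERS:
            st.verdict = "P2P-like"
            proto = self._history_hit(app, now)
            if proto is not None:
                st.verdict, st.monitoring = f"P2P:{proto}", False
                return st.verdict
        # The message count threshold ends monitoring of whatever is undecided;
        # calling a still-unmatched flow "unknown" at that point is an assumption.
        if st.messages > MESSAGE_THRESHOLD:
            st.monitoring = False
            if st.verdict == "monitoring":
                st.verdict = "unknown"
        return st.verdict

def run_demo():
    """Constructed traffic exercising each branch; returns case -> verdict."""
    ident, out = P2PIdentifier(), {}
    many = [f"10.0.{j}.1" for j in range(1, 26)]   # 25 distinct peer addresses
    def feed(case, app, flow, n, ips, port, payload, t0):
        for i in range(n):
            out[case] = ident.observe(app, flow, ips[i % len(ips)], port, payload, t0 + i)
    feed("handshake", "clientA", "f1", 1, ["10.0.0.2"], 6881, b"\x13BitTorrent protocol", 10.0)
    feed("correlated", "clientA", "f2", 5, many, 50000, b"\x8f\x11", 20.0)   # opaque payload
    feed("p2p_like", "clientB", "f3", MESSAGE_THRESHOLD + 1, many, 40000, b"\x00\x01", 30.0)
    feed("unknown", "clientC", "f4", MESSAGE_THRESHOLD + 1, ["10.0.0.9"], 443, b"\x16\x03", 40.0)
    feed("expired", "clientA", "f5", 5, many, 50000, b"\x8f\x11", 1000.0)   # history timed out
    return out
```

The "correlated" case is the delayed correlation the text describes: the second flow carries no keyword, but its P2P-like behaviour is tied back to the content-identified event of the same application, whereas the "expired" case shows the same flow falling back to P2P-like once that entry has passed its timeout.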
Brief description
Fig. 1 is a flow chart of one embodiment of the invention.
Specific embodiment
The P2P protocol identification method based on protocol content identification and behavior identification proposed by the invention is described in detail below with reference to the accompanying drawing and embodiments.
As shown in Fig. 1, the present invention provides a P2P protocol identification method based on protocol content identification and behavior identification, characterized in that it comprises the following steps:
S1, establishing a protocol feature library: extracting the protocol content features and behavior identification features of applications that use P2P protocols, loading and compiling them, and forming the protocol feature library;
S2, monitoring host traffic, matching the application to be identified against the protocol feature library, and determining the protocol type used by the application to be identified.
The above embodiment is merely intended to illustrate the present invention and not to limit it. Those of ordinary skill in the relevant technical field may make various changes and modifications without departing from the spirit and scope of the present invention; therefore all equivalent technical schemes fall within the scope of the present invention, and the scope of patent protection of the present invention should be defined by the claims.
Claims (7)
1. A P2P protocol identification method based on protocol content identification and behavior identification, characterized in that it comprises the following steps:
S1, establishing a protocol feature library: extracting the protocol content features and behavior identification features of applications that use P2P protocols, loading and compiling them, and forming the protocol feature library;
S2, monitoring host traffic, matching the application to be identified against the protocol feature library, and determining the protocol type used by the application to be identified;
wherein step S2 further includes:
monitoring host traffic and matching the application to be identified against the protocol feature library; if the application to be identified matches a protocol content feature in the protocol feature library, marking the application to be identified as an application using a P2P protocol, recording the occurrence event of this application to be identified, adding the application identified this time to the history P2P application identification events table, and stopping traffic monitoring of the application to be identified.
2. The method of claim 1, characterized in that step S2 further includes: setting a timeout time for the application added to the history P2P application identification events table.
3. The method of claim 2, characterized in that step S2 further includes:
monitoring host traffic and matching the application to be identified against the protocol feature library; if the application to be identified matches a behavior identification feature in the protocol feature library, marking the application to be identified as an application using a P2P-like protocol.
4. The method of claim 3, characterized in that step S2 further includes:
matching the application using a P2P-like protocol against the applications in the history P2P application identification events table; if the match succeeds, marking the application using a P2P-like protocol as an application using a P2P protocol and stopping traffic monitoring of it; if the match fails, continuing traffic monitoring of the application using a P2P-like protocol.
5. The method of claim 4, characterized in that step S2 further includes: when matching the application using a P2P-like protocol against the applications in the history P2P application identification events table, first judging whether an application in the history P2P application identification events table has exceeded the preset timeout time; if so, skipping that application; if not, matching the application using a P2P-like protocol against that application in the history P2P application identification events table.
6. The method of claim 5, characterized in that step S2 further includes:
presetting a message count threshold, and judging whether the message count of the application using a P2P-like protocol that is in the traffic monitoring state exceeds the message count threshold; if not, continuing traffic monitoring of it; if so, stopping traffic monitoring of it and finally marking the application as an application using a P2P-like protocol.
7. The method of claim 1, characterized in that step S2 further includes:
monitoring host traffic and matching the application to be identified against the protocol feature library; if the application to be identified matches neither the protocol content features nor the behavior identification features in the protocol feature library, marking the application to be identified as an unknown application.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310070763.9A CN103220329B (en) | 2013-03-07 | 2013-03-07 | P2P protocol identification method based on protocol content identification and behavior identification |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103220329A CN103220329A (en) | 2013-07-24 |
CN103220329B true CN103220329B (en) | 2017-02-08 |
Family
ID=48817780
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310070763.9A Expired - Fee Related CN103220329B (en) | 2013-03-07 | 2013-03-07 | P2P protocol identification method based on protocol content identification and behavior identification |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103220329B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105657051B (en) * | 2016-03-03 | 2020-03-24 | 广东顺德中山大学卡内基梅隆大学国际联合研究院 | Identification control method and system for P2P application |
CN111245850A (en) * | 2020-01-15 | 2020-06-05 | 福建奇点时空数字科技有限公司 | Encrypted P2P protocol identification method based on connection statistical rule analysis |
CN112099867A (en) * | 2020-08-17 | 2020-12-18 | 北京天元特通科技有限公司 | APP identification framework supporting online dynamic update |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101094234A (en) * | 2007-07-20 | 2007-12-26 | 北京启明星辰信息技术有限公司 | Method and system of accurate recognition in P2P protocol based on behavior characteristics |
CN101202652A (en) * | 2006-12-15 | 2008-06-18 | 北京大学 | Device for classifying and recognizing network application flow quantity and method thereof |
CN101442519A (en) * | 2007-11-22 | 2009-05-27 | 北京启明星辰信息技术股份有限公司 | Method and system for monitoring P2P software |
CN101459695A (en) * | 2009-01-09 | 2009-06-17 | 中国人民解放军信息工程大学 | P2P service recognition method and apparatus |
CN101505314A (en) * | 2008-12-29 | 2009-08-12 | 成都市华为赛门铁克科技有限公司 | P2P data stream recognition method, apparatus and system |
CN101867601A (en) * | 2010-05-14 | 2010-10-20 | 北京理工大学 | File-level P2P network flow identification method |
CN102082699A (en) * | 2009-11-27 | 2011-06-01 | 上海博达数据通信有限公司 | P2P (peer-to-peer) protocol identification method on basis of active detection mode |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101814977B (en) * | 2010-04-22 | 2012-11-21 | 北京邮电大学 | TCP flow on-line identification method and device utilizing head feature of data stream |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| PP01 | Preservation of patent right | Effective date of registration: 20180823; Granted publication date: 20170208 |
| PD01 | Discharge of preservation of patent | Date of cancellation: 20210823; Granted publication date: 20170208 |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20170208; Termination date: 20190307 |