Summary of the invention
The technical problem addressed by the present invention is how to monitor peer-to-peer (P2P) applications effectively within a local area network (LAN).
To address this problem, the invention provides a method for monitoring peer-to-peer network applications, comprising:
identifying the P2P nodes in the LAN by their behavioural characteristics;
for the TCP/UDP packets sent or received by the identified P2P nodes, identifying the packets belonging to P2P applications by behavioural or payload characteristics; and
passing or blocking the identified P2P application packets according to a predetermined policy.
Optionally, the step of identifying the P2P nodes in the LAN by behavioural characteristics comprises:
for one or more nodes in the LAN, counting, over a period of predetermined length, each node's connection success rate or number of broadcast packets; and
identifying as a P2P node any node whose connection success rate satisfies a first predetermined condition or whose broadcast packet count satisfies a second predetermined condition.
Optionally, the step of identifying P2P application packets among the TCP/UDP packets sent or received by the identified P2P nodes comprises:
for each TCP/UDP packet sent or received by an identified P2P node, recording the five-tuple of the packet and calculating the entropy of the first 32 bytes of its payload;
when the entropy of the packet is below a predetermined entropy threshold, classifying the packet as a P2P application packet if its payload matches a preset pattern; and
when the entropy of the packet is greater than or equal to the entropy threshold, classifying the packet as a P2P application packet if, in the recorded five-tuples, the ratio of the number of IP addresses to the number of ports is below a predetermined ratio threshold.
Optionally, the entropy threshold is 0.35 and the ratio threshold is 2.0.
Optionally, the step of passing or blocking the identified P2P application packets according to a predetermined policy comprises:
calculating the traffic volume of P2P application packets in the LAN and the total traffic volume at the LAN gateway; and
blocking the identified P2P application packets when the total traffic exceeds a first traffic threshold or the P2P application traffic exceeds a second traffic threshold.
The present invention also provides a monitoring system for peer-to-peer network applications, comprising:
a node recognition module for identifying the P2P nodes in the LAN by behavioural characteristics;
an application recognition module for identifying, among the TCP/UDP packets sent or received by the identified P2P nodes, the packets belonging to P2P applications by behavioural or payload characteristics; and
an application control module for passing or blocking the identified P2P application packets according to a predetermined policy.
Optionally, the node recognition module identifying the P2P nodes in the LAN by behavioural characteristics means that:
the node recognition module counts, for one or more nodes in the LAN and over a period of predetermined length, each node's connection success rate or number of broadcast packets, and identifies as a P2P node any node whose connection success rate satisfies a first predetermined condition or whose broadcast packet count satisfies a second predetermined condition.
Optionally, the application recognition module identifying P2P application packets among the TCP/UDP packets sent or received by the identified P2P nodes by behavioural or payload characteristics means that:
the application recognition module, for each TCP/UDP packet sent or received by an identified P2P node, records the five-tuple of the packet and calculates the entropy of the first 32 bytes of its payload; when the entropy of the packet is below a predetermined entropy threshold, it classifies the packet as a P2P application packet if its payload matches a preset pattern; when the entropy of the packet is greater than or equal to the entropy threshold, it classifies the packet as a P2P application packet if, in the recorded five-tuples, the ratio of the number of IP addresses to the number of ports is below a predetermined ratio threshold.
Optionally, the entropy threshold is 0.35 and the ratio threshold is 2.0.
Optionally, the application control module passing or blocking the identified P2P application packets according to a predetermined policy means that:
the application control module calculates the traffic volume of P2P application packets in the LAN and the total traffic volume at the LAN gateway, and blocks the identified P2P application packets when the total traffic exceeds a first traffic threshold or the P2P application traffic exceeds a second traffic threshold.
The technical solution of the present invention addresses the problem of P2P applications seizing network resources, which causes network congestion and affects other network applications; it lets users obtain information efficiently and improves the user's online experience.
Embodiment
The technical solution of the present invention is described in detail below with reference to the drawings and embodiments.
It should be noted that, provided they do not conflict, the embodiments of the present invention and the features within them may be combined with one another, and all such combinations fall within the scope of protection of the present invention. In addition, although the flowcharts show a logical order, in some cases the steps shown or described may be performed in an order different from that given here.
Embodiment one: a method for monitoring P2P applications, shown in Figure 1, comprising:
S101: identifying the P2P nodes in the LAN by behavioural characteristics;
S102: for the TCP (Transmission Control Protocol)/UDP (User Datagram Protocol) packets sent or received by the identified P2P nodes, identifying the packets belonging to P2P applications by behavioural or payload characteristics;
S103: passing or blocking the identified P2P application packets according to a predetermined policy.
This embodiment identifies the P2P nodes in the LAN by behavioural characteristics, identifies P2P application traffic by behavioural or payload characteristics, and then controls the P2P applications accordingly. It can therefore manage P2P applications in the LAN effectively, so that network bandwidth is used reasonably.
In one implementation of this embodiment, step S101 may specifically comprise:
for one or more nodes in the LAN, counting, over a period of predetermined length, each node's connection success rate or number of broadcast packets; and
identifying as a P2P node any node whose connection success rate satisfies a first predetermined condition or whose broadcast packet count satisfies a second predetermined condition.
In this implementation, each node's connection success rate or broadcast packet count may be counted over a period of predetermined length after a monitoring instruction is received, or may be recorded periodically or continuously for the recent period. P2P nodes may be identified periodically or after a monitoring instruction is received.
In this implementation, the connection success rate may be calculated from the number of SYN (handshake) or ACK (acknowledgement) messages in the network packets. In one alternative of this implementation, the first predetermined condition is that the connection success rate is below 0.8; the first predetermined condition may be set differently in other alternatives.
In this implementation, the broadcast packet count may be calculated from the number of ICMP (Internet Control Message Protocol) packets and a comparison of their TTL (time to live) values. In one alternative of this implementation, the second predetermined condition is that the broadcast packet count is greater than 5 and the TTL values of adjacent broadcast packets differ by 1; the second predetermined condition may be set differently in other alternatives.
A specific example of this implementation is shown in Figure 2; in this example the P2P nodes are identified periodically, and the example comprises the following steps 201 to 208.
Step 201: whenever a network packet passing between the LAN and the Internet is intercepted, parse the packet and determine whether it is a SYN or ACK message; if so, go to step 202. Otherwise determine whether it is an ICMP packet; if so, go to step 205, and if not, return to step 201.
Step 202: increment by one the count of SYN and ACK messages received/sent by the corresponding LAN node.
Step 203: obtain the current time, calculate the difference from the time at which counting started in this recognition cycle, and judge whether the recognition cycle has elapsed; if so, go to step 204, and if not, return to step 201.
Step 204: calculate the connection success rate of each node in the LAN, identify whether each node is a P2P node, and go to step 208.
Step 205: increment by one the count of ICMP packets received/sent by the corresponding LAN node, and check whether the packet's TTL (time to live) value has been saved; if not, save it.
Step 206: obtain the current time, calculate the difference from the time at which counting started in this recognition cycle, and judge whether the recognition cycle has elapsed; if so, go to step 204, and if not, return to step 201.
Step 207: calculate the ICMP packet count and TTL comparison value of each node in the LAN, identify whether each node is a P2P node, and go to step 208.
Step 208: store the IP address and port of each identified P2P node in the P2P node table; the P2P node information table may comprise table name, IP address, port and creation time fields. This ends the identification for the current recognition cycle, and the statistics are reset to zero.
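As an added illustration, not code from the patent, the periodic node identification of steps 201 to 208 written in Python. The thresholds 0.8, 5 and 1 are the page's; the definition of a successful connection (a SYN sent by the node that is answered with a SYN/ACK), the LAN prefix, the packet dictionary format and the sample traffic are assumptions constructed for this example.

```python
from collections import defaultdict

# Thresholds given on the page; everything else in this block is constructed
SUCCESS_RATE_MAX = 0.8   # first condition: connection success rate below 0.8
BROADCAST_MIN = 5        # second condition: more than 5 ICMP packets ...
TTL_STEP = 1             # ... whose adjacent TTL values differ by exactly 1
LAN_PREFIX = "10.0.0."   # assumed: addresses with this prefix are LAN nodes


class NodeStats:
    """Per-node counters for one recognition cycle (steps 202 and 205)."""
    def __init__(self):
        self.syn_sent = 0      # connection attempts (SYN sent by the node)
        self.synack_seen = 0   # attempts answered with SYN/ACK (assumed success)
        self.pending = set()   # (node, peer, sport, dport) of unanswered attempts
        self.icmp_ttls = []    # TTL of each ICMP packet the node sent, in order


class NodeIdentifier:
    """Tallies intercepted packets and identifies P2P nodes at the end of a cycle."""
    def __init__(self):
        self.stats = defaultdict(NodeStats)

    def observe(self, pkt):
        """Steps 201/202/205; pkt is a dict in a constructed format, not the page's."""
        if pkt["proto"] == "tcp":
            if pkt["flags"] == "SYN" and pkt["src"].startswith(LAN_PREFIX):
                s = self.stats[pkt["src"]]
                s.syn_sent += 1
                s.pending.add((pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"]))
            elif pkt["flags"] == "SYN-ACK" and pkt["dst"].startswith(LAN_PREFIX):
                s = self.stats[pkt["dst"]]
                key = (pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"])
                if key in s.pending:   # only count replies to a SYN we saw
                    s.pending.discard(key)
                    s.synack_seen += 1
        elif pkt["proto"] == "icmp" and pkt["src"].startswith(LAN_PREFIX):
            self.stats[pkt["src"]].icmp_ttls.append(pkt["ttl"])

    def success_rate(self, node):
        """Step 204: answered attempts over all attempts (1.0 if the node made none)."""
        s = self.stats[node]
        return s.synack_seen / s.syn_sent if s.syn_sent else 1.0

    def ttl_stepped_broadcasts(self, node):
        """Step 207: more than BROADCAST_MIN ICMP packets, adjacent TTLs differing by TTL_STEP."""
        ttls = self.stats[node].icmp_ttls
        return len(ttls) > BROADCAST_MIN and all(
            abs(b - a) == TTL_STEP for a, b in zip(ttls, ttls[1:]))

    def identify(self):
        """Step 208: return the P2P nodes of this cycle, then reset the statistics."""
        p2p = sorted(n for n in list(self.stats)
                     if self.success_rate(n) < SUCCESS_RATE_MAX
                     or self.ttl_stepped_broadcasts(n))
        self.stats.clear()
        return p2p


def tcp(src, dst, sport, dport, flags):
    return {"proto": "tcp", "src": src, "dst": dst,
            "sport": sport, "dport": dport, "flags": flags}


def sample_stream():
    """Constructed traffic: 10.0.0.5 has 4 of 10 SYNs answered (rate 0.4),
    10.0.0.7 has all 5 answered (rate 1.0), 10.0.0.9 sends 7 ICMP packets with TTL 1..7."""
    pkts = []
    for i in range(10):
        peer = f"203.0.113.{i + 1}"
        pkts.append(tcp("10.0.0.5", peer, 40000 + i, 6881, "SYN"))
        if i < 4:
            pkts.append(tcp(peer, "10.0.0.5", 6881, 40000 + i, "SYN-ACK"))
    for i in range(5):
        peer = f"198.51.100.{i + 1}"
        pkts.append(tcp("10.0.0.7", peer, 50000 + i, 443, "SYN"))
        pkts.append(tcp(peer, "10.0.0.7", 443, 50000 + i, "SYN-ACK"))
    for ttl in range(1, 8):
        pkts.append({"proto": "icmp", "src": "10.0.0.9", "dst": "192.0.2.1", "ttl": ttl})
    return pkts
```

Feeding `sample_stream()` to `NodeIdentifier.observe` and calling `identify()` yields 10.0.0.5 (low success rate) and 10.0.0.9 (stepped TTLs) but not 10.0.0.7.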
In one implementation of this embodiment, step S102 may specifically comprise:
for each TCP/UDP packet sent or received by an identified P2P node, recording the five-tuple of the packet and calculating the entropy of the first 32 bytes of its payload;
when the entropy of the packet is below a predetermined entropy threshold, classifying the packet as a P2P application packet if its payload matches a preset pattern; and
when the entropy of the packet is greater than or equal to the entropy threshold, classifying the packet as a P2P application packet if, in the recorded five-tuples, the ratio of the number of IP addresses to the number of ports is below a predetermined ratio threshold.
In one alternative of this embodiment, the entropy threshold may be, but is not limited to, 0.35, and the ratio threshold may be, but is not limited to, 2.0; the entropy threshold and ratio threshold may be set differently in other alternatives. The preset patterns may be set to one or more patterns commonly found in P2P application payloads, according to statistics or experience.
A specific example of this implementation is shown in Figure 3; the identification of P2P applications comprises the following steps 301 to 306.
Step 301: for an identified P2P node, whenever a network packet passing between the LAN and the Internet is intercepted, parse the packet and store its five-tuple (source IP address, destination IP address, source port, destination port, protocol), and judge whether the packet contains a TCP/UDP packet; if so, go to step 302, and if not, finish.
Step 302: store the packet's source IP address and source port, destination IP address and destination port in the P2P connection information table; the P2P connection information table may comprise table name, source IP address, destination IP address, source port, destination port and creation time fields.
Step 303: calculate the entropy of the first 32 bytes of the packet's payload and judge whether it is greater than the entropy threshold; if greater, go to step 304, and if less, go to step 305. If it is equal, either step 304 or step 305 may be chosen.
Step 304: calculate the ratio of the number of IP addresses to the number of ports; if the ratio is below the ratio threshold, go to step 306, otherwise finish.
Step 305: perform pattern matching on the packet's payload; if the match succeeds, go to step 306, otherwise finish.
Step 306: classify the packet as a P2P application packet, and finish.
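As an added example, not the patent's own code, the per-packet classification of steps 301 to 306 in Python. The page gives the 32-byte window and the thresholds 0.35 and 2.0; the entropy normalisation (Shannon bits divided by log2 of the window length), the reading of the ratio as distinct remote IP addresses over distinct remote ports for the node, the placeholder pattern and the sample payloads are assumptions constructed here. Equality with the entropy threshold is routed to the ratio check, as in the summary above.

```python
import math
import re
from collections import namedtuple

FiveTuple = namedtuple("FiveTuple", "src dst sport dport proto")

ENTROPY_THRESHOLD = 0.35   # from the page (step 303)
RATIO_THRESHOLD = 2.0      # from the page (step 304)
HEAD_LEN = 32              # entropy is taken over the first 32 payload bytes

# The page leaves the preset patterns to "statistics or experience"; this marker is
# a constructed placeholder for the example, not a real protocol signature.
PRESET_PATTERNS = [re.compile(rb"\AP2PX")]


def normalized_entropy(payload: bytes) -> float:
    """Shannon entropy of the first HEAD_LEN bytes divided by log2(n), so it lies in
    [0, 1]. The page states the 0.35 threshold but not the normalisation (assumption)."""
    head = payload[:HEAD_LEN]
    n = len(head)
    if n < 2:
        return 0.0
    counts = {}
    for b in head:
        counts[b] = counts.get(b, 0) + 1
    bits = -sum(c / n * math.log2(c / n) for c in counts.values())
    return bits / math.log2(n)


class ConnectionTable:
    """Step 302: the P2P connection information table, one row per five-tuple."""
    def __init__(self):
        self.rows = set()

    def record(self, ft: FiveTuple):
        self.rows.add(ft)

    def ip_port_ratio(self, node_ip: str) -> float:
        """Step 304: distinct remote IPs over distinct remote ports seen for node_ip
        (assumed reading of the page's ratio). Infinite when nothing is recorded."""
        ips, ports = set(), set()
        for ft in self.rows:
            if ft.src == node_ip:
                ips.add(ft.dst)
                ports.add(ft.dport)
            elif ft.dst == node_ip:
                ips.add(ft.src)
                ports.add(ft.sport)
        return len(ips) / len(ports) if ports else math.inf


def classify_packet(node_ip: str, ft: FiveTuple, payload: bytes,
                    table: ConnectionTable) -> bool:
    """Steps 301 to 306 for one packet of an already identified P2P node.
    Returns True when the packet is classified as P2P application traffic."""
    if ft.proto not in ("tcp", "udp"):
        return False                                    # step 301: only TCP/UDP
    table.record(ft)                                    # step 302
    if normalized_entropy(payload) < ENTROPY_THRESHOLD:  # step 303: low entropy
        return any(p.search(payload) for p in PRESET_PATTERNS)   # step 305
    return table.ip_port_ratio(node_ip) < RATIO_THRESHOLD        # step 304


# Constructed sample payloads: a marker followed by zeros (low entropy) and
# 32 distinct byte values (maximal entropy, like encrypted or compressed data).
LOW_ENTROPY_PAYLOAD = b"P2PX" + b"\x00" * 28
HIGH_ENTROPY_PAYLOAD = bytes(range(32))
```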
In one implementation of this embodiment, step S103 may specifically comprise:
calculating the traffic volume of P2P application packets in the LAN and the total traffic volume at the LAN gateway; and
blocking the identified P2P application packets when the total traffic exceeds a first traffic threshold or the P2P application traffic exceeds a second traffic threshold.
In one alternative of this implementation, the first traffic threshold may be, but is not limited to, 80% of the total bandwidth of the LAN gateway, and the second traffic threshold may be, but is not limited to, 80% of the total traffic. The first and second traffic thresholds may be set as required in other alternatives.
A specific example of this implementation is shown in Figure 4; the control of P2P application packets comprises the following steps 401 to 404.
Step 401: when a network packet has been classified as a P2P application packet, go to step 402.
Step 402: count the total traffic at the LAN gateway and the traffic of P2P application packets (hereinafter P2P traffic).
Step 403: if both the total traffic and the P2P traffic are below their respective thresholds, pass the packet.
Step 404: if at least one of the total traffic and the P2P traffic exceeds its threshold, block the packet.
Embodiment two: a monitoring system for P2P applications, shown in Figure 5, comprising:
a node recognition module for identifying the P2P nodes in the LAN by behavioural characteristics;
an application recognition module for identifying, among the TCP/UDP packets sent or received by the identified P2P nodes, the packets belonging to P2P applications by behavioural or payload characteristics; and
an application control module for passing or blocking the identified P2P application packets according to a predetermined policy.
In one implementation of this embodiment, the monitoring system may further comprise:
a storage module comprising an information base for storing the P2P node information table and the P2P connection information table; the P2P node information table comprises table name, IP address, port and creation time fields, and the P2P connection information table comprises table name, source IP address, destination IP address, source port, destination port and creation time fields;
a management module for managing the monitoring policy of P2P applications and saving it in the information base, which may also be used to set the various thresholds; and
a communication module for intercepting network packets passing between the LAN and the Internet and for forwarding a packet when the application control module passes it.
In one implementation of this embodiment, the node recognition module identifying the P2P nodes in the LAN by behavioural characteristics may specifically mean that:
the node recognition module counts, for one or more nodes in the LAN and over a period of predetermined length, each node's connection success rate or number of broadcast packets, and identifies as a P2P node any node whose connection success rate satisfies a first predetermined condition or whose broadcast packet count satisfies a second predetermined condition.
In this implementation, the connection success rate may be calculated from the number of SYN (handshake) or ACK (acknowledgement) messages in the network packets. In one alternative of this implementation, the first predetermined condition is that the connection success rate is below 0.8; the first predetermined condition may be set differently in other alternatives.
In this implementation, the broadcast packet count may be calculated from the number of ICMP (Internet Control Message Protocol) packets and a comparison of their TTL (time to live) values. In one alternative of this implementation, the second predetermined condition is that the broadcast packet count is greater than 5 and the TTL values of adjacent broadcast packets differ by 1; the second predetermined condition may be set differently in other alternatives.
In one implementation of this embodiment, the application recognition module identifying P2P application packets among the TCP/UDP packets sent or received by the identified P2P nodes by behavioural or payload characteristics may specifically mean that:
the application recognition module, for each TCP/UDP packet sent or received by an identified P2P node, records the five-tuple of the packet and calculates the entropy of the first 32 bytes of its payload; when the entropy of the packet is below a predetermined entropy threshold, it classifies the packet as a P2P application packet if its payload matches a preset pattern; when the entropy of the packet is greater than or equal to the entropy threshold, it classifies the packet as a P2P application packet if, in the recorded five-tuples, the ratio of the number of IP addresses to the number of ports is below a predetermined ratio threshold.
In one alternative of this embodiment, the entropy threshold may be, but is not limited to, 0.35, and the ratio threshold may be, but is not limited to, 2.0; the entropy threshold and ratio threshold may be set differently in other alternatives. The preset patterns may be set to one or more patterns commonly found in P2P application payloads, according to statistics or experience.
In one implementation of this embodiment, the application control module passing or blocking the identified P2P application packets according to a predetermined policy may specifically mean that:
the application control module calculates the traffic volume of P2P application packets in the LAN and the total traffic volume at the LAN gateway, and blocks the identified P2P application packets when the total traffic exceeds a first traffic threshold or the P2P application traffic exceeds a second traffic threshold.
In one alternative of this implementation, the first traffic threshold may be, but is not limited to, 80% of the total bandwidth of the LAN gateway, and the second traffic threshold may be, but is not limited to, 80% of the total traffic. The first and second traffic thresholds may be set as required in other alternatives.
Figure 6 is a network diagram of the monitoring system of this embodiment.
The LAN comprises network devices, network security devices, hosts and terminals; the network devices may include routers and switches; the network security devices may include firewalls, VPNs, network anti-virus systems and intrusion detection systems; the hosts may include web servers, mail servers and file servers; the terminals may include user computers and self-service terminals.
The Internet may comprise routers for transmitting and routing network traffic.
The monitoring system is connected between the Internet and the LAN to be monitored, and can intercept the network packets passing between the LAN and the Internet.
A specific example of this embodiment is shown in Figure 7; the workflow of the monitoring system comprises the following steps 601 to 607.
Step 601: perform initialisation; the P2P application monitoring policy is set in the management module and stored in the information base of the storage module.
Step 602: the communication module receives a P2P packet.
Step 603: the node recognition module identifies the LAN's P2P nodes by behavioural characteristics.
Step 604: the application recognition module identifies P2P application packets by behavioural or payload characteristics; for packets of P2P applications, go to step 605.
Step 605: the application control module decides whether to block or pass the P2P packet.
Step 606: the packet is blocked or passed accordingly.
Step 607: for a pass decision, the communication module forwards the P2P application packet.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method may be performed by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Alternatively, all or part of the steps of the above embodiments may be implemented with one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in hardware or as a software functional module. The present invention is not limited to any particular combination of hardware and software.
Of course, the present invention may have various other embodiments; without departing from the spirit and essence of the present invention, those of ordinary skill in the art may make various corresponding changes and variations in accordance with the present invention, and all such changes and variations shall fall within the scope of protection of the claims of the present invention.