CN103491025B - Method and device for application traffic identification
- Publication number: CN103491025B (application CN201310418298.3A)
- Authority: CN (China)
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Abstract
The invention discloses a method and device for application traffic identification. For each data packet in the session produced by an application, the protocols matching the application are selected from a large number of defined protocols according to the state of the strings in the packet and the features of the packet; then, according to protocol priority, the highest-priority protocol among those matching the application is selected as the protocol on which the application is based. Because the protocol finally selected both matches the application and has the highest priority, identifying the application according to that protocol effectively improves the accuracy of application identification.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a method and device for application traffic identification.
Background
In existing application-based traffic identification technology, it is first necessary to determine which application produced a data packet. To do so, the content of the packets produced by the application is analyzed to determine the protocol on which the packets are based, and the application that produced the packets is then identified from the correspondence between protocols and applications. The protocol here includes both the content of the standard transport protocol and the content of some specific protocols for the application.
However, with the development of communication technology, the number and variety of applications keep increasing and protocols are becoming more and more homogeneous, so conventional application identification technology may be unable to accurately identify applications whose protocols are highly homogeneous. Applications with highly homogeneous protocols are applications whose packets are based on protocols with relatively similar content.
For example, the QQ video application and the QQ voice application are two highly homogeneous applications. When two clients run the QQ video application and the QQ voice application respectively with a server, flow control of the packets produced by the two applications first requires analyzing the packets in the sessions they produce in order to identify which application each one is. However, in some scenarios the QQ video and QQ voice applications use the same protocols (for example, both run on the same QQ server, and the standard transport protocol and a certain specific protocol for the instant messaging service are the same for the video packets and the voice packets they produce). The QQ video application and the QQ voice application are therefore easily both identified as the QQ voice application (or both as the QQ video application), which causes false positives in application identification; at the same time, because two different applications are identified as the same application, application identification also produces false negatives.
As another example, HTTP is built on top of TCP, so an HTTP-based application and a TCP-based application are highly homogeneous applications. For instance, a web-page video browsing application is based on HTTP, but if the protocol on which its packets are based is determined to be TCP, the web-page video browsing application is easily identified as a client video browsing application, so that application identification produces false positives.
In summary, as the number and variety of applications increase, more and more highly homogeneous applications appear, which raises the false positive rate and false negative rate of application identification.
Summary of the invention
The embodiments of the present invention provide a method and device for application traffic identification, to solve the prior-art problem that the accuracy of application identification is low because of protocol homogeneity.
The embodiments of the present invention adopt the following technical solutions:
A method for application traffic identification, the method comprising:
taking each data packet in the session produced by an application in turn as the pending packet and performing the following operations on it:
determining, according to a preset string set, the target string subset, i.e. the strings of the string set that are hit by the strings in the pending packet;
finding, from a preset protocol set, the protocols that match the target strings in the target string subset, where the strings targeted by each protocol found include at least one target string of the target string subset;
judging whether the screening conditions for strings in each protocol found match the state, in the pending packet, of the target strings in the target string subset, and determining the protocols whose screening conditions match that state;
judging whether the screening conditions for packets in each protocol so determined match the features of the pending packet, and selecting the protocols whose screening conditions match the features of the pending packet;
extracting the highest-priority protocol from the selected protocols, comparing its priority with that of the cached protocol, and determining the protocol with the highest priority as the protocol corresponding to the session;
after the above operations have been performed on all packets in the session, identifying the application according to the protocol finally determined for the session.
In the embodiments of the present invention, for each packet in the session produced by an application, the protocols matching the application are selected from a large number of defined protocols according to the state of the strings in the packet and the features of the packet; then, according to protocol priority, the highest-priority protocol among those matching the application is selected as the protocol on which the application is based. Because the protocol finally selected both matches the application and has the highest priority, identifying the application according to that protocol effectively improves the accuracy of application traffic identification.
Preferably, the screening conditions for strings in a protocol found include: the offset or search range, in the pending packet, of a target string of the target string subset, and, when the pending packet contains multiple target strings of the target string subset, the logical relation between those target strings;
judging whether the screening conditions for strings in each protocol found match the state, in the pending packet, of the target strings in the target string subset, and determining the protocols whose screening conditions for strings match that state, specifically includes:
performing the following operations on the protocols found, one after another, until all of them have been processed: determining the target strings, contained in the target string subset, that a protocol targets; comparing the offset or search range and the logical relation specified in that protocol's screening conditions for strings with the actual offset or search range and logical relation of the determined target strings in the pending packet; and, when the comparison results are identical, taking the protocol as a determined protocol.
In the embodiments of the present invention, the screening conditions for strings in a protocol, i.e. the offset or search range and the logical relation that the protocol specifies for strings, are compared with the actual offset or search range and logical relation of the determined target strings in the pending packet, and an accurate protocol is determined from the comparison result. This step is the preliminary screening process of the application traffic identification method provided by the present invention, and it improves the accuracy of the protocol to a certain extent.
Preferably, the screening conditions for packets in a determined protocol include: transport type, port type, and whether other protocols are relied on;
judging whether the screening conditions for packets in each determined protocol match the features of the pending packet, and selecting the protocols whose screening conditions match the features of the pending packet, specifically includes:
performing the following operations on the determined protocols, one after another, until all of them have been processed: comparing the transport type, port type and reliance on other protocols specified in a protocol's screening conditions for packets with the actual transport type, port type and reliance on other protocols of the pending packet; and, when the comparison results are identical, taking the protocol as a selected protocol.
In the embodiments of the present invention, the screening conditions for packets in a protocol, i.e. the transport type, port type and reliance on other protocols specified in those conditions, are compared with the actual transport type, port type and reliance on other protocols of the pending packet, and an accurate protocol is determined from the comparison result. This step is the protocol screening process carried out for the packet in the application traffic identification method provided by the present invention, and it improves the accuracy of the protocol to a certain extent.
Preferably, comparing the priority of the highest-priority protocol extracted this time with that of the cached protocol specifically includes: comparing the highest-priority protocol extracted this time with the protocol determined for the session when the operations were performed on the previous packet.
In the embodiments of the present invention, the protocol determined this time is screened again by priority against the highest-priority protocol determined for the earlier packets, which improves protocol screening efficiency while also improving the accuracy of protocol identification.
Preferably, after the highest-priority protocol is extracted this time from the selected protocols, and before the highest-priority protocol is extracted when the operations are performed on the next packet, the method further includes: caching the highest-priority protocol extracted this time from the selected protocols.
In the embodiments of the present invention, the highest-priority protocol extracted each time is cached in a preset buffer area, so that after the highest-priority protocol is extracted the next time, it can be compared directly with the protocol in the buffer area.
A device for application traffic identification, the device comprising:
a packet reading unit, configured to read in turn each packet in the session produced by an application and to send the packet read to the string search unit as the pending packet;
a string search unit, configured to determine, according to a preset string set, the target string subset, i.e. the strings of the string set that are hit by the strings in the received pending packet;
a protocol lookup unit, configured to find, from a preset protocol set, the protocols matching the target strings in the target string subset determined by the string search unit, where the strings targeted by each protocol found include at least one target string of the target string subset;
a first screening unit, configured to judge whether the screening conditions for strings in the protocols found by the protocol lookup unit match the state, in the pending packet, of the target strings in the target string subset determined by the string search unit, and to determine the protocols whose screening conditions match that state;
a second screening unit, configured to judge whether the screening conditions for packets in the protocols determined by the first screening unit match the features of the pending packet, and to select the protocols whose screening conditions match the features of the pending packet;
a third screening unit, configured to extract the highest-priority protocol from the protocols selected by the second screening unit, to compare its priority with that of the cached protocol, and to determine the protocol with the highest priority as the protocol corresponding to the session;
an application identification unit, configured to identify the application according to the protocol finally determined by the third screening unit, after the packet reading unit has read all packets in the session in turn.
In the embodiments of the present invention, for each packet in the session produced by an application, the protocols matching the application are selected from a large number of defined protocols according to the state of the strings in the packet and the features of the packet; then, according to protocol priority, the highest-priority protocol among those matching the application is selected as the protocol on which the application is based. Because the protocol finally selected both matches the application and has the highest priority, identifying the application according to that protocol effectively improves the accuracy of application traffic identification.
Preferably, the first screening unit is specifically configured to perform the following operations on the protocols found, one after another, until all protocols found by the protocol lookup unit have been processed:
determining the target strings, contained in the target string subset, that a protocol targets; comparing the offset or search range and the logical relation specified in that protocol's screening conditions for strings with the actual offset or search range and logical relation of the determined target strings in the pending packet; and, when the comparison results are identical, taking the protocol as a determined protocol;
where the screening conditions for strings in the protocol include: the offset or search range, in the pending packet, of a target string of the target string subset, and, when the pending packet contains multiple target strings of the target string subset, the logical relation between those target strings.
In the embodiments of the present invention, the screening conditions for strings in a protocol, i.e. the offset or search range and the logical relation that the protocol specifies for strings, are compared with the actual offset or search range and logical relation of the determined target strings in the pending packet, and an accurate protocol is determined from the comparison result. This step is the preliminary screening process of the application traffic identification method provided by the present invention, and it improves the accuracy of the protocol to a certain extent.
Preferably, the second screening unit is specifically configured to perform the following operations on the protocols determined by the first screening unit, one after another, until all determined protocols have been processed:
comparing the transport type, port type and reliance on other protocols specified in a protocol's screening conditions for packets with the actual transport type, port type and reliance on other protocols of the pending packet; and, when the comparison results are identical, taking the protocol as a selected protocol;
where the screening conditions for packets in the protocol include: transport type, port type, and whether other protocols are relied on.
In the embodiments of the present invention, the screening conditions for packets in a protocol, i.e. the transport type, port type and reliance on other protocols specified in those conditions, are compared with the actual transport type, port type and reliance on other protocols of the pending packet, and an accurate protocol is determined from the comparison result. This step is the protocol screening process carried out for the packet in the application traffic identification method provided by the present invention, and it improves the accuracy of the protocol to a certain extent.
Preferably, the third screening unit is specifically configured to compare the highest-priority protocol extracted this time with the protocol determined for the session for the previous packet.
In the embodiments of the present invention, the protocol determined this time is screened again by priority against the highest-priority protocol determined for the earlier packets, which improves protocol screening efficiency while also improving the accuracy of protocol identification.
Preferably, the third screening unit is further configured to cache the highest-priority protocol extracted from the selected protocols.
In the embodiments of the present invention, the highest-priority protocol extracted each time is cached in a preset buffer area, so that after the highest-priority protocol is extracted the next time, it can be compared directly with the protocol in the buffer area.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of the steps of the application traffic identification method in Embodiment 1 of the present invention;
Fig. 2 is a flow chart of step 106 as performed for a protocol in Embodiment 1 of the present invention;
Fig. 3 is a flow chart of step 106 as performed for a string in Embodiment 1 of the present invention;
Fig. 4 is a flow chart of step 107 as performed for a protocol in Embodiment 1 of the present invention;
Fig. 5 is a schematic structural diagram of the application traffic identification device in Embodiment 2 of the present invention.
Detailed description of the embodiments
In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In order to improve the accuracy of application identification and reduce the false positive rate and false negative rate, the embodiments of the present invention propose an application traffic identification scheme. Before application traffic identification is carried out, a corresponding protocol is defined for each application in advance, and the state of the strings in a packet, the features of the packet and the priority of the protocol are written into the defined protocol. When a given application is to be identified, the protocols matching the application can then be selected from a large number of defined protocols according to the state of the strings in each packet of the session produced by the application and the features of the packet, and the highest-priority protocol among those matching the application is selected, according to protocol priority, as the protocol on which the application is based. Because the protocol finally selected both matches the application and has the highest priority, identifying the application according to that protocol effectively improves the accuracy of application identification.
In the embodiments of the present invention, a corresponding protocol must be defined for each application in advance. Specific approaches include but are not limited to the following.
First, a corresponding protocol is defined for each application. For any protocol, the defined protocol content includes but is not limited to:
(1) The protocol's screening conditions for strings, which comprise two parts:
The first part is the strings the protocol targets; a protocol may target one or more strings.
The second part is the screening conditions of the strings the protocol targets. These screening conditions are the state of a string in the packet, for example the offset or search range of the string in the packet (i.e., the position of the string in the packet), or the logical relation between multiple strings (an "and" or "or" relation between the strings).
Both parts can in fact be expressed by the screening conditions for strings, with the strings targeted by those screening conditions serving as the first part above.
(2) The protocol's screening conditions for packets, which are features of the packet, for example the transport type, including the Transmission Control Protocol (TCP) transport type, the User Datagram Protocol (UDP) transport type, and so on. The features of the packet may also be the port type, whether other protocols are relied on, and so on.
(3) The priority of the protocol.
Then, the defined protocols are stored in a storage space allocated in advance, and the stored protocols are named so that the stored protocol names are mutually distinct, ensuring that the corresponding protocol can be uniquely found by protocol name (for example, App ID).
In addition to protocol content and protocol names, the storage space may also store the correspondence between protocols and applications; specifically, this correspondence can be reflected by establishing a correspondence between protocol names and application names.
The solution of the present invention is described in detail below with reference to specific embodiments. It should be noted that the present invention is not limited to the following embodiments.
Embodiment 1:
Embodiment 1 of the present invention provides a method for application traffic identification which, as shown in Fig. 1, mainly includes the following steps:
Step 101: determine the packets in the session produced by an application.
Step 102: judge whether the session contains unprocessed packets; if so, perform step 103; otherwise, perform step 110.
In step 102, multiple applications can be handled: the packets in the sessions produced by multiple applications are processed in parallel, and each session is processed in the same way.
Step 103: take one currently unprocessed packet as the pending packet.
In step 103, since the packets in a session are arranged in order, the first of the currently unprocessed packets, in packet order, can be taken as the pending packet.
Step 104: according to a preset string set, determine the target string subset, i.e. the strings of the string set that are hit by the strings in the pending packet.
In step 104, a multi-pattern matching algorithm such as the AC algorithm can be used to determine the target string subset hit in the string set by the strings in the pending packet.
Taking the AC algorithm as an example: given a string of length n and a string set P = {p1, p2, ..., pm}, the AC algorithm finds, within a certain time complexity, all target strings of the string set that occur in the string of length n. Applied to the scheme of Embodiment 1, suppose the string set contains m strings: string 1, string 2, ..., string m. After the pending packet is obtained, all target strings are found from the string set for the strings contained in the pending packet (in general, the strings of the pending packet can be regarded as the string of length n), and these target strings form the target string subset.
Step 105: find, from a preset protocol set, the protocols that match the target strings in the target string subset, where the strings targeted by each protocol found include at least one target string of the target string subset.
The preset protocol set is the set formed by the stored protocols.
Since the content of a predefined protocol contains the strings the protocol targets (a protocol may target one string or multiple strings), in step 105 each target string can be matched against the strings targeted by each protocol in the protocol set to find the matching protocols. Suppose the target string subset determined in step 104 contains three target strings, namely target string 1, target string 2 and target string 3; then 10 protocols may be found, and the strings targeted by any one of these 10 protocols include at least one of target string 1, target string 2 and target string 3.
Step 106: judge whether the screening conditions for strings in each protocol found match the state, in the pending packet, of the target strings in the target string subset, and determine the protocols whose screening conditions match that state.
Step 106 is the preliminary screening of the protocols found in step 105.
Since a protocol is defined according to its corresponding application, the screening conditions for strings in a protocol are the conditions that the strings in packets produced by the protocol's application should satisfy. Therefore, in this step 105, a protocol whose screening conditions for strings match the state of the target strings in the pending packet may be the protocol on which the application producing the pending packet is based.
Step 107: judge whether the screening conditions for packets in each determined protocol match the features of the pending packet, and select the protocols whose screening conditions match the features of the pending packet.
Step 107 is a further screening of the result of step 106.
The screening conditions for packets in a protocol are the features that packets produced by the protocol's application should have. Therefore, in step 107, a protocol whose screening conditions for packets match the features of the pending packet may be the protocol on which the application producing the pending packet is based.
Step 108: extract the highest-priority protocol from the selected protocols.
Step 108 is a further screening of the result of step 107.
If the result of step 107 is multiple protocols, step 108 selects the highest-priority protocol among them; if the result of step 107 is a single protocol, step 108 takes that protocol directly as the highest-priority protocol.
Steps 103 to 108 complete the analysis of the content of the pending packet; the protocol determined in step 108 is the protocol to which the application producing this pending packet may correspond, as obtained from the content analysis of this pending packet.
Step 109: compare the priority of the extracted protocol with that of the cached protocol, determine the protocol with the highest priority as the protocol corresponding to the session, and jump to step 102.
Specifically, the protocol name of the protocol determined for the session can be written into the label of the session, and the protocol corresponding to the session is determined from the protocol name written in the session's label.
Embodiment one analyzes each packet in the session in turn. By the time the analysis of the current pending packet completes, several earlier packets may already have been analyzed, and the results of analyzing them (that is, the protocols extracted after the earlier packets went through steps 103 to 107) are held in a cache. This is because the processing of the next pending packet may depend on the protocols that the previous pending packet selected in step 107, and the protocol depended on is not necessarily the highest-priority protocol determined in step 108. Therefore, the protocols that each pending packet selects in step 107 can be cached. The cache can of course distinguish the priority of each protocol, for example by caching protocols in different cache areas according to their priority.
The protocol extracted for this pending packet in step 108 is analyzed together with the protocols in the cache to determine the protocol that the session produced by the application most probably corresponds to. The protocol determined in step 109 may be the one just determined in step 108, or it may be one of the cached protocols. Whichever protocol step 109 finally determines to have the highest priority, the protocol just determined in step 108 can also be added to the cache.
Preferably, when a protocol is cached, its protocol name can be used to identify the cached protocol.
Preferably, after steps 103 to 108 have extracted the highest-priority protocol for this pending packet, it need not be compared with all cached protocols. Instead, it can be compared with the protocol determined for the session after step 109 was performed for the previous packet; that is, the highest-priority protocol extracted by steps 103 to 108 for this pending packet is compared with the highest-priority protocol already cached.
Step 110: Identify the application according to the protocol finally determined for the session.
With the scheme of embodiment one, the protocols of applications are precisely defined, and the correspondence between strings and protocols, the screening conditions for strings and for packets within each protocol, and the priority-based screening condition together achieve accurate screening for each packet in the session. Identifying the application from the finally selected protocol effectively improves the accuracy of application traffic identification and reduces its false-positive and false-negative rates. Further, traffic control can be applied to the packets in the session based on the identification result of step 110; when the identification result is more accurate, the effectiveness of traffic control is effectively improved.
The implementation of steps 106 and 107 in embodiment one is illustrated below with concrete examples.
In embodiment one, the screening conditions for strings involved in step 106 include but are not limited to: the offset or search range of a target string in the pending packet, and, when the pending packet contains multiple target strings from the target string subset, the logical relationship between those target strings.
Specifically, the implementation of step 106 includes the following sub-steps, as shown in Figure 2:
Sub-step A1: Judge whether all protocols found in step 105 have been screened. If so, perform sub-step A5; if not, perform sub-step A2.
Sub-step A2: Take a protocol that has not yet been screened and determine the target strings it targets that are included in the target string subset.
Sub-step A3: Match the actual state of the determined target strings in the pending packet against this protocol's screening conditions for strings. If they match, perform sub-step A4; otherwise, discard this protocol and jump to sub-step A1.
Specifically, the offset or search range and the logical relationship specified in this protocol's screening conditions for strings are compared with the actual offset or search range and logical relationship of the determined target strings in the pending packet. When the result is identical, sub-step A4 is performed; when it is not, this protocol is discarded.
Sub-step A4: Determine that this protocol has passed the string screening, and jump to sub-step A1.
Sub-step A5: Determine all protocols that passed the string screening, and end.
Sub-steps A1 to A5 above perform the string screening one protocol at a time. Step 106 can also screen the protocols one target string at a time, as shown in Figure 3. Specifically, it may include the following sub-steps:
Sub-step B1: Judge whether all target strings determined in step 104 have been screened. If so, perform sub-step B4; if not, perform sub-step B2.
Sub-step B2: Take a target string that has not yet been screened and, from the protocols found in step 105, determine the protocols whose targeted strings include this target string.
Sub-step B3: Match the actual state of this target string in the pending packet against the string screening conditions in each of the determined protocols. If they match, perform sub-step B4; otherwise, discard the protocol and jump to sub-step B1.
Sub-step B4: Determine that this protocol has passed the string screening, and jump to sub-step B1.
Sub-step B5: Determine all protocols that passed the string screening, and end.
In embodiment one, the screening conditions for packets involved in step 107 include but are not limited to: the transport type of the packet, the port type, and whether the protocol depends on other protocols.
Specifically, the implementation of step 107 includes the following sub-steps, as shown in Figure 4:
Sub-step C1: Judge whether all protocols determined in step 106 have been screened. If so, perform sub-step C5; if not, perform sub-step C2.
Sub-step C2: Take a protocol that has not yet been screened and determine the packet features specified in its screening conditions for packets.
Specifically, the packet features may include: the transport type, the port type, and whether the protocol depends on other protocols.
Sub-step C3: Match the packet features specified in the determined protocol against the features of the pending packet. If they match, perform sub-step C4; otherwise, discard this protocol and jump to sub-step C1.
Sub-step C4: Determine that this protocol has passed the packet screening, and jump to sub-step C1.
Sub-step C5: Determine all protocols that passed the packet screening, and end.
Through the iterative screening above, the protocols that may qualify are screened repeatedly, which improves the accuracy of the selected protocol and makes the subsequent identification of the application more effective.
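The per-packet screening of steps 104 to 109 can be sketched as follows. This is an added example, not code from the patent: the class and function names, the sample protocol definitions, the "and"/"or" encoding of the logical relationship, and the rule that a larger number means a higher priority are all assumptions, and the packets are constructed. Step 109 is implemented in the preferred variant, comparing against the protocol already chosen for the session.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StringCond:                         # screening condition for one target string
    token: bytes
    offset: Optional[int] = None          # required exact offset, if any
    search_range: Optional[tuple] = None  # (start, end) the match must begin in

@dataclass(frozen=True)
class Protocol:                           # hypothetical protocol definition
    name: str
    priority: int                         # assumption: larger value wins
    strings: tuple                        # StringCond entries this protocol targets
    logic: str = "and"                    # relation between its strings: "and" / "or"
    transport: str = "tcp"
    ports: Optional[frozenset] = None     # None means any port
    depends_on: Optional[str] = None      # protocol an earlier packet must have matched

@dataclass(frozen=True)
class Packet:
    transport: str
    dst_port: int
    payload: bytes

def find_hits(payload, string_set):
    """Step 104: map each configured string found in the payload to its offsets."""
    hits = {}
    for token in string_set:
        pos = payload.find(token)
        while pos != -1:
            hits.setdefault(token, []).append(pos)
            pos = payload.find(token, pos + 1)
    return hits

def cond_ok(cond, hits):
    """True if some occurrence of the string satisfies the offset / search range."""
    for pos in hits.get(cond.token, []):
        if cond.offset is not None and pos != cond.offset:
            continue
        if cond.search_range and not cond.search_range[0] <= pos < cond.search_range[1]:
            continue
        return True
    return False

def passes_string_filter(proto, hits):
    """Step 106: combine the per-string results with the protocol's logic."""
    results = [cond_ok(c, hits) for c in proto.strings]
    return all(results) if proto.logic == "and" else any(results)

def passes_packet_filter(proto, pkt, cached):
    """Step 107: transport type, port, and dependency on a cached protocol."""
    if proto.transport != pkt.transport:
        return False
    if proto.ports is not None and pkt.dst_port not in proto.ports:
        return False
    return proto.depends_on is None or proto.depends_on in cached

def classify_session(packets, protocols):
    string_set = {c.token for p in protocols for c in p.strings}
    cached = {}       # survivors of step 107 for earlier packets, keyed by name
    session = None    # protocol currently recorded in the session label
    for pkt in packets:
        hits = find_hits(pkt.payload, string_set)                          # step 104
        found = [p for p in protocols
                 if any(c.token in hits for c in p.strings)]               # step 105
        by_string = [p for p in found if passes_string_filter(p, hits)]    # step 106
        by_packet = [p for p in by_string
                     if passes_packet_filter(p, pkt, cached)]              # step 107
        if by_packet:
            best = max(by_packet, key=lambda p: p.priority)                # step 108
            if session is None or best.priority > session.priority:        # step 109
                session = best
        cached.update({p.name: p for p in by_packet})
    return session.name if session else None                               # step 110

# Constructed protocol definitions and session, for illustration only.
PROTOCOLS = (
    Protocol("http", 1, (StringCond(b"GET ", offset=0),
                         StringCond(b"HTTP/1.", search_range=(0, 64))),
             ports=frozenset({80, 8080})),
    Protocol("demo-video", 5, (StringCond(b"X-Demo-Stream", search_range=(0, 512)),),
             depends_on="http"),
    Protocol("demo-chat", 9, (StringCond(b"GET ", offset=4),)),   # wrong offset
    Protocol("demo-udp", 8, (StringCond(b"HTTP/1."),), transport="udp"),
)
SESSION = [
    Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("tcp", 80, b"GET /stream HTTP/1.1\r\nX-Demo-Stream: 1\r\n\r\n"),
]

if __name__ == "__main__":
    print(classify_session(SESSION, PROTOCOLS))
```

The two higher-priority decoys are dropped by the string and packet screens respectively, and `demo-video` only wins once `http` has been cached from the first packet.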
Corresponding to the application traffic identification method provided by embodiment one of the present invention, embodiment two of the present invention also provides an application traffic identification device, which is described in detail below.
Embodiment two:
Figure 5 is a schematic diagram of the structure of the device in embodiment two of the present invention. The device mainly includes a packet reading unit 201, a string search unit 202, a protocol lookup unit 203, a first screening unit 204, a second screening unit 205, a third screening unit 206 and an application identification unit 207, wherein:
The packet reading unit 201 reads each packet in the session produced by the application in turn and sends each packet read to the string search unit 202 as the pending packet.
The string search unit 202 determines, according to a preset string set, the target string subset formed by the strings in the received pending packet that hit in the string set.
The protocol lookup unit 203 finds, in a preset protocol set, the protocols that match the target strings in the target string subset determined by the string search unit 202, wherein the strings targeted by each protocol found include at least one target string in the target string subset.
The first screening unit 204 judges whether the screening conditions for strings in the protocols found by the protocol lookup unit 203 match the state, in the pending packet, of each target string in the target string subset determined by the string search unit 202, and determines the protocols whose screening conditions match the state of the target strings of the target string subset in the pending packet.
The second screening unit 205 judges whether the screening conditions for packets in the protocols determined by the first screening unit 204 match the features of the pending packet, and selects the protocols whose screening conditions match the features of the pending packet.
The third screening unit 206 extracts the highest-priority protocol from the protocols selected by the second screening unit 205, compares its priority with that of the cached protocols, and determines the highest-priority protocol as the protocol corresponding to the session.
Preferably, the third screening unit 206 is specifically used to compare the highest-priority protocol extracted this time with the protocol determined for the session for the previous packet, and to determine the highest-priority protocol as the protocol corresponding to the session.
Preferably, the third screening unit 206 is also used to cache the highest-priority protocol extracted from the selected protocols, so that the cached protocol is available for a further priority screening for later packets.
The application identification unit 207 identifies the application according to the protocol finally determined by the third screening unit 206, after the packet reading unit 201 has read all packets in the session in turn.
Preferably, the application traffic identification device can also include a traffic control unit, which applies traffic control to the packets in the session according to the identification result of the application identification unit 207.
Preferably, the first screening unit 204 is specifically used to perform the following operations in turn for the protocols found, until all protocols found by the protocol lookup unit 202 have been processed:
Determine the target strings targeted by a protocol that are included in the target string subset, and compare the offset or search range and the logical relationship specified in this protocol's screening conditions for strings with the actual offset or search range and logical relationship of the determined target strings in the pending packet; when the comparison result is identical, take this protocol as a determined protocol;
Wherein the screening conditions for strings in a protocol include: the offset or search range, in the pending packet, of a target string in the target string subset, and, when the pending packet contains multiple target strings from the target string subset, the logical relationship between those target strings.
Preferably, the second screening unit 205 is specifically used to perform the following operations in turn for the protocols determined by the first screening unit 204, until all determined protocols have been processed:
Determine the transport type, the port type and whether other protocols are depended on, as specified in a protocol's screening conditions for packets, and compare them with the actual transport type, port type and dependence on other protocols of the pending packet; when the comparison result is identical, take this protocol as a selected protocol;
Wherein the screening conditions for packets in a protocol include: the transport type, the port type, and whether other protocols are depended on.
Preferably, the device of this embodiment of the present invention can also contain a storage unit that stores the protocols defined in advance for each application, including the protocol name, the protocol content, and the correspondence between protocols and applications. Of course, the storage unit need not be deployed inside the device; it can instead be a standalone network element that can communicate with the device.
The device described in embodiment two of the present invention is able to carry out each step of embodiment one. Functions not covered by the logical units above can also be implemented by other logical units in the device and are not repeated here.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific way, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, and the instruction means implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art can make other changes and modifications to these embodiments once they know the basic inventive concept. The appended claims are therefore intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.
Claims (10)
1. An application traffic identification method, characterized in that the method comprises:
taking each packet in the session produced by an application in turn as the pending packet and performing the following operations:
according to a preset string set, determining the target string subset formed by the strings in the pending packet that hit in the string set;
finding, in a preset protocol set, the protocols that match the target strings in the target string subset, wherein the strings targeted by each protocol found include at least one target string in the target string subset;
judging whether the screening conditions for strings in the protocols found match the state, in the pending packet, of each target string in the target string subset, and determining the protocols whose screening conditions match the state of the target strings of the target string subset in the pending packet;
judging whether the screening conditions for packets in the determined protocols match the features of the pending packet, and selecting the protocols whose screening conditions match the features of the pending packet;
extracting the highest-priority protocol from the selected protocols, comparing its priority with that of the cached protocols, and determining the highest-priority protocol as the protocol corresponding to the session; wherein the cached protocols are the protocols determined after the packets preceding the pending packet in the session underwent the above operations;
after the above operations have been performed on all packets in the session, identifying the application according to the protocol finally determined for the session.
2. The method of claim 1, characterized in that the screening conditions for strings in a protocol include:
the offset or search range, in the pending packet, of a target string in the target string subset, and, when the pending packet contains multiple target strings from the target string subset, the logical relationship between those target strings;
judging whether the screening conditions for strings in the protocols found match the state, in the pending packet, of each target string in the target string subset, and determining the protocols whose screening conditions for strings match the state of the target strings of the target string subset in the pending packet, specifically includes:
performing the following operations in turn for the protocols found, until all protocols found have been processed:
determining the target strings targeted by a protocol that are included in the target string subset;
comparing the offset or search range and the logical relationship specified in this protocol's screening conditions for strings with the actual offset or search range and logical relationship of the determined target strings in the pending packet, and, when the comparison result is identical, taking this protocol as a determined protocol.
3. The method of claim 1, characterized in that the screening conditions for packets in a protocol include:
the transport type, the port type, and whether other protocols are depended on;
judging whether the screening conditions for packets in the determined protocols match the features of the pending packet, and selecting the protocols whose screening conditions match the features of the pending packet, specifically includes:
performing the following operations in turn for the determined protocols, until all determined protocols have been processed:
determining the transport type, the port type and whether other protocols are depended on, as specified in a protocol's screening conditions for packets, and comparing them with the actual transport type, port type and dependence on other protocols of the pending packet, and, when the comparison result is identical, taking this protocol as a selected protocol.
4. The method of claim 1, characterized in that comparing the priority of the highest-priority protocol extracted this time with that of the cached protocols specifically includes:
comparing the highest-priority protocol extracted this time with the protocol determined for the session when the operations were performed for the previous packet.
5. The method of claim 1, characterized in that the method further includes:
caching the highest-priority protocol extracted from the selected protocols.
6. An application traffic identification device, characterized in that the device comprises:
a packet reading unit, for reading each packet in the session produced by an application in turn and sending each packet read to a string search unit as the pending packet;
the string search unit, for determining, according to a preset string set, the target string subset formed by the strings in the received pending packet that hit in the string set;
a protocol lookup unit, for finding, in a preset protocol set, the protocols that match the target strings in the target string subset determined by the string search unit, wherein the strings targeted by each protocol found include at least one target string in the target string subset;
a first screening unit, for judging whether the screening conditions for strings in the protocols found by the protocol lookup unit match the state, in the pending packet, of each target string in the target string subset determined by the string search unit, and determining the protocols whose screening conditions match the state of the target strings of the target string subset in the pending packet;
a second screening unit, for judging whether the screening conditions for packets in the protocols determined by the first screening unit match the features of the pending packet, and selecting the protocols whose screening conditions match the features of the pending packet;
a third screening unit, for extracting the highest-priority protocol from the protocols selected by the second screening unit, comparing its priority with that of the cached protocols, and determining the highest-priority protocol as the protocol corresponding to the session; wherein the cached protocols are the protocols determined after the packets preceding the pending packet in the session were processed by the device;
an application identification unit, for identifying the application according to the protocol finally determined by the third screening unit, after the packet reading unit has read all packets in the session in turn.
7. The device of claim 6, characterized in that
the first screening unit is specifically used to perform the following operations in turn for the protocols found, until all protocols found by the protocol lookup unit have been processed:
determining the target strings targeted by a protocol that are included in the target string subset, and comparing the offset or search range and the logical relationship specified in this protocol's screening conditions for strings with the actual offset or search range and logical relationship of the determined target strings in the pending packet, and, when the comparison result is identical, taking this protocol as a determined protocol;
wherein the screening conditions for strings in a protocol include: the offset or search range, in the pending packet, of a target string in the target string subset, and, when the pending packet contains multiple target strings from the target string subset, the logical relationship between those target strings.
8. The device of claim 6, characterized in that
the second screening unit is specifically used to perform the following operations in turn for the protocols determined by the first screening unit, until all determined protocols have been processed:
determining the transport type, the port type and whether other protocols are depended on, as specified in a protocol's screening conditions for packets, and comparing them with the actual transport type, port type and dependence on other protocols of the pending packet, and, when the comparison result is identical, taking this protocol as a selected protocol;
wherein the screening conditions for packets in a protocol include: the transport type, the port type, and whether other protocols are depended on.
9. The device of claim 6, characterized in that
the third screening unit is specifically used to compare the highest-priority protocol extracted this time with the protocol determined for the session for the previous packet.
10. The device of claim 6, characterized in that
the third screening unit is also used to cache the highest-priority protocol extracted from the selected protocols.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310418298.3A CN103491025B (en) | 2013-09-13 | 2013-09-13 | A kind of method and device of application traffic identification |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310418298.3A CN103491025B (en) | 2013-09-13 | 2013-09-13 | A kind of method and device of application traffic identification |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103491025A CN103491025A (en) | 2014-01-01 |
CN103491025B true CN103491025B (en) | 2016-10-19 |
Family
ID=49830994
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310418298.3A Active CN103491025B (en) | 2013-09-13 | 2013-09-13 | A kind of method and device of application traffic identification |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103491025B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN103491025A (en) | 2014-01-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CP01 | Change in the name or title of a patent holder |
Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building Patentee after: NSFOCUS Technologies Group Co.,Ltd. Patentee after: NSFOCUS TECHNOLOGIES Inc. Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd. Patentee before: NSFOCUS TECHNOLOGIES Inc. |