CN103746867A - Primary function-based network protocol analyzing method - Google Patents

Primary function-based network protocol analyzing method Download PDF

Info

Publication number
CN103746867A
CN103746867A CN201310718896.2A CN201310718896A CN103746867A CN 103746867 A CN103746867 A CN 103746867A CN 201310718896 A CN201310718896 A CN 201310718896A CN 103746867 A CN103746867 A CN 103746867A
Authority
CN
China
Prior art keywords
function
protocol
mode
data
target protocol
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201310718896.2A
Other languages
Chinese (zh)
Other versions
CN103746867B (en
Inventor
王巍
曹春杰
许小丰
杨红娃
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CETC 36 Research Institute
Original Assignee
CETC 36 Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CETC 36 Research Institute filed Critical CETC 36 Research Institute
Priority to CN201310718896.2A priority Critical patent/CN103746867B/en
Publication of CN103746867A publication Critical patent/CN103746867A/en
Application granted granted Critical
Publication of CN103746867B publication Critical patent/CN103746867B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Communication Control (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a primary function-based network protocol analyzing method. The method comprises the following steps that: a primary function library and a primary function mode combination mode library of a protocol with the known structure are established; when data sent by a target network are received, a structure of a target protocol corresponding to the target network is characterized by the data and the existing primary function mode combination mode; determination is carried out based on the structure of the target protocol; and if the data are data of the protocol with the known structure, the target protocol is analyzed by using a layering method; and if the data are data of the protocol with unknown structure, a primary function mode combination mode corresponding to the target protocol is generated by using the existing primary function or a new primary function. According to the invention, problems of rapid protocol identification and precise analyzing processing can be solved.

Description

A kind of network protocol analysis method based on basic function
Technical field
The present invention relates to field of computer technology, relate in particular to a kind of network protocol analysis method based on basic function.
Background technology
Network protocol analysis is the key problem of numerous focus of attentions in network management and network security research field.Network protocol analysis is by catching the packet in network, analyze the stem of packet and details and the statistics that data field provides agreement, and then data are sorted out and analyzed, thereby further help the potential potential safety hazard of discovering network, and accident analysis information can be provided when network breaks down.Network protocol analysis can make network management personnel locate rapidly and accurately failure cause, finds out the network node, procotol and the network link that cause fault, recovers the normal operation of network with the fastest speed.In addition, network protocol analysis can also be by analyzing network service situation and network connection state, and the reasonable distribution to network performance and resource provides reliable basis for planning and adjusting network.
But because existing network protocol presents variation, privatization, protocal analysis personnel are faced with the problem that protocol type is more and more, protocol status space becomes increasingly complex.
Existing a lot of protocal analysis method is used the method for string matching mostly, because this method has been used a large amount of matching process, so speed is slower.And there is based on statistical protocal analysis method the shortcoming that accuracy is not high in other.In addition the proprietary protocol that these methods all can not Dui Gejia network company is analyzed.
Summary of the invention
In view of above-mentioned analysis, the present invention aims to provide a kind of network protocol analysis method based on basic function, the slow and not high problem of accuracy of protocol identification speed that the protocol type existing in current network analysis field is various in order to solve, protocol status spatial complex, proprietary protocol are underground etc. brings.
Object of the present invention is mainly achieved through the following technical solutions:
The invention provides a kind of network protocol analysis method based on basic function, comprising:
Set up the primary function mode compound mode storehouse of basic function storehouse and known structure agreement;
When receiving data that objective network sends as input data, utilize these data and existing primary function mode compound mode to characterize the structure of the target protocol that this objective network is corresponding;
According to the structure of this target protocol, judge: if the agreement that this target protocol is known structure adopts the method for layering to analyze this target protocol; If the agreement that this target protocol is unknown structure, utilizes existing basic function or new basic function to generate primary function mode compound mode corresponding to this target protocol.
Further, utilize walsh function to set up the primary function mode compound mode storehouse of basic function storehouse and known structure agreement.Specifically comprise:
Walsh function is defined as follows:
If with wal (k, t) (k=0,1 ...) represent interval t ∈ [0,1) on walsh function, it is defined as following formula:
wal(2k,t)=wal(k,2t)+(-1) kwal(k,2t-1),k=1,2,…
wal(2k+1,t)=wal(k,2t)+(-1) k+1wal(k,2t-1),k=0,1,…
wal ( 0 , t ) = 1 , 0 &le; t < 1 0 , t < 0 , t &GreaterEqual; 1
Be defined as follows conversion by walsh function ± 1 be converted to 0,1 bit stream:
f ( w ) = 1 , w = - 1 0 , w = 1
Adopt conversion f (x) obtain one group of orthogonal basis function base (k, t) (k=0,1 ...):
base(2k,t)=f(wal(2k,t)),k=1,2,…
base(2k+1,t)=f(wal(2k+1,t)),k=0,1,…
base(0,t)=f(wal(0,t))
This group orthogonal basis function base is basic function storehouse, utilizes the various combination pattern of this group orthogonal basis function to explain all known protocols, just obtains the primary function mode compound mode storehouse of known structure agreement.
Further, the described step of utilizing existing primary function mode compound mode to characterize the structure of target protocol specifically comprises:
The data of the objective network that utilizes existing primary function mode compound mode and receive, the mode of employing time slip is described the time m-structure distribution figure of this target protocol;
According to the time m-structure distribution figure of target protocol, be described and obtain primary function mode combination-matching rate distribution map, by this primary function mode combination-matching rate branch relation, characterize the structure of target protocol.
Further, according to following method, obtain m-structure distribution figure when above-mentioned:
Suppose that C is the set of set of basis function syntype, to each existing set of basis function syntype c 1, c 2..., c cn∈ C, the employing time mode of sliding and the data that receive are carried out XOR add operation, obtain the structured value under every kind of integrated mode, for a certain integrated mode with input data I={ b 1, b 2..., b n, calculate
Figure BDA0000444450940000032
if n>cf makes i repeat from 1 to cf here, i.e. i=1~cf, 1~cf..., thus obtain inputting the time m-structure distribution figure of data.
Further, according to following method, obtain above-mentioned primary function mode combination-matching rate distribution map:
To different set of basis function syntype c i, by input data time m-structure distribution figure all data be added, obtain the structure matching numerical value (c of each set of basis function syntype i, m i), i ∈ 1,2 ..., c n;
Utilize the structure matching numerical value of all known set of basis function syntypes to draw set of basis function syntype-matching rate distribution map, wherein abscissa is known set of basis function syntype, and ordinate is structure matching numerical value.
Further, the step judging according to the structure of target protocol specifically comprises:
Maximum matching rate numerical value m in primary function mode combination-matching rate distribution map and the first predetermined threshold t1 are compared:
If m is more than or equal to t1, think that this target protocol is the agreement of known structure, adopt the method for layering to analyze this target protocol;
If m is less than t1, think that this target protocol is proprietary protocol, utilize existing basic function or new basic function to generate primary function mode compound mode corresponding to this target protocol.
Further, the step that the method for employing layering is analyzed this target protocol specifically comprises:
(0) data that objective network sent are as input data d;
(1), for input data d, utilize its set of basis function syntype to extract the outermost layer protocol characteristic field f of input data d 1, f 2..., f fn, the input protocol information receiving is divided into protocol header fields H and upper-layer protocol data supD;
(2) resolve all feature field that header field H comprises;
(3) judge whether upper-layer protocol data supD length is 0, is to stop;
(4) the upper-layer protocol data supD obtaining after cutting apart is carried out to protocol architecture sign;
(5) using by the upper-layer protocol data of structural characterization as input data, turn (1);
Until these data are all processed complete.
Further, the step of utilizing existing basic function or new basic function to generate primary function mode compound mode corresponding to this target protocol specifically comprises:
If F is basic function set, C is the set of set of basis function syntype
1) first utilize existing basic function f 1, f 2..., f cf∈ F, adopts and is different from the new integrated mode in integrated mode storehouse
Figure BDA0000444450940000041
get at random new k ivalue, makes new c not belong to C, describes the structure distribution figure of target protocol;
2) utilize the structure matching numerical value of all new set of basis function syntype c to draw primary function mode combination-matching rate distribution map;
3) more maximum matching rate numerical value m and the second predetermined threshold t2:
If m is more than or equal to t2, by new primary function mode integrated mode c corresponding to this agreement nadd set of basis function syntype storehouse C, stop;
If m is less than t2, the dimension of basic function is added to 1, obtaining new basic function f cf+1add basic function storehouse F, go to step 1).
Beneficial effect of the present invention is as follows:
The invention provides a kind of network protocol analysis method based on basic function, the problem of can resolution protocol identify fast, Accurate Analysis being processed.
Other features and advantages of the present invention will be set forth in the following description, and, the becoming apparent from specification of part, or understand by implementing the present invention.Object of the present invention and other advantages can be realized and be obtained by specifically noted structure in the specification write, claims and accompanying drawing.
Accompanying drawing explanation
Fig. 1 is the schematic flow sheet of method described in the embodiment of the present invention;
Fig. 2 is described in the embodiment of the present invention in method, the time m-structure distribution figure of input data;
Fig. 3 is described in the embodiment of the present invention in method, set of basis function syntype-matching rate distribution map;
Fig. 4 is described in the embodiment of the present invention in method, agreement is carried out to the schematic diagram of bed-by-bed analysis;
Fig. 5 is described in the embodiment of the present invention in method, the result schematic diagram that protocol data is analyzed.
Embodiment
The method of the invention mainly comprises: the primary function mode compound mode storehouse of setting up basic function storehouse and known structure agreement; When the data that receive objective network and send, utilize these data and existing primary function mode compound mode to characterize the structure of the target protocol that this objective network is corresponding; According to the structure of this target protocol, judge: if the agreement that this target protocol is known structure adopts the method for layering to analyze this target protocol; If the agreement that this target protocol is unknown structure, utilizes existing basic function or new basic function to generate primary function mode compound mode corresponding to this target protocol.
Below in conjunction with accompanying drawing, specifically describe the preferred embodiments of the present invention, wherein, accompanying drawing forms the application's part, and together with embodiments of the present invention for explaining principle of the present invention.
As shown in Figure 1, Fig. 1 is the schematic flow sheet of method described in the embodiment of the present invention, specifically can comprise the steps:
Step 101: utilize walsh function to set up the primary function mode compound mode storehouse of basic function storehouse and known structure agreement:;
Because the feature field of existing protocol is varied, thus need to use a small amount of information to explain the feature field of a large amount of agreements, thus provide basis for the analysis of agreement.
Because Walsh (Walsh) function cording has functional value, be ± 1, the feature such as orthogonality, so adopt Walsh (Walsh) function as basic function, protocol architecture to be characterized in the embodiment of the present invention, certainly, adopt other similar functions also passable.
Walsh (Walsh) function definition is as follows:
If with wal (k, t) (k=0,1 ...) represent interval t ∈ [0,1) on walsh function, it is defined as following formula:
wal(2k,t)=wal(k,2t)+(-1) kwal(k,2t-1),k=1,2,…
wal(2k+1,t)=wal(k,2t)+(-1) k+1wal(k,2t-1),k=0,1,…
wal ( 0 , t ) = 1 , 0 &le; t < 1 0 , t < 0 , t &GreaterEqual; 1
After having had Walsh (Walsh) function, the embodiment of the present invention be defined as follows conversion by walsh function ± 1 be converted to 0,1 bit stream:
f ( w ) = 1 , w = - 1 0 , w = 1
Adopt conversion f (x) can obtain one group of orthogonal basis function base (k, t) (k=0,1 ...):
base(2k,t)=f(wal(2k,t)),k=1,2,…
base(2k+1,t)=f(wal(2k+1,t)),k=0,1,…
base(0,t)=f(wal(0,t))
Because the protocol data of known structure agreement can be expressed as 0,1 yard of string, thus can explain all known protocols by the various combination pattern of orthogonal basis function base, for the protocol data d={x of certain known structure 1x 2... x n, x i{ 0,1} always can find real number c to ∈ imake
Figure BDA0000444450940000072
wherein M is the quantity of orthogonal basis function base, thereby can set up the primary function mode compound mode storehouse of basic function storehouse and known structure agreement.
Step 102: the data that receiving target network sends are as input data;
Step 103: utilize these data and existing primary function mode compound mode to characterize the structure of the target protocol that this objective network is corresponding;
Be exactly specifically, on the basis of basic function and conversion f (x), the data of the objective network that utilizes existing primary function mode compound mode and receive, the mode of employing time slip is described the time m-structure distribution figure of this target protocol, during then according to this, m-structure distribution figure describes primary function mode combination-matching rate distribution map, thereby whether the data that judge this objective network are protocol datas of known structure, can judge it is whether the agreement that this objective network adopts is known structure agreement.
Suppose that C is the set of set of basis function syntype,
(1) to each existing set of basis function syntype c 1, c 2..., c cn∈ C, the input data that receive in the mode that the employing time slides and step 102 are carried out XOR add operation, obtain every kind of structured value under integrated mode, for a certain integrated mode
Figure BDA0000444450940000081
with input data I={ b 1, b 2..., b n, calculate
(if n>cf makes i repeat from 1 to cf here, i.e. i=1~cf, 1~cf...), thus obtain inputting the time m-structure distribution figure of data, as shown in Figure 2;
(2) to different set of basis function syntype c i, by input data time m-structure distribution figure all data be added, obtain the structure matching numerical value (c of each set of basis function syntype i, m i), i ∈ 1,2 ..., c n;
(3) utilize the structure matching numerical value of all known set of basis function syntypes to draw set of basis function syntype-matching rate distribution map, as shown in Figure 3, wherein abscissa is known set of basis function syntype, and ordinate is structure matching numerical value.
Step 104: find maximum matching rate numerical value in pattern-matching rate distribution map, more maximum matching rate numerical value m and the first predetermined threshold t1:
If m is more than or equal to t1, think that these data are the data of known structure agreement, the target protocol that this objective network is corresponding is known structure agreement, forwards step 105 to, flow process finishes; If m is less than t1, think that these data are the data of proprietary protocol, the target protocol that this objective network is corresponding is proprietary protocol, forwards step 106 to, carries out self study;
Wherein, the first predetermined threshold t1 can manually specify, and it affects the accuracy rate of protocal analysis, generally can be taken as 0.8.
Step 105: the layered protocol analysis based on set of basis function syntype;
Be exactly specifically, because existing communication protocol has layering encapsulation, so adopt set of basis function syntype thought in the embodiment of the present invention, the protocol data receiving is carried out to bed-by-bed analysis, analytic method can adopt this area to have mature technology scheme, and concrete steps are as follows:
105-0: the data that objective network is sent are as input data d;
105-1: for input data d, utilize its set of basis function syntype to extract the outermost layer protocol characteristic field f of input data d 1, f 2..., f fn, the input protocol information receiving is divided into protocol header fields H and upper-layer protocol data supD;
105-2: resolve all feature field that header field H comprises;
105-3: judge whether upper-layer protocol data supD length is 0, is to stop;
105-4: utilize the method for a upper joint to carry out protocol architecture sign to the upper-layer protocol data supD obtaining after cutting apart;
105-5: using by the upper-layer protocol data of structural characterization as input data, turn (1);
That is, be equivalent to (1)-(4) processed a layer protocol, and from outermost layer agreement, every circulation primary, just processes a layer protocol, until data are all handled.
As shown in Figure 4,4 provided the schematic diagram that agreement is carried out to bed-by-bed analysis.As can be seen from Figure 4,, when target protocol is carried out to bed-by-bed analysis, each analysis only adopts basic function to extract the partial information of whole agreement, can reduce like this data volume of processing, accelerates the speed of protocal analysis.
By said method, target protocol is carried out the structural analysis of layering, can simplify the complexity of protocal analysis, and reach accurate object step by step, strengthen the accuracy of protocal analysis.
Step 106: basic function and integrated mode extended method thereof that can self study
Be exactly specifically, due to the uncertainty of proprietary protocol structure, need design to have basic function and the integrated mode extended method thereof of self-learning capability, the self study analytical method that the embodiment of the present invention adopts can be divided into following step:
If F is basic function set, C is the set of set of basis function syntype
106-1: first utilize existing basic function f 1, f 2..., f cf∈ F, adopts and is different from the new integrated mode in integrated mode storehouse
Figure BDA0000444450940000101
get at random new k ivalue, makes new c not belong to C, describes the structure distribution figure of target protocol;
106-2: utilize the structure matching numerical value of all new set of basis function syntype c to draw primary function mode combination-matching rate distribution map;
106-3: more maximum matching rate numerical value m and the second predetermined threshold t2:
If m is more than or equal to t2, explanation can be by the new integrated mode c of existing basic function ntarget protocol is characterized, by new primary function mode integrated mode c corresponding to this agreement nadd set of basis function syntype storehouse C, stop;
If m is less than t2, explanation cannot characterize target protocol by existing basic function, the dimension of basic function is added to 1, obtaining new basic function f cf+1add basic function storehouse F, turn (1);
Wherein, the second predetermined threshold t2 can manually specify, and it affects the accuracy rate that agreement characterizes, and generally can be taken as 0.8.
Above-mentioned self study basic function and integrated mode extended method thereof can form new basic function and mode combinations mode thereof, in order to set up the characteristic manner of proprietary protocol.If after this run into same agreement, can to this agreement, carry out fast characterizing and analysis by set of basis function syntype storehouse.
The protocal analysis method based on the basic function below embodiment of the present invention being proposed is carried out validity explanation.Fig. 5 has provided the result of using matching process, statistical method and put forward the methods to analyze protocol data, and wherein abscissa is the protocol data quantity of input, and ordinate is analysis time.As can be seen from the figure the network protocol analysis method based on basic function that the embodiment of the present invention proposes is better than matching process, statistical method in performance.
In sum, the embodiment of the present invention provides a kind of network protocol analysis method based on basic function, first the sign of the agreement based on basic function thought is analyzed the Internet protocol data of needs analysis, judges that it is the data of known structure agreement or the data of proprietary protocol.Then for the feature of known structure agreement and proprietary protocol, process respectively, for known structure agreement, owing to having adopted in a large number the nested mentality of designing of protocol levels in network now, so the embodiment of the present invention has been used a kind of layered protocol analytical method; For proprietary protocol, the embodiment of the present invention is utilized the thought of self study, build new basic function and protocol data is characterized, and then the agreement that is converted into known structure is analyzed.The embodiment of the present invention can the quick identification of resolution protocol and the problem of Accurate Analysis processing.
The above; be only the present invention's embodiment preferably, but protection scope of the present invention is not limited to this, is anyly familiar with in technical scope that those skilled in the art disclose in the present invention; the variation that can expect easily or replacement, within all should being encompassed in protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection range of claims.

Claims (9)

1. the network protocol analysis method based on basic function, is characterized in that, comprising:
Set up the primary function mode compound mode storehouse of basic function storehouse and known structure agreement;
When receiving data that objective network sends as input data, utilize these data and existing primary function mode compound mode to characterize the structure of the target protocol that this objective network is corresponding;
According to the structure of this target protocol, judge: if the agreement that this target protocol is known structure adopts the method for layering to analyze this target protocol; If the agreement that this target protocol is unknown structure, utilizes existing basic function or new basic function to generate primary function mode compound mode corresponding to this target protocol.
2. method according to claim 1, is characterized in that, utilizes walsh function to set up the primary function mode compound mode storehouse of basic function storehouse and known structure agreement.
3. method according to claim 2, is characterized in that, specifically comprises:
Walsh function is defined as follows:
If with wal (k, t) (k=0,1 ...) represent interval t ∈ [0,1) on walsh function, it is defined as following formula:
wal(2k,t)=wal(k,2t)+(-1) kwal(k,2t-1),k=1,2,…
wal(2k+1,t)=wal(k,2t)+(-1) k+1wal(k,2t-1),k=0,1,…
wal ( 0 , t ) = 1 , 0 &le; t < 1 0 , t < 0 , t &GreaterEqual; 1
Be defined as follows conversion by walsh function ± 1 be converted to 0,1 bit stream:
f ( w ) = 1 , w = - 1 0 , w = 1
Adopt conversion f (x) obtain one group of orthogonal basis function base (k, t) (k=0,1 ...):
base(2k,t)=f(wal(2k,t)),k=1,2,…
base(2k+1,t)=f(wal(2k+1,t)),k=0,1,…
base(0,t)=f(wal(0,t))
This group orthogonal basis function base is basic function storehouse, utilizes the various combination pattern of this group orthogonal basis function to explain all known protocols, just obtains the primary function mode compound mode storehouse of known structure agreement.
4. method according to claim 1, is characterized in that, the described step of utilizing existing primary function mode compound mode to characterize the structure of target protocol specifically comprises:
The data of the objective network that utilizes existing primary function mode compound mode and receive, the mode of employing time slip is described the time m-structure distribution figure of this target protocol;
According to the time m-structure distribution figure of target protocol, be described and obtain primary function mode combination-matching rate distribution map, by this primary function mode combination-matching rate branch relation, characterize the structure of target protocol.
5. method according to claim 4, is characterized in that, according to following method, obtains m-structure distribution figure when above-mentioned:
Suppose that C is the set of set of basis function syntype, to each existing set of basis function syntype c 1, c 2..., c cn∈ C, the employing time mode of sliding and the data that receive are carried out XOR add operation, obtain the structured value under every kind of integrated mode, for a certain integrated mode
Figure FDA0000444450930000021
with input data I={ b 1, b 2..., b n, calculate
Figure FDA0000444450930000022
if n>cf makes i repeat from 1 to cf here, i.e. i=1~cf, 1~cf..., thus obtain inputting the time m-structure distribution figure of data.
6. method according to claim 5, is characterized in that, according to following method, obtains above-mentioned primary function mode combination-matching rate distribution map:
To different set of basis function syntype c i, by input data time m-structure distribution figure all data be added, obtain the structure matching numerical value (c of each set of basis function syntype i, m i), i ∈ 1,2 ..., c n;
Utilize the structure matching numerical value of all known set of basis function syntypes to draw set of basis function syntype-matching rate distribution map, wherein abscissa is known set of basis function syntype, and ordinate is structure matching numerical value.
7. method according to claim 4, is characterized in that, the step judging according to the structure of target protocol specifically comprises:
Maximum matching rate numerical value m in primary function mode combination-matching rate distribution map and the first predetermined threshold t1 are compared:
If m is more than or equal to t1, think that this target protocol is the agreement of known structure, adopt the method for layering to analyze this target protocol;
If m is less than t1, think that this target protocol is proprietary protocol, utilize existing basic function or new basic function to generate primary function mode compound mode corresponding to this target protocol.
8. according to the method described in any one in claim 1 to 7, it is characterized in that, the step that the method for employing layering is analyzed this target protocol specifically comprises:
(0) data that objective network sent are as input data d;
(1), for input data d, utilize its set of basis function syntype to extract the outermost layer protocol characteristic field f of input data d 1, f 2..., f fn, the input protocol information receiving is divided into protocol header fields H and upper-layer protocol data supD;
(2) resolve all feature field that header field H comprises;
(3) judge whether upper-layer protocol data supD length is 0, is to stop;
(4) the upper-layer protocol data supD obtaining after cutting apart is carried out to protocol architecture sign;
(5) using by the upper-layer protocol data of structural characterization as input data, turn (1);
Until these data are all processed complete.
9. according to the method described in any one in claim 1 to 7, it is characterized in that, the step of utilizing existing basic function or new basic function to generate primary function mode compound mode corresponding to this target protocol specifically comprises:
If F is basic function set, C is the set of set of basis function syntype
1) first utilize existing basic function f 1, f 2..., f cf∈ F, adopts and is different from the new integrated mode in integrated mode storehouse
Figure FDA0000444450930000041
get at random new k ivalue, makes new c not belong to C, describes the structure distribution figure of target protocol;
2) utilize the structure matching numerical value of all new set of basis function syntype c to draw primary function mode combination-matching rate distribution map;
3) more maximum matching rate numerical value m and the second predetermined threshold t2:
If m is more than or equal to t2, by new primary function mode integrated mode c corresponding to this agreement nadd set of basis function syntype storehouse C, stop;
If m is less than t2, the dimension of basic function is added to 1, obtaining new basic function f cf+1add basic function storehouse F, go to step 1).
CN201310718896.2A 2013-12-23 2013-12-23 A kind of network protocol analysis method based on basic function Active CN103746867B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310718896.2A CN103746867B (en) 2013-12-23 2013-12-23 A kind of network protocol analysis method based on basic function

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310718896.2A CN103746867B (en) 2013-12-23 2013-12-23 A kind of network protocol analysis method based on basic function

Publications (2)

Publication Number Publication Date
CN103746867A true CN103746867A (en) 2014-04-23
CN103746867B CN103746867B (en) 2016-09-21

Family

ID=50503858

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310718896.2A Active CN103746867B (en) 2013-12-23 2013-12-23 A kind of network protocol analysis method based on basic function

Country Status (1)

Country Link
CN (1) CN103746867B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107689899A (en) * 2017-09-01 2018-02-13 南京南瑞集团公司 A kind of unknown protocol recognition methods and system based on bit stream
CN110445750A (en) * 2019-06-18 2019-11-12 国家计算机网络与信息安全管理中心 A kind of car networking protocol traffic recognition methods and device
CN116032809A (en) * 2022-12-28 2023-04-28 上海天旦网络科技发展有限公司 Network protocol analysis method and system using Wasm

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050001215A1 (en) * 1999-11-30 2005-01-06 Semiconductor Energy Laboratory Co., Ltd. Electric device
CN102045347A (en) * 2010-11-30 2011-05-04 华为技术有限公司 Method and device for identifying protocol
CN103281291A (en) * 2013-02-19 2013-09-04 电子科技大学 Application layer protocol identification method based on Hadoop

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050001215A1 (en) * 1999-11-30 2005-01-06 Semiconductor Energy Laboratory Co., Ltd. Electric device
CN102045347A (en) * 2010-11-30 2011-05-04 华为技术有限公司 Method and device for identifying protocol
CN103281291A (en) * 2013-02-19 2013-09-04 电子科技大学 Application layer protocol identification method based on Hadoop

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107689899A (en) * 2017-09-01 2018-02-13 南京南瑞集团公司 A kind of unknown protocol recognition methods and system based on bit stream
CN110445750A (en) * 2019-06-18 2019-11-12 国家计算机网络与信息安全管理中心 A kind of car networking protocol traffic recognition methods and device
CN116032809A (en) * 2022-12-28 2023-04-28 上海天旦网络科技发展有限公司 Network protocol analysis method and system using Wasm
CN116032809B (en) * 2022-12-28 2024-04-30 上海天旦网络科技发展有限公司 Network protocol analysis method and system using Wasm

Also Published As

Publication number Publication date
CN103746867B (en) 2016-09-21

Similar Documents

Publication Publication Date Title
CN102025563B (en) Network flow identification method based on Hash collision compensation
CN103532940A (en) Network security detection method and device
CN107786994B (en) User perception quality difference analysis method and system for end-to-end wireless service
CN104038375A (en) Alarm processing analysis system and method of broadcasting and TV access network
CN102123044A (en) Detection device and method of network topology consistency based on topology discovery technology
CN106253950A (en) A kind of bandwidth carrier platform district&#39;s recognition methods
CN105024993A (en) Protocol comparison method based on vector operation
CN104599060A (en) Secondary circuit file comparison based intelligent substation debugging scheme generation method
CN105491018A (en) System and method for network data security analysis based on DPI technology
CN103746867A (en) Primary function-based network protocol analyzing method
CN108881042A (en) Data transmission method and data transmission device
Li et al. Detecting anomaly in large-scale network using mobile crowdsourcing
CN106131153A (en) Business recognition method based on intelligent gateway and device
CN102437959B (en) Stream forming method based on dual overtime network message
CN103235791A (en) Optimizing positioning method for fingerprint-matching based on rank order
CN101252477A (en) Determining method and analyzing apparatus of network fault root
CN105357118A (en) Rule based flow classifying method and system
CN103368786B (en) Method and device for testing controller local area network bus data
CN103279816A (en) Active window-based terminal work efficiency statistical method and system
CN107204892B (en) Power communication network operation data processing method and device
CN103023591B (en) Sensing node sampling method and sampling device used for frequency spectrum detection
CN102833772A (en) Method and device for judging base transceiver station single-route and service configuration hidden trouble
CN104680425A (en) Method for establishing improved functional decomposition-based secondary system risk quantification model
CN107992590B (en) Big data system beneficial to information comparison
CN110912767B (en) Single-point measurement method of network flow

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant