CN103873320B - Encryption method for recognizing flux and device - Google Patents

Encryption method for recognizing flux and device

Info

Publication number: CN103873320B
Authority: CN (China)
Application number: CN201310741617.4A
Other languages: Chinese (zh)
Other versions: CN103873320A (en)
Inventors: 高长喜, 贾艳会
Current assignee: Beijing Topsec Technology Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd
Legal status: Active

Events: application filed by Beijing Topsec Technology Co Ltd; priority to CN201310741617.4A; publication of CN103873320A; application granted; publication of CN103873320B; current legal status active.

Abstract

The embodiments of the invention disclose an encrypted traffic identification method and device. The method matches the flow to be identified against the deep packet inspection (DPI) feature of every statistical rule in the statistical rule set and collects the matching rules into a statistical rule subset; it then matches the flow against the flow statistical feature of every rule in that subset and collects the matching rules into a statistical rule identification set; finally it identifies the application type of the rule with the highest priority in the identification set as the application type of the flow. The invention can be used for application-type identification of encrypted traffic and has online identification capability and high identification accuracy.

Description

Encrypted traffic identification method and device
Technical field
The present invention relates to the field of traffic classification and identification technology, and in particular to an encrypted traffic identification method and device.
Background technology
Traffic identification occupies a highly important position in networks: it is the basis of information filtering, traffic analysis, bandwidth management, secure communication, Internet supervision, operations and maintenance, and much else. Traffic identification refers to the technology of dividing the flows on a network into a set of classes (for example, flows of various application types) using information about the flow and the messages in it (for example protocol characteristics, fingerprints and signatures). A flow is the set of IP (Internet Protocol) packets passing one observation point on the network within a fixed time interval that carry the same five-tuple (source IP, source port, destination IP, destination port and protocol type); a flow is one part of the traffic.
Current traffic identification methods mainly include: port-mapping-based traffic identification, IP-address-based traffic identification, DPI (Deep Packet Inspection) based traffic identification and DFI (Deep Flow Inspection) based traffic identification.
Port-mapping-based traffic identification uses well-known ports as the protocol characteristic, for example ports 80 and 53 of HTTP (Hypertext Transfer Protocol) and DNS (Domain Name System), or the fixed service ports of P2P (peer-to-peer) applications. It reads the port information in the packet header and checks whether the connection record uses one of these ports; if a known port matches, the traffic can be identified directly. However, current network applications have gradually introduced dynamically negotiated ports, or use HTTP as the underlying bearer protocol of the application protocol to pass through firewalls, which seriously reduces the identification accuracy of port-mapping-based traffic identification.
IP-address-based traffic identification uses the IP addresses of the network nodes that act as core servers as the protocol characteristic, for example login servers and the super nodes of P2P applications. It can only identify communication between nodes and servers, not direct communication between peer nodes; at the same time super nodes are numerous, dynamic and strongly encrypt their communication, which makes IP-address-based traffic identification complex and affects its real-time performance.
DPI-based traffic identification uses key strings at fixed or unfixed positions as the application signature, goes deep into the application-layer payload of the message for content inspection, and realises traffic identification through multi-pattern matching, regular expression matching, protocol-characteristic packet-length matching and association between different flows; this generally requires byte-by-byte scanning. However, to achieve secure communication more and more applications now encrypt their traffic with negotiated session keys, so that the protocol message characteristics are partially or completely hidden. As a result, for weakly encrypted application traffic DPI-based identification must spend large computing resources on static or dynamic decryption to recover the plaintext protocol, and strongly encrypted application traffic cannot be identified at all.
DFI-based traffic identification does not depend on the message payload; it uses the application's traffic behaviour as the protocol characteristic and classifies traffic with heuristic algorithms or statistical learning methods. For example, heuristic P2P identification algorithms use the transport-layer connection pattern (number of IPs, number of ports, transport protocol, etc.) as the P2P traffic behaviour feature; statistical learning methods use traffic statistical features at the single-flow level (mean and variance of packet length and packet inter-arrival time, inbound/outbound byte ratio, etc.), at the multi-flow level (flow duration, flow byte count, mean and variance of flow packet count, etc.) and at the TCP (Transmission Control Protocol) connection level (number of IPs, ports and packets of SYN (synchronisation, handshake) and ACK (acknowledgement) packets, etc.), and train and classify with machine learning algorithms such as SVM (Support Vector Machine). However, DFI-based traffic identification is only suited to identifying broad application classes and cannot accurately identify concrete applications, and extracting the flow statistical features takes a long time (possibly until the flow ends), so it is also not suited to online traffic identification.
Content of the invention
The technical problem to be solved by the embodiments of the present invention is to provide an encrypted traffic identification method and device with online identification capability and high identification accuracy.
To solve the above technical problem, an embodiment of the present invention provides an encrypted traffic identification method for matching a flow to be identified against statistical rules in order to identify the application type of the flow. A statistical rule includes a rule header, a deep packet inspection (DPI) feature and a flow statistical feature; the rule header indicates the application type corresponding to the rule and the priority of the rule.
Matching the flow to be identified against the statistical rules to identify its application type includes:
matching the flow to be identified against the DPI feature of every statistical rule in the statistical rule set, and generating the matching statistical rules as a statistical rule subset;
matching the flow to be identified against the flow statistical feature of every statistical rule in the statistical rule subset, and generating the matching statistical rules as a statistical rule identification set;
identifying the application type corresponding to the statistical rule with the highest priority in the statistical rule identification set as the application type of the flow to be identified.
Preferably, the DPI feature of a statistical rule includes at least one pre-filter sub-rule and the logical relation between the contained pre-filter sub-rules;
the pre-filter sub-rules include at least one of: a string-based pre-filter sub-rule, a protocol-characteristic packet-length pre-filter sub-rule, a static/dynamic-decryption pre-filter sub-rule, a pre-filter sub-rule based on the identified-flow association table, a port-based pre-filter sub-rule and an IP-address-based pre-filter sub-rule;
when the flow to be identified matches the pre-filter sub-rules contained in a statistical rule and satisfies the logical relation between the contained pre-filter sub-rules, the flow matches the DPI feature of that statistical rule.
Preferably, the flow statistical feature includes at least one statistical pattern and the logical relation between the contained statistical patterns;
a statistical pattern specifies a packet-length distribution feature of the flow and the expected packet count satisfying that packet-length distribution feature;
when the number of packets in the flow to be identified that satisfy the packet-length distribution feature specified by a statistical pattern reaches the expected packet count specified by that pattern, the flow matches the statistical pattern;
when the flow to be identified matches the statistical patterns contained in a statistical rule and satisfies the logical relation between the contained statistical patterns, the flow matches the flow statistical feature of that statistical rule.
Preferably, the packet-length distribution feature includes at least one of: the position feature of packets in the flow, the sequence feature of packets and the packet-length feature of packets;
the position feature of packets in the flow includes packet direction and packet position, where packet direction includes the uplink packet direction corresponding to the uplink flow direction, the downlink packet direction corresponding to the downlink flow direction, and no packet direction corresponding to the bidirectional flow direction; packet position refers to the position number at which a packet appears on a flow direction and includes a single fixed position, a discrete sequence of positions and a contiguous interval of positions;
the sequence feature of packets includes continuity and order;
the packet-length feature of packets includes a specific packet-length value, a packet-length range and a packet-length variable.
Preferably, the statistical patterns include at least one of: the packet-length sequence pattern, the packet-length set pattern, the packet-length repeat pattern, the position direction pattern, the packet count pattern, the packet-length average pattern, the packet-length sum pattern, the per-round packet-length sum pattern and the byte send/receive ratio pattern;
the packet-length sequence pattern specifies that on the flow direction and packet positions there is a sequence of packets with the packet-length features, satisfying the continuity and order constraints, where the expected packet count is specified as the length of the packet sequence having the packet-length features;
the packet-length set pattern specifies that on the flow direction and packet positions there are expected-count packets whose packet lengths are all contained in a set of packet-length features, satisfying the continuity and order constraints;
the packet-length repeat pattern specifies that on the flow direction and packet positions there are expected-count packets whose packet lengths all equal the same packet-length feature, satisfying continuity;
the position direction pattern specifies that on the bidirectional flow direction the packets at the packet positions have the specified packet direction, with the expected packet count set to the number of packet positions;
the packet count pattern specifies that on the bidirectional flow direction and packet positions there are expected-count packets whose packet direction is the same specified packet direction, satisfying continuity;
the packet-length average pattern specifies that on the flow direction and packet positions the average packet length of all packets matches a packet-length feature, with the expected packet count set to the number of packet positions;
the per-round packet-length sum pattern specifies that on the bidirectional flow direction and packet positions each change of flow direction is regarded as the start of a new round of packets, the sum of the packet lengths of all packets in a given round matches a packet-length feature, and the expected packet count is set to the round number;
the byte send/receive ratio pattern specifies that on the bidirectional flow direction and packet positions the ratio of uplink bytes to downlink bytes matches a packet-length feature, with the expected packet count set to the number of positions.
Preferably, the flow to be identified is a Transmission Control Protocol (TCP) flow, the packets are packets carrying payload, and the encrypted traffic identification method identifies using at most the first 60 payload-carrying packets of the flow.
An embodiment of the present invention also provides an encrypted traffic identification device, including a statistical-rule DPI-feature pre-filter module, a statistical-rule flow-statistical-feature matching module and a flow identification result detection module;
the statistical-rule DPI-feature pre-filter module matches the flow to be identified against the DPI feature of every statistical rule in the statistical rule set and generates the matching statistical rules as a statistical rule subset;
the statistical-rule flow-statistical-feature matching module matches the flow to be identified against the flow statistical feature of every statistical rule in the statistical rule subset and generates the matching statistical rules as a statistical rule identification set;
the flow identification result detection module identifies the application type corresponding to the statistical rule with the highest priority in the statistical rule identification set as the application type of the flow to be identified.
Preferably, the statistical-rule DPI-feature pre-filter module includes a basic feature matching unit and a statistical-rule pre-filter logic discrimination unit;
the basic feature matching unit includes a parallel single-pattern string matching sub-unit, a protocol-characteristic packet-length pre-filter matching sub-unit, a static/dynamic-decryption matching sub-unit, an identified-flow association table matching sub-unit, a port matching sub-unit and an IP address matching sub-unit;
the statistical-rule pre-filter logic discrimination unit verifies the logical relation between the sub-units matched in the basic feature matching unit and generates the statistical rule subset.
Preferably, the packet-length distribution feature includes at least one of: the position feature of packets in the flow, the sequence feature of packets and the packet-length feature of packets;
the position feature of packets in the flow includes the uplink packet direction corresponding to the uplink flow direction, the downlink packet direction corresponding to the downlink flow direction, and no packet direction corresponding to the bidirectional flow direction;
the sequence feature of packets includes continuity and order;
the packet-length feature of packets includes a specific packet-length value, a packet-length range and a packet-length variable.
Preferably, the statistical-rule flow-statistical-feature matching module includes a statistical pattern matching unit and a statistical pattern matching result logic discrimination unit;
the statistical pattern matching unit includes at least one of: a packet-length sequence pattern matching sub-unit, a packet-length set pattern matching sub-unit, a packet-length repeat pattern matching sub-unit, a position direction pattern matching sub-unit, a packet count pattern matching sub-unit, a packet-length average pattern matching sub-unit, a packet-length sum pattern matching sub-unit, a per-round packet-length sum pattern matching sub-unit and a byte send/receive ratio pattern matching sub-unit;
the statistical pattern matching result logic discrimination unit verifies the logical relation between the sub-units matched in the statistical pattern matching unit and generates the statistical rule identification set.
Preferably, the packet-length sequence pattern specifies that on the flow direction and packet positions there is a sequence of packets with the packet-length features, satisfying the continuity and order constraints, where the expected packet count is specified as the length of the packet sequence having the packet-length features;
the packet-length set pattern specifies that on the flow direction and packet positions there are expected-count packets whose packet lengths are all contained in a set of packet-length features, satisfying the continuity and order constraints;
the packet-length repeat pattern specifies that on the flow direction and packet positions there are expected-count packets whose packet lengths all equal the same packet-length feature, satisfying continuity;
the position direction pattern specifies that on the bidirectional flow direction the packets at the packet positions have the specified packet direction, with the expected packet count set to the number of packet positions;
the packet count pattern specifies that on the bidirectional flow direction and packet positions there are expected-count packets whose packet direction is the same specified packet direction, satisfying continuity;
the packet-length average pattern specifies that on the flow direction and packet positions the average packet length of all packets matches a packet-length feature, with the expected packet count set to the number of packet positions;
the per-round packet-length sum pattern specifies that on the bidirectional flow direction and packet positions each change of flow direction is regarded as the start of a new round of packets, the sum of the packet lengths of all packets in a given round matches a packet-length feature, and the expected packet count is set to the round number;
the byte send/receive ratio pattern specifies that on the bidirectional flow direction and packet positions the ratio of uplink bytes to downlink bytes matches a packet-length feature, with the expected packet count set to the number of positions.
Preferably, the flow to be identified is a Transmission Control Protocol (TCP) flow, the packets are packets carrying payload, and the encrypted traffic identification device identifies using at most the first 60 payload-carrying packets of the flow.
Implementing the embodiments of the present invention has the following beneficial effects:
1. The packet-length distribution features (position feature, sequence feature, packet-length feature and so on) and the statistical patterns provided by the embodiments meet the need to describe flexible and varied statistical rules for the traffic behaviour of encrypted applications, so the unique traffic behaviour features of various encrypted applications can be captured and identified accurately.
2. The embodiments verify the statistical identification model by deterministic sampling of the flow, without any prior training, and only need to count the first few (at most 60) payload packets of each flow; identification can therefore be performed online, and the specific encrypted application type can be identified accurately.
3. The embodiments divide encrypted application traffic identification into two stages, DPI pre-filtering and flow statistical feature matching. Pre-filtering first selects the few statistical rules that need to proceed to statistical identification and at the same time excludes unrelated traffic, which narrows the scope of statistical identification and thereby improves the overall performance of encrypted application traffic identification.
In the embodiments of the present invention the flow to be identified is matched against statistical rules to identify its application type. A statistical rule includes a rule header, a DPI feature and a flow statistical feature; the rule header indicates the application type corresponding to the rule and the priority of the rule; and matching the flow against a statistical rule includes matching against the DPI feature and matching against the flow statistical feature. Because the embodiments identify the flow with statistical rules, they have online identification capability and high identification accuracy, and they suit application-type identification of encrypted flows.
Brief description of the drawings
To explain the technical scheme of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously the drawings in the following description show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow diagram of the first embodiment of the encrypted traffic identification method.
Fig. 2 is a flow diagram of statistical pattern matching.
Fig. 3 is a flow diagram of the second embodiment of the encrypted traffic identification method.
Fig. 4 is a structural diagram of the first embodiment of the encrypted traffic identification device.
Fig. 5 is a structural diagram of the first embodiment of the statistical-rule DPI-feature pre-filter module 1.
Fig. 6 is a structural diagram of the second embodiment of the statistical-rule DPI-feature pre-filter module 1.
Fig. 7 is a structural diagram of the embodiment of the statistical-rule flow-statistical-feature matching module 2.
Fig. 8 is a structural diagram of the second embodiment of the encrypted traffic identification device.
Detailed description
The technical scheme in the embodiments of the present invention is described clearly and completely below with reference to the drawings of the embodiments. Obviously the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative work fall within the scope of protection of the invention.
The embodiments of the present invention match the flow to be identified against statistical rules to identify its application type; the flow to be identified is primarily a TCP flow. The statistical rules and the related concepts are explained as follows.
There are many statistical rules in the embodiments, and together they form the statistical rule set. The structure of each statistical rule includes a rule header, a DPI feature and a flow statistical feature.
The rule header is mainly used to indicate the application type corresponding to the statistical rule and the priority of the statistical rule.
The DPI feature mainly serves as the pre-filter condition, or entry condition, of the flow statistical feature; it includes at least one pre-filter sub-rule and the logical relation between the contained pre-filter sub-rules. The pre-filter sub-rules include at least one of: a string-based sub-rule, a protocol-characteristic packet-length sub-rule, a static/dynamic-decryption sub-rule, a sub-rule based on the identified-flow association table, a port-based sub-rule and an IP-address-based sub-rule. The logical relation between pre-filter sub-rules is one of: logical all-AND, logical OR, or a logical expression, where the logical expression is composed of logical AND, logical OR, parentheses and the numbers of the pre-filter sub-rules.
The flow statistical feature includes at least one statistical pattern and the logical relation between the contained statistical patterns. A statistical pattern mainly specifies a packet-length distribution feature of the flow and the expected packet count satisfying that packet-length distribution feature. The logical relation between statistical patterns is likewise one of: logical all-AND, logical OR, or a logical expression composed of logical AND, logical OR, parentheses and the numbers of the statistical patterns.
The packet-length distribution feature includes at least one of: the position feature of packets in the flow, the sequence feature of packets and the packet-length feature of packets. The expected packet count may be a single fixed value or a value interval.
The position feature of packets in the flow includes packet direction and packet position. Packet direction refers to the flow direction on which the packet appears in the flow and is the uplink packet direction, the downlink packet direction or no packet direction. The flow directions are the uplink flow direction, the downlink flow direction and the bidirectional flow direction: the uplink flow direction is the direction in which the client sends packets to the server, the downlink flow direction is the direction in which the server sends packets to the client, and the bidirectional flow direction treats the uplink and downlink flow directions together as one direction. The uplink packet direction is specified as the uplink flow direction, the downlink packet direction as the downlink flow direction, and the bidirectional flow direction as no packet direction. Packet position refers to the position number at which a packet appears on a flow direction; position numbering is carried out independently on each flow direction, and a packet position may be a single fixed position, a discrete sequence of positions or a contiguous interval of positions. Note that, besides a packet position, a statistical pattern may also specify a statistical-pattern-variable packet position, which is the offset position relative to the packet position at which the statistical pattern was hit. Statistical pattern hits are explained later.
The sequence feature of packets includes continuity and order. Continuity means that the packets of a given packet sequence or set appear position by position, without interruption, on a given flow direction and contiguous interval of positions; order means that the packets of a given packet sequence or set appear in the specified order on a given flow direction and packet positions (a discrete sequence or a contiguous interval of positions).
The packet-length feature of packets includes a specific packet-length value, a packet-length range and a packet-length variable. The packet length of a packet refers to the payload length of a packet carrying payload; a specific packet-length value means that the packet length or packet-length statistic equals a given determined value; a packet-length range means that the packet length or packet-length statistic lies between two specific packet-length values; a packet-length variable means that the packet length or packet-length statistic equals the packet length of the packet at a given packet position.
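The two paragraphs above describe three forms of logical relation between the numbered pre-filter sub-rules of a DPI feature, and between the numbered statistical patterns of a flow statistical feature: all-AND, OR, and a logical expression built from AND, OR, parentheses and sub-rule or pattern numbers. The following is an added example, not code from the patent, that evaluates all three forms over the set of sub-rule numbers a flow has hit. The operator spellings "&" and "|" and the representation of hits as a set of integers are assumptions of this example.

```python
"""Added example (not the patent's code): evaluate the logical relation between
numbered pre-filter sub-rules or statistical patterns. 'all' = logical all-AND,
'any' = logical OR, otherwise a logical expression such as '(1 & 2) | 3'.
The '&' / '|' spellings and the integer hit set are assumptions of this example."""
import re

# One token per match: a sub-rule number, '&', '|', '(' or ')' (leading blanks skipped).
TOKEN_RE = re.compile(r"\s*(\d+|&|\||\(|\))")


def tokenize(expr):
    """Split a logical expression into tokens; anything else is an error."""
    expr = expr.rstrip()
    pos, tokens = 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("bad token at offset %d in %r" % (pos, expr))
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent evaluator; '&' binds tighter than '|'.
    expr := term ('|' term)*   term := factor ('&' factor)*
    factor := number | '(' expr ')'"""

    def __init__(self, tokens, hits):
        self.tokens, self.hits, self.i = tokens, hits, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() == "|":
            self.take()
            rhs = self.term()          # always consumed, so no tokens are skipped
            value = value or rhs
        return value

    def term(self):
        value = self.factor()
        while self.peek() == "&":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):
        tok = self.take()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or not tok.isdigit():
            raise ValueError("expected a sub-rule number, got %r" % (tok,))
        return int(tok) in self.hits   # a number is true when that sub-rule hit


def evaluate(relation, hits, rule_numbers):
    """relation: 'all', 'any' or an expression string.
    hits: numbers of the sub-rules (or patterns) the flow hit.
    rule_numbers: every sub-rule number the rule contains (needed for all/any)."""
    hits = set(hits)
    if relation == "all":
        return set(rule_numbers) <= hits
    if relation == "any":
        return bool(set(rule_numbers) & hits)
    parser = _Parser(tokenize(relation), hits)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in %r" % relation)
    return bool(result)


if __name__ == "__main__":
    # Constructed hit sets for a rule with sub-rules 1, 2 and 3.
    print(evaluate("all", {1, 2, 3}, [1, 2, 3]))          # True
    print(evaluate("(1 & 2) | 3", {3}, [1, 2, 3]))        # True
    print(evaluate("1 | 2 & 3", {2}, [1, 2, 3]))          # False
```

The same evaluator serves both uses the description names, because the statistical-pattern relation is composed from exactly the same operators over pattern numbers instead of sub-rule numbers; the caller only supplies a different hit set.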
The statistical patterns include at least one of: the packet-length sequence pattern, the packet-length set pattern, the packet-length repeat pattern, the position direction pattern, the packet count pattern, the packet-length average pattern, the packet-length sum pattern, the per-round packet-length sum pattern and the byte send/receive ratio pattern.
The packet-length sequence pattern specifies that on the flow direction and packet positions there is a sequence of packets with the packet-length features, satisfying the continuity and order constraints, where the expected packet count is specified as the length of the packet sequence having the packet-length features;
the packet-length set pattern specifies that on the flow direction and packet positions there are expected-count packets whose packet lengths are all contained in a set of packet-length features, satisfying the continuity and order constraints;
the packet-length repeat pattern specifies that on the flow direction and packet positions there are expected-count packets whose packet lengths all equal the same packet-length feature, satisfying continuity;
the position direction pattern specifies that on the bidirectional flow direction the packets at the packet positions have the specified packet direction, with the expected packet count set to the number of packet positions;
the packet count pattern specifies that on the bidirectional flow direction and packet positions there are expected-count packets whose packet direction is the same specified packet direction, satisfying continuity;
the packet-length average pattern specifies that on the flow direction and packet positions the average packet length of all packets matches a packet-length feature, with the expected packet count set to the number of packet positions;
the per-round packet-length sum pattern specifies that on the bidirectional flow direction and packet positions each change of flow direction is regarded as the start of a new round of packets, the sum of the packet lengths of all packets in a given round matches a packet-length feature, and the expected packet count is set to the round number;
the byte send/receive ratio pattern specifies that on the bidirectional flow direction and packet positions the ratio of uplink bytes to downlink bytes matches a packet-length feature, with the expected packet count set to the number of positions.
Based on the above, Fig. 1 is a schematic flow chart of the first embodiment of the encrypted-traffic identification method of the embodiment of the present invention. It includes:
Step S11: match the stream to be identified against the deep packet inspection feature of each statistical rule in the statistical rule set, and generate the matched statistical rules as a statistical rule subset.
Here, the stream to be identified matching a statistical rule means: the stream to be identified hits the pre-filter sub-rules contained in the deep packet inspection feature of the statistical rule, and also hits the logical relation between the pre-filter sub-rules.
Step S12: match the stream to be identified against the flow-statistics feature of each statistical rule in the statistical rule subset, and generate the matched statistical rules as a statistical rule identification set.
Here, the stream to be identified matching a statistical rule means: the stream to be identified hits the statistical patterns of the statistical rule, and hits the logical relation between the statistical patterns.
Here, the stream to be identified hitting a statistical pattern means that the number of packets in the stream that satisfy the packet-length distribution feature specified by the statistical pattern reaches the expected packet count specified by the statistical pattern.
Step S13: identify the application type corresponding to the statistical rule with the highest priority in the statistical rule identification set as the application type of the stream to be identified.
Here, after the matching of steps S11 and S12, the stream to be identified may hit several statistical rules at the same time; in that case the application type corresponding to the statistical rule with the highest priority is taken as the application type of the stream to be identified.
The present embodiment can identify the application type of encrypted traffic, and has online identification capability and a high, precise identification rate.
The matching of the statistical patterns involved in step S12 of Fig. 1 can use the flow shown in Fig. 2, which includes:
Step S21: select a statistical pattern, and input information such as the packet length and flow direction of the packets of the stream to be identified.
Step S22: according to the packet length of the current packet and the current flow direction, judge whether the current flow direction is consistent with the flow direction specified by the selected statistical pattern: if not, terminate; if so, go to step S23 and continue.
Step S23: according to the current flow direction and the matching state of the statistical pattern, update the current packet position and the packet-length-variable packet position of the statistical pattern.
Step S24: according to the current packet position of the statistical pattern and the packet length of the current packet, extract the packet length corresponding to the packet-length variable feature specified by the statistical pattern.
Step S25: according to the current packet position of the statistical pattern, judge whether a packet position specified by the statistical pattern is hit: if not, terminate; if so, go to step S26 and continue.
Step S26: according to the current packet position of the statistical pattern and the packet length of the current packet, update the current packet-length statistic of the statistical pattern, and verify the packet-length distribution feature constraints specified by the statistical pattern, such as the packet-length feature, packet direction, continuity and order.
Step S27: according to the result of verifying the packet-length distribution feature of the statistical pattern, update the continuity state, order state and currently valid packet count of the statistical pattern.
Step S28: according to the packet positions and expected packet count specified by the statistical pattern, together with the current packet position and currently valid packet count, decide the matching result of the statistical pattern.
Step S29: update matching states such as the completion state and hit state of the statistical pattern, then terminate.
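As an added illustration that is not code from the patent, the following Python models three of the packet-length statistical patterns defined above (sequence, set and repeat) and advances each of them packet by packet in the step order of Fig. 2 (S21 to S29). The names Kind, StatPattern and MatchState, the use of a position range, the restart-on-miss handling and the sample flow are assumptions made here.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

Packet = Tuple[str, int]   # (direction "up"/"down", payload length)


class Kind(Enum):
    SEQUENCE = "sequence"  # packet-length sequence pattern: lengths in the given order
    SET = "set"            # packet-length set pattern: every length in the given set
    REPEAT = "repeat"      # packet-length repeat pattern: every length equal to one value


@dataclass
class StatPattern:             # assumed representation of one statistical pattern
    name: str
    kind: Kind
    direction: str             # "up", "down" or "any" (bidirectional flow direction)
    positions: range           # packet positions examined, counted on that direction (1-based)
    expected: int              # expected packet count
    lengths: List[int]         # sequence members / set members / [repeat value]
    continuous: bool = True    # continuity constraint: hits must sit at consecutive positions


@dataclass
class MatchState:              # the pattern's intermediate matching state
    position: int = 0          # current packet position of the pattern
    hits: int = 0              # currently valid packet count
    last_hit: Optional[int] = None
    done: bool = False         # completion state
    hit: bool = False          # hit state


def _length_ok(p: StatPattern, st: MatchState, length: int) -> bool:
    """S24/S26: does this packet's length satisfy the pattern's packet-length feature?"""
    if p.kind is Kind.SEQUENCE:   # order constraint: the next member of the sequence
        return st.hits < len(p.lengths) and length == p.lengths[st.hits]
    if p.kind is Kind.SET:
        return length in p.lengths
    return length == p.lengths[0]


def feed(p: StatPattern, st: MatchState, direction: str, length: int) -> MatchState:
    """Advance one pattern by one packet, following the step order of Fig. 2."""
    if st.done:
        return st
    if p.direction != "any" and direction != p.direction:   # S22: wrong flow direction
        return st
    st.position += 1                                          # S23: update packet position
    if st.position in p.positions:                            # S25: a specified position
        ok = _length_ok(p, st, length)
        if ok and p.continuous and st.last_hit is not None and st.position != st.last_hit + 1:
            ok = False                                        # continuity broken
        if not ok and st.hits and p.continuous:
            st.hits, st.last_hit = 0, None                    # run broken: restart at this packet
            ok = _length_ok(p, st, length)
        if ok:                                                # S27: update the counters
            st.hits, st.last_hit = st.hits + 1, st.position
        if st.hits >= p.expected:                             # S28: expected count reached
            st.hit = st.done = True
    if not st.done and st.position >= p.positions[-1]:        # S29: no positions left to examine
        st.done = True
    return st


def match_flow(patterns: List[StatPattern], flow: List[Packet]) -> Dict[str, bool]:
    """Feed a whole flow to every pattern; True where the pattern was hit."""
    states = {p.name: MatchState() for p in patterns}
    for direction, length in flow:
        for p in patterns:
            feed(p, states[p.name], direction, length)
    return {name: st.hit for name, st in states.items()}


# Constructed sample flow (not a real application fingerprint): the first payload packets.
SAMPLE_FLOW: List[Packet] = [("up", 240), ("down", 1380), ("down", 1380), ("down", 512),
                             ("up", 90), ("down", 60), ("up", 60), ("down", 60)]

DEMO_PATTERNS = [   # constructed patterns; "wrong_seq" shows a pattern that fails to complete
    StatPattern("up_seq", Kind.SEQUENCE, "up", range(1, 4), 3, [240, 90, 60]),
    StatPattern("down_set", Kind.SET, "down", range(1, 5), 3, [1380, 512]),
    StatPattern("tail_repeat", Kind.REPEAT, "any", range(5, 9), 3, [60]),
    StatPattern("wrong_seq", Kind.SEQUENCE, "up", range(1, 3), 2, [240, 200]),
]

if __name__ == "__main__":
    print(match_flow(DEMO_PATTERNS, SAMPLE_FLOW))
```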
Fig. 3 is a schematic flow chart of the second embodiment of the encrypted-traffic identification method of the embodiment of the present invention. The concepts of global flow table, stream node and stream statistics child node are introduced in Fig. 3: a stream node is stored in the global flow table and corresponds to a stream to be identified; a stream statistics child node is stored in a stream node and corresponds to a statistical rule. Specifically, Fig. 3 includes:
Step S31: input the context of a payload-carrying packet of the stream to be identified, such as the packet length, payload, stream five-tuple and flow direction.
Step S32: enter the first-level node of the application identification pipeline.
Here, statistical rule deep packet inspection pre-filtering takes the packet and the statistical rule set as input, performs deep packet inspection pre-filtering on the stream to be identified, and outputs the finally hit statistical rule subset.
If the statistical rule subset is not empty, the stream to be identified continues with the matching of the statistical rule flow-statistics features, and processing proceeds to the next-level node of the application identification pipeline; otherwise this identification stops;
Step S33: enter the second-level node of the application identification pipeline.
If there is a newly hit statistical rule subset, the stream statistics child node creates the corresponding stream statistics child nodes according to the statistical rule subset and initialises the statistical pattern matching state of each stream statistics child node; the multiple stream statistics child nodes are concatenated into a linked list and stored in the stream node corresponding to the stream to be identified in the global flow table.
If there is no newly hit statistical rule subset, the current linked list of stream statistics child nodes is traversed, and for each stream statistics child node processing proceeds to nodes four to five of the application identification pipeline.
Step S34: enter the third-level node of the application identification pipeline.
Statistical rule flow-statistics feature matching, based on the current statistical pattern matching state of the stream statistics child node, matches the statistical patterns specified by the flow-statistics feature of the statistical rule corresponding to the child node, updates the statistical pattern matching state, and judges the identification state of the stream statistics child node.
Step S35: enter the fourth-level node of the application identification pipeline.
Stream identification result detection uses the identification states of the multiple stream statistics child nodes in the stream node corresponding to the stream to be identified in the global flow table to judge the identification state and identification result of the stream node.
If the identification state of at least one stream statistics child node is identified, the identification state of the stream node is judged as identified, and the identification result of the stream node is judged as the type of encrypted-traffic application specified by the rule header of the highest-priority statistical rule among the statistical rule subset corresponding to all identified stream statistics child nodes; at this point the identification of the stream node is complete. Otherwise, identification continues.
This implementation is arranged so that at most the first 60 payload-carrying packets of the stream to be identified are examined; if 60 packets have been examined and still no stream statistics child node has the identification state identified, the identification state of the stream node is judged as failed.
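The pipeline of steps S31 to S35, as an added example that is not the patent's code: a global flow table keyed by a constructed five-tuple, stream nodes with their child-node lists, a stand-in for the DPI pre-filter, two small pattern builders (byte transmit/receive ratio and a packet-length specific value at a position), the logical relation between patterns evaluated in reverse Polish notation as the description of unit 22 states, highest-priority selection and the 60-packet limit. The rule names, pattern builders, priorities, payload prefix and flows are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

MAX_PACKETS = 60   # stated in the text: at most the first 60 payload-carrying packets
Packet = Tuple[str, int]                    # (direction "up"/"down", payload length)
PatternFn = Callable[[List[Packet]], bool]  # True once the pattern's expected count is met


@dataclass
class StatRule:                 # assumed shape of a statistical rule
    name: str
    app: str                    # application type named in the rule header
    priority: int               # the highest priority wins among identified rules
    prefilter: Callable[[bytes], bool]   # stands in for the DPI pre-filter sub-rules
    patterns: Dict[str, PatternFn]       # statistical patterns of the flow-statistics feature
    logic: str                  # logical relation between patterns, reverse Polish notation

@dataclass
class ChildNode:                # stream statistics child node: one per hit rule
    rule: StatRule
    state: str = "pending"      # pending / identified

@dataclass
class StreamNode:               # stream node: one per flow in the global flow table
    history: List[Packet] = field(default_factory=list)
    children: List[ChildNode] = field(default_factory=list)   # the child-node list
    state: str = "pending"      # pending / identified / failed
    result: str = ""            # application type once identified


def eval_rpn(expr: str, truth: Dict[str, bool]) -> bool:
    """Evaluate a logical relation such as 'A B and C or' over pattern truth values."""
    stack: List[bool] = []
    for tok in expr.split():
        if tok == "not":
            stack.append(not stack.pop())
        elif tok in ("and", "or"):
            b, a = stack.pop(), stack.pop()
            stack.append((a and b) if tok == "and" else (a or b))
        else:
            stack.append(truth[tok])
    return stack.pop()

def length_at(position: int, direction: str, value: int) -> PatternFn:
    """Packet-length specific value at one packet position on one flow direction."""
    def fn(hist: List[Packet]) -> bool:
        same_dir = [n for d, n in hist if d == direction]
        return len(same_dir) >= position and same_dir[position - 1] == value
    return fn

def byte_ratio(lo: float, hi: float, expected: int) -> PatternFn:
    """Byte transmit/receive ratio: up bytes / down bytes over the first `expected` packets in [lo, hi]."""
    def fn(hist: List[Packet]) -> bool:
        if len(hist) < expected:
            return False
        up = sum(n for d, n in hist[:expected] if d == "up")
        down = sum(n for d, n in hist[:expected] if d == "down")
        return down > 0 and lo <= up / down <= hi
    return fn


def process_packet(table: Dict[tuple, StreamNode], rules: List[StatRule],
                   five_tuple: tuple, direction: str, payload: bytes) -> str:
    """Run one packet through the four pipeline stages; returns the stream node state."""
    node = table.setdefault(five_tuple, StreamNode())
    if node.state != "pending" or not payload:          # identification finished / no payload
        return node.state
    node.history.append((direction, len(payload)))      # S31: packet context
    known = {c.rule.name for c in node.children}
    subset = [r for r in rules if r.name not in known and r.prefilter(payload)]   # S32
    node.children.extend(ChildNode(r) for r in subset)  # S33: child nodes for new hits
    for child in node.children:                         # S34: flow-statistics matching
        if child.state == "pending":
            truth = {k: fn(node.history) for k, fn in child.rule.patterns.items()}
            if eval_rpn(child.rule.logic, truth):
                child.state = "identified"
    done = [c.rule for c in node.children if c.state == "identified"]   # S35
    if done:
        node.state, node.result = "identified", max(done, key=lambda r: r.priority).app
    elif len(node.history) >= MAX_PACKETS:
        node.state = "failed"
    return node.state


def tls_like(payload: bytes) -> bool:   # constructed stand-in for a DPI pre-filter sub-rule
    return payload[:2] == b"\x16\x03"

RULES = [   # constructed rules; the lengths and ratios are not real application fingerprints
    StatRule("R-A", "app-A", 10, tls_like,
             {"A": length_at(1, "up", 240), "B": byte_ratio(0.05, 0.2, 6)}, "A B and"),
    StatRule("R-B", "app-B", 5, tls_like,
             {"C": length_at(1, "up", 240), "D": byte_ratio(0.05, 1.0, 6)}, "C D and"),
]
FLOW: List[Packet] = [("up", 240), ("down", 1380), ("down", 1380),
                      ("down", 512), ("up", 90), ("down", 60)]
FAIL_FLOW: List[Packet] = [("up", 100)] + [("down", 100)] * 59   # never satisfies A or C


def classify(flow: List[Packet], rules: List[StatRule] = RULES) -> Tuple[str, str]:
    """Feed a constructed flow packet by packet; returns (node state, application type)."""
    table: Dict[tuple, StreamNode] = {}
    key = ("10.0.0.1", 40000, "10.0.0.2", 443, "tcp")   # constructed five-tuple
    for direction, n in flow:
        process_packet(table, rules, key, direction, b"\x16\x03" + bytes(n - 2))
    return table[key].state, table[key].result
```

Both R-A and R-B become identified on the sixth packet of FLOW, and the higher-priority R-A supplies the result; FAIL_FLOW hits the pre-filter but reaches the 60-packet limit without any identified child node.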
Corresponding to the foregoing method embodiments, Fig. 4 is a schematic structural diagram of an embodiment of the encrypted-traffic identification device provided by the embodiment of the present invention. It includes: statistical rule deep packet inspection feature pre-filter module 1, statistical rule flow-statistics feature matching module 2 and stream identification result detection module 3.
The statistical rule deep packet inspection feature pre-filter module 1 is used to match the stream to be identified against the deep packet inspection feature of each statistical rule in the statistical rule set, and to generate the matched statistical rules as a statistical rule subset.
Here, the stream to be identified matching a statistical rule means: the stream to be identified hits the pre-filter sub-rules contained in the deep packet inspection feature of the statistical rule, and also hits the logical relation between the pre-filter sub-rules.
The statistical rule flow-statistics feature matching module 2 is used to match the stream to be identified against the flow-statistics feature of each statistical rule in the statistical rule subset, and to generate the matched statistical rules as a statistical rule identification set.
Here, the stream to be identified matching a statistical rule means: the stream to be identified hits the statistical patterns of the statistical rule, and hits the logical relation between the statistical patterns.
Here, the stream to be identified hitting a statistical pattern means that the number of packets in the stream that satisfy the packet-length distribution feature specified by the statistical pattern reaches the expected packet count specified by the statistical pattern.
The stream identification result detection module 3 is used to identify the application type corresponding to the statistical rule with the highest priority in the statistical rule identification set as the application type of the stream to be identified.
The present embodiment can identify the application type of encrypted traffic, and has online identification capability and a high, precise identification rate.
As shown in Fig. 5, in one embodiment the statistical rule deep packet inspection feature pre-filter module 1 includes: basic feature matching unit 11 and statistical rule pre-filter logic discrimination unit 12.
The basic feature matching unit 11 includes, deployed in parallel: a string single-pattern matching sub-unit, a protocol-feature packet-length matching sub-unit, a static/dynamic decryption matching sub-unit, an identified-flow association table matching sub-unit, a port matching sub-unit and an IP address matching sub-unit.
The statistical rule pre-filter logic discrimination unit 12 is used to verify the logical relation between the sub-units matched in the basic feature matching unit, so as to generate the statistical rule subset.
Specifically, the string single-pattern matching sub-unit performs the matching of a single string at a fixed or non-fixed position in the application-layer payload of a packet of the stream to be identified.
The protocol-feature packet-length matching sub-unit performs protocol-feature packet-length verification of application traffic; a protocol-feature packet length means that the value at a certain fixed position of the packet and the packet length of the whole packet satisfy a certain determined rule.
The static/dynamic decryption matching sub-unit first uses a preset static key, or a dynamic key extracted from a certain fixed position of the packet, to iteratively decrypt the packet according to a preset decryption algorithm and obtain plaintext data, and then performs string single-pattern matching or protocol-feature packet-length matching; the decryption algorithms include bitwise XOR, shift, addition/subtraction and the like.
The identified-flow association table matching sub-unit performs association look-up matching, based on the IP, port and transport protocol of the packets of the stream to be identified, using the identified-flow association table; identified flows include UDP flows and TCP flows, and the identified-flow association table is a hash chain table generated from the tuples of IP and port, and IP and transport protocol, of the identified flows.
The port matching sub-unit performs verification of a single port or a port range.
The IP address matching sub-unit performs verification of a single IP address or an IP address range.
As shown in Fig. 6, in another embodiment the statistical rule deep packet inspection feature pre-filter module 1 also includes: statistical rule string multi-pattern matching unit 13 and statistical rule feature composite matching unit 14.
The inputs of the statistical rule string multi-pattern matching unit 13 and the statistical rule feature composite matching unit 14 are configured to be connected in parallel to the input of the statistical rule deep packet inspection pre-filter module 1, and their outputs are connected respectively to the input of the basic feature matching unit 11 and of the statistical rule pre-filter result logic discrimination unit 12; the output of the statistical rule pre-filter logic discrimination unit 12 is in turn connected to the output of the statistical rule deep packet inspection pre-filter module 1.
The basic feature matching unit 11 is formed by deploying in parallel the string single-pattern matching sub-unit, the protocol-feature packet-length matching sub-unit, the static/dynamic decryption matching sub-unit, the port matching sub-unit, the IP address matching sub-unit and the identified-flow association table matching sub-unit.
The working process of the statistical rule deep packet inspection pre-filter module 1 is generally divided into two stages: pre-processing and pre-filtering.
In the pre-processing stage of the statistical rule deep packet inspection pre-filter module 1, the pre-filter sub-rules that an external statistical rule set management and control module specifies for the deep packet inspection features of the statistical rules in the input statistical rule set are pre-processed uniformly, generating the shadow matching core (core 2 in the figure) of the deep packet inspection engine dual core 15 shown in Fig. 8, i.e. the string multi-pattern matching state machine of the statistical rule string multi-pattern matching unit 13 and the feature composite matching state machine of the statistical rule feature composite matching unit 14; a seamless hot swap of the main matching core (core 1 in the figure) and the shadow matching core is then performed: the shadow matching core is activated as the new main matching core, and the original main matching core becomes the new shadow matching core, on standby.
The string multi-pattern matching state machine is generated by pre-processing the pre-filter sub-rule set composed of, for every statistical rule in the statistical rule set, the key-string-based pre-filter sub-rule with the longest string. The statistical rule string multi-pattern matching unit 13 performs matching using the string multi-pattern matching state machine, and verifies the offset position constraint of a hit string within the packet.
The feature composite matching state machine is generated from, over all statistical rules in the statistical rule set, the key-string-based pre-filter sub-rules not added to the statistical rule string multi-pattern matching unit, the protocol-feature packet-length-based pre-filter sub-rules, the static/dynamic-decryption-based pre-filter sub-rules, the identified-flow-association-table-based pre-filter sub-rules, the port-based pre-filter sub-rules and the IP-address-based pre-filter sub-rules; matching is performed using the basic feature matching unit 11.
In the pre-filtering stage of the statistical rule deep packet inspection pre-filter module 1, the statistical rule string multi-pattern matching unit 13 and the statistical rule feature composite matching unit 14 take a payload-carrying packet of the stream to be classified and the statistical rule set as input, work together, and perform deep packet inspection pre-filtering jointly with the basic feature matching unit 11; they output the statistical rule subset of preliminary hits and the hit state of the pre-filter sub-rules of the statistical rules in that subset. The statistical rule pre-filter result logic discrimination unit 12 then further verifies the logical relation between the pre-filter sub-rules of the statistical rules, so as to filter out and output the finally hit statistical rule subset.
As shown in Fig. 7, the statistical rule flow-statistics feature matching module 2 includes: statistical pattern matching unit 21 and statistical pattern matching result logic discrimination unit 22.
The input of the statistical pattern matching unit 21 is configured to be connected to the input of the statistical rule flow-statistics feature matching module 2, the output of the statistical pattern matching unit 21 is configured to be connected to the input of the statistical pattern matching result logic discrimination unit 22, and the output of the statistical pattern matching result logic discrimination unit 22 is connected to the output of the statistical rule flow-statistics feature matching module 2.
The statistical pattern matching unit 402 is formed by deploying in parallel a packet-length sequence statistical pattern matching sub-unit, a packet-length set statistical pattern matching sub-unit, a packet-length repeat statistical pattern matching sub-unit, a position direction statistical pattern matching sub-unit, a packet-count statistical pattern matching sub-unit, a packet-length average statistical pattern matching sub-unit, a packet-length sum statistical pattern matching sub-unit, a round packet-length sum statistical pattern matching sub-unit and a byte transmit/receive ratio statistical pattern matching sub-unit.
The statistical rule flow-statistics feature matching module 2 takes the statistical rules screened out by the statistical rule deep packet inspection pre-filter module 1 as input, uses the statistical pattern matching unit 21 to match the multiple statistical patterns specified by the flow-statistics feature of the statistical rule and to update the statistical pattern matching state, and, according to the logical relation between the statistical patterns specified by the flow-statistics feature of the statistical rule, uses the statistical pattern matching result logic discrimination unit 22 to judge the identification state of the stream statistics child node corresponding to the statistical rule and output it.
Fig. 8 is a schematic structural diagram of the second embodiment of the encrypted-traffic identification device. It mainly includes: statistical rule deep packet inspection pre-filter module 1, statistical rule flow-statistics feature matching module 2, stream statistics child node unit 4 and stream identification result detection module 3. The statistical rule deep packet inspection pre-filter module 1, the statistical rule flow-statistics feature matching module 2 and the stream identification result detection module 3 have been described above; the stream statistics child node unit 4 is emphasised here.
Specifically, the stream statistics child node unit 4 includes: the stream statistics child node and the statistical pattern matching state of the stream statistics child node.
The stream statistics child node corresponds to the statistical rule hit by the statistical rule deep packet inspection pre-filter module 1, and is stored in the stream node, in the global flow table, that corresponds to the stream to be identified screened out by the statistical rule deep packet inspection pre-filter module 1. The same stream to be identified may be screened more than once by the statistical rule deep packet inspection pre-filter module and hit one or more different statistical rules; the multiple stream statistics child nodes belonging to the same stream to be identified are concatenated into a singly linked list.
The statistical pattern matching state of the stream statistics child node is the intermediate matching state of each statistical pattern of the statistical rule corresponding to the child node, including the current packet position of the statistical pattern, the currently valid packet count, the current packet-length statistic, the continuity state, the order state, the completion state, the hit state and the identification state of the stream statistics child node, where the identification state of the stream statistics child node includes identified, failed and pending; the statistical pattern matching state of the stream statistics child node is updated by the statistical rule flow-statistics feature matching module 2.
The statistical rule flow-statistics feature matching module 2 uses the saved statistical pattern matching state of the stream statistics child node and the statistical pattern matching unit 21 to match the multiple statistical patterns specified by the flow-statistics feature of the statistical rule corresponding to the child node, updates the statistical pattern matching state of the corresponding stream statistics child node, and, according to the logical relation between the statistical patterns specified by the flow-statistics feature, uses the statistical pattern matching result logic discrimination unit 22 to judge the identification state of the stream statistics child node.
The statistical pattern matching unit 21 performs the matching of the packet-length sequence statistical pattern, packet-length set statistical pattern, packet-length repeat statistical pattern, position direction statistical pattern, packet-count statistical pattern, packet-length average statistical pattern, packet-length sum statistical pattern, round packet-length sum statistical pattern and byte transmit/receive ratio statistical pattern.
Specifically, the statistical pattern matching unit 21, according to the packet length of the current packet and the current flow direction, judges whether the current flow direction is consistent with the flow direction specified by the statistical pattern; according to the current flow direction and the matching state of the referenced statistical pattern, it updates the current packet position and the packet-length-variable packet position of the statistical pattern; according to the current packet position of the statistical pattern and the packet length of the current packet, it extracts the packet length corresponding to the packet-length variable feature specified by the statistical pattern; according to the current packet position of the statistical pattern, it judges whether a packet position specified by the statistical pattern is hit; according to the current packet position of the statistical pattern and the packet length of the current packet, it updates the current packet-length statistic of the statistical pattern and verifies the packet-length distribution feature constraints specified by the statistical pattern, such as the packet-length feature, packet direction, continuity and order; according to the result of verifying the packet-length distribution feature of the statistical pattern, it updates the continuity state, order state and currently valid packet count of the statistical pattern; and according to the packet positions and expected packet count specified by the statistical pattern, the current packet position and the currently valid packet count, it decides the matching result of the statistical pattern and updates the completion state and hit state of the statistical pattern.
The statistical pattern matching result logic discrimination unit 22 uses the completion state and hit state in the statistical pattern matching state of the stream statistics child node, together with the logical relation between the statistical patterns, to judge the identification state of the stream statistics child node. The statistical pattern matching result logic discrimination unit 22 performs the logical operations on the logical expression, which has been pre-processed into reverse Polish notation.
The stream identification result detection module 3 uses the identification states of the multiple stream statistics child nodes stored in the stream node to judge the identification state and identification result of the stream node, and decides whether to continue traversing the stream statistics child node linked list; the identification state of the stream node includes: identified; failed; pending, with no pending stream statistics child node; and pending, with pending stream statistics child nodes.
The stream identification result detection module 3 judges the identification result of the stream node as the type of encrypted-traffic application specified by the rule header of the highest-priority statistical rule in the statistical rule subset corresponding to the identified stream statistics child nodes.
Those of ordinary skill in the art will appreciate that all or part of the flow of the above method embodiments can be completed by a computer program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, may include the flow of each of the above method embodiments. The storage medium can be a magnetic disk, an optical disk, a read-only memory (Read-Only Memory, ROM) or a random access memory (Random Access Memory, RAM), etc.
The above disclosure is only a preferred embodiment of the invention and of course cannot limit the scope of rights of the invention; those of ordinary skill in the art will appreciate that equivalent variations made according to the claims of the invention, implementing all or part of the flow of the above embodiments, still fall within the scope covered by the invention.

Claims (11)

  1. An encrypted-traffic identification method, characterised in that: a stream to be identified is matched against statistical rules to identify the application type of the stream to be identified; wherein a statistical rule includes: a rule header, a deep packet inspection feature and a flow-statistics feature, the rule header indicating the application type corresponding to this statistical rule and the priority of this statistical rule;
    matching the stream to be identified against statistical rules to identify the application type of the stream to be identified includes:
    matching the stream to be identified against the deep packet inspection feature of each statistical rule in the statistical rule set, and generating the matched statistical rules as a statistical rule subset;
    matching the stream to be identified against the flow-statistics feature of each statistical rule in the statistical rule subset, and generating the matched statistical rules as a statistical rule identification set; wherein the flow-statistics feature includes at least one statistical pattern and the logical relation between the contained statistical patterns; the statistical pattern is used to specify the packet-length distribution feature of the stream and the expected packet count satisfying the packet-length distribution feature; when the number of packets in the stream to be identified that satisfy the packet-length distribution feature specified by a statistical pattern reaches the expected packet count specified by that statistical pattern, the stream to be identified matches the statistical pattern; when the stream to be identified matches the statistical patterns contained in a statistical rule and satisfies the logical relation between the contained statistical patterns, the stream to be identified matches the flow-statistics feature of this statistical rule;
    identifying the application type corresponding to the statistical rule with the highest priority in the statistical rule identification set as the application type of the stream to be identified.
  2. The encrypted-traffic identification method according to claim 1, characterised in that: the deep packet inspection feature of the statistical rule includes at least one pre-filter sub-rule and the logical relation between the contained pre-filter sub-rules;
    the pre-filter sub-rules include at least one of the following: a pre-filter sub-rule based on a string, a pre-filter sub-rule based on protocol-feature packet length, a pre-filter sub-rule based on static/dynamic decryption, a pre-filter sub-rule based on the identified-flow association table, a pre-filter sub-rule based on port, and a pre-filter sub-rule based on IP address;
    when the stream to be identified matches the pre-filter sub-rules contained in a statistical rule and satisfies the logical relation between the contained pre-filter sub-rules, the stream to be identified matches the deep packet inspection feature of this statistical rule.
  3. The encrypted-traffic identification method according to claim 1, characterised in that: the packet-length distribution feature includes at least one of the following: the transmission specification of the packets in the stream, the sequence feature of the packets, and the packet-length feature of the packets;
    the transmission specification of a packet in the stream includes: packet direction and packet position, where the packet direction includes: the uplink packet direction corresponding to the upstream flow direction, the downlink packet direction corresponding to the downstream flow direction, and no packet direction, corresponding to the bidirectional flow direction; the packet position refers to the position number at which a packet appears on the flow direction, and includes: a single fixed position, a discrete series of positions and a continuous interval of positions;
    the sequence feature of the packets includes: continuity and order;
    the packet-length feature of the packets includes: the packet-length specific value, the packet-length range and the packet-length variable.
  4. The encrypted traffic identification method according to claim 3, characterised in that: the statistical pattern includes at least one of the following: a packet length sequence statistical pattern, a packet length set statistical pattern, a packet length repetition statistical pattern, a position direction statistical pattern, a packet count statistical pattern, a packet length mean statistical pattern, a packet length sum statistical pattern, a round packet length sum statistical pattern, and a byte transmit/receive ratio statistical pattern;
    the packet length sequence statistical pattern specifies: on the stream direction and packet positions there exists a packet sequence having the packet length features and satisfying the continuity and order constraints, where the expected packet count is specified as the length of the packet sequence having the packet length features;
    the packet length set statistical pattern specifies: on the stream direction and packet positions there exist as many packets as the expected packet count, the packet lengths of which are all contained in a set of packet length features, satisfying the continuity and order constraints;
    the packet length repetition statistical pattern specifies: on the stream direction and packet positions there exist as many packets as the expected packet count, the packet lengths of which are all equal to the same packet length feature, satisfying the continuity constraint;
    the position direction statistical pattern specifies: on the bidirectional stream direction and packet positions, the packet direction of each packet is the specified packet direction, and the expected packet count is set to the number of packet positions;
    the packet count statistical pattern specifies: on the bidirectional stream direction and packet positions there exist as many packets as the expected packet count, the packet directions of which are all the same specified packet direction, satisfying the continuity constraint;
    the packet length mean statistical pattern specifies: on the stream direction and packet positions, the mean packet length of all packets matches one packet length feature, and the expected packet count is set to the number of packet positions;
    the round packet length sum statistical pattern specifies: on the bidirectional stream direction and packet positions, each change of stream direction is treated as the beginning of a new round of packets, the sum of the packet lengths of all packets in a specified round matches one packet length feature, and the expected packet count is set to the round number;
    the byte transmit/receive ratio statistical pattern specifies: on the bidirectional stream direction and packet positions, the ratio of the uplink byte count to the downlink byte count matches one packet length feature, and the expected packet count is set to the number of positions.
  5. The encrypted traffic identification method according to claim 1, characterised in that: the stream to be identified is a Transmission Control Protocol (TCP) stream, the packets are packets carrying a payload, and the encrypted traffic identification method identifies at most the first 60 payload-carrying packets of the stream to be identified.
  6. An encrypted traffic identification device, characterised in that it comprises: a statistical-rule deep packet inspection feature pre-filtering module, a statistical-rule statistical flow feature matching module, and a stream identification result detection module;
    wherein the statistical-rule deep packet inspection feature pre-filtering module is for matching the stream to be identified against the deep packet inspection feature of each statistical rule in the statistical rule set, and generating the matched statistical rules as a statistical rule subset;
    the statistical-rule statistical flow feature matching module is for matching the stream to be identified against the statistical flow feature of each statistical rule in the statistical rule subset, and generating the matched statistical rules as a statistical rule identification set; wherein the statistical flow feature comprises at least one statistical pattern and the logical relation between the contained statistical patterns; a statistical pattern is used to specify a packet length distribution feature of the stream and the expected packet count satisfying that packet length distribution feature; when the number of packets in the stream to be identified that satisfy the packet length distribution feature specified by a statistical pattern reaches the expected packet count specified by that statistical pattern, the stream to be identified matches that statistical pattern; when the stream to be identified matches the statistical patterns contained in a statistical rule and satisfies the logical relation between the contained statistical patterns, the stream to be identified matches the statistical flow feature of that statistical rule;
    the stream identification result detection module is for identifying the application type corresponding to the statistical rule with the highest priority in the statistical rule identification set as the application type of the stream to be identified.
  7. The encrypted traffic identification device according to claim 6, characterised in that: the statistical-rule deep packet inspection feature pre-filtering module comprises: a basic feature matching unit and a statistical-rule pre-filtering logic discrimination unit;
    the basic feature matching unit comprises: a parallel single-pattern string matching sub-unit, a protocol-feature packet length pre-filtering matching sub-unit, a static or dynamic decryption matching sub-unit, an identified-stream association table matching sub-unit, a port matching sub-unit, and an IP address matching sub-unit;
    the statistical-rule pre-filtering logic discrimination unit is for verifying the logical relation between the sub-units matched in the basic feature matching unit and generating the statistical rule subset.
  8. The encrypted traffic identification device according to claim 6, characterised in that: the packet length distribution feature includes at least one of the following: the position feature of packets in the stream, the sequence feature of packets, and the packet length feature of packets;
    the position feature of packets in the stream comprises: the uplink packet direction corresponding to the uplink stream direction, the downlink packet direction corresponding to the downlink stream direction, and no packet direction corresponding to the bidirectional stream direction;
    the sequence feature of packets comprises: continuity and order;
    the packet length feature of packets comprises: a specific packet length value, a packet length range, and a packet length variable.
  9. The encrypted traffic identification device according to claim 8, characterised in that: the statistical-rule statistical flow feature matching module comprises: a statistical pattern matching unit and a statistical pattern matching result logic discrimination unit;
    the statistical pattern matching unit includes at least one of the following: a packet length sequence statistical pattern matching sub-unit, a packet length set statistical pattern matching sub-unit, a packet length repetition statistical pattern matching sub-unit, a position direction statistical pattern matching sub-unit, a packet count statistical pattern matching sub-unit, a packet length mean statistical pattern matching sub-unit, a packet length sum statistical pattern matching sub-unit, a round packet length sum statistical pattern matching sub-unit, and a byte transmit/receive ratio statistical pattern matching sub-unit;
    the statistical pattern matching result logic discrimination unit is for verifying the logical relation between the sub-units matched in the statistical pattern matching unit and generating the statistical rule identification set.
  10. The encrypted traffic identification device according to claim 9, characterised in that: the packet length sequence statistical pattern specifies: on the stream direction and packet positions there exists a packet sequence having the packet length features and satisfying the continuity and order constraints, where the expected packet count is specified as the length of the packet sequence having the packet length features;
    the packet length set statistical pattern specifies: on the stream direction and packet positions there exist as many packets as the expected packet count, the packet lengths of which are all contained in a set of packet length features, satisfying the continuity and order constraints;
    the packet length repetition statistical pattern specifies: on the stream direction and packet positions there exist as many packets as the expected packet count, the packet lengths of which are all equal to the same packet length feature, satisfying the continuity constraint;
    the position direction statistical pattern specifies: on the bidirectional stream direction and packet positions, the packet direction of each packet is the specified packet direction, and the expected packet count is set to the number of packet positions;
    the packet count statistical pattern specifies: on the bidirectional stream direction and packet positions there exist as many packets as the expected packet count, the packet directions of which are all the same specified packet direction, satisfying the continuity constraint;
    the packet length mean statistical pattern specifies: on the stream direction and packet positions, the mean packet length of all packets matches one packet length feature, and the expected packet count is set to the number of packet positions;
    the round packet length sum statistical pattern specifies: on the bidirectional stream direction and packet positions, each change of stream direction is treated as the beginning of a new round of packets, the sum of the packet lengths of all packets in a specified round matches one packet length feature, and the expected packet count is set to the round number;
    the byte transmit/receive ratio statistical pattern specifies: on the bidirectional stream direction and packet positions, the ratio of the uplink byte count to the downlink byte count matches one packet length feature, and the expected packet count is set to the number of positions.
  11. The encrypted traffic identification device according to claim 6, characterised in that: the stream to be identified is a Transmission Control Protocol (TCP) stream, the packets are packets carrying a payload, and the encrypted traffic identification device identifies at most the first 60 payload-carrying packets of the stream to be identified.
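As an added example that is not part of the patent or the applicant's implementation, the following Python sketch puts the claimed matching steps together: the position and packet length features of claims 3 and 8, two of the statistical patterns of claims 4 and 10 (packet length sequence and round packet length sum), the logical relation between the patterns of a rule, the 60-packet limit of claims 5 and 11, and the highest-priority selection of claims 1 and 6. The sample flow, the rule names `app-A`/`app-B`/`app-C` and all helper names are constructed for this example.

```python
from dataclasses import dataclass

UP, DOWN = "up", "down"
MAX_PAYLOAD_PKTS = 60  # claims 5 and 11: only the first 60 payload-carrying packets count

@dataclass(frozen=True)
class Pkt:
    direction: str
    length: int  # payload bytes

def select(flow, direction=None, positions=None):
    """Position feature: one stream direction (None = bidirectional), optional 1-based positions."""
    pkts = [p for p in flow[:MAX_PAYLOAD_PKTS] if direction in (None, p.direction)]
    return pkts if positions is None else [p for i, p in enumerate(pkts, 1) if i in positions]

def length_ok(feature, value):
    """Packet length feature: a specific value, a (lo, hi) range, or None for a variable."""
    if feature is None:
        return True
    if isinstance(feature, tuple):
        return feature[0] <= value <= feature[1]
    return value == feature

def seq_pattern(features, direction=None, positions=None):
    """Length sequence pattern: contiguous, ordered packets carrying the listed features;
    the expected packet count is the length of the feature list."""
    def match(flow):
        pkts = select(flow, direction, positions)
        return len(pkts) >= len(features) and all(
            length_ok(f, p.length) for f, p in zip(features, pkts))
    return match

def round_sum_pattern(round_no, feature):
    """Round length-sum pattern: each direction change starts a new round; the byte sum of
    round `round_no` (1-based) must match the feature."""
    def match(flow):
        rounds = []  # [direction, byte sum] per round
        for p in select(flow):
            if rounds and rounds[-1][0] == p.direction:
                rounds[-1][1] += p.length
            else:
                rounds.append([p.direction, p.length])
        return len(rounds) >= round_no and length_ok(feature, rounds[round_no - 1][1])
    return match

@dataclass
class Rule:
    app: str
    priority: int
    patterns: list
    logic: str = "all"  # logical relation between the contained patterns: "all" or "any"

    def matches(self, flow):
        hits = [m(flow) for m in self.patterns]
        return all(hits) if self.logic == "all" else any(hits)

def identify(flow, rules):
    """Claims 1 and 6: of the matching rules, the highest-priority one names the application."""
    hits = [r for r in rules if r.matches(flow)]
    return max(hits, key=lambda r: r.priority).app if hits else None

# Constructed sample flow (not captured traffic) and constructed rules.
SAMPLE_FLOW = [Pkt(UP, 517), Pkt(DOWN, 1460), Pkt(DOWN, 1460), Pkt(DOWN, 300),
               Pkt(UP, 126), Pkt(DOWN, 51), Pkt(UP, 200), Pkt(DOWN, 900)]
RULES = [
    Rule("app-A", 10, [seq_pattern([517], UP), seq_pattern([(1400, 1460)] * 2, DOWN)]),
    Rule("app-B", 20, [seq_pattern([(1000, 1460)], positions={1})]),  # packet 1 is 517 bytes
    Rule("app-C", 5, [round_sum_pattern(2, (3000, 3300))]),          # round 2 sums to 3220
]
```

`identify(SAMPLE_FLOW, RULES)` returns `app-A`: both `app-A` and `app-C` match, and the higher priority wins, while the higher-priority `app-B` never enters the identification set because its pattern fails.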
CN201310741617.4A 2013-12-27 2013-12-27 Encryption method for recognizing flux and device Active CN103873320B (en)
Publications (2)

Publication Number Publication Date
CN103873320A CN103873320A (en) 2014-06-18
CN103873320B true CN103873320B (en) 2017-06-13