CN104333483A - Identification method, system and identification device for internet application flow

Publication number: CN104333483A
Application number: CN201410578118.2A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 黄志云
Original and current assignee: SHENZHEN AOTIAN COMMUNICATION CO Ltd
Prior art keywords: feature code, data message, information, message, verification rule
Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract

The invention discloses an identification method, system and identification device for Internet application traffic. The system comprises: an initialization module for creating a DPI processing thread and requesting flow table memory of a preset size; an array search tree positioning module for building a feature code search tree from feature code information; a data message processing module for parsing a received data message to obtain the start address of its communication content, and for merging the data messages that belong to the same five-tuple into one data flow; and a feature code detection module for scanning, according to the feature code search tree and the flow table information and by means of a composite verification rule, the information that begins at the start address of the communication content, searching for a matching feature code, and determining the application the data message belongs to from the matched feature code. A single message scan can detect whether the data message contains the feature code of an application, which improves the efficiency of multi-feature-code scanning and identification.

Description

Internet application traffic identification method, system and identification device
Technical field
The present invention relates to the field of data analysis, and in particular to an Internet application traffic identification method, system and identification device.
Background
In TCP/IP communication, what Internet network management cares about most is which traffic accounts for the largest share of the service provided and which traffic can congest the pipe. In existing network management systems, the traffic share of each IP address and port can be learned from the network traffic (NetFlow) statistics of network elements, but this falls far short of what network management needs: network managers care more about which specific application (such as communication software) is occupying valuable bandwidth, possibly even affecting priority services that must be guaranteed. Identifying the content of the traffic in an Internet pipe requires DPI (Deep Packet Inspection) technology, and the key question in DPI is how to use feature codes to identify, efficiently and accurately, the application that traffic belongs to.
Feature code identification currently generally uses regular expression matching. Regular expressions can match information of arbitrary length and position and are flexible to use and manage, but they are inefficient. With the growth of Internet applications, and especially the arrival of the mobile Internet, the number of applications has exploded and so has the number of feature codes that must be matched. The number of times the system has to scan a data message is proportional to the number of feature codes, so identification efficiency falls in inverse proportion to the number of feature codes.
Summary of the invention
In view of the above, the present invention proposes an Internet application traffic identification method, system and identification device which, by combining a flow table with feature code identification, can detect in a single message scan whether a data message contains the feature code of an application, thereby improving the efficiency of multi-feature-code scanning.
An Internet application traffic identification method comprises: an initialization step of creating a deep packet inspection processing thread and requesting flow table memory of a preset size; an array search tree positioning step of reading feature code information from a preset feature code configuration file and building a feature code search tree from that information; a data message processing step one of parsing a received data message to obtain the start address of the communication content of the data message; a data message processing step two of building flow table information from preset five-tuple information and merging the data messages that belong to one five-tuple into one data flow; a feature code detection step of performing, according to the feature code search tree and the flow table information and by means of a composite verification rule, one message scan over the information that begins at the start address of the communication content, and searching for a matching feature code, the composite verification rule comprising a basic verification rule and additional verification rules; and a feature code detection step two of determining the application the data message belongs to from the matched feature code.
An Internet application traffic identification system comprises: an initialization module for creating a deep packet inspection processing thread and requesting flow table memory of a preset size; an array search tree positioning module for reading feature code information from a preset feature code configuration file and building a feature code search tree from that information; a data message processing module for parsing a received data message to obtain the start address of the communication content of the data message, and also for building flow table information from preset five-tuple information and merging the data messages that belong to one five-tuple into one data flow; and a feature code detection module for performing, according to the feature code search tree and the flow table information and by means of a composite verification rule, one message scan over the information that begins at the start address of the communication content, and searching for a matching feature code, the composite verification rule comprising a basic verification rule and additional verification rules, and also for determining the application the data message belongs to from the matched feature code.
An identification device comprises: a memory; a processor; and one or more modules stored in the memory and configured to be executed by the processor to carry out the following instructions: create a deep packet inspection processing thread and request flow table memory of a preset size; read feature code information from a preset feature code configuration file and build a feature code search tree from that information; parse a received data message to obtain the start address of the communication content of the data message; build flow table information from preset five-tuple information and merge the data messages that belong to one five-tuple into one data flow; perform, according to the feature code search tree and the flow table information and by means of a composite verification rule, one message scan over the information that begins at the start address of the communication content, and search for a matching feature code, the composite verification rule comprising a basic verification rule and additional verification rules; and determine the application the data message belongs to from the matched feature code.
Compared with the prior art, the Internet application traffic identification method, system and identification device of the present invention combine a flow table with feature code identification so that a single message scan can detect whether a data message contains the feature code of an application. This improves the efficiency of multi-feature-code scanning and overcomes the low multi-feature-code scanning efficiency of the prior art.
 
Brief description of the drawings
Fig. 1 shows the application environment of the Internet application traffic identification system of the present invention;
Fig. 2 is a functional block diagram of the Internet application traffic identification system of the present invention;
Fig. 3 is a flow chart of the Internet application traffic identification method of the present invention.
Embodiment
To make the present invention easier to understand, the key techniques used in this embodiment are first described briefly.
Array search tree positioning: flow table and feature code table entries are located quickly by means of an array search tree. In this embodiment the array search tree is organised as arrays and comprises a flow table search tree and a feature code table search tree. The flow table makes it possible to organise and reassemble the data of one session and reduces redundant detection of data belonging to the same application. The feature code table makes fast matching of applications possible.
Feature code matching and ordering: data messages are identified quickly by comparing positions and ASCII bytes, and several detection methods are combined to improve accuracy; a self-learning dynamic ordering of feature codes adjusts the priority of feature code identification dynamically in order to optimise performance.
Fig. 1 shows the application environment of the Internet application traffic identification system of the present invention. The Internet application traffic identification system 26 (hereinafter also called "the system") runs in an identification device 2, which may have a data acquisition interface 20 and a transmission interface 22. The identification device 2 obtains the data messages to be parsed (such as IP messages) through the data acquisition interface 20 and uploads the analysis results to other equipment (such as a central server) through the transmission interface 22. The identification device 2 also comprises a memory 24 and a processor 28 connected by a data line or signal line. In this embodiment the identification device 2 may be a DPI (Deep Packet Inspection) device. Note that Fig. 1 is only a schematic illustration of the software and hardware structure of the identification device 2; the device also includes other necessary electronic components and application software, which are not described here.
The Internet application traffic identification system 26 is stored in the memory 24 of the identification device 2. Using the flow table and feature code identification, it detects in one message scan whether a data message contains the feature code of an application and thereby determines the application the data message belongs to; the method is described with reference to Fig. 3. Note that in other embodiments the Internet application traffic identification system 26 may also be installed in other equipment, such as a server.
In this embodiment the Internet application traffic identification system 26 may provide one or more modules, which are stored in the memory 24 of the identification device 2 and configured to be executed by one or more processors (one processor 28 in this embodiment) to carry out the present invention. For example, as shown in Fig. 2, the Internet application traffic identification system 26 comprises an initialization module 261, an array search tree positioning module 262, a data message processing module 263, a feature code detection module 264, a feature code ordering module 265 and a feature code hybrid detection module 266. A module in the sense of the present invention is a computer program code segment that performs a specific function and is better suited than a program to describing how software executes in a computer; the function of each module is described with reference to Fig. 3.
Fig. 3 is a flow chart of the Internet application traffic identification method of the present invention.
Step S101: the initialization module 261 creates a DPI (Deep Packet Inspection) processing thread and requests flow table memory of a preset size.
Typically, Internet access produces a large number of concurrent session connections, and in a DPI implementation every session connection has to be kept in the flow table. To improve traffic identification performance and prevent memory fragmentation, the system requests a large block of memory in advance for later use by the flow table.
Step S102: the array search tree positioning module 262 reads feature code information from a preset feature code configuration file and builds a feature code search tree from that information. In this embodiment the feature code configuration file may be a feature code table with a two-dimensional array structure, in which the first dimension is the ASCII character value of the feature code and the second dimension is the start position of the feature code.
In this embodiment the system builds the feature code search tree in advance, and to make feature code matching fast the tree is organised as arrays. Since the data carried in Internet data messages is a binary ASCII-coded stream and a one-byte ASCII code lies in the range 0-255, a one-dimensional array of 256 entries can quickly locate feature codes by one feature character, and a one-dimensional array of 65536 entries can quickly locate feature codes by two consecutive feature characters. In practice other features can be added, such as TCP (Transmission Control Protocol) or UDP (User Datagram Protocol), to form a two-dimensional or multi-dimensional array and keep the data well dispersed.
In this embodiment, to resolve memory address collisions, a chain of feature code pointers is attached to the end of the array-organised feature code search tree. For example, the feature codes C0:0x00, C2:0x03, C5:0xfe and C0:0x00, C4:0x04, C5:0xff are both attached to the feature code search tree entry with array index [0]. The n in C<n> is the distance from the first feature character; if n is negative, it is a position counted back from the end of the data message. C denotes an ASCII character match, and the 0x value that follows is the ASCII code. Real feature codes can include other features as well, for example P1:1035, which checks that the destination port of the data message is 1035, or L2:512, which checks that the content length of the data message is 512.
Step S103: the data message processing module 263 parses the received data message and obtains the start address of the communication content of the data message. The data message is a TCP/IP data message, and the start address of the communication content is the head pointer of the communication content.
In this embodiment the data message processing module 263 captures the TCP/IP data messages flowing through the Internet pipe via the data acquisition interface 20, parses them and, following the TCP/IP protocol standards, strips the TCP/IP header information to obtain the start address of the communication content. The information after this start address is the content that the identification device 2 (such as a DPI device) has to analyse and identify.
Step S104: the data message processing module 263 builds flow table information from preset five-tuple information and merges the data messages that belong to one five-tuple into one data flow (hereinafter also called a "flow"). In this embodiment one data flow corresponds to one flow node.
Specifically, the data message processing module 263 first determines whether the flow table entry exists. If it does not exist, step S104 is performed and a flow node is added; if it exists, step S104 is skipped and step S105 is performed directly.
In this embodiment the data message processing module 263 builds the flow table information from the TCP/IP five-tuple (source IP, destination IP, source port, destination port, protocol). The data messages that belong to one five-tuple are called a data flow, and the data messages in a data flow necessarily belong to the same application. Therefore, as soon as a feature is detected in any one data message of a data flow, the remaining data messages of that flow need not be inspected again, which improves detection efficiency as much as possible. In this embodiment the flow table is a hash array keyed by the five-tuple information, which keeps lookups fast.
In this embodiment the flow table avoids useless detection of data messages whose application has already been identified, which improves overall system performance. An example flow table structure is as follows:
struct SFlowNode                // flow node structure
{
    unsigned int   src_ip;      // source IP address
    unsigned int   dst_ip;      // destination IP address
    unsigned short src_port;    // source port
    unsigned short dst_port;    // destination port
    unsigned char  proto;       // IP protocol
    unsigned int   appid;       // application ID
    SFlowNode *n;               // next node in the same bucket chain
    SFlowNode *p;               // presumably the previous node in the chain
} PACK;
SFlowNode* m_hashFlowTable[MAX_OFF_SIZE][MAX_OFF1_SIZE][MAX_OFF2_SIZE];
In the example flow table structure above, the flow table is a three-dimensional array, which keeps the data sufficiently dispersed within limited memory and improves retrieval efficiency. The indices of the three-dimensional array form the hash key hash_key, which is derived from the five-tuple information, for example:
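unsigned int ipadd = core.src_ip + core.dst_ip;       // sum of both addresses
unsigned int port = core.src_port + core.dst_port;    // sum of both ports
unsigned int off = ipadd % MAX_OFF_SIZE;              // first-dimension index
unsigned int off1 = port % MAX_OFF1_SIZE;             // second-dimension index
unsigned int off2 = delta % MAX_OFF2_SIZE;            // third-dimension index (delta is not defined in this excerpt)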
A flow table search tree can be built from this three-dimensional array. Its memory footprint = size of the flow table structure * MAX_OFF_SIZE * MAX_OFF1_SIZE * MAX_OFF2_SIZE, and it can be adapted to devices with different amounts of memory by adjusting the macro definitions. MAX_OFF_SIZE, MAX_OFF1_SIZE and MAX_OFF2_SIZE are the sizes of the three dimensions (first, second and third) of the three-dimensional array.
If a data flow has not yet been identified, the system performs a fast lookup in the feature code table to find the application the data flow belongs to. If the data flow has been identified (a flow node matches), two monitor counters record the flow table hits so that the dispersion of the lookups can be judged, for example:
SFlowNode *p = m_hashFlowTable[off][off1][off2];
while (p)
{
    Monitor.flowsearchcnt++;    // flow table hit counter: one per node visited
    // match the flow node
    if (ipadd == p->src_ip + p->dst_ip && port == (unsigned int)(p->dst_port + p->src_port) && core.proto == p->proto)
    {
        // the five-tuple already exists
        break;                  // keep p pointing at the matched node
    }
    p = p->n;
}
if (!p)
{
    // no node matched: create a new flow table node
    Monitor.flowcnt++;          // new flow table node counter
}
The values of these two monitor counters (the flow table hit counter and the new flow table node counter) indicate how well dispersed the lookups are.
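The flow table logic of steps S101 and S104 as a complete C program, added here as an illustration and not taken from the patent: nodes come from a pool reserved up front, a flow is looked up in the three-dimensional bucket array, and the feature code scan is skipped once the flow carries an application ID. The dimension sizes, the use of the protocol number for the third index (the page leaves `delta` undefined), the field-by-field comparison in both directions and the `toy_detect` stand-in are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_OFF_SIZE  64            /* dimension sizes are arbitrary demo values */
#define MAX_OFF1_SIZE 16
#define MAX_OFF2_SIZE 4
#define POOL_NODES    2             /* kept tiny so the exhaustion path is reachable */

typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
} Tuple;

typedef struct FlowNode {
    Tuple t;
    unsigned appid;                 /* 0 = not identified yet */
    struct FlowNode *n;             /* next node in the same bucket */
} FlowNode;

typedef unsigned (*Detector)(const uint8_t *payload, size_t len);

static FlowNode  pool[POOL_NODES];  /* step S101: flow memory reserved up front */
static size_t    pool_used;
static FlowNode *table[MAX_OFF_SIZE][MAX_OFF1_SIZE][MAX_OFF2_SIZE];
struct { unsigned flowsearchcnt, flowcnt, scans; } monitor;

/* Same session in either direction, compared field by field. */
static int same_flow(const Tuple *a, const Tuple *b)
{
    if (a->proto != b->proto) return 0;
    int fwd = a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
              a->src_port == b->src_port && a->dst_port == b->dst_port;
    int rev = a->src_ip == b->dst_ip && a->dst_ip == b->src_ip &&
              a->src_port == b->dst_port && a->dst_port == b->src_port;
    return fwd || rev;
}

/* Find the node for a five-tuple, creating it on first sight.
 * Returns NULL when the preallocated pool is exhausted. */
FlowNode *flow_get(const Tuple *t)
{
    /* Sums put both directions of a session into the same bucket. */
    unsigned off  = (t->src_ip + t->dst_ip) % MAX_OFF_SIZE;
    unsigned off1 = ((unsigned)t->src_port + t->dst_port) % MAX_OFF1_SIZE;
    unsigned off2 = t->proto % MAX_OFF2_SIZE;   /* assumption, see lead-in */
    for (FlowNode *p = table[off][off1][off2]; p; p = p->n) {
        monitor.flowsearchcnt++;    /* nodes visited; long chains mean poor dispersion */
        if (same_flow(&p->t, t)) return p;
    }
    if (pool_used == POOL_NODES) return NULL;
    FlowNode *node = &pool[pool_used++];
    node->t = *t;
    node->appid = 0;
    node->n = table[off][off1][off2];
    table[off][off1][off2] = node;
    monitor.flowcnt++;
    return node;
}

/* Scan a packet only while its flow is still unidentified. */
unsigned classify_packet(const Tuple *t, const uint8_t *payload, size_t len, Detector detect)
{
    FlowNode *f = flow_get(t);
    if (f && f->appid) return f->appid;         /* already identified: no scan */
    monitor.scans++;
    unsigned app = detect(payload, len);
    if (f) f->appid = app;                      /* without a node nothing is cached */
    return app;
}

/* Constructed stand-in for the feature code scan: app 7 if the payload starts with 0x16. */
unsigned toy_detect(const uint8_t *payload, size_t len)
{
    return len > 0 && payload[0] == 0x16 ? 7u : 0u;
}

/* Constructed sample traffic (documentation address ranges). */
static const Tuple C2S       = { 0xC0000201u, 0xC6336407u, 40000, 443, 6 };
static const Tuple S2C       = { 0xC6336407u, 0xC0000201u, 443, 40000, 6 };
static const Tuple NEIGHBOUR = { 0xC0000202u, 0xC6336406u, 40001, 442, 6 };  /* same bucket, other session */
static const Tuple THIRD     = { 0xC0000209u, 0xC6336407u, 50000, 53, 17 };
static const uint8_t HELLO[] = { 0x16, 0x03, 0x01 };
static const uint8_t OTHER[] = { 0x17, 0x03, 0x03 };

int main(void)
{
    classify_packet(&C2S, OTHER, sizeof OTHER, toy_detect);
    classify_packet(&C2S, HELLO, sizeof HELLO, toy_detect);
    unsigned app = classify_packet(&S2C, OTHER, sizeof OTHER, toy_detect);
    printf("app=%u scans=%u flows=%u visited=%u\n",
           app, monitor.scans, monitor.flowcnt, monitor.flowsearchcnt);
    return 0;
}
```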
Step S105: the feature code detection module 264, according to the feature code search tree and the flow table information and by means of a single verification rule, performs one message scan (also called a "single byte-by-byte scan") over the information that begins at the start address of the communication content and searches for a matching feature code. In this embodiment the single verification rule is fixed-position feature code identification, that is, the feature code is identified at a fixed position of the data message.
Specifically, the feature code detection module 264 performs one message scan as follows: starting from the start address of the communication content, it takes the ASCII value of the byte at the current position, uses that value as the index into the feature code search tree array, and looks up the feature code node pointer at that index. If the feature code node pointer is null, the system has no feature code that starts with the feature character at the current position, and the scan moves straight on to the next position. If the feature code node pointer is not null, all feature code nodes on that pointer chain are traversed; as soon as a feature code node is hit, the loop exits and the scan ends.
In this embodiment a feature code node contains the position information of each feature character; comparing by pointer offset and ASCII byte achieves the same function as a regular expression in the most concise way.
In this embodiment, with this feature code detection technique, one message scan can detect whether a data message contains the feature code of an application, so that the application a data message belongs to is identified quickly from the data traffic. The feature code table structure is as follows:
struct SCharc;                              // declared below
struct SCharcHeadMarkIndex
{
    SCharc *CharcList;                      // head of the feature code pointer chain
};
// feature byte string
struct SCharc
{
    unsigned int app_id;                    // application ID
    char charcs[MAX_PROTO_CHARC_LEN];       // feature code string
    SMark *tab;                             // feature code after decomposition
    SCharc *next;                           // next feature code
    SCharc *pre;                            // previous feature code
    unsigned int hitscnt;                   // hit count
};
SCharcHeadMarkIndex m_HeadDic[256][100];    // feature code hash table
In this embodiment the feature code nodes are built from the feature code table, which has a two-dimensional array structure: the first dimension is the ASCII character value and the second dimension is the start position of the feature code. This embodiment scans the feature code information in the first 100 bytes, for example:
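// scan the first 100 bytes of the communication content
for (int i = 0; i < core->DataLength && i < 100; i++)
{
    unsigned char value = (unsigned char)core->pData[i];
    SCharcHeadMarkIndex *pIndex = &m_HeadDic[value][i];    // chain for this byte value at this position
    if (pIndex->CharcList)
    {
        if (CheckCharc(core, pIndex, i) > 0)
            return true;                                   // a feature code matched: stop scanning
    }
}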
In this embodiment the feature code string is looked up directly from the ASCII value and position information of the data message, for example:
// match each SCharc in turn; return 1 on successful identification, otherwise 0
int CAppProtoLib::CheckCharc(BizCore *core, SCharcHeadMarkIndex *pIndex, int offset)
{
    SCharc *pCharc = pIndex->CharcList;
    while (pCharc)
    {
        SMark *pMark = pCharc->tab;
        if (MatchSChar(core, pMark))
        {
            pCharc->hitscnt++;      // accumulate the hit count of this feature code
            // sort Charc List
            return 1;
        }
        pCharc = pCharc->next;
    }
    return 0;
}
Step S106: the feature code detection module 264 determines the application the data message belongs to from the matched feature code. For example, if the matched feature code belongs to a game application, the data message is determined to belong to a game.
Step S107: the feature code ordering module 265 adjusts the order of the matched feature codes so that the feature code with the highest hit rate comes first. This optimises the ordering of the feature codes and improves identification efficiency.
Specifically, in this embodiment each feature code node is given a hit (hits) counter that accumulates the number of times the node has been hit; each hit increases the counter by 1. On every match, the feature code ordering module 265 checks whether the hit counter value (the hit count) of the node following the feature code node pointer is greater than that of the current node. If the hit counter value of the next node is greater than that of the current node, the next node is moved in front of the current node, which optimises the ordering of the feature codes; if it is less than or equal to that of the current node, nothing is done.
After the system has adjusted itself for some time, the feature codes with high hit rates are automatically arranged at the head, which optimises performance. This bubble-sort-like method is event driven: a node pointer is moved only when the hit count of the next node is greater than that of the current node, so it consumes almost no processing capacity of the processor 28.
Note that the order of steps S101 to S107 can be adjusted and some steps can be omitted; for example, step S107 can be placed after step S105 and before S106, or it can be omitted altogether.
In a second embodiment, step S105 can be replaced with step S105': the feature code hybrid detection module 266, according to the feature code search tree and the flow table information and by means of a composite verification rule, performs one message scan over the information that begins at the start address of the communication content and searches for a matching feature code.
In this second embodiment the composite verification rule comprises a basic verification rule and additional verification rules. The basic verification rule is fixed-position feature code identification, that is, the verification rule used in step S105 of the first embodiment. The additional verification rules include: floating-position feature code identification, comparing the value at a specified position with the packet length, comparing the message port, comparing the message length, comparing the number of messages with the same feature code prefix, and so on.
The following example shows how the composite verification rule is applied:
int CAppProtoLib::MatchSChar(BizCore *core, SMark *pMark)
{
    switch (pMark->type)
    {
    case 'C':
        // fixed-position feature code identification
        break;
    case 'F':
        // floating-position feature code identification
        break;
    case 'R':
        // compare the value at the specified position with the packet length;
        // an R-type feature code uses only 2 bytes for the length. R: low byte first, high byte second
        break;
    case 'r':
        // compare the value at the specified position with the packet length;
        // an R-type feature code uses only 2 bytes for the length. r: high byte first, low byte second
        break;
    case 'P':
        // compare the message port
        break;
    case 'L':
        // compare the message length
        break;
    case 'N':
        // compare the number of messages with the same feature code prefix
        break;
    default:
        break;
    }
    return RSuccess;
}
Particularly, each verification rule definition is as follows:
C type: namely substantially verify rule (fixed position condition code identification), represents and occurs fixed character information in the fixed position of packet, be expressed as: Cx:Y.
Illustrate: x is the fixed position of data, i.e. an xth byte, wherein, the byte of data counts from 0; Y represents the content occurred in X byte, as C0:0xFE, represents that in the content of the 0th byte be 0xFE.
F type: i.e. floating position condition code identification, occur fixed character information for representing continuously at some relative position of packet, but position is not fixed, method for expressing is: F0:X0, F1:X1, F2:X2.
Note: the number after F is the relative position, counted from 0 and increasing in sequence. X0, X1, X2, etc. are the characters at the corresponding relative positions; for example, X1 is the character at the first relative position.
R/r type: compares the value at a specified position with the packet length. It has two variants (R type and r type) and is written as: [R/r][LOC]:[Value].
Note: the expression consists of 3 elements, described as follows.
R/r: either R type (the first type) or r type (the second type); both are referred to as R-type feature codes;
LOC: the starting position of the bytes that hold the length value; the 2 bytes at LOC and LOC+1 are the length value. For R type, the former byte (position LOC) is the low-order byte and the latter byte (position LOC+1) is the high-order byte; for r type, the former byte is the high-order byte and the latter byte is the low-order byte. This yields the data length XX.
Value: the selectable values are defined as follows, and from them the data length YY can be calculated.
0: the length of the data portion of the packet;
1: the data length including the 2 bytes at position LOC, not including the bytes before LOC;
2: the length not including the 2 bytes at position LOC, and also not including the bytes before LOC.
The rule for the R/r type is: if XX = YY, the feature code is judged to meet the requirement.
P type: compares the message port. It represents the port of the transport-layer protocol and is written as: P:port.
L type: compares the message length. It represents a length check on the application-layer packet and is written as: L[val]:[length].
length is the length of the application-layer packet, and val takes one of the following three values, each of which determines how the check is computed.
0: length is equal to the actual application-layer packet length, then the requirement is met;
1: length is greater than or equal to the actual application-layer packet length, then the requirement is met;
2: length is less than or equal to the actual application-layer packet length, then the requirement is met.
N type: compares the number of messages with the same feature code prefix. It represents a limit on the number of uplink packets in a single data flow and is written as: N:[second], where second is any integer in the range [1, 15]. If the number of uplink packets in a single data flow is < second, the requirement is met.
In this embodiment, the combined verification rule can select several verification rules from the basic verification rule and the additional verification rules and combine them into a hybrid feature code detection technique. With this hybrid detection technique, when the system detects a feature code it not only scans for a matching character string at a fixed position in the data message, but also checks the length information implied in the data message, the feature message length information, the port information, and feature messages exceeding a certain number within the same flow. By defining the additional verification rules above, combined matching of multiple kinds of feature code can be realized, misjudgment in feature code identification is reduced, and application identification becomes more reliable, whereas regular expressions in the prior art can only match characters.
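As an added example (not code from the patent), the additional verification rules R/r, P, L and N described above can be evaluated against a packet as follows. The `Packet` fields, the function names, the reading of Value 0/1/2 as payload length, payload length minus LOC, and payload length minus LOC minus 2, the use of the destination port for P, and the requirement that every rule of a signature must pass are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    payload: bytes      # application-layer data ("communication content")
    port: int           # transport-layer port (assumed: destination port)
    uplink_count: int   # uplink packets counted so far in this flow (flow table)

# Rule syntax from the text: [R/r][LOC]:[Value], P:port, L[val]:[length], N:[second]
RULE_RE = re.compile(
    r"^(?:([Rr])(\d+):([012])|P:(\d+)|L([012]):(\d+)|N:(\d+))$")

def check_rule(rule: str, pkt: Packet) -> bool:
    """Evaluate one additional verification rule against one packet."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unsupported rule: {rule!r}")
    rtype, loc, value, port, lval, length, second = m.groups()
    n = len(pkt.payload)

    if rtype is not None:                    # R/r: embedded length field
        loc = int(loc)
        if loc + 2 > n:                      # field lies outside the payload
            return False
        # R: byte at LOC is low-order; r: byte at LOC is high-order
        order = "little" if rtype == "R" else "big"
        xx = int.from_bytes(pkt.payload[loc:loc + 2], order)
        # YY per Value (assumed reading of the three options in the text)
        yy = {"0": n, "1": n - loc, "2": n - loc - 2}[value]
        return xx == yy
    if port is not None:                     # P: transport-layer port
        return pkt.port == int(port)
    if lval is not None:                     # L: application-layer length
        length = int(length)
        return {"0": length == n, "1": length >= n, "2": length <= n}[lval]
    second = int(second)                     # N: uplink packet limit
    if not 1 <= second <= 15:
        raise ValueError("N rule: second must be in [1, 15]")
    return pkt.uplink_count < second

def matches(rules: list[str], pkt: Packet) -> bool:
    """Assumed combination: every rule of the signature must hold."""
    return all(check_rule(r, pkt) for r in rules)

# Constructed sample: 2 header bytes, a little-endian length field at
# offset 2 holding the number of bytes that follow it, then 6 data bytes.
SAMPLE = Packet(b"\xab\xcd" + (6).to_bytes(2, "little") + b"hello!",
                port=8000, uplink_count=2)
SIGNATURE = ["R2:2", "P:8000", "L0:10", "N:3"]   # hypothetical signature

if __name__ == "__main__":
    print(matches(SIGNATURE, SAMPLE))
```

A payload that is too short to contain the two length bytes fails the R/r check instead of raising, so truncated packets never match a length-based signature.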
In summary, the Internet application traffic identification method of the present invention solves the following technical problems: 1) the performance impact of multi-feature-code scanning on the system; 2) the impact of feature code scanning of long-connection data flows on system performance; 3) identification of Internet traffic by multiple detection means, avoiding traffic misjudgment.
Because the above technical scheme is adopted, fast feature code retrieval and positioning can be realized, with the following advantages: 1) as the number of applications grows, the impact of the increasing number of feature codes on the system is reduced to a minimum; for applications with long connections, system performance actually improves as feature codes are identified, because once a feature code has been identified in one data message of a data flow, the subsequent data messages of that data flow do not need to be inspected again; 2) multi-condition flow identification can be realized, avoiding system misjudgment caused by scanning with a single regular expression; 3) the data message processing performance problem of high-speed, high-capacity networks is solved.
In addition, it should be pointed out that the Internet application traffic identification method of the present invention is reliable and can identify the vast majority of common communication software from the feature codes of packets accessing the Internet, such as IM (Instant Messaging) software, game software, audio/video playback software, etc. The method is simple in design and reliable in performance, and different business purposes can be served by tuning the hash value. On an ordinary PC server with dual 4-core processors and 32G of memory, the method can meet the identification and analysis capacity of 2*10Gbps of traffic, overcoming the insufficient multi-feature-code scanning performance of the prior art.
The above is a detailed description of the present invention in conjunction with specific preferred embodiments, and the specific implementation shall not be regarded as limited to these descriptions. A person of ordinary skill in the art may make some simple deductions or substitutions without departing from the concept of the invention, and all of these shall be regarded as falling within the protection scope of the present invention.

Claims (10)

1. An Internet application traffic identification method, characterized in that the method comprises:
An initialization step: creating a deep packet inspection processing thread, and requesting flow table memory of a preset size;
An array search tree positioning step: reading feature code information from a preset feature code configuration file, and building a feature code search tree according to this feature code information;
Data message processing step one: parsing the received data message to obtain the start position address of the communication content of the data message;
Data message processing step two: establishing flow table information according to preset five-tuple information, and merging the data messages belonging to one five-tuple into one data flow;
A feature code detection step: according to the feature code search tree and the flow table information, performing a message scan, by means of a combined verification rule, on the information beginning at the start position address of the communication content, and searching for a matching feature code, the combined verification rule comprising a basic verification rule and additional verification rules; and
Feature code detection step two: determining the application to which the data message belongs according to the matched feature code.
2. The Internet application traffic identification method according to claim 1, characterized in that the method further comprises:
A feature code ordering step: adjusting the order of the matched feature codes, and placing the feature code with the highest hit rate first.
3. The Internet application traffic identification method according to claim 2, characterized in that the feature code ordering step comprises:
Setting a hit counter for each feature code node, the hit counter accumulating the number of hits of each feature code node;
On each match hit, checking whether the hit counter value of the next node of the feature code node pointer is greater than the hit counter value of the current node; and
If the hit counter value of the next node is greater than the hit counter value of the current node, moving the next node in front of the current node.
4. The Internet application traffic identification method according to claim 1, characterized in that the basic verification rule comprises fixed-position feature code identification, and the additional verification rules comprise floating-position feature code identification, comparing a specified position value with the packet length, comparing the message port, comparing the message length, and comparing the number of messages with the same feature code prefix.
5. The Internet application traffic identification method according to claim 4, characterized in that:
The fixed-position feature code identification means that fixed feature information appears at a fixed position in the packet;
The floating-position feature code identification means that fixed feature information appears contiguously at a non-fixed position in the packet.
6. The comparing of a specified position value with the packet length means that the length is represented in the feature code by only two bytes, and comprises a first type and a second type; the first type defines the former byte as the low-order byte and the latter byte as the high-order byte; the second type defines the former byte as the high-order byte and the latter byte as the low-order byte;
The comparing of the message port means comparing the port of the transport-layer protocol;
The comparing of the message length means a length check on the application-layer packet; and
The comparing of the number of messages with the same feature code prefix means comparing the number of uplink packets in a single data flow.
7. An Internet application traffic identification system, characterized in that the system comprises:
An initialization module, for creating a deep packet inspection processing thread and requesting flow table memory of a preset size;
An array search tree positioning module, for reading feature code information from a preset feature code configuration file and building a feature code search tree according to this feature code information;
A data message processing module, for parsing the received data message to obtain the start position address of the communication content of the data message;
The data message processing module being further for establishing flow table information according to preset five-tuple information, and merging the data messages belonging to one five-tuple into one data flow;
A feature code detection module, for performing, according to the feature code search tree and the flow table information and by means of a combined verification rule, a message scan on the information beginning at the start position address of the communication content, and searching for a matching feature code, the combined verification rule comprising a basic verification rule and additional verification rules; and
The feature code detection module being further for determining the application to which the data message belongs according to the matched feature code.
8. The Internet application traffic identification system according to claim 6, characterized in that the system further comprises:
A feature code ordering module, for adjusting the order of the matched feature codes and placing the feature code with the highest hit rate first.
9. The Internet application traffic identification system according to claim 7, characterized in that the adjusting of the order of the matched feature codes by the feature code ordering module comprises:
Setting a hit counter for each feature code node, the hit counter accumulating the number of hits of each feature code node;
On each match hit, checking whether the hit counter value of the next node of the feature code node pointer is greater than the hit counter value of the current node; and
If the hit counter value of the next node is greater than the hit counter value of the current node, moving the next node in front of the current node.
10. The Internet application traffic identification system according to claim 6, characterized in that the basic verification rule comprises fixed-position feature code identification, and the additional verification rules comprise floating-position feature code identification, comparing a specified position value with the packet length, comparing the message port, comparing the message length, and comparing the number of messages with the same feature code prefix;
An identification device, characterized in that the identification device comprises:
A memory;
A processor; and
One or more modules, the one or more modules being stored in the memory and configured to be executed by the processor to carry out the following instructions:
Creating a deep packet inspection processing thread, and requesting flow table memory of a preset size;
Reading feature code information from a preset feature code configuration file, and building a feature code search tree according to this feature code information;
Parsing the received data message to obtain the start position address of the communication content of the data message;
Establishing flow table information according to preset five-tuple information, and merging the data messages belonging to one five-tuple into one data flow;
According to the feature code search tree and the flow table information, performing a message scan, by means of a combined verification rule, on the information beginning at the start position address of the communication content, and searching for a matching feature code, the combined verification rule comprising a basic verification rule and additional verification rules; and
Determining the application to which the data message belongs according to the matched feature code.
CN201410578118.2A 2014-10-24 2014-10-24 Identification method, system and identification device for internet application flow Pending CN104333483A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410578118.2A CN104333483A (en) 2014-10-24 2014-10-24 Identification method, system and identification device for internet application flow

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410578118.2A CN104333483A (en) 2014-10-24 2014-10-24 Identification method, system and identification device for internet application flow

Publications (1)

Publication Number Publication Date
CN104333483A true CN104333483A (en) 2015-02-04

Family

ID=52408141

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410578118.2A Pending CN104333483A (en) 2014-10-24 2014-10-24 Identification method, system and identification device for internet application flow

Country Status (1)

Country Link
CN (1) CN104333483A (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150204