CN105162626B - Network flow depth recognition system and recognition methods based on many-core processor

Publication number: CN105162626B
Authority: CN (China)
Application number: CN201510514488.4A
Other languages: Chinese (zh)
Other versions: CN105162626A (en)
Inventors: 陈亮, 孟进, 王建
Current assignee: Xian Polytechnic University
Original assignee: Xian Polytechnic University
Legal status (an assumption, not a legal conclusion): Expired - Fee Related
Prior art keywords: rule, module, protocol, matching, protocol domain

Abstract

The invention discloses a network flow depth recognition system based on a many-core processor and a corresponding recognition method. First, the semantic-based rule module establishes a semantic-based rule base, the rule parsing module parses the rules in the rule base, and the multilevel matching tree module then generates a multilevel matching tree. The receiving module obtains raw network data and performs IP fragment reassembly and TCP reassembly on it in turn to obtain transport layer data. The protocol type that the transport layer data uses at the application layer is identified according to the protocol specification regular expressions defined by the protocol specification module, and the structured protocol data module then structures the application layer data. Finally, the matching engine module performs rule matching on the structured application layer data according to the multilevel matching tree and passes the successful matches to the user behavior statistics module for counting, which completes network flow depth recognition.

Description

Network flow depth recognition system and recognition methods based on many-core processor
Technical field
The invention belongs to the technical field of network traffic management. It relates to a network flow depth recognition system based on a many-core processor, and also to a recognition method that uses this system to perform depth recognition of network traffic.
Background art
At present, the major network operators manage network traffic only in a coarse-grained way. Many operators still manage their own networks on the basis of SNMP, and their supervision of network traffic is limited to considerations of the load-bearing capacity of their own network devices; the specific content of the traffic and the user behavior information it contains are not effectively monitored or used.
The earlier port-based method of monitoring network traffic is fast and simple to use. However, with the exhaustion of IPv4 addresses, translation of IP addresses and ports has become more and more frequent, and application designers choose ports arbitrarily when designing applications, so the technique has become increasingly unreliable. It also identifies only transport layer data and cannot go on to obtain user behavior information from application layer data. Traffic monitoring based on machine learning is especially effective for obfuscated and encrypted traffic. However, it depends on the characteristics of the traffic generated by a specific application, and extracting those traffic characteristics requires long-term observation to find the differences between different kinds of traffic.
The most reliable current technique is traffic classification based on the traffic payload, which identifies an application by finding application-related strings in network packets or by performing more complex syntactic matching. It can supervise network traffic effectively by inspecting the data in network packets that the law permits to be disclosed. Modern technology has made encryption of network packets and obfuscation and encapsulation of protocols very easy, but because of the expensive computation required at high bandwidth, network traffic at high bandwidth cannot be processed in real time on traditional platforms. This is the most direct problem currently facing payload-based traffic classification.
Summary of the invention
The object of the present invention is to provide a network flow depth recognition system based on a many-core processor that applies payload-based traffic classification on a many-core processor platform. It solves the problem that traditional network traffic recognition systems can only analyze the protocol type of traffic and cannot obtain detailed user behavior information, and also the problem that they cannot process high-speed network traffic online in real time.
A further object of the present invention is to provide a recognition method for the network flow depth recognition system based on a many-core processor.
One technical solution of the present invention is a network flow depth recognition system based on a many-core processor, comprising a receiving module that obtains raw network data and a semantic-based rule module in which the rules are stored. The receiving module is connected to a protocol specification module, which identifies the protocol type that the transport layer data uses at the application layer according to user-defined regular expressions; the protocol specification module is connected to a structured data module, which structures the application layer data. The semantic-based rule module is connected to a rule parsing module, which parses the content of each field, field by field, according to the specific format of the matching rules; the rule parsing module is connected to a multilevel matching tree module, which generates a multilevel matching tree from the parsed rules. The structured data module and the multilevel matching tree module are both connected to a matching engine module, which matches data against regular expressions; the matching engine module is also connected to a user behavior statistics module, which stores the successful matches.
The present invention also has the following features:
(1) The rule base in the semantic-based rule module is formed by saving the matching rules in a rule file, one matching rule per line. A matching rule is the combination of a service field and an identification field.
The service field contains four fields: application name, application behavior, operating system and agent, separated from one another by the "@" symbol. The application name and application behavior are defined by the specific user behavior; the operating system and agent are determined by the network protocol, and All is used to represent any operating system or agent when they cannot be determined. The form of the service field is: ApplicationName@ApplicationBehavior@OperatingSystem@Agent
The identification field contains three fields: the protocol, the protocol domains, and the regular expressions of the protocol domains. The protocol together with its protocol domains, and the regular expressions of the protocol domains, are separated from each other by the "|" symbol. With the decoding method Decode added, the form is: [Protocol:ProtocolDomain1,ProtocolDomain2,ProtocolDomain3]|[Decode]|[Expression1,Expression2,Expression3].
Another technical solution of the present invention is a recognition method that uses the above recognition system to perform depth recognition of network traffic, comprising the following steps:
Step 1, rule parsing
The semantic-based rule module establishes a semantic-based rule base, the rule parsing module parses the rules in the rule base, and a multilevel matching tree is then generated.
Step 2, traffic reception
The receiving module obtains raw network data and performs IP fragment reassembly and TCP reassembly on it in turn to obtain transport layer data.
Step 3, multi-protocol analysis
The protocol type that the transport layer data uses at the application layer is identified according to the protocol specification regular expressions defined by the protocol specification module; according to the protocol type so determined, the structured protocol data module then structures the application layer data.
Step 4, engine matching
The matching engine module performs rule matching on the structured application layer data according to the multilevel matching tree and passes the successful matches to the user behavior statistics module for counting, which completes network flow depth recognition.
The present invention also has the following features:
(1) The semantic-based rule base in step 1 is established as follows:
1) Define the service field and the identification field of a matching rule:
Define the four fields of the service field: application name, application behavior, operating system and agent, separated by the "@" symbol. The application name and application behavior are determined by the specific user behavior; the operating system and agent are determined by the network protocol, and All is used to represent any operating system or agent when they cannot be determined. The form of the service field is: ApplicationName@ApplicationBehavior@OperatingSystem@Agent;
Define the three fields of the identification field: the protocol, the protocol domains, and the regular expressions of the protocol domains. The protocol together with its protocol domains, and the regular expressions of the protocol domains, are separated from each other by the "|" symbol. With the decoding method Decode added, the form is: [Protocol:ProtocolDomain1,ProtocolDomain2,ProtocolDomain3]|[Decode]|[Expression1,Expression2,Expression3];
2) Combine the service field and the identification field, separated by the "|" symbol, and save the rules in a rule file, one matching rule per line, to form the rule base.
(2) Parsing the rules in the rule base in step 1 comprises parsing the service field and parsing the identification field of each rule. The subfields of the service field are separated by @, and the value of each service subfield is obtained by splitting the string level by level. The subfields of the identification field are separated by |, and the value of each identification subfield is obtained by splitting the string level by level.
(3) The multilevel matching tree in step 1 is generated as follows: the entire parsed rule set is divided into multiple subsets according to protocol domain, and one matcher is built for each subset; the rule multilevel matching tree is generated according to which next matcher may be entered after the previous matcher finishes matching.
Further, the above multilevel matching tree can also be simplified: the rules that have no match in each protocol domain field are extracted separately, giving the simplified rule multilevel matching tree.
The beneficial effects of the invention are as follows: the network flow depth recognition system based on a many-core processor of the present invention can not only identify the application layer protocol type of traffic and detailed user behavior information, but also has the capacity to process high-speed network traffic online in real time. The recognition system of the present invention can be applied to various many-core processors to achieve depth recognition of network traffic.
Description of the drawings
Fig. 1 is a structural diagram of the network flow depth recognition system based on a many-core processor of the present invention;
Fig. 2 is a flow chart of the recognition method of the present invention;
Fig. 3 is a flow chart of network flow depth recognition in the embodiment of the present invention;
Fig. 4 is a schematic diagram of the division of the rule set into multiple subsets in the embodiment of the present invention;
Fig. 5 is the multilevel matching tree of the embodiment of the present invention;
Fig. 6 is the simplified multilevel matching tree of the embodiment of the present invention;
Fig. 7 is a schematic diagram of the result of structuring the application layer data in the embodiment of the present invention.
In the figures: 1. receiving module, 2. protocol specification module, 3. structured data module, 4. semantic-based rule module, 5. rule parsing module, 6. multilevel matching tree module, 7. matching engine module, 8. user behavior statistics module.
Specific embodiments
The present invention is described in further detail below with reference to the drawings and specific embodiments.
The present invention provides a network flow depth recognition system based on a many-core processor, comprising a receiving module 1 and a semantic-based rule module 4. The receiving module 1 is connected in turn to a protocol specification module 2 and a structured data module 3. The semantic-based rule module 4 is connected in turn to a rule parsing module 5 and a multilevel matching tree module 6. The structured data module 3 and the multilevel matching tree module 6 are both connected to a matching engine module 7, and the matching engine module 7 is also connected to a user behavior statistics module 8. The connections between the modules are shown in Fig. 1.
The receiving module 1 obtains raw network data and performs IP fragment reassembly and TCP reassembly on the packets to obtain transport layer data.
The protocol specification module 2 defines regular expressions for a variety of protocol specifications and, according to these regular expressions, identifies the protocol type that the packets of application layer data use at the application layer.
The structured protocol data module 3 structures the application layer data according to the identified protocol type and the data format that the RFC defines for that protocol type.
The matching engine module 7 performs regular expression matching on the structured application layer data according to the multilevel matching tree generated by the multilevel matching tree module. Specifically, for the structured application layer data, regular expression pattern matching is performed against the regular expression that corresponds to each protocol domain in the multilevel matching tree.
The semantic-based rule module 4 is a library that stores matching rules in a certain format. A rule has two parts: one part is the service field of the rule, and the other part is the identification field of the rule.
(1) Service field
The service field contains four fields: application name, application behavior, operating system and agent, separated by the "@" symbol. The application name and application behavior are given specific definitions; the operating system and agent are determined by the corresponding protocol, and All is used to represent any operating system or agent when they cannot be determined. The form of the service field is:
ApplicationName@ApplicationBehavior@OperatingSystem@Agent
(2) Identification field
The identification field contains three fields: the protocol, the protocol domains, and the regular expressions of the protocol domains. With the decoding method Decode added, the form is:
[Protocol:ProtocolDomain1,ProtocolDomain2,ProtocolDomain3]|[Decode]|[Expression1,Expression2,Expression3]
The service field and the identification field are combined, separated by "|", to give a defined rule. The rules are saved one per line in a rule file, which forms the rule base.
The matching rule for a single packet is defined as follows:
ApplicationName@ApplicationBehavior@OperatingSystem@Agent|[Protocol:ProtocolDomain1,ProtocolDomain2,ProtocolDomain3]|[Decode]|[Expression1,Expression2,Expression3]
The matching rule for multiple packets is defined as follows:
ApplicationName@ApplicationBehavior@OperatingSystem@Agent|[Protocol1:ProtocolDomain11,ProtocolDomain12,ProtocolDomain13][Protocol2:ProtocolDomain21,ProtocolDomain22,ProtocolDomain23]...|[Decode1][Decode2]...|[Expression11,Expression12,Expression13][Expression21,Expression22,Expression23]
The rule parsing module 5 reads the matching rules one by one from the semantic-based rule base and then parses the content of each field, field by field, according to the specific format of the rule.
The multilevel matching tree module 6 divides the entire rule set into multiple protocol domain subsets according to protocol domain and builds one matcher for each subset; the rule multilevel matching tree is built according to which next matcher may be entered after the previous matcher finishes matching.
The user behavior statistics module 8 counts the successful matches, saves the detailed user behavior information in a certain format, and sends it to the monitoring end for further analysis.
The present invention also provides a recognition method that uses the above recognition system to perform depth recognition of network traffic. The overall recognition flow is shown in Fig. 2, and the steps are as follows:
Step 1, rule parsing
Step 1-1: the semantic-based rule module establishes a semantic-based rule base.
The rule base is a library that stores matching rules in a certain format. A rule has two parts: one part is the service field of the rule, and the other part is the identification field of the rule.
(1) Service field
The service field contains four fields: application name, application behavior, operating system and agent, separated by the "@" symbol. The application name and application behavior are given specific definitions; the operating system and agent are determined by the corresponding protocol, and All is used to represent any operating system or agent when they cannot be determined. The form of the service field is:
ApplicationName@ApplicationBehavior@OperatingSystem@Agent
(2) Identification field
The identification field contains three fields: the protocol, the protocol domains, and the regular expressions of the protocol domains. With the decoding method Decode added, the form is:
[Protocol:ProtocolDomain1,ProtocolDomain2,ProtocolDomain3]|[Decode]|[Expression1,Expression2,Expression3]
The service field and the identification field are combined, separated by "|", to give a defined rule. The rules are saved one per line in a rule file, which forms the rule base.
Step 1-2: the rule parsing module parses the rules in the rule base.
Each rule is parsed level by level according to the rule format described in step 1-1; this comprises parsing the service field and parsing the identification field.
(1) Service field
The subfields of the service field are separated by @, and the value of each subfield is obtained by splitting the string level by level.
(2) Identification field
In the identification field, the protocol, the decoding method and the regular expressions of the protocol domains are separated by |. The value of each field is obtained by splitting the string level by level, which yields in turn the protocol, the protocol domains, the decoding method and the regular expression corresponding to each protocol domain.
Step 1-3: the entire parsed rule set is divided into multiple subsets according to protocol domain, and one matcher is built for each subset; the multilevel matching tree is generated according to which next matcher may be entered after the previous matcher finishes matching.
Further, the above multilevel matching tree can also be simplified: the rules that have no match in each protocol domain field are extracted separately, giving the simplified rule multilevel matching tree.
Step 2, traffic reception
Step 2-1: the receiving module obtains raw network data.
The network interface is initialized first, which includes initializing the network interface resources, the packet buffers and the packet receiving rules; network packets are then obtained from the corresponding network interface.
Step 2-2: IP fragment reassembly and TCP reassembly are performed on the packets in turn to obtain transport layer data.
IP fragment reassembly checks the fragment flag bits in the network layer header of a packet to decide whether the IP packet is a fragment. If it is, the data of the subsequent fragments that come from the same packet (same source IP and ID) is spliced back into the original data.
TCP session reassembly determines whether a TCP session already exists for the message and, if not, adds a new TCP session. It then determines the state of the TCP session (session start, data transfer, or disconnect) from the values of the SYN, FIN and ACK flag bits in the transport layer header, and finally restores the data of the whole TCP session from the session state combined with the sequence numbers of the TCP packets.
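The TCP session reassembly step described above, as an added example that is not part of the patent: a session is created the first time a flow is seen, SYN and FIN drive the state (start, data, closed), and the payload is restored in sequence-number order despite reordering, retransmission and overlap. The `Segment` type, the buffering window and the sample segments are constructed for illustration, and IP fragment reassembly is assumed to have been done already.

```python
from dataclasses import dataclass, field
from typing import Optional

FIN, SYN, ACK = 0x01, 0x02, 0x10   # TCP header flag bits
MASK = 0xFFFFFFFF                  # sequence numbers are 32-bit and wrap
WINDOW = 1 << 20                   # assumed cap on how far ahead data may be buffered


@dataclass
class Segment:
    """Constructed stand-in for one parsed TCP segment (a single direction)."""
    flow: tuple                    # (src_ip, src_port, dst_ip, dst_port)
    seq: int
    flags: int
    payload: bytes = b""


@dataclass
class Session:
    base: int                      # sequence number of the first payload byte
    state: str = "start"           # start -> data -> closed
    next_rel: int = 0              # next in-order offset expected, relative to base
    fin_rel: Optional[int] = None  # offset at which the sender's FIN sits
    pending: dict = field(default_factory=dict)       # offset -> buffered payload
    stream: bytearray = field(default_factory=bytearray)


class TcpReassembler:
    def __init__(self):
        self.sessions = {}

    def feed(self, seg: Segment) -> Session:
        sess = self.sessions.get(seg.flow)
        if sess is None:
            # No session exists for this message: add one. Without a SYN, the
            # first segment seen defines where the restored stream starts.
            sess = self.sessions[seg.flow] = Session(base=seg.seq)
        if seg.flags & SYN:
            sess.base = (seg.seq + 1) & MASK      # the SYN consumes one sequence number
            return sess
        rel = (seg.seq - sess.base) & MASK        # offset of this segment in the stream
        in_window = rel < sess.next_rel + WINDOW  # stale or far-ahead segments are dropped
        if seg.payload and in_window and sess.state != "closed":
            sess.state = "data"
            # Keep the longest copy seen at this offset (retransmissions can be longer).
            if len(seg.payload) > len(sess.pending.get(rel, b"")):
                sess.pending[rel] = seg.payload
        if seg.flags & FIN and in_window:
            sess.fin_rel = rel + len(seg.payload)
        self._drain(sess)
        return sess

    def _drain(self, sess: Session) -> None:
        while True:
            ready = sorted(r for r in sess.pending if r <= sess.next_rel)
            if not ready:
                break
            for r in ready:
                data = sess.pending.pop(r)
                skip = sess.next_rel - r          # bytes already delivered (overlap)
                if skip < len(data):
                    sess.stream += data[skip:]
                    sess.next_rel += len(data) - skip
        # The session is closed only once every byte before the FIN has arrived.
        if sess.fin_rel is not None and sess.next_rel >= sess.fin_rel:
            sess.state = "closed"


def demo():
    """Feed constructed segments out of order, with a retransmission and an overlap."""
    data = b"GET /gettimeline HTTP/1.1\r\nHost: weibo.cn\r\n\r\n"
    flow = ("192.0.2.10", 40000, "192.0.2.20", 80)
    isn = 1000
    first = isn + 1
    segments = [
        Segment(flow, isn, SYN),
        Segment(flow, first, ACK, data[:9]),
        Segment(flow, first + 25, ACK, data[25:]),    # arrives before the middle part
        Segment(flow, first, ACK, data[:9]),          # retransmission
        Segment(flow, first + 5, ACK, data[5:25]),    # overlaps bytes already delivered
        Segment(flow, first + len(data), FIN | ACK),
    ]
    reassembler = TcpReassembler()
    for seg in segments:
        sess = reassembler.feed(seg)
    return bytes(sess.stream), sess.state
```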
Step 3, multi-protocol analysis
Step 3-1: the protocol type that a packet uses at the application layer is identified according to the protocol specification regular expressions defined by the protocol specification module.
The protocol specification module defines the specifications of a variety of application layer protocols, as follows:
HTTP protocol specification: "(POST|GET).*HTTP/(0\.9|1\.0|1\.1)";
RTSP protocol specification: "GET [\x09-\x0d -~]* Accept:application/x-rtsp-tunnelled";
FTP protocol specification: "^220[\x09-\x0d -~\x80-\xfd]*ftp".
Step 3-2: the structured protocol data module structures the application layer data.
Based on the application layer protocol type determined by the protocol specification module, the application layer data is pre-processed into the message format of that protocol type. For HTTP, for example, most of the field content defined in its protocol standard has the form of key-value pairs, so each field and its corresponding value can be identified in turn, and the result is then stored in the form of key-value pairs.
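Steps 3-1 and 3-2 as an added example, not code from the patent: a payload is classified with the HTTP and FTP specifications above (with the backslash escapes written out, which is an assumption about the original patterns), and an HTTP request is then structured into key-value pairs keyed by protocol domain. The key names `Method`, `URI`, `Version` and `Body` and both sample payloads are constructed for illustration.

```python
import re

# Two of the page's protocol specifications, applied to raw bytes.
# Order matters: the first specification that matches wins.
PROTOCOL_SPECS = [
    ("HTTP", re.compile(rb"(POST|GET).*HTTP/(0\.9|1\.0|1\.1)")),
    ("FTP", re.compile(rb"^220[\x09-\x0d -~\x80-\xfd]*ftp")),
]

# Constructed sample payloads (reassembled transport layer data).
REQUEST = (b"GET /gettimeline?page=1 HTTP/1.1\r\n"
           b"host: weibo.cn\r\n"
           b"User-Agent: demo/1.0\r\n"
           b"HOST: mirror.example\r\n\r\n")
BANNER = b"220 Welcome to the example ftp service\r\n"


def identify(payload: bytes):
    """Return the name of the first specification that matches, or None."""
    for name, spec in PROTOCOL_SPECS:
        if spec.search(payload):
            return name
    return None


def structure_http(payload: bytes) -> dict:
    """Turn an HTTP request into key-value pairs keyed by protocol domain."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    fields = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue                      # not a "name: value" line
        key = name.strip().title()        # header names are case-insensitive
        value = value.strip()
        # A repeated header keeps every value, so a rule sees all of them.
        fields[key] = fields[key] + ", " + value if key in fields else value
    # Request-line values are written last so that no header can replace them.
    fields.update(Method=parts[0], URI=parts[1], Version=parts[2])
    if body:
        fields["Body"] = body.decode("latin-1")
    return fields


def analyze(payload: bytes):
    """Identify the protocol, then structure the payload when it is HTTP."""
    protocol = identify(payload)
    if protocol == "HTTP":
        try:
            return protocol, structure_http(payload)
        except ValueError:
            return protocol, {}           # matched the specification but is not parseable
    return protocol, {}
```

The HTTP specification is unanchored, so a payload can match it and still fail structuring; `analyze` reports the protocol with an empty field set in that case rather than raising.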
Step 4, engine matching
Step 4-1: the matching engine module performs regular expression pattern matching between the structured application layer data and the regular expressions of the corresponding protocol domains in the multilevel matching tree to obtain the matching result.
Step 4-2: the successful matches are sent to the user behavior statistics module, which completes network flow depth recognition.
Embodiment
The network flow depth recognition system based on a many-core processor of the present invention is described in detail below, taking the process of identifying the Sina Weibo refresh-microblog behavior as an example. The whole flow is shown in Fig. 3.
The network flow depth recognition system is built on a many-core processor platform and comprises a receiving module, a protocol specification module, a structured data module, a semantic-based rule module, a rule parsing module, a multilevel matching tree module, a matching engine module and a user behavior statistics module.
The many-core processor used in this embodiment is the Tilera Gx-36 processor, which provides high-performance processing capacity and meets the requirement of real-time processing of 10-gigabit network data. It mainly comprises the multicore Programmable Intelligent Packet Engine (mPIPE) and the core processing units (Tile). The multicore Programmable Intelligent Packet Engine is mainly responsible for classifying and load-balancing packets, and sends each packet to the corresponding processor for handling according to the configured mode.
The Tilera Gx-36 is a processor with the iMesh architecture, an improved matrix-type structure that allows conflict-free simultaneous communication between any two components. This project selects the Tilera Gx36 multi-core network processor as the hardware platform. It integrates 36 tile processors on a single chip; each processor runs at 1.2 GHz and has a 32K instruction cache, a 32K data cache and a 256K second-level cache, and the 36 cores share a 9M third-level cache. It can support the processing of 40 Gbps of network bandwidth.
Step 1, rule parsing
Step 1-1: establish the semantic-based rule base.
The rule for refreshing Sina Weibo is as follows:
Sina_Weibo@RefreshWeibo@All@All|[HTTP:URI,Host]|[None]|["gettimeline":-1_-1,"weibo.cn":-1_-1]
Step 1-2: the rule is parsed according to the rule format to obtain the corresponding fields, the protocol domains and the regular expressions of the protocol domains: application name Sina_Weibo, user behavior RefreshWeibo, protocol HTTP, protocol domains URI and Host, and the corresponding regular expressions gettimeline and weibo.cn.
Step 1-3: the parsed rule set is divided into multiple subsets according to rule type, as shown in Fig. 4; one matcher is built for each subset and the multilevel matching tree is generated, as shown in Fig. 5. Further, the above multilevel matching tree is simplified: the rules that have no match in each protocol domain field are extracted separately, which gives the simplified rule multilevel matching tree shown in Fig. 6.
Step 2, traffic reception
The network interface is initialized first, which includes initializing the network interface resources, the packet buffers and the packet receiving rules; network packets are then obtained from the corresponding network interface. Raw network packets are obtained from the network interface, and IP fragment reassembly and TCP reassembly are performed on them to obtain transport layer data.
Step 3, multi-protocol analysis
Step 3-1: the application layer protocol type is determined from the transport layer data according to the protocol specification module.
Step 3-2: the application layer data is structured according to the format of the protocol type so determined; the result after processing is shown in Fig. 7.
Step 4, engine matching
According to the generated rule multilevel matching tree, regular expression pattern matching is performed on the structured application layer data to obtain the matching result; the successful matches are sent to the user behavior statistics module, which completes network flow depth recognition.
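The rule parsing, multilevel matching tree and engine matching steps of this embodiment, as an added example that is not the patent's implementation: it parses the page's Sina Weibo rule, builds one matcher per protocol domain, and tallies matched behaviors over structured records. Assumptions: only single-packet rules are handled, the tree is read as one matcher per protocol domain applied in order, the `-1_-1` suffix is not explained on the page and is kept as an opaque qualifier, and `LOGIN_RULE` and the records are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# The page's rule, plus one constructed rule whose expression contains "|".
SINA_RULE = ('Sina_Weibo@RefreshWeibo@All@All|[HTTP:URI,Host]|[None]|'
             '["gettimeline":-1_-1,"weibo.cn":-1_-1]')
LOGIN_RULE = r'Example_App@Login@All@All|[HTTP:URI]|[None]|["/login\?(a|b)=":-1_-1]'

# Constructed structured application layer data: (protocol, key-value pairs).
RECORDS = [
    ("HTTP", {"URI": "/gettimeline?page=1", "Host": "weibo.cn"}),
    ("HTTP", {"URI": "/gettimeline", "Host": "other.example"}),
    ("HTTP", {"URI": "/login?b=1", "Host": "app.example"}),
    ("FTP", {}),
]


@dataclass
class Rule:
    app: str
    behavior: str
    os: str
    agent: str
    protocol: str
    decode: str
    conditions: list          # [(protocol domain, compiled regex, qualifier)]


def split_top(text, sep):
    """Split on sep outside [...] groups and "..." quotes; an expression may contain sep."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "[]":
            depth += 1 if ch == "[" else -1
        if ch == sep and depth == 0 and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_rule(line):
    """Parse one single-packet rule line into a Rule."""
    sections = split_top(line.strip(), "|")
    if len(sections) != 4:
        raise ValueError("expected service|[protocol:domains]|[decode]|[expressions]")
    service, proto_group, decode_group, expr_group = sections
    names = service.split("@")
    if len(names) != 4:
        raise ValueError("the service field needs four @-separated fields")
    protocol, _, domain_list = proto_group[1:-1].partition(":")
    domains = domain_list.split(",")
    items = split_top(expr_group[1:-1], ",")
    if len(items) != len(domains):
        raise ValueError("one expression is required per protocol domain")
    conditions = []
    for domain, item in zip(domains, items):
        start, end = item.index('"'), item.rindex('"')
        qualifier = item[end + 1:].lstrip(":")    # opaque: meaning not given on the page
        conditions.append((domain.strip(), re.compile(item[start + 1:end]), qualifier))
    return Rule(*names, protocol, decode_group[1:-1], conditions)


class MatchingTree:
    """One matcher per protocol domain; a rule must pass every level it has a condition on."""

    def __init__(self, rules):
        self.rules = rules
        self.levels = {}      # protocol -> {protocol domain -> [(regex, rule index)]}
        for index, rule in enumerate(rules):
            for domain, regex, _ in rule.conditions:
                level = self.levels.setdefault(rule.protocol, {})
                level.setdefault(domain, []).append((regex, index))

    def match(self, protocol, fields):
        alive = {i for i, r in enumerate(self.rules) if r.protocol == protocol}
        for domain, matcher in self.levels.get(protocol, {}).items():
            value = fields.get(domain, "")
            alive -= {i for regex, i in matcher if i in alive and not regex.search(value)}
            if not alive:
                break         # nothing can match any more: skip the remaining matchers
        return [self.rules[i] for i in sorted(alive)]


def count_behaviors(tree, records):
    """Tally 'Application@Behavior' for every structured record that matches a rule."""
    stats = Counter()
    for protocol, fields in records:
        for rule in tree.match(protocol, fields):
            stats[rule.app + "@" + rule.behavior] += 1
    return stats
```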
The above describes some implementation cases of the present invention, but the invention is not limited to the specific embodiments described above. The above specific embodiments are illustrative, not restrictive. Any specific extension that uses the system and method of the present invention without departing from the concept of the invention and the scope of protection of the claims falls within the scope of protection of the present invention.

Claims (7)

1. a kind of network flow depth recognition system based on many-core processor, which is characterized in that including obtaining primitive network number According to receiving module (1) and be stored with semantic-based rule module (4);Receiving module (1) be connected with according to it is customized just Then expression identification transport layer data is in the protocol specification module (2) of protocol type used in application layer, protocol specification module (2) it is connected with the structural data module (3) that structuring processing is carried out to application layer data;Semantic-based rule module (4) Be connected with can according to matching rule specific format word for word section parse each field content rule parsing module (5), Rule parsing module (5) is connected with the multilevel matching tree module (6) of the rule generation multilevel matching tree of parsing;Structural data Matching engine modules (7) phase of module (3) and multilevel matching tree module (6) with data and regular expression matching can be carried out Even, matching engine modules (7) are also associated with the user behavior statistical module (8) of the result of storage successful match.
2. the network flow depth recognition system according to claim 1 based on many-core processor, which is characterized in that described Rule base in semantic-based rule module (4) is to be stored in shape in rule file according to the form of every matching rule a line Into;The matching rule is by service fields and identification field combination;
There are four fields in the service fields:Apply Names, using behavior, operating system and agency, four fields pass through "@" Symbol is spaced from each other;Apply Names and application behavior are defined by specific user behavior, and operating system and agency are assisted by network View determines, for the operating system that can not be determined or agency, arbitrary operating system or agency are represented using All;Business word Section concrete form be:Apply Names@application behavior@operating systems@is acted on behalf of;
There are three fields in the identification field:The regular expression of agreement, protocol domain and protocol domain, agreement and protocol domain it is whole The regular expression of body and protocol domain is spaced from each other by " | " symbol;In addition the concrete form after manner of decryption Decode is: [agreement:Protocol domain 1, protocol domain 2, protocol domain 3] | [Decode] | [expression formula 1, expression formula 2, expression formula 3].
3. A recognition method for performing depth recognition on network flows using the recognition system according to claim 1, characterized in that it comprises the following steps:
Step 1, rule parsing
The semantic-based rule module establishes a semantic-based rule base; the rule parsing module then parses the rules in the rule base, and a multi-level matching tree is then generated;
Step 2, flow reception
The receiving module obtains raw network data and performs IP fragment reassembly and then TCP reassembly on the raw network data, obtaining transport-layer data;
Step 3, multi-protocol analysis
The protocol type that the transport-layer data uses at the application layer is identified according to the protocol specification regular expressions defined by the protocol specification module; then, according to the protocol type so determined, the structured protocol data module performs structuring processing on the application-layer data;
Step 4, engine matching
The matching engine module performs rule matching on the structured application-layer data according to the multi-level matching tree and passes the successfully matched results to the user behavior statistics module for counting, completing the network flow depth recognition.
4. The recognition method according to claim 3, characterized in that the semantic-based rule base described in step 1 is established as follows:
1) The service field and the identification field of a matching rule are defined separately:
Four fields are defined in the service field: application name, application behavior, operating system and agent, and the "@" symbol is used to separate these four fields; the application name and application behavior are determined by the specific user behavior, while the operating system and agent are determined by the network protocol; an operating system or agent that cannot be determined is written as All, which represents any operating system or agent; the concrete form of the service field is: application name@application behavior@operating system@agent;
Three fields are defined in the identification field: the protocol, the protocol domains and the regular expressions of the protocol domains; the protocol and its protocol domains, taken as a whole, and the regular expressions of the protocol domains are separated from each other by the "|" symbol; with the decoding method Decode added, the concrete form is: [protocol:protocol domain 1, protocol domain 2, protocol domain 3] | [Decode] | [expression 1, expression 2, expression 3];
2) The service field and the identification field are combined, separated by the "|" symbol, and stored in a rule file with one matching rule per line, forming the rule base.
5. The recognition method according to claim 3, characterized in that parsing the rules in the rule base described in step 1 comprises parsing the service field of a rule and parsing its identification field; the service subfields in the service field are separated by @, and the value of each service subfield is obtained by splitting the string layer by layer; the identification subfields in the identification field are separated by |, and the value of each identification subfield is obtained by splitting the string layer by layer.
6. The recognition method according to claim 3, characterized in that the multi-level matching tree described in step 1 is generated as follows: the entire parsed rule set is divided into multiple subsets according to protocol domain, and one matcher is built for each subset; the multi-level rule matching tree is generated according to which next matcher may be entered after the previous matcher completes its match.
7. The recognition method according to claim 6, characterized in that the generated multi-level matching tree is simplified: in each protocol domain field, the rules that have nothing to match in that field are extracted separately, yielding the simplified multi-level rule matching tree.
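The rule layout of claims 4 and 5 and the per-protocol-domain matcher tree of claim 6 can be illustrated with the following added example, which is not code from the patent. It assumes rules are written without whitespace between tokens, that no expression contains "," or "]|[", and that the matchers nest in the order the protocol domains are listed; the sample rules, host names and the Decode name URLDecode are constructed, and the Decode step is parsed but not applied.

```python
import re

# Constructed sample rules in the claimed layout; URLDecode is a made-up Decode name.
RULES = [
    r"WebMail@Login@All@All|[HTTP:Host,URI]|[URLDecode]|[mail\.example\.com,^/login(\?|$)]",
    r"WebMail@SendMail@All@All|[HTTP:Host,URI]|[URLDecode]|[mail\.example\.com,^/(send|compose)]",
    r"Search@Query@Windows@Browser|[HTTP:Host,User-Agent]|[search\.example\.org,Windows NT]",
]

def parse_rule(line):
    """Split one rule line into its service field and identification field."""
    service, ident = line.strip().split("|", 1)  # the first "|" ends the service field
    name, behavior, os_name, agent = service.split("@")
    if not (ident.startswith("[") and ident.endswith("]")):
        raise ValueError("identification groups must be bracketed")
    groups = ident[1:-1].split("]|[")  # a "|" inside an expression is left alone
    if len(groups) == 3:
        proto_part, decode, expr_part = groups
    elif len(groups) == 2:  # rule written without a Decode group
        proto_part, decode, expr_part = groups[0], None, groups[1]
    else:
        raise ValueError("expected two or three bracketed groups")
    protocol, domain_part = proto_part.split(":", 1)
    domains, exprs = domain_part.split(","), expr_part.split(",")
    if len(domains) != len(exprs):
        raise ValueError("one expression is required per protocol domain")
    return {"label": (name, behavior, os_name, agent), "protocol": protocol,
            "decode": decode, "tests": list(zip(domains, exprs))}

def build_tree(rules):
    """Nest one matcher per protocol domain; rules with equal prefixes share nodes."""
    tree = {}
    for rule in rules:
        node = tree.setdefault(rule["protocol"], {"next": {}, "labels": []})
        for test in rule["tests"]:
            node = node["next"].setdefault(test, {"next": {}, "labels": []})
        node["labels"].append(rule["label"])
    return tree

def match(tree, protocol, fields):
    """Walk the tree over structured application-layer data; return matched labels."""
    hits = []
    stack = [tree[protocol]] if protocol in tree else []
    while stack:
        node = stack.pop()
        hits.extend(node["labels"])
        for (domain, expr), child in node["next"].items():
            if re.search(expr, fields.get(domain, "")):
                stack.append(child)
    return hits

TREE = build_tree(parse_rule(r) for r in RULES)
```

Splitting the identification field on the literal "]|[" boundary rather than on every "|" is what lets an expression such as `^/(send|compose)` keep its alternation intact. The two WebMail rules share a single Host matcher, so that expression is evaluated once per flow.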
CN201510514488.4A 2015-08-20 2015-08-20 Network flow depth recognition system and recognition methods based on many-core processor Expired - Fee Related CN105162626B (en)

Publications (2)

Publication Number Publication Date
CN105162626A CN105162626A (en) 2015-12-16
CN105162626B CN105162626B (en) 2018-07-06

Family

ID=54803388

Country Status (1)

Country Link
CN (1) CN105162626B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180706

Termination date: 20190820
