CN105516173A - Network application layer protocol identification method and system - Google Patents

Publication number
CN105516173A
Authority
CN
China
Legal status
Granted
Application number
CN201510997641.3A
Other languages
Chinese (zh)
Other versions
CN105516173B (en)
Inventor
代宏伟
李宏伟
付君辉
Current Assignee
Cnis Tech Co Ltd
Original Assignee
Cnis Tech Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/30 Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
    • H04L69/322 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network application layer protocol identification method and system. The method comprises the following steps: feature information of a communication process is acquired, the feature information comprising at least one of, or a combination of, the IP address, main feature code and protocol port of the communication process and the length of the data packets in the communication process; the communication process is then identified according to any one of a preset IP address hash table, main feature code hash table, protocol port hash table and packet length hash table, or according to a preset identification plug-in. If the communication process is identified, its protocol ID is obtained; otherwise, the protocol of the communication process is marked as undefined. When a communication process is to be identified, the corresponding protocol ID can be looked up in a hash table by the hash value of its feature information, so the application layer protocol ID of the communication process can be identified quickly and accurately.

Description

A network application layer protocol identification method and system
Technical field
The invention belongs to the field of Internet technology, and in particular relates to a network application layer protocol identification method and system.
Background
With the rapid development of Internet application technology, Internet applications have become extremely rich, and more and more network applications use proprietary protocols. These protocols have no publicly available protocol specification documents, which brings new challenges to the classification and accurate identification of network protocols. They are mostly peer-to-peer (P2P) transport protocols, audio and video applications, and various encrypted communication tools.
In the traditional client-server communication model, a typical communication process is that the client initiates a request to the server and the server receives the request and replies; most session requests are initiated by the client. Traditional network protocol identification techniques mainly comprise port detection and DPI (deep packet inspection).
With the widespread use of P2P technology, the peer-to-peer network model has no concept of server and client, only equal peer nodes, each of which acts as both server and client to the other nodes on the network. Traditional port-based detection is very fast, but because many protocols do not use fixed transport layer ports, and some even use dynamic ports or port masquerading, the accuracy of port-based identification no longer meets current needs. Traditional deep packet inspection achieves more accurate identification by matching exact feature strings, but it is slower and performs poorly on some encrypted protocols.
Summary of the invention
The technical problem to be solved by the invention is how to identify multiple types of application layer protocol quickly and accurately.
To solve this technical problem, the invention provides a network application layer protocol identification method, comprising:
S1: acquiring feature information of a communication process, the feature information comprising at least one of the following or a combination thereof: the IP address, main feature code and protocol port of the communication process, and the length of the data packets in the communication process;
S2: identifying the communication process according to any one of a preset IP address hash table, main feature code hash table, protocol port hash table and packet length hash table, or according to a preset identification plug-in; if the communication process is identified, obtaining the protocol ID of the communication process; otherwise, marking the protocol of the communication process as undefined.
Preferably, before step S1 the method further comprises:
acquiring the IP address of a known communication process, hashing the IP address to obtain a first initial hash value, and storing the first initial hash value in association with the protocol ID of the known communication process corresponding to the IP address, to generate the IP address hash table;
acquiring the main feature code of a known communication process, hashing the main feature code to obtain a second initial hash value, and storing the second initial hash value in association with the protocol ID of the known communication process corresponding to the main feature code, to generate the main feature code hash table;
acquiring the protocol port of a known communication process, hashing the protocol port to obtain a third initial hash value, and storing the third initial hash value in association with the protocol ID of the known communication process corresponding to the protocol port, to generate the protocol port hash table;
acquiring the packet length of a known communication process, hashing the packet length to obtain a fourth initial hash value, and storing the fourth initial hash value in association with the protocol ID of the known communication process corresponding to the packet length, to generate the packet length hash table.
Preferably, step S2 comprises:
S21: identifying the communication process according to the IP address hash table; if the communication process is identified, obtaining the protocol ID of the communication process; otherwise, proceeding to step S22;
S22: identifying the communication process according to the main feature code hash table; if the communication process is identified, obtaining the protocol ID of the communication process; otherwise, proceeding to step S23;
S23: identifying the communication process according to the protocol port hash table; if the communication process is identified, obtaining the protocol ID of the communication process; otherwise, proceeding to step S24;
S24: identifying the communication process according to the packet length hash table; if the communication process is identified, obtaining the protocol ID of the communication process; otherwise, proceeding to step S25;
S25: identifying the communication process by the identification plug-in installed on the destination protocol port or the source protocol port; if the communication process is identified, obtaining the protocol ID of the communication process; otherwise, marking the protocol of the communication process as undefined.
Preferably, step S21 comprises:
S211: hashing the destination IP address in the IP address to obtain a first hash value; looking up, in the IP address hash table, the list head of the hash bucket corresponding to the first hash value; traversing the linked list at that list head to determine whether there is a first node matching the first hash value; if there is, verifying the destination protocol port of the communication process; and, if verification passes, obtaining the protocol ID corresponding to the first node;
S212: if the linked list contains no node matching the first hash value, or the destination protocol port fails verification, hashing the source IP address in the IP address to obtain a second hash value; looking up, in the IP address hash table, the list head of the hash bucket corresponding to the second hash value; traversing the linked list at that list head to determine whether there is a second node matching the second hash value; if there is, verifying the source protocol port of the communication process; and, if verification passes, obtaining the protocol ID corresponding to the second node.
Preferably, step S22 comprises:
S221: traversing the offset array of the main feature codes, taking offsets from the array one at a time in a loop;
S222: hashing the packet content at the offset taken to obtain a third hash value; looking up the list head of the corresponding hash bucket by the third hash value; determining whether the linked list at that list head is empty; if it is not empty, traversing the linked list to determine whether there is a third node matching the third hash value; if there is, verifying the sub-feature code of the communication process; and, if verification passes, obtaining the protocol ID corresponding to the third node;
S223: if the linked list of the hash bucket at the list head is empty, or the linked list contains no third node, or the sub-feature code fails verification, returning to step S221 to take the next offset.
Preferably, step S23 comprises:
S231: hashing the destination protocol port in the protocol port to obtain a fourth hash value; looking up, in the protocol port hash table, the list head of the hash bucket corresponding to the fourth hash value; traversing the linked list at that list head to determine whether there is a fourth node matching the fourth hash value; if there is, verifying the sub-feature code of the communication process; and, if verification passes, obtaining the protocol ID corresponding to the fourth node;
S232: if the linked list contains no node matching the fourth hash value, or the sub-feature code fails verification, hashing the source protocol port in the protocol port to obtain a fifth hash value; looking up, in the protocol port hash table, the list head of the hash bucket corresponding to the fifth hash value; traversing the linked list at that list head to determine whether there is a fifth node matching the fifth hash value; if there is, verifying the sub-feature code of the communication process; and, if verification passes, obtaining the protocol ID corresponding to the fifth node.
Preferably, step S24 comprises:
S241: hashing the length of the data packet in the communication process to obtain a sixth hash value; looking up, in the packet length hash table, the list head of the hash bucket corresponding to the sixth hash value; traversing the linked list at that list head to determine whether there is a sixth node matching the sixth hash value; if there is, determining whether, in the sequence of all packet length values corresponding to the sixth node, the length value of the data packet in the communication process is the last in the sequence; and, if so, obtaining the protocol ID corresponding to the sixth node;
S242: if traversal of the linked list finds no node matching the sixth hash value, or the length value of the data packet in the communication process is not the last in the sequence of all packet length values corresponding to the sixth node, proceeding to step S25.
Preferably, before step S1 the method further comprises:
acquiring the four-tuple information of the communication process and looking up the corresponding node in a four-tuple hash table according to the four-tuple information; if a corresponding node is found, determining whether the protocol ID at that node is defined; if it is, taking the protocol ID corresponding to the node as the protocol ID of the communication process;
if no node is found in the four-tuple hash table, or the protocol ID corresponding to the node found is undefined, looking up the corresponding node in a preset triple hash table according to the triple information contained in the four-tuple information; if a corresponding node is found, completing the triple information into four-tuple information according to the information of the communication process, moving the node from the triple hash table to the four-tuple hash table, and taking the protocol ID corresponding to the node as the protocol ID of the communication process;
if no node is found in either the four-tuple hash table or the triple hash table, creating a new node according to the four-tuple information and adding it to the four-tuple hash table, marking the protocol ID of the communication process as undefined, and proceeding to step S1.
Preferably, the method further comprises:
if the protocol of the communication process is identified, obtaining the protocol ID of the communication process and storing it in association with the node corresponding to the communication process in the four-tuple hash table; then decoding the application layer protocol of the communication process and determining whether its return value contains information on a predicted communication process of the communication process; if it does, determining whether the four-tuple information of the predicted communication process is complete; if it is complete, storing that four-tuple information in association with the corresponding protocol ID in the four-tuple hash table; otherwise, storing the triple information in association with the corresponding protocol ID in the triple hash table;
if the protocol of the communication process is undefined, determining whether the number of identification attempts for the communication process exceeds a threshold; if it does, no longer identifying the communication process and marking its protocol as an unknown protocol; otherwise, continuing to identify the communication process.
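The four-tuple and triple lookup and the retry threshold described above, as an added example that is not code from the patent. It assumes the triple is the four-tuple without the source port; `FlowCache`, the sentinel values and the toy `CTRL OPEN <port>` control protocol that produces a predicted communication process are constructed for illustration.

```python
from dataclasses import dataclass

UNDEFINED, UNKNOWN = 0, -1      # assumed sentinel values
CTRL, DATA = 10, 11             # constructed protocol IDs


@dataclass
class FlowNode:
    proto: int = UNDEFINED
    attempts: int = 0           # identification attempts made so far


class FlowCache:
    def __init__(self, identify, decode, max_attempts=3):
        self.four = {}          # (src ip, src port, dst ip, dst port) -> FlowNode
        self.three = {}         # (src ip, dst ip, dst port) -> FlowNode (predicted)
        self.identify, self.decode = identify, decode
        self.max_attempts = max_attempts

    def classify(self, sip, sport, dip, dport, payload):
        key = (sip, sport, dip, dport)
        node = self.four.get(key)
        if node is not None and node.proto != UNDEFINED:
            return node.proto               # cached, or given up as UNKNOWN
        predicted = self.three.pop((sip, dip, dport), None)
        if predicted is not None:
            # Complete the triple with the observed source port and move
            # the node from the triple table to the four-tuple table.
            self.four[key] = predicted
            return predicted.proto
        if node is None:
            node = self.four[key] = FlowNode()
        return self.run_identification(node, key, payload)

    def run_identification(self, node, key, payload):
        node.attempts += 1
        proto = self.identify(payload)
        if proto == UNDEFINED:
            if node.attempts > self.max_attempts:
                node.proto = UNKNOWN        # stop identifying this flow
            return node.proto
        node.proto = proto
        # Decoding may announce flows that have not started yet.
        for sip, sport, dip, dport, pid in self.decode(proto, key, payload):
            if sport is None:               # incomplete: keep as a triple
                self.three[(sip, dip, dport)] = FlowNode(pid)
            else:
                self.four[(sip, sport, dip, dport)] = FlowNode(pid)
        return proto


def toy_identify(payload):
    """Stand-in for the S1/S2 identification step (constructed)."""
    return CTRL if payload.startswith(b"CTRL ") else UNDEFINED


def toy_decode(proto, key, payload):
    """Constructed control protocol: 'CTRL OPEN <port>' announces that the
    same client will open a data flow to the same server on <port>."""
    sip, _sport, dip, _dport = key
    parts = payload.split()
    if proto == CTRL and len(parts) == 3 and parts[1] == b"OPEN" and parts[2].isdigit():
        return [(sip, None, dip, int(parts[2]), DATA)]
    return []


if __name__ == "__main__":
    cache = FlowCache(toy_identify, toy_decode, max_attempts=2)
    print(cache.classify("10.0.0.2", 40000, "192.0.2.10", 2100, b"CTRL OPEN 5001"))
    print(cache.classify("10.0.0.2", 40001, "192.0.2.10", 5001, b"\x8f\x11\x02"))
```

The second flow carries an opaque payload that identification alone would leave undefined; it is labelled from the triple the control flow registered.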
In another aspect, the invention provides a network application layer protocol identification system, which identifies communication processes by the above network application layer protocol identification method.
The network application layer protocol identification method and system provided by the invention can identify the application layer protocol of a communication process from feature information such as its IP address, main feature code, protocol port and packet length. Hash tables are generated by storing the protocol IDs of known communication processes in association with the hash values of each item of feature information; when a communication process is subsequently to be identified, the corresponding protocol ID can be looked up in the hash tables by the hash value of its feature information, so that the application layer protocol ID of the communication process is identified quickly and accurately.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the network application layer protocol identification method provided by one embodiment of the invention;
Fig. 2 is a flow chart of the network application layer protocol identification method provided by another embodiment of the invention;
Fig. 3 is a flow chart of the network application layer protocol identification method provided by another embodiment of the invention;
Fig. 4 is a flow chart of the network application layer protocol identification method provided by another embodiment of the invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the embodiments described are some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
Embodiment 1:
Fig. 1 is a flow chart of the network application layer protocol identification method provided by this embodiment. Referring to Fig. 1, the method comprises:
Step S1: acquiring feature information of a communication process, the feature information comprising at least one of the following or a combination thereof: the IP address, main feature code and protocol port of the communication process, and the length of the data packets in the communication process;
Step S2: identifying the communication process according to any one of a preset IP address hash table, main feature code hash table, protocol port hash table and packet length hash table, or according to a preset identification plug-in; if the communication process is identified, obtaining the protocol ID of the communication process; otherwise, marking the protocol of the communication process as undefined.
It should be noted that the IP address (which may also be a domain name) may comprise a destination IP address and a source IP address; the feature code may comprise a main feature code, a main feature code offset, a sub-feature code, a sub-feature code offset and so on; and the protocol port may comprise a destination protocol port, a source protocol port and so on.
The IP address hash table, main feature code hash table, protocol port hash table and packet length hash table are generated during system initialization by storing the protocol IDs of known communication processes in association with the hash values of each item of their feature information. For a communication process to be identified, each item of its feature information can be acquired, and the corresponding protocol ID can then be looked up in the IP address hash table, main feature code hash table, protocol port hash table and packet length hash table by the hash value of each item (the value obtained by the hash operation), thereby identifying the application layer protocol of the communication process.
Besides using hash tables for protocol identification, an identification plug-in installed on the destination port or source port can also be used to identify the protocol of a communication process. However, calling the identification plug-in of the destination or source port is a complex process that may reduce the efficiency of protocol identification, so this method is generally not used unless necessary.
In the above identification process, if the application layer protocol of the communication process is identified, the protocol ID of the communication process is obtained; if no protocol is identified, the protocol of the communication process is marked as undefined.
The network application layer protocol identification method provided by this embodiment uses the different feature information of a communication process to identify the protocol from different angles. It can identify protocols that conventional methods cannot, and can identify the application layer protocol ID of a communication process quickly and accurately.
Embodiment 2:
On the basis of Embodiment 1, the network application layer protocol identification method provided by this embodiment further comprises, before step S1:
acquiring the IP address of a known communication process, hashing the IP address to obtain a first initial hash value, and storing the first initial hash value in association with the protocol ID of the known communication process corresponding to the IP address, to generate the IP address hash table;
acquiring the main feature code of a known communication process, hashing the main feature code to obtain a second initial hash value, and storing the second initial hash value in association with the protocol ID of the known communication process corresponding to the main feature code, to generate the main feature code hash table;
acquiring the protocol port of a known communication process, hashing the protocol port to obtain a third initial hash value, and storing the third initial hash value in association with the protocol ID of the known communication process corresponding to the main feature code, to generate the protocol port hash table;
acquiring the packet length of a known communication process, hashing the packet length to obtain a fourth initial hash value, and storing the fourth initial hash value in association with the protocol ID of the known communication process corresponding to the packet length, to generate the packet length hash table.
Before the identification of Embodiment 1 is carried out, the hash tables for the various kinds of feature information can be initialized. Specifically, the protocol features of a known communication process are extracted: the behaviours of the known communication process (from which, for example, its source port, destination port, source IP address and destination IP address can be obtained) and its content features (from which, for example, the size of its data packets can be obtained) are analysed, and the features of the protocol are extracted according to the characteristics of the protocol communication (from which, for example, the main feature code and sub-feature code can be obtained) to serve as the features for protocol identification; finally, the description script of the protocol is generated.
A description script describes the protocol features in a specific format, so that the feature information of a communication process can be read and stored by means of the description script.
There are mainly five types of protocol identification description script: IP address description scripts, main feature code description scripts, protocol port description scripts, packet size description scripts and custom identification description scripts. The formats of the scripts are as follows:
IP address description script:
[freegate]
addr= type=dns domain=sss.aaa.net transport=tcp sports=[443-443] cports=[1024-65535]
addr= type=static sip=221.209.1.21 transport=tcp sports=[443-443] cports=[1024-65535]
Main feature code description script:
[http]
Feature= transport=tcp sports=[0-0] cports=[1024-65535] maincodes=0x474554 offsize=0 subcodes= suboffsize= sid=0 ctos=1 pktlen=[0-1460]
Protocol port description script:
[qq]
feature= transport=udp sports=[8000-8000] cports=[4000-4010] maincodes= offsize=0 subcodes=0x03 suboffsize=-1 sid=1 ctos=1 pktlen=[0-1460]
feature= transport=udp sports=[443-443] cports=[1024-65535] maincodes= offsize=0 subcodes=0x03 suboffsize=-1 sid=2 ctos=1 pktlen=[0-1460]
Packet size description script:
[skype]
pkts= transport=tcp pkt1={32-48,0} pkt2={58-64,1} pkt3={59-72,0} pkt4={68-80,0} pkt5={89-96,1} …… pktn={80-92,0} averagelen={64,50} sports=[443-443]
Custom identification description script:
[exprotocol]
self= name=xxx1 transport=tcp sports=[9000-9100]
self= name=xxx2 transport=udp sports=[6000-6010]
The custom identification description script mainly describes the protocol feature information that needs to be obtained during initialization when a communication process is identified by a preset identification plug-in.
The parameters of an IP address description comprise: the type of address (domain name or static IP), the domain name or IP address of the server, the type of transport layer protocol (tcp, udp, etc.), and the server port range.
The parameters of a main feature code description mainly comprise: the type of transport layer protocol (tcp, udp, etc.), the main feature code of the protocol and its offset, the sub-feature code of the protocol and its offset, the direction of the data packet, and the packet content length when this group of protocol features occurs.
The parameters of a protocol port feature description mainly comprise: the type of transport layer protocol (tcp, udp, etc.), the port range of the server, the port range of the client, the sub-feature code of the protocol and its offset, the direction of the data packet, and the packet content length when this group of protocol features occurs.
The parameters of a packet size description comprise: the type of transport layer protocol (tcp, udp, etc.), the size and direction of each data packet, the server port range, and the average packet size.
The parameters of a custom protocol identification method description comprise: the protocol name, the type of transport layer protocol (tcp, udp, etc.), and the server port range.
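A parser for the description-script format above, as an added example that is not part of the patent. It assumes fields are separated by whitespace and that an empty value means the field is unset; `Rule`, `parse_script` and `table_for` are hypothetical names, and the mapping from rule type to lookup table is an interpretation of the script types.

```python
import re
from dataclasses import dataclass, field

# Constructed sample built from the page's [http], [qq] and [freegate] entries.
SAMPLE_SCRIPT = """\
[http]
feature= transport=tcp sports=[0-0] cports=[1024-65535] maincodes=0x474554 offsize=0 subcodes= suboffsize= sid=0 ctos=1 pktlen=[0-1460]
[qq]
feature= transport=udp sports=[8000-8000] cports=[4000-4010] maincodes= offsize=0 subcodes=0x03 suboffsize=-1 sid=1 ctos=1 pktlen=[0-1460]
[freegate]
addr= type=static sip=221.209.1.21 transport=tcp sports=[443-443] cports=[1024-65535]
"""

RANGE_RE = re.compile(r"^\[(\d+)-(\d+)\]$")
HEX_RE = re.compile(r"^0x((?:[0-9a-fA-F]{2})+)$")
RANGE_KEYS = {"sports", "cports", "pktlen"}
HEX_KEYS = {"maincodes", "subcodes"}
INT_KEYS = {"offsize", "suboffsize", "sid", "ctos"}
KINDS = {"addr", "feature", "pkts", "self"}


@dataclass
class Rule:
    protocol: str                   # section name, e.g. "http"
    kind: str                       # entry keyword: addr, feature, pkts or self
    fields: dict = field(default_factory=dict)


def parse_value(key, raw):
    """Convert one raw field to a typed value, rejecting malformed input."""
    if raw == "":
        return None                 # field present but unset
    if key in RANGE_KEYS:
        m = RANGE_RE.match(raw)
        if not m:
            raise ValueError(f"bad range for {key}: {raw!r}")
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > hi or hi > 65535:
            raise ValueError(f"range out of bounds for {key}: {raw!r}")
        return (lo, hi)
    if key in HEX_KEYS:
        m = HEX_RE.match(raw)
        if not m:
            raise ValueError(f"bad hex code for {key}: {raw!r}")
        return bytes.fromhex(m.group(1))
    if key in INT_KEYS:
        return int(raw)
    return raw                      # type, domain, sip, transport, pktN, ...


def parse_script(text):
    """Parse a description script into a list of Rule objects."""
    rules, protocol = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            protocol = line[1:-1]
            continue
        if protocol is None:
            raise ValueError(f"line {lineno}: entry before any [section]")
        tokens = line.split()
        kind = tokens[0].rstrip("=").lower()    # the page shows both Feature= and feature=
        if not tokens[0].endswith("=") or kind not in KINDS:
            raise ValueError(f"line {lineno}: unknown entry {tokens[0]!r}")
        rule = Rule(protocol, kind)
        for tok in tokens[1:]:
            key, sep, raw = tok.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: expected key=value, got {tok!r}")
            rule.fields[key] = parse_value(key, raw)
        rules.append(rule)
    return rules


def table_for(rule):
    """Name the lookup table a rule would feed (interpretation, see lead-in)."""
    if rule.kind == "addr":
        return "ip"
    if rule.kind == "pkts":
        return "length"
    if rule.kind == "self":
        return "plugin"
    return "main_code" if rule.fields.get("maincodes") else "port"


if __name__ == "__main__":
    for r in parse_script(SAMPLE_SCRIPT):
        print(r.protocol, table_for(r), r.fields)
```

The `[http]` main feature code `0x474554` decodes to the ASCII bytes `GET`, matched at offset 0 of the payload.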
Specifically, the initialization process comprises:
Acquiring the IP address of a known communication process, hashing the IP address to obtain a first initial hash value, and storing the first initial hash value in association with the protocol ID of the known communication process corresponding to the IP address, to generate the IP address hash table.
Where the hash bucket corresponding to the first initial hash value contains multiple nodes, hash collisions in that bucket are handled with a linked list; the linked list can be obtained by arranging the corresponding nodes from front to back in descending order of IP address.
Acquiring the main feature code of a known communication process, hashing the main feature code to obtain a second initial hash value, and storing the second initial hash value in association with the protocol ID of the known communication process corresponding to the main feature code, to generate the main feature code hash table.
Where the hash bucket corresponding to the second initial hash value contains multiple nodes, hash collisions in that bucket are handled with a linked list; the linked list can be obtained by arranging the corresponding nodes from front to back in descending order of main feature code length.
Acquiring the protocol port of a known communication process, hashing the protocol port to obtain a third initial hash value, and storing the third initial hash value in association with the protocol ID of the known communication process corresponding to the main feature code, to generate the protocol port hash table.
Where the hash bucket corresponding to the third initial hash value contains multiple nodes, hash collisions in that bucket are handled with a linked list; the linked list can be obtained by arranging the corresponding nodes from front to back in descending order of sub-feature code length.
Acquiring the packet length of a known communication process, hashing the packet length to obtain a fourth initial hash value, and storing the fourth initial hash value in association with the protocol ID of the known communication process corresponding to the packet length, to generate the packet length hash table.
Where the hash bucket corresponding to the fourth initial node contains multiple nodes, then, to handle hash collisions in the linked list of that hash bucket, the packet length value that produced the collision can be appended to the tail of the bucket's linked list.
The initialization process for protocol identification provided by this embodiment stores the feature information of communication processes in the corresponding hash tables, so that the protocol of a communication process can be identified quickly.
Embodiment 3:
Fig. 2 is a flow chart of the network application layer protocol identification method provided by this embodiment. Referring to Fig. 2, on the basis of embodiment 2, step S2 comprises:
S21: identify the communication process according to the IP address hash table; if the communication process is identified, obtain the protocol ID of the communication process; otherwise, go to step S22;
S22: identify the communication process according to the main feature code hash table; if the communication process is identified, obtain the protocol ID of the communication process; otherwise, go to step S23;
S23: identify the communication process according to the protocol port hash table; if the communication process is identified, obtain the protocol ID of the communication process; otherwise, go to step S24;
S24: identify the communication process according to the packet length hash table; if the communication process is identified, obtain the protocol ID of the communication process; otherwise, go to step S25;
S25: identify the communication process with the identification plug-in registered on the destination protocol port or the source protocol port; if the communication process is identified, obtain the protocol ID of the communication process; otherwise, mark the protocol of the communication process as undefined.
It should be noted that, in the network application layer protocol identification method provided by this embodiment, identification proceeds in turn by the IP address of the communication process, the main feature code, the protocol port, and the length of the packets in the communication process, which improves the speed and accuracy of protocol identification.
The identification priority reflects how accurate each method is in the protocol identification process. For a communication process whose application layer protocol is unknown, protocol identification is first performed with the IP address; if the IP address cannot identify it, identification by main feature code is considered next; if the main feature code cannot identify it, the protocol port method is considered; if the protocol port method cannot identify it, identification by the length of the packets in the communication process is considered. This order takes full account of the maximum likelihood that the protocol is identified: the most likely identification method is tried first, and other methods are considered only if it fails. While ensuring the maximum likelihood that the protocol is identified, this approach also takes full account of the time that protocol identification takes.
The protocol identification method provided by this embodiment identifies the protocol of a communication process by 5 identification processes in sequence and, while ensuring the maximum likelihood that the protocol is identified, identifies the protocol quickly and accurately.
Embodiment 4:
On the basis of embodiment 3, in the network application layer protocol identification method provided by this embodiment, step S21 comprises:
S211: perform a hash operation on the destination IP address of the IP addresses to obtain a first hash value; look up, in the IP address hash table, the linked list head of the hash bucket corresponding to the first hash value; traverse the linked list at that head to determine whether a first node matching the first hash value exists; if so, verify the destination protocol port of the communication process; if verification passes, obtain the protocol ID corresponding to the first node;
S212: if no node matching the first hash value exists in the linked list, or the destination protocol port fails verification, perform a hash operation on the source IP address of the IP addresses to obtain a second hash value; look up, in the IP address hash table, the linked list head of the hash bucket corresponding to the second hash value; traverse the linked list at that head to determine whether a second node matching the second hash value exists; if so, verify the source protocol port of the communication process; if verification passes, obtain the protocol ID corresponding to the second node.
Step S22 comprises:
S221: traverse the offset array of the main feature codes, taking offsets out of the array one at a time in a loop;
S222: perform a hash operation on the packet content at the offset taken out to obtain a 3rd hash value; look up the linked list head of the corresponding hash bucket according to the 3rd hash value; determine whether the linked list at that head is empty; if it is not empty, traverse the linked list to determine whether a 3rd node matching the 3rd hash value exists; if so, verify the sub-feature code of the communication process; if verification passes, obtain the protocol ID corresponding to that node;
S223: if the linked list of the hash bucket at the linked list head is empty, or no 3rd node exists in the linked list, or the sub-feature code fails verification, return to step S221 and take out the next offset.
Step S23 comprises:
S231: perform a hash operation on the destination protocol port of the protocol ports to obtain a 4th hash value; look up, in the protocol port hash table, the linked list head of the hash bucket corresponding to the 4th hash value; traverse the linked list at that head to determine whether a 4th node matching the 4th hash value exists; if so, verify the sub-feature code of the communication process; if verification passes, obtain the protocol ID corresponding to the 4th node;
S232: if no node matching the 4th hash value exists in the linked list, or the sub-feature code fails verification, perform a hash operation on the source protocol port of the protocol ports to obtain a 5th hash value; look up, in the protocol port hash table, the linked list head of the hash bucket corresponding to the 5th hash value; traverse the linked list at that head to determine whether a 5th node matching the 5th hash value exists; if so, verify the sub-feature code of the communication process; if verification passes, obtain the protocol ID corresponding to the 5th node.
Step S24 comprises:
S241: perform a hash operation on the length of the packet in the communication process to obtain a 6th hash value; look up, in the packet length hash table, the linked list head of the hash bucket corresponding to the 6th hash value; traverse the linked list at that head to determine whether a 6th node matching the 6th hash value exists; if so, determine whether, in the sequence of all packet length values corresponding to the 6th node, the length value of the packet in the communication process is the last value of the sequence; if so, obtain the protocol ID corresponding to the 6th node;
S242: if traversing the linked list at the linked list head finds no node matching the 6th hash value, or the length value of the packet in the communication process is not the last value in the sequence of all packet length values corresponding to the 6th node, go to step S25.
It should be noted that:
Step S25 comprises:
S251: perform a hash operation on the destination protocol port of the protocol ports to obtain a 7th hash value; look up, in the protocol port hash table, the linked list head of the hash bucket corresponding to the 7th hash value; traverse the linked list at that head to determine whether a 7th node matching the 7th hash value exists; if so, recursively call the identification plug-in corresponding to the 7th node to identify the communication process; if the communication process is identified, obtain the protocol ID of the communication process;
S252: if the protocol of the communication process is not identified, perform a hash operation on the source protocol port of the protocol ports to obtain an 8th hash value; look up, in the protocol port hash table, the linked list head of the hash bucket corresponding to the 8th hash value; traverse the linked list at that head to determine whether an 8th node matching the 8th hash value exists; if so, recursively call the identification plug-in corresponding to the 8th node to identify the communication process; if the communication process is identified, obtain the protocol ID of the communication process; otherwise, mark the protocol of the communication process as undefined.
It should be noted that verifying the destination protocol port of the communication process in step S211 means comparing the destination protocol port with the specified port range of the destination port corresponding to the destination IP address at the first node; if the destination protocol port is within the specified range, the destination protocol port verification passes.
Verifying the source protocol port of the communication process in step S212 means comparing the source protocol port with the specified port range of the source port corresponding to the source IP address at the second node; if the source protocol port is within the specified range, the source protocol port verification passes.
Verifying the sub-feature code of the communication process in step S222 means performing a binary comparison between the content at a specified offset in the packet of the communication process (the offset is defined by the suboffsize item in the protocol identification description script) and the sub-feature code of the 3rd node. If the content at the specified offset in the packet is identical to the binary code of the sub-feature code of the 3rd node, verification succeeds; otherwise, verification fails.
Destination IP and destination port both refer to the party receiving information, and source IP address and source port both refer to the party sending information. Because in P2P communication a terminal may be either the party receiving information or the party sending information, destination IP, destination port, source IP address and source port are all defined relative to the communication process.
The network application layer protocol identification method provided in this embodiment identifies the protocol of a communication process by multiple protocol identification methods, and the use of hash tables in the identification process improves identification efficiency.
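The cascade of steps S21 to S25, with the port-range check, the sub-feature code check and the "last value of the length sequence" test described above, can be sketched as follows. This is an added illustration, not code from the patent: Python dicts of lists stand in for hash buckets and their linked lists, and the 2-byte bucket key, the per-flow length history, the separate plug-in table and all sample rules are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

UNDEFINED = 0  # protocol ID meaning "not identified"

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes
    history: list = field(default_factory=list)  # lengths of earlier packets of the flow

@dataclass
class Signature:
    proto_id: int
    main: bytes          # main feature code
    offset: int          # payload offset of the main feature code
    sub: bytes = b""     # sub-feature code (empty: nothing to verify)
    sub_offset: int = 0  # the "suboffsize" item of the description script

def sub_ok(payload, sub, sub_offset):  # binary comparison at the sub-feature offset
    return payload[sub_offset:sub_offset + len(sub)] == sub

class Classifier:
    KEY_LEN = 2  # assumption: the bucket key is the first 2 bytes at the offset

    def __init__(self):
        self.ip_table = {}      # int(ip) -> [(port_lo, port_hi, proto_id)]
        self.main_table = {}    # key bytes -> [Signature], longest main code first
        self.offsets = set()    # offset array traversed in S221
        self.port_table = {}    # port -> [(sub, sub_offset, proto_id)]
        self.length_table = {}  # packet length -> [(length sequence, proto_id)]
        self.plugins = {}       # port -> callable(packet) returning a protocol ID

    def add_signature(self, sig):
        chain = self.main_table.setdefault(sig.main[:self.KEY_LEN], [])
        chain.append(sig)
        chain.sort(key=lambda s: len(s.main), reverse=True)  # descending code length
        self.offsets.add(sig.offset)

    def add_lengths(self, lengths, proto_id):
        for n in lengths:  # colliding entries are appended at the tail of the chain
            self.length_table.setdefault(n, []).append((list(lengths), proto_id))

    def by_ip(self, p):  # S21
        for ip, port in ((p.dst_ip, p.dst_port), (p.src_ip, p.src_port)):
            for lo, hi, proto_id in self.ip_table.get(int(ip_address(ip)), []):
                if lo <= port <= hi:
                    return proto_id
        return UNDEFINED

    def by_main(self, p):  # S22
        for off in sorted(self.offsets):
            for sig in self.main_table.get(p.payload[off:off + self.KEY_LEN], []):
                if (sig.offset == off and p.payload.startswith(sig.main, off)
                        and sub_ok(p.payload, sig.sub, sig.sub_offset)):
                    return sig.proto_id
        return UNDEFINED

    def by_port(self, p):  # S23
        for port in (p.dst_port, p.src_port):
            for sub, sub_offset, proto_id in self.port_table.get(port, []):
                if sub_ok(p.payload, sub, sub_offset):
                    return proto_id
        return UNDEFINED

    def by_length(self, p):  # S24
        seen = p.history + [len(p.payload)]
        for seq, proto_id in self.length_table.get(len(p.payload), []):
            if seq[-1] == len(p.payload) and seen[-len(seq):] == seq:
                return proto_id
        return UNDEFINED

    def by_plugin(self, p):  # S25
        for port in (p.dst_port, p.src_port):
            proto_id = self.plugins.get(port, lambda _p: UNDEFINED)(p)
            if proto_id != UNDEFINED:
                return proto_id
        return UNDEFINED

    def identify(self, p):
        for stage in (self.by_ip, self.by_main, self.by_port, self.by_length, self.by_plugin):
            proto_id = stage(p)
            if proto_id != UNDEFINED:
                return proto_id, stage.__name__
        return UNDEFINED, "undefined"

def demo_classifier():
    """Constructed rule set: every address, port, signature and ID is made up."""
    c = Classifier()
    c.ip_table[int(ip_address("203.0.113.10"))] = [(8000, 8100, 10)]
    c.add_signature(Signature(21, b"DEMO", 2))
    c.add_signature(Signature(20, b"DEMOv2", 2, sub=b"\x07", sub_offset=9))
    c.port_table[9999] = [(b"PING", 0, 30)]
    c.add_lengths([48, 64, 112], 40)
    c.plugins[7000] = lambda p: 50 if p.payload[:1] == b"\x7f" else UNDEFINED
    return c
```

Because the chain is ordered longest main feature code first, a payload carrying `DEMOv2` is tested against the more specific rule before the shorter `DEMO` rule, and falls through to the shorter rule only when the sub-feature check fails.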
Embodiment 5:
On the basis of the above embodiments, the method further comprises, before step S1:
Obtain the four-tuple information of the communication process and query the preset four-tuple hash table for the corresponding node according to the four-tuple information; if the corresponding node is found, determine whether the protocol ID at that node is defined; if so, take the protocol ID corresponding to the node as the protocol ID of the communication process;
If no node is found in the four-tuple hash table, or the protocol ID corresponding to the node found is undefined, query the preset triple hash table for the corresponding node according to the triple information in the four-tuple information; if the corresponding node is found, supplement the triple information into four-tuple information according to the information of the communication process, move the node from the triple hash table to the four-tuple hash table, and take the protocol ID corresponding to the node as the protocol ID of the communication process;
If no node is found in either the four-tuple hash table or the triple hash table, create a new node according to the four-tuple information and add it to the four-tuple hash table, mark the protocol ID of this communication process as undefined, and go to step S1.
It should be noted that the four-tuple information comprises: destination IP address, source IP address, destination port and source port. The triple information comprises: one of destination IP address, source IP address, destination port or source port.
When the protocol ID of a communication process is queried from the four-tuple or triple hash table, there are three possible results: the node of this communication process is found and its protocol ID is defined; the node of this communication process is found and its protocol ID is undefined; or no node of this communication process is found.
If the node of this communication process is found and its protocol ID is defined, the application layer protocol of this communication process is identified. If the node is found but its protocol ID is undefined, step S1 must be entered to continue determining the protocol ID of this communication process. If it can be determined, the protocol ID of this communication process is identified, and the identified protocol ID is stored in association at the corresponding node for later lookups. If it cannot be determined, whether to continue identifying the protocol ID of this communication process is decided according to the identification count: if so, identification continues in order to obtain the protocol ID of this communication process; otherwise, the protocol of this communication process is marked as an unknown protocol. A communication process whose protocol is marked as an unknown protocol is one whose protocol cannot be identified.
The network application layer protocol identification method provided by this embodiment identifies the protocol of a communication process quickly by combining the four-tuple and triple hash tables with the 5 identification processes of embodiments 1-7. At the same time, this embodiment updates the protocol identification tables built during initialization, which provides the basis for quick identification of communication process protocols.
Embodiment 6:
On the basis of embodiment 5, the method further comprises:
If the application layer protocol of the communication process is identified, obtain the protocol ID of the communication process, and store the protocol ID in association at the node corresponding to this communication process in the four-tuple hash table. For a communication process whose protocol has been identified, decode the application layer protocol of the communication process and determine whether its return value contains predicted communication process information for the communication process; if so, determine whether the four-tuple information of the predicted communication process is complete; if it is complete, store the four-tuple information in association with the corresponding protocol ID in the preset four-tuple hash table; otherwise, store the triple information in association with the corresponding protocol ID in the triple hash table;
If the protocol of the communication process is undefined, determine whether the identification count of the communication process exceeds the threshold; if so, no longer identify the communication process and mark its protocol as an unknown protocol; otherwise, continue identifying the application layer protocol of the communication process.
It should be noted that:
Other actions that the communication process may trigger, and the new communication processes thus produced, are the predicted communication processes of this communication process. The communication process information of a predicted communication process can be obtained, or reasonably inferred, from the information of this communication process.
Because the four-tuple information of a predicted communication process may be incomplete, when its four-tuple communication information is incomplete, its communication protocol and communication information are stored in the triple hash table. If both the four-tuple information and the triple information of the predicted communication process are incomplete, a node for this communication process can first be created in the four-tuple hash table or the triple hash table to store the corresponding communication information, pending the next supplement or identification of information.
If the protocol ID of this communication process is not identified through the four-tuple or triple hash table, then after the protocol ID of this communication process is identified by steps S21-S25, the protocol ID of this session is stored in association in the four-tuple hash table according to the four-tuple information of this communication process, so that the same communication process can be identified quickly next time, improving identification efficiency.
One identification of a communication process runs from the start of identification to obtaining an identification result. Each time the communication process is identified, the system counts once and compares the count with the preset threshold to determine whether to continue identifying this communication process. For the sake of identification efficiency, the protocol identification process of a communication process is subject to a limit on the identification count; if the number of identifications exceeds the threshold, this communication process is no longer identified.
The network application layer protocol identification method provided by this embodiment limits the protocol identification count and, at the same time, supplements and updates the four-tuple or triple hash table so that the information in the four-tuple or triple hash table is more complete, improving the efficiency of protocol identification.
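The four-tuple and triple tables of embodiments 5 and 6, including a predicted communication process and the identification-count threshold, are sketched below as an added example that is not part of the patent. It assumes a triple is a four-tuple whose source port is still unknown, uses an FTP passive-mode reply as the source of the prediction, and substitutes a one-rule stub for steps S1/S2; the threshold value, protocol IDs and traffic are constructed.

```python
import re
from dataclasses import dataclass

UNDEFINED, UNKNOWN = 0, -1   # "not yet identified" / "gave up identifying"
FTP_CTRL, FTP_DATA = 1, 2    # constructed protocol IDs
MAX_ATTEMPTS = 3             # assumed identification-count threshold

@dataclass
class Node:
    proto_id: int = UNDEFINED
    attempts: int = 0

class FlowCache:
    """Four-tuple and triple tables placed in front of the identification step.

    A four-tuple is (src_ip, src_port, dst_ip, dst_port). Assumption: a triple
    is the same with the source port missing, keyed (src_ip, dst_ip, dst_port).
    """

    def __init__(self, identify, decode):
        self.identify = identify  # callable(payload) -> protocol ID or UNDEFINED
        self.decode = decode      # callable(proto_id, four_tuple, payload) -> predictions
        self.four, self.three = {}, {}

    def learn(self, four_tuple, proto_id):
        """Store a predicted flow: complete -> four-tuple table, else triple table."""
        src_ip, src_port, dst_ip, dst_port = four_tuple
        if src_port is None:
            self.three[(src_ip, dst_ip, dst_port)] = Node(proto_id)
        else:
            self.four[four_tuple] = Node(proto_id)

    def classify(self, four_tuple, payload):
        src_ip, _src_port, dst_ip, dst_port = four_tuple
        node = self.four.get(four_tuple)
        if node is None or node.proto_id == UNDEFINED:
            predicted = self.three.pop((src_ip, dst_ip, dst_port), None)
            if predicted is not None:      # complete the triple and move the node
                node = self.four[four_tuple] = predicted
            elif node is None:             # first packet of an unseen flow
                node = self.four[four_tuple] = Node()
        if node.proto_id == UNDEFINED:
            node.proto_id = self.identify(payload)
            if node.proto_id == UNDEFINED:
                node.attempts += 1
                if node.attempts > MAX_ATTEMPTS:
                    node.proto_id = UNKNOWN    # no further identification
        if node.proto_id not in (UNDEFINED, UNKNOWN):
            for predicted_tuple, predicted_id in self.decode(node.proto_id, four_tuple, payload):
                self.learn(predicted_tuple, predicted_id)
        return node.proto_id

PASV = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_ftp(proto_id, four_tuple, payload):
    """Predict the data connection announced by an FTP 227 (passive mode) reply."""
    m = PASV.match(payload) if proto_id == FTP_CTRL else None
    if m is None:
        return []
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    client_ip = four_tuple[2]     # the reply travels server -> client
    # The client's source port is not known yet, so the prediction is a triple.
    return [((client_ip, None, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2), FTP_DATA)]

def identify_stub(payload):
    """Stand-in for steps S1/S2: recognises only an FTP greeting (constructed rule)."""
    return FTP_CTRL if payload.startswith(b"220 ") else UNDEFINED

def demo():
    """Constructed traffic: control channel, predicted data channel, unknown flow."""
    cache = FlowCache(identify_stub, decode_ftp)
    ctrl = ("192.0.2.10", 21, "198.51.100.7", 40000)
    data = ("198.51.100.7", 50001, "192.0.2.10", 5001)
    other = ("198.51.100.7", 50002, "192.0.2.99", 4444)
    results = [cache.classify(ctrl, b"220 Service ready\r\n"),
               cache.classify(ctrl, b"227 Entering Passive Mode (192,0,2,10,19,137)\r\n"),
               cache.classify(data, b"\x00\x01opaque file bytes")]
    results += [cache.classify(other, b"\x00\x01") for _ in range(5)]
    return cache, results
```

The data connection is labelled from the triple table even though its payload matches no rule, and the unidentifiable flow stops consuming identification work once its count exceeds the threshold.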
Embodiment 7:
This embodiment provides a network application layer protocol identification system, which identifies communication processes using any one of the network application layer protocol identification methods of the above embodiments.
The network application layer protocol identification system provided by this embodiment identifies the protocol of a communication process by multiple protocol identification methods and can identify protocols that conventional methods cannot. The system identifies the protocol of a communication process by 5 identification processes in sequence and can identify the protocol quickly and accurately. During identification, the four-tuple and triple information in the initialized system for which no protocol was identified is updated and supplemented, which makes up for the shortcomings of a basic four-tuple and triple identification system.
Embodiment 8:
Fig. 3 is a flow chart of the network application layer protocol identification method provided by this embodiment. Referring to Fig. 3, the communication process is searched for in the system under test; if it is not found, a communication process is created and the created communication process is identified. If the communication process is found and its protocol needs to be identified, the protocol of this communication process is identified.
Protocol identification is performed on a communication process that needs identification, either by a traditional protocol identification method or by the protocol identification method provided by the present invention. If the protocol of this communication process is identified, the protocol ID corresponding to its protocol is obtained. If the protocol of this communication process is not identified, it is determined whether the identification count for this protocol exceeds the threshold; if so, the communication protocol is marked as an unknown protocol and its state is set to "identification not needed", and protocol identification is no longer performed on this communication process. If the identification count for this protocol does not exceed the threshold, the state of this communication process is set to "identification needed", so that protocol identification continues for this communication process.
The network application layer protocol identification method provided by this embodiment identifies the protocol of a communication process and, for a communication process whose protocol is not identified, sets its state to "identification needed" or "identification not needed" according to the identification count, in order to decide whether protocol identification is needed for this communication process next time.
Embodiment 9:
Fig. 4 is a flow chart of the network application layer protocol identification method provided by this embodiment. Referring to Fig. 4, when protocol identification is performed with the 5 identification processes provided by the invention, the IP address hash table is first searched for a node related to the IP address of this communication process; if there is one, port verification is performed on this communication process; if verification passes, the protocol ID of this communication process is obtained.
If the IP address hash table has no node related to the IP address of this communication process, or port verification fails, the main feature code hash table is searched for a node related to the main feature code of this communication process; if there is one, the sub-feature code of this communication process is verified; if verification passes, the protocol ID of this communication process is obtained.
If the main feature code hash table has no node related to the main feature code of this communication process, or the sub-feature code of this communication process fails verification, the port hash table is searched for a node related to the protocol port of this communication process; if there is one, the sub-feature code of this communication process is verified; if verification passes, the protocol ID of this communication process is obtained.
If the port hash table has no node related to the protocol port of this communication process, or the sub-feature code of this communication process fails verification, the packet size hash table is searched for a node related to the packet size of this communication process; if there is one, it is determined whether the packet size value of this communication process is the last value of the matching sequence corresponding to this node; if so, the protocol ID of this communication process is obtained.
If the packet size hash table has no node related to the packet size of this communication process, or the packet size value of this communication process is not the last value of the matching sequence corresponding to this node, the identification plug-in of the port is used to identify the communication process; if this communication process is identified, its protocol ID is obtained; otherwise, the protocol of this communication process is marked as undefined.
The 5 identification methods provided by this embodiment identify the protocol of a communication process in turn according to the IP address of the communication process, the main feature code, the protocol port, the length of the packets in the communication process, and the corresponding identification plug-in, enabling quick and accurate identification of the communication process protocol.
The foregoing is only the preferred embodiments of the present invention and is not intended to limit the present invention. For a person skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. A network application layer protocol identification method, characterized by comprising:
S1: obtain characteristic information of a communication process, the characteristic information comprising at least one of the following or a combination thereof: the IP address of the communication process, the main feature code, the protocol port, and the length of the packets in the communication process;
S2: identify the communication process according to any one of the preset IP address hash table, main feature code hash table, protocol port hash table and packet length hash table, or according to a preset identification plug-in; if the communication process is identified, obtain the protocol ID of the communication process; otherwise, mark the protocol of the communication process as undefined.
2. The network application layer protocol identification method according to claim 1, characterized in that, before step S1, the method further comprises:
Obtain the IP address of each known communication process, perform a hash operation on the IP address to obtain a first initial hash value, and store the first initial hash value in association with the protocol ID of the known communication process corresponding to the IP address, thereby generating the IP address hash table;
Obtain the main feature code of each known communication process, perform a hash operation on the main feature code to obtain a second initial hash value, and store the second initial hash value in association with the protocol ID of the known communication process corresponding to the main feature code, thereby generating the main feature code hash table;
Obtain the protocol port of each known communication process, perform a hash operation on the protocol port to obtain a 3rd initial hash value, and store the 3rd initial hash value in association with the protocol ID of the known communication process corresponding to the protocol port, thereby generating the protocol port hash table;
Obtain the packet length of each known communication process, perform a hash operation on the packet length to obtain a 4th initial hash value, and store the 4th initial hash value in association with the protocol ID of the known communication process corresponding to the packet length, thereby generating the packet length hash table.
3. The network application layer protocol identification method according to claim 2, characterized in that step S2 comprises:
S21: identify the communication process according to the IP address hash table; if the communication process is identified, obtain the protocol ID of the communication process; otherwise, go to step S22;
S22: identify the communication process according to the main feature code hash table; if the communication process is identified, obtain the protocol ID of the communication process; otherwise, go to step S23;
S23: identify the communication process according to the protocol port hash table; if the communication process is identified, obtain the protocol ID of the communication process; otherwise, go to step S24;
S24: identify the communication process according to the packet length hash table; if the communication process is identified, obtain the protocol ID of the communication process; otherwise, go to step S25;
S25: identify the communication process with the identification plug-in registered on the destination protocol port or the source protocol port; if the communication process is identified, obtain the protocol ID of the communication process; otherwise, mark the protocol of the communication process as undefined.
4. The network application layer protocol identification method according to claim 3, characterized in that step S21 comprises:
S211: perform a hash operation on the destination IP address of the IP addresses to obtain a first hash value; look up, in the IP address hash table, the linked list head of the hash bucket corresponding to the first hash value; traverse the linked list at that head to determine whether a first node matching the first hash value exists; if so, verify the destination protocol port of the communication process; if verification passes, obtain the protocol ID corresponding to the first node;
S212: if no node matching the first hash value exists in the linked list, or the destination protocol port fails verification, perform a hash operation on the source IP address of the IP addresses to obtain a second hash value; look up, in the IP address hash table, the linked list head of the hash bucket corresponding to the second hash value; traverse the linked list at that head to determine whether a second node matching the second hash value exists; if so, verify the source protocol port of the communication process; if verification passes, obtain the protocol ID corresponding to the second node.
5. The network application layer protocol identification method according to claim 3, characterized in that step S22 comprises:
S221: traverse the offset array of the main feature codes, taking offsets out of the array one at a time in a loop;
S222: perform a hash operation on the packet content at the offset taken out to obtain a 3rd hash value; look up the linked list head of the corresponding hash bucket according to the 3rd hash value; determine whether the linked list at that head is empty; if it is not empty, traverse the linked list to determine whether a 3rd node matching the 3rd hash value exists; if so, verify the sub-feature code of the communication process; if verification passes, obtain the protocol ID corresponding to that node;
S223: if the linked list of the hash bucket at the linked list head is empty, or no 3rd node exists in the linked list, or the sub-feature code fails verification, return to step S221 and take out the next offset.
6. The network application layer protocol identification method according to claim 3, characterized in that step S23 comprises:
S231: perform a hash operation on the destination protocol port of the protocol ports to obtain a 4th hash value; look up, in the protocol port hash table, the linked list head of the hash bucket corresponding to the 4th hash value; traverse the linked list at that head to determine whether a 4th node matching the 4th hash value exists; if so, verify the sub-feature code of the communication process; if verification passes, obtain the protocol ID corresponding to the 4th node;
S232: if no node matching the 4th hash value exists in the linked list, or the sub-feature code fails verification, perform a hash operation on the source protocol port of the protocol ports to obtain a 5th hash value; look up, in the protocol port hash table, the linked list head of the hash bucket corresponding to the 5th hash value; traverse the linked list at that head to determine whether a 5th node matching the 5th hash value exists; if so, verify the sub-feature code of the communication process; if verification passes, obtain the protocol ID corresponding to the 5th node.
7. The method for network application layer protocol identification according to claim 3, characterized in that step S24 comprises:
S241: performing a hash operation on the length of the packet in the communication process to obtain a sixth hash value; querying, in the packet length hash table, the list head of the hash bucket corresponding to the sixth hash value; traversing the linked list corresponding to the list head to determine whether a sixth node matching the sixth hash value exists; if so, determining whether, in the sequence of all packet length values corresponding to the sixth node, the length value of the packet in the communication process is the last in the sequence; and if so, obtaining the protocol ID corresponding to the sixth node;
S242: if the linked list corresponding to the list head contains no node matching the sixth hash value, or the length value of the packet in the communication process is not the last in the sequence of all packet length values corresponding to the sixth node, entering step S25.
8. The method for network application layer protocol identification according to any one of claims 1 to 7, characterized in that, before step S1, the method further comprises:
obtaining the four-tuple information of the communication process, and querying the four-tuple hash table for the corresponding node according to the four-tuple information; if the corresponding node is found, determining whether the protocol ID at that node is defined; and if it is, taking the protocol ID corresponding to the node as the protocol ID of the communication process;
if no node is found in the four-tuple hash table, or the protocol ID corresponding to the node found is undefined, querying a preset triple hash table for the corresponding node according to the triple information in the four-tuple information; if the corresponding node is found, supplementing the triple information into four-tuple information according to the information of the communication process, transferring the node from the triple hash table to the four-tuple hash table, and taking the protocol ID corresponding to the node as the protocol ID of the communication process;
if no node is found in either the four-tuple hash table or the triple hash table, creating a new node according to the four-tuple information and adding it to the four-tuple hash table, marking the protocol ID of the communication process as undefined, and entering step S1.
9. The method for network application layer protocol identification according to claim 8, characterized in that the method further comprises:
if the protocol of the communication process is identified, obtaining the protocol ID of the communication process and storing it in association with the node corresponding to the communication process in the four-tuple hash table; decoding the application layer protocol of the communication process, and determining whether its return value contains predicted communication process information for the communication process; if so, determining whether the four-tuple information of the predicted communication process is complete; if it is complete, storing the four-tuple information in association with the corresponding protocol ID in the four-tuple hash table; otherwise, storing the triple information in association with the corresponding protocol ID in the triple hash table;
if the protocol of the communication process is undefined, determining whether the number of identification attempts for the communication process exceeds a threshold; if so, no longer identifying the communication process and marking the protocol of the communication process as an unknown protocol; otherwise, continuing to identify the communication process.
10. A system for network application layer protocol identification, characterized in that it identifies communication processes using the method for network application layer protocol identification according to any one of claims 1 to 9.
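The main/sub feature code lookup of claim 5 (steps S221 to S223) can be sketched as follows. This is an added example, not code from the patent: the CRC32 hash, the table size, the 4-byte main feature code length, the offset array and the three sample signatures are all assumptions constructed for illustration.

```python
import zlib

NBUCKETS = 64        # assumed table size
MAIN_LEN = 4         # assumed fixed length of a main feature code
OFFSETS = [0, 1]     # constructed offset array of the main feature codes

def h32(data: bytes) -> int:
    return zlib.crc32(data)   # stand-in hash; the claim names no function

def build_table(signatures):
    """Chain each signature node into the hash bucket selected by its hash value."""
    buckets = [[] for _ in range(NBUCKETS)]
    for main, sub_check, proto_id in signatures:
        hv = h32(main)
        buckets[hv % NBUCKETS].append((hv, main, sub_check, proto_id))
    return buckets

def identify(payload: bytes, buckets):
    """Try each offset until a node matches and its sub-feature code verifies."""
    for off in OFFSETS:                                   # S221: next offset
        chunk = payload[off:off + MAIN_LEN]
        if len(chunk) < MAIN_LEN:
            continue                                      # packet too short here
        hv = h32(chunk)                                   # S222: third hash value
        for node_hv, main, sub_check, proto_id in buckets[hv % NBUCKETS]:
            # The byte comparison guards against hash collisions (added safeguard).
            if node_hv == hv and main == chunk and sub_check(payload):
                return proto_id
        # S223: empty chain, no matching node, or sub-feature failed: next offset
    return None

# Constructed sample signatures: (main feature code, sub-feature check, protocol ID)
SIGNATURES = [
    (b"SSH-", lambda p: p[4:8] in (b"2.0-", b"1.99"), "ssh"),
    (b"BitT", lambda p: p[:1] == b"\x13" and p[5:20] == b"orrent protocol",
     "bittorrent"),
    (b"GET ", lambda p: b" HTTP/1." in p.split(b"\r\n", 1)[0], "http"),
]
TABLE = build_table(SIGNATURES)
```

A payload that begins with `GET ` but carries no HTTP version on its first line matches the main feature code, fails the sub-feature check and returns `None`, which is the case S223 exists for.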
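The flow cache of claims 8 and 9 is sketched below as an added example that is not the patent's own code. It assumes the triple is (source IP, destination IP, destination port), that a predicted flow with an unknown source port is written with `None` in that field, and that the attempt threshold is 3; Python dictionaries stand in for the hash buckets and linked lists.

```python
UNDEFINED = None        # protocol not identified yet
UNKNOWN = "unknown"     # identification abandoned
MAX_ATTEMPTS = 3        # assumed threshold; the claim gives no value

class FlowTable:
    def __init__(self):
        self.four = {}   # (src_ip, src_port, dst_ip, dst_port) -> node
        self.three = {}  # (src_ip, dst_ip, dst_port) -> protocol ID of a predicted flow

    def lookup(self, flow):
        """Claim 8: return a cached protocol ID, or UNDEFINED if step S1 must run."""
        src_ip, _src_port, dst_ip, dst_port = flow
        node = self.four.get(flow)
        if node is not None and node["proto"] is not UNDEFINED:
            return node["proto"]
        proto = self.three.pop((src_ip, dst_ip, dst_port), UNDEFINED)
        if proto is not UNDEFINED:
            # Predicted flow: complete the triple and move it to the four-tuple table.
            self.four[flow] = {"proto": proto, "attempts": 0}
            return proto
        if node is None:
            self.four[flow] = {"proto": UNDEFINED, "attempts": 0}
        return UNDEFINED

    def record(self, flow, proto, predicted=()):
        """Claim 9: store the outcome of one identification pass over `flow`."""
        node = self.four[flow]
        if proto is UNDEFINED:
            node["attempts"] += 1
            if node["attempts"] > MAX_ATTEMPTS:
                node["proto"] = UNKNOWN       # stop identifying this flow
            return node["proto"]
        node["proto"] = proto
        for (src_ip, src_port, dst_ip, dst_port), pred_proto in predicted:
            if src_port is None:              # incomplete: keep as a triple
                self.three[(src_ip, dst_ip, dst_port)] = pred_proto
            else:                             # complete four-tuple
                self.four[(src_ip, src_port, dst_ip, dst_port)] = {
                    "proto": pred_proto, "attempts": 0}
        return proto
```

An entry in the triple table matches any source port until it is promoted, so a deployment would normally also expire such entries; the claims shown here do not describe aging.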
CN201510997641.3A 2015-12-25 2015-12-25 A kind of method and system of network application-level protocol identification Active CN105516173B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510997641.3A CN105516173B (en) 2015-12-25 2015-12-25 A kind of method and system of network application-level protocol identification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510997641.3A CN105516173B (en) 2015-12-25 2015-12-25 A kind of method and system of network application-level protocol identification

Publications (2)

Publication Number Publication Date
CN105516173A true CN105516173A (en) 2016-04-20
CN105516173B CN105516173B (en) 2018-10-23

Family

ID=55723809

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510997641.3A Active CN105516173B (en) 2015-12-25 2015-12-25 A kind of method and system of network application-level protocol identification

Country Status (1)

Country Link
CN (1) CN105516173B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106209775A (en) * 2016-06-24 2016-12-07 深圳信息职业技术学院 The application type recognition methods of a kind of SSL encryption network flow and device
CN106789416A (en) * 2016-12-13 2017-05-31 中兴软创科技股份有限公司 The recognition methods of industrial control system specialized protocol and system
CN107360062A (en) * 2017-08-28 2017-11-17 上海国云信息科技有限公司 Verification method, system and the DPI equipment of DPI equipment recognition results
CN112261168A (en) * 2020-09-30 2021-01-22 厦门市美亚柏科信息股份有限公司 Multi-IP port user information searching method, terminal equipment and storage medium
CN114338439A (en) * 2021-12-27 2022-04-12 上海观安信息技术股份有限公司 Universal network flow analysis device and method
CN115580579A (en) * 2022-09-28 2023-01-06 杭州迪普科技股份有限公司 Message forwarding method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102075404A (en) * 2009-11-19 2011-05-25 华为技术有限公司 Message detection method and device
CN104038389A (en) * 2014-06-19 2014-09-10 高长喜 Multiple application protocol identification method and device
US20150012627A1 (en) * 2007-06-14 2015-01-08 Jonathan Rosenberg Distributed Bootstrapping Mechanism for Peer-to-Peer Networks
CN104320304A (en) * 2014-11-04 2015-01-28 武汉虹信技术服务有限责任公司 Multimode integration core network user traffic application identification method easy to expand

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150012627A1 (en) * 2007-06-14 2015-01-08 Jonathan Rosenberg Distributed Bootstrapping Mechanism for Peer-to-Peer Networks
CN102075404A (en) * 2009-11-19 2011-05-25 华为技术有限公司 Message detection method and device
CN104038389A (en) * 2014-06-19 2014-09-10 高长喜 Multiple application protocol identification method and device
CN104320304A (en) * 2014-11-04 2015-01-28 武汉虹信技术服务有限责任公司 Multimode integration core network user traffic application identification method easy to expand

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106209775A (en) * 2016-06-24 2016-12-07 深圳信息职业技术学院 The application type recognition methods of a kind of SSL encryption network flow and device
CN106209775B (en) * 2016-06-24 2019-05-24 深圳信息职业技术学院 A kind of application type recognition methods of SSL encryption network flow and device
CN106789416A (en) * 2016-12-13 2017-05-31 中兴软创科技股份有限公司 The recognition methods of industrial control system specialized protocol and system
CN107360062A (en) * 2017-08-28 2017-11-17 上海国云信息科技有限公司 Verification method, system and the DPI equipment of DPI equipment recognition results
CN107360062B (en) * 2017-08-28 2021-02-02 上海国云信息科技有限公司 DPI equipment identification result verification method and system and DPI equipment
CN112261168A (en) * 2020-09-30 2021-01-22 厦门市美亚柏科信息股份有限公司 Multi-IP port user information searching method, terminal equipment and storage medium
CN114338439A (en) * 2021-12-27 2022-04-12 上海观安信息技术股份有限公司 Universal network flow analysis device and method
CN114338439B (en) * 2021-12-27 2023-08-08 上海观安信息技术股份有限公司 Universal network flow analysis device and method
CN115580579A (en) * 2022-09-28 2023-01-06 杭州迪普科技股份有限公司 Message forwarding method and device, electronic equipment and storage medium
CN115580579B (en) * 2022-09-28 2024-06-04 杭州迪普科技股份有限公司 Message forwarding method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN105516173B (en) 2018-10-23

Similar Documents

Publication Publication Date Title
CN105516173A (en) Network application layer protocol identification method and system
CN102404197B (en) Data path processing information included in the pseudowire layer of packets
CN110855576B (en) Application identification method and device
CN110708215B (en) Deep packet inspection rule base generation method, device, network equipment and storage medium
CN105847078B (en) A kind of HTTP flow fining recognition methods based on DPI self-study mechanism
CN106126383B (en) A kind of log processing method and device
CN104486161A (en) Method and device for network traffic identification
WO2019134240A1 (en) Method for identifying multiple packets, method for identifying data packet, and traffic guiding method
CN109450733B (en) Network terminal equipment identification method and system based on machine learning
CN104008381A (en) Identity recognition method and device
CN101287010A (en) Method and apparatus for identifying and verifying type of message protocol
CN108173705A (en) First packet recognition methods, device, equipment and the medium of flow drainage
CN104333483A (en) Identification method, system and identification device for internet application flow
US20060106583A1 (en) Method for protocol recognition and analysis in data networks
CN104506450A (en) Media resource feedback method and device
WO2019134239A1 (en) Method for identifying single packet, and traffic guiding method
CN113825129A (en) Industrial internet asset mapping method under 5G network environment
CN105227348A (en) A kind of Hash storage means based on IP five-tuple
WO2016114750A1 (en) Data link layer information
CN109145588B (en) Data processing method and device
CN105939304B (en) Tunnel message parsing method and device
CN113055420B (en) HTTPS service identification method and device and computing equipment
Lee et al. High performance payload signature-based Internet traffic classification system
CN103841083B (en) Strengthen the method and device of message recognition capability
CN107181759B (en) Authentication method and device for user equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant