CN105634863B - Method and apparatus for application protocol detection - Google Patents

Method and apparatus for application protocol detection

Info

Publication number: CN105634863B
Application number: CN201511001393.9A
Authority: CN (China)
Prior art keywords: rule, mark, detection messages, field, syn message
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN105634863A (en)
Inventor: 徐牧池
Current assignees: Shenzhou Lvmeng Chengdu Technology Co ltd; Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignees: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd

Events
Application filed by NSFOCUS Information Technology Co Ltd and Beijing NSFocus Information Security Technology Co Ltd
Priority to CN201511001393.9A
Publication of CN105634863A
Application granted
Publication of CN105634863B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/18 Protocol analysers
    • H04L 43/06 Generation of reports
    • H04L 43/062 Generation of reports related to network traffic

Abstract

The invention discloses a method and apparatus for application protocol detection, comprising: obtaining the session to which a detection packet belongs; if that session does not contain an operating system (OS) identifier, looking up the OS identifier corresponding to the session in a mapping table of Internet Protocol session source IP to OS identifier; and if the OS identifier corresponding to the source IP of the session is found in the mapping table, writing that OS identifier into the session. This addresses the difficulty, in the prior art, of accurately identifying the OS behind the traffic generated by each App using DPI and DFI techniques, avoids the low accuracy of such identification, and improves the granularity and accuracy of application identification.

Description

Method and apparatus for application protocol detection
Technical field
The present invention relates to the field of information security technology, and in particular to a method and apparatus for application protocol detection.
Background technique
With the rapid development of mobile Internet and smart terminal technology, the share of current bandwidth taken by Android and iOS (iPhone Operating System, Apple's mobile operating system) traffic keeps growing. More and more Apps (applications) are released for, and supported on, several operating systems (OS) such as Windows, Android and iOS at the same time, so identifying the operating system behind the traffic generated by each App is laborious, time-consuming and not very accurate.
In the prior art, on the one hand, DPI (Deep Packet Inspection) performs feature matching, port matching, length matching and the like on application-layer packets in order to identify Apps under different OSs, but DPI struggles to recognise traffic that uses obfuscation. For example, when DPI is applied to HTTP (Hyper Text Transfer Protocol) sessions that use UA (User Agent) forgery, a large number of OS misreports result, because UA forgery makes an iOS application label (such as an "iPhone" or "iPad" field) appear in the UA field of HTTP request messages that actually belong to Android traffic (the same occurs in the HTTP traffic of other OSs). As another example, when DPI is applied to sessions using the SSL (Secure Sockets Layer) protocol, the domain names, protocol fields and session identifiers exchanged during the SSL session are all generic, so it is difficult to identify which OS version generated the SSL traffic of the same App running on different OSs. On the other hand, when DFI (Dynamic Flow Inspection) is used to analyse the flow characteristics of a session, the different OS versions of the same App usually share the same servers and the same transmission pattern, for example the clients on different OSs all use the same encrypted communication over UDP (User Datagram Protocol), so the OS version attributed to the traffic of each App may be wrong.
Therefore, in the prior art, OS detection of sessions with DPI and DFI often misreports the OS version behind the traffic generated by each App, so that accurate identification of each App in a multi-OS network environment suffers from low accuracy.
Summary of the invention
The present invention provides an application protocol detection method and apparatus to address the difficulty, in the prior art, of accurately identifying the OS behind the traffic generated by each App using DPI and DFI techniques, to avoid the low accuracy of such identification, and to improve the granularity and accuracy of application identification.
In a first aspect, an application protocol detection method is provided, comprising:
obtaining the session to which a detection packet belongs;
if the session does not contain an operating system (OS) identifier, looking up the OS identifier corresponding to the session in a mapping table of Internet Protocol session source IP to OS identifier;
if the OS identifier corresponding to the source IP of the session is found in the mapping table, writing that OS identifier into the session.
With reference to the first aspect, in a first possible implementation of the first aspect, after the OS identifier corresponding to the source IP of the session is found in the mapping table and before it is written into the session, the method further comprises:
determining that the time difference between the OS update time in the mapping-table entry for that source IP and the current time is less than a set duration.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, after the OS identifier corresponding to the source IP is written into the session, the method further comprises:
updating the OS update time in the mapping-table entry for the source IP of the session according to the time at which the OS identifier was written into the session.
With reference to the first aspect or its first possible implementation, in a third possible implementation of the first aspect, after the OS identifier corresponding to the source IP of the session is found in the mapping table, the method further comprises:
if the time difference between the OS update time in the mapping-table entry for that source IP and the current time exceeds the set duration, determining that the found OS identifier is invalid.
With reference to the first aspect or any of its first to third possible implementations, in a fourth possible implementation of the first aspect, the detection packet is a TCP (Transmission Control Protocol) packet;
the method further comprises:
if no OS identifier corresponding to the source IP of the session is found in the source IP to OS identifier mapping table, or the found OS identifier is determined to be invalid, judging whether the TCP packet is a synchronize-sequence-number (SYN) packet;
if the TCP packet is a SYN packet and the OS rule set contains an OS rule matching the SYN packet, writing the OS identifier of the matching OS rule into the session, and inserting into the mapping table an entry binding the source IP of the session, the OS identifier of the matching OS rule and the time at which that OS identifier was written into the session.
With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation of the first aspect, whether the OS rule set contains an OS rule satisfied by the SYN packet is looked up as follows:
searching the OS rule set, using the values carried in the SYN packet for each field of the OS rule dictionary format, for an OS rule that is satisfied;
if the value in the SYN packet of each field of the OS rule dictionary format matches the value of the corresponding field in an OS rule of the OS rule set, the OS identifier of the session of the SYN packet is the OS identifier of that OS rule, and it is determined that the OS rule set contains an OS rule matching the session of the SYN packet.
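The lookup order of the first to fifth implementations (session tag, then the source IP to OS mapping table with its set duration, then OS rule matching on a SYN), as an added example that is not the patent's own code. The field names, the rule values, the 300 second set duration and the packet dictionary shape are assumptions made for the example; the clock is injectable so the expiry path can be exercised deterministically.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# The patent's "set duration" after which a mapping-table entry is treated as
# invalid. The value is an assumption for the example.
SET_DURATION = 300.0  # seconds

# Constructed OS rule set. Each rule is (required SYN field values, OS id); the
# shared key names form the "OS rule dictionary format". Field names and values
# are assumptions, not rules taken from the patent.
OS_RULES: List[Tuple[Dict[str, object], str]] = [
    ({"ttl": 64, "window": 65535, "mss": 1460}, "iOS"),
    ({"ttl": 64, "window": 65535, "mss": 1440}, "Android"),
    ({"ttl": 128, "window": 8192, "mss": 1460}, "Windows"),
]


@dataclass
class Session:
    src_ip: str
    os_id: Optional[str] = None


@dataclass
class MappingEntry:
    """One row of the source IP -> OS identifier mapping table."""
    os_id: str
    os_update_time: float


def match_os_rule(syn_fields: Dict[str, object], rules=OS_RULES) -> Optional[str]:
    """Return the OS id of the first rule whose every field equals the SYN's value."""
    for required, os_id in rules:
        if all(syn_fields.get(k) == v for k, v in required.items()):
            return os_id
    return None


class OSDetector:
    def __init__(self, rules=OS_RULES, set_duration: float = SET_DURATION,
                 clock: Callable[[], float] = time.time):
        self.rules = rules
        self.set_duration = set_duration
        self.clock = clock                       # injectable for testing
        self.mapping: Dict[str, MappingEntry] = {}

    def detect(self, session: Session, packet: Dict[str, object]) -> Optional[str]:
        """Tag `session` with an OS id, following the patent's lookup order.

        `packet` is a constructed dict: {"proto": "tcp", "syn": bool,
        "fields": {...SYN header fields...}}.
        """
        if session.os_id is not None:            # session already tagged
            return session.os_id
        now = self.clock()
        entry = self.mapping.get(session.src_ip)
        if entry is not None and now - entry.os_update_time < self.set_duration:
            # Valid entry: write the OS id into the session and refresh the OS
            # update time so the entry stays valid for another set duration.
            session.os_id = entry.os_id
            entry.os_update_time = now
            return session.os_id
        # Miss or expired entry: only a TCP SYN can be matched against OS rules.
        if packet.get("proto") != "tcp" or not packet.get("syn"):
            return None
        os_id = match_os_rule(packet.get("fields", {}), self.rules)
        if os_id is None:
            return None
        session.os_id = os_id
        # Bind (source IP, OS id, write time) and insert it into the mapping table,
        # replacing an expired entry if there was one.
        self.mapping[session.src_ip] = MappingEntry(os_id, now)
        return os_id
```

A non-SYN packet from an unknown or expired source IP yields no OS id, which is the case the patent leaves for the next SYN from that host; the refresh on every hit means a host that keeps talking never expires, so an OS change on a reused address is only noticed once the host falls silent for the set duration.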
With reference to the first aspect or any of its first to fourth possible implementations, in a sixth possible implementation of the first aspect, before it is established the OS rule set is an empty set containing no OS rules;
before the OS rule set is established, the method further comprises: initialising the OS rule dictionary format;
the OS rule set is established as follows:
judging whether the OS rule set contains an OS rule matching a target SYN packet from the training set;
if the value in the target SYN packet of each field of the OS rule dictionary format matches, field by field, the value of the corresponding field of an OS rule in the OS rule set, and the OS identifier of that field-matching OS rule is identical to the OS identifier of the target SYN packet, determining that the OS rule set contains an OS rule matching the target SYN packet, otherwise considering that there is no match; if the OS rule set contains an OS rule matching the target SYN packet, ignoring the target SYN packet and taking the next SYN packet as the target SYN packet;
if the OS rule set contains no OS rule matching the target SYN packet, and no OS rule in the OS rule set satisfies the field-by-field value match, writing the values in the target SYN packet of the fields corresponding to all fields of the OS rule dictionary format into the fields of the OS rule dictionary format, binding the OS information of the target SYN packet with the OS rule dictionary format and its field values to form a new OS rule, and adding it to the OS rule set;
if the OS rule set contains no OS rule matching the target SYN packet, but an OS rule in the OS rule set satisfies the field-by-field value match while its OS identifier differs, considering that this OS rule would cause misreports, deleting it from the OS rule set, updating the OS rule dictionary format, and creating a new OS rule from the updated OS rule dictionary format and the target SYN packet and adding it to the OS rule set.
With reference to the sixth possible implementation of the first aspect, in a seventh possible implementation of the first aspect, initialising the OS rule dictionary format comprises:
taking the two highest-weighted fields of the Key value set as the fields of the OS rule dictionary format corresponding to the OS rules, and deleting those two fields from the Key value set.
With reference to the seventh possible implementation of the first aspect, in an eighth possible implementation of the first aspect, the method further comprises:
if the values in the training-set target SYN packet of the fields corresponding to all fields of the OS rule dictionary format are identical to the values of those fields in an OS rule of the OS rule set, but the OS information of the target SYN packet differs from the OS information of that OS rule, taking the highest-weighted remaining field of the Key value set as a new field of the OS rule dictionary format so as to expand the format, deleting that field from the Key value set, and deleting from the OS rule set the OS rule that the target SYN packet satisfies.
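The rule-set construction of the sixth to eighth implementations (empty rule set, dictionary format seeded with the two highest-weighted fields of the Key value set, a new rule for every unseen field combination, and expansion of the format by one field whenever two OSs collide on the current fields), as an added example that is not the patent's own code. The Key value set, its weights and the labelled SYN samples are constructed; the patent does not say what happens to the other rules when the format grows, and this example keeps the full sample fields with each rule so existing rules are re-keyed on the wider format automatically. Where the patent expands once per conflict, the loop here keeps expanding until the conflict disappears.

```python
from typing import Dict, Iterable, List, Optional, Tuple

Fields = Dict[str, object]

# Constructed "Key value set": candidate SYN fields ranked by weight.
# Names and weights are assumptions for the example, not values from the patent.
KEY_WEIGHTS: Dict[str, float] = {"ttl": 0.9, "window": 0.8, "mss": 0.7, "wscale": 0.6, "opts": 0.5}

# Constructed labelled training set: (SYN field values, OS information).
TRAINING_SET: List[Tuple[Fields, str]] = [
    ({"ttl": 64, "window": 65535, "mss": 1460, "wscale": 6, "opts": "M,N,W,N,N,T,S,E,E"}, "iOS"),
    ({"ttl": 128, "window": 8192, "mss": 1460, "wscale": 8, "opts": "M,N,W,N,N,S"}, "Windows"),
    ({"ttl": 64, "window": 65535, "mss": 1440, "wscale": 7, "opts": "M,S,T,N,W"}, "Android"),
    ({"ttl": 64, "window": 65535, "mss": 1460, "wscale": 6, "opts": "M,N,W,N,N,T,S,E,E"}, "iOS"),
]


class OSRuleSet:
    """OS rule set learned from SYN samples, with a growing rule dictionary format."""

    def __init__(self, key_weights: Dict[str, float]):
        # Key value set ordered by weight, highest first
        self.key_set: List[str] = sorted(key_weights, key=key_weights.__getitem__, reverse=True)
        self.dict_format: List[str] = []            # fields every rule is keyed on
        self.rules: List[Tuple[Fields, str]] = []   # (SYN fields of the creating sample, OS id)
        self._extend_format(2)                      # initialisation: two top-weight fields

    def _extend_format(self, n: int) -> None:
        for _ in range(n):
            if not self.key_set:
                raise ValueError("Key value set exhausted: samples cannot be separated")
            self.dict_format.append(self.key_set.pop(0))   # move the field out of the Key set

    def _project(self, fields: Fields) -> Tuple:
        # Values of the current dictionary-format fields, in format order
        return tuple(fields.get(k) for k in self.dict_format)

    def _find_value_match(self, fields: Fields) -> Optional[Tuple[Fields, str]]:
        target = self._project(fields)
        for rule in self.rules:
            if self._project(rule[0]) == target:
                return rule
        return None

    def _train_one(self, fields: Fields, os_id: str) -> None:
        rule = self._find_value_match(fields)
        while rule is not None and rule[1] != os_id:
            # Same field values, different OS: the rule would misreport. Drop it,
            # widen the format with the next highest-weighted field, and re-check.
            self.rules.remove(rule)
            self._extend_format(1)
            rule = self._find_value_match(fields)
        if rule is None:
            self.rules.append((dict(fields), os_id))   # new rule bound to the OS information
        # else: the sample is already covered by a rule with the same OS; ignore it

    def train(self, samples: Iterable[Tuple[Fields, str]]) -> "OSRuleSet":
        for fields, os_id in samples:
            self._train_one(fields, os_id)
        return self

    def classify(self, fields: Fields) -> Optional[str]:
        """Detection-time use: OS id of the rule whose format fields all match."""
        rule = self._find_value_match(fields)
        return rule[1] if rule else None

    def export(self) -> List[Tuple[Fields, str]]:
        """Rules as (dictionary-format field values, OS id), the form used at detection time."""
        return [({k: r[0].get(k) for k in self.dict_format}, r[1]) for r in self.rules]


if __name__ == "__main__":
    rs = OSRuleSet(KEY_WEIGHTS).train(TRAINING_SET)
    print(rs.dict_format, rs.export())
```

With the constructed samples the iOS and Android SYNs collide on (ttl, window), so the first iOS rule is deleted, the format grows to (ttl, window, mss), and the iOS rule is re-learned when its sample recurs later in the training set; a sample that collides only once would stay unlearned until a second pass, which is why the patent iterates over the training set until the rule set converges.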
In a second aspect, an apparatus for application protocol detection is provided, the apparatus comprising:
an obtaining module, configured to obtain the session to which a detection packet belongs;
a searching module, configured to, if the session does not contain an operating system (OS) identifier, look up the OS identifier corresponding to the session in a mapping table of Internet Protocol session source IP to OS identifier;
a writing module, configured to, if the OS identifier corresponding to the source IP of the session is found in the mapping table, write that OS identifier into the session.
With reference to the second aspect, in a first possible implementation of the second aspect, the writing module is further configured to:
determine that the time difference between the OS update time in the mapping-table entry for the source IP of the session and the current time is less than a set duration.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the writing module is further configured to:
update the OS update time in the mapping-table entry for the source IP of the session according to the time at which the OS identifier was written into the session.
With reference to the second aspect or its first possible implementation, in a third possible implementation of the second aspect, the writing module is further configured to:
if the time difference between the OS update time in the mapping-table entry for the source IP of the session and the current time exceeds the set duration, determine that the found OS identifier is invalid.
With reference to the second aspect or any of its first to third possible implementations, in a fourth possible implementation of the second aspect, the detection packet is a TCP (Transmission Control Protocol) packet, and the apparatus further comprises:
a judging module, configured to, if no OS identifier corresponding to the source IP of the session is found in the source IP to OS identifier mapping table, or the found OS identifier is determined to be invalid, judge whether the TCP packet is a synchronize-sequence-number (SYN) packet;
a binding module, configured to, if the TCP packet is a SYN packet and the OS rule set contains an OS rule matching the SYN packet, write the OS identifier of the matching OS rule into the session, and insert into the mapping table an entry binding the source IP of the session, the OS identifier of the matching OS rule and the time at which that OS identifier was written into the session.
With reference to the fourth possible implementation of the second aspect, in a fifth possible implementation of the second aspect, the binding module is specifically configured to:
search the OS rule set, using the values carried in the SYN packet for each field of the OS rule dictionary format, for an OS rule that is satisfied;
if the value in the SYN packet of each field of the OS rule dictionary format matches the value of the corresponding field in an OS rule of the OS rule set, take the OS identifier of that OS rule as the OS identifier of the session of the SYN packet, and determine that the OS rule set contains an OS rule matching the session of the SYN packet.
With reference to the second aspect or any of its first to fourth possible implementations, in a sixth possible implementation of the second aspect, before it is established the OS rule set is an empty set containing no OS rules;
the binding module is specifically configured to:
initialise the OS rule dictionary format;
judge whether the OS rule set contains an OS rule matching a target SYN packet from the training set;
if the value in the target SYN packet of each field of the OS rule dictionary format matches, field by field, the value of the corresponding field of an OS rule in the OS rule set, and the OS identifier of that field-matching OS rule is identical to the OS identifier of the target SYN packet, determine that the OS rule set contains an OS rule matching the target SYN packet, otherwise consider that there is no match; if the OS rule set contains an OS rule matching the target SYN packet, ignore the target SYN packet and take the next SYN packet as the target SYN packet;
if the OS rule set contains no OS rule matching the target SYN packet, and no OS rule in the OS rule set satisfies the field-by-field value match, write the values in the target SYN packet of the fields corresponding to all fields of the OS rule dictionary format into the fields of the OS rule dictionary format, bind the OS information of the target SYN packet with the OS rule dictionary format and its field values to form a new OS rule, and add it to the OS rule set;
if the OS rule set contains no OS rule matching the target SYN packet, but an OS rule in the OS rule set satisfies the field-by-field value match while its OS identifier differs, consider that this OS rule would cause misreports, delete it from the OS rule set, update the OS rule dictionary format, and create a new OS rule from the updated OS rule dictionary format and the target SYN packet and add it to the OS rule set.
With reference to the sixth possible implementation of the second aspect, in a seventh possible implementation of the second aspect, the binding module is specifically configured to:
take the two highest-weighted fields of the Key value set as the fields of the OS rule dictionary format corresponding to the OS rules, and delete those two fields from the Key value set.
With reference to the seventh possible implementation of the second aspect, in an eighth possible implementation of the second aspect, the binding module is specifically configured to:
if the values in the training-set target SYN packet of the fields corresponding to all fields of the OS rule dictionary format are identical to the values of those fields in an OS rule of the OS rule set, but the OS information of the target SYN packet differs from the OS information of that OS rule, take the highest-weighted remaining field of the Key value set as a new field of the OS rule dictionary format so as to expand the format, delete that field from the Key value set, and delete from the OS rule set the OS rule that the target SYN packet satisfies.
In the above embodiments of the present invention, the session to which a detection packet belongs is obtained; if the session does not contain an operating system (OS) identifier, the OS identifier corresponding to the source IP of the session is looked up in the mapping table of Internet Protocol session source IP to OS identifier; if the OS identifier corresponding to the source IP is found in the mapping table, it is written into the session, and if the lookup fails, OS identification is performed on the detection packet again. Because the OS identifier corresponding to a detection packet can be looked up in the source IP to OS identifier mapping table and written into the session, the OS identifier of the session is obtained accurately without the laborious per-packet detection process, which significantly improves the performance of identifying the OS behind a detection packet.
Detailed description of the invention
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the OS rule initialisation phase according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a method for obtaining OS rules according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a first application protocol detection method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a second application protocol detection method according to an embodiment of the present invention;
Fig. 5 is a structural diagram of an apparatus for application protocol detection according to an embodiment of the present invention.
Specific embodiment
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In the above embodiments of the present invention, after the OS identifier corresponding to the source IP of the detection packet is found in the mapping table, if the duration between the OS update time bound to that OS identifier and the current time is less than the set duration, the OS identifier is written into the session of the detection packet. Within the set duration the OS identifier found for the source IP is therefore regarded as valid; that is, the OS used by the source of the detection packet is assumed to be stable within the set duration.
In the above embodiments of the present invention, the OS update time bound to the OS identifier of the source IP of the detection packet is updated according to the time at which the OS identifier was written into the session, so that the mapping-table entry is valid for the set duration counted from the OS update time. This extends the effective time of the entry and reduces the time spent detecting packets.
In the above embodiments of the present invention, when the duration between the OS update time bound to the OS identifier of the source IP of the detection packet and the current time exceeds the set duration, the found OS identifier is determined to be invalid, and OS rule detection is performed on the detection packet so as to update, in the mapping table, the OS identifier corresponding to the source IP of the detection packet and the OS update time bound to it.
In the above embodiments of the present invention, when the detection packet is a TCP packet and either no OS identifier corresponding to its source IP is found in the source IP to OS identifier mapping table or the found OS identifier is determined to be invalid, it is judged whether the TCP packet is a SYN packet. If so, and the OS rule set contains an OS rule that the detection packet satisfies, the OS identifier of that OS rule is written into the session of the detection packet, so that the OS behind the packet is accurately identified from the written OS identifier; and the source IP of the detection packet, the OS identifier of the satisfied OS rule and the time at which that OS identifier was written are bound together and added to the mapping table, so that when the next detection packet is examined the OS identifier corresponding to its source IP can be found quickly by querying the mapping table, and the OS behind that packet is accurately identified.
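The patent matches OS rules against "field values of the SYN packet" but never names the fields. This added example (not the patent's own code) assumes the fields passive OS fingerprinting tools usually draw on, namely IP TTL, TCP window size, MSS, window scale and the order of TCP options, and shows how to pull them out of a raw IPv4 + TCP SYN so they can populate the Key value set and be compared against rules. The parser refuses anything that is not a SYN (ACK clear) or that is truncated or carries a malformed option length, so rules are never matched against a half-parsed packet; the sample packet is constructed with the helper below and carries no checksums.

```python
import struct
from typing import Dict, Optional

# TCP option kinds -> one-letter codes for the option-order string (assumed encoding)
_OPT_CODE = {2: "M", 3: "W", 4: "S", 8: "T"}


def parse_syn_fields(pkt: bytes) -> Optional[Dict[str, object]]:
    """Extract candidate fingerprint fields from a raw IPv4 + TCP SYN (no link layer).

    Returns None for anything that is not an IPv4 TCP packet with SYN set and ACK
    clear, or that is truncated or has malformed options.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    if proto != 6 or ihl < 20 or len(pkt) < ihl + 20:
        return None
    tcp = pkt[ihl:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    if not (flags & 0x02) or (flags & 0x10) or data_off < 20 or len(tcp) < data_off:
        return None
    fields: Dict[str, object] = {
        "src_ip": ".".join(str(b) for b in pkt[12:16]),
        "ttl": ttl, "window": window, "mss": None, "wscale": None,
    }
    order = []
    opts = tcp[20:data_off]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # end of option list
            order.append("E")
            break
        if kind == 1:                 # NOP, single byte
            order.append("N")
            i += 1
            continue
        if i + 1 >= len(opts):
            return None               # kind byte without a length byte
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None               # malformed option length
        data = opts[i + 2:i + length]
        if kind == 2 and len(data) == 2:
            fields["mss"] = struct.unpack("!H", data)[0]
        elif kind == 3 and len(data) == 1:
            fields["wscale"] = data[0]
        order.append(_OPT_CODE.get(kind, str(kind)))
        i += length
    fields["opts"] = ",".join(order)
    return fields


def build_syn(src_ip: str, ttl: int, window: int, options: bytes, flags: int = 0x02) -> bytes:
    """Construct a minimal IPv4 + TCP packet for testing (checksums left zero)."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    tcp_len = 20 + len(options)
    off_flags = ((tcp_len // 4) << 12) | flags
    tcp = struct.pack("!HHIIHHHH", 51234, 443, 1, 0, off_flags, window, 0, 0) + options
    src = bytes(int(x) for x in src_ip.split("."))
    dst = bytes([192, 0, 2, 10])          # TEST-NET-1 address, constructed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, ttl, 6, 0, src, dst)
    return ip + tcp


# Constructed sample options: MSS 1460, NOP, WS 6, NOP, NOP, timestamps, SACK-permitted, EOL padding
SAMPLE_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 6, 1, 1,
                     8, 10, 0, 0, 0, 1, 0, 0, 0, 0, 4, 2, 0, 0])
SAMPLE_SYN = build_syn("10.0.0.1", 64, 65535, SAMPLE_OPTS)

if __name__ == "__main__":
    print(parse_syn_fields(SAMPLE_SYN))
```

The returned dictionary is the per-packet "field value" vector the rule lookup and the training procedure consume; a SYN-ACK from a server is rejected on purpose, since the patent keys the mapping table on the source IP of the client whose OS is being identified.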
In the above embodiments of the present invention, the OS rule set is searched, according to the values in the detection packet of the fields of the OS rule dictionary format, for an OS rule that the detection packet satisfies; an OS rule is satisfied when the values of its OS rule dictionary format fields equal the values of the corresponding fields in the detection packet and its OS identifier equals the OS identifier of the detection packet. An OS rule determined in this way is therefore effective, and OS rule detection of the next detection packet can be carried out according to that OS rule.
In the above embodiments of the present invention, if the OS rule set contains an OS rule that the training-set target SYN packet satisfies, the next SYN packet is taken as the target SYN packet and the step of judging whether the OS rule set contains an OS rule satisfied by the target SYN packet is repeated. Iterating OS rule detection over every SYN packet of the training set in this way makes the OS rule set converge with a limited choice of fields and correctly identify the OS information of all SYN packets in the training set. If the OS rule set contains no OS rule that the target SYN packet satisfies, the values in the target SYN packet of the fields corresponding to the fields of the OS rule dictionary format are written into the fields of the format and bound with the OS information of the packet, and the result is added to the OS rule set as a new OS rule. Because the rule that the training-set target SYN packet satisfies is created and added to the OS rule set whenever it is missing, the OS rule set is updated and completed, so that when OS rule detection is performed on the next target SYN packet of the training set its OS information can be accurately identified.
In the above embodiment of the present invention, if due to the OS rule dictionary format met in OS rule with the detection messages Field value be not present or the detection messages in advised with the value of the field corresponding field of OS rule dictionary format and the OS The value of field of the OS rule dictionary format met in then from detection messages is different, then by weight in key Key value set near preceding Two fields as the OS rule dictionary format in OS rule, and delete in the Key value set weight near preceding Two fields, so that by the OS rule dictionary format and the corresponding value of field of the OS rule not met in OS rule in detection messages It is updated and saves, to carry out OS rule detection to next SYN message in training set;If in the detection messages with The OS rule dictionary format met in the value of the field corresponding field of OS rule dictionary format and OS rule with detection messages Field value it is identical, then weight in the Key value set is advised near a preceding field as the OS in OS rule Then the newer field of dictionary format is added to the OS rule dictionary format in the OS rule, so that regular with OS in detection messages The field of the OS rule dictionary format met in the value of the field corresponding field of dictionary format and OS rule with detection messages Value it is identical when, OS is carried out to the OS information in the detection messages using newer field and is accurately identified, and deletes the Key value Weight is near a preceding field in set;According to the newer field of the OS rule dictionary format in OS rule, described in update OS rule dictionary format in OS rule;So as to update in Key value set, weight is near preceding field, so that next detection is reported The OS rule word met in the value of the field corresponding field of Wen Zhongyu OS rule dictionary format and OS rule with detection messages When the value of the field of 
allusion quotation format is identical, to next detection messages add again updated Key value combine in weight near preceding Field is identified the OS in detection messages.
To make the technical problem solved by the invention, its technical solution and its beneficial effects clearer, the invention is described in more detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here only explain the invention and are not intended to limit it.
In the application protocol detection method of the above embodiment, the precondition for detecting the application protocol of a detection message is a complete set of OS rules. The embodiments of the invention therefore describe, respectively, how a complete OS rule set is established and how detection messages are processed.
One, establishing a complete set of OS rules
In the embodiment of the invention, before the complete OS rule set is established, the OS rules must be initialized to obtain the OS rule dictionary format of the initial OS rules and the values of the fields corresponding to that format. Figure 1 is a schematic diagram of the OS rule initialization phase provided by an embodiment of the invention.
S101, obtain the Key value set. The Key value set is built from the fields contained in the IP header and TCP header of a SYN packet that can identify the OS mark of a detection message. Each field is assigned a weight according to how accurately it identifies the OS mark of a detection message, and the fields sorted in descending order of weight form the Key value set;
S102, delete the first two fields of the Key value set, that is, the two fields with the highest weights in the Key value set;
S103, construct the OS rule dictionary format from the two highest-weight fields deleted from the Key value set; the fields of the OS dictionary format are those two deleted fields;
S104, obtain the training set, which is used to determine the Key values and to complete the OS rules;
S105, determine a message for each kind of OS from the training set; these messages are the initialization messages of the OS rules;
S106, initialize the OS rules: for the message of each kind of OS determined in the training set, write the values of the fields that correspond to the OS rule dictionary format into the fields of the dictionary format, and add the initialized OS rule of each OS to the OS rule set, which is then refined by OS rule detection over the training set.
It should be noted that, in step S101, the fields of the Key value set that can identify the OS mark of a detection message may be the TTL field, the WSize field, the WSCALE field and so on; they are not limited to the fields of the above embodiment, and any other field that can identify a detection message is applicable to the embodiments of the invention.
For example, the initialized OS rules are shown in Table 1.
According to the embodiment of the invention, the initialized values of the TTL field and the WSize field differ for different operating systems. The OS information consists of the source IP of the detection message and the corresponding OS mark.
In step S103, at this stage the OS rule dictionary format contains only the two highest-weight fields deleted from the Key value set.
In step S104, the training set obtained consists of Windows, Android and iOS traffic. Every flow in the training set contains a complete TCP session whose OS information has already been determined; the training set is used to determine the Key values and to complete the OS rules.
In step S106, for the Windows, Android and iOS traffic of the training set, the values of the fields corresponding to the OS rule dictionary format are written, according to that format, into the dictionary-format fields of an OS rule, establishing three initialization OS rules for the operating systems Windows, Android and iOS. These are added to the OS rule set so that OS rule detection can be run once over all messages of the training set.
After the OS rules are initialized, OS rule detection is run once over every SYN message of the training set to obtain the complete OS rule set. OS detection on the SYN messages of the training set is described below; Figure 2 is a schematic diagram of a method of obtaining OS rules provided by an embodiment of the invention.
S201, obtain the training set; it is the same training set as in step S101;
S202, judge whether the target SYN messages of the training set have been traversed twice; if so, the process ends, otherwise execute S203;
S203, obtain a target SYN message from the training set, and execute S204 and S205 on the target message;
S204, obtain the OS information in the target SYN message;
S205, perform OS rule detection on the target SYN message according to the initialized OS rules;
S206, judge whether the OS rule set contains a rule met by the target SYN message; if so, return to S202, otherwise execute S207;
S207, according to the OS information of the target SYN message obtained in S204, judge whether the values of the fields of the target message corresponding to the fields of the OS rule dictionary format are identical to those of the OS rule; if so, return to S202, otherwise execute S208;
S208, update the OS rule dictionary format;
S209, delete the existing OS rule that produced the erroneous detection, add the new OS rule to the OS rule set, and return to S202.
In step S202 of the above embodiment, the training set is traversed twice in order to iterate the OS rules continuously, so that the OS rule dictionary format of the final OS rules and the values of its fields converge with a limited number of chosen fields and the OS information in every SYN message of the training set is identified accurately. If the training set is sufficiently large, so that stable OS rules which accurately detect the OS information of the target SYN messages are obtained from it, a single traversal of the training set may also suffice and the resulting OS rules may be considered effective. Actual operation has also shown that the OS rules obtained from a sufficiently large training set identify the OS of all SYN messages with very high accuracy, which improves the accuracy of identifying the OS to which a detection message belongs.
In step S206, determining that the OS rule set contains a rule met by the target SYN message includes the following steps:
searching the OS rule set, according to the OS rule dictionary format in the detection message, for the OS rule met by the detection message, and determining the values of the dictionary-format fields of that OS rule;
if the values of the fields in the detection message corresponding to the OS rule dictionary format are identical to the values of the dictionary-format fields of the OS rule met by the detection message, and the OS mark in the detection message is identical to the OS mark in that OS rule, determining that the OS rule set contains a rule met by the detection message.
In the above embodiment of the invention, after it is determined that the OS rule set contains a rule met by the target SYN message and before returning to step S202, the method further includes: writing the OS mark of the met OS rule into the detection message, and binding the source IP of the detection message, the OS mark of the met OS rule and the time at which it was written into the detection message, and adding them to the correspondence relationship.
In step S208, the OS rule dictionary format is updated according to the following cases:
if the value of a dictionary-format field of the OS rule met by the detection message is absent, or the value of the corresponding field in the detection message differs from the value of that field in the OS rule, the two highest-weight fields of the key (Key) value set become the OS rule dictionary format of the OS rule set and are deleted from the Key value set; or
if the value of the field in the detection message corresponding to the OS rule dictionary format is identical to the value of the dictionary-format field of the OS rule met by the detection message, the highest-weight field of the Key value set is appended to the OS rule dictionary format as its newly added field and deleted from the Key value set; the OS rule dictionary format of the OS rule set is then updated according to the newly added field.
In step S209, when it is determined that no OS rule is met by the target SYN message, the values of the fields of the target SYN message corresponding to the fields of the OS rule dictionary format are written into the dictionary-format fields, the OS information of the target message is bound to the OS rule dictionary format and its field values, and the result is added to the OS rule set.
In the embodiments of the invention, the final OS rules are obtained by traversing the training set in turn, so that the OS rule dictionary format and the values of its fields converge with a limited number of chosen fields and the OS information of every SYN message of the training set is identified accurately, improving the accuracy of identifying the OS to which a detection message belongs.
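The initialization of Figure 1 and the training iteration of Figure 2 (steps S101 to S209) carried through on constructed data, as an added example that is not part of the patent. The field names, weights and SYN records are constructed, and the reading that S206 is met only when rule detection yields exactly the target's own OS (a value collision with another OS counts as "identical values" for S207) is an assumption.

```python
# Added example (not the patent's own code): bootstrapping the OS rule set of
# Figures 1 and 2.  Field names, weights and the SYN records are constructed.

# S101, Key value set: candidate IP/TCP header fields of a SYN, ordered by
# descending weight (how reliably the field separates operating systems).
KEY_VALUE_SET = [("ttl", 0.9), ("wsize", 0.8), ("wscale", 0.6), ("mss", 0.4)]

# S104, constructed training set: each record is one SYN with its known OS.
TRAINING_SET = [
    {"os": "windows", "ttl": 128, "wsize": 8192,  "wscale": 8, "mss": 1460},
    {"os": "android", "ttl": 64,  "wsize": 65535, "wscale": 6, "mss": 1460},
    {"os": "ios",     "ttl": 64,  "wsize": 65535, "wscale": 5, "mss": 1460},
    {"os": "windows", "ttl": 128, "wsize": 8192,  "wscale": 8, "mss": 1380},
]


class OsRuleSet:
    def __init__(self, key_value_set):
        self.key_set = [name for name, _ in key_value_set]   # descending weight
        self.fmt = []     # OS rule dictionary format: the fields currently compared
        self.rules = []   # OS rules: representative SYN records (OS info + values)

    def _take(self, n):
        """Remove and return the n highest-weight fields left in the Key value set."""
        if len(self.key_set) < n:
            raise ValueError("Key value set exhausted: rule cannot be refined")
        taken, self.key_set = self.key_set[:n], self.key_set[n:]
        return taken

    def values(self, syn):
        """Values of the SYN's fields named by the dictionary format (None if absent)."""
        return tuple(syn.get(f) for f in self.fmt)

    def detect(self, syn):
        """S205, OS rule detection: OS marks of all rules whose field values match."""
        v = self.values(syn)
        return {r["os"] for r in self.rules if self.values(r) == v}

    def identify(self, syn):
        """Unambiguous result of rule detection, or None."""
        found = self.detect(syn)
        return found.pop() if len(found) == 1 else None

    def initialize(self, training):
        """S102-S106: the two top fields form the format; one rule per OS."""
        self.fmt = self._take(2)
        first = {}
        for syn in training:
            first.setdefault(syn["os"], syn)      # S105: first message of each OS
        self.rules = list(first.values())

    def train(self, training, passes=2):
        """S201-S209: traverse the training set (twice, S202) refining the format."""
        for _ in range(passes):
            for syn in training:
                found = self.detect(syn)
                if found == {syn["os"]}:
                    continue                      # S206: a rule is met, next SYN
                if found:
                    # S207/S186: same values but another OS mark also matches,
                    # so append the next Key field to tell the two apart.
                    self.fmt += self._take(1)
                elif any(r["os"] == syn["os"] for r in self.rules):
                    # S185: this OS already has a rule but with other values, so
                    # the current fields are unstable: restart from the next two
                    # fields and drop the rule that misdetects (S209).
                    self.fmt = self._take(2)
                    self.rules = [r for r in self.rules if r["os"] != syn["os"]]
                # S209: bind OS info and field values into a new rule (no duplicates).
                if not any(r["os"] == syn["os"] and self.values(r) == self.values(syn)
                           for r in self.rules):
                    self.rules.append(syn)
        return self


def build_rules():
    """Initialize on the constructed training set and run the two traversals."""
    rs = OsRuleSet(KEY_VALUE_SET)
    rs.initialize(TRAINING_SET)
    return rs.train(TRAINING_SET)
```

With the constructed data the Android and iOS records collide on (ttl, wsize) after initialization, the first traversal appends wscale to the dictionary format, and the second traversal confirms every record is identified unambiguously.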
The above embodiment of the invention yields a complete OS rule set. With the complete OS rule set as precondition, application protocol detection is performed on the detection messages to be detected; the process of application protocol detection on detection messages is described below.
Two, performing application protocol detection on detection messages
Based on the complete OS rule set obtained above, Figure 3 is a schematic diagram of a first application protocol detection method provided by an embodiment of the invention.
S301, obtain a detection message;
S302, if the detection message does not contain an operating system (OS) mark, search the correspondence relationship between source Internet Protocol (IP) addresses and OS marks for the OS mark corresponding to the source IP of the detection message;
S303, if the OS mark corresponding to the source IP of the detection message is found in the correspondence relationship, write the found OS mark into the detection message.
It should be noted that the correspondence relationship in the embodiment of the invention may be an OS Hash table, but it is not limited to the OS Hash table form of the above embodiment; any other form that reflects the correspondence relationship is applicable to the embodiments of the invention.
The OS Hash table stores, for each detection message, the source IP, the OS mark and the OS update time, for example as src_ip, os_id and os_upt_time. src_ip holds the hash of the client-side source IP of each session, for TCP messages and UDP messages alike; os_id is the OS platform determined after the most recent session containing that src_ip was detected successfully (by OS rule detection or by OS Hash table lookup); os_upt_time is the time at which the OS mark os_id was written for the most recent session containing that src_ip.
Optionally, in step S303, after the OS mark corresponding to the source IP of the detection message is found in the correspondence relationship, if the duration between the OS update time bound to that OS mark and the current time is less than the set duration, the found OS mark is written into the detection message, and the OS update time bound to the OS mark of that source IP is updated according to the time at which the OS mark was written into the detection message.
In the above embodiment of the invention, the operating system used by a source IP inside the local area network can be assumed to be stable over a period of time, that is, a user does not switch operating systems frequently on one source IP. The information stored for each message in the OS Hash table can therefore be regarded as valid within the set duration; for example, the set duration may be current_time-os_upt_time < 40s.
Optionally, in step S303, after the OS mark corresponding to the source IP of the detection message is found in the correspondence relationship, if it is determined that the duration between the OS update time bound to that OS mark and the current time exceeds the set duration, the found OS mark is determined to be invalid.
In the above embodiment of the invention, if the duration between the OS update time at which the found OS mark was written into a detection message and the current time exceeds the set duration, that is, the duration is outside the range current_time-os_upt_time < 40s, the found OS mark is determined to be invalid and detection continues with the next detection message.
In the above embodiment of the invention, for a period after the detection engine is started the OS Hash table contains no information such as the OS marks of the source IPs of detection messages, so during that period OS rule detection is performed on most TCP traffic in the local area network, and the source IP src_ip, OS mark os_id and OS update time os_upt_time obtained for each detection message are inserted into the OS Hash table as one entry. After a while (normally a matter of seconds), most active source IPs in the local area network have completed OS detection and the information in the OS Hash table stabilizes. From then on, the OS of the detection messages of TCP sessions and UDP sessions in the local area network is determined mainly by looking up the OS Hash table, while the os_upt_time of each entry is refreshed continuously; only the detection messages of sessions that are absent from the OS Hash table or whose OS update time os_upt_time no longer satisfies the condition undergo OS rule detection. This greatly improves the performance of the detection engine and avoids the cumbersome detection process on each detection message, while OS detection of UDP traffic is completed as well, significantly improving the accuracy of identifying the OS to which a detection message belongs.
Figure 4 is a schematic diagram of a second application protocol detection method provided by an embodiment of the invention.
S401, obtain a detection message;
S402, perform transport layer protocol detection on the detection message;
S403, judge whether the detection message is a UDP message; if so, execute step S404, otherwise execute step S410;
S404, judge whether an OS mark has been written into the detection message; if so, the detection process ends, otherwise execute S405;
S405, according to the source IP of the detection message, search the correspondence relationship for the OS mark matching that source IP;
S406, judge whether the search of the correspondence relationship for the OS mark corresponding to the source IP of the detection message succeeded; if so, execute S407, otherwise execute S409;
S407, write the OS mark corresponding to the source IP of the detection message found in the correspondence relationship into the detection message;
S408, according to the time at which the OS mark was written into the detection message, update the OS update time bound to the OS mark corresponding to the source IP of the detection message, and update the correspondence relationship;
S409, write an OS detection failure mark into the detection message;
S410, judge whether the detection message is a TCP message; if so, execute S404 to S408, otherwise end the detection process;
S411, if the detection message is a TCP message and the search of the correspondence relationship in step S406 failed, judge whether the detection message is a SYN message; if so, execute S412, otherwise execute S409;
S412, perform OS rule detection on the SYN message according to the OS rules;
S413, judge whether the detection of the detection message succeeded; if so, execute step S414, otherwise execute S409;
S414, write the OS mark corresponding to the source IP of the detection message, as detected from the OS rules, into the detection message;
S415, bind the time at which the OS mark was written, as the OS update time, to the OS mark corresponding to the source IP of the detection message, and insert this binding into the correspondence relationship.
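The detection flow of Figure 4 (S401 to S415) with the OS Hash table of src_ip, os_id and os_upt_time described above, as an added example that is not the patent's own code. The message layout, the stand-in (ttl, wsize) rule table, the failure-mark name and the choice to treat exactly 40 s as stale are constructed assumptions.

```python
# Added example (not the patent's own code): OS Hash table lookup with the
# 40 s freshness window, and fallback to OS rule detection for TCP SYNs only.
import hashlib

SETTING_DURATION = 40.0                  # the text's current_time-os_upt_time < 40s
OS_DETECT_FAILED = "os_detect_failed"    # S409 failure mark; the name is constructed

# Constructed stand-in for the OS rule set of section one: (ttl, wsize) -> os_id.
OS_RULES = {(128, 8192): "windows", (64, 65535): "android"}


def src_ip_key(src_ip):
    """The OS Hash table stores a hash of the client source IP as src_ip."""
    return hashlib.sha256(src_ip.encode()).hexdigest()


class OsHashTable:
    """Correspondence relationship: src_ip -> {os_id, os_upt_time}."""

    def __init__(self, setting_duration=SETTING_DURATION):
        self.entries = {}
        self.setting_duration = setting_duration

    def lookup(self, src_ip, now):
        """S405/S406 with the freshness check of S303: return os_id or None.
        An entry at or beyond the set duration is treated as an invalid mark
        (the text only states that '< 40s' is valid; the tie is an assumption)."""
        entry = self.entries.get(src_ip_key(src_ip))
        if entry is None or now - entry["os_upt_time"] >= self.setting_duration:
            return None
        entry["os_upt_time"] = now           # S408: refresh os_upt_time on every hit
        return entry["os_id"]

    def bind(self, src_ip, os_id, now):
        """S415: bind os_id and its write time to the source IP."""
        self.entries[src_ip_key(src_ip)] = {"os_id": os_id, "os_upt_time": now}


def detect(msg, table, now, rules=OS_RULES):
    """S401-S415 for one constructed message dict with keys: proto ('tcp' or
    'udp'), src_ip, optional os_id, and for TCP: syn (bool), ttl, wsize.
    Returns the OS mark written into the message."""
    if msg.get("os_id"):                              # S404: mark already present
        return msg["os_id"]
    os_id = table.lookup(msg["src_ip"], now)          # S405/S406
    if os_id is None and msg["proto"] == "tcp" and msg.get("syn"):
        # S411-S414: only a TCP SYN falls back to OS rule detection; UDP and
        # non-SYN TCP messages get the failure mark instead (S409).
        os_id = rules.get((msg.get("ttl"), msg.get("wsize")))
        if os_id is not None:
            table.bind(msg["src_ip"], os_id, now)     # S415
    msg["os_id"] = OS_DETECT_FAILED if os_id is None else os_id   # S407/S409/S414
    return msg["os_id"]


def run_scenario():
    """Constructed traffic from one host over about 90 s; returns the marks written."""
    table = OsHashTable()
    traffic = [
        (0.0,  {"proto": "tcp", "src_ip": "10.0.0.5", "syn": True, "ttl": 128, "wsize": 8192}),
        (5.0,  {"proto": "udp", "src_ip": "10.0.0.5"}),                # table hit, refresh
        (30.0, {"proto": "udp", "src_ip": "10.0.0.5"}),                # 25 s since refresh
        (80.0, {"proto": "udp", "src_ip": "10.0.0.5"}),                # 50 s: stale, UDP cannot rule-detect
        (81.0, {"proto": "tcp", "src_ip": "10.0.0.5", "syn": False}), # stale, not a SYN
        (82.0, {"proto": "tcp", "src_ip": "10.0.0.5", "syn": True, "ttl": 64, "wsize": 65535}),
        (83.0, {"proto": "udp", "src_ip": "10.0.0.5"}),                # re-bound mark is served
        (83.0, {"proto": "udp", "src_ip": "10.0.0.9"}),                # never seen
    ]
    return [detect(msg, table, now) for now, msg in traffic]
```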
In the above embodiment of the invention, a detection message is obtained; if the detection message does not contain an operating system (OS) mark, the correspondence relationship between source Internet Protocol (IP) addresses and OS marks is searched for the OS mark corresponding to the source IP of the detection message; if that OS mark is found in the correspondence relationship, it is written into the detection message. Because the OS mark corresponding to the source IP is looked up in the correspondence relationship and written into the detection message whenever the detection message lacks an OS mark, the OS mark of the source IP is obtained accurately, the cumbersome detection process on the detection message is avoided, and the accuracy of identifying the OS to which the detection message belongs is significantly improved.
Based on the same technical idea, an embodiment of the invention provides an application protocol detection device that can perform the above method embodiment. Figure 5 shows the structure of an application protocol detection device provided by an embodiment of the invention.
An application protocol detection device provided by an embodiment of the invention includes:
an obtaining module S501, for obtaining a detection message;
a searching module S502, for searching, if the detection message does not contain an operating system (OS) mark, the correspondence relationship between source Internet Protocol (IP) addresses and OS marks for the OS mark corresponding to the source IP of the detection message;
a writing module S503, for writing the OS mark corresponding to the source IP of the detection message into the detection message if that OS mark is found in the correspondence relationship.
Optionally, the writing module S503 is further configured to:
after the OS mark corresponding to the source IP of the detection message is found in the correspondence relationship, determine that the duration between the OS update time bound to that OS mark and the current time is less than the set duration.
Optionally, the writing module S503 is further configured to:
after the OS mark corresponding to the source IP of the detection message is written into the detection message, update, according to the time at which the OS mark was written into the detection message, the OS update time bound to that OS mark.
Optionally, the writing module S503 is further configured to:
if it is determined that the duration between the OS update time bound to the OS mark corresponding to the source IP of the detection message and the current time exceeds the set duration, determine that the found OS mark is invalid.
Optionally, the device further includes:
a judgment module, for judging whether the TCP message is a synchronize sequence number (SYN) message if the OS mark corresponding to the source IP of the detection message is not found in the correspondence relationship between source IPs and OS marks, or the found OS mark is determined to be invalid;
a binding module, for writing, if the TCP message is a SYN message and the OS rule set contains an OS rule met by the detection message, the OS mark of the met OS rule into the detection message, and binding the source IP of the detection message, the OS mark of the met OS rule and the time at which it was written into the detection message, and adding them to the correspondence relationship.
Optionally, the binding module is specifically configured to:
search the OS rule set, according to the OS rule dictionary format in the detection message, for the OS rule met by the detection message, and determine the values of the dictionary-format fields of that OS rule;
if the values of the fields in the detection message corresponding to the OS rule dictionary format are identical to the values of the dictionary-format fields of the OS rule met by the detection message, and the OS mark in the detection message is identical to the OS mark in that OS rule, determine that the OS rule set contains a rule met by the detection message.
Optionally, the binding module is specifically configured to:
judge whether the OS rule set contains an OS rule met by the target SYN message of the training set;
if so, take the next SYN message as the target SYN message, and return to the step of judging whether the OS rule set contains an OS rule met by the target SYN message of the training set;
if not, write the values of the fields of the target SYN message corresponding to the fields of the OS rule dictionary format into the dictionary-format fields, bind the OS information of the target message to the OS rule dictionary format and its field values, and add the result to the OS rule set.
Optionally, the binding module is specifically configured to:
if the value of a dictionary-format field of the OS rule met by the detection message is absent, or the value of the corresponding field in the detection message differs from the value of that field in the OS rule, take the two highest-weight fields of the key (Key) value set as the OS rule dictionary format of the OS rule set and delete them from the Key value set; or
if the value of the field in the detection message corresponding to the OS rule dictionary format is identical to the value of the dictionary-format field of the OS rule met by the detection message, append the highest-weight field of the Key value set to the OS rule dictionary format as its newly added field and delete it from the Key value set; then update the OS rule dictionary format of the OS rule set according to the newly added field.
In the above embodiment of the invention, a detection message is obtained; if the detection message does not contain an operating system (OS) mark, the correspondence relationship between source Internet Protocol (IP) addresses and OS marks is searched for the OS mark corresponding to the source IP of the detection message; if that OS mark is found in the correspondence relationship, it is written into the detection message. Because the OS mark corresponding to the source IP is looked up in the correspondence relationship between source IPs and OS marks and written into the detection message whenever the detection message lacks an OS mark, the OS mark of the source IP is obtained accurately, the cumbersome detection process on the detection message is avoided, and the accuracy of identifying the OS to which the detection message belongs is significantly improved.
The invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the invention. It should be understood that each flow and/or block of the flowcharts and/or block diagrams, and any combination of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general purpose computer, a special purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device that implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the invention have been described, once a person skilled in the art knows the basic inventive concept, additional changes and modifications may be made to these embodiments. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these modifications and variations of the invention fall within the scope of the claims of the invention and their equivalent technologies, the invention is also intended to include them.

Claims (16)

1. a kind of method of application protocol detection characterized by comprising
Obtain the affiliated session of detection messages;
If the affiliated session of detection messages does not include operating system OS mark, marked from the source IP and OS of Internet protocol session The corresponding OS mark of the affiliated session of the detection messages is searched in the mapping table of knowledge;
If will be looked into from the corresponding OS mark of source IP found in the mapping table in the affiliated session of the detection messages The corresponding OS mark of the source IP ask is written in the affiliated session of the detection messages;
Wherein, the detection messages are TCP message;This method further include:
If the source IP not found in the affiliated session of the detection messages from the mapping table that source IP and OS identify is corresponding OS mark determines the OS indicating failure inquired, then judges whether the TCP message is synchronizing sequence number SYN message;If The TCP message is the SYN message, and have in OS regular collection with the OS of the SYN message matching rule, then will be matched OS mark in OS rule is written in the affiliated session of detection messages, and by the affiliated session of the detection messages source IP, Institute is inserted into after OS mark in the matched OS rule and the temporal binding being written in the affiliated session of the detection messages It states in mapping table.
2. The method according to claim 1, characterized in that, after the OS identifier corresponding to the source IP of the session to which the detection message belongs is found in the mapping table and before the OS identifier corresponding to the queried source IP is written into the session to which the detection message belongs, the method further comprises:
determining that the time difference between the OS update time in the table entry corresponding to the queried source IP of the session to which the detection message belongs and the current time is less than a set duration.
3. The method according to claim 2, characterized in that, after the OS identifier corresponding to the queried source IP is written into the session to which the detection message belongs, the method further comprises:
updating the OS update time in the table entry corresponding to the queried source IP of the session to which the detection message belongs according to the time at which the OS identifier was written into the session.
4. The method according to claim 2, characterized in that, after the OS identifier corresponding to the source IP of the session to which the detection message belongs is found in the mapping table, the method further comprises:
if it is determined that the time difference between the OS update time in the table entry corresponding to the queried source IP of the session to which the detection message belongs and the current time exceeds the set duration, determining that the queried OS identifier is invalid.
5. The method according to claim 1, characterized in that whether the OS rule set contains an OS rule matching the SYN message is searched in the following manner:
searching the OS rule set for a matching OS rule according to the values carried in the SYN message for each field of the OS rule dictionary format;
if the values carried in the SYN message for each field of the OS rule dictionary format match the values of the corresponding fields in an OS rule of the OS rule set, the OS identifier of the session to which the SYN message belongs is the same as the OS identifier in that OS rule, and it is determined that the OS rule set contains an OS rule matching the session to which the SYN message belongs.
6. The method according to claim 1, characterized in that the OS rule set is an empty set before it is built and contains no OS rule;
before the OS rule set is built, the method further comprises initializing the OS rule dictionary format;
the OS rule set is built in the following manner:
judging whether the OS rule set contains an OS rule matching a target SYN message in a training set;
if the values carried in the target SYN message for each field of the OS rule dictionary format match, field by field, the values of the corresponding fields in an OS rule of the OS rule set, and the OS identifier of that field-by-field matching OS rule is the same as the OS identifier of the target SYN message, determining that an OS rule matching the target SYN message exists in the OS rule set, and otherwise considering them not to match; if an OS rule matching the target SYN message exists in the OS rule set, ignoring the target SYN message and taking the next SYN message as the target SYN message;
if no OS rule matching the target SYN message exists in the OS rule set, and no OS rule in the OS rule set satisfies the field-by-field match on field values, writing the values of the fields of the target SYN message in the training set that correspond to all fields of the OS rule dictionary format into the fields of the OS rule dictionary format, binding the OS information corresponding to the target SYN message in the training set with the OS rule dictionary format and the values of its corresponding fields in the OS rule, and forming a new OS rule that is added to the OS rule set;
if no OS rule matching the target SYN message exists in the OS rule set, but an OS rule in the OS rule set satisfies the field-by-field match on field values while its OS identifier is not the same, considering that this OS rule would lead to a false report, deleting it from the OS rule set, updating the OS rule dictionary format, and creating a new OS rule according to the updated OS rule dictionary format and the target SYN message that is added to the OS rule set.
7. The method according to claim 6, characterized in that initializing the OS rule dictionary format comprises:
taking the two highest-weight fields in the Key value set as the fields of the OS rule dictionary format corresponding to the OS rule, and deleting those two highest-weight fields from the Key value set.
8. The method according to claim 7, characterized by further comprising:
if the values carried in the target SYN message in the training set for all fields of the OS rule dictionary format are the same as the values of the OS rule dictionary format fields of an OS rule in the OS rule set, and the OS information corresponding to the target SYN message in the training set differs from the OS information of that OS rule in the OS rule set, taking the highest-weight field in the Key value set as a new field of the OS rule dictionary format corresponding to the OS rule, thereby expanding the OS rule dictionary format, and deleting that highest-weight field from the Key value set; and deleting from the OS rule set the OS rule that matches the target SYN message.
9. An apparatus for application protocol detection, characterized by comprising:
an obtaining module, configured to obtain the session to which a detection message belongs;
a searching module, configured to, if the session to which the detection message belongs does not include an operating system (OS) identifier, search a mapping table between the source IP of Internet Protocol (IP) sessions and OS identifiers for the OS identifier corresponding to the session to which the detection message belongs;
a writing module, configured to, if the OS identifier corresponding to the source IP of the session to which the detection message belongs is found in the mapping table, write the OS identifier corresponding to the queried source IP into the session to which the detection message belongs;
wherein the detection message is a TCP message; the apparatus further comprises:
a judging module, configured to, if the OS identifier corresponding to the source IP of the session to which the detection message belongs is not found in the mapping table of source IPs and OS identifiers, or the queried OS identifier is determined to be invalid, judge whether the TCP message is a synchronization sequence number (SYN) message;
a binding module, configured to, if the TCP message is a SYN message and the OS rule set contains an OS rule matching the SYN message, write the OS identifier in the matched OS rule into the session to which the detection message belongs, bind the source IP of the session to which the detection message belongs, the OS identifier in the matched OS rule, and the time at which that identifier was written into the session, and insert the binding into the mapping table.
10. The apparatus according to claim 9, characterized in that the writing module is further configured to:
determine that the time difference between the OS update time in the table entry corresponding to the queried source IP of the session to which the detection message belongs and the current time is less than a set duration.
11. The apparatus according to claim 10, characterized in that the writing module is further configured to:
update the OS update time in the table entry corresponding to the queried source IP of the session to which the detection message belongs according to the time at which the OS identifier was written into the session.
12. The apparatus according to claim 10, characterized in that the writing module is further configured to:
if it is determined that the time difference between the OS update time in the table entry corresponding to the queried source IP of the session to which the detection message belongs and the current time exceeds the set duration, determine that the queried OS identifier is invalid.
13. The apparatus according to claim 9, characterized in that the binding module is specifically configured to:
search the OS rule set for a matching OS rule according to the values carried in the SYN message for each field of the OS rule dictionary format;
if the values carried in the SYN message for each field of the OS rule dictionary format match the values of the corresponding fields in an OS rule of the OS rule set, treat the OS identifier of the session to which the SYN message belongs as the same as the OS identifier in that OS rule, and determine that the OS rule set contains an OS rule matching the session to which the SYN message belongs.
14. The apparatus according to claim 9, characterized in that the OS rule set is an empty set before it is built and contains no OS rule;
the binding module is specifically configured to:
initialize the OS rule dictionary format;
judge whether the OS rule set contains an OS rule matching a target SYN message in a training set;
if the values carried in the target SYN message for each field of the OS rule dictionary format match, field by field, the values of the corresponding fields in an OS rule of the OS rule set, and the OS identifier of that field-by-field matching OS rule is the same as the OS identifier of the target SYN message, determine that an OS rule matching the target SYN message exists in the OS rule set, and otherwise consider them not to match; if an OS rule matching the target SYN message exists in the OS rule set, ignore the target SYN message and take the next SYN message as the target SYN message;
if no OS rule matching the target SYN message exists in the OS rule set, and no OS rule in the OS rule set satisfies the field-by-field match on field values, write the values of the fields of the target SYN message in the training set that correspond to all fields of the OS rule dictionary format into the fields of the OS rule dictionary format, bind the OS information corresponding to the target SYN message in the training set with the OS rule dictionary format and the values of its corresponding fields in the OS rule, and form a new OS rule that is added to the OS rule set;
if no OS rule matching the target SYN message exists in the OS rule set, but an OS rule in the OS rule set satisfies the field-by-field match on field values while its OS identifier is not the same, consider that this OS rule would lead to a false report, delete it from the OS rule set, update the OS rule dictionary format, and create a new OS rule according to the updated OS rule dictionary format and the target SYN message that is added to the OS rule set.
15. The apparatus according to claim 14, characterized in that the binding module is specifically configured to:
take the two highest-weight fields in the Key value set as the fields of the OS rule dictionary format corresponding to the OS rule, and delete those two highest-weight fields from the Key value set.
16. The apparatus according to claim 15, characterized in that the binding module is specifically configured to: if the values carried in the target SYN message in the training set for all fields of the OS rule dictionary format are the same as the values of the OS rule dictionary format fields of an OS rule in the OS rule set, and the OS information corresponding to the target SYN message in the training set differs from the OS information of that OS rule in the OS rule set, take the highest-weight field in the Key value set as a new field of the OS rule dictionary format corresponding to the OS rule, thereby expanding the OS rule dictionary format, and delete that highest-weight field from the Key value set; and delete from the OS rule set the OS rule that matches the target SYN message.
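The lookup-then-fallback flow of claims 1 to 5 and the rule-learning procedure of claims 6 to 8, as an added Python example that is not part of the patent; the SYN field names and their weights, the sample SYN values, the OS labels and the `OsDetector` class are all constructed for illustration.

```python
"""Added example, not the patent's code: a small model of the claimed flow.
A session first consults an IP->OS mapping table (with an update-time check);
on a miss, its SYN packet is matched against an OS rule set whose rules are
keyed on a 'rule dictionary format' built from a weighted key set by training.
Field names, weights, sample SYNs and OS labels are all constructed."""

# Constructed candidate SYN fields, ordered by assumed descending weight.
KEY_VALUE_SET = ["ttl", "window", "mss", "wscale", "df"]


class OsDetector:
    def __init__(self, max_age=300.0):
        self.max_age = max_age   # the 'set duration' of claims 2 and 4
        self.mapping = {}        # source IP -> (os_mark, os_update_time)
        self.rules = []          # list of ({field: value}, os_mark)
        self.fmt = []            # current OS rule dictionary format
        self.keys = list(KEY_VALUE_SET)

    def _matching_rules(self, syn):
        """Rules whose every format field equals the SYN's value (claim 5)."""
        return [r for r in self.rules
                if all(syn.get(f) == v for f, v in r[0].items())]

    # Claims 1-5: resolve the OS mark of a session {'src_ip': ..., 'syn': {...}}.
    def lookup(self, session, now):
        if "os" in session:
            return session["os"]
        ip = session["src_ip"]
        entry = self.mapping.get(ip)
        if entry and now - entry[1] < self.max_age:   # fresh entry (claim 2)
            session["os"] = entry[0]
            self.mapping[ip] = (entry[0], now)        # refresh time (claim 3)
            return entry[0]
        # No entry, or entry too old (claim 4): fall back to the SYN packet.
        syn = session.get("syn")
        if syn is None:
            return None
        for _, os_mark in self._matching_rules(syn):
            session["os"] = os_mark
            self.mapping[ip] = (os_mark, now)         # bind IP, OS and time
            return os_mark
        return None

    # Claims 6-8: learn rules from labelled (syn, os_mark) training pairs.
    def train(self, training_set):
        if not self.fmt:                              # claim 7: initial format
            self.fmt, self.keys = self.keys[:2], self.keys[2:]
        for syn, os_mark in training_set:
            same = self._matching_rules(syn)
            if any(r[1] == os_mark for r in same):
                continue                              # already covered: ignore
            if same:
                # Claim 8: equal field values but a different OS would cause a
                # false report. Drop the conflicting rule(s) and widen the
                # format with the next highest-weight key; as in the claims,
                # the dropped rule is not re-learned in this pass.
                self.rules = [r for r in self.rules if r not in same]
                if self.keys:
                    self.fmt.append(self.keys.pop(0))
            self.rules.append(({f: syn[f] for f in self.fmt}, os_mark))
        return self.rules
```

Note that a conflict discards the earlier rule without re-learning it, so a later SYN from that OS only matches again once the training set is replayed with the widened format.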
CN201511001393.9A 2015-12-28 2015-12-28 A kind of method and apparatus of application protocol detection Active CN105634863B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201511001393.9A CN105634863B (en) 2015-12-28 2015-12-28 A kind of method and apparatus of application protocol detection

Publications (2)

Publication Number Publication Date
CN105634863A CN105634863A (en) 2016-06-01
CN105634863B true CN105634863B (en) 2019-09-17

Family

ID=56049393

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201511001393.9A Active CN105634863B (en) 2015-12-28 2015-12-28 A kind of method and apparatus of application protocol detection

Country Status (1)

Country Link
CN (1) CN105634863B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106411644A (en) * 2016-09-30 2017-02-15 苏州迈科网络安全技术股份有限公司 Network sharing device detection method and system based on DPI technology
CN107864119B (en) * 2017-09-04 2020-09-11 南京理工大学 Network traffic confusion method and system on Android platform
CN109729098A (en) * 2019-03-01 2019-05-07 国网新疆电力有限公司信息通信公司 Automatically the method for malice port scan is blocked in dns server
CN112202739B (en) * 2020-09-17 2021-12-14 腾讯科技(深圳)有限公司 Flow monitoring method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101035144A (en) * 2006-03-07 2007-09-12 冲电气工业株式会社 Parameter single generating device and computer program
CN101207604A (en) * 2006-12-20 2008-06-25 联想(北京)有限公司 Virtual machine system and communication processing method thereof
CN102811146A (en) * 2012-08-31 2012-12-05 飞天诚信科技股份有限公司 Method and device for detecting message processing environment
CN104869621A (en) * 2015-06-12 2015-08-26 联想(北京)有限公司 Method and device for network awareness

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5475180B1 (en) * 2013-09-30 2014-04-16 株式会社 ディー・エヌ・エー Server, system, and method for providing service using application

Also Published As

Publication number Publication date
CN105634863A (en) 2016-06-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200317

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Co-patentee after: NSFOCUS TECHNOLOGIES Inc.

Patentee after: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Co-patentee after: Shenzhou Lvmeng Chengdu Technology Co.,Ltd.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Co-patentee before: NSFOCUS TECHNOLOGIES Inc.

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Patentee after: Shenzhou Lvmeng Chengdu Technology Co.,Ltd.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.

Patentee before: Shenzhou Lvmeng Chengdu Technology Co.,Ltd.