Summary of the invention
The present invention provides an application protocol detection method and device, to address the difficulty that DPI and DFI techniques in the prior art have in accurately identifying the OS to which the traffic generated by each App belongs, to avoid the low accuracy rate of identifying the OS of the traffic generated by each App, and to improve the granularity and accuracy of application identification.
In a first aspect, an application protocol detection method is provided, comprising:
obtaining the session to which a detection packet belongs;
if the session to which the detection packet belongs does not include an operating system (OS) identifier, searching a mapping table of the source IP of Internet protocol sessions to OS identifiers for the OS identifier corresponding to the session of the detection packet;
if the OS identifier corresponding to the source IP of the session of the detection packet is found in the mapping table, writing the OS identifier corresponding to the found source IP into the session of the detection packet.
With reference to the first aspect, in a first possible implementation of the first aspect, after the OS identifier corresponding to the source IP of the session of the detection packet is found in the mapping table and before the OS identifier corresponding to the found source IP is written into the session of the detection packet, the method further includes:
determining that the time difference between the OS update time in the table entry for the source IP of the session of the detection packet and the current time is less than a set duration.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, after the OS identifier corresponding to the found source IP is written into the session of the detection packet, the method further includes:
updating the OS update time in the table entry for the source IP of the session of the detection packet according to the time at which the OS identifier was written into the session of the detection packet.
With reference to the first aspect or its first possible implementation, in a third possible implementation of the first aspect, after the OS identifier corresponding to the source IP of the session of the detection packet is found in the mapping table, the method further includes:
if it is determined that the time difference between the OS update time in the table entry for the source IP of the session of the detection packet and the current time exceeds the set duration, determining that the found OS identifier is invalid.
With reference to the first aspect or any of its first to third possible implementations, in a fourth possible implementation of the first aspect, the detection packet is a TCP (transmission control protocol) packet;
the method further includes:
if the OS identifier corresponding to the source IP of the session of the detection packet is not found in the mapping table of source IP to OS identifier, or the found OS identifier is determined to be invalid, judging whether the TCP packet is a synchronize sequence number (SYN) packet;
if the TCP packet is a SYN packet and the OS rule set contains an OS rule matching the SYN packet, writing the OS identifier of the matched OS rule into the session of the detection packet, binding the source IP of the session of the detection packet, the OS identifier of the matched OS rule and the time at which it was written into the session, and inserting the bound entry into the mapping table.
With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation of the first aspect, whether the OS rule set contains an OS rule matching the SYN packet is determined as follows:
searching the OS rule set for a matching OS rule according to the values in the SYN packet of each field of the OS rule dictionary format;
if the value in the SYN packet of each field of the OS rule dictionary format matches the value of the corresponding field in an OS rule of the OS rule set, the OS identifier of the session of the SYN packet is the OS identifier of that OS rule, and it is determined that the OS rule set contains an OS rule matching the session of the SYN packet.
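The session lookup with a validity window and the SYN rule fallback described in the first to fifth implementations, as an added example that is not the patent's own code; the field names, rule values, addresses and set duration are constructed for illustration.

```python
"""Session OS tagging: source IP -> OS identifier mapping table with a validity window,
falling back to SYN-packet rule matching (first to fifth implementations of the first aspect).
Added example, not the patent's code; field names, rule values and addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# An OS rule: values of the dictionary-format fields it was built from, and the OS identifier.
OsRule = Tuple[Dict[str, int], str]


@dataclass
class Session:
    src_ip: str
    os_id: Optional[str] = None   # written once the OS is identified


@dataclass
class TcpPacket:
    src_ip: str
    syn: bool
    fields: Dict[str, int]        # header fields usable for OS identification (TTL, WSize, ...)


@dataclass
class MappingEntry:
    os_id: str
    os_update_time: float         # time the OS identifier was last written into a session


class OsMappingTable:
    """Source IP -> (OS identifier, OS update time) with a set validity duration."""

    def __init__(self, set_duration: float) -> None:
        self.set_duration = set_duration
        self.entries: Dict[str, MappingEntry] = {}

    def lookup(self, src_ip: str, now: float) -> Optional[str]:
        """Return the OS identifier only if the entry exists and the time since its
        OS update time is less than the set duration; a stale entry is reported as invalid."""
        entry = self.entries.get(src_ip)
        if entry is None or now - entry.os_update_time >= self.set_duration:
            return None
        return entry.os_id

    def bind(self, src_ip: str, os_id: str, now: float) -> None:
        """Insert or refresh the entry, binding source IP, OS identifier and write time."""
        self.entries[src_ip] = MappingEntry(os_id, now)


def match_syn_rule(fields: Dict[str, int], rule_set: List[OsRule],
                   dict_format: Tuple[str, ...]) -> Optional[str]:
    """Compare the SYN packet's value of every dictionary-format field the rule carries
    with the rule's value; the first rule agreeing on all of them supplies the OS identifier."""
    for rule_values, os_id in rule_set:
        if all(fields.get(f) == v for f, v in rule_values.items() if f in dict_format):
            return os_id
    return None


def detect_os(session: Session, packet: TcpPacket, table: OsMappingTable,
              rule_set: List[OsRule], dict_format: Tuple[str, ...], now: float) -> Optional[str]:
    """Tag the session with an OS identifier: mapping table first, SYN rules as fallback."""
    if session.os_id is not None:
        return session.os_id                    # session already carries the identifier
    os_id = table.lookup(session.src_ip, now)
    if os_id is not None:
        session.os_id = os_id
        table.bind(session.src_ip, os_id, now)  # refresh OS update time from the write time
        return os_id
    if not packet.syn:
        return None                             # only SYN packets are rule-matched
    os_id = match_syn_rule(packet.fields, rule_set, dict_format)
    if os_id is None:
        return None
    session.os_id = os_id
    table.bind(session.src_ip, os_id, now)      # source IP + OS id + write time into the table
    return os_id


# Constructed dictionary format and rule set (illustrative values, not the patent's Table 1).
DICT_FORMAT = ("TTL", "WSize", "WSCALE")
RULE_SET: List[OsRule] = [
    ({"TTL": 128, "WSize": 8192}, "Windows"),
    ({"TTL": 64, "WSize": 65535, "WSCALE": 6}, "Android"),
    ({"TTL": 64, "WSize": 65535, "WSCALE": 5}, "iOS"),
]


def run_scenario() -> List[Optional[str]]:
    """Three packets from one host with a 300 s set duration: a SYN identified by rule,
    a non-SYN 10 s later served from the table, and a non-SYN 400 s later (stale entry)."""
    table = OsMappingTable(set_duration=300.0)
    syn = TcpPacket("10.0.0.5", True, {"TTL": 64, "WSize": 65535, "WSCALE": 6})
    data = TcpPacket("10.0.0.5", False, {"TTL": 64})
    return [
        detect_os(Session("10.0.0.5"), syn, table, RULE_SET, DICT_FORMAT, now=0.0),
        detect_os(Session("10.0.0.5"), data, table, RULE_SET, DICT_FORMAT, now=10.0),
        detect_os(Session("10.0.0.5"), data, table, RULE_SET, DICT_FORMAT, now=400.0),
    ]


if __name__ == "__main__":
    print(run_scenario())   # ['Android', 'Android', None]
```

The third packet is neither served from the table (its entry, refreshed at t=10, is older than the set duration at t=400) nor rule-matched (it is not a SYN), so the session stays untagged until the next SYN from that host.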
With reference to the first aspect or any of its first to fourth possible implementations, in a sixth possible implementation of the first aspect, the OS rule set is an empty set containing no OS rule before it is established;
before the OS rule set is established, the method further includes: initializing the OS rule dictionary format;
the OS rule set is established as follows:
judging whether the OS rule set contains an OS rule matching the target SYN packet in the training set;
if the value in the target SYN packet of each field of the OS rule dictionary format matches, field by field, the value of the corresponding field in an OS rule of the OS rule set, and the OS identifier in that field-by-field matching OS rule is identical to the OS identifier of the target SYN packet, determining that the OS rule set contains an OS rule matching the target SYN packet, otherwise considering it not matched; if the OS rule set contains an OS rule matching the target SYN packet, ignoring the target SYN packet and taking the next SYN packet as the target SYN packet;
if the OS rule set contains no OS rule matching the target SYN packet, and no OS rule in the OS rule set matches it field by field on the field values, writing the values in the target SYN packet in the training set of the fields corresponding to all fields of the OS rule dictionary format into the fields of the OS rule dictionary format, binding the OS information corresponding to the target SYN packet in the training set with the OS rule dictionary format of the OS rule and the values of its fields, forming a new OS rule and adding it to the OS rule set;
if the OS rule set contains no OS rule matching the target SYN packet, but contains an OS rule that matches it field by field on the field values while the OS identifier is not identical, considering that the OS rule would cause a false report, deleting it from the OS rule set, updating the OS rule dictionary format, creating a new OS rule according to the updated OS rule dictionary format and the target SYN packet, and adding it to the OS rule set.
With reference to the sixth possible implementation of the first aspect, in a seventh possible implementation of the first aspect, initializing the OS rule dictionary format comprises:
using the two highest-weight fields in the Key value set as the fields of the OS rule dictionary format of the OS rules, and deleting the two highest-weight fields from the Key value set.
With reference to the seventh possible implementation of the first aspect, in an eighth possible implementation of the first aspect, the method further includes:
if the values in the target SYN packet in the training set of all fields of the OS rule dictionary format are identical to the values of the fields of the OS rule dictionary format of an OS rule in the OS rule set, and the OS information corresponding to the target SYN packet in the training set differs from the OS information of that OS rule in the OS rule set, using the highest-weight field in the Key value set as a new field of the OS rule dictionary format of the OS rules so as to expand the OS rule dictionary format, deleting the highest-weight field from the Key value set, and deleting from the OS rule set the OS rule matched by the target SYN packet.
In a second aspect, a device for application protocol detection is provided, the device comprising:
an obtaining module, configured to obtain the session to which a detection packet belongs;
a searching module, configured to, if the session to which the detection packet belongs does not include an operating system (OS) identifier, search a mapping table of the source IP of Internet protocol sessions to OS identifiers for the OS identifier corresponding to the session of the detection packet;
a writing module, configured to, if the OS identifier corresponding to the source IP of the session of the detection packet is found in the mapping table, write the OS identifier corresponding to the found source IP into the session of the detection packet.
In conjunction with the second aspect, in a first possible implementation of the second aspect, the writing module is further configured to:
determine that the time difference between the OS update time in the table entry for the source IP of the session of the detection packet and the current time is less than a set duration.
In conjunction with the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the writing module is further configured to:
update the OS update time in the table entry for the source IP of the session of the detection packet according to the time at which the OS identifier was written into the session of the detection packet.
In conjunction with the second aspect or its first possible implementation, in a third possible implementation of the second aspect, the writing module is further configured to:
if it is determined that the time difference between the OS update time in the table entry for the source IP of the session of the detection packet and the current time exceeds the set duration, determine that the found OS identifier is invalid.
In conjunction with the second aspect or any of its first to third possible implementations, in a fourth possible implementation of the second aspect, the detection packet is a TCP (transmission control protocol) packet; the device further comprises:
a judgment module, configured to, if the OS identifier corresponding to the source IP of the session of the detection packet is not found in the mapping table of source IP to OS identifier, or the found OS identifier is determined to be invalid, judge whether the TCP packet is a synchronize sequence number (SYN) packet;
a binding module, configured to, if the TCP packet is a SYN packet and the OS rule set contains an OS rule matching the SYN packet, write the OS identifier of the matched OS rule into the session of the detection packet, bind the source IP of the session of the detection packet, the OS identifier of the matched OS rule and the time at which it was written into the session, and insert the bound entry into the mapping table.
In conjunction with the fourth possible implementation of the second aspect, in a fifth possible implementation of the second aspect, the binding module is specifically configured to:
search the OS rule set for a matching OS rule according to the values in the SYN packet of each field of the OS rule dictionary format;
if the value in the SYN packet of each field of the OS rule dictionary format matches the value of the corresponding field in an OS rule of the OS rule set, take the OS identifier of the session of the SYN packet to be the OS identifier of that OS rule, and determine that the OS rule set contains an OS rule matching the session of the SYN packet.
In conjunction with the second aspect or any of its first to fourth possible implementations, in a sixth possible implementation of the second aspect, the OS rule set is an empty set containing no OS rule before it is established;
the binding module is specifically configured to:
initialize the OS rule dictionary format;
judge whether the OS rule set contains an OS rule matching the target SYN packet in the training set;
if the value in the target SYN packet of each field of the OS rule dictionary format matches, field by field, the value of the corresponding field in an OS rule of the OS rule set, and the OS identifier in that field-by-field matching OS rule is identical to the OS identifier of the target SYN packet, determine that the OS rule set contains an OS rule matching the target SYN packet, otherwise consider it not matched; if the OS rule set contains an OS rule matching the target SYN packet, ignore the target SYN packet and take the next SYN packet as the target SYN packet;
if the OS rule set contains no OS rule matching the target SYN packet, and no OS rule in the OS rule set matches it field by field on the field values, write the values in the target SYN packet in the training set of the fields corresponding to all fields of the OS rule dictionary format into the fields of the OS rule dictionary format, bind the OS information corresponding to the target SYN packet in the training set with the OS rule dictionary format of the OS rule and the values of its fields, form a new OS rule and add it to the OS rule set;
if the OS rule set contains no OS rule matching the target SYN packet, but contains an OS rule that matches it field by field on the field values while the OS identifier is not identical, consider that the OS rule would cause a false report, delete it from the OS rule set, update the OS rule dictionary format, create a new OS rule according to the updated OS rule dictionary format and the target SYN packet, and add it to the OS rule set.
In conjunction with the sixth possible implementation of the second aspect, in a seventh possible implementation of the second aspect, the binding module is specifically configured to:
use the two highest-weight fields in the Key value set as the fields of the OS rule dictionary format of the OS rules, and delete the two highest-weight fields from the Key value set.
In conjunction with the seventh possible implementation of the second aspect, in an eighth possible implementation of the second aspect, the binding module is specifically configured to:
if the values in the target SYN packet in the training set of all fields of the OS rule dictionary format are identical to the values of the fields of the OS rule dictionary format of an OS rule in the OS rule set, and the OS information corresponding to the target SYN packet in the training set differs from the OS information of that OS rule in the OS rule set, use the highest-weight field in the Key value set as a new field of the OS rule dictionary format of the OS rules so as to expand the OS rule dictionary format, delete the highest-weight field from the Key value set, and delete from the OS rule set the OS rule matched by the target SYN packet.
In the above embodiment of the present invention, the identifier of the operating system (OS) to which a detection packet belongs is obtained: if the detection packet does not include an OS identifier, the OS identifier corresponding to the source IP of the session of the detection packet is searched for in the mapping table of the source IP of Internet protocol sessions to OS identifiers; if the OS identifier corresponding to the source IP of the session of the detection packet is found in the mapping table, the OS identifier corresponding to the found source IP is written into the session of the detection packet; if the search fails, the detection packet is again subjected to detection of its OS identifier. Because the OS identifier corresponding to the detection packet can be looked up in the mapping table of source IP to OS identifier of Internet protocol sessions and the found OS identifier written into the detection packet, the OS identifier corresponding to the session of the detection packet can be queried accurately, which avoids a cumbersome detection process for the detection packet and significantly improves the performance of detecting the OS to which a detection packet belongs.
Specific embodiments
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below in conjunction with the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are some, rather than all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
In the above embodiment of the present invention, after the OS identifier corresponding to the source IP of the detection packet is found in the correspondence, if the duration between the OS update time bound to that OS identifier and the current time is determined to be less than the set duration, the OS identifier corresponding to the source IP of the detection packet is written into the detection packet. Within the set duration, the OS identifier corresponding to the source IP found in the correspondence is therefore valid, and it is thereby determined that the OS used by the detection packet is stable within the set duration.
In the above embodiment of the present invention, the OS update time bound to the OS identifier corresponding to the source IP of the detection packet is updated according to the time at which the OS identifier was written into the detection packet, so that the correspondence is valid for the set duration counted from the OS update time; this extends the effective time of the correspondence and reduces the time the detection packet spends being detected.
In the above embodiment of the present invention, when the duration between the OS update time bound to the OS identifier corresponding to the source IP of the detection packet and the current time exceeds the set duration, the found OS identifier is determined to be invalid, so that OS rule detection is performed on the detection packet in order to update, in the correspondence, the OS identifier corresponding to the source IP of the detection packet and the OS update time bound to that OS identifier.
In the above embodiment of the present invention, when the detection packet is a TCP packet and the OS identifier corresponding to the source IP of the detection packet is not found in the correspondence of source IP to OS identifier, or the found OS identifier is determined to be invalid, it is necessary to judge whether the TCP packet is a SYN packet. If it is, and the OS rules contain an OS rule that the detection packet matches, the OS identifier of the matched OS rule is written into the detection packet, so that the OS to which the detection packet belongs can be accurately identified from the written OS identifier; and the source IP of the detection packet, the OS identifier of the matched OS rule and the time at which it was written into the detection packet are bound and added to the correspondence, so that when the next detection packet is detected, the OS identifier corresponding to its source IP can be quickly found by querying the correspondence, and the OS to which that detection packet belongs accurately identified.
In the above embodiment of the present invention, the OS rules are searched, according to the OS rule dictionary format, for an OS rule whose OS rule dictionary format the detection packet matches: the values in the detection packet of the fields corresponding to the OS rule dictionary format are identical to the values of the fields of the OS rule dictionary format in the matched OS rule, and the OS identifier of the detection packet is identical to the OS identifier in that OS rule, from which it is determined that the OS rules contain an OS rule that the detection packet matches. The OS rule matched by the detection packet is therefore valid for performing OS rule detection on the next detection packet according to that OS rule.
In the above embodiment of the present invention, if the OS rules contain an OS rule that the target SYN packet in the training set matches, the next SYN packet is taken as the target SYN packet and the step of judging whether the OS rules contain an OS rule matched by the target SYN packet in the training set is returned to; in this way, OS rule detection is iterated continuously over each SYN packet in the training set, so that the OS rules eventually converge with a limited choice of fields and can accurately identify the OS information of all SYN packets in the training set. If the OS rules contain no OS rule that the target SYN packet in the training set matches, the values in the target SYN packet in the training set of the fields corresponding to the fields of the OS rule dictionary format are written into the fields of the OS rule dictionary format; because the OS information of the target packet in the training set is bound with the OS rule dictionary format of the OS rule and the values of its fields and then added to the OS rules, the rule matched by the target SYN packet in the training set that was absent from the OS rules is added to the OS rules after binding, and the OS rules are thereby updated and refined, so that when OS rule detection is performed on the next target SYN packet in the training set, the OS information of the target packet can be accurately identified.
In the above embodiment of the present invention, if the value of a field of the OS rule dictionary format matched by the detection packet does not exist in the OS rules, or the value in the detection packet of the field corresponding to the OS rule dictionary format differs from the value of that field of the OS rule dictionary format in the OS rule matched by the detection packet, the two highest-weight fields in the key (Key) value set are used as the OS rule dictionary format in the OS rules and deleted from the Key value set, so that the OS rule dictionary format and the corresponding field values of the OS rule in the OS rules that the detection packet did not match are updated and saved, in order to perform OS rule detection on the next SYN packet in the training set. If the values in the detection packet of the fields corresponding to the OS rule dictionary format are identical to the values of the fields of the OS rule dictionary format in the OS rule matched by the detection packet, the highest-weight field in the Key value set is added to the OS rule dictionary format in the OS rule as a new field of the OS rule dictionary format in the OS rules, so that when those values are identical, the OS information in the detection packet is accurately identified using the new field; the highest-weight field is then deleted from the Key value set, and the OS rule dictionary format in the OS rules is updated according to the new field. The highest-weight field in the Key value set is thus updated, so that when, for the next detection packet, the values in it of the fields corresponding to the OS rule dictionary format are identical to the values of the fields of the OS rule dictionary format in the OS rule it matches, the highest-weight field of the updated Key value set is added again for that next detection packet in order to identify the OS in the detection packet.
In order to make the technical problem solved, the technical solution and the beneficial effects of the present invention more clearly understood, the present invention is described in more detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the present invention and are not intended to limit it.
In the method of application protocol detection of the above embodiment, a precondition for detecting the application protocol corresponding to a detection packet is that the OS rules are complete. The embodiments of the present invention therefore describe, respectively, how to establish complete OS rules and how to perform the detection process on detection packets.
1. Establishing complete OS rules
In the embodiment of the present invention, before the complete OS rules are established, the OS rules must also be initialized to obtain the OS rule dictionary format of the initialized OS rules and the values of the fields corresponding to the OS rule dictionary format. Figure 1 is a schematic diagram of an OS rule initialization phase provided by an embodiment of the present invention.
S101, obtain the Key value set. A Key value set for obtaining Key values is established; each field in the set is chosen from the fields included in the IP header and TCP header of a SYN packet that can identify the OS identifier of a detection packet, each field is assigned a weight according to the accuracy with which it can identify the OS identifier of a detection packet, and the set of fields arranged in descending order of weight is used as the Key value set.
S102, delete the first two fields of the Key value set. The first two fields are the two highest-weight fields in the Key value set.
S103, construct the OS rule dictionary format. The OS rule dictionary format is constructed from the two highest-weight fields deleted from the Key value set; the fields of the OS rule dictionary format are the two deleted highest-weight fields.
S104, obtain the training set. The training set is used for determining the Key values and refining the OS rules.
S105, determine a packet of each kind of OS from the training set. The packet of each kind of OS is used as the initialization packet for initializing the OS rules.
S106, initialize the OS rules. For the packet of each kind of OS determined from the training set, the values of the fields that correspond to the OS rule dictionary format are written into the corresponding fields of the OS rule dictionary format, and the initialized OS rule of each kind of OS is added to the OS rules, so that OS rule detection can be performed on the training set to refine the OS rules.
It should be noted that, in step S101 of the embodiment of the present invention, the fields in the Key value set that can identify the OS identifier of a detection packet may be the TTL field, the WSize field, the WSCALE field and so on; the fields that can identify the OS identifier of a detection packet are not limited to those of the above embodiment, and other fields capable of identifying a detection packet are applicable to the embodiments of the present invention.
For example, the OS rules after initialization are as shown in Table 1.
According to the embodiment of the present invention, the initialized values of the TTL field and the WSize field differ for different operating systems, and the OS information is the source IP in the detection packet and its corresponding OS identifier.
In step S103, the OS rule dictionary format at this point includes only the two highest-weight fields deleted from the Key value set.
In step S104, the obtained training set is traffic comprising Windows, Android and iOS; each flow in the training set includes a complete TCP session, the OS information of each TCP session has already been determined, and the training set is used for determining the Key values and refining the OS rules.
In step S106, according to the OS rule dictionary format, the values of the fields of the OS rule dictionary format in the Windows, Android and iOS traffic of the training set are written into the values of the fields of the OS rule dictionary format in the OS rules, establishing three initialization OS rules for the operating systems Windows, Android and iOS, which are added to the OS rules in order to perform one pass of OS rule detection over all packets in the training set.
After the OS rules are initialized, OS rule detection is performed on every SYN packet in the training set in order to obtain complete OS rules. OS detection of the SYN packets in the training set is described below; Figure 2 is a schematic diagram of a method for obtaining OS rules provided by an embodiment of the present invention.
S201, obtain the training set; this training set is the same training set as in step S101.
S202, judge whether the target SYN packets in the training set have been traversed twice; if so, the process ends, otherwise execute S203.
S203, obtain a target SYN packet from the training set, and execute S204 and S205 on the target packet at the same time.
S204, obtain the OS information in the target SYN packet.
S205, perform OS rule detection on the target SYN packet according to the initialized OS rules.
S206, judge whether the OS rules contain an OS rule that the target SYN packet matches; if so, return to S202, otherwise execute S207.
S207, according to the OS information in the target SYN packet obtained in S204, judge whether the values in the target packet of the fields corresponding to the fields of the OS rule dictionary format are identical; if so, return to S202, otherwise execute S208.
S208, update the OS rule dictionary format.
S209, delete the existing OS rule that causes erroneous detection and add the new OS rule to the OS rules, then return to S202.
In step S202 of the embodiment, the reason for checking whether the target SYN packets in the training set have been traversed twice is to iterate the OS rules repeatedly, so that the OS rule dictionary format of the final OS rules converges on the values of its fields while selecting only a limited number of fields, and can accurately identify the OS information in every SYN packet of the training set. Moreover, if the training set is sufficiently large, so that a stable OS rule set is obtained from it and the OS information in a target SYN packet can be detected accurately, the training set may be traversed only once and the resulting OS rules still regarded as valid. In actual operation it has also been verified that the OS rules obtained from a sufficiently large training set identify the OS of all SYN packets with very high accuracy, which improves the accuracy of identifying the OS to which a packet under detection belongs.
In step S206, determining that the OS rule set contains an OS rule satisfied by the target SYN packet comprises the following steps:
searching the OS rule set, according to the OS rule dictionary format of the packet under detection, for an OS rule whose OS rule dictionary format matches that of the packet, and determining the values of the fields of that matching dictionary format in the OS rule;
if the values of the packet's fields that correspond to the fields of the OS rule dictionary format are identical to the values of those fields in the matching OS rule, and the OS identifier of the packet is identical to the OS identifier of that OS rule, determining that the OS rule set contains an OS rule satisfied by the packet.
In the above embodiment, after it is determined that the OS rule set contains an OS rule satisfied by the target SYN packet and before returning to step S202, the method further comprises: writing the OS identifier of the matching OS rule into the packet, and adding the source IP of the packet, the OS identifier of the matching OS rule and the time at which it was written into the packet, bound together, to the correspondence table.
In step S208, the OS rule dictionary format is updated as follows:
if no OS rule holds values for the fields of the dictionary format matching the packet, or the values of the packet's fields corresponding to the dictionary format differ from the values of those fields in the matching OS rule, the two fields ranked next highest by weight in the Key value set are taken as the new OS rule dictionary format of the OS rule, and those two fields are removed from the Key value set; or
if the values of the packet's fields corresponding to the dictionary format are identical to the values of those fields in the matching OS rule, the field ranked next highest by weight in the Key value set is appended to the OS rule dictionary format as a new field, and that field is removed from the Key value set; the OS rule dictionary format of the OS rule is then updated according to the newly added field.
In step S209, when it is determined that no OS rule in the OS rule set is satisfied by the target SYN packet, the values of the target SYN packet's fields that correspond to the fields of the OS rule dictionary format are written into the fields of the dictionary format, the OS information of the target packet is bound to the dictionary format and its field values, and the result is added to the OS rule set as a new OS rule.
In the embodiment, the final OS rules are obtained by traversing the training set in succession, so that the OS rule dictionary format converges on the values of its fields while selecting only a limited number of fields and accurately identifies the OS information in every SYN packet of the training set, which improves the accuracy of identifying the OS to which a packet under detection belongs.
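The iteration of S201 to S209 described above, as an added Python example that is not the patent's own code: a labelled set of SYN feature vectors is traversed at most twice, a rule binds the dictionary format to field values and an OS label, and a collision (identical values under the current format but a rule of a different OS) appends the next Key field by weight and re-projects every rule onto the grown format. The Key field ranking, the feature names and values, the treatment of a field missing from a packet as a non-match, and the decision to refine the format on any collision with a rule of another OS (folding S207 into that check) are assumptions of this example.

```python
"""Iterative OS-rule construction from a labelled SYN training set (S201-S209).

Added example, not the patent's own code. The Key field ranking and the SYN
feature vectors are constructed for this example.
"""
from collections import namedtuple

# A rule binds a dictionary format (tuple of field names), the values of those
# fields, an OS label, and the SYN it came from (kept so the rule can be
# re-projected when the format grows).
Rule = namedtuple("Rule", "fields values os exemplar")

# Candidate Key fields ranked by weight, heaviest first (assumed ranking; the
# weighting itself belongs to an earlier step of the method).
KEY_SET = ["ttl", "win", "mss", "wscale", "df", "sack", "ts"]

# Constructed training set: TCP/IP header features of SYN segments with known OS.
TRAINING = [
    ({"ttl": 128, "win": 65535, "mss": 1460, "wscale": 8, "df": 1, "sack": 1, "ts": 0}, "Windows"),
    ({"ttl": 64, "win": 65535, "mss": 1460, "wscale": 7, "df": 1, "sack": 1, "ts": 1}, "Android"),
    ({"ttl": 64, "win": 65535, "mss": 1460, "wscale": 6, "df": 1, "sack": 1, "ts": 1}, "iOS"),
    ({"ttl": 128, "win": 8192, "mss": 1460, "wscale": 8, "df": 1, "sack": 1, "ts": 0}, "Windows"),
]


def values_for(msg, fields):
    """Project a SYN feature dict onto a dictionary format; a missing field gives None."""
    return tuple(msg.get(f) for f in fields)


def matching_rules(rules, fmt, msg):
    """S205: every rule whose format fields carry exactly the packet's values."""
    vals = values_for(msg, fmt)
    return [r for r in rules if r.fields == fmt and r.values == vals]


def detect_os(rules, fmt, msg):
    """Run-time use of the finished rules: an OS only when exactly one rule matches."""
    hits = matching_rules(rules, fmt, msg)
    return hits[0].os if len(hits) == 1 else None


def build_os_rules(training, key_set, max_passes=2):
    """Traverse the training set at most max_passes times (S202), refining the
    dictionary format (S208) and the rule set (S209). Returns (fmt, rules, passes)."""
    key_set = list(key_set)
    fmt = tuple(key_set[:2])  # S103: start from the two heaviest Key fields
    del key_set[:2]
    rules = []
    for msg, os_name in training:  # S106: one initial rule per OS label
        if not any(r.os == os_name for r in rules):
            rules.append(Rule(fmt, values_for(msg, fmt), os_name, msg))
    passes = 0
    for _ in range(max_passes):
        passes += 1
        changed = False
        for msg, os_name in training:  # S203/S204: next target SYN and its known OS
            while True:
                hits = matching_rules(rules, fmt, msg)
                if all(r.os == os_name for r in hits):
                    break  # S206: satisfied (also true when no rule matches at all)
                # S207/S208: identical values under a rule of another OS, so the
                # format is too coarse: append the next field by weight and
                # re-project every existing rule onto the new format (S209).
                if not key_set:
                    raise ValueError("Key set exhausted: training set not separable")
                fmt = fmt + (key_set.pop(0),)
                rules = [Rule(fmt, values_for(r.exemplar, fmt), r.os, r.exemplar) for r in rules]
                changed = True
            if not hits:  # S209: nothing matched, bind the packet's values to its OS
                rules.append(Rule(fmt, values_for(msg, fmt), os_name, msg))
                changed = True
        if not changed:
            break
    return fmt, rules, passes


def training_accuracy(training, fmt, rules):
    """Fraction of training SYNs whose OS the finished rule set identifies correctly."""
    correct = sum(detect_os(rules, fmt, m) == os_name for m, os_name in training)
    return correct / len(training)
```

With the constructed set the format grows from (ttl, win) to (ttl, win, mss, wscale) during the first traversal, because the Android and iOS samples coincide on the first three fields; the second traversal finds nothing to change, which is the convergence the text relies on. A packet that matches no rule, or more than one, is reported as unknown rather than guessed.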
The above embodiment obtains the refined OS rules. With the refined OS rules as a precondition, application protocol detection is performed on the packets that need to be detected; the process of application protocol detection on a packet is described below.
Two: application protocol detection on a packet under detection
Based on the refined OS rules obtained above, Figure 3 is a schematic diagram of a first application protocol detection method provided by an embodiment of the present invention.
S301: obtain the packet under detection;
S302: if the packet does not contain an operating system (OS) identifier, look up the OS identifier corresponding to the packet's source IP in the correspondence table of source Internet Protocol (IP) address to OS identifier;
S303: if the OS identifier corresponding to the packet's source IP is found in the correspondence table, write that OS identifier into the packet.
It should be noted that the correspondence table in the embodiment may be an OS hash table, but it is not limited to the form of OS hash table used in the embodiment; any other form capable of representing the correspondence is applicable to the embodiment.
Each entry of the OS hash table stores the source IP of the packet, the OS identifier and the OS update time, for example the source IP as src_ip, the OS identifier as os_id and the OS update time as os_upt_time. Here src_ip stores a hash value of the client-side source IP of each session, for both TCP and UDP packets; os_id is the OS platform determined after the most recent session containing src_ip was detected successfully (whether by OS rule detection or by OS hash table lookup); and os_upt_time is the time at which os_id was last written for a session containing src_ip.
Optionally, in step S303, after the OS identifier corresponding to the packet's source IP is found in the correspondence table, the OS identifier is written into the packet only if the duration between the OS update time bound to that OS identifier and the current time is less than the set duration; the OS update time bound to that OS identifier is then updated to the time at which the OS identifier was written into the packet.
In the above embodiment, it can be assumed that the operating system used by a source IP inside the local area network is stable over a period of time, that is, a user does not switch operating systems frequently on one source IP. It can therefore be asserted that the information stored for each packet in the OS hash table is valid within the set duration; for example, the set duration may be current_time - os_upt_time < 40s.
Optionally, in step S303, after the OS identifier corresponding to the packet's source IP is found in the correspondence table, if it is determined that the duration between the OS update time bound to that OS identifier and the current time exceeds the set duration, the OS identifier found is determined to be invalid.
In the above embodiment, if the duration between the OS update time at which the found OS identifier was written into a packet and the current time exceeds the set duration, that is, the duration does not fall within current_time - os_upt_time < 40s, the OS identifier found is determined to be invalid and detection continues with the next packet.
In the above embodiment, during the period immediately after the detection engine is started the OS hash table contains no entries such as the OS identifiers corresponding to the source IPs of packets, so during that period OS rule detection is performed on most of the TCP traffic in the local area network, and the source IP src_ip, OS identifier os_id and OS update time os_upt_time obtained for each packet are inserted into the OS hash table as one entry. After a period of time (normally on the order of seconds) most of the online source IPs in the local area network have completed OS detection and the information in the OS hash table stabilises. From then on the OS of the packets of both TCP sessions and UDP sessions in the local area network is determined mainly by looking up the OS hash table, while the os_upt_time of each entry is continuously refreshed; only those packets whose entry fails the os_upt_time check, or whose session is not yet in the OS hash table, undergo OS rule detection. This greatly improves the performance of the detection engine, avoids the costly detection process on every packet, and at the same time completes OS detection for UDP traffic, greatly improving the accuracy of identifying the OS to which a packet belongs.
Figure 4 is a schematic diagram of a second application protocol detection method provided by an embodiment of the present invention.
S401: obtain the packet under detection;
S402: perform transport layer protocol detection on the packet;
S403: judge whether the packet is a UDP packet; if so, execute step S404, otherwise execute step S410;
S404: judge whether an OS identifier has already been written into the packet; if so, the detection process ends, otherwise execute S405;
S405: look up, according to the source IP of the packet, the OS identifier corresponding to that source IP in the correspondence table;
S406: judge whether the lookup of the OS identifier corresponding to the packet's source IP in the correspondence table succeeded; if so, execute S407, otherwise execute S409;
S407: write the OS identifier found in the correspondence table for the packet's source IP into the packet;
S408: update the OS update time bound to the OS identifier found for the packet's source IP according to the time at which the OS identifier was written into the packet, and update the correspondence table;
S409: write an OS detection failure identifier into the packet;
S410: judge whether the packet is a TCP packet; if so, execute S404 to S408, otherwise end the detection process;
S411: if the packet is a TCP packet and the lookup of the correspondence table in step S406 fails, execute S411 instead of S409: judge whether the packet is a SYN packet; if so, execute S412, otherwise execute S409;
S412: perform OS rule detection on the SYN packet according to the OS rules;
S413: judge whether the detection of the packet succeeded; if so, execute step S414, otherwise execute S409;
S414: write the OS identifier detected by the OS rules for the packet's source IP into the packet;
S415: bind the time at which the OS identifier was written, as the OS update time, to the OS identifier corresponding to the packet's source IP, and insert this binding into the correspondence table.
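The run-time path of Figure 4 together with the OS hash table described above (entries of src_ip, os_id and os_upt_time, valid while current_time - os_upt_time < 40s), as an added Python example that is not the patent's own code. The packet trace, the SHA-256 hashing of the source IP, the class name OsHashTable and the three-entry SYN rule table standing in for the refined OS rules are constructed for this example; as in the text, UDP packets and non-SYN TCP packets are served from the table only, and only a TCP SYN goes to rule detection.

```python
"""OS lookup through an OS hash table keyed by source IP, with rule detection
for TCP SYN packets only (Figure 4, S401-S415).

Added example, not the patent's own code. The packet trace, the hashing of
src_ip and the tiny SYN rule table are constructed for this example.
"""
import hashlib

OS_VALID_SECONDS = 40  # an entry is valid while current_time - os_upt_time < 40s

# Constructed stand-in for the refined OS rules: (ttl, win, wscale) -> os_id.
SYN_RULES = {(128, 65535, 8): "windows", (64, 65535, 7): "android", (64, 65535, 6): "ios"}

OS_DETECT_FAILED = "os_detect_failed"  # S409 marker written into the packet


def ip_key(src_ip):
    """src_ip is stored as a hash of the client's address, not the address itself."""
    return hashlib.sha256(src_ip.encode()).hexdigest()[:16]


class OsHashTable:
    """Maps hashed src_ip -> {os_id, os_upt_time}."""

    def __init__(self, valid_seconds=OS_VALID_SECONDS):
        self.entries = {}
        self.valid_seconds = valid_seconds

    def lookup(self, src_ip, now):
        """S405/S406: os_id if the entry exists and is still fresh, else None."""
        entry = self.entries.get(ip_key(src_ip))
        if entry is None or now - entry["os_upt_time"] >= self.valid_seconds:
            return None  # absent or stale: the identifier is invalid
        return entry["os_id"]

    def update(self, src_ip, os_id, now):
        """S408/S415: bind os_id to the time it was written (insert or refresh)."""
        self.entries[ip_key(src_ip)] = {"os_id": os_id, "os_upt_time": now}


def classify_packet(pkt, table, now, syn_rules=SYN_RULES):
    """One pass of Figure 4 over a packet dict. Returns the os_id written into the
    packet, or None when the transport protocol is neither UDP nor TCP."""
    if pkt["proto"] not in ("udp", "tcp"):  # S403/S410: nothing to do
        return None
    if pkt.get("os_id"):                    # S404: already labelled
        return pkt["os_id"]
    os_id = table.lookup(pkt["src_ip"], now)
    if os_id is not None:                   # S406 success
        pkt["os_id"] = os_id                # S407
        table.update(pkt["src_ip"], os_id, now)  # S408: refresh os_upt_time
        return os_id
    if pkt["proto"] == "tcp" and pkt.get("syn"):  # S411: only a SYN carries the fingerprint
        os_id = syn_rules.get((pkt["ttl"], pkt["win"], pkt["wscale"]))  # S412
        if os_id is not None:               # S413 success
            pkt["os_id"] = os_id            # S414
            table.update(pkt["src_ip"], os_id, now)  # S415: insert the binding
            return os_id
    pkt["os_id"] = OS_DETECT_FAILED         # S409
    return OS_DETECT_FAILED


# Constructed trace (t in seconds) for one fingerprinted host and one unknown host.
TRACE = [
    {"t": 0, "src_ip": "10.0.0.5", "proto": "tcp", "syn": True, "ttl": 128, "win": 65535, "wscale": 8},
    {"t": 5, "src_ip": "10.0.0.5", "proto": "udp"},                 # served from the table
    {"t": 30, "src_ip": "10.0.0.5", "proto": "tcp", "syn": False},  # non-SYN TCP, refreshes os_upt_time
    {"t": 75, "src_ip": "10.0.0.5", "proto": "udp"},                # 45 s since the refresh: stale
    {"t": 76, "src_ip": "10.0.0.9", "proto": "udp"},                # never fingerprinted
    {"t": 77, "src_ip": "10.0.0.5", "proto": "tcp", "syn": True, "ttl": 128, "win": 65535, "wscale": 8},
]


def run_trace(packets, table):
    """Classify copies of the packets in time order; returns one decision per packet."""
    return [classify_packet(dict(p), table, p["t"]) for p in packets]


if __name__ == "__main__":
    tbl = OsHashTable()
    for p, decision in zip(TRACE, run_trace(TRACE, tbl)):
        print(p["t"], p["src_ip"], p["proto"], "->", decision)
```

Running the trace shows the warm-up behaviour described in the text: the first SYN goes through rule detection and populates the table, the following UDP and non-SYN TCP packets are answered from the table and each answer refreshes os_upt_time, the UDP packet arriving 45 s after the last refresh fails because only a SYN can re-populate the entry, and the next SYN repairs it.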
In the above embodiment, a packet under detection is obtained; if the packet does not contain an OS identifier, the OS identifier corresponding to the packet's source IP is looked up in the correspondence table of source IP to OS identifier; and if it is found there, it is written into the packet. Because the OS identifier is looked up in the correspondence table whenever the packet does not already carry one, and the identifier found is written into the packet, the OS identifier corresponding to the packet's source IP can be obtained accurately, the costly detection process on the packet is avoided, and the accuracy of identifying the OS to which the packet belongs is greatly improved.
Based on the same technical idea, an embodiment of the present invention provides a device for application protocol detection that can execute the above method embodiments. Figure 5 is a structural diagram of a device for application protocol detection provided by an embodiment of the present invention.
The device for application protocol detection provided by an embodiment of the present invention comprises:
an obtaining module S501, configured to obtain the packet under detection;
a searching module S502, configured to, if the packet does not contain an OS identifier, look up the OS identifier corresponding to the packet's source IP in the correspondence table of source IP to OS identifier;
a writing module S503, configured to, if the OS identifier corresponding to the packet's source IP is found in the correspondence table, write that OS identifier into the packet.
Optionally, the writing module S503 is further configured to:
after the OS identifier corresponding to the packet's source IP is found in the correspondence table, determine that the duration between the OS update time bound to that OS identifier and the current time is less than the set duration.
Optionally, the writing module S503 is further configured to:
after the OS identifier corresponding to the packet's source IP has been written into the packet, update the OS update time bound to that OS identifier according to the time at which the OS identifier was written into the packet.
Optionally, the writing module S503 is further configured to:
if it is determined that the duration between the OS update time bound to the OS identifier corresponding to the packet's source IP and the current time exceeds the set duration, determine that the OS identifier found is invalid.
Optionally, the device further comprises:
a judging module, configured to, if the OS identifier corresponding to the packet's source IP is not found in the correspondence table of source IP to OS identifier, or the OS identifier found is determined to be invalid, judge whether the TCP packet is a synchronise sequence number (SYN) packet;
a binding module, configured to, if the TCP packet is a SYN packet and the OS rule set contains an OS rule satisfied by the packet, write the OS identifier of the matching OS rule into the packet, and add the source IP of the packet, the OS identifier of the matching OS rule and the time at which it was written into the packet, bound together, to the correspondence table.
Optionally, the binding module is specifically configured to:
search the OS rule set, according to the OS rule dictionary format of the packet, for an OS rule whose OS rule dictionary format matches that of the packet, and determine the values of the fields of that matching dictionary format in the OS rule;
if the values of the packet's fields that correspond to the fields of the OS rule dictionary format are identical to the values of those fields in the matching OS rule, and the OS identifier of the packet is identical to the OS identifier of that OS rule, determine that the OS rule set contains an OS rule satisfied by the packet.
Optionally, the binding module is specifically configured to:
judge whether the OS rule set contains an OS rule satisfied by the target SYN packet in the training set;
if so, take the next SYN packet as the target SYN packet and return to the step of judging whether the OS rule set contains an OS rule satisfied by the target SYN packet in the training set;
if not, write the values of the target SYN packet's fields that correspond to the fields of the OS rule dictionary format into the fields of the dictionary format, bind the OS information of the target packet to the dictionary format and its field values, and add the result to the OS rule set.
Optionally, the binding module is specifically configured to:
if no OS rule holds values for the fields of the dictionary format matching the packet, or the values of the packet's fields corresponding to the dictionary format differ from the values of those fields in the matching OS rule, take the two fields ranked next highest by weight in the Key value set as the new OS rule dictionary format of the OS rule, and remove those two fields from the Key value set; or
if the values of the packet's fields corresponding to the dictionary format are identical to the values of those fields in the matching OS rule, append the field ranked next highest by weight in the Key value set to the OS rule dictionary format as a new field, remove that field from the Key value set, and update the OS rule dictionary format of the OS rule according to the newly added field.
In the above embodiment, a packet under detection is obtained; if the packet does not contain an OS identifier, the OS identifier corresponding to the packet's source IP is looked up in the correspondence table of source IP to OS identifier; and if it is found there, it is written into the packet. Because the OS identifier is looked up in the correspondence table whenever the packet does not already carry one, and the identifier found is written into the packet, the OS identifier corresponding to the packet's source IP can be obtained accurately, the costly detection process on the packet is avoided, and the accuracy of identifying the OS to which the packet belongs is greatly improved.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, a special purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means that implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is executed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art may make additional changes and modifications to these embodiments once they know the basic inventive concept. Therefore the appended claims are intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these modifications and variations.