CN106161098B - Network behavior detection method and device - Google Patents

Network behavior detection method and device

Info

Publication number
CN106161098B
Authority
CN
China
Legal status
Active
Application number
CN201610579391.6A
Other languages
Chinese (zh)
Other versions
CN106161098A (en)
Inventor
黄勇
周安民
崔凯铜
欧晓聪
彭华
Current Assignee
Sichuan Silent Information Technology Co Ltd
Original Assignee
Sichuan Silent Information Technology Co Ltd
Priority application
CN201610579391.6A (application granted)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/147 Network analysis or design for predicting network behaviour

Abstract

The present invention provides a network behavior detection method and device in the field of network auditing. The method and device open multiple buffers in memory with a horizontally expanded capture-buffer technique, achieving high-speed data capture in a 10 Gbit/s (10-gigabit) network environment; construct a network communication behavior feature knowledge base on a tree-shaped logical model; and, by parsing that knowledge base into four dictionary trees corresponding respectively to the data link layer, network layer, transport layer and application layer and establishing a deterministic finite automaton for each of them, improve the AC-BM multi-pattern matching algorithm so that network communication behavior features are matched quickly. Compared with traditional packet inspection and data auditing techniques, this network behavior detection method and device achieve higher feature-matching efficiency and lower algorithmic complexity, and the knowledge base design is more rational and easier to upgrade and extend.

Description

Network behavior detection method and device
Technical field
The present invention relates to the field of network auditing, and in particular to a network behavior detection method and device.
Background technique
With the development of network technology, new kinds of network applications emerge one after another. At the same time, network scale is expanding sharply and network bandwidth keeps growing, so identifying network applications and network communication behavior in high-speed networks has become a new requirement in the field of network auditing. The detection methods commonly used in the industry today either rely on dedicated hardware to capture data from high-speed networks and analyze network communication behavior, or use the traditional "message feature" matching approach, in which the features in a rule feature library are matched one after another. The former has high hardware cost and a long development cycle and is unfavorable to secondary development and extension; the latter has low algorithmic efficiency, high time and space complexity, and an unreasonable feature library design that is unfavorable to upgrading and extension.
Summary of the invention
In view of this, the present invention provides a network behavior detection method and device.
In one aspect, preferred embodiments of the present invention provide a network behavior detection method. The method comprises: capturing network packets; analyzing network communication behavior features and constructing a network communication behavior feature knowledge base using a tree-shaped logical model; parsing the network communication behavior feature knowledge base and, according to the parsing result, establishing a communication behavior feature dictionary tree corresponding to each of the data link layer, network layer, transport layer and application layer; establishing a deterministic finite automaton for each communication behavior feature dictionary tree; and performing protocol parsing on the captured network packets and, using a multi-pattern matching algorithm, matching the byte streams to be matched that the parsing yields for the data link layer, network layer, transport layer and application layer against the communication behavior feature dictionary tree of the corresponding protocol layer, to obtain the network behavior detection result of the packet.
In another aspect, preferred embodiments of the present invention provide a network behavior detection device. The device comprises: a data capture module for capturing network packets; a knowledge base construction module for analyzing network communication behavior features and constructing a network communication behavior feature knowledge base using a tree-shaped logical model; a dictionary tree establishing module for parsing the network communication behavior feature knowledge base and, according to the parsing result, establishing a communication behavior feature dictionary tree corresponding to each of the data link layer, network layer, transport layer and application layer; an automaton establishing module for establishing a deterministic finite automaton for each communication behavior feature dictionary tree; and a matching module for performing protocol parsing on the captured network packets and, using a multi-pattern matching algorithm, matching the byte streams to be matched that the parsing yields for the data link layer, network layer, transport layer and application layer against the communication behavior feature dictionary tree of the corresponding protocol layer, to obtain the network behavior detection result of the packet.
The network behavior detection method and device provided by the present invention open multiple buffers with a horizontally expanded capture-buffer technique, achieving high-speed data capture in a 10 Gbit/s (10-gigabit) network environment; construct a network communication behavior feature knowledge base on a tree-shaped logical model; and, by establishing a deterministic finite automaton for each of the four dictionary trees obtained by parsing the knowledge base, corresponding respectively to the data link layer, network layer, transport layer and application layer, improve the AC-BM multi-pattern matching algorithm so that network communication behavior features are matched quickly. Compared with traditional packet inspection and data auditing techniques, this network behavior detection method and device achieve higher feature-matching efficiency and lower algorithmic complexity, and the knowledge base design is more rational and easier to upgrade and extend.
Detailed description of the invention
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings illustrate only certain embodiments of the present invention and are therefore not to be construed as limiting its scope; those of ordinary skill in the art can obtain other relevant drawings from these drawings without creative effort.
Fig. 1 is a schematic block diagram of a data processing device provided by a preferred embodiment of the present invention;
Fig. 2 is a flowchart of a network behavior detection method provided by a preferred embodiment of the present invention;
Fig. 3 is a schematic block diagram of the data capture process in the network behavior detection method shown in Fig. 2;
Fig. 4 is a schematic diagram of the tree-shaped logical knowledge base in the network behavior detection method shown in Fig. 2;
Fig. 5 is a schematic diagram of feature matching performed on network packets in the network behavior detection method shown in Fig. 2;
Fig. 6 is a functional block diagram of the network behavior detection device provided by a preferred embodiment of the present invention.
Reference numerals:
Specific embodiment
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the drawings may be arranged and designed in a variety of different configurations.
It should also be noted that similar reference numerals and letters denote similar items in the following drawings; once an item is defined in one drawing, it need not be further defined and explained in subsequent drawings.
Therefore, the following detailed description of the embodiments of the present invention provided in the drawings is not intended to limit the claimed scope of the present invention, but merely represents selected embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
As shown in Fig. 1, a data processing device 100 provided by this preferred embodiment includes a memory 200, a processor 300 and a network behavior detection device 400. The data processing device 100 may be a computer or any other computing device with data processing capability.
The memory 200 and the processor 300 are electrically connected, directly or indirectly, to transmit or exchange data; for example, the connection may be made through one or more communication buses or signal lines. The network behavior detection device 400 includes at least one software function module that is stored in the memory 200 in the form of software or firmware, or is built into the operating system (OS) of the data processing device 100. The processor 300 executes the executable modules stored in the memory 200, such as the software function modules or computer programs that make up the network behavior detection device 400. After receiving an execution instruction, the processor 300 executes the functional module or program; the method performed by the server defined by the flow disclosed in any embodiment of the present invention below may be applied in, or implemented by, the processor 300.
Referring to Fig. 2, which is a flowchart of the network behavior detection method provided by preferred embodiments of the present invention. It should be noted that the method of the present invention is not limited to Fig. 2 or to the specific order shown below. The flow and steps shown in Fig. 2 are described in detail below.
Step S101: capture network packets.
First, multiple buffers are opened in memory using the horizontally expanded capture-buffer technique to store packets, so that excessive instantaneous traffic does not cause packet loss. Then a thread control manager uses thread synchronization to control the data capture thread and the data analysis thread, achieving data capture on a high-speed network.
Specifically, as shown in Fig. 3, the "data storage array space" denotes the multiple buffers that the application opens in memory for storing packets; each buffer can hold one packet. The "data capture serial number queue" stores the serial numbers of the buffers that can currently be written with data, and the "analysis data serial number queue" stores the serial numbers of the buffers whose data can currently be written to disk. The data capture thread captures, from the communication channel and using a zero-copy technique, the 10-gigabit network content that has passed filtering. Before reading the captured network data, it obtains from the data capture serial number queue at least one target buffer available for storage (that is, an empty buffer, or one whose data has already been written to disk). After the data has been written to the target buffer, the serial number of that buffer is deleted from the data capture serial number queue and added to the analysis data serial number queue, so that the analysis thread can write the buffer's data to disk. The data analysis thread cyclically traverses the analysis data serial number queue; whenever the queue contains the serial number of a buffer to be written to disk, it writes that buffer's data to disk, deletes the serial number from the analysis data serial number queue, and adds it to the data capture serial number queue.
The benefit of this packet capture method is that packets collected from the network card can be written into buffers in time, so that network packets are not lost because a slow buffer writer lets new packets overwrite data that has not yet been written out of the buffer. In the capture method of libpcap, the common packet capture development kit under the traditional Linux environment, there is only one data buffer; when network traffic is heavy, packets in kernel space that are not written to the buffer in time are covered by new packets, causing serious packet loss. Therefore, compared with traditional capture methods, the horizontally expanded capture-buffer method effectively improves data capture efficiency and is suitable for data capture in high-speed network environments (such as 10,000 Mbit/s Ethernet, i.e. 10-Gigabit Ethernet).
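The buffer pool and the two serial-number queues of step S101, as an added illustration that is not part of the patent (names such as CaptureBufferPool, analyze_once and simulate are this example's own). The capture thread and the analysis thread are interleaved sequentially in a constructed bursty workload, so the packet loss of a single buffer versus several buffers can be compared deterministically; a real implementation would run them as threads with synchronized queues.

```python
from collections import deque

class CaptureBufferPool:
    """Memory buffers plus the two serial-number queues of step S101:
    capture_queue holds the serial numbers of buffers the capture thread may
    write into; analysis_queue holds those the analysis thread must flush."""

    def __init__(self, buffer_count: int):
        self.buffers = [None] * buffer_count
        self.capture_queue = deque(range(buffer_count))  # all empty at start
        self.analysis_queue = deque()
        self.disk = []  # stand-in for the on-disk packet store
        self.dropped = 0

    def capture(self, packet: bytes) -> bool:
        """Capture thread: store one packet, or report a loss if no buffer is
        free. A single-buffer libpcap-style capture loses the unflushed packet
        by overwriting it; either way one packet is lost per overflow."""
        if not self.capture_queue:
            self.dropped += 1
            return False
        serial = self.capture_queue.popleft()
        self.buffers[serial] = packet
        self.analysis_queue.append(serial)
        return True

    def analyze_once(self) -> int:
        """Analysis thread: one traversal of the analysis queue, flushing each
        filled buffer to disk and handing its serial number back to the
        capture queue. Returns the number of buffers flushed."""
        flushed = 0
        while self.analysis_queue:
            serial = self.analysis_queue.popleft()
            self.disk.append(self.buffers[serial])
            self.buffers[serial] = None
            self.capture_queue.append(serial)
            flushed += 1
        return flushed

def simulate(buffer_count: int, bursts: list) -> dict:
    """Constructed workload: each entry of `bursts` is the number of packets
    that arrive before the analysis thread is scheduled once. The two threads
    are interleaved sequentially here, so the result is deterministic."""
    pool = CaptureBufferPool(buffer_count)
    total = 0
    for burst_index, size in enumerate(bursts):
        for k in range(size):
            pool.capture(f"burst{burst_index}-pkt{k}".encode())  # constructed
            total += 1
        pool.analyze_once()
    return {"arrived": total, "stored": len(pool.disk), "dropped": pool.dropped}
```

With one buffer every packet beyond the first of a burst is lost; with at least as many buffers as the largest burst nothing is lost.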
Step S103: analyze network communication behavior features, and construct a network communication behavior feature knowledge base using a tree-shaped logical model.
The operating mechanism of network software is studied with reverse engineering and tracking techniques, and the communication behavior features of the network software are analyzed with statistical analysis of network traffic data, establishing the network communication behavior feature knowledge base.
Specifically, suppose a network communication behavior sample is denoted x_i. The feature items of the behavior can be determined to include the five-tuple of the network data, the network protocol, the number of packets, the packet sizes, dynamic feature strings, static feature strings and so on, denoted in turn v_1, v_2, v_3, ..., v_n. Combined through a certain logical relation, these feature items determine the network communication behavior x_i, expressed as:
x_i = f_i(v_1, v_2, v_3, ..., v_n)
where the logical function f_i contains logical relations and expressions such as "AND" and "OR". In this way, the network communication behavior feature knowledge base consists of a number of distinct network behavior samples x_i and logical functions f_i; see the illustrative tree-shaped compound logical knowledge base model shown in Fig. 4.
The network communication behavior feature knowledge base built on the tree-shaped logical model provides a multi-level structure that is easy to extend: it supports adding different combinations of behavior features to a behavior, where each combination may include features of the MAC layer, IP layer, transport layer and application layer; it supports both fixed-length and variable-length feature strings; it supports feature strings with non-fixed offsets and with wildcards; and it supports adding multiple network behaviors under the same software.
Step S105: parse the network communication behavior feature knowledge base and, according to the parsing result, establish a communication behavior feature dictionary tree corresponding to each of the data link layer, network layer, transport layer and application layer.
Parsing the network communication behavior feature knowledge base yields multiple feature pattern strings corresponding respectively to the data link layer, network layer, transport layer and application layer. The feature pattern strings of the different protocol layers are stored in separate trees, giving a communication behavior feature dictionary tree for each protocol layer. Each dictionary tree has the following characteristics:
1) the root node contains no character, and every node other than the root contains exactly one character;
2) each node contains an array of pointers ptr[256] of length 256 pointing to its child nodes; if the character of a node is P[i], then ptr[P[i+1]] stores the pointer to the child node that stores P[i+1];
3) a node may have 0, 1 or more child nodes, and contains a flag bit marking whether a pattern string has been matched when the node is reached.
If a dictionary tree is used directly for feature matching, a mismatch at some byte requires matching to restart at the byte following the first matched byte. Assuming the longest feature pattern string has length L and the byte stream to be matched has length N, the cost of matching is N*L, and matching efficiency is low. Therefore a deterministic finite automaton (DFA) is established on the dictionary tree to improve matching efficiency; see the detailed description of step S107 below.
Step S107: establish a deterministic finite automaton for each communication behavior feature dictionary tree.
For each node in the communication behavior feature dictionary tree, record the substring of the feature pattern string corresponding to the node, that is, the path walked from the root node to that node, and let the suffix substring of this substring point to the other node located at the same level as the parent of the current node. When matching fails at the current node, the target node to jump to is looked up according to the input byte to be matched and the suffix substring of the substring corresponding to the current node.
Specifically, the DFA is constructed top-down by a breadth-first traversal of the dictionary tree: first the next state of the root node for every possible input is computed, then the next states of all child nodes of the root, then the next states of the third-level nodes, and so on. This guarantees that, when the next states of the current node are computed, the node corresponding to its suffix substring lies at the same level as the parent of the current node and has therefore already been processed. For a node whose next states have been computed, every possible input yields the pointer to the node of the corresponding next state.
Step S109: perform protocol parsing on the captured network packets and, using a multi-pattern matching algorithm, match the byte streams to be matched obtained after protocol parsing, corresponding respectively to the data link layer, network layer, transport layer and application layer, against the communication behavior feature dictionary tree of the corresponding protocol layer, to obtain the network behavior detection result of the packet.
Referring to Fig. 5, a schematic diagram of multi-pattern matching on a network packet: a packet that has been written to disk is read back, protocol parsing is performed on it to obtain the starting position and length, within the packet, of the byte stream to be matched for each of the data link layer, network layer, transport layer and application layer, and AC-BM multi-pattern matching is then performed against the dictionary tree of the corresponding layer on which the deterministic finite automaton has been established, giving the network communication behavior detection result of the packet.
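The following is an added worked example, not code from the patent, covering steps S103 to S109 together: a small tree-shaped knowledge base whose behaviours are AND/OR combinations of per-layer byte-string features, one dictionary tree per protocol layer with a 256-entry transition table per node (the patent's ptr[256]) and a matched-flag set, the breadth-first completion of each tree into a DFA by suffix links, and a single-pass match of the per-layer byte streams of a parsed packet. The class and function names, the simplified fixed-offset protocol parse, the sample packet and the "chatapp" behaviour are all this example's own assumptions; it implements the Aho-Corasick-style DFA only, without the Boyer-Moore skipping of AC-BM, and supports neither wildcards nor non-fixed offsets.

```python
from collections import deque

LAYERS = ("link", "network", "transport", "application")

class LayerAutomaton:
    """Dictionary tree for one protocol layer, completed into a DFA: each node
    has a 256-entry table (the patent's ptr[256]) and a set of matched ids."""

    def __init__(self):
        self.next = [[-1] * 256]  # -1: transition not yet defined
        self.output = [set()]  # pattern ids ending at each node (the flag bit)
        self.pattern_count = 0

    def add_pattern(self, pattern: bytes) -> int:
        node = 0
        for byte in pattern:
            if self.next[node][byte] == -1:
                self.next[node][byte] = len(self.next)
                self.next.append([-1] * 256)
                self.output.append(set())
            node = self.next[node][byte]
        pid = self.pattern_count
        self.pattern_count += 1
        self.output[node].add(pid)
        return pid

    def build(self) -> None:
        """Breadth-first pass (step S107): each undefined transition is copied
        from the suffix node (deepest node whose path is a proper suffix of this
        node's path); parents finish before children, so that row is complete."""
        suffix, queue = [0] * len(self.next), deque()
        for byte in range(256):
            if self.next[0][byte] == -1:
                self.next[0][byte] = 0  # a miss at the root stays at the root
            else:
                queue.append(self.next[0][byte])
        while queue:
            node = queue.popleft()
            self.output[node] |= self.output[suffix[node]]
            for byte in range(256):
                child = self.next[node][byte]
                if child == -1:
                    self.next[node][byte] = self.next[suffix[node]][byte]
                else:
                    suffix[child] = self.next[suffix[node]][byte]
                    queue.append(child)

    def match(self, data: bytes) -> set:
        state, found = 0, set()  # one table lookup per byte, no re-reading
        for byte in data:
            state = self.next[state][byte]
            found |= self.output[state]
        return found

class KnowledgeBase:
    """Tree-shaped logical model x_i = f_i(v_1, ..., v_n): a feature (layer,
    alternatives) holds when any alternative matches in that layer (OR); a
    behaviour fires when all of its features hold (AND)."""

    def __init__(self):
        self.automata = {layer: LayerAutomaton() for layer in LAYERS}
        self.behaviors = []  # (name, [(layer, {pattern ids}), ...])

    def add_behavior(self, name: str, features) -> None:
        terms = [(layer, {self.automata[layer].add_pattern(p) for p in alts})
                 for layer, alts in features]
        self.behaviors.append((name, terms))

    def build(self) -> None:
        for automaton in self.automata.values():
            automaton.build()

    def detect(self, streams: dict) -> list:
        """streams maps each layer name to its byte stream (step S109)."""
        hits = {layer: self.automata[layer].match(streams.get(layer, b""))
                for layer in LAYERS}
        return [name for name, terms in self.behaviors
                if all(ids & hits[layer] for layer, ids in terms)]

def split_layers(packet: bytes) -> dict:
    """Constructed, simplified parse: Ethernet II 14, IPv4 20, TCP 20, payload."""
    return {"link": packet[:14], "network": packet[14:34],
            "transport": packet[34:54], "application": packet[54:]}

def sample_packet(dst_port: int, payload: bytes) -> bytes:
    """Constructed frame 10.0.0.5 -> 192.168.1.10; lengths and checksums zeroed."""
    ip = bytes.fromhex("4500000000004000400600000a000005c0a8010a")
    tcp = bytes.fromhex("9c40") + dst_port.to_bytes(2, "big") + bytes(16)
    return bytes.fromhex("00112233445566778899aabb0800") + ip + tcp + payload

def build_sample_kb() -> KnowledgeBase:
    kb = KnowledgeBase()  # constructed behaviour of a hypothetical client
    kb.add_behavior("chatapp_login", [
        ("network", (bytes([192, 168, 1, 10]),)),  # server address
        ("transport", (b"\x00\x50", b"\x1f\x90")),  # TCP port 80 OR 8080
        ("application", (b"LOGIN ",)), ("application", (b"proto=v2",))])
    kb.build()
    return kb
```

Matching each layer's byte stream is a single pass with one table lookup per byte, and the behaviour is reported only when its AND/OR feature logic is satisfied across layers.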
Referring to Fig. 6, which is a functional block diagram of the network behavior detection device 400 provided by preferred embodiments of the present invention. The network behavior detection device 400 includes a data capture module 410, a knowledge base construction module 420, a dictionary tree establishing module 430, an automaton establishing module 440 and a matching module 450. Each functional module shown in Fig. 6 is described in detail below.
The data capture module 410 is used to capture network packets. Specifically, the data capture module 410 may be used to execute step S101 shown in Fig. 2; for the specific operating method, refer to the detailed description of step S101 above.
The knowledge base construction module 420 is used to analyze network communication behavior features and to construct a network communication behavior feature knowledge base using a tree-shaped logical model. Specifically, the knowledge base construction module 420 may be used to execute step S103 shown in Fig. 2; for the specific operating method, refer to the detailed description of step S103 above.
The dictionary tree establishing module 430 is used to parse the network communication behavior feature knowledge base and, according to the parsing result, establish a communication behavior feature dictionary tree corresponding to each of the data link layer, network layer, transport layer and application layer. Specifically, the dictionary tree establishing module 430 may be used to execute step S105 shown in Fig. 2; for the specific operating method, refer to the detailed description of step S105 above.
The automaton establishing module 440 is used to establish a deterministic finite automaton for each communication behavior feature dictionary tree. Specifically, the automaton establishing module 440 may be used to execute step S107 shown in Fig. 2; for the specific operating method, refer to the detailed description of step S107 above.
The matching module 450 is used to perform protocol parsing on the captured network packets and, using a multi-pattern matching algorithm, match the byte streams to be matched obtained after protocol parsing, corresponding respectively to the data link layer, network layer, transport layer and application layer, against the communication behavior feature dictionary tree of the corresponding protocol layer, to obtain the network behavior detection result of the network packet. Specifically, the matching module 450 may be used to execute step S109 shown in Fig. 2; for the specific operating method, refer to the detailed description of step S109 above.
In conclusion network behavior detection method and device provided by the invention, pass through lateral magnification acquisition buffer area skill Art opens up multiple buffering area, realizes the high-speed data acquisition under 10,000,000,000 network environments, and construct network based on tree-shaped logical model Communication behavior feature knowledge library, and data are corresponded respectively to by four obtained after parsing to communication behavior feature knowledge library Link layer, network layer, transport layer and application layer dictionary tree establish deterministic stresses and improve multi-pattern matching algorithm AC- BM realizes the Rapid matching of network communication behavioural characteristic.This kind of network behavior detection method and device, relative to traditional data Packet detection and Data Audit technology have higher characteristic matching efficiency and lower algorithm complexity, and the design of knowledge base More rationally, it is conducive to upgrading and extension.
In the several embodiments provided herein, it should be understood that the disclosed device and method may also be implemented in other ways. The device embodiments described above are merely illustrative. For example, the flowcharts and block diagrams in the drawings show the possible architecture, functions and operation of the devices, methods and computer program products of multiple embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions marked in the blocks may occur in an order different from that marked in the drawings; for example, two consecutive blocks may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and each combination of blocks, may be implemented by a dedicated hardware-based system that performs the specified function or action, or by a combination of dedicated hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated together to form one independent part, or each module may exist separately, or two or more modules may be integrated to form one independent part.
If the functions are implemented in the form of software function modules and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the method described in the embodiments of the present invention.
It should be noted that the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the invention; for those skilled in the art, the invention may be modified and varied in various ways. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. a kind of network behavior detection method, which is characterized in that this method comprises:
Capture network packet;
Network communication behavioural characteristic is analyzed, and network communication behavioural characteristic knowledge base is constructed using tree-shaped logical model;
Parse the network communication behavioural characteristic knowledge base, with according to parsing result respectively in data link layer, network layer, transmission Layer and application layer establish communication behavior characteristics dictionary tree corresponding with the protocol layer;
Deterministic stresses are established each described communication behavior characteristics dictionary tree;And
Protocol analysis, the difference that will be obtained after protocol analysis using multi-pattern matching algorithm are carried out to the network packet captured Corresponding data link layer, network layer, transport layer and the byte stream to be matched of application layer and the communication behavior of the protocol layer are special Sign dictionary tree is matched, and the network behavior testing result of the network packet is obtained.
2. network behavior detection method according to claim 1, which is characterized in that the step of the capture network packet Include:
Open up multiple buffering area;
Network data is acquired from the communication channel of high speed Ethernet using zero duplication technology;And
The write-in of collected network data is passed through at least one mesh in the multiple buffer area that preset algorithm is calculated Mark buffer area.
3. The network behavior detection method according to claim 1, characterized in that the step of parsing the network communication behavior feature knowledge base and, according to the parsing result, establishing at the data link layer, network layer, transport layer and application layer respectively a communication behavior feature dictionary tree corresponding to that protocol layer comprises:
parsing the network communication behavior feature knowledge base to obtain multiple feature pattern strings corresponding respectively to the data link layer, network layer, transport layer and application layer; and
storing the feature pattern strings corresponding to the different protocol layers respectively in tree form, so as to obtain the communication behavior feature dictionary tree corresponding to each protocol layer.
4. The network behavior detection method according to claim 3, characterized in that the step of establishing a deterministic finite automaton for each communication behavior feature dictionary tree comprises:
recording, for each node in the communication behavior feature dictionary tree, the substring of the feature pattern string corresponding to that node, the suffix substring of that substring pointing to other nodes located on the same level as the parent node of the current node; and
when matching fails at the current node, looking up the target node to jump to according to the input byte to be matched and the suffix substring of the substring corresponding to the current node.
5. The network behavior detection method according to claim 4, characterized in that the step of performing protocol analysis on the captured network packet comprises:
obtaining, within the network packet, the protocol-layer start position and length of the byte streams to be matched that correspond respectively to the data link layer, network layer, transport layer and application layer.
6. A network behavior detection device, characterized in that the device comprises:
a data acquisition module, for capturing network packets;
a knowledge base construction module, for analyzing network communication behavior features and constructing a network communication behavior feature knowledge base using a tree-shaped logical model;
a dictionary tree establishing module, for parsing the network communication behavior feature knowledge base and, according to the parsing result, establishing at the data link layer, network layer, transport layer and application layer respectively a communication behavior feature dictionary tree corresponding to that protocol layer;
an automaton establishing module, for establishing a deterministic finite automaton for each of the communication behavior feature dictionary trees; and
a matching module, for performing protocol analysis on the captured network packet and using a multi-pattern matching algorithm to match the byte streams to be matched that are obtained after protocol analysis and correspond respectively to the data link layer, network layer, transport layer and application layer against the communication behavior feature dictionary tree of the same protocol layer, so as to obtain the network behavior detection result of the network packet.
7. The network behavior detection device according to claim 6, characterized in that the manner in which the data acquisition module captures network packets comprises:
opening up multiple buffer areas;
acquiring network data from the communication channel of a high-speed Ethernet using zero-copy technology; and
writing the acquired network data into at least one target buffer area, among the multiple buffer areas, that is computed by a preset algorithm.
8. The network behavior detection device according to claim 6, characterized in that the manner in which the dictionary tree establishing module parses the network communication behavior feature knowledge base and, according to the parsing result, establishes at the data link layer, network layer, transport layer and application layer respectively a communication behavior feature dictionary tree corresponding to that protocol layer comprises:
parsing the network communication behavior feature knowledge base to obtain multiple feature pattern strings corresponding respectively to the data link layer, network layer, transport layer and application layer; and
storing the feature pattern strings corresponding to the different protocol layers respectively in tree form, so as to obtain the communication behavior feature dictionary tree corresponding to each protocol layer.
9. The network behavior detection device according to claim 8, characterized in that the manner in which the automaton establishing module establishes a deterministic finite automaton for each communication behavior feature dictionary tree comprises:
recording, for each node in the communication behavior feature dictionary tree, the substring of the feature pattern string corresponding to that node, the suffix substring of that substring pointing to other nodes located on the same level as the parent node of the current node; and
when matching fails at the current node, looking up the target node to jump to according to the input byte to be matched and the suffix substring of the substring corresponding to the current node.
10. The network behavior detection device according to claim 9, characterized in that the manner in which the matching module performs protocol analysis on the captured network packet comprises:
obtaining, within the network packet, the protocol-layer start position and length of the byte streams to be matched that correspond respectively to the data link layer, network layer, transport layer and application layer.
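The method of claims 1 to 5 (and the device of claims 6 to 10), as an added example that is not the patent's own code: one feature dictionary tree per protocol layer, given suffix (failure) links so that a mismatch jumps to the next candidate node (claim 4, implemented here as Aho-Corasick failure links), the per-layer start offset and length of claim 5 derived from Ethernet II, IPv4 and TCP headers, and each layer's byte stream matched against that layer's tree. The feature pattern strings, the packet bytes and all function names are constructed assumptions.

```python
from collections import deque

def build_automaton(patterns):  # trie over {name: bytes} plus failure links (claims 3 and 4)
    goto, fail, out = [{}], [0], [set()]
    for name, pat in patterns.items():
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto.append({}); fail.append(0); out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(name)
    queue = deque(goto[0].values())  # depth-1 nodes fail back to the root
    while queue:
        r = queue.popleft()
        for b, s in goto[r].items():
            f = fail[r]  # longest proper suffix of the path to s that is also in the trie
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            out[s] |= out[fail[s]]  # patterns ending at the suffix node also end at s
            queue.append(s)
    return goto, fail, out
def match(automaton, data):  # one pass over the byte stream; a mismatch jumps via failure links
    goto, fail, out = automaton
    s, hits = 0, set()
    for b in data:
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        hits |= out[s]
    return hits
def parse_layers(pkt):  # (offset, length) per layer, claim 5; assumes Ethernet II / IPv4 / TCP
    ihl, ip_total = (pkt[14] & 0x0F) * 4, int.from_bytes(pkt[16:18], "big")
    tcp_off = 14 + ihl
    app_off = tcp_off + (pkt[tcp_off + 12] >> 4) * 4
    return {"link": (0, 14), "network": (14, ihl), "transport": (tcp_off, app_off - tcp_off),
            "application": (app_off, 14 + ip_total - app_off)}
def detect(pkt, automata):  # each layer's bytes against that layer's own automaton (claim 1)
    return {l: match(automata[l], pkt[o:o + n]) for l, (o, n) in parse_layers(pkt).items()}

# Constructed feature knowledge base and a constructed HTTP-over-TCP packet (sample data only).
AUTOMATA = {"link": build_automaton({"broadcast_dst": b"\xff" * 6, "ethertype_ipv4": b"\x08\x00"}),
            "network": build_automaton({"tcp_ttl64": b"\x40\x06"}),
            "transport": build_automaton({"dport_http": b"\x00\x50"}),
            "application": build_automaton({"http_get": b"GET ", "http_1_1": b"HTTP/1.1"})}
PAYLOAD = b"GET /index.html HTTP/1.1\r\n"
PACKET = (b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x00"  # Ethernet II header
          + b"\x45\x00" + (40 + len(PAYLOAD)).to_bytes(2, "big") + b"\x00\x01\x40\x00\x40\x06\x00\x00"
          + bytes([10, 0, 0, 1, 10, 0, 0, 2])  # rest of IPv4 header: ttl 64, protocol TCP, src, dst
          + bytes.fromhex("3039005000000001112233445018ffff00000000") + PAYLOAD)  # TCP + payload
```

Calling `detect(PACKET, AUTOMATA)` returns, for each layer, the set of feature names found in that layer's byte stream, which is the per-packet detection result of claim 1.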
CN201610579391.6A 2016-07-21 2016-07-21 A kind of network behavior detection method and device Active CN106161098B (en)

Publications (2)

Publication Number Publication Date
CN106161098A CN106161098A (en) 2016-11-23
CN106161098B true CN106161098B (en) 2019-04-30