CN106506400B - data stream identification method and outlet device - Google Patents


Info

Publication number: CN106506400B
Authority: CN (China)
Prior art keywords: record; service application; application library; newly; library
Legal status: Active
Application number: CN201610971015.1A
Other languages: Chinese (zh)
Other versions: CN106506400A (en)
Inventor: 刘凌峰
Current assignee: Ruijie Networks Co Ltd
Original assignee: Ruijie Networks Co Ltd
Application filed by Ruijie Networks Co Ltd
Priority to CN201610971015.1A
Publication of CN106506400A
Application granted
Publication of CN106506400B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L 47/2475 Traffic characterised by specific attributes, e.g. priority or QoS, for supporting traffic characterised by the type of applications
    • H04L 47/2483 Traffic characterised by specific attributes, e.g. priority or QoS, involving identification of individual flows

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Embodiments of the invention provide a data stream identification method and an egress device. The egress device obtains the latest service application library from the server and uses it locally as its local service application library. On receiving the first packet of a new flow, if the local service application library holds no valid record for that first packet, the device performs application identification on the subsequent packets of the flow; when any of those subsequent packets matches any rule in the feature rule library, the device creates a new record in its local service application library, thereby updating it. Seen from the application service provider side, the cooperation between the server and the egress devices in the network consolidates identification information from multiple devices on the server and dynamically builds the mapping between service ports and application types in the network, which raises the first-packet identification rate, speeds up identification and reduces the overall performance cost of application identification.

Description

Data stream identification method and outlet device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a data stream identification method and an egress device.
Background
With the development of networks, few companies or network application sites still use a single line as their egress. Having multiple lines means the lines differ in quality; for example, a fibre line is better than an ADSL line. Several scenarios may arise:
A company has two lines, a main fibre line and an ADSL line. It expects video conferencing, the company OA system, web access and similar services to use the main fibre and other traffic to use the ADSL line;
In some internet cafés the main fibre link is small (because of its high cost) and there are several ADSL lines (low cost). The wish is that only game traffic uses the main fibre and everything else uses ADSL;
The server of a network application service provider is connected to several operator lines; operator A is more expensive and operator B cheaper. The provider wants delay-sensitive applications not to cross operators, while all other traffic should go via operator B, so as to reduce operating costs;
Application offloading is a user-configured policy that steers the traffic of a given application onto an appropriate egress link. For example, in an internet café the egress usually has one fibre link and several ordinary dial-up lines; the café's key applications, such as online games, are steered to the fibre line, while applications needing large bandwidth, such as video, are steered to the dial-up lines. By configuring different steering policies for different applications, network resources are used effectively and the network experience improves.
According to the TCP/IP protocol, a TCP connection starts with a three-way handshake. No application-layer data is carried during the handshake, so deep packet inspection (DPI) based on packet content cannot determine the specific application type until at least the fourth packet. For UDP flows, DPI is required to identify the specific application from the first packet.
However, the prior art has the following problems:
1) In the application offloading scenario, if the proportion of flows identified from the first packet is too low, the proportion of flows that can be offloaded is also low, and the requirement of on-demand offloading cannot be met. This scenario is a significant challenge for conventional DPI. For UDP flows the specific application type must be identified from the first packet; for TCP flows many current implementations achieve offloading by means such as proxying, but proxy performance is poor and the specific application can still only be identified at the fourth packet. In short, the offloading scenario places higher demands on the speed of application identification.
2) As networks develop and network applications keep multiplying, egress traffic grows ever larger. Content-based deep inspection is computationally expensive and consumes substantial CPU resources, so in high-traffic environments or on low-specification devices DPI easily becomes a performance bottleneck. Existing schemes generally have a single device perform application identification for one scenario, using one of the following methods:
1. Deep packet inspection (DPI): the application type of a packet is determined by analysing fingerprint features in its payload.
2. Deep flow inspection (DFI): the application type of a flow is determined by analysing the flow's behavioural features.
Both methods generally have low identification efficiency and a low first-packet identification rate, consume a large amount of CPU, and their performance readily becomes a bottleneck.
Disclosure of the Invention
Embodiments of the invention provide a data stream identification method and an egress device. The method comprises the following steps:
obtaining the latest service application library from the server and using it locally as the local service application library; the latest service application library is formed from the locally updated service application libraries uploaded by all egress devices in the network;
receiving the first packet of a new flow and, when the local service application library holds no valid record for the first packet, performing application identification on the subsequent packets of the new flow; a valid record is a record in the local service application library mapping the first packet to an application type;
when any of the subsequent packets of the new flow matches any rule in the feature rule library through application identification, creating a record to be newly created in the local service application library so as to update it; the record to be newly created is a mapping record from that packet to the application type pointed to by that rule.
According to the method of the invention, downloading the latest service application library from the server for use locally as the local service application library includes:
downloading, according to the local application scenario, the latest service application library corresponding to that scenario from the server for use locally as the local service application library.
The method according to the invention further includes:
when the record to be newly created has been created in the local service application library and the library thereby updated, uploading the locally updated service application library to the server so as to update the service application library on the server.
According to the method of the invention, creating the record to be newly created in the local service application library includes:
obtaining from the matched packet the user IP address and service port number of the record to be newly created and using them as its index; if the local service application library has no record for that user IP address and service port number, creating the record directly in the local service application library and marking it valid by default; or,
obtaining from the matched packet the user IP address and service port number of the record to be newly created and using them as its index; if the local service application library has a record for that user IP address and service port number and that record is invalid, creating the record to be newly created in the local service application library and marking it valid by default; or,
obtaining from the matched packet the user IP address and service port number of the record to be newly created and using them as its index; if the local service application library has a record for that user IP address and service port number and that record is valid, judging whether the application type recorded in that record is the same as the application type of the record to be newly created; if so, taking the larger of the effective times of the existing record and the record to be newly created as the effective time of the new record and marking it valid by default; if not, changing the existing record to an invalid record and taking the smaller of the two effective times as the effective time of the new record.
According to the above method of the invention, the method further comprises: when the first packet of the new flow has a valid record in the local service application library, performing no further application identification on the subsequent packets of the new flow.
According to another aspect of the invention, an egress device is also provided, comprising:
an obtaining module, configured to obtain the latest service application library from the server and use it locally as the local service application library; the latest service application library is formed from the locally updated service application libraries uploaded by all egress devices in the network;
an application identification module, configured to receive the first packet of a new flow and, when the local service application library holds no valid record for it, perform application identification on the subsequent packets of the new flow; a valid record is a record in the local service application library mapping the first packet to an application type;
a creation module, configured to create a record to be newly created in the local service application library, so as to update it, when any of the subsequent packets of the new flow matches any rule in the feature rule library through application identification; the record to be newly created is a mapping record from that packet to the application type pointed to by that rule.
According to another aspect of the invention, the obtaining module is specifically configured to:
download, according to the local application scenario, the latest service application library corresponding to that scenario from the server for use locally as the local service application library.
According to another aspect of the invention, the device further comprises an update module configured to:
upload the locally updated service application library to the server, so as to update the service application library on the server, when the record to be newly created has been created in the local service application library and the library thereby updated.
According to another aspect of the invention, the creation module is specifically configured to:
obtain from the matched packet the user IP address and service port number of the record to be newly created and use them as its index; if the local service application library has no record for that user IP address and service port number, create the record directly in the local service application library and mark it valid by default; or,
obtain from the matched packet the user IP address and service port number of the record to be newly created and use them as its index; if the local service application library has a record for that user IP address and service port number and that record is invalid, create the record to be newly created in the local service application library and mark it valid by default; or,
obtain from the matched packet the user IP address and service port number of the record to be newly created and use them as its index; if the local service application library has a record for that user IP address and service port number and that record is valid, judge whether the application type recorded in that record is the same as the application type of the record to be newly created; if so, take the larger of the effective times of the existing record and the record to be newly created as the effective time of the new record and mark it valid by default; if not, change the existing record to an invalid record and take the smaller of the two effective times as the effective time of the new record.
According to another aspect of the invention, the application identification module is specifically configured to:
perform no further application identification on the subsequent packets of the new flow when the first packet of the new flow has a valid record in the local service application library.
According to the technical solution of the embodiments, the egress device obtains the latest service application library from the server and uses it locally as its local service application library, the latest library being formed from the locally updated service application libraries uploaded by all egress devices in the network; it receives the first packet of a new flow and, when the local service application library holds no valid record for that packet (a valid record being a record in the library mapping the first packet to an application type), performs application identification on the subsequent packets of the flow; and when any of those packets matches any rule in the feature rule library through application identification, it creates a record to be newly created in the local service application library, namely a mapping record from that packet to the application type pointed to by that rule, so as to update the library. With this scheme, from the perspective of the application service provider side, the cooperation between the server and the egress devices in the network consolidates identification information from multiple devices on the server and dynamically builds the mapping between service ports and application types in the network, raising the first-packet identification rate, speeding up identification and reducing the overall performance cost of application identification.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in describing the embodiments are briefly introduced below. The drawings show only some embodiments of the invention, and those skilled in the art can derive other drawings from them without inventive effort.
Fig. 1 is a diagram of an application scenario in the prior art;
Fig. 2 is a processing flow chart of a data stream identification method according to an embodiment of the invention;
Fig. 3 is a block diagram of an egress device according to a second embodiment of the invention.
Detailed Description
To aid understanding of the embodiments, the following description explains several specific embodiments with reference to the drawings; the embodiments are not to be construed as limiting the invention.
Example one
The method of this embodiment is applied on an egress device; Fig. 1 shows the method applied in one scenario. When a record to be newly created is created in the local service application library of an egress device and the library thereby updated, the device uploads the locally updated service application library to a server, which stores the locally updated service application libraries uploaded by the egress devices in each network;
The service application library records the mapping of user packets to application types. This embodiment gives one implementation of the service application library, shown in the following table: for the user IP address and service port number corresponding to a user packet, it records the identifier of the corresponding application type, an effective time, and a flag indicating whether the record for that user IP address and service port number is valid;
Each row is a record indexed by the IP address and service port number (IP, Port). The application type identifier denotes an application type, so each record represents the application type mapping for one service port in the network.
The effective time is the time for which the record remains valid. The service application library is refreshed periodically; on each refresh the effective time of every record is decremented by 1 down to 0, and a record whose effective time reaches 0 is deleted. The records in the server's service application library are uploaded by the egress devices; the service application library on an egress device contains records from other egress devices synchronised via the server together with locally generated records. The egress device downloads the latest service application library records from the server as its local service application library records.
This embodiment provides the processing flow of a data stream identification method shown in Fig. 2:
Step 11: obtain the latest service application library from the server and use it locally as the local service application library; the latest service application library is formed from the locally updated service application libraries uploaded by all egress devices in the network;
For each new flow, before determining whether the local service application library holds a valid record for the first packet of the flow, the latest service application library records on the server are downloaded as the local service application library records. Specifically, the latest service application library is downloaded from the server for local use, and preferably the latest library corresponding to the local application scenario is downloaded according to that scenario.
Specifically, when the egress device is first configured and powered on, its local application scenario is set, and the device downloads the latest service application library corresponding to that scenario from the server for use as its local service application library. For example: in an internet café scenario, the two major library categories of games and video can be synchronised; in a college scenario, the libraries for chat tools, games, video and the like; in an enterprise scenario, libraries such as OA office and chat tools. In each scenario a subset of the service application libraries can be synchronised as the scenario requires, or all service application libraries on the server can be synchronised.
The egress device can also be configured to choose whether its own service application library is shared, protected by an account and password, and from which egress devices it synchronises the service application library.
When the first packet of the new flow has a valid record in the local service application library, no application identification is performed on the subsequent packets of the flow. A valid record is a record in the local service application library mapping the first packet to an application type; more specifically, a record exists in the service application library whose user IP address and service port number correspond to the first packet, which carries a corresponding application type identifier and effective time, and whose record flag is valid;
Specifically, the first packet of the flow is matched against the local service application library. Before matching, the destination IP is extracted from the IP header of the first packet and the destination port number PORT from its TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) header; the service application library is then searched, using the first packet's destination IP and destination port PORT as the index, for a valid record corresponding to the first packet (destination IP, destination PORT);
If a valid record is found, matching succeeds, the application type is the one recorded for the first packet, and the application identification stage ends. Otherwise application identification is entered as in step 12 below.
Step 12: receive the first packet of a new flow and, when the local service application library holds no valid record for the first packet, perform application identification on the subsequent packets of the new flow; a valid record is a record in the local service application library mapping the first packet to an application type;
Step 13: when any of the subsequent packets of the new flow matches any rule in the feature rule library through application identification, create a record to be newly created in the local service application library so as to update it; the record to be newly created is a mapping record from that packet to the application type pointed to by that rule.
Preferably, when the record to be newly created has been created in the local service application library and the library thereby updated, the locally updated service application library is uploaded to the server to update the service application library on the server.
Application identification in this embodiment is based mainly on DPI, though it is not limited to DPI. DPI distinguishes the different applications carried in packets according to features of the packets that each application itself generates. The feature rule library contains a series of feature rules; each rule defines a payload feature of an application and points to an application type. For example, the following three rules:
1: com" occurring at a payload offset of 10 bytes identifies the application type as QQ
2: "Qzone" occurring at a payload offset of 20 bytes identifies the application type as QQ
3: "Xunlei" occurring at a payload offset of 20 bytes identifies the application type as Xunlei (Thunder)
The mapping record from the matched packet to the application type pointed to by the matched rule is taken as the record to be newly created. When it needs to be created, its contents comprise the user IP address, the service port number, the identifier of the corresponding application type, the effective time and the valid flag;
wherein,
the user IP address and service port number of the record to be newly created are obtained from the matched packet and used as its index, and the local service application library is checked for an existing record with that user IP address and service port number. If there is none, the record is created directly in the local service application library and marked valid by default. If there is one, it is checked whether that record is valid: if invalid, the record to be newly created is created in the library and marked valid by default; if valid, it is checked whether the application type of the existing record is the same as that of the record to be newly created. If the types are the same, the larger of the two effective times is taken as the effective time of the new record and the new record is marked valid by default; if they differ, the existing record is changed to invalid and the smaller of the two effective times is taken as the effective time of the new record.
Specifically, assume that the record to be newly created is (IP1, Port1, ID1, T1). The flow of the insert operation is:
judging whether the local service application library record has a record corresponding to (IP1, Port1); if not, directly creating (IP1, Port1, ID1, T1);
if a record (IP1, Port1, ID, T) corresponding to IP1 and Port1 exists, judging whether that record is valid; if it is invalid, directly creating (IP1, Port1, ID1, T1);
if the record is valid, judging whether the application type ID recorded in the existing record (IP1, Port1, ID, T) is the same as the application type ID1 of the record (IP1, Port1, ID1, T1) to be newly created; if so, selecting the larger of the valid times T and T1 as the valid time of the newly created record;
if ID differs from ID1, the valid record (IP1, Port1, ID, T) in the service application library is modified into an invalid record, and the smaller of the valid times T and T1 is taken as the valid time of the newly created record;
and before application identification is performed on the subsequent messages of the newly created flow, the latest feature rule base is obtained from the server and loaded into the DPI engine.
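The insert operation above, carried through all four cases, as an added worked example (this is illustrative code, not the patent's or Ruijie Networks' implementation). It assumes a record is (user IP, service port, application type ID, valid time) with a valid flag, that the library is a dict indexed on (IP, port), and that the valid time is an absolute expiry time in seconds (the text says only "valid time"). In the conflicting case (same index, different application type) the text marks the existing record invalid but does not say whether the newly created record is valid; the example stores that record as not valid, so the port is re-identified by DPI before it is trusted again. The names `Record`, `ServiceAppLibrary`, `lookup`, `insert` and `walk_through` are invented here.

```python
"""Added worked example of the record insert operation (not the patent's code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Record:
    ip: str
    port: int
    app_id: str
    valid_time: int      # assumption: absolute expiry time in seconds
    valid: bool = True


class ServiceAppLibrary:
    """Local service application library indexed by (user IP, service port)."""

    def __init__(self) -> None:
        self._records: dict[tuple[str, int], Record] = {}

    def lookup(self, ip: str, port: int, now: int) -> Optional[Record]:
        """Return the valid ("effective") record for (ip, port), or None.

        A record marked invalid, or one whose valid time has passed, does not
        count, so the caller falls back to DPI for that flow.
        """
        rec = self._records.get((ip, port))
        if rec is None or not rec.valid or now >= rec.valid_time:
            return None
        return rec

    def insert(self, new: Record) -> Record:
        """Insert (IP1, Port1, ID1, T1) following the four cases of the text."""
        key = (new.ip, new.port)
        old = self._records.get(key)

        # Case 1: no record under this index -> create it, valid by default.
        # Case 2: a record exists but is invalid -> create it, valid by default.
        if old is None or not old.valid:
            stored = Record(new.ip, new.port, new.app_id, new.valid_time, True)
            self._records[key] = stored
            return stored

        # Case 3: valid record with the same application type -> the mapping
        # is confirmed again; keep the larger of the two valid times T and T1.
        if old.app_id == new.app_id:
            stored = Record(new.ip, new.port, new.app_id,
                            max(old.valid_time, new.valid_time), True)
            self._records[key] = stored
            return stored

        # Case 4: valid record with a different application type -> the port
        # has now been seen with two applications. The existing record is
        # replaced by an invalid one carrying the new type and the smaller
        # valid time min(T, T1); it stays invalid (assumption, see lead-in)
        # so DPI re-checks the port until it is confirmed again.
        stored = Record(new.ip, new.port, new.app_id,
                        min(old.valid_time, new.valid_time), False)
        self._records[key] = stored
        return stored


def walk_through() -> list:
    """Run the four cases on a constructed sequence of records."""
    lib = ServiceAppLibrary()
    trace = []
    r = lib.insert(Record("10.0.0.7", 8080, "app-A", 100))   # case 1
    trace.append((r.app_id, r.valid_time, r.valid))
    r = lib.insert(Record("10.0.0.7", 8080, "app-A", 300))   # case 3 -> max(100, 300)
    trace.append((r.app_id, r.valid_time, r.valid))
    r = lib.insert(Record("10.0.0.7", 8080, "app-B", 200))   # case 4 -> min(300, 200), invalid
    trace.append((r.app_id, r.valid_time, r.valid))
    r = lib.insert(Record("10.0.0.7", 8080, "app-B", 250))   # case 2 -> replaced, valid
    trace.append((r.app_id, r.valid_time, r.valid))
    return trace
```

The expiry check in `lookup` is not spelled out in the text; it is what gives the "larger" and "smaller" valid-time rules their effect, since a confirmed mapping survives longer and a disputed one is aged out sooner.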
Embodiment two
This embodiment provides an outlet device. A specific implementation structure of the outlet device is shown in fig. 3, and it may specifically include the following modules:
an obtaining module 21, configured to obtain the latest service application library from the server to the local device as the local service application library, wherein the latest service application library is formed from the locally updated service application libraries uploaded by all egress devices in the network;
an application identification module 22, configured to receive the head message of a newly created flow and, when no valid record exists in the local service application library, perform application identification on the subsequent messages of the newly created flow, where a valid record is a mapping-relationship record, in the local service application library record, of the application type corresponding to the head message;
a newly building module 23, configured to create a record to be newly created in the local service application library record, so as to update the local service application library, when any one of the subsequent messages of the newly created flow matches any rule in the feature rule library record during application identification; the record to be newly created is a mapping-relationship record of the application type pointed to by the matched rule for that message.
The obtaining module 21 is specifically configured to:
download, according to the local application scene, the latest service application library corresponding to that application scene from the server, and use it locally as the local service application library.
The outlet device of this embodiment further includes an updating module 24, which is specifically configured to:
upload the locally updated service application library to the server, so as to update the service application library on the server, when the record to be newly created has been created in the local service application library record to update the local service application library.
The newly building module 23 is specifically configured to:
acquire the user IP address and the service port number of the record to be newly created from the matched message, take them as the index of the record to be newly created, and, if no record corresponding to that user IP address and service port number exists in the local service application library record, directly create the record to be newly created in the local service application library record, the newly created record being valid by default; or,
acquire the user IP address and the service port number of the record to be newly created from the matched message, take them as the index of the record to be newly created, and, if a record corresponding to that user IP address and service port number exists in the local service application library record but is invalid, create the record to be newly created in the local service application library record, the newly created record being valid by default; or,
acquire the user IP address and the service port number of the record to be newly created from the matched message, take them as the index of the record to be newly created, and, if a record corresponding to that user IP address and service port number exists in the local service application library record and is valid, judge whether the application type recorded in that record is the same as the application type of the record to be newly created; if so, select the larger of the valid times of the existing record and of the record to be newly created as the valid time of the newly created record, the newly created record being valid by default; if not, modify the existing record in the service application library into an invalid record, and take the smaller of the two valid times as the valid time of the newly created record.
The application identification module 22 is specifically configured to:
not perform application identification on the subsequent messages of the newly created flow when the head message of the newly created flow already has a valid record in the local service application library record; the valid record is a mapping-relationship record, in the local service application library record, of the application type corresponding to the head message.
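The cooperation between the server and the outlet devices of embodiment two, as an added example (illustrative code, not the patent's or Ruijie Networks' implementation). It assumes the feature rule base is a list of (rule name, byte pattern, application type); that each outlet device serves one application scene and the server keeps one library per scene, merging every uploaded library into it; and that a record is simply (user IP, service port) -> application type which a matched flow overwrites, so the valid/invalid merge rules of the insert operation are left out here. `LibraryServer`, `OutletDevice`, `FEATURE_RULES` and the sample flow are invented.

```python
"""Added example of first-packet identification with a server-shared library
(not the patent's code). Rules, flows and names are constructed."""

# Constructed sample feature rule base: (rule name, byte pattern, application type).
FEATURE_RULES = [
    ("http-get", b"GET ", "web"),
    ("ssh-banner", b"SSH-2.0", "ssh"),
]


class LibraryServer:
    """Holds the latest service application library for each application scene."""

    def __init__(self) -> None:
        self._by_scene: dict[str, dict[tuple[str, int], str]] = {}

    def download(self, scene: str) -> dict:
        # A device receives the library matching its own application scene.
        return dict(self._by_scene.setdefault(scene, {}))

    def upload(self, scene: str, local_library: dict) -> None:
        # The latest library is formed from the uploads of all devices in the scene.
        self._by_scene.setdefault(scene, {}).update(local_library)


class OutletDevice:
    def __init__(self, server: LibraryServer, scene: str) -> None:
        self.server = server
        self.scene = scene
        self.library = server.download(scene)   # obtaining module
        self.dpi_packets = 0                    # packets that went through DPI

    def handle_flow(self, packets: list) -> tuple:
        """packets: [(user_ip, service_port, payload), ...]; packets[0] is the head message.

        Returns (application type or None, how the flow was identified).
        """
        user_ip, service_port, _ = packets[0]
        # Application identification module: a valid record for the head
        # message's (IP, port) identifies the flow on its first packet, so the
        # subsequent messages are not sent through DPI at all.
        app = self.library.get((user_ip, service_port))
        if app is not None:
            return app, "library"
        # Otherwise run DPI on the subsequent messages until a rule matches.
        for _, _, payload in packets[1:]:
            self.dpi_packets += 1
            for rule_name, pattern, app_type in FEATURE_RULES:
                if pattern in payload:
                    # Newly building module: record the mapping locally ...
                    self.library[(user_ip, service_port)] = app_type
                    # ... and updating module: upload the updated library.
                    self.server.upload(self.scene, self.library)
                    return app_type, "dpi:" + rule_name
        return None, "unidentified"


def demo() -> tuple:
    """Two devices in one scene: the second reuses what the first learned by DPI."""
    server = LibraryServer()
    flow = [("10.1.1.5", 8080, b""),                               # constructed head message
            ("10.1.1.5", 8080, b"GET /index.html HTTP/1.1\r\n")]   # constructed payload
    first = OutletDevice(server, "campus")
    result_a = first.handle_flow(flow)
    second = OutletDevice(server, "campus")   # downloads the library after the upload
    result_b = second.handle_flow(flow)
    return result_a, result_b, second.dpi_packets
```

Because every device in a scene trusts records that another device uploaded, the server is the point where the mappings should be authenticated and bounded (who may upload, and how long a record lives), which is what the valid-time and valid/invalid fields of the insert operation provide.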
The specific process by which the egress device of this embodiment identifies a data stream is similar to that of the foregoing method embodiment and is not described again here.
In summary, in the embodiments of the present invention, the latest service application library is obtained from the server and used locally as the local service application library, wherein the latest service application library is formed from the locally updated service application libraries uploaded by all egress devices in the network; the head message of a newly created flow is received, and application identification is performed on the subsequent messages of the newly created flow when no valid record exists in the local service application library, where a valid record is a mapping-relationship record, in the local service application library record, of the application type corresponding to the head message; when any one of the subsequent messages of the newly created flow matches any rule in the feature rule base record during application identification, a record to be newly created is created in the local service application library record so as to update the local service application library, the record to be newly created being a mapping-relationship record of the application type pointed to by the matched rule for that message. With this scheme, from the perspective of the application service providing end, the identification information of multiple devices is integrated on the server through cooperation between the server and the outlet devices in the network, the correspondence between service ports and application types in the network is constructed dynamically, the first-packet identification rate of application identification is raised, identification becomes faster, and the overall performance cost of application identification is reduced.
Those of ordinary skill in the art will understand that the figures are merely schematic representations of one embodiment, and that the blocks or flow diagrams in the figures are not necessarily required to practice the present invention.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus a necessary general-purpose hardware platform. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disk, and which includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute the method according to the embodiments or to some parts of the embodiments.
The embodiments in the present specification are described in a progressive manner; the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, since the apparatus and system embodiments are substantially similar to the method embodiments, they are described relatively briefly, and the relevant points may be found in the partial description of the method embodiments. The above-described embodiments of the apparatus and system are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, and may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only of the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto; any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. A data stream identification method, comprising:
obtaining the latest service application library from a server and using it locally as a local service application library, wherein the latest service application library is formed from the locally updated service application libraries uploaded by all egress devices in the network;
receiving a head message of a newly created flow, and performing application identification on subsequent messages of the newly created flow when no valid record exists in the local service application library, wherein a valid record is a mapping-relationship record, in the local service application library record, of the application type corresponding to the head message;
when any one of the subsequent messages of the newly created flow matches any rule in the feature rule base record during the application identification, creating a record to be newly created in the local service application library record so as to update the local service application library, the record to be newly created being a mapping-relationship record of the application type pointed to by the matched rule for that message;
and further comprising:
when the record to be newly created is created in the local service application library record so as to update the local service application library, uploading the locally updated service application library to the server so as to update the service application library on the server.
2. The data stream identification method according to claim 1, wherein obtaining the latest service application library from the server and using it locally as the local service application library comprises:
downloading, according to the local application scene, the latest service application library corresponding to that application scene from the server, and using it locally as the local service application library.
3. The method according to claim 1, wherein creating the record to be newly created in the local service application library record comprises:
acquiring the user IP address and the service port number of the record to be newly created from the matched message, taking them as the index of the record to be newly created, and, if no record corresponding to that user IP address and service port number exists in the local service application library record, directly creating the record to be newly created in the local service application library record, the newly created record being valid by default; or,
acquiring the user IP address and the service port number of the record to be newly created from the matched message, taking them as the index of the record to be newly created, and, if a record corresponding to that user IP address and service port number exists in the local service application library record but is invalid, creating the record to be newly created in the local service application library record, the newly created record being valid by default; or,
acquiring the user IP address and the service port number of the record to be newly created from the matched message, taking them as the index of the record to be newly created, and, if a record corresponding to that user IP address and service port number exists in the local service application library record and is valid, judging whether the application type recorded in that record is the same as the application type of the record to be newly created; if so, selecting the larger of the valid times of the existing record and of the record to be newly created as the valid time of the newly created record, the newly created record being valid by default; if not, modifying the existing record in the service application library into an invalid record, and taking the smaller of the two valid times as the valid time of the newly created record.
4. The data stream identification method according to any one of claims 1 to 3, further comprising: when the head message of the newly created flow already has a valid record in the local service application library record, no longer performing application identification on the subsequent messages of the newly created flow.
5. An outlet device, comprising:
an obtaining module, configured to obtain the latest service application library from a server and use it locally as a local service application library, wherein the latest service application library is formed from the locally updated service application libraries uploaded by all egress devices in the network;
an application identification module, configured to receive a head message of a newly created flow and, when no valid record exists in the local service application library, perform application identification on subsequent messages of the newly created flow, wherein a valid record is a mapping-relationship record, in the local service application library record, of the application type corresponding to the head message;
a newly building module, configured to create a record to be newly created in the local service application library record so as to update the local service application library when any one of the subsequent messages of the newly created flow matches any rule in the feature rule library record during the application identification, the record to be newly created being a mapping-relationship record of the application type pointed to by the matched rule for that message;
and further comprising an updating module, configured to:
upload the locally updated service application library to the server so as to update the service application library on the server when the record to be newly created is created in the local service application library record so as to update the local service application library.
6. The outlet device according to claim 5, wherein the obtaining module is specifically configured to:
download, according to the local application scene, the latest service application library corresponding to that application scene from the server, and use it locally as the local service application library.
7. The outlet device according to claim 5, wherein the newly building module is specifically configured to:
acquire the user IP address and the service port number of the record to be newly created from the matched message, take them as the index of the record to be newly created, and, if no record corresponding to that user IP address and service port number exists in the local service application library record, directly create the record to be newly created in the local service application library record, the newly created record being valid by default; or,
acquire the user IP address and the service port number of the record to be newly created from the matched message, take them as the index of the record to be newly created, and, if a record corresponding to that user IP address and service port number exists in the local service application library record but is invalid, create the record to be newly created in the local service application library record, the newly created record being valid by default; or,
acquire the user IP address and the service port number of the record to be newly created from the matched message, take them as the index of the record to be newly created, and, if a record corresponding to that user IP address and service port number exists in the local service application library record and is valid, judge whether the application type recorded in that record is the same as the application type of the record to be newly created; if so, select the larger of the valid times of the existing record and of the record to be newly created as the valid time of the newly created record, the newly created record being valid by default; if not, modify the existing record in the service application library into an invalid record, and take the smaller of the two valid times as the valid time of the newly created record.
8. The outlet device according to any one of claims 5 to 7, wherein the application identification module is specifically configured to:
no longer perform application identification on the subsequent messages of the newly created flow when the head message of the newly created flow already has a valid record in the local service application library record.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610971015.1A CN106506400B (en) 2016-11-04 2016-11-04 data stream identification method and outlet device

Publications (2)

Publication Number Publication Date
CN106506400A (en) 2017-03-15
CN106506400B (en) 2019-12-06

Family

ID=58322028

Country Status (1)

Country Link
CN (1) CN106506400B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107547437B (en) * 2017-05-11 2020-09-08 新华三信息安全技术有限公司 Application identification method and device
CN111404768A (en) * 2019-01-02 2020-07-10 中国移动通信有限公司研究院 DPI recognition realization method and equipment
CN113726689B (en) * 2021-07-27 2023-06-13 新华三信息安全技术有限公司 Security service processing method and device

Citations (4)

Publication number Priority date Publication date Assignee Title
CN103297270A (en) * 2013-05-24 2013-09-11 华为技术有限公司 Application type recognition method and network equipment
CN103475593A (en) * 2013-08-20 2013-12-25 北京星网锐捷网络技术有限公司 Data stream processing method and data stream processing device
CN103856574A (en) * 2012-12-06 2014-06-11 中国电信股份有限公司 Method, device and system for controlling services
CN105592137A (en) * 2015-10-14 2016-05-18 杭州华三通信技术有限公司 Application type identification method and device

Non-Patent Citations (1)

Title
Zhang Wen et al.; P2P traffic identification based on characteristic processes; 《计算机工程》 (Computer Engineering); 2008-08-05; sections 3-4 of the main text *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant