CN107948022B - Identification method and identification device for peer-to-peer network traffic - Google Patents

Publication number: CN107948022B
Authority: CN (China)
Prior art keywords: peer, message, source, flow, address
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201810024787.3A
Other languages: Chinese (zh)
Other versions: CN107948022A (en)
Inventor: 肖庆伟
Current Assignee: Beijing Abt Networks Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Abt Networks Co ltd
Application filed by Beijing Abt Networks Co ltd
Priority to CN201810024787.3A
Publication of CN107948022A
Application granted
Publication of CN107948022B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876: Network utilisation, e.g. volume of load or congestion level
    • H04L43/0888: Throughput
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/16: Threshold monitoring

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for identifying peer-to-peer network traffic. The method comprises the following steps: acquiring the number of messages of the session flow to which a target message belongs; if the number of messages is greater than a preset first threshold, acquiring a first ratio of the number of messages in the first direction of the session flow to the number of messages in the second direction of the session flow, and a second ratio of the data volume of the session flow in the first direction to the data volume of the session flow in the second direction; if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold, acquiring a source IP address set of known peer-to-peer network resource request behavior; and if the source IP address set contains the source IP address of the target message and the difference between the time stored together with that source IP address and the current time is less than or equal to a preset time threshold, determining the traffic of the session flow to which the target message belongs to be peer-to-peer network traffic. With this method, it can be accurately identified whether the traffic of the session flow to which an encrypted message belongs is P2P traffic.

Description

Identification method and identification device for peer-to-peer network traffic
Technical Field
The present invention relates to the field of peer-to-peer network traffic identification technologies, and in particular, to a peer-to-peer network traffic identification method and device.
Background
Peer-to-peer (P2P) networking has many advantages, such as low resource occupation, a high resource sharing rate and a high resource utilization rate, so the proportion of network traffic that is peer-to-peer network traffic keeps increasing. But as the network bandwidth occupied by peer-to-peer network traffic increases, a greater burden is placed on the network. For this reason, identifying peer-to-peer network traffic, and then managing it, is increasingly important.
In the prior art, Deep Packet Inspection (DPI) is usually used to identify peer-to-peer network traffic, but this method cannot identify encrypted messages. For encrypted messages, an identification method based on flow statistical characteristics is usually used: the session flow to which the encrypted message belongs is analyzed statistically to decide whether its traffic is peer-to-peer network traffic. This method, however, is prone to false identification and has lower identification accuracy.
Therefore, the existing identification methods for peer-to-peer network traffic cannot accurately identify the traffic of encrypted messages and have poor applicability.
Disclosure of Invention
The invention provides a peer-to-peer network traffic identification method and a peer-to-peer network traffic identification device, which are used for solving the problems that the existing peer-to-peer network traffic identification method cannot accurately identify the traffic of an encrypted message and is poor in applicability.
In a first aspect, the present invention provides a method for identifying peer-to-peer network traffic, where the method includes: acquiring the number of messages of the session flow to which a target message belongs; if the number of messages is greater than a preset first threshold, acquiring a first ratio of the number of messages in the first direction of the session flow to which the target message belongs to the number of messages in the second direction of that session flow, and a second ratio of the data volume of that session flow in the first direction to its data volume in the second direction; if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold, acquiring a source IP address set of known peer-to-peer network resource request behavior; and if the source IP address set contains the source IP address of the target message and the difference between the time stored together with that source IP address and the current time is less than or equal to a preset time threshold, determining the traffic of the session flow to which the target message belongs to be peer-to-peer network traffic.
Further, the identification method also comprises the following steps: matching the application behavior characteristics carried by a message to be detected against the application behavior characteristics contained in the known application behavior characteristic set, and determining the known application behavior corresponding to the message to be detected according to the matching result; and if no known application behavior corresponds to the message to be detected, determining the message to be detected to be a target message.
Further, the identification method also comprises the following step: if the known application behavior corresponding to the message to be detected is a non-peer-to-peer network resource request behavior, determining the traffic of the session flow to which the message to be detected belongs to be non-peer-to-peer network traffic, and adding the application identifier of the known application behavior corresponding to the message to be detected to the session flow to which the message to be detected belongs.
Further, the identification method also comprises the following step: if the known application behavior corresponding to the message to be detected is a peer-to-peer network resource request behavior, storing the source IP address of the message to be detected together with the current time in the source IP address set of the known peer-to-peer network resource request behavior.
Further, the identification method also comprises the following step: if the source IP address set does not contain the source IP address of the target message, or the source IP address set contains the source IP address of the target message but the difference between the time stored together with that source IP address and the current time is greater than the preset time threshold, determining the traffic of the session flow to which the target message belongs to be non-peer-to-peer network traffic.
In a second aspect, the present invention further provides an apparatus for identifying peer-to-peer network traffic, where the apparatus includes: the message quantity acquisition module is used for acquiring the message quantity of the session flow to which the target message belongs; a ratio obtaining module, configured to obtain, if the number of packets is greater than a preset first threshold, a first ratio between the number of packets in the first direction of the session flow to which the target packet belongs and the number of packets in the second direction of the session flow to which the target packet belongs, and a second ratio between the data volume in the first direction of the session flow to which the target packet belongs and the data volume in the second direction of the session flow to which the target packet belongs; a source IP address set obtaining module, configured to obtain a source IP address set of a known peer-to-peer network resource request behavior if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold; and the first flow determining module is used for determining the flow of the session flow to which the target message belongs as the peer-to-peer network flow if the source IP address set contains the source IP address of the target message and the difference value between the time correspondingly stored together with the source IP address and the current time is less than or equal to a preset time threshold value.
Further, the identification apparatus further includes: the known application behavior determining module is used for matching the application behavior characteristics carried by the message to be detected with the application behavior characteristics contained in the known application behavior characteristic set, and determining the known application behavior corresponding to the message to be detected according to the matching result; and the target message determining module is used for determining the message to be detected as the target message if the known application behavior corresponding to the message to be detected does not exist.
Further, the identification apparatus further includes: a second traffic determination module, configured to determine, if the known application behavior corresponding to the to-be-detected packet is a non-peer-to-peer network resource request behavior, that the traffic of the session flow to which the to-be-detected packet belongs is non-peer-to-peer network traffic, and to add an application identifier of the known application behavior corresponding to the to-be-detected packet to the session flow to which the to-be-detected packet belongs.
Further, the identification apparatus further includes: a storage module, configured to store the source IP address of the to-be-detected packet together with the current time in the source IP address set of the known peer-to-peer network resource request behavior if the known application behavior corresponding to the to-be-detected packet is a peer-to-peer network resource request behavior.
Further, the identification apparatus further includes: a third traffic determination module, configured to determine the traffic of the session flow to which the target packet belongs to be non-peer-to-peer network traffic if the source IP address set does not include the source IP address of the target packet, or the source IP address set includes the source IP address of the target packet but the difference between the time stored together with that source IP address and the current time is greater than the preset time threshold.
The technical scheme provided by the embodiment of the invention can have the following beneficial effects: the invention provides a peer-to-peer network traffic identification method and device. In the identification method, an identification device of peer-to-peer network flow determines whether the flow of the session flow to which the message belongs is peer-to-peer network flow or not by analyzing the number of messages transmitted on the session flow to which the received message belongs, the ratio of the number of messages transmitted in two directions of the session flow to which the message belongs, the ratio of the data volume transmitted in two directions of the session flow to which the message belongs, and whether the relationship between the source IP address of the message and the source IP address set of the known peer-to-peer network resource request behavior conforms to corresponding set conditions or not, so that the whole identification process is not influenced by message encryption for encrypted messages, whether the flow of the session flow to which the message belongs is peer-to-peer network flow or not can be accurately identified, and the applicability is better; in addition, the identification method can also screen out the messages corresponding to the known application behaviors in the messages received by the identification device of the peer-to-peer network traffic, and can reduce the false identification of the peer-to-peer network traffic and improve the accuracy of the peer-to-peer network traffic identification.
Drawings
In order to illustrate the technical solution of the present invention more clearly, the drawings used in the embodiments are briefly described below. It is obvious to those skilled in the art that other drawings can be derived from these drawings without creative effort.
Fig. 1 is a block diagram illustrating a peer-to-peer network traffic identification system according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of an identification method for peer-to-peer network traffic according to an embodiment of the present invention;
Fig. 3 is a block diagram of a peer-to-peer network traffic identification apparatus according to an embodiment of the present invention.
Detailed Description
Existing identification methods for peer-to-peer network traffic either cannot identify encrypted messages or identify them with low accuracy. To overcome this defect, the invention provides a peer-to-peer network traffic identification method and a peer-to-peer network traffic identification device.
The peer-to-peer network traffic identification method and device provided by the invention are described in detail below with reference to the accompanying drawings.
When it is necessary to identify peer-to-peer network traffic in the network traffic, an identification device of peer-to-peer network traffic is typically connected in the communication network between the user terminal and the server in order to identify the network traffic of the communication network between the user terminal and the server. Therefore, before describing the method and device for identifying peer-to-peer network traffic provided by the present invention, a system for identifying peer-to-peer network traffic is first introduced, and the steps of the method for identifying peer-to-peer network traffic provided by the embodiment of the present invention can be implemented by using the system for identifying peer-to-peer network traffic.
Referring to fig. 1, fig. 1 is a block diagram illustrating a structure of an identification system for peer-to-peer network traffic according to an embodiment of the present invention. As can be seen in fig. 1, the identification system includes: the system comprises a user terminal 1, a server 2 and an identification device 3 of peer-to-peer network flow, wherein the identification device 3 of peer-to-peer network flow is connected in series in a communication network between the user terminal 1 and the server 2, messages sent to the server 2 by the user terminal 1 can all pass through the identification device 3 of peer-to-peer network flow, messages sent to the user terminal 1 by the server 2 can also all pass through the identification device 3 of peer-to-peer network flow, and the network flow of the communication network between the user terminal 1 and the server 2 can be identified by adopting the identification device 3 of peer-to-peer network flow.
Referring to fig. 2, fig. 2 is a flowchart illustrating an identification method for peer-to-peer network traffic according to an embodiment of the present invention, where the identification method is used on the side of an identification apparatus for peer-to-peer network traffic (for example, the identification apparatus 3 for peer-to-peer network traffic illustrated in fig. 1), and includes the following steps:
Step 101, obtaining the message quantity of the session flow to which the target message belongs.
In some optional embodiments, any one of the messages received by the peer-to-peer network traffic identification apparatus may be a target message. The session flow to which the target message belongs refers to a complete session interaction process between a user terminal (e.g., the user terminal 1 shown in fig. 1) and a server (e.g., the server 2 shown in fig. 1), and is composed of a series of interaction messages, the target message is one of the series of interaction messages, and the number of messages of the session flow to which the target message belongs is the total number of the series of interaction messages.
In some other optional embodiments, before obtaining the number of packets of the session flow to which the target packet belongs, that is, before performing step 101, the identification method further includes: acquiring application behavior characteristics carried by a message to be detected, matching the application behavior characteristics with application behavior characteristics contained in a known application behavior characteristic set, and determining a known application behavior corresponding to the message to be detected according to a matching result; and if the known application behavior feature set does not have a feature signature file with application behavior features matched with the application behavior features carried by the message to be detected, namely the matching is unsuccessful, indicating that the known application behaviors corresponding to the message to be detected do not exist, determining the message to be detected as a target message. By adopting the method to determine the target message, the message corresponding to the known application behavior in the message received by the peer-to-peer network flow identification device can be screened out, the false identification of the peer-to-peer network flow can be reduced subsequently, and the accuracy of the peer-to-peer network flow identification is improved.
The message to be detected refers to a message received by the peer-to-peer network traffic identification device, and any message received by the peer-to-peer network traffic identification device can be used as the message to be detected. The known application behaviors refer to the operation behaviors of some known applications, such as accessing a known shopping website, downloading data through known downloading software, logging in known chatting software and the like. The known application behavior feature set refers to a set of feature signature files of known application behaviors, wherein each feature signature file in the set includes an application behavior feature and a name of a known application behavior corresponding to the application behavior feature. An application behavior feature refers to an identification of an application behavior, which is a sign that each application behavior is distinguished from other application behaviors. For example, the application behavior feature of the application behavior of accessing a known shopping website may be a domain name of the known shopping website.
Furthermore, the known application behavior feature set can be stored in the peer-to-peer network traffic identification device in advance, and can be directly called from the peer-to-peer network traffic identification device when in use. Of course, the set of known application behavior features may also be stored in other storage devices, which are not listed here.
Step 102, if the number of messages is greater than a preset first threshold, obtaining a first ratio of the number of messages in the first direction of the session flow to which the target message belongs to the number of messages in the second direction of that session flow, and a second ratio of the data volume of that session flow in the first direction to its data volume in the second direction.
The first direction of the session flow to which the target packet belongs may be a direction from the user terminal to the server, or a direction from the server to the user terminal. The preset first threshold value can be set according to actual needs.
When the first direction of the session flow to which the target message belongs is from the user terminal to the server, the second direction of the session flow to which the target message belongs is from the server to the user terminal. The message quantity in the first direction of the session flow to which the target message belongs refers to the total number of messages sent to the server by the user terminal in the session flow to which the target message belongs, and the message quantity in the second direction of the session flow to which the target message belongs refers to the total number of messages sent to the user terminal by the server in the session flow to which the target message belongs. The data volume of the first direction of the session flow to which the target message belongs refers to the data volume sent to the server by the user terminal in the session flow to which the target message belongs, and the data volume of the second direction of the session flow to which the target message belongs refers to the data volume sent to the user terminal by the server in the session flow to which the target message belongs.
When the first direction of the session flow to which the target message belongs is from the server to the user terminal, the second direction of the session flow to which the target message belongs is from the user terminal to the server. The number of messages in the first direction of the session flow to which the target message belongs refers to the total number of messages sent to the user terminal by the server in the session flow to which the target message belongs, and the number of messages in the second direction of the session flow to which the target message belongs refers to the total number of messages sent to the server by the user terminal in the session flow to which the target message belongs. The data volume of the first direction of the session flow to which the target message belongs refers to the data volume sent to the user terminal by the server in the session flow to which the target message belongs, and the data volume of the second direction of the session flow to which the target message belongs refers to the data volume sent to the server by the user terminal in the session flow to which the target message belongs.
Step 103, if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold, acquiring a source IP address set of the known peer-to-peer network resource request behavior.
Wherein, the known peer-to-peer network resource request behavior refers to downloading data through some known downloading software. The source IP address set of the known peer-to-peer network resource request behavior is a set of source IP address storage files, each source IP address storage file in the set comprises a source IP address and time stored correspondingly together with the source IP address, wherein the source IP address is a source IP address of a user terminal downloading data through known downloading software, and the time stored correspondingly together with the source IP address is storage time for storing the source IP address into the source IP address storage file. The preset second threshold and the preset third threshold can be set according to actual needs.
Step 104, if the source IP address set contains the source IP address of the target message and the difference between the time stored together with that source IP address and the current time is less than or equal to a preset time threshold, determining the traffic of the session flow to which the target message belongs to be peer-to-peer network traffic.
In specific implementation, a source IP address of a target message is firstly analyzed, then whether a source IP address storage file containing the source IP address exists in a source IP address set of a known peer-to-peer network resource request behavior is inquired, if the source IP address storage file containing the source IP address exists in the source IP address set of the known peer-to-peer network resource request behavior, it is indicated that the source IP address exists in the source IP address set of the known peer-to-peer network resource request behavior, whether a difference value between time contained in the source IP address storage file and current time is smaller than or equal to a preset time threshold value is determined, and if the difference value between the time contained in the source IP address storage file and the current time is smaller than or equal to the preset time threshold value, flow of a session flow to which the target message belongs is determined as peer-to-peer network flow. The preset time threshold can be set according to actual needs.
Further, after determining the traffic of the session flow to which the target packet belongs as the peer-to-peer network traffic, the identification method further includes: and adding a P2P flow identifier on the session flow to which the target message belongs.
In some other optional embodiments, the identification method further comprises: if no source IP address storage file containing the source IP address of the target message exists in the source IP address set of the known peer-to-peer network resource request behavior, that is, the set does not contain the source IP address of the target message; or if such a storage file exists but the difference between the time contained in it and the current time is greater than the preset time threshold, that is, the set contains the source IP address of the target message but the difference between the time stored together with that source IP address and the current time is greater than the preset time threshold; then determining the traffic of the session flow to which the target message belongs to be non-peer-to-peer network traffic, and adding a non-P2P traffic identifier to the session flow to which the target message belongs.
In some other optional embodiments, the identification method further comprises: if the known application behavior feature set has a feature signature file with application behavior features matched with the application behavior features carried by the message to be detected, and the name of the known application behavior contained in the feature signature file is the name of a certain non-peer-to-peer network resource request behavior, which indicates that the known application behavior corresponding to the message to be detected is the non-peer-to-peer network resource request behavior, determining the flow of the session flow to which the message to be detected belongs as the non-peer-to-peer network flow, and adding the application identifier of the known application behavior corresponding to the message to be detected on the session flow to which the message to be detected belongs. The application identifier may be an application name corresponding to a known application behavior, for example, an application name corresponding to an application behavior of accessing a known shopping website is the name of the known shopping website.
In some other optional embodiments, the identification method further comprises: if the characteristic signature file with the application behavior characteristics matched with the application behavior characteristics carried by the message to be detected exists in the known application behavior characteristic set, and the name of the known application behavior contained in the characteristic signature file is the name of a certain known peer-to-peer network resource request behavior, which indicates that the known application behavior corresponding to the message to be detected is the peer-to-peer network resource request behavior, analyzing the source IP address of the message to be detected, correspondingly storing the source IP address and the current time of the message to be detected in the source IP address set of the known peer-to-peer network resource request behavior, determining the flow of the session flow to which the message to be detected belongs as the peer-to-peer network flow, and adding a P2P flow identifier on the session flow to which the message to be detected belongs.
In the method for identifying peer-to-peer network traffic provided in the embodiment of the present invention, the peer-to-peer network traffic identification apparatus determines whether the traffic of the session flow to which a received message belongs is peer-to-peer network traffic by analyzing whether the following meet the corresponding set conditions: the number of messages transmitted on the session flow, the ratio of the numbers of messages transmitted in the two directions of the session flow, the ratio of the data volumes transmitted in the two directions of the session flow, and the relationship between the source IP address of the message and the source IP address set of the known peer-to-peer network resource request behavior. For encrypted messages, the entire identification process is not affected by message encryption, so whether the traffic of the session flow to which the message belongs is peer-to-peer network traffic can be accurately identified, and the applicability is better. In addition, the identification method can screen out, from the messages received by the identification apparatus, those corresponding to known application behaviors, which reduces false identification of peer-to-peer network traffic and improves the accuracy of peer-to-peer network traffic identification.
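The decision procedure of steps 101 to 104, together with the signature pre-filter and the timestamped source IP set, is shown below as an added Python example (not code from the patent). The threshold values, signature entries, addresses, the choice of user terminal to server as the first direction, and the `undecided` result for branches where the description states no verdict are all assumptions.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed values: the patent leaves every threshold to the implementer.
FIRST_THRESHOLD = 10     # messages in the session flow
SECOND_THRESHOLD = 0.5   # message-count ratio, first/second direction
THIRD_THRESHOLD = 0.5    # data-volume ratio, first/second direction
TIME_THRESHOLD = 300.0   # seconds a stored source IP stays usable

# Constructed "known application behavior feature set": feature -> (name, is_p2p).
SIGNATURES: Dict[str, Tuple[str, bool]] = {
    "tracker.example": ("ExampleTorrent", True),
    "shop.example": ("ExampleShop", False),
}

@dataclass
class Packet:
    flow_id: str
    src_ip: str
    first_dir: bool                # True = user terminal -> server (assumed first direction)
    size: int
    ts: float
    feature: Optional[str] = None  # None models an encrypted message with no usable feature

@dataclass
class Flow:
    pkts: List[int] = field(default_factory=lambda: [0, 0])    # [first, second]
    octets: List[int] = field(default_factory=lambda: [0, 0])  # [first, second]
    label: Optional[str] = None

def ratio(first: int, second: int) -> float:
    # Assumption: an empty second direction gives an infinite ratio.
    return first / second if second else (math.inf if first else 0.0)

class Identifier:
    def __init__(self) -> None:
        self.flows: Dict[str, Flow] = {}
        self.p2p_sources: Dict[str, float] = {}  # source IP -> time it was stored

    def process(self, p: Packet) -> str:
        flow = self.flows.setdefault(p.flow_id, Flow())
        i = 0 if p.first_dir else 1
        flow.pkts[i] += 1
        flow.octets[i] += p.size

        # Pre-filter: match against the known application behavior features.
        sig = SIGNATURES.get(p.feature) if p.feature else None
        if sig and sig[1]:
            # Known P2P resource request: store source IP with the current time.
            self.p2p_sources[p.src_ip] = p.ts
            flow.label = "p2p"
        elif sig:
            flow.label = "non-p2p:" + sig[0]  # application identifier on the flow
        if flow.label:                        # assumption: an identifier on a flow is final
            return flow.label

        # No known behavior matched: p is a target message.
        if sum(flow.pkts) <= FIRST_THRESHOLD:                    # steps 101/102
            return "undecided"
        if not (ratio(*flow.pkts) > SECOND_THRESHOLD
                and ratio(*flow.octets) > THIRD_THRESHOLD):      # step 103
            return "undecided"
        # Step 104: the lookup key is the source IP of the target message itself.
        stored = self.p2p_sources.get(p.src_ip)
        fresh = stored is not None and p.ts - stored <= TIME_THRESHOLD
        flow.label = "p2p" if fresh else "non-p2p"
        return flow.label

def session(flow_id: str, client: str, server: str, start: float,
            n: int, up_size: int, down_size: int) -> List[Packet]:
    """Constructed encrypted flow: n messages alternating up/down, one per second."""
    return [Packet(flow_id, client if k % 2 == 0 else server, k % 2 == 0,
                   up_size if k % 2 == 0 else down_size, start + k)
            for k in range(n)]

def replay(packets: List[Packet]) -> Dict[str, str]:
    ident = Identifier()
    verdict: Dict[str, str] = {}
    for p in sorted(packets, key=lambda q: q.ts):
        verdict[p.flow_id] = ident.process(p)
    return verdict

def demo() -> Dict[str, str]:
    srv = "203.0.113.7"  # constructed addresses throughout
    traffic = [Packet("f1", "10.0.0.5", True, 300, 1000.0, "tracker.example"),
               Packet("f6", "10.0.0.9", True, 300, 1001.0, "shop.example")]
    traffic += session("f2", "10.0.0.5", srv, 1010.0, 16, 1200, 1200)  # recent P2P source
    traffic += session("f3", "10.0.0.9", srv, 1010.5, 16, 1200, 1200)  # source never stored
    traffic += session("f4", "10.0.0.5", srv, 2000.0, 16, 1200, 1200)  # stored entry too old
    traffic += session("f5", "10.0.0.5", srv, 1050.25, 16, 40, 1400)   # download-shaped flow
    return replay(traffic)

if __name__ == "__main__":
    for flow_id, label in sorted(demo().items()):
        print(flow_id, label)
```

Flow `f5` shows why the source IP check alone is not the verdict: its source is a recent known P2P requester, but the data-volume ratio fails the third threshold, so the flow never reaches step 104.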
Corresponding to the identification method of the peer-to-peer network flow provided by the invention, the invention also provides an identification device of the peer-to-peer network flow.
Referring to Fig. 3, Fig. 3 is a block diagram illustrating the structure of an apparatus for identifying peer-to-peer network traffic according to an embodiment of the present invention. As can be seen from Fig. 3, the identification device includes: a message quantity obtaining module 301, configured to obtain the message quantity of the session flow to which a target message belongs; a ratio obtaining module 302, configured to obtain, if the number of packets is greater than a preset first threshold, a first ratio between the number of packets in the first direction of the session flow to which the target packet belongs and the number of packets in the second direction of that session flow, and a second ratio between the data volume of that session flow in the first direction and its data volume in the second direction; a source IP address set obtaining module 303, configured to obtain a source IP address set of a known peer-to-peer network resource request behavior if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold; a first traffic determining module 304, configured to determine the traffic of the session flow to which the target packet belongs as peer-to-peer network traffic if the source IP address set includes the source IP address of the target packet and the difference between the time stored together with that source IP address and the current time is less than or equal to a preset time threshold.
Further, the identification apparatus further includes: a known application behavior determining module 305, configured to match application behavior features carried in a to-be-detected packet with application behavior features included in a known application behavior feature set, and determine a known application behavior corresponding to the to-be-detected packet according to a matching result; a target message determining module 306, configured to determine the message to be detected as a target message if there is no known application behavior corresponding to the message to be detected.
Further, the identification apparatus further includes: a second traffic determining module 307, configured to determine, if the known application behavior corresponding to the to-be-detected packet is a non-peer-to-peer network resource request behavior, that the traffic of the session flow to which the to-be-detected packet belongs is a non-peer-to-peer network traffic, and add an application identifier of the known application behavior corresponding to the to-be-detected packet to the session flow to which the to-be-detected packet belongs.
Further, the identification apparatus further includes: the storage module 308 is configured to, if the known application behavior corresponding to the packet to be detected is a peer-to-peer network resource request behavior, correspondingly store the source IP address of the packet to be detected and the current time into the source IP address set of the known peer-to-peer network resource request behavior.
Further, the identification apparatus further includes: a third traffic determining module 309, configured to determine the traffic of the session flow to which the target packet belongs as non-peer-to-peer network traffic if the source IP address set does not include the source IP address of the target packet, or if the source IP address set includes the source IP address of the target packet and the difference between the time stored together with that source IP address and the current time is greater than a preset time threshold.
The peer-to-peer network traffic identification device provided by the embodiment of the invention can implement all the steps of the peer-to-peer network traffic identification method and obtain the same beneficial effects. When the identification device is used to identify the traffic of encrypted messages, the whole identification process is not affected by message encryption, and whether the traffic of the session flow to which a message belongs is peer-to-peer network traffic can be accurately identified, so the applicability is better. In addition, the identification device can screen out, from the received messages, the messages corresponding to known application behaviors, which reduces subsequent false identification of peer-to-peer network traffic and improves the accuracy of peer-to-peer network traffic identification.
In a specific implementation, the present invention further provides a computer storage medium. The computer storage medium may store a program, and when the program is executed, it may perform some or all of the steps in each embodiment of the peer-to-peer network traffic identification method provided by the present invention. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a random access memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
For parts that are the same or similar across the embodiments in this specification, the embodiments may be referred to one another. In particular, because the embodiment of the identification apparatus for peer-to-peer network traffic is basically similar to the method embodiment, it is described briefly; for the relevant points, refer to the description of the method embodiment.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (8)

1. A method for identifying peer-to-peer network traffic, comprising:
acquiring the message quantity of a session flow to which a target message belongs;
if the number of the messages is larger than a preset first threshold value, acquiring a first ratio of the number of the messages in the first direction of the session flow to which the target message belongs to the number of the messages in the second direction of the session flow to which the target message belongs, and a second ratio of the data volume of the session flow to which the target message belongs in the first direction to the data volume of the session flow to which the target message belongs in the second direction;
if the first ratio is larger than a preset second threshold and the second ratio is larger than a preset third threshold, acquiring a source IP address set of a known peer-to-peer network resource request behavior;
if the source IP address set contains the source IP address of the target message and the difference value between the time correspondingly stored together with the source IP address and the current time is less than or equal to a preset time threshold value, determining the flow of the session flow to which the target message belongs as the flow of the peer-to-peer network;
matching the application behavior characteristics carried by the message to be detected with the application behavior characteristics contained in the known application behavior characteristic set, and determining the known application behavior corresponding to the message to be detected according to the matching result;
and if the known application behavior corresponding to the message to be detected does not exist, determining the message to be detected as a target message.
2. The identification method of claim 1, further comprising: if the known application behavior corresponding to the message to be detected is a non-peer-to-peer network resource request behavior, determining the flow of the session flow to which the message to be detected belongs as the non-peer-to-peer network flow, and adding an application identifier of the known application behavior corresponding to the message to be detected on the session flow to which the message to be detected belongs.
3. The identification method of claim 1, further comprising: if the known application behavior corresponding to the message to be detected is a peer-to-peer network resource request behavior, correspondingly storing the source IP address of the message to be detected and the current time into a source IP address set of the known peer-to-peer network resource request behavior.
4. The identification method of claim 1, further comprising: if the source IP address set does not contain the source IP address of the target message, or the source IP address set contains the source IP address of the target message and the difference value between the time which is correspondingly stored together with the source IP address and the current time is larger than a preset time threshold value, determining the flow of the session flow to which the target message belongs as the flow of the non-peer-to-peer network.
5. An apparatus for identifying peer-to-peer network traffic, comprising:
the message quantity acquisition module is used for acquiring the message quantity of the session flow to which the target message belongs;
a ratio obtaining module, configured to obtain, if the number of packets is greater than a preset first threshold, a first ratio between the number of packets in the first direction of the session flow to which the target packet belongs and the number of packets in the second direction of the session flow to which the target packet belongs, and a second ratio between the data volume in the first direction of the session flow to which the target packet belongs and the data volume in the second direction of the session flow to which the target packet belongs;
a source IP address set obtaining module, configured to obtain a source IP address set of a known peer-to-peer network resource request behavior if the first ratio is greater than a preset second threshold and the second ratio is greater than a preset third threshold;
a first traffic determining module, configured to determine, if the source IP address set includes the source IP address of the target packet, and a difference between time stored correspondingly with the source IP address and current time is less than or equal to a preset time threshold, traffic of a session stream to which the target packet belongs as peer-to-peer network traffic;
the known application behavior determining module is used for matching the application behavior characteristics carried by the message to be detected with the application behavior characteristics contained in the known application behavior characteristic set, and determining the known application behavior corresponding to the message to be detected according to the matching result;
and the target message determining module is used for determining the message to be detected as the target message if the known application behavior corresponding to the message to be detected does not exist.
6. The identification device of claim 5, further comprising: a second traffic determination module, configured to determine, if the known application behavior corresponding to the to-be-detected packet is a non-peer-to-peer network resource request behavior, that the traffic of the session flow to which the to-be-detected packet belongs is a non-peer-to-peer network traffic, and add an application identifier of the known application behavior corresponding to the to-be-detected packet to the session flow to which the to-be-detected packet belongs.
7. The identification device of claim 5, further comprising: a storage module, configured to correspondingly store the source IP address of the message to be detected and the current time into the source IP address set of the known peer-to-peer network resource request behavior if the known application behavior corresponding to the message to be detected is the peer-to-peer network resource request behavior.
8. The identification device of claim 5, further comprising: a third traffic determining module, configured to determine, if the source IP address set does not include the source IP address of the target packet, or the source IP address set includes the source IP address of the target packet and a difference between a time, which is stored correspondingly with the source IP address, and a current time is greater than a preset time threshold, the traffic of the session flow to which the target packet belongs as non-peer-to-peer network traffic.
Application number: CN201810024787.3A; priority date: 2018-01-11; filing date: 2018-01-11; title: Identification method and identification device for peer-to-peer network traffic; status: Active; publication: CN107948022B (en)

Publications (2)

Publication Number Publication Date
CN107948022A CN107948022A (en) 2018-04-20
CN107948022B true CN107948022B (en) 2021-04-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant