CN108234452A - A system and method for multi-layer protocol identification of network data packets - Google Patents


Publication number
CN108234452A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201711322465.9A
Other languages
Chinese (zh)
Other versions
CN108234452B (en)
Inventor
蔡晓华
陶飞
杨光辉
贺晓麟
王涛
周育樑
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SHANGHAI NETIS TECHNOLOGIES Co Ltd
Original Assignee
SHANGHAI NETIS TECHNOLOGIES Co Ltd
Application filed by SHANGHAI NETIS TECHNOLOGIES Co Ltd
Priority to CN201711322465.9A
Publication of CN108234452A
Application granted
Publication of CN108234452B
Status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22: Parsing or analysis of headers
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/18: Protocol analysers

Abstract

The present invention provides a system and method for multi-layer protocol identification of network data packets, comprising: a data input module, which reads data packets from a data source, strips the known lower-layer protocols, extracts the unknown payload, and outputs several data packets, each output data packet containing the unknown payload and the known meta-information of the lower-layer protocols; and an analysis module, which extracts contiguous data blocks from the output of the data input module, performs protocol detection on the fragments of each contiguous data block, and computes protocol adjacency probabilities from the protocol detection results. The invention overcomes the inability of the prior art to classify a complete protocol stack.

Description

A system and method for multi-layer protocol identification of network data packets
Technical field
The present invention relates to the field of network traffic analysis and statistics, and in particular to a system and method for multi-layer protocol identification of network data packets.
Background
Network traffic classification refers to analyzing network traffic data to determine the protocol or application category to which a traffic flow belongs. Classifying network traffic is an important means of analyzing the traffic a network carries and of analyzing service performance.
In the field of traffic classification today, the more accurate methods are generally payload-based. Payload-based classification performs deep packet inspection (DPI) on the content of network data packets, and includes:
1. Using a set of payload features (exact signatures and regular expressions) to identify the applications in network traffic, which achieves very high identification accuracy. An example is invention patent application No. 200710152390.4, "Network traffic classification processing method and network traffic classification processing device".
2. Collecting protocol samples and training a classifier with machine-learning techniques to perform the classification. Examples are invention patent application No. 201310414970.1, "Network traffic classification method and device", and invention patent application No. 201510176138.1, "A network traffic classification method".
However, as technology develops, network traffic is becoming increasingly complex, and each lower-layer protocol can carry many different upper-layer protocols. The true classification of a piece of data is therefore likely to be a protocol tree, which cannot be expressed simply as a single category.
As an example, Fig. 1 shows a sample of a complex network protocol stack, one that a typical website might contain. HTTP may carry many different kinds of traffic above it, including HTML pages and JSON data, and MIME may be used for uploading files and submitting forms. In enterprise applications there are also many middleware products that carry a variety of different upper-layer applications.
To analyze network traffic more accurately, especially when the business information in it needs to be parsed, giving a single category is not enough; the complete protocol stack must be classified.
The prior art, including the three patents above, can only give a single classification result and cannot solve the problem of classifying a complex protocol stack.
Summary of the invention
In view of the defects in the prior art, the object of the present invention is to provide a system and method for multi-layer protocol identification of network data packets.
The system for multi-layer protocol identification of network data packets provided by the present invention comprises:
Data input module: reads data packets from a data source, strips the known lower-layer protocols, extracts the unknown payload, and outputs several data packets, each output data packet containing the unknown payload and the known meta-information of the lower-layer protocols;
Analysis module: extracts contiguous data blocks from the output of the data input module, performs protocol detection on the fragments of each contiguous data block, and computes protocol adjacency probabilities from the protocol detection results.
Preferably, performing protocol detection on the fragments of each contiguous data block comprises:
cutting the contiguous data block into data fragments of fixed size and detecting the protocol of each data fragment, producing a classification sequence containing several classifications;
inserting a special classification at the head of the generated classification sequence, wherein the special classification represents the known upper-layer classification.
Preferably, computing the protocol adjacency probabilities comprises:
establishing an M*M matrix over all the distinct classifications, where M is the number of distinct classifications, and initializing every value in the matrix to 0;
according to the result of the protocol detection performed on each data fragment, adding 1 to the value at the matrix position corresponding to each pair of adjacent classifications in the classification sequence.
Preferably, after computing the protocol adjacency probabilities, the analysis module further constructs a protocol relationship graph:
the matrix is converted into a graph whose nodes correspond to protocols, whose edge weights correspond to the values in the matrix, and whose root node is the special classification.
Preferably, the system further comprises a query module: provides a user interface, executes the query algorithm according to the query request entered by the user, and outputs the query result.
The method for multi-layer protocol identification of network data packets provided by the present invention comprises:
Data input step: reading data packets from a data source, stripping the known lower-layer protocols, extracting the unknown payload, and outputting several data packets, each output data packet containing the unknown payload and the known meta-information of the lower-layer protocols;
Analysis step: extracting contiguous data blocks from the output of the data input step, performing protocol detection on the fragments of each contiguous data block, and computing protocol adjacency probabilities from the protocol detection results.
Preferably, performing protocol detection on the fragments of each contiguous data block comprises:
cutting the contiguous data block into data fragments of fixed size and detecting the protocol of each data fragment, producing a classification sequence containing several classifications;
inserting a special classification at the head of the generated classification sequence, wherein the special classification represents the known upper-layer classification.
Preferably, computing the protocol adjacency probabilities comprises:
establishing an M*M matrix over all the distinct classifications, where M is the number of distinct classifications, and initializing every value in the matrix to 0;
according to the result of the protocol detection performed on each data fragment, adding 1 to the value at the matrix position corresponding to each pair of adjacent classifications in the classification sequence.
Preferably, after computing the protocol adjacency probabilities, the analysis step further constructs a protocol relationship graph:
the matrix is converted into a graph whose nodes correspond to protocols, whose edge weights correspond to the values in the matrix, and whose root node is the special classification.
Preferably, the method further comprises a query step: providing a user interface, executing the query algorithm according to the query request entered by the user, and outputting the query result.
Compared with the prior art, the present invention has the following beneficial effects:
1. It overcomes the inability of the prior art to classify a complete protocol stack;
2. Classification results are stored in a graph data structure, which accurately represents the complex protocol hierarchy information in the data, so that results at different levels of detail can be extracted for different scenarios.
Brief description of the drawings
Other features, objects and advantages of the present invention will become more apparent upon reading the detailed description of non-limiting embodiments with reference to the following drawings:
Fig. 1 is a schematic diagram of a sample of a complex network protocol stack;
Fig. 2 is the module relationship diagram of the system for multi-layer protocol identification of network data packets provided by the present invention;
Fig. 3 is a schematic diagram of the working steps of the analysis module of the present invention;
Fig. 4 to Fig. 7 are schematic diagrams of the data conversion process of the analysis module of the present invention;
Fig. 8 is the flow chart of the query algorithm of the present invention;
Fig. 9 is a protocol relationship graph of an embodiment of the present invention.
Detailed description
The present invention is described in detail below with reference to specific embodiments. The following embodiments will help those skilled in the art to further understand the present invention, but do not limit the invention in any way. It should be noted that those of ordinary skill in the art can make several changes and improvements without departing from the inventive concept. These all fall within the protection scope of the present invention.
As shown in Fig. 2, the system for multi-layer protocol identification of network data packets provided by the present invention comprises three modules: a data input module, an analysis module and a query module.
I. Data input module:
Reads data packets from a data source, strips the known lower-layer protocols, extracts the unknown payload, and outputs several data packets, each containing the unknown payload and the known meta-information of the lower-layer protocols. The data source may be, but is not limited to, real-time capture from a network card or reading from a file.
II. Analysis module:
1. Construct a data-fragment protocol detection submodule, which can use an existing DPI software package or hand-built feature keyword rules for the proprietary protocols to be detected.
2. Extract contiguous data blocks from the output of the data input module, perform protocol detection on the fragments of each contiguous data block, compute the protocol adjacency probabilities and construct the protocol relationship graph. Here, the operation of determining which protocol a data fragment belongs to is defined as protocol detection.
As shown in Fig. 3, the working steps of the analysis module are as follows:
Step 1: extract the contiguous data blocks from the data packets; for example, the payload of one data packet can be extracted as one contiguous data block;
Step 2: perform the following operations for each contiguous data block:
Step 2.1: cut the contiguous data block into data fragments of fixed size (for example 256 bytes); for each data fragment, call the data-fragment protocol detection submodule to perform protocol detection, producing a classification sequence containing several classifications, for example [P1, P2];
Step 2.2: insert a special classification P0 at the head of the classification sequence; P0 represents the known upper-layer classification, giving the classification sequence [P0, P1, P2].
Step 3: compute and generate the protocol adjacency matrix, as follows:
Step 3.1: establish an M*M matrix over all the distinct classifications, where M is the number of distinct classifications, and initialize every value in the matrix to 0;
Step 3.2: according to the result of the protocol detection performed on each data fragment, add 1 to the value at the matrix position corresponding to each pair of adjacent classifications in the classification sequence. If the detection result is P1, P2, the value at matrix position (P1, P2) is incremented by 1; if the detection result is P0, P1, P2, the values at matrix positions (P0, P1) and (P1, P2) are each incremented by 1.
Step 4: convert the matrix into a graph whose nodes correspond to protocols, whose edge weights correspond to the values in the matrix, and whose root node is the special classification P0.
Fig. 4 to Fig. 7 show the data conversion flow of the analysis module and correspond to the data output by steps 1 to 4 above, respectively.
Fig. 4 shows the data blocks obtained in step 1, with each data block number and its data; the data are shown in hexadecimal. After the data of Fig. 4 are processed by step 2, the data block numbers and corresponding protocol paths of Fig. 5 are obtained. After the data of Fig. 5 are counted in step 3, the matrix of adjacency counts between the protocols shown in Fig. 6 is obtained. Combining the data of Fig. 5 and Fig. 6, step 4 converts them into the protocol relationship graph of Fig. 7, in which the weight of each edge is the value of the corresponding cell in Fig. 6 and the root node is the inserted A.
III. Query module:
Executes the query algorithm according to the user's query request, analyzes the protocol relationship graph, and outputs the results that satisfy the query request.
The query request entered by the user can include the following conditions:
the number of protocol levels required, denoted D; the maximum number of child nodes retained per level, denoted K; the edge probability threshold (corresponding to the edge values in Fig. 7), denoted W.
The query algorithm flow is shown in Fig. 8; it is a variant of the breadth-first search (BFS) algorithm:
1. Initialize the queue Q as empty, initialize the visited node set V as empty, and initialize the result node set TN and the result edge set TE as empty;
2. First put the root node into queue Q;
3. Take node N from the head of queue Q;
3.1. Add node N to TN and add node N to V;
3.2. Determine whether the node has reached depth D; if the current level is greater than or equal to D, end this step;
3.3. Otherwise, perform the following steps;
3.3.1. Apply the following two filters to the node's list of child nodes;
3.3.1.1. the child node is not in set V;
3.3.1.2. the weight from the current node to the child node must be greater than or equal to W;
3.3.2. Then sort the filtered result by the weight of the edge from the node to each child node and take the K largest, denoted TOP_CHILDREN;
3.3.3. Add the edges from this node to TOP_CHILDREN to TE, and add TOP_CHILDREN to queue Q;
4. If the queue is empty, return TN and TE to the user as the result; otherwise repeat step 3.
To facilitate understanding by those skilled in the art, the present invention provides the following specific implementation:
1. A web-based interface is provided, with a file upload form.
2. The user uploads a PCAP file. After the upload, the known Ethernet/IP/TCP layer information is parsed and the payload above TCP is extracted, generating several data blocks. The analysis module generates the complete protocol relationship graph, which is displayed to the user.
3. A form is provided on the web page for the user to enter query conditions, which include:
the number of protocol levels required, denoted D;
the maximum number of child nodes retained per level, denoted K;
the edge probability threshold (corresponding to the edge values in the graph), denoted W;
4. The user's query is executed, and the subgraph that satisfies the query is output and displayed to the user.
Fig. 9 is the protocol relationship graph produced by the analysis in step 2 above; it contains five protocols, A, B, C, F and E, and the root node is A.
Assume the query conditions entered are D=3, K=1, W=0.
The root node A is added to the queue to be traversed.
A node is taken from the queue to be traversed; it is node A. The level of A is 1, which is less than D. A is added to the result set. A has three child nodes F, B, C with weights 5, 100, 50 respectively; after sorting from high to low the result is B, C, F.
Since K=1, only node B is retained, and the edge A → B is added to the result set. B is added to the queue to be traversed.
A node is taken from the queue to be traversed; it is node B. The level of node B is 2, which is less than D. B is added to the result set.
The child nodes of B are C and E, with weights 30 and 5 respectively; after sorting from high to low the result is C, E. Since K=1, only node C is retained, and the edge B → C is added to the result set. C is added to the queue to be traversed.
A node is taken from the queue to be traversed; it is node C. Since the level of node C is 3, which is equal to D, C is added to the result set, but its child nodes are not traversed.
At this point the queue to be traversed is empty and the query is complete. The result set is the subtree A → B → C, marked with bold edges in Fig. 9.
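Steps 2.2 to 4 of the analysis module and the D/K/W query algorithm above, as an added Python example that is not part of the patent text. It starts from the per-fragment detection sequences such as [P1, P2] (the sequences in the tests are constructed), all function names are assumptions, and FIG9 holds only the edge weights that the worked example states.

```python
from collections import deque

ROOT = "P0"  # special classification inserted at the head of every sequence


def build_adjacency(sequences, root=ROOT):
    """Steps 2.2 to 3.2: prepend the root, then count adjacent pairs."""
    seqs = [[root] + list(s) for s in sequences]
    # Root first, the rest sorted. The ordering is an assumption: the text
    # only requires one row and one column per distinct classification.
    labels = [root] + sorted({p for s in seqs for p in s} - {root})
    index = {p: i for i, p in enumerate(labels)}
    matrix = [[0] * len(labels) for _ in labels]  # M*M, all zeros
    for s in seqs:
        for upper, lower in zip(s, s[1:]):
            matrix[index[upper]][index[lower]] += 1
    return labels, matrix


def matrix_to_graph(labels, matrix):
    """Step 4: every nonzero cell becomes a weighted directed edge."""
    return {
        labels[i]: {labels[j]: w for j, w in enumerate(row) if w > 0}
        for i, row in enumerate(matrix)
    }


def query(graph, root, depth, keep, min_weight):
    """BFS variant: D = depth, K = keep, W = min_weight.

    Returns (TN, TE): result nodes in visit order and result edges as
    (parent, child, weight) tuples.
    """
    queue = deque([(root, 1)])  # the root node is level 1
    visited, nodes, edges = set(), [], []
    while queue:
        node, level = queue.popleft()
        if node in visited:
            # Assumption: a node queued by two parents is expanded once.
            continue
        visited.add(node)
        nodes.append(node)
        if level >= depth:
            continue  # depth D reached: keep the node, skip its children
        children = [
            (child, w)
            for child, w in graph.get(node, {}).items()
            if child not in visited and w >= min_weight
        ]
        children.sort(key=lambda cw: cw[1], reverse=True)
        for child, w in children[:keep]:  # TOP_CHILDREN
            edges.append((node, child, w))
            queue.append((child, level + 1))
    return nodes, edges


# Edge weights quoted in the worked example for Fig. 9. Any other edges
# of Fig. 9 are not given in the text and are left out.
FIG9 = {"A": {"F": 5, "B": 100, "C": 50}, "B": {"C": 30, "E": 5}}

if __name__ == "__main__":
    print(query(FIG9, "A", depth=3, keep=1, min_weight=0))
```

Raising W drops edges that were seen only a few times, which is how a rare misclassification by the fragment detector is kept out of the reported protocol stack.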
Those skilled in the art know that, in addition to implementing the system provided by the present invention and its devices, modules and units as pure computer-readable program code, the method steps can be logically programmed so that the system and its devices, modules and units achieve the same functions in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. The system provided by the present invention and its devices, modules and units can therefore be regarded as a hardware component, and the devices, modules and units included in it for implementing various functions can also be regarded as structures within the hardware component; the devices, modules and units for implementing various functions can also be regarded both as software modules implementing the method and as structures within the hardware component.
Specific embodiments of the present invention have been described above. It is to be understood that the invention is not limited to the particular embodiments described; those skilled in the art can make various changes or modifications within the scope of the claims without affecting the substance of the invention. Where no conflict arises, the embodiments of this application and the features in the embodiments can be combined with one another arbitrarily.

Claims (10)

1. A system for multi-layer protocol identification of network data packets, characterized in that it comprises:
a data input module, which reads data packets from a data source, strips the known lower-layer protocols, extracts the unknown payload, and outputs several data packets, each output data packet containing the unknown payload and the known meta-information of the lower-layer protocols;
an analysis module, which extracts contiguous data blocks from the output of the data input module, performs protocol detection on the fragments of each contiguous data block, and computes protocol adjacency probabilities from the protocol detection results.
2. The system for multi-layer protocol identification of network data packets according to claim 1, characterized in that performing protocol detection on the fragments of each contiguous data block comprises:
cutting the contiguous data block into data fragments of fixed size and detecting the protocol of each data fragment, producing a classification sequence containing several classifications;
inserting a special classification at the head of the generated classification sequence, wherein the special classification represents the known upper-layer classification.
3. The system for multi-layer protocol identification of network data packets according to claim 2, characterized in that computing the protocol adjacency probabilities comprises:
establishing an M*M matrix over all the distinct classifications, where M is the number of distinct classifications, and initializing every value in the matrix to 0;
according to the result of the protocol detection performed on each data fragment, adding 1 to the value at the matrix position corresponding to each pair of adjacent classifications in the classification sequence.
4. The system for multi-layer protocol identification of network data packets according to claim 3, characterized in that, after computing the protocol adjacency probabilities, the analysis module further constructs a protocol relationship graph:
the matrix is converted into a graph whose nodes correspond to protocols, whose edge weights correspond to the values in the matrix, and whose root node is the special classification.
5. The system for multi-layer protocol identification of network data packets according to claim 1, characterized in that it further comprises a query module, which provides a user interface, executes the query algorithm according to the query request entered by the user, and outputs the query result.
6. A method for multi-layer protocol identification of network data packets, characterized in that it comprises:
a data input step: reading data packets from a data source, stripping the known lower-layer protocols, extracting the unknown payload, and outputting several data packets, each output data packet containing the unknown payload and the known meta-information of the lower-layer protocols;
an analysis step: extracting contiguous data blocks from the output of the data input step, performing protocol detection on the fragments of each contiguous data block, and computing protocol adjacency probabilities from the protocol detection results.
7. The method for multi-layer protocol identification of network data packets according to claim 6, characterized in that performing protocol detection on the fragments of each contiguous data block comprises:
cutting the contiguous data block into data fragments of fixed size and detecting the protocol of each data fragment, producing a classification sequence containing several classifications;
inserting a special classification at the head of the generated classification sequence, wherein the special classification represents the known upper-layer classification.
8. The method for multi-layer protocol identification of network data packets according to claim 7, characterized in that computing the protocol adjacency probabilities comprises:
establishing an M*M matrix over all the distinct classifications, where M is the number of distinct classifications, and initializing every value in the matrix to 0;
according to the result of the protocol detection performed on each data fragment, adding 1 to the value at the matrix position corresponding to each pair of adjacent classifications in the classification sequence.
9. The method for multi-layer protocol identification of network data packets according to claim 8, characterized in that, after computing the protocol adjacency probabilities, the analysis step further constructs a protocol relationship graph:
the matrix is converted into a graph whose nodes correspond to protocols, whose edge weights correspond to the values in the matrix, and whose root node is the special classification.
10. The method for multi-layer protocol identification of network data packets according to claim 6, characterized in that it further comprises a query step: providing a user interface, executing the query algorithm according to the query request entered by the user, and outputting the query result.
CN201711322465.9A 2017-12-12 2017-12-12 System and method for identifying network data packet multilayer protocol Active CN108234452B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711322465.9A CN108234452B (en) 2017-12-12 2017-12-12 System and method for identifying network data packet multilayer protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711322465.9A CN108234452B (en) 2017-12-12 2017-12-12 System and method for identifying network data packet multilayer protocol

Publications (2)

Publication Number Publication Date
CN108234452A true CN108234452A (en) 2018-06-29
CN108234452B CN108234452B (en) 2020-11-24

Family

ID=62649416

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711322465.9A Active CN108234452B (en) 2017-12-12 2017-12-12 System and method for identifying network data packet multilayer protocol

Country Status (1)

Country Link
CN (1) CN108234452B (en)

Also Published As

Publication number Publication date
CN108234452B (en) 2020-11-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant