CN114465743A - Data flow monitoring and analyzing method - Google Patents


Info

Publication number
CN114465743A
Authority
CN (China)
Prior art keywords
data packet, flow, module, protocol, statistics
Legal status
Granted (active)
Application number
CN202011391397.3A
Other languages
Chinese (zh)
Other versions
CN114465743B (en)
Inventors
罗治华, 李正耀, 田超华
Current assignee
Hangzhou Infogo Tech Co ltd
Original assignee
Hangzhou Infogo Tech Co ltd
Priority
CN202011391397.3A; published as CN114465743A, granted and published as CN114465743B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a data flow monitoring and analyzing method that realizes flow monitoring and analysis at the data packet level and comprises the steps of data packet acquisition, policy configuration, data packet analysis, link information statistics, flow statistics, abnormal access monitoring and statistical information presentation. It overcomes the drawback that dedicated equipment must be configured separately, or that user terminals cannot be monitored by a switch bypass alone, and realizes the analysis and processing of Windows desktop data flow.

Description

Data flow monitoring and analyzing method
Technical Field
The invention relates to the technical field of computer communication, in particular to a data flow monitoring and analyzing method.
Background
With the rapid development of internet services, enterprise networks face various threats, and as user behaviors and applications diversify, enterprise network performance becomes difficult to control. Traffic statistics and analysis of the enterprise network are therefore particularly important: through analysis, a network administrator can learn the traffic distribution of each network protocol and data such as the access volume and response of application operations, can quickly discover abnormal user behaviors such as illegal traffic and attack traffic, and gains a basis for formulating the enterprise network security policy and for traffic shaping, which in turn alleviates slowness of the enterprise network. In the prior art, a great deal of research has been carried out on data traffic analysis: mainstream manufacturers design dedicated hardware-level network processors to monitor the data traffic of core switches or key network facilities, and network service providers deploy traffic analysis software on network equipment such as switches and routers to analyze and process the data traffic of the whole local area network.
The invention patent ZL 200510004247.1 relates to a flow analysis method based on the Linux kernel, implemented as a Linux loadable kernel module, which can realize flow analysis at the datagram level and the flow level. That invention specifically introduces the following technical means: the network card sends an interrupt request to the CPU when it receives a data packet; the CPU obtains the arrived data packet from the network card cache according to the interrupt request; the data packet is transmitted to kernel space through the PCI bus; a corresponding node is established in the kernel packet cache; and finally the data packet is analyzed by a packet analysis function registered in the kernel, so that the flow analysis index produced by that function is obtained. This prior art realizes data traffic analysis to a certain extent, but it cannot comprehensively cover the traffic management and analysis of the various user equipment terminals in a complex network environment, and because the traffic analysis work is carried out in kernel space, the performance and safety of the equipment are greatly affected.
Disclosure of Invention
The invention aims to provide a data flow monitoring and analyzing method that addresses the data flow management requirement of a multi-terminal complex network environment in a local area network, mainly based on Windows.
The purpose of the invention is realized by the following technical scheme:
a data flow monitoring and analyzing method comprises the steps of data packet acquisition, strategy configuration, data packet analysis, link information statistics, flow statistics, abnormal access monitoring and statistical information presentation:
in the data packet acquisition step, a data packet acquisition module registers, through a bridge module, a packet receiving function of the network card bridge in kernel space, and the packet receiving function is responsible for processing the flow mirrored from the network equipment to the user terminal; the data packet acquisition module registers a character device driver file in kernel space and performs mmap memory mapping of that file at the application layer; the data packet acquisition module copies each data packet into the mapped file through the packet receiving function, so that the data packet is transmitted from the kernel to the application layer;
in the policy configuration step, the protocols used by data packet analysis, the data packet analysis range, and the security domains and applications forbidden to access are configured through a policy configuration module;
in the data packet analyzing step, a mapping file is accessed through a data packet analyzing module to realize the analysis of a data packet, and a source IP address, a destination IP address, a source port, a destination port and a protocol of the data packet are extracted according to protocol features determined by strategy configuration;
in the link information statistics step, a link information statistics module carries out statistics on the following information obtained in the data packet analysis step: client IP address, server IP address, client port, server port, transport layer protocol, application layer protocol, number of data packets received by the client, number of data packets received by the server, flow received by the client, flow received by the server, whether the flow is illegal, flow ending state, flow creation time and flow ending time;
in the flow statistics step, the uplink flow, downlink flow and per-protocol flow information obtained in the data packet analysis step are counted through a flow statistics module;
in the abnormal access monitoring step, an abnormal access monitoring module is used for detecting whether data traffic in the network accesses a security domain and an application which are set in the policy configuration step and are forbidden to access;
and in the statistical information presentation step, various types of information are counted by a statistical information presentation module according to time periods, IP address intervals, flow types, violation alarm conditions, equipment types and protocol types, and statistical results are presented in a table and graph visualization mode.
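The steps above describe a user-space analysis pipeline: parse each packet into its 5-tuple, maintain a per-link record, accumulate uplink/downlink/protocol counters, and flag links that reach a forbidden security domain or application. The following is an added example, not code from the patent or from Hangzhou Infogo: it implements steps 3 to 6 over constructed Ethernet/IPv4 frames. The policy values, addresses, class and function names (`POLICY`, `parse_frame`, `Analyzer`, `build_frame`, `run_demo`) and the rule that the first packet seen on a link defines the client side are all assumptions made for this example.

```python
"""Added example, not code from the patent: a user-space analyzer that carries out
steps 3 to 6 of the method (packet parsing, link statistics, traffic statistics,
abnormal-access monitoring) over constructed Ethernet/IPv4 frames. Policy values,
addresses and all function names are assumptions made for this example."""
import ipaddress
import struct
from collections import defaultdict

TCP, UDP = 6, 17

# Step 2, policy configuration. Every value here is constructed for the example.
POLICY = {
    "parse_range": ipaddress.ip_network("10.0.0.0/8"),           # hosts whose traffic is analysed
    "forbidden_domains": [ipaddress.ip_network("10.9.0.0/16")],  # security domain forbidden to access
    "forbidden_apps": {23: "telnet"},                             # application, identified by server port
}


def build_frame(src, dst, sport, dport, proto, payload=b"", tcp_flags=0x18):
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame (sample input only)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    l4_len = 20 if proto == TCP else 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len + len(payload), 0, 0, 64,
                     proto, 0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    if proto == TCP:  # data offset 5 words, flags as given, checksums left zero
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 0, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, l4_len + len(payload), 0)
    return eth + ip + l4 + payload


def parse_frame(frame):
    """Step 3: return (src, dst, sport, dport, proto, size, tcp_flags), or None
    for anything that is not IPv4 over TCP/UDP or is truncated."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if ihl < 20 or proto not in (TCP, UDP):
        return None
    l4 = frame[14 + ihl:]
    if len(l4) < (20 if proto == TCP else 8):
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    flags = l4[13] if proto == TCP else 0
    return (ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34]),
            sport, dport, proto, len(frame), flags)


class Analyzer:
    """Steps 4 to 6: link table, per-host traffic counters and policy checks."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.links = {}                      # step 4: keyed on the client-side 5-tuple
        self.uplink = defaultdict(int)       # step 5: bytes sent by each LAN host
        self.downlink = defaultdict(int)     # step 5: bytes received by each LAN host
        self.proto_bytes = defaultdict(int)  # step 5: bytes per transport protocol
        self.alerts = []                     # step 6: (client, server, server_port) violations

    def feed(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return None
        src, dst, sport, dport, proto, size, flags = parsed
        lan = self.policy["parse_range"]
        if src not in lan and dst not in lan:
            return None                      # outside the configured analysis range
        key, rkey = (src, dst, sport, dport, proto), (dst, src, dport, sport, proto)
        if rkey in self.links:               # reply direction of a link already seen
            link, from_client = self.links[rkey], False
        else:                                # first packet seen defines the client side
            link = self.links.setdefault(key, {
                "client": src, "server": dst, "client_port": sport, "server_port": dport,
                "proto": proto, "client_rx_pkts": 0, "server_rx_pkts": 0,
                "client_rx_bytes": 0, "server_rx_bytes": 0, "illegal": False, "ended": False})
            from_client = True
        rx = "server" if from_client else "client"   # the side that receives this packet
        link[rx + "_rx_pkts"] += 1
        link[rx + "_rx_bytes"] += size
        if proto == TCP and flags & 0x05:    # FIN or RST: record the flow-ending state
            link["ended"] = True
        if src in lan:
            self.uplink[src] += size
        if dst in lan:
            self.downlink[dst] += size
        self.proto_bytes[proto] += size
        if from_client and not link["illegal"] and self.violates(link):
            link["illegal"] = True
            self.alerts.append((str(link["client"]), str(link["server"]), link["server_port"]))
        return link

    def violates(self, link):
        """Step 6: does the link reach a forbidden security domain or application?"""
        in_domain = any(link["server"] in net for net in self.policy["forbidden_domains"])
        return in_domain or link["server_port"] in self.policy["forbidden_apps"]


def run_demo():
    """Feed a constructed capture and return the analyzer for inspection."""
    a = Analyzer()
    frames = [
        build_frame("10.1.1.5", "203.0.113.10", 50000, 443, TCP, b"x" * 100),      # LAN client -> web
        build_frame("203.0.113.10", "10.1.1.5", 443, 50000, TCP, b"y" * 1400),     # server reply
        build_frame("203.0.113.10", "10.1.1.5", 443, 50000, TCP, tcp_flags=0x11),  # FIN/ACK
        build_frame("10.1.1.5", "10.9.3.7", 50001, 22, TCP, b"z" * 50),            # forbidden domain
        build_frame("10.1.1.6", "10.2.2.2", 50002, 23, TCP),                       # forbidden app
        build_frame("10.1.1.6", "10.2.2.2", 50003, 53, UDP, b"q" * 30),            # allowed DNS
        build_frame("192.0.2.1", "198.51.100.1", 1, 2, TCP),                       # outside parse range
    ]
    for f in frames:
        a.feed(f)
    return a
```

`run_demo()` ends with four links, two of them marked illegal (the forbidden security domain and the forbidden telnet port), the web link closed by the FIN, and the frame outside the parse range ignored entirely. The per-link counters follow the patent's field list (packets and bytes received by each side, illegal flag, ending state); the timestamps the patent also records are omitted here because the constructed frames carry no capture time.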
Furthermore, the technical scheme of the invention is suitable for one or more network devices in a switch, a router and a network server.
Furthermore, when the method is applied to monitoring and analyzing the data flow of a Windows user terminal, the data packet analysis module parses the data packet according to the TCP/IP protocol in the user-space application layer.
The invention has the following beneficial effects:
data packets are mapped from kernel space to user space through the mmap technique, which realizes data flow detection and analysis for the many kinds of network equipment and user equipment terminals in the LAN; management of sensitive LAN information and resources is achieved through policy configuration and abnormal access monitoring; and network load, flow structure and other conditions are counted so that the network administrator can make corresponding adjustments and optimizations.
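The kernel-to-user transfer described here (a character device file that the application layer maps with mmap, with the kernel packet receiving function copying packets into the mapping) is, in user-space terms, a shared-memory ring buffer. The following added example, which is not code from the patent or from Hangzhou Infogo, models that transfer with an ordinary file mapped by Python's `mmap` module: `producer_write` stands in for the kernel packet receiving function and `consumer_read` for the user-space parser. The record layout, cursor positions, class and function names are assumptions made for this example, and the demo deliberately runs the ring full so that the drop path is exercised.

```python
"""Added example, not code from the patent: a file-backed shared-memory ring
buffer standing in for the mmap'd character device of the packet acquisition
step. producer_write plays the kernel packet-receiving function, consumer_read
the user-space packet-parsing module. Layout and names are assumptions."""
import mmap
import os
import struct
import tempfile

CUR = struct.Struct("<Q")          # one monotonically increasing cursor
REC = struct.Struct("<I")          # length prefix stored before each packet
W_OFF, R_OFF, DATA_OFF = 0, 8, 16  # write cursor, read cursor, start of the data area


class PacketRing:
    """Single-producer / single-consumer ring over one mmap'd file.

    Each side writes only its own cursor, so the two sides never write the same
    bytes; a real driver would add the memory barriers its platform requires."""

    def __init__(self, path, capacity=4096):
        self.capacity = capacity
        with open(path, "wb") as f:
            f.truncate(DATA_OFF + capacity)
        self.fd = os.open(path, os.O_RDWR)
        self.mm = mmap.mmap(self.fd, DATA_OFF + capacity)  # shared mapping of the "device" file
        CUR.pack_into(self.mm, W_OFF, 0)
        CUR.pack_into(self.mm, R_OFF, 0)

    def _put(self, pos, data):
        """Copy data at logical position pos, wrapping at the end of the data area."""
        start = DATA_OFF + pos % self.capacity
        first = min(len(data), DATA_OFF + self.capacity - start)
        self.mm[start:start + first] = data[:first]
        self.mm[DATA_OFF:DATA_OFF + len(data) - first] = data[first:]

    def _get(self, pos, n):
        start = DATA_OFF + pos % self.capacity
        first = min(n, DATA_OFF + self.capacity - start)
        return bytes(self.mm[start:start + first]) + bytes(self.mm[DATA_OFF:DATA_OFF + n - first])

    def producer_write(self, packet):
        """Kernel side: append one packet, or return False (drop) when the ring is full."""
        (w,) = CUR.unpack_from(self.mm, W_OFF)
        (r,) = CUR.unpack_from(self.mm, R_OFF)
        need = REC.size + len(packet)
        if need > self.capacity - (w - r):
            return False
        self._put(w, REC.pack(len(packet)) + packet)
        CUR.pack_into(self.mm, W_OFF, w + need)  # publish the record after its bytes are in place
        return True

    def consumer_read(self):
        """User side: pop the oldest packet, or None when the ring is empty."""
        (w,) = CUR.unpack_from(self.mm, W_OFF)
        (r,) = CUR.unpack_from(self.mm, R_OFF)
        if w == r:
            return None
        (n,) = REC.unpack(self._get(r, REC.size))
        packet = self._get(r + REC.size, n)
        CUR.pack_into(self.mm, R_OFF, r + REC.size + n)  # release the slot only after copying out
        return packet

    def close(self):
        self.mm.close()
        os.close(self.fd)


def drain(ring):
    """Read until the ring is empty and return the packets in arrival order."""
    out = []
    while True:
        p = ring.consumer_read()
        if p is None:
            return out
        out.append(p)


def run_demo(capacity=64):
    """Push constructed packets through a small ring; the consumer polls only every
    fourth packet, so the ring fills and the producer must drop (as a real capture
    path does under load). Returns (packets_received, packets_dropped)."""
    ring = PacketRing(os.path.join(tempfile.mkdtemp(), "pktring"), capacity)
    sent = [b"pkt-%02d" % i + bytes(11) for i in range(10)]  # ten constructed 17-byte packets
    got, dropped = [], 0
    for i, pkt in enumerate(sent):
        if not ring.producer_write(pkt):
            dropped += 1
        if i % 4 == 3:
            got.extend(drain(ring))
    got.extend(drain(ring))
    ring.close()
    return got, dropped
```

With a 64-byte data area and 21-byte records, three records fit between polls, so the fourth and eighth packets are dropped and the remaining eight arrive in order, with two of them wrapping around the end of the data area. A large enough ring (for example the default 4096 bytes) delivers all ten. The drop counter is the number a monitoring deployment should expose, since silent loss in the capture path directly undermines the link and flow statistics built on top of it.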
Drawings
FIG. 1 is a schematic diagram illustrating the steps of the data flow monitoring and analyzing method according to the present invention;
FIG. 2 is a flow chart of a specific implementation of the data traffic monitoring and analyzing method of the present invention.
Detailed Description
The invention is described below with reference to the accompanying drawings.
As shown in fig. 1 and fig. 2, a data traffic monitoring and analyzing method includes the steps of data packet acquisition 1, policy configuration 2, data packet parsing 3, link information statistics 4, traffic statistics 5, abnormal access monitoring 6, and statistical information presentation 7:
in the data packet acquisition 1 step, a data packet acquisition module 10 registers a packet receiving function 102 of the network card bridge through a bridge module 101, and the packet receiving function 102 is responsible for processing the flow mirrored from the network equipment to the user terminal; the data packet acquisition module 10 registers a character device driver file 103 in kernel space and performs mmap memory mapping of that file at the application layer; the data packet acquisition module 10 copies each data packet into the mapped file 301 through the packet receiving function 102, so as to transmit the data packet from the kernel to the application layer;
in the policy configuration 2 step, the protocols used for data packet analysis, the data packet analysis range, and the security domains and applications forbidden to be accessed are configured through a policy configuration module 20;
in the data packet analysis 3 step, the mapped file is accessed through a data packet analysis module 30 to realize the analysis of the data packet, and the source IP address, destination IP address, source port, destination port and protocol of the data packet are extracted according to the protocol characteristics determined in policy configuration 2;
in the link information statistics 4 step, a link information statistics module 40 carries out statistics on the following information obtained in data packet analysis 3: client IP address, server IP address, client port, server port, transport layer protocol, application layer protocol, number of data packets received by the client, number of data packets received by the server, flow received by the client, flow received by the server, whether the flow is illegal, flow ending state, flow creation time and flow ending time;
in the flow statistics 5 step, the uplink flow, downlink flow and per-protocol flow information obtained in data packet analysis 3 are counted through a flow statistics module 50;
in the abnormal access monitoring 6 step, an abnormal access monitoring module 60 detects whether the data traffic in the network accesses the security domains and applications that were set in policy configuration 2 as forbidden to access;
and in the statistical information presentation 7 step, various types of information are counted according to time period, IP address interval, traffic type, violation warning condition, equipment type and protocol type through a statistical information presentation module 70, and the statistical results are presented in a table and graph visualization mode.
When the data flow of a user terminal needs to be monitored and analyzed, the data packet acquisition module 10 transfers the data packets to be analyzed from kernel space to the user-space application layer, completing the data packet acquisition 1 step; the policy configuration module 20 distributes the policy within the local area network, implementing the policy configuration 2 step; the data packet analysis module 30 runs in the application layer, identifies protocol traffic from protocol characteristics and parses the acquired packet information, implementing the data packet analysis 3 step; when the flow of a single data packet ends, the link information statistics module 40 stores and counts the data flow information, implementing the link information statistics 4 step; the flow statistics module 50 counts the uplink flow, downlink flow and protocol flow of the equipment terminal, implementing the flow statistics 5 step; the abnormal access monitoring module 60 completes the abnormal access monitoring 6 step according to the preset monitoring behaviors; and the statistical information presentation module 70 provides the network administrator with statistical results in various display modes by means of visual graphs, text and tables, implementing the statistical information presentation 7 step.

Claims (3)

1. A data flow monitoring and analyzing method comprises the steps of data packet acquisition, strategy configuration, data packet analysis, link information statistics, flow statistics, abnormal access monitoring and statistical information presentation, and is characterized in that:
in the data packet acquisition step, a data packet acquisition module registers a packet receiving function of a network card bridge in a kernel space through a bridge module, and the packet receiving function is responsible for processing the flow mirrored from the network equipment to the user terminal; the data packet acquisition module registers a character drive file in a kernel space and performs mmap memory mapping on the character drive file at an application layer; the data packet acquisition module copies the data packet to a mapping file through a packet receiving function, so that the data packet is transmitted to an application layer from the kernel;
in the strategy configuration step, a protocol used by data packet analysis, a data packet analysis range, a security domain forbidden to access and an application are configured through a strategy configuration module;
in the data packet analyzing step, a mapping file is accessed through a data packet analyzing module to realize the analysis of a data packet, and a source IP address, a destination IP address, a source port, a destination port and a protocol of the data packet are extracted according to protocol features determined by strategy configuration;
in the link information statistics step, a link information statistics module is used for carrying out statistics on the client IP address, server IP address, client port, server port, transport layer protocol, application layer protocol, number of data packets received by the client, number of data packets received by the server, flow received by the client, flow received by the server, whether the flow is illegal, flow ending state, flow creation time and flow ending time information obtained in the data packet analysis step;
in the flow statistics step, statistics are carried out on the uplink flow, downlink flow and protocol flow information obtained in the data packet analysis step through a flow statistics module;
in the abnormal access monitoring step, an abnormal access monitoring module is used for detecting whether data traffic in the network accesses a security domain and an application which are set in the policy configuration step and are forbidden to access;
and in the statistical information presentation step, various types of information are counted by a statistical information presentation module according to time periods, IP address intervals, flow types, violation alarm conditions, equipment types and protocol types, and statistical results are presented in a table and graph visualization mode.
2. The data flow monitoring and analyzing method of claim 1, wherein: the network equipment is one or more of a switch, a router and a network server.
3. The data flow monitoring and analyzing method of claim 1, wherein: and the data packet analysis module analyzes the data packet according to a TCP/IP protocol at an application layer.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011391397.3A CN114465743B (en) 2020-12-01 2020-12-01 Data flow monitoring and analyzing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011391397.3A CN114465743B (en) 2020-12-01 2020-12-01 Data flow monitoring and analyzing method

Publications (2)

Publication Number Publication Date
CN114465743A true CN114465743A (en) 2022-05-10
CN114465743B CN114465743B (en) 2023-08-01

Family

ID=81404257

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011391397.3A Active CN114465743B (en) 2020-12-01 2020-12-01 Data flow monitoring and analyzing method

Country Status (1)

Country Link
CN (1) CN114465743B (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101567888A (en) * 2008-12-29 2009-10-28 郭世泽 Safety protection method of network feedback host computer
CN105099730A (en) * 2014-04-23 2015-11-25 北京奇虎科技有限公司 Terminal equipment and network flow calculation method and system based on terminal equipment
US10015205B1 (en) * 2014-07-23 2018-07-03 Microsoft Israel Research And Development (2002) Ltd. Techniques for traffic capture and reconstruction
KR101602189B1 (en) * 2015-04-28 2016-03-11 주식회사 넷커스터마이즈 traffic analysis and network monitoring system by packet capturing of 10-giga bit data
CN106656838A (en) * 2016-10-19 2017-05-10 赛尔网络有限公司 Data flow analyzing method and system
CN106789442A (en) * 2017-01-12 2017-05-31 上海新炬网络信息技术有限公司 LAN client performance analysis method based on data on flows
CN110912943A (en) * 2019-12-30 2020-03-24 北京明朝万达科技股份有限公司 Cross-network traffic analysis system
CN111371640A (en) * 2020-02-24 2020-07-03 深圳供电局有限公司 SDN controller-based traffic collection analysis method and system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118624A (en) * 2022-06-28 2022-09-27 平安银行股份有限公司 Production flow shunting method and device, electronic equipment and storage medium
CN115118624B (en) * 2022-06-28 2024-04-05 平安银行股份有限公司 Method and device for diverting production flow, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN114465743B (en) 2023-08-01

Similar Documents

Publication Publication Date Title
US11743289B2 (en) Managing transmissions of virtual machines using a network interface controller
US8059532B2 (en) Data and control plane architecture including server-side triggered flow policy mechanism
US11374835B2 (en) Apparatus and process for detecting network security attacks on IoT devices
US8997231B2 (en) Preventive intrusion device and method for mobile devices
US10432650B2 (en) System and method to protect a webserver against application exploits and attacks
US6499107B1 (en) Method and system for adaptive network security using intelligent packet analysis
US20170054686A1 (en) Agentless Security of Virtual Machines using a Filtering Platform
CN108111487B (en) Safety monitoring method and system
US20060198313A1 (en) Method and device for detecting and blocking unauthorized access
US20100132041A1 (en) Interception-based client data network security system
CN104038466B (en) Intruding detection system, method and apparatus for cloud computing environment
EP3111616A1 (en) Detecting and managing abnormal data behavior
US10951637B2 (en) Distributed detection of malicious cloud actors
CN110620690A (en) Network attack event processing method and electronic equipment thereof
US20090187666A1 (en) Method and system for controlling a computer application program
CN114465743B (en) Data flow monitoring and analyzing method
CN112769739A (en) Database operation violation processing method, device and equipment
Peng Research of network intrusion detection system based on snort and NTOP
CN114374838A (en) Network camera monitoring method, device, equipment and medium
CA3130584A1 (en) Network connection request method and apparatus
CA3122328A1 (en) A system for, and a method of creating cybersecurity situational awareness, threat detection and risk detection within the internet-of-things space
Peng et al. Design and implementation of network instruction detection system based on snort and NTOP
KR102352187B1 (en) Passive fingerprinting method and device
KR101453728B1 (en) Method and apparatus for providing network security policy based nat ip process
CN116112295B (en) Method and device for researching and judging external connection type attack result

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant