CN114465743A - Data flow monitoring and analyzing method - Google Patents
Data flow monitoring and analyzing method
- Publication number
- CN114465743A (application CN202011391397.3A)
- Authority
- CN
- China
- Prior art keywords
- data packet
- flow
- module
- protocol
- statistics
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1425—Traffic logging, e.g. anomaly detection
        - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
      - H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
        - H04L69/22—Parsing or analysis of headers
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  - Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    - Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
      - Y02D30/00—Reducing energy consumption in communication networks
        - Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a data flow monitoring and analyzing method that performs traffic monitoring and analysis at the packet level and comprises the steps of packet acquisition, policy configuration, packet parsing, link information statistics, traffic statistics, abnormal access monitoring and statistical information presentation. It overcomes the drawback of the prior art that dedicated equipment has to be deployed separately, or that a switch bypass alone cannot monitor the user terminals, and achieves analysis and processing of the data flow of Windows desktops.
Description
Technical Field
The invention relates to the technical field of computer communication, in particular to a data flow monitoring and analyzing method.
Background
With the rapid development of internet services, enterprise networks face a variety of threats, and as user behaviour and applications diversify, enterprise network performance becomes hard to control. Traffic statistics and analysis of the enterprise network are therefore particularly important: through analysis, a network administrator can learn the traffic distribution of each network protocol and data such as the access volume and response of application operations, can quickly discover abnormal user network behaviour such as illegal traffic and attack traffic, and gains a basis for formulating the enterprise network security policy and performing traffic shaping, which in turn addresses the problem of a slow enterprise network. In the prior art, a great deal of research has been carried out on data traffic analysis: mainstream vendors design dedicated hardware-level network processors to monitor the data traffic of a core switch or other key network facility, and network service providers deploy data traffic analysis software on network equipment such as switches and routers to analyze and process the data traffic of the whole local area network.
The invention patent ZL 200510004247.1 relates to a traffic analysis method based on the Linux kernel; it is implemented as a loadable Linux kernel module and performs traffic analysis at the datagram level and at the flow level. Specifically, it introduces the following technical means: when the network card receives a data packet it sends an interrupt request to the CPU; according to the interrupt request the CPU fetches the arrived packet from the network card cache; the packet is transferred to kernel space over the PCI bus and a corresponding node is created in the kernel's packet cache; finally the packet is analyzed by a packet analysis function registered in the kernel, which yields the traffic analysis indicators that function computes. This prior art achieves data traffic analysis to a certain extent, but it cannot comprehensively cover traffic management and analysis for the many kinds of user equipment terminals found in a complex network environment, and because the data traffic analysis work is carried out in kernel space, device performance and security are significantly affected.
Disclosure of Invention
The invention aims to provide a data flow monitoring and analyzing method that addresses the data traffic management requirements of a multi-terminal complex network environment within a local area network consisting mainly of Windows hosts.
The purpose of the invention is achieved by the following technical scheme:
a data flow monitoring and analyzing method comprising the steps of packet acquisition, policy configuration, packet parsing, link information statistics, traffic statistics, abnormal access monitoring and statistical information presentation:
in the packet acquisition step, a packet acquisition module registers, through a bridge module, a packet receiving function of the network card bridge in kernel space, the packet receiving function being responsible for processing the traffic mirrored from the network equipment to the user terminal; the packet acquisition module registers a character device file in kernel space and memory-maps the character device file into the application layer with mmap; and the packet acquisition module copies each packet into the mapped file through the packet receiving function, so that the packet is transferred from the kernel to the application layer;
in the policy configuration step, the protocols used for packet parsing, the packet parsing range, and the security domains and applications forbidden to access are configured through a policy configuration module;
in the packet parsing step, a packet parsing module accesses the mapped file to parse the packets and extracts the source IP address, destination IP address, source port, destination port and protocol of each packet according to the protocol features determined by the policy configuration;
in the link information statistics step, a link information statistics module compiles, from the information obtained in the packet parsing step, the client IP address, server IP address, client port, server port, transport-layer protocol, application-layer protocol, number of packets received by the client, number of packets received by the server, traffic received by the client, traffic received by the server, whether the flow is illegal, the flow end state, the flow creation time and the flow end time;
in the traffic statistics step, a traffic statistics module compiles the uplink traffic, downlink traffic and per-protocol traffic information obtained in the packet parsing step;
in the abnormal access monitoring step, an abnormal access monitoring module detects whether data traffic in the network accesses a security domain or application that was set as forbidden in the policy configuration step;
and in the statistical information presentation step, a statistical information presentation module compiles the various types of information by time period, IP address range, traffic type, violation alarm condition, equipment type and protocol type, and presents the statistical results as tables and graphs.
Furthermore, the technical scheme of the invention is applicable to one or more of the following network devices: a switch, a router and a network server.
Furthermore, when the method is applied to monitoring and analyzing the data traffic of a Windows user terminal, the packet parsing module parses the packets according to the TCP/IP protocol in the user-space application layer.
The invention has the following beneficial effects:
packets are mapped from kernel space into user space with mmap, so that data traffic detection and analysis covers the many types of network equipment and user equipment terminals in the LAN; sensitive LAN information and resources are managed through policy configuration and abnormal access monitoring; and network load, traffic structure and similar conditions are compiled so that a network administrator can make the corresponding adjustments and optimizations.
Drawings
FIG. 1 is a schematic diagram illustrating the steps of the data flow monitoring and analyzing method according to the present invention;
FIG. 2 is a flow chart of a specific implementation of the data traffic monitoring and analyzing method of the present invention.
Detailed Description
The invention is described below with reference to the accompanying drawings.
As shown in FIG. 1 and FIG. 2, a data traffic monitoring and analyzing method comprises the steps of packet acquisition 1, policy configuration 2, packet parsing 3, link information statistics 4, traffic statistics 5, abnormal access monitoring 6 and statistical information presentation 7:
in the packet acquisition 1 step, a packet acquisition module 10 registers, through a bridge module 101, a packet receiving function 102 of the network card bridge, the packet receiving function 102 being responsible for processing the traffic mirrored from the network equipment to the user terminal; the packet acquisition module 10 registers a character device file 103 in kernel space and memory-maps the character device file into the application layer with mmap; the packet acquisition module 10 copies each packet into the mapped file 301 through the packet receiving function 102, so that the packet is transferred from the kernel to the application layer;
in the policy configuration 2 step, the protocols used for packet parsing, the packet parsing range, and the security domains and applications forbidden to access are configured through a policy configuration module 20;
in the packet parsing 3 step, the packet parsing module 30 accesses the mapped file to parse the packets and extracts the source IP address, destination IP address, source port, destination port and protocol of each packet according to the protocol features determined by the policy configuration 2;
in the abnormal access monitoring 6 step, the abnormal access monitoring module 60 detects whether data traffic in the network accesses a security domain or application that was set as forbidden in the policy configuration 2 step;
and in the statistical information presentation 7 step, a statistical information presentation module 70 compiles the various types of information by time period, IP address range, traffic type, violation alarm condition, equipment type and protocol type, and presents the statistical results as tables and graphs.
When the data traffic of a user terminal is to be monitored and analyzed, the packet acquisition module 10 transfers the packets to be analyzed from kernel space to the user-space application layer, completing the packet acquisition 1 step; the policy configuration module 20 issues the policy within the local area network, carrying out the policy configuration 2 step; the packet parsing module 30 runs in the application layer, identifies protocol traffic by its protocol features and parses the acquired packet information, carrying out the packet parsing 3 step; when the flow of a single packet has ended, the link information statistics module 40 stores and counts the data flow information, carrying out the link information statistics 4 step; the traffic statistics module 50 compiles the uplink, downlink and per-protocol traffic of the equipment terminal, carrying out the traffic statistics 5 step; the abnormal access monitoring module 60 completes the abnormal access monitoring 6 step according to the preset monitoring behaviour; and the statistical information presentation module 70 provides the network administrator with statistical results in various display modes as visual graphs, text and tables, carrying out the statistical information presentation 7 step.
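The user-space half of the method above (packet parsing 3, link information statistics 4, traffic statistics 5 and abnormal access monitoring 6), as an added Python example that is not the patent's own code. It assumes the frames copied into the mapped file are plain Ethernet/IPv4 frames, that the monitored terminal subnet is the client side of every link, and that a forbidden security domain is expressed as a CIDR and a forbidden application as a server port; the policy values and the test frames are constructed.

```python
import ipaddress
import struct
from collections import defaultdict

# Hypothetical policy in the shape of the patent's policy-configuration step (all values constructed).
POLICY = {
    "terminal_net": ipaddress.ip_network("192.168.10.0/24"),      # monitored user terminals
    "forbidden_domains": [ipaddress.ip_network("10.99.0.0/16")],  # security domain forbidden to access
    "forbidden_apps": {23, 3389},                                 # forbidden applications, by server port
}
ETH_IPV4, TCP, UDP = 0x0800, 6, 17

def parse_packet(frame):
    """Packet parsing: (src_ip, dst_ip, sport, dport, proto, ip_len, tcp_flags) from one Ethernet
    frame, or None when the frame is outside the parsing range (non-IPv4, non-TCP/UDP, truncated),
    so junk in the mapped buffer is skipped instead of being parsed."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    l4 = 14 + (frame[14] & 0x0F) * 4                      # IHL gives the start of the L4 header
    ip_len, proto = struct.unpack_from("!H", frame, 16)[0], frame[23]
    if proto not in (TCP, UDP) or len(frame) < l4 + (20 if proto == TCP else 8):
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    flags = frame[l4 + 13] if proto == TCP else 0
    return (str(ipaddress.IPv4Address(frame[26:30])), str(ipaddress.IPv4Address(frame[30:34])),
            sport, dport, proto, ip_len, flags)

class Monitor:
    """Link information statistics, traffic statistics and abnormal access monitoring, all in user space."""
    def __init__(self, policy=POLICY):
        self.policy, self.links = policy, {}
        self.flow = defaultdict(int)                      # uplink / downlink / per-protocol byte counters

    def is_forbidden(self, server_ip, server_port):
        """Abnormal access monitoring: server inside a forbidden security domain or a forbidden application."""
        ip = ipaddress.ip_address(server_ip)
        return any(ip in net for net in self.policy["forbidden_domains"]) or server_port in self.policy["forbidden_apps"]

    def feed(self, frame, ts):
        """Account one captured frame to its link record; returns the record (None if skipped)."""
        p = parse_packet(frame)
        if p is None:
            return None
        src, dst, sport, dport, proto, ip_len, flags = p
        # Assumption: the terminal-network side is the client, so client-sent packets are uplink.
        uplink = ipaddress.ip_address(src) in self.policy["terminal_net"]
        key = (src, dst, sport, dport, proto) if uplink else (dst, src, dport, sport, proto)
        rec = self.links.setdefault(key, {
            "client_pkts": 0, "server_pkts": 0, "client_bytes": 0, "server_bytes": 0,
            "illegal": self.is_forbidden(key[1], key[3]), "state": "open",
            "created": ts, "ended": None})
        side = "server" if uplink else "client"           # the side that receives this packet
        rec[side + "_pkts"] += 1
        rec[side + "_bytes"] += ip_len
        self.flow["uplink" if uplink else "downlink"] += ip_len
        self.flow["tcp" if proto == TCP else "udp"] += ip_len
        if flags & 0x05:                                  # FIN or RST: the link has ended
            rec["state"], rec["ended"] = "closed", ts
        return rec

    def violations(self):
        """Links that hit the forbidden policy, for the violation-alarm view of the presentation step."""
        return [key for key, rec in self.links.items() if rec["illegal"]]

def build_frame(src, dst, sport, dport, proto, payload, flags=0):
    """Constructed sample input: minimal Ethernet/IPv4/TCP-or-UDP frame with zero checksums."""
    hdr_len = 20 if proto == TCP else 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + hdr_len + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) if proto == TCP
          else struct.pack("!HHHH", sport, dport, hdr_len + len(payload), 0))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + l4 + payload
```

Feeding a terminal-to-server frame and the server's FIN reply into `Monitor.feed` yields one link record with per-side packet and byte counts, a closed end state, and an `illegal` flag when the server sits in the forbidden domain or speaks a forbidden application port.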
Claims (3)
1. A data flow monitoring and analyzing method comprising the steps of packet acquisition, policy configuration, packet parsing, link information statistics, traffic statistics, abnormal access monitoring and statistical information presentation, characterized in that:
in the packet acquisition step, a packet acquisition module registers, through a bridge module, a packet receiving function of the network card bridge in kernel space, the packet receiving function being responsible for processing the traffic mirrored from the network equipment to the user terminal; the packet acquisition module registers a character device file in kernel space and memory-maps the character device file into the application layer with mmap; and the packet acquisition module copies each packet into the mapped file through the packet receiving function, so that the packet is transferred from the kernel to the application layer;
in the policy configuration step, the protocols used for packet parsing, the packet parsing range, and the security domains and applications forbidden to access are configured through a policy configuration module;
in the packet parsing step, a packet parsing module accesses the mapped file to parse the packets and extracts the source IP address, destination IP address, source port, destination port and protocol of each packet according to the protocol features determined by the policy configuration;
in the link information statistics step, a link information statistics module compiles, from the information obtained in the packet parsing step, the client IP address, server IP address, client port, server port, transport-layer protocol, application-layer protocol, number of packets received by the client, number of packets received by the server, traffic received by the client, traffic received by the server, whether the flow is illegal, the flow end state, the flow creation time and the flow end time;
in the traffic statistics step, a traffic statistics module compiles the uplink traffic, downlink traffic and per-protocol traffic information obtained in the packet parsing step;
in the abnormal access monitoring step, an abnormal access monitoring module detects whether data traffic in the network accesses a security domain or application that was set as forbidden in the policy configuration step;
and in the statistical information presentation step, a statistical information presentation module compiles the various types of information by time period, IP address range, traffic type, violation alarm condition, equipment type and protocol type, and presents the statistical results as tables and graphs.
2. The data flow monitoring and analyzing method of claim 1, wherein the network equipment is one or more of a switch, a router and a network server.
3. The data flow monitoring and analyzing method of claim 1, wherein the packet parsing module parses the packets according to the TCP/IP protocol at the application layer.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011391397.3A CN114465743B (en) | 2020-12-01 | 2020-12-01 | Data flow monitoring and analyzing method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011391397.3A CN114465743B (en) | 2020-12-01 | 2020-12-01 | Data flow monitoring and analyzing method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114465743A (en) | 2022-05-10 |
CN114465743B CN114465743B (en) | 2023-08-01 |
Family
ID=81404257
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011391397.3A Active CN114465743B (en) | 2020-12-01 | 2020-12-01 | Data flow monitoring and analyzing method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114465743B (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101567888A (en) * | 2008-12-29 | 2009-10-28 | 郭世泽 | Safety protection method of network feedback host computer |
CN105099730A (en) * | 2014-04-23 | 2015-11-25 | 北京奇虎科技有限公司 | Terminal equipment and network flow calculation method and system based on terminal equipment |
KR101602189B1 (en) * | 2015-04-28 | 2016-03-11 | 주식회사 넷커스터마이즈 | traffic analysis and network monitoring system by packet capturing of 10-giga bit data |
CN106656838A (en) * | 2016-10-19 | 2017-05-10 | 赛尔网络有限公司 | Data flow analyzing method and system |
CN106789442A (en) * | 2017-01-12 | 2017-05-31 | 上海新炬网络信息技术有限公司 | LAN client performance analysis method based on data on flows |
US10015205B1 (en) * | 2014-07-23 | 2018-07-03 | Microsoft Israel Research And Development (2002) Ltd. | Techniques for traffic capture and reconstruction |
CN110912943A (en) * | 2019-12-30 | 2020-03-24 | 北京明朝万达科技股份有限公司 | Cross-network traffic analysis system |
CN111371640A (en) * | 2020-02-24 | 2020-07-03 | 深圳供电局有限公司 | SDN controller-based traffic collection analysis method and system |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115118624A (en) * | 2022-06-28 | 2022-09-27 | 平安银行股份有限公司 | Production flow shunting method and device, electronic equipment and storage medium |
CN115118624B (en) * | 2022-06-28 | 2024-04-05 | 平安银行股份有限公司 | Method and device for diverting production flow, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN114465743B (en) | 2023-08-01 |
Similar Documents
Publication | Title |
---|---|
US11743289B2 (en) | Managing transmissions of virtual machines using a network interface controller |
US8059532B2 (en) | Data and control plane architecture including server-side triggered flow policy mechanism |
US11374835B2 (en) | Apparatus and process for detecting network security attacks on IoT devices |
US8997231B2 (en) | Preventive intrusion device and method for mobile devices |
US10432650B2 (en) | System and method to protect a webserver against application exploits and attacks |
US6499107B1 (en) | Method and system for adaptive network security using intelligent packet analysis |
US20170054686A1 (en) | Agentless Security of Virtual Machines using a Filtering Platform |
CN108111487B (en) | Safety monitoring method and system |
US20060198313A1 (en) | Method and device for detecting and blocking unauthorized access |
US20100132041A1 (en) | Interception-based client data network security system |
CN104038466B (en) | Intrusion detection system, method and apparatus for cloud computing environment |
EP3111616A1 (en) | Detecting and managing abnormal data behavior |
US10951637B2 (en) | Distributed detection of malicious cloud actors |
CN110620690A (en) | Network attack event processing method and electronic equipment thereof |
US20090187666A1 (en) | Method and system for controlling a computer application program |
CN114465743B (en) | Data flow monitoring and analyzing method |
CN112769739A (en) | Database operation violation processing method, device and equipment |
Peng | Research of network intrusion detection system based on snort and NTOP |
CN114374838A (en) | Network camera monitoring method, device, equipment and medium |
CA3130584A1 (en) | Network connection request method and apparatus |
CA3122328A1 (en) | A system for, and a method of creating cybersecurity situational awareness, threat detection and risk detection within the internet-of-things space |
Peng et al. | Design and implementation of network intrusion detection system based on snort and NTOP |
KR102352187B1 (en) | Passive fingerprinting method and device |
KR101453728B1 (en) | Method and apparatus for providing network security policy based NAT IP process |
CN116112295B (en) | Method and device for researching and judging external connection type attack result |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |