CN114465743B - Data flow monitoring and analyzing method - Google Patents

Info

Publication number: CN114465743B
Authority: CN (China)
Prior art keywords: data packet, flow, module, data, analysis
Legal status: Active
Application number: CN202011391397.3A
Other languages: Chinese (zh)
Other versions: CN114465743A (en)
Inventors: 罗治华, 李正耀, 田超华
Current Assignee: Hangzhou Infogo Tech Co ltd
Original Assignee: Hangzhou Infogo Tech Co ltd
Priority date: 2020-12-01
Filing date: 2020-12-01
Publication date: 2023-08-01

Timeline: application filed by Hangzhou Infogo Tech Co ltd; priority to CN202011391397.3A; publication of CN114465743A; application granted; publication of CN114465743B; legal status active; anticipated expiration (date not given on the page).

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a data flow monitoring and analyzing method that performs flow monitoring and analysis at the level of individual data packets and comprises the steps of data packet acquisition, policy configuration, data packet analysis, link information statistics, flow statistics, abnormal access monitoring and statistical information presentation. The invention overcomes the drawback of prior approaches, which either require separately configured dedicated equipment or, when relying only on bypass monitoring at the switch, cannot monitor the user terminal itself, and realizes the analysis and processing of Windows desktop data traffic.

Description

Data flow monitoring and analyzing method
Technical Field
The invention relates to the technical field of computer communication, and in particular to a data flow monitoring and analyzing method.
Background
With the rapid development of internet services, enterprise networks face a variety of threats, and the network performance of an enterprise also becomes hard to control as user behaviour and applications diversify. Flow statistics and analysis of the enterprise network are therefore especially important: through such analysis a network administrator can learn how traffic is distributed across network protocols, obtain data such as the access volume and response of application operations, quickly detect abnormal network behaviour such as illegal traffic and attack traffic from a user, obtain a basis for formulating the enterprise network's security policies and for traffic shaping, and thereby remedy the slowness of the enterprise network. In the prior art a great deal of research has been carried out on data flow analysis: mainstream vendors monitor the data flow of a core switch or of key network facilities by designing dedicated hardware-level network processors, and network service providers deploy data flow analysis software on network equipment such as switches and routers to analyze and process the data flow of the whole local area network.
Invention patent ZL 200510004247.1 relates to a flow analysis method based on the Linux kernel, implemented in a form that can be loaded into the Linux kernel, which can perform flow analysis at the datagram level and at the flow level. That invention specifically introduces the following technical means: the network card receives the data packet and sends an interrupt request to the CPU; the CPU obtains the arrived data packet from the network card buffer according to the interrupt request; the data packet is transmitted to kernel space through the PCI bus; a corresponding node is created in the kernel data packet buffer; and finally the data packet is analyzed by the data packet analysis function registered in the kernel, so as to obtain the flow analysis indicators produced by that function. This prior art realizes analysis of data traffic to a certain extent, but it cannot comprehensively cover traffic management and analysis of the various user equipment terminals found in a complex network environment, and because the data traffic analysis work is performed in kernel space, the performance and safety of the equipment are greatly affected.
Disclosure of Invention
The invention aims to provide a data flow monitoring and analyzing method that addresses the data flow management requirements of a multi-terminal complex network environment in a local area network based mainly on Windows.
The invention achieves this aim through the following technical scheme:
the data flow monitoring and analyzing method comprises the steps of data packet acquisition, policy configuration, data packet analysis, link information statistics, flow statistics, abnormal access monitoring and statistical information presentation:
in the data packet acquisition step, the data packet acquisition module registers, through a bridge module, a packet receiving function of the network card bridge in kernel space; this packet receiving function is responsible for processing the traffic mirrored from the network equipment to the user terminal. The data packet acquisition module also registers a character device file in kernel space and maps that file into memory at the application layer with mmap; the data packet acquisition module copies each data packet into the mapped file through the packet receiving function, so that the data packet is transferred from the kernel to the application layer;
the policy configuration step configures, through a policy configuration module, the protocol used for data packet analysis, the range of data packets to analyze, and the security domains and applications to which access is prohibited;
the data packet analysis step accesses the mapped file through the data packet analysis module to analyze each data packet, extracting its source IP address, destination IP address, source port, destination port and protocol according to the protocol characteristics determined in the policy configuration step;
the link information statistics step uses a link information statistics module to compile, from the results of the data packet analysis step, statistics for each link: client IP address, server IP address, client port, server port, transport-layer protocol, application-layer protocol, number of data packets received by the client side, number of data packets received by the server side, traffic received by the client side, traffic received by the server side, whether the traffic is illegal, the end state of the flow, the time the flow was established and the time the flow ended;
the flow statistics step uses a flow statistics module to compile statistics on the uplink traffic, downlink traffic and per-protocol traffic obtained from the data packet analysis step;
the abnormal access monitoring step uses an abnormal access monitoring module to detect whether data traffic in the network accesses the security domains and applications marked as prohibited in the policy configuration step;
and the statistical information presentation step uses a statistical information presentation module to present the statistical results as tables and graphs, broken down by time period, IP address range, traffic type, violation alarm status, equipment type and protocol type.
Further, the technical scheme of the invention is applicable to one or more of the following network devices: a switch, a router and a network server.
Further, when the invention is applied to monitoring and analyzing the data traffic of Windows user terminals, the data packet analysis module parses the data packet according to the TCP/IP protocol at the user-space application layer.
The invention has the following beneficial effects:
data packets are mapped from kernel space to user space with mmap, so that data flow detection and analysis is achieved for the many kinds of network equipment and user terminals in a local area network; management of the local area network's sensitive information and resources is achieved through policy configuration and abnormal access monitoring; and conditions such as network load and traffic structure are recorded statistically, so that a network administrator can conveniently make corresponding adjustments and optimizations.
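The kernel-to-application hand-off of the acquisition step is the part of the scheme that decides whether the user-space analyzer sees every mirrored packet or silently loses some. The following C program is an added illustration written for this page, not the patent's implementation: it models the mmap-shared buffer the application layer would read as a ring of fixed-size slots with a head/tail index header. The slot layout, the temporary regular file standing in for the registered character device file, and the `ring_push` function standing in for the kernel packet receiving function are all assumptions of this example; the frames pushed through it are constructed, not captured.

```c
/* Added example, not the patent's code: the user-space side of the kernel-to-application
 * hand-off in the acquisition step. The ring layout (index header plus fixed-size slots) is
 * assumed; a temporary regular file stands in for the registered character-device file so the
 * mapping can be exercised without a kernel module. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define SLOT_COUNT 8     /* slots in the ring; one is always kept empty to tell full from empty */
#define SLOT_DATA  256   /* bytes per slot; larger frames would have to be truncated or dropped */

struct ring_slot { uint32_t len; uint8_t data[SLOT_DATA]; };
struct ring {
    volatile uint32_t head;          /* next slot the producer (kernel receive function) fills */
    volatile uint32_t tail;          /* next slot the consumer (application layer) reads */
    struct ring_slot slots[SLOT_COUNT];
};

/* Map the device file into this process: this is the application-layer mmap of the step. */
static struct ring *ring_map(int fd)
{
    if (ftruncate(fd, (off_t)sizeof(struct ring)) != 0) return NULL;
    void *p = mmap(NULL, sizeof(struct ring), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    return p == MAP_FAILED ? NULL : (struct ring *)p;
}

/* Stand-in for the kernel packet-receive function: copy one mirrored frame into the next free
 * slot. Returns 0 when the ring is full or the frame does not fit (a drop worth counting). */
static int ring_push(struct ring *r, const uint8_t *frame, uint32_t len)
{
    uint32_t head = r->head, next = (head + 1) % SLOT_COUNT;
    if (next == r->tail || len > SLOT_DATA) return 0;
    r->slots[head].len = len;
    memcpy(r->slots[head].data, frame, len);
    __sync_synchronize();            /* make the slot visible before publishing the index */
    r->head = next;
    return 1;
}

/* Application-layer consumer: copy out the oldest frame; returns its length, 0 if empty. */
static uint32_t ring_pop(struct ring *r, uint8_t *out, uint32_t cap)
{
    uint32_t tail = r->tail;
    if (tail == r->head) return 0;
    uint32_t n = r->slots[tail].len < cap ? r->slots[tail].len : cap;
    memcpy(out, r->slots[tail].data, n);
    __sync_synchronize();            /* finish reading before releasing the slot */
    r->tail = (tail + 1) % SLOT_COUNT;
    return n;
}

/* Push ten constructed 64-byte frames through an 8-slot ring and drain it. Returns the number
 * of frames delivered, or -1 on a mapping error or a producer/consumer mismatch. */
static int demo_ring(void)
{
    FILE *f = tmpfile();             /* stands in for the character-device file */
    if (!f) return -1;
    struct ring *r = ring_map(fileno(f));
    if (!r) { fclose(f); return -1; }
    memset(r, 0, sizeof *r);
    int pushed = 0, popped = 0;
    uint8_t frame[64], buf[SLOT_DATA];
    for (int i = 0; i < 10; i++) {   /* only 7 fit: the ring keeps one slot empty */
        memset(frame, i, sizeof frame);
        pushed += ring_push(r, frame, sizeof frame);
    }
    while (ring_pop(r, buf, sizeof buf)) popped++;
    munmap(r, sizeof *r);
    fclose(f);
    return pushed == popped ? popped : -1;
}

int main(void)
{
    printf("frames delivered through the mapping: %d\n", demo_ring());
    return 0;
}
```

The point a practitioner should take from the drop path in `ring_push` is that a monitoring pipeline of this shape must count the frames the kernel side could not place, otherwise the flow and link statistics downstream undercount without any visible error.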
Drawings
FIG. 1 is a schematic diagram of the steps of the data flow monitoring and analyzing method of the present invention;
FIG. 2 is a flowchart of a specific implementation of the data traffic monitoring and analyzing method of the present invention.
Detailed Description
The invention is described below with reference to the accompanying drawings.
As shown in FIG. 1 and FIG. 2, a data traffic monitoring and analyzing method includes the steps of data packet acquisition 1, policy configuration 2, data packet analysis 3, link information statistics 4, traffic statistics 5, abnormal access monitoring 6 and statistical information presentation 7:
in the data packet acquisition step 1, the data packet acquisition module 10 registers a packet receiving function 102 of the network card bridge through a bridge module 101; the packet receiving function 102 is responsible for processing the traffic mirrored from the network equipment to the user terminal. The data packet acquisition module 10 also registers a character device file 103 in kernel space and maps it into memory at the application layer with mmap; the data packet acquisition module 10 copies each data packet into the mapped file 301 through the packet receiving function 102, so that the data packet is transferred from the kernel to the application layer;
the policy configuration step 2 configures, through the policy configuration module 20, the protocol used for data packet analysis, the range of data packets to analyze, and the security domains and applications to which access is prohibited;
the data packet analysis step 3 accesses the mapped file through the data packet analysis module 30 to analyze each data packet, extracting its source IP address, destination IP address, source port, destination port and protocol according to the protocol characteristics determined in the policy configuration step 2;
the link information statistics step 4 uses the link information statistics module 40 to compile, from the results of step 3, statistics for each link: client IP address, server IP address, client port, server port, transport-layer protocol, application-layer protocol, number of data packets received by the client side, number of data packets received by the server side, traffic received by the client side, traffic received by the server side, whether the traffic is illegal, the end state of the flow, the time the flow was established and the time the flow ended;
the traffic statistics step 5 uses the traffic statistics module 50 to compile statistics on the uplink traffic, downlink traffic and per-protocol traffic obtained in the data packet analysis step 3;
the abnormal access monitoring step 6 uses the abnormal access monitoring module 60 to detect whether data traffic in the network accesses the security domains and applications marked as prohibited in the policy configuration step 2;
the statistical information presentation step 7 uses the statistical information presentation module 70 to present the statistical results as tables and graphs, broken down by time period, IP address range, traffic type, violation alert status, equipment type and protocol type.
When the data traffic of a user terminal needs to be monitored and analyzed, the data packet acquisition module 10 transfers the data packets to be analyzed from kernel space to the user-space application layer, completing the data packet acquisition step 1; the policy configuration module 20 issues the policy to the local area network, implementing the policy configuration step 2; the data packet analysis module 30, running at the application layer, identifies the protocol of each flow from its protocol characteristics and parses the data packet to obtain its information, realizing the data packet analysis step 3; when a single packet flow ends, the link information statistics module 40 stores and counts the flow's information, realizing the link information statistics step 4; the traffic statistics module 50 counts the uplink, downlink and per-protocol traffic of the equipment terminal, realizing the traffic statistics step 5; the abnormal access monitoring module 60 monitors illegal behaviour according to the preset settings, completing the abnormal access monitoring step 6; and the statistical information presentation module 70 provides the network administrator with statistical results in various display modes as visual graphs and tables, implementing the statistical information presentation step 7.
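Steps 2 to 6 of the method form one pipeline at the application layer: a policy, a 5-tuple parser over the mapped packets, a per-link record, traffic totals, and a check of each packet against the prohibited domains and applications. The following C program is an added worked example written for this page, not the patent's own code; it runs that pipeline over constructed Ethernet/IPv4/TCP frames. The field names, the fixed-size link table, the policy shape (one prohibited security domain given as a network and mask, one prohibited application given as a port), and the choice to treat the first sender of a flow as its client and a FIN or RST as the end of the flow are all assumptions of this example.

```c
/* Added example, not the patent's code: steps 2 to 6 of the method, run in user space over
 * constructed Ethernet/IPv4/TCP frames. Field names, link table and policy shape are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))
struct tuple { uint32_t sip, dip; uint16_t sport, dport; uint8_t proto; };
/* Step 3: 5-tuple extraction; returns 0 for frames outside the analysis range (non-IPv4, truncated). */
static int parse_tuple(const uint8_t *f, size_t n, struct tuple *t, uint8_t *tcp_flags)
{
    if (n < 34 || (f[12] << 8 | f[13]) != 0x0800) return 0;
    const uint8_t *ip = f + 14;
    size_t ihl = (ip[0] & 0x0f) * 4u;
    if ((ip[0] >> 4) != 4 || ihl < 20 || n < 14 + ihl + 4) return 0;
    const uint8_t *l4 = ip + ihl; t->proto = ip[9];
    t->sip = IP(ip[12], ip[13], ip[14], ip[15]); t->dip = IP(ip[16], ip[17], ip[18], ip[19]);
    t->sport = (uint16_t)(l4[0] << 8 | l4[1]); t->dport = (uint16_t)(l4[2] << 8 | l4[3]);
    *tcp_flags = (t->proto == 6 && n >= 14 + ihl + 14) ? l4[13] : 0;  /* flags only for TCP */
    return 1;
}
/* Step 2 (constructed policy): prohibited domain 10.10.0.0/16, prohibited application telnet/23.
 * Step 6: a packet whose destination reaches either is a violation. */
struct policy { uint32_t net, mask; uint16_t app_port; };
static const struct policy POLICY = { IP(10, 10, 0, 0), 0xffff0000u, 23 };
static int violates(const struct tuple *t)
{
    return (t->dip & POLICY.mask) == POLICY.net || t->dport == POLICY.app_port;
}
/* Steps 4 and 5: one record per link, keyed client->server as first seen. */
struct link {
    struct tuple key; int used, illegal, ended;
    uint32_t s_pkts, c_pkts;       /* packets received by the server / by the client */
    uint64_t up_bytes, down_bytes; /* client->server (uplink) / server->client (downlink) bytes */
    uint32_t t_new, t_end;         /* flow establishment and end times */
};
enum { MAX_LINKS = 16 };
static struct link links[MAX_LINKS];
static struct link *lookup(const struct tuple *t, uint32_t now, int *to_server)
{
    for (int i = 0; i < MAX_LINKS; i++) {
        const struct tuple *k = &links[i].key;
        if (!links[i].used || k->proto != t->proto) continue;
        if (k->sip == t->sip && k->dip == t->dip && k->sport == t->sport && k->dport == t->dport) { *to_server = 1; return &links[i]; }
        if (k->sip == t->dip && k->dip == t->sip && k->sport == t->dport && k->dport == t->sport) { *to_server = 0; return &links[i]; }
    }
    for (int i = 0; i < MAX_LINKS; i++) {
        if (links[i].used) continue;   /* new flow: its first sender is recorded as the client */
        links[i].used = 1; links[i].key = *t; links[i].t_new = now; links[i].illegal = violates(t);
        *to_server = 1; return &links[i];
    }
    return NULL;   /* table full; a deployment would count this as a drop */
}
/* Account one mirrored frame observed at time `now` (seconds). Returns 1 if it was counted. */
static int process_frame(const uint8_t *f, size_t n, uint32_t now)
{
    struct tuple t; uint8_t flags; int to_server;
    if (!parse_tuple(f, n, &t, &flags)) return 0;
    struct link *l = lookup(&t, now, &to_server);
    if (!l) return 0;
    if (to_server) { l->s_pkts++; l->up_bytes += n; } else { l->c_pkts++; l->down_bytes += n; }
    if (flags & 0x05) { l->ended = 1; l->t_end = now; }   /* FIN or RST ends the flow */
    return 1;
}
/* Step 5 totals and step 6 counts, as the presentation step would read them. */
static uint64_t total_uplink(void)   { uint64_t s = 0; for (int i = 0; i < MAX_LINKS; i++) s += links[i].up_bytes;   return s; }
static uint64_t total_downlink(void) { uint64_t s = 0; for (int i = 0; i < MAX_LINKS; i++) s += links[i].down_bytes; return s; }
static int illegal_links(void) { int c = 0; for (int i = 0; i < MAX_LINKS; i++) c += links[i].used && links[i].illegal; return c; }
static int ended_links(void)   { int c = 0; for (int i = 0; i < MAX_LINKS; i++) c += links[i].used && links[i].ended;   return c; }
/* Constructed frame builder (sample input, not captured traffic): Ethernet II + IPv4 + TCP. */
static size_t mk_frame(uint8_t *b, uint32_t sip, uint32_t dip, uint16_t sp, uint16_t dp, uint8_t flags, size_t payload)
{
    memset(b, 0, 54 + payload);
    b[12] = 0x08; b[13] = 0x00;                     /* EtherType IPv4 */
    uint8_t *ip = b + 14, *tcp = ip + 20;
    ip[0] = 0x45; ip[9] = 6;                        /* version 4, IHL 5, protocol TCP */
    ip[2] = (uint8_t)((40 + payload) >> 8); ip[3] = (uint8_t)(40 + payload);
    for (int i = 0; i < 4; i++) { ip[12 + i] = (uint8_t)(sip >> (24 - 8 * i)); ip[16 + i] = (uint8_t)(dip >> (24 - 8 * i)); }
    tcp[0] = (uint8_t)(sp >> 8); tcp[1] = (uint8_t)sp; tcp[2] = (uint8_t)(dp >> 8); tcp[3] = (uint8_t)dp;
    tcp[12] = 0x50; tcp[13] = flags;                /* data offset 5, TCP flags */
    return 54 + payload;
}
/* Replay a constructed session: a normal HTTPS exchange, one access to the prohibited domain
 * and application, and one non-IPv4 frame. Returns the number of frames counted. */
static int demo_session(void)
{
    uint8_t b[600], arp[60] = {0}; int ok = 0;
    uint32_t c = IP(192, 168, 1, 20), s = IP(203, 0, 113, 5), bad = IP(10, 10, 3, 7);
    memset(links, 0, sizeof links);
    ok += process_frame(b, mk_frame(b, c, s, 50000, 443, 0x02, 0), 100);   /* SYN */
    ok += process_frame(b, mk_frame(b, s, c, 443, 50000, 0x12, 0), 100);   /* SYN-ACK */
    ok += process_frame(b, mk_frame(b, c, s, 50000, 443, 0x18, 200), 101); /* request */
    ok += process_frame(b, mk_frame(b, s, c, 443, 50000, 0x18, 500), 101); /* response */
    ok += process_frame(b, mk_frame(b, c, s, 50000, 443, 0x11, 0), 102);   /* FIN: flow ends */
    ok += process_frame(b, mk_frame(b, c, bad, 50001, 23, 0x02, 0), 103);  /* violates the policy */
    arp[12] = 0x08; arp[13] = 0x06; ok += process_frame(arp, sizeof arp, 103); /* ARP: outside range */
    return ok;
}
int main(void) { int n = demo_session(); printf("%d frames counted, %d illegal link(s)\n", n, illegal_links()); return 0; }
```

Two design points are worth noting when reading this against the patent's steps. The parser counts a frame as outside the analysis range (returning 0) rather than guessing at headers it cannot see, which is what the policy's "data packet analysis range" implies; and the link record classifies a flow as illegal on its first packet, so that the abnormal access monitoring step raises its alert as soon as a SYN toward a prohibited domain or application is observed, before any data is exchanged.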

Claims (3)

1. The data flow monitoring and analyzing method comprises the steps of data packet acquisition, policy configuration, data packet analysis, link information statistics, flow statistics, abnormal access monitoring and statistical information presentation, and is characterized in that:
in the data packet acquisition step, the data packet acquisition module registers, through a bridge module, a packet receiving function of the network card bridge in kernel space; this packet receiving function is responsible for processing the traffic mirrored from the network equipment to the user terminal. The data packet acquisition module also registers a character device file in kernel space and maps that file into memory at the application layer with mmap; the data packet acquisition module copies each data packet into the mapped file through the packet receiving function, so that the data packet is transferred from the kernel to the application layer;
the policy configuration step configures, through a policy configuration module, the protocol used for data packet analysis, the range of data packets to analyze, and the security domains and applications to which access is prohibited;
the data packet analysis step accesses the mapped file through the data packet analysis module to analyze each data packet, extracting its source IP address, destination IP address, source port, destination port and protocol according to the protocol characteristics determined in the policy configuration step;
the link information statistics step uses a link information statistics module to compile, from the results of the data packet analysis step, statistics for each link: client IP address, server IP address, client port, server port, transport-layer protocol, application-layer protocol, number of data packets received by the client side, number of data packets received by the server side, traffic received by the client side, traffic received by the server side, whether the traffic is illegal, the end state of the flow, the time the flow was established and the time the flow ended;
the flow statistics step uses a flow statistics module to compile statistics on the uplink traffic, downlink traffic and per-protocol traffic obtained from the data packet analysis step;
the abnormal access monitoring step uses an abnormal access monitoring module to detect whether data traffic in the network accesses the security domains and applications marked as prohibited in the policy configuration step;
and the statistical information presentation step uses a statistical information presentation module to present the statistical results as tables and graphs, broken down by time period, IP address range, traffic type, violation alarm status, equipment type and protocol type.
2. The data traffic monitoring and analysis method according to claim 1, wherein the network equipment is one or more of a switch, a router and a network server.
3. The data traffic monitoring and analysis method according to claim 1, wherein the data packet analysis module parses the data packet according to the TCP/IP protocol at the application layer.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011391397.3A CN114465743B (en) 2020-12-01 2020-12-01 Data flow monitoring and analyzing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011391397.3A CN114465743B (en) 2020-12-01 2020-12-01 Data flow monitoring and analyzing method

Publications (2)

Publication Number Publication Date
CN114465743A CN114465743A (en) 2022-05-10
CN114465743B (en) 2023-08-01

Family

ID=81404257

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011391397.3A Active CN114465743B (en) 2020-12-01 2020-12-01 Data flow monitoring and analyzing method

Country Status (1)

Country Link
CN (1) CN114465743B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118624B (en) * 2022-06-28 2024-04-05 平安银行股份有限公司 Method and device for diverting production flow, electronic equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101567888A (en) * 2008-12-29 2009-10-28 郭世泽 Safety protection method of network feedback host computer
CN105099730A (en) * 2014-04-23 2015-11-25 北京奇虎科技有限公司 Terminal equipment and network flow calculation method and system based on terminal equipment
KR101602189B1 (en) * 2015-04-28 2016-03-11 주식회사 넷커스터마이즈 traffic analysis and network monitoring system by packet capturing of 10-giga bit data
CN106656838A (en) * 2016-10-19 2017-05-10 赛尔网络有限公司 Data flow analyzing method and system
CN106789442A (en) * 2017-01-12 2017-05-31 上海新炬网络信息技术有限公司 LAN client performance analysis method based on data on flows
US10015205B1 (en) * 2014-07-23 2018-07-03 Microsoft Israel Research And Development (2002) Ltd. Techniques for traffic capture and reconstruction
CN110912943A (en) * 2019-12-30 2020-03-24 北京明朝万达科技股份有限公司 Cross-network traffic analysis system
CN111371640A (en) * 2020-02-24 2020-07-03 深圳供电局有限公司 SDN controller-based traffic collection analysis method and system

Also Published As

Publication number Publication date
CN114465743A (en) 2022-05-10

Similar Documents

Publication Publication Date Title
US10257224B2 (en) Method and apparatus for providing forensic visibility into systems and networks
EP3603032B1 (en) Detecting domain name system (dns) tunneling based on dns logs and network data
US10432650B2 (en) System and method to protect a webserver against application exploits and attacks
US8402529B1 (en) Preventing propagation of malicious software during execution in a virtual machine
US8059532B2 (en) Data and control plane architecture including server-side triggered flow policy mechanism
US10666680B2 (en) Service overload attack protection based on selective packet transmission
CA2990910A1 (en) Dynamic assessment and control of system activity
US20150067764A1 (en) Whitelist-based network switch
US9253153B2 (en) Anti-cyber hacking defense system
CN107360198B (en) Suspicious domain name detection method and system
WO2016032491A1 (en) Distributed detection of malicious cloud actors
CN111600865A (en) Abnormal communication detection method and device, electronic equipment and storage medium
CN110620690A (en) Network attack event processing method and electronic equipment thereof
CN114465743B (en) Data flow monitoring and analyzing method
US8463921B2 (en) Method and system for controlling a computer application program
Ono et al. A proposal of port scan detection method based on Packet‐In Messages in OpenFlow networks and its evaluation
US20240089272A1 (en) Detection of cybersecurity threats utilizing established baselines
EP3971748A1 (en) Network connection request method and apparatus
CN113242255B (en) Intelligent flow analysis method and system based on enterprise security
JP5926413B1 (en) Information processing apparatus, information processing method, and program
JP6145588B2 (en) Information processing apparatus, information processing method, and program
JP5992643B2 (en) Information processing apparatus, information processing method, and program
US20230129367A1 (en) Method of analysing anomalous network traffic
TWI764618B (en) Cyber security protection system and related proactive suspicious domain alert system
US20230379342A1 (en) System and method for detecting malicious activity based on set detection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant