Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L67/00—Network arrangements or protocols for supporting network services or applications
  • H04L67/01—Protocols
  • H04L67/10—Protocols in which an application is distributed across nodes in the network
  • H04L67/104—Peer-to-peer [P2P] networks
  • H04L67/1087—Peer-to-peer [P2P] networks using cross-functional networking aspects
  • H04L67/1091—Interfacing with client-server systems or between P2P systems
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L43/00—Arrangements for monitoring or testing data switching networks
  • H04L43/18—Protocol analysers
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
  • H04L41/06—Management of faults, events, alarms or notifications
  • H04L41/0604—Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
  • H04L41/0627—Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time by acting on the notification or alarm source
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
  • H04L65/1066—Session management
  • H04L65/1101—Session protocols
  • H04L65/1104—Session initiation protocol [SIP]
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L67/00—Network arrangements or protocols for supporting network services or applications
  • H04L67/01—Protocols
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L67/00—Network arrangements or protocols for supporting network services or applications
  • H04L67/01—Protocols
  • H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L67/00—Network arrangements or protocols for supporting network services or applications
  • H04L67/50—Network services
  • H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
  • H04L67/61—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources taking into account QoS or priority requirements

Definitions

• the present invention relates to data processing in telecommunications networks, and in particular the recognition of data flow protocols.
• data flow means any set of data exchanged between two network entities, for example between a client and a server, or between two clients (so-called peer-to-peer flows, or P2P).
• flow analyzers can be arranged intercepted in network access points, such as Wi-Fi stations, firewalls or proxy servers for example.
• the configuration of a security system can be based on the recognition of the properties of certain protocols in order to prevent certain types of transfer.
• a data flow analyzer thus provides the firewall with a classification of the data flow based on recognized protocols.
• a traffic analysis system between two entities includes a first network 100 comprising a first entity 11 2 (of the client type for example) connected to a second network 1 10 comprising a second entity 1 1 1 (of the server type for example) by a communication link 120.
• the link 120 is analyzed by an analyzer 300, which measures and analyzes traffic in both directions or in a single direction between the first network 100 and second network 1 10.
• the traffic between networks 100 and 1 10 can be of the order of Gigabit per second, Gbps, in corporate networks, but can reach ten Gbps in the core of 'a network of an operator.
• the amount of data passing through a telecommunications network also makes analysis and classification costly in terms of resources.
• the measurement and analysis capacity of the analyzer 300 is determined by the number N of simultaneous flows and the flow rate T of each flow.
• N directly affects the amount of memory required to manage the context of the recorded streams
• T directly impacts the computing power required to implement the analysis and classification without significant loss of packets and without delaying the stream.
• T defines the quantity of packets to be processed in a given period of time and, thus, the quantity of processing resources which can be allocated to each packet.
• N and T both increase proportionally in existing computer networks.
• patent EP1722509 proposes a hierarchical analysis based on recognition of a protocol which is explicit firstly, and implicitly secondly, if explicit recognition is not possible. .
• Explicit recognition is notably implemented when a layer of given level explicitly indicates the protocol used for the layer of higher level that it encapsulates.
• the Ethernet layer explicitly indicates whether the upper layer is IPv4 or IPv6, and IP indicates whether the upper layer is TCP or UDP.
• IP indicates whether the upper layer is TCP or UDP.
• identifying protocols such as SMTP and HTTP is easier and less resource intensive than identifying a protocol such as Bittorrent, whose data is encrypted.
• the classification of data flows should therefore be optimized by reducing complexity without reducing reliability.
• the present invention improves the situation.
• a grammatical analysis consumes little computing resources and makes it possible to identify most of the protocols which cannot be identified explicitly.
• the signature-based analysis method which consumes more computing resources, is only implemented in the event of grammatical analysis failure, which optimizes the use of resources during implicit identification of a protocol.
• the invention can further comprise, in the event of failure to identify the protocol of the data stream by consulting the signature engine, the application of a statistical method of protocol recognition in order to '' identify the data flow protocol.
• Such a method also consumes computing resources, and is not completely reliable. It is therefore advantageously implemented if the first two methods fail. It also allows to recognize encrypted protocols such as Bittorrent, which cannot be recognized by the two previous methods.
• the identified protocol can be an application level protocol.
• the application level protocols and more generally the protocols of layers 5 to 7 of the OSI model, are not explicitly indicated by the lower level layers, and the method is therefore advantageously applied to them according to this embodiment.
• the method may further comprise a step of identifying protocol data by the application of a simple algorithm switches to contextual elements of the data flow according to the identified protocol.
• Such an algorithm consumes few resources, and thus makes it possible, for a given identified protocol, to differentiate the data that they transport between different types of protocol data.
• the method may further comprise consulting a signature engine matching protocol data with corresponding signatures, and the sequential application of the signatures to the data stream to identify the protocol data of the data stream.
• the signature-based analysis method which consumes more computing resources, is only implemented in the event of grammatical analysis failure, which makes it possible to optimize the use of resources during implicit identification of protocol data.
• the method can further comprise a step of processing the data stream on the basis of the identified protocol of the data stream.
• differential treatment by protocol can be applied.
• processing the data flow can include at least one of the following steps:
• a second aspect of the invention relates to a computer program product comprising instructions for implementing the method according to the first aspect of the invention, when this program is executed by a processor.
• a third aspect of the invention relates to a device for identifying a protocol of a data stream exchanged between two entities of a telecommunications network, the device comprising:
• - a processor configured for:
• FIG. 1 illustrates a general architecture of a system according to an embodiment of the invention
• FIG. 2 is a diagram showing the steps of a treatment method according to an embodiment of the invention.
• FIG. 3 illustrates the structure of a data processing device according to an embodiment of the invention.
• the invention can be implemented in a protocol identification device such as the analyzer 300 illustrated in FIG. 1.
• the identification device will be presented in more detail with reference to FIG. 3.
• FIG. 2 presents the steps of a protocol identification method according to an embodiment of the invention.
• a step 200 one or more packets of a flow are received by the identification device, for example following an interception of the packets by the analyzer 300 on the communication link 200.
• a received data packet can be identified to be associated with an existing stream or to create a new entry in a table listing the current data streams. For example, an IP address (and possibly a port number) of a source entity and an IP address (and possibly a port number) of a recipient entity can be taken into account to identify the flow corresponding to the packet.
• IP address and possibly a port number
• IP address and possibly a port number
• the source or recipient entity can designate either a client or a server.
• the client can be a laptop or desktop computer, a touch pad, a Smartphone or any electronic device comprising an interface making it possible to communicate in the network 100 or 110, such as the Internet for example.
• the two communicating entities can be in two separate networks as illustrated in FIG. 1 or can belong to the same network.
• the lower layer protocols of the data stream can be determined in step 201 by explicit recognition.
• explicit recognition requires little computing power in that the protocol of a layer of a given level can be explicitly indicated by the layer of the level which is directly below it.
• the IPv4 or IPv6 protocol is used from data of the Ethernet layer.
• the IP layer indicates whether the UDP or TCP protocol is used.
• the method according to the invention aims to identify a protocol which is not explicitly signaled by the layers of lower levels. Such identification is therefore implicit. For example, the recognition of a layer protocol from level 5 to 7 of the OSI level, and in particular of level 7 (application), is considered.
• the identification device implements a grammatical analysis of the data of the data stream, contained in the packet or packets of the data stream, with a view to identifying a protocol of the data flow.
• some application-level protocols have a grammar that is easily identifiable by implementing low computing power. This is for example the case of the SMTP and HTTP protocols.
• Such protocols have contextual elements useful for their recognition. For example, they both use a handshake process for establishing the flow.
• Other protocols such as SSL or SIP can also be identified by recognition of their grammar. It should be noted that statistically, 90% of the protocols for applying the flows to be classified can be recognized by using step 203. Using such a recognition method first makes it possible to recognize a large number of protocols with a low computing power.
• step 203 it is checked whether the data flow protocol has been successfully identified by grammar analysis.
• the method may further comprise a step 204 of identifying protocol data by applying a single pass algorithm (“one pass” or “single pass” in English) to contextual elements of the data flow according to the identified protocol.
• the single pass algorithm may depend on the protocol identified.
• the identification of the protocol data can be considered as the identification of an application or sub-application of a layer higher than the layer of the protocol identified in step 203.
• the protocol identified as being HTTP the upper layer sub-application, or protocol data, can be Facebook TM data for example.
• the application of the single pass algorithm can consist of the injection of contextual elements of the flow (for example, for HTTP, the contextual elements can be elements such as the URL, User Agent, etc.) in a rules.
• a flow context element is any header or payload element in the data flow.
• the engine rules can return a set of rules that can be tested on the protocol data identified in step 102 to identify the protocol data. For example, after identifying the HTTP protocol in step 202, the protocol data can be identified as Facebook TM data.
• a step 212 it is checked whether the protocol data have been identified in the step 204 by means of the single pass algorithm. If successful, the process continues with step 205. If it fails, the process proceeds to step 206 described below.
• Steps 204 and 205 are optional and the method can pass directly from step 203 to 205 in the event of positive identification in step 203.
• the method can comprise the application of a step 205 of processing the data stream as a function of the identified protocol, and possibly as a function of the application data.
• the processing of the flow can for example consist in applying a quality of service policy depending on the identified protocol or in authorizing or prohibiting the flow of data on the basis of the identified protocol, or can more generally consist in classifying the flow according to the identified protocol .
• the classification can be transmitted to a processing device external to the protocol identification device.
• the method according to the invention comprises a step 206 of consulting a signature engine matching protocols with corresponding signatures.
• the signatures are applied sequentially to the data flow in order to identify the application level protocol of the data flow. Such a sequential application is more costly in terms of resources, and is therefore advantageously applied only if the grammatical analysis in step 202 fails.
• such a signature search method provides access to half of the 10% of application protocols that could not be identified by the grammatical analysis method (i.e. 5% of the protocols). Although more expensive in computing resources, the search method of signatures nevertheless remains reliable.
• the steps 206 and 207 can also be applied to the protocol data in the event of failure to identify in step 204.
• the protocol data are compared with signatures for their identification.
• a step 208 it is checked whether the data flow protocol has been successfully identified by the signature search method.
• an embodiment of the invention may provide an additional step 209 of applying a statistical protocol recognition method in order to identify the application protocol of the data flow (or the protocol data) .
• a statistical protocol recognition method notably makes it possible to identify encrypted protocols, such as Bittorrent.
• Such a method is costly in computing power (sequential search) and is not completely reliable. However, it makes it possible to identify 1 to 2% of the protocols or protocol data which have not been identified by the methods implemented previously.
• a step 210 it is checked whether the data flow protocol has been successfully identified by the statistical method.
• a predefined processing can be applied in a step 211 in the event of failure. For example, as a precaution, the data flow may be blocked.
• FIG. 3 represents a protocol identification device 301 according to an embodiment of the invention.
• the identification device 301 can be implemented in the analyzer 300 located in interception between the networks 100 and 110 of FIG. 1. More generally, it is capable of receiving data from data streams passing between two network entities.
• the identification device comprises a random access memory 305 and a processor 304, as well as a memory 301 for storing instructions allowing the implementation of the steps of the method described above with reference to FIG. 2.
• the processor can include sub-entities 304.1 to 304.3 respectively dedicated to the three recognition methods described above.
• the memory 301 can also store data used by the processor for the implementation of the method, in particular:
• the identification device 301 further comprises an input interface 302 intended to receive the data of data flow circulating on the communication link 200 or in a given network.
• the identification device 301 further comprises an output interface 303 capable of providing a protocol identification result, or a command determined from the identified protocol.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Business, Economics & Management (AREA)
• General Business, Economics & Management (AREA)
• Multimedia (AREA)
• Computing Systems (AREA)
• Data Exchanges In Wide-Area Networks (AREA)
• Computer And Data Communications (AREA)
• Communication Control (AREA)
• Maintenance And Management Of Digital Transmission (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=65031381

Family Applications (1)

Country Status (7)

Families Citing this family (2)

Family Cites Families (13)

• 2018
  • 2018-07-06 FR FR1856240A patent/FR3083659B1/fr active Active
• 2019
  • 2019-07-05 CA CA3103363A patent/CA3103363A1/fr active Pending
  • 2019-07-05 JP JP2020572750A patent/JP7412363B2/ja active Active
  • 2019-07-05 EP EP19748867.9A patent/EP3818676A1/de active Pending
  • 2019-07-05 WO PCT/FR2019/051682 patent/WO2020008159A1/fr unknown
  • 2019-07-05 KR KR1020207036935A patent/KR20210043498A/ko unknown
• 2020
  • 2020-12-17 US US17/124,724 patent/US11265372B2/en active Active

Also Published As

Similar Documents

Legal Events