KR100869887B1 - Traffic identification system and method with analysis on signature of packets - Google Patents

Abstract

A traffic analyzing system and a method through analysis on signature of packets are provided to analyze the signature of a packet instead of the port number of the packet by using the signature of the payload of packet and analyze the signature of the packet which carries out statistics. A pattern collecting and analyzing part(10) collects and analyzes a packet generated by a analysis object service, extracts the signature of a packet and stores signature location information. A traffic collection part(40) extracts classification the specific number of object packets from the traffic flow generated by a user based on the order of the packet included in the traffic flow. A traffic analysis part(50) classifies the flow into the flow of the analysis object service.

Description

Traffic identification system and method with analysis on signature of packets

1 is a conceptual diagram showing the overall configuration of a traffic analysis system through the signature analysis of the packet according to the present invention.

Figure 2 is a block diagram showing the structure of the packet of the traffic analysis system through the signature analysis of the packet according to the present invention and the packet is stored in a database composed of a flow.

3 is a flowchart illustrating a traffic analysis method through signature analysis of a packet according to the present invention.

※ Explanation of code about main part of drawing ※

1: Internet 10: Pattern Collection and Analysis Department

20: pattern conversion unit 30: database

40: traffic collecting unit 50: traffic analysis unit

60: statistical analysis unit 100: traffic analysis system

200: user PC

The present invention relates to a traffic analysis system and method of the Internet network.

Traffic engineering in an IP network requires an accurate understanding of the nature and changing patterns of traffic flowing through the network. In this case, the traffic engineering is a task of distributing the flow of traffic to each link in order to avoid congestion caused by unbalanced flow of traffic on several links.

In order to accurately understand the properties and changing patterns of the traffic flowing in the network as described above, the packet application classification method for identifying the port number such as TCP / UDP of the application layer protocol that transmitted the packet, which is the basic unit of the traffic, is mainly used. It is used for traffic fluctuations and subscriber usage analysis, and it is used for network operation management such as traffic engineering, link capacity design and supply.

However, due to the complexity of the Internet environment, packet application classifications (eg, 80 port web, 21 port telnet, 4662 port edonkey) are used to identify the port number of the application protocol that sent the packet. As the traffic is diverted by using open ports to avoid firewalls, and the P2P program that can set a random port number appears, the classification accuracy is lowered. There is a problem of becoming unreliable.

Therefore, there is a limitation in classifying traffic using only the port number recorded in the header of the packet used in the packet application classification as described above. Therefore, the payload part of the packet analyzes the characteristics of individual services to analyze the traffic. There is a need to classify.

The present invention has been proposed to solve the problems of the prior art as described above,

Traffic analysis that performs signature classification by deriving signature (signal unique pattern of packet) through analysis of packet payload, away from the conventional method of classifying packet application using port number of header information of user-generated packet It is an object to provide a system and a method thereof.

It is also an object of the present invention to configure the signature in the form of a regular expression that is easy to search.

In addition, an object of the present invention is to reduce the object of the signature search by configuring the user-generated packet as a flow that is a packet aggregate that satisfies a specific condition.

In addition, an object of the present invention is to improve the accuracy of the classification in parallel with the application classification by the port number even if the application classification by the signature fails.

Traffic analysis system through the signature analysis of the packet according to the present invention for achieving the above object
A pattern collection and analysis unit which collects and analyzes generated packets for each analysis target service to derive a signature of the packet and stores the signature and the signature location information;
A traffic collecting unit for extracting a predetermined number of classified packets based on the order of packets included in the traffic flow from the traffic flow generated by the user;

The signature is searched for at a specific position of the payload of the packet to be classified using the signature position information. When the signature is found at the payload of the packet to be classified, the analysis object is included in the flow. It is characterized by including a traffic analysis unit for classifying the flow of services.

delete

delete

The signature may be a specific string included in a payload of a packet of an individual analysis target service, and the signature may be length information of a specific packet included in a payload of a packet of an individual analysis target service, and the signature may be an individual service. It may also be a message (keyword) used when transmitting and receiving a packet included in the payload of the packet.

The traffic analysis system may further include a pattern conversion unit for converting a signature into a regular expression form and constructing it in a database so that the traffic analysis unit can search for the presence of a signature in a packet to be classified using a regular expression.

The regular expression may be a combination of an identifier and a signature representing any one or more of the quantity, location, or type of the signature.

On the other hand, the traffic analysis system may further include a statistical analysis unit for analyzing and statistics the user-generated packets for each analysis target service classified by the traffic analysis unit.

Meanwhile, the packet to be classified may be a predetermined number of packets selected as samples from among flows generated by merging when a specific condition among packets generated by a user is satisfied.

In this flow, the classification target packet is characterized in that about 10 or so.

On the other hand, the traffic analysis method using the traffic analysis system through the signature analysis of the packet of the present invention as described above
a) deriving the signature of the packet by collecting and analyzing the generated packets for each service to be analyzed using the pattern collecting and analyzing unit;
b) extracting a predetermined number of classified packets based on the order of packets included in the traffic flow from the traffic flow generated by the user using the traffic collecting unit; and

c) search for the signature at a specific position of the payload of the packet to be classified using the signature location information using the traffic analysis unit; and if the signature is found in the payload of the packet to be classified, the flow is detected. Characterized in that it comprises the step of classifying the flow of the analysis target service containing the signature.

delete

delete

The traffic analysis system further includes the step of converting the signature of the generated packet for each analysis target service derived from the pattern collecting and analyzing unit into a regular expression form by using the pattern converting unit in b) and constructing it in a database. In the step, the traffic analysis unit may enable the search for the presence of a signature in the packet to be classified using a regular expression.

And c)) re-applying the classification of the packet to be classified using the port number of the packet to be classified if the signature of the packet generated by the analysis service is not detected in the packet to be classified in c). It may further include.

On the other hand, the traffic analysis system may further include the step of analyzing and statistically analyzing the user-generated packet for each analysis target service classified by the traffic analysis unit using the statistical analysis unit.

When the classified packet is classified as a packet of the corresponding analysis target service, the traffic analysis system constructs all header information, payload, and additional information of the classified packet in a database, and causes a statistical analyzer to use the additional information. And it may further include the step e) to be reflected in the statistical information.

The traffic analysis system collects packets from the traffic collecting unit in b), configures packets satisfying a specific condition among the collected packets into flows, and classifies a predetermined number of packets selected as samples among the flows. B ') may be additionally included.

First, a packet, which is a term consistently used in the present invention, will be briefly described with reference to FIG. 2. The packet is a smallest structural unit generating traffic, and includes a header and a payload.

Herein, the information included in the header is composed of a source address, a destination address, a source port, a destination port, and a protocol.

And the payload is a portion that contains the actual data of the packet.

In this case, when collecting packets through the packet analysis and collection unit to be described later, the total number of packets, the traffic amount, the packet direction, and the like may be configured as additional information and constructed in the database as shown in FIG. 2.

The flow refers to a collection of packets having the same source and destination addresses, the same source and destination ports, the same protocol, and the same range of capture time, among the header information of the plurality of collected packets.

In more detail, the flow of millions of packets is transmitted in a few seconds even on a 1 Gbps link in an IP network. Therefore, searching and analyzing all of the millions of individual packets may be difficult in terms of system performance.

Therefore, the same source and destination addresses, the same source and destination ports, and the same protocol are used in the header information among the plurality of packets, but the last time is based on the capture time recorded when the packet is collected by the traffic analysis and collection unit described later. A packet that arrives after a packet will generate a set of packets in a flow within 30 seconds.

Here, the reference capture time in the flow can be easily changed to any time by those skilled in the art even if it is not necessarily 30 seconds, even if a packet generated within the reference capture time by setting a separate active timeout, a predetermined time, that is, 30 minutes, The collected packet can be excluded from the packet of the flow.

Application classification refers to classifying a specific packet as a packet of a corresponding service.

The search used in the present invention is a concept including both a case where a search word is included in a part of a search word and a case that means a perfect match between the search word and the search word.

Hereinafter, a detailed configuration of the present invention will be described with reference to the accompanying drawings.

1 is a conceptual diagram illustrating the overall configuration of a traffic analysis system 100 through signature analysis of a packet according to the present invention.

As shown in FIG. 1, the traffic analysis system 100 (hereinafter, referred to as a 'traffic analysis system' in the detailed description of the present invention) through signature analysis of a packet according to the present invention is basically a pattern collecting and analyzing unit 10. ), A pattern converter 20, a database 30, a traffic collector 40, a traffic analyzer 50, and a statistical analyzer 60 are provided.

The pattern collecting and analyzing unit 10 collects packets for each Internet service and analyzes pattern information of payloads of the collected packets.

Here, the Internet (1) service refers to the web, web hard, P2P, streaming, management, messenger, etc. that can be reflected in the statistics by analyzing the packet in the Internet, hereinafter referred to as 'analysis target service' in the specification of the present invention. do.

Here, the pattern collection and analysis unit 10 runs a packet capturing program in the user's personal computer (PC) 200 to collect generated packets for each service to be analyzed, and then analyzes P2P for example, edonkey, sound sea, and the like. By actually executing and using the service, the packet capture program captures and collects packets generated from the target service.

The collected packet of the analysis target service includes information such as packet pattern information (payload information, length information, location information), port number, system IP address, and signature by analyzing the analysis scenario in a manner that constitutes an analysis scenario. Column results.

The analysis scenario is a variety of functions (for example, file download, detailed search, and webpage) after the first execution of the analysis target service (visiting and logging into the homepage of the analysis target service) to collect and analyze various packets generated by the analysis target service. Click on the keyboard).

As a result, the packet analysis generated by the analysis scenario may derive a signature of a packet distinguished from other analysis services.

The signature derived as above

1) It may be a specific string included in the payload of a packet of a specific analysis target service.

For example, in the case of the packet of BITTORRENT, a peer-to-peer file sharing program, the first string of the TCP payload includes a specific string called BITTORRENT PROTOCOL consisting of 19 bytes.

Therefore, the signature of the BITTORRENT packet consists of a specific string called BITTORRENT PROTOCOL. If the packet contains the string BITTORRENT PROTOCOL, this packet can be classified as an BITTORRENT service.

Meanwhile, the signature may be 2) length information of a packet included in a payload of a packet of an individual analysis target service.

For example, a packet of a program called edonkey includes an identifier of 1 byte and packet length information represented by 4 bytes.

Therefore, the signature of edonkey is based on the packet length information including the length of the remaining packets except for 5 bytes (packet length information + identifier) including the length of 4 bytes and the length of 1 byte in the total packet length. Application analysis can be classified by using the method of confirming that the packet length matches the indicated packet.

Finally, the signature may consist of a control message (keyword) included in the payload of the packet of the analysis target service or a combination thereof.

For example, Gnutella, a distributed P2P protocol, uses a protocol similar to HTTP. Therefore, the application classification of the service can be performed by retrieving the messages (keywords) of the control message used for the TCP connection included in the payload.

In the case of the control message of Gnutella as described above, the request message for the TCP connection is CONNECT <protocol version string> / n / n, and the response message for the TCP connection is Gnutella ok / n / n. The initial request message for file download is GET / get / <file index> / <file name>, and the HTTP response header for the reply message is HTTP 200 OK / r / n.

Therefore, the control message (keyword) or a combination of control messages (keyword) becomes the signature of Gnutell.

As described above, the signature of the packet of the analysis target service collected and analyzed by the pattern collecting and analyzing unit 10 may be variable in the location of the packet, and in this case, the signature may be difficult to specify.

Accordingly, the pattern conversion unit 20 converts the signature of the generated packet for each analysis target service derived from the pattern collection and analysis unit into a regular expression form and constructs it in a database.

Here, the regular expression can be easily obtained through a known technical idea of expressing a set or character string of a specific character by using a symbol.

The regular expression is composed of a combination of one or more identifiers and signatures representing the quantity, location and type of the signature, and is used as a kind of search expression for determining whether the signature exists in a user-generated packet.

Here, the signature class refers to specifying a range of possible characters instead of specifying each character one by one. For example, if you want to match any character between j and z, you can use brackets to specify the range of j-z.

For example, the identifier of the regular expression as described above is as follows.

^: Mark the beginning of a line or the beginning of a string. For example, if you include aaa at the beginning of the string, ^ aaa will be searched, otherwise it will not be searched.

. : Display one random character. For example, ^ a.c will be searched if you include abc, adc at the beginning of the string, and not aa.

$: Mark end of line or end of string. For example, aaa $ would be searched if you included aaa at the end of the string, and not aaa.

When the signature is configured as a regular expression using the above identifier, it is as follows.

The regular expression in BitTorrent described earlier

BitTorrent: becomes ^ \ x13bittorrent protocol,

Gnutella's regular expression is ^ (gnd [\ x01 \ x02]?.?.? \ X01 | gnutella connect / [012] \. [0-9] \ x0d \ x0a | get / urires / n2r \? Urn: sha1: get /.*user-agent: (gtkgnutella | bearshare | mactella | gnucleus | gnotella | limewire | imesh) | get /.*content-type:application/x-gnutella-packets|giv [0-9] *: [ 0-9a-f] * / | queue [0-9a-f] * [1-9] [0-9]? [0-9]? \. [1-9] [0-9]? [0 -9]? \. [1-9] [0-9]? [0-9]? \. [1-9] [0-9]? [0-9]?: [1-9] [0 -9]? [0-9]? [0-9]? | Gnutella. * Content-type: application / x-gnutella | .................. lime) Becomes

As described above, since a variety of identifiers are combined with the signature to constitute a regular expression, a detailed description thereof will be omitted.

As described above, when the signature for the generated packet is analyzed for each service to be analyzed by the pattern conversion unit 20 and constructed in the database 30 by a regular expression, the preprocessing for traffic analysis of the present invention is finished.

Meanwhile, a traffic collector 40 is provided to collect and analyze the classification target packet generated by the user in real time.

The traffic collecting unit 40 is implemented by using a tap or mirroring device, which is a known technique for copying and collecting traffic generated in real time without influence of communication.

Here, as described in the terminology of the specification of the present invention, the traffic collection unit 40 of the present invention is a packet generated by a separate flow generation unit (not shown) in accordance with a specific condition of the collected packets The application classification to the corresponding service of the present invention is performed through a predetermined number of classification target packets selected as samples in the flow of the aggregate chain.

This method analyzes the payload information of a certain number of classified packets by analyzing whether the number of packets in the flow is analyzed by the experiment to determine whether the system is effective in performance. This is specified by the payload information of the flow.

At this time, the classification target packet is usually composed of about 10 in the flow, which has the advantage of increasing the ratio of the application classification by reducing the unclassified packet if the number of packets too many patterns to be described later, but it takes a lot of system resources and time Since there is a problem, it is preferable to select about 10 classification target packets in one flow, but the number of analysis target packets can be applied in various numbers according to the design of the analysis system.

In general, signatures mainly exist in the payload of a packet in front of the flow, and thus, the packet to be classified mainly analyzes the packet in front of the flow, and analyzes the packet mainly in the case where the front packet is smaller than the minimum byte. In addition, 10 packets are searched in order based on the packet with payload except the packet existing only in the header.

Subsequently, when the traffic collecting unit 40 collects a user-generated classification target packet in the flow configured as described above, the classification target packet starts a corresponding application classification through a pattern search for a payload.

The classification target packet through the pattern search as described above includes a traffic analysis unit 50 for application classification.

The traffic analysis unit 50 searches whether the signature of the packet generated by the analysis target service exists in the payload of the classification target packet generated by the user using a regular expression of the signature for each analysis target service built in the database 30. Pattern search will be performed.

The pattern search with the signature and regular expression is preferably implemented using the RegEx library, which is a well-known technique, and thus detailed description thereof will be omitted.

 According to the pattern search of the traffic analysis unit 50 as described above, if the signature of the generated packet for each analysis service is detected in the payload of the packet to be classified, the corresponding packet to be classified belongs to the service to be analyzed, and the corresponding analysis object The application is classified as a service.

However, if the signature of the packet generated by the analysis service is not detected in the packet to be classified, the packet to be classified is analyzed again using the port number recorded in the header of the packet to be classified.

Here, the well-known port whose port number recorded in the header of the classification packet is known is assigned only to a limited famous application, and the general application cannot be assigned a well-known port. Therefore, in the case of the well-known port number, the classified target packet is classified as an application packet to the corresponding analysis target service. If the port number recorded in the header is not the well-known port number, the classified packet is specified as unclassified traffic.

When the application classification of the packet to be classified is successful as described above, the traffic analyzer analyzes the header information, the payload of the packet to be classified successfully, and the total number of packets and the traffic volume recorded when the packet is collected by the packet collection and analysis unit. , Packet direction, etc. are configured as additional information, and all of them are constructed in a database so that the statistical analysis unit described later can be reflected in the statistical information for each classification using the additional information.

On the other hand, the traffic analysis unit 50 is provided with a statistical analysis unit 60 for analyzing and statistically generating the packet generated by the analysis target service generated by the user.

The statistical analysis unit 60 uses the header information, payload and additional information of the packet whose application classification is successful, and statistics for each service (packet number, packet direction, traffic volume, port usage statistics), and service group statistics. It provides data such as P2P service series, web hard service series, and messenger series.

A traffic analysis method through pattern classification and analysis of a packet according to the present invention using the traffic analysis system as described above will be described with reference to FIG. 3.

First, by using the pattern collecting and analyzing unit 10 to collect the packet generated by the Internet analysis target service (S100), and to analyze the signature of the packet to derive (S102), using the pattern converter 20 to collect the pattern And the signature of the packet generated by the analysis target service derived from the analysis unit 10 is converted into a regular expression form (S104) is built in the database 30.

Next, the user collects and analyzes the packet generated by the user using the traffic collecting unit 40 (S106), determines whether the packet belongs to the already generated flow (S108), and generates a flow if it does not belong to the already generated flow. (S110), the matching with the signature is performed on the packet to be classified of the flow.

If the packet belongs to a flow that has already been generated in step S108, matching with a signature is performed on the packet to be classified in the flow.

If there is a pattern matching the search result between the classification target packet and the signature in step (S112), the corresponding flow classifies the application to a specific analysis target service (S116) and checks the end of the flow (S118).

However, if there is no pattern matching the search result between the classification target packet and the signature in step S112, the pattern search of the flow is terminated and the flow end check is performed (S118).

Next, the flow checks whether the end-checked flow is the application classification flow (S120), and if the flow is not the application classification, rescans using the port number (S122), and the port number of the packet to be classified is classified. It is determined whether or not the well-known port number (S124), if the determination result is the well-known port number, the application is classified as the analysis target service (S126), and if not the well-known port number, the flow is set to unclassified. (S125)

However, in the case of the flow of application classification in the step (S120) immediately ends.

Finally, the statistical analysis unit 60 may be reflected in the statistical information for each classification by using the header information, payload, and additional information of the packet to be classified in the database. Analyzes and statistics.

As mentioned above, although the present invention has been described by means of a limited configuration and drawings, the technical idea of the present invention is not limited to the above, and by those skilled in the art to which the present invention pertains, Various modifications and variations may be made without departing from the scope of the appended claims.

According to the present invention by the above configuration,

The present invention collects and analyzes generated packets for each analysis target service to derive a signature of the packet, and when the signature is retrieved from the payload of the classification target packet generated by the user, the classified packets are retrieved in real time. The application is classified into packets.

Therefore, when classifying an application by packet number using a conventional port number, unclassified traffic occupies 19.7% of the total traffic. However, when the application classification is performed using the signature of the packet of the present invention, the ratio is reduced to 11%. By classifying P2P and web hard traffic that could not be classified by number, it is possible to classify traffic with high accuracy.

In addition, the present invention performs a pattern search with a user-generated classification target packet through a regular expression consisting of a combination of the signature and the identifier indicating the number, location and type of the signature of the occurrence packet of the analysis target service.

Accordingly, the signature can be searched at a faster speed until the signature is placed at a fixed position in the payload and at a variable position, thereby enabling quick measurement of traffic without burdening the system. It can be effective.

In addition, the system classifies the application by selecting only a certain number of packets selected as samples from among flows generated by merging when the user meets a specific condition among the packets generated by the user, as a classification target packet. It is possible to exert the effect of making a quick traffic measurement without the need.

In addition, the present invention, if the signature search result, the signature of the packet generated by the analysis target service does not exist in the packet to be classified, the application is again performed using the port number included in the header information of the packet to be classified again, The effect can double the accuracy of the classification.

Claims (14)

A pattern collection and analysis unit for collecting the generated packets for each analysis target service and deriving signatures of the packets to store the signatures and the signature location information; A traffic collecting unit for extracting a predetermined number of classification target packets based on the order of packets included in the traffic flow from the traffic flow generated by the user; And The signature is searched for at a specific position of the payload of the packet to be classified using the signature position information. When the signature is found at the payload of the packet to be classified, the analysis object is included in the flow. Traffic analysis system through the signature analysis of the packet comprising a traffic analysis unit for classifying the flow of the service. The method of claim 1, The signature is a traffic analysis system through the signature analysis of the packet, characterized in that the specific string included in the payload of the packet of the individual analysis target service. The method of claim 1, The signature is a traffic analysis system through the signature analysis of the packet, characterized in that the length information of the packet included in the payload of the packet of the individual analysis target service. The method of claim 1, The signature is a traffic analysis system through the signature analysis of the packet, characterized in that the control message used when transmitting and receiving the packet included in the payload of the packet of the individual service. The method according to any one of claims 1 to 4, By converting the signature into a regular expression form and building in a database, the signature analysis of the packet further comprises a pattern conversion unit for allowing the traffic analysis unit to search for the presence of the signature in the packet to be classified using the regular expression. Traffic analysis system. The method of claim 5, The regular expression is a traffic analysis system through the signature analysis of the packet, characterized in that the combination of the signature and the identifier indicating any one or more of the quantity, location or type of the signature. The method of claim 1, Traffic analysis system through the signature analysis of the packet characterized in that it further comprises a statistical analysis unit for analyzing and statistically analyzing the user-generated packets for each analysis service classified by the traffic analysis unit. The method of claim 1, The classification target packet is determined as a predetermined first packet from the first packet among the packets included in the traffic flow. Traffic analysis system through signature analysis of packets. a) deriving a signature of a packet by collecting and analyzing generated packets for each service to be analyzed using the pattern collecting and analyzing unit; b) extracting a predetermined number of classification packets based on the order of packets included in the traffic flow from the traffic flow generated by the user using the traffic collecting unit; And c) search for the signature at a specific position of the payload of the packet to be classified using the signature location information using the traffic analysis unit; and if the signature is found in the payload of the packet to be classified, the flow is detected. Classifying the signature into a flow of an analysis target service including the signature; and analyzing the traffic of the packet through the signature analysis. The method of claim 9, In a) a ') converting the signature of the generated packet for each analysis target service derived from the pattern collecting and analyzing unit into a regular expression using a pattern converting unit, and constructing the signature in a database; Traffic analysis method through the signature analysis of the packet, characterized in that to enable the search for the presence of the signature in the packet to be classified using a regular expression. The method of claim 9 or 10, c ') searching for the signature at a specific position of the payload of the packet to be classified in step c), if the signature is not found in the payload of the packet to be classified, using the port number of the packet to be classified; Traffic analysis method through the signature analysis of the packet further comprising the step of re-executing the application classification of the packet to be classified. The method of claim 9, d) traffic analysis method through the signature analysis of the packet, characterized in that it further comprises the step of analyzing the user-generated packet for each analysis target service classified by the traffic analysis unit using a statistical analysis unit. The method of claim 9 or 10, e) When the classified packet is classified as a packet of the corresponding analysis target service, all header information, payload, and additional information of the classified packet are constructed in a database, and the statistical analysis unit uses the additional information to provide statistical information. Traffic analysis method through the signature analysis of the packet, characterized in that it further comprises the step of reflecting. The method of claim 9, In b) The classification target packet is determined as a predetermined first packet from the first packet among the packets included in the traffic flow. Traffic analysis method through signature analysis of packets.

Images