KR101605187B1 - Apparatus and method for collecting unknown traffic flow to analysis application traffic - Google Patents
Apparatus and method for collecting unknown traffic flow to analysis application traffic Download PDFInfo
- Publication number
- KR101605187B1 (application KR1020150061909A)
- Authority
- KR
- South Korea
- Prior art keywords
- traffic
- unknown
- service
- information
- unit
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0805—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/02—Capturing of monitoring data
- H04L43/026—Capturing of monitoring data using flow identification
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Environmental & Geological Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
BACKGROUND OF THE
As the number of Internet users grows, high-speed networks spread and smart mobile devices become commonplace, network traffic is increasing rapidly. At the same time, alongside Internet services built on standard protocols, services using non-standard protocols, such as live streaming (broadcast and sports relays), peer-to-peer and games, are increasingly used, mixed with one another, or combined in ways that generate large volumes of Internet traffic. The life cycle of an Internet service (appearance, change, disappearance) is also accelerating. As traffic grows, monitoring and analysis based on identifying the application service behind Internet traffic become more important for effective network management and security.
To identify the application behind traffic, a traffic analysis system analyzes Internet traffic using application identification signatures that characterize each application service's traffic. An application identification signature is a pattern in the traffic that is unique to a given application; by matching it, the application program that generated the traffic can be inferred and identified.
A traffic analysis system for effective network management must guarantee a certain level of application identification and high analysis performance for Internet traffic. However, the rapid appearance of new types of Internet service, and the growing volume of unclassified (non-classified) traffic caused by changes to existing services, make it difficult to provide and maintain that analysis performance. In particular, to extract an application identification signature for a new Internet service and apply it, the traffic generated when the new service is used must be collected and analyzed on the basis of the flows between the server and the terminal. However, Team) of the user. Korean Patent Laid-Open Publication No. 10-2013-0054511 discloses a method for a network analysis problem, but it does not solve the problem of unknown traffic; it merely decides whether to keep or delete a signature according to the signature's usefulness.
The problem addressed by the present invention is to provide an unknown traffic flow collecting device and collecting method that collect and classify unclassified traffic, so as to improve analysis performance in the traffic analysis process and to respond quickly to traffic from new Internet services.
The unknown traffic flow collecting device for application traffic analysis according to the present invention comprises: a traffic analysis unit, which extracts flow information from the unknown portion of Internet service traffic, identifies the terminals using an unknown service from the unknown service information it receives, and classifies and delivers those packets exchanged between the unknown service using terminals and the unknown service server that do not match any previously stored application identification signature; an unknown traffic management unit, which extracts from the flow information the unknown service information (the service providing the unknown traffic) and delivers it to the traffic analysis unit; an unknown traffic collecting unit, which collects, from the unknown traffic received from the traffic analysis unit, only those unknown traffic packets generated by a predetermined number or more of user terminals; an unknown traffic storing unit, which generates and stores a traffic packet file for each unknown service using terminal from the packets collected by the unknown traffic collecting unit; and a known traffic statistics unit, which manages statistics of known flows based on the flow information received from the traffic analysis unit.
The unknown traffic collecting unit collects unknown traffic packets of an unknown service using terminal until the unknown service collection policy received from the unknown traffic management unit is satisfied. The traffic analysis unit distinguishes well-known service traffic from unknown traffic among the many kinds of Internet service traffic by means of the previously stored application identification signatures.
The unknown traffic flow collection method for application traffic analysis according to the present invention extracts flow information from the unknown portion of Internet service traffic and extracts unknown service information from that flow information. Next, information on the unknown service using terminals connected to the destination address contained in the extracted unknown service information is extracted. Once the unknown service information and the unknown service using terminal information have been extracted, the one or more unknown traffic packets exchanged between the unknown service server and the unknown service using terminals that do not match any stored application identification signature are classified. The traffic packet generation unit then collects, among the classified unknown traffic packets, those generated in common by a predetermined number or more of user terminals, and generates and stores a traffic packet file for each unknown service using terminal.
The unknown traffic flow collecting device and collecting method for application traffic analysis according to the present invention can be expected to improve the ability of the traffic analysis process to respond to new Internet services and to changes in service methods, by automatically collecting and storing unclassified traffic. By collecting and storing the application service traffic packets that are indispensable for signature extraction in units of flows, grouped by the common attribute of server and terminal, the invention can also be expected to improve the accuracy of application identification signature extraction. In addition, when linked with automatic signature extraction technology, the invention can serve as a core technology for the automatic collection, analysis and application of traffic from new Internet servers in the traffic analysis process.
FIG. 1 is a block diagram illustrating an example of a traffic analysis system using an unknown traffic
FIG. 2 is a block diagram showing an embodiment of an unknown traffic
FIG. 3 is a view for explaining a traffic classification process of an unknown traffic
FIG. 4 is a diagram illustrating an example of an unknown service collection policy of an unknown traffic
FIG. 5 is a flowchart illustrating an unknown traffic flow collection process of an unknown traffic
FIG. 6 is a flowchart illustrating an unknown traffic flow collection method for application traffic analysis according to an embodiment of the present invention.
Hereinafter, embodiments of the present invention are described in detail with reference to the accompanying drawings. The terms and words used in this specification are chosen with the functions in the embodiments in mind, and their meaning may vary with the intention of the inventor or with custom. Terms used in the following embodiments therefore follow their definitions where this specification specifically defines them and, unless otherwise specified, are to be construed in the sense generally recognized by those skilled in the art.
FIG. 1 is a block diagram illustrating an example of a traffic analysis system using an unknown traffic
Referring to FIG. 1, service providing models using the Internet include P2P (peer to peer), GRID and client/server models, and every Internet service model necessarily includes one or more Internet servers. To collect the traffic that occurs between the two ends, unknown traffic is collected and stored so that it can be used to create a signature that identifies the new service. Traffic generated through Internet services can be divided into well-known traffic and unknown traffic. Known traffic is confirmed service traffic: the type of Internet service, that is, the kind of service and its provider, can be confirmed. Unknown traffic is the traffic of Internet service applications that cannot be identified by the existing signatures, that is, new Internet services and services whose traffic structure has changed.
The unknown traffic
FIG. 2 is a block diagram showing an embodiment of an unknown traffic
2, an unknown traffic
The
When receiving an unknown service packet collection request from the unknown
The
The unknown
Also, the unknown
The unknown
Through this process, the reliability of the collected unknown traffic is increased and unnecessary work is reduced, because traffic generated by only a small number of specific terminals is excluded and only traffic generated in common by a predetermined number or more of user terminals is collected. The unknown
The unknown
The unknown
FIG. 3 is a view for explaining a traffic classification process of an unknown traffic
3, the
In FIG. 3, the
FIG. 4 is a diagram illustrating an example of an unknown service collection policy of an unknown traffic
4, the unknown
The unknown service collection policy may include the components shown in Table 1. The unknown service collection policy is a set of conditions configured in advance by the user and transmitted to the unknown
FIG. 5 is a flowchart illustrating an unknown traffic flow collection process of an unknown traffic
5, the unknown traffic flow collection process of the unknown traffic
First, the
When receiving an unknown service packet collection request from the
Next, the unknown
However, when requesting the unknown service packet collection request to all unknown service addresses, the
When receiving an unknown service packet collection request based on an unknown service address (dIP) from the unknown
In other words, the
Next, the unknown
The unknown
FIG. 6 is a flowchart illustrating an unknown traffic flow collection method for application traffic analysis according to an embodiment of the present invention.
Referring to FIG. 6, an unknown traffic flow collection method for analyzing application traffic using an unknown traffic flow collection apparatus for application traffic analysis according to an embodiment of the present invention includes a
When flow information has been extracted from the unknown traffic, unknown service information is extracted from it (S603). The unknown service information includes the unknown service address, which is the destination IP of the unknown traffic sent by the user terminal. Next, information on the user terminals connected to the unknown Internet service is extracted from the unknown service information (S604). Once the terminals using the unknown Internet service are known, the traffic between those terminals and the unknown service address is compared against the stored application identification signatures; traffic that matches a signature is excluded, and only traffic that matches none is classified as unknown traffic (S605). Then, among the filtered unknown traffic, the packets generated in common by a predetermined number or more of user terminals are collected (S606). Finally, a flow is generated for each user terminal and unknown service server from the collected unknown traffic, and it is stored as an unknown traffic flow file in a network packet capture file format such as PCAP (S607).
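As an added example (not code from the patent or its applicant), the following Python models steps S601 to S607 together with the collection policy described earlier: packets are split into known and unknown by signature match, the unknown service address is the destination IP, the set of source IPs per destination is the set of terminals using that service, only services shared by at least a threshold number of terminals are collected, and each (terminal, service) flow is serialised into a pcap file. The sample packet records, the two payload-prefix signatures, the policy fields min_terminals and max_packets_per_terminal, the link type choice and all function names are assumptions for illustration; the patent's Table 1 policy components and its signature format are not given on this page.

```python
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample traffic (assumption, not data from the patent):
# (src_ip, dst_ip, src_port, dst_port, ip_proto, payload)
SAMPLE_PACKETS = [
    ("10.0.0.1", "203.0.113.10", 51000, 80, 6, b"GET /index.html HTTP/1.1\r\n"),
    ("10.0.0.2", "203.0.113.10", 51001, 80, 6, b"GET /a HTTP/1.1\r\n"),
    ("10.0.0.1", "198.51.100.7", 52000, 7788, 6, b"\x13NEWSVC\x00\x01"),
    ("10.0.0.2", "198.51.100.7", 52001, 7788, 6, b"\x13NEWSVC\x00\x02"),
    ("10.0.0.3", "198.51.100.7", 52002, 7788, 6, b"\x13NEWSVC\x00\x03"),
    ("10.0.0.9", "192.0.2.55", 53000, 9999, 17, b"\xde\xad\xbe\xef"),
]

# Hypothetical application identification signatures: payload prefixes per app.
SIGNATURES = {
    "http": (b"GET ", b"POST ", b"HTTP/1."),
    "tls": (b"\x16\x03",),
}

LINKTYPE_IPV4 = 228  # pcap link type for raw IPv4 packets (no Ethernet header)


@dataclass
class CollectionPolicy:
    """Hypothetical unknown service collection policy (the patent's Table 1 is not on this page)."""
    min_terminals: int = 2               # collect a service only if this many distinct terminals use it
    max_packets_per_terminal: int = 100  # stop collecting a (terminal, service) pair after this many packets


def match_signature(payload: bytes):
    """Return the application whose signature matches the payload, or None (unknown)."""
    for app, prefixes in SIGNATURES.items():
        if any(payload.startswith(p) for p in prefixes):
            return app
    return None


def classify(packets):
    """S601-S602: split traffic into known and unknown by signature match."""
    known, unknown = [], []
    for pkt in packets:
        (known if match_signature(pkt[5]) else unknown).append(pkt)
    return known, unknown


def terminals_per_service(unknown):
    """S603-S604: unknown service address = destination IP; its terminals = set of source IPs."""
    terminals = defaultdict(set)
    for src_ip, dst_ip, *_ in unknown:
        terminals[dst_ip].add(src_ip)
    return terminals


def collect(packets, policy: CollectionPolicy):
    """S605-S606: keep unknown traffic only for services used by >= min_terminals terminals.
    Returns {(terminal_ip, service_ip): [packets]}, one entry per flow to be stored."""
    _, unknown = classify(packets)
    terminals = terminals_per_service(unknown)
    selected = {svc for svc, t in terminals.items() if len(t) >= policy.min_terminals}
    per_terminal = defaultdict(list)
    for pkt in unknown:
        key = (pkt[0], pkt[1])
        if pkt[1] in selected and len(per_terminal[key]) < policy.max_packets_per_terminal:
            per_terminal[key].append(pkt)
    return dict(per_terminal)


def _ipv4_frame(pkt):
    """Rebuild a minimal IPv4 + TCP/UDP packet from the record; checksums are left zero."""
    src_ip, dst_ip, sport, dport, proto, payload = pkt
    if proto == 6:   # TCP: data offset 5 words, flags PSH|ACK, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:            # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + l4 + payload


def to_pcap(packets, start_ts=0):
    """S607: serialise one terminal's flow into the classic pcap file format (24-byte global
    header, then a 16-byte record header before each packet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IPV4)
    for i, pkt in enumerate(packets):
        frame = _ipv4_frame(pkt)
        out += struct.pack("<IIII", start_ts + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    files = collect(SAMPLE_PACKETS, CollectionPolicy())
    for (terminal, service), pkts in sorted(files.items()):
        print(f"{terminal} -> {service}: {len(pkts)} packet(s), {len(to_pcap(pkts))} pcap bytes")
```

With the sample input, the HTTP flows are known and dropped, the UDP flow to 192.0.2.55 is unknown but seen from only one terminal and is therefore excluded, and the three terminals talking to 198.51.100.7 each get their own pcap-formatted flow. The terminal threshold is what keeps a single noisy host from polluting the signature-extraction corpus; the per-terminal packet cap bounds storage for a long-lived unknown service.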
The present invention, including the contents described above, can be written as a computer program, and the code and code segments constituting the program can readily be deduced by a programmer in the field. The program can be stored on a computer-readable recording medium or information storage medium and read and executed by a computer to implement the method of the present invention. The recording medium includes all types of computer-readable recording media.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but, on the contrary, It is possible.
100: unknown traffic flow collecting device for application traffic analysis
110: traffic analysis unit
120: unknown traffic management unit
130: unknown traffic collecting unit
140: unknown traffic storing unit
150: known traffic statistics unit
Claims (10)
An unknown traffic manager for extracting service information for providing unknown service traffic based on the flow information received from the traffic analyzer and delivering an unknown service address of the extracted unknown service information to the traffic analyzer; And
An unknown traffic collecting unit for collecting unknown traffic packets only for unknown service addresses commonly generated by a predetermined number or more of user terminals among a plurality of unknown traffic packets received from the traffic analyzing unit;
Wherein the unknown traffic management unit extracts a packet of the unknown traffic and overlays the packet based on the destination address.
An unknown traffic storage unit for generating and storing a traffic packet file for each unknown service using terminal by collecting unknown traffic packets collected by the unknown traffic collecting unit;
Further comprising: an unknown traffic flow collecting unit for analyzing application traffic.
The unknown traffic collecting unit,
And collects unknown traffic packets of the unknown service using terminal until the unknown service collection policy received from the unknown traffic management unit is satisfied.
Wherein the traffic analyzer identifies well-known service traffic and unknown traffic among a plurality of Internet service traffic through a previously stored application identification signature.
Wherein the traffic analysis unit includes at least two traffic analysis engines for receiving a plurality of lines and processing a plurality of analyzes in parallel.
The unknown traffic management unit
And the statistics of unknown flows are managed based on the flow information received from the traffic analyzing unit.
Extracting unknown service information from the extracted flow information;
Extracting unknown service use terminal information connected to an unknown service address included in the extracted unknown service information;
Classifying an unknown traffic packet that does not match an already stored application identification signature among an unknown service address included in the unknown service information and one or more unknown traffic between unknown service using terminals; And
Collecting only unknown traffic packets for unknown service addresses that are common to a predetermined number or more of user terminals among a plurality of classified unknown traffic packets;
Wherein the step of classifying packets of the unknown traffic comprises extracting packets of the unknown traffic and overlaying the packets based on a destination address of the unknown IP service.
The step of extracting the flow information from the unknown traffic of the Internet service traffic includes:
Comparing the received Internet service traffic with pre-stored application identification signatures to classify them into known traffic and unknown traffic; And
Extracting flow information from the unknown traffic;
The method comprising the steps of: (a)
A step of generating and storing a traffic packet file for each unknown service using terminal by collecting unknown traffic packets collected by the unknown traffic collecting unit
The method comprising the steps of: (a) receiving traffic flow information from a user;
The step of collecting the unknown traffic packet
And collecting unknown traffic packets of the unknown service using terminal until the unknown service collection policy is satisfied.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150061909A KR101605187B1 (en) | 2015-04-30 | 2015-04-30 | Apparatus and method for collecting unknown traffic flow to analysis application traffic |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150061909A KR101605187B1 (en) | 2015-04-30 | 2015-04-30 | Apparatus and method for collecting unknown traffic flow to analysis application traffic |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101605187B1 true KR101605187B1 (en) | 2016-03-21 |
Family
ID=55651161
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150061909A KR101605187B1 (en) | 2015-04-30 | 2015-04-30 | Apparatus and method for collecting unknown traffic flow to analysis application traffic |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101605187B1 (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100869887B1 (en) * | 2007-06-13 | 2008-11-24 | 주식회사 케이티 | Traffic identification system and method with analysis on signature of packets |
Events
- 2015-04-30 KR KR1020150061909A patent/KR101605187B1/en active IP Right Grant
Legal Events
Date | Code | Title | Description |
---|---|---|---|
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant |