KR101605187B1 - Apparatus and method for collecting unknown traffic flow to analysis application traffic - Google Patents


Info

Publication number
KR101605187B1
Authority
KR
South Korea
Prior art keywords
traffic
unknown
service
information
unit
Application number
KR1020150061909A
Other languages
Korean (ko)
Inventor
조현구
최간호
Original Assignee
(주)시스메이트
Application filed by (주)시스메이트
Priority to KR1020150061909A
Application granted
Publication of KR101605187B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/026 Capturing of monitoring data using flow identification

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An unknown traffic flow collecting device for application traffic analysis according to the present invention comprises: a traffic analysis unit that extracts flow information from Internet service traffic, extracts information on the terminals connected to an unknown service based on received unknown service information, and classifies and delivers the unknown traffic packets that do not match a pre-stored application identification signature among the traffic exchanged between an unknown service use terminal and an unknown service server; an unknown traffic management unit that extracts, from the flow information received from the traffic analysis unit, the unknown service information identifying the service that generates the unknown traffic and delivers it to the traffic analysis unit; and an unknown traffic collection unit that collects, among the unknown traffic packets received from the traffic analysis unit, those generated in common by a preset number of user terminals or more.

Description

APPARATUS AND METHOD FOR COLLECTING UNKNOWN TRAFFIC FLOW TO ANALYSIS APPLICATION TRAFFIC

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to network traffic analysis, and more particularly, to traffic flow collection and processing for network traffic analysis.

As the number of Internet users increases and high-speed networks and smart mobile devices spread, network traffic is growing rapidly. At the same time, alongside Internet services that use standard protocols, the use of non-standard Internet protocols for live streaming (such as broadcast and sports relays), peer-to-peer and game services is increasing, and using several services together, or using services that generate large volumes of Internet traffic, is becoming common. In addition, the life cycle of an Internet service (appearance, change, disappearance) is accelerating rapidly. As traffic grows, traffic monitoring and analysis through application service identification of Internet traffic is becoming more important for effective network management and security.

To identify the application behind traffic, a traffic analysis system analyzes the Internet traffic using application identification signatures that are characteristic of each application service's traffic. An application identification signature is a characteristic pattern in the traffic that is unique to an application; by matching traffic against it, the application program generating the traffic can be identified.

A traffic analysis system for effective network management must guarantee a certain level of application identification and high analysis performance for Internet traffic. However, because new kinds of Internet services are appearing rapidly and changes to existing services generate more unclassified (non-classified) traffic, difficulties are encountered in providing and maintaining traffic analysis performance. In particular, to extract an application identification signature for a new Internet service and apply it, the traffic generated when the new service is used must be collected and analyzed on the basis of the flows between the server and the terminal. However, Team) of the user. Korean Patent Laid-Open Publication No. 10-2013-0054511 discloses a method for addressing a network analysis problem, but it does not solve the problem of unknown traffic; it merely decides whether to maintain or delete a signature according to the usefulness of that signature.

Korean Patent Publication No. 10-2013-0054511

The problem to be solved by the present invention is to provide an unknown traffic flow collecting device and collecting method that collect and classify unclassified traffic, so as to improve analysis performance in the traffic analysis process and meet the demand for a quick response to new Internet service traffic.

The unknown traffic flow collecting device for analyzing application traffic according to the present invention comprises: a traffic analysis unit that extracts flow information from the unknown traffic of Internet service traffic, extracts information on the terminals using an unknown service based on the received unknown service information, and classifies and delivers the packets of unknown traffic that do not match the previously stored application identification signatures among the traffic between the unknown service using terminal and the unknown service server; an unknown traffic management unit that extracts the unknown service information of the service providing the unknown traffic and delivers it to the traffic analysis unit; an unknown traffic collecting unit that collects, among the unknown traffic received from the traffic analysis unit, the unknown traffic packets generated from a predetermined number or more of user terminals; an unknown traffic storing unit that generates and stores a traffic packet file for each unknown service using terminal from the unknown traffic packets collected by the unknown traffic collecting unit; and a known traffic statistics unit that manages statistics of known flows based on the flow information received from the traffic analyzing unit.

The unknown traffic collecting unit collects unknown traffic packets of the unknown service using terminal until the unknown service collecting policy received from the unknown traffic managing unit is satisfied. The traffic analysis unit can distinguish well-known service traffic from unknown traffic among a plurality of Internet service traffic through the previously stored application identification signatures.

The unknown traffic flow collection method for application traffic analysis according to the present invention extracts flow information from the unknown traffic of Internet service traffic and extracts unknown service information from the extracted flow information. Then, information on the unknown service use terminals connected to the destination address included in the extracted unknown service information is extracted. Once the unknown service information and the unknown service use terminal information have been extracted, the one or more unknown traffic packets that do not match the application identification signature are classified among the traffic between the unknown service server and the unknown service using terminals included in the unknown service information. Then, among the classified unknown traffic packets, those commonly generated by a predetermined number or more of the user terminals are collected, and a traffic packet file is generated and stored for each unknown service using terminal.

The unknown traffic flow collecting device and collecting method for application traffic analysis according to the present invention can be expected to improve the responsiveness of the traffic analysis process to new Internet services and to changes in service methods by automatically collecting and storing unclassified traffic. The present invention can also be expected to improve the accuracy of application identification signature extraction by collecting and storing, in units of flows grouped by the common server-terminal attribute, the application service traffic packets that are indispensable for signature extraction. In addition, by linking with automatic application identification signature extraction technology, the present invention can be utilized as a core technology for automatic traffic collection, analysis, and application to new Internet servers in the traffic analysis process.

FIG. 1 is a block diagram illustrating an example of a traffic analysis system using an unknown traffic flow collection apparatus 100 for application traffic analysis according to the present invention.
FIG. 2 is a block diagram showing an embodiment of an unknown traffic flow collecting apparatus 100 for analyzing application traffic according to the present invention.
FIG. 3 is a view for explaining a traffic classification process of an unknown traffic flow collection apparatus 100 for application traffic analysis according to an embodiment of the present invention.
FIG. 4 is a diagram illustrating an example of an unknown service collection policy of an unknown traffic flow collection apparatus 100 for application traffic analysis according to an embodiment of the present invention.
FIG. 5 is a flowchart illustrating an unknown traffic flow collection process of an unknown traffic flow collection apparatus 100 for application traffic analysis according to an embodiment of the present invention.
FIG. 6 is a flowchart illustrating an unknown traffic flow collection method for application traffic analysis according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. The terms and words used in this specification are selected in consideration of the functions in the embodiments, and the meaning of a term may vary depending on the intention of the inventor or on customary usage. Therefore, terms used in the following embodiments are to be understood according to their definitions where they are specifically defined in this specification and, unless otherwise specified, in the sense generally recognized by those skilled in the art.

FIG. 1 is a block diagram illustrating an example of a traffic analysis system using an unknown traffic flow collection apparatus 100 for application traffic analysis according to the present invention.

Referring to FIG. 1, service providing models using the Internet include P2P (peer to peer), GRID and client/server models, among others, and every Internet service model necessarily includes one or more Internet servers. The invention collects the traffic that occurs between the two ends, terminal and server, and collects and stores its unknown part so that it can be used to create a signature that identifies a new service. The traffic generated through Internet services can be divided into well-known traffic and unknown traffic. Known traffic is confirmed service traffic whose type of Internet service, that is, the kind of service and its provider, can be confirmed. Unknown traffic is the traffic of Internet service applications that cannot be identified by the signatures, meaning new Internet services and services whose traffic structure has changed.

The unknown traffic flow collecting apparatus 100 for analyzing application traffic according to the present invention receives the traffic generated between a user terminal and a service after it has been classified by a traffic analysis process that uses application identification signatures to identify existing (well-known) Internet services, excludes the classified traffic, and extracts the unknown traffic. It then overlaps the unknown traffic on the basis of the address (destination IP) of the same Internet service server 10, so that traffic to the same address can be identified as the same unknown service and its server-to-terminal flows can be collected and stored.

FIG. 2 is a block diagram showing an embodiment of an unknown traffic flow collecting apparatus 100 for analyzing application traffic according to the present invention.

Referring to FIG. 2, an unknown traffic flow collecting apparatus 100 for analyzing application traffic according to the present invention includes a traffic analyzing unit 110, an unknown traffic managing unit 120, an unknown traffic collecting unit 130 and an unknown traffic storage unit 140, and may further include a known traffic statistics unit 150.

The traffic analysis unit 110 includes at least one traffic analysis engine 111 that performs real-time analysis of Internet service traffic in a high-speed network environment. The traffic analysis unit 110 receives the various Internet service traffic generated by the user terminal 20. The traffic analyzer 110 then compares the received Internet service traffic with the stored application identification signatures and classifies it into known traffic and unknown traffic. The traffic analyzer 110 extracts flow information from the classified unknown traffic and delivers the extracted flow information to the unknown traffic manager 120. The flow information may include the source IP (user terminal IP), the destination IP, the number of packets and the amount of data (bytes) of the traffic.

When it receives an unknown service packet collection request from the unknown traffic management unit 120, the traffic analysis unit 110 identifies the unknown service (the destination address of the unknown traffic) through the received unknown service information and extracts information on the user terminals using that unknown service. The user terminal information may include a source address (source IP) that identifies a user terminal using the unknown service. The destination address is the address of the Internet service server 20, and the source address (source IP) is the address of the user terminal 20.

The traffic analyzer 110 classifies the unknown traffic by applying a white box filter to the traffic between the user terminals (source IPs) in the extracted user terminal information and the unknown service. In other words, the traffic analyzing unit 110 compares the traffic between those user terminals and the unknown service with the predetermined application identification signatures, excludes the traffic that corresponds to a signature, and classifies only the traffic that corresponds to no signature as unknown traffic. This filtering process is called a white box filter. The traffic between a user terminal and the unknown service is not necessarily unknown traffic: for example, even when the destination address has been classified as an unknown service because the server providing the service changed, the traffic between the user terminal and that address may still correspond to a conventional application identification signature. Accordingly, through the white box filtering described above, the traffic analyzing unit 110 classifies as unknown traffic only the traffic delivered to the unknown service address that corresponds to no application identification signature. The traffic analyzing unit 110 transmits the classified unknown traffic packets to the unknown traffic collecting unit 130.

The unknown traffic management unit 120 extracts unknown service information from the flow information received from the traffic analysis unit 110. The extracted unknown service information may include an unknown service address, which is a destination address (Destination IP, dIP). Based on the extracted unknown service information, the unknown traffic management unit 120 then transmits to the traffic analysis unit 110 a request to collect unknown service packets for the unknown service address (dIP). An unknown service packet for an unknown service address means a packet of the traffic generated at the unknown service address (destination address) included in the extracted unknown service information. In this process, the unknown traffic management unit 120 may send the traffic analysis unit 110 an unknown service packet collection request for all of the unknown service addresses (dIPs) included in the extracted unknown service information. However, if collection is requested for all unknown service addresses, the traffic analysis unit 110 must run the classification process for a very large number of unknown service addresses, and classification of rarely used unknown service addresses in particular may be unnecessary. Accordingly, the unknown traffic management unit 120 may request collection of unknown service packets only for traffic whose frequency or volume is at least a predetermined size, whose rank by traffic volume is high, or whose share of the total traffic is at least a predetermined ratio.

The unknown traffic management unit 120 also delivers the unknown service collection policy to the unknown traffic collection unit 130. The unknown service collection policy is the set of policy conditions under which the unknown traffic collection unit 130 collects unknown traffic, and may include conditions on the number of source IPs to collect, the number of packet logs to collect, a size, and a destination IP address. The unknown service collection policy is further described with reference to FIG. 4 below.

The unknown traffic collecting unit 130 collects the unknown traffic packets of the unknown service using terminals received from the traffic analyzing unit 110 until the unknown service collecting policy received from the unknown traffic managing unit 120 is satisfied. The unknown traffic collecting unit 130 performs black box filtering on the collected unknown traffic. Black box filtering is a method of collecting only the unknown traffic common to a predetermined number or more of user terminals. That is, among the unknown traffic received from the traffic analyzing unit 110, the unknown traffic collecting unit 130 selects only the traffic transmitted from a predetermined number or more of user terminals.

Through this process, excluding traffic generated only by a small number of specific terminals and collecting traffic generated in common by a predetermined number or more of user terminals increases the reliability of the collected unknown traffic and reduces unnecessary operations. The unknown traffic collecting unit 130 stores the unknown traffic that passes the filter in a policy-specific storage memory (queue).

The unknown traffic storage unit 140 accesses the policy-specific storage memory of the unknown traffic collecting unit 130, generates a flow for each user terminal and unknown service server, and generates an unknown traffic flow storage file in a network traffic packet storage file format such as PCAP. The unknown traffic flow storage files stored in the unknown traffic storage unit 140 may be added to the analysis data pool used to extract and apply a new application identification signature for the unknown service. Accordingly, combined with a conventional traffic classification system, the present invention can automatically generate traffic classification for unclassified unknown services by generating and updating application identification signatures for them.

The unknown traffic management unit 120 and the known traffic statistics unit 150 may calculate and store traffic statistics for the unknown traffic and the known traffic, respectively. The unknown traffic management unit 120 calculates traffic statistics based on the flow information of the unknown traffic received from the traffic analysis unit 110. The known traffic statistics unit 150 calculates traffic statistics based on the flow information of the known traffic received from the traffic analysis unit 110. The traffic statistics may be accumulated statistical information about the destination IP / source IP of the traffic, the traffic volume, the type of server per service, and the like.

FIG. 3 is a view for explaining a traffic classification process of an unknown traffic flow collection apparatus 100 for application traffic analysis according to an embodiment of the present invention.

Referring to FIG. 3, the traffic analysis unit 110 of the unknown traffic flow collecting apparatus 100 for analyzing application traffic according to an embodiment of the present invention can receive a plurality of lines through two or more traffic analysis engines 111 and process multiple analyses in parallel. The traffic analysis unit 110 identifies known traffic and unknown traffic by matching the Internet service traffic received from each of the user terminals 21, 22 and 23 against the pre-stored application identification signatures. The one or more traffic analysis engines 111 classify traffic corresponding to a stored application identification signature as known traffic, and traffic corresponding to no stored application identification signature as unknown traffic.

In FIG. 3, the traffic analysis engine 111 classifies the traffic of YouTube, Facebook, P2P and mail services as well-known traffic, clearly recognized by a pre-stored application identification signature. On the other hand, the traffic analysis engine 111 classifies traffic that corresponds to no previously stored application identification signature as unknown traffic (unknown0 to unknown3), whose service is not clearly recognized. The unknown traffic flow collecting apparatus 100 for analyzing application traffic extracts from the unknown traffic classified by the traffic analyzing unit 110 the destination address corresponding to the address of the Internet service server, so that unknown traffic generated by various users toward the same extracted destination address can be identified and stored as the same unknown traffic.

FIG. 4 is a diagram illustrating an example of an unknown service collection policy of an unknown traffic flow collection apparatus 100 for application traffic analysis according to an embodiment of the present invention.

Referring to FIG. 4, the unknown traffic collecting unit 130 of the unknown traffic flow collecting apparatus 100 for analyzing application traffic checks whether the unknown service collecting policy is satisfied and, on that basis, decides whether or not to pass on an unknown traffic packet.

Table 1. Unknown service collection policy components

flags: Whether the policy is enabled (0x8000)
udId: Item number of the Ud hash table
PoId: Applied policy ID
unId: Packet log session ID
Destination IP Address: Destination IP address
LimitedLogTime: Packet log timeout
maxSipCount: Maximum number of source IPs collected
maxSessionCount: Maximum number of sessions to collect per source IP
maxLogPacketCount: Maximum number of packets to collect per source IP
maxLogPacketSize: Maximum size of packet log to collect per source IP

The unknown service collection policy may include the components shown in Table 1. The unknown service collection policy is a condition set in advance by the user, which is transmitted to the unknown traffic collection unit 130 and used as an unknown traffic collection termination condition. In this process, the unknown service collection policy may be transmitted to the traffic analysis unit 110 for synchronization between the traffic analysis unit 110 and the unknown traffic collection unit 130.

FIG. 5 is a flowchart illustrating an unknown traffic flow collection process of an unknown traffic flow collection apparatus 100 for application traffic analysis according to an embodiment of the present invention.

Referring to FIG. 5, the unknown traffic flow collection process of the unknown traffic flow collection apparatus 100 for application traffic analysis may be performed through the traffic analysis unit 110, the unknown traffic management unit 120, the unknown traffic collection unit 130 and the unknown traffic storage unit 140 in the following procedure.

First, the traffic analyzer 110 analyzes the traffic between the user terminals and the Internet service servers to extract flow information (S501). In particular, the traffic analyzer 110 compares the received Internet service traffic with the stored application identification signatures and classifies it into classified (known) traffic and unknown traffic, then extracts flow information from the classified unknown traffic. The flow information may include the source IP (user terminal IP), the destination IP and the packet count of the traffic. Then, the traffic analysis unit 110 delivers the extracted flow information to the unknown traffic management unit 120 (S502).

When the unknown traffic management unit 120 receives the flow information from the traffic analysis unit 110, it calculates and manages traffic statistics of the unknown flows based on the received flow information (S503). The traffic statistics may be accumulated statistical information about the addresses (destination IPs) of the Internet services that generate unknown traffic.

Next, the unknown traffic management unit 120 extracts unknown service information from the flow information received from the traffic analysis unit 110 (S504). The unknown service information may include a destination IP (dIP). In step S505, the unknown traffic management unit 120 transmits to the traffic analysis unit 110 an unknown service packet collection request for the unknown service address (dIP) included in the extracted unknown service information. An unknown service packet for an unknown service address means a packet of the Internet service traffic generated by that unknown service. In this process, the unknown traffic management unit 120 can send the traffic analysis unit 110 an unknown service packet collection request for all of the extracted unknown service addresses (dIPs).

However, if collection is requested for all unknown service addresses, the traffic analysis unit 110 must run the classification process for a very large number of unknown service addresses, and classification of rarely used unknown service addresses in particular may be unnecessary. Accordingly, the unknown traffic management unit 120 can request collection of unknown service packets only for those extracted unknown service addresses whose traffic accounts for at least a predetermined ratio of the total traffic. The unknown traffic management unit 120 also delivers the unknown service collection policy to the unknown traffic collection unit 130 (S506). The unknown service collection policy is the set of policy conditions under which the unknown traffic collection unit 130 collects unknown traffic, and may include conditions on the number of source IPs to collect, the number of packet logs to collect, a size, and a destination IP address.

When it receives an unknown service packet collection request for an unknown service address (dIP) from the unknown traffic management unit 120, the traffic analysis unit 110 extracts information on the user terminals connected to that unknown service address (S507). The extracted user terminal information may include the address (source IP, sIP) of each user terminal. Then, the traffic analyzer 110 classifies the unknown traffic by applying a white box filter to the traffic of the user terminal addresses (source IPs) included in the extracted user terminal information (S508).

In other words, the traffic analyzer 110 compares the traffic generated between the user terminals at the extracted addresses and the unknown service address with the predetermined application identification signatures, excludes the traffic that corresponds to a signature, and classifies only the traffic that corresponds to no signature as unknown traffic. This filtering process is called a white box filter. Even traffic transmitted from a user terminal to the extracted unknown service address is not necessarily unknown traffic: for example, even when the destination address has been classified as an unknown service address because the server providing the service changed, the traffic transmitted from the user terminal to that address may still correspond to a conventional application identification signature. Therefore, through the white box filtering described above, the traffic analyzing unit 110 classifies as unknown traffic only the traffic between the unknown service address and the unknown service terminals that corresponds to no application identification signature. Then, the traffic analyzer 110 transmits the classified unknown traffic packets to the unknown traffic collector 130 (S509).

Next, the unknown traffic collecting unit 130 performs black box filtering on the collected unknown traffic (S511). Black box filtering is a method of collecting only the unknown traffic common to a predetermined number or more of user terminals. That is, among the unknown traffic received from the traffic analyzing unit 110, the unknown traffic collecting unit 130 selects only the traffic transmitted from a predetermined number or more of user terminals. The unknown traffic collecting unit 130 stores the unknown traffic that passes the filter in a policy-specific storage memory (queue).

The unknown traffic storage unit 140 accesses the policy-specific storage memory of the unknown traffic collecting unit 130, generates a flow for each user terminal and unknown service server, and generates and stores an unknown traffic flow storage file in a network traffic packet storage file format such as PCAP (S511).

FIG. 6 is a flowchart illustrating an unknown traffic flow collection method for application traffic analysis according to an embodiment of the present invention.

Referring to FIG. 6, in the unknown traffic flow collection method for application traffic analysis using the unknown traffic flow collection apparatus according to an embodiment of the present invention, the traffic analysis unit 110 first compares the traffic between the user terminals and the service servers with the stored application identification signatures and classifies the received Internet service traffic into known traffic and unknown traffic (S601). Then, the traffic analysis unit 110 extracts flow information from the classified unknown traffic (S602).

When the flow information has been extracted from the unknown traffic, unknown service information is extracted from the extracted flow information (S603). The unknown service information includes the unknown service address, which is the destination IP of the unknown traffic transmitted from the user terminal. Next, information on the user terminals connected to the unknown Internet service is extracted based on the unknown service information (S604). When the information on the user terminals using the unknown Internet service has been extracted, the traffic between those terminals and the server providing the unknown Internet service is filtered against the application identification signatures (S605): the traffic between the user terminal corresponding to the extracted user terminal address and the unknown service address is compared with the predetermined application identification signatures, traffic that corresponds to an application identification signature is excluded, and only the traffic that corresponds to no application identification signature is classified as unknown traffic. Next, in step S606, the unknown traffic packets commonly generated by a predetermined number or more of user terminals are collected from the filtered unknown traffic. In step S607, a flow is generated for each user terminal and unknown service server from the collected unknown traffic, and the unknown traffic flow is stored as a file in a network traffic packet storage file format such as PCAP.
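The procedure of steps S601 to S607 carried through in code, as an added example that is not part of the patent or the applicant's implementation. It assumes a hypothetical signature table of payload prefixes standing in for the application identification signatures, constructed sample packets in documentation address ranges, a black box threshold of two user terminals, and it writes each per-terminal/per-server flow as a minimal libpcap file (LINKTYPE_IPV4 frames with synthesized IPv4/UDP headers); PCAP is the only storage format the page names, and the frame layout is this example's choice.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # user terminal IP
    dst: str      # service server IP
    dport: int
    payload: bytes


# Hypothetical application identification signatures: payload prefixes.
# A real engine uses richer DPI rules; a prefix check is enough to show the flow.
SIGNATURES = {"http": b"GET ", "tls": b"\x16\x03"}


def matches_signature(pkt):
    return any(pkt.payload.startswith(sig) for sig in SIGNATURES.values())


def classify(packets):
    """S601: split Internet service traffic into known and unknown traffic."""
    known, unknown = [], []
    for p in packets:
        (known if matches_signature(p) else unknown).append(p)
    return known, unknown


def unknown_service_addresses(unknown):
    """S602/S603: flow information of unknown traffic, overlaid by destination
    address, yields the set of unknown service addresses."""
    return {p.dst for p in unknown}


def terminals_using(packets, service_addrs):
    """S604: user terminals that sent traffic to an unknown service address."""
    return {p.src for p in packets if p.dst in service_addrs}


def white_box_filter(packets, service_addrs, terminals):
    """S605: of the terminal<->unknown-service traffic keep only packets that
    match no signature (a server move does not make signed traffic unknown)."""
    return [p for p in packets
            if p.dst in service_addrs and p.src in terminals
            and not matches_signature(p)]


def black_box_filter(packets, min_terminals):
    """S606: keep only unknown service addresses contacted by at least
    min_terminals distinct user terminals."""
    terminals_by_dst = defaultdict(set)
    for p in packets:
        terminals_by_dst[p.dst].add(p.src)
    common = {d for d, t in terminals_by_dst.items() if len(t) >= min_terminals}
    return [p for p in packets if p.dst in common]


def group_flows(packets):
    """S607: one flow per (user terminal, unknown service server) pair."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p.src, p.dst)].append(p)
    return dict(flows)


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ipv4_checksum(header):
    """One's-complement sum over the 20-byte IPv4 header (0 when valid)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(pkt, sport=40000):
    """Synthesize an IPv4/UDP frame for a sample packet (UDP checksum 0 is legal)."""
    udp_len = 8 + len(pkt.payload)
    udp = struct.pack("!HHHH", sport, pkt.dport, udp_len, 0) + pkt.payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                      _ip_bytes(pkt.src), _ip_bytes(pkt.dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def to_pcap(packets, ts=0):
    """Serialize packets as a classic libpcap file with LINKTYPE_IPV4 (228)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 228)
    for i, p in enumerate(packets):
        frame = build_ipv4_udp(p)
        out += struct.pack("<IIII", ts + i, 0, len(frame), len(frame)) + frame
    return out


def collect_unknown_flows(packets, min_terminals=2):
    """Whole pipeline: returns {(terminal, server): pcap_bytes}."""
    _, unknown = classify(packets)
    svc = unknown_service_addresses(unknown)
    terminals = terminals_using(packets, svc)
    filtered = white_box_filter(packets, svc, terminals)
    common = black_box_filter(filtered, min_terminals)
    return {flow: to_pcap(pkts) for flow, pkts in group_flows(common).items()}


# Constructed sample traffic (documentation/test address ranges only).
SAMPLE = [
    Packet("10.0.0.1", "203.0.113.10", 80, b"GET / HTTP/1.1\r\n"),      # known (http)
    Packet("10.0.0.1", "198.51.100.7", 4433, b"\x16\x03\x01\x00\x2a"),  # signed, white box drops it
    Packet("10.0.0.1", "198.51.100.7", 9999, b"\x01\x02HELLO"),         # unknown
    Packet("10.0.0.2", "198.51.100.7", 9999, b"\x01\x02WORLD"),         # unknown, second terminal
    Packet("10.0.0.3", "192.0.2.55", 7000, b"\xde\xad\xbe\xef"),        # unknown, one terminal: black box drops it
]

if __name__ == "__main__":
    for (term, server), pcap in collect_unknown_flows(SAMPLE).items():
        with open(f"unknown_{term}_{server}.pcap", "wb") as fh:
            fh.write(pcap)
        print(term, "->", server, len(pcap), "bytes")
```

With the sample above, the TLS-like packet to the unknown address survives S604 (its terminal is a user of the unknown service) but is removed by the white box filter, and the single-terminal destination 192.0.2.55 is removed by the black box filter, leaving two flows to 198.51.100.7 that open in any pcap reader.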

The present invention described above can be implemented as a computer program, and the code and code segments constituting the program can be easily deduced by a programmer skilled in the field. The program can be stored on a computer-readable recording medium or information storage medium and read and executed by a computer to implement the method of the present invention. The recording medium includes all types of recording media readable by a computer.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but, on the contrary, It is possible.

100: unknown traffic flow collecting device for application traffic analysis
110: traffic analysis unit
120: unknown traffic management unit
130: unknown traffic collecting unit
140: unknown traffic storing unit
150: main traffic statistics section

Claims (10)

1. An apparatus for collecting unknown traffic flow for application traffic analysis, comprising:
a traffic analyzer for extracting flow information from unknown traffic of Internet service traffic, extracting unknown service use terminal information connected to the received unknown service address, and classifying and delivering packets of unknown traffic, among the unknown traffic between the unknown service use terminal and the unknown service, that do not match a stored application identification signature;
an unknown traffic manager for extracting service information for providing unknown service traffic based on the flow information received from the traffic analyzer and delivering an unknown service address of the extracted unknown service information to the traffic analyzer; and
an unknown traffic collecting unit for collecting unknown traffic packets only for unknown service addresses commonly generated by a predetermined number or more of user terminals among a plurality of unknown traffic packets received from the traffic analyzing unit,
wherein the unknown traffic management unit extracts packets of the unknown traffic and overlays the packets based on the destination address.

2. The apparatus according to claim 1, further comprising:
an unknown traffic storage unit for generating and storing a traffic packet file for each unknown service using terminal from the unknown traffic packets collected by the unknown traffic collecting unit.

3. The apparatus according to claim 1, wherein the unknown traffic collecting unit collects unknown traffic packets of the unknown service using terminal until the unknown service collection policy received from the unknown traffic management unit is satisfied.

4. The apparatus according to claim 1, wherein the traffic analyzer identifies well-known service traffic and unknown traffic among a plurality of Internet service traffic through a previously stored application identification signature.

5. The apparatus according to claim 1, wherein the traffic analysis unit includes at least two traffic analysis engines for receiving a plurality of lines and processing a plurality of analyses in parallel.

6. The apparatus according to claim 1, wherein the unknown traffic management unit manages statistics of unknown flows based on the flow information received from the traffic analyzing unit.

7. A method for collecting unknown traffic flow for application traffic analysis, comprising:
extracting flow information from unknown traffic of Internet service traffic;
extracting unknown service information from the extracted flow information;
extracting unknown service use terminal information connected to an unknown service address included in the extracted unknown service information;
classifying unknown traffic packets that do not match an already stored application identification signature among one or more unknown traffic between the unknown service address included in the unknown service information and the unknown service using terminals; and
collecting only unknown traffic packets for unknown service addresses that are common to a predetermined number or more of user terminals among the plurality of classified unknown traffic packets,
wherein the step of classifying packets of the unknown traffic comprises extracting packets of the unknown traffic and overlaying the packets based on a destination address of the unknown IP service.

8. The method of claim 7, wherein the step of extracting the flow information from the unknown traffic of the Internet service traffic includes:
comparing the received Internet service traffic with pre-stored application identification signatures to classify it into known traffic and unknown traffic; and
extracting flow information from the unknown traffic.

9. The method of claim 7, further comprising:
generating and storing a traffic packet file for each unknown service using terminal from the unknown traffic packets collected by the unknown traffic collecting unit.

10. The method of claim 7, wherein the step of collecting the unknown traffic packets collects unknown traffic packets of the unknown service using terminal until the unknown service collection policy is satisfied.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150061909A KR101605187B1 (en) 2015-04-30 2015-04-30 Apparatus and method for collecting unknown traffic flow to analysis application traffic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150061909A KR101605187B1 (en) 2015-04-30 2015-04-30 Apparatus and method for collecting unknown traffic flow to analysis application traffic

Publications (1)

Publication Number Publication Date
KR101605187B1 true KR101605187B1 (en) 2016-03-21

Family

ID=55651161

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150061909A KR101605187B1 (en) 2015-04-30 2015-04-30 Apparatus and method for collecting unknown traffic flow to analysis application traffic

Country Status (1)

Country Link
KR (1) KR101605187B1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100869887B1 (en) * 2007-06-13 2008-11-24 주식회사 케이티 Traffic identification system and method with analysis on signature of packets

Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant