TWI685231B - Packet classification method - Google Patents

Packet classification method

Info

Publication number: TWI685231B
Authority: TW (Taiwan)
Application number: TW108114194A
Other languages: Chinese (zh)
Other versions: TW202040969A
Inventors: 周立德, 黃啟澤
Original assignee: 國立中央大學

Legal events: application filed by 國立中央大學; priority to TW108114194A; application granted; publication of TWI685231B; publication of TW202040969A.

Abstract

The present disclosure provides a packet classification method comprising: parsing network data by a first parser to determine whether the network data contains data link layer content; parsing the network data by a second parser, when the network data contains the data link layer content, to determine whether the network data contains network layer content; parsing the network data by a third parser, when the network data contains the network layer content, to determine whether the network data contains transport layer content; parsing an application type of the network data by a fourth parser when the network data contains the transport layer content; setting, by a classification module, a classification tag on the network data according to the application type; and storing the network data and the classification tag in a tag lookup table so that a network platform can manage traffic.

Description

Packet classification method

The present disclosure relates to a network management method, and in particular to a packet classification method for a network node.

To manage a network, packets are generally parsed and classified according to their ports. However, if a packet is encapsulated by an unknown peer-to-peer protocol, or uses a dynamic or disguised port, it will be parsed incorrectly and its type misjudged. Accurately identifying the packet class from the content the packet carries is therefore a problem in urgent need of a solution.

This summary is intended to provide a simplified overview of the disclosure so that the reader has a basic understanding of it. It is not a complete overview of the disclosure, and it is not intended to identify important or critical elements of the embodiments or to define the scope of the invention.

According to one embodiment of the present disclosure, a packet classification method is disclosed that includes the following steps: parsing network data by a first parser to determine whether the network data contains data link layer content; when the network data is determined to contain the data link layer content, parsing the network data by a second parser to determine whether it contains network layer content; when the network data is determined to contain the network layer content, parsing the network data by a third parser to determine whether it contains transport layer content; when the network data is determined to contain the transport layer content, parsing an application type of the network data by a fourth parser; setting, by a classification module, a classification tag on the network data according to the application type; and storing the network data and the classification tag in a tag lookup table so that a network platform can perform traffic management.

To make the above and other objects, features, advantages and embodiments of the disclosure easier to understand, the reference numerals used are described as follows:

100‧‧‧Network node
110‧‧‧Parsing module
111‧‧‧Firewall module
112‧‧‧Listening module
113‧‧‧First parser
114‧‧‧Second parser
115‧‧‧Third parser
116‧‧‧Fourth parser
117‧‧‧Tag name generator
120‧‧‧Classification module
121‧‧‧Local packet filter
122‧‧‧Layer 7 classifier
123‧‧‧Layer 3/4 classifier
130‧‧‧Network platform
131‧‧‧Front-end module
132‧‧‧Quality of service module
133‧‧‧Route selection module
140‧‧‧Database management program
150‧‧‧Domain name service database
160‧‧‧Classification database
170‧‧‧Routing module
S310~S390‧‧‧Steps

The following detailed description, read together with the accompanying drawings, will aid a better understanding of the aspects of the present disclosure. It should be noted that, in accordance with standard practice, the features in the drawings are not necessarily drawn to scale. In fact, the dimensions of the features may be arbitrarily increased or reduced for clarity of discussion.

FIG. 1 is a functional block diagram of a network node in a network communication environment according to some embodiments of the present disclosure.

FIG. 2 is a functional block diagram of the network node of FIG. 1 performing packet classification according to some embodiments of the present disclosure.

FIG. 3 is a flowchart of a packet classification method according to some embodiments of the present disclosure.

The following disclosure provides many different embodiments or examples for implementing different features of the invention. Specific examples of components and arrangements are described below to simplify the disclosure. These are, of course, merely examples and are not intended to be limiting. For example, the formation of a first feature over or on a second feature in the description that follows may include embodiments in which the first and second features are formed in direct contact, and may also include embodiments in which additional features are formed between the first and second features such that the first and second features are not in direct contact. In addition, reference numerals and/or letters may be repeated in the various examples. This repetition is for simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed.

Further, spatially relative terms such as "beneath", "below", "lower", "above", "upper" and the like may be used herein for ease of description to describe the relationship of one element or feature to another element (or elements) or feature (or features) as illustrated in the figures. In addition to the orientation depicted in the figures, the spatially relative terms are intended to encompass different orientations of the device in use or operation. The apparatus may be otherwise oriented (rotated 90 degrees or at other orientations), and the spatially relative descriptors used herein may likewise be interpreted accordingly.

Referring to FIG. 1, a network node 100 in a network communication environment and a functional block diagram of the network node 100 are shown according to some embodiments of the present disclosure. The network node 100 may be deployed on a wide area network (WAN) connected to an external network and/or on a local area network (LAN) connected to an internal network. In some embodiments, the network node 100 may be, but is not limited to, a router, a gateway, a switch with network layer processing capability, and the like. In other embodiments, the network node 100 may be an edge node located at the network edge. It is worth noting that references in this disclosure to layer 2, layer 3, layer 4 and layer 7 mean the data link layer, network layer, transport layer and application layer of the Open System Interconnection (OSI) model; the two sets of terms are used interchangeably in the embodiments without changing the substantive meaning.

As shown in FIG. 1, the network node 100 receives network data from the wide area network WAN or the local area network LAN in the communication network, and performs packet classification on that network data.

The network node 100 includes a parsing module 110, a classification module 120, a network platform 130, a domain name service database 150 and a classification database 160. The parsing module 110 parses the content of the network data in order to obtain key classification information about it. In one embodiment, the parsing module 110 further queries the domain name service database 150 according to the content of the network data, for later use in obtaining the key classification information.

The classification module 120 generates a classification tag corresponding to the network data according to the key classification information, and stores the classification tag together with the corresponding network data in the classification database 160.

The domain name service database 150 may be, but is not limited to, a DNS metadata database. In one embodiment, the domain name service database 150 records DNS response messages and classification information for fully qualified domain names (FQDNs). For example, the DNS response messages include forward-lookup IP address records (A records), alias records (CNAME records) and reverse-lookup domain name records (PTR records). The FQDN classification information contains each FQDN and its corresponding classification tag.

The network platform 130 accesses the classification tags in the classification database 160 to control the network data passing through the network node 100 and the current network state, and applies controls according to the application type of each item of network data.

The network node 100 may spawn multiple processes through a database management program 140 to read the domain name service database 150 and the classification database 160, so that multiple packet classifications are performed concurrently. For example, the database management program 140 concurrently queries the classification database 160 for the domain name or FQDN corresponding to an Internet Protocol (IP) address, so that multiple packets are classified at the same time. In some embodiments, the database management program 140 may be, but is not limited to, SQLite3.

The network node 100 further includes a routing module 170, which performs router functions. In one embodiment, the routing module 170 includes a network packet management module (not shown) and a translation module (not shown). The network packet management module handles the packet controls of the network node 100 relating to forwarding, blocking and transmitting network packets; it may be, but is not limited to, the iptables, ip6tables, ipchains or ipfwadm programs of a Linux system. The translation module performs IP address translation and may be, but is not limited to, a network address translation (NAT) program. In one embodiment, when the network node 100 receives network data, the routing module 170 first performs routing processing such as forwarding, blocking and transmitting, and the parsing module 110 then carries out the classification procedure.

Referring to FIG. 2, a functional block diagram of the network node 100 of FIG. 1 performing packet classification is shown according to some embodiments of the present disclosure. As shown in FIG. 2, the parsing module 110 includes a firewall module 111, a listening module 112, a first parser 113, a second parser 114, a third parser 115, a fourth parser 116 and a tag name generator 117. When the parsing module 110 processes network data, in one embodiment the firewall module 111 begins the analysis; if the data passes certain conditions or rules, the remaining components continue the analysis. If the network data fails the conditions or checks of any component in the parsing module 110, it does not fall within the scope of packet classification: it is discarded and packet classification of that network data is aborted.

The firewall module 111 applies firewall rules to the network data to determine whether it is junk traffic. For example, when the network node 100 receives network data from the wide area network WAN, the firewall module may determine that the data is a denial-of-service attack packet, such as a SYN packet of a SYN flooding attack or a packet of an Internet Control Message Protocol (ICMP) flooding attack. By blocking such connection packets, which were not initiated from the local network, at this stage, network data that need not be classified is filtered out in advance. The firewall module 111 forwards the network data that passes the firewall rules to the listening module 112.

The listening module 112 applies listening (sniffer) rules to the network data. For example, the listening module 112 captures the network data directly and forwards it to the first parser 113 without mirroring it. This avoids the performance degradation that mirroring network data would cause.

The first parser 113 determines whether the network data contains data link layer content. In one embodiment, the first parser 113 is a data link layer parser. The first parser 113 decapsulates the network data to determine whether it is an Ethernet frame. For example, if the first parser 113 can obtain a media access control (MAC) address from the network data, the network data is an Ethernet frame and is determined to contain data link layer content. In another embodiment, the first parser 113 may check the network data against the Ethernet protocol rather than relying on the MAC address alone. The first parser 113 forwards network data determined to be an Ethernet frame to the second parser 114. In this way, the parsing module 110 performs packet classification only on Ethernet network data; network data that is not of Ethernet type is filtered out at this point.

The second parser 114 determines whether the network data contains network layer content. In one embodiment, the second parser 114 is a network layer parser. The second parser 114 decapsulates the network data to determine whether the Ethernet frame carries a network layer packet. For example, if the second parser 114 can obtain Internet Protocol (IP) addresses from the network data, the network data is determined to contain network layer content. The second parser 114 then further extracts the source and destination IP addresses of the network layer content and stores them in the classification database 160 through the database management program 140 of FIG. 1.

In addition, the second parser 114 determines the traffic direction of the network data from the source and destination IP addresses. For example, if the source IP address is a public IP address and the destination IP address is a private IP address, the traffic direction is determined to be toward the internal local area network; otherwise, it is determined to be toward the external wide area network. It is worth noting that this rule is only an illustrative embodiment and the present disclosure is not limited to it. In this way, the parsing module 110 performs packet classification only on network data containing network layer content; the remaining network data is filtered out at this point. The second parser 114 forwards the qualifying network packets to the third parser 115.

The third parser 115 determines whether the network data contains transport layer content. In one embodiment, the third parser 115 is a transport layer parser. The third parser 115 decapsulates the network data to determine whether it is a transport layer segment. For example, if the third parser 115 can obtain a Transmission Control Protocol (TCP) message or a User Datagram Protocol (UDP) message from the network data, the network data is determined to be a transport layer segment. Then, if the network data contains a TCP message, the third parser 115 determines the current connection handshake type from the TCP message (for example, judging the current TCP handshake stage from SYN, SYN/ACK, ACK and FIN/ACK packets) and the connection sequence numbers (for example, extracting the seq and ack numbers to determine the current stage of the TCP connection), and then forwards the network data to the fourth parser 116. If, on the other hand, the network data contains a UDP message, the third parser 115 forwards the network packet directly to the fourth parser 116.
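As an added illustration (not code from the patent), the following Python sketch implements the first, second and third parsers described above over a constructed Ethernet/IPv4/TCP frame: each stage returns None when its layer is absent, so the pipeline stops exactly where the parsing module would discard the packet, and the public/private direction rule and the SYN, SYN/ACK, ACK, FIN/ACK handshake mapping follow the text. The MAC addresses and the 192.168.1.10 host are constructed; 31.13.87.38 is the address used in the page's own DNS example.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
# TCP flag patterns (URG/PSH masked out) -> handshake stage named in the text
TCP_HANDSHAKE = {0x02: "SYN", 0x12: "SYN/ACK", 0x10: "ACK", 0x11: "FIN/ACK"}


def parse_data_link(frame):
    """First parser: is this an Ethernet II frame? Returns MACs, ethertype and payload, or None."""
    if len(frame) < 14:
        return None
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
            "ethertype": ethertype, "payload": frame[14:]}


def traffic_direction(src, dst):
    """The page's rule: public source and private destination means traffic toward the LAN."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not src.is_private and dst.is_private:
        return "inbound"
    return "outbound"


def parse_network(link):
    """Second parser: does the frame carry an IPv4 packet? Returns addresses, protocol, direction."""
    if link["ethertype"] != ETHERTYPE_IPV4:
        return None
    p = link["payload"]
    if len(p) < 20 or p[0] >> 4 != 4:
        return None
    ihl = (p[0] & 0x0F) * 4
    total_len = struct.unpack("!H", p[2:4])[0]
    if ihl < 20 or total_len < ihl or len(p) < total_len:
        return None  # truncated or malformed header: do not guess
    src = ipaddress.IPv4Address(p[12:16])
    dst = ipaddress.IPv4Address(p[16:20])
    return {"src_ip": str(src), "dst_ip": str(dst), "protocol": p[9],
            "direction": traffic_direction(src, dst), "payload": p[ihl:total_len]}


def parse_transport(net):
    """Third parser: TCP segment (with handshake stage and seq/ack) or UDP datagram, else None."""
    p = net["payload"]
    if net["protocol"] == 6:  # TCP
        if len(p) < 20:
            return None
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", p[:14])
        data_offset = (off_flags >> 12) * 4
        if data_offset < 20 or len(p) < data_offset:
            return None
        flags = off_flags & 0x01FF
        return {"proto": "TCP", "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                "handshake": TCP_HANDSHAKE.get(flags & 0x17, "other"),
                "payload": p[data_offset:]}
    if net["protocol"] == 17:  # UDP
        if len(p) < 8:
            return None
        sport, dport, length = struct.unpack("!HHH", p[:6])
        if length < 8 or len(p) < length:
            return None
        return {"proto": "UDP", "src_port": sport, "dst_port": dport, "payload": p[8:length]}
    return None


def classify_layers(frame):
    """Runs parsers 1-3 in order; None means the packet left the pipeline at a missing layer."""
    link = parse_data_link(frame)
    if link is None:
        return None
    net = parse_network(link)
    if net is None:
        return None
    transport = parse_transport(net)
    if transport is None:
        return None
    return {"l2": link, "l3": net, "l4": transport}


def build_sample_frame():
    """Constructed (not captured) SYN/ACK from 31.13.87.38:443 to 192.168.1.10:40000.
    Checksums are left zero: the parsers above do not verify them."""
    eth = bytes.fromhex("02000000000a") + bytes.fromhex("020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", 443, 40000, 1000, 501, 5 << 4, 0x12, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("31.13.87.38").packed,
                     ipaddress.IPv4Address("192.168.1.10").packed)
    return eth + ip + tcp


if __name__ == "__main__":
    result = classify_layers(build_sample_frame())
    print(result["l3"]["direction"], result["l4"]["handshake"], result["l4"]["dst_port"])
```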

In one embodiment, the fourth parser 116 is an application layer parser. The fourth parser 116 decapsulates the network data to extract its application type. For example, the application type may be, but is not limited to, Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), DNS request/response, Quick UDP Internet Connections (QUIC), Google QUIC (GQUIC), Transport Layer Security (TLS), Secure Shell (SSL) and so on. The fourth parser 116 obtains the corresponding key classification information according to the application type.

In one embodiment, when the fourth parser 116 determines that the application type of the network data is HTTP, it obtains the host data of the network data. When the fourth parser 116 determines that the application type is DNS request/response, it obtains the domain name service data of the network data. When the fourth parser 116 determines that the application type is any of QUIC/GQUIC, TLS and SSL, it obtains the Server Name Indication (SNI) of the network data. In this embodiment, the key classification information obtained by the fourth parser 116 thus includes host data, domain name service data and the server name indication. It is worth noting that the above is merely an illustrative embodiment; the present disclosure is not limited to these application types and items of key classification information.
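As an added example, not the patent's own code, here is how a fourth parser could pull the two pieces of key classification information the text names for TCP payloads: the Host header of a plaintext HTTP request and the Server Name Indication from a TLS ClientHello. The ClientHello bytes are constructed by build_client_hello (a minimal hello with one cipher suite and a supported_versions extension placed ahead of SNI so the walker must skip it); every length is bounds-checked, and a hello truncated by segmentation yields None rather than a guess.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_server_name_list(data):
    """ServerNameList (RFC 6066): returns the first host_name entry, or None."""
    if len(data) < 2:
        return None
    pos, end = 2, 2 + _u16(data, 0)
    if end > len(data):
        return None
    while pos + 3 <= end:
        name_type, name_len = data[pos], _u16(data, pos + 1)
        pos += 3
        if pos + name_len > end:
            return None
        if name_type == 0:  # host_name
            try:
                return data[pos:pos + name_len].decode("ascii")
            except UnicodeDecodeError:
                return None
        pos += name_len
    return None


def extract_sni(payload):
    """Returns the SNI host name of a TLS ClientHello, or None if absent, malformed or truncated."""
    if len(payload) < 9 or payload[0] != TLS_HANDSHAKE or payload[5] != CLIENT_HELLO:
        return None
    record_len = _u16(payload, 3)
    hs_len = int.from_bytes(payload[6:9], "big")
    if record_len < hs_len + 4 or len(payload) < 9 + hs_len:
        return None  # the hello did not fit in this segment: do not parse a partial message
    body = payload[9:9 + hs_len]
    pos = 2 + 32  # client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]  # legacy_session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + _u16(body, pos)  # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]  # legacy_compression_methods
    if len(body) < pos + 2:
        return None
    ext_end = pos + 2 + _u16(body, pos)
    pos += 2
    if ext_end > len(body):
        return None
    while pos + 4 <= ext_end:  # walk extensions until server_name is found
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        pos += 4
        if pos + ext_len > ext_end:
            return None
        if ext_type == EXT_SERVER_NAME:
            return parse_server_name_list(body[pos:pos + ext_len])
        pos += ext_len
    return None


def extract_http_host(payload):
    """Returns the Host header of a complete plaintext HTTP/1.x request head, or None."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block not complete in this segment
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def key_classification_info(payload):
    """Fourth-parser dispatch: (application type, key classification info) for the two cases above."""
    sni = extract_sni(payload)
    if sni is not None:
        return ("TLS", sni)
    host = extract_http_host(payload)
    if host is not None:
        return ("HTTP", host)
    return (None, None)


def build_client_hello(server_name):
    """Constructed minimal ClientHello (not a capture) carrying an SNI for server_name."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HHH", EXT_SERVER_NAME, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    versions_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # supported_versions: TLS 1.3
    extensions = versions_ext + sni_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"           # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
            + b"\x01\x00"                                # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake
```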

The tag name generator 117 generates a classification tag corresponding to the network data according to any of the host data, the domain name service data and the server name indication. In one embodiment, the tag name generator 117 queries a database (for example, Wikipedia) with the key classification information to obtain the classification tag. For example, suppose the network node 100 receives a DNS request packet, that is, a message requesting a lookup for the IP address 31.13.87.38. After the network node 100 forwards the DNS request, it receives network data containing the DNS response. The parsing module 110 parses the application type of the network data as a DNS response, and this response contains two records:

www.facebook.com CNAME star-z-mini.c10r.facebook.com
star-z-mini.c10r.facebook.com A 31.13.87.38

That is, for the lookup of IP 31.13.87.38, two names are received: www.facebook.com and star-z-mini.c10r.facebook.com. In fact, both names represent Facebook's servers. After the tag name generator 117 looks up these two names in, for example, Wikipedia, it obtains the result facebook. The two DNS response records are therefore given the same classification tag, namely facebook. In other words, by looking up in a database the key classification information obtained by the preceding parsers, the tag name generator 117 can, through the assigned classification tag, group multiple items of key classification information that look different into the same category.

Referring again to FIG. 2, the classification module 120 includes a local packet filter 121, a layer 7 classifier 122 and a layer 3/4 classifier 123. In one embodiment, the local packet filter 121 determines whether the network data is a local area network communication packet (for example, ARP, DDSP, DHCP, LLMNR, NetBIOS and the like) or belongs to a protocol not positively associated with an application (for example, SSH, FTP and the like). If the network data is determined to be a local area network communication packet, it is discarded. This avoids classifying network data that serves only internal protocols or is unrelated to applications, improving the accuracy of the classification process.

In one embodiment, the layer 7 classifier 122 determines whether the network data contains layer 7 OSI information. When it determines that the network data contains layer 7 OSI information, the layer 7 classifier 122 classifies the network data according to the host data and the server name indication (SNI).

In one embodiment, when the layer 3/4 classifier 123 determines that the network data does not contain layer 7 OSI information, it obtains the Internet Protocol address from the domain name service data, together with the fully qualified domain name (FQDN) data corresponding to that IP address.
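To show how the tag name generator 117 (the DNS example above) and the two classifiers fit together, here is an added Python example, not the patent's code, that records DNS answers, follows CNAME chains and assigns one tag to every name and IP address of a service: the layer 7 path tags a host or SNI directly, and the layer 3/4 path falls back to the FQDNs previously seen resolving to the destination IP. The classification database is stood in for by a small constructed dictionary keyed by domain suffix (the text suggests an external reference such as Wikipedia), and the DNS records are the page's own facebook example.

```python
from collections import defaultdict

# Constructed stand-in for the classification database: domain suffix -> classification tag.
FQDN_TAGS = {"facebook.com": "facebook", "example.test": "example"}


def normalize(name):
    return name.lower().rstrip(".")


def lookup_tag(fqdn):
    """Longest-suffix match of an FQDN against the tag database, or None."""
    labels = normalize(fqdn).split(".")
    for i in range(len(labels) - 1):
        tag = FQDN_TAGS.get(".".join(labels[i:]))
        if tag is not None:
            return tag
    return None


class TagNameGenerator:
    """Turns DNS answers plus host/SNI data into classification tags and a tag lookup table."""

    def __init__(self):
        self.cname = {}                      # alias -> canonical name (CNAME records)
        self.names_by_ip = defaultdict(set)  # IP address -> FQDNs that resolved to it (A records)
        self.tag_table = {}                  # tag lookup table: name or IP -> tag

    def record_dns_response(self, records):
        """records: iterable of (name, rtype, rdata) tuples from a DNS answer section."""
        for name, rtype, rdata in records:
            name, rdata = normalize(name), normalize(rdata)
            if rtype == "CNAME":
                self.cname[name] = rdata
            elif rtype == "A":
                self.names_by_ip[rdata].add(name)
                # aliases whose chain ends at this name also reached this IP
                for alias in self.cname:
                    if self.canonical(alias) == name:
                        self.names_by_ip[rdata].add(alias)

    def canonical(self, name, max_hops=8):
        """Follow the CNAME chain; max_hops guards against a loop in the recorded records."""
        for _ in range(max_hops):
            nxt = self.cname.get(name)
            if nxt is None:
                break
            name = nxt
        return name

    def tag_for_name(self, name):
        """Layer 7 path (host or SNI present): any name on the CNAME chain may decide the tag."""
        name = normalize(name)
        chain, seen = [name], {name}
        while chain[-1] in self.cname and self.cname[chain[-1]] not in seen:
            chain.append(self.cname[chain[-1]])
            seen.add(chain[-1])
        for n in chain:
            tag = lookup_tag(n)
            if tag is not None:
                self.tag_table[name] = tag
                return tag
        return "unknown"

    def tag_for_ip(self, ip):
        """Layer 3/4 path (no layer 7 info): tag via the FQDNs previously seen resolving to ip."""
        tags = {self.tag_for_name(n) for n in self.names_by_ip.get(ip, ())} - {"unknown"}
        if len(tags) == 1:
            tag = tags.pop()
            self.tag_table[ip] = tag
            return tag
        return "ambiguous" if tags else "unknown"

    def classify(self, host=None, sni=None, dst_ip=None):
        """Classification module: layer 7 classifier when host/SNI exists, else layer 3/4 classifier."""
        if host or sni:
            return self.tag_for_name(host or sni)
        if dst_ip:
            return self.tag_for_ip(dst_ip)
        return "unknown"


# The page's DNS response, as the two records its example walks through.
PAGE_DNS_RESPONSE = [
    ("www.facebook.com", "CNAME", "star-z-mini.c10r.facebook.com"),
    ("star-z-mini.c10r.facebook.com", "A", "31.13.87.38"),
]
```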

Referring again to FIG. 2, the network platform 130 includes a front-end module 131, a quality of service module 132 and a route selection module 133. The front-end module 131 receives management commands and executes the corresponding packet control procedures. For example, if the management command is a bandwidth control command, the quality of service module 132 is operated to perform the corresponding bandwidth control, limiting or guaranteeing the bandwidth of the specified traffic. If the management command is a blocking command, the route selection module 133 is operated to block the specified traffic, preventing the network node 100 from accessing a malicious domain.

Referring to FIG. 3, a flowchart of a packet classification method according to some embodiments of the present disclosure is shown. With reference also to FIG. 2, the steps of the packet classification method are as follows:

In step S310, the firewall module 111 applies firewall rules to filter the network data.

In step S320, the listening module 112 listens for network data that has passed the firewall rules and forwards it to the first parser 113.

In step S330, the first parser 113 determines whether the network data contains data link layer content. If so, step S340 is executed; if not, the method proceeds to step S390 and the packet classification method ends.

In step S340, the second parser 114 determines whether the network data contains network layer content. If so, step S350 is executed; if not, the method proceeds to step S390 and the packet classification method ends.

In step S350, the third parser 115 determines whether the network data contains transport layer content. If so, step S360 is executed; if not, the method proceeds to step S390 and the packet classification method ends.

In step S360, the fourth parser 116 parses the application type of the network data. Next, in step S370, the tag name generator 117 sets a classification tag on the network data according to the application type.

In step S380, the tag name generator 117 stores the network data and the classification tag in the tag lookup table for the network platform 130 to use in traffic management.

In summary, the network node of the present disclosure and the packet classification method operating on the network node 100, based on fully qualified domain name information and on the tracking and processing of each layer's information in the network data, assign the same classification tag to messages that truly correspond to the same source. As a result, when subsequent network data enters the network node 100, the traffic type can be inferred quickly from the classification tag.

此外,本揭示文件不需要預先訓練規則,而可直接對網路資料或訊務進行分類,簡化封包分類的程序並降地運算成本。另外,透過設置軟體路由器來實現本揭示文件的封包分類方法,可減少網路延遲對分類機制所造成的效能不佳的問題。以及,由於設置分類標籤使得網路管理人員不需要親自檢查封包內容即可知道訊務類型,使得網路管理者可以直接專注在網路控管,提升對整體網路訊務狀態的掌握度。 In addition, the disclosed document does not require pre-training rules, but can directly classify network data or traffic, simplifying the process of packet classification and reducing the computational cost. In addition, by setting up a software router to implement the packet classification method of the disclosed document, the problem of poor performance caused by the network delay to the classification mechanism can be reduced. And, because the classification label is set, the network administrator can know the type of traffic without personally checking the packet content, so that the network administrator can directly focus on the network control and improve the mastery of the overall network traffic status.

上文概述若干實施例之特徵,使得熟習此項技術者可更好地理解本發明之態樣。熟習此項技術者應瞭解,可輕易使用本發明作為設計或修改其他製程及結構的基礎,以便實施本文所介紹之實施例的相同目的及 /或實現相同優勢。熟習此項技術者亦應認識到,此類等效結構並未脫離本發明之精神及範疇,且可在不脫離本發明之精神及範疇的情況下產生本文的各種變化、替代及更改。 The above summarizes the features of several embodiments so that those skilled in the art can better understand the aspect of the present invention. Those skilled in the art should understand that the present invention can be easily used as a basis for designing or modifying other processes and structures in order to carry out the same purposes of the embodiments described herein and /Or achieve the same advantage. Those skilled in the art should also realize that such equivalent structures do not depart from the spirit and scope of the present invention, and that various changes, substitutions, and alterations herein can be made without departing from the spirit and scope of the present invention.

100 Network node
110 Parsing module
120 Classification module
130 Network platform
140 Database management program
150 Domain name service database
160 Classification database
170 Routing module

Claims (10)

1. A packet classification method, comprising: parsing network data by a first parser to determine whether the network data contains data link layer content; when the network data is determined to contain the data link layer content, parsing the network data by a second parser to determine whether the network data contains network layer content; when the network data is determined to contain the network layer content, parsing the network data by a third parser to determine whether the network data contains transport layer content; when the network data is determined to contain the transport layer content, parsing an application type of the network data by a fourth parser; setting, by a classification module, a classification tag for the network data according to the application type; and storing the network data and the classification tag in a tag look-up table so that a network platform can perform traffic management.

2. The packet classification method of claim 1, further comprising, before determining whether the network data contains the data link layer content: executing a firewall rule by a firewall module to filter the network data.

3. The packet classification method of claim 2, further comprising, before determining whether the network data contains the data link layer content: executing a monitoring rule, by a monitoring module, on the network data that has passed the firewall rule; and transmitting the network data from the monitoring module to the first parser so that the first parser determines whether the network data contains the data link layer content.

4. The packet classification method of claim 1, wherein determining whether the network data contains the data link layer content further comprises: checking the network data against an Ethernet protocol; and if the network data conforms to the Ethernet protocol, determining that the network data contains the data link layer content.

5. The packet classification method of claim 1, wherein determining whether the network data contains the network layer content further comprises: checking the network data against a network layer protocol; and if the network data conforms to the network layer protocol, determining that the network data contains the network layer content.

6. The packet classification method of claim 5, wherein determining that the network data contains the network layer content further comprises: parsing a source Internet Protocol address and a destination Internet Protocol address from the network layer content of the network data; determining a traffic direction of the network data according to the source Internet Protocol address and the destination Internet Protocol address, the traffic direction being either toward a wide area network or toward a local area network; and recording the source Internet Protocol address and the destination Internet Protocol address in a classification database.

7. The packet classification method of claim 1, wherein determining whether the network data contains the transport layer content further comprises: parsing whether the transport layer content of the network data contains a Transmission Control Protocol message or a User Datagram Protocol message; when the transport layer content contains the Transmission Control Protocol message, determining a current connection handshake type and a connection handshake sequence number from the Transmission Control Protocol message; and when the transport layer content contains the User Datagram Protocol message, transmitting the network data to the fourth parser.

8. The packet classification method of claim 1, wherein setting the classification tag according to the application type of the network data comprises: when the application type is a Hypertext Transfer Protocol request, obtaining host data of the network data; when the application type is a Domain Name System request/response, obtaining domain name system data of the network data; and when the application type is any of Quick UDP Internet Connections (QUIC), Transport Layer Security, and Secure Shell, obtaining a server name indicator of the network data.

9. The packet classification method of claim 8, wherein setting the classification tag according to the application type of the network data further comprises: generating the classification tag by a tag name generator according to any of the host data, the domain name service data, and the server name indicator; and setting the corresponding classification tag for the network data.

10. The packet classification method of claim 9, further comprising, after setting the corresponding classification tag for the network data: discarding the network data by a local packet filter of the classification module when the network data is determined to be a local area network communication packet; classifying the network data according to the host data and the server name indicator by a layer-7 classifier of the classification module when the network data is determined to contain an OSI layer-7 message; and obtaining, by a layer-3/4 classifier of the classification module, an Internet Protocol address and fully qualified domain name data corresponding to that Internet Protocol address from the domain name service data when the network data is determined not to contain the OSI layer-7 message.
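The following is an added worked example, not code from the patent or from 國立中央大學: a small Python implementation of the chained parsers of steps S330-S380 and of claims 1, 6, 7 and 8. Each parser gates the next, a failed stage ends the method (step S390), the transport parser records the TCP handshake type (claim 7), the application parser derives the tag from an HTTP Host header or a TLS ClientHello server_name extension (two of the name sources in claim 8; DNS, QUIC and SSH are left out), and the result is stored in a tag look-up table keyed by the 5-tuple. The function names, the `TYPE:name` tag format, the `192.168.` prefix used to decide the traffic direction of claim 6, and the frame-building helpers used for constructed test input are all assumptions of this example.

```python
# Added example (not the patent's own code): a layered packet classifier in the
# spirit of steps S330-S380 and claims 1, 6, 7 and 8. The frame layout, the tag
# format and the LAN prefix are assumptions chosen for this illustration.
import struct

LAN_PREFIX = "192.168."   # assumption: which addresses count as the local area network

def parse_ethernet(frame):
    """First parser (S330): (ethertype, payload), or None if too short for Ethernet."""
    return None if len(frame) < 14 else (struct.unpack("!H", frame[12:14])[0], frame[14:])

def parse_ipv4(pkt):
    """Second parser (S340): addresses, protocol and payload, or None if not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    return {"src": src, "dst": dst, "proto": pkt[9], "payload": pkt[ihl:total]}

def parse_transport(proto, seg):
    """Third parser (S350): TCP (with handshake type, claim 7) or UDP, else None."""
    if proto == 6 and len(seg) >= 20:
        sport, dport = struct.unpack("!HH", seg[:4])
        flags, payload = seg[13], seg[(seg[12] >> 4) * 4:]
        hs = ("SYN-ACK" if flags & 0x12 == 0x12 else "SYN" if flags & 0x02
              else "ACK" if flags & 0x10 and not payload else None)
        return {"l4": "TCP", "sport": sport, "dport": dport, "handshake": hs, "payload": payload}
    if proto == 17 and len(seg) >= 8:
        sport, dport = struct.unpack("!HH", seg[:4])
        return {"l4": "UDP", "sport": sport, "dport": dport, "handshake": None, "payload": seg[8:]}
    return None

def tls_sni(rec):
    """Walk a TLS ClientHello to the server_name extension (type 0); None if absent/malformed."""
    try:
        i = 5 + 4 + 2 + 32                              # record hdr, handshake hdr, version, random
        i += 1 + rec[i]                                 # session id
        i += 2 + struct.unpack("!H", rec[i:i + 2])[0]   # cipher suites
        i += 1 + rec[i]                                 # compression methods
        i, end = i + 2, i + 2 + struct.unpack("!H", rec[i:i + 2])[0]   # extensions block
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", rec[i:i + 4])
            i += 4
            if etype == 0:                              # data: list len(2) type(1) len(2) name
                nlen = struct.unpack("!H", rec[i + 3:i + 5])[0]
                return rec[i + 5:i + 5 + nlen].decode("ascii")
            i += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def parse_application(l4):
    """Fourth parser (S360): application type plus the name used for the tag (claim 8)."""
    p = l4["payload"]
    if l4["l4"] == "TCP" and p[:4] in (b"GET ", b"POST"):
        hosts = [ln[5:].strip() for ln in p.split(b"\r\n") if ln.lower().startswith(b"host:")]
        return "HTTP", hosts[0].decode("ascii", "replace") if hosts else None
    if l4["l4"] == "TCP" and p[:3] == b"\x16\x03\x01" and p[5:6] == b"\x01":
        return "TLS", tls_sni(p)
    return "UNKNOWN", None

class Classifier:
    def __init__(self):
        self.tag_table = {}   # the tag look-up table of S380, keyed by 5-tuple

    def classify(self, frame):
        """Run the parsers in order; a failed stage ends the method (S390) with None."""
        eth = parse_ethernet(frame)
        if eth is None or eth[0] != 0x0800:
            return None
        ip = parse_ipv4(eth[1])
        if ip is None:
            return None
        l4 = parse_transport(ip["proto"], ip["payload"])
        if l4 is None:
            return None
        app, name = parse_application(l4)
        entry = {"tag": f"{app}:{name or 'unknown'}",   # S370: tag from the application type
                 "direction": "to-LAN" if ip["dst"].startswith(LAN_PREFIX) else "to-WAN",
                 "handshake": l4["handshake"]}
        self.tag_table[(ip["src"], ip["dst"], l4["l4"], l4["sport"], l4["dport"])] = entry
        return entry

# Constructed test frames (checksums left zero; a real NIC would drop them).
def build_frame(src, dst, proto, l4_hdr, payload=b""):
    seg = l4_hdr + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + seg      # zero MACs, EtherType IPv4

def tcp_hdr(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)

def client_hello(host):
    name = host.encode()                               # minimal TLS 1.2 ClientHello with one SNI
    sni = b"\x00" + struct.pack("!H", len(name)) + name
    ext = struct.pack("!HHH", 0, len(sni) + 2, len(sni)) + sni
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feeding `Classifier().classify(frame)` an ARP frame, a bare TCP SYN, an HTTP request and a TLS ClientHello shows the three early exits and the two tagged outcomes; a truncated ClientHello falls back to the `TLS:unknown` tag rather than raising, which is the behaviour a classifier sitting in the forwarding path needs.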
Priority Applications (1)

Application Number Priority Date Filing Date Title
TW108114194A TWI685231B (en) 2019-04-23 2019-04-23 Packet classification method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW108114194A TWI685231B (en) 2019-04-23 2019-04-23 Packet classification method

Publications (2)

Publication Number Publication Date
TWI685231B true TWI685231B (en) 2020-02-11
TW202040969A TW202040969A (en) 2020-11-01

Family

ID=70413591

Family Applications (1)

Application Number Title Priority Date Filing Date
TW108114194A TWI685231B (en) 2019-04-23 2019-04-23 Packet classification method

Country Status (1)

Country Link
TW (1) TWI685231B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI765428B (en) * 2020-11-24 2022-05-21 啟碁科技股份有限公司 Quality of service adjusting method based on application categories and system thereof

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040010612A1 (en) * 2002-06-11 2004-01-15 Pandya Ashish A. High performance IP processor using RDMA
US20060002386A1 (en) * 2004-06-30 2006-01-05 Zarlink Semiconductor Inc. Combined pipelined classification and address search method and apparatus for switching environments
US7188168B1 (en) * 1999-04-30 2007-03-06 Pmc-Sierra, Inc. Method and apparatus for grammatical packet classifier
WO2012021723A2 (en) * 2010-08-12 2012-02-16 Steve Jackowski Systems and methods for quality of service of encrypted network traffic
TW201246867A (en) * 2011-05-06 2012-11-16 Ralink Technology Corp Packet processing accelerator and method thereof

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7188168B1 (en) * 1999-04-30 2007-03-06 Pmc-Sierra, Inc. Method and apparatus for grammatical packet classifier
US20040010612A1 (en) * 2002-06-11 2004-01-15 Pandya Ashish A. High performance IP processor using RDMA
US20060002386A1 (en) * 2004-06-30 2006-01-05 Zarlink Semiconductor Inc. Combined pipelined classification and address search method and apparatus for switching environments
WO2012021723A2 (en) * 2010-08-12 2012-02-16 Steve Jackowski Systems and methods for quality of service of encrypted network traffic
CN103384991A (en) * 2010-08-12 2013-11-06 思杰系统有限公司 Systems and methods for quality of service of encrypted network traffic
TW201246867A (en) * 2011-05-06 2012-11-16 Ralink Technology Corp Packet processing accelerator and method thereof

Also Published As

Publication number Publication date
TW202040969A (en) 2020-11-01
