WO2014187238A1 - Application type identification method and network device - Google Patents

Info

Publication number
WO2014187238A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
information
application
address
address information
Prior art date
Application number
PCT/CN2014/076914
Other languages
French (fr)
Chinese (zh)
Inventor
陈浩
都林
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2014187238A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/026 Capturing of monitoring data using flow identification
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/028 Capturing of monitoring data by filtering

Definitions

  • DPI Deep Packet Inspection
  • IP Internet Protocol
  • an IP packet usually consists of an IP quintuple and application layer data.
  • the network device can detect and analyze the source IP address, destination IP address, source port number, destination port number, and transport layer protocol in the quintuple, and can analyze the application layer data of the IP packet to identify the specific application of the IP packet.
  • the application type identification method and the network device are provided in the embodiment of the present invention to solve the problem that the application layer protocol type identification efficiency in the prior art is not high.
  • an application type identification method includes:
  • before the extracting of the first server address information from the first data packet of the received data stream, the method further includes:
  • the server application information is saved to a server information database.
  • the obtaining, by using the data packet of the different data streams, the server application information includes:
  • the TCP data packet is identified as a WEB application for accessing the network WEB server.
  • HTTP hypertext transfer protocol
  • the URL address is analyzed to obtain an application type of the WEB server corresponding to the URL address.
  • the method further includes:
  • the first server application information is obtained by identifying a subsequent packet of the data stream to which the first data packet belongs.
  • the first server address information is extracted from the first data packet of the received data stream, specifically: a destination Internet Protocol (IP) address and a destination port number of the first data packet are extracted from the quintuple information of the first data packet of the received data stream.
  • in a second aspect, a network device includes:
  • an extracting unit, configured to extract first server address information from a first data packet of the received data stream; a matching unit, configured to match the first server address information extracted by the extracting unit with server application information
  • the server application information stores a correspondence between the server address information and the application type; the identification unit is configured to: when the matching unit matches the first server address information from the server application information, identify the application type corresponding to the first server address information as the application type of the data stream.
  • the device further includes: an obtaining unit, configured to obtain the server application information by identifying the data packets of different data streams, and a saving unit, configured to save the server application information obtained by the obtaining unit to the server information database.
  • the obtaining unit includes:
  • a TCP data packet determining subunit configured to determine that a TCP data packet is received
  • a WEB application message identification subunit configured to: when the application layer protocol of the TCP data packet is HTTP and the TCP data packet includes the URL address, identify the TCP data packet as a WEB application packet that accesses the WEB server.
  • the address information obtaining sub-unit is configured to obtain the destination address of the TCP data packet as the server address information, and the application type analysis sub-unit, configured to analyze the URL address to obtain an application type of the WEB server corresponding to the URL address.
  • the obtaining unit is further configured to: when the matching unit does not match the first server address information from the server application information, obtain the first server application information by identifying a subsequent packet of the data stream to which the first data packet belongs;
  • the saving unit is further configured to save the first server application information obtained by the obtaining unit to the server information database.
  • the extracting unit is specifically configured to extract, from the quintuple information of the first data packet of the received data stream, a destination IP address and a destination port number of the first data packet.
  • in a third aspect, a network device includes: a bus, and a memory, a network interface, and a processor connected through the bus, where
  • the memory is configured to save server application information
  • the network interface is configured to receive a first data packet of a data stream
  • the processor is configured to extract first server address information from the first data packet, and match the first server address information with the server application information, where the server application information stores the correspondence between the server address information and the application type; and, when the first server address information is matched from the server application information, identify the application type corresponding to the first server address information as the application type of the data flow.
  • the processor is further configured to obtain server application information by identifying data packets of different data streams, and save the server application information to a server information database in the memory.
  • the processor is specifically configured to: determine that a TCP data packet is received; when the application layer protocol of the TCP data packet is HTTP and the TCP data packet includes the URL address, identify the TCP data packet as a WEB application packet that accesses the WEB server; and obtain the destination address of the TCP data packet as the server address information.
  • the processor is further configured to: when the first server address information is not matched from the server application information, obtain the first server application information by identifying a subsequent packet of the data stream to which the first data packet belongs, and save the first server application information to the server information database.
  • the processor is specifically configured to extract, from the quintuple information of the first data packet, a destination IP address and a destination port number of the first data packet.
  • the first server address information is extracted from the first data packet of the received data stream, and the first server address information is matched with the server application information; when the first server address information is matched from the server application information, the application type corresponding to the first server address information is identified as the application type of the data stream.
  • the server application information is established, so that when a data packet is received, no keyword extraction and rule matching are needed; instead, the server address information of the data packet is matched with the server application information, thereby quickly identifying the application type of the data stream to which the data packet belongs and improving application type identification efficiency.
  • FIG. 1A is a schematic diagram of an application scenario according to an embodiment of the present invention
  • FIG. 1B is a flowchart of an embodiment of an application type identification method according to the present invention
  • FIG. 2 is a flow chart of another embodiment of an application type identification method according to the present invention.
  • FIG. 3 is a flow chart of another embodiment of an application type identification method according to the present invention.
  • FIG. 4 is a block diagram of an embodiment of a network device of the present invention.
  • FIG. 5 is a block diagram of another embodiment of a network device of the present invention.
  • FIG. 6 is a block diagram of another embodiment of a network device of the present invention.
  • FIG. 1A is a schematic diagram of an application scenario according to an embodiment of the present invention:
  • the terminal accesses the network device through the network, and the network device is connected to the server.
  • the terminal can be specifically a personal computer or a mobile phone; the network device can be specifically a gateway device, a routing device, a firewall device, etc.; the server can be specifically a WEB application server.
  • the network device can save the correspondence between the server address information and the application type through the database.
  • when a data stream is sent to the network device, the network device can match the server address information in the packets of the data stream against the database and directly identify the application type of the data stream, that is, obtain the application type of the application on the server to be accessed by the data stream.
  • FIG. 1B is a flowchart of an embodiment of an application type identification method according to the present invention.
  • the embodiment describes a process of identifying a data packet application from a network device side:
  • Step 101 Extract the first server address information from the first data packet of the received data stream.
  • each data packet of the data stream carries five-tuple information, where the quintuple information includes a source IP address, a destination IP address, a source port number, a destination port number, and a transport layer protocol, and the transport layer protocol mainly includes Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
  • TCP Transmission Control Protocol
  • UDP User Datagram Protocol
  • the network device that receives the data packet may specifically refer to a gateway device, a routing device, a firewall device, and the like.
  • the network device may extract the destination IP address and the destination port number of the first data packet from the received quintuple information of the first data packet, and use the extracted information as the first server address information.
  • the first data packet of the data stream in this embodiment may be the first packet of the data stream, or may be any other data packet of the data stream besides the first packet.
  • Step 102 Match the first server address information with the server application information, where the server application information stores the correspondence between the server address information and the application type.
  • the server application information may be information obtained by the network device after identifying the data packets that access different WEB servers before identifying the first data packet.
  • the server application information stores the correspondence between the server address information and the application type.
  • the server address information may include the IP address and port number of the WEB server, and the application type mainly refers to the types of applications that the WEB server can provide, for example, video application, social application, Peer to Peer (P2P) service application, etc.
  • P2P Peer to Peer
  • Step 103 When the first server address information is matched from the server application information, the application type corresponding to the first server address information is identified as the application type of the data stream to which the first data packet belongs.
  • since the server application information stores the correspondence between the server address information and the application type, when the first server address information of the first data packet is found in the server application information, the application type corresponding to the first server address information can be directly identified as the application type of the data stream to which the first data packet belongs.
  • the server application information is established in this embodiment, so that when a data packet is received, no keyword extraction and rule matching are needed; instead, the server address information of the data packet is matched with the server application information, thereby quickly identifying the application type of the data stream to which the data packet belongs and improving application type identification efficiency.
  • FIG. 2 is a flowchart of another embodiment of an application type identification method according to the present invention.
  • the embodiment describes in detail a process of establishing server application information before performing application type identification on a data packet:
  • Step 201 Determine that a TCP data packet is received.
  • each data packet carries quintuple information; the quintuple information includes a source IP address, a destination IP address, a source port number, a destination port number, and a transport layer protocol, and the transport layer protocol mainly includes TCP and UDP.
  • the network device that receives the data packet may specifically refer to a gateway device, a routing device, a firewall device, and the like.
  • the network device may determine whether to receive the TCP data packet according to the transport layer protocol in the quintuple information of the data packet.
  • Step 202 Determine whether the TCP data packet is a WEB application packet, and if yes, execute step 203; otherwise, end the current process.
  • after the network device identifies the TCP data packet, it further identifies whether the TCP data packet is a WEB application packet.
  • the condition for identifying the WEB application packet may include: the application layer protocol of the TCP data packet is the Hypertext Transfer Protocol (HTTP), and the TCP data packet includes a Uniform Resource Locator (URL).
  • HTTP Hypertext Transfer Protocol
  • URL Uniform Resource Locator
  • Step 203 Obtain a destination address of the TCP data packet as server address information.
  • the destination device to be accessed by the TCP data packet is a WEB server; the network device extracts the destination IP address and the destination port number from the quintuple information of the TCP data packet, and the destination IP address and the destination port number are the server address information of the WEB server.
  • Step 204 Analyze the URL address of the TCP data packet to obtain the application type of the WEB server corresponding to the URL address.
  • the URL address is the webpage address; the URL address of the TCP data packet reflects the webpage address of the application on the WEB server to be accessed by the TCP data packet.
  • the application type of the WEB server can be obtained by analyzing the webpage address, and the application type can include video applications, social applications, peer-to-peer applications, and more. For example, if the URL address of the TCP data packet is "www.tv. ***.com", then by analyzing the keyword "tv" contained in the URL address, it can be determined that the application type of the application on the WEB server to be accessed by the TCP data packet is a video application.
  • a WEB server has an IP address; a WEB server may have more than one application, and each application may correspond to a port number, that is, an IP address and a port number may correspond to a WEB server.
  • Step 205 Save the correspondence between the server address information and the application type as the server application information to the server information database, and end the current process.
  • FIG. 3 is a flowchart of another embodiment of an application type identification method according to the present invention.
  • the embodiment identifies the application of the received data packet based on the server application information saved in the embodiment shown in FIG. 2:
  • Step 301: The network device receives the first data packet of the data stream.
  • the network device that receives the data packet may specifically refer to a gateway device, a routing device, a firewall device, and the like.
  • the first data packet of the data stream may be the first packet of the data stream.
  • Step 302 Extract the destination IP address and the destination port number from the quintuple information of the first data packet.
  • each data packet carries quintuple information; the quintuple information includes a source IP address, a destination IP address, a source port number, a destination port number, and a transport layer protocol, and the transport layer protocol mainly includes TCP and UDP.
  • the network device may extract the destination IP address and the destination port number of the first data packet from the quintuple information of the first data packet, and use the extracted information as the first server address information of the first data packet.
  • Step 303 Match the destination IP address and the destination port number with the server application information saved in the server information database.
  • in the server application information of the server information database, the correspondence between the server address information and the application type is saved.
  • the destination IP address and the destination port number of the first data packet extracted in step 302 are matched with the saved server application information, so as to determine whether the destination IP address and the destination port number can be found in the server address information of the server application information.
  • Step 304 Determine whether the destination IP address and the destination port number are matched from the server application information. If yes, go to step 305; otherwise, go to step 306.
  • Step 305 Identify the application type corresponding to the destination IP address and the destination port number as the application type of the data stream to which the first data packet belongs, and end the current process.
  • the application type corresponding to the destination IP address and the destination port number is directly identified as the application type of the data stream to which the first data packet belongs.
  • Step 306 Determine whether the subsequent packet of the data stream to which the first data packet belongs is a WEB application packet, and if yes, execute step 307; otherwise, end the current process.
  • the data stream to which the first data packet belongs is a data stream that is not recognized by the network device; when the network device receives a subsequent packet of the data stream, it determines whether the subsequent packet is a WEB application packet, so as to further identify the application of the data stream.
  • the condition for identifying the WEB application packet may include: when the application layer protocol of the TCP data packet is HTTP, and the TCP data packet includes the URL address, the TCP data packet may be identified as a WEB application packet that accesses the WEB server.
  • Step 307 Analyze the application type of the WEB server corresponding to the URL address included in the subsequent packet.
  • the destination device of the data stream to which the first data packet belongs is a WEB server, and the destination IP address and the destination port number of the subsequent packet are the server address information of the WEB server; and, by analyzing the URL, an application type of the WEB server may be obtained, and the application type may include a video application, a social application, a peer-to-peer service application, and the like.
  • the data stream to which the first data packet belongs is used as a new data stream to identify the application type, and the recognition result is saved, and the specific process is not described again.
  • the network device may identify the application of the data stream to which the first data packet belongs according to the identification method in the prior art, which is not described in this embodiment.
  • Step 308 Save the correspondence between the destination IP address and the destination port number of the subsequent packet and the application type as the server application information to the server information database, and end the current process.
  • when the network device subsequently receives a data stream of the same application as the data stream to which the first data packet belongs, the network device can quickly identify the application type of that data stream by searching the server information database.
  • the server application information is established in this embodiment, so that when a data packet is received, no keyword extraction and rule matching are needed; instead, the server address information of the data packet is matched with the server application information, thereby quickly identifying the application type of the data stream to which the data packet belongs and improving application type identification efficiency.
  • the present invention also provides an embodiment of a network device that performs the application type identifying method.
  • FIG. 4 is a block diagram of an embodiment of a network device according to the present invention:
  • the network device includes: an extracting unit 410, a matching unit 420, and an identifying unit 430.
  • the extracting unit 410 is configured to extract first server address information from the first data packet of the received data stream;
  • the matching unit 420 is configured to match the first server address information extracted by the extracting unit 410 with server application information, where the server application information stores the correspondence between the server address information and the application type;
  • the identifying unit 430 is configured to identify, when the matching unit 420 matches the first server address information from the server application information, an application type corresponding to the first server address information as the application type of the data stream.
  • the extracting unit 410 is specifically configured to extract, from the quintuple information of the received first data packet, a destination IP address and a destination port number of the first data packet.
  • FIG. 5 is a block diagram of another embodiment of a network device according to the present invention:
  • the network device includes: an obtaining unit 510, a saving unit 520, an extracting unit 530, a matching unit 540, and an identifying unit 550.
  • the obtaining unit 510 is configured to obtain the server application information by identifying data packets of different data streams.
  • the saving unit 520 is configured to save the server application information obtained by the obtaining unit 510 to a server information database;
  • the extracting unit 530 is configured to extract first server address information from the first data packet of the received data stream
  • the matching unit 540 is configured to match the first server address information extracted by the extracting unit 530 with the server application information, where the server application information stores a correspondence between the server address information and the application type.
  • the identifying unit 550 is configured to identify, when the matching unit 540 matches the first server address information from the server application information, an application type corresponding to the first server address information as the first data.
  • the obtaining unit 510 may include (not shown in FIG. 5): a TCP data packet determining subunit, configured to determine that a TCP data packet is received; a WEB application packet identifying subunit, configured to, when the application layer protocol of the TCP data packet is HTTP and the TCP data packet includes the URL address, identify the TCP data packet as a WEB application packet that accesses the WEB server; an address information obtaining subunit, configured to obtain the destination address of the TCP data packet as server address information; and an application type analysis subunit, configured to analyze the URL address to obtain an application type of the WEB server corresponding to the URL address.
  • the obtaining unit 510 may be further configured to: when the matching unit does not match the first server address information from the server application information, obtain the first server application information by identifying a subsequent packet of the data stream to which the first data packet belongs;
  • the saving unit 520 is further configured to save the first server application information obtained by the obtaining unit 510 to the server information database.
  • the extracting unit 530 may be specifically configured to extract a destination IP address and a destination port number of the first data packet from the quintuple information of the first data packet of the received data stream.
  • FIG. 6 is a block diagram of another embodiment of a network device according to the present invention:
  • the network device includes: a bus 610, and a memory 620, a network interface 630, and a processor 640 connected by the bus 610.
  • the memory 620 is configured to save server application information.
  • the network interface 630 is configured to receive a first data packet of the data stream.
  • the processor 640 is configured to extract first server address information from the first data packet, and match the first server address information with the server application information, where the server application information stores the correspondence between the server address information and the application type; and, when the first server address information is matched from the server application information, identify an application type corresponding to the first server address information as the application type of the data flow.
  • the processor 640 is further configured to: obtain server application information by identifying data packets of different data streams, and save the server application information to a server information database in the memory.
  • the processor 640 may be specifically configured to: determine that a TCP data packet is received; when the application layer protocol of the TCP data packet is HTTP and the TCP data packet includes a URL address, identify the TCP data packet as a WEB application packet that accesses the WEB server; obtain a destination address of the TCP data packet as server address information; and analyze the URL address to obtain an application type of the WEB server corresponding to the URL address.
  • the processor 640 is further configured to: when the first server address information is not matched from the server application information, obtain the first server application information by identifying a subsequent packet of the data stream to which the first data packet belongs, and save the first server application information to the server information database.
  • the processor 640 is specifically configured to extract a destination IP address and a destination port number of the first data packet from the quintuple information of the first data packet.
  • the first server address information is extracted from the first data packet of the received data stream, and the first server address information is matched with the server application information; when the first server address information is matched from the server application information, the application type corresponding to the first server address information is identified as the application type of the data stream to which the first data packet belongs.
  • the server application information is established, so that when a data packet is received, no keyword extraction and rule matching are needed; instead, the server address information of the data packet is matched with the server application information, thereby quickly identifying the application type of the data stream to which the data packet belongs and improving application type identification efficiency.
  • the technology in the embodiments of the present invention can be implemented by means of software plus a necessary general hardware platform.
  • the technical solution in the embodiments of the present invention may be embodied in the form of a software product, and the computer software product may be stored in a storage medium, such as a ROM/RAM, a diskette, an optical disk, etc., comprising instructions for causing a computer device (which may be a personal computer, server, or network device, etc.) to perform the methods described in various embodiments of the present invention or in certain portions of the embodiments.

Abstract

Disclosed in an embodiment of the present invention are an application type identification method and network device, the method comprising: extracting the first server address information from the first data packet of a received data stream; matching the first server address information with server application information, the server application information storing a corresponding relationship between the server address information and an application type therein; and when the first server address information is matched in the server application information, identifying the application type corresponding to the first server address information as the application type of the data stream. The embodiment of the present invention establishes server application information, so that upon receipt of a data packet, the server address information of the data packet is matched with the server application information, without keyword extraction or rule matching, thus quickly identifying the application type of a data stream of the data packet, and improving the efficiency of identifying the application type of a packet.
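
The lookup-then-learn flow of steps 301 to 308 described above, as an added Python example that is not code from the patent or its applicant. The class and function names, the keyword table beyond the page's "tv" example, and the sample packets (documentation-range addresses, the host www.tv.example.com) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical keyword table. The page names only "tv" -> video; the other
# entries are assumptions added so the example has more than one class.
URL_KEYWORDS = {"tv": "video", "sns": "social", "p2p": "p2p"}


@dataclass(frozen=True)
class Packet:
    """The five-tuple plus application-layer payload of one packet."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str            # "TCP" or "UDP"
    payload: bytes = b""


def extract_url(payload: bytes) -> Optional[str]:
    """Return host + path when the payload is an HTTP request, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    request = lines[0].split(" ")
    if len(request) != 3 or not request[2].startswith("HTTP/"):
        return None       # not an HTTP request line (e.g. SYN, TLS, a response)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host" and value.strip():
            return value.strip().lower() + request[1]
    return None


def analyze_url(url: str) -> Optional[str]:
    """Steps 204/307: derive the application type from keywords in the URL host."""
    host = url.split("/", 1)[0].split(":", 1)[0]
    for label in host.split("."):
        if label in URL_KEYWORDS:
            return URL_KEYWORDS[label]
    return None


class ServerInfoDB:
    """Maps (destination IP, destination port) to an application type."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, int], str] = {}

    def classify(self, pkt: Packet) -> Tuple[Optional[str], str]:
        """Return (application type, how): how is 'cache', 'learned' or 'unknown'."""
        key = (pkt.dst_ip, pkt.dst_port)          # step 302
        cached = self._entries.get(key)           # steps 303-304
        if cached is not None:
            return cached, "cache"                # step 305: payload never parsed
        if pkt.proto != "TCP":                    # step 201: only TCP is inspected
            return None, "unknown"
        url = extract_url(pkt.payload)            # step 306
        app = analyze_url(url) if url else None   # step 307
        if app is None:
            return None, "unknown"
        self._entries[key] = app                  # step 308
        return app, "learned"

    def __len__(self) -> int:
        return len(self._entries)


def demo() -> list:
    """Run constructed packets through the classifier and return the verdicts."""
    db = ServerInfoDB()
    server = "203.0.113.10"
    get_tv = b"GET /live HTTP/1.1\r\nHost: www.tv.example.com\r\n\r\n"
    get_sns = b"GET /feed HTTP/1.1\r\nHost: sns.example.com\r\n\r\n"
    packets = [
        Packet("10.0.0.5", server, 40000, 80, "TCP"),            # SYN, no payload
        Packet("10.0.0.5", server, 40000, 80, "TCP", get_tv),    # learns video
        Packet("10.0.0.9", server, 51000, 80, "TCP"),            # new flow, first packet
        Packet("10.0.0.9", server, 51001, 8080, "TCP"),          # other port: no entry
        Packet("10.0.0.9", server, 51002, 80, "TCP", get_sns),   # same address, other host
        Packet("10.0.0.9", "198.51.100.7", 51003, 80, "UDP", get_tv),
    ]
    return [db.classify(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fifth packet shows the trade-off of keying on address alone: a request for a different host on the same IP address and port inherits the cached type, because a cache hit returns before the payload is inspected.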

Description

Application type identification method and network device

This application claims priority to Chinese Patent Application No. 201310198561.2, filed with the Chinese Patent Office on May 24, 2013 and entitled "Application type identification method and network device", which is incorporated herein by reference in its entirety.

Technical field

The present invention relates to the field of network communication technologies, and in particular to an application type identification method and a network device.

Background

Deep packet inspection (DPI) is an application-layer traffic detection and control technology. A network device can use DPI to perform protocol identification on Internet Protocol (IP) packets. An IP packet usually consists of an IP 5-tuple and application-layer data. The network device can detect and analyze the source IP address, destination IP address, source port number, destination port number, and transport layer protocol in the 5-tuple, and can also analyze the application-layer data of the IP packet, thereby identifying the specific application of the IP packet.

In the prior art, identifying the application of a packet requires extracting keyword information from the packet's application-layer data, matching that keyword information against the rules in a rule database, and identifying the application of the packet according to the matching result. However, because the rule database records a large number of rules and a matching algorithm must be run during keyword matching, processing is slow and consumes a large amount of processing resources, so application type identification is inefficient.

Summary of the invention
Embodiments of the present invention provide an application type identification method and a network device, to solve the problem in the prior art that application layer protocol type identification is inefficient.

To solve the above technical problem, the embodiments of the present invention disclose the following technical solutions.

According to a first aspect, an application type identification method is provided, the method including:

extracting first server address information from a first data packet of a received data stream;

matching the first server address information against server application information, where the server application information stores a correspondence between server address information and application types; and

when the first server address information is matched in the server application information, identifying the application type corresponding to the first server address information as the application type of the data stream.

With reference to the first aspect, in a first possible implementation of the first aspect, before the extracting of the first server address information from the first data packet of the received data stream, the method further includes:

obtaining the server application information by identifying data packets of different data streams; and

saving the server application information to a server information database.

With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the obtaining of the server application information by identifying data packets of different data streams includes:

determining that a Transmission Control Protocol (TCP) data packet is received;

when the application layer protocol of the TCP data packet is the Hypertext Transfer Protocol (HTTP) and the TCP data packet contains a uniform resource locator (URL) address, identifying the TCP data packet as a WEB application packet that accesses a WEB server;

obtaining the destination address of the TCP data packet as server address information; and

analyzing the URL address to obtain the application type of the WEB server corresponding to the URL address.

With reference to the first possible implementation of the first aspect, or the second possible implementation of the first aspect, in a third possible implementation of the first aspect, the method further includes:

when the first server address information is not matched in the server application information, obtaining first server application information by identifying subsequent packets of the data stream to which the first data packet belongs; and

saving the first server application information to the server information database.

With reference to the first aspect, or the first, second, or third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the extracting of the first server address information from the first data packet of the received data stream is specifically: extracting the destination Internet Protocol (IP) address and the destination port number of the first data packet from the 5-tuple information of the first data packet of the received data stream.
According to a second aspect, a network device is provided, the network device including:

an extracting unit, configured to extract first server address information from a first data packet of a received data stream;

a matching unit, configured to match the first server address information extracted by the extracting unit against server application information, where the server application information stores a correspondence between server address information and application types; and

an identifying unit, configured to, when the matching unit matches the first server address information in the server application information, identify the application type corresponding to the first server address information as the application type of the data stream.

With reference to the second aspect, in a first possible implementation of the second aspect, the device further includes:

an obtaining unit, configured to obtain the server application information by identifying data packets of different data streams; and

a saving unit, configured to save the server application information obtained by the obtaining unit to a server information database.

With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the obtaining unit includes:

a TCP data packet determining subunit, configured to determine that a TCP data packet is received;

a WEB application packet identifying subunit, configured to, when the application layer protocol of the TCP data packet is HTTP and the TCP data packet contains a URL address, identify the TCP data packet as a WEB application packet that accesses a WEB server;

an address information obtaining subunit, configured to obtain the destination address of the TCP data packet as server address information; and

an application type analysis subunit, configured to analyze the URL address to obtain the application type of the WEB server corresponding to the URL address.

With reference to the first possible implementation of the second aspect, or the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the obtaining unit is further configured to, when the matching unit does not match the first server address information in the server application information, obtain first server application information by identifying subsequent packets of the data stream to which the first data packet belongs; and

the saving unit is further configured to save the first server application information obtained by the obtaining unit to the server information database.

With reference to the second aspect, or the first, second, or third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the extracting unit is specifically configured to extract the destination IP address and the destination port number of the first data packet from the 5-tuple information of the first data packet of the received data stream.
According to a third aspect, a network device is provided, the network device including: a bus, and a memory, a network interface, and a processor connected through the bus, where:

the memory is configured to store server application information;

the network interface is configured to receive a first data packet of a data stream; and

the processor is configured to extract first server address information from the first data packet, match the first server address information against the server application information, where the server application information stores a correspondence between server address information and application types, and, when the first server address information is matched in the server application information, identify the application type corresponding to the first server address information as the application type of the data stream.

With reference to the third aspect, in a first possible implementation of the third aspect, the processor is further configured to obtain server application information by identifying data packets of different data streams, and to save the server application information to a server information database in the memory.

With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the processor is specifically configured to determine that a TCP data packet is received; when the application layer protocol of the TCP data packet is HTTP and the TCP data packet contains a URL address, identify the TCP data packet as a WEB application packet that accesses a WEB server; obtain the destination address of the TCP data packet as server address information; and analyze the URL address to obtain the application type of the WEB server corresponding to the URL address.

With reference to the first possible implementation of the third aspect, or the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the processor is further configured to, when the first server address information is not matched in the server application information, obtain first server application information by identifying subsequent packets of the data stream to which the first data packet belongs, and save the first server application information to the server information database.

With reference to the third aspect, or the first, second, or third possible implementation of the third aspect, in a fourth possible implementation of the third aspect, the processor is specifically configured to extract the destination IP address and the destination port number of the first data packet from the 5-tuple information of the first data packet.
In the embodiments of the present invention, first server address information is extracted from a first data packet of a received data stream and matched against server application information; when the first server address information is matched in the server application information, the application type corresponding to the first server address information is identified as the application type of the data stream. Because server application information is established in advance, no keyword extraction or rule matching is needed when a data packet is received. Instead, the server address information of the data packet is matched against the server application information, so the application type of the data stream to which the data packet belongs is identified quickly, which improves the efficiency of application type identification for packets.

Brief description of the drawings

To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Evidently, a person of ordinary skill in the art can derive other drawings from these drawings without creative effort.

FIG. 1A is a schematic diagram of an application scenario according to an embodiment of the present invention;

FIG. 1B is a flowchart of one embodiment of the application type identification method of the present invention;

FIG. 2 is a flowchart of another embodiment of the application type identification method of the present invention;

FIG. 3 is a flowchart of another embodiment of the application type identification method of the present invention;

FIG. 4 is a block diagram of one embodiment of the network device of the present invention;

FIG. 5 is a block diagram of another embodiment of the network device of the present invention;

FIG. 6 is a block diagram of another embodiment of the network device of the present invention.

Detailed description

To help a person skilled in the art better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features, and advantages of the embodiments clearer, the technical solutions in the embodiments are described in further detail below with reference to the drawings.
FIG. 1A is a schematic diagram of an application scenario according to an embodiment of the present invention.

In FIG. 1A, a terminal accesses a network device through a network, and the network device is connected to a server. The terminal may specifically be a personal computer, a mobile phone, or the like; the network device may specifically be a gateway device, a routing device, a firewall device, or the like; the server may specifically be a WEB application server. In this embodiment, the network device can use a database to store the correspondence between server address information and application types. When the terminal needs to access an application on the server, it sends a data stream to the network device. The network device can match the server address information in a packet of the data stream against the database and directly identify the application type of the data stream, that is, the type of the application on the server that the data stream is to access.

FIG. 1B is a flowchart of one embodiment of the application type identification method of the present invention. This embodiment describes, from the network device side, the process of identifying the application of a data packet.

Step 101: Extract first server address information from a first data packet of a received data stream.

In this embodiment, every data packet of the data stream carries 5-tuple information. The 5-tuple information includes the source IP address, destination IP address, source port number, destination port number, and transport layer protocol; the transport layer protocols are mainly the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). In this embodiment, the network device that receives the data packet may specifically be a gateway device, a routing device, a firewall device, or the like.

The network device can extract the destination IP address and the destination port number of the first data packet from the 5-tuple information of the received first data packet, and use the extracted information as the first server address information. In this embodiment, the first data packet of the data stream may be the first packet of the data stream, or may be any other data packet belonging to the data stream.

Step 102: Match the first server address information against server application information, where the server application information stores a correspondence between server address information and application types.

In this embodiment of the present invention, the server application information may be information that the network device obtained, before identifying the first data packet, by identifying multiple data packets that access different WEB servers. The server application information stores the correspondence between server address information and application types. The server address information may include the IP address and port number of a WEB server. The application type mainly refers to the kind of application that the WEB server can provide, for example, a video application, a social application, or a peer-to-peer (P2P) service application. By establishing server application information, this embodiment can quickly match and identify the application type of the data stream to which a WEB application packet accessing a WEB server belongs.

Step 103: When the first server address information is matched in the server application information, identify the application type corresponding to the first server address information as the application type of the data stream to which the first data packet belongs.

In this embodiment, because the server application information stores the correspondence between server address information and application types, when the first server address information of the first data packet is found in the server application information, the application type corresponding to that first server address information can be directly identified as the application type of the data stream to which the first data packet belongs.

As can be seen from the above embodiment, server application information is established so that, when a data packet is received, no keyword extraction or rule matching is needed. Instead, the server address information of the data packet is matched against the server application information, so the application type of the data stream to which the data packet belongs is identified quickly, which improves the efficiency of application type identification for packets.
FIG. 2 is a flowchart of another embodiment of the application type identification method of the present invention. This embodiment describes in detail the process of establishing the server application information before application type identification is performed on data packets.

Step 201: Determine that a TCP data packet is received.

In this embodiment, every data packet carries 5-tuple information. The 5-tuple information includes the source IP address, destination IP address, source port number, destination port number, and transport layer protocol; the transport layer protocols are mainly TCP and UDP. In this embodiment, the network device that receives the data packet may specifically be a gateway device, a routing device, a firewall device, or the like. On receiving each data packet, the network device can determine, from the transport layer protocol in the packet's 5-tuple information, whether a TCP data packet has been received. In this embodiment, because the first packet of a data stream generally contains no application data, the TCP data packet that is determined to have been received when the application of the data stream is identified is usually a packet that follows the first packet of the data stream.

Step 202: Determine whether the TCP data packet is a WEB application packet. If so, perform step 203; otherwise, end the current process.

After the network device identifies a TCP data packet, it further identifies whether the TCP data packet is a WEB application packet. The condition for identifying a WEB application packet may be: when the application layer protocol of the TCP data packet is the Hypertext Transfer Protocol (HTTP) and the TCP data packet contains a uniform resource locator (URL) address, the TCP data packet can be identified as a WEB application packet that accesses a WEB server.

Step 203: Obtain the destination address of the TCP data packet as server address information.

When the TCP data packet is identified as a WEB application packet, the destination device that the TCP data packet is to access is a WEB server. The network device then extracts the destination IP address and destination port number from the 5-tuple information of the TCP data packet; this destination IP address and destination port number are the server address information of the WEB server.

Step 204: Analyze the URL address of the TCP data packet to obtain the application type of the WEB server corresponding to the URL address.

The URL address is a web page address. The URL address of the TCP data packet reflects the address of the web page where the application on the WEB server that the packet is to access is located. The application type of the WEB server can be obtained by analyzing this web page address; application types may include video applications, social applications, peer-to-peer service applications, and so on. For example, if the URL address of the TCP data packet is "www.tv.***.com", then by analyzing the keyword "tv" contained in the URL address, it can be determined that the application on the WEB server that the TCP data packet is to access is a video application. In this embodiment, one WEB server has one IP address, and a WEB server may host more than one kind of application, each of which may correspond to one port number. That is, one IP address and one port number can correspond to one kind of application on one WEB server.

Step 205: Save the correspondence between the server address information and the application type to the server information database as server application information, and end the current process.

The correspondence between the server address information of the WEB server obtained in step 203 and the application type of that WEB server is saved to the server information database. For data packets that subsequently access the same WEB server, the application type of the data stream to which the data packet belongs can be identified quickly by looking up the server information database.
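The lookup of steps 101 to 103 and the learning procedure of steps 201 to 205, as an added Python example that is not code from the patent. `Packet`, `ServerInfoDB`, `KEYWORD_TO_APP` and every keyword other than "tv" are hypothetical names and values. Marking an address as ambiguous when two observations disagree is also an assumption added here, for servers where one IP address and port do not map to a single application type.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Hypothetical keyword table; the patent itself only gives "tv" -> video.
KEYWORD_TO_APP = {"tv": "video", "video": "video", "sns": "social", "p2p": "p2p"}
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")

ServerAddr = Tuple[str, int]  # (destination IP, destination port)


@dataclass
class Packet:
    """Constructed stand-in for a parsed packet: 5-tuple plus transport payload."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "TCP" or "UDP"
    payload: bytes = b""


def extract_http_url(payload: bytes) -> Optional[str]:
    """Step 202: return host + path if the payload is an HTTP request, else None."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS:
        return None
    if not parts[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host" and value.strip():
            url = value.strip() + parts[1]
            return url.decode("ascii", errors="replace").lower()
    return None


def app_type_from_url(url: str) -> Optional[str]:
    """Step 204: look for a known keyword among the labels of the URL's host."""
    host = url.split("/", 1)[0].split(":", 1)[0]
    for label in host.split("."):
        if label in KEYWORD_TO_APP:
            return KEYWORD_TO_APP[label]
    return None


class ServerInfoDB:
    """Server information database: (dst IP, dst port) -> application type."""

    def __init__(self) -> None:
        self._apps: Dict[ServerAddr, str] = {}
        self._ambiguous: Set[ServerAddr] = set()

    def lookup(self, pkt: Packet) -> Optional[str]:
        """Steps 101-103: match the packet's server address, no payload parsing."""
        key = (pkt.dst_ip, pkt.dst_port)
        if key in self._ambiguous:
            return None
        return self._apps.get(key)

    def learn(self, pkt: Packet) -> Optional[str]:
        """Steps 201-205: classify a WEB application packet and cache the result."""
        if pkt.proto != "TCP":                      # step 201
            return None
        url = extract_http_url(pkt.payload)         # step 202
        if url is None:
            return None
        key = (pkt.dst_ip, pkt.dst_port)            # step 203
        app = app_type_from_url(url)                # step 204
        if app is None or key in self._ambiguous:
            return app
        known = self._apps.get(key)
        if known is not None and known != app:
            # Conflicting observations (assumption: e.g. shared hosting):
            # stop serving this address from the cache.
            self._ambiguous.add(key)
            del self._apps[key]
            return app
        self._apps[key] = app                       # step 205
        return app

    def classify(self, pkt: Packet) -> Optional[str]:
        """Fast path first; fall back to inspection when the address is unknown."""
        return self.lookup(pkt) or self.learn(pkt)


if __name__ == "__main__":
    db = ServerInfoDB()
    request = Packet("10.0.0.5", 40000, "203.0.113.10", 80, "TCP",
                     b"GET /watch HTTP/1.1\r\nHost: www.tv.example.com\r\n\r\n")
    print(db.classify(request))                                        # learned
    print(db.classify(Packet("10.0.0.9", 41000, "203.0.113.10", 80, "TCP")))  # cached
```

The cache answers for a payload-free first packet of a later flow only because an earlier HTTP request to the same address was inspected, so the accuracy of every fast-path hit depends on the one observation that created the entry.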
由上述实施例可见, 该实施例通过识别 TOB应用报文, 建立服务器应用信息, 以便网络设备对后续接收到的数据报文的 WEB应用进行快速识别, 从而可以提高报 文的应用类型识别效率。 参见图 3, 为本发明应用类型识别方法的另一个实施例流程图, 该实施例基于 图 2所示实施例保存的服务器应用信息, 对接收到的数据报文的应用进行识别: 步骤 301 : 网络设备接收数据流的第一数据报文。 As can be seen from the foregoing embodiment, the embodiment establishes the server application information by identifying the TOB application message, so that the network device can quickly identify the WEB application of the subsequently received data message, thereby improving the application type identification efficiency of the message. FIG. 3 is a flowchart of another embodiment of an application type identification method according to the present invention. The embodiment identifies the application of the received data packet based on the server application information saved in the embodiment shown in FIG. 2: Step 301: The network device receives the first data packet of the data stream.
In this embodiment, the network device that receives the data packet may be a gateway device, a routing device, a firewall device, or the like. Preferably, the first data packet of the data stream may be the first packet of that data stream.
Step 302: Extract the destination IP address and destination port number from the 5-tuple information of the first data packet.
In this embodiment, each data packet carries 5-tuple information, which consists of a source IP address, a destination IP address, a source port number, a destination port number and a transport layer protocol; the transport layer protocols are mainly TCP and UDP. The network device may extract the destination IP address and destination port number of the first data packet from its 5-tuple information and use the extracted information as the first server address information of the first data packet.
Step 303: Match the destination IP address and destination port number against the server application information stored in the server information database.
As described for the embodiment shown in Fig. 2, the server application information in the server information database stores the correspondence between server address information and application type. In this embodiment, the destination IP address and destination port number of the first data packet extracted in step 302 are matched against the stored server application information, in order to determine whether that destination IP address and destination port number can be found in the server address information of the server application information.
Step 304: Determine whether the destination IP address and destination port number were matched in the server application information. If so, perform step 305; otherwise, perform step 306.
Step 305: Identify the application type corresponding to the destination IP address and destination port number as the application type of the data stream to which the first data packet belongs, and end the current process.
When the destination IP address and destination port number of the first data packet are matched in the server application information, the application type corresponding to that destination IP address and destination port number is directly identified as the application type of the data stream to which the first data packet belongs.
Step 306: Determine whether a subsequent packet of the data stream to which the first data packet belongs is a WEB application packet. If so, perform step 307; otherwise, end the current process.
When the destination IP address and destination port number of the first data packet are not matched in the server application information, the data stream to which the first data packet belongs is one that the network device has not identified before. In that case, after receiving a subsequent packet of the data stream, the network device determines whether that subsequent packet is a WEB application packet, in order to further identify the application of the data stream. The condition for identifying a WEB application packet may include: when the application layer protocol of a TCP data packet is HTTP and the TCP data packet contains a URL address, the TCP data packet may be identified as a WEB application packet accessing a WEB server.
Step 307: Analyze the application type of the WEB server corresponding to the URL address contained in the subsequent packet.
When the subsequent packet is identified as a WEB application packet, the destination device that the data stream to which the first data packet belongs is accessing is a WEB server, and the destination IP address and destination port number of the subsequent packet are the server address information of that WEB server. In addition, the application type of the WEB server can be obtained by analyzing the URL; application types may include video applications, social applications, peer-to-peer service applications, and so on. For the identification of the subsequent packet in this step, see the description of the embodiment of Fig. 2: the data stream to which the first data packet belongs is treated as a new data stream for application type identification and the identification result is saved. The details are not repeated here.
When the subsequent packet is identified as not being a WEB application packet, the network device may identify the application of the data stream to which the first data packet belongs using identification methods of the prior art, which are not described further in this embodiment.
Step 308: Save the correspondence between the destination IP address and destination port number of the subsequent packet and the application type to the server information database as server application information, and end the current process.
The correspondence between the server address information of the WEB server obtained in step 307 and the application type of that WEB server is saved to the server information database. When the network device later receives a data packet of a data stream of the same application as the data stream to which the first data packet belongs, it can quickly identify the application type of that data stream by looking up the server information database.
As the above embodiment shows, server application information is established so that, when a data packet is received, no keyword extraction or rule matching is needed. Instead, the server address information of the data packet is matched against the server application information, which quickly identifies the application type of the data stream to which the data packet belongs and improves the efficiency of application type identification.
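The lookup-then-learn procedure of steps 302 to 308, as an added Python example; it is not code from the patent. The `HOST_RULES` table, the class and function names and the sample packets are assumptions made for illustration (the patent does not say how the URL is analyzed), and only client-to-server packets are modelled.

```python
import re
from collections import namedtuple

# 5-tuple plus payload; only client-to-server packets are modelled (assumption).
Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port proto payload")

# Assumed URL analysis: host suffix -> application type (constructed values).
HOST_RULES = {"video.example": "video", "social.example": "social"}

REQUEST_LINE = re.compile(
    rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def parse_web_packet(pkt):
    """Step 306: return (host, path) if the packet is TCP carrying an HTTP
    request with a URL, else None."""
    if pkt.proto != "TCP":
        return None
    m = REQUEST_LINE.match(pkt.payload)
    if m is None:
        return None
    path = m.group(1).decode("ascii", "replace")
    for line in pkt.payload.split(b"\r\n")[1:]:
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":")[0], path   # drop any :port suffix
    return None


def app_type_for_host(host):
    """Step 307: map the URL's host to an application type, or None."""
    for suffix, app in HOST_RULES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None


class FlowClassifier:
    def __init__(self):
        self.server_db = {}  # server information database: (ip, port) -> type
        self.flows = {}      # 5-tuple -> type, or None while unidentified

    def handle(self, pkt):
        """Return (application type or None, reason) for one packet."""
        key = pkt[:5]
        addr = (pkt.dst_ip, pkt.dst_port)            # step 302
        if key not in self.flows:                    # first packet of the flow
            app = self.server_db.get(addr)           # steps 303-304
            self.flows[key] = app
            return (app, "db-hit") if app else (None, "db-miss")  # step 305
        if self.flows[key] is not None:              # flow already identified
            return self.flows[key], "flow-state"
        web = parse_web_packet(pkt)                  # step 306
        if web is None:
            return None, "not-web"    # left to other identification methods
        app = app_type_for_host(web[0])              # step 307
        if app is None:
            return None, "unknown-url"
        self.server_db[addr] = app                   # step 308
        self.flows[key] = app
        return app, "learned"


def demo():
    """Run constructed packets through the classifier and return the results."""
    get = b"GET /watch?v=1 HTTP/1.1\r\nHost: cdn.video.example\r\n\r\n"
    a = ("198.51.100.7", "203.0.113.10", 40001, 80, "TCP")
    b = ("198.51.100.8", "203.0.113.10", 40002, 80, "TCP")
    c = FlowClassifier()
    return [
        c.handle(Packet(*a, b"")),   # first packet, server not yet known
        c.handle(Packet(*a, get)),   # subsequent HTTP request: learn mapping
        c.handle(Packet(*b, b"")),   # new flow to same server: database hit
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A `db-hit` is decided on destination IP address and port alone, so every later flow to that address inherits the stored type without its payload being inspected. When validating such a database, addresses that serve more than one application are the case to test.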
Corresponding to the embodiments of the application type identification method of the present invention, the present invention also provides embodiments of a network device that performs the application type identification method.
Fig. 4 is a block diagram of one embodiment of the network device of the present invention:
The network device includes: an extraction unit 410, a matching unit 420 and an identification unit 430.
The extraction unit 410 is configured to extract first server address information from a first data packet of a received data stream;
the matching unit 420 is configured to match the first server address information extracted by the extraction unit 410 against server application information, where the server application information stores the correspondence between server address information and application type;
the identification unit 430 is configured to, when the matching unit 420 matches the first server address information in the server application information, identify the application type corresponding to the first server address information as the application type of the data stream.
Optionally, the extraction unit 410 may be specifically configured to extract the destination IP address and destination port number of the first data packet from the 5-tuple information of the received first data packet.
Fig. 5 is a block diagram of another embodiment of the network device of the present invention:
The network device includes: an obtaining unit 510, a saving unit 520, an extraction unit 530, a matching unit 540 and an identification unit 550.
The obtaining unit 510 is configured to obtain the server application information by identifying data packets of different data streams;
the saving unit 520 is configured to save the server application information obtained by the obtaining unit 510 to a server information database;
the extraction unit 530 is configured to extract first server address information from a first data packet of a received data stream;
the matching unit 540 is configured to match the first server address information extracted by the extraction unit 530 against the server application information, where the server application information stores the correspondence between server address information and application type;
the identification unit 550 is configured to, when the matching unit 540 matches the first server address information in the server application information, identify the application type corresponding to the first server address information as the application type of the data stream to which the first data packet belongs.
In one optional implementation:
The obtaining unit 510 may include (not shown in Fig. 5): a TCP data packet determining subunit, configured to determine that a TCP data packet has been received; a WEB application packet identification subunit, configured to identify the TCP data packet as a WEB application packet accessing a WEB server when the application layer protocol of the TCP data packet is HTTP and the TCP data packet contains a URL address; an address information obtaining subunit, configured to obtain the destination address of the TCP data packet as server address information; and an application type analysis subunit, configured to analyze the URL address to obtain the application type of the WEB server corresponding to the URL address.
In another optional implementation:
The obtaining unit 510 may further be configured to, when the matching unit does not match the first server address information in the server application information, obtain first server application information by identifying a subsequent packet of the data stream to which the first data packet belongs;
the saving unit 520 may further be configured to save the first server application information obtained by the obtaining unit 510 to the server information database.
In another optional implementation:
The extraction unit 530 may be specifically configured to extract the destination IP address and destination port number of the first data packet from the 5-tuple information of the first data packet of the received data stream.
Fig. 6 is a block diagram of another embodiment of the network device of the present invention:
The network device includes: a bus 610, and a memory 620, a network interface 630 and a processor 640 connected through the bus 610.
The memory 620 is configured to store server application information;
the network interface 630 is configured to receive a first data packet of a data stream;
the processor 640 is configured to extract first server address information from the first data packet and match the first server address information against the server application information, where the server application information stores the correspondence between server address information and application type, and, when the first server address information is matched in the server application information, to identify the application type corresponding to the first server address information as the application type of the data stream.
In one optional implementation:
The processor 640 may further be configured to obtain server application information by identifying data packets of different data streams, and to save the server application information to a server information database in the memory.
In another optional implementation:
The processor 640 may be specifically configured to determine that a TCP data packet has been received; when the application layer protocol of the TCP data packet is HTTP and the TCP data packet contains a URL address, to identify the TCP data packet as a WEB application packet accessing a WEB server; to obtain the destination address of the TCP data packet as server address information; and to analyze the URL address to obtain the application type of the WEB server corresponding to the URL address.
In another optional implementation:
The processor 640 may further be configured to, when the first server address information is not matched in the server application information, obtain first server application information by identifying a subsequent packet of the data stream to which the first data packet belongs, and to save the first server application information to the server information database.
In another optional implementation:
The processor 640 may be specifically configured to extract the destination IP address and destination port number of the first data packet from the 5-tuple information of the first data packet.
As the above embodiments show, first server address information is extracted from the first data packet of a received data stream and matched against server application information; when the first server address information is matched in the server application information, the application type corresponding to the first server address information is identified as the application type of the data stream to which the first data packet belongs. In the embodiments of the present invention, server application information is established so that, when a data packet is received, no keyword extraction or rule matching is needed. Instead, the server address information of the data packet is matched against the server application information, which quickly identifies the application type of the data stream to which the data packet belongs and improves the efficiency of application type identification.
Those skilled in the art will clearly understand that the techniques in the embodiments of the present invention can be implemented by means of software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solutions in the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product may be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention or in certain parts of the embodiments.
The embodiments in this specification are described in a progressive manner; for parts that are the same or similar between embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, because the system embodiments are essentially similar to the method embodiments, they are described relatively briefly; for the relevant points, see the corresponding description of the method embodiments.
The embodiments of the present invention described above do not limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. An application type identification method, characterized in that the method comprises:
extracting first server address information from a first data packet of a received data stream;
matching the first server address information against server application information, where the server application information stores the correspondence between server address information and application type;
when the first server address information is matched in the server application information, identifying the application type corresponding to the first server address information as the application type of the data stream.
2. The method according to claim 1, characterized in that, before extracting the first server address information from the first data packet of the received data stream, the method further comprises:
obtaining the server application information by identifying data packets of different data streams;
saving the server application information to a server information database.
3. The method according to claim 2, characterized in that obtaining the server application information by identifying data packets of different data streams comprises:
determining that a Transmission Control Protocol (TCP) data packet has been received;
when the application layer protocol of the TCP data packet is the Hypertext Transfer Protocol (HTTP) and the TCP data packet contains a Uniform Resource Locator (URL) address, identifying the TCP data packet as a WEB application packet accessing a WEB server;
obtaining the destination address of the TCP data packet as server address information; and
analyzing the URL address to obtain the application type of the WEB server corresponding to the URL address.
4. The method according to claim 2 or 3, characterized in that the method further comprises:
when the first server address information is not matched in the server application information, obtaining first server application information by identifying a subsequent packet of the data stream to which the first data packet belongs;
saving the first server application information to the server information database.
5. The method according to any one of claims 1 to 4, characterized in that extracting the first server address information from the first data packet of the received data stream is specifically: extracting the destination Internet Protocol (IP) address and destination port number of the first data packet from the 5-tuple information of the first data packet of the received data stream.
6. A network device, characterized in that the network device comprises:
an extraction unit, configured to extract first server address information from a first data packet of a received data stream;
a matching unit, configured to match the first server address information extracted by the extraction unit against server application information, where the server application information stores the correspondence between server address information and application type;
an identification unit, configured to, when the matching unit matches the first server address information in the server application information, identify the application type corresponding to the first server address information as the application type of the data stream.
7. The network device according to claim 6, characterized in that the device further comprises:
an obtaining unit, configured to obtain the server application information by identifying data packets of different data streams;
a saving unit, configured to save the server application information obtained by the obtaining unit to a server information database.
8. The network device according to claim 7, characterized in that the obtaining unit comprises:
a TCP data packet determining subunit, configured to determine that a TCP data packet has been received;
a WEB application packet identification subunit, configured to identify the TCP data packet as a WEB application packet accessing a WEB server when the application layer protocol of the TCP data packet is HTTP and the TCP data packet contains a URL address;
an address information obtaining subunit, configured to obtain the destination address of the TCP data packet as server address information;
an application type analysis subunit, configured to analyze the URL address to obtain the application type of the WEB server corresponding to the URL address.
9. The network device according to claim 7 or 8, characterized in that
the obtaining unit is further configured to, when the matching unit does not match the first server address information in the server application information, obtain first server application information by identifying a subsequent packet of the data stream to which the first data packet belongs;
the saving unit is further configured to save the first server application information obtained by the obtaining unit to the server information database.
10. The network device according to any one of claims 6 to 9, characterized in that
the extraction unit is specifically configured to extract the destination IP address and destination port number of the first data packet from the 5-tuple information of the first data packet of the received data stream.
PCT/CN2014/076914 2013-05-24 2014-05-07 Application type identification method and network device WO2014187238A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310198561.2 2013-05-24
CN2013101985612A CN103297270A (en) 2013-05-24 2013-05-24 Application type recognition method and network equipment

Publications (1)

Publication Number Publication Date
WO2014187238A1 true WO2014187238A1 (en) 2014-11-27

Family

ID=49097618

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/076914 WO2014187238A1 (en) 2013-05-24 2014-05-07 Application type identification method and network device

Country Status (2)

Country Link
CN (1) CN103297270A (en)
WO (1) WO2014187238A1 (en)


Also Published As

Publication number Publication date
CN103297270A (en) 2013-09-11


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14801186

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14801186

Country of ref document: EP

Kind code of ref document: A1