[go: up one dir, main page]

CN103036773B - Network instant communication instrument flux recognition system and recognition methods - Google Patents

Network instant communication instrument flux recognition system and recognition methods Download PDF

Info

Publication number
CN103036773B
CN103036773B CN201210564693.8A CN201210564693A CN103036773B CN 103036773 B CN103036773 B CN 103036773B CN 201210564693 A CN201210564693 A CN 201210564693A CN 103036773 B CN103036773 B CN 103036773B
Authority
CN
China
Prior art keywords
network
instant messaging
messaging tool
network flow
udp
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210564693.8A
Other languages
Chinese (zh)
Other versions
CN103036773A (en
Inventor
薛一波
袁振龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tsinghua University filed Critical Tsinghua University
Priority to CN201210564693.8A priority Critical patent/CN103036773B/en
Publication of CN103036773A publication Critical patent/CN103036773A/en
Application granted granted Critical
Publication of CN103036773B publication Critical patent/CN103036773B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明公开了一种网络即时通信工具流量识别系统及识别方法,其系统包括:流量识别预处理模块:用于加载正则DFA算法以及将网络即时通信工具的强特征序列转换为正则表达式的形式;UDP网络流识别处理模块:根据正则DFA算法判断出网络即时通信工具的UDP网络流,并写入网络即时通信工具UDP的节点信息表;TCP网络流识别处理模块:根据所述网络即时通信工具UDP的节点信息表,判断出网络即时通信工具的TCP网络流,并写入网络即时通信工具TCP的节点信息表;网络流数据统计模块:用于统计网络即时通信工具UDP的节点信息表和网络即时通信工具TCP的节点信息表中流量数据,并显示。本发明具有快速识别的特点,非常易于对于网络中网络即时通信工具应用流量的管控和处理。

The invention discloses a network instant messaging tool traffic identification system and identification method. The system includes: a traffic identification preprocessing module: used to load a regular DFA algorithm and convert a strong feature sequence of a network instant messaging tool into a regular expression form UDP network flow recognition processing module: judge the UDP network flow of the network instant messaging tool according to the regular DFA algorithm, and write the node information table of the network instant messaging tool UDP; TCP network flow recognition processing module: according to the network instant messaging tool The node information table of UDP determines the TCP network flow of the network instant messaging tool, and writes it into the node information table of the network instant messaging tool TCP; the network flow data statistics module: is used to count the node information table and network of the network instant messaging tool UDP The traffic data in the node information table of the instant messaging tool TCP is displayed. The invention has the characteristics of fast identification, and is very easy to control and process the application traffic of the network instant messaging tool in the network.

Description

网络即时通信工具流量识别系统及识别方法Traffic identification system and identification method of network instant messaging tool

技术领域technical field

本发明涉及网络技术领域,特别涉及一种网络即时通信工具流量识别系统及识别方法。The invention relates to the field of network technology, in particular to a network instant messaging tool traffic identification system and identification method.

背景技术Background technique

在过去的十年时间里,网络即时通信工具作为一种方便、实用的通信工具由于其稳定的通话质量、安全的通信模式,因而获得了全世界范围的普及。在网络管理方面,也迫切需要对网络即时通信工具的网络性能进行优化,以提高互联网用户的体验。因此,研究如何在网络流量中识别和管理网络即时通信工具通信流量,具有很强的学术意义和实用价值,是学术界和工业界的研究热点。In the past ten years, as a convenient and practical communication tool, the instant messaging tool on the Internet has gained worldwide popularity due to its stable call quality and safe communication mode. In terms of network management, there is also an urgent need to optimize the network performance of network instant messaging tools, so as to improve the experience of Internet users. Therefore, research on how to identify and manage network instant messaging tool communication traffic in network traffic has strong academic significance and practical value, and is a research hotspot in academia and industry.

然而,网络管理者对于在网络流量中识别网络即时通信工具流量面临着极大的挑战,主要包含以下几点原因:1、网络即时通信工具是一个全球性的P2P VoIP网络,其主要构成成分包含普通节点(客户端)、超级节点(SN)以及登录服务器,采用传统流量识别技术的方法已经失效;2、网络即时通信工具具备多样化的通信模式,包括语音通话、即时消息、文件传输和视频会议,同时还可以正常工作在NAT和防火墙后;3、网络即时通信工具采用动态传输端口对数据流进行加密传输,能抵抗窥探等各种非法行为,并加大安全系数,以保护其不被逆向破解。However, network managers face great challenges in identifying the traffic of instant messaging tools in network traffic, mainly for the following reasons: 1. Instant messaging tools are a global P2P VoIP network, and its main components include: Ordinary nodes (clients), super nodes (SNs) and login servers, the method of using traditional traffic identification technology has failed; 2. Network instant messaging tools have a variety of communication modes, including voice calls, instant messages, file transfers and video Meetings can also work normally behind NAT and firewalls; 3. The network instant messaging tool uses dynamic transmission ports to encrypt and transmit data streams, which can resist various illegal activities such as snooping, and increase the safety factor to protect it from being blocked. reverse cracking.

综合以上原因,虽然已有大量的研究人员提出了多种方法来识别网络即时通信工具流量,但不幸的是,这些方法大多属于粗粒度的解决方案,不能很好地识别每一条网络即时通信工具产生的流量,在细粒度识别方面存在缺陷。Based on the above reasons, although a large number of researchers have proposed a variety of methods to identify the traffic of network instant messaging tools, unfortunately, most of these methods are coarse-grained solutions, which cannot identify every network instant messaging tool traffic well. The generated traffic has flaws in fine-grained identification.

因此,针对这些问题和需求,迫切需要引入新的思路和方法,来解决网络即时通信工具网络流的识别问题,并使之更适用于网络管理系统(NMS)。Therefore, in response to these problems and needs, it is urgent to introduce new ideas and methods to solve the problem of network flow identification of network instant messaging tools, and make it more suitable for network management systems (NMS).

发明内容Contents of the invention

(一)要解决的技术问题(1) Technical problems to be solved

本发明要解决的技术问题是,针对现有技术的不足,提供一种网络即时通信工具流量识别系统及识别方法,够有效识别网络即时通信工具在通信过程中产生的所有网络流,且具有准确度高、误报率低、识别快速的特点。The technical problem to be solved by the present invention is to provide a network instant messaging tool traffic identification system and identification method for the deficiencies of the prior art, which can effectively identify all network flows generated by the network instant messaging tool during the communication process, and have accurate It has the characteristics of high accuracy, low false alarm rate and fast recognition.

(二)技术方案(2) Technical solutions

本发明提供一种网络即时通信工具流量识别系统,包括:流量识别预处理模块、UDP网络流识别处理模块、TCP网络流识别处理模块和网络流数据统计模块,其中:The present invention provides a network instant communication tool traffic identification system, comprising: a traffic identification preprocessing module, a UDP network flow identification processing module, a TCP network flow identification processing module and a network flow data statistics module, wherein:

流量识别预处理模块,用于加载正则DFA算法以及将网络即时通信工具的强特征序列转换为正则表达式的形式;The traffic identification preprocessing module is used to load the regular DFA algorithm and convert the strong feature sequence of the network instant messaging tool into a regular expression form;

UDP网络流识别处理模块,根据正则DFA算法判断出网络即时通信工具的UDP网络流,并写入网络即时通信工具UDP的节点信息表;The UDP network flow identification processing module judges the UDP network flow of the network instant messaging tool according to the regular DFA algorithm, and writes it into the node information table of the network instant messaging tool UDP;

TCP网络流识别处理模块,根据所述网络即时通信工具UDP的节点信息表,判断出网络即时通信工具的TCP网络流,并写入网络即时通信工具TCP的节点信息表;TCP network flow recognition processing module, according to the node information table of described network instant messaging tool UDP, judge the TCP network flow of network instant messaging tool, and write the node information table of network instant messaging tool TCP;

网络流数据统计模块,用于统计网络即时通信工具UDP的节点信息表和网络即时通信工具TCP的节点信息表中流量数据,并显示。The network flow data statistics module is used to count and display the flow data in the node information table of the network instant communication tool UDP and the node information table of the network instant communication tool TCP.

其中,所述网络流量数据统计模块统计出的流量数据包括:网络流的大小和数据包的数目。Wherein, the traffic data counted by the network traffic data statistics module includes: the size of the network flow and the number of data packets.

本发明还一种网络即时通信工具流量识别方法,包括如下步骤:The present invention also provides a network instant messaging tool traffic identification method, comprising the following steps:

S1:流量识别预处理模块对网络流量处理接口系统加载,用于通过网络流量处理接口建立TCP和UDP流量表;S1: The traffic identification preprocessing module loads the network traffic processing interface system, and is used to establish TCP and UDP flow tables through the network traffic processing interface;

S2:流量识别预处理模块对加载正则DFA算法以及将网络即时通信工具的强特征序列转换为正则表达式的形式;S2: The traffic identification preprocessing module loads the regular DFA algorithm and converts the strong feature sequence of the network instant messaging tool into the form of a regular expression;

S3:UDP网络流识别处理模块根据五元组确定网络流,对每条所述网络流中的每个UDP数据包进行解析,并判断出所述UDP数据包所在的网络流为网络即时通信工具的网络流;S3: The UDP network flow identification processing module determines the network flow according to the quintuple, analyzes each UDP data packet in each network flow, and determines that the network flow where the UDP data packet is located is a network instant messaging tool network flow;

S4:UDP网络流识别处理模块根据S2中的正则DFA算法对S3中的网络即时通信工具网络流进行匹配判断出S3中的五元组网络流是否为网络即时通信工具网络流,如果是则写入网络即时通信工具UDP的节点信息表;S4: The UDP network flow identification processing module matches the network instant messaging tool network flow in S3 according to the regular DFA algorithm in S2 to determine whether the five-tuple network flow in S3 is a network instant messaging tool network flow, and if so, write Enter the node information table of the network instant messaging tool UDP;

S5:TCP网络流识别处理模块根据TCP服务器列表判断出TCP网络流是否为网络即时通信工具的TCP网络流,如果是则进入S6;S5: The TCP network flow identification processing module judges whether the TCP network flow is the TCP network flow of the network instant messaging tool according to the TCP server list, and if so, enters S6;

S6:TCP网络流识别处理模块根据网络即时通信工具UDP的节点信息表,判断S5中的网络即时通信工具的TCP网络流是否为网络即时通信工具的网络流,如果是则写入网络即时通信工具TCP的节点信息表;S6: TCP network flow recognition processing module judges whether the TCP network flow of the network instant messaging tool in S5 is the network flow of the network instant messaging tool according to the node information table of the network instant messaging tool UDP, and if so, writes the network instant messaging tool TCP node information table;

S7:根据S4和S6得到的网络即时通信工具UDP的节点信息表和网络即时通信工具TCP的节点信息表进行统计,统计出流量数据并显示。S7: Perform statistics according to the node information table of the network instant messaging tool UDP and the node information table of the network instant messaging tool TCP obtained in S4 and S6, and calculate and display the traffic data.

其中,S3具体包括:通过判断UDP数据包的纯载荷长度是否达到指定长度3,如果大于3个字节,则判断此UDP数据包所在的网络流为网络即时通信工具的网络流。Wherein, S3 specifically includes: by judging whether the pure payload length of the UDP data packet reaches the specified length 3, if it is greater than 3 bytes, then judging that the network flow where the UDP data packet is located is the network flow of the network instant messaging tool.

其中,S4具体包括:提取S2中正则加载的强特征序列转换为的正则表达式的第3个字节位置的字节值,将该字节值带入正则DFA算法进行匹配搜索,如果匹配成功,则证明五元组网络流是网络即时通信工具网络流,并写入网络即时通信工具UDP的节点信息表。Among them, S4 specifically includes: extracting the byte value of the third byte position of the regular expression converted from the strong feature sequence loaded regularly in S2, bringing the byte value into the regular DFA algorithm for matching search, if the match is successful , it proves that the five-tuple network flow is a network instant messaging tool network flow, and is written into the node information table of the network instant messaging tool UDP.

其中,S4中的匹配搜索步骤如下:Among them, the matching search steps in S4 are as follows:

S41:如果属于五元组网络流的首个数据包,则初始化此网络流的DFA状态值为0,此状态值代表正则有限状态机中的状态号,否则读取已保存的此网络流的DFA状态值;S41: If it belongs to the first data packet of the quintuple network flow, initialize the DFA state value of this network flow to 0, and this state value represents the state number in the regular finite state machine, otherwise read the saved network flow DFA status value;

S42:提取UDP数据包载荷中指定位置的字节值,将此字节值与所在网络流的DFA状态值作为形参共同传入DFA状态机进行状态转换,其中DFA状态值代表DFA状态机的指定状态,字节值代表此指定状态要输入的数据,通过这种状态转换,得到此网络流的新的状态值;S42: Extract the byte value at the specified position in the payload of the UDP packet, and pass this byte value and the DFA state value of the network flow as formal parameters into the DFA state machine for state transition, wherein the DFA state value represents the state of the DFA state machine Specifies the state, and the byte value represents the data to be input in the specified state. Through this state transition, the new state value of the network flow is obtained;

S43:判断此网络流新的状态值是否属于匹配成功状态,若是则返回匹配成功,若不是则返回新的状态值。S43: Determine whether the new state value of the network flow belongs to the matching success state, if so, return the matching success, if not, return the new state value.

其中,S5具体包括:Among them, S5 specifically includes:

S51:解析TCP网络流中的IP数据包,提取其IP源地址和目的地址;S51: Analyzing the IP data packet in the TCP network flow, extracting its IP source address and destination address;

S52:根据TCP服务器IP列表判断IP源和目的地址是否存在网络即时通信工具通信交互服务器,如果存在,则此网络流为网络即时通信工具的TCP网络流,否则执行S53;S52: Judging whether the IP source and the destination address have a network instant messaging tool communication interactive server according to the TCP server IP list, if there is, the network flow is the TCP network flow of the network instant messaging tool, otherwise execute S53;

S53:进一步通过机器学习的方法判断TCP网络流是否属于网络即时通信工具的TCP网络流。S53: Further judge whether the TCP network flow belongs to the TCP network flow of the network instant messaging tool by a machine learning method.

其中,S6具体包括:Among them, S6 specifically includes:

S61:查询网络即时通信工具UDP的节点信息表,如果IPA已被所述UDP网络流识别处理模块判断为网络即时通信工具节点,则IPA相关的TCP网络流则为网络即时通信工具的TCP网络流,如果IPB已被所述UDP网络流识别处理模块判断为非网络即时通信工具节点,则IPB相关的TCP网络流则确定为非网络即时通信工具的TCP网络流;S61: query the node information table of the network instant messaging tool UDP, if IP A has been judged as a network instant messaging tool node by the UDP network flow identification processing module, then the TCP network flow related to IP A is the TCP of the network instant messaging tool Network flow, if IP B has been judged as a non-network instant messaging tool node by the UDP network flow identification processing module, then the relevant TCP network flow of IP B is determined to be the TCP network flow of non-network instant messaging tool;

S62:如果网络即时通信工具UDP的节点信息表中未能找到IPC的信息,则默认为非网络即时通信工具的TCP网络流。S62: If the IPC information cannot be found in the node information table of the network instant messaging tool UDP, the default is the TCP network stream of the non - network instant messaging tool.

其中,在S7中流量数据包括:流量的大小以及数据包数目。Wherein, the traffic data in S7 includes: the size of the traffic and the number of data packets.

(三)有益效果(3) Beneficial effects

本发明的方法可以应用于网络即时通信工具应用的流量识别,由于采用的识别方法是基于强特征序列的,根据实验测试,它的准确率很高、且误报率极低。另外,因为用于网络即时通信工具的强特征序列只需要检测一条网络流的前几个数据包即可,因此具有快速识别的特点,非常易于对于网络中网络即时通信工具应用流量的管控和处理。The method of the present invention can be applied to the traffic identification of the network instant messaging tool application, because the identification method adopted is based on the strong feature sequence, and according to the experimental test, its accuracy rate is very high and the false alarm rate is extremely low. In addition, because the strong feature sequence used for network instant messaging tools only needs to detect the first few data packets of a network flow, it has the characteristics of rapid identification, and is very easy to control and process the application traffic of network instant messaging tools in the network .

附图说明Description of drawings

图1是本发明网络即时通信工具流量识别方法步骤流程图;Fig. 1 is a flow chart of the steps of the network instant messaging tool traffic identification method of the present invention;

图2是本发明网络即时通信工具强特征序列正则表达式示意图。Fig. 2 is a schematic diagram of a regular expression of a strong feature sequence of the network instant messaging tool of the present invention.

具体实施方式Detailed ways

下面结合附图和实施例,对本发明的具体实施方式作进一步详细描述。以下实施例用于说明本发明,但不用来限制本发明的范围。The specific implementation manners of the present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments. The following examples are used to illustrate the present invention, but are not intended to limit the scope of the present invention.

本发明提供一种网络即时通信工具流量识别系统,包括:流量识别预处理模块、UDP网络流识别处理模块、TCP网络流识别处理模块和网络流数据统计模块,其中:The present invention provides a network instant communication tool traffic identification system, comprising: a traffic identification preprocessing module, a UDP network flow identification processing module, a TCP network flow identification processing module and a network flow data statistics module, wherein:

流量识别预处理模块,用于加载正则DFA算法以及将网络即时通信工具的强特征序列转换为正则表达式的形式;The traffic identification preprocessing module is used to load the regular DFA algorithm and convert the strong feature sequence of the network instant messaging tool into a regular expression form;

UDP网络流识别处理模块,根据正则DFA算法判断出网络即时通信工具的UDP网络流,并写入网络即时通信工具UDP的节点信息表;The UDP network flow identification processing module judges the UDP network flow of the network instant messaging tool according to the regular DFA algorithm, and writes it into the node information table of the network instant messaging tool UDP;

TCP网络流识别处理模块,根据所述网络即时通信工具UDP的节点信息表,判断出网络即时通信工具的TCP网络流,并写入网络即时通信工具TCP的节点信息表;TCP network flow recognition processing module, according to the node information table of described network instant messaging tool UDP, judge the TCP network flow of network instant messaging tool, and write the node information table of network instant messaging tool TCP;

网络流数据统计模块,用于统计网络即时通信工具UDP的节点信息表和网络即时通信工具TCP的节点信息表中流量数据,并显示。The network flow data statistics module is used to count and display the flow data in the node information table of the network instant communication tool UDP and the node information table of the network instant communication tool TCP.

其中,所述网络流量数据统计模块统计出的流量数据包括:网络流的大小和数据包的数目。Wherein, the traffic data counted by the network traffic data statistics module includes: the size of the network flow and the number of data packets.

如图1所示,本发明还一种网络即时通信工具流量识别方法,包括如下步骤:As shown in Fig. 1, the present invention is also a kind of network instant messaging tool traffic identification method, comprises the following steps:

S1:流量识别预处理模块对网络流量处理接口系统加载,用于通过网络流量处理接口建立TCP和UDP流量表;S1: The traffic identification preprocessing module loads the network traffic processing interface system, and is used to establish TCP and UDP flow tables through the network traffic processing interface;

S2:流量识别预处理模块对加载正则DFA算法以及将网络即时通信工具的强特征序列转换为正则表达式的形式(如图2所示);S2: The traffic identification preprocessing module loads the regular DFA algorithm and converts the strong feature sequence of the network instant messaging tool into the form of a regular expression (as shown in Figure 2);

S3:UDP网络流识别处理模块根据五元组确定网络流(五元组通常是指由源IP地址,源端口,目的IP地址,目的端口,和传输层协议号这五个量组成的一个集合),对每条所述网络流中的每个UDP数据包进行解析,并判断出所述UDP数据包所在的网络流为网络即时通信工具的网络流;S3: The UDP network flow identification processing module determines the network flow according to the quintuple (the quintuple usually refers to a set consisting of five quantities of source IP address, source port, destination IP address, destination port, and transport layer protocol number ), analyzing each UDP data packet in each said network flow, and judging that the network flow where said UDP data packet is located is a network flow of a network instant messaging tool;

S4:UDP网络流识别处理模块根据S2中的正则DFA算法对S3中的网络即时通信工具网络流进行匹配判断出S3中的五元组网络流是否为网络即时通信工具网络流,如果是则写入网络即时通信工具UDP的节点信息表;S4: The UDP network flow identification processing module matches the network instant messaging tool network flow in S3 according to the regular DFA algorithm in S2 to determine whether the five-tuple network flow in S3 is a network instant messaging tool network flow, and if so, write Enter the node information table of the network instant messaging tool UDP;

S5:TCP网络流识别处理模块根据TCP服务器列表判断出TCP网络流是否为网络即时通信工具的TCP网络流,如果是则进入S6;S5: The TCP network flow identification processing module judges whether the TCP network flow is the TCP network flow of the network instant messaging tool according to the TCP server list, and if so, enters S6;

S6:TCP网络流识别处理模块根据网络即时通信工具UDP的节点信息表,判断S5中的网络即时通信工具的TCP网络流是否为网络即时通信工具的网络流,如果是则写入网络即时通信工具TCP的节点信息表;S6: TCP network flow recognition processing module judges whether the TCP network flow of the network instant messaging tool in S5 is the network flow of the network instant messaging tool according to the node information table of the network instant messaging tool UDP, and if so, writes the network instant messaging tool TCP node information table;

S7:根据S4和S6得到的网络即时通信工具UDP的节点信息表和网络即时通信工具TCP的节点信息表进行统计,统计出流量数据并显示。S7: Perform statistics according to the node information table of the network instant messaging tool UDP and the node information table of the network instant messaging tool TCP obtained in S4 and S6, and calculate and display the traffic data.

其中,S3具体包括:通过判断UDP数据包的纯载荷长度是否达到指定长度3,如果大于3个字节,则判断此UDP数据包所在的网络流为网络即时通信工具的网络流。Wherein, S3 specifically includes: by judging whether the pure payload length of the UDP data packet reaches the specified length 3, if it is greater than 3 bytes, then judging that the network flow where the UDP data packet is located is the network flow of the network instant messaging tool.

其中,S4具体包括:提取S2中正则加载的强特征序列转换为的正则表达式的第3个字节位置的字节值,将该字节值带入正则DFA算法进行匹配搜索,如果匹配成功,则证明五元组网络流是网络即时通信工具网络流,并写入网络即时通信工具UDP的节点信息表。Among them, S4 specifically includes: extracting the byte value of the third byte position of the regular expression converted from the strong feature sequence loaded regularly in S2, bringing the byte value into the regular DFA algorithm for matching search, if the match is successful , it proves that the five-tuple network flow is a network instant messaging tool network flow, and is written into the node information table of the network instant messaging tool UDP.

其中,S4中的匹配搜索步骤如下:Among them, the matching search steps in S4 are as follows:

S41:如果属于五元组网络流的首个数据包,则初始化此网络流的DFA状态值为0,此状态值代表正则有限状态机中的状态号,否则读取已保存的此网络流的DFA状态值;S41: If it belongs to the first data packet of the quintuple network flow, initialize the DFA state value of this network flow to 0, and this state value represents the state number in the regular finite state machine, otherwise read the saved network flow DFA status value;

S42:提取UDP数据包载荷中指定位置的字节值,将此字节值与所在网络流的DFA状态值作为形参共同传入DFA状态机进行状态转换,其中DFA状态值代表DFA状态机的指定状态,字节值代表此指定状态要输入的数据,通过这种状态转换,得到此网络流的新的状态值;S42: Extract the byte value at the specified position in the payload of the UDP packet, and pass this byte value and the DFA state value of the network flow as formal parameters into the DFA state machine for state transition, wherein the DFA state value represents the state of the DFA state machine Specifies the state, and the byte value represents the data to be input in the specified state. Through this state transition, the new state value of the network flow is obtained;

S43:判断此网络流新的状态值是否属于匹配成功状态,若是则返回匹配成功,若不是则返回新的状态值。S43: Determine whether the new state value of the network flow belongs to the matching success state, if so, return the matching success, if not, return the new state value.

其中,S5具体包括:Among them, S5 specifically includes:

S51:解析TCP网络流中的IP数据包,提取其IP源地址和目的地址;S51: Analyzing the IP data packet in the TCP network flow, extracting its IP source address and destination address;

S52:根据TCP服务器IP列表判断IP源和目的地址是否存在网络即时通信工具通信交互服务器,如果存在,则此网络流为网络即时通信工具的TCP网络流,否则执行S53;S52: Judging whether the IP source and the destination address have a network instant messaging tool communication interactive server according to the TCP server IP list, if there is, the network flow is the TCP network flow of the network instant messaging tool, otherwise execute S53;

S53:进一步通过机器学习的方法判断TCP网络流是否属于网络即时通信工具的TCP网络流。S53: Further judge whether the TCP network flow belongs to the TCP network flow of the network instant messaging tool by a machine learning method.

其中,S6具体包括:Among them, S6 specifically includes:

S61:查询网络即时通信工具UDP的节点信息表,如果IPA已被所述UDP网络流识别处理模块判断为网络即时通信工具节点,则IPA相关的TCP网络流则为网络即时通信工具的TCP网络流,如果IPB已被所述UDP网络流识别处理模块判断为非网络即时通信工具节点,则IPB相关的TCP网络流则确定为非网络即时通信工具的TCP网络流;S61: query the node information table of the network instant messaging tool UDP, if IP A has been judged as a network instant messaging tool node by the UDP network flow identification processing module, then the TCP network flow related to IP A is the TCP of the network instant messaging tool Network flow, if IP B has been judged as a non-network instant messaging tool node by the UDP network flow identification processing module, then the relevant TCP network flow of IP B is determined to be the TCP network flow of non-network instant messaging tool;

S62:如果网络即时通信工具UDP的节点信息表中未能找到IPC的信息,则默认为非网络即时通信工具的TCP网络流。S62: If the IPC information cannot be found in the node information table of the network instant messaging tool UDP, the default is the TCP network stream of the non - network instant messaging tool.

其中,在S7中流量数据包括:流量的大小以及数据包数目。Wherein, the traffic data in S7 includes: the size of the traffic and the number of data packets.

以上实施方式仅用于说明本发明,而并非对本发明的限制,有关技术领域的普通技术人员,在不脱离本发明的精神和范围的情况下,还可以做出各种变化和变型,因此所有等同的技术方案也属于本发明的范畴,本发明的专利保护范围应由权利要求限定。The above embodiments are only used to illustrate the present invention, but not to limit the present invention. Those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the present invention. Therefore, all Equivalent technical solutions also belong to the category of the present invention, and the scope of patent protection of the present invention should be defined by the claims.

Claims (8)

1.一种网络即时通信工具流量识别系统,其特征在于,包括:流量识别预处理模块、UDP网络流识别处理模块、TCP网络流识别处理模块和网络流量数据统计模块,其中: 1. A network instant communication tool traffic identification system, is characterized in that, comprises: traffic identification preprocessing module, UDP network flow identification processing module, TCP network flow identification processing module and network flow data statistics module, wherein: 流量识别预处理模块,用于加载正则DFA算法以及将网络即时通信工具的强特征序列转换为正则表达式的形式; The traffic identification preprocessing module is used to load the regular DFA algorithm and convert the strong feature sequence of the network instant messaging tool into a regular expression form; UDP网络流识别处理模块,用于根据五元组确定网络流,对每条所述网络流中的每个UDP数据包进行解析,并判断出所述UDP数据包所在的网络流为网络即时通信工具的网络流,根据所述正则DFA算法对所述网络即时通信工具网络流进行匹配判断出五元组网络流是否为网络即时通信工具网络流,如果是则写入网络即时通信工具UDP的节点信息表; The UDP network flow identification processing module is used to determine the network flow according to the quintuple, analyze each UDP data packet in each said network flow, and judge that the network flow where the UDP data packet is located is a network instant communication The network flow of the tool, according to the regular DFA algorithm, matches the network flow of the network instant messaging tool to determine whether the five-tuple network flow is a network instant messaging tool network flow, and if so, writes to the node of the network instant messaging tool UDP Information Sheet; TCP网络流识别处理模块,用于根据TCP服务器列表判断出TCP网络流是否为网络即时通信工具的TCP网络流,根据网络即时通信工具UDP的节点信息表,判断所述网络即时通信工具的TCP网络流是否为网络即时通信工具的网络流,如果是则写入网络即时通信工具TCP的节点信息表; TCP network flow identification processing module, for judging whether TCP network flow is the TCP network flow of network instant messaging tool according to TCP server list, according to the node information table of network instant messaging tool UDP, judge the TCP network of described network instant messaging tool Whether the flow is the network flow of the network instant messaging tool, if so, write the node information table of the network instant messaging tool TCP; 网络流量数据统计模块,用于统计网络即时通信工具UDP的节点信息表和网络即时通信工具TCP的节点信息表中流量数据,并显示; The network flow data statistical module is used to count the traffic data in the node information table of the network instant communication tool UDP and the node information table of the network instant communication tool TCP, and display; 所述UDP网络流识别处理模块,还用于提取正则加载的强特征序列转换为的正则表达式的第3个字节位置的字节值,将该字节值带入正则DFA算法进行匹配搜索,如果匹配成功,则证明五元组网络流是网络即时通信工具网络流,并写入网络即时通信工具UDP的节点信息表。 The UDP network flow identification processing module is also used to extract the byte value of the third byte position of the regular expression converted from the strong feature sequence loaded by the regular, and bring the byte value into the regular DFA algorithm for matching search , if the match is successful, it proves that the five-tuple network flow is a network instant messaging tool network flow, and writes it into the node information table of the network instant messaging tool UDP. 2.如权利要求1所述的系统,其特征在于,所述网络流量数据统计模块统计出的流量数据包括:网络流的大小和数据包的数目。 2. The system according to claim 1, wherein the traffic data counted by the network traffic data statistics module includes: the size of the network flow and the number of data packets. 3.一种网络即时通信工具流量识别方法,其特征在于,包括如 下步骤: 3. A network instant messaging tool flow identification method, is characterized in that, comprises the steps: S1:流量识别预处理模块对网络流量处理接口系统加载,用于通过网络流量处理接口建立网络即时通信工具UDP的节点信息表和网络即时通信工具UDP的节点信息表; S1: The traffic identification preprocessing module loads the network traffic processing interface system, and is used to establish the node information table of the network instant messaging tool UDP and the node information table of the network instant messaging tool UDP through the network traffic processing interface; S2:流量识别预处理模块对加载正则DFA算法以及将网络即时通信工具的强特征序列转换为正则表达式的形式; S2: The traffic identification preprocessing module loads the regular DFA algorithm and converts the strong feature sequence of the network instant messaging tool into the form of a regular expression; S3:UDP网络流识别处理模块根据五元组确定网络流,对每条所述网络流中的每个UDP数据包进行解析,并判断出所述UDP数据包所在的网络流为网络即时通信工具的网络流; S3: The UDP network flow identification processing module determines the network flow according to the quintuple, analyzes each UDP data packet in each network flow, and determines that the network flow where the UDP data packet is located is a network instant messaging tool network flow; S4:UDP网络流识别处理模块根据S2中的正则DFA算法对S3中的网络即时通信工具网络流进行匹配判断出S3中的五元组网络流是否为网络即时通信工具网络流,如果是则写入网络即时通信工具UDP的节点信息表; S4: The UDP network flow identification processing module matches the network instant messaging tool network flow in S3 according to the regular DFA algorithm in S2 to determine whether the five-tuple network flow in S3 is a network instant messaging tool network flow, and if so, write Enter the node information table of the network instant messaging tool UDP; S5:TCP网络流识别处理模块根据TCP服务器列表判断出TCP网络流是否为网络即时通信工具的TCP网络流,如果是则进入S6; S5: The TCP network flow identification processing module judges whether the TCP network flow is the TCP network flow of the network instant messaging tool according to the TCP server list, and if so, enters S6; S6:TCP网络流识别处理模块根据网络即时通信工具UDP的节点信息表,判断S5中的网络即时通信工具的TCP网络流是否为网络即时通信工具的网络流,如果是则写入网络即时通信工具TCP的节点信息表; S6: TCP network flow recognition processing module judges whether the TCP network flow of the network instant messaging tool in S5 is the network flow of the network instant messaging tool according to the node information table of the network instant messaging tool UDP, and if so, writes the network instant messaging tool TCP node information table; S7:根据S4和S6得到的网络即时通信工具UDP的节点信息表和网络即时通信工具TCP的节点信息表进行统计,统计出流量数据并显示; S7: perform statistics according to the node information table of the network instant messaging tool UDP obtained in S4 and S6 and the node information table of the network instant messaging tool TCP, count the flow data and display; 其中,S4具体包括:提取S2中正则加载的强特征序列转换为的正则表达式的第3个字节位置的字节值,将该字节值带入正则DFA算法进行匹配搜索,如果匹配成功,则证明五元组网络流是网络即时通信工具网络流,并写入网络即时通信工具UDP的节点信息表。 Among them, S4 specifically includes: extracting the byte value of the third byte position of the regular expression converted from the strong feature sequence loaded regularly in S2, bringing the byte value into the regular DFA algorithm for matching search, if the match is successful , it proves that the five-tuple network flow is a network instant messaging tool network flow, and is written into the node information table of the network instant messaging tool UDP. 4.如权利要求3所述的方法,其特征在于,S3具体包括:通过 判断UDP数据包的纯载荷长度是否达到指定长度3,如果大于3个字节,则判断此UDP数据包所在的网络流为网络即时通信工具的网络流。 4. The method according to claim 3, wherein S3 specifically comprises: by judging whether the pure load length of the UDP packet reaches the specified length 3, if it is greater than 3 bytes, then judging the network where the UDP packet is located Flow is the network flow of the network instant messenger. 5.如权利要求3所述的方法,其特征在于,S4中的匹配搜索步骤如下: 5. The method according to claim 3, characterized in that, the matching search step in S4 is as follows: S41:如果属于五元组网络流的首个数据包,则初始化此网络流的DFA状态值为0,此状态值代表正则有限状态机中的状态号,否则读取已保存的此网络流的DFA状态值; S41: If it belongs to the first data packet of the quintuple network flow, initialize the DFA state value of this network flow to 0, and this state value represents the state number in the regular finite state machine, otherwise read the saved network flow DFA status value; S42:提取UDP数据包载荷中指定位置的字节值,将此字节值与所在网络流的DFA状态值作为形参共同传入DFA状态机进行状态转换,其中DFA状态值代表DFA状态机的指定状态,字节值代表此指定状态要输入的数据,通过这种状态转换,得到此网络流的新的状态值; S42: Extract the byte value at the specified position in the payload of the UDP packet, and pass this byte value and the DFA state value of the network flow as formal parameters into the DFA state machine for state transition, wherein the DFA state value represents the state of the DFA state machine Specifies the state, and the byte value represents the data to be input in the specified state. Through this state transition, the new state value of the network flow is obtained; S43:判断此网络流新的状态值是否属于匹配成功状态,若是则返回匹配成功,若不是则返回新的状态值。 S43: Determine whether the new state value of the network flow belongs to the matching success state, if so, return the matching success, if not, return the new state value. 6.如权利要求3所述的方法,其特征在于,S5具体包括: 6. The method according to claim 3, characterized in that S5 specifically comprises: S51:解析TCP网络流中的IP数据包,提取其IP源地址和目的地址; S51: Analyzing the IP data packet in the TCP network flow, extracting its IP source address and destination address; S52:根据TCP服务器IP列表判断IP源和目的地址是否存在网络即时通信工具通信交互服务器,如果存在,则此网络流为网络即时通信工具的TCP网络流,否则执行S53; S52: Judging whether the IP source and the destination address have a network instant messaging tool communication interaction server according to the TCP server IP list, if there is, the network flow is the TCP network flow of the network instant messaging tool, otherwise execute S53; S53:进一步通过机器学习的方法判断TCP网络流是否属于网络即时通信工具的TCP网络流。 S53: Further judge whether the TCP network flow belongs to the TCP network flow of the network instant messaging tool by a machine learning method. 7.如权利要求3所述的方法,其特征在于,S6具体包括: 7. The method according to claim 3, characterized in that S6 specifically comprises: S61:查询网络即时通信工具UDP的节点信息表,如果IPA已被所述UDP网络流识别处理模块判断为网络即时通信工具节点,则IPA相关的TCP网络流则为网络即时通信工具的TCP网络流,如果IPB 已被所述UDP网络流识别处理模块判断为非网络即时通信工具节点,则IPB相关的TCP网络流则确定为非网络即时通信工具的TCP网络流; S61: query the node information table of the network instant messaging tool UDP, if IP A has been judged as a network instant messaging tool node by the UDP network flow identification processing module, then the TCP network flow related to IP A is the TCP of the network instant messaging tool Network flow, if IP B has been judged as a non-network instant messaging tool node by the UDP network flow identification processing module, then the relevant TCP network flow of IP B is determined to be the TCP network flow of non-network instant messaging tool; S62:如果网络即时通信工具UDP的节点信息表中未能找到IPC的信息,则默认为非网络即时通信工具的TCP网络流。 S62: If the IPC information cannot be found in the node information table of the network instant messaging tool UDP, the default is the TCP network stream of the non - network instant messaging tool. 8.如权利要求3所述的方法,其特征在于,在S7中流量数据包括:流量的大小以及数据包数目。 8. The method according to claim 3, characterized in that, in S7, the flow data includes: the size of the flow and the number of data packets.
CN201210564693.8A 2012-12-21 2012-12-21 Network instant communication instrument flux recognition system and recognition methods Active CN103036773B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210564693.8A CN103036773B (en) 2012-12-21 2012-12-21 Network instant communication instrument flux recognition system and recognition methods

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210564693.8A CN103036773B (en) 2012-12-21 2012-12-21 Network instant communication instrument flux recognition system and recognition methods

Publications (2)

Publication Number Publication Date
CN103036773A CN103036773A (en) 2013-04-10
CN103036773B true CN103036773B (en) 2015-08-12

Family

ID=48023280

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210564693.8A Active CN103036773B (en) 2012-12-21 2012-12-21 Network instant communication instrument flux recognition system and recognition methods

Country Status (1)

Country Link
CN (1) CN103036773B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105071984B (en) * 2015-07-21 2019-06-14 王秋晨 A kind of net flow assorted and application and identification method of automatic excavating bit granularity feature
CN106953792A (en) * 2017-02-15 2017-07-14 北京浩瀚深度信息技术股份有限公司 The instant messaging business recognition method and server added up based on weak feature
CN115102884B (en) * 2022-06-23 2023-07-21 青岛联众芯云科技有限公司 Remote data flow statistics method and device for industrial personal computer application program

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101136839A (en) * 2006-08-31 2008-03-05 中兴通讯股份有限公司 Method and equipment for discovering and controlling terminal-to-terminal equity network user flux
CN101668034A (en) * 2009-09-28 2010-03-10 中国人民解放军理工大学指挥自动化学院 Method for recognizing two voice flows of Skype in real time
CN102546548A (en) * 2010-12-22 2012-07-04 中兴通讯股份有限公司 Method and device for recognizing layer protocol

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101136839A (en) * 2006-08-31 2008-03-05 中兴通讯股份有限公司 Method and equipment for discovering and controlling terminal-to-terminal equity network user flux
CN101668034A (en) * 2009-09-28 2010-03-10 中国人民解放军理工大学指挥自动化学院 Method for recognizing two voice flows of Skype in real time
CN102546548A (en) * 2010-12-22 2012-07-04 中兴通讯股份有限公司 Method and device for recognizing layer protocol

Also Published As

Publication number Publication date
CN103036773A (en) 2013-04-10

Similar Documents

Publication Publication Date Title
CN101656677B (en) Message diversion processing method and device
CN102098227B (en) Packet capture method and kernel module
CN106209870A (en) A kind of Network Intrusion Detection System for distributed industrial control system
CN101282331A (en) P2P network traffic identification method based on transport layer characteristics
CN104104561A (en) SDN (self-defending network) firewall state detecting method and system based on OpenFlow protocol
US10284460B1 (en) Network packet tracing
CN104579823A (en) Large-data-flow-based network traffic abnormality detection system and method
CN102571946B (en) Realization method of protocol identification and control system based on P2P (peer-to-peer network)
CN103428224A (en) Method and device for intelligently defending DDoS attacks
CN105099916B (en) Open flows route exchange device and its processing method to data message
CN110351238A (en) Industry control honey pot system
CN101997700A (en) Internet protocol version 6 (IPv6) monitoring equipment based on deep packet inspection and deep flow inspection
CN105488396B (en) A kind of intelligent grid service security gateway system based on data stream association analytical technology
CN103036773B (en) Network instant communication instrument flux recognition system and recognition methods
CN101388848A (en) Traffic identification method based on network processor combined with general processor
CN100452728C (en) Method for distinguishing RTP/RTCP flow capacity
WO2020187295A1 (en) Monitoring of abnormal host
TW201312369A (en) Method for filetring web page content and network equipment
CN202424749U (en) Intranet flow control system
CN102185758A (en) Protocol recognizing method based on Ares message tagged word
CN114567687A (en) Message forwarding method, device, equipment, medium and program product
CN115001827A (en) Cloud-combined IoT botnet detection prototype system and method
CN115514683A (en) Method and device for determining packet loss reason, exchange chip and storage medium
CN102523139B (en) High-speed network protocol deep detection device and detection method
CN101364895A (en) High-performance broadband Internet network behavior real-time analysis and management system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant