CN103780610A - Network data recovery method based on protocol characteristics - Google Patents
- Publication number: CN103780610A (application CN201410021473.XA)
- Authority: CN (China)
- Prior art keywords: data, message, protocol, network, identifier
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention relates to the technical field of the Internet and specifically discloses a method for recovering network data based on protocol features. The method comprises the following steps: determining the data packet identifier and the data flow identifier; performing data recovery based on protocol features; classifying data flows; parsing the application layer; judging from the result of the application-layer parse whether the packet is the first packet carrying a given data flow and, if so, creating a new data flow for it, otherwise discarding the packet; and reassembling the packets. Compared with the prior art, the invention has the beneficial effect of achieving real-time collection and recovery of network data, providing technical support for network management, network security monitoring and online network forensics.
Description
Technical field
The invention relates to the technical field of the Internet and specifically discloses a method for recovering network data based on protocol features.
Background
The rapid development of the Internet has brought enormous changes to production and to people's way of life. Users can exchange information and data quickly over the network, but the same process carries serious security risks. Attackers routinely use the Internet to distribute malware, for example by placing Trojans on web pages for users to download or by attaching them to e-mail sent to users. It is therefore necessary to monitor the data flows transmitted in the network and to analyse the operating state of the network and user behaviour, so that network administrators can discover security problems in time and keep the network running normally.
Data recovery filters and reassembles network packets so as to restore the original data flows those packets carry. Current data recovery methods mainly infer the application-layer protocol of a packet from the port each protocol conventionally uses: port 80 is taken to be HTTP, port 21 to be FTP. The defect of this approach is that it cannot identify the application-layer protocol accurately or comprehensively, because HTTP can run on other ports and port 80 can be used by other protocols. With the widespread use of port translation and the steady improvement of covert communication techniques, most traffic in the network no longer travels over standard ports.
To address the problems of existing data recovery methods, the invention implements a data recovery method based on protocol features. The method caches, analyses and reassembles intercepted packets in real time according to the features of their application-layer protocol, and thereby recovers data flows accurately and completely. The method can be applied in network management, security monitoring, network behaviour analysis and related fields.
Summary of the invention
The purpose of the invention is to reassemble packets according to the features of the application-layer protocol they use, so as to recover completely and accurately the data flow those packets carry, and thereby to provide technical support for network management, network security monitoring and online network forensics.
To achieve this purpose, the invention adopts the following technical scheme:
A network data recovery method based on protocol features, comprising the steps:
1. Determine the data packet identifier and the data flow identifier.
Data packet identifier: the data packet identifier is defined as a four-tuple DataPacketID = <SrcIP, SrcPort, DstIP, DstPort>.
SrcIP, SrcPort, DstIP and DstPort denote the source IP address, source port, destination IP address and destination port of the packet. The data packet identifier is obtained by parsing the packet's network-layer (IP) and transport-layer (TCP or UDP) headers.
In a network a data flow is usually split into many packets for transmission; to recover a flow, every packet carrying it must be obtained. Only packets with the same identifier can be used to reassemble a given flow, and missing or misclassifying a packet corrupts the correctness and completeness of the recovered flow.
Data flow identifier: the data flow identifier is defined as a four-tuple DataFlowID = <Protocol, FlowName, Timestamp, DataPacketID>.
Protocol is the protocol carrying the data flow, FlowName the name of the flow being transmitted, Timestamp the capture time of the first packet of the flow, and DataPacketID the identifier of the packets carrying the flow. The data flow identifier is obtained by parsing the application-layer data according to the features of the application-layer protocol.
The data flow identifier (DataFlowID) identifies a data flow transmitted between two hosts over a particular application-layer protocol.
2. Perform data recovery based on protocol features.
Nodes on the internal network need to be assigned a global IP address.
(1) Data collection. The main task of data collection is to obtain all packets on the network. Any packet-capture software can be used in this step to intercept packets from the network.
(2) Packet parsing. The raw data captured from the network during collection is an Ethernet frame (the frame format is shown in Figure 2). The frame must be parsed layer by layer to reach the application-layer message, as follows:
① Parse the Ethernet frame. Taking the most widely used DIX Ethernet V2 (Ethernet II) format as an example, the frame header contains a 6-byte destination MAC address field, a 6-byte source MAC address field and a 2-byte network protocol type (EtherType) field; the frame check sequence at the end of the frame is a 4-byte field.
② Parse the IP packet. The data following the Ethernet header is the IP packet; the IP protocol in use is still mainly IPv4. The IP header length, the source IP address SrcIP and the destination IP address DstIP are obtained from the IP header.
③ Parse the TCP/UDP segment. The transport layer has two protocols, TCP and UDP, which must be parsed separately according to the protocol type. Taking TCP as an example, the source port, destination port, sequence number and header length are read from the TCP header. Once the TCP header has been parsed, the packet's identifier DataPacketID = <SrcIP, SrcPort, DstIP, DstPort> is available.
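The layer-by-layer decode of steps ① to ③, as an added Python example that is not part of the patent or of the PSNDR system. It walks an Ethernet II frame to the IPv4 header, then to TCP or UDP, and returns DataPacketID together with the application payload (and, for TCP, the sequence number that the reassembly step later needs). The `build_frame` helper, the 10.0.0.5 / 192.0.2.10 addresses and the payloads are constructed for the test; checksums are left at zero because nothing here is put on the wire. Two points the patent leaves implicit are made explicit: every length field is bounds-checked before it is used as an offset, so a truncated or crafted capture cannot make the parser read past the buffer, and `bidirectional()` shows that the patent's four-tuple is directional, so a request and its response carry different DataPacketIDs and a tool that wants both sides in one flow must normalise the key.

```python
import struct
from typing import NamedTuple, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


class DataPacketID(NamedTuple):
    """The patent's directional four-tuple <SrcIP, SrcPort, DstIP, DstPort>."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse_direction(self) -> "DataPacketID":
        """Identifier of the packets flowing the other way on the same connection."""
        return DataPacketID(self.dst_ip, self.dst_port, self.src_ip, self.src_port)

    def bidirectional(self) -> Tuple[Tuple[str, int], Tuple[str, int]]:
        """Direction-independent key: request and response map to the same value."""
        a, b = (self.src_ip, self.src_port), (self.dst_ip, self.dst_port)
        return (min(a, b), max(a, b))


class ParsedPacket(NamedTuple):
    proto: int                 # IPPROTO_TCP or IPPROTO_UDP
    packet_id: DataPacketID
    seq: Optional[int]         # TCP sequence number, None for UDP
    payload: bytes             # application-layer data


def parse_frame(frame: bytes) -> Optional[ParsedPacket]:
    """Decode Ethernet II -> IPv4 -> TCP/UDP. Returns None for anything else
    or for any frame whose length fields do not fit the bytes captured."""
    if len(frame) < 14:
        return None
    # 6-byte destination MAC, 6-byte source MAC, then the 2-byte EtherType.
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                       # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        return None                                # malformed or truncated
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    seg = ip[ihl:total_len]                        # drop any Ethernet padding
    if proto == IPPROTO_TCP:
        if len(seg) < 20:
            return None
        sport, dport, seq = struct.unpack("!HHI", seg[:8])
        doff = (seg[12] >> 4) * 4                  # TCP header length
        if doff < 20 or doff > len(seg):
            return None
        return ParsedPacket(proto, DataPacketID(src_ip, sport, dst_ip, dport), seq, seg[doff:])
    if proto == IPPROTO_UDP:
        if len(seg) < 8:
            return None
        sport, dport, ulen = struct.unpack("!HHH", seg[:6])
        if ulen < 8 or ulen > len(seg):
            return None
        return ParsedPacket(proto, DataPacketID(src_ip, sport, dst_ip, dport), None, seg[8:ulen])
    return None                                    # ICMP and others not handled here


def build_frame(src_ip: str, sport: int, dst_ip: str, dport: int, payload: bytes,
                seq: int = 1, proto: int = IPPROTO_TCP) -> bytes:
    """Construct a minimal test frame (constructed data; checksums zero, not for sending)."""
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes(int(x) for x in src_ip.split(".")),
                         bytes(int(x) for x in dst_ip.split(".")))
    return b"\x00" * 6 + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + l4
```

The parser deliberately returns None instead of raising on malformed input: a recovery tool sits on a tap and sees whatever an adversary sends, so a bad length field must cost one dropped frame, not a crashed sensor.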
3. Data flow classification. Data flow classification classifies each newly intercepted packet according to its DataPacketID, as follows:
(1) If the DataPacketID belongs to a subsequent packet of an existing data flow, insert the packet into that flow's packet queue and go to step 5;
(2) otherwise go to step 4.
4. Application-layer parsing. Application-layer protocol parsing analyses application-layer messages according to the features of each protocol, determines which application-layer protocol they use, extracts the required feature information and assigns a data flow identifier.
5. Packet selection. Judge from the result of the application-layer parse whether the packet is the first packet carrying a given data flow; if so, create a new data flow for it, otherwise discard the packet.
6. Packet reassembly. Packet reassembly extracts the payload from each packet, reassembles the payloads into complete packets and extracts the application-layer messages from them, then recovers the data flow carried by those messages according to the data flow identifier.
Compared with the prior art, the beneficial effects of the invention are:
1. Real-time collection and recovery of network data, supporting both IPv4 and IPv6, analysis and decoding of common Internet protocols (ICMP, ICMPv6, TCP, UDP and so on), and, for common application protocols such as HTTP, FTP, SMTP and POP3, data flow analysis, data recovery, real-time synchronous playback of data flows, replay of data flows, and retrieval and archiving of network data.
2. An application programming interface (API) through which data exchange and communication with security management and monitoring systems such as intrusion detection systems, attack-source tracing systems and online forensics systems can be implemented easily. The invention can provide strong technical support for network management, network security monitoring and online network forensics.
Description of drawings
Figure 1 is a flow chart of the data recovery method of the invention;
Figure 2 is a schematic diagram of the packet format used by the invention;
Figure 3 is a structural diagram of the PSNDR system of the invention;
Figure 4 is the main workflow chart of the invention;
Figure 5 is a schematic diagram of the packet parsing flow of PSNDR;
Figure 6 is a flow chart of data exchange and information communication in PSNDR;
Figure 7 is a schematic diagram of the data display subsystem interface of PSNDR;
Figure 8 is an illustration of an implementation of the invention.
Detailed description
The content of the invention set out above is described in further detail below in conjunction with specific embodiments.
This should not be understood as limiting the scope of the above subject matter to the following examples. Any replacement or change made according to ordinary technical knowledge and customary means in the field, without departing from the technical idea described above, falls within the scope of the invention.
Example
The network data recovery method based on protocol features described in this example comprises the following steps:
1. Structure and workflow of the network data recovery system based on protocol features
In the implementation, the protocol-feature-based network data recovery system PSNDR, developed according to this method, was installed and deployed on a CentOS 6.0 Linux system. As shown in Figure 3, PSNDR consists mainly of data collection, packet parsing, data flow classification, application-layer parsing, packet reassembly, data display, data storage and management/control modules. As shown in Figure 4, the implementation comprises the following steps:
(1) After the system starts, it begins to listen for network data and performs initialisation: it starts the data collection module (to improve efficiency, the system uses libpcap to intercept packets from the network), initialises the packet identifier set S_DataPacketID, and initialises the data flow identifier set S_DataFlowID;
(2) under the scheduling of the management/control unit, the system hands the collected raw data to the packet parsing module for analysis;
(3) as shown in Figure 5, the packet parsing module parses each received packet, decoding in turn the Ethernet frame, the IP packet and the TCP/UDP segment, and finally obtains the packet identifier;
(4) the packet identifier returned by the parsing module is passed through the management/control unit to the data flow classification module as the classification feature. If the packet's DataPacketID is in the packet identifier set S_DataPacketID, the packet is a subsequent packet of an existing data flow: it is inserted into that flow's packet queue and processing continues at step (6). Otherwise the packet requires application-layer parsing and processing continues at step (5);
(5) Application-layer parsing. The application-layer parsing module analyses application-layer messages according to the features of each protocol, determines which application-layer protocol they use, extracts the required feature information and returns a data flow identifier DataFlowID. The module implements the parsing of several common application-layer protocols, namely HTTP, FTP, SMTP and POP3:
① HTTP. Under HTTP the client sends a GET request to the server to begin a file transfer session, and the file content is returned to the client in the server's response. The method decides whether a packet opens an HTTP file transfer by checking whether its payload begins with "GET", and then adds the server's response flow to the cached flow classification list. If packets in the reverse direction carry a payload beginning with a header of the form "HTTP/*.* 200", they carry the data of the file sent by the server and are cached for subsequent reassembly. Go to step (6);
② FTP. FTP separates control and data onto two different network connections, and the two parties negotiate the address and port of the data connection during the control session, so several exchanges on the control connection must be followed before enough information is available. FTP transfers use one of two modes, PORT and PASV, which are parsed separately;
Parsing PORT (active) mode. PORT mode is recognised by a payload beginning with the string "PORT", whose command format is "PORT h1,h2,h3,h4,p1,p2": h1,h2,h3,h4 are the four decimal octets of the IP address and p1,p2 the high and low 8 bits (in decimal) of the port on which the data connection will be made. In PORT mode this is the address and port on which the client listens and to which the server connects. The parser takes the address and port from the PORT command and then, by watching for the RETR or STOR command on the control connection, can identify the required data packets. Go to step (6);
Parsing PASV (passive) mode. PASV mode is recognised by a payload beginning with the string "PASV"; the address and port used for the data connection appear in the server's 227 response, in the form "Entering Passive Mode (h1,h2,h3,h4,p1,p2)" with the same meaning as in the PORT command. The client then sends a RETR or STOR command over the control connection to download or upload a file. Go to step (6).
③ SMTP. SMTP is the protocol a mail client uses to submit mail to a server. Under the protocol, when the client sends a message the packet carrying the message data begins with "DATA", and the body of the message, including attachments, is transmitted in the same direction on the same connection. It suffices to cache all packets of that connection and reassemble them. Go to step (6);
④ POP3. POP3 is the protocol a mail client uses to retrieve e-mail from a server. When the client sends a retrieval request, the request message begins with "Received" as the patent text has it (the retrieval command defined by RFC 1939 is RETR), and the packets the server then sends carry the data of the requested message. It suffices to cache these packets and reassemble them. Go to step (6).
(6) Judge from the parse result whether the packet is the first packet carrying a given data flow; if so, create a new data flow for it, otherwise discard the packet;
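Steps (4) to (6), with the application-layer signatures of step (5), as an added Python example that is not PSNDR's code. `classify()` keeps the patent's S_DataPacketID set as a dictionary from DataPacketID to flow, queues packets of known flows, and otherwise runs a payload-based (port-independent) parse that creates a flow only for a packet that opens one; everything else is dropped, as step (6) prescribes. The FTP branch parses PORT and the 227 reply of PASV into the announced data-connection endpoint and uses it to recognise the data connection when it later appears on an arbitrary port. The HTTP branch registers the reverse DataPacketID so the server's response joins the request's flow. The POP3 branch keys on RETR followed by a message number (RFC 1939) rather than on the string "Received" given in the patent text. All keys, ports and payloads below are constructed for the test.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int, str, int]   # the patent's DataPacketID <SrcIP, SrcPort, DstIP, DstPort>

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n")
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
HTTP_OK_RE = re.compile(rb"^HTTP/\d\.\d 200 ")
POP3_RETR_RE = re.compile(rb"^RETR \d+\r\n")     # POP3 RETR takes a message number


@dataclass
class Flow:
    """The patent's DataFlowID <Protocol, FlowName, Timestamp, DataPacketID> plus its queue."""
    protocol: str
    flow_name: str
    timestamp: float
    packet_id: Key
    packets: List[bytes] = field(default_factory=list)


def _endpoint(m) -> Tuple[str, int]:
    """h1,h2,h3,h4,p1,p2 -> (dotted address, p1*256 + p2), as in PORT and the 227 reply."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FlowClassifier:
    def __init__(self) -> None:
        self.flows: Dict[Key, Flow] = {}                    # S_DataPacketID -> flow
        self.expected: Dict[Tuple[str, int], str] = {}      # FTP data endpoints announced on control
        self.dropped = 0

    def identify(self, key: Key, payload: bytes, ts: float) -> Optional[Flow]:
        """Step (5): decide from payload features, not ports, whether this packet opens a flow."""
        rev: Key = (key[2], key[3], key[0], key[1])
        if payload.startswith(b"GET "):
            name = payload.split(b" ", 2)[1].decode("ascii", "replace")
            self.flows[rev] = Flow("HTTP", name, ts, rev)   # pre-register the response direction
            return Flow("HTTP", name, ts, key)
        if HTTP_OK_RE.match(payload):                       # response seen without its request
            return Flow("HTTP", "response", ts, key)
        m = PORT_RE.match(payload)
        if m:
            self.expected[_endpoint(m)] = "FTP-DATA"        # client listens, server will connect
            return Flow("FTP", "control", ts, key)
        m = PASV_RE.search(payload)
        if m:
            self.expected[_endpoint(m)] = "FTP-DATA"        # server listens, client will connect
            return Flow("FTP", "control", ts, key)
        if payload.startswith(b"DATA\r\n"):
            return Flow("SMTP", "message", ts, key)
        if POP3_RETR_RE.match(payload):
            return Flow("POP3", payload[5:].strip().decode("ascii"), ts, key)
        # A connection touching an endpoint announced by PORT/PASV is the FTP data connection.
        for ep in ((key[0], key[1]), (key[2], key[3])):
            if ep in self.expected:
                self.expected.pop(ep)
                return Flow("FTP", "data", ts, key)
        return None

    def classify(self, key: Key, payload: bytes, ts: float) -> str:
        """Steps (4) and (6): known flow -> queue; new opener -> create; anything else -> drop."""
        flow = self.flows.get(key)
        if flow is not None:
            flow.packets.append(payload)
            return "queued"
        flow = self.identify(key, payload, ts)
        if flow is None:
            self.dropped += 1
            return "dropped"
        flow.packets.append(payload)
        self.flows[key] = flow
        return "created"
```

Because the signatures are matched on attacker-controlled payload, a "GET " prefix or a forged 227 reply on any connection also creates a flow or an expected endpoint; a production classifier should expire `expected` entries and bound `flows`, otherwise an adversary can fill the cache with fake endpoints or push the real transfer out of it.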
(7) Packet reassembly. The packet reassembly module extracts the payload from each packet, reassembles the payloads into complete packets, extracts the application-layer messages from them and recovers the data flow they carry according to the flow identifier. Because IP offers an unreliable, connectionless service, a packet may be lost in transit and never reach its destination, or a packet sent earlier may arrive after one sent later. When a packet PakN is intercepted, one of the following cases arises, and each is handled differently:
① PakN is a duplicate. This is the simplest case: the duplicate PakN is discarded;
② when PakN is intercepted, some packets preceding it in sequence number have not yet been intercepted. PakN is cached temporarily while waiting for the delayed packets;
③ PakN arrives in the expected order. This case is the most involved: the new packet itself needs no reordering, but it may unblock packets that arrived early and are waiting in the cache, so the cached packets must also be processed, and every packet whose sequence number now meets the reassembly requirement is joined to the preceding data, until the last packet has been obtained.
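The three cases ① to ③ as an added Python example (not PSNDR's code) of a per-direction TCP reassembler keyed on the sequence number parsed in step (3). Duplicates are dropped, a segment that arrives ahead of a gap is cached in `pending`, and an in-order segment is delivered and then drains whatever cached segments it unblocks. Beyond the patent's three cases it also trims a retransmission that overlaps data already delivered, and compares sequence numbers modulo 2^32 so a stream that wraps is handled. The sample segments are constructed.

```python
from typing import Dict, Optional

MASK = 0xFFFFFFFF


class StreamReassembler:
    """Reassemble one direction of a TCP stream from (seq, payload) segments that may
    arrive duplicated, out of order or overlapping. The first segment seen sets the origin."""

    def __init__(self, max_pending: int = 1024) -> None:
        self.next_seq: Optional[int] = None   # sequence number expected next
        self.pending: Dict[int, bytes] = {}   # early arrivals keyed by seq (case 2)
        self.data = bytearray()               # in-order payload delivered so far
        self.duplicates = 0
        self.max_pending = max_pending        # bound memory held by unfilled gaps

    def _dist(self, seq: int) -> int:
        """Signed distance of seq from next_seq, modulo 2^32 (negative = behind)."""
        return ((seq - self.next_seq + 0x80000000) & MASK) - 0x80000000

    def _deliver(self, payload: bytes) -> None:
        self.data += payload
        self.next_seq = (self.next_seq + len(payload)) & MASK

    def _drain(self) -> int:
        """Case 3, second half: release cached segments the new data has unblocked."""
        drained = 0
        while self.pending:
            seq = min(self.pending, key=self._dist)    # most-behind entry first
            d = self._dist(seq)
            payload = self.pending.pop(seq)
            if d < 0:                                  # starts inside delivered data
                if -d >= len(payload):
                    continue                           # fully covered: stale copy
                self._deliver(payload[-d:])
            elif d == 0:
                self._deliver(payload)
            else:
                self.pending[seq] = payload            # a gap still precedes it
                break
            drained += 1
        return drained

    def push(self, seq: int, payload: bytes) -> str:
        if not payload:
            return "empty"
        if self.next_seq is None:
            self.next_seq = seq                        # capture may start mid-stream
        d = self._dist(seq)
        if d < 0:
            if -d >= len(payload):                     # case 1: nothing new in it
                self.duplicates += 1
                return "duplicate"
            payload, seq, d = payload[-d:], self.next_seq, 0   # keep only the new tail
        if d > 0:                                      # case 2: a gap precedes it
            old = self.pending.get(seq)
            if old is not None and len(payload) <= len(old):
                self.duplicates += 1
                return "duplicate"
            if old is None and len(self.pending) >= self.max_pending:
                return "overflow"
            self.pending[seq] = payload
            return "buffered"
        self._deliver(payload)                         # case 3: in order
        return f"delivered+{self._drain()}"
```

The `max_pending` bound matters in a monitoring tool: without it a sender that deliberately leaves a hole at the start of every stream can make the sensor buffer without limit. When capture begins mid-connection, `next_seq` locks to the first segment seen, so earlier data is simply absent from `data` rather than mis-ordered.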
(8) Data storage and display. When the data flow being transmitted ends, the management/control unit hands the complete recovered flow returned by the packet reassembly module to the data storage module, which writes the reassembled packet data from the cache to disk; the original data flow is thereby recovered. At the same time the management/control unit invokes the data display module for front-end display; Figure 7 shows a screenshot of the data display subsystem, which only needs input.
2. Operating example of the protocol-feature-based network data recovery system PSNDR
Once PSNDR is running, the front end consists mainly of the protocol analysis and data recovery management subsystem (Figure 7) and the data query and display subsystem (Figure 8).
Figure 7 shows the management interface of the PSNDR protocol analysis and data recovery management subsystem. The user need only click a monitored object in the left pane to see, in the right pane, detailed data reflecting that object's behaviour: raw data, decoded data for each protocol layer, the targets the monitored object accessed, and the times at which this occurred.
Figure 8 shows the main interface of the PSNDR data query and display subsystem. As a user browses the web, PSNDR captures the user's traffic through the data collection module, processes it in the back-end analysis and decoding system, and displays the pages the user viewed synchronously in the front-end display system.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410021473.XA CN103780610A (en) | 2014-01-16 | 2014-01-16 | Network data recovery method based on protocol characteristics |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103780610A true CN103780610A (en) | 2014-05-07 |
Family
ID=50572440
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104702622A (en) * | 2015-03-30 | 2015-06-10 | 武汉虹旭信息技术有限责任公司 | One-way big data transmission communication system and method for many-to-one internal and external networks |
CN104702600A (en) * | 2015-03-02 | 2015-06-10 | 国家计算机网络与信息安全管理中心 | Method and device for parsing network data message |
CN105338341A (en) * | 2014-08-12 | 2016-02-17 | 杭州海康威视系统技术有限公司 | Method and device for reproducing real-time video code stream |
CN106911637A (en) * | 2015-12-23 | 2017-06-30 | 北京奇虎科技有限公司 | Cyberthreat treating method and apparatus |
CN107018096A (en) * | 2017-05-03 | 2017-08-04 | 成都国腾实业集团有限公司 | The method that data analysis and reduction are carried out based on application layer protocol |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030105976A1 (en) * | 2000-11-30 | 2003-06-05 | Copeland John A. | Flow-based detection of network intrusions |
CN101035111A (en) * | 2007-04-13 | 2007-09-12 | 北京启明星辰信息技术有限公司 | Intelligent protocol parsing method and device |
CN101426000A (en) * | 2007-10-30 | 2009-05-06 | 北京启明星辰信息技术有限公司 | General protocol parsing method and system |
CN101488960A (en) * | 2009-03-04 | 2009-07-22 | 哈尔滨工程大学 | Apparatus and method for TCP protocol and data recovery based on parallel processing |
US20090235355A1 (en) * | 2008-03-17 | 2009-09-17 | Inventec Corporation | Network intrusion protection system |
CN102761517A (en) * | 2011-04-25 | 2012-10-31 | 工业和信息化部电信传输研究所 | Content restoration method for high-speed networks |
CN102833263A (en) * | 2012-09-07 | 2012-12-19 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for intrusion detection and intrusion protection |
CN103248606A (en) * | 2012-02-02 | 2013-08-14 | 哈尔滨安天科技股份有限公司 | Network virus detection method and system for IPv4 (Internet Protocol Version 4) and IPv6 (Internet Protocol Version 6) |
Application Events
Date | Country | Application number | Publication | Status |
---|---|---|---|---|
2014-01-16 | CN | CN201410021473.XA | CN103780610A | Pending |
Cited By (35)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105338341A (en) * | 2014-08-12 | 2016-02-17 | 杭州海康威视系统技术有限公司 | Method and device for reproducing real-time video code stream |
CN105338341B (en) * | 2014-08-12 | 2019-06-21 | 杭州海康威视系统技术有限公司 | Method and device for restoring a real-time video code stream |
CN104702600B (en) * | 2015-03-02 | 2017-11-24 | 国家计算机网络与信息安全管理中心 | Configurable successive message parsing method and device |
CN104702600A (en) * | 2015-03-02 | 2015-06-10 | 国家计算机网络与信息安全管理中心 | Method and device for parsing network data message |
CN104702622A (en) * | 2015-03-30 | 2015-06-10 | 武汉虹旭信息技术有限责任公司 | One-way big data transmission communication system and method for many-to-one internal and external networks |
CN104702622B (en) * | 2015-03-30 | 2017-09-15 | 武汉虹旭信息技术有限责任公司 | Many-to-one intranet/extranet big data one-way transmission communication method |
CN106911637A (en) * | 2015-12-23 | 2017-06-30 | 北京奇虎科技有限公司 | Cyberthreat processing method and apparatus |
WO2017212461A1 (en) * | 2016-06-10 | 2017-12-14 | International Business Machines Corporation | Persistent flow identifiers enabling disparate applications |
US10693796B2 (en) | 2016-06-10 | 2020-06-23 | International Business Machines Corporation | Persistent flow identifiers enabling disparate applications |
GB2566226A (en) * | 2016-06-10 | 2019-03-06 | Ibm | Persistent flow identifiers enabling disparate applications |
US10250511B2 (en) | 2016-06-10 | 2019-04-02 | International Business Machines Corporation | Persistent flow identifiers enabling disparate applications |
GB2566226B (en) * | 2016-06-10 | 2019-07-31 | Ibm | Persistent flow identifiers enabling disparate applications |
CN107018096A (en) * | 2017-05-03 | 2017-08-04 | 成都国腾实业集团有限公司 | Method for data analysis and restoration based on application layer protocol |
CN107682669B (en) * | 2017-09-26 | 2019-12-03 | 北京空间技术研制试验中心 | Multi-channel video parallel display method for the communication of world network video |
CN107666486A (en) * | 2017-09-27 | 2018-02-06 | 清华大学 | Network data flow restoration method and system based on message protocol features |
CN109818904A (en) * | 2017-11-21 | 2019-05-28 | 中兴通讯股份有限公司 | Internet-of-Things terminal data flow processing method and device |
CN109995740A (en) * | 2018-01-02 | 2019-07-09 | 国家电网公司 | Threat detection method based on deep protocol analysis |
CN108965267A (en) * | 2018-06-28 | 2018-12-07 | 北京车和家信息技术有限公司 | Network attack processing method, device and vehicle |
CN108965267B (en) * | 2018-06-28 | 2021-04-02 | 北京车和家信息技术有限公司 | Network attack processing method and device and vehicle |
CN109902055A (en) * | 2019-01-16 | 2019-06-18 | 北京左江科技股份有限公司 | SLIP-encoded data stream transmission method suitable for narrow-band data networks |
CN109902055B (en) * | 2019-01-16 | 2023-01-10 | 北京左江科技股份有限公司 | SLIP-encoded data stream transmission method suitable for narrow-band data networks |
CN110309698A (en) * | 2019-03-21 | 2019-10-08 | 绵阳师范学院 | Automatic identification method of abnormal behavior of moving human body |
CN110753050A (en) * | 2019-10-22 | 2020-02-04 | 网易(杭州)网络有限公司 | Method and device for generating protocol document, computer storage medium and electronic equipment |
CN111800296A (en) * | 2020-06-30 | 2020-10-20 | 西安微电子技术研究所 | Method, system, equipment and storage medium for capturing and analyzing network data of real-time system |
CN111800296B (en) * | 2020-06-30 | 2023-03-24 | 西安微电子技术研究所 | Method, system, equipment and storage medium for capturing and analyzing network data of real-time system |
CN113242250A (en) * | 2021-05-19 | 2021-08-10 | 苏州瑞立思科技有限公司 | Multiplexing protocol and transmission method |
CN113242250B (en) * | 2021-05-19 | 2023-10-24 | 苏州瑞立思科技有限公司 | Multiplexing protocol and transmission method |
CN113422699A (en) * | 2021-06-22 | 2021-09-21 | 中国电信股份有限公司 | Data stream processing method and device, computer readable storage medium and electronic equipment |
CN114666253A (en) * | 2022-03-09 | 2022-06-24 | 成都安恒信息技术有限公司 | A method and system based on data packet parsing software and testing application |
CN115277880A (en) * | 2022-06-17 | 2022-11-01 | 奇安信科技集团股份有限公司 | Network message analysis method and device |
CN115277880B (en) * | 2022-06-17 | 2024-04-19 | 奇安信科技集团股份有限公司 | Network message parsing method and device |
CN115277244A (en) * | 2022-08-05 | 2022-11-01 | 四川启睿克科技有限公司 | Industrial Internet intrusion detection system and method |
CN115277244B (en) * | 2022-08-05 | 2023-07-25 | 四川启睿克科技有限公司 | Intrusion detection system and method for industrial Internet |
CN116962551A (en) * | 2023-07-28 | 2023-10-27 | 中科驭数(北京)科技有限公司 | DPI security detection method based on DPU application-layer message reassembly |
CN116962551B (en) * | 2023-07-28 | 2024-03-19 | 中科驭数(北京)科技有限公司 | DPI security detection method based on DPU application-layer message reassembly |
Similar Documents
Publication | Title |
---|---|
CN103780610A (en) | Network data recovery method based on protocol characteristics |
CN107666486A (en) | Network data flow restoration method and system based on message protocol features |
EP3304853B1 (en) | Detection of malware and malicious applications |
US9961095B2 (en) | System and method for extracting and preserving metadata for analyzing network communications |
CN101789931B (en) | Network intrusion detection system and method based on data mining |
US7486673B2 (en) | Method and system for reassembling packets prior to searching |
US7623466B2 (en) | Symmetric connection detection |
US9210090B1 (en) | Efficient storage and flexible retrieval of full packets captured from network traffic |
US8180916B1 (en) | System and method for identifying network applications based on packet content signatures |
KR101295708B1 (en) | Apparatus for capturing traffic and apparatus, system and method for analyzing traffic |
CN112039904A (en) | Network traffic analysis and file extraction system and method |
US20150304184A1 (en) | Systems and methods for extracting structured application data from a communications link |
CN106330584B (en) | Service flow identification method and device |
CN103905406B (en) | Method and device for detecting invalid firewall policies |
CN105024971A (en) | Communication protocol conversion method and device |
CN102307123A (en) | NAT (Network Address Translation) flow identification method based on transport-layer flow characteristics |
CN114124551B (en) | Malicious encrypted traffic identification method based on multi-granularity feature extraction under the WireGuard protocol |
CN110661807A (en) | Automatic acquisition method and device for IPv6 addresses |
CN102316074A (en) | HTTP (Hypertext Transfer Protocol) multithreaded restoration method based on libnids |
CN115664833A (en) | Network hijacking detection method based on local area network security equipment |
CN101753456A (en) | Method and system for detecting peer-to-peer network traffic |
Wagener et al. | Towards an estimation of the accuracy of TCP reassembly in network forensics |
US20230254225A1 (en) | Generating hybrid network activity records |
KR101087761B1 (en) | Traffic classification device and method for classifying Skype traffic data |
Salem et al. | Transforming voluminous data flow into continuous connection vectors for IDS |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 2014-05-07 |