CN103200045B - A method for identifying P2P traffic based on real-time behavioural characteristics - Google Patents
A method for identifying P2P traffic based on real-time behavioural characteristics
- Publication number
- CN103200045B (application CN201310094611.2A)
- Authority
- CN
- China
- Prior art keywords
- applies
- port
- identification
- connection
- flow
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a method for identifying P2P traffic based on real-time behavioural characteristics. The method comprises: acquiring the information of all connections under the current IP; judging, from the acquired connection information, whether the ports of the connections show an aggregation distribution phenomenon or a sequence distribution phenomenon; checking the application to which the connections showing port aggregation distribution or sequence distribution belong, and, if a P2P application is present, identifying those connections as that P2P application, otherwise identifying them as "other P2P application"; and carrying out sequential sampling tracking of the "other P2P application" connections and performing association identification. The invention solves the problem of identifying traffic that belongs to P2P but does not meet the preconditions of port association and data transfer association.
Description
Technical field
The present invention relates to the field of Internet technology, and in particular to a method for identifying P2P traffic based on real-time behavioural characteristics.
Background technology
Traditional P2P traffic identification methods rely mainly on application-layer data feature detection and fixed-port detection. Application-layer feature detection can only identify traffic when the P2P software connects to a fixed domain name or host, and fixed-port detection has very poor precision because most current P2P protocols use random ports or protocol camouflage.
To identify P2P traffic effectively, port association and data transfer association have also been proposed. The precondition of port association is that, among the connections on a listening port or on newly created adjacent ports, at least one must already have been recognised by content; otherwise no association can be made. The precondition of data transfer association is that certain common characteristics of P2P traffic must first be met, but these characteristics do not hold for all P2P traffic: for example, one such condition requires the protocol port to be greater than 4096, which not all P2P traffic satisfies. In other words, both port association and data transfer association can only associate once a certain precondition is met, and P2P traffic that does not meet these conditions cannot be identified successfully.
Summary of the invention
(1) technical problem to be solved
The object of the present invention is to provide a method for identifying P2P traffic using real-time behavioural characteristics, solving the problem of identifying traffic that belongs to P2P but does not meet the preconditions of port association and data transfer association.
(2) technical scheme
The invention provides a method for identifying P2P traffic based on real-time behavioural characteristics, the method comprising:
S1, acquiring the information of all connections under the current IP;
S2, judging, from the acquired connection information, whether the ports of the connections show an aggregation distribution phenomenon or a sequence distribution phenomenon;
S3, checking the application to which the connections showing port aggregation distribution or sequence distribution belong; if a P2P application is present, identifying those connections as that P2P application, otherwise identifying them as "other P2P application";
S4, carrying out sequential sampling tracking of the "other P2P application" connections and performing association identification.
The information in step S1 comprises the five-tuple of the connection, the application it belongs to, and its creation time.
Step S2 comprises: if the connection is a UDP connection, counting the number of connections on the same port and judging whether port aggregation distribution occurs from the ratio of that number to all connections under the current IP; if the connection is a TCP connection, judging whether port sequence distribution occurs from the ratio of the number of connections on adjacent ports to all connections under the current IP, together with the time distribution of the connections.
(3) beneficial effect
Traditional content recognition can identify only a small part of P2P protocol traffic, and connections that truly belong to P2P traffic but do not meet the preconditions of port association and data transfer association are not few. The present invention proposes a method for identifying P2P protocols using real-time behavioural characteristics. Compared with conventional methods, it drops the constraint of port association and data transfer association that "one part must first be identified": traffic showing the phenomenon is identified directly as "other P2P application" and association identification is then performed, which raises the protocol identification rate and effectively supplements the existing P2P identification mechanisms.
Accompanying drawing explanation
Fig. 1 is a flow chart of the steps of the method provided by the invention.
Embodiment
The present invention is described in further detail below with reference to the drawing and specific embodiments.
The invention provides a method for identifying P2P traffic based on real-time behavioural characteristics. The real-time behavioural characteristics are the sequence distribution of TCP ports and the aggregation distribution of UDP ports, both of which are real-time behavioural characteristics of P2P protocols. Sequence distribution of TCP ports means that the TCP connections of an application use ports that appear in sequence, that is, adjacent ports, for example several TCP connections on ports 4945, 4947, 4912 and 4943. Aggregation distribution of UDP ports means that the UDP connections of an application all use exactly the same port, for example several UDP connections on port 4015. As shown in Fig. 1, the steps of the method are:
S1, acquiring the information of all connections under the current IP;
The information of all connections is acquired, including the five-tuple of each connection, its creation time and the application it belongs to.
S2, judging, from the acquired connection information, whether the ports of the connections show an aggregation distribution phenomenon or a sequence distribution phenomenon;
From the acquired connection information: if a connection is a UDP connection, the number of connections on the same port is counted, and whether port aggregation distribution occurs is judged from the ratio of that number to all connections under the current IP; if it is a TCP connection, whether port sequence distribution occurs is judged from the ratio of the number of connections on adjacent ports to all connections under the current IP, together with the time distribution of the connections. Not every connection needs to be judged; only the connections of interest, namely those belonging to P2P protocols, unknown protocols and data transfer protocols, are judged.
The concrete process of judging the UDP port aggregation phenomenon: for one UDP connection, obtain its five-tuple and thereby its port, assumed to be A; when the next UDP connection arrives, obtain its five-tuple and check whether its port is also A; and so on. If the UDP connections whose port is A reach a certain ratio of all connections under this IP, the ports of these connections are considered to show aggregation distribution. The "certain ratio" is tuned continuously according to experimental results and set to the value at which the results are best.
The process of judging the TCP port sequence distribution phenomenon: for one TCP connection, obtain its five-tuple and thereby its port, assumed to be 4015; when the next connection arrives, obtain its five-tuple and suppose its port is 4018; and so on. If the connections whose ports lie within a certain range of each other (for example, a port difference of plus or minus 32) reach a certain ratio of all connections under this IP, and the creation times of these connections are close, the ports of these connections are considered to show sequence distribution. Multiple constraints are used here to make the identification more accurate: the sequence distribution of ports must appear within a short time range.
S3, checking the application to which the connections showing port aggregation distribution or sequence distribution belong; if a P2P application is present, identifying those connections as that P2P application, otherwise identifying them as "other P2P application";
When the port distribution phenomenon appears, if the application to which these connections belong is a P2P application, for example Xunlei, all of these connections are identified as Xunlei; if it is not a P2P application but an unknown application or a data transfer application, all of these connections are identified as "other P2P application".
S4, carrying out sequential sampling tracking of the "other P2P application" connections and performing association identification.
For the packets within a connection identified as "other P2P application", for example, the 1st packet of the connection participates in identification once, the 8th packet once, the 16th packet once, and so on, rather than every packet going through the identification process. Sampling tracking is done to save performance: running the association identification process on every packet of an "other P2P application" connection would be very expensive and unnecessary.
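The following is an added example, not code from the patent, that implements steps S1 to S4 as described above over a set of constructed connection records. The ratio thresholds, the time window, the set of recognised P2P application names, the assumption that the port of interest is the port on the inspected host's side of the five-tuple, and the sample connections are all assumptions for illustration; the patent only states that the ratios are tuned experimentally and that adjacent means a port difference within plus or minus 32. The association identification that S4 feeds sampled packets into is outside the page and is not implemented.

```python
"""Added example (not the patent's own code): steps S1-S4 of the real-time
behavioural P2P classifier over constructed connection records."""
from collections import Counter
from dataclasses import dataclass

# Assumed thresholds; the patent only says the ratios are tuned experimentally.
AGG_RATIO = 0.3       # share of the host's connections on one UDP port
SEQ_RATIO = 0.3       # share of the host's connections in one adjacent-port cluster
PORT_WINDOW = 32      # "port difference of plus or minus 32"
TIME_WINDOW = 5.0     # seconds; creation times must be close (assumed value)
KNOWN_P2P = {"xunlei", "bittorrent"}             # assumed recognised P2P apps
OF_INTEREST = KNOWN_P2P | {"unknown", "data"}    # the only connections S2 judges
SAMPLE_STRIDE = 8                                # S4: 1st, 8th, 16th ... packet
OTHER_P2P = "other P2P application"


@dataclass(frozen=True)
class Conn:
    proto: str       # "tcp" or "udp"
    src_ip: str      # five-tuple; src is the inspected host (assumption)
    src_port: int
    dst_ip: str
    dst_port: int
    app: str         # application the connection is attributed to (S1)
    created: float   # creation time in seconds (S1)


def connections_under_ip(conns, ip):
    """S1: the inspected host's connections that S2 needs to look at."""
    return [c for c in conns if c.src_ip == ip and c.app in OF_INTEREST]


def udp_aggregation(conns):
    """S2, UDP: the largest group of UDP connections sharing one port, if it
    is at least AGG_RATIO of all the host's connections; otherwise []."""
    udp = [c for c in conns if c.proto == "udp"]
    if not udp:
        return []
    port, n = Counter(c.src_port for c in udp).most_common(1)[0]
    if n / len(conns) < AGG_RATIO:
        return []
    return [c for c in udp if c.src_port == port]


def tcp_sequence(conns):
    """S2, TCP: the largest cluster of TCP connections whose ports lie within
    PORT_WINDOW of an anchor connection and whose creation times lie within
    TIME_WINDOW of it, if at least SEQ_RATIO of all connections; else []."""
    tcp = [c for c in conns if c.proto == "tcp"]
    best = []
    for anchor in tcp:
        cluster = [c for c in tcp
                   if abs(c.src_port - anchor.src_port) <= PORT_WINDOW
                   and abs(c.created - anchor.created) <= TIME_WINDOW]
        if len(cluster) > len(best):
            best = cluster
    if not conns or len(best) / len(conns) < SEQ_RATIO:
        return []
    return best


def label_group(group):
    """S3: a group showing the phenomenon takes the name of the P2P application
    its connections are attributed to; otherwise it is 'other P2P'."""
    p2p = sorted({c.app for c in group} & KNOWN_P2P)
    return p2p[0] if p2p else OTHER_P2P


def classify(conns, ip):
    """S1-S3 for one host: {Conn: label} for every flagged connection."""
    mine = connections_under_ip(conns, ip)
    result = {}
    for group in (udp_aggregation(mine), tcp_sequence(mine)):
        tag = label_group(group) if group else None
        for c in group:
            result[c] = tag
    return result


def participates_in_identification(pkt_index):
    """S4: only the 1st, 8th, 16th ... packet of an 'other P2P' connection is
    passed to association identification (pkt_index counts from 1)."""
    return pkt_index == 1 or pkt_index % SAMPLE_STRIDE == 0


# Constructed sample: host 10.0.0.5 opens a burst of unknown TCP connections on
# adjacent ports, four UDP connections on one port attributed to xunlei, and
# two HTTP connections that S2 does not examine.
HOST = "10.0.0.5"
SAMPLE = [
    Conn("tcp", HOST, p, "203.0.113.%d" % i, 6881, "unknown", 0.5 * i)
    for i, p in enumerate([4945, 4947, 4912, 4943, 4950, 4930])
] + [
    Conn("udp", HOST, 4015, "198.51.100.%d" % i, 4015 + i, "xunlei", 10.0 + i)
    for i in range(4)
] + [
    Conn("tcp", HOST, 52000 + i, "192.0.2.1", 80, "http", 100.0 + i)
    for i in range(2)
]

if __name__ == "__main__":
    for conn, tag in sorted(classify(SAMPLE, HOST).items(),
                            key=lambda kv: (kv[0].proto, kv[0].src_port)):
        print(f"{conn.proto} {conn.src_port:5d} {conn.app:8s} -> {tag}")
```

The denominator of both ratios is the number of connections of interest under the host, as the text specifies, so a host with much unrelated traffic still shows the phenomenon if the P2P burst is large enough; the creation-time constraint is what separates a genuine sequence distribution from unrelated connections that merely happen to land on nearby ephemeral ports over a long period.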
The final purpose of the invention is to identify the concrete P2P application: connections are first identified as "other P2P application" and an association mechanism is then used for further identification, which improves identification precision and supplements existing identification methods.
The above is only the preferred embodiment of the present invention. It should be pointed out that those skilled in the art can make further improvements and substitutions without departing from the technical principle of the present invention, and such improvements and substitutions should also be regarded as within the scope of protection of the present invention.
Claims (3)
1. A method for identifying P2P traffic based on real-time behavioural characteristics, characterised in that the method comprises:
S1, acquiring the information of all connections under the current IP;
S2, judging, from the acquired connection information, whether the ports of the connections show a sequence distribution phenomenon;
S3, checking the application to which the connections showing port sequence distribution belong; if a P2P application is present, identifying those connections as that P2P application, otherwise identifying them as "other P2P application";
S4, carrying out sequential sampling tracking of the "other P2P application" connections and performing association identification.
2. The method of claim 1, characterised in that the information in step S1 comprises the five-tuple of the connection, the application it belongs to, and its creation time.
3. The method of claim 1, characterised in that step S2 comprises: if the connection is a TCP connection, judging whether port sequence distribution occurs from the ratio of the number of connections on adjacent ports to all connections under the current IP, together with the time distribution of the connections.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310094611.2A CN103200045B (en) | 2013-03-22 | 2013-03-22 | A kind of method based on real-time behavioural characteristic identification P2P flow |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310094611.2A CN103200045B (en) | 2013-03-22 | 2013-03-22 | A kind of method based on real-time behavioural characteristic identification P2P flow |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103200045A CN103200045A (en) | 2013-07-10 |
| CN103200045B true CN103200045B (en) | 2016-04-20 |
Family
ID=48722411
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310094611.2A Expired - Fee Related CN103200045B (en) | 2013-03-22 | 2013-03-22 | A kind of method based on real-time behavioural characteristic identification P2P flow |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103200045B (en) |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7120691B2 (en) * | 2002-03-15 | 2006-10-10 | International Business Machines Corporation | Secured and access controlled peer-to-peer resource sharing method and apparatus |
| CN102055627B (en) * | 2011-01-04 | 2012-06-13 | 深信服网络科技(深圳)有限公司 | Method and device for identifying peer-to-peer (P2P) application connection |
Events
- 2013-03-22: application CN201310094611.2A filed in CN, granted as CN103200045B; status Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| CN103200045A (en) | 2013-07-10 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20160420; Termination date: 20180322 ||