CN120301804A - Conversation direction identification method, device, electronic device and storage medium - Google Patents

Info

Publication number
CN120301804A
Authority
CN
China
Prior art keywords
information
message
destination
session
syn
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202510786980.0A
Other languages
Chinese (zh)
Inventor
李永辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Abt Networks Co ltd
Original Assignee
Beijing Abt Networks Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Abt Networks Co ltd
Priority to CN202510786980.0A
Publication of CN120301804A

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The present application provides a method, device, electronic device and storage medium for identifying the direction of a session, the method comprising: after two devices establish a session connection, obtaining messages transmitted between the two devices; in the case where it is detected that the first destination IP information and the first destination port information exist in the information cache table, determining that the device corresponding to the first destination IP information is the message receiver, and the device corresponding to the first source IP information of the first message is the message sender; in the case where it is detected that the first destination IP information and the first destination port information do not exist in the information cache table, detecting whether the session between the two devices is a TCP session according to the first protocol type information of the first message; in the case where it is detected that the session between the two devices is a TCP session, determining the message receiver and the message sender in the two devices according to the protocol type information of the first N messages obtained. The present application can realize fast and accurate identification of the direction of a session between two devices.

Description

Session direction identification method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of communications testing, and in particular, to a method and apparatus for identifying a session direction, an electronic device, and a storage medium.
Background
A session is a process with a start, an intermediate interaction, and an end, which may be performed between different devices, applications, or users. For example, in network chat, the whole process from when a user opens a chat window to start communication with the other party to when the user closes the window to end communication is a session. In the field of computer science and communications, a session refers to a series of related information exchange processes between two or more participants in order to accomplish a particular task or to interact with each other. In network communication, a session is a data exchange process performed between two nodes through a network protocol, such as the connection and data transmission between a client and a server over HTTP, TCP, and the like. For example, when a user accesses a web site through a browser, the whole process from sending the request to receiving the response constitutes a network session.
Session management refers to a series of processes for creating, maintaining, tracking, and controlling sessions in the fields of computer systems, network communications, and the like. The session direction in session management refers to the flow direction of data transmission or, more generally, the direction from a client to a server for initiating a session during network communication interaction. The identification of the session direction can better identify and manage the state of the session, identify the device attributes at both ends of the session establishment, and the like. For example, a computer (source IP:192.168.1.100, source port: 5000) sends a request to a server (destination IP:10.0.0.1, destination port: 80), and the session direction is from the computer to the server.
In the related art, the session direction is generally identified based on the IP address and the port number; that is, at the network layer and the transport layer, the source IP address and the source port number identify the sender of a message, and the destination IP address and the destination port number identify the receiver of the message. However, because both devices transmit messages to each other during a session, identifying the session direction based on the IP address and the port number alone has low accuracy and low efficiency.
Disclosure of Invention
In view of the above, the present application provides a method, apparatus, electronic device and storage medium for identifying a session direction, which can implement rapid and accurate identification of a session direction between two devices.
The first aspect of the embodiment of the application provides a session direction identification method, which comprises: acquiring the messages transmitted between two devices after the two devices establish a session connection, wherein each message carries source IP information, source port information, destination IP information, destination port information and protocol type information; detecting whether first destination IP information and first destination port information of the acquired first message exist in an information cache table, wherein the information cache table stores historical destination ID information of a plurality of servers and at least one historical destination port information corresponding to each historical destination ID information; when it is detected that the first destination IP information and the first destination port information exist in the information cache table, determining that the device corresponding to the first destination IP information is a message receiver and that the device corresponding to first source IP information of the first message is a message sender; when it is detected that the first destination IP information and the first destination port information do not exist in the information cache table, detecting whether the session carried out by the two devices is a TCP session according to first protocol type information of the first message; and, when it is detected that the session carried out by the two devices is a TCP session, determining the message receiver and the message sender in the two devices according to the protocol type information of the first N acquired messages, wherein N is an integer greater than 1.
Compared with the related art, the embodiment of the application has the advantages that by establishing the information cache table, because the information cache table stores the historical destination ID information of a plurality of servers and at least one historical destination port information corresponding to each historical destination ID information, when the first destination IP information and the first destination port information are detected to exist in the information cache table, the first message is indicated to be sent to the server through the client, that is, the equipment corresponding to the first destination IP information can be determined to be a message receiver, and the equipment corresponding to the first source IP information is a message sender. On one hand, the method can rapidly detect the message sender and the message receiver based on the information carried by the first message and the information cache table, so that the efficiency of identifying the conversation direction is improved, and on the other hand, the information cache table stores historical data when historical equipment carries out conversation, so that the accuracy of identifying the conversation direction is improved. 
Under the condition that the first destination IP information and the first destination port information are detected not to exist in the information cache table, as each message carries protocol type information, whether the session carried out by two devices is a TCP session or not can be detected through the first protocol type information of the first message, and under the condition that the session carried out by the two devices is the TCP session, a message receiver and a message sender are determined based on the acquired protocol type information of the first N messages, and when the message receiver and the message sender cannot be determined based on the first destination IP information and the first destination port information, the message receiver and the message sender can be determined through the characteristics of the TCP session, so that the reliability of the session direction identification method is improved, and the session direction identification method provided by the application can accurately detect the session direction under different scenes.
In one possible implementation manner, determining the message receiver and the message sender in the two devices according to the acquired protocol type information of the first N messages includes: detecting whether a SYN message or a SYN-ACK message exists in the first N messages according to the protocol type information of the first N messages; and executing a session direction determination policy when it is detected that a SYN message or a SYN-ACK message exists. The session direction determination policy includes: when a SYN message is detected, determining that the device corresponding to second destination IP information of the SYN message is the message receiver and that the device corresponding to second source IP information of the SYN message is the message sender; and when a SYN-ACK message is detected, determining that the device corresponding to third destination IP information of the SYN-ACK message is the message sender and that the device corresponding to third source IP information of the SYN-ACK message is the message receiver.
In one possible implementation manner, acquiring the messages transmitted between the two devices includes caching the messages transmitted between the two devices one by one, and determining the message receiver and the message sender in the two devices according to the acquired protocol type information of the first N messages includes determining the message receiver and the message sender according to the protocol type information of the cached first N messages. The method further includes: when it is detected that neither a SYN message nor a SYN-ACK message exists in the first N messages, detecting whether a SYN message or a SYN-ACK message exists in the remaining cached messages, and executing the session direction determination policy when one is detected in the remaining messages.
In one possible implementation manner, the method further comprises: determining the interaction characteristic of the messages when it is detected that the session carried out by the two devices is not a TCP session, or when it is detected that neither a SYN message nor a SYN-ACK message exists in the remaining messages; detecting whether the protocol of the session is an application layer protocol according to the interaction characteristic; and identifying the message receiver and the message sender according to the interaction characteristic when it is detected that the protocol of the session is an application layer protocol.
In a possible implementation manner, the method further includes detecting whether the first destination IP information exists in the information cache table and whether the first destination port information is smaller than first source port information of the first message or not when it is detected that the protocol of the session is not the application layer protocol, and determining that a device corresponding to the first destination IP information and the first destination port information is the message receiver and a device corresponding to the first source IP information and the first source port information is the message sender when it is detected that the first destination IP information exists in the information cache table and the first destination port information is smaller than the first source port information.
In one possible implementation manner, the method further comprises: when it is detected that the first destination IP information does not exist in the information cache table, or that the first destination port information is greater than or equal to the first source port information, detecting whether the first destination port information is greater than a first preset threshold value and whether the first source port information is smaller than a second preset threshold value, wherein the first preset threshold value is greater than the second preset threshold value; and, when it is detected that the first destination port information is greater than the first preset threshold value and the first source port information is smaller than the second preset threshold value, determining that the device corresponding to the first destination IP information and the first destination port information is the message sender, and that the device corresponding to the first source IP information and the first source port information is the message receiver.
In one possible implementation manner, the method further includes determining that the device corresponding to the first destination IP information and the first destination port information is the message receiver, and the device corresponding to the first source IP information and the first source port information is the message sender, when the first destination port information is detected to be smaller than or equal to the first preset threshold value or the first source port information is detected to be larger than or equal to the second preset threshold value.
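The decision cascade described in the implementations above (cache lookup, SYN/SYN-ACK inspection, then the port rules), written out as an added example that is not part of the patent text. The class and function names, the threshold values 32768 and 1024, and the step that records a handshake-confirmed server in the cache are assumptions; the application layer identification step is left out because its interaction characteristics are not specified in this passage.

```python
"""Session direction cascade: cache lookup, TCP handshake flags, port rules."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SYN, ACK = 0x02, 0x10            # TCP flag bits
Endpoint = Tuple[str, int]       # (IP, port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                   # "TCP", "UDP", ...
    flags: int = 0               # TCP flags; 0 for non-TCP messages

    @property
    def src(self) -> Endpoint:
        return (self.src_ip, self.src_port)

    @property
    def dst(self) -> Endpoint:
        return (self.dst_ip, self.dst_port)


@dataclass(frozen=True)
class Direction:
    sender: Endpoint             # message sender (session initiator)
    receiver: Endpoint           # message receiver (server side)
    rule: str                    # which rule decided; names are hypothetical


class ServerCache:
    """Information cache table: server IP -> set of known server ports."""

    def __init__(self) -> None:
        self._ports: Dict[str, Set[int]] = {}

    def add(self, ep: Endpoint) -> None:
        self._ports.setdefault(ep[0], set()).add(ep[1])

    def has_ip(self, ip: str) -> bool:
        return ip in self._ports

    def has(self, ep: Endpoint) -> bool:
        return ep[1] in self._ports.get(ep[0], set())


def _from_handshake(pkts: List[Packet]) -> Optional[Direction]:
    """Apply the session direction determination policy to the first
    SYN or SYN-ACK message found in pkts."""
    for p in pkts:
        if p.proto != "TCP" or not p.flags & SYN:
            continue
        if p.flags & ACK:        # SYN-ACK travels server -> client
            return Direction(sender=p.dst, receiver=p.src, rule="syn-ack")
        return Direction(sender=p.src, receiver=p.dst, rule="syn")
    return None


def identify(packets: List[Packet], cache: ServerCache, n: int = 3,
             first_threshold: int = 32768,      # assumed value
             second_threshold: int = 1024) -> Direction:  # assumed value
    if not packets:
        raise ValueError("no cached messages for this session")
    first = packets[0]
    # 1. First message's destination is a known server endpoint.
    if cache.has(first.dst):
        return Direction(first.src, first.dst, "cache")
    # 2. TCP: look for SYN / SYN-ACK in the first N, then the remaining messages.
    if first.proto == "TCP":
        found = _from_handshake(packets[:n]) or _from_handshake(packets[n:])
        if found:
            cache.add(found.receiver)   # assumption: confirmed servers feed the table
            return found
    # (Application layer identification would run here; not modelled.)
    # 3. Known server IP and destination port lower than source port.
    if cache.has_ip(first.dst_ip) and first.dst_port < first.src_port:
        return Direction(first.src, first.dst, "known-ip-lower-port")
    # 4. High destination port, low source port: first message is a reply.
    if first.dst_port > first_threshold and first.src_port < second_threshold:
        return Direction(first.dst, first.src, "port-threshold")
    # 5. Otherwise take the first message at face value.
    return Direction(first.src, first.dst, "default")
```
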
In a second aspect, the embodiment of the application further provides a session direction identifying device, which comprises an acquiring module, a first detecting module, a determining module and a second detecting module. The acquiring module is used for acquiring the messages transmitted between two devices after the two devices establish a session connection, wherein each message carries source IP information, source port information, destination IP information, destination port information and protocol type information. The first detecting module is used for detecting whether first destination IP information and first destination port information of the acquired first message exist in an information cache table, wherein the information cache table stores a plurality of historical destination ID information and at least one historical destination port information corresponding to each historical destination ID information. The determining module is used for determining, when the first detecting module detects that the first destination IP information and the first destination port information exist in the information cache table, that the device corresponding to the first destination IP information is a message receiver and that the device corresponding to first source IP information of the first message is a message sender. The second detecting module is used for detecting, when the first detecting module detects that the first destination IP information and the first destination port information do not exist in the information cache table, whether the session carried out by the two devices is a TCP session according to first protocol type information of the first message. The determining module is further used for determining, when the session is detected to be a TCP session, the message receiver and the message sender in the two devices according to the protocol type information of the first N acquired messages, wherein N is an integer greater than 1.
In a third aspect, an embodiment of the present application further provides an electronic device, where the electronic device includes a processor and a memory, where the memory is configured to store instructions, and the processor is configured to invoke the instructions in the memory, so that the electronic device performs the session direction identification method according to the first aspect.
In a fourth aspect, embodiments of the present application further provide a storage medium, where a computer readable storage medium stores computer instructions, which when executed on an electronic device, cause the electronic device to perform the session direction identification method according to the first aspect.
The technical effects obtained by the second, third and fourth aspects are similar to the technical effects obtained by the corresponding technical means in the first aspect, and are not described herein.
Drawings
Fig. 1 is a flowchart illustrating a step of a session direction recognition method according to an embodiment of the present application.
Fig. 2 is an application scenario diagram of session direction identification according to an embodiment of the present application.
Fig. 3 is a flowchart illustrating another step of a session direction recognition method according to an embodiment of the present application.
Fig. 4 is a flowchart illustrating a further step of a session direction identification method according to an embodiment of the present application.
Fig. 5 is a flowchart illustrating a further step of a session direction identification method according to an embodiment of the present application.
Fig. 6 is a functional block diagram of a session direction recognition device according to an embodiment of the present application.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order that the above-recited objects, features and advantages of the present application will be more clearly understood, a more particular description of the application will be rendered by reference to the appended drawings and appended detailed description. The embodiments of the present application and the features in the embodiments may be combined with each other without collision.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application, and the described embodiments are merely some, rather than all, of the embodiments of the present application.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein in the description of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.
It should be further noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The term "at least one" in the present application means one or more, and "a plurality" means two or more. "And/or" describes an association relationship of associated objects, meaning that there may be three relationships; e.g., A and/or B may mean that A exists alone, that A and B exist together, or that B exists alone, where A and B may be singular or plural. The terms "first," "second," "third," "fourth" and the like in the description and in the claims and drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order.
In embodiments of the application, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g." in an embodiment should not be taken as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
For ease of understanding, a description of some of the concepts related to the embodiments of the application are given by way of example for reference.
TCP (Transmission Control Protocol): a connection-oriented, reliable, byte-stream-based transport layer communication protocol. When TCP establishes a connection, the party that opens a socket and listens is called the server, and the party that opens a socket and actively initiates the connection is called the client. Establishing a connection requires three data transmissions, known as the three-way handshake. In the first handshake, the client enters the SYN-SENT state and then sends a SYN message, whose seq value is a random value generated according to time. In the second handshake, the server enters the SYN-RCVD state after receiving the SYN message and then returns a SYN-ACK message, whose seq value is the server's random value and whose ACK value is the seq of the received SYN message plus one. In the third handshake, the client enters the ESTABLISHED state after receiving the server's SYN-ACK message, the connection is established, and the client then sends an ACK message to the server.
Application layer protocol: defines how application processes running on different end systems transmit messages to each other. Application layer protocols include the Domain Name System (DNS), a network service that maps names to the IP addresses of network devices; the Simple Mail Transfer Protocol (SMTP), which implements e-mail transfer; the Hypertext Transfer Protocol (HTTP), which implements the WWW service; the Simple Network Management Protocol (SNMP), which manages and monitors network devices; and the Telnet protocol (Telnet), which implements remote login. It is understood that the application layer protocols also include other protocols not listed here.
Referring to fig. 1, fig. 1 is a flowchart illustrating steps of a method for identifying a session direction according to an embodiment of the application. The order of the steps in the flowchart may be changed and some steps may be omitted according to various needs. The session direction identification method of the present application can be applied to a session direction identifying device, but the embodiment of the present application is not limited thereto.
The specific flow of this embodiment is shown in fig. 1, and includes the following steps:
Step 101, after two devices establish session connection, obtaining messages transmitted by the two devices, where each message carries source IP information, source port information, destination IP information, destination port information, and protocol type information.
Specifically, the source IP information is a source IP address, i.e., the IP address of the computer that sends the data packet, and identifies the source of the data packet. The source port information is a source port number, i.e., the port number used by the computer sending the data packet, and identifies which application the data packet is sent from. The destination IP information is a destination IP address, i.e., the IP address of the computer receiving the data packet, and determines the destination of the data packet. The destination port information is a destination port number, i.e., the port number used by the computer receiving the data packet, and identifies which application the data packet should be submitted to for processing. The protocol type information includes the transmission protocol, i.e., the protocol used when sending the data packet, such as TCP or UDP.
In some embodiments, after two devices establish session connection, messages transmitted by the two devices are cached one by one. Specifically, in the process that two devices mutually transmit messages, the session direction recognition device caches the messages one by one according to the time sequence of message transmission.
Step 102, detecting whether the first destination IP information and the first destination port information of the obtained first message exist in the information cache table, executing step 103 if the first destination IP information and the first destination port information are detected to exist in the information cache table, otherwise executing step 104.
Specifically, the information cache table stores historical destination ID information of a plurality of servers and at least one historical destination port information corresponding to each historical destination ID information.
It can be understood that the information cache table in this embodiment is a server identification cache table, where the server identification cache table stores the history destination ID information and the history destination port information corresponding to the history confirmed message receiver, that is, the history IP address and the history port number of the server. It should be noted that, the IP address of one server may correspond to a plurality of port numbers.
Step 103, determining that the device corresponding to the first destination IP information is a message receiver, and determining that the device corresponding to the first source IP information of the first message is a message sender.
Step 104, detecting whether the session carried out by the two devices is a TCP session according to the first protocol type information of the first message, and determining a message receiver and a message sender in the two devices according to the acquired protocol type information of the first N messages when the session carried out by the two devices is detected to be the TCP session.
For ease of understanding, the following describes how the present application implements session direction identification in conjunction with fig. 2:
Referring to fig. 2, an application scenario diagram for session direction identification according to an embodiment of the present application is shown. The intranet equipment establishes session connection with the external network equipment through the core switch, and the session direction identification device is in communication connection with the core switch and is used for acquiring messages transmitted by the intranet equipment and the external network equipment when in session.
How to detect whether the session performed by the two devices is a TCP session according to the first protocol type information, and how to determine the message receiver and the message sender in the two devices according to the protocol type information of the first N messages are described in detail in the following embodiments, so that repetition is avoided, and details are not repeated here.
Compared with the related art, the embodiment of the application has the advantages that by establishing the information cache table, because the information cache table stores the historical destination ID information of a plurality of servers and at least one historical destination port information corresponding to each historical destination ID information, when the first destination IP information and the first destination port information are detected to exist in the information cache table, the first message is indicated to be sent to the server through the client, that is, the equipment corresponding to the first destination IP information can be determined to be a message receiver, and the equipment corresponding to the first source IP information is a message sender. On one hand, the method can rapidly detect the message sender and the message receiver based on the information carried by the first message and the information cache table, so that the efficiency of identifying the conversation direction is improved, and on the other hand, the information cache table stores historical data when historical equipment carries out conversation, so that the accuracy of identifying the conversation direction is improved. 
Under the condition that the first destination IP information and the first destination port information are detected not to exist in the information cache table, as each message carries protocol type information, whether the session carried out by two devices is a TCP session or not can be detected through the first protocol type information of the first message, and under the condition that the session carried out by the two devices is the TCP session, a message receiver and a message sender are determined based on the acquired protocol type information of the first N messages, and when the message receiver and the message sender cannot be determined based on the first destination IP information and the first destination port information, the message receiver and the message sender can be determined through the characteristics of the TCP session, so that the reliability of the session direction identification method is improved, and the session direction identification method provided by the application can accurately detect the session direction under different scenes.
Referring to fig. 3, fig. 3 is a flowchart illustrating steps of a method for identifying a session direction according to an embodiment of the application. The order of the steps in the flowchart may be changed and some steps may be omitted according to various needs. The session direction recognition method may be applied to the aforementioned session direction recognition device, but is not limited thereto, and the embodiment of the present application is not limited thereto.
This embodiment is a specific description of the foregoing embodiment, and mainly describes how to detect whether a session performed by two devices is a TCP session according to the first protocol type information, and how to determine a message receiver and a message sender in the two devices according to the protocol type information of the first N messages. In this way, the application scenarios of the session direction identification method can be broadened, so that the reliability of the session direction identification method is further improved.
The specific flow of this embodiment is shown in fig. 3, and includes the following steps:
Step 201, after two devices establish session connection, buffering the messages transmitted by the two devices one by one.
Step 202, detecting whether the first destination IP information and the first destination port information of the obtained first message exist in the information cache table, executing step 203 when detecting that the first destination IP information and the first destination port information exist in the information cache table, otherwise executing step 204.
Step 203, determining that the device corresponding to the first destination IP information is a message receiver, and the device corresponding to the first source IP information of the first message is a message sender.
Steps 201 to 203 of the present embodiment are similar to steps 101 to 103 of the foregoing embodiments, and are not repeated here.
Step 204, in the case that the session performed by the two devices is detected to be a TCP session according to the first protocol type information, detecting whether a SYN message or a SYN-ACK message exists in the first N messages according to the protocol type information of the first N messages, and executing step 205 in the case that the SYN message or the SYN-ACK message exists is detected, otherwise, executing step 206.
Specifically, N is an integer greater than 1.
In some embodiments, it is detected whether a SYN message or a SYN-ACK message exists in the first 3 messages according to the transmission protocol of the buffered first 3 messages.
Step 205, executing a session direction determination policy, where the session direction determination policy includes: when a SYN message is detected, determining that the device corresponding to the second destination IP information of the SYN message is the message receiver and the device corresponding to the second source IP information of the SYN message is the message sender; and when a SYN-ACK message is detected, determining that the device corresponding to the third destination IP information of the SYN-ACK message is the message sender and the device corresponding to the third source IP information of the SYN-ACK message is the message receiver.
Step 206, continuing to buffer the remaining messages of the session between the two devices.
Step 207, detecting whether there is SYN message or SYN-ACK message in the rest message, and executing the session direction determination strategy when detecting that there is SYN message or SYN-ACK message.
In some embodiments, after a SYN message or a SYN-ACK message is detected in the remaining messages, the destination IP information and destination port information corresponding to the determined message receiver are stored in the information cache table. In this way, the next time the same two devices hold a session in the same direction, the message sender and the message receiver can be determined quickly and accurately by the detection in step 202, which further improves the efficiency of session direction identification.
Compared with the related art, the embodiment of the application establishes an information cache table that stores the historical destination ID information of a plurality of servers and at least one historical destination port information corresponding to each historical destination ID information. When the first destination IP information and the first destination port information are detected to exist in the information cache table, this indicates that the first message was sent by the client to the server; that is, the device corresponding to the first destination IP information can be determined to be the message receiver, and the device corresponding to the first source IP information the message sender. On the one hand, the message sender and the message receiver can be detected quickly from the information carried by the first message and the information cache table, which improves the efficiency of session direction identification. On the other hand, because the information cache table stores historical data from earlier sessions between devices, the accuracy of session direction identification is improved.
Referring to Fig. 4, Fig. 4 is a flowchart illustrating the steps of a session direction identification method according to an embodiment of the application. The order of the steps in the flowchart may be changed and some steps may be omitted according to various needs. The session direction identification method may be applied to the aforementioned session direction identification device, but the embodiment of the present application is not limited thereto.
This embodiment is a further improvement over the previous embodiment. It describes how to determine the session direction between two devices when the session between the two devices is detected not to be a TCP session, or when no SYN message or SYN-ACK message is detected in the remaining messages. This further broadens the application scenarios of the session direction identification method and further improves its reliability.
The specific flow of this embodiment is shown in fig. 4, and includes the following steps:
Step 301, after two devices establish session connection, buffering the messages transmitted by the two devices one by one.
Step 302, detecting whether the first destination IP information and the first destination port information of the obtained first message exist in the information cache table, executing step 303 if the first destination IP information and the first destination port information are detected to exist in the information cache table, otherwise, executing step 304.
Step 303, determining that the device corresponding to the first destination IP information is a message receiver, and the device corresponding to the first source IP information of the first message is a message sender.
Step 304, detecting whether the session performed by the two devices is a TCP session according to the first protocol type information of the first message, executing step 305 if the session performed by the two devices is detected to be a TCP session, otherwise executing step 310.
Step 305, detecting whether there is a SYN message or a SYN-ACK message in the first N messages according to the protocol type information of the first N messages, executing step 306 if there is a SYN message or a SYN-ACK message, otherwise executing step 310.
Step 306, executing a session direction determination policy, where the session direction determination policy includes: when a SYN message is detected, determining that the device corresponding to the second destination IP information of the SYN message is the message receiver and the device corresponding to the second source IP information of the SYN message is the message sender; and when a SYN-ACK message is detected, determining that the device corresponding to the third destination IP information of the SYN-ACK message is the message sender and the device corresponding to the third source IP information of the SYN-ACK message is the message receiver.
Step 307, continue to buffer the rest of the session messages of the two devices.
Step 308, detecting whether there is SYN message or SYN-ACK message in the rest message, executing step 309 if there is SYN message or SYN-ACK message, otherwise executing step 310.
Step 309, a session direction determination policy is executed.
Step 310, determining the interaction characteristics of the message.
In some embodiments, for application layer protocols such as HTTP, DNS, SMTP, POP, IMAP, TLS, TELNET, FTP, SNMP, DHCP, SAMBA, TFTP, NTP, LDAP, MYSQL and PGSQL, the protocol characteristics are such that the client initiates the related request, connection or operation and the server responds. Therefore, after the protocol of the session messages is identified, the client and the server can be determined by analyzing the interaction characteristics of the messages.
Step 311, detecting whether the protocol of the session is an application layer protocol according to the interaction characteristics, and executing step 312 if the protocol of the session is detected as the application layer protocol, otherwise executing step 313.
Step 312, the message receiver and the message sender are identified according to the interaction characteristics.
In some embodiments, after the message receiver and the message sender are identified according to the interaction characteristics, the destination IP information and destination port information corresponding to the determined message receiver are stored in the information cache table. In this way, the next time the same two devices hold a session in the same direction, the message sender and the message receiver can be determined quickly and accurately by the detection in step 302, which further improves the efficiency of session direction identification.
For ease of understanding, the following describes how to identify the message receiver and the message sender according to the interaction characteristics:
1. In the case that the application layer protocol is the HTTP protocol: in HTTP interaction the client sends requests such as HTTP GET or POST, and the server, after receiving and processing the request, responds with something like HTTP/1.1 200 OK. From this interaction, the party initiating the HTTP GET, POST or other request can be confirmed to be the client, that is, the message sender, and the data receiving end is the server, that is, the message receiver.
2. In the case that the application layer protocol is the DNS protocol: in DNS interaction the client sends requests such as a DNS query, and the server, after receiving and processing the request, responds with a DNS query response. From this interaction, the party initiating the DNS query or other request is confirmed to be the client, and the data receiving end is the server.
3. In the case that the application layer protocol is a mail protocol (SMTP, POP3, IMAP): in mail protocol interaction, after the TCP connection succeeds, the server first sends the mail server state; the client then initiates operations such as an authentication request, and the server responds after receiving the request. Based on this interaction, the party that initiates the request can be confirmed, from the interaction commands, to be the client, and the data receiving end is the server.
Step 313, when it is detected that the first destination IP information exists in the information cache table and the first destination port information is smaller than the first source port information, determining that the device corresponding to the first destination IP information and the first destination port information is a message receiver, and the device corresponding to the first source IP information and the first source port information is a message sender.
Referring to Fig. 5, Fig. 5 is a flowchart illustrating the steps of a session direction identification method according to an embodiment of the application. The order of the steps in the flowchart may be changed and some steps may be omitted according to various needs. The session direction identification method may be applied to the aforementioned session direction identification device, but the embodiment of the present application is not limited thereto.
This embodiment is a further improvement of the foregoing embodiment. The main improvement is that the session direction is also identified when the first destination IP information is detected not to exist in the information cache table, or when the first destination port information is greater than or equal to the first source port information. This broadens the application scenarios of the session direction identification method and further improves its reliability.
The specific flow of this embodiment is shown in fig. 5, and includes the following steps:
Step 401, after two devices establish session connection, buffering the messages transmitted by the two devices one by one.
Step 402, detecting whether the first destination IP information and the first destination port information of the obtained first message exist in the information cache table, executing step 403 if the first destination IP information and the first destination port information are detected to exist in the information cache table, otherwise executing step 404.
Step 403, determining that the device corresponding to the first destination IP information is a message receiver, and the device corresponding to the first source IP information of the first message is a message sender.
Step 404, detecting whether the session carried out by the two devices is a TCP session according to the first protocol type information of the first message, executing step 405 if the session carried out by the two devices is detected to be the TCP session, otherwise executing step 410.
Step 405, according to the protocol type information of the first N buffered messages, detecting whether there is a SYN message or a SYN-ACK message in the first N messages, executing step 406 if there is a SYN message or a SYN-ACK message detected, otherwise, executing step 410.
Step 406, executing a session direction determination policy, where the session direction determination policy includes: when a SYN message is detected, determining that the device corresponding to the second destination IP information of the SYN message is the message receiver and the device corresponding to the second source IP information of the SYN message is the message sender; and when a SYN-ACK message is detected, determining that the device corresponding to the third destination IP information of the SYN-ACK message is the message sender and the device corresponding to the third source IP information of the SYN-ACK message is the message receiver.
Step 407, continuing to buffer the rest messages of the session carried out by the two devices.
Step 408, detecting whether there is a SYN message or a SYN-ACK message in the remaining messages, executing step 409 if there is a SYN message or a SYN-ACK message, otherwise executing step 410.
Step 409, a session direction determination policy is executed.
Step 410, determining the interaction characteristics of the message.
Step 411, detecting whether the protocol of the session is an application layer protocol according to the interaction characteristics, if so, executing step 412, otherwise, executing step 413.
Step 412, identifying the message receiver and the message sender according to the interaction characteristics.
Step 413, detecting whether the first destination IP information exists in the information cache table and whether the first destination port information is smaller than the first source port information of the first packet, if so, executing step 414, otherwise, executing step 415.
Step 414, determining that the device corresponding to the first destination IP information and the first destination port information is a message receiver, and the device corresponding to the first source IP information and the first source port information is a message sender.
Step 415, detecting whether the first destination port information is greater than a first preset threshold and the first source port information is less than a second preset threshold, executing step 416 if the first destination port information is detected to be greater than the first preset threshold and the first source port information is detected to be less than the second preset threshold, otherwise executing step 417.
Specifically, the first preset threshold is greater than the second preset threshold.
In some embodiments, the first preset threshold value is 30000 and the second preset threshold value is 10000. Comparing whether the first destination port information is larger than a first preset threshold value and whether the first source port information is smaller than a second preset threshold value, namely comparing whether the first destination port number is larger than 30000 and whether the first source port number is smaller than 10000.
Step 416, determining the device corresponding to the first destination IP information and the first destination port information as a message sender, and the device corresponding to the first source IP information and the first source port information as a message receiver.
Step 417, determining that the device corresponding to the first destination IP information and the first destination port information is a message receiver, and the device corresponding to the first source IP information and the first source port information is a message sender.
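The Fig. 5 flow (steps 401 to 417) as a runnable sketch, added here as an illustration and not code from the patent or its applicant. The `Packet` and `Direction` types, the rule names, the HTTP, mail and DNS signatures and the use of port 53 to recognise DNS are assumptions of this example; the 30000 and 10000 thresholds are the values given above, and all sample sessions are constructed.

```python
from dataclasses import dataclass

TCP, UDP = 6, 17                  # IP protocol numbers
SYN, ACK = 0x02, 0x10             # TCP flag bits
DST_PORT_THRESHOLD = 30000        # first preset threshold (value from the text)
SRC_PORT_THRESHOLD = 10000        # second preset threshold (value from the text)
# Assumed signatures for the "interaction characteristics" of steps 410-412.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")
MAIL_GREETINGS = (b"220 ", b"220-", b"+OK", b"* OK")   # SMTP, POP3, IMAP


@dataclass(frozen=True)
class Packet:                     # hypothetical record for one captured message
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    tcp_flags: int = 0
    payload: bytes = b""


@dataclass(frozen=True)
class Direction:
    sender: tuple                 # (ip, port) of the client
    receiver: tuple               # (ip, port) of the server
    rule: str                     # which step decided


def _as_sent(p, rule):
    """Source is the sender (client), destination is the receiver (server)."""
    return Direction((p.src_ip, p.src_port), (p.dst_ip, p.dst_port), rule)


def _reversed(p, rule):
    """The message travels server -> client, so the roles are swapped."""
    return Direction((p.dst_ip, p.dst_port), (p.src_ip, p.src_port), rule)


def _by_handshake(packets):
    """Steps 405-409. Scanning the whole buffer equals first N, then the rest."""
    for p in packets:
        if p.proto != TCP or not p.tcp_flags & SYN:
            continue
        return _reversed(p, "syn-ack") if p.tcp_flags & ACK else _as_sent(p, "syn")
    return None


def _by_interaction(packets):
    """Steps 410-412: who issues the request and who answers."""
    for p in packets:
        data = p.payload
        if data.startswith(HTTP_METHODS):
            return _as_sent(p, "http-request")
        if data.startswith(b"HTTP/"):
            return _reversed(p, "http-response")
        if p.proto == TCP and data.startswith(MAIL_GREETINGS):
            return _reversed(p, "mail-greeting")   # the server speaks first
        if 53 in (p.src_port, p.dst_port) and len(data) >= 12:
            # Top bit of DNS header byte 2 is QR: 0 = query, 1 = response.
            return _reversed(p, "dns-response") if data[2] & 0x80 else _as_sent(p, "dns-query")
    return None


def identify_direction(packets, cache):
    """cache maps server IP -> set of server ports (the information cache table)."""
    first = packets[0]
    if first.dst_port in cache.get(first.dst_ip, ()):            # steps 402-403
        return _as_sent(first, "cache")
    found = _by_handshake(packets) if first.proto == TCP else None
    found = found or _by_interaction(packets)
    if found:
        ip, port = found.receiver                                # remember the server
        cache.setdefault(ip, set()).add(port)
        return found
    if first.dst_ip in cache and first.dst_port < first.src_port:   # steps 413-414
        return _as_sent(first, "known-ip-lower-port")
    if first.dst_port > DST_PORT_THRESHOLD and first.src_port < SRC_PORT_THRESHOLD:
        return _reversed(first, "port-thresholds")               # steps 415-416
    return _as_sent(first, "default")                            # step 417


def run_samples():
    """Constructed sessions, one per decision path; returns (results, cache)."""
    cache = {"10.0.0.5": {443}}
    client = "192.168.1.10"
    sessions = [
        [Packet(client, 51000, "10.0.0.5", 443, TCP, ACK)],
        [Packet("10.0.0.9", 8443, client, 40000, TCP, SYN | ACK)],   # SYN was missed
        [Packet("10.0.0.8", 8080, client, 40002, TCP, ACK, b"HTTP/1.1 200 OK\r\n")],
        [Packet("10.0.0.53", 53, client, 53124, UDP, 0, b"\x12\x34\x81\x80" + bytes(8))],
        [Packet("10.0.0.7", 5060, client, 45000, UDP)],
        [Packet(client, 20000, "10.0.0.6", 25000, UDP)],
    ]
    return [identify_direction(s, cache) for s in sessions], cache


if __name__ == "__main__":
    for d in run_samples()[0]:
        print(f"{d.rule:16} client={d.sender} server={d.receiver}")
```

The second to fourth sample sessions start with a server-to-client message, the capture condition under which "first packet's source is the client" mislabels a flow in logs and detections.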
Based on the same ideas of the session direction identification method in the above embodiment, the present application also provides a session direction identification device that can be used to perform the above-described session direction identification method. For ease of illustration, only those portions of the structural schematic diagram of an embodiment of the session direction identification apparatus are shown, and those skilled in the art will appreciate that the illustrated structure is not limiting of the apparatus and may include more or fewer components than illustrated, or may combine certain components, or a different arrangement of components.
As shown in Fig. 6, the session direction identifying apparatus 60 includes an acquisition module 601, a first detection module 602, a determination module 603, and a second detection module 604. In some embodiments, the modules described above may be programmable software instructions stored in memory and callable for execution by a processor. It will be appreciated that in other embodiments, the modules may be program instructions or firmware resident in the processor.
An obtaining module 601, configured to obtain messages transmitted by two devices after session connection is established between the two devices, where each message carries source IP information, source port information, destination IP information, destination port information, and protocol type information;
A first detection module 602, configured to detect whether first destination IP information and first destination port information of an acquired first packet exist in an information cache table, where the information cache table stores a plurality of historical destination ID information and at least one historical destination port information corresponding to each of the historical destination ID information;
A determining module 603, configured to determine that, when the first detecting module 602 detects that the first destination IP information and the first destination port information exist in the information cache table, a device corresponding to the first destination IP information is a message receiver, and a device corresponding to the first source IP information of the first message is a message sender;
A second detection module 604, configured to detect, when the first detection module 602 detects that the first destination IP information and the first destination port information do not exist in the information cache table, whether a session performed by two devices is a TCP session according to first protocol type information of a first packet;
In the case that the second detection module 604 detects that the session performed by the two devices is a TCP session, the determining module 603 is further configured to determine the message receiving party and the message sending party in the two devices according to the acquired protocol type information of the first N messages, where N is an integer greater than 1.
Referring to Fig. 7, Fig. 7 is a schematic diagram of an electronic device according to an embodiment of the application.
The electronic device 100 comprises a memory 20, a processor 30 and a computer program 40 stored in the memory 20 and executable on the processor 30. The steps of the above-mentioned session direction identification method embodiment, for example, steps 101 to 104 shown in fig. 1, are implemented when the processor 30 executes the computer program 40.
By way of example, the computer program 40 may likewise be partitioned into one or more modules/units, which are stored in the memory 20 and executed by the processor 30. One or more of the modules/units may be a series of computer program instruction segments capable of performing particular functions to describe the execution of the computer program 40 in the electronic device 100. For example, it may be divided into an acquisition module 601, a first detection module 602, a determination module 603, and a second detection module 604 as shown.
It will be appreciated by those skilled in the art that the schematic diagram is merely an example of the electronic device 100 and does not constitute a limitation of the electronic device 100, and may include more or fewer components than shown, or may combine certain components, or different components, e.g., the electronic device 100 may further include an input-output device, a network access device, a bus, etc.
The processor 30 may be a central processing unit (CPU), but may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or a single-chip microcomputer, or the processor 30 may be any conventional processor or the like.
The memory 20 may be used to store computer programs 40 and/or modules/units, and the processor 30 implements various functions of the electronic device 100 by running or executing the computer programs and/or modules/units stored in the memory 20, as well as invoking data stored in the memory 20. The memory 20 may mainly include a program storage area, which may store an operating system, application programs required for at least one function (such as a sound playing function, an image playing function, etc.), and a data storage area, which may store data created according to the use of the electronic device 100 (such as audio data). In addition, the memory 20 may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, memory, plug-in hard disk, smart media card (SMC), Secure Digital (SD) card, flash card, at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
The integrated modules/units of the electronic device 100 may be stored in a storage medium if implemented in the form of software functional units and sold or used as a stand-alone product. Based on such understanding, the present application may implement all or part of the flow of the method of the above embodiment, or may be implemented by a computer program instructing related hardware, where the computer program may be stored in a storage medium, and the computer program may implement the steps of each method embodiment when executed by a processor. The computer program comprises computer program code, which may be in the form of source code, object code, executable files or some intermediate form. The storage medium may include any entity or device capable of carrying computer program code, a recording medium, a USB flash disk, a removable hard disk, a magnetic disk, an optical disk, computer memory, read-only memory (ROM), random access memory (RAM), electrical carrier signals, telecommunications signals, software distribution media, and so forth. It should be noted that the content of the storage medium may be appropriately increased or decreased according to the requirements of patent practice; for example, according to patent practice the storage medium does not include electrical carrier signals and telecommunications signals.
The session direction identifying method, apparatus, electronic device and storage medium provided by the present application have been described in detail, and specific examples are used herein to illustrate the principles and embodiments of the present application, and the description of the above examples is only for aiding in understanding the method and core concept of the present application, and meanwhile, for those skilled in the art, according to the concept of the present application, there are variations in the specific embodiments and application scope, and in summary, the present disclosure should not be construed as limiting the present application.

Claims (10)

1. A method for identifying a conversation direction, comprising:
after two devices establish a session connection, obtaining messages transmitted between the two devices, wherein each message carries source IP information, source port information, destination IP information, destination port information, and protocol type information;
detecting whether the first destination IP information and the first destination port information of the first message obtained exist in an information cache table, wherein the information cache table stores historical destination ID information of multiple servers and at least one historical destination port information corresponding to each of the historical destination ID information;
in the case where it is detected that the first destination IP information and the first destination port information exist in the information cache table, determining that the device corresponding to the first destination IP information is a message receiver, and the device corresponding to the first source IP information of the first message is a message sender;
in the case where it is detected that the first destination IP information and the first destination port information do not exist in the information cache table, detecting whether the session between the two devices is a TCP session according to the first protocol type information of the first message;
in the case where it is detected that the session between the two devices is a TCP session, determining the message receiver and the message sender in the two devices according to the acquired protocol type information of the first N messages, where N is an integer greater than 1.

2. The method for identifying the conversation direction according to claim 1, wherein determining the message receiver and the message sender in the two devices according to the acquired protocol type information of the first N messages comprises:
according to the protocol type information of the first N messages, detecting whether there is a SYN message or a SYN-ACK message in the first N messages;
in the case where the SYN message or the SYN-ACK message is detected, executing a session direction determination strategy, where the session direction determination strategy includes:
in the case where the SYN message is detected, determining that the device corresponding to the second destination IP information of the SYN message is the message receiver, and the device corresponding to the second source IP information of the SYN message is the message sender;
in the case where the SYN-ACK message is detected, determining that the device corresponding to the third destination IP information of the SYN-ACK message is the message sender, and the device corresponding to the third source IP information of the SYN-ACK message is the message receiver.

3. The method for identifying the conversation direction according to claim 2, wherein the acquiring of the messages transmitted between the two devices comprises:
caching the messages transmitted between the two devices one by one;
the determining of the message receiver and the message sender in the two devices according to the acquired protocol type information of the first N messages includes:
determining the message receiver and the message sender in the two devices according to the protocol type information of the cached first N messages;
the method further comprises:
when it is detected that the SYN message or the SYN-ACK message does not exist in the first N messages, continuing to cache the remaining messages of the session between the two devices;
detecting whether the SYN message or the SYN-ACK message exists in the remaining messages;
when the existence of the SYN message or the SYN-ACK message is detected, executing the session direction determination strategy.

4. The method for identifying the conversation direction according to claim 3, wherein the method further comprises:
The method for identifying the conversation direction according to claim 3, characterized in that the method further comprises: 在检测到所述两个设备进行的会话不为TCP会话,或检测到所述剩余报文中不存在所述SYN报文或所述SYN-ACK报文的情况下,确定所述报文的交互特征;When it is detected that the session between the two devices is not a TCP session, or when it is detected that the SYN message or the SYN-ACK message does not exist in the remaining messages, determining the interaction characteristics of the messages; 根据所述交互特征检测所述会话的协议是否为应用层协议;Detecting whether the protocol of the session is an application layer protocol according to the interaction feature; 在检测到所述会话的协议为所述应用层协议的情况下,根据所述交互特征识别所述报文接收方和所述报文发送方。When it is detected that the protocol of the session is the application layer protocol, the message receiver and the message sender are identified according to the interaction feature. 5.根据权利要求4所述的会话方向识别方法,其特征在于,所述方法还包括:5. The method for identifying a conversation direction according to claim 4, characterized in that the method further comprises: 在检测到所述会话的协议不为所述应用层协议的情况下,检测所述第一目的IP信息是否存在于所述信息缓存表中,且所述第一目的端口信息是否小于所述第一个报文的第一源端口信息;In the case where it is detected that the protocol of the session is not the application layer protocol, detecting whether the first destination IP information exists in the information cache table, and whether the first destination port information is smaller than the first source port information of the first message; 在检测到所述第一目的IP信息存在于所述信息缓存表中,且所述第一目的端口信息小于所述第一源端口信息的情况下,确定所述第一目的IP信息和所述第一目的端口信息对应的设备为所述报文接收方,所述第一源IP信息和所述第一源端口信息对应的设备为报文发送方。When it is detected that the first destination IP information exists in the information cache table and the first destination port information is smaller than the first source port information, it is determined that the device corresponding to the first destination IP information and the first destination port information is the message receiver, and the device corresponding to the first source IP information and the first source port information is the message sender. 
6.根据权利要求5所述的会话方向识别方法,其特征在于,所述方法还包括:6. The method for identifying the conversation direction according to claim 5, characterized in that the method further comprises: 在检测到所述第一目的IP信息不存在于所述信息缓存表中,或所述第一目的端口信息大于或等于所述第一源端口信息的情况下,检测所述第一目的端口信息是否大于第一预设阈值、且所述第一源端口信息是否小于第二预设阈值,其中,所述第一预设阈值大于所述第二预设阈值;In the case where it is detected that the first destination IP information does not exist in the information cache table, or the first destination port information is greater than or equal to the first source port information, detecting whether the first destination port information is greater than a first preset threshold and whether the first source port information is less than a second preset threshold, wherein the first preset threshold is greater than the second preset threshold; 在检测到所述第一目的端口信息大于所述第一预设阈值、且所述第一源端口信息小于所述第二预设阈值的情况下,确定所述第一目的IP信息和所述第一目的端口信息对应的设备为所述报文发送方,所述第一源IP信息和所述第一源端口信息对应的设备为报文接收方。When it is detected that the first destination port information is greater than the first preset threshold and the first source port information is less than the second preset threshold, it is determined that the device corresponding to the first destination IP information and the first destination port information is the message sender, and the device corresponding to the first source IP information and the first source port information is the message receiver. 7.根据权利要求6所述的会话方向识别方法,其特征在于,所述方法还包括:7. 
The method for identifying a conversation direction according to claim 6, characterized in that the method further comprises: 在检测到所述第一目的端口信息小于或等于所述第一预设阈值,或所述第一源端口信息大于或等于所述第二预设阈值的情况下,确定所述第一目的IP信息和所述第一目的端口信息对应的设备为所述报文接收方,所述第一源IP信息和所述第一源端口信息对应的设备为报文发送方。When it is detected that the first destination port information is less than or equal to the first preset threshold, or the first source port information is greater than or equal to the second preset threshold, it is determined that the device corresponding to the first destination IP information and the first destination port information is the message receiver, and the device corresponding to the first source IP information and the first source port information is the message sender. 8.一种会话方向识别装置,其特征在于,包括:获取模块、第一检测模块、确定模块以及第二检测模块;8. A conversation direction identification device, characterized by comprising: an acquisition module, a first detection module, a determination module and a second detection module; 所述获取模块用于在两个设备建立会话连接后,获取所述两个设备相互传输的报文,其中,每一所述报文均携带源IP信息、源端口信息、目的IP信息、目的端口信息以及协议类型信息;The acquisition module is used to acquire messages transmitted between the two devices after the two devices establish a session connection, wherein each of the messages carries source IP information, source port information, destination IP information, destination port information and protocol type information; 所述第一检测模块用于检测获取到的第一个报文的第一目的IP信息和第一目的端口信息是否存在于信息缓存表中,其中,所述信息缓存表中存储多个历史目的ID信息,及每一所述历史目的ID信息对应的至少一个历史目的端口信息;The first detection module is used to detect whether the first destination IP information and the first destination port information of the first message obtained exist in the information cache table, wherein the information cache table stores multiple historical destination ID information and at least one historical destination port information corresponding to each of the historical destination ID information; 所述确定模块用于在所述第一检测模块检测到所述第一目的IP信息和所述第一目的端口信息存在于所述信息缓存表的情况下,确定所述第一目的IP信息对应的设备为报文接收方,所述第一个报文的第一源IP信息对应的设备为报文发送方;The 
determination module is used to determine that the device corresponding to the first destination IP information is a message receiver, and the device corresponding to the first source IP information of the first message is a message sender when the first detection module detects that the first destination IP information and the first destination port information exist in the information cache table; 在所述第一检测模块检测到所述第一目的IP信息和所述第一目的端口信息不存在于所述信息缓存表的情况下,所述第二检测模块用于根据所述第一个报文的第一协议类型信息检测两个设备进行的会话是否为TCP会话;When the first detection module detects that the first destination IP information and the first destination port information do not exist in the information cache table, the second detection module is used to detect whether the session between the two devices is a TCP session according to the first protocol type information of the first message; 在所述第二检测模块检测到两个设备进行的会话为TCP会话的情况下,所述确定模块还用于根据获取到的前N个报文的所述协议类型信息确定所述两个设备中的所述报文接收方和所述报文发送方,其中,N为大于1的整数。When the second detection module detects that the session between the two devices is a TCP session, the determination module is also used to determine the message receiver and the message sender in the two devices based on the protocol type information of the first N messages obtained, where N is an integer greater than 1. 9.一种电子设备,所述电子设备包括处理器及存储器,其特征在于,所述存储器用于存储指令,所述处理器用于调用所述存储器中的指令,使得所述电子设备执行如权利要求1至权利要求7中任一项所述的会话方向识别方法。9. An electronic device, comprising a processor and a memory, wherein the memory is used to store instructions, and the processor is used to call the instructions in the memory, so that the electronic device executes the conversation direction identification method as described in any one of claims 1 to claim 7. 10.一种存储介质,其特征在于,所述存储介质存储计算机指令,当所述计算机指令在电子设备上运行时,使得所述电子设备执行如权利要求1至权利要求7中任一项所述的会话方向识别方法。10. 
A storage medium, characterized in that the storage medium stores computer instructions, and when the computer instructions are executed on an electronic device, the electronic device executes the conversation direction identification method according to any one of claims 1 to claim 7.
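The decision cascade of claims 1 to 7, as an added Python example that is not code from the patent or the applicant. The function and field names, the two threshold values, the `app_classifier` hook standing in for claim 4's unspecified interaction-feature step, and the sample addresses are all assumptions; the example scans an already buffered packet list in order, which covers the first N messages and then the remaining ones.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                       # "tcp", "udp", ...
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN", "ACK"}

# Assumed values: the claims only require first threshold > second threshold.
FIRST_THRESHOLD = 49152
SECOND_THRESHOLD = 1024

def identify_direction(packets, cache, app_classifier=None):
    """Return (sender_ip, receiver_ip, rule) for one session's buffered packets.

    cache maps a server IP to its set of known service ports (claim 1's
    information cache table). app_classifier is a hypothetical hook for
    claim 4; it returns (sender_ip, receiver_ip) or None.
    """
    first = packets[0]
    forward = (first.src_ip, first.dst_ip)   # first packet goes sender -> receiver
    reverse = (first.dst_ip, first.src_ip)   # first packet is a reply
    # Claim 1: destination IP and port are both in the cache table.
    if first.dst_port in cache.get(first.dst_ip, ()):
        return (*forward, "cache")
    # Claims 2-3: for TCP, look for a handshake packet in buffering order.
    if first.proto == "tcp":
        for p in packets:
            if "SYN" in p.flags and "ACK" in p.flags:
                return (p.dst_ip, p.src_ip, "syn-ack")   # sent by the receiver
            if "SYN" in p.flags:
                return (p.src_ip, p.dst_ip, "syn")       # sent by the sender
    # Claim 4: application-layer identification from interaction features.
    if app_classifier is not None:
        result = app_classifier(packets)
        if result is not None:
            return (*result, "application")
    # Claim 5: known server IP and destination port below the source port.
    if first.dst_ip in cache and first.dst_port < first.src_port:
        return (*forward, "cache-ip-low-port")
    # Claim 6: high destination port with low source port, so treat as a reply.
    if first.dst_port > FIRST_THRESHOLD and first.src_port < SECOND_THRESHOLD:
        return (*reverse, "port-reversed")
    # Claim 7: otherwise keep the first packet's own direction.
    return (*forward, "default")

# Constructed sample data (documentation address ranges), not from the patent.
CACHE = {"10.0.0.5": {443}}
DNS_REPLY = [Packet("198.51.100.9", 53, "192.0.2.10", 53211, "udp")]
SYNACK_FIRST = [
    Packet("198.51.100.7", 8080, "192.0.2.10", 51000, "tcp", frozenset({"SYN", "ACK"})),
    Packet("192.0.2.10", 51000, "198.51.100.7", 8080, "tcp", frozenset({"ACK"})),
]
```

`DNS_REPLY` and `SYNACK_FIRST` model captures that begin with a server-to-client packet, the case where taking the first packet's source as the sender would label the session backwards.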
CN202510786980.0A 2025-06-13 2025-06-13 Conversation direction identification method, device, electronic device and storage medium Pending CN120301804A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510786980.0A CN120301804A (en) 2025-06-13 2025-06-13 Conversation direction identification method, device, electronic device and storage medium

Publications (1)

Publication Number Publication Date
CN120301804A true CN120301804A (en) 2025-07-11

Family

ID=96267633

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202510786980.0A Pending CN120301804A (en) 2025-06-13 2025-06-13 Conversation direction identification method, device, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN120301804A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120117646A1 (en) * 2010-11-04 2012-05-10 Electronics And Telecommunications Research Institute Transmission control protocol flooding attack prevention method and apparatus
CN108259488A (en) * 2018-01-11 2018-07-06 网宿科技股份有限公司 A kind of method and apparatus for the protocol type for identifying message
CN109905486A (en) * 2019-03-18 2019-06-18 杭州迪普科技股份有限公司 A kind of application program identification methods of exhibiting and device
CN113839937A (en) * 2021-09-15 2021-12-24 神州网云(北京)信息技术有限公司 Method and system for detecting unknown Trojan horse by using cross-session technology based on network flow
CN115314325A (en) * 2022-10-11 2022-11-08 科来网络技术股份有限公司 Access relation analysis method, system, device and medium based on TCP communication
CN118611964A (en) * 2024-06-25 2024-09-06 中国银联股份有限公司 Session access control method, device, equipment, medium and program product
KR20240171436A (en) * 2023-05-30 2024-12-09 엔시큐어 주식회사 System for Analyzing Network and Service Failure Threats in Real-Time

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination