CN108234345A - Method, device and system for identifying traffic features of terminal network applications
- Publication number
- CN108234345A (CN201611197500.4A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2441—Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method, device and system for identifying traffic features of a terminal network application. The method includes: obtaining a single-service data flow and a single-service behavior data flow from the original code stream of the terminal network application; extracting five-tuple information and data packet information from the single-service data flow and the single-service behavior data flow; selecting a part of the five-tuple information and data packet information as a training set; training on the training set to obtain an IP-port association feature, a data packet feature and a protocol feature; and identifying disguised data packets in the single-service data flow according to the IP-port association feature, the data packet feature and/or the protocol feature. The method provided according to embodiments of the invention can identify disguised data packets in a service data flow.
Description
Technical field
The present invention relates to the field of service traffic identification, and in particular to a method, device and system for identifying traffic features of a terminal network application.
Background
With the widespread use of mobile terminals, thousands of new mobile Internet applications are added every day. The continuously emerging new services affect mobile Internet security and service order, place a heavy burden on the operator's network bearer, and also have a large impact on the operator's business. How to identify terminal network application traffic simply and accurately is therefore very important.
In existing technical solutions, the five-tuple information in network traffic data packets is typically obtained and the network traffic features are analyzed to perform simple traffic identification and matching for mobile terminal services. The identification and matching effect of this approach is limited, however: if the network traffic data packets have been disguised, the traffic features of the terminal network application cannot be identified accurately.
Summary of the invention
Embodiments of the present invention provide a method, device and system for identifying traffic features of a terminal network application, which can identify disguised data packets in a service data flow.
According to one aspect of the present invention, a method for identifying traffic features of a terminal network application is provided, including: obtaining a single-service data flow and a single-service behavior data flow from the original code stream of the terminal network application; extracting five-tuple information and data packet information from the single-service data flow and the single-service behavior data flow; selecting a part of the five-tuple information and data packet information as a training set; training on the training set to obtain an IP-port association feature, a data packet feature and a protocol feature; and identifying disguised data packets in the single-service data flow according to the IP-port association feature, the data packet feature and/or the protocol feature.
According to another aspect of the present invention, a device for identifying traffic features of a terminal network application is provided, including: a data flow acquisition unit, configured to obtain a single-service data flow and a single-service behavior data flow from the original code stream of the terminal network application; an information acquisition unit, configured to extract five-tuple information and data packet information from the single-service data flow and the single-service behavior data flow; a training set selection unit, configured to select a part of the five-tuple information and data packet information as a training set; a feature training and extraction unit, configured to train on the training set to obtain an IP-port association feature, a data packet feature and a protocol feature; and a disguised packet identification unit, configured to identify disguised data packets in the single-service data flow according to the IP-port association feature, the data packet feature and/or the protocol feature.
According to a further aspect of the present invention, a system for identifying traffic features of a terminal network application is provided, including: a memory, configured to store a program; a receiving unit, configured to receive the original code stream of the terminal network application; and a processor, configured to run the program stored in the memory to perform the following steps: obtaining a single-service data flow and a single-service behavior data flow from the received original code stream; extracting five-tuple information and data packet information from the single-service data flow and the single-service behavior data flow; selecting a part of the five-tuple information and data packet information as a training set; training on the training set to obtain an IP-port association feature, a data packet feature and a protocol feature; and identifying disguised data packets in the single-service data flow according to the IP-port association feature, the data packet feature and/or the protocol feature.
The method, device and system for identifying traffic features of a terminal network application provided according to embodiments of the present invention extract five-tuple information and data packet information from the original code stream and train to obtain an IP-port association feature, a data packet feature and a protocol feature, so that disguised data packets in the single-service data flow are identified according to the IP-port association feature, the data packet feature and the protocol feature.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the features and advantages of the embodiments of the present disclosure can be understood more clearly with reference to the accompanying drawings. The drawings are only illustrative and should not be construed as limiting the disclosure in any way. In the drawings:
Fig. 1 is a flow chart of the traffic feature identification method for a terminal network application according to one embodiment of the invention;
Fig. 2 is a flow chart of the traffic feature identification method for a terminal network application according to another embodiment of the invention;
Fig. 3 is a structural diagram of the traffic feature identification device for a terminal network application according to an embodiment of the invention;
Fig. 4 is a structural diagram of the traffic feature identification device for a terminal network application according to another embodiment of the invention;
Fig. 5 is a structural diagram of the IP-port association feature extraction unit in Fig. 4;
Fig. 6 is a structural diagram of the data packet feature extraction unit in Fig. 4;
Fig. 7 is a structural diagram of the protocol feature extraction unit in Fig. 4;
Fig. 8 is a hardware structure diagram of the traffic feature identification system for a terminal network application provided according to one embodiment of the invention.
Detailed description
The features and exemplary embodiments of various aspects of the invention are described in detail below. To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are intended only to explain the invention, not to limit it. To those skilled in the art, the invention can be practiced without some of these specific details. The following description of the embodiments is provided only to give a better understanding of the invention by showing examples of it.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The method, device and system for identifying traffic features of a terminal network application according to embodiments of the invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flow chart of the traffic feature identification method for a terminal network application according to one embodiment of the invention. As shown in Fig. 1, the traffic feature identification method 100 in this embodiment includes the following steps:
Step S110: obtain a single-service data flow and a single-service behavior data flow from the original code stream of the terminal network application.
Step S120: extract five-tuple information and data packet information from the single-service data flow and the single-service behavior data flow.
Step S130: select a part of the five-tuple information and data packet information as a training set.
Step S140: train on the training set to obtain an IP-port association feature, a data packet feature and a protocol feature.
Step S150: identify disguised data packets in the single-service data flow according to the IP-port association feature, the data packet feature and/or the protocol feature.
In step S110, a code stream refers to the byte stream of the communication between the software and the server, obtained by means such as packet capture, and the original code stream refers to a byte stream that has not been pruned or compressed.
In some embodiments, automated dial-testing software can be used to log in to the terminal network application. After login, the test software automatically clicks through all operations presented on the application interface; it can also perform input operations on the application interface according to preset content. After the scheduled test actions are completed, it exits the terminal network application.
As an example, a packet capture tool such as the Wireshark network packet analysis software captures packets for the entire operation flow of the test software logging in to the terminal network application, and the original code stream obtained by the capture is stored by default as a pcap file.
After the original code stream file is obtained, the single-service data flow and the single-service behavior data flow can be obtained from the original code stream.
In step S120, five-tuple information typically refers to the source IP address, source port, destination IP address, destination port and application protocol. Data packet information can be any information related to the data packets, such as the length and number of data packets, the response time of data packets, the source address, the destination address, the data portion of the data packet, and the request/response time, the number of request/response interactions and the number of data packets marked in the data packets when the terminal network application performs a specific behavior.
In this embodiment, the specific behavior depends on the particular terminal network application. As an example, a specific behavior may be a login/registration behavior, a service access behavior, a data update behavior, a message session behavior, and so on.
In some embodiments, the IP-port association feature in step S140 can include a destination IP cluster feature and a destination port start-stop feature.
Specifically, the application protocol is obtained from the five-tuple information of the training set, and the destination IPs that use the obtained application protocol are collected as the destination IP cluster feature; the destination ports that use the obtained application protocol are collected, and the minimum and maximum port numbers among the collected destination ports are taken as the destination port start-stop feature.
It should be noted that if the destination IPs using the obtained application protocol are dynamic IPs, the destination IPs of the application protocol can be re-collected periodically.
In some embodiments, an IP address library can be established for each application protocol to store the IPs extracted from the training set. Common application protocols use static IPs, and some use dynamic IP clusters through DNS. Whether the single-service data flow of each terminal network application uses static IP addresses is analyzed; if the IPs used by the single-service data flow are not static, the IP addresses in the address library can be cleared at predetermined intervals so that the IP address library is updated in time.
In some embodiments, the data packet feature in step S140 can further include a data packet behavior feature and a data packet numeric feature.
Specifically, the application protocol can be obtained from the five-tuple information of the training set, and the data packet length, the number of data packets, and the interaction time and number of requests and responses of the application protocol in a specific behavior are counted, yielding a data packet length feature, a data packet count feature and a data packet interaction feature as the data packet behavior feature; the data packet length of the single-service data flow is obtained from the data packet information of the training set, yielding the data packet numeric feature.
Specifically, the data packet numeric feature may further include a minimum packet length feature, a maximum packet length feature and a data packet length fluctuation feature.
Specifically, from the data packet lengths of the single-service data flow, the minimum and maximum data packet lengths are taken as the minimum packet length feature and the maximum packet length feature respectively; the data packet length fluctuation feature is obtained from the lower quartile (one-quarter quantile), upper quartile (three-quarter quantile), mean and/or variance of the data packet lengths of the single-service data flow.
In some embodiments, training on the training set to obtain the payload character feature can further include: obtaining a protocol identifier feature and a protocol request/response identifier feature.
Specifically, the frequent character set of the payload is extracted from the data packet information of the training set; the protocol identifier and the protocol request/response identifier are then extracted from the frequent character set of the payload, yielding the protocol identifier feature and the protocol request/response identifier feature as the payload character feature.
In step S150, as one example, if a data packet has been disguised, a disguised data packet with an added IP header can be identified by checking the data packet feature and the protocol feature; as another example, a data packet disguised using fixed characters can be identified by checking the IP-port association feature and the protocol feature, or the IP-port association feature, the data packet feature and the protocol feature can be used together to identify the service data packets in the single-service data flow.
The terminal network application traffic identification method provided by the invention can extract the IP-port association feature, the data packet feature and the protocol feature from the service data flow and the service behavior data flow of a terminal network application, and can use these features to identify disguised data packets.
Fig. 2 is a flow chart of the traffic feature identification method for a terminal network application according to another embodiment of the invention. As shown in Fig. 2, the traffic feature identification method 200 is substantially the same as the traffic feature identification method 100; the difference is that the traffic feature identification method 200 further includes:
Step S160: select the remaining part of the five-tuple information and data packet information as a validation set.
Step S170: validate the IP-port association feature, the data packet feature and the protocol feature on the validation set.
Step S180: if the validation result is that the identified IP-port association feature, data packet feature and protocol feature are correct, save the IP-port association feature, the data packet feature and the protocol feature.
As an alternative embodiment, if the validation result is that the identified IP-port association feature, data packet feature and protocol feature are incorrect, a new IP-port association feature, data packet feature and protocol feature are obtained by training on the training set again.
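The IP-port association and data packet numeric features of step S140, together with the validation of steps S160 to S180, as an added Python example that is not part of the patent. The `appchat` protocol label, the sample addresses and the rule that any feature violation marks a packet as possibly disguised are assumptions made for illustration; the patent does not specify a decision rule.

```python
import statistics
from collections import defaultdict, namedtuple

# Five-tuple plus packet length. All sample values below are constructed.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto length")


def make_packet(dst_ip, dst_port, length, proto="appchat"):
    return Packet("10.0.0.5", 50000, dst_ip, dst_port, proto, length)


TRAINING_SET = [
    make_packet("203.0.113.10", 8000, 100), make_packet("203.0.113.10", 8001, 120),
    make_packet("203.0.113.11", 8000, 140), make_packet("203.0.113.11", 8003, 160),
    make_packet("203.0.113.10", 8002, 180), make_packet("203.0.113.12", 8010, 200),
    make_packet("203.0.113.12", 8005, 220), make_packet("203.0.113.11", 8007, 240),
]
VALIDATION_SET = [
    make_packet("203.0.113.10", 8004, 150), make_packet("203.0.113.12", 8009, 230),
]


def train(records):
    """Per application protocol, derive the destination IP cluster, the
    destination port start-stop range and the packet length statistics."""
    by_proto = defaultdict(list)
    for rec in records:
        by_proto[rec.proto].append(rec)
    features = {}
    for proto, recs in by_proto.items():
        lengths = [r.length for r in recs]
        ports = [r.dst_port for r in recs]
        q1, _median, q3 = statistics.quantiles(lengths, n=4, method="inclusive")
        features[proto] = {
            "dst_ip_cluster": {r.dst_ip for r in recs},
            "dst_port_range": (min(ports), max(ports)),
            "min_len": min(lengths),
            "max_len": max(lengths),
            # Fluctuation feature: quartiles, mean and variance of the lengths.
            "q1": q1,
            "q3": q3,
            "mean": statistics.mean(lengths),
            "variance": statistics.pvariance(lengths),
        }
    return features


def mismatches(features, pkt):
    """Names of the trained features that a packet labelled pkt.proto violates.
    Treating any violation as 'possibly disguised' is this example's own rule."""
    trained = features.get(pkt.proto)
    if trained is None:
        return ["unknown_protocol"]
    violated = []
    if pkt.dst_ip not in trained["dst_ip_cluster"]:
        violated.append("dst_ip_cluster")
    low, high = trained["dst_port_range"]
    if not low <= pkt.dst_port <= high:
        violated.append("dst_port_range")
    if not trained["min_len"] <= pkt.length <= trained["max_len"]:
        violated.append("packet_length")
    return violated


def validate(features, validation_set):
    """Fraction of held-out genuine packets accepted by the trained features;
    a low score means the features should be retrained rather than saved."""
    if not validation_set:
        raise ValueError("validation set is empty")
    accepted = sum(1 for p in validation_set if not mismatches(features, p))
    return accepted / len(validation_set)


if __name__ == "__main__":
    feats = train(TRAINING_SET)
    print(feats["appchat"])
    print("validation score:", validate(feats, VALIDATION_SET))
    suspect = make_packet("198.51.100.7", 443, 1400)
    print("suspect violates:", mismatches(feats, suspect))
```
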
The traffic feature identification device for a terminal network application according to an embodiment of the invention is described below with reference to Fig. 3.
Fig. 3 is a structural diagram of the traffic feature identification device for a terminal network application according to an embodiment of the invention.
As shown in Fig. 3, the traffic feature identification device 300 for a terminal network application in this embodiment includes: a data flow acquisition unit 310, configured to obtain a single-service data flow and a single-service behavior data flow from the original code stream of the terminal network application; an information acquisition unit 320, configured to extract five-tuple information and data packet information from the single-service data flow and the single-service behavior data flow; a training set selection unit 330, configured to select a part of the five-tuple information and data packet information as a training set; a feature training and extraction unit 340, configured to train on the training set to obtain an IP-port association feature, a data packet feature and a protocol feature; and a disguised packet identification unit 350, configured to identify disguised data packets in the single-service data flow according to the IP-port association feature, the data packet feature and/or the protocol feature.
The traffic feature identification device for a terminal network application according to an embodiment of the invention obtains the IP-port association feature, the data packet feature and/or the protocol feature from the single-service data flow and the single-service behavior data flow in the original code stream, for use in identifying disguised data packets in the single-service data flow.
Fig. 4 is a structural diagram of the traffic feature identification device for a terminal network application according to another embodiment of the invention. Components in Fig. 4 that are identical or equivalent to those in Fig. 3 use the same reference numerals. As shown in Fig. 4, the feature training and extraction unit 340 can further include:
an IP-port association feature extraction unit 341, configured to extract the IP-port association feature from the training set; a data packet feature extraction unit 342, configured to extract the data packet feature from the training set; and a protocol feature extraction unit 343, configured to extract the protocol feature from the training set.
As an alternative embodiment, Fig. 5 shows a structural diagram of the IP-port association feature extraction unit in Fig. 4. As shown in Fig. 5, the IP-port association feature extraction unit 341 can further include: a destination IP cluster feature extraction unit 3411 and a destination port start-stop feature extraction unit 3412.
Specifically, the destination IP cluster feature extraction unit 3411 is configured to obtain the application protocol from the five-tuple information of the training set and to collect the destination IPs that use the obtained application protocol as the destination IP cluster feature; the destination port start-stop feature extraction unit 3412 is configured to collect the destination ports that use the obtained application protocol and to take the minimum and maximum port numbers among the collected destination ports as the destination port start-stop feature.
As an alternative embodiment, Fig. 6 shows a structural diagram of the data packet feature extraction unit in Fig. 4. As shown in Fig. 6, the data packet feature extraction unit 342 can further include: a data packet behavior feature extraction unit 3421 and a data packet numeric feature extraction unit 3422.
Specifically, the data packet behavior feature extraction unit 3421 is configured to obtain the application protocol from the five-tuple information of the training set, and to count the data packet length, the number of data packets, and the interaction time and number of requests and responses of the application protocol in a specific behavior, yielding a data packet length feature, a data packet count feature and a data packet interaction feature as the data packet behavior feature; the data packet numeric feature extraction unit 3422 is configured to obtain the data packet numeric feature from the data packet length of the single-service data flow in the data packet information of the training set.
In some embodiments, the data packet numeric feature extraction unit 3422 can further include:
A minimum packet length feature extraction unit, configured to obtain, from the data packet lengths of the single-service data flow, the minimum data packet length as the minimum packet length feature.
A maximum packet length feature extraction unit, configured to obtain, from the data packet lengths of the single-service data flow, the maximum data packet length as the maximum packet length feature.
A packet length fluctuation feature extraction unit, configured to obtain the data packet length fluctuation feature from the lower quartile (one-quarter quantile), upper quartile (three-quarter quantile), mean and/or variance of the data packet lengths of the single-service data flow.
As an alternative embodiment, Fig. 7 shows a structural diagram of the protocol feature extraction unit in Fig. 4. As shown in Fig. 7, the protocol feature extraction unit 343 can further include:
A payload frequent character set extraction unit 3431, configured to extract the frequent character set of the payload from the data packet information of the training set.
A payload character feature extraction unit 3432, configured to extract the protocol identifier and the protocol request/response identifier from the frequent character set of the payload, yielding the protocol identifier feature and the protocol request/response identifier feature as the payload character feature.
The device provided according to embodiments of the invention can extract the IP-port association feature, the data packet feature and the protocol feature from the service data flow and the service behavior data flow of a terminal network application, and can use these features to identify disguised data packets.
The above is merely a specific embodiment. Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the system, modules and units described above can refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
The traffic feature identification method and device for a terminal network application according to embodiments of the invention, described with reference to Figs. 1 to 7, can be implemented by a traffic feature identification system for a terminal network application. Fig. 8 is a hardware structure diagram of the traffic feature identification system for a terminal network application according to an embodiment of the invention.
As shown in Fig. 8, the traffic feature identification system 500 for a terminal network application in this embodiment includes: a sending unit 501, a processor 502, a memory 503, a receiving unit 504 and a bus 510. The sending unit 501, the processor 502, the memory 503 and the receiving unit 504 are connected to one another through the bus 510. Specifically, the receiving unit 504 receives input information from outside and passes the input information to the processor 502; the processor 502 processes the input information based on the program code stored in the memory 503 to generate output information, stores the output information temporarily or permanently in the memory 503, and then outputs the output information through the sending unit 501 to the outside of the resource interface device 500 for use by the user.
That is, the traffic feature identification system 500 for a terminal network application shown in Fig. 8 can also be implemented as including: a memory 503, configured to store a program; a receiving unit 504, configured to receive the original code stream of the terminal network application; and a processor 502, configured to run the program stored in the memory to perform the following steps: obtaining a single-service data flow and a single-service behavior data flow from the received original code stream; extracting five-tuple information and data packet information from the single-service data flow and the single-service behavior data flow; selecting a part of the five-tuple information and data packet information as a training set; training on the training set to obtain an IP-port association feature, a data packet feature and a protocol feature; and identifying disguised data packets in the single-service data flow according to the IP-port association feature, the data packet feature and/or the protocol feature.
The traffic feature identification system for a terminal network application provided by this embodiment can extract the IP-port association feature, the data packet feature and the protocol feature from the service data flow and the service behavior data flow of a terminal network application, and can use these features to identify disguised data packets.
It should be clear that the invention is not limited to the specific configurations and processing described above and shown in the figures. For brevity, detailed descriptions of known methods are omitted here. In the above embodiments, several specific steps have been described and shown as examples. The method process of the invention is not limited to the specific steps described and shown, however; after understanding the spirit of the invention, those skilled in the art can make various changes, modifications and additions, or change the order between the steps.
The functional blocks shown in the structural block diagrams described above can be implemented as hardware, software, firmware or a combination thereof. When implemented in hardware, they may be, for example, electronic circuits, application-specific integrated circuits (ASICs), appropriate firmware, plug-ins, function cards, and so on. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The programs or code segments can be stored in a machine-readable medium, or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" can include any medium capable of storing or transmitting information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber-optic media, radio frequency (RF) links, and so on. The code segments can be downloaded via a computer network such as the Internet or an intranet.
It should also be noted that the exemplary embodiments mentioned in the invention describe certain methods or systems based on a series of steps or devices. The invention is not limited to the order of the above steps, however; that is, the steps can be performed in the order mentioned in the embodiments, in an order different from that in the embodiments, or several steps can be performed simultaneously.
The above is merely a specific embodiment. Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the system, modules and units described above can refer to the corresponding processes in the foregoing method embodiments, and are not repeated here. It should be understood that the protection scope of the invention is not limited to this; any person skilled in the art can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed by the invention, and these modifications or substitutions shall be covered by the protection scope of the invention.
Claims (16)
1. A traffic characteristic identification method for a terminal network application, comprising:
Obtaining a single business data flow and a single business conduct data flow from the source code flow of the terminal network application;
Extracting five-tuple information and packet information from the single business data flow and the single business conduct data flow;
Choosing a part of the five-tuple information and the packet information as a training set;
Obtaining an IP port association feature, a data packet feature and a protocol feature by training on the training set;
Identifying camouflaged data packets in the single business data flow according to the IP port association feature, the data packet feature and/or the protocol feature.
2. The method according to claim 1, further comprising:
Choosing the remainder of the five-tuple information and the packet information as a verification set;
Verifying the IP port association feature, the data packet feature and the protocol feature on the verification set;
If the verification result is that the identified IP port association feature, data packet feature and protocol feature are correct, saving the IP port association feature, the data packet feature and the protocol feature.
3. The method according to claim 2, further comprising:
If the verification result is that the identified IP port association feature, data packet feature and protocol feature are incorrect, obtaining a new IP port association feature, data packet feature and protocol feature by training on the training set again.
4. The method according to claim 1, wherein the IP port association feature includes a destination IP cluster feature and a destination port start-stop feature, the method further comprising:
Obtaining an application protocol from the five-tuple information of the training set, and collecting the destination IPs that use the obtained application protocol as the destination IP cluster feature;
Collecting statistics on the destination ports that use the obtained application protocol, and taking the minimum port number and the maximum port number among the destination ports so obtained as the destination port start-stop feature.
5. The method according to claim 4, wherein,
If the destination IP using the application protocol is a dynamic IP, statistics on the destination IPs that use the obtained application protocol are periodically collected again.
6. The method according to claim 1, wherein the data packet feature includes a data packet behavioral feature and a data packet numerical feature, the method further comprising:
Obtaining an application protocol from the five-tuple information of the training set, and collecting statistics on the data packet length, the data packet quantity, and the interaction time and number of requests and responses of the application protocol in a specific behavior, to obtain a data packet length feature, a data packet quantity feature and a data packet interaction feature as the data packet behavioral feature;
Obtaining the data packet length of the single business data flow from the packet information of the training set, and obtaining the data packet numerical feature corresponding to the data packet length.
7. The method according to claim 6, wherein the data packet numerical feature includes a minimum packet length feature, a maximum packet length feature and a data packet length fluctuation feature, the method further comprising:
According to the data packet length of the single business data flow, obtaining the minimum value of the data packet length and the maximum value of the data packet length as the minimum packet length feature and the maximum packet length feature respectively;
Obtaining the data packet length fluctuation feature according to the one-quarter quantile, the three-quarter quantile, the mean and/or the variance of the data packet length of the single business data flow.
8. The method according to claim 1, wherein the protocol feature includes a payload character feature, the method further comprising:
Extracting a frequent character set of the payload from the packet information of the training set;
Extracting a protocol identifier and a protocol request-response identifier from the frequent character set of the payload, to obtain a protocol identifier feature and a protocol request-response identifier feature as the payload character feature.
9. A traffic characteristic identification device for a terminal network application, comprising:
A data flow acquiring unit, configured to obtain a single business data flow and a single business conduct data flow from the source code flow of the terminal network application;
An information acquisition unit, configured to extract five-tuple information and packet information from the single business data flow and the single business conduct data flow;
A training set selection unit, configured to choose a part of the five-tuple information and the packet information as a training set;
A feature training extraction unit, configured to obtain an IP port association feature, a data packet feature and a protocol feature by training on the training set;
A camouflaged packet identification unit, configured to identify camouflaged data packets in the single business data flow according to the IP port association feature, the data packet feature and/or the protocol feature.
10. The device according to claim 9, further comprising:
A verification set acquiring unit, configured to choose the remainder of the five-tuple information and the packet information as a verification set;
A feature verification unit, configured to verify the IP port association feature, the data packet feature and the protocol feature on the verification set;
A feature storage unit, configured to save the IP port association feature, the data packet feature and the protocol feature if the verification result is that the identified IP port association feature, data packet feature and protocol feature are correct.
11. The device according to claim 9, wherein the feature training extraction unit further includes:
An IP port association feature extraction unit, configured to extract the IP port association feature from the training set;
A data packet feature extraction unit, configured to extract the data packet feature from the training set;
A protocol feature extraction unit, configured to extract the protocol feature from the training set.
12. The device according to claim 11, wherein the IP port association feature extraction unit further includes:
A destination IP cluster feature extraction unit, configured to obtain an application protocol from the five-tuple information of the training set, and to collect the destination IPs that use the obtained application protocol as a destination IP cluster feature;
A destination port start-stop feature extraction unit, configured to collect statistics on the destination ports that use the obtained application protocol, and to take the minimum port number and the maximum port number among the destination ports so obtained as a destination port start-stop feature.
13. The device according to claim 11, wherein the data packet feature extraction unit further includes:
A data packet behavioral feature extraction unit, configured to obtain an application protocol from the five-tuple information of the training set, and to collect statistics on the data packet length, the data packet quantity, and the interaction time and number of requests and responses of the application protocol in a specific behavior, to obtain a data packet length feature, a data packet quantity feature and a data packet interaction feature as a data packet behavioral feature;
A data packet numerical feature extraction unit, configured to obtain the data packet length of the single business data flow from the packet information of the training set, and to obtain a data packet numerical feature.
14. The device according to claim 13, wherein the data packet numerical feature extraction unit further includes:
A minimum packet length feature extraction unit, configured to obtain, according to the data packet length of the single business data flow, the minimum value of the data packet length as a minimum packet length feature;
A maximum packet length feature extraction unit, configured to obtain, according to the data packet length of the single business data flow, the maximum value of the data packet length as a maximum packet length feature;
A packet length fluctuation feature extraction unit, configured to obtain a data packet length fluctuation feature according to the one-quarter quantile, the three-quarter quantile, the mean and/or the variance of the data packet length of the single business data flow.
15. The device according to claim 11, wherein the protocol feature extraction unit further includes:
A payload frequent character set extraction unit, configured to extract a frequent character set of the payload from the packet information of the training set;
A payload character feature extraction unit, configured to extract a protocol identifier and a protocol request-response identifier from the frequent character set of the payload, to obtain a protocol identifier feature and a protocol request-response identifier feature as a payload character feature.
16. A traffic characteristic identification system for a terminal network application, comprising:
A memory, configured to store a program;
A receiving unit, configured to receive the source code flow of the terminal network application;
A processor, configured to run the program stored in the memory, to perform the following steps:
Obtaining a single business data flow and a single business conduct data flow from the received source code flow;
Extracting five-tuple information and packet information from the single business data flow and the single business conduct data flow;
Choosing a part of the five-tuple information and the packet information as a training set;
Obtaining an IP port association feature, a data packet feature and a protocol feature by training on the training set;
Identifying camouflaged data packets in the single business data flow according to the IP port association feature, the data packet feature and/or the protocol feature.
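The feature training of claims 4 and 7, the verification-set check of claim 2 and the packet check of claim 1 can be sketched as follows; this is an added example, not code from the patent. The `Packet` record, the dictionary keys, the use of population variance, the rule that any violated feature flags a packet, and all sample packets are assumptions constructed for illustration; the claims do not say how the fluctuation feature is applied during matching, so it is only computed here.

```python
from dataclasses import dataclass
from statistics import mean, pvariance, quantiles

@dataclass(frozen=True)
class Packet:
    proto: str     # application protocol taken from the five-tuple information
    dst_ip: str
    dst_port: int
    length: int    # data packet length in bytes

def train(packets, proto):
    """Learn the claim 4 and claim 7 features for one application protocol."""
    rows = [p for p in packets if p.proto == proto]
    if len(rows) < 2:
        raise ValueError("need at least two packets to compute quantiles")
    lengths = [p.length for p in rows]
    ports = [p.dst_port for p in rows]
    q1, _, q3 = quantiles(lengths, n=4, method="inclusive")
    return {
        "dst_ips": frozenset(p.dst_ip for p in rows),   # destination IP cluster
        "port_range": (min(ports), max(ports)),         # destination port start-stop
        "len_range": (min(lengths), max(lengths)),      # min / max packet length
        # Packet length fluctuation; population variance is an assumption.
        "fluctuation": {"q1": q1, "q3": q3, "mean": mean(lengths),
                        "variance": pvariance(lengths)},
    }

def mismatches(pkt, feats):
    """Return the names of the learned features that pkt violates."""
    out = []
    if pkt.dst_ip not in feats["dst_ips"]:
        out.append("dst_ip")
    lo, hi = feats["port_range"]
    if not lo <= pkt.dst_port <= hi:
        out.append("dst_port")
    lo, hi = feats["len_range"]
    if not lo <= pkt.length <= hi:
        out.append("length")
    return out

def match_rate(packets, feats):
    """Fraction of verification-set packets that violate no learned feature."""
    return sum(not mismatches(p, feats) for p in packets) / max(len(packets), 1)

# Constructed sample data (documentation address ranges, made-up sizes).
TRAINING = [
    Packet("app", "203.0.113.10", 8000, 120),
    Packet("app", "203.0.113.11", 8001, 180),
    Packet("app", "203.0.113.10", 8002, 240),
    Packet("app", "203.0.113.11", 8000, 300),
    Packet("app", "203.0.113.10", 8010, 360),
]
VALIDATION = [
    Packet("app", "203.0.113.11", 8002, 200),
    Packet("app", "203.0.113.10", 8009, 350),
]
SUSPECT = Packet("app", "198.51.100.7", 8005, 1400)  # claims "app", wrong IP and size

if __name__ == "__main__":
    feats = train(TRAINING, "app")
    print(feats)
    print("verification match rate:", match_rate(VALIDATION, feats))
    print("suspect violates:", mismatches(SUSPECT, feats))
```

A match rate below a chosen threshold on the verification set would correspond to the "incorrect" outcome of claim 3, which calls for training again.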
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611197500.4A CN108234345B (en) | 2016-12-21 | 2016-12-21 | Traffic characteristic identification method, device and system for terminal network application |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611197500.4A CN108234345B (en) | 2016-12-21 | 2016-12-21 | Traffic characteristic identification method, device and system for terminal network application |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108234345A (en) | 2018-06-29 |
CN108234345B (en) | 2021-11-30 |
Family
ID=62656889
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611197500.4A Active CN108234345B (en) | 2016-12-21 | 2016-12-21 | Traffic characteristic identification method, device and system for terminal network application |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108234345B (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109067778A (en) * | 2018-09-18 | 2018-12-21 | 东北大学 | A kind of industry control scanner fingerprint identification method based on sweet network data |
CN111355628A (en) * | 2020-02-12 | 2020-06-30 | 深圳市博瑞得科技有限公司 | Model training method, business recognition device and electronic device |
CN111385342A (en) * | 2018-12-29 | 2020-07-07 | 中国移动通信集团北京有限公司 | Internet of things industry identification method and device, electronic equipment and storage medium |
CN111510443A (en) * | 2020-04-07 | 2020-08-07 | 全球能源互联网研究院有限公司 | Terminal monitoring method and terminal monitoring device based on equipment portrait |
CN111565311A (en) * | 2020-04-29 | 2020-08-21 | 杭州迪普科技股份有限公司 | Network traffic characteristic generation method and device |
CN111835542A (en) * | 2019-04-19 | 2020-10-27 | 四川大学 | Method for automatically extracting and checking application program characteristics |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6735288B1 (en) * | 2000-01-07 | 2004-05-11 | Cisco Technology, Inc. | Voice over IP voice mail system configured for placing an outgoing call and returning subscriber to mailbox after call completion |
CN101202652A (en) * | 2006-12-15 | 2008-06-18 | 北京大学 | Device for classifying and recognizing network application flow quantity and method thereof |
CN102315974A (en) * | 2011-10-17 | 2012-01-11 | 北京邮电大学 | Stratification characteristic analysis-based method and apparatus thereof for on-line identification for TCP, UDP flows |
CN106209843A (en) * | 2016-07-12 | 2016-12-07 | 工业和信息化部电子工业标准化研究院 | A kind of data flow anomaly towards Modbus agreement analyzes method |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109067778A (en) * | 2018-09-18 | 2018-12-21 | 东北大学 | A kind of industry control scanner fingerprint identification method based on sweet network data |
CN109067778B (en) * | 2018-09-18 | 2020-07-24 | 东北大学 | Industrial control scanner fingerprint identification method based on honeynet data |
CN111385342A (en) * | 2018-12-29 | 2020-07-07 | 中国移动通信集团北京有限公司 | Internet of things industry identification method and device, electronic equipment and storage medium |
CN111385342B (en) * | 2018-12-29 | 2023-04-07 | 中国移动通信集团北京有限公司 | Internet of things industry identification method and device, electronic equipment and storage medium |
CN111835542A (en) * | 2019-04-19 | 2020-10-27 | 四川大学 | Method for automatically extracting and checking application program characteristics |
CN111835542B (en) * | 2019-04-19 | 2022-02-11 | 四川大学 | Method for automatically extracting and checking application program characteristics |
CN111355628A (en) * | 2020-02-12 | 2020-06-30 | 深圳市博瑞得科技有限公司 | Model training method, business recognition device and electronic device |
CN111355628B (en) * | 2020-02-12 | 2023-05-09 | 博瑞得科技有限公司 | Model training method, service identification method, device and electronic device |
CN111510443A (en) * | 2020-04-07 | 2020-08-07 | 全球能源互联网研究院有限公司 | Terminal monitoring method and terminal monitoring device based on equipment portrait |
CN111510443B (en) * | 2020-04-07 | 2022-07-15 | 全球能源互联网研究院有限公司 | Terminal monitoring method and terminal monitoring device based on equipment portrait |
CN111565311A (en) * | 2020-04-29 | 2020-08-21 | 杭州迪普科技股份有限公司 | Network traffic characteristic generation method and device |
CN111565311B (en) * | 2020-04-29 | 2022-02-25 | 杭州迪普科技股份有限公司 | Network traffic characteristic generation method and device |
Also Published As
Publication number | Publication date |
---|---|
CN108234345B (en) | 2021-11-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108234345A (en) | A kind of traffic characteristic recognition methods of terminal network application, device and system | |
CN109951500B (en) | Network attack detection method and device | |
US10795992B2 (en) | Self-adaptive application programming interface level security monitoring | |
CN111277570A (en) | Data security monitoring method and device, electronic equipment and readable medium | |
CN103888490B (en) | A kind of man-machine knowledge method for distinguishing of full automatic WEB client side | |
CN110708215B (en) | Deep packet inspection rule base generation method, device, network equipment and storage medium | |
US10332005B1 (en) | System and method for extracting signatures from controlled execution of applications and using them on traffic traces | |
Dusi et al. | Quantifying the accuracy of the ground truth associated with Internet traffic traces | |
CN110430226B (en) | Network attack detection method and device, computer equipment and storage medium | |
CN108833437A (en) | One kind being based on flow fingerprint and the matched APT detection method of communication feature | |
CN110245273B (en) | Method for acquiring APP service feature library and corresponding device | |
CN110764980A (en) | Log processing method and device | |
CN106330944A (en) | Method and device for recognizing malicious system vulnerability scanner | |
CN110213124A (en) | Passive operation system identification method and device based on the more sessions of TCP | |
CN109644146A (en) | By the variance analysis of TCP telemetering come locating network fault | |
CN114143086B (en) | Web application identification method and device, electronic equipment and storage medium | |
CN110417747A (en) | A kind of detection method and device of Brute Force behavior | |
CN105959290A (en) | Detection method and device of attack message | |
CN108768921A (en) | A kind of malicious web pages discovery method and system of feature based detection | |
CN106921671B (en) | network attack detection method and device | |
CN107209834A (en) | Malicious communication pattern extraction apparatus, malicious communication schema extraction system, malicious communication schema extraction method and malicious communication schema extraction program | |
CN108206769A (en) | Method, apparatus, equipment and the medium of screen quality alarm | |
US10419351B1 (en) | System and method for extracting signatures from controlled execution of applications and application codes retrieved from an application source | |
CN108566384A (en) | A kind of flow attacking means of defence, device, protection server and storage medium | |
CN109728977A (en) | JAP anonymity flow rate testing methods and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||