CN115580565A - Application protocol analysis method, device and storage medium - Google Patents
- Publication number: CN115580565A (application CN202211228937.5A)
- Authority: CN (China)
- Legal status: Pending
Classifications
- H04L43/18: Protocol analysers (H04L43/00, Arrangements for monitoring or testing data switching networks)
- H04L69/22: Parsing or analysis of headers (H04L69/00, Network arrangements, protocols or services independent of the application payload)
Abstract
The invention provides an application protocol analysis method, an application protocol analysis device and a storage medium. The method comprises the following steps: identifying the traffic data of an application and determining a basic application protocol; parsing the basic application protocol to determine the basic information elements of the basic application protocol; when the basic application protocol carries a service application protocol, performing secondary identification on the parsing result based on the basic information elements and determining the type of the service application protocol; and performing secondary parsing on the service application protocol based on its type. In the application protocol analysis method, device and storage medium provided by the invention, the application traffic data is first identified and the protocol is verified by the parser, which ensures identification accuracy; the identified application protocol is then identified and parsed a second time, so that a refined application protocol can be obtained.
Description
Technical Field
The present invention relates to the field of internet technologies, and in particular, to an application protocol parsing method, an application protocol parsing device, and a storage medium.
Background
Nowadays, internet application protocols are massive in number and multi-layered: a large number of application protocols are carried on protocols such as the Hypertext Transfer Protocol (HTTP), the Message Queue Telemetry Transport protocol (MQTT), the Session Initiation Protocol (SIP) and Transport Layer Security (TLS), and port multiplexing is widespread. Because a large number of application protocols multiplex the standard ports, the correspondence between a port and an application protocol has almost disappeared.
These characteristics of internet application protocols give the traditional method of identifying an application protocol by port and feature word a high misjudgment rate and make fine-grained identification difficult, so the approach of parsing an application protocol with a dedicated protocol parser struggles to cope with the massive number of application protocols.
Disclosure of Invention
The invention provides an application protocol analysis method, an application protocol analysis device and a storage medium, which address the high misjudgment rate of the prior art on massive numbers of application protocols and achieve refined identification and parsing of those protocols.
The invention provides an application protocol analysis method, which comprises the following steps:
identifying the traffic data of an application and determining a basic application protocol;
parsing the basic application protocol to determine the basic information elements of the basic application protocol;
when the basic application protocol carries a service application protocol, performing secondary identification on the parsing result based on the basic information elements, and determining the type of the service application protocol;
and performing secondary parsing on the service application protocol based on the type of the service application protocol.
In some embodiments, identifying the traffic data of the application and determining the basic application protocol includes:
identifying the traffic data of the application based on protocol feature words and non-multiplexed standard ports, and determining the basic application protocol.
In some embodiments, parsing the basic application protocol to determine the basic information elements of the basic application protocol includes:
parsing the basic application protocol in sequence with preset basic protocol parsers, and determining the basic information elements corresponding to the basic application protocol.
In some embodiments, when the basic application protocol carries a service application protocol, performing secondary identification on the parsing result based on the basic information elements and determining the type of the service application protocol includes:
performing secondary identification on the parsing result based on a multidimensional feature set formed from the basic information elements, and determining the service application protocol and the type of the service application protocol.
In some embodiments, performing secondary parsing on the service application protocol based on the type of the service application protocol includes:
determining the corresponding service application parser based on the type of the service application protocol;
and performing secondary parsing on the service application protocol with the corresponding service application parser.
The invention also provides an application protocol analysis device, which comprises:
a first identification module, used to identify the traffic data of an application and determine a basic application protocol;
a first parsing module, used to parse the basic application protocol and determine the basic information elements of the basic application protocol;
a second identification module, used to perform secondary identification on the parsing result based on the basic information elements when the basic application protocol carries a service application protocol, and to determine the type of the service application protocol;
and a second parsing module, used to perform secondary parsing on the service application protocol based on the type of the service application protocol.
In some embodiments, the first identification module is specifically configured to:
identify the traffic data of the application based on protocol feature words and non-multiplexed standard ports, and determine the basic application protocol.
The invention also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the application protocol analysis method.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements an application protocol parsing method as described in any of the above.
The invention also provides a computer program product comprising a computer program which, when executed by a processor, implements the application protocol parsing method as described in any of the above.
In the application protocol analysis method, device and storage medium provided by the invention, the application traffic data is first identified and the protocol is verified by the parser, which ensures identification accuracy; the identified application protocol is then identified and parsed a second time, so that a refined application protocol can be obtained.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of an application protocol parsing method according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an application protocol parsing system according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an application protocol parsing apparatus according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides an application protocol analysis method, which comprises the following steps:
101, identifying the traffic data of an application and determining a basic application protocol;
102, parsing the basic application protocol to determine the basic information elements of the basic application protocol;
103, when the basic application protocol carries a service application protocol, performing secondary identification on the parsing result based on the basic information elements to determine the type of the service application protocol;
and 104, performing secondary parsing on the service application protocol based on the type of the service application protocol.
It should be noted that the execution subject of the application protocol parsing method provided by the present invention may be an electronic device, a component in an electronic device, an integrated circuit, or a chip. The electronic device may be a mobile electronic device or a non-mobile electronic device. By way of example, the mobile electronic device may be a mobile phone, a tablet computer, a notebook computer, a palm top computer, a vehicle-mounted electronic device, a wearable device, an ultra-mobile personal computer (UMPC), a netbook or a Personal Digital Assistant (PDA), and the like, and the non-mobile electronic device may be a server, a Network Attached Storage (NAS), a Personal Computer (PC), a Television (TV), a teller machine or a self-service machine, and the like, and the present invention is not particularly limited.
Optionally, in the embodiment of the present invention, the massive set of application protocols is divided into two layers: a basic application protocol layer and a service application protocol layer.
A basic application protocol is an application protocol with a standard or otherwise specified format, for example the File Transfer Protocol (FTP), the Simple Mail Transfer Protocol (SMTP), HTTP, MQTT and TLS. Basic application protocols that can carry a service application protocol, such as HTTP and TLS, are also called basic bearer protocols. The number of basic application protocols is small and their format standards are clear.
A service application protocol is an application protocol carried on a basic application protocol. The number of service application protocols is extremely large; the format of the bearer protocol is standardized, but the format of the service application data is mostly proprietary.
Optionally, in step 101, the traffic data of the application is identified and the basic application protocol is determined.
The traffic data of the application can be identified using the features of the basic application protocols, which identifies the basic application protocol.
The features of a basic application protocol may be protocol feature words and non-multiplexed standard ports.
In step 102, the basic application protocol is parsed to determine the basic information elements of the basic application protocol.
When the basic application protocol has been identified, the corresponding dedicated basic application protocol parser is used to parse the information of the basic application protocol and determine its basic information elements, such as the domain name and Uniform Resource Locator (URL) of HTTP.
The features of a basic application protocol are simple and few, so a feature does not always determine a unique basic application protocol. When a basic application protocol feature corresponds to several basic application protocols, the basic application protocol parsers corresponding to that feature must be traversed until parsing succeeds or all of them have been tried.
In step 103, when the basic application protocol carries a service application protocol, secondary identification is performed on the parsing result based on the basic information elements, and the type of the service application protocol is determined.
When the basic application protocol carries a service application protocol, that is, when the basic application protocol is a basic bearer protocol, secondary fine-grained identification and parsing are needed, namely service application identification and parsing.
For a service application protocol, protocol identification can use service application protocol features. These features mainly consist of several important basic information elements extracted by the basic application protocol parser, such as the domain name and Uniform Resource Locator (URL) of HTTP.
The service application protocol features combine several important basic information elements, so the service application protocol can be determined accurately.
When the service application protocol is identified successfully, the service application protocol and the service application type are obtained, and protocol parsing is performed with the templated service application parser corresponding to that service application type.
In step 104, secondary parsing is performed on the service application protocol based on the type of the service application protocol.
The massive set of service application protocols can be classified into service application types such as instant messaging, games, live streaming and social networking. Each service application type uses one templated service application protocol parser, and through templated configuration that parser can support parsing of many service applications.
In the application protocol analysis method provided by the embodiment of the invention, the application traffic data is first identified and the protocol is verified by the parser, which ensures identification accuracy; the identified application protocol is then identified and parsed a second time, so that a refined application protocol can be obtained.
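The two-level pipeline of steps 101 to 104, as an added Python example that is not code from the patent: a constructed feature-word table and non-multiplexed port table yield candidate basic protocols, the candidate parsers are tried in order until one succeeds or the list is exhausted, and the information elements of a bearer protocol (domain, URL, user agent) are matched against a constructed multidimensional feature set to select a templated service parser. Every protocol name, pattern, template and sample payload here is an illustrative assumption.

```python
import re

# Constructed knowledge base (assumption, not the patent's): feature words and
# non-multiplexed standard ports for the small basic application protocol set.
# A feature word may map to several protocols, so step 101 yields a candidate list.
FEATURE_WORDS = [
    (re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n"), ["HTTP"]),
    (re.compile(rb"^220[ -]"), ["SMTP", "FTP"]),      # "220" greeting is shared by both
    (re.compile(rb"^\x16\x03[\x00-\x03]"), ["TLS"]),  # TLS record header
]
STANDARD_PORTS = {21: ["FTP"], 25: ["SMTP"], 1883: ["MQTT"]}  # 80/443 omitted: multiplexed
BEARER_PROTOCOLS = {"HTTP", "TLS"}  # basic protocols that may carry a service protocol


def identify_basic(payload: bytes, dst_port: int) -> list:
    """Step 101: feature-word match first, non-multiplexed port table as fallback."""
    for pattern, protocols in FEATURE_WORDS:
        if pattern.match(payload):
            return list(protocols)
    return list(STANDARD_PORTS.get(dst_port, []))


# Step 102: basic parsers. Each returns the protocol's basic information
# elements, or None when the payload does not actually parse as that protocol.
def parse_http(payload: bytes):
    lines = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    m = re.match(rb"^(\w+) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode(errors="replace")] = value.strip().decode(errors="replace")
    if "host" not in headers:  # a request without Host is rejected as malformed
        return None
    return {"method": m.group(1).decode(), "domain": headers["host"],
            "url": m.group(2).decode(), "user_agent": headers.get("user-agent", "")}


def parse_smtp(payload: bytes):
    m = re.match(rb"^220[ -](\S+).*SMTP", payload.split(b"\r\n")[0])
    return {"server": m.group(1).decode()} if m else None


def parse_ftp(payload: bytes):
    first = payload.split(b"\r\n")[0]
    if not re.match(rb"^220[ -].*FTP", first, re.IGNORECASE):
        return None
    return {"banner": first.decode(errors="replace")}


BASIC_PARSERS = {"HTTP": parse_http, "SMTP": parse_smtp, "FTP": parse_ftp}

# Step 103: constructed service application feature set. Each entry is a
# multidimensional feature (several basic information elements combined) that
# names the service application protocol and its service application type.
SERVICE_FEATURES = [
    ([("domain", r"^chat\.example$"), ("url", r"^/api/msg/")], "ExampleChat", "instant_messaging"),
    ([("domain", r"\.example$"), ("url", r"^/live/"), ("user_agent", r"Player")], "ExampleLive", "live_streaming"),
]
# Step 104: templated service parsers, one template per service protocol (regex
# groups over the URL element; a real template would cover the payload as well).
SERVICE_TEMPLATES = {
    "ExampleChat": {"room": r"^/api/msg/(\w+)"},
    "ExampleLive": {"stream_id": r"^/live/(\d+)"},
}


def identify_service(elements: dict):
    for conditions, name, svc_type in SERVICE_FEATURES:
        if all(re.search(rx, elements.get(key, "")) for key, rx in conditions):
            return name, svc_type
    return None


def parse_service(name: str, svc_type: str, elements: dict) -> dict:
    out = {"service_type": svc_type, "service_protocol": name}
    for field, rx in SERVICE_TEMPLATES[name].items():
        m = re.search(rx, elements["url"])
        out[field] = m.group(1) if m else None
    return out


def analyse(payload: bytes, dst_port: int) -> dict:
    """Run steps 101-104 over the first payload of one flow."""
    candidates = identify_basic(payload, dst_port)
    for proto in candidates:  # traverse the candidate parsers in order
        parser = BASIC_PARSERS.get(proto)  # no parser registered counts as a failure
        elements = parser(payload) if parser else None
        if elements is not None:
            break
    else:  # all candidates exhausted: the identification was wrong
        return {"basic_protocol": "UNKNOWN", "candidates": candidates}
    result = {"basic_protocol": proto, "elements": elements}
    if proto not in BEARER_PROTOCOLS:
        return result
    hit = identify_service(elements)
    if hit is not None:
        name, svc_type = hit
        result["service"] = parse_service(name, svc_type, elements)
    return result


# Constructed sample payloads (not captured traffic).
HTTP_CHAT = b"POST /api/msg/room42 HTTP/1.1\r\nHost: chat.example\r\nUser-Agent: x\r\n\r\n{}"
FTP_BANNER = b"220 ProFTPD Server ready\r\n"
GARBAGE = b"\x00\x01not a known protocol"

if __name__ == "__main__":
    for sample, port in ((HTTP_CHAT, 8080), (FTP_BANNER, 21), (GARBAGE, 9999)):
        print(analyse(sample, port))
```

The shared `220` greeting makes an SMTP banner and an FTP banner indistinguishable at the feature-word stage, so both arrive as candidates; only traversing the candidate parsers settles which one it is, which is the verification role the text assigns to the parser. A payload that no candidate parser accepts is reported as unknown rather than trusted on the strength of the feature hit alone.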
In some embodiments, identifying the traffic data of the application and determining the basic application protocol includes:
identifying the traffic data of the application based on protocol feature words and non-multiplexed standard ports, and determining the basic application protocol.
Optionally, the traffic data of the application may be captured using the Data Plane Development Kit (DPDK). An Access Control List (ACL) is used to manage flows, Internet Protocol (IP) fragments are reassembled, Transmission Control Protocol (TCP) segments are reassembled, and the necessary information elements of the protocols below the application layer, such as IP addresses and ports, are extracted.
Based on the extracted information elements, the traffic data of the application is identified using the protocol feature words and the non-multiplexed standard ports to determine the basic application protocol, so that the corresponding basic application protocol parser can then be used to parse it.
In some embodiments, parsing the basic application protocol to determine the basic information elements of the basic application protocol includes:
parsing the basic application protocol in sequence with preset basic protocol parsers, and determining the basic information elements corresponding to the basic application protocol.
When the basic application protocol has been identified, the corresponding dedicated basic application protocol parser is used to parse the information of the basic application protocol and determine its basic information elements.
The features of a basic application protocol are simple and few, so a feature does not always determine a unique basic application protocol. When a basic application protocol feature corresponds to several basic application protocols, the basic application protocol parsers corresponding to that feature must be traversed until parsing succeeds or all of them have been tried.
If all basic application protocol parsers have been traversed and none has parsed the identified basic application protocol successfully, the identification result is considered wrong, and the application protocol of that traffic data is considered an unknown application protocol.
Dividing application protocols into the two levels of basic application protocol and service application protocol keeps the basic application protocol set small, which improves both the accuracy of protocol identification and the efficiency of protocol parsing.
In the application protocol analysis method provided by the embodiment of the invention, identification accuracy is ensured by first identifying the traffic data of the application and at the same time verifying the protocol with the parser.
In some embodiments, when the basic application protocol carries a service application protocol, performing secondary identification on the parsing result based on the basic information elements and determining the type of the service application protocol includes:
performing secondary identification on the parsing result based on a multidimensional feature set formed from the basic information elements, and determining the service application protocol and the type of the service application protocol.
When the basic application protocol carries a service application protocol, that is, when the basic application protocol is a basic bearer protocol, secondary fine-grained identification and parsing are required, namely service application identification and parsing.
For a service application protocol, protocol identification can use service application protocol features. These features are mainly a multidimensional feature set formed from several important basic information elements extracted by the basic application protocol parser, such as the domain name and Uniform Resource Locator (URL) of HTTP. Combining several important basic information elements into a multidimensional feature set allows the service application protocol to be determined accurately.
When the service application protocol is identified successfully, the service application protocol and the service application type are obtained, and protocol parsing is performed with the templated service application parser corresponding to that service application type.
In the application protocol analysis method provided by the embodiment of the invention, the application traffic data is first identified and the protocol is verified by the parser, which ensures identification accuracy; the identified application protocol is then identified and parsed a second time, so that a refined application protocol can be obtained.
In some embodiments, performing secondary parsing on the service application protocol based on the type of the service application protocol includes:
determining the corresponding service application parser based on the type of the service application protocol;
and performing secondary parsing on the service application protocol with the corresponding service application parser.
The massive set of service application protocols is classified into service application types such as instant messaging, games, live streaming and social networking. Each service application type uses one templated service application protocol parser, and through templated configuration that parser can support parsing of many service applications.
Performing secondary parsing on different types of service application protocol with different types of service application protocol parser improves parsing efficiency.
In the application protocol analysis method provided by the embodiment of the invention, service application protocols are classified by application type and each application type has one processing template, so a large number of service application protocols to be processed can be configured conveniently through the templates, giving the method good extensibility.
Fig. 2 is an application protocol parsing system provided in an embodiment of the present invention. Referring to fig. 2, the system comprises an input management module 10, a basic application identification and parsing module 20, a service application identification and parsing module 30, an unknown application protocol processing module 40, an output management module 50 and a knowledge base management module 60.
The input management module 10 executes the raw data stream processing method: receiving messages at high traffic rates, creating and managing flows, reassembling IP fragments, ordering TCP streams, and extracting lower-layer information.
The basic application identification and parsing module 20 executes the method of initial identification and parsing of the traffic, completing basic protocol identification and basic protocol parsing.
The service application identification and parsing module 30 executes the secondary identification and parsing method on the primary parsing result, completing secondary identification of the service application on the basic bearer protocol and parsing of the service application.
The unknown application protocol processing module 40 executes the miss handling method, logging or discarding unknown applications.
The output management module 50 executes the processing result output method, completing templated output of the protocol and application processing results and customization of the output templates.
The knowledge base management module 60 executes the management method for the protocol feature bases and the protocol parser bases, implementing management of the basic protocol identification features, the basic protocol parsers, the service protocol identification feature base, the service protocol parsing feature base and the service application parsers.
Specifically, the workflow of the application protocol parsing system is as follows:
S1. The knowledge base management module 60 initializes the knowledge base, initializing the feature bases and the parser bases in turn.
Specifically: initialize the basic application protocol identification feature base (comprising a protocol feature base and a non-multiplexed standard port base) and the basic application protocol parsers;
initialize the service application protocol identification feature base, the service application type parsers and the service application protocol parsing template base.
S2. The input management module 10 uses DPDK to receive high-rate input, uses ACLs to manage flows, reassembles IP fragments, reassembles TCP segments, and extracts the necessary information elements, such as IP addresses and ports, from the protocols below the application layer. The processing result and the original traffic are forwarded to the basic application identification and parsing module 20.
S3. The basic application identification and parsing module 20 performs initial identification on the traffic by matching the basic application protocol identification feature base, then parses the traffic according to the pre-judged basic application protocol, calling the corresponding basic application protocol parsers in turn until parsing succeeds or the traversal is complete.
Specifically:
S3.1. Initial identification of the traffic: the feature base is matched first with Hyperscan; on a miss, the port feature base is matched through a port mapping table. When a basic application protocol identification feature hits, basic application parsing is performed on the traffic with the pre-judged basic application protocol; otherwise the traffic is forwarded to the unknown application protocol processing module.
S3.2. The corresponding basic application protocol parsers are called in turn for the possible basic application protocols obtained, until parsing succeeds or the traversal is complete. If all possible parsers have been traversed and none succeeded, the traffic is forwarded to the unknown application protocol processing module.
If parsing succeeds and the protocol is not a basic bearer protocol, parsing is complete and the result is forwarded to the output management module.
If parsing succeeds and the protocol is a basic bearer protocol, the parsing result is forwarded to the service application identification and parsing module.
S4. The service application identification and parsing module 30 performs secondary identification on the primary parsing result by matching the service application protocol identification feature base, looks up the service application type parser corresponding to the service application type for secondary parsing, and forwards the parsing result to the output management module.
Specifically:
S4.1. Secondary identification is performed on the primary parsing result using the combination of key information elements. If secondary identification fails, the primary parsing result is forwarded to the output management module; if it succeeds, service application parsing is performed on the primary parsing result and the secondary identification result.
S4.2. The service type parser corresponding to the service application type is looked up for parsing; that parser looks up the service application protocol parsing template corresponding to the service application protocol and performs secondary parsing. The parsing result is forwarded to the output management module.
S5. The unknown application protocol processing module 40 discards the traffic or forms a log, according to the service requirement, and forwards the log to the output management module.
The unknown application protocol processing module 40 reads the unknown protocol processing strategy: if the strategy is discard, the unknown application protocol is discarded directly; if the strategy is save, a log of the unknown application protocol trace is formed and forwarded to the output management module 50.
S6. The output management module 50 completes output of the application protocol identification and parsing results.
The output management module 50 reads the output template base and converts the application protocol identification and parsing results into the format specified by the output template base for output.
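Steps S5 and S6 of the workflow, as an added Python example that is not the patent's code: the unknown application protocol processing module reads a strategy (`discard` or `save`) and either drops the flow or forms a trace record, and the output management module projects any result record onto a named template from an output template base before serialising it. The template base, the strategy values, the record layout, the output formats and the sample records are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed output template base (assumption): template name -> ordered
# (column, dotted path into the result record, default when absent) triples.
# The defaults let one template serve records that stopped at different stages.
OUTPUT_TEMPLATES = {
    "flow_summary": [
        ("ts", "ts", ""), ("src", "flow.src", ""), ("dst", "flow.dst", ""),
        ("basic_protocol", "basic_protocol", "UNKNOWN"),
        ("domain", "elements.domain", "-"),
        ("service_type", "service.service_type", "-"),
        ("service_protocol", "service.service_protocol", "-"),
    ],
    "unknown_audit": [
        ("ts", "ts", ""), ("src", "flow.src", ""), ("dst", "flow.dst", ""),
        ("candidates", "candidates", []), ("payload_len", "payload_len", 0),
    ],
}


def lookup(record: dict, path: str, default):
    """Resolve a dotted path; a missing key anywhere along it yields the default."""
    node = record
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def handle_unknown(flow: dict, candidates: list, payload: bytes, policy: str):
    """S5: apply the unknown-protocol strategy. "discard" drops the flow and
    returns None; "save" forms a trace record that is forwarded to S6."""
    if policy == "discard":
        return None
    if policy != "save":
        raise ValueError(f"unknown protocol processing strategy: {policy!r}")
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "flow": flow,
        "basic_protocol": "UNKNOWN",
        "candidates": candidates,      # which feature hits were tried and failed
        "payload_len": len(payload),   # size only; payload bytes are not logged
    }


def project(record: dict, template_name: str) -> dict:
    """S6: project a result record onto the columns of a named output template."""
    return {col: lookup(record, path, default)
            for col, path, default in OUTPUT_TEMPLATES[template_name]}


def render(record: dict, template_name: str, fmt: str = "csv") -> str:
    """S6: serialise the projected record in the requested output format."""
    row = project(record, template_name)
    if fmt == "csv":
        buf = io.StringIO()
        csv.writer(buf, lineterminator="").writerow(
            ["|".join(map(str, v)) if isinstance(v, list) else v for v in row.values()])
        return buf.getvalue()
    if fmt == "kv":
        return " ".join(f"{k}={v}" for k, v in row.items())
    raise ValueError(f"unsupported output format: {fmt!r}")


# Constructed result record, shaped as the parsing modules would forward it.
PARSED = {"ts": "2024-01-01T00:00:00+00:00",
          "flow": {"src": "10.0.0.5:51000", "dst": "10.0.0.9:80"},
          "basic_protocol": "HTTP",
          "elements": {"domain": "chat.example", "url": "/api/msg/room42"},
          "service": {"service_type": "instant_messaging", "service_protocol": "ExampleChat"}}

if __name__ == "__main__":
    print(render(PARSED, "flow_summary"))
    rec = handle_unknown({"src": "10.0.0.5:51001", "dst": "10.0.0.9:9999"},
                         ["SMTP", "FTP"], b"\x00\x01", "save")
    print(render(rec, "unknown_audit", "kv"))
```

Keeping the template as data (column, path, default) is what makes the output "templated" in the sense of the text: a record that stopped after basic parsing and one that completed service parsing both render through the same template, and an unrecognised strategy name fails loudly instead of silently saving or dropping traffic.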
The application protocol parsing system provided by the embodiment of the invention has the following beneficial effects:
(1) Advanced: the small set of basic application protocols is handled by protocol splitting and the large set of service application protocols is handled by classification; layered processing guarantees the processing performance of each layer, and a multi-pattern matching algorithm guarantees matching performance at each stage.
(2) Reliable, with accurate application identification: the feature base is used for primary identification and the parser for protocol verification, which ensures identification accuracy; the identified application protocol then undergoes secondary identification, so that a refined application protocol can be obtained.
(3) Extensible: service application protocols are classified by application type and each application type has one set of processing templates, so a large number of service application protocols to be processed can be configured conveniently through the templates.
The application protocol parsing apparatus provided by the present invention is described below; the apparatus described below and the application protocol parsing method described above may be referred to in correspondence with each other.
Fig. 3 shows an application protocol parsing apparatus provided in an embodiment of the present invention; referring to fig. 3, the apparatus includes:
a first identification module 310, configured to identify the traffic data of an application and determine a basic application protocol;
a first parsing module 320, configured to parse the basic application protocol and determine the basic information elements of the basic application protocol;
a second identification module 330, configured to perform secondary identification on the parsing result based on the basic information elements and determine the type of the service application protocol when the basic application protocol carries a service application protocol; and
a second parsing module 340, configured to perform secondary parsing on the service application protocol based on the type of the service application protocol.
The application protocol parsing apparatus provided by the embodiment of the invention ensures identification accuracy by performing primary identification on the traffic data of the application and protocol verification with the parser, and obtains a refined application protocol by performing secondary identification and parsing on the identified application protocol.
Optionally, the first identification module 310 is specifically configured to:
identify the traffic data of the application based on protocol feature words and non-multiplexed standard ports, and determine the basic application protocol.
Optionally, the first parsing module 320 is specifically configured to:
parse the basic application protocols in sequence based on preset basic protocol parsers, and determine the basic information elements corresponding to each basic application protocol.
Optionally, the second identification module 330 is specifically configured to:
perform secondary identification on the parsing result based on a multidimensional feature set formed from the basic information elements, and determine the service application protocol and the type of the service application protocol.
Optionally, the second parsing module 340 is specifically configured to:
determine the corresponding service application parser based on the type of the service application protocol; and
perform secondary parsing on the service application protocol based on that service application parser.
Fig. 4 illustrates the physical structure of an electronic device. As shown in fig. 4, the device may include a processor 410, a communication interface 420, a memory 430 and a communication bus 440, where the processor 410, the communication interface 420 and the memory 430 communicate with each other via the communication bus 440. The processor 410 may invoke logic instructions in the memory 430 to perform an application protocol parsing method comprising:
identifying the traffic data of the application and determining a basic application protocol;
parsing the basic application protocol and determining the basic information elements of the basic application protocol;
when the basic application protocol carries a service application protocol, performing secondary identification on the parsing result based on the basic information elements and determining the type of the service application protocol; and
performing secondary parsing on the service application protocol based on the type of the service application protocol.
In addition, the logic instructions in the memory 430 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as independent products. On this understanding, the technical solution of the present invention, or the part of it that substantially contributes over the prior art, may be embodied as a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium; when the computer program is executed by a processor, the computer is able to execute the application protocol parsing method provided by the methods above, which includes:
identifying the traffic data of the application and determining a basic application protocol;
parsing the basic application protocol and determining the basic information elements of the basic application protocol;
when the basic application protocol carries a service application protocol, performing secondary identification on the parsing result based on the basic information elements and determining the type of the service application protocol; and
performing secondary parsing on the service application protocol based on the type of the service application protocol.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program carries out the application protocol parsing method provided by the methods above, which includes:
identifying the traffic data of the application and determining a basic application protocol;
parsing the basic application protocol and determining the basic information elements of the basic application protocol;
when the basic application protocol carries a service application protocol, performing secondary identification on the parsing result based on the basic information elements and determining the type of the service application protocol; and
performing secondary parsing on the service application protocol based on the type of the service application protocol.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. An application protocol parsing method, comprising:
identifying the traffic data of an application and determining a basic application protocol;
parsing the basic application protocol and determining the basic information elements of the basic application protocol;
when the basic application protocol carries a service application protocol, performing secondary identification on the parsing result based on the basic information elements and determining the type of the service application protocol; and
performing secondary parsing on the service application protocol based on the type of the service application protocol.
2. The method according to claim 1, wherein identifying the traffic data of the application and determining the basic application protocol comprises:
identifying the traffic data of the application based on protocol feature words and non-multiplexed standard ports, and determining the basic application protocol.
3. The method according to claim 1, wherein parsing the basic application protocol and determining the basic information elements of the basic application protocol comprises:
parsing the basic application protocols in sequence based on preset basic protocol parsers, and determining the basic information elements corresponding to each basic application protocol.
4. The method according to claim 3, wherein, when the basic application protocol carries a service application protocol, performing secondary identification on the parsing result based on the basic information elements to determine the type of the service application protocol comprises:
performing secondary identification on the parsing result based on a multidimensional feature set formed from the basic information elements, and determining the service application protocol and the type of the service application protocol.
5. The method according to claim 1, wherein performing secondary parsing on the service application protocol based on the type of the service application protocol comprises:
determining the corresponding service application parser based on the type of the service application protocol; and
performing secondary parsing on the service application protocol based on that service application parser.
6. An application protocol parsing apparatus, comprising:
a first identification module, configured to identify the traffic data of an application and determine a basic application protocol;
a first parsing module, configured to parse the basic application protocol and determine the basic information elements of the basic application protocol;
a second identification module, configured to perform secondary identification on the parsing result based on the basic information elements when the basic application protocol carries a service application protocol, and determine the type of the service application protocol; and
a second parsing module, configured to perform secondary parsing on the service application protocol based on the type of the service application protocol.
7. The application protocol parsing apparatus according to claim 6, wherein the first identification module is specifically configured to:
identify the traffic data of the application based on protocol feature words and non-multiplexed standard ports, and determine the basic application protocol.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the application protocol parsing method according to any one of claims 1 to 5 when executing the program.
9. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the application protocol parsing method according to any one of claims 1 to 5.
10. A computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements the application protocol parsing method of any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211228937.5A CN115580565A (en) | 2022-10-09 | 2022-10-09 | Application protocol analysis method, device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115580565A true CN115580565A (en) | 2023-01-06 |
Family
ID=84584298
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170208008A1 (en) * | 2015-12-31 | 2017-07-20 | F5 Networks, Inc. | Transparent control and transfer of network protocols |
CN110971487A (en) * | 2019-11-26 | 2020-04-07 | 武汉虹信通信技术有限责任公司 | Network protocol identification method and device |
CN112600844A (en) * | 2020-12-15 | 2021-04-02 | 北京天融信网络安全技术有限公司 | Data security detection method and device, storage medium and electronic equipment |
CN112887289A (en) * | 2021-01-19 | 2021-06-01 | 恒安嘉新(北京)科技股份公司 | Network data processing method and device, computer equipment and storage medium |
CN115086452A (en) * | 2022-06-14 | 2022-09-20 | 苏州市职业大学 | Campus network traffic identification method, device, equipment and storage medium |
Non-Patent Citations (1)
Title |
---|
金冬成: "Protocol analysis in a P2P detection and control system", 中国新通信 (China New Telecommunications), no. 23, 5 December 2008 (2008-12-05), pages 14-17 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||