CN101582897A - Deep packet inspection method and device - Google Patents

Deep packet inspection method and device

Info

Publication number
CN101582897A
Authority
CN
China
Prior art keywords
business
message
nested
configuration file
bearing type
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2009101078229A
Other languages
Chinese (zh)
Inventor
方新球
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2009-06-02
Filing date: 2009-06-02
Publication date: 2009-11-18
Application filed by ZTE Corp
Priority to CNA2009101078229A
Publication of CN101582897A
Priority claimed by PCT/CN2010/072897 (published as WO2010139237A1)
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0245 Filtering by information in the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of data communication, in particular to a deep packet inspection method and device. A signature configuration file runs on a server to identify the type of a packet. The method comprises the following steps: the server first performs carrier-type service signature detection on the packet according to the signature configuration file; if the detection result confirms a carrier-type service, the packet is further subjected to nested-type service signature detection according to the settings of the signature configuration file. By configuring a progressive lookup relationship, the method and device perform carrier-type and nested-type service detection on the packet separately, which improves the detection hit rate. Furthermore, the signature combinations are simple, easy to modify and convenient to extend.

Description

A deep packet inspection method and device
Technical field
The present invention relates to the field of data communication, and in particular to a deep packet inspection method and device that improve the packet detection hit rate in a traffic identification and control system.
Background
With the rapid development of Internet technology, the content carried on the network has become ever richer, and Internet service providers offer more and more service content to customers; these services can be distinguished into different applications. This requires network equipment to provide complex packet processing capabilities, to distinguish between different applications, and to provide different levels of bandwidth for different applications.
In the past, network equipment distinguished applications using header information at layer 4 and below; the commonly used fields were the layer-2 MAC address, the five-tuple, and so on. As network applications became richer, header information from layer 4 and below could no longer fully distinguish different applications, and it became necessary to inspect above layer 4, even the packet content itself, and analyse the application layer in order to distinguish different applications. This is the origin of deep packet inspection.
The main technical means of deep packet inspection are matching signatures (feature strings) in the packet and analysing the packet's application-layer protocol. Signatures can be configured according to the user's own needs, but in practice packet content is highly random, and a user-configured signature may not achieve the intended effect and may to some extent cause false hits. False hits can cause an inappropriate policy to be applied to some flows, affecting normal traffic.
Many current services are nested services, that is, one application is carried inside another. For example, many of the interaction packets of BT (BitTorrent) distribution protocol, POCO (People Connection) peer-to-peer service, and SIP (Session Initiation Protocol) applications are carried over the HTTP (Hypertext Transfer Protocol) protocol. HTTP is the carrier-type service, while the real service is BT, POCO, VoIP (Voice over Internet Protocol) and so on. Current deep packet inspection methods are all based on fairly simple combinations of one or more signatures, and such methods have difficulty detecting nested services.
In the prior art, to detect the actual service, complex signature combinations are usually configured for detection. This greatly affects software performance, for example by reducing the signature lookup speed and the packet forwarding speed, and under high traffic it can also cause packet loss. Services nested at multiple levels are even harder to detect.
Summary of the invention
The objective of the invention is to disclose a deep packet inspection method and device that improve the detection hit rate by configuring a progressive lookup relationship.
The invention discloses a deep packet inspection method in which a signature configuration file for identifying the packet type runs on a server. The method comprises the following steps: the server first performs carrier-type service signature detection on the packet according to the signature configuration file; if the detection result confirms a carrier-type service, it further performs nested-type service signature detection on the packet according to the settings of the signature configuration file.
The signature configuration file is set so that nested-type service signature detection is performed after the carrier-type service type has been determined.
The disclosed deep packet inspection method also comprises: determining the service type according to the detection result, and then issuing a policy according to the service type.
The carrier-type service comprises the HTTP (Hypertext Transfer Protocol) service; the nested-type service comprises the BT distribution protocol service, the POCO peer-to-peer service and the SIP (Session Initiation Protocol) service.
The invention also discloses a deep packet inspection device for running the signature configuration file that identifies the packet type. It comprises a storage module for storing the signature configuration file and a signature detection module for performing signature detection on packets. The signature detection module first performs carrier-type service signature detection on the packet according to the signature configuration file; if the detection result confirms a carrier-type service, it further performs nested-type service signature detection on the packet according to the settings of the signature configuration file.
The disclosed deep packet inspection device also comprises a policy issuing module, which determines the service type according to the detection result output by the signature detection module and issues a policy according to the service type.
In the storage module, memory table entry 1 of the signature configuration file stores the carrier-type service signature, and memory table entry 2 stores the nested-type service signature. The signature detection module first detects the packet against the carrier-type service signature in memory table entry 1; after the carrier-type service signature hits, it automatically detects the packet again against the nested-type service signature in memory table entry 2. If that hits too, the packet is determined to be the nested-type service and the nested-type service policy is issued; otherwise it is determined to be the carrier-type service and the carrier-type service policy is issued.
The carrier-type service comprises the HTTP service; the nested-type service comprises the BT distribution protocol service, the POCO service and the SIP service.
The disclosed deep packet inspection method and device perform carrier-type and nested-type service detection on the packet separately by configuring a progressive lookup relationship, which improves the detection hit rate. The advantages are as follows: the hit rate of deep packet inspection is effectively improved and false hits are reduced; the signature combinations are simple; modification is easy and extension is convenient.
Description of drawings
Fig. 1 is the flow chart of the deep packet inspection method of the present invention.
Fig. 2 is the functional block diagram of the deep packet inspection device of the present invention.
Embodiment
The processing steps of the method of the invention are as follows:
Step one: analyse the carrier-type service application (such as HTTP), and determine the service characteristics and the signatures that can identify the carrier service application;
Step two: analyse the nested-type service application and determine the signatures that can identify the service application at each level; a combination of several keywords may be configured at each level of the lookup;
Step three: for the identification of the nested service, combine the feature identification method of each level to determine the progressive lookup scheme for the final traffic identification (that is, first detect the basic carrier service type, then analyse the real service type layer by layer);
Step four: configure the progressive lookup relationship through the command line; for example, for the HTTP service, configure its attribute to indicate that after the packet has been determined to be an HTTP service application a further signature lookup is still required, so that the possible actual service is finally determined;
Step five: save the modified configuration file and run the command that brings the configuration file into effect.
The invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is the flow chart of the deep packet inspection method of the present invention; the embodiment of the method is as follows:
Step 101: determine the initial configuration of the signatures of the various current services;
Step 102: determine the carrier-type service applications and the nested-type service applications;
Step 102 is implemented as follows: run these services in the actual environment, capture the packets exchanged during communication with a packet capture tool, analyse the packet content, and establish which services are carrier-type services and which are nested-type services;
Step 103: for the carrier-type service, analyse the payload of its packets in detail, find the field that best embodies the characteristics of this service, and use it as the signature of this service;
Step 104: for the nested-type service, analyse the payload of its packets in detail, establish the relationship between the services at each level, find the field that best embodies the service characteristics at each level, and use these as the signatures of the services at each level;
Step 105: configure the signature of the carrier-type service, then configure the signatures of each level of the nested-type service, and finally associate the signatures of the levels of the nested-type service together effectively by setting flag bits;
If the user needs to apply different transmission and forwarding policies to different services, for example policy 1 to the carrier-type service and policy 2 to the nested-type service, this can be achieved by configuring the progressive lookup relationship (suppose the signature of the carrier-type service is A and the signature of the nested-type service is B): by setting the attributes of the carrier-type service and the nested-type service, the device can automatically parse their signatures and the progressive relationship between the signatures. For example, after automatic parsing the device stores signature A of the carrier-type service in memory table entry 1 and signature B of the nested-type service in memory table entry 2. The progressive relationship is then embodied as follows: the device first searches memory table entry 1, and after hitting signature A it automatically turns to memory table entry 2 to search again; if signature B hits too, the packet is determined to be the nested-type service application and policy 2 is applied; otherwise it is considered the carrier-type service application and policy 1 is applied. In this way the real service application is detected, the correct policy is issued and false hits are reduced.
Step 106: save the modified configuration file and run the command that brings it into effect, obtaining the final configuration of the attributes and signatures of all current services.
The practical application of the invention is described below taking the POCO application as an example:
First, since the POCO application is nested inside the HTTP application, it is established that the HTTP application is the carrier-type service and the POCO application is the nested-type service, each with its own signature. If only one of these applications is of interest, the progressive lookup relationship need not be configured; if both applications are of interest at the same time, the current configuration cannot meet the requirement, so the progressive lookup relationship must be configured.
Second, under the command-line or network-management configuration interface, each application has a corresponding attribute; by default all are plain-type services. When the attribute of the HTTP application is configured as carrier-type service, this indicates that when HTTP is identified it must also be judged whether another application is carried, that is, a further signature lookup must be performed on this application.
Third, associate the POCO application with the HTTP application, indicating that the POCO application is a nested-type application carried under the HTTP application. After the HTTP application has been determined, a further signature lookup is performed; if the second lookup identifies the signature of the POCO application, the packet is determined to be the POCO application, otherwise it is determined to be the HTTP application.
Of course, if there is nesting of more than two levels, for example another application nested inside the POCO application, it suffices to also configure the attribute of the POCO application as carrier-type service.

Claims (8)

1. A deep packet inspection method in which a signature configuration file for identifying the packet type runs on a server, characterised in that it comprises the following steps:
the server first performs carrier-type service signature detection on the packet according to the signature configuration file; if the detection result confirms a carrier-type service, it further performs nested-type service signature detection on the packet according to the settings of the signature configuration file.
2. The detection method of claim 1, characterised in that the signature configuration file is set so that nested-type service signature detection is performed after the carrier-type service type has been determined.
3. The detection method of claim 1 or 2, characterised in that it further comprises the following steps:
determining the service type according to the detection result, and then issuing a policy according to the service type.
4. The detection method of claim 3, characterised in that the carrier-type service comprises the HTTP (Hypertext Transfer Protocol) service, and the nested-type service comprises the BT distribution protocol service, the POCO peer-to-peer service and the SIP (Session Initiation Protocol) service.
5. A deep packet inspection device for running a signature configuration file that identifies the packet type, characterised in that it comprises a storage module for storing the signature configuration file and a signature detection module for performing signature detection on packets; the signature detection module first performs carrier-type service signature detection on the packet according to the signature configuration file, and if the detection result confirms a carrier-type service, it further performs nested-type service signature detection on the packet according to the settings of the signature configuration file.
6. The detection device of claim 5, characterised in that the device further comprises:
a policy issuing module, which determines the service type according to the detection result output by the signature detection module and issues a policy according to the service type.
7. The detection device of claim 5 or 6, characterised in that, in the storage module, memory table entry 1 of the signature configuration file stores the carrier-type service signature and memory table entry 2 stores the nested-type service signature; the signature detection module first detects the packet against the carrier-type service signature in memory table entry 1, and after the carrier-type service signature hits it automatically detects the packet again against the nested-type service signature in memory table entry 2; if that hits too, the packet is determined to be the nested-type service and the nested-type service policy is issued, otherwise it is determined to be the carrier-type service and the carrier-type service policy is issued.
8. The detection device of claim 7, characterised in that the carrier-type service comprises the HTTP service, and the nested-type service comprises the BT distribution protocol service, the POCO service and the SIP service.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNA2009101078229A CN101582897A (en) 2009-06-02 2009-06-02 Deep packet inspection method and device
PCT/CN2010/072897 WO2010139237A1 (en) 2009-06-02 2010-05-18 Method and device for deep packet inspection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2009101078229A CN101582897A (en) 2009-06-02 2009-06-02 Deep packet inspection method and device

Publications (1)

Publication Number Publication Date
CN101582897A true CN101582897A (en) 2009-11-18

Family

ID=41364860

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2009101078229A Pending CN101582897A (en) 2009-06-02 2009-06-02 Deep packet inspection method and device

Country Status (2)

Country Link
CN (1) CN101582897A (en)
WO (1) WO2010139237A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010139237A1 (en) * 2009-06-02 2010-12-09 中兴通讯股份有限公司 Method and device for deep packet inspection
CN102137022A (en) * 2011-04-01 2011-07-27 华为技术有限公司 Method for identifying information of data packet, crawler engine and network system
CN102891810A (en) * 2012-09-14 2013-01-23 四川省电力公司信息通信公司 Method for dynamically distributing satellite channels by modifying Internet protocol (IP) message header
CN103248530A (en) * 2012-02-09 2013-08-14 深圳市恒扬科技有限公司 Testing method and device for distribution of tagged word based on floating position
CN104219238A (en) * 2014-08-30 2014-12-17 华为技术有限公司 Message processing method and device
CN103618792B (en) * 2013-11-29 2017-04-19 华为技术有限公司 Data stream identification method and device
CN114900350A (en) * 2022-04-29 2022-08-12 北京元数智联技术有限公司 Message transmission method, device, equipment, storage medium and program product

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106941474B (en) * 2016-01-04 2020-01-14 ***通信集团公司 Session initiation protocol server overload control method and server

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101072174A (en) * 2007-03-23 2007-11-14 南京邮电大学 Tencent voice identifying method based on pay load deep detection and session correlating technology

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100493094C (en) * 2006-08-25 2009-05-27 清华大学 P2P data message detection method based on character code
CN101360090B (en) * 2007-08-01 2012-05-23 中国科学院声学研究所 Application protocol recognition method
CN101414939B (en) * 2008-11-28 2011-12-28 武汉虹旭信息技术有限责任公司 Internet application recognition method based on dynamical depth package detection
CN101582897A (en) * 2009-06-02 2009-11-18 中兴通讯股份有限公司 Deep packet inspection method and device

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101072174A (en) * 2007-03-23 2007-11-14 南京邮电大学 Tencent voice identifying method based on pay load deep detection and session correlating technology

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010139237A1 (en) * 2009-06-02 2010-12-09 中兴通讯股份有限公司 Method and device for deep packet inspection
CN102137022A (en) * 2011-04-01 2011-07-27 华为技术有限公司 Method for identifying information of data packet, crawler engine and network system
CN102137022B (en) * 2011-04-01 2013-11-06 华为技术有限公司 Method for identifying information of data packet, crawler engine and network system
CN103248530B (en) * 2012-02-09 2015-12-16 深圳市恒扬科技股份有限公司 A kind of shunting detection method of the tagged word based on floating position and device
CN103248530A (en) * 2012-02-09 2013-08-14 深圳市恒扬科技有限公司 Testing method and device for distribution of tagged word based on floating position
CN102891810B (en) * 2012-09-14 2015-04-15 四川省电力公司信息通信公司 Method for dynamically distributing satellite channels by modifying Internet protocol (IP) message header
CN102891810A (en) * 2012-09-14 2013-01-23 四川省电力公司信息通信公司 Method for dynamically distributing satellite channels by modifying Internet protocol (IP) message header
CN103618792B (en) * 2013-11-29 2017-04-19 华为技术有限公司 Data stream identification method and device
US10250521B2 (en) 2013-11-29 2019-04-02 Huawei Technologies Co., Ltd. Data stream identifying method and device
CN104219238A (en) * 2014-08-30 2014-12-17 华为技术有限公司 Message processing method and device
CN104219238B (en) * 2014-08-30 2018-05-29 华为技术有限公司 Message processing method and device
CN114900350A (en) * 2022-04-29 2022-08-12 北京元数智联技术有限公司 Message transmission method, device, equipment, storage medium and program product
CN114900350B (en) * 2022-04-29 2024-02-20 北京元数智联技术有限公司 Message transmission method, device, equipment, storage medium and program product

Also Published As

Publication number Publication date
WO2010139237A1 (en) 2010-12-09

Similar Documents

Publication Publication Date Title
CN101582897A (en) Deep packet inspection method and device
CN103139315A (en) Application layer protocol analysis method suitable for home gateway
CN102307123B (en) NAT (Network Address Translation) flow identification method based on transmission layer flow characteristic
CN112714045B (en) Rapid protocol identification method based on device fingerprint and port
CN101282331B (en) Method for recognizing P2P network flow based on transport layer characteristics
CN104320304B (en) A kind of core network user flow application recognition methods of the multimode fusion easily extended
CN106936791B (en) Method and device for intercepting malicious website access
CN101414939B (en) Internet application recognition method based on dynamical depth package detection
CN101960780B (en) In-bound mechanism that monitors end-to-end QOE of services with application awareness
CN102724317A (en) Network data flow classification method and device
WO2014187120A1 (en) Method for detecting brand counterfeit websites based on webpage icon matching
CN103297270A (en) Application type recognition method and network equipment
CN103873356B (en) Application and identification method, system and home gateway based on home gateway
CN106789242A (en) A kind of identification application intellectual analysis engine based on mobile phone client software behavioral characteristics storehouse
CN106330584A (en) Identification method and identification device of business flow
CN101184000A (en) Packet sampling and application signature based internet application flux identifying method
CN102571946B (en) Realization method of protocol identification and control system based on P2P (peer-to-peer network)
CN104348638B (en) Identify method, system and the equipment of the type of service of session traffic
CN102624878B (en) Method and system for identifying P2P (peer-to-peer) protocol on basis of DNS (domain name server) protocol
CN108173705A (en) First packet recognition methods, device, equipment and the medium of flow drainage
CN105933208A (en) Message processing method and device
CN109302340A (en) One kind burying point data report method, device and computer readable storage medium
CN108901035A (en) The recognition methods of internet-of-things terminal and device
CN103425930B (en) A kind of online script detection method and system in real time
JP5955943B2 (en) Method and apparatus for extracting data from a data stream moving over an IP network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20091118