CN101753639A - Service role recognition method based on flow communication mode - Google Patents

Service role recognition method based on flow communication mode

Info

Publication number
CN101753639A
CN101753639A CN200910262842A CN200910262842A CN101753639A CN 101753639 A CN101753639 A CN 101753639A CN 200910262842 A CN200910262842 A CN 200910262842A CN 200910262842 A CN200910262842 A CN 200910262842A CN 101753639 A CN101753639 A CN 101753639A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN200910262842A
Other languages
Chinese (zh)
Other versions
CN101753639B (en)
Inventor
程光
龚俭
吴昊
刘军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NANTONG DALISHEN CONSTRUCTION AND MACHINERY JOINT VENTURE
Southeast University
Original Assignee
Southeast University
Application filed by Southeast University
Priority to CN2009102628423A
Publication of CN101753639A
Application granted
Publication of CN101753639B
Expired - Fee Related
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a service role recognition method based on flow communication mode. Within a 5-minute time window, the method maintains, in a hash linked list, a {source IP address, source port} node for the measured traffic and records, for each identical {source IP address, source port} node, the first two different destination IP addresses that correspond to it. If two different destination IP addresses are recorded in a {source IP address, source port} node, that source IP address has sent traffic from that source port to at least two other different hosts, so the source IP address is considered to be the server and its service port is that source port. The method can efficiently recognize the service roles in network traffic and can recognize the service roles of different types of network traffic data.

Description

Service role recognition method based on flow communication mode
Technical field
The present invention relates to methods for identifying network service hosts, and in particular to a service role recognition method based on flow communication mode.
Background art
(1) In traffic application classification, the server and its port are important measures for classifying traffic, and correctly identifying the server and its port has an important bearing on determining the application type of the traffic; (2) a network administrator can track, in real time, changes in the roles of the hosts in the managed network, to prevent client machines from providing services to the outside on their own and affecting the normal operation of the network; (3) the role of a host helps in judging whether the host's behavior is abnormal or normal.
There are three traditional host role recognition methods: the TCP SYN packet method, the port method, and the method based on the traffic volume of the two communicating parties. In the TCP SYN packet method, if host A communicates with host B, host A sends a SYN message to host B and host B replies to host A with a SYN+ACK message; according to the TCP protocol, host A is then the client and host B is the server. This measurement method has two problems. First, the measurement device in the middle must be able to observe both the SYN message that host A sends to host B and the SYN+ACK message that host B sends to host A; if these two messages are lost, the server host cannot be identified correctly. Second, if the traffic between host A and host B is UDP rather than TCP, the roles of the two communicating hosts cannot be identified.
The second server recognition method identifies roles directly from port numbers. The Internet Assigned Numbers Authority (IANA) assigns the ports from 1 to 1023 as well-known ports, and the services provided by the TCP/IP protocols all use these well-known ports. So for the two ports of a flow, if one port is less than 1024 and the other is greater than or equal to 1024, the port method can be used to identify the host roles: the side whose port number is less than 1024 is the server, and the side whose port number is greater than 1024 is the client. The problem with this method is that many application services today do not use the well-known ports below 1024 but use port numbers greater than 5000; in addition, some applications allocate ports dynamically. The accuracy of identifying the server directly from port numbers is therefore getting lower and lower.
The third server recognition method identifies roles from the traffic volume of the two communicating parties. In most cases the server mainly provides data for the client to download, so the traffic the server sends to the client is larger than the traffic the client sends to the server. The host that sends more traffic is therefore identified as the server and the host that sends less as the client. This method works for most network applications, such as web access, stream downloads and online video; ADSL, for example, follows the same principle by allocating different bandwidth to the uplink and the downlink to improve the user's browsing speed. In some network applications, however, the client sends more traffic than the server, as in file upload or sending e-mail, or the two sides send similar volumes, as in P2P, TELNET and SSH traffic.
Summary of the invention
The present invention proposes a service role recognition method based on flow communication mode that can identify the server side of network traffic efficiently and accurately.
The present invention adopts the following technical scheme:
A service role recognition method based on flow communication mode, characterized in that: within a 5-minute time window, a {source IP address, source port} node is maintained in a hash linked list for the measured traffic, and for each identical {source IP address, source port} node the first two different destination IP addresses that correspond to it are recorded. If two different destination IP addresses are recorded in a {source IP address, source port} node, that source IP address has sent traffic from that source port to at least 2 other different hosts, so the source IP address is considered to be the server and its service port is that source port. The concrete steps are as follows:
Step 1: parameter setting
Set up a pointer array A[n], where n is the size of the pointer array A and n = 2^m, m being a positive integer greater than 0; every element of array A is initialized to a null pointer. Set up a bit string S of 48 bits. Set up a hash function F whose input is the 48-bit string S and whose output hash value is an integer in the range 0 to 2^m - 1. The hash function F uses the MD5 hash function commonly used on computers today. MD stands for message digest; MD5 is a widely used hash function designed by Ron Rivest, whose input is a bit string of arbitrary length and whose output is a 128-bit message digest. The hash function F takes the first m bits of the MD5 hash value as its output hash value. Set up a structure B containing four integer variables and one pointer variable: the four integer variables record the host IP address, the source port number, the first destination IP address and the second destination IP address respectively, and the pointer variable points to the next node. Measurement begins; when a new flow record arrives, go to step 2.
Step 2: process the arriving flow record
Read the source IP address, source port and destination IP address of this flow record. Assign the source IP address to the first 32 bits of the 48-bit string S and the source port to the last 16 bits of the 48-bit string S. Use the 48-bit string S as the input of hash function F and compute the hash value i. Read the i-th pointer of pointer array A. If this pointer is null, create a new node according to structure B, point the i-th pointer of pointer array A at the newly created node, and go to step 3; if this pointer is not null, go to step 4.
Step 3: initialize the new node
Set the source IP address of the new node to the source IP address of this flow record, the source port of the new node to the source port of this flow record, the first destination IP address of the new node to the destination IP address of this flow record, and the second destination IP address of the new node to 0. Set the pointer of the new node to null, and go to step 6.
Step 4: search the pointer's linked list
Search the linked list of nodes pointed to by the i-th pointer of pointer array A. If a node is found in this list whose source IP address equals the source IP address of this flow record and whose source port equals the source port of this flow record, go to step 5. Otherwise, create a new node according to structure B, point the last pointer of the linked list pointed to by the i-th pointer of pointer array A at the newly created node, and return to step 3.
Step 5: update the node
Look up the first destination IP address of this node. If the destination IP address of this flow record equals the first destination IP address of this node, go to step 6. Otherwise look up the second destination IP address of this node: if it is 0, set the second destination IP address of this node to the destination IP address of this flow record and go to step 6; if it is not 0, go directly to step 6.
Step 6: end of measurement
If the measurement has finished, go to step 7. If it has not, wait for a new flow record to arrive; when a new flow record arrives, return to step 2.
Step 7: output the measurement results
Traverse all nodes in pointer array A. If the second destination IP address of a node is not 0, the source IP address and source port number of this node have sent traffic to at least two different destination IP addresses within the measurement time window; the source IP address and source port of this node are the server, and the source IP address and source port of this node are output.
Compared with the prior art, the present invention has the following advantages and beneficial effects:
1. The method can recognize the service roles of TCP traffic and UDP traffic at the same time; only part of the traffic data needs to be extracted to recognize the traffic service roles accurately; and service role recognition can be performed on raw packet data as well as on flow data such as NetFlow.
2. The method can recognize the service roles in network traffic efficiently, and can recognize the service roles of many different types of traffic data: sampled or fully collected traffic, packet or flow data, UDP or TCP traffic.
3. From network traffic information, the method can accurately identify the service roles of traffic communication, that is, the service IP and the service port. Accurate identification of the service IP and service port is significant for traffic application classification, network management and network security. In traffic application classification, the service IP and service port are an important measure for correctly identifying the application type of traffic. In network management, a network administrator can track in real time the changes in the roles of the hosts in the managed network, to prevent client machines from providing services to the outside on their own and affecting the normal operation of the network; changes in host roles can also be monitored to judge whether host behavior is abnormal or normal.
Description of drawings
Fig. 1 is a schematic diagram of the hash linked list built by the service role recognition method based on flow communication mode. In the figure the hash linked list array size is 16, there are 5 nodes in total, and 8 flow records have been processed; the {source IP, source port, destination IP} triples of the flow records are {3,7,5}, {5,5,4}, {4,1,7}, {9,2,2}, {3,1,4}, {3,7,1}, {4,1,5}, {3,1,7}.
Fig. 2 is a flow chart of the service role recognition method based on flow communication mode.
Embodiment
A service role recognition method based on flow communication mode, characterized in that: within a 5-minute time window, a {source IP address, source port} node is maintained in a hash linked list for the measured traffic, and for each identical {source IP address, source port} node the first two different destination IP addresses that correspond to it are recorded. If two different destination IP addresses are recorded in a {source IP address, source port} node, that source IP address has sent traffic from that source port to at least 2 other different hosts, so the source IP address is considered to be the server and its service port is that source port. The concrete steps are as follows:
Step 1: parameter setting
Set up a pointer array A[n], where n is the size of the pointer array A and n = 2^m, m being a positive integer greater than 0; every element of array A is initialized to a null pointer. Set up a bit string S of 48 bits. Set up a hash function F whose input is the 48-bit string S and whose output hash value is an integer in the range 0 to 2^m - 1. The hash function F uses the MD5 hash function commonly used on computers today, and takes the first m bits of the MD5 hash value as its output hash value. Set up a structure B containing four integer variables and one pointer variable: the four integer variables record the host IP address, the source port number, the first destination IP address and the second destination IP address respectively, and the pointer variable points to the next node. Measurement begins; when a new flow record arrives, go to step 2.
Step 2: process the arriving flow record
Read the source IP address, source port and destination IP address of this flow record. Assign the source IP address to the first 32 bits of the 48-bit string S and the source port to the last 16 bits of the 48-bit string S. Use the 48-bit string S as the input of hash function F and compute the hash value i. Read the i-th pointer of pointer array A. If this pointer is null, create a new node according to structure B, point the i-th pointer of pointer array A at the newly created node, and go to step 3; if this pointer is not null, go to step 4.
Step 3: initialize the new node
Set the source IP address of the new node to the source IP address of this flow record, the source port of the new node to the source port of this flow record, the first destination IP address of the new node to the destination IP address of this flow record, and the second destination IP address of the new node to 0. Set the pointer of the new node to null, and go to step 6.
Step 4: search the pointer's linked list
Search the linked list of nodes pointed to by the i-th pointer of pointer array A. If a node is found in this list whose source IP address equals the source IP address of this flow record and whose source port equals the source port of this flow record, go to step 5. Otherwise, create a new node according to structure B, point the last pointer of the linked list pointed to by the i-th pointer of pointer array A at the newly created node, and return to step 3.
Step 5: update the node
Look up the first destination IP address of this node. If the destination IP address of this flow record equals the first destination IP address of this node, go to step 6. Otherwise look up the second destination IP address of this node: if it is 0, set the second destination IP address of this node to the destination IP address of this flow record and go to step 6; if it is not 0, go directly to step 6.
Step 6: end of measurement
If the measurement has finished, go to step 7. If it has not, wait for a new flow record to arrive; when a new flow record arrives, return to step 2.
Step 7: output the measurement results
Traverse all nodes in pointer array A. If the second destination IP address of a node is not 0, the source IP address and source port number of this node have sent traffic to at least two different destination IP addresses within the measurement time window; the source IP address and source port of this node are the server, and the source IP address and source port of this node are output.
Fig. 1 and Fig. 2 are the schematic diagram and the flow chart referred to in this embodiment of the service role recognition method based on flow communication mode. In Fig. 1 the hash linked list array size is 16, there are 5 nodes in total, and 8 flow records have been processed.
The {source IP, source port, destination IP} triples of the flow records processed in this example are {3,7,5}, {5,5,4}, {4,1,7}, {9,2,2}, {3,1,4}, {3,7,1}, {4,1,5}, {3,1,7}. The 48-bit string S for source IP 3 and source port 7 is 0x000700000003; for source IP 5 and source port 5 it is 0x000500000005; for source IP 4 and source port 1 it is 0x000100000004; for source IP 9 and source port 2 it is 0x000200000009; and for source IP 3 and source port 1 it is 0x000100000003. Assume also that the hash value of hash function F for input S=0x000700000003 is 1, for input S=0x000500000005 is 4, for input S=0x000100000004 is 7, for input S=0x000200000009 is 13, and for input S=0x000100000003 is 13.
The concrete technical steps of this example embodiment of the invention are as follows:
(1) Step 1: parameter setting
Set up a pointer array A[n], where n is the size of the pointer array A and n = 2^m = 16, with m = 4 a positive integer greater than 0; every element of array A is initialized to a null pointer. Set up a bit string S of 48 bits. Set up a hash function F whose input is the 48-bit string S and whose output hash value is an integer in the range 0 to 15. The hash function F uses the MD5 hash function commonly used on computers today, and takes the first 4 bits of the MD5 hash value as its output hash value. Set up a structure B containing four integer variables and one pointer variable: the four integer variables record the host IP address, the source port number, the first destination IP address and the second destination IP address respectively, and the pointer variable points to the next node. Measurement begins; when a new flow record arrives, go to (2), step 2.
(2) Step 2: process the arriving flow record
The source IP address of this flow record is 3, the source port is 7 and the destination IP address is 5. Assign the source IP address to the first 32 bits of the 48-bit string S and the source port to the last 16 bits of the 48-bit string S, giving S=0x000700000003. Use the 48-bit string S as the input of hash function F; the computed hash value i is 1. Read the 1st pointer of pointer array A; this pointer is null, so create a new node according to structure B, point the 1st pointer of pointer array A at the newly created node, and go to (3), step 3.
(3) Step 3: initialize the new node
Set the source IP address of the new node to the source IP address of this flow record, 3; the source port of the new node to the source port of this flow record, 7; the first destination IP address of the new node to the destination IP address of this flow record, 5; and the second destination IP address of the new node to 0. Set the pointer of the new node to null, and go to (4), step 6.
(4) Step 6: end of measurement
The measurement has not finished; a new flow record arrives, so return to (5), step 2.
(5) Step 2: process the arriving flow record
The source IP address of this flow record is 5, the source port is 5 and the destination IP address is 4. Assign the source IP address to the first 32 bits of the 48-bit string S and the source port to the last 16 bits of the 48-bit string S, giving S=0x000500000005. Use the 48-bit string S as the input of hash function F; the computed hash value i is 4. Read the 4th pointer of pointer array A; this pointer is null, so create a new node according to structure B, point the 4th pointer of pointer array A at the newly created node, and go to (6), step 3.
(6) Step 3: initialize the new node
Set the source IP address of the new node to the source IP address of this flow record, 5; the source port of the new node to the source port of this flow record, 5; the first destination IP address of the new node to the destination IP address of this flow record, 4; and the second destination IP address of the new node to 0. Set the pointer of the new node to null, and go to (7), step 6.
(7) Step 6: end of measurement
The measurement has not finished; a new flow record arrives, so return to (8), step 2.
(8) Step 2: process the arriving flow record
The source IP address of this flow record is 4, the source port is 1 and the destination IP address is 7. Assign the source IP address to the first 32 bits of the 48-bit string S and the source port to the last 16 bits of the 48-bit string S, giving S=0x000100000004. Use the 48-bit string S as the input of hash function F; the computed hash value i is 7. Read the 7th pointer of pointer array A; this pointer is null, so create a new node according to structure B, point the 7th pointer of pointer array A at the newly created node, and go to (9), step 3.
(9) Step 3: initialize the new node
Set the source IP address of the new node to the source IP address of this flow record, 4; the source port of the new node to the source port of this flow record, 1; the first destination IP address of the new node to the destination IP address of this flow record, 7; and the second destination IP address of the new node to 0. Set the pointer of the new node to null, and go to (10), step 6.
(10) Step 6: end of measurement
The measurement has not finished; a new flow record arrives, so return to (11), step 2.
(11) Step 2: process the arriving flow record
The source IP address of this flow record is 9, the source port is 2 and the destination IP address is 2. Assign the source IP address to the first 32 bits of the 48-bit string S and the source port to the last 16 bits of the 48-bit string S, giving S=0x000200000009. Use the 48-bit string S as the input of hash function F; the computed hash value i is 13. Read the 13th pointer of pointer array A; this pointer is null, so create a new node according to structure B, point the 13th pointer of pointer array A at the newly created node, and go to (12), step 3.
(12) Step 3: initialize the new node
Set the source IP address of the new node to the source IP address of this flow record, 9; the source port of the new node to the source port of this flow record, 2; the first destination IP address of the new node to the destination IP address of this flow record, 2; and the second destination IP address of the new node to 0. Set the pointer of the new node to null, and go to (13), step 6.
(13) Step 6: end of measurement
The measurement has not finished; a new flow record arrives, so return to (14), step 2.
(14) Step 2: process the arriving flow record
The source IP address of this flow record is 3, the source port is 1 and the destination IP address is 4. Assign the source IP address to the first 32 bits of the 48-bit string S and the source port to the last 16 bits of the 48-bit string S, giving S=0x000100000003. Use the 48-bit string S as the input of hash function F; the computed hash value i is 13. Read the 13th pointer of pointer array A; this pointer is not null, so go to (15), step 4.
(15) Step 4: search the pointer's linked list
Search the linked list of nodes pointed to by the 13th pointer of pointer array A. No node can be found in this list whose source IP address equals the source IP address of this flow record, 3, and whose source port equals the source port of this flow record, 1. Create a new node according to structure B, point the last pointer of the linked list pointed to by the 13th pointer of pointer array A at the newly created node, and return to (16), step 3.
(16) Step 3: initialize the new node
Set the source IP address of the new node to the source IP address of this flow record, 3; the source port of the new node to the source port of this flow record, 1; the first destination IP address of the new node to the destination IP address of this flow record, 4; and the second destination IP address of the new node to 0. Set the pointer of the new node to null, and go to (17), step 6.
(17) Step 6: end of measurement
The measurement has not finished; a new flow record arrives, so return to (18), step 2.
(18) Step 2: process the arriving flow record
The source IP address of this flow record is 3, the source port is 7 and the destination IP address is 1. Assign the source IP address to the first 32 bits of the 48-bit string S and the source port to the last 16 bits of the 48-bit string S, giving S=0x000700000003. Use the 48-bit string S as the input of hash function F; the computed hash value i is 1. Read the 1st pointer of pointer array A; this pointer is not null, so go to (19), step 4.
(19) Step 4: search the pointer's linked list
Search the linked list of nodes pointed to by the 1st pointer of pointer array A. A node is found in this list whose source IP address equals the source IP address of this flow record, 3, and whose source port equals the source port of this flow record, 7; go to (20), step 5.
(20) Step 5: update the node
Look up the first destination IP address of this node. The destination IP address of this flow record, 1, is not equal to the first destination IP address of this node, 5. Look up the second destination IP address of this node; it is 0, so set the second destination IP address of this node to the destination IP address of this flow record, 1, and go to (21), step 6.
(21) Step 6: end of measurement
The measurement has not finished; a new flow record arrives, so return to (22), step 2.
(22) Step 2: process the arriving flow record
The source IP address of this flow record is 4, the source port is 1 and the destination IP address is 5. Assign the source IP address to the first 32 bits of the 48-bit string S and the source port to the last 16 bits of the 48-bit string S, giving S=0x000100000004. Use the 48-bit string S as the input of hash function F; the computed hash value i is 7. Read the 7th pointer of pointer array A; this pointer is not null, so go to (23), step 4.
(23) Step 4: search the pointer's linked list
Search the linked list of nodes pointed to by the 7th pointer of pointer array A. A node is found in this list whose source IP address equals the source IP address of this flow record, 4, and whose source port equals the source port of this flow record, 1; go to (24), step 5.
(24) Step 5: update the node
Look up the first destination IP address of this node. The destination IP address of this flow record, 5, is not equal to the first destination IP address of this node, 7. Look up the second destination IP address of this node; it is 0, so set the second destination IP address of this node to the destination IP address of this flow record, 5, and go to (25), step 6.
(25) Step 6: end of measurement
The measurement has not finished; a new flow record arrives, so return to (26), step 2.
(26) Step 2: process the arriving flow record
The source IP address of this flow record is 3, the source port is 1 and the destination IP address is 7. Assign the source IP address to the first 32 bits of the 48-bit string S and the source port to the last 16 bits of the 48-bit string S, giving S=0x000100000003. Use the 48-bit string S as the input of hash function F; the computed hash value i is 13. Read the 13th pointer of pointer array A; this pointer is not null, so go to (27), step 4.
(27) Step 4: search the pointer's linked list
Search the linked list of nodes pointed to by the 13th pointer of pointer array A. A node is found in this list whose source IP address equals the source IP address of this flow record, 3, and whose source port equals the source port of this flow record, 1; go to (28), step 5.
(28) Step 5: update the node
Look up the first destination IP address of this node. The destination IP address of this flow record, 7, is not equal to the first destination IP address of this node, 4. Look up the second destination IP address of this node; it is 0, so set the second destination IP address of this node to the destination IP address of this flow record, 7, and go to (29), step 6.
(29) Step 6: end of measurement
The measurement has finished; go to (30), step 7.
(30) Step 7: output the measurement results
Traverse all nodes in pointer array A. If the second destination IP address of a node is not 0, the source IP address and source port number of this node have sent traffic to at least two different destination IP addresses within the measurement time window; the source IP address and source port of this node are the server, and the source IP address and source port of this node are output.
The output is as follows:
Server source IP address    Server source port number
3                           7
4                           1
3                           1

Claims (1)

1. A service role recognition method based on flow communication mode, characterized in that: within a time scale of 5 minutes, a {source IP address, source port} node is maintained in a hash linked list for each measured flow, and for each node with the same {source IP address, source port} the first two different destination IP addresses corresponding to it are recorded; if two different destination IP addresses are recorded in a {source IP address, source port} node, this source IP address has sent traffic from this source port to at least 2 other different hosts, so this source IP address is considered to be the server side and its service port is this source port; the concrete steps are as follows:
First step: parameter setting
Set up a pointer array A[n], where n is the size of pointer array A and n = 2^m, m being a positive integer greater than 0; assign a null pointer to each element of array A. Set up a bit string S of 48 bits. Set up a hash function F whose input is the 48-bit string S and whose output hash value is a positive integer in the range 0 to 2^m - 1; hash function F uses the MD5 hash function and takes the first m bits of the MD5 hash value as its output hash value. Set up a structure B containing four integer variables and one pointer variable: the four integer variables record the host IP address, the source port number, the first destination IP address and the second destination IP address respectively, and the pointer variable points to the next node. Measurement begins; if a new flow record arrives, go to the second step;
Second step: process the arriving flow record
Read the source IP address, source port and destination IP address of the flow record. Assign the source IP address to the first 32 bits of the 48-bit string S and the source port to the last 16 bits of S, use S as the input of hash function F and compute the hash value i. Read the i-th pointer of pointer array A: if this pointer is a null pointer, generate a new node according to structure B, point the i-th pointer of pointer array A at the newly generated node and go to the third step; if this pointer is not null, go to the fourth step;
Third step: initialize the new node
Set the source IP address of the new node to the source IP address of the flow record, the source port of the new node to the source port of the flow record, and the first destination IP address of the new node to the destination IP address of the flow record; set the second destination IP address of the new node to 0 and the pointer of the new node to a null pointer; go to the sixth step;
Fourth step: search the linked list
Search the node linked list pointed to by the i-th pointer of pointer array A. If a node is found in this list whose source IP address equals the source IP address of the flow record and whose source port equals the source port of the flow record, go to the fifth step; otherwise generate a new node according to structure B, point the pointer of the last node of the linked list pointed to by the i-th pointer of pointer array A at the newly generated node, and return to the third step;
Fifth step: update the node
Look up the first destination IP address of this node. If the destination IP address of the flow record equals the first destination IP address of the node, go to the sixth step; otherwise look up the second destination IP address of the node: if it is 0, assign the destination IP address of the flow record to the second destination IP address of the node and go to the sixth step; if it is not 0, go directly to the sixth step;
Sixth step: end of measurement
If the measurement is finished, go to the seventh step; if it is not finished, wait for a new flow record to arrive, and when a new flow record arrives, return to the second step;
Seventh step: output the measurement result
Traverse all nodes in pointer array A. If a node's second destination IP address is not 0, the source IP address and source port number of that node sent traffic to at least two different destination IP addresses within the measurement period, so the node's source IP address and source port are the server side; output the source IP address and source port of the node.
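The seven steps of the claim, as an added Python example (not code from the patent). The value m = 4, the big-endian packing of S, the names Node, bucket, observe and servers, and the flow records are assumptions made here for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass
M = 4            # assumption: m = 4, so the pointer array has n = 2**m slots
N = 1 << M

@dataclass
class Node:      # "structure B" of the claim
    src_ip: int
    src_port: int
    dst1: int                      # first destination IP seen
    dst2: int = 0                  # second distinct destination IP, 0 = none yet
    next: "Node | None" = None     # next node in the same bucket's chain

def bucket(src_ip, src_port):
    # S = 32-bit source IP then 16-bit source port (byte order is an assumption).
    s = struct.pack(">IH", src_ip, src_port)
    return int.from_bytes(hashlib.md5(s).digest(), "big") >> (128 - M)  # first m bits

def observe(table, src_ip, src_port, dst_ip):
    i = bucket(src_ip, src_port)                     # step 2
    node, last = table[i], None
    while node is not None:                          # step 4: search the chain
        if (node.src_ip, node.src_port) == (src_ip, src_port):
            if dst_ip != node.dst1 and node.dst2 == 0:   # step 5
                node.dst2 = dst_ip
            return
        last, node = node, node.next
    new = Node(src_ip, src_port, dst_ip)             # step 3: initialise node
    if last is None:
        table[i] = new
    else:
        last.next = new

def servers(records):
    table = [None] * N                               # step 1
    for src_ip, src_port, dst_ip in records:
        observe(table, src_ip, src_port, dst_ip)
    found = []
    for node in table:                               # step 7: output
        while node is not None:
            if node.dst2 != 0:
                found.append((node.src_ip, node.src_port))
            node = node.next
    return found

# Constructed flow records (src IP, src port, dst IP), small integers as on the page.
RECORDS = [(3, 1, 4), (3, 7, 5), (4, 1, 3), (5, 9, 3), (3, 7, 6),
           (4, 1, 6), (5, 9, 3), (3, 1, 4), (3, 1, 7)]
```

Calling `servers(RECORDS)` reports the endpoints (3, 7), (4, 1) and (3, 1); endpoint (5, 9) only ever reaches one destination and is not reported. Because 0 marks an empty second slot, a destination address of 0 is never counted as a second peer.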
CN2009102628423A 2009-12-11 2009-12-11 Service role recognition method based on flow communication mode Expired - Fee Related CN101753639B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009102628423A CN101753639B (en) 2009-12-11 2009-12-11 Service role recognition method based on flow communication mode

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009102628423A CN101753639B (en) 2009-12-11 2009-12-11 Service role recognition method based on flow communication mode

Publications (2)

Publication Number Publication Date
CN101753639A true CN101753639A (en) 2010-06-23
CN101753639B CN101753639B (en) 2013-01-02

Family

ID=42480026

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009102628423A Expired - Fee Related CN101753639B (en) 2009-12-11 2009-12-11 Service role recognition method based on flow communication mode

Country Status (1)

Country Link
CN (1) CN101753639B (en)


Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE60128059T2 (en) * 2001-03-20 2007-12-27 Sap Ag Method and product for providing a service-to-role assignment to invoke application services in a role-based computer system
CN101442541B (en) * 2008-12-30 2011-11-23 合肥昊特信息科技有限公司 Method for recognizing P2P application encipher flux

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10033694B2 (en) 2013-11-01 2018-07-24 Beijing Qihoo Technology Company Limited Method and device for recognizing an IP address of a specified category, a defense method and system
WO2015062345A1 (en) * 2013-11-01 2015-05-07 北京奇虎科技有限公司 Method and device for recognizing ip address of designated category, and defence method and system
CN106161339A (en) * 2015-03-26 2016-11-23 腾讯科技(深圳)有限公司 Obtain the method and device of IP access relation
CN106161339B (en) * 2015-03-26 2018-10-09 腾讯科技(深圳)有限公司 Obtain the method and device of IP access relations
CN107368527B (en) * 2017-06-09 2020-06-30 东南大学 Multi-attribute index method based on data stream
CN107368527A (en) * 2017-06-09 2017-11-21 东南大学 More property index methods based on data flow
CN107357843A (en) * 2017-06-23 2017-11-17 东南大学 Mass network data search method based on data flow architecture
CN107357843B (en) * 2017-06-23 2020-06-16 东南大学 Massive network data searching method based on data stream structure
CN110417801A (en) * 2019-08-06 2019-11-05 北京智维盈讯网络科技有限公司 Server-side recognition methods and device, equipment and storage medium
CN110417801B (en) * 2019-08-06 2022-02-01 北京智维盈讯网络科技有限公司 Server side identification method and device, equipment and storage medium
CN113438267A (en) * 2020-03-23 2021-09-24 华为技术有限公司 Method and equipment for analyzing stream data
CN113438267B (en) * 2020-03-23 2023-02-28 华为技术有限公司 Method and equipment for analyzing stream data
CN112261168A (en) * 2020-09-30 2021-01-22 厦门市美亚柏科信息股份有限公司 Multi-IP port user information searching method, terminal equipment and storage medium
CN113542035A (en) * 2021-08-04 2021-10-22 四川英得赛克科技有限公司 Service port identification method and system

Also Published As

Publication number Publication date
CN101753639B (en) 2013-01-02


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: SOUTHEAST UNIV.

Effective date: 20131018

Owner name: NANTONG DALISHEN CONSTRUCTION AND MACHINERY JOINT

Free format text: FORMER OWNER: SOUTHEAST UNIV.

Effective date: 20131018

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 210096 NANJING, JIANGSU PROVINCE TO: 226600 NANTONG, JIANGSU PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20131018

Address after: 226600 Group 5, pier West Village, pier Town, Haian County, Nantong City, Jiangsu Province

Patentee after: NANTONG DALISHEN CONSTRUCTION AND MACHINERY JOINT VENTURE

Patentee after: SOUTHEAST University

Address before: 210096 No. 2 Sipailou, Nanjing, Jiangsu Province

Patentee before: Southeast University

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130102

Termination date: 20211211
