CN103281291B - A kind of application protocol recognition method based on Hadoop - Google Patents
A kind of application protocol recognition method based on Hadoop Download PDFInfo
- Publication number
- CN103281291B CN103281291B CN201310053824.0A CN201310053824A CN103281291B CN 103281291 B CN103281291 B CN 103281291B CN 201310053824 A CN201310053824 A CN 201310053824A CN 103281291 B CN103281291 B CN 103281291B
- Authority
- CN
- China
- Prior art keywords
- characteristic value
- application layer
- layer protocol
- feature
- feature string
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a kind of application protocol recognition method based on Hadoop, with HBase database storage feature value table 0 and 1, these two tables have fully used the various dimensions of HBase database, towards the feature that row store, and deposit by the mode of front 4 character clusters of first feature field in table 0, more efficiently characteristic value is chosen like this, simultaneously based on the recognition methods of application layer protocol packet feature string, the type of application layer protocol can be identified accurately.
Description
Technical field
The invention belongs to application-level protocol identification technical field, more specifically say, relate to a kind of application protocol recognition method based on Hadoop.
Background technology
Along with the develop rapidly of the Internet, some new demands in the Internet, are there is.Along with these demands, there is day by day serious Network Information Security Problem, such as: the propagation, malicious virus propagation etc. of network intrusions, violence and reaction content.Application layer protocol type exactly in recognition network, to carrying out intrusion detection, flow control, raising network service quality have great importance.
Identify that the method for application layer protocol mainly contains: the identification based on port, the identification based on load, based on the identification estimated and the identification based on Application signature.The current recognition technology based on Application signature has become the main stream approach of protocol identification.
Cisco company predicts, by 2016, the whole world will produce the network traffics of 1.3ZB, was 4 times of global network flow in 2011, and the average network speed in the whole world brings up to 34Mbps by from present 9Mbps.The inbound traffics moon peak value that CERNET2NOC director's Wang Jilong writes CNGI-CERNET2 outlet in " rise of CNGI-CERNET2 backbone network flow " of " Chinese education network " 07 phase in 2012 is 5.792Gbps, the peak value of outflow every day a little more than inbound traffics, the moon peak value be 6.331Gbps.In the face of the network data that day by day increases, we need to process the network data of these magnanimity more efficiently, wherein, just need the application layer protocol type in recognition network accurately and efficiently, carry out process lay a good foundation for follow-up network data.
Summary of the invention
The object of the invention is to overcome the deficiencies in the prior art, a kind of application protocol recognition method based on Hadoop is provided, to identify application layer protocol efficiently and accurately.
For achieving the above object, the present invention is based on the application protocol recognition method of Hadoop, it is characterized in that comprising the following steps:
(1), the feature string of known application layer protocol packet is put into HBase database, the form of described feature string be feature field 1, side-play amount 1, feature field 2, side-play amount 2 ..., feature field n, side-play amount n, wherein, side-play amount i is the deviation post of character pair field i relative to application layer protocol packet initial, i=1,2,, the quantity of the feature field that n, n comprise for feature string, with separators between feature field and side-play amount, to distinguish;
If the side-play amount of first of feature string feature field and feature field 1 is 0, then the explanation belonging to that application layer protocol of this feature string and feature string is put into the table 0 of HBase database, concrete Store form is that front 2 characters of first feature field are as row race, 3rd, 4 characters are as line unit, simultaneously, row modifier is adopted to be numbered this feature string, wherein, row modifier numbering is from 1, to distinguish the identical feature string of front four characters, the explanation belonging to that application layer protocol of whole feature string and feature string is put into row race as characteristic value, in line unit and form corresponding to row modifier,
Otherwise, the explanation belonging to that application layer protocol of whole feature string and feature string is put into the table 1 of HBase database;
(2), first with the Map function of Hadoop platform, preliminary treatment is carried out to the packet of catching from network, extract application layer protocol packet, then the application layer protocol packet of extraction is carried out cluster, same application-level packet is identified as a packet, which reduces the time that whole program is run;
(3), with the Reduce function of Hadoop platform, the application layer protocol packet after cluster is identified:
Extract front 4 characters of the application layer protocol packet after cluster, with front 2 characters of these 4 characters as row race, the 3rd, 4 character, as line unit, extracts characteristic value from the table 0 of HBase database, and leaves set A 1 li in;
If set A 1 is not empty, then mate with the feature string of the characteristic value in set A 1 successively with the application layer protocol packet after cluster, if each feature field of the feature string of characteristic value finds in application layer protocol packet according to its side-play amount, the match is successful then to think feature string, once feature string the match is successful, the feature string of characteristic value is belonged to returning of that application layer protocol; Otherwise think that feature string coupling is unsuccessful;
If set A 1 is empty or set A 1 is not empty but feature string coupling is unsuccessful, then from the table 1 of HBase database, extract characteristic value, and leave in set A 2, then mate with the feature string of the characteristic value in set A 2 successively with the application layer protocol packet after cluster, if each feature field of the feature string of characteristic value finds in application layer protocol packet according to its side-play amount, the match is successful then to think feature string, once feature string the match is successful, the feature string of characteristic value is belonged to returning of that application layer protocol; Otherwise think that feature string coupling is unsuccessful, returning the application layer protocol packet after cluster can not identify.
Goal of the invention of the present invention is achieved in that
The present invention is based on the application protocol recognition method of Hadoop, the feature string of known application layer protocol packet is put into two of HBase and is table i.e. table 0 and table 1, first feature field side-play amount deposited by table 0 is the feature string of 0, Store form is that front 2 characters of first feature field are as row race, 3rd, 4 characters are as line unit, for distinguishing the identical feature string of front four characters, by row modifier numbering from 1 open numbering, then the explanation of whole feature string and feature string puts into form corresponding to row race, line unit and row modifier as characteristic value; First feature field side-play amount deposited by table 1 is not the feature string of 0 and the explanation of feature string.Utilize the Map function of Hadoop platform, the application layer protocol packet extracted from the packet that network is caught cluster, then identify: according to front 4 characters of application layer protocol data, corresponding characteristic value collection is obtained from table 0, mate with the feature string in characteristic value collection, if set is for sky or it fails to match, obtain characteristic value collection from table 1, mate with the feature string in characteristic value collection, if current set is empty or it fails to match illustrate that the feature string in existing HBase database can not identify this application layer protocol packet, the application layer protocol packet of failing to identify is put into unidentified protocol data APMB package.If the match is successful for this application layer protocol packet and one of table 0, table 1, just identify successfully, the packet of identification is put into identification protocol packet file.
The present invention HBase database storage feature value table 0 and 1, these two tables have fully used the various dimensions of HBase database, towards the feature that row store, and deposit by the mode of front 4 character clusters of first feature field in table 0, more efficiently characteristic value is chosen like this, simultaneously based on the recognition methods of application layer protocol packet feature string, the type of application layer protocol can be identified accurately.
Accompanying drawing explanation
Fig. 1 is the general frame of a kind of embodiment of the application protocol recognition method that the present invention is based on Hadoop;
Fig. 2 is conceptual view and the Physical View of table 0 in the database of HBase shown in Fig. 1;
Fig. 3 is the conceptual view of table 1 in the database of HBase shown in Fig. 1;
Fig. 4 is the Physical View of table 1 in the database of HBase shown in Fig. 1;
Fig. 5 is the detail flowchart of the step of protocol identification shown in Fig. 1;
Fig. 6 is a kind of embodiment flow chart of the coupling of feature string shown in Fig. 1.
Embodiment
Below in conjunction with accompanying drawing, the specific embodiment of the present invention is described, so that those skilled in the art understands the present invention better.Requiring particular attention is that, in the following description, when perhaps the detailed description of known function and design can desalinate main contents of the present invention, these are described in and will be left in the basket here.
The application protocol recognition method that the present invention is based on Hadoop is based on Hadoop platform and HBsae database, mainly make use of the various dimensions of Map, Reduce function and HBase, towards row memory model, identifies application layer protocol packet.Specifically implementing overload, Map function and Reduce function being rewritten, makes it meet data handling requirements of the present invention.
Fig. 1 is the general frame of a kind of embodiment of the application protocol recognition method that the present invention is based on Hadoop.
In the present embodiment, as shown in Figure 1, the application protocol recognition method that the present invention is based on Hadoop comprises the following steps:
1, HBase database is built
Have two tables of the feature string depositing known application layer protocol packet in HBase database, table 0 is Table0 and table 1 is Table1.
In Table0, in storage feature string, first feature field side-play amount is the characteristic value of 0, concrete Store form is: front 2 characters of first feature field are as row race, 3rd, 4 characters are as line unit, whole feature string and feature string, from 1 open numbering, are belonged to the explanation of that application layer protocol as value by row modifier.
The feature string of the application layer protocol packet of the get requesting method of example application layer protocol as is known and HTTP1.1 agreement is 47455420_0_20485454502f312e31_a, wherein first feature field is 47455420, side-play amount is 0, second feature field is 20485454502f312e31, side-play amount a represents does not have fixing side-play amount, namely the position of this feature field in application layer protocol bag is not fixed, so in table 0, at row, race is 47, line unit is 45, row modifier is ascend the throne in the form of 1 to be set up, be 47455420_0_20485454502f312e31_a_GETHTTP/1.1 by characteristic value, wherein GETHTTP/1.1 is the explanation this feature string being belonged to that application layer protocol.Feature field, feature field side-play amount and between illustrating with separator _ separate.
In Table1, in storage feature string, first feature field side-play amount is not the characteristic value of 0, in order to not identical with line unit with the row race in Table0, adopt h1 as row race, hhh is as line unit, here h1 and hhh only plays the effect of difference, the explanation belonging to that application layer protocol of whole feature string and feature string, from 1 open numbering, is put into the table 1 of HBase database by row modifier.
Such as: the feature string of X1 application layer protocol is 323638_4_565845_a, and so the row race of this feature string is h1, and line unit is hhh, and row modifier is 1, and characteristic value is 323638_4_565845_a_X1.
In order to more understand Table0 and Table1, provide conceptual view and the Physical View of two tables respectively for some examples.
The characteristic value of table 0 has:
47455420_0_20485454502f312e31_a_GETHTTP/1.1
485454502f312e3120323030_0_HTTP/1.1200
485454502f312e3120323031_0_HTTP/1.1201
53544154_0_FTPSTAT
The characteristic of table 1 has:
323638_4_565845_a_X1
333837_10_3e5446_a_X2
As shown in Figure 2 (a) shows, corresponding Physical View is as shown in Fig. 2 (b)-(c) for the conceptual view of table 0.Because front four characters of feature string 485454502f312e3120323030_0, feature string 485454502f312e3120323031_0 are identical, therefore in table 0, the row in row race 53 are respectively 48:1,48:2, and wherein 1,2 is row modifier.For not having the identical feature string of four character front with feature string 53544154_0, therefore, row race 53 in be classified as 53:1,1 is row modifier.
As shown in Figure 3, as shown in Figure 4, because table 1 only has Ge Lie race and a line unit, its conceptual view and Physical View are identical to corresponding Physical View to the conceptual view of table 1, for different feature string, adopt row modifier to distinguish.
2, preliminary treatment is carried out to the packet of catching
With the Map function of Hadoop platform, preliminary treatment is carried out to the packet of catching from network, extract application layer protocol packet, then the application layer protocol packet of extraction is carried out cluster, same application-level packet is identified as a packet, which reduces the time that whole program is run
3, application-level protocol identification
In the present embodiment, the detailed process of application-level protocol identification as shown in Figure 5, after utilizing process, front 2 conducts of front 4 characters of application layer protocol packet arrange races, rear 2 as line unit, extract from the table 0 of HBase database and have the same column race characteristic value strong with row, and these characteristic values are left in set A 1, whether be that sky judges to set A 1, if set A 1 does not have the same column race characteristic value strong with row for having in sky and table 0, so application layer protocol packet and set A 1 are carried out feature string coupling; If each feature field of the feature string of characteristic value finds in application layer protocol packet according to its side-play amount, the match is successful then to think feature string, once feature string the match is successful, the feature string of characteristic value is belonged to returning of that application layer protocol, application-level protocol identification success, otherwise think that feature string coupling is unsuccessful.
If set A 1 is empty or set A 1 is not empty but feature string coupling is unsuccessful, then application layer protocol is not also identified, then from the table 1 of HBase database, extract characteristic value, and leave in set A 2, then mate with the feature string of the characteristic value in set A 2 successively with the application layer protocol packet after cluster, if each feature field of the feature string of characteristic value finds in application layer protocol packet according to its side-play amount, the match is successful then to think feature string, once feature string the match is successful, the feature string of characteristic value is belonged to returning of that application layer protocol, otherwise think that feature string coupling is unsuccessful, returning the application layer protocol packet after cluster can not identify.
The detailed process of feature string coupling as shown in Figure 6, by application layer protocol packet successively with characteristic value collection A1 or A2(for convenience of description, all represent with characteristic value collection A) in the feature string of characteristic value mate, need all in each feature field in feature string that the match is successful, this feature string just thinks that the match is successful, is specially:
1) be, 0 to variable i assignment;
2), whether judgment variable i be greater than scope and the characteristic value quantity of characteristic value collection, if be greater than, then it fails to match for feature string, if be not more than, then carries out step 3);
3) i-th characteristic value of characteristic value collection A, is got;
4), to characteristic value according to separator be separated, obtain feature field 1, side-play amount 1, feature field 2, side-play amount 2 ..., feature field n, side-play amount n and feature string belong to the explanation of that application layer protocol, and successively stored in array vals;
5), be 0 to variable j assignment, be false to variable b assignment;
6), whether judgment variable j is greater than array vals number of elements-2; If so, then represent that this characteristic value has been mated, enter step 7), otherwise enter step 8);
7), whether the value of judgment variable b be true, be then feature string the match is successful, the feature string of characteristic value is belonged to returning of that application layer protocol; Otherwise variable i is added 1 i.e. i=i+1, return step 2);
8) do you, judge that array jth+1 element and vals [j+1] are a?
If so, then search in application layer protocol packet, see whether there is element vals [j+1], exist, then variable b assignment is true, and variable j adds 2, returns step 6), does not exist, then variable b assignment is false, and variable i adds 1, returns step 2), namely carry out next feature string coupling;
If not, then judge that whether the side-play amount of element vals [j] in application layer protocol packet be equal with element vals [j+1], equal, then variable b assignment is true, and variable j adds 2, return step 6), unequal, then variable b assignment is false, and variable i adds 1, return step 2), namely carry out next feature string coupling.
As shown in Figure 1,5, recognition result, for generating identification protocol file, for storing the explanation of application layer protocol packet and the application layer protocol identified, generates unidentified document of agreement, for storing unrecognized protocol data bag.
Example 1
Packet on network is caught, in this example, characteristic only containing HTTP and FTP two kinds of agreements in HBase database, therefore, HTTP, FTP and OICQ tri-kinds of application layer protocol packets are therefrom selected from the packet of catching, size is 12.9MB, has 28111 packets and tests.
The application-level protocol identification result that table 1 is.
Table 1
Application-level protocol identification data in his-and-hers watches 1 are described:
313530204865726520636f6d657320746865206469726563746f7279 206c697374696e672e0d0a_FTP150, in 1343_identified:
313530204865726520636f6d657320746865206469726563746f7279 206c697374696e672e0d0a be preliminary treatment after application layer protocol packet, FTP150 represents the protocol type that packet is corresponding, 1343 represent these application layer protocol packets whole for 28111 application layer protocol packets of example in occurred 1343 times, identified represents that this packet is successfully identified, unidentified represents that this packet is unrecognized.
As can be seen from Table 1, the result data of the example adopting the present invention to obtain, can identify protocol type accurately.
Although be described the illustrative embodiment of the present invention above; so that those skilled in the art understand the present invention; but should be clear; the invention is not restricted to the scope of embodiment; to those skilled in the art; as long as various change to limit and in the spirit and scope of the present invention determined, these changes are apparent, and all innovation and creation utilizing the present invention to conceive are all at the row of protection in appended claim.
Claims (2)
1., based on an application protocol recognition method of Hadoop, it is characterized in that comprising the following steps:
(1), the feature string of known application layer protocol packet is put into HBase database, the form of described feature string be feature field 1, side-play amount 1, feature field 2, side-play amount 2 ..., feature field n, side-play amount n, with separators between feature field and side-play amount, to distinguish;
If the side-play amount of first of feature string feature field and feature field 1 is 0, then the explanation of the application layer protocol generic of this feature string and feature string is put into the table 0 of HBase database, concrete Store form is that front 2 characters of first feature field are as row race, 3rd, 4 characters are as line unit, simultaneously, row modifier is adopted to be numbered this feature string, wherein, row modifier numbering is from 1, to distinguish the identical feature string of front four characters, the explanation of the application layer protocol generic of whole feature string and feature string is put into row race as characteristic value, in line unit and form corresponding to row modifier,
Otherwise, the explanation of the application layer protocol generic of whole feature string and feature string is put into the table 1 of HBase database;
(2), first with the Map function of Hadoop platform, preliminary treatment is carried out to the packet of catching from network, extract application layer protocol packet, then the application layer protocol packet of extraction is carried out cluster, same application-level packet is identified as a packet, which reduces the time that whole program is run;
(3), with the Reduce function of Hadoop platform, the application layer protocol packet after cluster is identified:
Extract front 4 characters of the application layer protocol packet after cluster, with front 2 characters of these 4 characters as row race, the 3rd, 4 character, as line unit, extracts characteristic value from the table 0 of HBase database, and leaves set A 1 li in;
If set A 1 is not empty, then mate with the feature string of the characteristic value in set A 1 successively with the application layer protocol packet after cluster, if each feature field of the feature string of characteristic value finds in application layer protocol packet according to its side-play amount, the match is successful then to think characteristic value, once characteristic value the match is successful, the feature string application layer protocol generic of characteristic value is returned; Otherwise think that characteristic value coupling is unsuccessful;
If set A 1 is empty or set A 1 is not empty but characteristic value coupling is unsuccessful, then from the table 1 of HBase database, extract characteristic value, and leave in set A 2, then mate with the feature string of the characteristic value in set A 2 successively with the application layer protocol packet after cluster, if each feature field of the feature string of characteristic value finds in application layer protocol packet according to its side-play amount, the match is successful then to think characteristic value, once characteristic value the match is successful, the feature string application layer protocol generic of characteristic value is returned; Otherwise think that characteristic value coupling is unsuccessful, returning the application layer protocol packet after cluster can not identify.
2. application protocol recognition method according to claim 1, is characterized in that, described feature string coupling is:
1), arranging variable i, is 0 to variable i assignment;
2), whether judgment variable i be greater than scope and the characteristic value quantity of characteristic value collection, if be greater than, then it fails to match for feature string, if be not more than, then carry out step 3);
3), get i-th characteristic value of characteristic value collection A, described characteristic value collection A is set A 1 or set A 2;
4), characteristic value is separated according to separator, obtain feature field 1, side-play amount 1, feature field 2, side-play amount 2 ..., feature field n, side-play amount n and feature string the explanation of application layer protocol generic, and successively stored in array vals;
5), arranging variable j, be 0, arrange variable b to variable j assignment, is false to variable b assignment;
6), whether judgment variable j is greater than array vals number of elements-2; If so, then represent that this characteristic value has been mated, enter step 7), otherwise enter step 8);
7), whether the value of judgment variable b be true, be then feature string the match is successful, the feature string application layer protocol generic of characteristic value is returned; Otherwise variable i is added 1 i.e. i=i+1, return step 2);
8), judge whether array jth+1 element and vals [j+1] are character " a ";
If, then search in application layer protocol packet, see whether there is element vals [j+1], exist, then variable b assignment is true, variable j adds 2, returns step 6), do not exist, then variable b assignment is false, variable i adds 1, returns step 2), namely carry out next feature string coupling;
If not, then judge that whether the side-play amount of element vals [j] in application layer protocol packet be equal with element vals [j+1], equal, then variable b assignment is true, and variable j adds 2, return step 6), unequal, then variable b assignment is false, and variable i adds 1, return step 2), namely carry out next feature string coupling.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310053824.0A CN103281291B (en) | 2013-02-19 | 2013-02-19 | A kind of application protocol recognition method based on Hadoop |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310053824.0A CN103281291B (en) | 2013-02-19 | 2013-02-19 | A kind of application protocol recognition method based on Hadoop |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103281291A CN103281291A (en) | 2013-09-04 |
CN103281291B true CN103281291B (en) | 2016-04-20 |
Family
ID=49063739
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310053824.0A Expired - Fee Related CN103281291B (en) | 2013-02-19 | 2013-02-19 | A kind of application protocol recognition method based on Hadoop |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103281291B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103746867B (en) * | 2013-12-23 | 2016-09-21 | 中国电子科技集团公司第三十六研究所 | A kind of network protocol analysis method based on basic function |
CN103761167B (en) * | 2014-01-23 | 2017-04-05 | 浪潮(北京)电子信息产业有限公司 | A kind of method and apparatus for realizing data center backup |
CN104159232B (en) * | 2014-09-01 | 2015-06-03 | 电子科技大学 | Method of recognizing protocol format of binary message data |
CN106850349B (en) * | 2017-02-08 | 2020-01-03 | 杭州迪普科技股份有限公司 | Feature information extraction method and device |
CN106777387B (en) * | 2017-02-16 | 2020-10-30 | 江苏海平面数据科技有限公司 | HBase-based Internet of things big data access method |
CN113053085B (en) * | 2021-02-04 | 2022-06-03 | 北京戴纳实验科技有限公司 | Hospital refrigerator supervisory system |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101547207A (en) * | 2009-05-07 | 2009-09-30 | 杭州迪普科技有限公司 | Protocol identification control method and equipment based on application behavior mode |
CN103248606A (en) * | 2012-02-02 | 2013-08-14 | 哈尔滨安天科技股份有限公司 | Network virus detection method and system for IPv4 (Internet Protocol Version 4) and IPv6 (Internet Protocol Version 6) |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100477513B1 (en) * | 2002-11-25 | 2005-03-17 | 전자부품연구원 | Architecture and method of a common protocol for transferring data between different network protocols and a common protocol packet |
WO2005094191A2 (en) * | 2004-03-31 | 2005-10-13 | Lg Electronics, Inc. | Data processing method for network layer |
-
2013
- 2013-02-19 CN CN201310053824.0A patent/CN103281291B/en not_active Expired - Fee Related
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101547207A (en) * | 2009-05-07 | 2009-09-30 | 杭州迪普科技有限公司 | Protocol identification control method and equipment based on application behavior mode |
CN103248606A (en) * | 2012-02-02 | 2013-08-14 | 哈尔滨安天科技股份有限公司 | Network virus detection method and system for IPv4 (Internet Protocol Version 4) and IPv6 (Internet Protocol Version 6) |
Non-Patent Citations (1)
Title |
---|
《基于特征串的应用层协议识别》;陈亮等;《计算机工程与应用》;20061231(第24期);第16-19页 * |
Also Published As
Publication number | Publication date |
---|---|
CN103281291A (en) | 2013-09-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103281291B (en) | A kind of application protocol recognition method based on Hadoop | |
CN109960729B (en) | Method and system for detecting HTTP malicious traffic | |
CN101267313B (en) | Flooding attack detection method and detection device | |
CN104579974B (en) | The Hash Bloom Filter and data forwarding method of Name Lookup towards in NDN | |
CN105224692A (en) | Support the system and method for the SDN multilevel flow table parallel search of polycaryon processor | |
WO2016201938A1 (en) | Multi-stage phishing website detection method and system | |
CN103942308A (en) | Method and device for detecting large-scale social network communities | |
CN104012063A (en) | Controller for flexible and extensible flow processing in software-defined networks | |
CN102722726A (en) | Multi-class support vector machine classification method based on dynamic binary tree | |
CN105099918B (en) | A kind of matched method and apparatus of data search | |
CN102405622A (en) | Methods and devices for binary tree construction, compression and lookup | |
CN102468987B (en) | NetFlow characteristic vector extraction method | |
CN103324886B (en) | A kind of extracting method of fingerprint database in network intrusion detection and system | |
CN107547671A (en) | A kind of URL matching process and device | |
CN104618132A (en) | Generation method and generation device for application program recognition rule | |
CN103763198A (en) | Data packet classification method | |
CN109756467A (en) | A kind of recognition methods of fishing website and device | |
CN103685222A (en) | A data matching detection method based on a determinacy finite state automation | |
CN103414603B (en) | Ipv6 deep packet inspection method based on Hash method for folding | |
CN201937611U (en) | Network attack source positioning and protection system | |
CN106227741B (en) | A kind of extensive URL matching process based on multilevel hash index chained list | |
CN113645238B (en) | DDoS defense method for Handle identification system | |
CN101764754B (en) | Sample acquiring method in business identifying system based on DPI and DFI | |
CN103095718B (en) | Application layer protocol characteristic extracting method based on Hadoop | |
CN104794158A (en) | Domain name data repeated detection and fast index method in boundscript window |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20160420 Termination date: 20190219 |
|
CF01 | Termination of patent right due to non-payment of annual fee |