A monitoring method and system for peer-to-peer network applications
Technical field
The present invention relates to the field of information technology, and in particular to a method and system for monitoring peer-to-peer network applications in a local area network (LAN).
Background art
At present, with the rapid development of networks, P2P (peer-to-peer network) applications have become one of the main applications on the Internet, and the P2P model has become the preferred mode for many new services. P2P technology is widely used in fields such as file sharing, Internet video, Internet telephony, resource sharing and parallel transmission; its distributed nature gives users more resources, higher available bandwidth and better quality of service. At the same time, P2P applications bring the following problems:
(1) P2P applications have already surpassed Web applications and occupy more than 50% of the network bandwidth, which causes network congestion and degrades the users' browsing experience;
(2) P2P applications seize network resources, so that other applications in the LAN cannot obtain the bandwidth they need and critical services cannot be guaranteed.
Summary of the invention
The technical problem to be solved by the present invention is how to effectively monitor P2P applications in a LAN.
To solve the above problem, the present invention provides a monitoring method for peer-to-peer network applications, comprising:
identifying the peer-to-peer network (P2P) nodes in the LAN by means of behaviour characteristics;
for the TCP/UDP packets sent and received by the identified P2P nodes, identifying the network packets of P2P applications by means of behaviour characteristics or payload characteristics;
passing or blocking the identified network packets of P2P applications according to a predetermined policy.
Optionally, the step of identifying the P2P nodes in the LAN by means of behaviour characteristics comprises:
for one or more nodes in the LAN, counting the connection success rate or the number of broadcast packets of each node over a time window of predetermined length;
identifying as P2P nodes those nodes whose connection success rate satisfies a first predetermined condition or whose number of broadcast packets satisfies a second predetermined condition.
Optionally, the step of identifying, for the TCP/UDP packets sent and received by the identified P2P nodes, the network packets of P2P applications by means of behaviour characteristics or payload characteristics comprises:
for each TCP/UDP packet sent or received by an identified P2P node, recording the five-tuple of the packet and computing the entropy of the first 32 bytes of its payload;
when the entropy of the packet is lower than a predetermined entropy threshold, the packet is a network packet of a P2P application if its payload matches a predetermined pattern;
when the entropy of the packet is greater than or equal to the predetermined entropy threshold, the packet is a network packet of a P2P application if, in the recorded five-tuples, the ratio of the number of IP addresses to the number of ports is lower than a predetermined ratio threshold.
Optionally, the entropy threshold is 0.35 and the ratio threshold is 2.0.
Optionally, the step of passing or blocking the identified network packets of P2P applications according to a predetermined policy comprises:
computing the traffic of the network packets of P2P applications in the LAN and the total traffic of the LAN gateway;
blocking the identified network packets of P2P applications when the total traffic exceeds a first traffic threshold or the traffic of the network packets of P2P applications exceeds a second traffic threshold.
The present invention also provides a monitoring system for peer-to-peer network applications, comprising:
a node identification module, for identifying the P2P nodes in the LAN by means of behaviour characteristics;
an application identification module, for identifying, for the TCP/UDP packets sent and received by the identified P2P nodes, the network packets of P2P applications by means of behaviour characteristics or payload characteristics;
an application control module, for passing or blocking the identified network packets of P2P applications according to a predetermined policy.
Optionally, the node identification module identifying the P2P nodes in the LAN by means of behaviour characteristics means:
the node identification module, for one or more nodes in the LAN, counts the connection success rate or the number of broadcast packets of each node over a time window of predetermined length, and identifies as P2P nodes those nodes whose connection success rate satisfies a first predetermined condition or whose number of broadcast packets satisfies a second predetermined condition.
Optionally, the application identification module identifying, for the TCP/UDP packets sent and received by the identified P2P nodes, the network packets of P2P applications by means of behaviour characteristics or payload characteristics means:
for each TCP/UDP packet sent or received by an identified P2P node, the application identification module records the five-tuple of the packet and computes the entropy of the first 32 bytes of its payload; when the entropy of the packet is lower than a predetermined entropy threshold, the packet is a network packet of a P2P application if its payload matches a predetermined pattern; when the entropy of the packet is greater than or equal to the predetermined entropy threshold, the packet is a network packet of a P2P application if, in the recorded five-tuples, the ratio of the number of IP addresses to the number of ports is lower than a predetermined ratio threshold.
Optionally, the entropy threshold is 0.35 and the ratio threshold is 2.0.
Optionally, the application control module passing or blocking the identified network packets of P2P applications according to a predetermined policy means:
the application control module computes the traffic of the network packets of P2P applications in the LAN and the total traffic of the LAN gateway, and blocks the identified network packets of P2P applications when the total traffic exceeds a first traffic threshold or the traffic of the network packets of P2P applications exceeds a second traffic threshold.
The technical solution of the present invention solves the problem that P2P applications seize network resources, causing network congestion and affecting other network applications; it allows users to obtain information efficiently and improves the users' browsing experience.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the monitoring method for P2P applications of embodiment one;
Fig. 2 is a flow chart of P2P node identification in an example of embodiment one;
Fig. 3 is a flow chart of P2P application identification in an example of embodiment one;
Fig. 4 is a flow chart of P2P application control in an example of embodiment one;
Fig. 5 is a structural diagram of the monitoring system for P2P applications of embodiment two;
Fig. 6 is a networking diagram of the monitoring system for P2P applications of embodiment two;
Fig. 7 is the main flow chart of the monitoring system for P2P applications in an example of embodiment two.
Detailed description of the invention
The technical solution of the present invention is described in detail below with reference to the drawings and embodiments.
It should be noted that, provided there is no conflict, the embodiments of the present invention and the features in the embodiments can be combined with each other, and all such combinations fall within the protection scope of the present invention. In addition, although a logical order is shown in the flow charts, in some cases the steps shown or described may be performed in an order different from the one given here.
Embodiment one, a monitoring method for P2P applications, as shown in Fig. 1, comprises:
S101, identifying the P2P nodes in the LAN by means of behaviour characteristics;
S102, for the TCP (Transmission Control Protocol)/UDP (User Datagram Protocol) packets sent and received by the identified P2P nodes, identifying the network packets of P2P applications by means of behaviour characteristics or payload characteristics;
S103, passing or blocking the identified network packets of P2P applications according to a predetermined policy.
This embodiment identifies the P2P nodes in the LAN by behaviour characteristics, identifies the traffic of P2P applications by behaviour characteristics or payload characteristics, and on that basis controls the P2P applications; it can thus manage the P2P applications in the LAN effectively, so that the network bandwidth is used reasonably.
In one implementation of this embodiment, step S101 may specifically comprise:
for one or more nodes in the LAN, counting the connection success rate or the number of broadcast packets of each node over a time window of predetermined length;
identifying as P2P nodes those nodes whose connection success rate satisfies a first predetermined condition or whose number of broadcast packets satisfies a second predetermined condition.
In this implementation, the connection success rate or number of broadcast packets of each node may be counted over a time window of predetermined length after a monitoring instruction is received; alternatively, the connection success rate or number of broadcast packets of each node over the most recent window may be recorded periodically or continuously. P2P nodes may be identified periodically, or identification may be performed after a monitoring instruction is received.
In this implementation, the connection success rate may be computed from the number of SYN (handshake) messages or ACK (acknowledgement) messages in the network packets. In one alternative of this implementation, satisfying the first predetermined condition means that the connection success rate is lower than 0.8; other alternatives may set the first predetermined condition differently.
In this implementation, the number of broadcast packets may be computed from the number of ICMP (Internet Control Message Protocol) packets and a comparison of their TTL (time to live) values. In one alternative of this implementation, satisfying the second predetermined condition means that the number of broadcast packets is greater than 5 and the TTL values of adjacent broadcast packets differ by 1; other alternatives may set the second predetermined condition differently.
A specific example of this implementation is shown in Fig. 2; in this example P2P nodes are identified periodically, and the example comprises the following steps 201 to 208.
Step 201: whenever a network packet transmitted between the LAN and the Internet is intercepted, parse the packet and determine whether it is a SYN or ACK message; if so, perform step 202; otherwise determine whether it is an ICMP packet; if so, perform step 205; otherwise return to step 201.
Step 202: increment by one the count of SYN and ACK messages sent or received by the corresponding node in the LAN.
Step 203: obtain the current time and compute the difference from the time at which counting started in this identification cycle, to judge whether the identification cycle has elapsed; if it has, perform step 204; if not, return to step 201.
Step 204: compute the connection success rate of each node in the LAN and identify whether each node is a P2P node; then perform step 208.
Step 205: increment by one the count of ICMP packets sent or received by the corresponding node in the LAN, and judge whether this TTL (time to live) value has already been saved; if not, save the TTL value.
Step 206: obtain the current time and compute the difference from the time at which counting started in this identification cycle, to judge whether the identification cycle has elapsed; if it has, perform step 207; if not, return to step 201.
Step 207: compute the ICMP packet count and the TTL comparison value of each node in the LAN and identify whether each node is a P2P node; then perform step 208.
Step 208: store the IP addresses and ports of the identified P2P nodes in the P2P node table; the P2P node information table may include fields such as table name, IP address, port and creation time. End the identification for this identification cycle and reset the counters.
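The identification cycle of steps 201 to 208, written out as an added example in Python; this is not code from the patent. Two points the page leaves open are fixed here as labelled assumptions: the connection success rate is taken as the number of ACK messages divided by the number of SYN messages seen for a node (a node that sent no SYN is treated as fully successful), and the TTL comparison of step 207 is made over the distinct TTL values saved in step 205, in the order they were first seen. The packet records are constructed, not captured traffic, and the 0.8 and "more than 5, TTL step of 1" conditions are the page's own values.

```python
"""Periodic P2P node identification (steps 201 to 208), added example."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

SUCCESS_RATE_THRESHOLD = 0.8   # first predetermined condition: success rate < 0.8
BROADCAST_MIN_COUNT = 5        # second predetermined condition: more than 5 ICMP packets ...
BROADCAST_TTL_STEP = 1         # ... whose adjacent saved TTL values differ by exactly 1


@dataclass
class NodeStats:
    """Per-node counters for one identification cycle (steps 202 and 205)."""
    syn: int = 0
    ack: int = 0
    icmp: int = 0
    ttls: List[int] = field(default_factory=list)   # distinct TTLs, in order first seen


class P2PNodeIdentifier:
    def __init__(self):
        self.stats: Dict[str, NodeStats] = defaultdict(NodeStats)
        self.node_table: Dict[str, str] = {}   # the P2P node table: LAN IP -> reason flagged

    def observe(self, pkt: dict) -> None:
        """Steps 201, 202 and 205: classify one intercepted packet and update its node's counters.

        `pkt` is a constructed record: {"node": <LAN IP>, "kind": "SYN"|"ACK"|"ICMP", "ttl": int}.
        """
        s = self.stats[pkt["node"]]
        kind = pkt["kind"]
        if kind == "SYN":
            s.syn += 1
        elif kind == "ACK":
            s.ack += 1
        elif kind == "ICMP":
            s.icmp += 1
            if pkt["ttl"] not in s.ttls:       # step 205: a TTL value is saved only once
                s.ttls.append(pkt["ttl"])
        # any other packet is ignored (back to step 201)

    @staticmethod
    def success_rate(s: NodeStats) -> float:
        """Assumption: success rate = ACKs / SYNs; no SYNs at all counts as 1.0."""
        return s.ack / s.syn if s.syn else 1.0

    @staticmethod
    def is_broadcast_sweep(s: NodeStats) -> bool:
        """Step 207: more than BROADCAST_MIN_COUNT ICMP packets, and every pair of
        adjacent saved TTL values differs by BROADCAST_TTL_STEP (a traceroute-like sweep)."""
        if s.icmp <= BROADCAST_MIN_COUNT or len(s.ttls) < 2:
            return False
        return all(abs(b - a) == BROADCAST_TTL_STEP for a, b in zip(s.ttls, s.ttls[1:]))

    def end_cycle(self) -> Dict[str, str]:
        """Steps 204, 207 and 208: evaluate every node, fill the node table, reset the counters."""
        found = {}
        for ip, s in self.stats.items():
            if self.success_rate(s) < SUCCESS_RATE_THRESHOLD:
                found[ip] = "low connection success rate"
            elif self.is_broadcast_sweep(s):
                found[ip] = "icmp ttl sweep"
        self.node_table.update(found)
        self.stats.clear()
        return found


def identify_p2p_nodes(packets: Iterable[dict]) -> Dict[str, str]:
    """Run one complete identification cycle over a batch of packet records."""
    ident = P2PNodeIdentifier()
    for p in packets:
        ident.observe(p)
    return ident.end_cycle()


# Constructed sample window (not captured traffic) with four LAN nodes.
SAMPLE_PACKETS = (
    [{"node": "10.0.0.11", "kind": "SYN"}] * 10 + [{"node": "10.0.0.11", "kind": "ACK"}] * 3   # rate 0.3
    + [{"node": "10.0.0.12", "kind": "SYN"}] * 10 + [{"node": "10.0.0.12", "kind": "ACK"}] * 9  # rate 0.9
    + [{"node": "10.0.0.13", "kind": "SYN"}] * 5 + [{"node": "10.0.0.13", "kind": "ACK"}] * 5
    + [{"node": "10.0.0.13", "kind": "ICMP", "ttl": t} for t in range(1, 7)]                    # TTL sweep 1..6
    + [{"node": "10.0.0.14", "kind": "ICMP", "ttl": 64}] * 7                                     # 7 pings, one TTL
)

if __name__ == "__main__":
    for ip, why in identify_p2p_nodes(SAMPLE_PACKETS).items():
        print(ip, why)
```

Node 10.0.0.14 is the case worth noticing: it sends more than five ICMP packets but all with the same TTL, so the count alone would flag it while the TTL comparison of step 207 does not; a plain ping loop and a hop-by-hop sweep are told apart only by the second half of the condition.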
In one implementation of this embodiment, step S102 may specifically comprise:
for each TCP/UDP packet sent or received by an identified P2P node, recording the five-tuple of the packet and computing the entropy of the first 32 bytes of its payload;
when the entropy of the packet is lower than a predetermined entropy threshold, the packet is a network packet of a P2P application if its payload matches a predetermined pattern;
when the entropy of the packet is greater than or equal to the predetermined entropy threshold, the packet is a network packet of a P2P application if, in the recorded five-tuples, the ratio of the number of IP addresses to the number of ports is lower than a predetermined ratio threshold.
In one alternative of this embodiment, the entropy threshold may be, but is not limited to, 0.35, and the ratio threshold may be, but is not limited to, 2.0; other alternatives may set the entropy threshold and the ratio threshold differently. The predetermined pattern may be set, according to statistics or experience, to one or more patterns that are common in the payloads of P2P applications.
A specific example of this implementation is shown in Fig. 3; the identification of P2P applications comprises the following steps 301 to 306.
Step 301: for an identified P2P node, whenever a network packet transmitted between the LAN and the Internet is intercepted, parse the packet and store its five-tuple (source IP address, destination IP address, source port, destination port, protocol); judge whether the packet is a TCP/UDP packet; if it is, perform step 302; if not, end.
Step 302: store the source IP address and source port, and the destination IP address and destination port, of the packet in the P2P connection information table; the P2P connection information table may include fields such as table name, source IP address, destination IP address, source port, destination port and creation time.
Step 303: compute the entropy of the first 32 bytes of the packet payload and judge whether the entropy is greater than the entropy threshold; if greater, perform step 304; if lower, perform step 305; if equal, either step 304 or step 305 may be configured to be performed.
Step 304: compute the ratio of the number of IP addresses to the number of ports; if the ratio is lower than the ratio threshold, perform step 306; if not lower than the ratio threshold, end.
Step 305: perform pattern matching on the payload of the packet; if the match succeeds, perform step 306; if the match fails, end.
Step 306: identify the packet as a network packet of a P2P application, and end.
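Steps 301 to 306 for one identified node, as an added Python example rather than the patent's own code. The page does not say how the entropy is scaled, so the 0.35 threshold is applied here to the Shannon entropy of the first 32 payload bytes normalised to [0, 1] by the maximum entropy possible for that many bytes (an assumption); the "predetermined pattern" is a constructed placeholder, not a real signature; and the step 304 ratio is taken, by assumption, as distinct remote IP addresses divided by distinct remote ports over the five-tuples recorded so far for the node. The packets and payloads are constructed.

```python
"""P2P application identification for one P2P node (steps 301 to 306), added example."""
import math
from collections import namedtuple
from typing import List

ENTROPY_THRESHOLD = 0.35     # page's value, applied here to the normalised entropy (assumption)
RATIO_THRESHOLD = 2.0        # page's value: #IP addresses / #ports below this means P2P
ENTROPY_WINDOW = 32          # first 32 payload bytes, as in step 303

FiveTuple = namedtuple("FiveTuple", "src_ip dst_ip src_port dst_port proto")

# Constructed placeholder patterns: the page leaves the real ones to "statistics or
# experience", so these stand in for them and are not real protocol signatures.
P2P_PATTERNS = [b"P2PHELLO", b"P2PPING\x00"]


def payload_entropy(payload: bytes) -> float:
    """Shannon entropy of the first ENTROPY_WINDOW bytes, normalised to [0, 1]
    by log2 of the number of bytes (at most 256 symbols); assumption, see lead-in."""
    window = payload[:ENTROPY_WINDOW]
    n = len(window)
    if n < 2:
        return 0.0
    counts = {}
    for b in window:
        counts[b] = counts.get(b, 0) + 1
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(min(n, 256))


class P2PApplicationIdentifier:
    """Classifies the TCP/UDP packets of one already-identified P2P node."""

    def __init__(self, node_ip: str):
        self.node_ip = node_ip
        self.connections: List[FiveTuple] = []   # the P2P connection information table

    def ip_port_ratio(self) -> float:
        """Step 304: distinct remote IP addresses / distinct remote ports over the
        five-tuples recorded so far for this node (assumed definition of the ratio)."""
        remote = [(t.dst_ip, t.dst_port) if t.src_ip == self.node_ip else (t.src_ip, t.src_port)
                  for t in self.connections]
        ips = {ip for ip, _ in remote}
        ports = {port for _, port in remote}
        return len(ips) / len(ports) if ports else math.inf

    def classify(self, ft: FiveTuple, payload: bytes) -> bool:
        """Steps 301 to 306: True when the packet is a packet of a P2P application."""
        if ft.proto not in ("tcp", "udp"):            # step 301: only TCP/UDP is examined
            return False
        self.connections.append(ft)                   # step 302: record the five-tuple
        if payload_entropy(payload) < ENTROPY_THRESHOLD:          # step 303 -> 305
            return any(p in payload for p in P2P_PATTERNS)        # plaintext: pattern match
        return self.ip_port_ratio() < RATIO_THRESHOLD             # step 303 -> 304 (>= goes here)


def classify_stream(node_ip: str, packets) -> List[bool]:
    """Run one node's (five-tuple, payload) pairs through the identifier; return each verdict."""
    ident = P2PApplicationIdentifier(node_ip)
    return [ident.classify(ft, payload) for ft, payload in packets]


# Constructed samples (not captured traffic).
LOW_ENTROPY_P2P = b"P2PHELLO" + b"\x00" * 24          # plaintext-style handshake with padding
HIGH_ENTROPY = bytes(range(32))                       # stands in for an encrypted payload

# A P2P-like node: five peers, each on a different port, opaque payloads.
PEER_NODE = [(FiveTuple("10.0.0.11", f"203.0.113.{i}", 50000 + i, 6880 + i, "tcp"), HIGH_ENTROPY)
             for i in range(1, 6)]
# A web-like node: five servers, all on port 443, opaque (TLS-like) payloads.
WEB_NODE = [(FiveTuple("10.0.0.20", f"198.51.100.{i}", 50000 + i, 443, "tcp"), HIGH_ENTROPY)
            for i in range(1, 6)]

if __name__ == "__main__":
    print(classify_stream("10.0.0.11", PEER_NODE))    # ratio stays 1.0 -> every packet P2P
    print(classify_stream("10.0.0.20", WEB_NODE))     # ratio climbs to 5.0 -> later packets not P2P
```

The web-like node shows the caveat a practitioner would want: the ratio is computed over whatever has been recorded so far, so the very first packet of any node sees a table with one address and one port, a ratio of 1.0, and is classified as P2P; the verdict only becomes meaningful once several connections have been recorded. A deployment would defer the step 304 test until the connection table for the node has a minimum size, which the page does not specify.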
In one implementation of this embodiment, step S103 may specifically comprise:
computing the traffic of the network packets of P2P applications in the LAN and the total traffic of the LAN gateway;
blocking the identified network packets of P2P applications when the total traffic exceeds a first traffic threshold or the traffic of the network packets of P2P applications exceeds a second traffic threshold.
In one alternative of this implementation, the first traffic threshold may be, but is not limited to, 80% of the total bandwidth of the LAN gateway, and the second traffic threshold may be, but is not limited to, 80% of the total traffic. Other alternatives may set the first and second traffic thresholds differently.
A specific example of this implementation is shown in Fig. 4; the control of the network packets of P2P applications comprises the following steps 401 to 404.
Step 401: when a network packet is identified as a network packet of a P2P application, perform step 402.
Step 402: measure the total traffic of the LAN gateway and the traffic of the network packets of P2P applications (hereinafter P2P traffic).
Step 403: if both the total traffic and the P2P traffic are below their respective thresholds, pass the packet.
Step 404: if at least one of the total traffic and the P2P traffic exceeds its threshold, block the packet.
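The control policy of steps 401 to 404 as an added Python example, not the patent's code. Traffic is metered as bytes per second over a sliding window from constructed (timestamp, size, is_p2p) records, with the page's values: the first threshold is 80% of the gateway bandwidth and the second is 80% of the measured total traffic. The gateway bandwidth, the window length and the traces are constructed; each trace record aggregates the bytes seen at that instant rather than standing for a single packet.

```python
"""Pass/block decision for identified P2P packets (steps 401 to 404), added example."""
from collections import deque
from typing import List, Tuple

GATEWAY_SHARE = 0.8   # first traffic threshold: 80% of the gateway's total bandwidth
P2P_SHARE = 0.8       # second traffic threshold: 80% of the measured total traffic


class P2PController:
    """Meters gateway traffic over a sliding window and applies the step 403/404 rule."""

    def __init__(self, gateway_bandwidth: float, window_s: float = 1.0):
        # gateway_bandwidth and all rates are in bytes per second
        self.first_threshold = GATEWAY_SHARE * gateway_bandwidth
        self.window_s = window_s
        self._events = deque()   # (timestamp, size, is_p2p), oldest first
        self.total_bytes = 0     # bytes of all packets currently in the window
        self.p2p_bytes = 0       # bytes of identified P2P packets currently in the window

    def _expire(self, now: float) -> None:
        while self._events and self._events[0][0] <= now - self.window_s:
            _, size, is_p2p = self._events.popleft()
            self.total_bytes -= size
            if is_p2p:
                self.p2p_bytes -= size

    def rates(self, now: float) -> Tuple[float, float]:
        """Step 402: (total gateway traffic, P2P traffic) over the current window."""
        self._expire(now)
        return self.total_bytes / self.window_s, self.p2p_bytes / self.window_s

    def handle(self, ts: float, size: int, is_p2p: bool) -> str:
        """Every intercepted packet is metered on arrival (blocked ones included, since
        they did reach the gateway); only packets already identified as P2P (step 401)
        are subject to the pass/block decision, everything else is passed."""
        self._events.append((ts, size, is_p2p))
        self.total_bytes += size
        if is_p2p:
            self.p2p_bytes += size
        if not is_p2p:
            return "pass"
        total_rate, p2p_rate = self.rates(ts)
        if total_rate > self.first_threshold or p2p_rate > P2P_SHARE * total_rate:
            return "block"   # step 404: at least one threshold exceeded
        return "pass"        # step 403: both below threshold


def run_trace(gateway_bandwidth: float, trace: List[Tuple[float, int, bool]]) -> List[str]:
    """Feed a constructed trace of (timestamp_s, bytes, is_p2p) records through a
    fresh controller and return the verdict for each record."""
    ctl = P2PController(gateway_bandwidth)
    return [ctl.handle(ts, size, is_p2p) for ts, size, is_p2p in trace]


MB = 1_000_000
GATEWAY = 10 * MB   # constructed gateway: 10 MB/s, so the first threshold is 8 MB/s
# Constructed traces; each record aggregates the bytes seen at that instant.
SATURATED_LINK = [(0.0, 5 * MB, False), (0.3, 4 * MB, False), (0.5, 1500, True)]
P2P_HOGGING = [(0.0, 1 * MB, False), (0.2, 3 * MB, True), (0.4, 2 * MB, True), (0.6, 1500, True)]
MODERATE_P2P = [(0.0, 3 * MB, False), (0.2, 1 * MB, True), (0.4, 1500, True)]
RECOVERED = [(0.0, 9 * MB, False), (2.0, 1 * MB, False), (2.1, 1500, True)]
IDLE_LINK = [(0.0, 1500, True)]

if __name__ == "__main__":
    for name, trace in [("saturated", SATURATED_LINK), ("hogging", P2P_HOGGING),
                        ("moderate", MODERATE_P2P), ("recovered", RECOVERED), ("idle", IDLE_LINK)]:
        print(name, run_trace(GATEWAY, trace))
```

The IDLE_LINK trace exposes a property of the page's second threshold: because it is a share of the measured total rather than of the link capacity, a single P2P packet on an otherwise idle link is 100% of the traffic and is blocked even though nothing is being starved. A deployment would normally pair the second threshold with a minimum total traffic, or express it as a share of the gateway bandwidth as the first one is.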
Embodiment two, a monitoring system for P2P applications, as shown in Fig. 5, comprises:
a node identification module, for identifying the P2P nodes in the LAN by means of behaviour characteristics;
an application identification module, for identifying, for the TCP/UDP packets sent and received by the identified P2P nodes, the network packets of P2P applications by means of behaviour characteristics or payload characteristics;
an application control module, for passing or blocking the identified network packets of P2P applications according to a predetermined policy.
In one implementation of this embodiment, the monitoring system may further comprise:
a storage module, comprising an information base, for storing the P2P node information table and the P2P connection information table; the P2P node information table includes the fields table name, IP address, port and creation time; the P2P connection information table includes the fields table name, source IP address, destination IP address, source port, destination port and creation time;
a management module, for managing the monitoring policy for P2P applications and saving it in the information base; it can be used to set the various thresholds and the like;
a communication module, for intercepting the network packets transmitted between the LAN and the Internet, and for forwarding a network packet when the application control module passes it.
In one implementation of this embodiment, the node identification module identifying the P2P nodes in the LAN by means of behaviour characteristics may specifically mean:
the node identification module, for one or more nodes in the LAN, counts the connection success rate or the number of broadcast packets of each node over a time window of predetermined length, and identifies as P2P nodes those nodes whose connection success rate satisfies a first predetermined condition or whose number of broadcast packets satisfies a second predetermined condition.
In this implementation, the connection success rate may be computed from the number of SYN (handshake) messages or ACK (acknowledgement) messages in the network packets. In one alternative of this implementation, satisfying the first predetermined condition means that the connection success rate is lower than 0.8; other alternatives may set the first predetermined condition differently.
In this implementation, the number of broadcast packets may be computed from the number of ICMP (Internet Control Message Protocol) packets and a comparison of their TTL (time to live) values. In one alternative of this implementation, satisfying the second predetermined condition means that the number of broadcast packets is greater than 5 and the TTL values of adjacent broadcast packets differ by 1; other alternatives may set the second predetermined condition differently.
In one implementation of this embodiment, the application identification module identifying, for the TCP/UDP packets sent and received by the identified P2P nodes, the network packets of P2P applications by means of behaviour characteristics or payload characteristics may specifically mean:
for each TCP/UDP packet sent or received by an identified P2P node, the application identification module records the five-tuple of the packet and computes the entropy of the first 32 bytes of its payload; when the entropy of the packet is lower than a predetermined entropy threshold, the packet is a network packet of a P2P application if its payload matches a predetermined pattern; when the entropy of the packet is greater than or equal to the predetermined entropy threshold, the packet is a network packet of a P2P application if, in the recorded five-tuples, the ratio of the number of IP addresses to the number of ports is lower than a predetermined ratio threshold.
In one alternative of this embodiment, the entropy threshold may be, but is not limited to, 0.35, and the ratio threshold may be, but is not limited to, 2.0; other alternatives may set the entropy threshold and the ratio threshold differently. The predetermined pattern may be set, according to statistics or experience, to one or more patterns that are common in the payloads of P2P applications.
In one implementation of this embodiment, the application control module passing or blocking the identified network packets of P2P applications according to a predetermined policy may specifically mean:
the application control module computes the traffic of the network packets of P2P applications in the LAN and the total traffic of the LAN gateway, and blocks the identified network packets of P2P applications when the total traffic exceeds a first traffic threshold or the traffic of the network packets of P2P applications exceeds a second traffic threshold.
In one alternative of this implementation, the first traffic threshold may be, but is not limited to, 80% of the total bandwidth of the LAN gateway, and the second traffic threshold may be, but is not limited to, 80% of the total traffic. Other alternatives may set the first and second traffic thresholds differently.
Fig. 6 shows the networking diagram of the monitoring system of this embodiment.
The LAN includes network equipment, network security equipment, hosts and terminals; the network equipment includes routers and switches; the network security equipment may include firewalls, VPNs, network anti-virus systems and intrusion detection systems; the hosts may include Web servers, mail servers and file servers; the terminals may include user computers and self-service terminals.
The Internet may include routers for transmitting and routing network traffic.
The monitoring system is connected between the Internet and the LAN to be monitored, and can intercept the network packets transmitted between the LAN and the Internet.
A specific example of this embodiment is shown in Fig. 7; the workflow of the monitoring system comprises the following steps 601 to 607.
Step 601: initialise; set the monitoring policy for P2P applications in the management module and store it in the information base of the storage module.
Step 602: the communication module receives a network packet.
Step 603: the node identification module identifies the P2P nodes in the LAN by means of behaviour characteristics.
Step 604: the application identification module identifies the network packets of P2P applications by means of behaviour characteristics or payload characteristics; for a network packet of a P2P application, perform step 605.
Step 605: the application control module decides whether to block or pass the P2P packet.
Step 606: block or pass the packet accordingly.
Step 607: for a pass action, the communication module forwards the network packet of the P2P application.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method can be performed by a program instructing the related hardware; the program can be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or part of the steps of the above embodiments can also be implemented with one or more integrated circuits. Correspondingly, each module/unit in the above embodiments can be implemented in the form of hardware or in the form of a software functional module. The present invention is not limited to any particular combination of hardware and software.
Of course, the present invention may also have various other embodiments; without departing from the spirit and essence of the present invention, those of ordinary skill in the art can make various corresponding changes and modifications according to the present invention, and all such changes and modifications should fall within the scope of the claims of the present invention.