CN107360062B - DPI equipment identification result verification method and system and DPI equipment - Google Patents

Publication number: CN107360062B
Authority: CN (China)
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN201710749255.1A
Other languages: Chinese (zh)
Other versions: CN107360062A
Inventors: 郭海涛, 季珂, 刘双与
Current Assignee: Shanghai Guoyun Information Technology Co ltd (the listed assignee may be inaccurate)
Original Assignee: Shanghai Guoyun Information Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/30 Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
    • H04L69/322 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]

Abstract

The invention provides a method and a system for verifying a DPI device identification result, and a DPI device. The method comprises: detecting whether a client that has established a connection exists at the source IP address of a target data stream; when such a client exists at the source IP address, sending the four-tuple information of the target data stream to the client; receiving a process name sent by the client; acquiring a matched application protocol according to the process name sent by the client; and verifying whether the matched application protocol is the same as the application protocol identification result of the DPI device. The method, the system and the DPI device can thus judge whether the application protocol fed back by the client is the same as the application protocol identification result of the DPI device, and collect information about the abnormal data flow when the two differ, so that feature information of the application protocol can be extracted and a feature library established.

Description

DPI equipment identification result verification method and system and DPI equipment
Technical Field
The invention relates to the technical field of information processing, and in particular to a method and a system for verifying a DPI device identification result, and to a DPI device.
Background
DPI (Deep Packet Inspection) is a layer-7 protocol analysis technique: a means of data stream identification that analyzes application-layer data (including the header and payload contents of IP/TCP/UDP packets) and matches it against the protocol features of applications, thereby determining the application to which a packet data stream belongs.
After the DPI device identifies the application to which a data flow belongs, it can perform accurate routing control, QoS control, security control, analysis and statistics, and other operations on the packets according to the requirements of the usage scenario. The effect of these operations depends heavily on the accuracy of DPI identification, which in turn depends mainly on the accuracy of the protocol feature library in the DPI device.
Establishing a relatively comprehensive and accurate feature library is a large and complex systems-engineering effort with a long construction period. In the prior art, the protocol features of each application are generally extracted one by one in a laboratory environment. Because the number of application protocols to be identified is huge and new applications keep appearing, a feature library cannot identify 100% of application protocols, and some application protocols inevitably go unrecognized. These unknown flows increase the fault tolerance cost of operating the live network. In general, for a specific usage scenario of DPI devices, it is important to refine a feature library of the most common applications in that scenario. Even so, at least hundreds of common applications need to be identified to reduce the fault tolerance cost to an acceptable level.
The feature extraction process for each application protocol is also complicated and labor-intensive. It generally includes the following steps:
(1) The application to be identified is run in a laboratory environment, all of its functions are exercised as comprehensively as possible, and all data packets it generates are captured. This process is repeated multiple times to obtain multiple data packet samples.
(2) Researchers compare the captured data packets, analyze the features in them, and encode those features into a feature library.
(3) Once the feature library is obtained, the above process is repeated to check it, and features are extracted again for any newly found unknown flows. After multiple iterations, a relatively comprehensive and accurate feature library of the application protocol is finally obtained.
In addition, once a DPI device is running online, there has been no effective method for judging its identification accuracy. The terminal executing the application and the DPI device are separate, data flow connections are time-limited (most exist only for a short time), and a reliable feedback mechanism is lacking. Only when the packet control actions generated from the identification result and the corresponding control policy deviate obviously do maintainers realize that an identification problem has occurred. By then the user's service has often been affected, and the identification problem can only be solved by re-extracting and proofreading the feature library for the corresponding application protocol in the laboratory environment. This typically takes days, which severely impacts the user experience. If the laboratory environment fails to capture the packets that were misidentified during live-network operation, the problem is even more difficult to solve.
Disclosure of Invention
In view of the above drawbacks of the prior art, an object of the present invention is to provide a method and a system for verifying an identification result of a DPI device, and a DPI device, in which information is exchanged with a client to determine whether the application protocol fed back by the client is the same as the application protocol identification result of the DPI device and, when the two differ, information about the abnormal data flow is collected, so that feature information of the application protocol can be extracted and a feature library established.
In order to achieve the above object and other related objects, the present invention provides a method for verifying an identification result of a DPI device, applied to a DPI device that is configured with matching information between process names and application protocol identification results. The method comprises the following steps: detecting whether a client that has established a connection exists at the source IP address of a target data stream; when such a client exists at the source IP address, sending the four-tuple information of the target data stream to the client, so that the client can look up the matching process name on the client according to the four-tuple information, the four-tuple information comprising a protocol type, a destination IP address, a source port number and a destination port number; receiving the four-tuple information and the process name of the target data stream sent by the client; acquiring a matched application protocol from the process name sent by the client, based on the matching information between process names and application protocol identification results; and verifying whether the matched application protocol is the same as the application protocol identification result of the DPI device.
In an embodiment of the present invention, the target data stream is obtained by screening according to one or more conditions of the application, the source IP address, the destination IP address, the source port number, and the destination port number.
In an embodiment of the present invention, the method further includes: if the matched application protocol is different from the application protocol identification result of the DPI device, storing the four-tuple information of the target data stream, the process name and the complete contents of the first several data packets of the target data stream locally.
In an embodiment of the present invention, if the target data streams were selected for all applications, a feature library of a DPI device is constructed according to the locally stored four-tuple information of the target data stream, the process name, and the complete contents of the first several data packets of the target data stream; if the target data stream was selected for a specific application, feature information of the specific protocol is extracted according to the locally stored four-tuple information of the target data stream, the process name and the complete contents of the first several data packets of the target data stream, so as to update the feature library of the application protocol.
In an embodiment of the present invention, the method further includes: if the matched application protocol is different from the application protocol identification result of the DPI device, correcting the application protocol identification result of the DPI device by using the matched application protocol.
Correspondingly, the invention also provides a system for verifying an identification result of a DPI device, applied to a DPI device that is configured with matching information between process names and application protocol identification results. The system comprises a detection module, a sending module, a receiving module, a matching module and a verification module. The detection module is used for detecting whether a client that has established a connection exists at the source IP address of a target data stream. The sending module is used for sending the four-tuple information of the target data stream to the client when such a client exists at the source IP address, so that the client can look up the matching process name on the client according to the four-tuple information; the four-tuple information comprises a protocol type, a destination IP address, a source port number and a destination port number. The receiving module is used for receiving the four-tuple information and the process name of the target data stream sent by the client. The matching module is used for acquiring a matched application protocol from the process name sent by the client, based on the matching information between process names and application protocol identification results. The verification module is used for verifying whether the matched application protocol is the same as the application protocol identification result of the DPI device.
In an embodiment of the present invention, the target data stream is obtained by screening according to one or more conditions of the application, the source IP address, the destination IP address, the source port number, and the destination port number.
In an embodiment of the present invention, the data processing apparatus further includes a storage module, configured to store the four-tuple information of the target data stream, the process name, and the complete contents of the first several data packets of the target data stream locally when the matched application protocol is different from the application protocol identification result of the DPI device.
In an embodiment of the present invention, the DPI device further includes a modification module, configured to modify the application protocol identification result of the DPI device by using the matched application protocol when the matched application protocol is different from the application protocol identification result of the DPI device.
Finally, the invention also provides DPI equipment, which comprises a communicator, a processor and a memory; the communicator is used for carrying out data communication with a client; the memory is used for storing a computer program; the processor is used for executing the computer program stored in the memory according to the data communication between the communicator and the client so as to execute the verification method of the DPI equipment identification result.
As described above, the method, system and DPI device for verifying the DPI device identification result of the present invention have the following advantages:
(1) Information is exchanged with the client to judge whether the application protocol fed back by the client is the same as the application protocol identification result of the DPI device, which ensures the accuracy of the verification result;
(2) When the application protocol identification result obtained by the DPI device is inconsistent with the one verified by the client, information about the abnormal data flow is collected, and once a preset quantity of such information is available, feature information of the application protocol is extracted from it and a feature library of the application protocol is constructed;
(3) The workload of constructing the DPI feature library is greatly reduced and the construction period of the DPI feature library in a specific scenario is shortened, from dozens of person-months to one person-month;
(4) The accuracy of the DPI-based routing control, QoS control, security control, analysis and statistics, and other operations is greatly improved, and the fault tolerance cost is greatly reduced.
Drawings
Fig. 1 is a flowchart illustrating a method for verifying an identification result of a DPI device according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of an embodiment of a DPI device identification result verification system according to the present invention;
Fig. 3 is a schematic diagram of a further embodiment of a DPI device identification result verification system according to the present invention;
Fig. 4 is a schematic structural diagram of a DPI device in an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a DPI device identification result verification system according to another embodiment of the present invention.
Description of the element reference numerals
1 Verification system for the DPI device identification result
11 Detection module
12 Sending module
13 Receiving module
14 Matching module
15 Verification module
16 Modification module
4 DPI device
41 Communicator
42 Processor
43 Memory
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention, and the components related to the present invention are only shown in the drawings rather than drawn according to the number, shape and size of the components in actual implementation, and the type, quantity and proportion of the components in actual implementation may be changed freely, and the layout of the components may be more complicated.
The verification method of the DPI equipment identification result is applied to the DPI equipment, and the DPI equipment is configured with process name and application protocol identification result matching information. Specifically, the process name and application protocol identification result matching information may be displayed and derived in the form of a list.
As shown in fig. 1, in an embodiment, the method for verifying the DPI device identification result includes the following steps:
Step S1: detect whether a client that has established a connection exists at the source IP address of the target data stream.
In an embodiment of the present invention, the DPI device selects a target data stream according to a certain screening condition. Preferably, the target data stream is obtained by screening according to one or more conditions of the application, the source IP address, the destination IP address, the source port number and the destination port number. The application may be an unknown application, one or more specific applications, or all applications. The DPI device selects the data streams to report according to different screening conditions, obtaining different target data streams for different purposes. When the data flow information of all protocols is selected for reporting, a brand-new DPI feature library can be developed and constructed; when the information of all unidentified data flows is selected for reporting, a DPI feature library already in operation can be completed quickly and kept running stably; when the reported data stream information is selected by address, protocol and port number, the data streams of a specific terminal device or a specific application can be verified specifically.
Specifically, according to the screening condition, the DPI device provides target data flow information that includes the five-tuple information of each data flow, the application protocol identification result of the data flow, and the complete contents of the first several data packets of the data flow; it then detects whether a client connected to the DPI device exists at the source IP address in the five-tuple information. It should be noted that the client of the present invention can run on a terminal device such as a PC or a smartphone, and can query information about all data streams on that terminal device. Five-tuple information is a well-known term in the communication field; it comprises the protocol type, source IP address, destination IP address, source port number, and destination port number of a data stream.
Preferably, the complete contents of the first several data packets of the target data stream may be the complete contents of the first or the first several data packets.
Step S2: when a client that has established a connection exists at the source IP address, send the four-tuple information of the target data stream to the client, so that the client can look up the matching process name on the client according to the four-tuple information. The four-tuple information comprises a protocol type, a destination IP address, a source port number and a destination port number.
In particular, a connected client present at the source IP address can be used to verify the DPI device identification result, so the four-tuple information of the target data stream is sent to that client. The four-tuple information consists of the five-tuple information without the source IP address.
In an embodiment of the present invention, after receiving the four-tuple information of the target data stream, the client may obtain all connection information of the current system by using a connection viewing tool provided by the operating system, and thereby obtain the five-tuple information of all data streams currently existing in the system. The client compares the five-tuple information of all these data streams with the received four-tuple information of the target data stream to obtain the process ID corresponding to the target data stream, and then obtains the process name corresponding to that process ID through a process list viewing tool provided by the operating system. The client then sends the four-tuple information to the DPI device together with the obtained process name. It should be noted that the source port in the four-tuple information is the local port of the client.
Step S3: receive the four-tuple information and the process name of the target data stream sent by the client.
Specifically, the DPI device receives the four-tuple information and the process name of the target data stream sent by the client, so that it can query the application protocol corresponding to the target data stream.
Step S4: acquire a matched application protocol from the process name sent by the client, based on the matching information between process names and application protocol identification results.
Because the DPI device is configured with the matching information between process names and application protocol identification results, the matched application protocol can be looked up from the process name sent by the client.
Step S5: verify whether the matched application protocol is the same as the application protocol identification result of the DPI device.
Specifically, the matched application protocol is compared with the application protocol identification result obtained by the DPI device to verify whether that result is accurate. If the two are the same, the identification result of the DPI device is accurate; if they differ, either the identification result of the DPI device is wrong or the DPI device did not identify the target data stream. In the latter case, if the DPI device has an application protocol identification result for the stream, that result is wrong; if it has none, the target data stream was not identified.
In an embodiment of the present invention, if the matched application protocol is different from the application protocol identification result of the DPI device, the four-tuple information of the target data stream, the process name, and the complete contents of the first several data packets of the target data stream are stored locally for query and display, so that a DPI device administrator can conveniently check the operating condition of the DPI device and perform appropriate maintenance.
Preferably, if the target data streams were selected for all applications, a feature library of a DPI device is constructed according to the locally stored four-tuple information of the target data stream, the process names and the complete contents of the first several data packets of the target data stream. This speeds up construction of the DPI device feature library and saves the work of repeatedly capturing packets in a laboratory environment.
Preferably, if the target data stream was selected for a specific application, feature information of the specific protocol is extracted according to the locally stored four-tuple information of the target data stream, the process name and the complete contents of the first several data packets of the target data stream, so as to update the feature library of the application protocol. If the feature library of the DPI device has no feature information corresponding to the specific application, the extracted feature information is added to the feature library; if the feature information stored for the specific application is inconsistent with the extracted feature information, the stored feature information is replaced with the extracted feature information.
In an embodiment of the present invention, if the matched application protocol is different from the application protocol identification result of the DPI device, the matched application protocol is used to correct the application protocol identification result of the DPI device, so as to ensure the normal operation of the application.
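Steps S1 to S5 and the client-side lookup described above, as an added Python sketch that is not code from the patent. The class and function names, the verdict labels, and the sample addresses, ports and process names are constructed for illustration; skipping a flow when the client cannot answer or the process name has no configured mapping is an assumption, since the text does not cover those cases.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FourTuple:
    protocol: str   # "tcp" or "udp"
    dst_ip: str
    src_port: int   # the client's local port
    dst_port: int


@dataclass(frozen=True)
class Flow:
    src_ip: str
    four_tuple: FourTuple
    dpi_result: Optional[str]   # None: the DPI device did not identify the stream
    first_packets: tuple        # complete contents of the first several packets


def make_client(connections, processes):
    """Client side of S2/S3. `connections` stands in for the output of the OS
    connection viewing tool: (protocol, local_port, remote_ip, remote_port, pid).
    `processes` stands in for the OS process list: pid -> process name."""
    def answer(ft):
        for proto, lport, rip, rport, pid in connections:
            if (proto, rip, lport, rport) == (ft.protocol, ft.dst_ip,
                                              ft.src_port, ft.dst_port):
                return ft, processes.get(pid)   # echo the four-tuple with the name
        return ft, None
    return answer


def verify_flow(flow, clients, process_to_protocol, mismatch_store):
    """DPI side of S1-S5. Returns (verdict, effective application protocol)."""
    client = clients.get(flow.src_ip)                    # S1: connected client?
    if client is None:
        return "no_client", flow.dpi_result
    echoed, process = client(flow.four_tuple)            # S2 send, S3 receive
    if echoed != flow.four_tuple or process is None:
        return "no_answer", flow.dpi_result              # assumption: skip the flow
    matched = process_to_protocol.get(process)           # S4: configured mapping
    if matched is None:
        return "unmapped_process", flow.dpi_result       # assumption: skip the flow
    if matched == flow.dpi_result:                       # S5: compare
        return "accurate", flow.dpi_result
    # Mismatch: keep the evidence for feature extraction, then correct the result.
    mismatch_store.append({"four_tuple": flow.four_tuple, "process": process,
                           "first_packets": flow.first_packets})
    verdict = "unidentified" if flow.dpi_result is None else "misidentified"
    return verdict, matched


# Constructed sample data (documentation address ranges, made-up process names).
PROCESS_TO_PROTOCOL = {"examplechat.exe": "ExampleChat",
                       "examplevideo.exe": "ExampleVideo"}
CLIENTS = {"192.0.2.10": make_client(
    connections=[("tcp", 50001, "198.51.100.5", 443, 1200),
                 ("tcp", 50002, "198.51.100.6", 443, 1300),
                 ("udp", 50003, "198.51.100.7", 8000, 1300)],
    processes={1200: "examplechat.exe", 1300: "examplevideo.exe"})}
FLOWS = [
    Flow("192.0.2.10", FourTuple("tcp", "198.51.100.5", 50001, 443),
         "ExampleChat", (b"\x16\x03\x01",)),
    Flow("192.0.2.10", FourTuple("tcp", "198.51.100.6", 50002, 443),
         "ExampleChat", (b"\x16\x03\x01",)),
    Flow("192.0.2.10", FourTuple("udp", "198.51.100.7", 50003, 8000),
         None, (b"\x00\x01",)),
    Flow("192.0.2.99", FourTuple("tcp", "198.51.100.5", 40000, 443),
         "ExampleChat", ()),
]


def run_demo():
    store = []
    results = [verify_flow(f, CLIENTS, PROCESS_TO_PROTOCOL, store) for f in FLOWS]
    return results, store


if __name__ == "__main__":
    results, store = run_demo()
    for flow, (verdict, protocol) in zip(FLOWS, results):
        print(flow.src_ip, flow.four_tuple.src_port, verdict, protocol)
    print("stored mismatch records:", len(store))
```

The process name in this flow is whatever the client reports, so the verdict is only as trustworthy as the client and the configured process-name mapping.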
As shown in fig. 2, in an embodiment, the DPI device identification result verification system 1 of the present invention includes a detection module 11, a sending module 12, a receiving module 13, a matching module 14, and a verification module 15.
The detection module 11 is configured to detect whether a client that establishes a connection exists on a source IP address of the target data stream.
In an embodiment of the present invention, the DPI device selects a target data stream according to a certain screening condition. Preferably, the target data stream is obtained by screening according to one or more conditions of the application, the source IP address, the destination IP address, the source port number and the destination port number. The application may be an unknown application, one or more specific applications, or all applications. The DPI device selects the data streams to report according to different screening conditions, obtaining different target data streams for different purposes. When the data flow information of all protocols is selected for reporting, a brand-new DPI feature library can be developed and constructed; when the information of all unidentified data flows is selected for reporting, a DPI feature library already in operation can be completed quickly and kept running stably; when the reported data stream information is selected by a specific application, an address, a protocol and a port number, the data streams of a specific terminal device or a specific application can be verified specifically.
Specifically, according to the screening condition, the DPI device provides target data flow information that includes the five-tuple information of each data flow, the application protocol identification result of the data flow, and the complete contents of the first several data packets of the data flow; it then detects whether a client connected to the DPI device exists at the source IP address in the five-tuple information. It should be noted that the client of the present invention can run on a terminal device such as a PC or a smartphone, and can query information about all data streams on that terminal device. Five-tuple information is a well-known term in the communication field; it comprises the protocol type, source IP address, destination IP address, source port number, and destination port number of a data stream.
Preferably, the complete contents of the first several data packets of the target data stream may be the complete contents of the first or the first several data packets.
The sending module 12 is connected to the detecting module 11, and configured to send the quadruple information of the target data stream to the client when a client that establishes a connection exists on the source IP address, so that the client searches for a matched process name in the client according to the quadruple information; the quadruplet information comprises a protocol type, a destination IP address, a source port number and a destination port number.
In particular, a connected client present at the source IP address may be used to enable verification of the DPI device identification result. The quadruple information of the target data stream is sent to the client. Wherein, the quadruplet information comprises other information except the source IP address in the quintuple information.
In an embodiment of the present invention, after receiving the quadruple information of the target data stream, the client may obtain all connection information of the current system by using a connection viewing tool provided by the operating system, so as to obtain the quintuple information of all data streams currently existing in the system. And comparing the quintuple information of all the data streams with the received quadruple information of the target data stream to obtain the process ID corresponding to the target data stream, and obtaining the process name corresponding to the process ID through a process list viewing tool provided by the operating system. And then, the client sends the four-tuple information to the DPI equipment together with the obtained process name. It should be noted that the source port in the above four-tuple information is the local port of the client.
The receiving module 13 is configured to receive the quadruple information and the process name of the target data stream sent by the client.
Specifically, the DPI device receives the four-tuple information and the process name of the target data stream sent by the client, so that it can query the application protocol corresponding to the target data stream.
The matching module 14 is connected to the receiving module 13 and is configured to look up the matching application protocol for the process name sent by the client, using the matching information between process names and application protocol identification results.
The DPI device is configured with matching information between process names and application protocol identification results, so the matching application protocol can be queried by the process name sent by the client.
The verification module 15 is connected to the matching module 14, and is configured to verify whether the matching application protocol is the same as the application protocol identification result of the DPI device.
Specifically, the matching application protocol is compared with the application protocol identification result obtained by the DPI device to verify whether the identification result of the DPI device is accurate. If the two are the same, the identification result of the DPI device is accurate. If the two are different, either the identification result of the DPI device is wrong or the DPI device did not identify the target data stream: if the DPI device did produce an application protocol identification result, that result is wrong; if it produced none, the target data stream was not identified.
In an embodiment of the present invention, the DPI device further includes a storage module. When the matching application protocol is different from the application protocol identification result of the DPI device, the storage module stores the four-tuple information of the target data stream, the process name, and the complete contents of the first several data packets of the target data stream locally for query and display, so that a DPI device administrator can check the operating condition of the DPI device and perform appropriate maintenance.
Preferably, if the target data stream covers all applications, a feature library of the DPI device is constructed from the locally stored four-tuple information of the target data stream, the process names and the complete contents of the first several data packets of the target data stream. This speeds up construction of the DPI device feature library and saves the work of repeatedly capturing packets in a laboratory environment.
Preferably, if the target data stream belongs to a specific application, feature information of the specific protocol is extracted from the locally stored four-tuple information of the target data stream, the process name and the complete contents of the first several data packets of the target data stream, in order to update the feature library of the application protocol. If the feature library of the DPI device has no feature information for the specific application, the extracted feature information is added to the feature library; if the feature information stored for the specific application is inconsistent with the extracted feature information, the stored feature information is replaced with the extracted feature information.
As shown in fig. 3, in another embodiment of the present invention, the DPI device further includes a revision module 16, configured to modify the application protocol identification result of the DPI device by using the matched application protocol when the matched application protocol is different from the application protocol identification result of the DPI device, so as to ensure normal operation of the application.
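The client-side process lookup and the DPI-side comparison and revision described above can be sketched as follows. This is an added example, not code from the patent; the connection table, process list, process names, protocol names and the "no_match" verdict are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FourTuple:
    """Five-tuple of the target data stream minus the source IP address."""
    proto: str
    dst_ip: str
    src_port: int  # the client's local port
    dst_port: int

# Constructed sample of a client's connection table, as a connection viewing
# tool would report it: (proto, local_ip, local_port, remote_ip, remote_port, pid)
CONNECTIONS = [
    ("tcp", "192.0.2.10", 50412, "198.51.100.7", 443, 1840),
    ("tcp", "192.0.2.10", 50413, "198.51.100.7", 443, 2216),
    ("udp", "192.0.2.10", 50412, "203.0.113.5", 8000, 3120),  # same port number, other protocol
]
# Constructed process list (pid -> process name).
PROCESSES = {1840: "browser.exe", 2216: "chatapp.exe", 3120: "videoapp.exe"}
# Constructed matching information held by the DPI device
# (process name -> application protocol identification result).
PROCESS_TO_PROTOCOL = {
    "browser.exe": "HTTPS",
    "chatapp.exe": "ChatProto",
    "videoapp.exe": "VideoProto",
}

def find_process_name(ft, connections=CONNECTIONS, processes=PROCESSES) -> Optional[str]:
    """Client side: find the process that owns the flow described by ft."""
    wanted = (ft.proto, ft.src_port, ft.dst_ip, ft.dst_port)
    for proto, _local_ip, local_port, remote_ip, remote_port, pid in connections:
        # The protocol is part of the key: TCP and UDP port numbers are independent.
        if (proto, local_port, remote_ip, remote_port) == wanted:
            return processes.get(pid)
    return None  # flow already closed, or owned by a process no longer listed

def verify(dpi_result: Optional[str], process_name: Optional[str],
           mapping=PROCESS_TO_PROTOCOL):
    """DPI side: compare the DPI result with the protocol matched by process name.

    Returns (verdict, result_after_revision). The "no_match" verdict is an
    assumption of this example for process names with no matching information.
    """
    matched = mapping.get(process_name) if process_name else None
    if matched is None:
        return ("no_match", dpi_result)
    if dpi_result == matched:
        return ("accurate", dpi_result)
    # Mismatch: wrong if the DPI device produced a result, unidentified if not.
    verdict = "unidentified" if dpi_result is None else "misidentified"
    return (verdict, matched)  # revision: the matched protocol replaces the result

def check_flow(ft, dpi_result):
    """Run the client lookup and the DPI-side verification for one flow."""
    name = find_process_name(ft)
    return (name,) + verify(dpi_result, name)

if __name__ == "__main__":
    print(check_flow(FourTuple("tcp", "198.51.100.7", 50413, 443), "HTTPS"))
```

The "misidentified" and "unidentified" verdicts are the two mismatch cases in which the flow's four-tuple, process name and first data packets would be stored locally.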
As shown in fig. 4, in one embodiment, DPI device 4 of the present invention includes a communicator 41, a processor 42 and a memory 43.
The communicator 41 is used for data communication with a client.
The memory 43 is used for storing a computer program. Preferably, the memory comprises any medium that can store program code, such as ROM, RAM, magnetic disks or optical disks.
The processor 42 is connected to the communicator 41 and the memory 43, and is configured to execute the computer program stored in the memory 43 according to data communication between the communicator and the client, so as to perform the above-mentioned verification method for DPI device identification result.
Preferably, the processor 42 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Figure 5 shows another embodiment of the DPI device identification result verification system of the present invention. The client can be a background program on the Windows platform, or an Apple iOS or Android application that runs in the background. DPI devices are typically integrated inside a router and may include two parts, a DPI module and a processing module. The DPI module acquires the target data stream and identifies the application protocol; the processing module handles communication with the client and the DPI module, as well as information processing and display.
In summary, the method and system for verifying the DPI device identification result and the DPI device of the present invention exchange information with the client to determine whether the application protocol fed back from the client is the same as the application protocol identification result of the DPI device, thereby ensuring the accuracy of the verification result. When the application protocol identification result obtained by the DPI device is inconsistent with the application protocol verified by the client, related information of the abnormal data stream is acquired, and the feature information of the application protocol is extracted, and a feature library of the application protocol constructed, based on a preset quantity of such information. This greatly reduces the workload of constructing the DPI feature library and shortens its construction period in a specific scenario, reducing the workload from dozens of person-months to one person-month. The accuracy of DPI-based services such as routing control, QoS control, security control, and analysis and statistics is greatly improved, and the cost of fault tolerance is greatly reduced. Therefore, the invention effectively overcomes various defects in the prior art and has high industrial utilization value.
The foregoing embodiments are merely illustrative of the principles and utilities of the present invention and are not intended to limit the invention. Any person skilled in the art can modify or change the above-mentioned embodiments without departing from the spirit and scope of the present invention. Accordingly, it is intended that all equivalent modifications or changes which can be made by those skilled in the art without departing from the spirit and technical spirit of the present invention be covered by the claims of the present invention.

Claims (5)

1. A method for verifying a DPI device identification result, applied to a DPI device, wherein the DPI device is configured with matching information between process names and application protocol identification results; characterized in that the method for verifying the DPI device identification result comprises the following steps:
detecting whether a connected client exists at the source IP address of a target data stream;
when a connected client exists at the source IP address, sending the four-tuple information of the target data stream to the client so that the client can look up the matching process name on the client according to the four-tuple information; the four-tuple information comprises a protocol type, a destination IP address, a source port number and a destination port number;
receiving the quadruple information and the process name of the target data stream sent by the client;
acquiring a matched application protocol based on the process name and application protocol identification result matching information according to the process name sent by the client;
verifying whether the matched application protocol is the same as the application protocol identification result of the DPI equipment or not;
further comprising: if the matched application protocol is different from the application protocol identification result of the DPI equipment, correcting the application protocol identification result of the DPI equipment by using the matched application protocol;
further comprising: if the matched application protocol is different from the identification result of the application protocol of the DPI equipment, storing the quadruple information of the target data stream, the process name and the complete contents of the first data messages of the target data stream locally;
if the target data stream covers all applications, constructing a feature library of the DPI device according to the locally stored four-tuple information and process names of the target data stream and the complete contents of the first several data packets of the target data stream; if the target data stream belongs to a specific application, extracting feature information of the specific protocol according to the locally stored four-tuple information of the target data stream, the process name and the complete contents of the first several data packets of the target data stream so as to update a feature library of the application protocol.
2. The method of verifying the identification result of a DPI device according to claim 1, wherein: the target data stream is obtained by screening according to one or more of the following conditions: application, source IP address, destination IP address, source port number and destination port number.
3. A system for verifying a DPI device identification result, applied to a DPI device, wherein the DPI device is configured with matching information between process names and application protocol identification results; characterized in that the system for verifying the DPI device identification result comprises a detection module, a sending module, a receiving module, a matching module and a verification module;
the detection module is used for detecting whether a connected client exists at the source IP address of a target data stream;
the sending module is used for sending the four-tuple information of the target data stream to the client when a connected client exists at the source IP address, so that the client can look up the matching process name on the client according to the four-tuple information; the four-tuple information comprises a protocol type, a destination IP address, a source port number and a destination port number;
the receiving module is used for receiving the quadruple information and the process name of the target data stream sent by the client;
the matching module is used for acquiring a matched application protocol based on the process name and the matching information of the identification result of the application protocol according to the process name sent by the client;
the verification module is used for verifying whether the matched application protocol is the same as the application protocol identification result of the DPI equipment or not;
the modification module is used for modifying the application protocol identification result of the DPI equipment by using the matched application protocol when the matched application protocol is different from the application protocol identification result of the DPI equipment;
the storage module is used for locally storing the quadruple information, the process name and the complete contents of the first data messages of the target data stream when the matched application protocol is different from the application protocol identification result of the DPI equipment;
if the target data stream covers all applications, constructing a feature library of the DPI device according to the locally stored four-tuple information and process names of the target data stream and the complete contents of the first several data packets of the target data stream; if the target data stream belongs to a specific application, extracting feature information of the specific protocol according to the locally stored four-tuple information of the target data stream, the process name and the complete contents of the first several data packets of the target data stream so as to update a feature library of the application protocol.
4. The system for verifying the identification result of a DPI device according to claim 3, wherein: and the target data stream is obtained by screening according to one or more conditions of the application, the source IP address, the destination IP address, the source port number and the destination port number.
5. A DPI device, characterized by: the system comprises a communicator, a processor and a memory;
the communicator is used for carrying out data communication with a client;
the memory is used for storing a computer program;
the processor is configured to execute the computer program stored in the memory, according to the data communication between the communicator and the client, to perform the method of verifying the DPI device identification result of any of claims 1 to 2.
CN201710749255.1A 2017-08-28 2017-08-28 DPI equipment identification result verification method and system and DPI equipment Active CN107360062B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710749255.1A CN107360062B (en) 2017-08-28 2017-08-28 DPI equipment identification result verification method and system and DPI equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710749255.1A CN107360062B (en) 2017-08-28 2017-08-28 DPI equipment identification result verification method and system and DPI equipment

Publications (2)

Publication Number Publication Date
CN107360062A CN107360062A (en) 2017-11-17
CN107360062B true CN107360062B (en) 2021-02-02

Family

ID=60289296

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710749255.1A Active CN107360062B (en) 2017-08-28 2017-08-28 DPI equipment identification result verification method and system and DPI equipment

Country Status (1)

Country Link
CN (1) CN107360062B (en)


Also Published As

Publication number Publication date
CN107360062A (en) 2017-11-17


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: Room 301-A02, Building 5, No. 3000 Longdong Avenue, China (Shanghai) Pilot Free Trade Zone, Pudong New Area, Shanghai, March 2012

Patentee after: SHANGHAI GUOYUN INFORMATION TECHNOLOGY CO.,LTD.

Address before: Room 908, No. 560, shengxia Road, China (Shanghai) pilot Free Trade Zone, Pudong New Area, Shanghai 201210

Patentee before: SHANGHAI GUOYUN INFORMATION TECHNOLOGY CO.,LTD.