CN111884876A - Method, device, equipment and medium for detecting protocol type of network protocol - Google Patents


Info

Publication number
CN111884876A
Authority
CN
China
Prior art keywords
protocol
network
target
detection
protocol type
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010711737.XA
Other languages
Chinese (zh)
Inventor
施杨
范渊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/18: Protocol analysers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method, a device, equipment and a computer-readable storage medium for detecting the protocol type of a network protocol. The method comprises the following steps: acquiring, in advance, detection plug-ins respectively corresponding to different protocol types, each detection plug-in being provided with protocol information and matching verification information of the corresponding network protocol; acquiring message data in a network data stream of a target network; and calling each detection plug-in, performing matching detection on the message data by using each piece of matching verification information, and determining the target protocol type of the target network. With this method, when a new type of network protocol appears, only the corresponding detection plug-in needs to be added; that plug-in can then be called and its matching verification information used to perform matching detection on the message data, so that the target protocol type of the target network is determined. This saves human resources, makes detecting the protocol type of a network protocol more convenient, improves the efficiency of protocol type detection, and enhances expandability.

Description

Method, device, equipment and medium for detecting protocol type of network protocol
Technical Field
The present invention relates to the field of protocol type detection, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for detecting a protocol type of a network protocol.
Background
Intrusion detection is an important means for network security protection, and is usually deployed in a key network or at a network boundary, and is used for capturing message data in the network or entering and exiting the network in real time, performing intelligent analysis, and discovering intrusion behaviors in time. Protocol deep parsing techniques are widely used in current mainstream intrusion detection products. The precondition of the deep protocol analysis is protocol type detection, and the deep protocol analysis is further carried out based on the detected protocol type.
At present, a method for detecting a type of a network protocol generally detects the type of the network protocol according to a feature packet, that is, a protocol type is determined by matching a protocol feature of the network protocol extracted from a target network with a known feature library. However, in actual operation, it is often the case that a network protocol is modified/added, and in such a case, a function of performing type detection on a newly added type of network protocol needs to be added. In the prior art, by re-modifying the source code, a function code for performing type detection on a newly added type network protocol is added, and compiling and testing are performed to generate an incremental upgrade package or upgrade is performed in a dynamic library manner. Therefore, when the type of a newly added network protocol needs to be detected in the prior art, not only are the processes of re-compiling source codes, compiling and testing complex and tedious, and a large amount of human resources are consumed, but also the efficiency of detecting the protocol type is low, and the expandability is poor.
Therefore, how to improve the convenience of detecting the protocol type of the network protocol, improve the efficiency of detecting the protocol type, and enhance the expandability on the basis of saving human resources is a technical problem that needs to be solved by technical personnel in the field at present.
Disclosure of Invention
In view of this, an object of the present invention is to provide a method for detecting a protocol type of a network protocol, which can improve convenience for detecting the protocol type of the network protocol, improve efficiency for detecting the protocol type, and enhance expandability on the basis of saving human resources; another object of the present invention is to provide a device, an apparatus and a computer-readable storage medium for detecting a protocol type of a network protocol, all of which have the above advantages.
In order to solve the above technical problem, the present invention provides a method for detecting a protocol type of a network protocol, including:
acquiring detection plug-ins respectively corresponding to different protocol types in advance; the detection plug-in is provided with protocol information and matching verification information of a corresponding network protocol;
acquiring message data in a network data stream of a target network;
and calling each detection plug-in, and performing matching detection on the message data by using each matching verification information to determine the target protocol type of the target network.
Preferably, the step of calling each detection plug-in, performing matching detection on the packet data by using each matching verification information, and determining the target protocol type of the target network specifically includes:
calling each detection plug-in, and matching identification information in each matching verification information with target identification information of the message data respectively;
and determining a protocol type corresponding to the identification information matched with the target identification information as the target protocol type of the target network.
Preferably, before the matching the identification information in each of the matching verification information with the target identification information of the packet data, the method further includes:
respectively matching preset keywords in the matched verification information with target keywords of the message data, and determining a protocol type set to be confirmed according to a network protocol of the preset keywords matched with the target keywords;
and screening out the corresponding detection plug-ins to be confirmed from the detection plug-ins according to the protocol type set to be confirmed, and performing the step of respectively matching the identification information in each piece of matching verification information with the target identification information of the message data.
Preferably, after the calling each detection plug-in, performing matching detection on the packet data by using each matching verification information, and determining a target protocol type of the target network, the method further includes:
acquiring the actual protocol length of the network protocol of the target network;
judging whether the actual protocol length is consistent with the standard protocol length of the network protocol corresponding to the target protocol type;
and if they are consistent, the network protocol of the target network is of the target protocol type.
Preferably, after the calling each detection plug-in, performing matching detection on the packet data by using each matching verification information, and determining a target protocol type of the target network, the method further includes:
acquiring the actual protocol state of the network protocol of the target network;
judging whether the actual protocol state is consistent with the standard protocol state of the network protocol corresponding to the target protocol type;
and if they are consistent, the network protocol of the target network is of the target protocol type.
Preferably, after the calling each detection plug-in, performing matching detection on the packet data by using each matching verification information, and determining a target protocol type of the target network, the method further includes:
acquiring actual characteristic information corresponding to a network protocol of the target network;
judging whether the actual characteristic information is consistent with standard characteristic information of a network protocol corresponding to the target protocol type;
and if they are consistent, the network protocol of the target network is of the target protocol type.
Preferably, the process of acquiring the message data in the network data stream of the target network specifically includes:
acquiring mirror image flow of the network data flow of the target network;
recombining the data packets in the mirror image flow through a flow session technology to obtain data packets of ordered sessions;
and acquiring the message data in the data packet of the ordered session.
In order to solve the above technical problem, the present invention further provides a device for detecting a protocol type of a network protocol, including:
the detection plug-in setting module is used for acquiring detection plug-ins respectively corresponding to different protocol types in advance; the detection plug-in is provided with protocol information and matching verification information of a corresponding network protocol;
the message data acquisition module is used for acquiring message data in a network data stream of a target network;
and the matching detection module is used for calling each detection plug-in, performing matching detection on the message data by using each matching verification information and determining the target protocol type of the target network.
In order to solve the above technical problem, the present invention further provides a device for detecting a protocol type of a network protocol, including:
a memory for storing a computer program;
a processor for implementing the steps of the protocol type detection method of any one of the above network protocols when executing the computer program.
In order to solve the above technical problem, the present invention further provides a computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and when being executed by a processor, the computer program implements the steps of the protocol type detection method of any one of the above network protocols.
The invention provides a type detection method of a network protocol, which is characterized in that detection plug-ins respectively corresponding to different protocol types are obtained in advance; the detection plug-in is provided with protocol information and matching verification information of a corresponding network protocol; after the message data in the network data stream of the target network is obtained, calling each detection plug-in, and performing matching detection on the message data by using each matching verification information to determine the target protocol type of the target network. Therefore, in the method, when a new type of network protocol is added, only the corresponding detection plug-in is needed to be added, the detection plug-in can be called, and the matching verification information is utilized to carry out matching detection on the message data, so that the target protocol type of the target network is determined, the processes of rewriting source codes, compiling and testing in the prior art are avoided, the human resources are saved, the convenience for detecting the protocol type of the network protocol can be improved, the efficiency for detecting the protocol type is improved, and the expandability is enhanced.
In order to solve the technical problem, the invention also provides a device, equipment and a computer readable storage medium for detecting the protocol type of the network protocol, which have the beneficial effects.
Drawings
In order to more clearly illustrate the embodiments or technical solutions of the present invention, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a protocol type detection method of a network protocol according to an embodiment of the present invention;
Fig. 2 is a structural diagram of a protocol type detection apparatus of a network protocol according to an embodiment of the present invention;
Fig. 3 is a structural diagram of a protocol type detection device of a network protocol according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The core of the embodiment of the invention is to provide a protocol type detection method of a network protocol, which can be used for detecting the protocol type of the network protocol; another core of the present invention is to provide a device, an apparatus and a computer-readable storage medium for detecting a protocol type of a network protocol, all of which have the above advantages.
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a flowchart of a protocol type detection method of a network protocol according to an embodiment of the present invention. As shown in fig. 1, a method for detecting a protocol type of a network protocol includes:
S10: acquiring detection plug-ins respectively corresponding to different protocol types in advance;
the detection plug-in is provided with protocol information and matching verification information of a corresponding network protocol.
Specifically, in actual operation, a corresponding script is written for each type of network protocol, that is, for each protocol type; the script serves as a detection plug-in and is stored in a system-designated path. Each detection plug-in is provided with the protocol information of the network protocol of its protocol type and the corresponding matching verification information. When the system runs, it traverses the designated path and acquires the plug-in information of all detection plug-ins, including the plug-in name and plug-in version; the protocol information set in each detection plug-in, such as the protocol type and protocol ID; and the matching verification information set in each detection plug-in, such as preset keywords and identification information. It should be noted that, in this embodiment, the detection plug-in is preferably written as a Lua script. Lua is a small scripting language written in standard C; it can be compiled and run on almost all operating systems and platforms, and is lightweight, easy to extend, and efficient to execute.
After the detection plug-ins are set, registering each detection plug-in by utilizing a protocol. Preset keywords are registered through the protocol.register FastPattern interface and identification information through the protocol.register Pattern interface, so that the matching verification information in a detection plug-in can be called later. By wrapping the interaction between the host language and the Lua scripts, the main program exposes a uniform interface, takes over all the detection plug-ins, and handles their subsequent deletion, addition and update. When a detection plug-in is no longer needed, it can be deleted on the page, and the main program realizes the unloading work of the detection plug-in by utilizing a protocol.
It should be noted that each detection plug-in corresponds to one network protocol, and when each detection plug-in is registered in the main program, each detection plug-in generates a corresponding node correspondingly. When the detection plug-ins are installed for the first time, the detection plug-ins are uniformly placed below the designated path, when the detection plug-ins are newly added subsequently, the newly added detection plug-ins can be uploaded through the operation interface, and then the newly added detection plug-ins are registered under the condition that the verification is passed.
S20: acquiring message data in a network data stream of a target network;
s30: and calling each detection plug-in, performing matching detection on the message data by using each matching verification information, and determining the target protocol type of the target network.
Specifically, after the registration process of the detection plug-in is completed, the protocol type detection operation may be performed on the target network.
Firstly, message data in a network data stream of a target network is acquired so as to carry out matching detection according to the message data. After the message data are obtained, the detection plug-ins which are registered in advance are called, matching detection is carried out on the message data by utilizing matching verification information preset in each detection plug-in, matching verification information matched with the message data is determined, and then a corresponding protocol type is determined according to the detection plug-in corresponding to the matching verification information, wherein the protocol type is a target protocol type of a network protocol of a target network. It should be noted that, in actual operation, after the detection plug-in corresponding to the matching verification information is determined, the detection plug-in is used to obtain corresponding protocol information, such as a protocol name, a protocol ID, and the like, that is, a corresponding protocol type is determined; and if the matching verification information matched with the message data is not detected, returning an abnormal value.
The embodiment of the invention provides a method for detecting the type of a network protocol, which comprises the steps of obtaining detection plug-ins respectively corresponding to different protocol types in advance; the detection plug-in is provided with protocol information and matching verification information of a corresponding network protocol; after the message data in the network data stream of the target network is obtained, calling each detection plug-in, and performing matching detection on the message data by using each matching verification information to determine the target protocol type of the target network. Therefore, in the method, when a new type of network protocol is added, only the corresponding detection plug-in is needed to be added, the detection plug-in can be called, and the matching verification information is utilized to carry out matching detection on the message data, so that the target protocol type of the target network is determined, the processes of rewriting source codes, compiling and testing in the prior art are avoided, the human resources are saved, the convenience for detecting the protocol type of the network protocol can be improved, the efficiency for detecting the protocol type is improved, and the expandability is enhanced.
On the basis of the foregoing embodiment, this embodiment further describes and optimizes the technical solution, and specifically, in this embodiment, the process of invoking each detection plug-in, performing matching detection on the packet data by using each matching verification information, and determining the target protocol type of the target network specifically includes:
calling each detection plug-in, and respectively matching the identification information in each matching verification information with the target identification information of the message data;
and determining the protocol type corresponding to the identification information matched with the target identification information as the target protocol type of the target network.
Specifically, matching verification information is set in each detection plug-in unit in advance, where the matching verification information includes identification information, and the identification information may be a character string, a feature code, a hexadecimal number of a preset digit, and the like uniquely corresponding to each protocol type.
Specifically, target identification information of the message data is acquired, and then each detection plug-in is called to match each identification information in each detection plug-in with the target identification information respectively, so as to determine identification information corresponding to the target identification information, wherein the protocol type of the detection plug-in corresponding to the determined identification information is the target protocol type corresponding to the target identification information, and the target protocol type is the network protocol type of the target network.
In this embodiment, the Boyer-Moore algorithm is generally used to perform single-pattern matching, so as to implement matching of identification information. It should be noted that if the system adopts a processor with an Intel x86 architecture, the faster high-performance regular expression matching library Hyperscan can be used. In the registration process of the detection plug-ins, identification information corresponding to each protocol type is registered by calling protocol.
Therefore, the embodiment performs matching detection by using the identification information to determine the target protocol type corresponding to the target network, and the matching process is convenient and accurate.
As a preferred implementation manner, in this embodiment, before matching the identification information in each piece of matching verification information with the target identification information of the message data, the method further includes:
matching preset keywords in the matched verification information with target keywords of the message data respectively, and determining a protocol type set to be confirmed according to a network protocol of the preset keywords matched with the target keywords;
and screening out the corresponding detection plug-in to be confirmed from the detection plug-ins according to the protocol type set to be confirmed, and performing the step of respectively matching the identification information in each piece of matching verification information with the target identification information of the message data.
Specifically, in this embodiment, matching verification information is set in each detection plug-in advance, where the matching verification information further includes a keyword corresponding to a protocol type of a network protocol corresponding to the corresponding detection plug-in, and the keyword refers to a word related to a protocol type of a network protocol to be distinguished, and this embodiment does not limit the specific type of the identification information.
Specifically, target keywords of the message data are obtained; then, by calling each detection plug-in, each preset keyword in each detection plug-in is matched with the target keywords, the preset keywords matching the target keywords are determined, and the protocol types of the detection plug-ins corresponding to those preset keywords are taken as the set of protocol types to be confirmed.
It should be noted that, when a plurality of preset keywords are set in one detection plug-in, the plurality of preset keywords in the same detection plug-in are used as a group, and each group of preset keywords are respectively matched with a target keyword to determine a plurality of groups of preset keywords corresponding to the target keyword, where a set of protocol types of the detection plug-in corresponding to the plurality of groups of preset keywords respectively is a set of protocol types to be confirmed.
And screening out the to-be-confirmed detection plug-ins corresponding to the protocol types in the to-be-confirmed protocol type set from the detection plug-ins, and determining the target detection plug-ins corresponding to the target network from the to-be-confirmed detection plug-ins by utilizing the target identification information so as to determine the target protocol types corresponding to the target network.
That is to say, in this embodiment, a fast matching pass is first run over the detection plug-ins using the target keywords of the target network; the resulting set of protocol types to be confirmed determines the corresponding detection plug-ins to be confirmed, and the target protocol type of the target network is then determined from those plug-ins. In this embodiment, the fast matching pass may use a multi-pattern matching algorithm, such as the Aho-Corasick algorithm; it should be noted that if the system adopts a processor with an Intel x86 architecture, the faster high-performance regular expression matching library Hyperscan can be used. In the registration process of the detection plug-ins, preset keywords corresponding to each protocol type are registered by calling the protocol.
Therefore, in the embodiment, the protocol type set to be confirmed is screened out through the rapid matching process, and the corresponding detection plug-ins to be confirmed are determined, so that the number of detection plug-ins to be detected in the subsequent process of matching by using the identification information and confirming the target protocol type is reduced, and the detection efficiency can be improved.
In actual operation, a protocol.
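The two-stage flow described above (keyword prefilter, then identification match on the surviving plug-ins), together with registering and unloading plug-ins at run time, as an added Python example that is not code from the patent. The plug-in fields, class and function names and the sample payloads are assumptions constructed for illustration; the keyword stage is a small Aho-Corasick automaton, the confirm stage uses Boyer-Moore-Horspool (a simplified Boyer-Moore), and a plug-in is treated as a candidate only when every keyword in its group is found.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectionPlugin:
    """Constructed stand-in for one detection plug-in (field names are assumptions)."""
    protocol_id: int
    protocol_type: str
    keywords: tuple        # preset keywords, treated as one group in the fast stage
    identification: bytes  # identification information for the confirm stage


def horspool_find(pattern, data):
    """Boyer-Moore-Horspool search (simplified Boyer-Moore); returns offset or -1."""
    m, n = len(pattern), len(data)
    if m == 0 or m > n:
        return -1
    # Bad-character table: distance from the last occurrence to the pattern end.
    shift = {byte: m - 1 - i for i, byte in enumerate(pattern[:-1])}
    pos = 0
    while pos <= n - m:
        if data[pos:pos + m] == pattern:
            return pos
        pos += shift.get(data[pos + m - 1], m)
    return -1


class ProtocolDetector:
    """Registered plug-ins plus an Aho-Corasick automaton over all their keywords."""

    def __init__(self):
        self.plugins = {}            # protocol_type -> DetectionPlugin
        self._build()

    def register(self, plugin):
        self.plugins[plugin.protocol_type] = plugin
        self._build()                # a new protocol only rebuilds the automaton

    def unregister(self, protocol_type):
        self.plugins.pop(protocol_type, None)
        self._build()

    def _build(self):
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for plugin in self.plugins.values():
            for kw in plugin.keywords:
                state = 0
                for byte in kw:
                    if byte not in self.goto[state]:
                        self.goto[state][byte] = len(self.goto)
                        self.goto.append({})
                        self.fail.append(0)
                        self.out.append(set())
                    state = self.goto[state][byte]
                self.out[state].add((plugin.protocol_type, kw))
        queue = deque(self.goto[0].values())
        while queue:                 # breadth-first pass fills the failure links
            state = queue.popleft()
            for byte, nxt in self.goto[state].items():
                queue.append(nxt)
                f = self.fail[state]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(byte, 0)
                self.out[nxt] |= self.out[self.fail[nxt]]

    def candidates(self, payload):
        """Fast stage: one pass over the payload matches every keyword at once."""
        seen, state = set(), 0
        for byte in payload:
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            seen |= self.out[state]
        # Assumption: a plug-in stays a candidate only if its whole keyword group hit.
        return [p for p in self.plugins.values()
                if p.keywords and all((p.protocol_type, kw) in seen for kw in p.keywords)]

    def detect(self, payload):
        """Confirm stage: identification match, run on the candidates only."""
        for plugin in self.candidates(payload):
            if horspool_find(plugin.identification, payload) >= 0:
                return plugin.protocol_type
        return None                  # no plug-in matched the message data


# Constructed plug-ins and payloads, for illustration only.
HTTP = DetectionPlugin(1, "http", (b"HTTP/1.",), b"\r\nHost:")
SSH = DetectionPlugin(2, "ssh", (b"SSH-",), b"SSH-2.0-")
RTSP = DetectionPlugin(3, "rtsp", (b"RTSP/1.0", b"CSeq:"), b"rtsp://")
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
RTSP_REQ = b"OPTIONS rtsp://example.test/media RTSP/1.0\r\nCSeq: 1\r\n\r\n"
CHAT_LINE = b"we still speak HTTP/1.1 on that port"  # keyword hit, no identification

if __name__ == "__main__":
    detector = ProtocolDetector()
    detector.register(HTTP)
    detector.register(SSH)
    print(detector.detect(HTTP_REQ), detector.detect(RTSP_REQ))
    detector.register(RTSP)          # new protocol added without touching the engine
    print(detector.detect(RTSP_REQ))
```

`CHAT_LINE` passes the keyword stage but fails the identification stage, which is the case the second stage exists to reject.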
On the basis of the foregoing embodiment, this embodiment further describes and optimizes the technical solution, and specifically, after invoking each detection plug-in, performing matching detection on the packet data by using each matching verification information, and determining the target protocol type of the target network, this embodiment further includes:
acquiring the actual protocol length of a network protocol of a target network;
judging whether the actual protocol length is consistent with the standard protocol length of the network protocol corresponding to the target protocol type;
if they are consistent, the network protocol of the target network is the target protocol type.
Specifically, in this embodiment, after each detection plug-in has been called, the message data has been matched against each piece of matching verification information, and the target protocol type of the target network has been determined, the actual protocol length of the network protocol of the target network is obtained, followed by the standard protocol length of the network protocol corresponding to the determined target protocol type. The two lengths are then compared: if they are consistent, the network protocol of the target network is further confirmed to be the target protocol type; if not, the network protocol of the target network is not the target protocol type.
On the basis of the foregoing embodiment, this embodiment further describes and optimizes the technical solution, and specifically, after invoking each detection plug-in, performing matching detection on the packet data by using each matching verification information, and determining the target protocol type of the target network, this embodiment further includes:
acquiring an actual protocol state of a network protocol of a target network;
judging whether the actual protocol state is consistent with the standard protocol state of the network protocol corresponding to the target protocol type;
if they are consistent, the network protocol of the target network is the target protocol type.
It should be noted that, when the target network operates with different network protocols, the protocol states corresponding to the respective time points may be different. Specifically, in this embodiment, after each detection plug-in has been called, the message data has been matched against each piece of matching verification information, and the target protocol type of the target network has been determined, the actual protocol state of the network protocol of the target network is acquired, followed by the standard protocol state of the network protocol corresponding to the target protocol type. The two states are then compared: if they are consistent, the network protocol of the target network is further confirmed to be the target protocol type; if not, the network protocol of the target network is not the target protocol type.
On the basis of the foregoing embodiment, this embodiment further describes and optimizes the technical solution. Specifically, after each detection plug-in is invoked, matching detection is performed on the message data by using each piece of matching verification information, and the target protocol type of the target network is determined, this embodiment further includes:
acquiring actual characteristic information corresponding to the network protocol of the target network;
judging whether the actual characteristic information is consistent with the standard characteristic information of the network protocol corresponding to the target protocol type;
if they are consistent, the network protocol of the target network is of the target protocol type.
It should be noted that network protocols of different protocol types have different characteristic information. In this embodiment, once the plug-in matching has determined the target protocol type, the actual characteristic information of the network protocol of the target network is acquired from the message data of the target network, the standard characteristic information of the network protocol corresponding to the target protocol type is acquired, and the two are compared. If they are consistent, the network protocol of the target network is further confirmed to be of the target protocol type; if not, the network protocol of the target network is not of the target protocol type.
It can be seen that this embodiment further checks the determined target protocol type by means of the actual protocol length and/or the actual protocol state and/or the actual characteristic information. Confirming the protocol type through these multiple checks further ensures the accuracy of the protocol type determined for the target network.
On the basis of the foregoing embodiment, this embodiment further describes and optimizes the technical solution. Specifically, in this embodiment, the process of acquiring the message data in the network data stream of the target network includes:
acquiring the mirrored traffic of the network data stream of the target network;
reassembling the data packets in the mirrored traffic by a flow session technique to obtain the data packets of ordered sessions;
and acquiring the message data in the data packets of the ordered sessions.
Specifically, in this embodiment, the mirrored traffic of the network data stream of the target network is acquired first. Because the data packets in a network data stream are transmitted out of order, the data packets in the mirrored traffic are reassembled by a flow session technique to obtain the data packets of ordered sessions; the message data of the target network is then acquired from the data packets of the ordered sessions. It can be understood that mirroring is a type of redundancy: a copy stored in a second storage location that is identical to the data stored in a first storage location is mirror data, and common mirror file formats are ISO, BIN, IMG, TAO, DAO, CIF, and FCD. Because the message data is acquired from the mirrored traffic, it is also mirrored message data.
Therefore, by collecting the mirrored traffic of the network data stream of the target network and deriving the message data from it, the message data used for protocol type detection is obtained without affecting the system's normal processing of the message data, so the stability of the system is relatively well guaranteed.
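The following added example, which is not part of the patent, ties together the mirrored-traffic reassembly and the post-match verification described above: it rebuilds ordered sessions from out-of-order mirrored segments, screens plug-ins by keyword, matches identification information, and then applies a length/state check. The `Segment` and `Plugin` layouts, the HTTP and TLS rules, the sample feed, and the modelling of "protocol state" as the expected first server reply are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Segment:                # one mirrored TCP segment (constructed model)
    flow: str                 # session key, e.g. the 4-tuple
    from_client: bool
    seq: int                  # relative sequence number of the first payload byte
    payload: bytes

def reassemble(segments):
    """Rebuild ordered client/server byte streams for each session in the mirror feed."""
    buckets = defaultdict(list)
    for seg in segments:
        buckets[(seg.flow, seg.from_client)].append(seg)
    sessions = {}
    for (flow, from_client), segs in buckets.items():
        stream = bytearray()
        for seg in sorted(segs, key=lambda s: s.seq):
            if seg.seq > len(stream):
                break         # gap: the mirror lost a segment, do not guess its bytes
            stream += seg.payload[len(stream) - seg.seq:]   # trim retransmitted overlap
        sessions.setdefault(flow, {True: b"", False: b""})[from_client] = bytes(stream)
    return sessions

@dataclass(frozen=True)
class Plugin:                 # hypothetical plug-in layout, not the patent's own
    protocol: str
    keyword: bytes                            # preset keyword, cheap prefilter
    identify: Callable[[bytes], bool]         # identification information
    verify: Callable[[bytes, bytes], bool]    # length / state check after the match

def http_identify(client):
    parts = client.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) == 3 and parts[0] in (b"GET", b"POST", b"HEAD", b"PUT") \
        and parts[2].startswith(b"HTTP/1.")

def http_verify(client, server):
    return server.startswith(b"HTTP/1.")      # state: a request is answered by a status line

def tls_identify(client):
    # Handshake record (0x16), version 3.x, first message ClientHello (0x01).
    return len(client) >= 9 and client[0] == 0x16 and client[1] == 0x03 and client[5] == 0x01

def tls_verify(client, server):
    # Length: declared lengths agree with each other and with the bytes seen (assumes an
    # unfragmented ClientHello). State: server answers with a handshake or alert record.
    record_len = int.from_bytes(client[3:5], "big")
    hello_len = int.from_bytes(client[6:9], "big")
    length_ok = record_len <= 2 ** 14 and hello_len + 4 == record_len \
        and len(client) >= 5 + record_len
    return length_ok and server[:2] in (b"\x16\x03", b"\x15\x03")

PLUGINS = [Plugin("http", b"HTTP/1.", http_identify, http_verify),
           Plugin("tls", b"\x16\x03", tls_identify, tls_verify)]

def detect(client, server, plugins=PLUGINS, verify=True) -> Optional[str]:
    candidates = [p for p in plugins if p.keyword in client[:512]]   # keyword screening
    for p in candidates:
        if p.identify(client) and (not verify or p.verify(client, server)):
            return p.protocol
    return None

def sample_feed():
    """Constructed mirror feed: out of order, with one retransmission."""
    hello = b"\x01" + (40).to_bytes(3, "big") + bytes(40)
    tls = b"\x16\x03\x01" + len(hello).to_bytes(2, "big") + hello
    return [
        Segment("A", True, 9, b"x.html HTTP/1.1\r\nHost: a\r\n\r\n"),
        Segment("A", False, 0, b"HTTP/1.1 200 OK\r\n\r\n"),
        Segment("A", True, 0, b"GET /inde"),
        Segment("A", True, 0, b"GET /inde"),                    # retransmission
        Segment("B", True, 0, b"GET /status HTTP/1.1\r\n\r\n"),  # looks like HTTP ...
        Segment("B", False, 0, b"\x00\x07BINDATA"),             # ... but the reply is not
        Segment("C", True, 20, tls[20:]),
        Segment("C", True, 0, tls[:20]),
        Segment("C", False, 0, b"\x16\x03\x03\x00\x04\x0e\x00\x00\x00"),
    ]

if __name__ == "__main__":
    for flow, s in sorted(reassemble(sample_feed()).items()):
        print(flow, detect(s[True], s[False], verify=False), detect(s[True], s[False]))
```

Session B shows why the verification step matters for a monitoring sensor: identification alone labels it HTTP, while the state check rejects it because the server side never answers with a status line.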
The embodiments of the method for detecting the protocol type of a network protocol provided by the present invention have been described in detail above. The present invention also provides an apparatus, a device, and a computer-readable storage medium for detecting the protocol type of a network protocol, each corresponding to the method.
Fig. 2 is a structural diagram of a protocol type detection apparatus of a network protocol according to an embodiment of the present invention. As shown in Fig. 2, the protocol type detection apparatus of the network protocol includes:
a detection plug-in acquisition module 21, configured to acquire in advance detection plug-ins corresponding to different protocol types; the detection plug-in is provided with protocol information and matching verification information of a corresponding network protocol;
a message data obtaining module 22, configured to obtain message data in a network data stream of a target network;
and the matching detection module 23 is configured to invoke each detection plug-in, perform matching detection on the message data by using each matching verification information, and determine the target protocol type of the target network.
The protocol type detection apparatus of the network protocol provided by the embodiment of the present invention has the same beneficial effects as the protocol type detection method of the network protocol described above.
As a preferred embodiment, the matching detection module specifically includes:
the first matching module is used for calling each detection plug-in and matching the identification information in each matching verification information with the target identification information of the message data;
and the first determining module is used for determining the protocol type corresponding to the identification information matched with the target identification information as the target protocol type of the target network.
As a preferred embodiment, the protocol type detection apparatus of the network protocol further includes:
the second matching module is used for matching the preset keywords in each piece of matching verification information with the target keywords of the message data respectively, and determining a set of protocol types to be confirmed according to the network protocols whose preset keywords match the target keywords;
and the second determining module is used for screening the corresponding to-be-confirmed detection plug-ins from the detection plug-ins according to the set of protocol types to be confirmed, and calling the first matching module.
As a preferred embodiment, the protocol type detection apparatus of the network protocol further includes:
the first acquisition module is used for acquiring the actual protocol length of the network protocol of the target network;
the first judging module is used for judging whether the actual protocol length is consistent with the standard protocol length of the network protocol corresponding to the target protocol type; if they are consistent, the network protocol of the target network is of the target protocol type.
As a preferred embodiment, the protocol type detection apparatus of the network protocol further includes:
the second acquisition module is used for acquiring the actual protocol state of the network protocol of the target network;
the second judging module is used for judging whether the actual protocol state is consistent with the standard protocol state of the network protocol corresponding to the target protocol type; if they are consistent, the network protocol of the target network is of the target protocol type.
As a preferred embodiment, the protocol type detection apparatus of the network protocol further includes:
the third acquisition module is used for acquiring actual characteristic information corresponding to the network protocol of the target network;
the third judging module is used for judging whether the actual characteristic information is consistent with the standard characteristic information of the network protocol corresponding to the target protocol type;
if they are consistent, the network protocol of the target network is of the target protocol type.
Fig. 3 is a structural diagram of a protocol type detection device of a network protocol according to an embodiment of the present invention. As shown in Fig. 3, the protocol type detection device of the network protocol includes:
a memory 31 for storing a computer program;
a processor 33 for implementing the steps of the protocol type detection method of the network protocol as described above when executing the computer program.
The protocol type detection device of the network protocol provided by the embodiment of the present invention has the same beneficial effects as the protocol type detection method of the network protocol described above.
In order to solve the above technical problem, the present invention further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the protocol type detection method of the network protocol described above.
The computer-readable storage medium provided by the embodiment of the present invention has the same beneficial effects as the protocol type detection method of the network protocol described above.
The method, apparatus, device and computer-readable storage medium for detecting the protocol type of a network protocol provided by the present invention have been described in detail above. The principles and embodiments of the present invention are explained herein using specific examples, which are set forth only to help in understanding the method of the present invention and its core ideas. It should be noted that those skilled in the art can make various improvements and modifications to the present invention without departing from its principle, and those improvements and modifications also fall within the scope of the claims of the present invention.
The embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. Because the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant points, refer to the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.

Claims (10)

1. A method for detecting a protocol type of a network protocol is characterized by comprising the following steps:
acquiring detection plug-ins respectively corresponding to different protocol types in advance; the detection plug-in is provided with protocol information and matching verification information of a corresponding network protocol;
acquiring message data in a network data stream of a target network;
and calling each detection plug-in, and performing matching detection on the message data by using each matching verification information to determine the target protocol type of the target network.
2. The method according to claim 1, wherein the process of calling each detection plug-in, performing matching detection on the message data by using each piece of matching verification information, and determining the target protocol type of the target network specifically includes:
calling each detection plug-in, and matching the identification information in each piece of matching verification information with target identification information of the message data respectively;
and determining the protocol type corresponding to the identification information that matches the target identification information as the target protocol type of the target network.
3. The method according to claim 2, wherein before the matching of the identification information in each piece of matching verification information with the target identification information of the message data, the method further comprises:
respectively matching preset keywords in each piece of matching verification information with target keywords of the message data, and determining a set of protocol types to be confirmed according to the network protocols whose preset keywords match the target keywords;
and screening out the corresponding to-be-confirmed detection plug-ins from the detection plug-ins according to the set of protocol types to be confirmed, and then performing the step of respectively matching the identification information in each piece of matching verification information with the target identification information of the message data.
4. The method according to claim 1, wherein after the calling of each detection plug-in, the performing of matching detection on the message data by using each piece of matching verification information, and the determining of the target protocol type of the target network, the method further comprises:
acquiring the actual protocol length of the network protocol of the target network;
judging whether the actual protocol length is consistent with the standard protocol length of the network protocol corresponding to the target protocol type;
and if they are consistent, this indicates that the network protocol of the target network is of the target protocol type.
5. The method according to claim 1, wherein after the calling of each detection plug-in, the performing of matching detection on the message data by using each piece of matching verification information, and the determining of the target protocol type of the target network, the method further comprises:
acquiring the actual protocol state of the network protocol of the target network;
judging whether the actual protocol state is consistent with the standard protocol state of the network protocol corresponding to the target protocol type;
and if they are consistent, this indicates that the network protocol of the target network is of the target protocol type.
6. The method according to claim 1, wherein after the calling of each detection plug-in, the performing of matching detection on the message data by using each piece of matching verification information, and the determining of the target protocol type of the target network, the method further comprises:
acquiring actual characteristic information corresponding to the network protocol of the target network;
judging whether the actual characteristic information is consistent with the standard characteristic information of the network protocol corresponding to the target protocol type;
and if they are consistent, this indicates that the network protocol of the target network is of the target protocol type.
7. The method according to any one of claims 1 to 6, wherein the process of acquiring the message data in the network data stream of the target network specifically includes:
acquiring the mirrored traffic of the network data stream of the target network;
reassembling the data packets in the mirrored traffic by a flow session technique to obtain the data packets of ordered sessions;
and acquiring the message data in the data packets of the ordered sessions.
8. A protocol type detection apparatus for a network protocol, comprising:
the detection plug-in acquisition module is used for acquiring detection plug-ins respectively corresponding to different protocol types in advance; the detection plug-in is provided with protocol information and matching verification information of a corresponding network protocol;
the message data acquisition module is used for acquiring message data in a network data stream of a target network;
and the matching detection module is used for calling each detection plug-in, performing matching detection on the message data by using each matching verification information and determining the target protocol type of the target network.
9. A protocol type detection device of a network protocol, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the protocol type detection method of the network protocol according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the protocol type detection method of a network protocol according to any one of claims 1 to 7.
CN202010711737.XA 2020-07-22 2020-07-22 Method, device, equipment and medium for detecting protocol type of network protocol Pending CN111884876A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010711737.XA CN111884876A (en) 2020-07-22 2020-07-22 Method, device, equipment and medium for detecting protocol type of network protocol

Publications (1)

Publication Number Publication Date
CN111884876A true CN111884876A (en) 2020-11-03

Family

ID=73155816

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201103