CN112637017A - Network data analysis method based on application layer data - Google Patents

Info

Publication number: CN112637017A
Authority: CN (China)
Prior art keywords: application layer, data, layer data, data packet, analysis
Legal status: Granted
Application number: CN202011565158.5A
Other languages: Chinese (zh)
Other versions: CN112637017B (en)
Inventors: 李锦基, 黄永权, 王勋, 符伟杰, 骆新坤, 李明东
Current Assignee: Gold Sea Comm Corp
Original Assignee: Gold Sea Comm Corp
Events: application filed by Gold Sea Comm Corp; priority to CN202011565158.5A; publication of CN112637017A; application granted; publication of CN112637017B; status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/026 Capturing of monitoring data using flow identification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/20 Natural language analysis
    • G06F40/253 Grammatical analysis; Style critique
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/20 Natural language analysis
    • G06F40/279 Recognition of textual entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/028 Capturing of monitoring data by filtering

Abstract

The invention discloses a network data analysis method based on application layer data, comprising the following steps. Screening out the application layer: network data is captured and read through a next-generation firewall (NGFW); an identification engine loads and parses the current data packet information and determines whether an application-layer data packet is contained; if the current data packet is an application-layer data packet, the identification engine loads and parses the application-layer data of each application-layer data packet. Analyzing the application layer: the NGFW filters the screened application-layer data to obtain the application-layer data that meets the requirements. The invention uses an NGFW, a new-generation technology, to capture and read network data; it can break through the encryption applied to existing data, capture and read the network data effectively, and reduce the failure rate of network data analysis. Cluster analysis is performed during the analysis process, after which each class of application-layer data is analyzed in detail as required.

Description

Network data analysis method based on application layer data
Technical Field
The invention relates to the technical field of network data, in particular to a network data analysis method based on application layer data.
Background
Network data is divided into four layers: an application layer, a transport layer, a network layer, and a link layer. Network analysis software widely used in the industry at present includes Wireshark, Sniffer and the like. Most current network data analysis methods, however, capture and read network data with such traditional software, whose capture-and-read principle is a technology from many years ago. Because existing network data is encapsulated and encrypted to enhance data security, the traditional analysis methods have a high failure rate and are error-prone; and because the data is not classified, the analysis results are mixed together and data confusion easily occurs.
Disclosure of Invention
The invention aims to provide a network data analysis method based on application layer data that solves the following problems: conventional network data analysis methods are mostly based on traditional software whose capture-and-read principle is a technology from many years ago; existing network data is encapsulated and encrypted to enhance data security, so the conventional methods have a high failure rate and are error-prone; and because the data is not classified, the analysis results are mixed together and data confusion easily occurs.
To achieve this purpose, the invention provides the following technical scheme: a network data analysis method based on application layer data, comprising the following steps:
Step 1: screening out the application layer: network data is captured and read through a next-generation firewall (NGFW); an identification engine loads and parses the current data packet information and determines whether an application-layer data packet is contained; if the current data packet is an application-layer data packet, the identification engine loads and parses the application-layer data of each application-layer data packet;
Step 2: analyzing the application layer: the NGFW filters the screened application-layer data to obtain the application-layer data that meets the requirements, or displays the application-layer data that meets the requirements in a specific color to highlight it;
Step 3: cluster analysis: application-layer data features and character-string features are extracted from the screened application-layer data and cluster analysis is performed; each class obtained by clustering is treated as application-layer data; keywords and frequent keyword sequences are mined from each class using data mining techniques; the frequent keyword sequences belonging to the same class are used to construct a prefix tree representing the session rules of the application layer, in which each edge represents one keyword and each path represents one session process;
Step 4: specific analysis: the message format of the application layer is analyzed by treating the application-layer data of each data packet as a character string and performing syntactic analysis on all the strings to construct an automaton or a regular expression representing the application-layer message format; the state transition relations of the application layer are predicted by using a hidden Markov model parameter estimation algorithm, with the keyword sequence of each flow as the training set, to estimate the state transition probability matrix of the application layer and to generate the probability distribution of the observed values, which comprise the keyword, the string length and the encoding mode.
Preferably, in step 1, the capture-and-read process identifies each data flow at the backbone, the gateway and/or the data-flow aggregation points of the network, and analyzes the application-layer data.
Preferably, in step 1, the data packet information is analyzed and judged, and the data packets of the network layer and the transport layer are removed.
Preferably, in step 1, a five-tuple is obtained during loading and parsing; the five-tuple comprises a source IP address, a destination IP address, a source port, a destination port, and a transport layer protocol.
Preferably, in step 1, the five-tuple and the application-layer data of each data packet are presented in list form, with each data packet occupying one row of the list.
Preferably, in step 1, the application-layer data is displayed in hexadecimal or in ASCII.
Preferably, in step 2, for consecutive data packets, the color mark is set on data that remains unchanged, or changes regularly, across the preceding and following packets.
Preferably, in step 4, the hidden Markov model of the application layer is used to measure the obtained sample flows, to obtain the normality distribution of the samples and the normality of each sample, or to find abnormal sample flows.
Compared with the prior art, the invention has the following beneficial effects: it uses an NGFW, a new-generation technology, to capture and read network data; it can break through the encryption applied to existing data, capture and read the network data effectively, and reduce the failure rate of network data analysis. Cluster analysis is performed during the analysis process, after which each class of application-layer data is analyzed in detail as required.
Detailed Description
The present invention will now be described in more detail by way of examples, which are given by way of illustration only and are not intended to limit the scope of the present invention in any way.
Embodiment 1:
Screening out the application layer: network data is captured and read through a next-generation firewall (NGFW); an identification engine loads and parses the current data packet information and determines whether an application-layer data packet is contained; if the current data packet is an application-layer data packet, the identification engine loads and parses the application-layer data of each application-layer data packet.
Analyzing the application layer: the NGFW filters the screened application-layer data to obtain the application-layer data that meets the requirements, or displays the application-layer data that meets the requirements in a specific color to highlight it.
Cluster analysis: application-layer data features and character-string features are extracted from the screened application-layer data and cluster analysis is performed; each class obtained by clustering is treated as application-layer data; keywords and frequent keyword sequences are mined from each class using data mining techniques; the frequent keyword sequences belonging to the same class are used to construct a prefix tree representing the session rules of the application layer, in which each edge represents one keyword and each path represents one session process.
Specific analysis: the message format of the application layer is analyzed by treating the application-layer data of each data packet as a character string and performing syntactic analysis on all the strings to construct an automaton or a regular expression representing the application-layer message format; the state transition relations of the application layer are predicted by using a hidden Markov model parameter estimation algorithm, with the keyword sequence of each flow as the training set, to estimate the state transition probability matrix of the application layer and to generate the probability distribution of the observed values, which comprise the keyword, the string length and the encoding mode.
Embodiment 2:
The following is added to Embodiment 1:
In step 1, the capture-and-read process identifies each data flow at the backbone, the ingress and egress points and/or the data-flow aggregation points of the network, and analyzes the application-layer data, so that enough data can be read and the integrity of the data is guaranteed.
Embodiment 3:
The following is added to Embodiment 2:
In step 1, the data packet information is analyzed and judged, and the data packets of the network layer and the transport layer are removed; removing this redundant data facilitates the next operation.
Embodiment 4:
The following is added to Embodiment 3:
In step 1, a five-tuple is obtained during loading and parsing; the five-tuple comprises a source IP address, a destination IP address, a source port, a destination port and a transport layer protocol. The five-tuple and the application-layer data of each data packet are displayed in list form, with each data packet occupying one row of the list, and the application-layer data is displayed in hexadecimal or in ASCII, which facilitates the next analysis operation.
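The listing this embodiment describes (five-tuple plus application-layer data, one row per packet, payload in hexadecimal or ASCII, packets without application-layer data dropped) can be illustrated as follows. This is an added example, not code from the patent; the function names and the sample packets, which use documentation IP ranges, are constructed, and only IPv4 with TCP or UDP is handled.

```python
import socket
import struct

PROTO_NAMES = {6: "TCP", 17: "UDP"}  # IP protocol numbers handled in this sketch


def build_packet(src, dst, sport, dport, proto, payload):
    """Build a minimal IPv4 + TCP/UDP packet (constructed sample input, checksums left at 0)."""
    if proto == 6:
        # ports, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4 + payload


def parse_packet(raw):
    """Return (five_tuple, payload), or None if there is no application-layer data."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None  # truncated or not IPv4
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    if ihl < 20 or total_len < ihl or total_len > len(raw) or proto not in PROTO_NAMES:
        return None  # malformed header or a transport protocol we do not list
    l4 = raw[ihl:total_len]
    min_hdr = 20 if proto == 6 else 8
    if len(l4) < min_hdr:
        return None
    # TCP carries its own header length (data offset); UDP headers are always 8 bytes
    header_len = (l4[12] >> 4) * 4 if proto == 6 else 8
    if header_len < min_hdr or header_len > len(l4):
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    payload = l4[header_len:]
    if not payload:
        return None  # network/transport-layer only (e.g. a bare ACK): removed
    five_tuple = (socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20]),
                  sport, dport, PROTO_NAMES[proto])
    return five_tuple, payload


def render(payload, mode):
    """Show payload bytes as hexadecimal or as ASCII with non-printables as '.'."""
    if mode == "hex":
        return payload.hex(" ")
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)


def list_packets(raw_packets, mode="hex"):
    """One row per packet that carries application-layer data."""
    rows = []
    for raw in raw_packets:
        parsed = parse_packet(raw)
        if parsed is None:
            continue
        five_tuple, payload = parsed
        rows.append(" | ".join([*map(str, five_tuple), render(payload, mode)]))
    return rows


# Constructed sample capture: one command, one bare ACK, one UDP datagram, one fragment
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.5", 40000, 21, 6, b"USER alice\r\n"),
    build_packet("192.0.2.10", "198.51.100.5", 40000, 21, 6, b""),
    build_packet("192.0.2.10", "203.0.113.53", 53000, 53, 17, b"\x12\x34\x01\x00"),
    b"\x45\x00\x00",
]

if __name__ == "__main__":
    for mode in ("ascii", "hex"):
        print("\n".join(list_packets(SAMPLE, mode)))
```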
Embodiment 5:
The following is added to Embodiment 4:
In step 2, for consecutive data packets, color marks are set on data that remains unchanged, or changes regularly, across the preceding and following packets, so that the data packets to be analyzed can be marked, which facilitates the next operation and analysis.
Embodiment 6:
The following is added to Embodiment 5:
In step 4, the hidden Markov model of the application layer is used to measure the obtained sample flows, to obtain the normality distribution of the samples and the normality of each sample, or to find abnormal sample flows, so that the analysis efficiency is ensured.
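The prefix tree of step 3 and the transition-probability estimate and normality measurement of step 4 can be sketched as follows. This is an added example, not code from the patent: it assumes the flows already belong to one cluster, takes the first token of each message as its keyword, and replaces hidden Markov model parameter estimation with a smoothed first-order Markov chain over the observed keywords; the SMTP-like sessions and all names are constructed.

```python
import math
from collections import Counter, defaultdict

START, END, UNK = "<start>", "<end>", "<unk>"


def keywords(messages):
    """Keyword sequence of a flow: first token of each message, upper-cased (assumption)."""
    return [m.split()[0].upper() for m in messages if m.strip()]


def build_prefix_tree(sequences, min_support=2):
    """Prefix tree of keyword sequences: one edge per keyword, one path per session.
    Edges seen in fewer than min_support flows are pruned as infrequent."""
    root = {"count": len(sequences), "children": {}}
    for seq in sequences:
        node = root
        for kw in seq:
            node = node["children"].setdefault(kw, {"count": 0, "children": {}})
            node["count"] += 1

    def prune(node):
        node["children"] = {k: c for k, c in node["children"].items()
                            if c["count"] >= min_support}
        for child in node["children"].values():
            prune(child)

    prune(root)
    return root


def session_paths(node, prefix=()):
    """Every root-to-leaf path of the tree, i.e. every frequent session."""
    if not node["children"]:
        return [prefix] if prefix else []
    found = []
    for kw in sorted(node["children"]):
        found.extend(session_paths(node["children"][kw], prefix + (kw,)))
    return found


def transition_matrix(sequences, alpha=1.0):
    """Add-alpha smoothed transition probabilities P[a][b] between keywords."""
    counts = defaultdict(Counter)
    for seq in sequences:
        chain = [START, *seq, END]
        for a, b in zip(chain, chain[1:]):
            counts[a][b] += 1
    kws = sorted({kw for seq in sequences for kw in seq})
    cols = kws + [END, UNK]  # UNK absorbs keywords never seen in training
    matrix = {}
    for a in [START, *kws, UNK]:
        total = sum(counts[a].values()) + alpha * len(cols)
        matrix[a] = {b: (counts[a][b] + alpha) / total for b in cols}
    return matrix


def normality(seq, matrix):
    """Mean log-probability per transition; values nearer 0 are more normal."""
    chain = [START, *(kw if kw in matrix else UNK for kw in seq), END]
    logp = sum(math.log(matrix[a][b]) for a, b in zip(chain, chain[1:]))
    return logp / (len(chain) - 1)


def abnormal_flows(flows, matrix, threshold):
    """IDs of flows whose normality falls below the threshold."""
    return [fid for fid, msgs in flows.items()
            if normality(keywords(msgs), matrix) < threshold]


def session(greeting, recipients):
    """Constructed SMTP-like session used as sample input."""
    return ([f"{greeting} a.example", "MAIL FROM:<u@a.example>"]
            + ["RCPT TO:<v@b.example>"] * recipients + ["DATA", "QUIT"])


# Constructed training flows (one cluster) and two flows to be measured
TRAIN = {"f1": session("HELO", 1), "f2": session("HELO", 1), "f3": session("HELO", 2),
         "f4": session("EHLO", 1), "f5": session("EHLO", 1), "f6": session("HELO", 1)}
TEST = {"ok": session("EHLO", 1),
        "odd": ["HELO a.example", "DATA", "XCMD 1", "XCMD 2", "QUIT"]}

TRAIN_SEQS = [keywords(m) for m in TRAIN.values()]
TREE = build_prefix_tree(TRAIN_SEQS)
MATRIX = transition_matrix(TRAIN_SEQS)
# Threshold: the lowest normality seen in training (bottom of the normality distribution)
THRESHOLD = min(normality(s, MATRIX) for s in TRAIN_SEQS)

if __name__ == "__main__":
    for path in session_paths(TREE):
        print(" -> ".join(path))
    print("abnormal:", abnormal_flows(TEST, MATRIX, THRESHOLD))
```

The double-recipient session f3 is pruned from the prefix tree as infrequent but still contributes to the transition counts, which is why it sets the training-set minimum used as the threshold.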
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (8)

1. A network data analysis method based on application layer data is characterized in that: the method comprises the following steps:
step 1: screening out an application layer: capturing and reading network data through Next Generation Firewalls, NGFW, loading and analyzing current data packet information by using an identification engine, judging whether an application layer data packet is contained, and if the current data packet is the application layer data packet, loading and analyzing the application layer data of each application layer data packet by using the identification engine;
step 2: analyzing an application layer: filtering the selected application layer data by using Next Generation Firewalls, NGFW to obtain application layer data meeting requirements, or displaying the application layer data meeting the requirements as a specific color to highlight the application layer data meeting the requirements;
and step 3: clustering analysis: performing clustering analysis on data of the selected application layer, extracting application layer data features and character string features, then performing clustering analysis, taking each class obtained by clustering as application layer data, mining key words and frequent key word sequences from each application layer data by adopting a data mining technology, constructing a prefix tree representing a conversation rule of the application layer by adopting the frequent key word sequences belonging to the same application layer data, wherein each connecting line in the prefix tree represents one key word, and each path represents a conversation process;
and 4, step 4: specific analysis: analyzing the message format of the application layer, regarding the application layer data of each data packet as a character string, then performing syntactic analysis on all the character strings to construct an automaton or a regular expression representing the message format of the application layer, predicting the state transition relation of the application layer, estimating a state transition probability matrix of the application layer by using a hidden Markov model parameter estimation algorithm and taking the keyword sequence of each stream as a training set, and generating the probability distribution of an observed value comprising a keyword, the length of the character string and a coding mode.
2. The method according to claim 1, wherein, in step 1, the capture and reading process identifies each data stream at the backbone, the ingress and egress of the network and/or the convergence points of the data streams, and analyzes the application layer data.
3. The method according to claim 1, wherein, in step 1, the data packet information is analyzed and judged, and the data packets of the network layer and the transport layer are removed.
4. The method according to claim 1, wherein, in step 1, a five-tuple appears during the loading and parsing process, the five-tuple comprising a source IP address, a destination IP address, a source port, a destination port, and a transport layer protocol.
5. The method according to claim 1, wherein, in step 1, the five-tuple and the application layer data of each data packet are displayed in list form, each data packet occupying one line of the list.
6. The method according to claim 1, wherein, in step 1, the application layer data is displayed in hexadecimal or in ASCII.
7. The method according to claim 1, wherein, in step 2, for consecutive data packets, color marks are set on the data that always remains unchanged or changes regularly from one packet to the next.
8. The method according to claim 1, wherein, in step 4, the obtained sample flows are measured using the hidden Markov model of the application layer to obtain the normality distribution of the samples and the normality of each sample, or to find abnormal sample flows.
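The prefix tree of step 3 and the flow scoring of step 4 and claim 8 can be sketched as follows. This is an added illustration, not code from the patent: the SMTP-like keyword sequences are constructed, all function names are hypothetical, and a visible first-order Markov chain over keywords with add-one smoothing stands in for the hidden Markov model parameter estimation that the claims name.

```python
import math
from collections import defaultdict

# Constructed sample: keyword sequence of each flow in one cluster (SMTP-like).
TRAINING_FLOWS = [
    ["HELO", "MAIL", "RCPT", "DATA", "QUIT"],
    ["HELO", "MAIL", "RCPT", "RCPT", "DATA", "QUIT"],
    ["EHLO", "AUTH", "MAIL", "RCPT", "DATA", "QUIT"],
    ["HELO", "MAIL", "RCPT", "DATA", "QUIT"],
]
START, END = "<s>", "</s>"

def build_prefix_tree(flows):
    """Step 3: each edge is one keyword, each root-to-leaf path one conversation."""
    root = {}
    for seq in flows:
        node = root
        for kw in seq:
            node = node.setdefault(kw, {})
    return root

def follows_known_path(tree, seq):
    """True if the sequence is a prefix of a conversation seen in training."""
    node = tree
    for kw in seq:
        if kw not in node:
            return False
        node = node[kw]
    return True

def estimate_transitions(flows):
    """Step 4, simplified (assumption): keywords are visible Markov states."""
    counts = defaultdict(lambda: defaultdict(int))
    vocab = {END}
    for seq in flows:
        path = [START, *seq, END]
        vocab.update(seq)
        for a, b in zip(path, path[1:]):
            counts[a][b] += 1
    return counts, vocab

def normality(seq, counts, vocab):
    """Claim 8: mean log-probability per transition, add-one smoothed."""
    path = [START, *seq, END]
    total = 0.0
    for a, b in zip(path, path[1:]):
        row = counts.get(a, {})
        total += math.log((row.get(b, 0) + 1) / (sum(row.values()) + len(vocab)))
    return total / (len(path) - 1)
```

A flow whose `normality` falls well below the scores of the training flows, or that leaves every path of the prefix tree, is a candidate abnormal sample flow in the sense of claim 8.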
CN202011565158.5A 2020-12-25 2020-12-25 Network data analysis method based on application layer data Active CN112637017B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011565158.5A CN112637017B (en) 2020-12-25 2020-12-25 Network data analysis method based on application layer data

Publications (2)

Publication Number Publication Date
CN112637017A true CN112637017A (en) 2021-04-09
CN112637017B CN112637017B (en) 2022-02-08

Family

ID=75325108

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011565158.5A Active CN112637017B (en) 2020-12-25 2020-12-25 Network data analysis method based on application layer data

Country Status (1)

Country Link
CN (1) CN112637017B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1612135A (en) * 2003-10-30 2005-05-04 中联绿盟信息技术(北京)有限公司 Invasion detection (protection) product and firewall product protocol identifying technology
CN102970189A (en) * 2012-12-06 2013-03-13 北京锐安科技有限公司 Method and system for network data analysis based on application layer data
CN103746885A (en) * 2014-01-28 2014-04-23 中国人民解放军信息安全测评认证中心 Test system and test method oriented to next-generation firewall
CN108769084A (en) * 2018-08-28 2018-11-06 山东超越数控电子股份有限公司 A kind of processor and fire wall
US20190253387A1 (en) * 2018-02-13 2019-08-15 Palo Alto Networks, Inc. Application layer signaling security with next generation firewall
CN111209564A (en) * 2020-01-03 2020-05-29 深信服科技股份有限公司 Cloud platform security state prediction method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN112637017B (en) 2022-02-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant