
Device for classifying and recognizing network application flow quantity and method thereof

A network application traffic classification technology, applied in the field of network application traffic classification and identification devices. It addresses problems such as the limited number of available ports, the lack of public protocol specifications for private protocols, and the difficulty of extracting protocol feature codes, and it achieves real-time, high-precision application perception and classification control.

Inactive Publication Date: 2008-06-18
PEKING UNIV

AI Technical Summary

Problems solved by technology

[0003] In recent years, with the rapid development of the Internet and network applications, and especially with the emergence and popularization of new network technologies such as Peer-to-Peer (P2P) networks, cascaded networks, and anonymous networks, traditional network application traffic classification and identification technologies face increasingly severe challenges. A single technical approach based on service ports or protocol signatures can no longer meet business needs, mainly in the following areas: (1) because the number of TCP / UDP ports available for registration is limited, a large number of emerging application protocols no longer register a default service port; (2) for the sake of security and flexibility, many application protocols adopt dynamic port negotiation or a custom port registration mechanism; (3) in order to pass through firewalls, some application protocols communicate over the common service ports (such as TCP port 80) of other protocols (such as HTTP); (4) application protocols are becoming more and more complex, and many private protocols do not disclose complete protocol specifications, so extracting protocol feature codes becomes very difficult; (5) some application protocols encrypt their payloads for communication security, which makes them difficult to identify based on protocol signatures.


Embodiment

[0025] The network flow table 11 is organized as a hash table and uses linked lists to resolve hash collisions. The structure of the flow record entry is shown in the following table:

[0026]

[0027]

[0028] The network topology information table 21 is used to record pair and its corresponding application type / application protocol, matching degree and other information. It is organized as a hash table and uses linked lists to resolve hash collisions; the entry is shown in the following table:

[0029]-[0030]

Data information (listed in storage order)                      Length (bit)   Meaning
--------------------------------------------------------------  -------------  ---------------------------------------
pair (ipport)                                                   64             IP address, TCP / UDP port
Application Type / Application Protocol Information (appinfo)   32             Application Type / Application Protocol
Matching degree (weight)                                        32             suitability
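
The entry layout in the table above, held in a hash table with linked-list collision chains as [0028] describes. This is an added example, not code from the patent. Assumptions: the bucket count, the hash function, the packing of the 64-bit pair as IPv4 address << 16 | port, and the rule that only a higher matching degree overwrites an existing entry.

```c
#include <stdint.h>
#include <stdlib.h>

#define NBUCKETS 1024u  /* assumption: bucket count is not given on the page */

/* Entry layout from the table: 64-bit pair, 32-bit appinfo, 32-bit weight. */
struct ipport_entry {
    uint64_t ipport;            /* assumed packing: IPv4 address << 16 | port */
    uint32_t appinfo;           /* application type / application protocol */
    uint32_t weight;            /* matching degree */
    struct ipport_entry *next;  /* linked list resolves hash collisions */
};

static struct ipport_entry *buckets[NBUCKETS];

static uint64_t make_key(uint32_t ip, uint16_t port) {
    return ((uint64_t)ip << 16) | port;
}

/* 64-bit mixer (splitmix64 finalizer); the page names no hash function. */
static uint32_t bucket_of(uint64_t k) {
    k ^= k >> 30; k *= 0xbf58476d1ce4e5b9ULL;
    k ^= k >> 27; k *= 0x94d049bb133111ebULL;
    k ^= k >> 31;
    return (uint32_t)(k % NBUCKETS);
}

/* Walk the bucket's chain and compare full keys, not just the hash. */
struct ipport_entry *ipport_lookup(uint32_t ip, uint16_t port) {
    uint64_t key = make_key(ip, port);
    for (struct ipport_entry *e = buckets[bucket_of(key)]; e; e = e->next)
        if (e->ipport == key) return e;
    return NULL;
}

/* Insert or update. Assumed policy: only a higher weight replaces appinfo. */
int ipport_update(uint32_t ip, uint16_t port, uint32_t appinfo, uint32_t weight) {
    struct ipport_entry *e = ipport_lookup(ip, port);
    if (e) {
        if (weight > e->weight) { e->appinfo = appinfo; e->weight = weight; }
        return 0;
    }
    if (!(e = malloc(sizeof *e))) return -1;
    uint32_t b = bucket_of(make_key(ip, port));
    e->ipport = make_key(ip, port);
    e->appinfo = appinfo; e->weight = weight;
    e->next = buckets[b]; buckets[b] = e;  /* push onto the chain head */
    return 0;
}
```

Because the key fields come from observed traffic, a deployment would normally also seed the hash per process and cap chain length so that crafted address/port pairs cannot degrade lookups to a linear scan.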

[0031] The service port table 41 is used to record information such as t...


Abstract

A network application traffic classification and recognition device includes: a dynamic flow classifying device, which builds a hash table using the IP five-tuple contained in a message as the key and uses the hash table to search a network flow table; an (address, port) checking matching device, which matches received messages by searching an information table of the address; a service terminal matching device, which matches received messages by searching a service port table; a flow / action characteristic matching device, which computes the flow characteristics and action characteristics of the first M messages of a flow and matches them against the information in a flow / action characteristic mode library; a protocol characteristic code matching device, which matches the first L bytes of the message payload against the protocol characteristic codes in a protocol characteristic code library; a decision device, which comprehensively analyzes the results and judges the application type or application protocol that a network flow belongs to; and a network topology detecting device, which, for various application services, searches for the currently active nodes and uses the node information to dynamically update the information table of the address.

Description

Technical field

[0001] The invention relates to a network application traffic classification and identification device and a method thereof, in particular to such a device and method in the fields of computer networks and data communications.

Background technique

[0002] Network application traffic classification and identification is a key common technology of many core network services. It distinguishes traffic belonging to different application types or application protocols in the aggregated traffic so that the system can process them separately. Taking network monitoring as an example, people need to collect and record specific application information from traffic, understand the actual status of the application and study its impact on the network, so as to guide the planning, configuration and management of the network and the Internet. For another example, differentiated services (Diffserv) provide different ser...


Application Information

IPC(8): H04L12/24, H04L29/06, H04L12/56, H04L12/801
Inventor: 张建宇, 廖唯棨, 高明, 杨彬, 朱岩, 邹维
Owner PEKING UNIV