Method for recognizing and tracking application based on keyword sequence

Abstract

The invention provides an application, identification and tracking method based on a keyword sequence, which comprises: firstly, establishing a keyword set; secondly, matching keywords with data in an application layer; thirdly, performing syntax tree judgment and evaluation on a keyword sequence obtained after matching; and fourthly, tracking the keyword sequence and identifying application types. The application, identification and tracking method based on the keyword sequence does not need manually understanding and programming an application layer protocol, manually analyzing unique characteristics of application and writing out a regular expression, can realize automatic modeling, identification and tracking of known or unknown application, and further realizes flow control and security defense of fine grain of the application and the application process.

Description

technical field

[0001] The invention belongs to the technical field of network security detection and network flow control, and in particular relates to an application identification and tracking method based on a keyword sequence. technical background

[0002] Existing methods for application layer protocol identification mainly include identification methods based on port numbers, methods based on manually established regular expressions, and methods based on statistical characteristics of flows. The method based on the protocol port number, because many standard applications use non-standard port numbers, and non-standard applications use standard port numbers, such as illegal applications and attacks that use well-known port numbers (such as port 80) to avoid firewall filtering and The limitation of traffic management equipment has made the method of identifying applications based on port numbers unsuitable. The regular expression-based application identification method...

Images