HTTP data characteristic analysis method and system

A data feature analysis technology, applied in the fields of digital transmission systems, transmission systems, data exchange networks, etc. It addresses the problems that traditional inspection does not care about upper-layer applications, that recognition ability declines, and that the technology cannot be widely used, with the effects of reducing heavy consumption of and high dependence on system resources, optimizing the recognition process, and improving recognition ability.

Active Publication Date: 2017-02-22
苏州迈科网络安全技术股份有限公司

AI Technical Summary

Problems solved by technology

[0003] However, due to the constraints of hardware performance, function adaptation, system architecture and other factors, DPI has not been widely used in the large number of low-end network devices (such as home routers, commercial WiFi, thin APs, etc.). The main reason is that traditional DPI technology, when performing data analysis, mostly does not care about the specific data structure of the upper-layer application. The source data is scanned byte by byte from the head of the data until the end of the data or a specified number of bytes, and the scanned data is then matched against the fingerprint library to obtain the identification of the source data.
[0004] Because scanning starts from the first byte of the data, the whole process places high demands on system resources. DPI technology can therefore only be applied to large-scale network devices with abundant resources and cannot be used on small network devices such as home gateways and commercial WiFi. As a result, the majority of end users lack advanced traffic optimization and service improvement, so it is necessary to implement deep packet inspection technology that can be adapted to low-end network equipment.
[0005] In addition, since more than 80% of current Internet data, especially mobile Internet data, is application data based on the HTTP protocol, in-depth analysis of the HTTP protocol greatly affects the performance consumption and recognition ability of DPI.
[0006] To preserve performance, full data coverage often cannot be achieved during data scanning; in particular, HTTP protocol data cannot be fully covered. The risk of feature misjudgment and missed judgment therefore increases, and application identification ability declines.


Embodiment Construction

[0031] The HTTP data feature analysis method disclosed by the present invention comprises the following steps:

[0032] S1, receiving the injected Internet data, and judging whether the injected Internet data is HTTP data;

[0033] As a common kind of application-layer data, the HTTP data flow has obvious characteristics. HTTP data is transmitted by a TCP flow with destination port 80. In addition, according to the relevant HTTP RFC, the data flow is divided into request and response. The HTTP request data structure is divided into a Head Domain and a Body Domain, where the Head Domain contains information such as the HTTP request method, request URI and request domain name. Therefore, we analyze the data packets of the monitored TCP data flow and judge from the port and data structure whether it is HTTP data.

[0034] The specific judgment process is as follows: judge whether the received data stream is TCP data, if so, check whether the destina...

Abstract

The invention discloses an HTTP data characteristic analysis method and system. The method comprises: S1, judging whether injected Internet data is HTTP data; S2, when the injected Internet data is not judged to be HTTP data, passing the Internet data into a DPI (Deep Packet Inspection) engine for deep packet characteristic inspection; S3, when the injected Internet data is judged to be HTTP data, identifying the body domain and the head of the HTTP data; S4, passing the body domain directly into the DPI engine for deep packet characteristic inspection without subsection analysis; and S5, passing the head into an HTTP_DPI engine for analysis, wherein the HTTP_DPI engine divides the head into a plurality of pointer structures, performs independent parallel analysis according to the pointer structures, and, after matching against a characteristic fingerprint database, marks the data that matches as the application indicated by the characteristic fingerprint. The method and system effectively reduce the heavy consumption of and high dependence on system resources; at the same time all data, especially HTTP data, is effectively covered, the risk of characteristic false positives and false negatives is decreased, and the ability to identify applications is improved.
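Steps S1, S3 and S5 of the abstract, as an added C example (not code from the patent): the head is divided into pointer structures that reference the packet buffer in place, and one of them is matched against a fingerprint database. The names `span`, `http_view`, `http_split` and `http_dpi_classify`, the fingerprint entries and the choice of the Host field for matching are assumptions; the generic DPI engine that receives the body (S4) and non-HTTP traffic (S2) is outside this block.

```c
#include <stddef.h>
#include <string.h>

/* Pointer structure: (start, length) view into the packet buffer, no copy. */
struct span { const char *p; size_t n; };
struct http_view { struct span method, uri, host, body; };

/* Constructed fingerprint database: Host suffix -> application label. */
static const struct { const char *suffix, *app; } FP_DB[] = {
    { "video.example", "example-video" }, { "chat.example", "example-chat" } };

/* Bounded substring search; packet payloads are not NUL-terminated. */
static const char *find(const char *h, size_t hn, const char *nd) {
    size_t nn = strlen(nd);
    for (size_t i = 0; nn <= hn && i <= hn - nn; i++)
        if (memcmp(h + i, nd, nn) == 0) return h + i;
    return NULL;
}

/* S1 + S3: return 1 and fill v if this is an HTTP request to port 80. */
int http_split(const char *d, size_t n, unsigned dport, struct http_view *v) {
    memset(v, 0, sizeof *v);
    const char *end = find(d, n, "\r\n\r\n");       /* head/body boundary */
    const char *eol = find(d, n, "\r\n");           /* end of request line */
    const char *sp1 = find(d, n, " ");              /* end of method token */
    if (dport != 80 || !end || !sp1 || sp1 > eol) return 0;
    size_t ml = (size_t)(sp1 - d), hn = (size_t)(end - d) + 2;
    if (!((ml == 3 && !memcmp(d, "GET", 3)) || (ml == 4 && !memcmp(d, "POST", 4))))
        return 0;                                   /* S1: structure check */
    const char *sp2 = find(sp1 + 1, (size_t)(eol - sp1 - 1), " ");
    if (!sp2) return 0;
    v->method = (struct span){ d, ml };
    v->uri = (struct span){ sp1 + 1, (size_t)(sp2 - sp1 - 1) };
    const char *h = find(d, hn, "\r\nHost: ");      /* case-sensitive: simplified */
    const char *e = h ? find(h + 8, hn - (size_t)(h + 8 - d), "\r\n") : NULL;
    if (e) v->host = (struct span){ h + 8, (size_t)(e - h - 8) };
    v->body = (struct span){ end + 4, n - (size_t)(end + 4 - d) };
    return 1;
}

/* S5: match the Host field against the fingerprint DB; NULL if no match. */
const char *http_dpi_classify(const struct http_view *v) {
    for (size_t i = 0; i < sizeof FP_DB / sizeof FP_DB[0]; i++) {
        size_t l = strlen(FP_DB[i].suffix);
        if (v->host.n >= l && !memcmp(v->host.p + v->host.n - l, FP_DB[i].suffix, l))
            return FP_DB[i].app;
    }
    return NULL;
}
```

When `http_split` returns 0 the whole payload goes to the byte-scanning DPI engine (S2); when it returns 1, `v.body` is the region that engine would scan (S4).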

Description

Technical field

[0001] The invention relates to a data feature analysis method and system, in particular to an HTTP data feature analysis method and system.

Background technique

[0002] Deep Packet Inspection (hereinafter referred to as DPI) is a traffic analysis and detection technology oriented to application-layer analysis. DPI technology has become the standard configuration of high-end network equipment and is used for fine-grained control, monitoring and analysis of network traffic.

[0003] However, due to the constraints of hardware performance, function adaptation, system architecture and other factors, DPI has not been widely used in the large number of low-end network devices (such as home routers, commercial WiFi, thin APs, etc.). The main reason is that traditional DPI technology, when performing data analysis, mostly does not care about the specific data structure of the upper-layer application. The source data is scanned byte by byte from the head of...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L12/26, H04L29/06, H04L29/08
Inventor 丁增红周明中
Owner 苏州迈科网络安全技术股份有限公司