
Method, device and storage device for accurately detecting network traffic

A network-traffic detection technology, applied in the field of network security, that addresses problems such as poor accuracy and controllability of performance estimation, the large effect that rule writing has on detection efficiency, and irregular changes in detection performance as features are added, and achieves controllable feature-matching performance.

Status: Inactive. Publication date: 2017-12-01
Applicant: NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT +1
Cites 6, cited by 19

AI Technical Summary

Problems solved by technology

[0007] The way regular expressions are written, especially for complex features, has a large effect on detection efficiency. As the number of features grows, detection performance changes irregularly, and performance prediction is neither accurate nor controllable. Writing regular expressions is also complicated, different systems parse them differently, and custom features require specialist knowledge and experience, so ordinary operations staff and analysts find it hard to write feature rules quickly. Finally, regular expressions target character-string features and are not well suited to binary features.



Examples


Example 1

[0053] To solve the problems caused by defining and matching regular expressions, the present invention proposes a method for accurate detection of network traffic, comprising:

[0054] defining a single feature by a keyword or starting position, an offset, a length and a feature string as its conditions, where the feature string may be a character string or a binary string;

[0055] defining a rule as a logical relationship, such as AND or OR, between multiple features;

[0056] storing all feature strings in a set in memory or in a database, preferably as a set of hash values of the feature strings in an in-memory database such as Redis;

[0057] acquiring the data packets to be detected from the network;

[0058] extracting content from the data packet to be detected according to the position and length; preferably, when multiple features use keywords as their starting position, a multi-pattern matching algorithm such as AC (Aho-Corasick) or WM (Wu-M...

Example 2

[0062] Figure 2 is a schematic flow diagram of the method for accurately detecting network traffic in Example 2, described as follows:

[0063] Step 201, rule customization;

[0064] First, pre-install and run the application or executable program that generates the network traffic to be analysed, and collect traffic samples. Then manually analyse the payload of the samples: plaintext payload features are represented as character strings and ciphertext payloads as binary strings, and each feature string is recorded together with its position (in bytes or bits, as needed); when there are several features, the AND/OR relationship between them is specified. Finally, the extracted features and feature relationships are described and stored as database fields or in files.

[0065] This embodiment takes a text-format file as an example; the feature definition format is: {fid, keyword or location identifier,...

Example 3

[0085] This example describes a device for accurately detecting network traffic, which mainly comprises:

[0086] Rule definition module: defines features in the format {keyword or position, offset, length, string value}, and rules that combine multiple features with AND/OR relationships, via the Web or via files;

[0087] Rule parsing module: parses the rule definitions into three data sets, an extraction position set, a feature string set and a feature relationship set, for use during detection;

[0088] Content extraction module: extracts content from the data packet to be detected according to the extraction position set;

[0089] Feature matching module: queries whether each extracted content string exists in the feature string set; if it does, the match succeeds;

[0090] Relationship calculation module: according to the recorded matching results, judges whether the matching results satisfy the relationship definition in the feature relationship ...
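The detection pipeline of Examples 1 and 3 (feature definitions, rule parsing into an extraction position set, a feature string set and a feature relationship set, content extraction, set lookup, and AND/OR relationship evaluation), as an added Python example written for this page; it is not the patent's own code. The tuple-based feature format, the feature ids and values, the rule ids and the sample packets are constructed for illustration; a Python set of SHA-256 digests stands in for the Redis hash set the patent prefers, and keyword anchoring uses a per-keyword `bytes.find` rather than the multi-pattern (AC/WM) scan the patent suggests.

```python
import hashlib
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Feature:
    """One feature: {keyword or position, offset, length, feature string}.

    anchor is an absolute byte position or a keyword to search for; offset is
    counted from the anchor (from the end of the keyword when anchor is bytes).
    value may be a text feature (plaintext payload) or raw bytes (binary payload).
    """
    fid: str
    anchor: Union[int, bytes]
    offset: int
    length: int
    value: bytes


def _h(content: bytes) -> bytes:
    # Stand-in for the "hash value set of feature strings" the patent keeps in an
    # in-memory store such as Redis; a plain Python set of digests is used here.
    return hashlib.sha256(content).digest()


def compile_rules(features, rules):
    """Rule parsing module: turn definitions into the three sets used at detection time.

    rules maps rule id -> list of AND-groups; a rule hits when any group is fully
    matched, which is how the AND/OR relationship between features is expressed here.
    """
    positions = {f.fid: (f.anchor, f.offset, f.length) for f in features}
    feature_set = {(f.fid, _h(f.value)) for f in features}
    return positions, feature_set, dict(rules)


def extract(packet: bytes, anchor, offset: int, length: int):
    """Content extraction module: slice `length` bytes at the resolved position.

    Returns None when the keyword is absent or the slice would run past the packet,
    so a short or malformed packet can never match by accident.
    """
    if isinstance(anchor, bytes):
        idx = packet.find(anchor)   # one keyword at a time; AC/WM would scan all keywords in one pass
        if idx < 0:
            return None
        start = idx + len(anchor) + offset
    else:
        start = anchor + offset
    if start < 0 or start + length > len(packet):
        return None
    return packet[start:start + length]


def match_features(packet: bytes, positions, feature_set):
    """Feature matching module: extract first, then look each content string up in the set."""
    hits = set()
    for fid, (anchor, offset, length) in positions.items():
        content = extract(packet, anchor, offset, length)
        if content is not None and (fid, _h(content)) in feature_set:
            hits.add(fid)
    return hits


def evaluate(hits, relations):
    """Relationship calculation module: return the ids of rules whose AND/OR definition is satisfied."""
    return sorted(rid for rid, groups in relations.items()
                  if any(all(fid in hits for fid in group) for group in groups))


def detect(packet: bytes, compiled):
    positions, feature_set, relations = compiled
    return evaluate(match_features(packet, positions, feature_set), relations)


# Constructed feature and rule definitions (hypothetical values, not from the patent).
FEATURES = [
    Feature("f1", b"User-Agent: ", 0, 7, b"EvilBot"),       # keyword-anchored text feature
    Feature("f2", 0, 0, 4, b"GET "),                        # fixed-position text feature
    Feature("f3", 0, 0, 4, bytes.fromhex("deadbeef")),      # fixed-position binary feature
    Feature("f4", b"\x00\x01", 2, 2, b"\xca\xfe"),          # keyword-anchored binary feature
]
RULES = {
    "R1": [["f1", "f2"]],      # f1 AND f2
    "R2": [["f3", "f4"]],      # f3 AND f4
    "R3": [["f1"], ["f3"]],    # f1 OR f3
}
COMPILED = compile_rules(FEATURES, RULES)

# Constructed sample packets.
PKT_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: EvilBot/1.0\r\n\r\n"
PKT_BIN = bytes.fromhex("deadbeef") + b"\x00\x01\x00\x00\xca\xfe" + b"payload"
PKT_BENIGN = b"GET / HTTP/1.1\r\nUser-Agent: curl/8.0\r\n\r\n"
PKT_SHORT = b"GE"

if __name__ == "__main__":
    for name, pkt in [("http", PKT_HTTP), ("bin", PKT_BIN), ("benign", PKT_BENIGN), ("short", PKT_SHORT)]:
        print(name, detect(pkt, COMPILED))
```

Rules are kept in disjunctive form (a list of AND-groups) so both AND and OR relationships from the rule definition are covered without a separate expression parser. The point the patent makes about controllable performance is visible in `match_features`: the work per packet is one bounded extraction per entry of the position set plus a constant-time set lookup, independent of how the feature string is written, and `extract` returning `None` for absent keywords or out-of-range slices is what keeps short or truncated packets from matching.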


Abstract

The present invention provides a method, a device and a storage device for accurately detecting network traffic. The method includes: acquiring a data packet to be detected in a network; extracting a plurality of content strings from the data packet according to a preset extraction position set, where the extraction position set comprises a plurality of keywords or positions for feature extraction together with the corresponding extraction lengths; looking each content string up in a preset feature string set to obtain a matching result for that content string; judging whether the plurality of matching results satisfies a preset feature relationship; and, when the matching results satisfy the preset feature relationship, indicating that the data packet hits the rule corresponding to that feature relationship. In defining and matching features, the invention extracts first and then looks up, which effectively avoids both the complexity of defining regular expressions and the uncontrollable performance of regular-expression matching.

Description

Technical field

[0001] The invention relates to the field of network security, in particular to a method, device and storage medium for accurately detecting network traffic.

Background technique

[0002] With the rapid development of the Internet, especially the mobile Internet, the range of network applications and the scale of the user base are expanding rapidly; more and more applications and scenarios generate network traffic, and traffic volume has grown massively. The network carries all kinds of data traffic, such as basic communication traffic, ordinary web browsing traffic, game traffic, peer-to-peer (P2P) traffic and instant messaging (IM) traffic, mixed with suspicious traffic that needs particular attention.

[0003] At present, the detection and identification of network traffic mostly use a built-in feature rule library as the detection basis, mainly focusing on traffic control, application i...

Claims


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L12/26, H04L12/813, H04L47/20
CPC: H04L43/028, H04L43/04, H04L43/08, H04L43/0876, H04L47/20
Inventors: 孙波李轶夫姚珊姜栋鲁骁张建松张伟杜雄杰司成祥房婧李应博刘成胡晓旭王亿芳王梦禹刘斯宇李海峰陈朴杨亚南
Owner: NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT