Truncated TCP stream splicing method

A destination and source address technology, applied in electrical components, transmission systems, etc., can solve problems such as truncation, and achieve the effect of enhancing accuracy and avoiding port scanning attacks.

Pending Publication Date: 2021-10-01
广州广电研究院有限公司

AI Technical Summary

Problems solved by technology

[0010] The purpose of the present invention is to overcome the deficiencies of existing bypass traffic collection and analysis technology by proposing a truncated TCP flow splicing method, which aims to solve the prior-art problem of a single TCP flow being truncated.


Examples


Embodiment 2

[0076] Embodiment 2 of the present invention splices a truncated TCP flow using the splicing method based on analyzing the end state of the TCP flow and the direction of the TCP flow. It includes the following steps:

[0077] 1. The bypass data collection and analysis system collects mirrored traffic, receives the SYN packet sent by the first client, and adds a record to the TCP record queue.

[0078] 2. The system then receives the SYN/ACK packet sent by the server. Because the SYN/ACK was delayed for longer than the RTO set by the bypass data acquisition and analysis system, the system records the end state of the TCP stream as SYN_TIMEOUT. At this point the system adds a record for the SYN/ACK packet to the record queue, and the direction of this new TCP flow record is reversed.

[0079] 3. The newly created TCP flow completes the three-way handshake and the four-way close, and the bypass data acquisition and analysis system records the end state of the TCP flow as NOMAL_CLOSE.

[00...
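The record queue that steps 1 to 3 produce, and one way to splice it, as an added example that is not taken from the patent. The page's text is cut off after step 3, so the join rule in `splice` (same endpoints, reversed direction, second record opening with SYN/ACK), the 1-second RTO, the simplified flag labels and the sample packets are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Flow:
    src: tuple            # endpoint the collector treats as the initiator
    dst: tuple
    start: float
    last: float
    state: str = "OPEN"
    flags: list = field(default_factory=list)

def track(packets, rto=1.0):  # rto: assumed collector timeout in seconds
    """Naive bypass collector reproducing steps 1-3; returns the record queue."""
    queue, live = [], {}
    for ts, src, dst, flag in packets:
        key = frozenset((src, dst))
        rec = live.get(key)
        if rec and rec.flags == ["SYN"] and ts - rec.last > rto:
            rec.state = "SYN_TIMEOUT"          # step 2: the stream is truncated
        if rec is None or rec.state != "OPEN":
            rec = Flow(src, dst, ts, ts)       # direction follows this packet
            queue.append(rec)
            live[key] = rec
        rec.flags.append(flag)
        rec.last = ts
        if flag == "ACK" and rec.flags.count("FIN") == 2:
            rec.state = "NOMAL_CLOSE"          # state name as spelled on the page
    return queue

def splice(queue):
    """Assumed rule: SYN_TIMEOUT record + next reversed record opening with SYN/ACK."""
    out, used = [], set()
    for i, a in enumerate(queue):
        if i in used:
            continue
        if a.state == "SYN_TIMEOUT":
            for j in range(i + 1, len(queue)):
                b = queue[j]
                if j not in used and (b.src, b.dst) == (a.dst, a.src) and b.flags[0] == "SYN/ACK":
                    a = Flow(a.src, a.dst, a.start, b.last, b.state, a.flags + b.flags)
                    used.add(j)
                    break
        out.append(a)
    return out

C, S = ("10.0.0.5", 40000), ("10.0.0.9", 443)   # constructed endpoints
PACKETS = [(0.0, C, S, "SYN"), (2.5, S, C, "SYN/ACK"), (2.6, C, S, "ACK"),
           (3.0, C, S, "FIN"), (3.1, S, C, "ACK"), (3.2, S, C, "FIN"), (3.3, C, S, "ACK")]
```

`track(PACKETS)` yields the two records described in the steps (a client-to-server SYN_TIMEOUT and a server-to-client NOMAL_CLOSE); `splice` merges them into one client-to-server flow, while a SYN_TIMEOUT record with no reversed follow-up is left as it is.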


Abstract

The invention relates to a truncated TCP stream splicing method comprising the following steps: receiving network traffic through bypass mirroring on a switch; and, when analyzing the TCP traffic, deferring the processing of a message in a TCP stream that contains the RST flag bit. This solves the problem of a TCP stream being truncated because a message containing the RST flag bit appears in it, and reduces the cases in which the bypass data acquisition and analysis system reports a large number of TCP streams containing only RST packets. By analyzing the end state of the TCP stream and the direction of the TCP stream, the method solves the problem of a TCP stream being truncated because the delay of a message in it exceeds the RTO set by the bypass data acquisition and analysis system, and avoids an originally safe TCP connection being mistaken for a port scanning attack. The method enhances the accuracy of data acquisition and the correctness of data analysis in the bypass data acquisition and analysis system, and improves awareness of the network security situation.

Description

Technical field

[0001] The invention belongs to the technical field related to network security, and in particular relates to a truncated TCP flow splicing method.

Background technique

[0002] TCP is a connection-oriented, reliable transport layer protocol that ensures the reliable transmission of data. One of the methods it uses is to acknowledge the data received from the other end, but both the data and the acknowledgment may be lost or corrupted, and TCP solves this problem through its timeout and retransmission mechanism. The basic principle is to start a timer after sending a piece of data. If the ACK for the sent data is not received within this time, the message is retransmitted; after a certain number of unsuccessful attempts, the sender gives up and sends an RST reset message.

[0003] When the bypass data acquisition and analysis system collects a TCP message, it uses the source address, destination address, source port,...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
CPC: H04L69/06, H04L69/22, H04L69/16
Inventor: 高咏伦郭晓冬高才唐锡南
Owner: 广州广电研究院有限公司