CN101577704A - Network application-level protocol recognition method and system - Google Patents
Abstract
The invention discloses a network application-layer protocol recognition method and system that can recognize multi-type and/or multi-state network application-layer protocols. The system mainly comprises a description-method interpreter that parses protocol recognition mode description files, a Method List data structure module that stores the parsed data structure (the Method List), and a protocol recognition operation execution module that recognizes protocols according to the Method List, wherein the protocol recognition mode description files describe the recognition modes of network application-layer protocols. The method and system can recognize multi-type protocols, recognize multi-state protocols through state recognition, and at the same time allow features and recognition modes to be updated conveniently.
Description
Technical field
The present invention relates to a description method for network application-layer protocol recognition modes and to a protocol recognition system based on this method.
Background art
With the spread of network applications and the development of Internet technology, new network application services keep emerging, and with them application-layer traffic features become more varied and the corresponding recognition modes more complex. Traditional network application services use fixed service ports, so application-layer protocols can easily be recognized by port. With the use of P2P, VOD and VoIP technologies, today's network application protocols mainly communicate over dynamic ports, so the traditional port-based method of application protocol recognition is no longer suitable.
Two broad classes of recognition mode are now used to deal with this situation. The first is deep packet inspection, which recognizes traffic by matching certain features in the content of one or more packets; it can be very accurate, but the recognition period is relatively long and some features can only be recognized by combining the characteristics of several packets. The second is traffic statistical feature matching, which recognizes traffic by analysing statistical features of the target application's traffic such as average packet size and average flow rate; it is fast but its accuracy is low. Another major characteristic of current network application services is that protocols are updated frequently, so a protocol recognition system must often update its recognition features and even its recognition modes, which places new requirements on how recognition modes are organized within the system.
Protocol recognition modes are currently implemented with two main structures. In the first, a recognition program is written in code for each protocol; this is efficient but features are hard to update, because every update of a recognition feature or change of recognition mode requires the recognition program to be recompiled. In the second, features are stored as regular expressions. Features can then be updated without recompiling, but regular-expression matching is slower than purpose-written matching functions, and some features cannot be matched at all, for example a feature that relates packet content to packet length. The regular-expression style of feature description is also fairly abstract, which makes it harder for administrators to add recognition modes themselves. In existing approaches, features spread over several packets are matched by storing the packets and reassembling them so that the combined feature can be matched as a whole; this is inefficient, needs a lot of memory, and performs poorly on high-speed links.
Given that the protocols of today's network application services are varied and frequently updated, application-layer traffic identification needs a structure that supports multi-type and multi-state recognition modes while being both efficient and easy to update.
Summary of the invention
The object of the invention is to propose AIMDL, a description method for application-layer protocol recognition modes, and a protocol recognition system built on this description method. The main content is the design of the basic elements of AIMDL, so that multi-type and multi-state protocol recognition modes can be described effectively while remaining easy to update, and the design and implementation of a recognition framework that uses the recognition modes described in AIMDL to carry out application protocol recognition efficiently.
According to a first aspect of the invention, a network application-layer protocol recognition method is provided, characterized in that the recognition method comprises the following steps:
1) describing the protocol recognition modes of the network application layer and generating a corresponding recognition mode description file;
2) parsing the recognition mode description file and generating the corresponding Method List data structure; and
3) recognizing the network application-layer protocol according to the Method List data structure.
Preferably, step 1) further comprises describing, in the recognition mode description file, the operation modes that support the protocol recognition operations and the structure of the recognition modes.
Preferably, the parsing in step 2) is based on the XML language platform.
Preferably, the Method List data structure in step 3) combines a dynamic linked list with untyped pointers.
According to a second aspect of the invention, a network application-layer protocol recognition system is provided, characterized in that the recognition system comprises: a description-method interpreter that parses protocol recognition mode description files, wherein the recognition mode description files describe the protocol recognition modes of the network application layer; a Method List data structure module that stores the parsed Method List data structure; and a protocol recognition operation execution module that recognizes protocols according to the Method List.
Preferably, the description-method interpreter is based on the XML language platform.
Preferably, the Method List data structure module uses a structure that combines a dynamic linked list with untyped pointers.
The invention can be used to recognize many types of protocol while allowing features and recognition modes to be updated conveniently, and it can recognize multi-state protocols using a state-machine-based recognition method.
Brief description of the drawings
Specific embodiments of the invention are described in detail below with reference to the accompanying drawings, in which:
Fig. 1 is a working schematic of the application-layer protocol recognition system of the invention;
Fig. 2 is a flow chart of the protocol recognition mode description-method interpreter module of the invention;
Fig. 3 is a structure diagram of the Method List data structure module of the invention; and
Fig. 4 is a flow chart of the protocol recognition operation execution module of the invention.
Detailed description of the embodiments
To support multi-type and multi-state network application-layer protocol recognition modes while keeping features and recognition modes easy to update, the invention provides a description method for network application-layer protocol recognition modes and a protocol recognition system based on this method.
Overview of the description method
The description method for application-layer protocol recognition modes (AIMDL) builds a complete complex operation by describing a combination of several basic recognition operations. These operations were obtained by analysing existing protocol recognition modes.
An application-layer packet has three main protocol-related attributes: payload content, packet length and port. The basic recognition operations therefore mainly act on these three attributes. Features fall into two kinds according to what is matched. One is a match between the content of a basic attribute and a static feature, such as a particular feature field appearing in the packet or the communication port being a particular value. The other is a relation between basic attributes, for example a data value at a particular position in the payload having a particular relation to the packet length or the communication port number.
Recognition modes that combine features from several packets are implemented in AIMDL through a state-machine-based framework and a buffer structure for temporary storage. In a state-machine-based recognition mode, each group of recognition operations represents a confirmed step from one state of the state machine toward the final state, and reaching the final state means that recognition has succeeded. It is therefore necessary to describe the matching state that corresponds to a group of operations and the relations between the states. AIMDL can describe whether a group of operations belongs to a recognition state of the state-machine framework and which preceding state that recognition state requires, so each part of the whole state-machine framework can be expressed independently. Some state-machine-based recognition operations need to store data, for example when the value at a certain offset in the first packet and the value at a particular offset in a later packet have a relation that can serve as a recognition feature. In the protocol recognition framework of the invention, a buffer is provided in each flow record to hold such data, and AIMDL supports the related buffer operations so that this kind of feature recognition mode is supported.
An application-layer recognition system contains the recognition modes of many applications, and each application has traffic with various features that need various feature recognition modes. AIMDL therefore includes structure-description elements that describe the structural relations among the different applications and the different recognition modes.
The concrete description method, using XML as the example
AIMDL, the description method for network application-layer protocol recognition modes, is an XML-based description. Specific element tags are defined to describe the various structures. Examples and detailed explanations of the classes of description object mentioned above follow:
One. Description of static feature matching
1. Description of the check that the payload contains a feature field
<payload>
  <content>BitTorrent protocol</content>
  <offset>1</offset>
  <length>19</length>
</payload>
This element states that the recognition mode includes a check for a payload feature field. It has three child elements:
"content": the content of the feature field, here the string "BitTorrent protocol";
"offset": the position of the feature field in the payload. A negative number is an offset counted backwards from the end of the payload. The special value "SEARCH" means that there is no fixed offset and the position of the feature field in the packet is not fixed. The offset in the example denotes the second byte of the payload, since the first byte has offset 0;
"length": the length of the feature field; 19 in the example is the length of "BitTorrent protocol".
2. Description of the check of payload length as a feature value
<payload_length>68</payload_length>
The payload length check is generally used as the first operation of a complete group of recognition operations. Many features only appear in packets of a fixed length or within a particular length range. The element content gives the length of the feature packet; if it contains a ">" sign, it expresses a range restriction.
3. Description of the check of port number as a feature value
<port>
  <group>
    <start>6881</start>
    <end>6889</end>
  </group>
  <group>
    <start>10044</start>
    <end>10044</end>
  </group>
</port>
A port feature check cannot establish the protocol with certainty, and protocols that use dynamic ports may be misidentified, so port-based recognition is used only when other recognition modes cannot identify the traffic correctly.
"group": contains two elements, "start" and "end", meaning that every port from "start" to "end" is a feature port of the protocol.
Two. Description of matching on relations between basic elements
1. Payload content related to packet length
<content_length>
  <offset>0</offset>
  <byte_width>1</byte_width>
  <multiple_number>1</multiple_number>
  <differ_value>3</differ_value>
</content_length>
This is for features in which the payload content contains payload length information.
"offset": the position of the feature in the payload;
"byte_width": the size of the data field; the 1 in the example means that the data is one byte wide;
"multiple_number": the multiplier. The match is: payload length = payload content × multiple + difference;
"differ_value": the difference in the formula above.
In the example: payload length = value of the first byte × 1 + 3.
2. Payload content related to itself
<content_content>
  <offset0>2</offset0>
  <offset1>3</offset1>
  <differ_value>3</differ_value>
</content_content>
The content_content element describes features in which the data at two fixed offsets in the payload have a fixed relation. Analysis of packet contents shows that the relation is generally equality or a fixed difference, so corresponding elements were designed to describe this recognition operation.
"offsetX": the positions of the two values being compared.
"differ_value": the fixed difference between the two values being compared.
Three. State description
<state>
  <pre_state>NO_STATUS</pre_state>
  <finalstate>0</finalstate>
  <identifier_state>BT0</identifier_state>
</state>
The state tag is used to implement the state-based recognition framework. Its main elements are:
"pre_state": in a state-machine-based recognition mode, the relations between states are what guarantee that recognition operations are carried out correctly. Describing the preceding state controls the recognition flow in multi-state recognition.
"finalstate": indicates whether this is the last state of a group of multi-state recognition. If the matching operations of a final state succeed, the multi-state matching flow is complete.
"identifier_state": the value assigned to the state label of a flow that passes this group of matching operations, so that later packets of the flow can enter the next state for feature matching.
Four. Description of buffer operations
1. Description of the store buffer operation
<store_buffer>
  <buffer_offset>0</buffer_offset>
  <payload_offset>2</payload_offset>
</store_buffer>
Used to store data from the payload in the buffer for use by later operations.
"payload_offset": the offset in the payload of the data to be stored.
"buffer_offset": the position in the buffer at which the data is to be stored.
2. Description of the modify buffer operation
<modify_buffer>
  <buffer_offset>1</buffer_offset>
  <add_value>1</add_value>
</modify_buffer>
Some matching processes need to operate on the data in the buffer before matching. This element describes such operations. According to the analysis, only features in which a value increases occur, so the elements are defined as follows:
"buffer_offset": the position of the buffer element operated on.
"add_value": the amount of the increase.
3. Description of the judge buffer operation
<judge_buffer>
  <buffer_offset>2</buffer_offset>
  <payload_offset>8</payload_offset>
  <width>4</width>
</judge_buffer>
After data has been stored and any specific modification carried out during the operations of the preceding state, application protocol features are matched by comparing the data in the buffer with the data at a particular position in the newly inspected packet.
"buffer_offset": the offset in the buffer of the feature data to be matched.
"payload_offset": the offset in the payload of the data to be matched against the buffer content.
"width": the width of the matched data. The 4 in the example means that 4 bytes of data are compared.
Five. Description of the structure of recognition modes
<protocol_name>
  <tcp>
    ...
  </tcp>
  <udp>
    <method>
      <statu>
        ...
      </statu>
      <payload_length>X</payload_length>
      ...
    </method>
    <method>
      ...
    </method>
    ...
  </udp>
</protocol_name>
The above is the file structure used to describe the recognition modes of one application in AIMDL:
Root element "protocol_name": indicates which application's recognition modes this element describes.
Second-level tags "tcp" and "udp": distinguish the recognition modes for tcp flows and udp flows of the same application. When the protocol recognition mode tables are built, a separate feature matching method table is constructed for each protocol, which makes the recognition flow faster.
"method" tag: a method tag consists of a "state" tag, a "payload" tag and other operation tags, and represents one independent recognition mode. It contains the state information of the method, its packet length restriction and the combination of basic operations it includes. From its state information it can be determined whether the method is one state of a multi-state recognition or a group of operations that can recognize an application protocol on its own. The packet length restriction makes it possible to check quickly whether a packet meets the basic requirement for further checks. The remaining listed operations are the group of basic operations needed to complete one independent recognition mode.
Overview of the protocol recognition system
The application-layer protocol recognition system of the invention is a recognition framework that uses the recognition modes described in AIMDL to identify application traffic efficiently.
Statistics and analysis of network application protocol recognition modes yielded a number of basic feature matching methods. These methods take the attributes of a network packet (content, packet length and port information) as the objects of feature matching, and implement feature checks both of these attributes against static features and of the relations among these attributes. The basic recognition operations combine the attributes of network data with the matching operations that can be applied to them, so all existing protocol recognition modes can be implemented by combining these few basic operations. The correctness of this design was verified statistically against actual protocol recognition modes. By designing descriptions of these basic operations and their parameters into AIMDL, any protocol recognition mode can therefore be described in AIMDL. As network protocols keep changing, the recognition features of many protocols are spread over several packets, so this information has to be combined before recognition can work. The invention uses a feature matching framework based on a state machine and temporary storage to recognize such features, and AIMDL includes the related operations and descriptive elements.
Designing an AIMDL-based content interpreter and protocol recognition module makes it possible to build an efficient protocol recognition system with AIMDL. The AIMDL content interpreter takes the organization of the basic recognition operations and their parameters from the AIMDL recognition mode description file and stores them in the specially designed recognition mode storage data structure, the method list. On the one hand, an update is carried out by parsing the AIMDL description file again; on the other hand, this structure supplies the recognition operation execution module with the recognition modes to execute. The protocol recognition operation execution module performs protocol recognition correctly and efficiently according to the contents of the method list.
The protocol recognition system of the invention supports many types of protocol recognition mode while keeping features and recognition modes easy to update. Support for multiple recognition modes means that efficient recognition modes can be used in the system without restriction, and because these modes can all be described conveniently in AIMDL, a recognition mode can be updated simply by updating the description file. XML is easy to interpret and extensible, which simplifies the design and updating of recognition modes for operators. The result is an application-layer protocol recognition framework that combines recognition efficiency with extensibility. In addition, state recognition can be used to implement multi-state protocol recognition modes. The prior art has no general solution for multi-state recognition: similar functionality is achieved only by merging the contents of several packets into a whole for matching, or by designing a specific multi-state recognition mode for a specific protocol.
Fig. 1 is a working schematic of the application-layer protocol recognition system of the invention. As shown in Fig. 1, the system comprises the description-method interpreter for protocol recognition modes, the Method List data structure module and the protocol recognition operation execution module. The overall system flow has the following stages:
1) the corresponding configuration file is designed according to the recognition mode, following the NAIMDL syntax rules;
2) during initialization, the program calls the interpreter module to parse the configuration file and builds the method list data structure in the program from its contents;
3) the recognition module of the program uses the contents of the method list structure to carry out protocol recognition.
Concrete structure of the protocol recognition system based on the XML platform
One. The description-method interpreter for AIMDL protocol recognition modes
The AIMDL interpreter parses the organization of the recognition modes and their parameters out of the recognition mode description file and stores them in the corresponding data structure, the method list. Because AIMDL is based on XML, the AIMDL interpreter uses an existing XML parser to traverse each basic XML element in the file and obtain its content; the program then only needs the logic that interprets the semantics of that content according to the AIMDL definitions. The implementation builds on the open-source software library libxml2 to traverse and parse the XML element contents of the file, and the semantic parsing code allocates storage in the method list for each element's content according to the grammar and the designed structure of the method list.
Fig. 2 is the flow chart of the protocol recognition mode description interpreter module of Fig. 1. As shown in Fig. 2, the whole AIMDL parser module consists of two parts. Stage 200 obtains the structure of the description file. Stage 202 then judges whether there is a next protocol: if not, the flow enters stage 210 and the parser ends; if so, it enters stage 204, which obtains the state information and packet length restriction, builds the protocol header and loads it into the method list. Stage 206 judges whether there is a next protocol: if not, the flow jumps back to before stage 202; if so, it enters stage 208, which obtains information such as the basic operation parameters, builds the structure and loads it at the corresponding position in the method list. Finally, depending on the operation, the flow either returns to before stage 206 or enters stage 210, where the parser ends.
Two. The Method List data structure module
The method list stores the recognition modes in the protocol recognition program. It is built from a dynamic linked list and untyped pointers, which makes it easy to extend the protocol recognition modes dynamically. The design of the structure also makes the protocol recognition flow efficient.
Fig. 3 is the structure diagram of the Method List data structure module of Fig. 1. As shown in Fig. 3, the diagram omits the pointer elements that link the list elements.
Recognition mode header: leads a group of basic recognition operations that together implement one independent recognition mode. Such a mode may be one that directly identifies which application protocol the packet's flow belongs to, or one that checks a single state of a multi-state recognition mode. The main elements of the header are the state information of the mode, the packet length restriction, the application name, and pointers to its basic operations and to the next recognition header. The state information records whether this recognition mode is part of a multi-state recognition mode and, if so, what preceding state it requires and what state name is assigned after recognition. The packet length restriction indicates that the recognition mode applies to packets whose length meets a certain condition. The packet length restriction and the preceding-state requirement make it possible to judge whether a packet qualifies before the subsequent series of basic recognition operations is carried out, which effectively speeds up the average detection flow.
Basic recognition operation: from its type and parameters, the recognition operation execution module can carry out each basic operation of a recognition mode. Because there are many types of basic operation, the elements of the list are linked with untyped pointers, and the type of the next operation is stored so that the content of the next basic operation element can be interpreted correctly.
Three. The protocol recognition operation execution module
The protocol recognition operation execution module carries out protocol recognition using the recognition modes stored in the method list, together with the information of the packet under inspection and the recognition state and buffer contents in the record of the flow the packet belongs to.
Fig. 4 is the flow chart of the protocol recognition operation execution module of Fig. 1. As shown in Fig. 4, once a packet enters the recognition flow it is matched against the matching methods of the method list one by one. Each independent matching operation proceeds in this order:
1. packet length restriction check;
2. state information check;
3. basic detection operations.
If all three checks pass, the flow exits with the state recognized or the application identified. If a check fails, the flow continues with the next group of recognition operations until the packet is identified or the whole recognition flow has been completed.
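The three-step check order above, combined with the state and buffer elements defined earlier, can be exercised on a two-packet flow. The following is an added example, not code from the patent: the protocol "demo", the sample packets, the names FlowRecord, run_op and process_packet, the one-byte store_buffer width, the 8-bit wrap-around in modify_buffer and the big-endian length field are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed method list for a hypothetical two-packet UDP protocol "demo",
# written as the interpreter might leave it after parsing. Operation names and
# parameter names are the AIMDL element names defined on this page.
DEMO_METHODS = [
    {   # first state: length field at offset 0, remember the byte at offset 2
        "app": "demo", "payload_length": None,
        "pre_state": "NO_STATUS", "finalstate": False, "identifier_state": "DEMO0",
        "ops": [
            ("content_length", {"offset": 0, "byte_width": 1,
                                "multiple_number": 1, "differ_value": 3}),
            ("store_buffer", {"buffer_offset": 0, "payload_offset": 2}),
        ],
    },
    {   # final state: 6-byte packet whose byte 1 equals the stored byte + 1
        "app": "demo", "payload_length": 6,
        "pre_state": "DEMO0", "finalstate": True, "identifier_state": "DEMO1",
        "ops": [
            ("modify_buffer", {"buffer_offset": 0, "add_value": 1}),
            ("judge_buffer", {"buffer_offset": 0, "payload_offset": 1, "width": 1}),
        ],
    },
]


@dataclass
class FlowRecord:
    """Per-flow record: recognition state plus the temporary buffer."""
    state: str = "NO_STATUS"
    buffer: bytearray = field(default_factory=lambda: bytearray(8))


def run_op(name, p, payload, buf):
    """Run one basic operation; return False when the feature does not match."""
    if name == "content_length":
        raw = payload[p["offset"]:p["offset"] + p["byte_width"]]
        if len(raw) != p["byte_width"]:
            return False  # packet too short to hold the length field
        value = int.from_bytes(raw, "big")  # byte order is an assumption
        return len(payload) == value * p["multiple_number"] + p["differ_value"]
    if name == "store_buffer":  # assumption: exactly one byte is stored
        if p["payload_offset"] >= len(payload):
            return False
        buf[p["buffer_offset"]] = payload[p["payload_offset"]]
        return True
    if name == "modify_buffer":  # assumption: 8-bit wrap-around on increase
        buf[p["buffer_offset"]] = (buf[p["buffer_offset"]] + p["add_value"]) & 0xFF
        return True
    if name == "judge_buffer":
        want = bytes(buf[p["buffer_offset"]:p["buffer_offset"] + p["width"]])
        got = payload[p["payload_offset"]:p["payload_offset"] + p["width"]]
        return len(want) == p["width"] and got == want
    raise ValueError(f"unknown operation {name!r}")


def process_packet(methods, flow, payload):
    """Return the application name when a final state is reached, else None."""
    for m in methods:
        # 1. packet length restriction
        if m["payload_length"] not in (None, len(payload)):
            continue
        # 2. state information: the flow must be in the required preceding state
        if m["pre_state"] != flow.state:
            continue
        # 3. basic operations, run on a copy so that a method that fails
        #    part-way (after modify_buffer) leaves the flow's buffer untouched
        scratch = bytearray(flow.buffer)
        if all(run_op(name, p, payload, scratch) for name, p in m["ops"]):
            flow.buffer, flow.state = scratch, m["identifier_state"]
            return m["app"] if m["finalstate"] else None
    return None


# Constructed sample packets
PKT1 = bytes([5, 0x00, 0x41, 0, 0, 0, 0, 0])  # 8 bytes = 5 * 1 + 3, byte 2 = 0x41
PKT2_BAD = bytes([0, 0x41, 0, 0, 0, 0])       # byte 1 was not incremented
PKT2 = bytes([0, 0x42, 0, 0, 0, 0])           # byte 1 = 0x41 + 1
```

Running the operations on a scratch copy matters because modify_buffer changes stored data: without it, a packet that fails the later judge_buffer check would still shift the value that the next packet is compared against.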
Workflow of the protocol recognition system based on the XML platform
The overall workflow of the protocol recognition system is described below with a real example:
One. The content of a real recognition mode description file
<?xml version="1.0" encoding="UTF-8"?>
<bittorrent>
  <tcp>
    <type value="1">
      <byte>
        <content>0x13</content>
        <offset>0</offset>
      </byte>
      <string>
        <content>BitTorrent protocol</content>
        <offset>1</offset>
        <string_length>19</string_length>
      </string>
    </type>
  </tcp>
  <udp>
    <type value="1">
      <payload_length>21</payload_length>
      <byte>
        <content>0x00</content>
        <offset>0</offset>
      </byte>
      <byte>
        <content>0x00</content>
        <offset>1</offset>
      </byte>
      <byte>
        <content>0x04</content>
        <offset>2</offset>
      </byte>
      <byte>
        <content>0x01</content>
        <offset>3</offset>
      </byte>
    </type>
  </udp>
</bittorrent>
The above is a configuration file, written in NAIMD, that describes how to identify BT traffic. It implements one feature recognition mode each for tcp and udp:
1. The first byte of the payload is 0x13 and the 19 bytes starting at the second byte are the string "BitTorrent protocol"; this targets tcp traffic.
2. The payload length is 21 and the first four bytes are 0x00 0x00 0x04 0x01.
Two. initialization resolving
The Context resolution module will import the RM of describing in the file described in () according to configuration file.
1. at first determined to be about to the RM of introducing at the BT agreement according to host element content " bittorrent ";
2. extract the RM content under tcp and the udp label respectively, the RM that it is inner joins among the corresponding method list (comprise two methodlist in the system, represent the agreement RM of tcp and udp respectively);
3. be each in resolving " type " content under the label makes up a RM head (identifier_header) in method list, and the basic recognition element of each among the type is in the basic RM of this RM head link.For example the type under the TCP label 1 makes up a RM head, and linking two RMs is respectively to judge whether the first byte content is 0x13 and judge whether 19 byte content that second byte begins are " BitTorrentProtocol ".
Three. the identification implementation
In concrete identification implementation, the identification Executive Module is realized concrete identification work according to the content among the method list.
Idiographic flow is as follows:
1. determine to carry out identification work according to transport layer protocol with reference to the method list of TCP or UDP;
2. stream information under packet content and its is carried out identification work with some essential informations of the RM head appointment among the method list and one group of basic identifying operation of link; If do not finish any one independently identifying operation just be considered to satisfy this RM characteristic of correspondence, judge so continue to enter the RM of next the bar RM head appointment among the method list.If finished an all operations that the RM head is specified, then be considered to satisfy recognition feature (or having satisfied the feature that enters NextState in the multimode identification), then this stream just can be identified not corresponding flow.
Four. A complete workflow example
When a packet, together with the information of the stream it belongs to, enters the detection process, the recognition execution module identifies the traffic according to the method list information. It first selects the corresponding method list according to the packet's transport-layer protocol (tcp and udp each maintain their own method list). It then carries out the identifying operations of the RM specified by each RM head in that method list. Suppose a packet is checked against the method specified by the first type under tcp in the RM description file above. The first operation checks whether the first byte is 0x13. (This operation is stored in the first operation structure specified by the RM head; the RM head holds the operation's type and a pointer to it, so that the recognition execution module can correctly locate the structure that stores the operation. The comparison parameter 0x13 is stored in this structure, and the execution module matches the packet and stream information against the feature according to the parameter and the operation type.) If the packet does not meet this feature, the identifying operations specified by this RM head end immediately and identification moves on to the process specified by the next RM head. If it does meet the feature, the follow-up identifying operations continue, for example comparing whether the content beginning at the second byte is the character string "BitTorrent Protocol"; if not, identification moves on to the next RM. If so, the recognition execution module is informed that feature matching is complete, and the stream to which the packet belongs can be identified as belonging to the BT application.
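The method-list walk described above, sketched in C as an added example (it is not code from the patent). Every name except identifier_header is an assumption, and the pattern uses the on-wire handshake spelling "BitTorrent protocol".

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical layout: only the name identifier_header comes from the text. */
enum op_type { OP_BYTE_EQ, OP_BYTES_EQ };
struct byte_eq  { size_t off; unsigned char val; };
struct bytes_eq { size_t off; size_t len; const char *pat; };

struct basic_op {                  /* one basic identifying operation */
    enum op_type type;
    const void *param;             /* untyped pointer, interpreted per type */
    const struct basic_op *next;
};

struct identifier_header {         /* one RM head in a method list */
    const char *proto;
    const struct basic_op *ops;
    const struct identifier_header *next;
};

static int run_op(const struct basic_op *op, const unsigned char *p, size_t n) {
    if (op->type == OP_BYTE_EQ) {
        const struct byte_eq *a = op->param;
        return a->off < n && p[a->off] == a->val;
    }
    const struct bytes_eq *a = op->param;
    /* Bounds check first: a short packet must fail, not be read past its end. */
    return a->off <= n && a->len <= n - a->off &&
           memcmp(p + a->off, a->pat, a->len) == 0;
}

/* Walk the method list; the first head whose operations all complete wins. */
const char *identify(const struct identifier_header *ml,
                     const unsigned char *p, size_t n) {
    for (; ml; ml = ml->next) {
        const struct basic_op *op = ml->ops;
        while (op && run_op(op, p, n)) op = op->next;
        if (ml->ops && !op) return ml->proto;  /* empty heads never match */
    }
    return NULL;                               /* no RM head matched */
}

/* TCP method list holding the type-1 BT RM from the example above. */
static const struct byte_eq  bt_len  = { 0, 0x13 };
static const struct bytes_eq bt_name = { 1, 19, "BitTorrent protocol" };
static const struct basic_op bt_op2  = { OP_BYTES_EQ, &bt_name, NULL };
static const struct basic_op bt_op1  = { OP_BYTE_EQ, &bt_len, &bt_op2 };
static const struct identifier_header tcp_method_list = { "bittorrent", &bt_op1, NULL };
```

The length checks in run_op matter for any engine of this kind, because the offsets and lengths come from a description file while the packet length comes from the network.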
The above specific description of the present invention is intended to illustrate the implementation of specific embodiments and cannot be interpreted as a limitation of the present invention. Those of ordinary skill in the art can make various variants on the basis of the embodiments described in detail under the teaching of the present invention, and these variants shall all be included within the concept of the present invention. The scope claimed by the present invention is limited only by the claims.
Claims (10)
1. A network application-level protocol recognition method, characterized in that the recognition method comprises the following steps:
1) describing the protocol RM of the network application layer and generating a corresponding RM description file;
2) parsing the RM description file and generating a corresponding Method List data structure; and
3) recognizing the network application-level protocol according to the Method List data structure.
2. The recognition method according to claim 1, characterized in that the network application-level protocol recognition mode is a multi-type and/or multi-state protocol RM.
3. The recognition method according to claim 1, characterized in that step 1) further comprises: describing, in the RM description file, the operation modes that provide operational support for protocol recognition and the structure of the RM.
4. The recognition method according to claim 1, characterized in that the parsing in step 2) is based on the XML language platform.
5. The recognition method according to claim 1, characterized in that the Method List data structure in step 3) adopts a combination of a dynamic linked list and untyped pointers.
6. The recognition method according to claim 3, characterized in that the operation modes that provide operational support for protocol recognition include the buffer operation.
7. A network application-level protocol recognition system, characterized in that the recognition system comprises:
a describing method interpreter that parses the protocol RM description file, wherein the RM description file is used to describe the protocol RM of the network application layer;
a Method List data structure module that stores the Method List data structure produced by parsing; and
a protocol identifying operation execution module that recognizes protocols according to the Method List.
8. The recognition system according to claim 7, characterized in that the describing method interpreter is based on the XML language platform.
9. The recognition system according to claim 8, characterized in that the describing method interpreter calls the open-source LIBXML2 code library.
10. The recognition system according to any one of claims 7 to 9, characterized in that the Method List data structure module adopts a combination of a dynamic linked list and untyped pointers.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008101060729A CN101577704A (en) | 2008-05-08 | 2008-05-08 | Network application-level protocol recognition method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101577704A true CN101577704A (en) | 2009-11-11 |
Family
ID=41272492
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2008101060729A Pending CN101577704A (en) | 2008-05-08 | 2008-05-08 | Network application-level protocol recognition method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101577704A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
Application publication date: 20091111 |