
CN119182597A - Operating system fingerprint identification method based on programmable switch - Google Patents


Info

Publication number
CN119182597A
Authority
CN (China)
Prior art keywords
data packet, header, operating system, tcp, fingerprint identification
Legal status
Pending
Application number
CN202411292399.5A
Other languages
Chinese (zh)
Inventors
汤澹, 陈可可, 王嘉慧, 秦拯, 陶然, 刘璐
Current Assignee
Hunan University
Original Assignee
Hunan University
Application filed by Hunan University
Priority to CN202411292399.5A
Publication of CN119182597A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00 Packet switching elements
    • H04L49/90 Buffering arrangements
    • H04L49/9057 Arrangements for supporting packet reassembly or resequencing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an operating system fingerprint identification method based on a programmable switch, and belongs to the field of computer network security. First, the p0f.fp file used by the operating system fingerprinting tool p0f is taken as the operating system fingerprint library; the control plane parses its TCP request module, converts it into operating system fingerprint identification table entries, and issues those entries to the programmable switch, which stores them. Then, when a data packet in the network enters the programmable switch, the switch parses the packet and performs operating system fingerprint identification using the fingerprint identification table issued by the control plane. It then updates the checksum of the packet, reassembles the packet, and finally outputs it, which completes operating system fingerprint identification of the TCP SYN packet. The invention implements the operating system fingerprint identification function directly on the data plane, and performs more accurate operating system fingerprint identification in the network in real time and at line rate.

Description

Operating system fingerprint identification method based on programmable switch
Technical Field
The invention belongs to the field of computer network security, and in particular relates to an operating system fingerprint identification method based on a programmable switch.
Background
With the rapid development of the Internet and the wide adoption of smart devices, network traffic has exploded and the volume of transmitted data keeps growing. Under these conditions, increasing the processing capacity for network packets as far as possible has become a pressing problem. At the same time, from a network security standpoint, a network administrator needs to know the operating system information of all devices in the network under their management. This helps administrators learn in time about possible security threats in the network and their possible countermeasures. It is therefore important to obtain, by some means, information about the operating system a remote host is running. Operating system fingerprinting is a technique that identifies the type and version of the operating system running on a remote host from its observable characteristics.
Operating system fingerprinting techniques fall into two categories: active probing and passive identification. Active probing sends carefully constructed packets to a host and determines the type and version of its operating system from the particular responses it receives. Passive identification infers the type and version of the operating system running on each host in the network by analyzing network traffic. Compared with active probing, passive identification places no additional burden on the network, so operating system identification of hosts across a whole network is usually performed with passive methods. p0f is a well-known passive operating system fingerprinting tool, and p0f.fp is the operating system fingerprint database it uses.
Along with the development of network programmability, the programmable data plane has been proposed. It has independent packet processing capability, allows the packet processing logic to be customized, is not bound to any particular network protocol, offers higher flexibility, and allows the packet processing mode to be reconstructed at any time. Programmable switches are a subordinate concept of the programmable data plane. Unlike the switches of a conventional Software Defined Network (SDN), programmable switches can be programmed to customize the flow of packet parsing and processing. The core function of a programmable switch can be abstracted as a match-action pipeline: packet data is matched continuously against the tables installed in the switch, and whenever a match succeeds the switch executes the corresponding action.
In conventional SDN, operating system fingerprint identification is commonly performed by software deployed on the control plane. Compared with the processing of an ordinary packet, this adds communication time between the data plane and the control plane as well as software analysis time. On this basis, the invention provides an operating system identification method based on a programmable switch. Using the TCP request module of the p0f.fp file and the Programming Protocol-Independent Packet Processors (P4) language, the operating system identification function for TCP SYN packets is implemented on the programmable switch, so that operating system fingerprint identification is carried out directly on the data plane at line rate while the packet is processed. This raises the packet processing speed during passive identification and improves the network's processing capability while operating system fingerprinting is performed.
Disclosure of Invention
The invention provides an operating system fingerprint identification method based on a programmable switch. The method improves the speed of operating system fingerprint identification without noticeably reducing its accuracy.
The method comprises seven steps: the control plane parses the operating system fingerprint library, the control plane issues table entries, the data plane parses the data packet, operating system fingerprint identification, checksum update, packet reassembly, and packet output.
1. The control plane parses the operating system fingerprint library. The control plane automatically converts each signature of the TCP request module in the p0f.fp file into an entry of the p0f_match table defined by the data plane, where p0f_match is the operating system fingerprint identification table installed on the data plane. The data in the TCP request module is divided into labels and signatures: a label corresponds to one class of operating system, and a signature is a set of features of a network packet. Compared with the signature part of the TCP request module, the signature part of p0f_match has one additional key, the ratio of window size to maximum segment size.
2. The control plane issues the table entries. The generated p0f_match entries are issued to the data plane.
3. The data plane parses the data packet. The data plane parses the packet and collects the key information of the operating system fingerprint table, which is also referred to as p0f metadata.
4. Operating system fingerprint identification. Collection of key information continues, the collected key information is matched against the entries of the operating system fingerprint identification table stored in the switch, and the processing action for the packet is obtained. There are four processing actions:
Action 1: only output the identification result;
Action 2: output the identification result, then discard the packet;
Action 3: output the identification result, then redirect the packet to a specific destination;
Action 4: output the identification result, then discard all packets from that source IP, including this packet.
5. The checksum is updated. Since a processing action modifies at most the destination MAC address and the destination IP address, the programmable switch must also update the frame check sequence and the checksum of the network layer protocol after the processing action.
6. The packet is reassembled. The original destination MAC address, destination IP address and checksum in the packet are replaced with the destination MAC address and destination IP address determined in step 4 and the checksum determined in step 5.
7. The packet is output. Whether the packet is forwarded, and from which port, is decided by the processing action determined for it:
(1) if the processing action is action 1, the packet is output from the corresponding port;
(2) if the processing action is action 2, the packet is sent to the drop port and discarded;
(3) if the processing action is action 3, the packet is redirected to the corresponding port;
(4) if the processing action is action 4, the packet is sent to the drop port and discarded, and any later packets from the same IP are also all discarded.
Advantageous effects
The invention provides an operating system fingerprint identification method based on a programmable switch, which uses the TCP request module of p0f.fp to perform operating system fingerprint identification on TCP SYN packets: the control plane parses the TCP request module of p0f.fp and issues it to the data plane. On the data plane, for each packet, the data plane first parses the packet to collect the key information for operating system fingerprint identification, matches the collected key information against the entries of the operating system fingerprint identification table stored in the switch, obtains the processing action for the packet, then updates and reassembles the packet, and finally outputs the packet according to the processing action determined for it. The method improves the speed of operating system fingerprint identification without noticeably reducing accuracy.
Drawings
Fig. 1 is a flowchart of packet parsing according to the method of the invention.
Fig. 2 is a flowchart of operating system fingerprint identification according to the method of the invention.
Fig. 3 is a general framework diagram of the programmable switch-based operating system fingerprint identification method.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
The process by which the control plane parses the operating system fingerprint library can be divided into two steps: conversion of a single fingerprint signature and aggregation of all fingerprint signatures. Two classes, P0fRuleSig and P0fRuleConverter, are designed for these two steps respectively. Each signature of the TCP request module is converted into a P0fRuleSig signature, and the P0fRuleConverter class builds on P0fRuleSig to convert the whole TCP request module of the p0f.fp file into a form suitable for the control plane to issue. The signature fields under the TCP module of the p0f.fp file comprise the network protocol version, the initial time to live, the option length, the maximum segment size, the window size, the window scaling factor, the TCP option layout, the quirk group (special values) and the payload size. The quirk group includes df (the don't-fragment flag is set in IPv4), ecn (the packet supports explicit congestion notification), flow (the IPv6 flow ID is non-zero), and so on.
The basic attributes of a P0fRuleSig object correspond closely to the signature fields of the TCP request module, except that each field of the quirk group other than "bad" is listed separately, alongside the other top-level fields of the original signature. Each P0fRuleSig instance first converts an original p0f signature into a signature object in a format suitable for the entries the control plane issues, by means of the method get_sig(self, org_sig), which assigns values to the attributes of the P0fRuleSig object from the values of the fields of the original p0f signature. P0fRuleSig also has additional member variables that the control plane needs in order to issue the flow entry: the name of the action corresponding to the signature, the parameters the action requires, and the match priority of the signature. These additional member variables are determined in the second step.
Four member variables are defined in the P0fRuleConverter class: the label list, the signature list, the signature-to-label mapping list and the application-to-operating-system mapping dictionary. Each value in the signature-to-label mapping list is the index of a label in the label list; when a signature is appended to the signature list, the index of the last label currently in the label list is appended to the signature-to-label mapping list. A label under the TCP request module contains four fields: a type field, a class field, a name field and a further description field. The type field indicates whether the label is specific or generic, and the class field indicates the operating system family the label corresponds to, for example win, unix or cisco. Applications also send packets, and p0f.fp also collects part of the signatures of packets sent by such software; for these, the class value of the corresponding label is "|". When the class field of a label is "|", the operating system on which the tool runs can be obtained directly from the application-to-operating-system mapping dictionary. After every member variable of the P0fRuleConverter class has been given its value, the label of each signature is compared with the externally configured operating system types that require special handling, the action corresponding to the label and the parameter values to be passed are obtained, and the assignment of the P0fRuleSig member variables is completed.
Next, each signature is assigned a match priority, that is, the priority attribute of the P0fRuleSig object is given an appropriate value. Two priority rules are set: "match among all specific labels first, then among all generic labels", and "among labels of the same type, a signature that appears earlier has the higher priority". To handle the four quirks df, id-, id+ and ecn, an original signature whose quirk group contains df or id-, or lacks id+ or ecn, automatically generates a fuzzy signature with a lower priority than the corresponding exact signature of the same label type. Based on the priority rules, the priority base of a signature of a specific label is set to four times the length of the signature list plus 1, the base of a fuzzy signature of a specific label to three times the length of the signature list plus 1, the base of a signature of a generic label to two times the length of the signature list plus 1, and the base of a fuzzy signature of a generic label to the length of the signature list plus 1. The actual priority is calculated as follows:
Signature priority = its corresponding priority base minus the order in which the signature appears among the signatures of its class.
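As an added example (not the patent's own code), the following Python sketches the two control-plane steps described above: get_sig splits a p0f.fp TCP request signature into separately listed fields plus the extra window-size/MSS-ratio key, and the converter applies the priority bases and the "base minus order" formula. The class and method names follow the text; the field names, the 0-based ordering, the sample signatures and the way a fuzzy signature wildcards df/id+/id-/ecn are this example's assumptions.

```python
from dataclasses import dataclass, field

FUZZY_QUIRKS = ("df", "id+", "id-", "ecn")   # the four quirks the text singles out
WILDCARD = "*"


@dataclass
class P0fRuleSig:
    """One TCP request signature in the shape the control plane issues."""
    ver: str
    ittl: str
    olen: str
    mss: str
    wsize: str                 # literal window size, or "*" when given as mss*N
    scale: str
    olayout: str
    quirks: dict               # df/id+/id-/ecn listed separately, the rest joined
    pclass: str
    wsize_mss_ratio: str = WILDCARD   # the extra key of p0f_match
    label_idx: int = -1
    fuzzy: bool = False
    priority: int = 0

    @classmethod
    def get_sig(cls, org_sig: str) -> "P0fRuleSig":
        """Split 'ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass'."""
        ver, ittl, olen, mss, ws, olayout, quirks, pclass = org_sig.split(":")
        wsize, scale = ws.split(",")
        ratio = WILDCARD
        if wsize.startswith("mss*"):
            # A window given as a multiple of MSS becomes the ratio key, which the
            # data plane can compute per packet; the literal wsize is wildcarded.
            ratio, wsize = wsize[4:], WILDCARD
        qset = {q for q in quirks.split(",") if q}
        qdict = {q: (q in qset) for q in FUZZY_QUIRKS}
        qdict["other"] = ",".join(sorted(qset - set(FUZZY_QUIRKS)))
        return cls(ver, ittl, olen, mss, wsize, scale, olayout, qdict, pclass,
                   wsize_mss_ratio=ratio)

    def needs_fuzzy(self) -> bool:
        """Rule from the text: df or id- present, or id+ or ecn absent."""
        q = self.quirks
        return q["df"] or q["id-"] or not q["id+"] or not q["ecn"]

    def fuzzy_copy(self) -> "P0fRuleSig":
        """Assumption of this example: the fuzzy variant wildcards the four quirks."""
        quirks = {**self.quirks, **{q: WILDCARD for q in FUZZY_QUIRKS}}
        return P0fRuleSig(self.ver, self.ittl, self.olen, self.mss, self.wsize,
                          self.scale, self.olayout, quirks, self.pclass,
                          self.wsize_mss_ratio, self.label_idx, fuzzy=True)


@dataclass
class P0fRuleConverter:
    """Aggregates a whole TCP request module (each label followed by its sigs)."""
    label_list: list = field(default_factory=list)   # (type, class, name, flavor)
    sig_list: list = field(default_factory=list)
    sig_to_label: list = field(default_factory=list)
    app_to_os: dict = field(default_factory=dict)    # for application labels

    def feed(self, text: str) -> None:
        for line in text.splitlines():
            line = line.strip()
            if line.startswith("label"):
                self.label_list.append(tuple(line.split("=", 1)[1].strip().split(":", 3)))
            elif line.startswith("sig"):
                sig = P0fRuleSig.get_sig(line.split("=", 1)[1].strip())
                sig.label_idx = len(self.label_list) - 1   # index of the last label seen
                self.sig_list.append(sig)
                self.sig_to_label.append(sig.label_idx)

    def entries(self) -> list:
        """Exact plus fuzzy signatures with the priorities described in the text."""
        n = len(self.sig_list)
        base = {("s", False): 4 * n + 1, ("s", True): 3 * n + 1,
                ("g", False): 2 * n + 1, ("g", True): n + 1}
        order, out = {}, []   # 0-based order keeps every class above the next base
        for sig in self.sig_list:
            for v in [sig] + ([sig.fuzzy_copy()] if sig.needs_fuzzy() else []):
                key = (self.label_list[v.label_idx][0], v.fuzzy)
                v.priority = base[key] - order.get(key, 0)
                order[key] = order.get(key, 0) + 1
                out.append(v)
        return out


# Constructed excerpt in the p0f.fp TCP request syntax (not copied from p0f.fp).
SAMPLE_TCP_REQUEST = """
label = s:unix:Linux:3.x
sig   = *:64:0:*:mss*20,10:mss,sok,ts,nop,ws:df,id+:0
label = g:win:Windows:NT kernel
sig   = *:128:0:*:8192,0:mss,nop,nop,sok:df,id+:0
"""


def convert(text: str) -> list:
    conv = P0fRuleConverter()
    conv.feed(text)
    return conv.entries()
```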
Fig. 1 is a flowchart of packet parsing according to the invention. The process can be divided into four steps: extracting the Ethernet header, extracting the IPv4 header, extracting the IPv6 header and extension headers, and extracting the TCP header. Part of the signature under the TCP request module of the p0f.fp file relates to the network layer protocol and the other part to the transport layer protocol TCP, so the values of part of the fields of the p0f signature can already be obtained from the packet while it is parsed. The parsing process is as follows:
(1) Extract the Ethernet header. Because IPv4 and IPv6 have different structures, the corresponding packets are parsed differently, and the next step is selected according to the value of the type field in the Ethernet header. If the type value is 0x0800, the network layer protocol of the packet is IPv4 and the IPv4 header extraction stage is entered; if the type value is 0x86dd, the network layer protocol is IPv6 and the IPv6 header extraction stage is entered; if the type value is neither of these, the packet goes directly to the operating system fingerprint identification stage.
(2) Extract the IPv4 header. The IPv4 header (excluding the options and padding) is extracted first, and the header length, that is, the IHL value in the header, is checked to be at least 5. If it is less than 5, the packet is malformed, an "IPv4 header too small" error is reported, and the packet is discarded without further processing. If it is greater than or equal to 5, the IPv4 options and padding are extracted, and the next stage is selected according to the protocol field of the IPv4 header: if its value is 0x06, the transport layer protocol is TCP and the TCP header extraction stage is entered; otherwise the packet is discarded without further processing.
(3) Extract the IPv6 header and extension headers. The IPv6 header is extracted, and the programmable switch checks whether the Next Header value in the header is 0x6, the protocol number of TCP. If so, the TCP header extraction stage is entered directly; if not, the IPv6 extension headers are parsed. To parse the IPv6 extension headers, a "last extension header" variable is first set and initialized to an invalid value. The programmable switch then invokes a sub-parser for the IPv6 extension headers, passing it the "last extension header" variable, the packet, the header set and the metadata as parameters. The sub-parser has several states, and the extension headers are parsed by transitions between them. The first extension header is parsed in state 1, which exists specifically to identify the first extension header; from state 1 the switch jumps to the state that parses an extension header. In that state the corresponding extension header is parsed, the sub-parser records the Next Header value of that extension header in a "next extension header" variable, and then jumps to the state that identifies the extension header. In that state, the next operation depends on the value of the variable that records the next extension header. If the variable denotes an extension header supported by the invention (other than the No Next Header extension header), the sub-parser parses the corresponding IPv6 extension header and moves on to the next IPv6 extension header in the packet. If the value is the No Next Header extension header, the sub-parser accepts the packet, which goes directly to the operating system fingerprint identification stage. If the variable corresponds to TCP, the sub-parser accepts the packet and proceeds to the TCP header extraction stage.
(4) Extract the TCP header. At this stage the data offset field of the TCP header is checked first. If it is less than 5, the packet is malformed, a "TCP header too small" error is reported, and the packet is discarded without further processing. If it is not less than 5, the programmable switch invokes a sub-parser to parse the TCP options and padding, passing the packet, the header set and the metadata as parameters. The sub-parser maintains two variables: one records the number of bytes of the TCP options and padding still to be parsed, the other the number of TCP options parsed so far; in this specification they are called val1 and val2. The initial value of val1 is the byte length of the TCP options and padding to be parsed. If this initial value is 0, the sub-parser accepts the packet, which goes directly to the operating system fingerprint identification stage. If it is greater than 0, the sub-parser starts identifying the first TCP option. If the identified option is one supported by the invention, the sub-parser jumps to the part that parses that option, parses it, and updates val1, val2 and the option-related values in the p0f metadata. After parsing an option, the sub-parser checks whether val2 exceeds the maximum supported number of options; if so, it accepts the packet and enters the operating system fingerprint identification stage. If not, the sub-parser re-enters the option identification part and repeats the above until an unsupported TCP option is encountered, the TCP options and padding have been fully parsed, or the maximum number of supported options has been reached. In each of these three cases the sub-parser accepts the packet and the operating system fingerprint identification stage is entered.
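As an added example (not the patent's own P4 code), the following Python models the Fig. 1 parse flow for IPv4 frames and the TCP options sub-parser, including the malformed-packet checks the text describes; val1 and val2 follow the text, while MAX_OPTIONS, the supported option set, the constructed frame builder, and computing the window/MSS ratio here rather than in the fingerprint stage are this example's choices. The IPv6 extension-header sub-parser is not modelled.

```python
import struct

ETH_IPV4, ETH_IPV6, PROTO_TCP = 0x0800, 0x86DD, 0x06
MAX_OPTIONS = 8                      # assumed cap on parsed options (the val2 limit)
SUPPORTED = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}  # p0f names


class ParseError(Exception):
    """A malformed packet: the text reports the error and drops the packet."""


def parse_frame(frame: bytes) -> dict:
    """Return p0f metadata for a frame, or {'tcp': False} if it carries no TCP."""
    meta = {"tcp": False}
    eth_type = struct.unpack_from("!H", frame, 12)[0]
    if eth_type == ETH_IPV4:
        ihl = frame[14] & 0x0F
        if ihl < 5:
            raise ParseError("IPv4 header too small")
        ttl, proto = frame[14 + 8], frame[14 + 9]
        meta.update(ver=4, ittl=ttl, olen=(ihl - 5) * 4,
                    df=bool(frame[14 + 6] & 0x40), src=frame[26:30])
        l4 = 14 + ihl * 4
    elif eth_type == ETH_IPV6:
        # Fixed header only; the extension-header sub-parser is not modelled here.
        proto, ttl = frame[14 + 6], frame[14 + 7]
        meta.update(ver=6, ittl=ttl, olen=0, df=False, src=frame[22:38])
        l4 = 14 + 40
    else:
        return meta                  # neither 0x0800 nor 0x86dd: no TCP to inspect
    if proto != PROTO_TCP:
        raise ParseError("not TCP, dropped")
    return _parse_tcp(frame, l4, meta)


def _parse_tcp(frame: bytes, off: int, meta: dict) -> dict:
    doff = frame[off + 12] >> 4
    if doff < 5:
        raise ParseError("TCP header too small")
    flags = frame[off + 13]
    meta.update(tcp=True, syn=bool(flags & 0x02) and not flags & 0x10,
                wsize=struct.unpack_from("!H", frame, off + 14)[0],
                mss=0, scale=0, olayout=[])
    opts = frame[off + 20: off + doff * 4]
    val1, val2, i = len(opts), 0, 0   # bytes left to parse, options parsed so far
    while val1 > 0 and val2 < MAX_OPTIONS:
        kind = opts[i]
        if kind not in SUPPORTED:
            break                    # unsupported option: stop and accept
        if kind in (0, 1):           # eol / nop carry no length byte
            length = 1
        else:
            # Bounds check: a length that overruns the header is malformed.
            if val1 < 2 or opts[i + 1] < 2 or opts[i + 1] > val1:
                raise ParseError("TCP option length out of bounds")
            length = opts[i + 1]
            if kind == 2 and length == 4:
                meta["mss"] = struct.unpack_from("!H", opts, i + 2)[0]
            elif kind == 3 and length == 3:
                meta["scale"] = opts[i + 2]
        meta["olayout"].append(SUPPORTED[kind])
        i, val1, val2 = i + length, val1 - length, val2 + 1
        if kind == 0:
            break                    # end-of-options list
    # The text computes this ratio in the fingerprint stage; done here for brevity.
    meta["wsize_mss_ratio"] = meta["wsize"] // meta["mss"] if meta["mss"] else None
    return meta


def safe_parse(frame: bytes):
    """Model the drop path: ('ok', metadata) or ('drop', reason)."""
    try:
        return "ok", parse_frame(frame)
    except ParseError as err:
        return "drop", str(err)


def build_syn(ttl=64, wsize=29200, mss=1460, scale=7) -> bytes:
    """Constructed IPv4/TCP SYN frame with a Linux-like option layout."""
    opts = (struct.pack("!BBH", 2, 4, mss) + b"\x04\x02"             # mss, sok
            + struct.pack("!BBII", 8, 10, 1, 0) + b"\x01"             # ts, nop
            + struct.pack("!BBB", 3, 3, scale))                       # ws
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 10 << 4, 0x02,   # doff 10
                      wsize, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl,
                     PROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_IPV4) + ip + tcp
```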
Fig. 2 is a flowchart of operating system fingerprint identification according to the method of the invention. At this stage the programmable switch determines whether the packet contains a TCP segment. If not, the checksum update stage is entered directly. If so, it further checks whether the packet is a TCP SYN packet; if not, the checksum update stage is entered directly. If so, collection of key information continues, and once it is complete the ratio of window size to maximum segment size is computed and the corresponding variable updated. The programmable switch then matches the collected key information against the entries of the operating system fingerprint table stored inside the switch. If the matched action is action 2, action 3 or action 4, the switch assigns the packet to the corresponding queue. In the invention, action 4 is implemented with a Bloom filter, which can test whether an element belongs to a set; the switch decides whether to discard a packet by checking with the Bloom filter whether its IP has been recorded. Therefore, if the matched action is action 1, the switch next checks whether the source IP of the packet is present in the Bloom filter maintained inside the switch. If so, the packet is discarded as well; if not, the packet enters the normal forwarding queue and is forwarded normally.
Fig. 3 is a general framework diagram of the programmable switch-based operating system fingerprint identification method. The whole process comprises seven steps: the control plane parses the operating system fingerprint library, the control plane issues table entries, the data plane parses the data packet, operating system fingerprint identification, checksum update, packet reassembly and packet output. The method performs operating system fingerprint identification on TCP SYN packets. The control plane uses the P0fRuleSig and P0fRuleConverter classes to convert the data under the TCP request module of p0f.fp into a form it can issue, and then issues the table entries. Because one part of the fields in the signatures under the TCP request module of the p0f.fp file relates to the network layer protocol and the other part to the transport layer protocol TCP, the data plane must parse the packet correctly and collect the corresponding key information for operating system fingerprint identification. The collected key information is matched against the entries of the operating system fingerprint identification table stored in the switch to obtain the processing action for the packet; the processing actions are: only output the identification result; output the identification result and then discard the packet; output the identification result and then redirect the packet to a specific destination; and output the identification result and then discard all packets from that IP, including this packet. Since the processing actions include redirecting the packet to a destination, the destination MAC address and destination IP address of the packet may change, so the checksum of the packet must be updated after its processing action has been obtained. The packet is then reassembled and output, which completes operating system fingerprint identification of the TCP SYN packet.
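As an added example (not the patent's own code), the following Python models steps 4 to 7 of Fig. 3 in software: a priority-ordered ternary match over constructed p0f_match-style entries, the four actions, the Bloom filter behind action 4 and its effect on later action-1 packets from the same source, and the IPv4 header checksum recomputation a redirect requires. Port numbers, table contents, label strings and Bloom filter parameters are this example's assumptions.

```python
import hashlib
import struct

DROP_PORT, OUTPUT_PORT, REDIRECT_PORT = 511, 1, 2   # assumed port ids
KEYS = ("ver", "ittl", "olen", "mss", "wsize", "wsize_mss_ratio",
        "scale", "olayout", "df", "id+", "ecn")


class BloomFilter:
    """Fixed bit array with k hashes, like a switch register array."""
    def __init__(self, bits: int = 1024, hashes: int = 3):
        self.bits, self.hashes, self.arr = bits, hashes, bytearray(bits)

    def _idx(self, item: bytes):
        for k in range(self.hashes):
            h = hashlib.blake2b(item, digest_size=4, salt=bytes([k])).digest()
            yield int.from_bytes(h, "big") % self.bits

    def add(self, item: bytes) -> None:
        for i in self._idx(item):
            self.arr[i] = 1

    def __contains__(self, item: bytes) -> bool:
        # Never misses an added address, but can falsely report one never added,
        # so an over-full filter would start dropping traffic from innocent hosts.
        return all(self.arr[i] for i in self._idx(item))


def match(meta: dict, table: list):
    """Ternary match: '*' wildcards a key; the highest priority hit wins."""
    hits = [e for e in table
            if all(e[k] == "*" or e[k] == meta.get(k) for k in KEYS)]
    return max(hits, key=lambda e: e["priority"], default=None)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum with the checksum field treated as zero."""
    zeroed = header[:10] + b"\0\0" + header[12:]
    s = sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_checksum_ok(header: bytes) -> bool:
    return ipv4_checksum(header) == struct.unpack_from("!H", header, 10)[0]


def process(meta: dict, ipv4_header: bytes, dst_mac: bytes, table: list,
            blocked: BloomFilter) -> dict:
    """Steps 4-7: match, act, update checksum, reassemble, choose egress port."""
    out = {"label": None, "dst_mac": dst_mac, "ipv4": ipv4_header, "port": OUTPUT_PORT}
    if not meta.get("syn"):
        return out                           # non-SYN traffic is not fingerprinted
    entry = match(meta, table)
    if entry is None:
        return out
    out["label"], action = entry["label"], entry["action"]
    if action == 2:
        out["port"] = DROP_PORT
    elif action == 3:
        # Redirect rewrites dst MAC and dst IP, so the header checksum is redone.
        hdr = bytearray(ipv4_header)
        hdr[16:20] = entry["redirect_ip"]
        struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
        out.update(dst_mac=entry["redirect_mac"], ipv4=bytes(hdr), port=REDIRECT_PORT)
    elif action == 4:
        blocked.add(meta["src"])             # remember the source for later packets
        out["port"] = DROP_PORT
    elif meta["src"] in blocked:             # action 1, but source blocked earlier
        out["port"] = DROP_PORT
    return out


def sample_meta(ittl, wsize, mss, scale, olayout, src) -> dict:
    """Constructed p0f metadata as the parse stage would hand it over."""
    return {"ver": 4, "ittl": ittl, "olen": 0, "mss": mss, "wsize": wsize,
            "wsize_mss_ratio": wsize // mss, "scale": scale, "olayout": olayout,
            "df": True, "id+": True, "ecn": False, "syn": True, "src": src}


def entry(ittl, wsize, ratio, scale, olayout, priority, label, action, **extra):
    e = {"ver": 4, "ittl": ittl, "olen": 0, "mss": "*", "wsize": wsize,
         "wsize_mss_ratio": ratio, "scale": scale, "olayout": olayout, "df": True,
         "id+": True, "ecn": False, "priority": priority, "label": label, "action": action}
    return {**e, **extra}


TABLE = [   # constructed p0f_match-style entries; labels are illustrative only
    entry(64, "*", 20, "*", ("mss", "sok", "ts", "nop", "ws"), 9, "s:unix:Linux:3.x", 1),
    entry(128, 8192, "*", 0, ("mss", "nop", "nop", "sok"), 5, "g:win:Windows:NT kernel", 3,
          redirect_ip=bytes([10, 0, 0, 99]), redirect_mac=b"\x02" * 6),
    entry(255, 4128, "*", "*", ("mss",), 8, "s:unix:legacy:end-of-life", 4),
]

# Constructed IPv4 header (checksum field still zero) for 10.0.0.1 -> 10.0.0.2.
IPV4_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 1, 0x4000, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
```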

Claims (4)

1. An operating system fingerprint identification method based on a programmable switch, characterized in that the method comprises the following 7 steps, executed in sequence:
Step 1, the control plane parses the operating system fingerprint database: the control plane automatically converts each signature of the TCP request module in the p0f.fp file into a p0f_match table entry defined by the data plane, where the p0f.fp file is the operating system fingerprint database and p0f_match is the operating system fingerprint identification table installed on the data plane; the data in the TCP request module is divided into two parts, labels and signatures, a label corresponding to one class of operating system and a signature being a set of features in a network packet; compared with the signature part of the TCP request module, the signature part of p0f_match has one additional key, the "ratio of window size to maximum segment length";
Step 2, the control plane issues table entries: on the control plane, the entries generated in step 1 are issued to the data plane; following the original IPv4 parsing method in P4Runtime_lib, parsing of IPv6 addresses is added;
Step 3, data plane packet parsing: the data plane parses the packet and collects the key information of the operating system fingerprint identification table, which may also be called p0f metadata;
Step 4, operating system fingerprint identification: after step 3, key information continues to be collected, the collected key information is matched against the entries of the operating system fingerprint identification table stored inside the switch, and the processing action for the packet is obtained; there are four processing actions:
Action 1: only output the identification result;
Action 2: output the identification result, then discard the packet;
Action 3: output the identification result, then redirect the packet to a specific destination;
Action 4: output the identification result, then discard all packets from that IP, including this packet;
Step 5, update the checksum: after step 4, the action taken after operating system fingerprint identification modifies at most the destination MAC address and destination IP address of the packet and does not modify the upper-layer application part, so only the frame check sequence and the checksum of the network layer protocol need to be modified;
Step 6, reassemble the packet: after step 5, the packet enters the "deparser" stage for reassembly, where the original destination MAC address, destination IP address and checksum in the packet are replaced with the destination MAC address and destination IP address determined in step 4 and the checksum finally determined in step 5;
Step 7, output the packet: after step 6, the programmable switch decides, according to the processing action determined in step 4, whether to forward the packet and from which port to output it, as follows:
(1) if the processing action is action 1, the packet is output from the corresponding port;
(2) if the processing action is action 2, the packet is sent to the drop port and discarded;
(3) if the processing action is action 3, the packet is redirected to the corresponding port;
(4) if the processing action is action 4, the programmable switch outputs the packet to the drop port for discarding, and any later packets from this IP are also all discarded.
2. The operating system fingerprint identification method based on a programmable switch according to claim 1, characterized in that the label conversion of step 1 defines two classes, the P0fRuleSig class and the P0fRuleConverter class, wherein the P0fRuleSig class gathers all functions used for conversion and the converted attributes and converts each original signature into a P0fRuleSig "signature", and the P0fRuleConverter class defines four member variables, the label list, the signature list, the signature-to-label mapping list and the application-to-operating-system mapping, and converts the entire TCP request module of the p0f.fp file into a form suitable for issuing by the control plane.
3. The operating system fingerprint identification method based on a programmable switch according to claim 1, characterized in that the packet parsing of step 3 is divided into four steps:
Step 3.1, extract the Ethernet header: because IPv4 and IPv6 have different structures, the corresponding packets are parsed differently, and the next step is selected according to the value of the type field in the Ethernet header; if the type value is 0x0800, the network layer protocol of the packet is IPv4 and step 3.2 is entered; if the type value is 0x86dd, the network layer protocol of the packet is IPv6 and step 3.3 is entered;
Step 3.2, extract the IPv4 network layer header and the corresponding information, which comprises the following two steps:
This process includes the following two steps: 步骤3.2.1、可编程交换机提取不包括“选项+填充”字段的IPv4首部,判断IPv4数据包首部大小,即该首部中的“IHL”值是否大于等于5,如果该值大于等于5,则提取IPv4“选项+填充”字段,否则丢弃该包,不进行之后的处理;Step 3.2.1, the programmable switch extracts the IPv4 header that does not include the "option + padding" field, and determines the size of the IPv4 data packet header, that is, whether the "IHL" value in the header is greater than or equal to 5. If the value is greater than or equal to 5, the IPv4 "option + padding" field is extracted, otherwise the packet is discarded without further processing; 步骤3.2.2、通过数据包中IPv4协议中的“协议”字段的值来判断传输层协议是不是TCP,如果传输层协议是TCP,进入到步骤3.4,否则丢弃该包,不进行之后的处理;Step 3.2.2: Determine whether the transport layer protocol is TCP by the value of the "Protocol" field in the IPv4 protocol in the data packet. If the transport layer protocol is TCP, proceed to step 3.4; otherwise, discard the packet without further processing. 步骤3.3、提取IPv6首部和拓展首部,该过程包括以下2个步骤:Step 3.3: Extract the IPv6 header and extension header. This process includes the following two steps: 步骤3.3.1、提取IPv6首部,可通过IPv6首部的Next Header字段值判断直接后继首部的类型,如果后继首部的类型为TCP首部,那么进入步骤3.4,如果为其他首部类型,那么进入步骤3.3.2;Step 3.3.1, extract the IPv6 header, and determine the type of the direct successor header by the Next Header field value of the IPv6 header. If the type of the successor header is a TCP header, then go to step 3.4; if it is another header type, then go to step 3.3.2; 步骤3.3.2、解析IPv6拓展首部,利用Next Header字段值判断直接后继首部的类型,如果Next Header字段值为No Next Header,那么说明没有后继首部,直接进入步骤4,如果后继首部为TCP首部,那么进入步骤3.4,如果后继首部为其他类型的首部,则找到后继首部的位置,找到新的首部之后重复上述操作;Step 3.3.2, parse the IPv6 extension header, and use the Next Header field value to determine the type of the direct successor header. If the Next Header field value is No Next Header, it means that there is no successor header, and go directly to step 4. If the successor header is a TCP header, then go to step 3.4. 
If the successor header is another type of header, find the location of the successor header, and repeat the above operation after finding the new header; 步骤3.4、提取TCP首部和对应信息,由以下2个步骤组成:Step 3.4: Extract the TCP header and corresponding information, which consists of the following two steps: 步骤3.4.1、首先检查TCP首部的dataOffset字段值,即TCP首部大小,如果大于等于5,则继续解析TCP“选项+填充”字段,否则丢弃该包,不进行之后的处理;Step 3.4.1, first check the dataOffset field value of the TCP header, that is, the TCP header size. If it is greater than or equal to 5, continue to parse the TCP "option + padding" field, otherwise discard the packet without further processing; 步骤3.4.2、如果需要解析的TCP“选项+填充”字段的字节数为零,则进行步骤4,否则继续解析,解析过程中,记录已经解析的TCP“选项+填充”字段数目,如果遇到这三种情况,即遇到不支持的TCP选项、TCP“选项+填充”字段已经全部解析完成、已经达到最大支持解析数目,则进入步骤4,否则继续重复上述操作。Step 3.4.2. If the number of bytes of the TCP "option + padding" field to be parsed is zero, proceed to step 4, otherwise continue parsing. During the parsing process, record the number of TCP "option + padding" fields that have been parsed. If any of the following three situations are encountered, namely, an unsupported TCP option is encountered, all TCP "option + padding" fields have been parsed, and the maximum number of supported parsing has been reached, proceed to step 4, otherwise continue to repeat the above operations. 4.根据权利要求1中所述的基于可编程交换机的操作系统指纹识别方法,其特征在于,对于步骤4的继续收集操作系统指纹识别表键信息,包含以下2个步骤:4. According to the programmable switch-based operating system fingerprint identification method of claim 1, it is characterized in that the continued collection of operating system fingerprint identification table key information in step 4 comprises the following two steps: 步骤4.1、首先判断数据包是否包含TCP数据段,如果包含,进入步骤4.2,如果不包含,则进入步骤5;Step 4.1: First, determine whether the data packet contains a TCP data segment. If so, proceed to step 4.2; if not, proceed to step 5. 
步骤4.2、可编程交换机进一步检验该数据包是否是一个TCP SYN数据包,如果不是,那么进入步骤5,如果是,则可编程交换机收集剩余的操作系统指纹识别表键信息,在收集完之后,可编程交换机更新“窗口大小与最大报文段长度比值”变量的值,进入步骤5。Step 4.2, the programmable switch further checks whether the data packet is a TCP SYN data packet. If not, then go to step 5. If so, the programmable switch collects the remaining operating system fingerprint identification table key information. After collecting, the programmable switch updates the value of the "window size to maximum segment length ratio" variable and goes to step 5.
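As an added illustration, not the patent's own code: the following Python models the header walk of claim 3 (Ethernet type, IPv4 IHL and protocol checks, IPv6 Next Header chain, TCP dataOffset and option parsing with an unsupported-option stop and a count cap), the SYN check and "window size to maximum segment size ratio" key of claim 4, and the first-match table lookup of step 4 that yields one of the four actions. Every signature, label (sample-os-A and so on), option layout and sample packet below is constructed for this example and is not p0f.fp content; the colon-separated signature text is a simplified stand-in for the real p0f.fp grammar, and the option cap MAX_TCP_OPTS = 8 and the integer-quotient definition of the ratio key are assumptions.

```python
"""Added illustration, not the patent's code: a software model of the data-plane
parse (claim 3), the extra window/MSS-ratio key and SYN check (claims 1 and 4),
and the table match of step 4. Signatures and packets are constructed samples."""
import struct
from dataclasses import dataclass

ETH_IPV4, ETH_IPV6, IPPROTO_TCP, IPV6_NO_NEXT = 0x0800, 0x86DD, 6, 59
IPV6_EXT_HDRS = {0, 43, 60}        # hop-by-hop, routing, destination options (walked via Next Header)
TCP_OPT_NAMES = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}   # options this parser understands
MAX_TCP_OPTS = 8                   # parser cap, as in step 3.4.2 (the value is an assumption)
ACTIONS = {1: "report", 2: "report+drop", 3: "report+redirect", 4: "report+block-source"}


@dataclass
class Signature:
    label: str
    ver: object      # 4, 6 or "*"
    ttl: object      # observed TTL / hop limit, or "*"
    layout: str      # TCP option layout, e.g. "mss,sok,ts,nop,ws"
    ratio: object    # window // mss, or "*": the extra key claim 1 adds to p0f_match
    action: int      # one of the four actions of claim 1, step 4

    @classmethod
    def from_text(cls, label, text, action):
        """Simplified 'ver:ttl:layout:ratio' text (constructed, not p0f.fp's grammar)."""
        ver, ttl, layout, ratio = text.split(":")
        conv = lambda v: "*" if v == "*" else int(v)
        return cls(label, conv(ver), conv(ttl), layout, conv(ratio), action)


def parse_syn(frame: bytes):
    """Return the key dict for a TCP SYN, or None when the packet is dropped or is not a SYN."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == ETH_IPV4:                       # step 3.2
        ihl = frame[off] & 0x0F
        if ihl < 5:
            return None                             # bad IHL: drop (step 3.2.1)
        ver, ttl, proto = 4, frame[off + 8], frame[off + 9]
        off += ihl * 4                              # skips "options + padding"
    elif ethertype == ETH_IPV6:                     # step 3.3
        ver, proto, ttl = 6, frame[off + 6], frame[off + 7]
        off += 40
        while proto in IPV6_EXT_HDRS:               # step 3.3.2: follow the Next Header chain
            proto, ext_len = frame[off], frame[off + 1]
            off += (ext_len + 1) * 8
        if proto == IPV6_NO_NEXT:
            return None
    else:
        return None
    if proto != IPPROTO_TCP:                        # step 3.2.2 / 3.3.1
        return None
    data_off, flags = frame[off + 12] >> 4, frame[off + 13]
    if data_off < 5:
        return None                                 # bad dataOffset: drop (step 3.4.1)
    if flags & 0x12 != 0x02:                        # step 4.2: SYN without ACK only
        return None
    window = struct.unpack("!H", frame[off + 14:off + 16])[0]
    opts = frame[off + 20:off + data_off * 4]
    layout, mss, i, n = [], 0, 0, 0
    while i < len(opts) and n < MAX_TCP_OPTS:       # step 3.4.2
        kind, n = opts[i], n + 1
        if kind == 0:
            layout.append("eol"); break             # end of option list
        if kind == 1:
            layout.append("nop"); i += 1; continue  # single-byte NOP
        if kind not in TCP_OPT_NAMES or i + 1 >= len(opts):
            break                                   # unsupported option: stop parsing
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                                   # malformed length: stop parsing
        layout.append(TCP_OPT_NAMES[kind])
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    ratio = window // mss if mss else 0             # integer quotient as the ratio key (assumption)
    return {"ver": ver, "ttl": ttl, "window": window, "mss": mss,
            "layout": ",".join(layout), "ratio": ratio}


def classify(frame, table):
    """Match the collected keys against the table; first hit wins. Returns (label, action)."""
    keys = parse_syn(frame)
    if keys is None:
        return None
    for s in table:
        if all(v in ("*", keys[k]) for k, v in
               (("ver", s.ver), ("ttl", s.ttl), ("layout", s.layout), ("ratio", s.ratio))):
            return s.label, s.action
    return "unknown", 1                             # table miss: report only


def _tcp_syn(window, options):
    options += b"\x00" * (-len(options) % 4)        # pad options to a 32-bit boundary
    data_off = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, data_off << 4, 0x02, window, 0, 0) + options


def ipv4_syn_frame(ttl, window, options):
    tcp = _tcp_syn(window, options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4) + ip + tcp


def ipv6_syn_frame(hop_limit, window, options):
    tcp = _tcp_syn(window, options)
    hopopt = bytes([IPPROTO_TCP, 0, 1, 4, 0, 0, 0, 0])   # 8-byte hop-by-hop header (PadN), next = TCP
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(hopopt) + len(tcp), 0, hop_limit,
                      b"\xfd" + b"\x00" * 14 + b"\x01", b"\xfd" + b"\x00" * 14 + b"\x02")
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV6) + ip6 + hopopt + tcp


# Constructed option layouts and signatures (not measurements of any real OS)
OPTS_A = bytes([2, 4, 5, 0xB4, 4, 2, 8, 10]) + b"\x00" * 8 + bytes([1, 3, 3, 7])   # mss,sok,ts,nop,ws
OPTS_B = bytes([2, 4, 5, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])                             # mss,nop,ws,nop,nop,sok
TABLE = [
    Signature.from_text("sample-os-A", "*:64:mss,sok,ts,nop,ws:44", 1),
    Signature.from_text("sample-os-B", "4:128:mss,nop,ws,nop,nop,sok:*", 3),
    Signature.from_text("sample-os-B-over-ipv6", "6:128:mss,nop,ws,nop,nop,sok:*", 2),
]

if __name__ == "__main__":
    for f in (ipv4_syn_frame(64, 64240, OPTS_A), ipv6_syn_frame(128, 8192, OPTS_B)):
        label, action = classify(f, TABLE)
        print(label, ACTIONS[action])
```

The ratio key is what makes the first signature usable across link MTUs: a window advertised as 44 times the MSS matches whether the MSS is 1460 or 1400, which a raw window value in the table would not. The IPv6 builder deliberately inserts a hop-by-hop extension header so that the Next Header walk of step 3.3.2 is exercised, and the unsupported-option stop means an unknown option kind ends the layout string rather than corrupting it.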
CN202411292399.5A 2024-09-14 2024-09-14 Operating system fingerprint identification method based on programmable switch Pending CN119182597A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411292399.5A CN119182597A (en) 2024-09-14 2024-09-14 Operating system fingerprint identification method based on programmable switch

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411292399.5A CN119182597A (en) 2024-09-14 2024-09-14 Operating system fingerprint identification method based on programmable switch

Publications (1)

Publication Number Publication Date
CN119182597A true CN119182597A (en) 2024-12-24

Family

ID=93901408

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411292399.5A Pending CN119182597A (en) 2024-09-14 2024-09-14 Operating system fingerprint identification method based on programmable switch

Country Status (1)

Country Link
CN (1) CN119182597A (en)

Similar Documents

Publication Publication Date Title
US8412838B1 (en) Method of and system for analyzing the content of resource requests
US6954789B2 (en) Method and apparatus for monitoring traffic in a network
US6839751B1 (en) Re-using information from data transactions for maintaining statistics in network monitoring
US6771646B1 (en) Associative cache structure for lookups and updates of flow records in a network monitor
US6789116B1 (en) State processor for pattern matching in a network monitor device
US8964548B1 (en) System and method for determining network application signatures using flow payloads
CN110324245B (en) Method and device for forwarding message based on integrated flow table
CN102387045B (en) Embedded point to point (P2P) flow monitoring system and method thereof
CN108270699B (en) Message processing method, shunt switch and aggregation network
US7522530B2 (en) Method for protocol recognition and analysis in data networks
US6965574B1 (en) Network traffic data collection and query
CN110213124A (en) Passive operation system identification method and device based on the more sessions of TCP
CN114157502A (en) Terminal identification method and device, electronic equipment and storage medium
US20020191549A1 (en) Content intelligent network recognition system and method
CN115473850B (en) AI-based real-time data filtering method, system and storage medium
KR100501080B1 (en) A method and system for distinguishing higher layer protocols of the internet traffic
CN119182597A (en) Operating system fingerprint identification method based on programmable switch
Chen et al. IPzip: A stream-aware IP compression algorithm
AU2004201908B2 (en) A cache system
KR100621996B1 (en) Analysis method and system of internet service traffic
CN118842853A (en) Service feature recognition method, device, recognition equipment and readable storage medium
Zander et al. Design of DIFFUSE v0. 4-DIstributed firewall and flow-shaper using statistical evidence
KR20200080513A (en) Network device and method and systme for controlling network monitoring using the same

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination