WO2004017595A2 - Method for protocol recognition and analysis in data networks (original title: Procédé de reconnaissance et d'analyse de protocoles dans des réseaux de données) - Google Patents
- Publication number: WO2004017595A2 (PCT application PCT/FR2003/002075)
- Authority: WO, WIPO (PCT)
- Prior art keywords: protocol, name, data structure, self, connection
- Prior art date
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L43/00—Arrangements for monitoring or testing data switching networks
        - H04L43/18—Protocol analysers
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0227—Filtering policies
            - H04L63/0254—Stateful filtering
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
      - H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
        - H04L69/18—Multiprotocol handlers, e.g. single devices capable of handling multiple protocols
        - H04L69/22—Parsing or analysis of headers
Definitions
- The field of the invention is that of controlling data networks.
- A task of observing data packets is assigned to a network node, such as a delegated server (proxy server), through which pass the connections that generate these data packets.
- A problem which arises is that of the recognition of implicit protocols.
- A protocol is said to be implicit when it cannot be identified explicitly and with certainty from the protocol header that precedes it in the protocol stack. This is the case for many application-level protocols, such as Pointcast or Kazaa, whose use in the protocol stack of a connection depends on the context of the connection, generally established by prior negotiations that are difficult to reconstruct by scanning, on the fly, the packets circulating within the connection.
- Some known protocols such as HTTP, Telnet and FTP are today at the boundary between explicit and implicit protocols. These protocols can be considered explicit when a reserved port number appearing in a TCP protocol header gives a destination indicator which makes it possible to identify with certainty the protocol being transported, for example port number 80 corresponding to the HTTP protocol.
- A conventional architecture is known for using the Telnet protocol by stacking the ordered sequence of protocols Ethernet, IP, TCP, Telnet.
- Other architectures are possible by stacking the ordered sequence Ethernet, IP, TCP, HTTP, Telnet, or even Ethernet, IP, IP, TCP, HTTP, Telnet to manage roaming.
- The computer core submits the conveyed information to each self-identifying mechanism associated with a name from the list of child protocol names, until one of the self-identifying mechanisms declares that it recognizes decisive information or until no self-identifying mechanism can declare that it recognizes decisive information.
- The connection with which it is associated is classified by type of application level. This allows, for example, a firewall to block any connection of file-transfer type, or a network manager to measure the volume of connections of web-browsing type (WWW, World Wide Web).
- The computer core establishes in said first table a second associative correspondence between each current signature and a paired signature whose source indicators are the destination indicators of the current signature and whose destination indicators are the source indicators of the current signature.
- The computer core traverses the names of protocols used in the ordered sequence in the data structure which it constructs, to detect each name of a protocol with dynamic connection. For each such name detected, the computer core submits the conveyed information to the self-identifying mechanism associated with the detected name so as to determine whether there is a subsequent dynamic connection and, if a subsequent connection exists, to associate it with a second data structure arranged to contain an ordered sequence of names of potential protocols which begins with the so-called base protocol name.
- The computer core also constructs the first data structure by seeking the ordered sequences of names of potential protocols in which the ordered sequence of names of protocols used is included and, when there is an ordered sequence of names of potential protocols whose potential signature corresponds to the current signature, by completing the first data structure by means of the second data structure.
- The list of names of child protocols associated with the name IPv6 contains the protocol names IPv6, IPv4, TCP, UDP and ICMP, each pointed to respectively in lines 007, 008, 009, 010, 011 by the pointers located respectively in columns 105, 106, 107,
- IPv6 is both the name of the parent protocol and the name of the child protocol. This materializes the possibility of putting a network layer on top of a network layer of the identical protocol, to manage roaming in a known way by creating a network tunnel. A network layer of a different protocol can also be put on top of a network layer to manage compatibility differences between networks, for example an IPv4-compatible network over which IPv6 connections are passed.
- The computer core extracts a signature from the packet by submitting the contents of the packet to the self-identifying mechanism associated with the protocol used by the physical coupler which receives the packet.
- The computer core requests the self-identifying mechanism to return a source indicator, a destination indicator and a transported protocol name.
- The self-identifying mechanism has filters arranged to recognize the source and destination indicators in the packet, for example MAC addresses in the case of an Ethernet-type physical coupler, Virtual Circuit Identifiers (VCI) and Virtual Path Identifiers (VPI) in the case of an ATM-type physical coupler, and calling and called telephone numbers in the case of a PPP-type physical coupler.
- VCI: Virtual Circuit Identifier
- VPI: Virtual Path Identifier
- The destination indicator is that which corresponds to the physical address of the coupler of the computer system.
- A physical-layer protocol being generally of explicit nature, the self-identifying mechanism also has a filter arranged to recognize the transported protocol.
- When the computer core receives the source and destination indicators from the self-identifying mechanism, it generates a network-level signature that contains the source and destination indicators.
- The computer core submits the packet data to the associated self-identifying mechanism to generate, as before, a signature for the corresponding level, and repeats the operations described above until a self-identifying mechanism signals that it cannot give a transported protocol name.
- Some protocols implement fragmentation, i.e. they divide a packet into several packets of a size compatible with the lower-layer protocols. This is for example the case when a higher-level protocol handles packets larger than the maximum size of the data that can be contained in a physical frame (MTU, Maximum Transfer Unit). It is recalled that, in the fragments of the same packet, the original header is not entirely reproduced on all the fragments. Thus, when a packet which presents itself in fact constitutes only a fragment of a packet, it does not necessarily contain all the information making it possible to generate the signature specific to a connection. For example, in the case of the UDP protocol over IP, a UDP fragment can appear without containing the UDP header, in particular the source and destination ports which allow a signature calculation.
- MTU: Maximum Transfer Unit
- The computer core checks in step 1002 whether the packet whose signature is extracted belongs to an already existing connection listed in the associative table of current connections.
- The computer core creates a line in associative table 1 by establishing a correspondence between the detected connection and the global signature extracted in step 1001.
- The computer core initializes, in the created line, the first data structure with an ordered sequence of names of protocols used, which begins with the protocol named Base.
- The first data structure also comprises a chain of binary variables, each assigned to a column of table 101 starting from column 105.
- The computer core calculates a paired connection signature such that each source indicator of the paired connection signature is the destination indicator of the corresponding level appearing in the global signature, and such that each destination indicator of the paired connection signature is the source indicator of the corresponding level appearing in the global signature.
- The computer core searches in associative table 1 whether there is a correspondence with the paired connection signature.
- In step 2005 the computer core retrieves, in the second ordered sequence, the protocol name or names which succeed the parent protocol name, keeping their order.
- The computer core then deletes the second ordered sequence from associative table 2 and then activates step 2003.
- In step 2003 the computer core adds the child protocol name or names to the first ordered sequence of names of protocols used, keeping their order.
- The computer core sets the variables in the chain of binary variables for the last protocol name added to the ordered sequence of names of protocols used.
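The definitions above describe a recogniser that walks a tree of protocol names, hands each level's data to that protocol's self-identifying mechanism, concatenates the returned source and destination indicators into a global signature keyed in an associative table of current connections, looks the paired (reverse-direction) signature up as well, and extends the ordered sequence of protocol names used when a later packet reveals an implicit child protocol. The following Python is an added illustration of that method written for this page; it is not the patent's code. The protocol tree, the `ident_*` mechanisms, the port table, the `ConnectionTable` class and the `make_frame` builder (Ethernet/IPv4/TCP frames with checksums left at zero and MAC addresses derived from the IP addresses) are all constructed for the example, and the IPv4 mechanism shows the fragmentation limitation: a non-first fragment carries no transport header, so the signature stops at the network level.

```python
"""Toy protocol-stack recogniser after the method above (added example, not
the patent's code). Each protocol name has a self-identifying mechanism
(ident_*) that, given the data handed down by its parent, returns (source
indicator, destination indicator, child protocol name or None, payload for
the child), or None when it does not recognise the data. Constructed throughout."""
import struct

# Protocol tree: parent name -> ordered list of child protocol names (constructed)
CHILDREN = {"Ethernet": ["IPv4"], "IPv4": ["TCP"],
            "TCP": ["HTTP", "Telnet"], "HTTP": [], "Telnet": []}
EXPLICIT_PORTS = {80: "HTTP", 23: "Telnet"}   # reserved ports name the child explicitly

def ident_ethernet(d):
    if len(d) < 14:
        return None
    etype = struct.unpack("!H", d[12:14])[0]
    return d[6:12].hex(), d[:6].hex(), ("IPv4" if etype == 0x0800 else None), d[14:]

def ident_ipv4(d):
    if len(d) < 20 or d[0] >> 4 != 4:
        return None
    ihl = (d[0] & 0x0F) * 4
    src, dst = ".".join(map(str, d[12:16])), ".".join(map(str, d[16:20]))
    if struct.unpack("!H", d[6:8])[0] & 0x1FFF:
        # Non-first fragment: the transport header is absent, so no child can be
        # named and the connection-specific part of the signature cannot be built.
        return src, dst, None, b""
    return src, dst, {6: "TCP"}.get(d[9]), d[ihl:]

def ident_tcp(d):
    if len(d) < 20:
        return None
    sport, dport = struct.unpack("!HH", d[:4])
    child = EXPLICIT_PORTS.get(dport) or EXPLICIT_PORTS.get(sport)  # None => implicit
    return str(sport), str(dport), child, d[(d[12] >> 4) * 4:]

# Application-level mechanisms carry no indicators; they only recognise content.
def ident_http(d):
    ok = d.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/1.")) and b"\r\n" in d
    return (None, None, None, b"") if ok else None

def ident_telnet(d):
    return (None, None, None, b"") if d[:1] == b"\xff" else None  # leading IAC byte

IDENTIFIERS = {"Ethernet": ident_ethernet, "IPv4": ident_ipv4, "TCP": ident_tcp,
               "HTTP": ident_http, "Telnet": ident_telnet}

def classify(frame, base="Ethernet"):
    """Walk the protocol tree from the base protocol. Returns the global signature
    (one (name, src, dst) triple per level carrying indicators) and the ordered
    sequence of protocol names used."""
    name, data, signature, used = base, frame, [], []
    while name is not None:
        result = IDENTIFIERS[name](data)
        if result is None:              # mechanism cannot recognise the data: stop
            break
        src, dst, child, payload = result
        used.append(name)
        if src is not None:
            signature.append((name, src, dst))
        if child is None:               # implicit: try each child mechanism in order
            child = next((c for c in CHILDREN[name]
                          if IDENTIFIERS[c](payload) is not None), None)
        name, data = child, payload
    return tuple(signature), tuple(used)

def paired_signature(sig):
    """Same levels with source and destination indicators swapped."""
    return tuple((name, dst, src) for name, src, dst in sig)

class ConnectionTable:
    """Associative table of current connections keyed by global signature."""
    def __init__(self):
        self.rows = {}

    def submit(self, frame):
        sig, used = classify(frame)
        row = self.rows.get(sig) or self.rows.get(paired_signature(sig))
        if row is None:
            row = self.rows[sig] = {"signature": sig, "protocols": list(used)}
            return row, "new"
        known = tuple(row["protocols"])
        if len(used) > len(known) and used[:len(known)] == known:
            row["protocols"] = list(used)   # a later packet revealed the child protocol
            return row, "extended"
        return row, "existing"

def make_frame(src_ip, dst_ip, sport, dport, payload, frag_offset=0):
    """Constructed Ethernet/IPv4/TCP frame (checksums left 0, MACs derived from IPs)."""
    ip4 = lambda s: bytes(map(int, s.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 512, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, frag_offset, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    return b"\x02\x00" + ip4(dst_ip) + b"\x02\x00" + ip4(src_ip) + b"\x08\x00" + ip + tcp

if __name__ == "__main__":
    table = ConnectionTable()
    for f in (make_frame("10.0.0.5", "10.0.0.9", 40000, 8080, b""),
              make_frame("10.0.0.5", "10.0.0.9", 40000, 8080, b"GET / HTTP/1.1\r\n\r\n"),
              make_frame("10.0.0.9", "10.0.0.5", 8080, 40000, b"HTTP/1.1 200 OK\r\n\r\n")):
        print(table.submit(f)[1])      # new, extended, existing
```

The three frames in the `__main__` block trace the behaviour the definitions describe: the first packet on port 8080 names no explicit child, so the row is created with the sequence Ethernet, IPv4, TCP; the request packet lets the HTTP mechanism recognise decisive content, and the sequence is extended; the reply travels in the opposite direction and is matched through the paired signature rather than creating a second row. A firewall or traffic meter classifying on `row["protocols"]` therefore sees one HTTP connection, even though the port alone would not have revealed it.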
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2003267510A AU2003267510A1 (en) | 2002-07-29 | 2003-07-04 | Method for protocol recognition and analysis in data networks |
CN038202700A CN1703890B (zh) | 2002-07-29 | 2003-07-04 | 数据网络中识别和分析协议的方法 |
JP2004528561A JP4203012B2 (ja) | 2002-07-29 | 2003-07-04 | データネットワークにおけるプロトコルの認識及び分析方法 |
EP03748200A EP1574000B1 (fr) | 2002-07-29 | 2003-07-04 | Procédé de reconnaissance et d'analyse de protocoles dans des réseaux de données |
ES03748200T ES2408158T3 (es) | 2002-07-29 | 2003-07-04 | Procedimiento de reconocimiento y de análisis de protocolos en redes de datos |
US10/523,339 US7522530B2 (en) | 2002-07-29 | 2003-07-04 | Method for protocol recognition and analysis in data networks |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR02/09599 | 2002-07-29 | ||
FR0209599A FR2842970B1 (fr) | 2002-07-29 | 2002-07-29 | Procede de reconnaissance et d'analyse de protocoles dans des reseaux de donnees |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2004017595A2 true WO2004017595A2 (fr) | 2004-02-26 |
WO2004017595A3 WO2004017595A3 (fr) | 2005-08-11 |
Family
ID=30011563
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FR2003/002075 WO2004017595A2 (fr) | 2002-07-29 | 2003-07-04 | Procede de reconnaissance et d'analyse de protocols dans des reseaux de donnees |
Country Status (9)
Country | Link |
---|---|
US (1) | US7522530B2 (fr) |
EP (1) | EP1574000B1 (fr) |
JP (1) | JP4203012B2 (fr) |
KR (1) | KR100957827B1 (fr) |
CN (1) | CN1703890B (fr) |
AU (1) | AU2003267510A1 (fr) |
ES (1) | ES2408158T3 (fr) |
FR (1) | FR2842970B1 (fr) |
WO (1) | WO2004017595A2 (fr) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100367722C (zh) * | 2004-12-10 | 2008-02-06 | 中兴通讯股份有限公司 | 一种通信协议一致性测试系统 |
CN101176306B (zh) * | 2005-05-13 | 2010-09-15 | 科斯莫斯公司 | 通信业务分析系统以及检查网络通信业务流的方法 |
WO2011161340A1 (fr) | 2010-06-23 | 2011-12-29 | Qosmos | Dispositif de collecte de donnees pour la surveillance de flux dans un reseau de donnees |
WO2012131229A1 (fr) | 2011-03-25 | 2012-10-04 | Qosmos | Procede et dispositif d'extraction de donnees d'un flux de donnees circulant sur un reseau ip |
JP2021529470A (ja) * | 2018-07-06 | 2021-10-28 | コスモス・テック | データストリームのプロトコルの識別 |
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050065915A1 (en) * | 2003-09-23 | 2005-03-24 | Allen Wayne J. | Method and system to add protocol support for network traffic tools |
US7519718B2 (en) * | 2004-02-27 | 2009-04-14 | International Business Machines Corporation | Server-side protocol configuration of accessing clients |
US8793390B2 (en) * | 2006-05-23 | 2014-07-29 | Blue Coat Systems, Inc. | Systems and methods for protocol detection in a proxy |
US8108844B2 (en) * | 2006-06-20 | 2012-01-31 | Google Inc. | Systems and methods for dynamically choosing a processing element for a compute kernel |
FR2925807B1 (fr) | 2007-12-20 | 2010-02-19 | Inst Nat Rech Inf Automat | Moniteur de systeme de communication par messages ameliore |
CN101577704A (zh) * | 2008-05-08 | 2009-11-11 | 北京东华合创数码科技股份有限公司 | 一种网络应用层协议识别方法和系统 |
US8284786B2 (en) * | 2009-01-23 | 2012-10-09 | Mirandette Olivier | Method and system for context aware deep packet inspection in IP based mobile data networks |
US8724473B2 (en) | 2010-07-16 | 2014-05-13 | Ixia | Locating signatures in packets |
US8347391B1 (en) * | 2012-05-23 | 2013-01-01 | TrustPipe LLC | System and method for detecting network activity of interest |
US8873753B2 (en) * | 2012-08-27 | 2014-10-28 | Verizon Patent And Licensing Inc. | Analysis of network operation |
DE102014201234A1 (de) * | 2014-01-23 | 2015-07-23 | Siemens Aktiengesellschaft | Verfahren, Verwaltungsvorrichtung und Gerät zur Zertifikat-basierten Authentifizierung von Kommunikationspartnern in einem Gerät |
CN104023018A (zh) * | 2014-06-11 | 2014-09-03 | 中国联合网络通信集团有限公司 | 一种文本协议的逆向解析方法和系统 |
FR3126830A1 (fr) * | 2021-09-07 | 2023-03-10 | Nano Corp | Procede et système d’analyse de flux de données |
CN114024868B (zh) * | 2022-01-06 | 2022-03-25 | 北京安博通科技股份有限公司 | 流量统计方法、流量质量分析方法及装置 |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5802065A (en) * | 1995-10-23 | 1998-09-01 | Kawasaki Steel Corporation | Data receiving device |
US5793954A (en) * | 1995-12-20 | 1998-08-11 | Nb Networks | System and method for general purpose network analysis |
FI105985B (fi) * | 1997-12-18 | 2000-10-31 | Nokia Networks Oy | Menetelmä tunnistaa ilmarajapinnan verkkokerroksen protokollatietoyksikkö solukkoradioverkossa |
US6157955A (en) * | 1998-06-15 | 2000-12-05 | Intel Corporation | Packet processing system including a policy engine having a classification unit |
ATE496341T1 (de) * | 1999-06-30 | 2011-02-15 | Apptitude Inc | Verfahren und gerät um den netzwerkverkehr zu überwachen |
US6598034B1 (en) * | 1999-09-21 | 2003-07-22 | Infineon Technologies North America Corp. | Rule based IP data processing |
US7006452B2 (en) * | 2001-05-22 | 2006-02-28 | Intel Corporation | Matching DSL data link layer protocol detection |
US7289498B2 (en) * | 2002-06-04 | 2007-10-30 | Lucent Technologies Inc. | Classifying and distributing traffic at a network node |
- 2002
  - 2002-07-29 FR FR0209599A patent/FR2842970B1/fr not_active Expired - Lifetime
- 2003
  - 2003-07-04 AU AU2003267510A patent/AU2003267510A1/en not_active Abandoned
  - 2003-07-04 JP JP2004528561A patent/JP4203012B2/ja not_active Expired - Lifetime
  - 2003-07-04 CN CN038202700A patent/CN1703890B/zh not_active Expired - Lifetime
  - 2003-07-04 KR KR1020057001676A patent/KR100957827B1/ko active IP Right Grant
  - 2003-07-04 ES ES03748200T patent/ES2408158T3/es not_active Expired - Lifetime
  - 2003-07-04 EP EP03748200A patent/EP1574000B1/fr not_active Expired - Lifetime
  - 2003-07-04 WO PCT/FR2003/002075 patent/WO2004017595A2/fr active Application Filing
  - 2003-07-04 US US10/523,339 patent/US7522530B2/en active Active
Non-Patent Citations (1)
Title |
---|
None |
Also Published As
Publication number | Publication date |
---|---|
EP1574000A2 (fr) | 2005-09-14 |
US20060106583A1 (en) | 2006-05-18 |
CN1703890A (zh) | 2005-11-30 |
WO2004017595A3 (fr) | 2005-08-11 |
AU2003267510A1 (en) | 2004-03-03 |
US7522530B2 (en) | 2009-04-21 |
EP1574000B1 (fr) | 2013-03-20 |
JP4203012B2 (ja) | 2008-12-24 |
FR2842970B1 (fr) | 2005-03-18 |
ES2408158T3 (es) | 2013-06-18 |
KR20050033637A (ko) | 2005-04-12 |
CN1703890B (zh) | 2010-05-12 |
JP2005537705A (ja) | 2005-12-08 |
KR100957827B1 (ko) | 2010-05-13 |
FR2842970A1 (fr) | 2004-01-30 |
AU2003267510A8 (en) | 2004-03-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1574000B1 (fr) | Procédé de reconnaissance et d'analyse de protocoles dans des réseaux de données | |
CN112714045B (zh) | 一种基于设备指纹和端口的快速协议识别方法 | |
EP2548337B1 (fr) | Procédé d'identification d'un protocole à l'origine d'un flux de données | |
US20060212942A1 (en) | Semantically-aware network intrusion signature generator | |
EP1667360A1 (fr) | Découverte générique pour réseaux d'ordinateurs | |
CN108429761B (zh) | 智慧协同网络中资源适配解析服务器DDoS攻击检测防御方法 | |
EP1842389B1 (fr) | Procédé, dispositif et programme de détection d'usurpation d'adresse dans un réseau sans fil | |
EP2689560B1 (fr) | Procede et dispositif d'extraction de donnees d'un flux de donnees circulant sur un reseau ip | |
EP1566043B1 (fr) | Procede et systeme informatique pour declencher une action sur des donnees de communications numerique | |
CN112054992B (zh) | 恶意流量识别方法、装置、电子设备及存储介质 | |
CN112231700B (zh) | 行为识别方法和装置、存储介质及电子设备 | |
EP3627795A1 (fr) | Procede de detection et filtrage de flux illegitimes dans un reseau de communication par satellite | |
CN110121175A (zh) | 一种用于移动物联网智能终端的数据监测方法及系统 | |
WO2006103337A1 (fr) | Procede de controle d’une table de flots adaptative et de detection d’une attaque par inondation d’un reseau de transmission de donnees par paquets a large bande et equipement d’analyse correspondant | |
EP2225853B1 (fr) | Moniteur de système de communication par messages amélioré | |
Iqbal et al. | Light-weight, real-time internet traffic classification | |
FR2857539A1 (fr) | Description de contenu de paquets dans un reseau de communication par paquets | |
FR2847404A1 (fr) | Procede d'analyse recursive et statistique de communications reseaux | |
CN116451138A (zh) | 基于多模态学习的加密流量分类方法、装置及存储介质 | |
FR3116980A1 (fr) | Procédé de détermination de quantités pour la détection d’attaques dans un réseau de communication, dispositif de détermination associé | |
CN114760216A (zh) | 一种扫描探测事件确定方法、装置及电子设备 | |
Alshammari | Automatically classifying encrypted network traffic: A case study of ssh | |
Bailey | Identifying application level protocols by analyzing communication patterns over multiple ports | |
WO2010052406A1 (fr) | Procede d'observation de flots transmis a travers un reseau de communication par paquets |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A2. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
AL | Designated countries for regional patents | Kind code of ref document: A2. Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
WWE | Wipo information: entry into national phase | Ref document number: 1020057001676. Country of ref document: KR |
WWE | Wipo information: entry into national phase | Ref document number: 2004528561. Country of ref document: JP |
WWE | Wipo information: entry into national phase | Ref document number: 2003748200. Country of ref document: EP |
WWE | Wipo information: entry into national phase | Ref document number: 20038202700. Country of ref document: CN |
WWP | Wipo information: published in national office | Ref document number: 1020057001676. Country of ref document: KR |
ENP | Entry into the national phase | Ref document number: 2006106583. Country of ref document: US. Kind code of ref document: A1 |
WWE | Wipo information: entry into national phase | Ref document number: 10523339. Country of ref document: US |
WWP | Wipo information: published in national office | Ref document number: 2003748200. Country of ref document: EP |
WWP | Wipo information: published in national office | Ref document number: 10523339. Country of ref document: US |