Research and Implementation of a Non-Default-Port Network Protocol Identification System
Abstract
With the rapid development of the Internet, it has become the most important component of international commercial cooperation, information exchange and the development of new technologies. The continual emergence of increasingly diverse applications has dramatically changed the structure and patterns of Internet traffic, so the analysis of network applications faces severe challenges. The accuracy of network application analysis therefore significantly affects the results of network traffic analysis and prediction.
     However, current research on network traffic classification technology is far from keeping pace with the development of applications. First-generation network protocol identification was usually based on port numbers. Because applications at that time strictly complied with the IANA port number assignments, port-based identification was both accurate and able to meet the needs of real-time traffic classification. As new applications have continued to emerge, they have begun to exhibit camouflage and dynamic behaviour, and they may also use user-defined services or dynamic ports. As a result, the original port-based protocol identification technology is powerless.
     After studying the TCP/IP protocol stack, network protocol identification technology, network traffic management technology and Linux network programming, the author proposes, on the basis of existing protocol identification technology, an effective scheme for identifying network protocols on non-default ports. The main research contents are as follows:
     (1) The background of network protocol development, the current state of network protocol identification tools and the significance of non-default-port network protocol identification are introduced and discussed.
     (2) Effective non-default-port identification schemes are proposed for the FTP, HTTP, TELNET and SSH protocols, using the new concepts of an initial condition table and an extended condition table.
     (3) By combining the characteristics of several application-layer network protocol identification schemes, a non-default-port network protocol identification framework applicable to multiple network protocols is proposed.
     (4) To achieve load balancing, the system adopts a highly flexible scheduling strategy as the prototype of its traffic scheduling mechanism, with the aim of improving the efficiency and stability of the system.
     (5) On the basis of the above results, a non-default-port network protocol identification system is designed and implemented. The system features high protocol identification accuracy, support for load balancing, highly extensible protocol identification schemes and broad application prospects.
