Method and system of accurate recognition in P2P protocol based on behavior characteristics

A behavior-based recognition method, applied in the network field, that addresses the lack of a precise recognition function and inaccurate matching and recognition, and that is simple and convenient to extend.

Inactive Publication Date: 2007-12-26
BEIJING VENUS INFORMATION TECH

AI Technical Summary

Problems solved by technology

Many users, enterprises and institutions place high requirements on accurate identification and auditing of P2P protocols and software usage, and identification based on port location or static message feature matching is too inaccurate to meet them.
Most intrusion detection and auditing systems in common use identify P2P protocols by port location or static message feature matching, and products with complete and flexible functions for accurate P2P protocol identification are very scarce.

Examples


Embodiment 1

[0031] A method for accurately identifying P2P protocols based on behavioral characteristics, including:

[0032] The step of establishing the protocol behavior characteristic model;

[0033] The step of locating the specific operating state;

[0034] The step of behavior model state transition;

[0035] The step of intrusion detection.

[0036] The stage of establishing the protocol behavior characteristic model mainly includes extracting the behavior characteristics of a specific P2P application protocol and establishing a model of the protocol's operating states;

[0037] Specific operating state location mainly uses the transmitted data or control message information obtained during actual network communication to determine which protocol the P2P application is currently using, and matches it against the established behavior model to determine the current state of the protocol's operation;

[0038] In the behavior model state transition stage, judge the next step behav...

Embodiment 2

[0049] The protocol format anomaly detection process of the present invention mainly includes four working stages: establishment of the protocol behavior characteristic model, specific operating state location, behavior model state transition, and detection. The steps of each stage are as follows (see Figure 1):

[0050] The establishment stage of the protocol behavior characteristic model:

[0051] Building on existing port location, this stage mines the behavior characteristics of a given step in a specific P2P application's operation from its data messages. It covers all the control information of the P2P operation, the ports used, and the characteristics contained in specific data messages (such as specific field lengths).

[0052] Behavior feature extraction steps for the Edonkey2000 P2P software:

[0053] 1) Edonkey2000 uses a lot of 6-byte long UDP packets to send server status request packets (the client request server status step feature ind...

Embodiment 3

[0068] Embodiment 3: Steps for establishing the behavior characteristic state model of the Netease popo login stage (see Figure 4):

[0069] 1) The client and the server perform a TCP handshake (usually with 220.181.28.238:443).

[0070] 2) The SSL protocol is used to negotiate the session key used in subsequent communication. The client sends a ClientHello to initiate the handshake; this message contains a list of the algorithms the client can use and other required information. The SSL server responds with a ServerHello, which determines the algorithms to be used for this communication, and then sends its own certificate (which contains its identity and its public key). After receiving this message, the client generates a secret, encrypts it with the SSL server's public key and transmits it, and the SSL server decrypts it with its own private key. The session key negotiation is then complete, and the two parties can communicate using the same session key.

[0071]...


Abstract

During network protocol communication, the invention extracts behavior features from the information carried by captured messages and, based on those features, accurately identifies P2P protocols. It comprises a behavior feature model base, a protocol state location (multi-mode matching) module, a protocol state migration module, and an attack detection/audit module. The protocol behavior feature model base is used to create the matching features of protocol-specific states; the protocol state location module uses multi-mode matching to locate the protocol state of a data message; the protocol state migration module tracks the migration of the protocol's running state; and the attack detection/auditing module calls the relevant detection or auditing function according to the output of the preceding stage.
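The four modules named in the abstract can be sketched as a small state tracker. This is an added example, not code from the patent: the two models use only the features quoted in Embodiments 2 and 3 (6-byte UDP status requests; the SSL handshake with 220.181.28.238:443), while the `Pkt` record, the threshold of three requests and all sample traffic are assumptions constructed for illustration.

```python
from dataclasses import dataclass

POPO_SERVER = ("220.181.28.238", 443)  # login endpoint quoted in Embodiment 3
EDONKEY_MIN_REQUESTS = 3               # assumed; the page only says "a lot of"

@dataclass(frozen=True)
class Pkt:                             # hypothetical per-packet feature record
    session: str     # caller-chosen key: TCP flow id, or client host for UDP
    proto: str       # "tcp" or "udp"
    server: tuple    # (ip, port) of the server-side endpoint
    to_server: bool  # direction of this packet
    payload: bytes

def tls_msg(p):  # handshake message type of an SSLv3/TLS record, else None
    d = p.payload
    ok = p.proto == "tcp" and len(d) >= 6 and d[0] == 0x16 and d[1] == 0x03
    return d[5] if ok else None

def popo(msg_type, to_server):  # predicate for one login handshake step
    return lambda p: (p.server == POPO_SERVER and p.to_server == to_server
                      and tls_msg(p) == msg_type)

def edonkey_status(p):          # 6-byte UDP server status request
    return p.proto == "udp" and p.to_server and len(p.payload) == 6

# Model base: protocol -> ordered state predicates (1 ClientHello,
# 2 ServerHello, 16 ClientKeyExchange carrying the encrypted secret).
MODELS = {"popo-login": [popo(1, True), popo(2, False), popo(16, True)],
          "edonkey2000": [edonkey_status] * EDONKEY_MIN_REQUESTS}

class Tracker:
    def __init__(self, models=MODELS):
        self.models, self.state, self.audit = models, {}, []
    def feed(self, p):
        """Locate p in each model, advance that model's state, audit at the end."""
        for name, steps in self.models.items():
            key = (p.session, name)
            i = self.state.get(key, 0)
            if i < len(steps) and steps[i](p):   # state location by matching
                self.state[key] = i + 1          # state migration
                if i + 1 == len(steps):
                    self.audit.append(key)       # hand off to detection/audit

def demo():  # constructed traffic, not a capture
    rec = lambda m: bytes([0x16, 0x03, 0x01, 0, 4, m, 0, 0, 0])  # minimal record
    t = Tracker()
    for m, up in [(1, True), (2, False), (16, True)]:
        t.feed(Pkt("flow-1", "tcp", POPO_SERVER, up, rec(m)))
    for _ in range(EDONKEY_MIN_REQUESTS):
        t.feed(Pkt("10.0.0.5", "udp", ("198.51.100.7", 40000), True, bytes(6)))
    return t.audit
```

Packets that do not match the next expected step are ignored rather than resetting the model, so a ServerHello seen before any ClientHello leaves the session untracked.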

Description

Technical field

[0001] The present invention relates to a method and system for accurate identification of P2P protocols based on behavioral characteristics, which can be used in intrusion detection and prevention (IDS / IPS) and audit products. Accurate identification and auditing of P2P protocols and software based on protocol behavior characteristics belongs to the field of network technology.

Background technique

[0002] As an important means of network security protection, an intrusion detection / protection system (Intrusion Detection / Protection System, IDS / IPS) is usually deployed at the entrance of a key internal network or at the network boundary. It captures, in real time, the packet data flowing within the network or entering and leaving it, performs intelligent comprehensive analysis, discovers possible intrusion behavior and blocks it in real time. Audit products generally analyze the data flowing in and out of the network to identify and record specific user behaviors. At present, most intrusion detection or ...


Application Information

Patent Type & Authority: Applications (China)
IPC: IPC(8): H04L29/06
Inventor: 孙海波, 李永泉, 杨海清, 胡斌
Owner: BEIJING VENUS INFORMATION TECH