Determine The Method Of Study Based On Data Flow Agreement

Posted on: 2010-05-27
Degree: Master
Type: Thesis
Country: China
Candidate: Y C Liu
Full Text: PDF
GTID: 2208330332978074
Subject: Computer application technology
Abstract/Summary:
In this paper, we implement a method of dynamic application-layer protocol analysis that uses regular expressions to describe protocol fingerprints and performs pattern matching over the reassembled context. With this technique, the corresponding protocol analyzer can do its job accurately and with less additional overhead, which effectively strengthens intrusion detection, intrusion defense and virus defense.

This paper analyzes key techniques including the principles of network monitoring, packet capture, IP reassembly, TCP reassembly, automata and pattern matching. Current network communication protocols are studied using network analyzer software such as Sniffer Pro, and the working principles and features of the relevant protocols are summarized from their RFC documents. Feature identification codes are derived according to the requirements of the system, and protocol signatures are described with regular expressions as the basis for implementing the protocol judging system. A rapid protocol judging model based on data flow is proposed, and on it an efficient, robust and extensible plug-in-based protocol judging system is implemented.

This system contains three parts:

1. Data reorganization: The source address, destination address, source port and destination port uniquely identify a conversation. Captured data messages are reassembled into a complete context, with the conversation as the unit.
2. Protocol judgment: Protocol fingerprint matching is carried out on the reassembled data, so that protocol judgment is independent of port. Using a series of signatures corresponding to typical protocols, the system inspects the effective payload in the flow to find the correct analyzer. If a signature matches, the relevant analyzer is opened. Protocol signatures are described with regular expressions.
3. Abnormal treatment: If an abnormality occurs in protocol judgment, the analyzer can be shut down and protocol judgment is carried out by port matching.

This protocol judging system can distinguish some application-layer protocols and supports subsequent processing such as intrusion detection, virus scanning and data restoration. In a Gigabit Ethernet environment, protocol judgment is applied as a plug-in to a fine-grained Gigabit intrusion detection system. The analyzers implemented with the dynamic protocol detection technique can accurately determine the type of a conversation, while protocol judgment and intrusion detection achieve wire-speed performance.
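The three parts described above, as a minimal Python sketch added here for illustration; it is not code from the thesis. The signatures, the port table, the function names and the sample packets are constructed assumptions, and port matching is used whenever no signature matches the reassembled stream.

```python
import re
from collections import defaultdict

# Constructed fingerprints (assumptions), anchored at the start of a stream.
SIGNATURES = {
    "http": re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "ssh": re.compile(rb"^SSH-\d\.\d+-\S+"),
}
PORT_FALLBACK = {80: "http", 22: "ssh"}  # consulted only when no signature matches

def flow_key(src, sport, dst, dport):
    return tuple(sorted([(src, sport), (dst, dport)]))  # same key for both directions

def reassemble(packets):
    """Group (src, sport, dst, dport, seq, payload) tuples by conversation and sender."""
    flows = defaultdict(lambda: defaultdict(dict))
    for src, sport, dst, dport, seq, payload in packets:
        # Keep the first copy of a sequence number; retransmissions are ignored.
        flows[flow_key(src, sport, dst, dport)][(src, sport)].setdefault(seq, payload)
    return flows

def stream(segs):
    """Contiguous bytes in sequence order; stops at the first gap."""
    out, expected = b"", min(segs, default=0)
    for seq in sorted(segs):
        if seq != expected:
            break
        out += segs[seq]
        expected = seq + len(segs[seq])
    return out

def classify(flows, key):
    """Return (protocol, how): signature match first, port matching as fallback."""
    for segs in flows[key].values():
        data = stream(segs)
        for proto, sig in SIGNATURES.items():
            if sig.search(data):
                return proto, "signature"
    for _, port in key:
        if port in PORT_FALLBACK:
            return PORT_FALLBACK[port], "port"
    return "unknown", "none"

# Constructed capture: HTTP on port 8080 with segments out of order, plus
# an unrecognised payload on port 22.
PACKETS = [
    ("10.0.0.5", 40000, "10.0.0.9", 8080, 1018, b"TP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.5", 40000, "10.0.0.9", 8080, 1000, b"GET /index.html HT"),
    ("10.0.0.5", 40001, "10.0.0.9", 22, 500, b"\x00\x01\x02\x03"),
]
flows = reassemble(PACKETS)
print({key: classify(flows, key) for key in flows})
```

The HTTP request is recognised on port 8080 only after the two segments are put back in order, which is why matching runs on the reassembled conversation rather than on single packets.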
Keywords/Search Tags:data flow, network monitoring, pattern matching, agreement judgment