
Research And Implementation Based On Multiple-characteristics Of Application-layer Protocol Identification Method

Posted on: 2014-01-14
Degree: Master
Type: Thesis
Country: China
Candidate: F Xie
GTID: 2248330398964779
Subject: Electronic and communication engineering
Abstract/Summary:
As networks grow more complex and large numbers of new services appear, application-layer protocols emerge endlessly, which places higher requirements on the ability to control network traffic and on network security. Identifying application-layer protocols in the network rapidly and accurately is the premise and foundation of network security monitoring, intrusion detection, traffic control, billing management and other network control systems. It is important for network managers, researchers, service providers, users and other data analysts. In recent years, application-layer protocol identification, which provides detailed network application reports for network monitoring, analysis and management and is a necessary condition for QoS and other network services, has attracted widespread attention in the academic community and become an independent field of research.

Commonly used open-source protocol recognition software currently has the following problems. L7-filter has only one recognition engine, which cannot describe the relationships among multiple data packets in a session, so some more complex application protocol features cannot be recognized or are identified inaccurately. OpenDPI uses static encoding, which is serial and difficult to extend; although it is theoretically possible for it to identify all protocols, its performance decreases as the number of protocols increases. Building on existing technologies, we combine the advantages of multiple characteristics and optimize traditional serial regular-expression matching. The data domain offset is treated as an important protocol characteristic. First, based on experience, the first 8 bytes and the last 8 bytes of the packet payload are built into a DFA graph for matching, to save time.

In this paper, we design and implement a scalable framework for a protocol identification system. Following the concept of an engine, each identification method is classified as a recognition engine. We add a protocol recognition engine with writable state to support identification by cross-packet matching. A protocol is recognized by combining several plug-in engines, which improves the scope and efficiency of protocol identification.
Keywords/Search Tags: Application-layer protocol identification, L7-filter, Multiple features, DFA, Cross-packet matching