Research And Implementation Of Application Layer Protocol Identification In High-speed Network Environment

With the rapid development and popularization of the Internet, new protocols of network communication continue to emerge, the new protocols of network communications is no longer using the public port but using the dynamic port. In addition, because of network information security or personal privacy, more and more new network protocols adopt encryption technology, which makes the limitations of traditional protocol identification technology more and more obvious. The problems of protocol identification and the problems to be solved are more and more complex.In order to meet the demand of network traffic protocol identification in high-speed network environment, this paper proposes a faster pattern recognition method based on Sunday algorithm. At the same time, the paper which utilize software and hardware hierarchical processing system architecture, make the improvement based on the traditional network flow protocol identification method. This paper mainly completed the following work:(1)This paper studies the current status of network traffic protocol identification technology and deeply studies the realization principle and advantages and disadvantages of various protocol recognition methods.Combined with the current requirements for real-time network traffic protocol identification, this paper expounds the problem that the network traffic protocol identification method needs to solve: high efficiency.(2)An improved string matching algorithm based on the Sunday algorithm is proposed. Compared with the Sunday algorithm, the algorithm has fewer character matching times and larger matching steps,which makes the pattern matching faster.(3)Aiming at the characteristics of high traffic flow in high-speed network environment, an efficient flow protocol recognition mechanism combining software and hardware is proposed to speed up the processing of high-speed network traffic. The system takes more advantage of the excellent performance of the multi-core and multi-thread processor to process the network data message. Adopting the hierarchical processing architecture and accomplishing the pre-parsing and general matching of network traffic by high-speed network traffic collecting card, including zero-copy packet capture,low-level traffic analysis, traffic load balancing and protocol key rules to identify the characteristics of such operations. Then the high-speed network traffic collecting card deliver the processed traffic to the upper layer software module for traffic management and application layer protocol identification to achieve the effect of layered processing software and hardware combination.(4)A high-speed network traffic protocol identification system is designed and implemented in combination with the high-speed network traffic protocol identification method and processing architecture proposed in this paper. In the realization of the system, the hardware part of the overall use of the "LoongSon high-performance network processing platform and NETFIRM high-speed network traffic capture card". In the whole, the system is divided into five functional modules,including bottom high-speed matching module, stream reorganization module, rule analysis module, protocol recognition and result of protocol identification displaying. In the real high-speed network environment, the flow protocol identification system is deployed, and the accuracy and the efficiency of the system are verified by the test of function and performance.