Analysis Study Of Network Traffic Based On Deep Protocol Detect And Session Associate Model Method

Posted on: 2017-05-14
Degree: Master
Type: Thesis
Country: China
Candidate: W L Li
GTID: 2428330569998751
Subject: Instrumentation engineering
Abstract/Summary:
Network traffic analysis is an important means of network security audit. This paper designs an online analysis system for 10 GbE networks. Packet capture in the system is built on DPDK and can capture network datagrams in a 10 GE network environment. The upper layer uses a divide-and-conquer multi-thread hash table concatenation algorithm, a session re-routing algorithm, and large-scale concurrent TCP session reassembly technology to implement "packet-flow-session" three-layer interactive deep protocol detection and protocol session association.

The paper describes the key technologies of the ONFA system in detail. Implementation code is given for DPDK network packet capture. For large-scale concurrent TCP session online reassembly, it covers the multi-thread hash index chain-free concurrency algorithm and the on-demand session reordering algorithm based on multi-stream buffer reordering. The packet-flow-session three-layer interactive deep protocol detection and protocol session association are described in detail. Finally, reference code is given for deep detection of the HTTP, Telnet, TFTP, SSL and FTP protocols.

Experimental results show that the ONFA 10 G network traffic analysis system can analyze and process traffic in real time in a 10 GE network environment, which effectively addresses the performance problems of systems of the same kind and the low recognition rate for protocols and their subordinate sessions.

The main contributions of this paper are as follows:

1. DPDK-based wire-speed packet capture for 10 Gigabit networks. It uses a generic Gigabit Ethernet solution, does not rely on specific hardware devices, needs no specially developed FPGA board, is low cost, and achieves 10 GE wire-speed packet capture performance.
2. A locking algorithm based on a divide-and-conquer multi-thread hash index chain is proposed. It realizes large-scale concurrent TCP online reassembly on the order of 8 million and solves the problem of 10-Gigabit TCP reassembly.
3. Based on the multi-stream buffer reordering algorithm and the packet-flow-session three-layer interactive deep protocol detection and protocol session association technology, protocol subordinate sessions are associated and the accuracy of network traffic analysis is improved.
Keywords/Search Tags:Depth protocol detection, TCP, protocol session association, Network traffic analysis