
Research On Terminal Equipment Identification Based On Network Traffic

Posted on: 2020-04-07
Degree: Master
Type: Thesis
Country: China
Candidate: L F Lei
Full Text: PDF
GTID: 2518306095479304
Subject: Systems analysis and integration
Abstract/Summary:
With the development of network technology, the massive access of IoT terminal devices, and the intelligent transformation of people's lifestyles, the types and quantities of terminal devices in use have steadily increased. With the advent of the 5G era, this growth trend will continue, and the number and categories of access terminals will keep rising for a long time. Different terminals have different functions, performance, cost and users. Analyzing the structure of network terminals can help operators understand the current situation and changes among the users of those terminals. The mobile operator can then provide different services for different users, guide the transformation of the terminal structure according to user usage, optimize the terminal structure, and promote the development of subsequent services.

User terminal device identification technology refers to technology that identifies terminal types by collecting device information and operating environment information. Traditional terminal identification based on the MAC address identifies the physical information of the device. However, in a real network environment there are a large number of layer 3 switches, routers, and NAT devices, so detection software and data collection devices need to be deployed layer by layer to obtain the entire network topology and the MAC addresses of the devices. This method is simple, but it has limited effect in a real network environment. Another method uses feature fields of the protocol stack to identify the device's operating system type, but its identification granularity for terminal devices is insufficient. Unlike the existing terminal identification methods, this paper mainly studies network traffic data collection and analysis, collects hardware information about the terminal device, operating system information, application information, and related protocol stack parameter information, and uses machine-learning algorithms to establish a classification model for network terminal device identification.

The main research work of this paper includes the following three aspects:

Firstly, distributed high-speed real-time network traffic data collection, analysis and storage technology is studied. Based on the open source network analysis framework Zeek (previously named Bro), we solve the problems of distributed acquisition and storage of high-speed real-time network traffic, and some commonly used protocols are analyzed in depth. As an example, we identified and analyzed popular instant messaging protocols such as QQ. Identification of the application information is completed from the content of the protocol information fields and the identity of the application. Finally, we developed a Python program to analyze the device-related User-Agent, the operating system information, the web access records and other data, and extracted the fingerprint data of the network terminal devices.

Secondly, based on analysis of the instant messaging application traffic in the network traffic, we can identify NAT devices. NAT technology alleviates the shortage of IPv4 addresses, and it also hides information about the terminal devices behind it. NAT devices provide convenience for accessing the network and also provide opportunities for illegal access. This paper proposes and implements a simple and efficient NAT device identification method and system based on instant messaging applications, and effectively identifies NAT devices. After the NAT device is identified, the specific model of the terminal device can be further identified.

Finally, because different terminals produce network traffic with different features, we propose a network terminal device identification model and method based on random forest. Combining NAT device identification, network traffic analysis, device fingerprint extraction, and construction of the training and testing sets, we construct a network terminal identification model. Through the model, the general steps of network terminal identification using random forest are given, and the advantages and disadvantages of the method are analyzed and compared.
Keywords/Search Tags: network traffic collection, network traffic fingerprint, NAT identification, terminal identification, random forest