
Research On Classification Of Protocol Based On IP Flow’s Statistical Characteristics

Posted on: 2023-01-10
Degree: Master
Type: Thesis
Country: China
Candidate: P Xu
GTID: 2558307061451094
Subject: Computer technology
Abstract/Summary:
The rapid development of the Internet and information technology has provided people with a large number of high-quality and fast services, narrowing the distance between people. At the same time, the network is full of malicious behaviors that seriously affect the normal order of people's lives, such as the economic extortion of enterprises by ransomware, spam advertisements from bots, and Distributed Denial of Service (DDoS) attacks, among many others. The continuous strengthening of network attack methods and the continuous reduction of the cost of carrying out network attacks have led to a rapid decline in traditional network security defense capabilities. In response to this change, network security situational awareness technology came into being.

According to the task requirements of network security situational awareness and situational understanding, this paper realizes service situational awareness on the server. It analyzes the communication interaction characteristics of the IP flow records of the servers discovered in the CERNET security system to perceive the influence of the server and the user's dependence on the service. At the same time, the paper classifies the intent of the service, combines it with the influence of the service, and tracks important services to achieve the purpose of situational awareness.

First, this paper realizes a "port + protocol communication characteristics" protocol identification method by analyzing the communication characteristics of different protocols, such as flow duration, the number of packets in the flow, and the size of the packets in the flow, combined with an ensemble learning method. This method can effectively improve the accuracy of protocol identification and has been used successfully in an actual production environment.

Next, in order to characterize the different characteristics of services, this paper analyzes the overall properties of different services using three measures: popularity, activity, and stability. These three measures show whether the service running on a server port is well known to most people over a period of time, whether it provides services frequently, and whether it provides stable services. Because external factors change, the characteristics of different services behave differently in different periods. Therefore, this paper designs a multi-period service classification result fusion algorithm, which obtains the most prominent service characteristics of a service across multiple periods.

The paper then classifies the intention of the server in providing services. It uses seven measures: flow duration, average upstream packet size, average downstream packet size, total upstream bytes, total downstream bytes, upstream and downstream byte ratio, and context packet ratio. These measures divide service intentions into simple information provision, resource download, information push, resource upload, brief interaction, and social. The combined analysis of service characteristics and service intent can provide network managers with accurate and timely server situation information for better security response.

Finally, the paper designs a server situational awareness system, which continuously extracts the relevant protocol information, service feature categories, and service intent categories from IP flow records. The system applies the protocol identification and service classification algorithms described above in its different modules, and provides query functions for the service category distribution, geographical distribution, service feature category distribution, and service intent category distribution of different servers, effectively displaying the change patterns and trends of services over different time periods.
Keywords/Search Tags: IP flow record, protocol identification, service classification, situational awareness