CN104796406A - Method and device for identifying application - Google Patents
Method and device for identifying application Download PDFInfo
- Publication number
- CN104796406A CN104796406A CN201510125029.7A CN201510125029A CN104796406A CN 104796406 A CN104796406 A CN 104796406A CN 201510125029 A CN201510125029 A CN 201510125029A CN 104796406 A CN104796406 A CN 104796406A
- Authority
- CN
- China
- Prior art keywords
- application
- list item
- server
- identities
- feature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
Abstract
The invention provides a method and a device for identifying application. The method and the device are applied to network safety equipment. The method includes receiving application requests transmitted by the terminal equipment to an application server; judging whether first application table items with server characteristics identical to server characteristics of the application server are available in first application tables or not; determining whether the first application table items are usable or not when the first application table items with the server characteristics identical to the server characteristics of the application server are available in the first application tables; identifying the application according to application identifiers in the first application table items when the first application table items are usable. The server characteristics of the application server are carried in the application requests. Table items in the first application tables are the first application table items, and corresponding relations between the server characteristics and the application identifiers are stored in the first application table items. The application corresponds to the application requests. The method and the device have the advantage that the application identifying efficiency can be effectively improved.
Description
Technical field
The application relates to network communication technology field, particularly relates to a kind of application and identification method and device.
Background technology
At present, get more and more, comprising the firewall technology based on application based on the network management of applying and control.Fire compartment wall, carrying out based on application first will identifying application when intrusion detection, anti-virus detection, information filtering and traffic policing etc. control, therefore, identifies that application is most important rapidly and accurately.
Existing application identification technology mainly comprises port identification technology and the depth recognition technology based on message content.Wherein, port identification technology can only identify basic application, cannot realize the identification to more in-depth application; And expend time in long based on the depth recognition technology of message content, and all need to carry out depth recognition to message content when the new connection of each foundation, recognition efficiency is low, cannot meet the application scenarios high to requirement of real-time.
Summary of the invention
In view of this, the application provides a kind of application and identification method and device.
Particularly, the application is achieved by the following technical solution:
The application provides a kind of application and identification method, is applied to Network Security Device, and the method comprises:
The application request that receiving terminal apparatus sends to application server, carries the server feature of described application server in described application request;
To judge in the first application table whether presence server feature identical with the server feature of described application server first apply list item, the list item that described first application table comprises is the first application list item, preserves the corresponding relation of server feature and application identities in described first application list item;
When presence server feature in described first application table identical with the server feature of described application server first apply list item time, determine this first application list item whether can use;
When this first application list item can be used, the application that application request is corresponding according to the application identities identification in this first application list item.
The application also provides a kind of application identification device, is applied to Network Security Device, and this device comprises:
Receiving element, for the application request that receiving terminal apparatus sends to application server, carries the server feature of described application server in described application request;
Judging unit, for to judge in the first application table whether presence server feature identical with the server feature of described application server first apply list item, the list item that described first application table comprises is the first application list item, preserves the corresponding relation of server feature and application identities in described first application list item;
Determining unit, for when presence server feature in described first application table identical with the server feature of described application server first apply list item time, determine this first application list item whether can use;
Recognition unit, for when this first application list item can be used, the application that application request is corresponding according to the application identities identification in this first application list item.
As can be seen from foregoing description, server feature in the application request that terminal equipment sends by the application mates with the server feature in the first application table of local maintenance, obtain the first application list item that the match is successful, according to the application identities identification application in this first application list item, improve application identification efficiency.
Accompanying drawing explanation
Fig. 1 is the network safety system schematic diagram shown in the application one exemplary embodiment;
Fig. 2 is a kind of application and identification method flow chart shown in the application one exemplary embodiment;
Fig. 3 is the hardware configuration schematic diagram of a kind of networking security equipment shown in the application one exemplary embodiment;
Fig. 4 is the structural representation of a kind of application identification device shown in the application one exemplary embodiment.
Embodiment
Here will be described exemplary embodiment in detail, its sample table shows in the accompanying drawings.When description below relates to accompanying drawing, unless otherwise indicated, the same numbers in different accompanying drawing represents same or analogous key element.Execution mode described in following exemplary embodiment does not represent all execution modes consistent with the application.On the contrary, they only with as in appended claims describe in detail, the example of apparatus and method that some aspects of the application are consistent.
Only for describing the object of specific embodiment at term used in this application, and not intended to be limiting the application." one ", " described " and " being somebody's turn to do " of the singulative used in the application and appended claims is also intended to comprise most form, unless context clearly represents other implications.It is also understood that term "and/or" used herein refer to and comprise one or more project of listing be associated any or all may combine.
Term first, second, third, etc. may be adopted although should be appreciated that to describe various information in the application, these information should not be limited to these terms.These terms are only used for the information of same type to be distinguished from each other out.Such as, when not departing from the application's scope, the first information also can be called as the second information, and similarly, the second information also can be called as the first information.Depend on linguistic context, word as used in this " if " can be construed as into " ... time " or " when ... time " or " in response to determining ".
Figure 1 shows that network safety system schematic diagram.Wherein, PC is subscriber's main station; NSD is Network Security Device, such as, and fire compartment wall; Server1 ~ ServerN is application server, such as, and QQ server, micro-telecommunications services device etc.The access of user's application server need be carried out after based on the detection of applying, filtration through Network Security Device, just can communicate with application server, therefore, require that Network Security Device possesses application identification ability fast and accurately.
At present, application identification technology mainly comprises: the identification based on port and the identification based on message content.Wherein, the identification based on message content belongs to depth recognition technology, and identifiable design goes out embody rule, but all carries out depth recognition during each newly-built connection, and recognition efficiency is not high, cannot the high application scenarios of requirement of real time.
For the problems referred to above, the embodiment of the present application proposes a kind of application and identification method, the method is by sending to the server feature obtaining application server in the application request of application server from terminal equipment, according to the application table that this application server characteristic query this locality is preserved, when the application list item that presence server feature in local application table is identical with the server feature of application server, and this application list item can with time, the application corresponding according to this application request of application identities identification in this application list item.
See Fig. 2, be an embodiment flow chart of the application's application and identification method, this embodiment is described application identification processing procedure.
Step 201, the application request that receiving terminal apparatus sends to application server, carries the server feature of described application server in described application request.
Application server is as the term suggests be the network equipment providing service for a certain embody rule, such as, QQ server-specific is in providing QQ related service, and micro-telecommunications services device is exclusively used in provides micro-letter related service, therefore, by obtaining the relevant information identification embody rule of application server.The embodiment of the present application is after receiving the application request that terminal equipment sends to application server, obtain the server feature of the application server carried in this application request, this server feature can be the triplet information of application server, comprise host-host protocol, the IP address of application server and port numbers, IP address and the port numbers of usually serving the application server of a certain application immobilize.
Step 202, to judge in the first application table whether presence server feature identical with the server feature of described application server first apply list item, the list item that described first application table comprises is the first application list item, preserves the corresponding relation of server feature and application identities in described first application list item.
Dynamic Maintenance first application table in Network Security Device, preserves the corresponding relation of server feature and the application identities determined in this first application table.Network Security Device inquires about the first application table after getting the server feature of application server, judges whether to exist in the first application table the first application list item comprising this server feature, carries out subsequent treatment according to judged result.
Step 203, when presence server feature in described first application table identical with the server feature of described application server first apply list item time, determine this first application list item whether can use.
When presence server feature in the first application table identical with the server feature of application server first apply list item time, illustrate that other terminal equipment existing and this application server connect, and identified embody rule corresponding to this application server and be saved in the first application table, therefore, can according to the application identities identification application in the first application list item inquired.
But, before according to the application identities identification application in the first application list item, also need to determine whether this first application list item can be used.This is because, both other terminal equipment existing and this application server had been made to connect and identify embody rule, but still there is the possibility that application server changes, such as, the application type change of application server, or the IP address change of application server, or application server is stopped using, when there is above-mentioned situation, the server feature set up in first application list item and the corresponding relation of application identities lost efficacy, if still None-identified is gone out correct application according to this first application list item identification application, therefore, before according to the first application list item identification application, need determine whether the first application list item can be used, concrete deterministic process is as follows:
In one embodiment, using the use duration of the first application list item as determine the first application list item whether can foundation.Be specially: judge that use first is applied the duration that list item carries out application identification and whether is greater than default duration threshold value, if the duration using the first application list item to carry out application identification is greater than default duration threshold value, then determine that this first application list item is unavailable; If the duration using the first application list item to carry out application identification is not more than default duration threshold value, then determine that this first application list item can be used.The embodiment of the present application upgrades the corresponding relation of server feature and application identities in the first application list item by preset duration threshold period, situation about changing to answer application server, ensures the validity of the first application list item.Such as, suppose that the duration threshold value preset is 1 minute, then when the use duration of the first application list item is greater than 1 minute, determine that this first application list item is unavailable, start deep message and detect identification application (introducing in subsequent descriptions), re-establish the corresponding relation of server feature and application identities.
In another embodiment, using the access times of the first application list item as determine the first application list item whether can foundation.Be specially: judge that use first is applied the number of times that list item carries out application identification and whether is greater than default frequency threshold value, if the number of times using the first application list item to carry out application identification is greater than default frequency threshold value, then determine that this first application list item is unavailable; If the number of times using the first application list item to carry out application identification is not more than default frequency threshold value, then determines that this first application list item can be used, and the access times of this first application list item are added one.According to duration, principle judges whether the first application list item can, with identical, be all the abnormal conditions changed to solve application server with above-mentioned, ensure the validity of the first application list item, do not repeat them here.
Certainly, above-mentioned two kinds of execution modes can be used alone, and also can use simultaneously.Such as, accumulation duration and statistics number simultaneously, when wherein any one first reaches threshold value, determines that the first application list item is unavailable; Or, when both reaching threshold value respectively, determine that the first application list item is unavailable.
Step 204, when this first application list item can be used, the application that application request is corresponding according to the application identities identification in this first application list item.
In this step, according to step 203 to the first application list item whether can determination result, point following two kinds of situations process:
When the first application list item can be used, directly from the first application list item, obtain application identities, determine according to this application identities the application that this application request is corresponding.Visible, the embodiment of the present application, by the mode of mating with built vertical application list item, can accelerate the recognition efficiency of subsequent applications request.
When the first application list item is unavailable, delete this first application list item, start and detect the deep message of application request, detailed process is as follows: from the application request received, obtain application message, determine according to application message the application that this application request is corresponding.Wherein, application message refers to the information relevant to embody rule obtained from the message content of application request.For the application request of micro-letter uploaded videos, this application request is based on HTTP (Hyper Text Transfer Protocol, HTML (Hypertext Markup Language)) protocol realization, such as, GET short.weixin.qq.com/cgi-bin/micromsg-bin/uploadvideoHTTP/1.1, carry out deep message detection to this application request, and the application message obtained in message is short.weixin.qq.com, therefore, can determine this application request corresponding be applied as micro-letter.
After detecting identification application by deep message, the first application list item can be set up according to the application identities of the server feature of application server and the application identified, during the subsequently received application request to the transmission of same application server, to identify application fast.The embodiment of the present application, in order to improve the confidence level of application identification, adopted repeatedly deep message to detect with the confidence level improving application identification before setting up the first application list item.
Network Security Device except safeguarding that the first application table also safeguards second application table in this locality, comprises some second application list items, preserves the corresponding relation of server feature and application identities in the second application list item in this second application table.Second application list item, after carrying out confidence level process to the second application list item, adds in the first application table by the embodiment of the present application, so that as the first application list item identification application.
Wherein, the detailed process of confidence level process is: to judge in the second application table whether presence server feature identical with the server feature of application server second apply list item, divide following two kinds of situations to process according to judged result.
When in the second application table not the application identities of the application that the application request determined according to application message with this of the server feature of presence server feature and application server, application identities is corresponding all identical second apply list item time, then set up the second application list item according to the server feature of application server and the application identities of this application determined.This process is newly-built second application list item process, when the second application list item not finding server feature identical in the second application table, or, when the recognition result of the application request that the same application server of subtend sends is different, all need newly-built second application list item.
When the application identities of application corresponding to the application request that the server feature of presence server feature in the second application table and application server, application identities are determined according to application message with this all identical second apply list item time, then upgrade the reliability rating of this second application list item, when the reliability rating of the second application list item reaches default reliability rating threshold value, this the second application list item is added into the first application table, and from the second application table, deletes this second application list item.This process is the process of the second application list item mated being carried out to reliability rating renewal, when this second application list item is repeatedly matched to merit, illustrate that the corresponding relation of server feature and application identities in this second application list item has high confidence level, this second application list item can be used for application identification as the first application list item.
Above-mentioned processing procedure is the first application identification process when applying list item that presence server feature is identical with the server feature of application server in the first application table.When in the first application table not presence server feature identical with the server feature of application server first apply list item time, be handled as follows:
Application message is obtained, the application corresponding according to this application message determination application request from application request.To judge in the second application table whether presence server feature identical with the server feature of application server second apply list item.
When in the second application table not the application identities of the application that the application request determined according to application message with this of the server feature of presence server feature and application server, application identities is corresponding all identical second apply list item time, then set up the second application list item according to the server feature of application server and the application identities of this application determined.
When the application identities of application corresponding to the application request that the server feature of presence server feature in the second application table and application server, application identities are determined according to application message with this all identical second apply list item time, then upgrade the reliability rating of this second application list item, when the reliability rating of the second application list item reaches default reliability rating threshold value, this the second application list item is added into the first application table, and from the second application table, deletes this second application list item.
As can be seen from foregoing description, the first processing procedure and aforementioned first when applying list item that in first application table, presence server feature is not identical with the server feature of application server apply list item unavailable time processing procedure identical, the application request to receiving all is needed to carry out deep message detection, and comprise first of server feature and application identities corresponding relation and apply list item generating after repeated detection, do not repeat them here.
In addition, in the embodiment of the present application, aging duration is all preset to all application list items, when the first application list item is not mated in the aging duration preset, or second application list item preset aging duration in reliability rating constant time, delete corresponding application list item, releasing memory, avoids the unnecessary wasting of resources.
Now still for Fig. 1, introduce application identification process in detail.
Suppose, Server1 is micro-telecommunications services device, and IP address is 177.10.10.1, and other application server does not illustrate.
When PC sends application request, NSD tackles this application request, and carries out application identification to this application request.First, NSD obtains the triplet information of application server from this application request, supposes that this triplet information is tcp 177.10.10.1:80, inquires about the first application table, see table 1 according to this triplet information.
Table 1
Visible above-mentioned triplet information is mated with the 1st article of first server feature applied in list item.Now, need to judge whether this first application list item can be used further, suppose to use this first application list item to carry out the number of times of application identification as basis for estimation in the embodiment of the present application, and the frequency threshold value preset is 10.
If be not more than 10 times according to the number of times of the 1st article of first application list item identification application before this receives application request, then this application request received still can according to this first application list item identification application, namely from this first application list item, obtain application identities WX corresponding to server feature, according to this application identities can determine application request that this PC initiates corresponding be applied as micro-letter.
If be greater than 10 times according to the number of times of the 1st article of first application list item identification application before this receives application request, then the 1st article of first application list item in delete list 1, now, the first application table in NSD is as shown in table 2.
Table 2
After list item is applied in deletion first, deep message detection is carried out to this application request.Suppose, before receiving this application request, Server1 changes to excellent cruel server from micro-telecommunications services device, then carry out deep message detection to the message content of this application request, identify this application request corresponding be applied as extremely excellent.Meanwhile, the triplet information (tcp177.10.10.1:80) according to application server in this application request inquires about the second application table, as shown in table 3.
Table 3
Do not have server feature to mate with tcp 177.10.10.1:80 in this second application table second applies list item, therefore, foundation comprises second of application identities (application identities YK the represents excellent cruel) corresponding relation of server feature (tcp 177.10.10.1:80) and the application that identifies and applies list item, as shown in table 4.
Table 4
The 3rd article of second application list item in table 4 is the new list item added, and for this list item arranges initial trust grade, supposes that initial trust grade is 1.When the subsequently received application request to same application server (tcp177.10.10.1:80), continue to carry out deep message detection to application request, if the result identified is still for extremely excellent, then upgrade the reliability rating of the 3rd article of second application list item.Suppose, when the reliability rating of this second application list item reaches 3, when namely detecting that all to identify this application server be excellent cruel server by 3 deep messages, then think that the 3rd article of second corresponding relation applying server feature and application identities in list item in table 4 is believable, this the second application list item adds in the first application table, and the 3rd article of second application list item in delete list 4, see table 5 and table 6.
Table 5
Table 6
Therefore, when follow-up application server (tcp 177.10.10.1:80) sends application request, NSD is applied as extremely excellent according to article the first application list item identification of the 3rd in table 5.Visible, the application, when application server changes, still can ensure correctly to identify application.
As can be seen from foregoing description, server feature in the application request that terminal equipment sends by the application mates with the server feature in the first application table of local maintenance, obtain the first application list item that the match is successful, according to the application identities identification application in this first application list item, improve application identification efficiency.
Corresponding with the embodiment of aforementioned applications recognition methods, present invention also provides the embodiment of application identification device.
The embodiment of the application's application identification device can be applied on networking security equipment.Device embodiment can pass through software simulating, also can be realized by the mode of hardware or software and hardware combining.For software simulating, as the device on a logical meaning, be that computer program instructions corresponding in the processor run memory by its place equipment is formed.Say from hardware view, as shown in Figure 3, for a kind of hardware structure diagram of the application's application identification device place equipment, except the processor shown in Fig. 3, network interface and memory, in embodiment, the equipment at device place is usually according to the actual functional capability of this equipment, other hardware can also be comprised, this is repeated no more.
Please refer to Fig. 4, is the structural representation of the application identification device in the application's embodiment.This application identification device comprises receiving element 401, judging unit 402, determining unit 403 and recognition unit 404, wherein:
Receiving element 401, for the application request that receiving terminal apparatus sends to application server, carries the server feature of described application server in described application request;
Judging unit 402, for to judge in the first application table whether presence server feature identical with the server feature of described application server first apply list item, the list item that described first application table comprises is the first application list item, preserves the corresponding relation of server feature and application identities in described first application list item;
Determining unit 403, for when presence server feature in described first application table identical with the server feature of described application server first apply list item time, determine this first application list item whether can use;
Recognition unit 404, for when this first application list item can be used, the application that application request is corresponding according to the application identities identification in this first application list item.
Further, described application identification device also comprises:
Delete cells, for when the first application list item is unavailable, deletes this first application list item;
Described recognition unit 404, also for obtaining application message from described application request, determines according to described application message the application that described application request is corresponding;
Maintenance unit, for to judge in the second application table whether presence server feature identical with the server feature of described application server second apply list item, the list item that described second application table comprises is the second application list item, preserves the corresponding relation of server feature and application identities in described second application list item; When in the second application table not the application identities of the application that the application request determined according to application message with this of the server feature of presence server feature and described application server, application identities is corresponding all identical second apply list item time, then set up the second application list item according to the server feature of described application server and the application identities of this application determined; When the application identities of application corresponding to the application request that the server feature of presence server feature in described second application table and described application server, application identities are determined according to application message with this all identical second apply list item time, then upgrade the reliability rating of this second application list item, when the reliability rating of the second application list item reaches default reliability rating threshold value, this the second application list item is added into the first application table, and from the second application table, deletes this second application list item.
Further,
Described determining unit 403, specifically for judging that use first is applied the duration that list item carries out application identification and whether is greater than default duration threshold value; If the duration using the first application list item to carry out application identification is greater than default duration threshold value, then determine that this first application list item is unavailable; If the duration using the first application list item to carry out application identification is not more than default duration threshold value, then determine that this first application list item can be used.
Further,
Described determining unit 403, specifically for judging that use first is applied the number of times that list item carries out application identification and whether is greater than default frequency threshold value; If the number of times using the first application list item to carry out application identification is greater than default frequency threshold value, then determine that this first application list item is unavailable; If the number of times using the first application list item to carry out application identification is not more than default frequency threshold value, then determines that this first application list item can be used, and the access times of this first application list item are added one.
Further, described application identification device also comprises:
Described recognition unit 404, also for when in described first application table not presence server feature identical with the server feature of described application server first apply list item time, from described application request, obtain application message; The application that described application request is corresponding is determined according to described application message;
Maintenance unit, for to judge in the second application table whether presence server feature identical with the server feature of described application server second apply list item, the list item that described second application table comprises is the second application list item, preserves the corresponding relation of server feature and application identities in described second application list item; When in the second application table not the application identities of the application that the application request determined according to application message with this of the server feature of presence server feature and described application server, application identities is corresponding all identical second apply list item time, then set up the second application list item according to the server feature of described application server and the application identities of this application determined; When the application identities of application corresponding to the application request that the server feature of presence server feature in described second application table and described application server, application identities are determined according to application message with this all identical second apply list item time, then upgrade the reliability rating of this second application list item, when the reliability rating of the second application list item reaches default reliability rating threshold value, this the second application list item is added into the first application table, and from the second application table, deletes this second application list item.
In said apparatus, the implementation procedure of the function and efficacy of unit specifically refers to the implementation procedure of corresponding step in said method, does not repeat them here.
For device embodiment, because it corresponds essentially to embodiment of the method, so relevant part illustrates see the part of embodiment of the method.Device embodiment described above is only schematic, the wherein said unit illustrated as separating component or can may not be and physically separates, parts as unit display can be or may not be physical location, namely can be positioned at a place, or also can be distributed in multiple network element.Some or all of module wherein can be selected according to the actual needs to realize the object of the application's scheme.Those of ordinary skill in the art, when not paying creative work, are namely appreciated that and implement.
The foregoing is only the preferred embodiment of the application, not in order to limit the application, within all spirit in the application and principle, any amendment made, equivalent replacements, improvement etc., all should be included within scope that the application protects.
Claims (10)
1. an application and identification method, is applied to Network Security Device, it is characterized in that, the method comprises:
The application request that receiving terminal apparatus sends to application server, carries the server feature of described application server in described application request;
To judge in the first application table whether presence server feature identical with the server feature of described application server first apply list item, the list item that described first application table comprises is the first application list item, preserves the corresponding relation of server feature and application identities in described first application list item;
When presence server feature in described first application table identical with the server feature of described application server first apply list item time, determine this first application list item whether can use;
When this first application list item can be used, the application that application request is corresponding according to the application identities identification in this first application list item.
2. method according to claim 1, is characterized in that, described method also comprises:
When the first application list item is unavailable, delete this first application list item;
From described application request, obtain application message, determine according to described application message the application that described application request is corresponding;
To judge in the second application table whether presence server feature identical with the server feature of described application server second apply list item, the list item that described second application table comprises is the second application list item, preserves the corresponding relation of server feature and application identities in described second application list item;
When in the second application table not the application identities of the application that the application request determined according to application message with this of the server feature of presence server feature and described application server, application identities is corresponding all identical second apply list item time, then set up the second application list item according to the server feature of described application server and the application identities of this application determined;
When the application identities of application corresponding to the application request that the server feature of presence server feature in described second application table and described application server, application identities are determined according to application message with this all identical second apply list item time, then upgrade the reliability rating of this second application list item, when the reliability rating of the second application list item reaches default reliability rating threshold value, this the second application list item is added into the first application table, and from the second application table, deletes this second application list item.
3. method according to claim 1 and 2, is characterized in that, describedly determines that this first application list item whether can with being specially:
Judge that use first is applied the duration that list item carries out application identification and whether is greater than default duration threshold value;
If the duration using the first application list item to carry out application identification is greater than default duration threshold value, then determine that this first application list item is unavailable;
If the duration using the first application list item to carry out application identification is not more than default duration threshold value, then determine that this first application list item can be used.
4. method according to claim 1 and 2, is characterized in that, describedly determines that this first application list item whether can with being specially:
Judge that use first is applied the number of times that list item carries out application identification and whether is greater than default frequency threshold value;
If the number of times using the first application list item to carry out application identification is greater than default frequency threshold value, then determine that this first application list item is unavailable;
If the number of times using the first application list item to carry out application identification is not more than default frequency threshold value, then determines that this first application list item can be used, and the access times of this first application list item are added one.
5. the method for claim 1, is characterized in that, described method also comprises:
When in described first application table not presence server feature identical with the server feature of described application server first apply list item time, from described application request, obtain application message;
The application that described application request is corresponding is determined according to described application message;
To judge in the second application table whether presence server feature identical with the server feature of described application server second apply list item, the list item that described second application table comprises is the second application list item, preserves the corresponding relation of server feature and application identities in described second application list item;
When in the second application table not the application identities of the application that the application request determined according to application message with this of the server feature of presence server feature and described application server, application identities is corresponding all identical second apply list item time, then set up the second application list item according to the server feature of described application server and the application identities of this application determined;
When the application identities of application corresponding to the application request that the server feature of presence server feature in described second application table and described application server, application identities are determined according to application message with this all identical second apply list item time, then upgrade the reliability rating of this second application list item, when the reliability rating of the second application list item reaches default reliability rating threshold value, this the second application list item is added into the first application table, and from the second application table, deletes this second application list item.
6. an application identification device, is applied to Network Security Device, it is characterized in that, this device comprises:
Receiving element, for the application request that receiving terminal apparatus sends to application server, carries the server feature of described application server in described application request;
Judging unit, for to judge in the first application table whether presence server feature identical with the server feature of described application server first apply list item, the list item that described first application table comprises is the first application list item, preserves the corresponding relation of server feature and application identities in described first application list item;
Determining unit, for when presence server feature in described first application table identical with the server feature of described application server first apply list item time, determine this first application list item whether can use;
Recognition unit, for when this first application list item can be used, the application that application request is corresponding according to the application identities identification in this first application list item.
7. device according to claim 6, is characterized in that, described device also comprises:
Delete cells, for when the first application list item is unavailable, deletes this first application list item;
Described recognition unit, also for obtaining application message from described application request, determines according to described application message the application that described application request is corresponding;
Maintenance unit, for to judge in the second application table whether presence server feature identical with the server feature of described application server second apply list item, the list item that described second application table comprises is the second application list item, preserves the corresponding relation of server feature and application identities in described second application list item; When in the second application table not the application identities of the application that the application request determined according to application message with this of the server feature of presence server feature and described application server, application identities is corresponding all identical second apply list item time, then set up the second application list item according to the server feature of described application server and the application identities of this application determined; When the application identities of application corresponding to the application request that the server feature of presence server feature in described second application table and described application server, application identities are determined according to application message with this all identical second apply list item time, then upgrade the reliability rating of this second application list item, when the reliability rating of the second application list item reaches default reliability rating threshold value, this the second application list item is added into the first application table, and from the second application table, deletes this second application list item.
8. the device according to claim 6 or 7, is characterized in that:
Described determining unit, specifically for judging that use first is applied the duration that list item carries out application identification and whether is greater than default duration threshold value; If the duration using the first application list item to carry out application identification is greater than default duration threshold value, then determine that this first application list item is unavailable; If the duration using the first application list item to carry out application identification is not more than default duration threshold value, then determine that this first application list item can be used.
9. the device according to claim 6 or 7, is characterized in that:
Described determining unit, specifically for judging that use first is applied the number of times that list item carries out application identification and whether is greater than default frequency threshold value; If the number of times using the first application list item to carry out application identification is greater than default frequency threshold value, then determine that this first application list item is unavailable; If the number of times using the first application list item to carry out application identification is not more than default frequency threshold value, then determines that this first application list item can be used, and the access times of this first application list item are added one.
10. device as claimed in claim 6, it is characterized in that, described device also comprises:
Described recognition unit, also for when in described first application table not presence server feature identical with the server feature of described application server first apply list item time, from described application request, obtain application message; The application that described application request is corresponding is determined according to described application message;
Maintenance unit, for to judge in the second application table whether presence server feature identical with the server feature of described application server second apply list item, the list item that described second application table comprises is the second application list item, preserves the corresponding relation of server feature and application identities in described second application list item; When in the second application table not the application identities of the application that the application request determined according to application message with this of the server feature of presence server feature and described application server, application identities is corresponding all identical second apply list item time, then set up the second application list item according to the server feature of described application server and the application identities of this application determined; When the application identities of application corresponding to the application request that the server feature of presence server feature in described second application table and described application server, application identities are determined according to application message with this all identical second apply list item time, then upgrade the reliability rating of this second application list item, when the reliability rating of the second application list item reaches default reliability rating threshold value, this the second application list item is added into the first application table, and from the second application table, deletes this second application list item.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510125029.7A CN104796406B (en) | 2015-03-20 | 2015-03-20 | A kind of application and identification method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510125029.7A CN104796406B (en) | 2015-03-20 | 2015-03-20 | A kind of application and identification method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104796406A true CN104796406A (en) | 2015-07-22 |
| CN104796406B CN104796406B (en) | 2018-06-12 |
Family
ID=53560918
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510125029.7A Active CN104796406B (en) | 2015-03-20 | 2015-03-20 | A kind of application and identification method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104796406B (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105591973A (en) * | 2015-12-31 | 2016-05-18 | 杭州数梦工场科技有限公司 | Application recognition method and apparatus |
| CN106385402A (en) * | 2016-08-31 | 2017-02-08 | 东软集团股份有限公司 | Application identification method and device, application session table sending method and server |
| CN107133240A (en) * | 2016-02-29 | 2017-09-05 | 阿里巴巴集团控股有限公司 | Page monitoring method, apparatus and system |
| CN107306255A (en) * | 2016-04-21 | 2017-10-31 | 阿里巴巴集团控股有限公司 | Defend flow attacking method, the presets list generation method, device and cleaning equipment |
| CN107483411A (en) * | 2017-07-25 | 2017-12-15 | 中国联合网络通信集团有限公司 | Business recognition method and system |
| CN107787003A (en) * | 2016-08-24 | 2018-03-09 | 中兴通讯股份有限公司 | A kind of method and apparatus of flow detection |
| CN107864127A (en) * | 2017-10-30 | 2018-03-30 | 北京神州绿盟信息安全科技股份有限公司 | A kind of recognition methods of application program and device |
| CN110768875A (en) * | 2019-12-27 | 2020-02-07 | 北京安博通科技股份有限公司 | Application identification method and system based on DNS learning |
| CN111628984A (en) * | 2020-05-21 | 2020-09-04 | 网神信息技术(北京)股份有限公司 | Information processing method, apparatus, device, medium, and program product |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102025636A (en) * | 2010-12-09 | 2011-04-20 | 北京星网锐捷网络技术有限公司 | Message feature processing method and device as well as network equipment |
| CN102325078A (en) * | 2011-06-28 | 2012-01-18 | 北京星网锐捷网络技术有限公司 | Application identification method and device |
| CN103873356A (en) * | 2012-12-11 | 2014-06-18 | 中国电信股份有限公司 | Household gateway based application identification method and system, and household gateway |
-
2015
- 2015-03-20 CN CN201510125029.7A patent/CN104796406B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102025636A (en) * | 2010-12-09 | 2011-04-20 | 北京星网锐捷网络技术有限公司 | Message feature processing method and device as well as network equipment |
| CN102325078A (en) * | 2011-06-28 | 2012-01-18 | 北京星网锐捷网络技术有限公司 | Application identification method and device |
| CN103873356A (en) * | 2012-12-11 | 2014-06-18 | 中国电信股份有限公司 | Household gateway based application identification method and system, and household gateway |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105591973A (en) * | 2015-12-31 | 2016-05-18 | 杭州数梦工场科技有限公司 | Application recognition method and apparatus |
| CN105591973B (en) * | 2015-12-31 | 2019-12-20 | 杭州数梦工场科技有限公司 | Application identification method and device |
| CN107133240A (en) * | 2016-02-29 | 2017-09-05 | 阿里巴巴集团控股有限公司 | Page monitoring method, apparatus and system |
| CN107306255A (en) * | 2016-04-21 | 2017-10-31 | 阿里巴巴集团控股有限公司 | Defend flow attacking method, the presets list generation method, device and cleaning equipment |
| CN107787003A (en) * | 2016-08-24 | 2018-03-09 | 中兴通讯股份有限公司 | A kind of method and apparatus of flow detection |
| CN106385402A (en) * | 2016-08-31 | 2017-02-08 | 东软集团股份有限公司 | Application identification method and device, application session table sending method and server |
| CN107483411B (en) * | 2017-07-25 | 2020-01-31 | 中国联合网络通信集团有限公司 | Service identification method and system |
| CN107483411A (en) * | 2017-07-25 | 2017-12-15 | 中国联合网络通信集团有限公司 | Business recognition method and system |
| CN107864127A (en) * | 2017-10-30 | 2018-03-30 | 北京神州绿盟信息安全科技股份有限公司 | A kind of recognition methods of application program and device |
| CN107864127B (en) * | 2017-10-30 | 2020-07-10 | 北京神州绿盟信息安全科技股份有限公司 | Application program identification method and device |
| CN110768875A (en) * | 2019-12-27 | 2020-02-07 | 北京安博通科技股份有限公司 | Application identification method and system based on DNS learning |
| CN111628984A (en) * | 2020-05-21 | 2020-09-04 | 网神信息技术(北京)股份有限公司 | Information processing method, apparatus, device, medium, and program product |
| CN111628984B (en) * | 2020-05-21 | 2023-01-06 | 奇安信网神信息技术(北京)股份有限公司 | Information processing method, device, equipment and medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104796406B (en) | 2018-06-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104796406A (en) | Method and device for identifying application | |
| CN108768943B (en) | Method and device for detecting abnormal account and server | |
| KR101901911B1 (en) | Method and apparatus for detecting malware and medium record of | |
| CN101674293B (en) | Method and system for processing abnormal request in distributed application | |
| CN106339309B (en) | Application program testing method, client and system | |
| CN106936791B (en) | Method and device for intercepting malicious website access | |
| EP3396905B1 (en) | Method and device for securely sending a message | |
| US9137245B2 (en) | Login method, apparatus, and system | |
| CN110069911B (en) | Access control method, device, system, electronic equipment and readable storage medium | |
| CN108134816B (en) | Access to data on remote device | |
| CN105991412A (en) | Method and device for pushing message | |
| CN111614624A (en) | Risk detection method, device, system and storage medium | |
| CN108600145B (en) | Method and device for determining DDoS attack equipment | |
| CN108011779A (en) | The test method of Cloud Server task throughput under limited resources supplIes | |
| CN107707569A (en) | DNS request processing method and DNS systems | |
| CN112261111A (en) | Method and system for realizing cross-domain access of browser in application program | |
| US20230254146A1 (en) | Cybersecurity guard for core network elements | |
| CN109361712B (en) | Information processing method and information processing device | |
| CN113709136B (en) | Access request verification method and device | |
| CN113596105B (en) | Content acquisition method, edge node and computer readable storage medium | |
| US11363020B2 (en) | Method, device and storage medium for forwarding messages | |
| CN106803830B (en) | Method, device and system for identifying internet access terminal and User Identity Module (UIM) card | |
| CN108768987B (en) | Data interaction method, device and system | |
| JP2013069016A (en) | Information leakage prevention device and limitation information generation device | |
| CN106850701B (en) | Mobile terminal sharing isolation method and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| EXSB | Decision made by sipo to initiate substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information | ||
| CB02 | Change of applicant information |
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Applicant after: Xinhua three Technology Co., Ltd. Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Applicant before: Huasan Communication Technology Co., Ltd. |
|
| GR01 | Patent grant | ||
| GR01 | Patent grant |