论文总字数:37158字
摘 要
近年来,随着互联网技术的不断发展与推广,各类网络应用不断涌现。但是,在人们获取了更好的上网体验的同时,许多隐患也随之而来,比如一些应用非法获取用户隐私,大量吞噬网络带宽等,因此应用软件的识别技术对于网络管理人员甚至对于用户本身而言显得尤为重要。
本文研究并实现了基于流量分析的应用软件识别工具,通过Wireshark抓包工具抓取网络流量并提取流量特征以区分应用软件。该工具的实现主要分为三个步骤:应用协议的识别,应用软件的识别以及应用信息的识别。其中,应用协议的识别借鉴了网络入侵检测系统Snort的正则表达式来编写协议识别规则,最终识别了HTTP、FTP、OICQ、SMTP、POP3等常见的应用协议。应用软件的识别则是根据流量包中的主机名Host值进行识别,实现了50多款常见软件的识别。而应用信息的识别实现了对用户名、用户id、软件版本、操作系统信息等应用信息的定位与识别。最后,本文通过大量实验验证了本应用软件识别工具的准确性。
本文所设计的轻量级的应用软件识别工具能够以插件的形式部署于网络应用中,为网络监管提供最直接有效的帮助。
关键词:流量分析,协议识别,软件识别,规则匹配
Design and Implementation of Software Identification Tool Based on Traffic Analysis
Abstract
With the continuous development and promotion of Internet technology, various network applications emerges in large numbers during recent years. However, a number of risks follows while people get a better Internet experience, such as illegal access to user privacy, swallowing up the bandwidth of networks and so on, so the identification technology of applications becomes really very important for network administrators even for customers themselves.
This paper designs and implements a software identification tool based on traffic analysis which captures network traffic using a capture tool called Wireshark and extracts traffic characteristics to distinguish among application software. Implementation of this tool is mainly divided into three steps: identification of application protocol, identification of application software and identification of application information. The identification of application protocol draws on the experience of a network intrusion detection system called Snort and uses its regular expression to write the rules of protocol identification and finally we can identify some common application protocol such as HTTP, FTP, OICQ, SMTP, POP3. The identification of application software distinguishes among application software according to the “Host” value in traffic packages. We can identify more than 50 common software now. The identification of application information has implemented the location and identification of username, user id, software version, operating system and so on. Finally, a large number of experiments have been done to verify the accuracy of this software identification tool.
This lightweight software identification tool can be deployed in network applications as a plug-in and promote network monitoring directly and effectively.
KEY WORDS: Traffic Analysis, Protocol Identification, Software Identification, Rule Matching
目录
摘要 i
Abstract ii
第一章 绪论 1
1.1 研究背景与意义 1
1.2 研究现状 1
1.2.1传统的基于网络端口映射的识别 1
1.2.2基于数据包有效负载的识别 2
1.2.3基于数据流统计特征的识别 3
1.2.4基于机器学习的识别 3
1.3 研究目标和内容 4
1.4 论文组织结构 4
第二章 系统总体设计 5
2.1 系统结构设计 5
2.2 系统核心模块设计 5
2.2.1 应用协议识别模块的设计 5
2.2.2 应用软件识别模块的设计 8
2.2.3 应用信息识别模块的设计 8
2.3 本章小结 10
第三章 系统实现 11
3.1 应用协议识别模块的实现 11
3.1.1 HTTP 11
3.1.2 FTP 12
3.1.3 OICQ 15
3.1.4 SMTP 16
3.1.5 POP3 18
3.2 应用软件识别模块的实现 20
3.3 应用信息识别模块的实现 23
3.3.1 HTTP 23
3.3.2 FTP 25
3.3.3 OICQ 26
3.3.4 SMTP 26
3.3.5 POP3 27
3.4 本章小结 28
第四章 系统测试和结果分析 29
4.1 实验环境部署 29
4.2 应用协议识别模块的测试分析 29
4.3 应用软件识别及应用信息识别模块的测试分析 31
4.3.1 HTTP 31
4.3.2 FTP 34
4.3.3 OICQ 36
4.3.4 SMTP 40
4.3.5 POP3 42
4.4 本章小结 44
第五章 总结与展望 45
5.1 论文工作总结 45
5.2 工作展望 45
致谢 47
参考文献 49
- 绪论
1.1 研究背景与意义
截至2015年12月,中国网民规模达6.88亿,互联网普及率达到50.3%,半数中国人已接入互联网,其中,通过台式电脑和笔记本电脑接入互联网的比例分别为67.6%和38.7%。同时,移动互联网塑造了全新的社会生活形态,“互联网 ”行动计划不断助力企业发展,互联网对于整体社会的影响已进入到新的阶段[1],然而,随着人们对互联网依赖性的增强与网络流量每年呈几何倍的增长,网络安全和流量控制等问题越来越多。
剩余内容已隐藏,请支付后下载全文,论文总字数:37158字
该课题毕业论文、开题报告、外文翻译、程序设计、图纸设计等资料可联系客服协助查找;