An Automaton-Based TCP Flow Identification Algorithm

Journal: Acta Electronica Sinica (电子学报)


Abstract

To improve flow-identification performance, this paper proposes a flow-identification algorithm for TCP (Transmission Control Protocol) traffic. The algorithm constructs a bidirectional-flow finite state automaton based on the interaction between the two communicating parties under TCP, and the automaton judges flow termination according to the TCP protocol rules and the current state of the flow. A rule-based filtering mechanism and a timeout strategy serve as auxiliary measures to quickly identify single-packet flows and abnormally interrupted flows. Both the memory overhead and the total overhead of memory and computing resources are lower than those of the classic algorithm FT (Fixed Timeout strategy) and the similar representative algorithm TSAT (Two-level Self-Adaptive Timeout). The algorithm is also more accurate than TSAT and loses only a little accuracy compared with the default accuracy standard. Because it identifies TCP flows based on protocol rules, it obtains high identification accuracy and saves the extra time spent waiting for flows to time out. It is especially suitable when the proportion of small flows, medium flows, or irregular TCP flows is large, so the flow-identification system can keep working normally during network anomalies such as worm outbreaks and DDoS attacks.
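The approach the abstract describes can be sketched as a small flow table; this is an added example, not the paper's automaton. The states, the single-packet filter rule, the 64-second idle timeout, and the packet tuples are all assumptions constructed for illustration, and sequence numbers are not checked.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 64.0  # assumed idle timeout (seconds); not a value from the paper
@dataclass
class Flow:
    last: float                                 # time of most recent packet
    packets: int = 0
    fin_from: set = field(default_factory=set)  # endpoints that have sent FIN

class FlowTable:
    def __init__(self):
        self.active, self.done = {}, []  # live flows; (key, packets, reason) records
    def _close(self, key, reason):
        self.done.append((key, self.active.pop(key).packets, reason))

    def expire(self, now):
        # Timeout strategy: catches flows that stop without FIN or RST.
        for k in [k for k, f in self.active.items() if now - f.last > IDLE_TIMEOUT]:
            self._close(k, "timeout")

    def packet(self, ts, src, dst, flags):
        self.expire(ts)
        k = (src, dst) if src <= dst else (dst, src)  # one key for both directions
        flow = self.active.get(k)
        if flow is None:
            if "S" not in flags:  # assumed filter rule: no SYN and no flow state
                self.done.append((k, 1, "single-packet"))
                return
            flow = self.active[k] = Flow(last=ts)
        flow.packets, flow.last = flow.packets + 1, ts
        if "R" in flags:
            self._close(k, "rst")
        elif "F" in flags:
            flow.fin_from.add(src)
        elif "A" in flags and len(flow.fin_from) == 2:
            self._close(k, "fin")  # ACK after FINs from both sides (seq numbers unchecked)

# Constructed sample packets: (timestamp, source, destination, TCP flags)
A, B, C, D = ("10.0.0.1", 40000), ("10.0.0.2", 80), ("10.0.0.3", 5555), ("10.0.0.4", 6666)
SAMPLE = [(0.0, A, B, "S"), (0.1, B, A, "SA"), (0.2, A, B, "A"), (1.0, A, B, "FA"),
          (1.1, B, A, "A"), (1.2, B, A, "FA"), (1.3, A, B, "A"),  # normal close
          (2.0, C, B, "A"), (3.0, D, B, "S"),   # stray ACK; SYN never answered
          (100.0, A, B, "S"), (100.1, B, A, "R")]  # new flow, reset

def demo():
    table = FlowTable()
    for pkt in SAMPLE:
        table.packet(*pkt)
    return [(n, why) for _, n, why in table.done]
```

The normally closed flow is released on its final ACK rather than after an idle wait, which is the saving in flow keeping-time that the abstract attributes to protocol-rule-based termination.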
