US 12,489,820 B2
Method and system for data stream analysis
François Courvoisier, Paris (FR); and Frederic Le Picard, Paris (FR)
Assigned to NANO CORP., Paris (FR)
Appl. No. 18/690,226
Filed by NANO CORP., Paris (FR)
PCT Filed Sep. 7, 2022, PCT No. PCT/EP2022/074915
§ 371(c)(1), (2) Date Mar. 7, 2024,
PCT Pub. No. WO2023/036846, PCT Pub. Date Jun. 16, 2023.
Claims priority of application No. 2109379 (FR), filed on Sep. 7, 2021.
Prior Publication US 2024/0406274 A1, Dec. 5, 2024
Int. Cl. G06F 15/16 (2006.01); H04L 67/146 (2022.01); H04L 69/18 (2022.01); H04L 69/22 (2022.01)
CPC H04L 67/146 (2013.01) [H04L 69/18 (2013.01); H04L 69/22 (2013.01)]
19 Claims
1. A method for analysing a data stream of batches of packets received via a communications network, wherein the data stream comprises batches of packets each defined by a chain of communication protocols attached to at least one session, wherein the method comprises a protocol analysis (DAP) according to the following steps:
analysing the first protocol Pi of a chain of communication protocols according to an explicit detection classification step configured to check whether the first protocol (Pi) announces the next communication protocol (Pi+1) of the protocol chain:
in the case of announcement, the next protocol (Pi+1) thus announced is identified;
wherein in the case of non-announcement, analysing the next protocol (Pi+1) according to a session detection classification step;
analysing according to a session detection classification step, configured to check whether the protocol Pi+1 is attached to a known protocol chain according to a dynamic decision-making tree by querying a dynamic session database (BDDS) comprising identified protocol chains:
in the case of attachment, the protocol Pi+1 is identified, and the protocol Pi+2 is analysed by repeating the explicit detection classification step and session detection classification step;
wherein in the case of non-attachment, analysing the protocol Pi+1 according to a deep packet inspection classification step;
analysing the protocol Pi+1 according to a deep packet inspection classification step, configured to identify the packet communication protocol Pi+1 according to a dynamic decision-making tree correlated to a knowledge database (BDC) comprising protocol analysis parameters and a database of markers specific to each known protocol;
if the protocol Pi+1 is not identified, issuing a list of potential candidate protocols to be taken into account according to at least two detection branches, each detection being attached to a sub-session determined to analyse the next protocol or protocols Pi+n with n≥2 by repeating the steps of explicit detection classification, session detection classification, and deep packet inspection classification until at least one protocol, the identity of which is certain, is identified;
if a protocol Pi+n, the identity of which is certain, is identified on a detection branch, retrospectively validating the detection branch, and discarding the remaining non-validated detection branches;
in the case of failure to identify a protocol Pi+n, the identity of which is certain, on a detection branch, retrospectively classifying the protocol Pi+1 as unknown; and
associating a label with the data packets according to each session for which the protocols have been identified.
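
The cascade recited in claim 1, sketched as an added example (not code from the patent or from the assignee). The toy protocols OUTER, TUN_A, TUN_B and APP, their byte layouts, and the dictionaries standing in for the knowledge database (BDC) and session database (BDDS) are all assumptions made for illustration.

```python
# Toy stand-in for the knowledge database (BDC); every protocol is constructed.
# name -> (marker prefix, marker alone is conclusive, header length or None
# for a leaf, {value of header byte 1: protocol that value announces})
KB = {
    "OUTER": (b"\x10", True, 2, {b"\x02": "APP"}),
    "TUN_A": (b"\x7f", False, 2, {}),   # same marker as TUN_B,
    "TUN_B": (b"\x7f", False, 4, {}),   # different header length
    "APP":   (b"APP1", True, None, {}),
}

def analyse(flow, chain, data, sessions):
    """chain[-1] is identified and data starts at its header.
    Returns (labels, True if a later protocol was identified with certainty)."""
    _, _, hlen, announces = KB[chain[-1]]
    rest = data[hlen:] if hlen else b""
    if not rest:
        return chain, False
    key = (flow, tuple(chain))
    # 1. explicit detection, then 2. session detection against the session DB
    nxt = announces.get(data[1:2]) or sessions.get(key)
    if nxt:
        return analyse(flow, chain + [nxt], rest, sessions)[0], True
    # 3. deep packet inspection: match markers from the knowledge base
    cands = [n for n, (marker, *_) in KB.items() if rest.startswith(marker)]
    sure = [n for n in cands if KB[n][1]]
    # A conclusive marker gives one branch; otherwise each candidate is a branch.
    for cand in sure[:1] or cands:
        labels, ok = analyse(flow, chain + [cand], rest, sessions)
        if sure or ok:            # validated: keep this branch, drop the others
            sessions[key] = cand  # remember the chain for later packets
            return labels, True
    return chain + ["unknown"], False   # no branch reached a certain protocol

def label_packet(flow, data, sessions):
    """Label one packet whose first protocol is OUTER (assumed known)."""
    return analyse(flow, ["OUTER"], data, sessions)[0]

FLOW = ("10.0.0.1", "10.0.0.2", 4000)   # constructed flow key
sessions = {}                            # BDDS stand-in, filled as chains resolve
first = label_packet(FLOW, b"\x10\x00\x7f\x00\x00\x00APP1hello", sessions)
again = label_packet(FLOW, b"\x10\x00\x7f\x00\x00\x00APP1world", sessions)
```

In the first packet the marker 0x7f is ambiguous, so both tunnel candidates are tried; only the TUN_B branch lands on the conclusive APP marker, which validates it retrospectively. The second packet of the same flow resolves from the session entries without inspection.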