Method and system to identify network protocols based on description of client-server interaction

Russian patent RU 2485705

FIELD: radio engineering, communications.

SUBSTANCE: the method of identifying network protocols on the basis of a description of client-server interaction comprises describing the available protocols of client-server interaction, collecting data on bidirectional network interaction between the client and the server, simultaneously identifying packets belonging to multiple sessions of bidirectional interaction between the client and the server by the identified protocols, analysing the parameters and the sequence of interaction of the client-server components, and identifying the network protocols according to which the client-server interaction is carried out.

EFFECT: increased efficiency of network protocols identification.

2 cl, 1 dwg

 

The invention relates to the field of computer systems, namely to the description of client-server interaction, the analysis of protocols and automated network analysis, including the identification of network protocols.

Wireshark, formerly known as Ethereal, is the world's best-known network protocol analyser, used both in the information technology industry and for educational purposes. Wireshark captures network traffic directly by listening on a network interface (via libpcap library functions) or by reading a previously saved traffic dump file.

Wireshark performs analysis of network packets and identification of a wide variety of known protocols, and provides a comprehensive user interface with the ability to select the source of network traffic (one of the installed network interfaces or a specified file), to view summary data of the read network packets (upper-layer protocol, packet length), the packet fields selected in accordance with the protocol specification, and a hex dump of the packet. The user interface also implements filtering of network protocols by the values of their individual fields. Wireshark is distinguished from other network traffic analysis programs by additional functions: assembling the packets belonging to one TCP (Transmission Control Protocol) connection and extracting the string data transmitted through that connection.

The Cisco NX-OS Ethanalyzer hardware and software traffic analyser is built on TShark, the console version of Wireshark. The Cisco Nexus 7000 series device is designed to perform the most complete control of traffic in the network. This hardware system for network traffic analysis is based on the modern modular Cisco NX-OS operating system, which is built on the Linux kernel. Cisco Nexus 7000 provides the following key features: collection and analysis of network traffic in real time; filtering of the collected packets by an expression in BPF (Berkeley Packet Filter) format; analysis and identification of network protocols; detailed output of information about the analysed network packets to the console; analysis of network traffic previously stored in a dump file; and detailed analysis of individual network packets that meet criteria defined by special rules.

Although the additional functionality of the described hardware and software tools for analysing network traffic provides the ability to restore a session of client-server interaction over TCP, as well as the ability to define packet descriptions that can be used to identify protocols in general, there is no possibility of using the observed client-server interaction to identify the application-layer network protocol. This is because these tools lack a universal representation of client-server interaction and descriptions of the sequences of packet groups that can be attributed to such interaction (Cisco Nexus 7000 Series Architecture: Built-in Wireshark Capability for Network Visibility and Control, URL: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/white_paper_c11-554444.html).

The device selected as the prototype describes embodiments of a system and method for adaptive classification of network traffic using historical context.

It uses the term "network monitoring device" (NMD). This device can monitor the network connection from client to server and back. The device can also extract information about packets at different levels of the protocol stack. The device can reassemble the data streams exchanged at each level of the protocol stack and, when required, decrypt the data. The device can passively listen to network traffic or split and relay the traffic flow as an intermediary.

When performing traffic classification, the device simultaneously processes packets from one to many network connections. In one embodiment, the device classifies network traffic according to the network communication protocols. In another embodiment, the device categorises the traffic by the type of payload transmitted: files, streaming audio and video, database access, online interaction, online games, etc. Finally, the classifier may determine when the traffic corresponds to well-known network protocols such as HTTP, SMTP, RTP, TDS, etc.

In a static system, once traffic has been classified, the classifier's decision is not revisited. An adaptive classification system may revise previously adopted decisions. A system that does not take the historical context into account may take a long time to classify traffic correctly. A system that incorporates the historical context can apply decisions already made to the same or similar connections. In one embodiment, connections are similar if they have the same identifying characteristics. These characteristics can be a hardware address, a network address or a range of network addresses, ports, transport-layer protocols, port ranges, etc. In another variant, similar connections are those established simultaneously or within a specified period of time.

In one variant, the method examines packets belonging to many of the same connections when identifying protocols in network traffic. This method can also periodically re-examine and re-evaluate protocol identifications already made for such connections (US 2009141634, H04L 12/56).

The disadvantage of the above solutions is that the historical context of client-server interaction is used to identify protocols on the basis of heuristic assumptions about the similarity of network packets and/or connections and by extrapolating decisions already taken for such packets and connections, while the identification problem itself is solved by already known approaches: matching the standard port numbers used by services and the correspondence between these ports and protocols; examining the payload, including by signature search or protocol description languages; learning-based methods, etc. The approach based on standard port numbers is simple and effective but not very reliable; examining the message payload imposes significant computational and time constraints on the identification mechanism. Methods based on learning and on recognising traffic by clustering are unsuitable for the task of identifying known protocols, and the languages used to describe network protocols in commercial recognition tools form an apparatus suited to signature recognition of individual communication protocols (often even based on port analysis), but not to checking the correctness of the interaction between client and server according to the protocol. Finally, formal description languages produce protocol definitions suitable for analysis, but such definitions are, in general, not applicable to the problem of identifying communication protocols in network traffic dumps.

The object of the invention is to provide a method of identifying network protocols on the basis of a description of client-server interaction, and a system for carrying out the method, in which, through the use of formal models of client-server interaction that incorporate analysis of such interaction, a unified representation of the network protocol is used to create descriptions of application-layer network protocols, and protocols are identified on the basis of a comprehensive analysis of the interaction between client and server according to this description. This improves the detection of network traffic patterns and the identification of Internet protocols, simplifies the process of producing the description of an application-layer protocol (which is then used for further traffic analysis and protocol identification), and reduces the number of errors in this description to a minimum.

The technical problem is solved by the fact that, in the method of identifying network protocols on the basis of a description of client-server interaction, which includes describing the known protocols of client-server interaction, collecting data on bidirectional network interaction between client and server, simultaneously identifying packets belonging to multiple sessions of bidirectional client-server interaction by the identified protocols, analysing the parameters and sequence of interaction of the client-server components, and identifying the network protocols according to which the client-server interaction is carried out, the description is made using a unified representation of the interaction of the client-server components, including a specialised language, automatic or semi-automatic software generation of descriptions of the interaction of the client-server components, and templates or blanks of typical scenarios of client-server interaction, with the ability to add descriptions of the interaction of the client-server components for new, previously unidentified protocols; the identification of further protocols is performed on the basis of the unified descriptions of client-server interaction recursively for each layer of the seven-layer OSI protocol model, so that the mechanisms of defragmentation, recovery, decompression, decryption and similar transformations are applied automatically after the protocol of each layer has been identified, after which the extracted data is passed on as a top-level packet for the subsequent identification of the overlying protocol.

In the system for identifying network protocols on the basis of a description of client-server interaction, which includes a module of descriptions of known protocols of client-server interaction, a module for collecting data on bidirectional network interaction between client and server, an analysis module, and a module for identifying the network protocols according to which the client-server interaction is carried out, the description module includes a translation block, which implements the ability to produce a binary representation of the network protocol descriptions, and an interaction block, made with the possibility of a unified representation of the interaction of the client-server components, including a specialised language, automatic or semi-automatic software generation of descriptions of the interaction of the client-server components, and templates or blanks of typical scenarios of client-server interaction, with the ability to add descriptions of the interaction of the client-server components for new, previously unidentified protocols.

In the proposed solution, the claimed technical result is ensured by the fact that the approach to protocol identification is based not on the analysis of individual messages in the network traffic but on a comprehensive analysis of the interaction between client and server according to the specified protocol. This way of describing the interaction between client and server, including the sequence of message exchange and the corresponding restrictions, is based on a unified representation of network protocols, which makes the implementation of the claimed method extensible both in terms of the set of identifiable protocols and in terms of dialects of these protocols and specific usage scenarios of network protocols by various services and programs. Moreover, the possibility of describing an arbitrary protocol (and subsequently analysing it according to this description) is strictly justified by a formal proof of the existence of a generalised mechanism for analysing the interaction between client and server.
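As an added illustration of the sequence-based identification described above (this is example code written for this page, not the patent's implementation or its description language), the following Python sketch matches each session's ordered client/server exchange against constructed handshake descriptions for SMTP, FTP and HTTP, processing packets from several interleaved sessions at once and ignoring port numbers entirely. The descriptions, session keys and payloads are all constructed for the example, and the per-layer recursive step of the patented method is not shown.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Protocol descriptions, constructed for this example: an ordered list of
# (sender, pattern) steps, where sender is "C" (client -> server) or
# "S" (server -> client) and pattern is a regex applied to the start of the
# message payload. Only the opening exchange of each protocol is described.
# SMTP and FTP both open with a server "220" line, so a single message cannot
# distinguish them; only the subsequent exchange can.
Step = Tuple[str, bytes]
DESCRIPTIONS: Dict[str, List[Step]] = {
    "SMTP": [("S", rb"^220 "), ("C", rb"^(EHLO|HELO) "), ("S", rb"^250[ -]")],
    "FTP":  [("S", rb"^220 "), ("C", rb"^USER "), ("S", rb"^331 ")],
    "HTTP": [("C", rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"),
             ("S", rb"^HTTP/1\.[01] \d{3} ")],
}


@dataclass
class SessionState:
    """Per-session identification state: every protocol description is a
    candidate until the observed exchange contradicts it."""
    # protocol name -> index of the next step that description expects
    candidates: Dict[str, int] = field(
        default_factory=lambda: {name: 0 for name in DESCRIPTIONS})
    result: Optional[str] = None  # set once a description has been completed

    def feed(self, sender: str, payload: bytes) -> Optional[str]:
        """Advance or eliminate every remaining candidate with one message."""
        if self.result is not None:
            return self.result
        for name in list(self.candidates):
            step = self.candidates[name]
            expected_sender, pattern = DESCRIPTIONS[name][step]
            if expected_sender == sender and re.match(pattern, payload):
                self.candidates[name] = step + 1
                if step + 1 == len(DESCRIPTIONS[name]):
                    self.result = name       # whole description observed
            else:
                del self.candidates[name]    # exchange contradicts description
        if self.result is None and not self.candidates:
            self.result = "UNKNOWN"          # no description fits this session
        return self.result

    def verdict(self) -> str:
        """Final answer, or the still-possible candidates if undecided."""
        if self.result is not None:
            return self.result
        return "UNDECIDED:" + ",".join(sorted(self.candidates))


# Session key: (client address, client port, server address, server port).
Key = Tuple[str, int, str, int]


def identify_sessions(capture: List[Tuple[Key, str, bytes]]) -> Dict[Key, str]:
    """Process an interleaved packet stream from many sessions at once and
    return the verdict reached for every session seen."""
    states: Dict[Key, SessionState] = {}
    for key, sender, payload in capture:
        states.setdefault(key, SessionState()).feed(sender, payload)
    return {key: state.verdict() for key, state in states.items()}


# Constructed capture: five sessions interleaved, all on non-standard server
# ports so that port-based guessing would not help.
SMTP_KEY: Key = ("10.0.0.5", 40001, "10.0.0.9", 2525)
FTP_KEY: Key = ("10.0.0.5", 40002, "10.0.0.9", 2121)
HTTP_KEY: Key = ("10.0.0.5", 40003, "10.0.0.9", 8080)
ODD_KEY: Key = ("10.0.0.5", 40004, "10.0.0.9", 2525)
LONE_KEY: Key = ("10.0.0.5", 40005, "10.0.0.9", 2121)
CAPTURE: List[Tuple[Key, str, bytes]] = [
    (SMTP_KEY, "S", b"220 mail.example.test ESMTP ready\r\n"),
    (FTP_KEY, "S", b"220 ftp.example.test FTP server ready\r\n"),
    (HTTP_KEY, "C", b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    (ODD_KEY, "S", b"220 greeting that looks like SMTP or FTP\r\n"),
    (LONE_KEY, "S", b"220 only one message was captured\r\n"),
    (SMTP_KEY, "C", b"EHLO client.example.test\r\n"),
    (FTP_KEY, "C", b"USER anonymous\r\n"),
    (HTTP_KEY, "S", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    (ODD_KEY, "C", b"\x00\x01\x02 not a known command\r\n"),  # contradicts both
    (SMTP_KEY, "S", b"250-mail.example.test Hello\r\n"),
    (FTP_KEY, "S", b"331 Please specify the password.\r\n"),
]

if __name__ == "__main__":
    for key, verdict in identify_sessions(CAPTURE).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {verdict}")
```

The session that saw only a "220" greeting stays undecided between SMTP and FTP, which is the point the description makes: the verdict comes from the exchange as a whole, not from any one message.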

These advantages improve the detection of network traffic patterns and the identification of Internet protocols. None of the known network traffic analysis tools uses such an approach.

The invention is illustrated by figure 1, which shows the system for identifying network protocols based on the description of client-server interaction.

The system for identifying network protocols based on the description of client-server interaction includes a module of descriptions of the client-server interaction of known protocols 1, a module 2 for collecting data on bidirectional network communication between the client and the server, an analysis module 3, and a module 4 for identifying the network protocols over which the client-server communication takes place. The description module 1 includes a translation block 5A, which produces the binary representation of the network protocol descriptions, and an interaction block 6, which provides a unified representation of the client-server interaction, including a specialized language, automatic or semi-automatic software generation of descriptions of the client-server interaction, and templates or blanks of typical client-server interaction scenarios, with the ability to add new descriptions of the client-server interaction for previously unidentified protocols. In another embodiment, the translation block is replaced by a description interpretation block 5B that is part of the analysis module. The specific technical implementation depends on the properties of the interaction description language: compiled or interpreted.

The system is implemented as a hardware unit (AK) which, to identify network protocols, is connected to the data bus either in a mode of listening to network traffic or as a network node relaying traffic between the transmitting and receiving parties.

The method for identifying network protocols based on the description of client-server interaction is carried out as follows.

Initially, a description of the client-server interaction of known protocols is produced using the interaction block 6 (link DEF between the user P and the description module 1 in the system diagram). The description is produced using a unified representation of the client-server interaction, including a specialized language, automatic or semi-automatic software generation of descriptions of the client-server interaction, and templates or blanks of typical client-server interaction scenarios, with the ability to add new descriptions of the client-server interaction for previously unidentified protocols. If the translation block 5A is present, it checks the description for syntax errors and assembles the binary representation of the client-server interaction description. The resulting binary representation image is supplied to the input of the analysis module. In the absence of the translation block, the description itself is supplied to the input of the analysis module (link SPEC in the system diagram).

Data on the bidirectional network communication between the client and the server is then collected (link RT between the network traffic source T and the data collection module 2 in the system diagram). The data collection module 2 performs the initial splitting of the traffic into packets, with optional filtering, and delivers the packets to the input of the analysis module in the order in which they were received from the network or in another order (link PACK between the data capture module 2 and the analysis module 3). In this way the analysis module 3 provides simultaneous processing of packets belonging to multiple sessions of bidirectional client-server communication over the identified protocols. The analysis module 3 parses the network packets in accordance with the protocol description interpreted by block 5B (or in accordance with the binary representation of that description, without interpretation), extracts the significant characteristics for all protocols to which the packet may belong, and determines the position of the network packet within the client-server session of each of those protocols. The characteristics for all protocols to which the packet may be attributed, together with the parameters of the current context of the client-server interaction over those protocols, are passed to the identification module 4 (link DATA in the system diagram).

The identification module 4 analyses the parameters and the sequence of the client-server interaction and identifies the network protocols over which the client-server communication takes place. Additional protocols are identified on the basis of the unified descriptions of client-server interaction recursively for each layer of the seven-layer OSI model; the mechanisms of defragmentation, recovery, decompression, decryption and similar transformations are applied automatically once the protocol of a given layer has been identified, after which the extracted data are passed as a packet of the next layer up for further analysis and identification of the overlying protocol (link PACK' in the system diagram). The identification module 4 stores the obtained results in an external database or transfers them for further processing (link RES between the identification module 4 and the database B in the system diagram).
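The recursive, layer-by-layer identification described above, as an added illustration that is not the patent's own code: each candidate protocol is an ordered client/server dialogue, interleaved sessions are tracked side by side, and once a layer is identified its transformation (here decompression) exposes the payload that is identified as the next layer up. The description format, the "FR" framing, the protocol names and the traffic are constructed stand-ins, since the page does not publish its description language.

```python
import zlib
from collections import defaultdict
# Constructed stand-in for the page's unified descriptions (its own language is not
# published): an ordered client/server dialogue of (direction, predicate) steps plus an
# 'unwrap' transformation applied once the layer is identified (here: strip a
# hypothetical "FR" header and decompress) so the inner payload is identified in turn.
PROTOCOLS = {
    "FRAMED-ZLIB": {"steps": [("c", lambda p: p[:2] == b"FR"), ("s", lambda p: p[:2] == b"FR")],
                    "unwrap": lambda p: zlib.decompress(p[2:])},
    "GREET": {"steps": [("c", lambda p: p.startswith(b"HELLO ")),
                        ("s", lambda p: p.startswith(b"WELCOME "))], "unwrap": None},
}
class Layer:  # identification state of one layer of one session; child handles the layer above
    def __init__(self):
        self.progress = {name: 0 for name in PROTOCOLS}  # candidate -> dialogue steps matched
        self.identified, self.pending, self.child = None, [], None
    def feed(self, direction, payload):
        packets = [(direction, payload)]
        if self.identified is None:
            self.pending += packets  # held back until this layer is known
            self._advance(direction, payload)
            if self.identified is None:
                return
            packets, self.pending = self.pending, []
        unwrap = PROTOCOLS[self.identified]["unwrap"]
        if unwrap is not None:  # recurse: transformed data are the upper layer's packets
            self.child = self.child or Layer()
            for d, p in packets:
                self.child.feed(d, unwrap(p))
    def _advance(self, direction, payload):
        for name in list(self.progress):
            steps = PROTOCOLS[name]["steps"]
            want_dir, predicate = steps[self.progress[name]]
            if want_dir == direction and predicate(payload):
                self.progress[name] += 1
                if self.progress[name] == len(steps):
                    self.identified = name
            else:
                del self.progress[name]  # dialogue diverged from this description
    def stack(self):  # identified protocols, lowest layer first
        return [] if self.identified is None else [self.identified] + (self.child.stack() if self.child else [])
def identify_sessions(packets):  # packets: (session_key, direction, payload) in capture order
    sessions = defaultdict(Layer)
    for key, direction, payload in packets:
        sessions[key].feed(direction, payload)
    return {key: layer.stack() for key, layer in sessions.items()}
def demo():  # constructed traffic: two interleaved sessions, A framed+compressed, B plain
    frame = lambda body: b"FR" + zlib.compress(body)
    return identify_sessions([("A", "c", frame(b"HELLO alice")), ("B", "c", b"HELLO bob"),
                              ("A", "s", frame(b"WELCOME alice")), ("B", "s", b"WELCOME bob")])
```

A session whose dialogue diverges from every description (wrong order of client and server messages, or unknown content) ends with an empty stack rather than a false match, which is the behaviour a detection component needs from this step.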

The results of identifying network protocols in traffic are most commonly used in the field of information security. In particular, the identification problem can be one of the subtasks of attack detection, as a component of automated intrusion detection systems. Including this component in an attack detection system makes it possible both to increase the accuracy of detection methods, based on the information about the protocol used, and to increase the adaptability of the attack detection system.

In addition, identifying application protocols in traffic can be used to identify and block unwanted traffic. Unwanted traffic may include traffic generated by malicious software (VPO), as well as traffic that contradicts the security policy adopted by the organization (for example, peer-to-peer or network gaming traffic). In this regard, the module for identifying Internet application protocols in traffic should work together with a firewall. Identification of Internet application protocols in traffic can also be used in billing systems for more accurate accounting of the types of traffic consumed by a user.

Prospects for the use of the method and system for identifying network protocols based on the description of client-server interaction include, besides the applications already mentioned, security analysis of network protocols on the basis of their descriptions, the search for hidden channels of information leakage in the fields of those protocols, the identification of unauthorized use of network protocols, including by malicious software, as well as profiling and anomaly detection for applications and network services on the Internet.

1. A method for identifying network protocols based on a description of client-server interaction, comprising describing the client-server interaction of known protocols, collecting data on bidirectional network communication between the client and the server, simultaneously identifying packets belonging to multiple sessions of bidirectional client-server communication over the identified protocols, analysing the parameters and the sequence of the client-server interaction, and identifying the network protocols over which the client-server communication takes place, characterized in that the description is produced using a unified representation of the client-server interaction, including a specialized language, automatic or semi-automatic software generation of descriptions of the client-server interaction, and templates or blanks of typical client-server interaction scenarios, with the ability to add new descriptions of the client-server interaction for previously unidentified protocols; additional protocols are identified on the basis of the unified descriptions of client-server interaction recursively for each layer of the seven-layer OSI model, and the mechanisms of defragmentation, recovery, decompression, decryption and similar transformations operate automatically after the protocol of each layer has been identified, after which the extracted data are passed as a packet of the next layer up for the subsequent identification of the overlying protocol.

2. A system for identifying network protocols based on a description of client-server interaction, including a module of descriptions of the client-server interaction of known protocols, a module for collecting data on bidirectional network communication between the client and the server, an analysis module, and a module for identifying the network protocols over which the client-server communication takes place, characterized in that the description module includes a translation block, which produces a binary representation of the network protocol descriptions, and an interaction block, which provides a unified representation of the client-server interaction, including a specialized language, automatic or semi-automatic software generation of descriptions of the client-server interaction, and templates or blanks of typical client-server interaction scenarios, with the ability to add new descriptions of the client-server interaction for previously unidentified protocols.
