Search

CN-121309493-B - SAP application flow automatic identification method and system

CN121309493BCN 121309493 BCN121309493 BCN 121309493BCN-121309493-B

Abstract

The invention provides an SAP application flow automatic identification method and system, and belongs to the field of network communication and intelligent flow identification. The method comprises the steps of obtaining communication flow data, extracting basic information, carrying out SAP preliminary analysis, carrying out application layer analysis on candidate SAP application flows which meet preset characteristics, judging whether the SAP communication mode is met, confirming the SAP application flows if the SAP application flows are met, extracting key characteristics capable of reflecting the SAP application flows based on application layer analysis results, matching the key characteristics with SAP characteristics with scene information, confirming an environment scene based on matching rules, calculating identification scores and credibility of the matching results, generating standardized labels of the SAP application flows in the current environment scene when the threshold is met, fusing the standardized labels with the communication modes in the current environment scene, and outputting automatic identification results of the SAP application flows. The invention supports non-standard port and cross-environment identification, and improves the identification efficiency and the identification accuracy.

Inventors

  • Hai Wanxue
  • LI JINGJING

Assignees

  • 北京网深科技有限公司

Dates

Publication Date
20260508
Application Date
20250924

Claims (9)

  1. 1. An automatic SAP application traffic identification method, comprising the steps of: step S1, acquiring real and complete communication flow data which can be used for subsequent analysis, and extracting basic information of the communication flow data; Step S2, performing SAP preliminary analysis on communication flow data according to the extracted basic information, and taking the communication flow data as candidate SAP application flow which accords with preset characteristics, wherein the preset characteristics at least comprise port number characteristics, wherein the port number characteristics comprise a port number which is an SAP standard port, an SAP extended non-standard port and a user-defined port; step S3, carrying out application layer analysis on the candidate SAP application flow to judge whether the SAP communication mode is met, if so, confirming the SAP application flow, and if not, canceling the candidate qualification, wherein the SAP communication mode at least comprises a preset identification basis in an encryption scene, and the preset identification basis in the encryption scene comprises a message time sequence characteristic, certificate information, an SNI domain name and an application handshake mode; step S4, extracting key features capable of reflecting SAP application flow based on an application layer analysis result; step S5, matching the key features with SAP features with scene information built in on the basis of matching rules, confirming an environment scene to which the current SAP application flow belongs on the basis of environment expansion features in the key features, calculating an identification score of a matching result on the basis of the matching rules, and calculating the credibility, wherein the corresponding environment scene comprises an Internet of things environment and a metauniverse scene; Step S6, judging whether the identification score and the credibility reach a threshold value, if so, generating a standardized label of SAP application flow in the current environment scene according to the key characteristics, entering step S7, and if not, updating the matching rule, and entering step S5; and S7, fusing the standardized label with the communication mode in the current environment scene, and outputting an SAP application flow automatic identification result.
  2. 2. The method according to claim 1, characterized in that in step S1 the traffic is captured in real time by capturing network data packets at an IoT gateway, an edge computing node of an industrial site, a virtual network probe or a cloud platform monitoring point through a mirror port, a bypass probe or a virtual switch interface.
  3. 3. The method of claim 1, wherein the predetermined features of step S2 further comprise transport layer features including features that conform to SAP application traffic attributes.
  4. 4. The method of claim 1, wherein the determining of the SAP communication mode in step S3 further comprises a protocol type in an unencrypted scenario, wherein the protocol type in the unencrypted scenario comprises a RFC protocol for remote function calls, a DIAG protocol for interactions between SAPGUI and an application server, a SAPRouter protocol based on a routing and forwarding mechanism, and an HTTP/HTTPS protocol based on a Web SAPNETWEAVER or WebGUI interface.
  5. 5. The method according to claim 1, wherein the key features in step S4 include SAP semantic features and environmental expansion features; the SAP semantic features comprise SAP system identifications SAPSID, transaction codes TCode and remote function call names ABAPFunction, and the environment expansion features comprise expansion features preset in any environment scene.
  6. 6. The method according to claim 1, wherein in step S5, when the key feature is matched with the SAP feature with the scene information embedded therein, the matching rule includes an embedded protocol fingerprint library and a regular expression rule.
  7. 7. The method according to claim 1, wherein the recognition result in step S7 includes standardized tags and communication modes under different environmental scenarios.
  8. 8. The method of claim 7, wherein the communication mode in the scene of the Internet of things is equipment startup, parameter issuing, state acquisition and closing, and the communication mode in the scene of the meta space is virtual user login, menu navigation, operation interaction and session exit.
  9. 9. An SAP application flow automatic identification system is characterized by comprising a memory and a processor; The memory and the processor are communicatively connected to each other, the memory stores computer instructions, and the processor executes the computer instructions to perform the SAP application flow automatic identification method according to any one of claims 1 to 8.

Description

SAP application flow automatic identification method and system Technical Field The invention belongs to the field of network communication and intelligent flow identification, and particularly relates to an SAP application flow automatic identification method and system. Background The Siepu (System Applications and Products, SAP) system is a set of integrated management software which is developed by German SAP company and covers the whole business process of enterprises, is a global leading enterprise resource planning (ENTERPRISE RESOURCE PLANNING, ERP) software, and realizes the digital coordination of the core business processes such as finance, supply chain, production, manpower resource and the like through integrated management. With the wide application of industrial internet and internet of things, SAP system has become a core business support platform for industries such as manufacturing, energy, traffic, finance, etc. In IIoT and meta-universe scenarios, the SAP system is not only accessed through a traditional data center, but also interacts with edge devices, intelligent terminals, virtual digital twin systems, and the like. Therefore, it is also becoming increasingly important to accurately identify SAP application traffic and secure SAP traffic in network communications. In the prior art, the identification of the SAP application flow is generally carried out through protocol identification, including standard port number identification or shallow layer feature identification, but the identification method cannot accurately identify the SAP flow when the identification method is used for communication of a non-standard port, an encryption channel or an over-internet of things (IoT)/virtual environment, has low identification precision, and is difficult to meet the requirements of industrial internet security, intelligent operation and maintenance and meta-universe application asset management. Disclosure of Invention In view of the above-mentioned drawbacks or shortcomings in the prior art, the present invention aims to provide a method and a system for automatically identifying SAP application flow, which are based on network security, internet of things application identification and artificial intelligence flow analysis, and automatically identify SAP system communication flow in industrial internet of things and metauniverse virtual environments by deeply analyzing network flow characteristics and combining machine learning models and behavior pattern modeling, thereby improving accuracy and precision of SAP application flow identification, further ensuring safety and use of SAP flow, and being particularly suitable for internet of things and metauniverse interaction environments. In order to achieve the above purpose, the embodiment of the present invention adopts the following technical scheme: in a first aspect, an embodiment of the present invention provides a method for automatically identifying SAP application traffic, where the method includes the following steps: step S1, acquiring real and complete communication flow data which can be used for subsequent analysis, and extracting basic information of the communication flow data; step S2, performing SAP preliminary analysis on the communication flow data according to the extracted basic information, and using the communication flow data as candidate SAP application flow meeting preset characteristics; Step S3, carrying out application layer analysis on the candidate SAP application flow, judging whether the SAP communication mode is met, if so, confirming the SAP application flow, and if not, canceling the candidate qualification; step S4, extracting key features capable of reflecting SAP application flow based on an application layer analysis result; Step S5, matching the key features with the SAP features with scene information, and confirming the environment scene of the current SAP application flow based on the environment expansion features in the key features, and calculating the identification score of the matching result and the credibility based on the matching rules; Step S6, judging whether the identification score and the credibility reach a threshold value, if so, generating a standardized label of SAP application flow in the current environment scene according to the key characteristics, entering step S7, and if not, updating the matching rule, and entering step S5; and S7, fusing the standardized label with the communication mode in the current environment scene, and outputting an SAP application flow automatic identification result. As a preferred embodiment of the present invention, the traffic in step S1 is captured in real time by capturing network data packets at an IoT gateway, an edge computing node of an industrial site, a virtual network probe, or a cloud platform monitoring point through a mirror port, a bypass probe, or a virtual switch interface. As a preferred embodiment of the present invention, the p