CN100459579C - Method for detecting superlong signaling message based text code - Google Patents
Method for detecting superlong signaling message based text code Download PDFInfo
- Publication number
- CN100459579C CN100459579C CNB2005101208915A CN200510120891A CN100459579C CN 100459579 C CN100459579 C CN 100459579C CN B2005101208915 A CNB2005101208915 A CN B2005101208915A CN 200510120891 A CN200510120891 A CN 200510120891A CN 100459579 C CN100459579 C CN 100459579C
- Authority
- CN
- China
- Prior art keywords
- feature
- message
- separator
- overlength
- signaling message
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Based on text coding, the method for detecting message of ultra long signaling includes steps: (1) based on signaling protocol of text coding to construct function for identifying ultra long message; (2) using the identifying function to identify whether the received signaling message is a ultra long message or not; (3) if yes, filtering it out; otherwise, continuing other processes. The identifying function includes character interval table, which denotes allowed maximal interval between two character separators, and constraint relation table for character separators, which denotes whether two character separators are allowed to appear continuously and repeatedly. Being implemented by software or hardware, the method is in use for detecting ultra long message at network entry. Replacing or adjusting corresponding parameters in the said two tables, the method is suitable to all text typed signaling message. The method prevents attack and destruction from hijacker.
Description
Technical field
The present invention relates to network information treatment technology, be specifically related to a kind of detection method of the superlong signaling message based on text code.
Background technology
Continuous enhancing along with network integration trend, with the IMS (abbreviation of IP Multimedia Subsystem, refer to IP Multimedia System) for the next generation network technology of core bringing flexibly network service easily for people when, the safety problem of next generation network has become the emphasis of industry concern.The safety of network boundary is the basis of whole network security.Next generation network is the network of a fusion, support the user at any time, access everywhere, so security boundary is even more important.Because next generation network occurs than later, also there is not special next generation network intrusion detection instrument at present, especially at the detection of signaling message.In next generation network, session initiation protocol (below be abbreviated as SIP), MGCP (below be abbreviated as MGCP) and Session Description Protocol signaling protocols such as (following abbreviation SDP) all are based on text code, are easy to be subjected to the attack of abnormal data bag.In the abnormal data packet attack, the ultra-long data bag is the most frequently used method and notable attribute.The assailant sends a large amount of ultra-long data bags to the other side's server, its objective is and causes server parses mistake or buffering area to overflow, and causes server end a fatal error to occur, or occurs crashing or server such as restarts suddenly at symptom.Below the sample of overlength deformity message:
INVITE sip:bob@biloxi.com
SIP/2.0
000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000
Via:SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds
Max-Forwards:70
To:Bob<sip:bob@biloxi.com>
From:Alice<sip:alice@atlanta.com>;tag=1928301774
Call-ID:a84b4c76e66710@pc33.atlanta.com
CSeq:314159 INVITE
Contact:<sip:alice@pc33.atlanta.com>
Content-Type:application/sdp
Content-Length:142
Wherein, underscore partly is the overlength part of this signaling, undoubtedly, this overlength message signaling may cause network efficiency to reduce so that cisco unity malfunction after entering system, and the signaling message that arrives is effectively detected is the effective good recipe that stops this lopsided message invasion, prior art can't provide the technology of the overlength deformity message that stops this malice, brings many hidden danger for the limit safety of next generation network.
Summary of the invention
The technical problem to be solved in the present invention is, use the ultra-long data packet attack at the hacker, a kind of detection method of network superlong signaling message has been proposed, can effectively lopsided message be stoped outside the network limit, in other words, the objective of the invention is to, how to analyze on the basis of summing up ultra-long data bag feature, propose the overlength method of message in a kind of identification and the processing signaling message.
The above-mentioned technical problem of the present invention solves like this, constructs a kind of detection method of the superlong signaling message based on text code, may further comprise the steps:
A, reception signaling message, whether spacing or the neighbouring relations of judging two adjacent feature separators in the described signaling message conform to corresponding parameters in the overlength message recognition function, described overlength message recognition function generates based on the feature separator, and described parameter comprises the maximum spacing or the unallowed neighbouring relations of any two feature separators;
If B conforms to, judge that described signaling message is the overlength message;
C, described overlength packet filtering is handled.
In according to above-mentioned detection method provided by the invention, described overlength message recognition function is specially the feature pitch table, described feature pitch table comprises the maximum spacing of any two feature separators, steps A is specially: receive signaling message, whether the spacing of judging two adjacent feature separators in the described signaling message is greater than described maximum spacing.
In according to above-mentioned detection method provided by the invention, described overlength message recognition function is specially feature separator restriction relation table, described feature separator restriction relation table comprises any two unallowed neighbouring relations of feature separator, steps A is specially: receive signaling message, judge whether the neighbouring relations of two adjacent feature separators in the described signaling message are unallowed.
In according to above-mentioned detection method provided by the invention, described steps A and B are specially step B23, and described step B23 carries out following steps to each with the row that the new line symbol finishes:
B231) extract first a feature separator S1 of one's own profession and a feature separator S2 thereafter;
B232) on the feature separator S1 that has extracted, S2 basis, form five-tuple (S1, F1, D, S2, F2), wherein, F1 is first character immediately following this first feature separator S1; D is the feature pitch between two feature separator S1 and the S2; F2 is first character of closelying follow behind second feature separator S2;
B233) five-tuple (S1, F1, D, S2, F2) is carried out three detections: if whether the neighbouring relations that F1 is the feature separator detects S1 and F1 are to satisfy to belong to unallowed in the described feature separator restriction relation table; If F2 is the feature separator, the neighbouring relations that detect S2 and F2 whether be satisfy in the described feature separator restriction relation table unallowed; Whether the detected characteristics space D satisfies greater than S1 that stipulates in the described feature pitch table and the maximum spacing between the S2; If there is any one condition to satisfy in three detections, confirm that then this message is the overlength message and withdraws from, otherwise, execution in step B234);
B234) detect whether arrive this line endings, as not arriving this line endings, then with current feature separator S2 as S1, the next feature separator of extraction as S2, turn back to step B232); As arriving this line endings, then forward step B235 to);
B235) judge whether to finish detection in all row, then select next row as unfinished, forward step B231 to); Then withdraw from as finishing the interior detection of all row.
In according to above-mentioned detection method provided by the invention, comprise also before the described step B23 and detect step B22 in the ranks that the described step B22 that detects may further comprise the steps in the ranks:
B221) to each carries out following steps B222-B223 repeatedly with the text chunk of embarking on journey that the new line symbol finishes in the incoming signalling message, be overlength message or incoming signalling ENMES up to definite current message;
B222) produce the five-tuple (S1, F1, D, S2, F2) of text chunk like this, make the initial character of this section of style of writing of winning or the previous row new line symbol of other row text chunk be S1, immediately following first character behind the S1 is F1, first new line symbol of getting behind the S1 is S2, getting first character of closelying follow behind the S2 is F2, and the spacing between symbol S1 and the symbol S2 is D;
B223) above-mentioned five-tuple being detected S1 and F1, whether to satisfy F1 be the feature separator, and it is unallowed whether the neighbouring relations of judging S1 and F1 simultaneously belong to described feature separator restriction relation table; Detecting S2 and F2, whether to satisfy F2 be the feature separator, and it is unallowed whether the neighbouring relations of judging S2 and F2 simultaneously belong to described feature separator restriction relation table; Whether the detected characteristics space D satisfies greater than S1 that stipulates in the described feature pitch table and the maximum spacing between the S2; Satisfy if any any one, confirm that then this message is the overlength message and withdraws from; Otherwise, take off delegation's text chunk, enter step B222.
In according to above-mentioned detection method provided by the invention, between described step B22 and described step B23, also comprise step B224) as current incoming signalling ENMES and do not confirm as the overlength message, then be formed for pointing out the position of each row text chunk of incoming signalling message and the capable distributing position table of length, comprise message initial character, right by the finite sequence of forming with respect to the side-play amount and the new line symbol of distance between the previous row new line symbol.
In according to above-mentioned detection method provided by the invention, described feature separator comprise " (", ") ", "<", ">", " @ ", ", ", "; ", ": ", "/", " [", "] ", "=", " { ", " } ", SP, wherein SP is the space.。
Detection method according to the superlong signaling message based on text code provided by the invention can realize with software, also can make the porch that special-purpose hardware detection is placed on network and implement to detect.Utilize the present invention that superlong signaling message is effectively screened and filters, can prevent attack and the destruction of hacker, guarantee the normal operation of network service server; Simultaneously, method of the present invention is applicable to that the overlength of all text type signaling messages detects, to different text signaling protocols, only need feature pitch table and feature separator restriction relation table changed and adjust relevant parameters and get final product, to guaranteeing network security, be that the malicious attack of feature has very significant effect especially to resisting with the overlength message.
Description of drawings
Fig. 1 is a principle logic diagram of realizing detection method of the present invention;
Fig. 2 is the schematic flow sheet that utilizes the inventive method that superlong signaling message is detected;
Fig. 3 is the schematic flow sheet that utilizes the inventive method to detect in the ranks;
Fig. 4 is the schematic flow sheet that utilizes the inventive method to detect in going;
Embodiment
As shown in Figure 1, detection method of the present invention is the detection that realizes based on the overlength deformity signaling message of text code, comprise filter engine 1, data contingency table 2, feature pitch table 3 and feature separator restriction relation table 4 four processes, message detects and can realize by program or block, also can realize or the realization of part hardware realization subprogram section by hardware unit, be used in the network boundary place, the signaling message that enters network is filtered, the signaling message that only meets the demands just can pass through, and promptly filters out superlong signaling message.Wherein, filter engine 1 receives incoming signalling message 5, form data contingency table 2, data contingency table 2 and feature pitch table 3, separator restriction relation table 4 are compared, whether make is the judgement of overlength message, if the overlength message abandons it, only output no longer comprises the signaling message 6 of overlength message.
The present invention is based on the detection of feature pitch to an aspect of the detection of overlength message data, promptly judges two length between the feature separator, corresponding to the feature pitch table 3 among Fig. 1.The present invention is based on the detection whether the feature separator allows the restriction relation that links to each other to another aspect of the detection of overlength message data, promptly judge between two adjacent feature separators whether be allowed to, the basis whether regulation allows the feature separator to link to each other is the feature separator restriction relation table 4 among Fig. 1.
Be applicable to all detections according to method of the present invention based on the overlength message of the signaling message appearance of text code, as long as according to concrete agreement, redefine in the feature pitch table 3 in length value between the separator and the feature separator restriction relation table 4 and forbid that the restriction relation that links to each other gets final product.
More particularly, in the present invention, superlong signaling message is for based on the signaling message of text code, and each signaling message generally is made up of one or several message field, the length of each message field all has a scope, and the signaling message that surpasses this scope is called superlong signaling message.In the present invention, character representation be the vestige whether certain entity or processing procedure (writing as agreement, virus, file, program) exist, comprise some byte streams and each other logical relation.Feature comprises byte feature and logical implication, is the base unit of characteristic matching.In the present invention, the feature separator is meant the separator that is used for judging message field length, and in superlong signaling message detected, we were that feature pitch is as the basis of detecting with the distance between the feature separator.Here Ding Yi feature separator comprises: " ("/") "/"<"/">"/" @ "/", "/"; "/": "/DQUOTE/"/"/" ["/"] "/"="/" { "/" } "/SP/CR/LF.After the definition of feature separator of identification superlong signaling message has been arranged, feature pitch being defined as the distance that allows between the feature separator, is that the present invention judges the whether foundation of overlength of signaling message.
Below, be example with session initiation protocol (English is Session Initiation Protocol, below is abbreviated as SIP), the feature pitch correspondence table that goes out as shown in table 1 is illustrated.
Table 1 session initiation protocol feature pitch correspondence table
| 1 | SP | : | @ | / | CR | LF | ; | = | < | > | “ | ” | , | …… | |
| 1 | 8 | 256 | |||||||||||||
| SP | 20 | 63 | 32 | 11 | 20 | 63 | 20 | 20 | |||||||
| : | 63 | 20 | 63 | 63 | |||||||||||
| @ | 63 | 63 | 63 | 63 | 63 | 63 | 63 | ||||||||
| / | 3 | 6 | 10 | ||||||||||||
| CR | 0 | ||||||||||||||
| LF | 19 | 256 | |||||||||||||
| ; | |||||||||||||||
| = | 40 | 20 | 10 | 20 | |||||||||||
| < | 4 | ||||||||||||||
| > | |||||||||||||||
| “ | 10 | 20 | 63 | ||||||||||||
| “ | |||||||||||||||
| , | |||||||||||||||
| …… |
His-and-hers watches 1 are described as follows:
1) first character of signaling message is represented in " 1 " in the table.
2) the feature separator of not using in the session initiation protocol is represented in " ... " in the table.
3) be the spacing size of unit with the byte between two the significant interval mansions of numeric representation in the table, adopt laterally judgement for each separator in the table, as the second line space lattice (SP), each separator is illustrated in first feature separator that the space occurs later, digital then represent possible maximum length between space and this separator, long measure is a byte, if there is not numeral to occur, represent not contact between two feature separators, can be used as to keep and use.
4) (English is: Media Gateway Control Protocol MGCP for MGCP, be abbreviated as MGCP), Session Description Protocol (English is Session DescriptionProtocol, be abbreviated as SDP) wait other signaling message based on text code, only need to adjust feature pitch and get final product according to agreement separately.
The present invention is based on feature separator restriction relation table to another aspect of the detection of overlength message data, corresponding to the feature separator restriction relation table 4 among Fig. 1.It detects principle is such, generally speaking, in based on the signaling message of text code, only allow a few feature separator can continuously or repeat (as colon space, branch space, comma space, a left side, space angle brackets, space double quotation marks and space, space etc.), if continuous two or more feature separator in signaling message, occurred, then can think a kind of long packets equally.Following table 2 has provided the restriction relation between the feature separator in the session initiation protocol.
The feature separator restriction relation table of table 2 session initiation protocol
| 0x20 | : | @ | / | CR | LF | ; | = | < | > | “ | ” | , | …… | |
| 0x20 | × | × | × | × | × | × | ||||||||
| : | × | × | × | × | × | × | × | × | × | × | ||||
| @ | × | × | × | × | × | × | × | × | × | × | × | |||
| / | × | × | × | × | × | × | ||||||||
| CR | × | × | × | × | × | × | × | × | × | × | × | × | ||
| LF | × | × | × | × | × | × | × | × | × | × | × | × | ||
| ; | × | × | × | × | × | × | × | × | × | |||||
| = | × | × | × | × | × | × | × | × | × | × | ||||
| < | × | × | × | × | × | × | ||||||||
| > | × | × | × | × | × | |||||||||
| “ | × | × | × | × | × | × | ||||||||
| ” | × | × | × | × | ||||||||||
| , | × | × | × | × | × | × | × | × | ||||||
| …… |
His-and-hers watches 2 are described as follows:
1) " ... " represents the feature separator of not using in the session initiation protocol.
2) exist restriction relation not occur continuously between two feature separators of " * " expression.
3) (English is: Media Gateway Control Protocol MGCP for MGCP, be abbreviated as MGCP), Session Description Protocol (English is Session DescriptionProtocol, be abbreviated as SDP) wait other signaling data newspaper based on text code, only need the basis restriction relation between the agreement adjustment feature separator separately.
After the feature pitch table having been arranged and having separated the feature constraint relation table, the overlength message that we just can directly carry out the incoming signalling message has detected.Its process is simply described as follows:
To any one the feature separator in the text of receiving, whether the character that detects its direct adjacency is the feature list separator, if feature separator, judge then whether two feature separators belong to the situation that does not allow adjacency in the feature separator restriction relation table, if illustrate that then detecting current text is the overlength message; To any one the feature separator in the text of receiving, detect the maximum spacing whether another nearest feature distance separating with interval exceeds feature pitch table regulation, if illustrate that then detecting current text is the overlength message.
For realizing fast detecting to the incoming signalling message, method of the present invention has been utilized a five-tuple as the data association (S1, F1, D, S2, F2), this five-tuple can be 1 pair of filter engine input packet, 5 pretreated results among Fig. 1, is the whether basis of overlength of quick judgment data bag.Each element in the five-tuple is described below:
S1: first feature separator of extraction.
F1: first character that first feature separator is closelyed follow.
D: the length between two feature separators is feature pitch.
S2: second feature separator of closelying follow behind first feature separator.
F2: first character of closelying follow behind second feature separator.
In conjunction with Fig. 1, filter engine 1 is the core that realizes that the overlength message detects, its effect comprises: 1) each signaling message that enters network is analyzed, extracted feature separator wherein, convert the signaling message of importing to five-tuple set (S1, F1, D, S2, F2); 2) five-tuple set (S1, F1, D, S2, F2) is detected the supertext that whether belongs to feature pitch table regulation; 3) five-tuple set (S1, F1, D, S2, F2) is detected the overlength message that whether belongs to feature separator restriction relation table regulation, at this moment, if S1, F1 are all the feature separator or S2, F2 are all the feature separator, and belong to feature separator restriction relation table and forbid situation about linking to each other, then current detection to message belong to the overlength message.Just stop to detect if find to belong to the overlength message, filter out this packet.
Each five-tuple (S1, F1, D, S2, F2) that forms according to the incoming signalling message is carried out following detection: whether satisfy forbid situation about linking to each other in the feature separator restriction relation table if being feature separator and S1 with F1 as F1; Whether satisfy forbid situation about linking to each other in the feature separator restriction relation table if being feature separator and S2 with f2 as F2; Whether feature pitch D satisfies the S1 that defines in the feature pitch table and the feature pitch between the S2.Satisfy overlength message condition if any any point, then filter out this message.
As above-mentioned, the five-tuple of any text chunk (S1, F1, D1, S2, F2) has three test points, detects three somes during detection simultaneously, if the condition that has any to satisfy the overlength message just thinks that text section contains the overlength message, can filter out it.Above-mentioned detection based on five-tuple is also to be applicable to detection in the ranks and the interior detection of row that utilizes the inventive method hereinafter to introduce.
Utilize the detection of method of the present invention to superlong signaling message, can adopt and detect and go the interior detection method that combines that detects in the ranks, that is, whether the length of at first judging every row in the signaling message as shown in Figure 2 is in normal range (NR), as long as have delegation not satisfy, promptly filter out this message; If satisfy every provisional capital, can generate a capable distributing position table, instruct and go interior detection, judge whether the feature pitch between interior each feature separator of every row meets the demands.
In conjunction with Fig. 2, see whole testing process, at frame 201 beginning incoming signalling messages, between frame 202 begin columns, detect, 203 pairs of frames in the ranks testing result judge, if belong to the overlength message, then in frame 204 with its filtration; Otherwise at frame 205, generate the line position distribution table, start in the row and detect; Testing result is judged in 206 pairs of row of frame, if belong to the overlength message, at frame 207 with its filtration; Otherwise sell the decision that signaling message passes through at frame 208.
For the testing process in the ranks of explanation frame 202, with reference to figure 3.In the ranks detect is to accord with according to new line judging whether every length in the ranks satisfies condition.Can feature separator (being new line) be transformed into five-tuple (S1, F1 here by the filter engine among Fig. 11, D, S2, F2) in, the five-tuple (S1 that provides according to embodiment 2 then, F1, D, S2, F2) principle of 3 detections is judged, if do not belong to the overlength message, carry out the detection of next line; Otherwise, think to stop this signaling message overlength detection it is filtered out.From Fig. 3 of specifically providing testing process in the ranks as seen, in frame 301, the incoming signalling message in frame 302, extracts first character and first new line symbol thereafter from the signaling message of input, constitutes a delegation that accords with end with new line; In frame 303 its mapping (also can think express or preliminary treatment for) is become a five-tuple (S1, F1, D, S2, F2), whether in frame 304, detecting three test points in this five-tuple has and satisfies the overlength message; If have, in frame 305, stop to detect, lose this message; Otherwise detect whether arrive message trailer at frame 306,, in frame 307, form row distributing position table, be used for starting in the row and detect if arrived the message end; If also do not arrive the message end, second new line and the next new line of extracting in the five-tuple at frame 308 accord with, and forward frame 303 to.All after in the ranks detection is finished, can generate a line position distribution table, as shown in table 3, this table can be used as the basis of detecting in the row.
Table 3 line position distribution table
| First character of message | Side-play amount n1 | The new line symbol | Side-play amount n2 | The new line symbol | …… | The new line symbol |
His-and-hers watches 3 are simply described as follows, side-play amount is with respect to the shift length between the new line symbol of front, in other words, so-called line position distribution table, be used to point out the position and the length of each row text chunk of incoming signalling message, specifically comprise message initial character, right by the finite sequence of forming with respect to the side-play amount and the new line symbol of distance between the previous row new line symbol (character).For example, if a message has 9 row, the length of line position distribution table is 19, is respectively: initial character, n1, CR, n2, CR, n3 ..., n9, CR.Wherein CR is the new line symbol.The process that forms the line position distribution table is actually the process of counting.
In the embodiment shown in Figure 2, frame 205 is pointed out, on the basis of detecting that frame 202 is pointed out, utilizes the capable interior detection of the line position distribution table shown in the table 3 in the ranks.Its principle is the same with detection in the ranks, extract two adjacent feature separators and be mapped to five-tuple, judge according to the detection principle of five-tuple then, if do not belong to the overlength message, carry out the intercharacter detection of further feature in the one's own profession, otherwise, think to stop this signaling message overlength detecting and this packet filtering being fallen.If detection all satisfies condition in all row, think that then this signaling message is qualified, system allows this signaling message to pass through.Fig. 4 has provided the detailed process that detects in the row corresponding to Fig. 2 frame 205.In frame 401, select and extract a row according to the line position distribution table; In frame 402, extract first feature separator S1 of one's own profession and second feature separator S2 thereafter; In frame 403, be that a corresponding data formation five-tuple (S1, F1, D, S2, F2) is extracted on the basis with feature separator S1 and S2; In frame 404, this five-tuple is implemented three detections, as the condition that has any one to satisfy the overlength message in three detections, then enter frame 405 and abandon this message and withdraw from detection; All belong to normal message as three detections, then enter frame 406, judge whether the one's own profession end; If arrived the one's own profession end, then in frame 407, judge whether to finish in all row and detect, detect as not finishing in all row, then enter the detection of frame 409 beginning remaining row and turn back to frame 402; Detect as judging to have finished in all row in frame 407, then making this message in frame 410 is not the overlength message, allows it normally pass through; As in frame 406, detect and do not arrive the one's own profession end, then forward frame 408 to, at frame 408 with second feature separator of current five-tuple as S1 with extract the next feature separator of one's own profession as S2, and forward frame 403 to, continue to detect.
In the present embodiment, in the ranks detecting is to accord with the behavior unit that finishes with new line to detect; Detecting in the row that carries out after in the ranks detecting is to detect in the delegation, and whether the text chunk between two feature separators belongs to supertext.Both can be on different aspects, and it is possible to detect the institute that belongs to supertext.
Detection in the ranks shown in Figure 3 can be directly carried out detecting in the row shown in Figure 4 and not carrying out, under the most situations, the supertext in the input text can be in time detected equally.
Present embodiment is a modulate expression implementing network superlong signaling message detection method of the present invention, in conjunction with Fig. 1, filter engine unit 1 be used for the incoming signalling message each the row and each the row in, change, leave each five-tuple (S1, F1, D, S2, F2) after the conversion in five-tuple unit 2; Filter engine unit 1 also be used for detecting in the ranks and go in detect link and judge whether five-tuple satisfies the situation that belongs to the overlength message that feature pitch table 3 and feature separator restriction relation table 4 are stipulated, if belong to the overlength message, then filter the text signaling that belongs to the overlength message; Then export the text signaling that does not belong to the overlength message as not belonging to the overlength message, continue to handle.Wherein, feature pitch table 3 is used to deposit between any two feature separators the maximum spacing that allows, and feature separator restriction relation table 4 is used to deposit whether any two feature separators allow to repeat continuously; In the five-tuple unit 2, S1 is first feature separator that extracts from text chunk, and F1 is first character immediately following this first feature separator; D is two feature pitch between the feature separator; S2 is second feature separator of closelying follow behind first feature separator; F2 is first character of closelying follow behind second feature separator.
The present invention is directed to signaling protocol, proposed to utilize the overlength field to detect the method and apparatus of the malicious attack of lopsided message, can be used for various signaling protocol based on text code based on text code.The above embodiment of the present invention only is exemplary illustration statement and non-limiting statement.Those of ordinary skills may carry out certain to the embodiment of the invention and change according to enlightenment of the present invention and instruction, but the protection range that this distortion and change still limit for the application's claims.
Claims (7)
1, a kind of detection method of the superlong signaling message based on text code is characterized in that, may further comprise the steps:
A, reception signaling message, whether spacing or the neighbouring relations of judging two adjacent feature separators in the described signaling message conform to corresponding parameters in the overlength message recognition function, described overlength message recognition function generates based on the feature separator, and described parameter comprises the maximum spacing or the unallowed neighbouring relations of any two feature separators;
If B conforms to, judge that described signaling message is the overlength message;
C, described overlength packet filtering is handled.
2, according to the described method of claim 1, it is characterized in that, described overlength message recognition function is specially the feature pitch table, described feature pitch table comprises the maximum spacing of any two feature separators, steps A is specially: receive signaling message, whether the spacing of judging two adjacent feature separators in the described signaling message is greater than described maximum spacing.
3, according to claim 1 or 2 described methods, it is characterized in that, described overlength message recognition function is specially feature separator restriction relation table, described feature separator restriction relation table comprises any two unallowed neighbouring relations of feature separator, steps A is specially: receive signaling message, judge whether the neighbouring relations of two adjacent feature separators in the described signaling message are unallowed.
According to the described method of claim 3, it is characterized in that 4, described steps A and B are specially step B23, described step B23 carries out following steps to each with the row that the new line symbol finishes:
B231) extract first a feature separator S1 of one's own profession and a feature separator S2 thereafter;
B232) on the feature separator S1 that has extracted, S2 basis, form five-tuple (S1, F1, D, S2, F2), wherein, F1 is first character immediately following this first feature separator S1; D is the feature pitch between two feature separator S1 and the S2; F2 is first character of closelying follow behind second feature separator S2; B233) five-tuple (S1, F1, D, S2, F2) is carried out three detections: if whether the neighbouring relations that F1 is the feature separator detects S1 and F1 are unallowed in the described feature separator restriction relation table; If F2 is the feature separator, whether the neighbouring relations that detect S2 and F2 are unallowed in the described feature separator restriction relation table; Whether the detected characteristics space D satisfies greater than S1 that stipulates in the described feature pitch table and the maximum spacing between the S2; If there is any one condition to satisfy in three detections, confirm that then this message is the overlength message and withdraws from, otherwise, execution in step B234);
B234) detect whether arrive this line endings, as not arriving this line endings, then with current feature separator S2 as S1, the next feature separator of extraction as S2, turn back to step B232); As arriving this line endings, then forward step B235 to);
B235) judge whether to finish detection in all row, then select next row as unfinished, forward step B231 to); Then withdraw from as finishing the interior detection of all row.
According to the described method of claim 4, it is characterized in that 5, also comprise before the described step B23 and detect step B22 in the ranks, the described step B22 that detects may further comprise the steps in the ranks:
B221) to each carries out following steps B222-B223 repeatedly with the text chunk of embarking on journey that the new line symbol finishes in the incoming signalling message, be overlength message or incoming signalling ENMES up to definite current message;
B222) produce the five-tuple (S1, F1, D, S2, F2) of text chunk like this, make the initial character of this section of style of writing of winning or the previous row new line symbol of other row text chunk be S1, immediately following first character behind the S1 is F1, first new line symbol of getting behind the S1 is S2, getting first character of closelying follow behind the S2 is F2, and the spacing between symbol S1 and the symbol S2 is D;
B223) above-mentioned five-tuple being detected S1 and F1, whether to satisfy F1 be the feature separator, and it is unallowed whether the neighbouring relations of judging S1 and F1 simultaneously belong to described feature separator restriction relation table; Detecting S2 and F2, whether to satisfy F2 be the feature separator, and it is unallowed whether the neighbouring relations of judging S2 and F2 simultaneously belong to described feature separator restriction relation table; Whether the detected characteristics space D satisfies greater than S1 that stipulates in the described feature pitch table and the maximum spacing between the S2; Satisfy if any any one, confirm that then this message is the overlength message and withdraws from; Otherwise, take off delegation's text chunk, enter step B222.
6, according to the described method of claim 5, it is characterized in that, between described step B22 and described step B23, also comprise step B224) as current incoming signalling ENMES and do not confirm as the overlength message, then be formed for pointing out the position of each row text chunk of incoming signalling message and the capable distributing position table of length, comprise message initial character, right by the finite sequence of forming with respect to the side-play amount and the new line symbol of distance between the previous row new line symbol.
7, according to the described method of claim 1, it is characterized in that, described feature separator comprise " (", ") ", "<", ">", " @ ", ", ", "; ", ": ", "/", " [", "] ", "=", " { ", " } ", SP, wherein SP is the space.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2005101208915A CN100459579C (en) | 2005-12-15 | 2005-12-15 | Method for detecting superlong signaling message based text code |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2005101208915A CN100459579C (en) | 2005-12-15 | 2005-12-15 | Method for detecting superlong signaling message based text code |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1852245A CN1852245A (en) | 2006-10-25 |
| CN100459579C true CN100459579C (en) | 2009-02-04 |
Family
ID=37133714
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2005101208915A Expired - Fee Related CN100459579C (en) | 2005-12-15 | 2005-12-15 | Method for detecting superlong signaling message based text code |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100459579C (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101374115B (en) * | 2008-09-28 | 2010-12-22 | 北京鼎实创新科技有限公司 | Rapid discriminating multiport control method based on PROFIBUS packet |
| US8867837B2 (en) | 2010-07-30 | 2014-10-21 | Hewlett-Packard Development Company, L.P. | Detecting separator lines in a web page |
| CN102821100B (en) * | 2012-07-25 | 2014-10-29 | 河南省信息中心 | Method for realizing streaming file system based on security gateway of network application layer |
| CN113890904B (en) * | 2021-09-27 | 2023-10-27 | 新华三信息安全技术有限公司 | Method, device, computer equipment and storage medium for message analysis |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1529248A (en) * | 2003-10-20 | 2004-09-15 | 北京启明星辰信息技术有限公司 | Network invasion related event detecting method and system |
| US20050097357A1 (en) * | 2003-10-29 | 2005-05-05 | Smith Michael R. | Method and apparatus for providing network security using security labeling |
| CN1633123A (en) * | 2004-12-03 | 2005-06-29 | 北京北方烽火科技有限公司 | Method of one-way short message pick-up based on MAP layer protocol |
| CN1677933A (en) * | 2004-04-01 | 2005-10-05 | 华为技术有限公司 | Method for controlling protocol message attack |
-
2005
- 2005-12-15 CN CNB2005101208915A patent/CN100459579C/en not_active Expired - Fee Related
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1529248A (en) * | 2003-10-20 | 2004-09-15 | 北京启明星辰信息技术有限公司 | Network invasion related event detecting method and system |
| US20050097357A1 (en) * | 2003-10-29 | 2005-05-05 | Smith Michael R. | Method and apparatus for providing network security using security labeling |
| CN1677933A (en) * | 2004-04-01 | 2005-10-05 | 华为技术有限公司 | Method for controlling protocol message attack |
| CN1633123A (en) * | 2004-12-03 | 2005-06-29 | 北京北方烽火科技有限公司 | Method of one-way short message pick-up based on MAP layer protocol |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1852245A (en) | 2006-10-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP5320458B2 (en) | Attack protection for packet-based networks | |
| CN100459579C (en) | Method for detecting superlong signaling message based text code | |
| KR101088852B1 (en) | System for detecting toll fraud attack for internet telephone and method for the same | |
| CN101730903B (en) | Multi-dimensional reputation scoring | |
| US7835352B2 (en) | Method, system and equipment for processing SIP requests in IMS network | |
| CN101730904A (en) | Related and the analysis of entity attribute | |
| US9083556B2 (en) | System and method for detectng malicious mail from spam zombies | |
| CN102420723A (en) | Anomaly detection method for various kinds of intrusion | |
| CN101567815A (en) | Method for effectively detecting and defending domain name server (DNS) amplification attacks | |
| WO2016008778A1 (en) | Method for detecting an attack in a communication network | |
| CN112769833B (en) | Method and device for detecting command injection attack, computer equipment and storage medium | |
| CN109302421A (en) | Application system security prevention policies optimization method and device | |
| US11683323B2 (en) | Method and device for authenticating a message transmitted via a bus | |
| CN112422567B (en) | Network intrusion detection method oriented to large flow | |
| CN110958233A (en) | Encryption type malicious flow detection system and method based on deep learning | |
| CN103856487A (en) | Method and system for protecting authorization DNS | |
| WO2007057267A1 (en) | Method, detection device and server device for evaluation of an incoming communication to a communication device | |
| CN104021348B (en) | Real-time detection method and system of dormant P2P (Peer to Peer) programs | |
| Hajamydeen et al. | A detailed description on unsupervised heterogeneous anomaly based intrusion detection framework | |
| CN110309645A (en) | A kind of couple of API carries out the method, apparatus and system of security protection | |
| CN112448919A (en) | Network anomaly detection method, device and system and computer readable storage medium | |
| CN112565259B (en) | Method and device for filtering DNS tunnel Trojan communication data | |
| KR101004376B1 (en) | SPF System for Blocking Spam and Method of Querying in VoIP | |
| KR102406421B1 (en) | Explainable advanced persistent threat detect system and method using multiple machine learning | |
| RU82356U1 (en) | INTELLECTUAL PROPERTY TRANSFER CONTROL SYSTEM ON THE INTERNET |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20090204 Termination date: 20191215 |