CN104253786B - A deep packet inspection method based on regular expressions - Google Patents


Info

Publication number: CN104253786B
Authority: CN (China)
Prior art keywords: packet, level, subset, intrusion behavior, data table
Legal status: Active (Google's assumption, not a legal conclusion)
Application number: CN201310256991.5A
Other languages: Chinese (zh)
Other versions: CN104253786A (en)
Inventors: 苏长君, 郑曙光
Current assignee: BEIJING SAPLING TECHNOLOGY Co Ltd (as listed by Google, not legally verified)
Original assignee: BEIJING SAPLING TECHNOLOGY Co Ltd
Priority date / filing date: 2013-06-26
Publication dates: 2014-12-31 (CN104253786A, application), 2017-07-07 (CN104253786B, grant)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
Abstract

A deep packet inspection method based on regular expressions uses two-stage pattern matching to avoid the problem that an excessive number of patterns makes the regular expressions complicated and matching inefficient. In addition, a packet is not acted on immediately when it is judged to match; it is processed only once it has been confirmed that intrusion behaviour has really occurred, which avoids false reports of intrusion and keeps communication stable and orderly. With the above technique the security identification of packets yields more accurate and faster results, the identification flow is greatly optimised, and the method is easier to implement on existing equipment.

Description

A deep packet inspection method based on regular expressions
Technical field
The present invention relates to the field of communication technology, and in particular to a method of deep packet inspection.
Background technology
Traditional network security detection analysed the structured header of a packet. As networks have developed, however, much of the information that matters, such as viruses, malicious code, intrusion commands and spam, is hidden in the packet content. Security detection therefore now inspects the packet content in addition to the packet header.
Deep packet inspection (DPI) is an application-layer traffic detection and control technology. When IP packets, or TCP or UDP data flows, pass through a bandwidth management system based on DPI, the system reads the content of the IP payload in depth and reassembles the application-layer information of the OSI seven-layer model, so as to obtain the content of the whole application session, and then shapes the traffic according to the management policy defined by the system. The deep packet inspection method is based on this principle: it performs various network security checks by detecting the fixed signature strings used by each application protocol.
Using DPI technology brings the following benefits:
A) Detection accuracy is higher than with methods based on ports or traffic patterns, and a change of port does not affect the detection rate.
B) Most popular applications can be detected.
C) It is suited to accurate detection of traffic.
The inventors found that, when DPI technology is actually deployed, the prior art has at least the following drawbacks:
A) Emerging and encrypted applications cannot be identified, so detections are missed.
B) Protocol analysis and signature discovery require a large investment of manpower and time.
C) Signatures of encrypted protocols are hard to obtain.
D) The choice of signatures has a significant impact on detection performance.
E) The detection module of the system has to be upgraded from time to time.
F) Inspecting application-layer content raises privacy concerns.
G) The processing capacity required of the inspection device is high.
The content of the invention
The invention provides a deep packet inspection method based on regular expressions, comprising:
Step 202: build a set of feature patterns for the characteristics of the various intrusion behaviours, and divide this feature pattern set into m level-1 subsets. Each level-1 subset is characterised by one level-1 regular expression, which recognises the common trait of the intrusion behaviours in that subset. Save the correspondence between the level-1 subsets and the level-1 regular expressions in a level-1 data table.
Step 204: subdivide each of the m subsets internally. Characterise the feature of each intrusion behaviour within the subset by a level-2 regular expression, and set a corresponding handling measure for each feature. Save the correspondence between the level-2 regular expression, the level-1 subset it belongs to, the intrusion behaviour and the handling measure for that intrusion behaviour in a level-2 data table.
Step 206: receive a message, perform DPI processing on it, and pattern-match the payload of the message against the level-1 regular expressions.
Step 208: if there is no match, return to step 206. If there is a match, look up the level-1 data table to obtain the level-1 subset corresponding to the matched level-1 regular expression, and go to step 210.
Step 210: look up in the level-2 data table the level-2 regular expressions corresponding to the level-1 subset obtained from the match, and pattern-match against them. If there is no match, return to step 206. If there is a match, look up the level-2 data table to obtain the intrusion behaviour corresponding to the matched level-2 regular expression, and go to step 212.
Step 212: only receive and store packets, pausing their forwarding. Over a fixed period of time, count the number of packets in which intrusion behaviour is detected and the total number of packets received, and judge whether the ratio of intrusion packets to total packets exceeds a first threshold. If so, the intrusion behaviour is confirmed; go to step 214. If not, go to step 216.
Step 214: look up the handling measure for the intrusion behaviour in the level-2 data table, process the packets with that measure, and end packet detection.
Step 216: forward the stored packets, resume forwarding of packets, and return to step 206 to continue detecting packets.
In the present invention, two-stage pattern matching avoids the problem that too many patterns make the regular expressions complicated and matching inefficient. Moreover, packets are not acted on immediately after a match is judged; they are processed only once it is confirmed that intrusion behaviour has really occurred, which avoids false reports of intrusion and keeps communication stable and orderly. With the above technique the security identification of packets yields more accurate and faster results, the identification flow is greatly optimised, and the method is easier to implement on existing equipment.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below.
Evidently, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an implementation of the present invention.
Specific embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below through specific embodiments and the related drawings.
Embodiment one
Embodiment one of the present invention provides a deep packet inspection method based on regular expressions, comprising:
Step 202: build a set of feature patterns for the characteristics of the various intrusion behaviours, and divide this feature pattern set into m level-1 subsets. Each level-1 subset is characterised by one level-1 regular expression, which recognises the common trait of the intrusion behaviours in that subset. Save the correspondence between the level-1 subsets and the level-1 regular expressions in a level-1 data table.
Step 204: subdivide each of the m subsets internally. Characterise the feature of each intrusion behaviour within the subset by a level-2 regular expression, and set a corresponding handling measure for each feature. Save the correspondence between the level-2 regular expression, the level-1 subset it belongs to, the intrusion behaviour and the handling measure for that intrusion behaviour in a level-2 data table.
Step 206: receive a message, perform DPI processing on it, and pattern-match the payload of the message against the level-1 regular expressions.
Step 208: if there is no match, return to step 206. If there is a match, look up the level-1 data table to obtain the level-1 subset corresponding to the matched level-1 regular expression, and go to step 210.
Step 210: look up in the level-2 data table the level-2 regular expressions corresponding to the level-1 subset obtained from the match, and pattern-match against them. If there is no match, return to step 206. If there is a match, look up the level-2 data table to obtain the intrusion behaviour corresponding to the matched level-2 regular expression, and go to step 212.
Step 212: for the packets received from this point on, only store and inspect them, pausing their forwarding. Over a certain period of time, count the number of packets in which intrusion behaviour is detected and the total number of packets received, and judge whether the ratio of intrusion packets to total packets exceeds a first threshold. If so, the intrusion behaviour is confirmed; go to step 214. If not, go to step 216.
Step 214: look up the handling measure for the intrusion behaviour in the level-2 data table, process the packets with that measure, and end packet detection.
Step 216: forward the stored packets, resume forwarding of packets, and return to step 206 to continue detecting packets.
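The two-stage matching and the hold-and-count confirmation of steps 202 to 216, as laid out in the summary above and repeated in this embodiment, as an added Python example; it is not part of the patent and not the assignee's implementation. The regex tables, the sample HTTP requests, the threshold of 0.5 and the one-second window are all constructed for illustration: the patent fixes none of these values, and it does not say whether the counting window is kept per flow or per device, so a single packet stream is assumed.

```python
"""Two-stage regular-expression DPI with a hold-and-count confirmation window.
Hypothetical implementation of steps 202-216; patterns and traffic are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Step 202: one coarse regex per level-1 subset (constructed, not the patent's signatures).
LEVEL1_TABLE = {
    "http": re.compile(rb"^(?:GET|POST) /\S* HTTP/1\.[01]"),
    "shell": re.compile(rb"/bin/(?:ba)?sh"),
}

# Step 204: fine regexes per subset -> (intrusion behaviour, handling measure).
LEVEL2_TABLE = {
    "http": [
        (re.compile(rb"(?:\.\./){2,}"), "path traversal", "drop"),
        (re.compile(rb"(?i)union\s+(?:all\s+)?select"), "sql injection", "drop"),
    ],
    "shell": [
        (re.compile(rb"\bnc\b.*\s-e\s"), "reverse shell", "reset"),
    ],
}


@dataclass
class Verdict:
    action: str                       # "forward", "hold", or a handling measure
    intrusion: Optional[str] = None
    released: list = field(default_factory=list)  # buffered payloads forwarded on release


def classify(payload: bytes, level1=LEVEL1_TABLE, level2=LEVEL2_TABLE):
    """Steps 206-210: a coarse match selects the subset, a fine match names the intrusion.
    Returns (subset, intrusion, measure) or None; only the level-2 regexes of the
    selected subset are evaluated, which is the efficiency argument of the method."""
    for subset, coarse in level1.items():
        if coarse.search(payload):
            for fine, intrusion, measure in level2[subset]:
                if fine.search(payload):
                    return subset, intrusion, measure
    return None


class TwoStageDPI:
    """Steps 212-216: pause forwarding after a hit and confirm by ratio before acting."""

    def __init__(self, threshold: float, window: float):
        self.threshold = threshold    # the "first threshold" on the intrusion ratio (assumed 0.5)
        self.window = window          # counting period in seconds (assumed 1.0)
        self._reset()

    def _reset(self):
        self.holding = False
        self.buffer = []
        self.window_start = None
        self.total = 0
        self.hits = 0
        self.pending = None           # (intrusion, measure) recorded at the first hit

    def process(self, ts: float, payload: bytes) -> Verdict:
        hit = classify(payload)
        if not self.holding:
            if hit is None:
                return Verdict("forward")          # step 208: no match, next packet
            self.holding = True                     # step 212: first hit pauses forwarding
            self.window_start = ts
            self.pending = (hit[1], hit[2])
            self.buffer = [payload]
            self.total, self.hits = 1, 1
            return Verdict("hold", hit[1])
        self.buffer.append(payload)                 # holding: store, inspect, count
        self.total += 1
        if hit is not None:
            self.hits += 1
        if ts - self.window_start < self.window:
            return Verdict("hold", self.pending[0])
        intrusion, measure = self.pending
        if self.hits / self.total > self.threshold:
            self._reset()                           # step 214: confirmed, apply the measure
            return Verdict(measure, intrusion)
        released = self.buffer                      # step 216: release and resume forwarding
        self._reset()
        return Verdict("forward", None, released)


def run(packets, threshold=0.5, window=1.0):
    """Feed (timestamp, payload) pairs through one engine and return the verdicts."""
    engine = TwoStageDPI(threshold, window)
    return [engine.process(ts, p) for ts, p in packets]


# Constructed sample traffic: a burst of traversal attempts is confirmed, while a
# single stray hit among benign requests is released once the window closes.
ATTACK_BURST = [
    (0.0, b"GET /../../etc/passwd HTTP/1.1\r\nHost: a\r\n\r\n"),
    (0.2, b"GET /../../../etc/shadow HTTP/1.1\r\nHost: a\r\n\r\n"),
    (0.4, b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n"),
    (1.1, b"GET /../../boot.ini HTTP/1.0\r\nHost: a\r\n\r\n"),
]
FALSE_ALARM = [
    (0.0, b"GET /../../etc/passwd HTTP/1.1\r\nHost: a\r\n\r\n"),
    (0.3, b"GET /a HTTP/1.1\r\nHost: a\r\n\r\n"),
    (0.6, b"GET /b HTTP/1.1\r\nHost: a\r\n\r\n"),
    (1.2, b"GET /c HTTP/1.1\r\nHost: a\r\n\r\n"),
]

if __name__ == "__main__":
    for name, trace in (("attack burst", ATTACK_BURST), ("false alarm", FALSE_ALARM)):
        print(name, [v.action for v in run(trace)])
```

A miss costs one coarse scan per level-1 subset, and only a coarse hit pays for the fine regexes of that subset. While the engine is holding, every packet of the stream is buffered until the window closes, so the window length is also the latency a released false alarm imposes on legitimate traffic; a deployment has to size the window and the buffer with that in mind.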
A person of ordinary skill in the art will appreciate that all or part of the flow of the method of the above embodiment can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, can include the flow of each of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The objects, technical solutions and advantages of the present invention have been further described in detail by the preferred embodiments above. It should be understood that the foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent substitution, improvement and so on made within the spirit and principles of the invention should be included within its scope.

Claims (1)

1. A deep packet inspection method based on regular expressions, comprising:
Step 202: build a set of feature patterns for the characteristics of the various intrusion behaviours, and divide this feature pattern set into m level-1 subsets. Each level-1 subset is characterised by one level-1 regular expression, which recognises the common trait of the intrusion behaviours in that subset. Save the correspondence between the level-1 subsets and the level-1 regular expressions in a level-1 data table.
Step 204: subdivide each of the m subsets internally. Characterise the feature of each intrusion behaviour within the subset by a level-2 regular expression, and set a corresponding handling measure for each feature. Save the correspondence between the level-2 regular expression, the level-1 subset it belongs to, the intrusion behaviour and the handling measure for that intrusion behaviour in a level-2 data table.
Step 206: receive a message, perform DPI processing on it, and pattern-match the payload of the message against the level-1 regular expressions.
Step 208: if there is no match, return to step 206. If there is a match, look up the level-1 data table to obtain the level-1 subset corresponding to the matched level-1 regular expression, and go to step 210.
Step 210: look up in the level-2 data table the level-2 regular expressions corresponding to the level-1 subset obtained from the match, and pattern-match against them. If there is no match, return to step 206. If there is a match, look up the level-2 data table to obtain the intrusion behaviour corresponding to the matched level-2 regular expression, and go to step 212.
Step 212: only receive and store packets, pausing their forwarding. Over a certain period of time, count the number of packets in which intrusion behaviour is detected and the total number of packets received, and judge whether the ratio of intrusion packets to total packets exceeds a first threshold. If so, the intrusion behaviour is confirmed; go to step 214. If not, go to step 216.
Step 214: look up the handling measure for the intrusion behaviour in the level-2 data table, process the packets with that measure, and end packet detection.
Step 216: forward the stored packets, resume forwarding of packets, and return to step 206 to continue detecting packets.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status
CN201310256991.5A (CN104253786B) | 2013-06-26 | 2013-06-26 | A deep packet inspection method based on regular expressions | Active

Publications (2)

Publication Number | Publication Date
CN104253786A (en) | 2014-12-31
CN104253786B (en), granted | 2017-07-07

Family

ID=52188330
Family application: CN201310256991.5A, priority 2013-06-26, filed 2013-06-26, Active, published as CN104253786B (en)
Country status: CN (1), CN104253786B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106487771B (en) * 2015-09-01 2020-07-24 阿里巴巴集团控股有限公司 Network behavior acquisition method and device
CN106911637A (en) * 2015-12-23 2017-06-30 北京奇虎科技有限公司 Cyberthreat treating method and apparatus
CN106911640A (en) * 2015-12-23 2017-06-30 北京奇虎科技有限公司 Cyberthreat treating method and apparatus

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1679264A (en) * 2002-08-12 2005-10-05 哈里公司 Wireless local on metropolitan area network with intrusion detection features and related methods
CN101360088A (en) * 2007-07-30 2009-02-04 华为技术有限公司 Regular expression compiling, matching system and compiling, matching method
CN101656634A (en) * 2008-12-31 2010-02-24 暨南大学 Intrusion detection system and method based on IPv6 network environment
CN101887498A (en) * 2010-06-30 2010-11-17 南京邮电大学 Virus checking method based on immune algorithm in mixed peer-to-peer network
CN103136473A (en) * 2011-11-29 2013-06-05 姚纪卫 Method and device used for detecting computer viruses

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7784094B2 (en) * 2005-06-30 2010-08-24 Intel Corporation Stateful packet content matching mechanisms


Also Published As

Publication number Publication date
CN104253786A (en) 2014-12-31


Legal Events

Code | Title | Description
C06 / PB01 | Publication
C10 / SE01 | Entry into substantive examination | Entry into force of request for substantive examination
CB02 | Change of applicant information
  Address before: 100084, B-604, Building 2, No. 1 Nongda South Road, Haidian District, Beijing
  Applicant before: BEIJING SAPLING TECHNOLOGY Co.,Ltd.
  Address after: 100094, third floor, Zhongxing Building, Building 15, Zhongguancun Software Park Phase II, Haidian District, Beijing
  Applicant after: BEIJING SAPLING TECHNOLOGY Co.,Ltd.
GR01 | Patent grant
EE01 | Entry into force of recordation of patent licensing contract
  Application publication date: 20141231
  Granted publication date: 20170707
  Denomination of invention: A Deep Packet Detection Method Based on Regular Expressions
  Assignor: BEIJING SAPLING TECHNOLOGY Co.,Ltd.
  Assignee: CHINA TECHNOLOGY EXCHANGE Co.,Ltd.
  Contract record no.: X2023110000029
  License type: Exclusive License
  Record date: 20230317
PE01 | Entry into force of the registration of the contract for pledge of patent right
  Granted publication date: 20170707
  Denomination of invention: A Deep Packet Detection Method Based on Regular Expressions
  Pledgor: BEIJING SAPLING TECHNOLOGY Co.,Ltd.
  Pledgee: CHINA TECHNOLOGY EXCHANGE Co.,Ltd.
  Registration number: Y2023110000115
  Effective date of registration: 20230323