CN106657104A - Matching method and device of protection strategies - Google Patents
Publication number: CN106657104A (application number CN201611252950.9A)
Authority: CN (China)
Prior art keywords: default, bit string, message, matched, characteristic value
Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L63/306—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
Abstract
The invention provides a matching method and device for protection policies. The method comprises: when a message to be protected is received, parsing it to obtain at least one feature value to be matched; matching each of the at least one feature value to be matched against the preset feature list whose feature value type is the same as that of the respective feature value, so as to obtain the policy bit strings respectively corresponding to the at least one feature value to be matched, wherein each feature value recorded in each preset feature list corresponds to one policy bit string and each bit of a policy bit string corresponds to one preset protection policy; performing an AND operation on the policy bit strings respectively corresponding to the at least one feature value to be matched to obtain a target bit string; and determining, based on the target bit string, whether the message to be protected is successfully matched with the preset protection policies. With the matching method and device provided by the embodiments of the invention, the problem of the long time consumed by the matching process for protection policies is solved.
Description
Technical field
The present invention relates to the field of network communication technology, and in particular to a matching method and device for protection policies.
Background technology
Generally, administrators preset protection policies on a protection device according to their requirements, and the protection device then protects messages to be protected on the basis of the preset protection policies.
In the prior art, the protection device extracts at least one feature value to be matched from the message to be protected and matches that feature value against each preset protection policy in turn. When there are hundreds or thousands of preset protection policies, the protection device has to match the at least one feature value to be matched against hundreds of preset protection policies one by one, and the matching process is time-consuming.
The content of the invention
In view of this, the present invention provides a matching method and device for protection policies, so as to solve the problem that the matching process for protection policies is time-consuming when the number of protection policies to be matched is large.
To achieve the above object, the present invention provides the following technical solution:
According to a first aspect of the invention, a matching method for protection policies is proposed, the method comprising:
when a message to be protected is received, parsing the message to be protected to obtain at least one feature value to be matched;
matching each feature value to be matched in the at least one feature value to be matched against the preset feature list whose feature value type is the same as that of the respective feature value, so as to obtain the policy bit string corresponding to each of the at least one feature value to be matched, wherein each feature value recorded in each preset feature list corresponds to one policy bit string, and each bit of the policy bit string corresponds to one preset protection policy;
performing an AND operation on the policy bit strings respectively corresponding to the at least one feature value to be matched to obtain a target bit string;
determining, based on the target bit string, whether the message to be protected is successfully matched with the preset protection policies.
According to a second aspect of the invention, a matching device for protection policies is proposed, comprising:
a feature value parsing module, for parsing a message to be protected, when it is received, to obtain at least one feature value to be matched;
a feature value matching module, for matching each feature value to be matched in the at least one feature value to be matched obtained by the feature value parsing module against the preset feature list whose feature value type is the same as that of the respective feature value, to obtain the policy bit string corresponding to each of the at least one feature value to be matched, wherein each feature value recorded in each preset feature list corresponds to one policy bit string and each bit of the policy bit string corresponds to one preset protection policy;
an AND operation module, for performing an AND operation on the policy bit strings respectively corresponding to the at least one feature value to be matched in the feature value matching module, to obtain a target bit string;
a protection policy determining module, for determining, based on the target bit string obtained by the AND operation module, whether the message to be protected is successfully matched with the preset protection policies.
It can be seen from the above technical solution that the protection device matches each feature value to be matched, parsed from the message to be protected, against the preset feature list of the same feature value type, obtains the policy bit string corresponding to each feature value to be matched, and determines from the AND result of those policy bit strings whether the message to be protected is successfully matched with the preset protection policies. This eliminates the process in which the protection device matches the at least one feature value parsed from the message to be protected against hundreds of preset protection policies one by one. Because the number of feature values to be matched is small compared with hundreds of preset protection policies, and matching each feature value against the preset feature list of the same type takes little time, the problem of the time-consuming matching process for protection policies is solved.
Description of the drawings
Fig. 1 is a flow chart of an embodiment of the matching method for protection policies provided by the present invention;
Fig. 2 is a flow chart of another embodiment of the matching method for protection policies provided by the present invention;
Fig. 3 is a hardware structure diagram of a protection device provided by the present invention;
Fig. 4 is a block diagram of an embodiment of the matching device for protection policies provided by the present invention;
Fig. 5 is a block diagram of another embodiment of the matching device for protection policies provided by the present invention.
Specific embodiment
Exemplary embodiments will be described in detail here, examples of which are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; rather, they are merely examples of apparatus and methods consistent with some aspects of the invention as detailed in the appended claims.
The terminology used in the present invention is for the purpose of describing particular embodiments only and is not intended to limit the invention. The singular forms "a", "the" and "said" used in the present invention and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present invention to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the invention, first information may also be referred to as second information, and similarly second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
The embodiments of the present invention can be applied to a protection device, that is, a network security device that protects messages to be protected. Those skilled in the art will understand that applying the embodiments to a protection device is only an exemplary illustration and does not limit the invention. Generally, the protection device stores at least one preset feature list, and the feature value types recorded by the different preset feature lists differ; the feature value types include message length, protocol, source port, destination port, Transmission Control Protocol (TCP) Flag marks, Internet Control Message Protocol (ICMP) Type, ICMP Code, and so on. Each feature value recorded in each preset feature list corresponds to one policy bit string, and the length of the policy bit string is determined by the number of preset protection policies. The preset protection policies are set in advance by the administrator and are the policy information against which the feature values to be matched of a message to be protected are matched; a preset protection policy is, for example, source port 80 plus protocol number 6. If the number of preset protection policies is, for example, 32, the length of the policy bit string is 32, and each bit of the policy bit string corresponds to one preset protection policy.
When the protection device receives a message to be protected, it parses the message to obtain at least one feature value to be matched; the feature values to be matched include message length, protocol number, source port information, destination port information, TCP Flag marks, ICMP Type value, ICMP Code value, and so on, and messages to be protected of different message types yield different feature values to be matched. The protection device matches each of the at least one feature value to be matched against the preset feature list of the same feature value type, obtains the policy bit string corresponding to each feature value to be matched, performs an AND operation on the policy bit strings obtained by matching, and takes the result of the operation as the target bit string; based on the target bit string, the protection device determines whether the message to be protected is successfully matched with the preset protection policies. Specifically, taking the case in which the message to be protected is a User Datagram Protocol (UDP) message and the at least one feature value to be matched is protocol number 17, source port 83, destination port 53 and message length 66 bytes as an example, the protection device matches protocol number 17, source port 83, destination port 53 and message length 66 bytes against the preset feature lists that record protocol numbers, source port information, destination port information and message lengths respectively, obtains the policy bit strings corresponding to protocol number 17, source port 83, destination port 53 and message length 66 bytes, performs an AND operation on the policy bit strings obtained by matching to obtain a target bit string, and determines from the target bit string whether the UDP message is successfully matched with the preset protection policies. How the protection device determines from the target bit string whether the message to be protected is successfully matched with the preset protection policies is described in the steps shown in Fig. 1 below and is not elaborated here.
By means of the embodiments of the present invention, when the number of preset protection policies is in the hundreds or thousands, the protection device matches each feature value to be matched parsed from the message to be protected against the preset feature list of the same feature value type, obtains the policy bit string corresponding to each feature value to be matched, and determines from the AND result of those policy bit strings whether the message to be protected is successfully matched with the preset protection policies. This eliminates the process in which the protection device matches the at least one feature value parsed from the message to be protected against hundreds of preset protection policies one by one, and thus solves the problem of the time-consuming matching process for protection policies.
To further describe the present invention, the following embodiments are provided:
Fig. 1 is a flow chart of an embodiment of the matching method for protection policies provided by the present invention. As shown in Fig. 1, it comprises the following steps:
Step 101: when a message to be protected is received, parse the message to be protected to obtain at least one feature value to be matched.
Step 102: match each feature value to be matched in the at least one feature value to be matched against the preset feature list whose feature value type is the same as that of the respective feature value, to obtain the policy bit string corresponding to each of the at least one feature value to be matched, wherein each feature value recorded in each preset feature list corresponds to one policy bit string and each bit of the policy bit string corresponds to one preset protection policy.
Step 103: perform an AND operation on the policy bit strings respectively corresponding to the at least one feature value to be matched to obtain a target bit string.
Step 104: based on the target bit string, determine whether the message to be protected is successfully matched with the preset protection policies.
Optionally, step 105 (not shown) may also be performed before step 101.
Step 105: determine at least one preset feature list to be matched based on the message type of the message to be protected, and then, based on the feature value types of the feature values recorded in the determined at least one preset feature list, perform in step 101 the parsing of the message to be protected to obtain the at least one feature value to be matched.
In step 101, in one embodiment, the message types of the message to be protected include TCP messages, UDP messages, ICMP messages, and so on; the feature value types of the feature values to be matched include message length, protocol, source port, destination port, TCP Flag marks, ICMP Type, ICMP Code, and so on. Those skilled in the art will understand that the feature value types parsed from messages to be protected of different message types differ. For example, when the message to be protected is a TCP message, the protection device parses from the TCP message the protocol number, TCP Flag marks, source port information, destination port information and message length; when the message to be protected is an ICMP message, the protection device parses from the ICMP message the protocol number, ICMP Type value, ICMP Code value and message length; when the message to be protected is a UDP message, the protection device parses from the UDP message the protocol number, source port information, destination port information and message length. Taking a UDP message as the message to be protected as an example, the protection device parses from the UDP message protocol number 17, source port 83, destination port 53 and message length 66 bytes.
In step 102, in one embodiment, the protection device stores at least one preset feature list; the preset feature lists are preset by the administrator, the feature value types recorded by the different preset feature lists differ, and the feature value types include message length, protocol, source port, destination port, TCP Flag marks, ICMP Type, ICMP Code, and so on. Commonly, the preset feature list that records message lengths can store message lengths of 0 to 2048 bytes; the preset feature list that records protocol numbers can store different protocol number values, such as 1 (the ICMP protocol number), 6 (the TCP protocol number), 17 (the UDP protocol number) and so on; the preset feature list that records source port information can store source port information 0 to 65536; the preset feature list that records destination port information can store destination port information 0 to 65536; the preset feature list that records ICMP Type values can store ICMP Type values 0 to 18; and the preset feature list that records ICMP Code values can store ICMP Code values 0 to 15. It should be noted that, for the preset feature list that records TCP Flag marks, each letter of the TCP Flag marks (URG, ACK, PSH, RST, SYN, FIN) can be defined to have three states, X, 0 and 1, where X means "0" or "1". Specifically, if the administrator configures the TCP Flag mark as "X100XX", then the eight TCP Flag marks "010000", "010001", "010010", "010011", "110000", "110001", "110010" and "110011" are all successfully matched with "X100XX". Table 1 illustrates the structure of the preset feature list that records source port information:
Table 1
| 0 | 1 | 2 | ...... | 53 | ...... | 80 | 81 | ...... | 65536 |
In Table 1, the preset feature list records source port information 0 to 65536; because of limited space, the three "......" in Table 1 stand for source port information 3 to 52, 54 to 79 and 82 to 65535 respectively, which are omitted here. Those skilled in the art will understand that the range 0 to 65536 of source port information recorded in the preset feature list is not limiting, and the specific range is configured by the administrator as needed. The preset feature lists that record message lengths, protocol numbers, destination port information, ICMP Type values, ICMP Code values and TCP Flag marks have structures similar to that of the preset feature list recording source port information shown in Table 1, and are not illustrated individually here.
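The three-state TCP Flag pattern described above ("X100XX" over URG, ACK, PSH, RST, SYN, FIN), as an added example that is not part of the patent text: it compiles a pattern into a mask/value pair, tests it against a TCP flags byte, and enumerates the concrete flag strings the pattern covers. It assumes the six letters in that order map onto bits 5..0 of the standard TCP flags field.

```python
# Added example (not from the patent): three-state TCP Flag patterns for the
# preset TCP Flag feature list, where each of the six positions
# (URG, ACK, PSH, RST, SYN, FIN) is '0', '1' or 'X' (don't care).
from itertools import product
from typing import List, Tuple

FLAG_ORDER = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")
# Standard TCP flag bit values; in this order they are bits 5..0 of the flags
# byte, so a six-character pattern maps left-to-right onto those bits
# (assumption about how the device encodes the flag string).
FLAG_BITS = (0x20, 0x10, 0x08, 0x04, 0x02, 0x01)


def compile_pattern(pattern: str) -> Tuple[int, int]:
    """Turn e.g. 'X100XX' into a (mask, value) pair: mask has a 1 where the
    pattern cares, value holds the required bit at those positions."""
    if len(pattern) != len(FLAG_ORDER):
        raise ValueError(f"pattern must have {len(FLAG_ORDER)} characters")
    mask = value = 0
    for ch, bit in zip(pattern, FLAG_BITS):
        if ch == "X":
            continue
        if ch not in "01":
            raise ValueError(f"bad character {ch!r} in pattern")
        mask |= bit
        if ch == "1":
            value |= bit
    return mask, value


def flags_match(pattern: str, flags_byte: int) -> bool:
    """True if the six flag bits of a TCP flags byte satisfy the pattern.
    CWR/ECE (0x80/0x40) lie outside the six-letter pattern and are ignored."""
    mask, value = compile_pattern(pattern)
    return (flags_byte & mask) == value


def expand_pattern(pattern: str) -> List[str]:
    """Enumerate every concrete six-character flag string the pattern covers
    (the description lists eight of them for 'X100XX')."""
    choices = [("0", "1") if ch == "X" else (ch,) for ch in pattern]
    return ["".join(p) for p in product(*choices)]


def flags_to_string(flags_byte: int) -> str:
    """Render a flags byte as the six-character URG..FIN string."""
    return "".join("1" if flags_byte & bit else "0" for bit in FLAG_BITS)


if __name__ == "__main__":
    print(expand_pattern("X100XX"))
    print(flags_to_string(0x12), flags_match("X100XX", 0x12))  # SYN+ACK
```

The mask/value form is how such a pattern is evaluated in one operation per packet instead of comparing against each of the expanded strings.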
In addition, each feature value recorded in each preset feature list corresponds to one policy bit string, and each bit of the policy bit string corresponds to one preset protection policy. Generally, a "0" in a policy bit string indicates that no protection policy is configured and a "1" indicates that a protection policy is configured. It should be noted that feature values not used by a protection policy are marked with "1"; an unused feature value is a feature value that the administrator did not take into account when setting the policy. Taking a preset protection policy consisting of source port 80 plus protocol number 6 as an example, the unused feature values are destination port information, message length and TCP Flag marks. Those skilled in the art will understand that the purpose of also marking unused feature values with "1" in a protection policy is that, when the policy bit strings corresponding to the at least one feature value to be matched are ANDed, the unused feature values do not affect the result of the AND operation. Because of limited space, the correspondence between policy bit strings and preset protection policies is illustrated with the example of an administrator presetting four protection policies:
Policy 1: source port 80 + protocol number 6;
Policy 2: source port 81;
Policy 3: destination port 53 + protocol number 17 + message length greater than 64 bytes and less than 70 bytes;
Policy 4: source port 80 + message length 80 bytes.
Policy 1, policy 2, policy 3 and policy 4 above are four preset protection policies, so the policy bit string is 4 bits long, i.e. 0000, and the four "0" bits of the policy bit string "0000" correspond one to one to policy 1, policy 2, policy 3 and policy 4. Here the order from right to left is taken as an example, with "0000" corresponding to policy 1, policy 2, policy 3 and policy 4 respectively. Those skilled in the art will understand that the correspondence between policy 1 to policy 4 and the policy bit string "0000" could also be from left to right or unordered; the specific way in which each bit of the policy bit string corresponds to a preset protection policy is not limited here. Specifically, for policy 1 (source port 80 + protocol number 6): the policy bit string corresponding to source port 80 in the preset feature list recording source port information is set to "0001", the policy bit string corresponding to protocol number 6 in the preset feature list recording protocol numbers is set to "0001", and the unused feature values destination port information, message length and TCP Flag marks are all marked with "0001". For policy 2 (source port 81): the policy bit string corresponding to source port 81 in the preset feature list recording source port information is set to "0010", and the unused feature values, namely protocol number, destination port information, message length and TCP Flag marks, are all marked with "0010". For policy 3 (destination port 53 + protocol number 17 + message length greater than 64 bytes and less than 70 bytes): the policy bit string corresponding to destination port 53 in the preset feature list recording destination port information is set to "0100", the policy bit string corresponding to protocol number 17 in the preset feature list recording protocol numbers is set to "0100", the policy bit strings corresponding to message lengths of 64, 65, 66, 67, 68, 69 and 70 bytes in the preset feature list recording message lengths are set to "0100", and the unused feature value source port information is marked with "0100". For policy 4 (source port 80 + message length 80 bytes): source port 80 in the preset feature list recording source port information, in addition to the policy bit string "0001" for policy 1 above, also corresponds to the policy bit string "1000", so the policy bit string of source port 80 in the preset feature list recording source port information is set to "1001"; the policy bit string corresponding to message length 80 bytes in the preset feature list recording message lengths is set to "1000"; and the unused feature values, namely protocol number, destination port information and TCP Flag marks, are all marked with "1000".
Specifically, with reference to steps 101 and 102, the protection device matches protocol number 17, source port 83, destination port 53 and message length 66 bytes against the preset feature lists recording protocol numbers, source port information, destination port information and message lengths respectively, and obtains the policy bit string "0100" corresponding to protocol number 17, the policy bit string "0100" corresponding to source port 83, the policy bit string "0100" corresponding to destination port 53 and the policy bit string "0100" corresponding to message length 66 bytes. It should be noted that source port 83 is an unused feature value in policy 3, so the policy bit string corresponding to source port 83 is "0100".
In step 103, in one embodiment, with reference to step 102, the protection device performs an AND operation on the policy bit strings "0100", "0100", "0100" and "0100" obtained by matching, and obtains the target bit string "0100".
In step 104, in one embodiment, with reference to step 103, the protection device determines from the target bit string "0100" whether the UDP message is successfully matched with the preset protection policies. The "1" in the target bit string "0100" corresponds to policy 3, indicating that the message to be protected is successfully matched with policy 3.
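The matching of steps 101 to 104 for the four example policies above, as an added example that is not part of the patent text: it builds the per-type preset feature lists with the marking of unused feature values, ANDs the looked-up policy bit strings for the UDP message (protocol 17, source port 83, destination port 53, 66 bytes) and decodes the target bit string. The list domains, the protocol range and the treatment of an all-zero target as the "default bit string" of step 201 are assumptions.

```python
# Added example (not from the patent): bit-string policy matching of steps
# 101 to 104 for the four preset protection policies in the description.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FEATURE_TYPES = ("protocol", "src_port", "dst_port", "length")

# Domains of the preset feature lists (assumed: protocol numbers 0..255,
# ports 0..65535, message lengths 0..2048 bytes as the description states).
DOMAIN = {
    "protocol": range(256),
    "src_port": range(65536),
    "dst_port": range(65536),
    "length": range(2049),
}


@dataclass
class Policy:
    name: str
    # feature type -> set of values the policy requires; a feature type that
    # is absent here is "unused" by this policy.
    conds: Dict[str, Set[int]]


# The four example policies, constructed from the description's text.
POLICIES = [
    Policy("policy 1", {"src_port": {80}, "protocol": {6}}),
    Policy("policy 2", {"src_port": {81}}),
    Policy("policy 3", {"dst_port": {53}, "protocol": {17},
                        "length": set(range(64, 71))}),  # 64..70 bytes as listed
    Policy("policy 4", {"src_port": {80}, "length": {80}}),
]


def build_tables(policies: List[Policy]) -> Dict[str, Dict[int, int]]:
    """Build {feature_type: {feature_value: policy_bit_string}}.

    Bit i (counting from the right, the least significant bit) stands for
    policies[i], following the description's right-to-left numbering:
    "0001" is policy 1 and "1000" is policy 4.
    """
    tables = {ft: dict.fromkeys(DOMAIN[ft], 0) for ft in FEATURE_TYPES}
    for i, pol in enumerate(policies):
        bit = 1 << i
        for ft in FEATURE_TYPES:
            if ft in pol.conds:
                for value in pol.conds[ft]:
                    tables[ft][value] |= bit
            else:
                # Unused feature value: mark every entry of this list with the
                # policy's bit so the AND below is not affected by it.
                for value in tables[ft]:
                    tables[ft][value] |= bit
    return tables


def match_message(tables: Dict[str, Dict[int, int]], policies: List[Policy],
                  features: Dict[str, int]) -> Tuple[str, List[str]]:
    """Steps 102-104: look up each parsed feature value, AND the policy bit
    strings, and decode the target bit string.

    Returns the target bit string as text plus the names of the matched
    policies; an empty list means the all-zero target, which this example
    assumes to be the "default bit string" of step 201 (no policy matched).
    """
    width = len(policies)
    target = (1 << width) - 1  # all ones: identity element for AND
    for ft, value in features.items():
        # A value outside the preset list matches no policy (assumption).
        target &= tables[ft].get(value, 0)
    matched = [p.name for i, p in enumerate(policies) if target >> i & 1]
    return format(target, f"0{width}b"), matched


TABLES = build_tables(POLICIES)


def match_udp_example() -> Tuple[str, List[str]]:
    """The UDP message of the description (constructed input): protocol 17,
    source port 83, destination port 53, message length 66 bytes."""
    udp = {"protocol": 17, "src_port": 83, "dst_port": 53, "length": 66}
    return match_message(TABLES, POLICIES, udp)


if __name__ == "__main__":
    print(match_udp_example())  # ('0100', ['policy 3'])
```

A message with source port 80, protocol 6 and length 80 bytes yields the target "1001", i.e. policies 1 and 4 both match, which is the multiple-match case that step 203 resolves with a policy selection rule.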
Optionally, step 105 may also be performed before step 101.
In step 105, in one embodiment, the protection device determines at least one preset feature list to be matched based on the message type of the message to be protected, and then, based on the feature value types of the feature values recorded in the determined at least one preset feature list, performs in step 101 the parsing of the message to be protected to obtain the at least one feature value to be matched. The message types of the message to be protected include TCP messages, UDP messages, ICMP messages, and so on. Generally, the administrator configures different preset feature lists to be matched for messages to be protected of different message types. Specifically, the preset feature lists to be matched configured for TCP messages include the preset feature lists recording message lengths, protocol numbers, source port information, destination port information and TCP Flag marks; the preset feature lists configured for UDP messages include the preset feature lists recording message lengths, protocol numbers, source port information and destination port information; the preset feature lists configured for ICMP messages include the preset feature lists recording ICMP Type values, ICMP Code values, message lengths and protocol numbers; and for messages to be protected of other message types, the configured preset feature lists at least include the preset feature lists recording message lengths and protocol numbers. Specifically, if the message to be protected is an ICMP message, the preset feature lists to be matched determined for the ICMP message include the preset feature lists recording message lengths, protocol numbers, ICMP Type values and ICMP Code values. Based on the feature value types of the feature values recorded in those lists, namely message length, protocol number, ICMP Type and ICMP Code, the protection device determines that it needs to parse from the ICMP message the message length, protocol number, ICMP Type value and ICMP Code value.
In this embodiment of the present invention, the protection device matches each feature value to be matched, parsed from the message to be protected, against the preset feature list of the same feature value type, obtains the policy bit string corresponding to each such feature value, and determines from the result of ANDing those policy bit strings whether the message to be protected matches a preset protection policy. This removes the need for the protection device to compare the at least one feature value parsed from the message against hundreds of preset protection policies one by one. The number of feature values to be matched is small compared with hundreds of preset protection policies, and matching each feature value against the preset feature list of the same type takes little time, so the matching of protection policies is no longer time-consuming.
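The matching just described, as an added worked example in Python that is not part of the patent or of any product implementing it. Four constructed policies stand in for the preset protection policies of step 102 (policies 1 and 4 are the ones the text cites; policies 2 and 3 are made up to fill the four-bit strings), `build_feature_lists` derives the per-type preset feature lists from them, and `target_bit_string` parses only the feature value types that the message type calls for, looks each value up in the list of the same type and ANDs the policy bit strings. Two details are assumptions of this example, not statements of the page: a parsed value that is not recorded in a list yields the bit string of the policies that leave that feature unconstrained, and a policy whose constraints use a feature that is never parsed for the message type (source port on an ICMP message) is cleared from the result, because a plain AND over the parsed lists alone would let such a policy match.

```python
"""Bit-string policy matching (steps 101-104), added example with constructed data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Feature value types the constructed policies may constrain.
FEATURE_TYPES = ("src_port", "protocol", "length", "icmp_type", "icmp_code")


@dataclass
class Policy:
    """Preset protection policy. Bit `pid` of every bit string, counted from the
    right starting at 1, stands for this policy (so "0100" is policy 3)."""
    pid: int
    constraints: Dict[str, int]  # feature type -> required value; absent = any


# Constructed policy table: policies 1 and 4 as cited in the text, 2 and 3 made up.
POLICIES = (
    Policy(1, {"src_port": 80, "protocol": 6}),
    Policy(2, {"protocol": 17, "length": 512}),
    Policy(3, {"protocol": 1, "icmp_type": 8, "icmp_code": 0}),
    Policy(4, {"src_port": 80, "length": 80}),
)


def build_feature_lists(policies) -> Dict[str, Tuple[Dict[int, int], int]]:
    """Build one preset feature list per feature value type.

    Each list maps a recorded feature value to a policy bit string (an int
    bitmask). Policies that do not constrain the type match every value of it,
    so their bits are set in every entry and in the `wildcard` mask that is
    used when a parsed value is not recorded in the list (assumption)."""
    lists = {}
    for ftype in FEATURE_TYPES:
        table: Dict[int, int] = {}
        wildcard = 0
        for p in policies:
            bit = 1 << (p.pid - 1)
            if ftype in p.constraints:
                value = p.constraints[ftype]
                table[value] = table.get(value, 0) | bit
            else:
                wildcard |= bit
        for value in table:
            table[value] |= wildcard
        lists[ftype] = (table, wildcard)
    return lists


FEATURE_LISTS = build_feature_lists(POLICIES)


def feature_types_for(msg: Dict[str, int]) -> Tuple[str, ...]:
    """The feature lists to match depend on the message type: protocol number 1
    is ICMP and uses the ICMP lists; other messages use port/protocol/length."""
    if msg["protocol"] == 1:
        return ("length", "protocol", "icmp_type", "icmp_code")
    return ("src_port", "protocol", "length")


def target_bit_string(msg: Dict[str, int], lists=FEATURE_LISTS, policies=POLICIES,
                      enforce_eligibility: bool = True) -> str:
    """Return the target bit string for `msg` as a string of '0'/'1'.

    Parses only the feature values the message type calls for, looks each one
    up in the feature list of the same type and ANDs the policy bit strings.
    With enforce_eligibility (this example's addition) a policy that constrains
    a feature never parsed for this message type is cleared from the result."""
    types = feature_types_for(msg)
    n = len(policies)
    target = (1 << n) - 1
    for ftype in types:
        table, wildcard = lists[ftype]
        target &= table.get(msg[ftype], wildcard)
    if enforce_eligibility:
        eligible = 0
        for p in policies:
            if set(p.constraints) <= set(types):
                eligible |= 1 << (p.pid - 1)
        target &= eligible
    return format(target, f"0{n}b")


def matched_policy_ids(bits: str) -> List[int]:
    """Policy numbers whose bit is '1'; the rightmost character is policy 1."""
    n = len(bits)
    return sorted(n - i for i, ch in enumerate(bits) if ch == "1")


if __name__ == "__main__":
    # Constructed messages: a TCP message from source port 80 of 80 bytes gives
    # "1001" (policies 1 and 4), an ICMP echo request gives "0100" (policy 3).
    tcp = {"src_port": 80, "protocol": 6, "length": 80}
    icmp = {"protocol": 1, "length": 84, "icmp_type": 8, "icmp_code": 0}
    print(target_bit_string(tcp), matched_policy_ids(target_bit_string(tcp)))
    print(target_bit_string(icmp), matched_policy_ids(target_bit_string(icmp)))
```

Disabling `enforce_eligibility` shows why the mask is there: an ICMP message of 80 bytes then produces "1000", so policy 4 (source port 80 + message length 80 bytes) reports a match although an ICMP message carries no source port. Pinning the protocol number in every such policy, or applying an eligibility mask as above, closes that gap.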
Fig. 2 is a flowchart of another embodiment of the matching method for protection policies provided by the present invention. Building on steps 101 to 104 of Fig. 1, it illustrates how the protection device determines, based on the target bit string, whether the message to be protected matches a preset protection policy, and, when more than one preset protection policy matches, how it determines the target policy and performs the protection instruction of that target policy. As shown in Fig. 2, it comprises the following steps:
Step 201: Determine whether the target bit string is the preset bit string. If the target bit string is not the preset bit string, go to step 202; if it is the preset bit string, go to step 207.
Step 202: Determine that the message to be protected matches a preset protection policy.
Step 203: If more than one preset protection policy matched, determine one target policy from the matched preset protection policies according to a preset policy selection rule.
Step 204: Generate the first identifier corresponding to the target policy from the target bit string.
Step 205: Match the first identifier against each of the at least one second identifier recorded in the preset processing list; each second identifier corresponds to one protection instruction.
Step 206: When the first identifier matches one of the second identifiers in the preset processing list, perform on the message to be protected the protection instruction corresponding to the matched second identifier.
Step 207: Determine that the message to be protected matches no preset protection policy, and forward it to the next network device connected to the protection device.
In step 201, the protection device determines whether the target bit string is the preset bit string. The preset bit string has the same length as the target bit string; with reference to steps 102 and 103, the preset bit string is "0000". When the target bit string is not the preset bit string "0000", step 202 is performed; when it is the preset bit string, step 207 is performed.
In step 202, when the target bit string is not the preset bit string, the protection device determines that the message to be protected matches a preset protection policy. Specifically, with reference to step 102, if the target bit string is "0100", it differs from the preset bit string "0000", so the protection device determines that the message to be protected matches a preset protection policy; the "1" in "0100" corresponds to policy 3, so the message to be protected matches policy 3.
In step 203, if more than one preset protection policy matched, the protection device determines one target policy from the matched preset protection policies according to a preset policy selection rule. Specifically, if the target bit string is "1001", then with reference to step 102 (policy 1: source port 80 + protocol number 6; policy 4: source port 80 + message length 80 bytes) the message to be protected matches both policy 1 and policy 4, and the protection device determines one target policy from policies 1 and 4 according to the preset policy selection rule. The policy selection rule may be to select the first matched preset protection policy from right to left, to select the first matched preset protection policy from left to right, or to select a matched preset protection policy at random; those skilled in the art will appreciate that the policy selection rule does not limit the present invention. Taking "select the first matched preset protection policy from right to left" as the policy selection rule for illustration, the protection device determines policy 1 as the target policy from the matched policies 1 and 4.
In step 204, the protection device generates the first identifier corresponding to the target policy from the target bit string. For example, the protection device generates the first identifier "1" from policy 1 in the target bit string "1001"; those skilled in the art will appreciate that if the target policy were policy 4, the first identifier would be "4". The first identifier serves only to match the target policy against the second identifiers in the preset processing list described below; it may be a number, a letter, or a combination of both, and the present invention does not restrict its specific form.
In step 205, the protection device matches the first identifier against each of the at least one second identifier recorded in the preset processing list; each second identifier corresponds to one protection instruction. Table 2 illustrates the structure of the preset processing list with four second identifiers recorded in it:
Table 2
In Table 2, second identifier "1", second identifier "2", second identifier "3" and second identifier "4" correspond, respectively, to the protection instructions: discard the message to be protected, send an alarm message, discard the message to be protected, send an alarm message. With reference to step 204, the protection device matches the first identifier "1" against each of the second identifiers "1", "2", "3" and "4" recorded in the preset processing list.
In step 206, when the first identifier matches one of the second identifiers in the preset processing list, the protection device performs on the message to be protected the protection instruction corresponding to the matched second identifier. With reference to step 205, the first identifier "1" matches the second identifier "1" in the preset processing list, whose protection instruction is to discard the message to be protected; the protection device therefore discards the message to be protected.
In step 207, when the target bit string is the preset bit string, the protection device determines that the message to be protected matches no preset protection policy and forwards it to the next network device connected to the protection device. If the target bit string is "0000", it equals the preset bit string "0000", so the protection device determines that the message to be protected matches no preset protection policy and forwards it to the next network device connected to the protection device.
In this embodiment of the present invention, the protection device determines whether the target bit string is the preset bit string; when it is not, the protection device determines that the message to be protected matches a preset protection policy. If more than one preset protection policy matched, the protection device determines one target policy from them according to a preset policy selection rule; different policy selection rules make the choice of target policy more flexible, and a different target policy results in a different protection instruction being performed on the message to be protected. The protection device generates the first identifier corresponding to the target policy from the target bit string and matches it against the at least one second identifier recorded in the preset processing list; when the first identifier matches one of the second identifiers in the preset processing list, the protection device performs on the message to be protected the protection instruction corresponding to the matched second identifier. When the second identifier corresponding to a protection instruction changes, or the correspondence between first and second identifiers changes, administrators can modify the changed second identifier or protection instruction by retrieving the preset processing list, which makes unified management easy.
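The decision stage of steps 201 to 207, as an added example in Python that is not the patent's own code. `decide` takes a target bit string, compares it with the preset all-zero bit string, lists the matched policies (the rightmost character is policy 1, so "0100" is policy 3), applies the selection rule, derives the first identifier and looks it up in a constructed processing list that reproduces the contents described for Table 2. Two points are this example's assumptions rather than statements of the page: `check_process_list`, a helper added here, reports first identifiers that have no second identifier in the processing list so that a configuration change can be checked before it is deployed, and `decide` fails closed (raises) when such an identifier is met at run time.

```python
"""Decision stage of Fig. 2 (steps 201-207), added example with constructed data."""
import random
from typing import Dict, List, Optional, Tuple

# Constructed preset processing list standing in for Table 2:
# second identifier -> protection instruction ("1" and "3" discard the message,
# "2" and "4" send an alarm message, as the text describes).
PROCESS_LIST: Dict[str, str] = {"1": "discard", "2": "alarm", "3": "discard", "4": "alarm"}


def matched_policies(target: str) -> List[int]:
    """Policy numbers whose bit is '1'; the rightmost character is policy 1."""
    n = len(target)
    return sorted(n - i for i, ch in enumerate(target) if ch == "1")


def select_target(pids: List[int], rule: str = "rightmost") -> int:
    """Step 203: pick one target policy according to the policy selection rule."""
    if rule == "rightmost":   # first matched policy scanning right to left
        return min(pids)
    if rule == "leftmost":    # first matched policy scanning left to right
        return max(pids)
    if rule == "random":      # any matched policy
        return random.choice(pids)
    raise ValueError(f"unknown policy selection rule: {rule!r}")


def check_process_list(n_policies: int, process_list: Dict[str, str] = PROCESS_LIST) -> List[str]:
    """Assumed configuration check: first identifiers (here the policy numbers
    as strings) that have no second identifier in the processing list."""
    return [str(i) for i in range(1, n_policies + 1) if str(i) not in process_list]


def decide(target: str, rule: str = "rightmost",
           process_list: Dict[str, str] = PROCESS_LIST) -> Tuple[str, Optional[int]]:
    """Steps 201-207: return (protection instruction, target policy).

    A target bit string equal to the preset all-zero string means no policy
    matched; the message is forwarded to the next device: ("forward", None)."""
    preset = "0" * len(target)
    if target == preset:                          # step 201 -> step 207
        return ("forward", None)
    pids = matched_policies(target)               # step 202
    target_policy = select_target(pids, rule)     # step 203
    first_id = str(target_policy)                 # step 204
    if first_id not in process_list:              # assumption: fail closed on a config gap
        raise KeyError(f"no protection instruction for first identifier {first_id!r}")
    return (process_list[first_id], target_policy)  # steps 205-206


if __name__ == "__main__":
    # "1001" matches policies 1 and 4; right-to-left selection picks policy 1,
    # whose second identifier "1" means "discard".
    print(decide("1001"))                      # ('discard', 1)
    print(decide("1001", rule="leftmost"))     # ('alarm', 4)
    print(decide("0000"))                      # ('forward', None)
    print(check_process_list(5))               # ['5']
```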
Corresponding to the matching method for protection policies described above, the present invention also proposes the hardware structure of the protection device shown in Fig. 3. Referring to Fig. 3, at the hardware level the protection device includes a processor, an internal bus, a network interface, memory and non-volatile memory; it may of course also include hardware required by other services. The processor reads the corresponding computer program from the non-volatile memory into memory and runs it, forming the matching device for protection policies at the logical level. Besides a software implementation, the present invention does not exclude other implementations, such as logic devices or a combination of software and hardware; that is, the executing body of the following processing flow is not limited to logical units and may also be hardware or logic devices.
Fig. 4 is a block diagram of an embodiment of the matching device for protection policies provided by the present invention. As shown in Fig. 4, the matching device for protection policies may include a feature value parsing module 41, a feature value matching module 42, an AND operation module 43 and a protection policy determining module 44, wherein:
the feature value parsing module 41 is configured to parse at least one feature value to be matched from the message to be protected when the message to be protected is received;
the feature value matching module 42 is configured to match each feature value to be matched among the at least one feature value parsed by the feature value parsing module 41 against the preset feature list of the same feature value type, and obtain the policy bit string corresponding to each of the at least one feature value to be matched; each feature value recorded in each preset feature list corresponds to one policy bit string, and each policy bit string corresponds to one preset protection policy;
the AND operation module 43 is configured to AND the policy bit strings corresponding to the at least one feature value to be matched in the feature value matching module 42 to obtain one target bit string;
the protection policy determining module 44 is configured to determine, based on the target bit string obtained in the AND operation module 43, whether the message to be protected matches a preset protection policy.
Fig. 5 is a block diagram of another embodiment of the matching device for protection policies provided by the present invention. As shown in Fig. 5, on the basis of the embodiment of Fig. 4, the matching device for protection policies further includes:
a feature list determining module 45, configured to determine at least one preset feature list to be matched based on the message type of the message to be protected and, based on the feature value types of the feature values recorded in the determined at least one preset feature list, perform the step in the feature value parsing module 41 of parsing at least one feature value to be matched from the message to be protected.
In one embodiment, the protection policy determining module 44 includes:
a preset bit string comparison submodule 441, configured to determine whether the target bit string is the preset bit string;
a message forwarding submodule 442, configured to determine, when the preset bit string comparison submodule 441 finds that the target bit string is the preset bit string, that the message to be protected matches no preset protection policy, and forward the message to be protected to the next network device connected to the protection device;
a match success determining submodule 443, configured to determine, when the preset bit string comparison submodule 441 finds that the target bit string is not the preset bit string, that the message to be protected matches a preset protection policy.
In one embodiment, the matching device for protection policies further includes:
a target policy determining module 46, configured to determine, if more than one preset protection policy matched in the match success determining submodule 443, one target policy from the matched preset protection policies according to a preset policy selection rule.
In one embodiment, the matching device for protection policies further includes:
a first identifier generating module 47, configured to generate, from the target bit string obtained in the AND operation module 43, the first identifier corresponding to the target policy determined in the target policy determining module 46;
an identifier matching module 48, configured to match the first identifier generated in the first identifier generating module 47 against each of the at least one second identifier recorded in the preset processing list; each second identifier corresponds to one protection instruction;
a protection instruction performing module 49, configured to perform on the message to be protected, when the first identifier matches one of the second identifiers in the preset processing list, the protection instruction corresponding to the matched second identifier.
The implementation of the functions and effects of the units in the above device is described in detail in the corresponding steps of the above method and is not repeated here.
Since the device embodiment basically corresponds to the method embodiment, the relevant parts may refer to the description of the method embodiment. The device embodiment described above is merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual need to achieve the purpose of the solution of the present invention. Those of ordinary skill in the art can understand and implement it without creative effort.
It can be seen from the above embodiments that the protection device matches each feature value to be matched, parsed from the message to be protected, against the preset feature list of the same feature value type, obtains the policy bit string corresponding to each such feature value, and determines from the result of ANDing those policy bit strings whether the message to be protected matches a preset protection policy. This removes the need for the protection device to compare the at least one feature value parsed from the message against hundreds of preset protection policies one by one. The number of feature values to be matched is small compared with hundreds of preset protection policies, and matching each feature value against the preset feature list of the same type takes little time, so the matching of protection policies is no longer time-consuming.
Other embodiments of the present invention will readily occur to those skilled in the art after considering the specification and practicing the invention disclosed herein. The present application is intended to cover any variations, uses or adaptations of the present invention that follow its general principles and include common knowledge or customary technical means in the art not disclosed herein. The specification and embodiments are to be regarded as exemplary only, with the true scope and spirit of the invention being indicated by the following claims.
It should also be noted that the terms "comprising", "including" or any other variant thereof are intended to be non-exclusive, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device comprising that element.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (10)
1. A matching method for protection policies, characterized in that the method comprises:
when a message to be protected is received, parsing at least one feature value to be matched from the message to be protected;
matching each feature value to be matched among the at least one feature value to be matched against a preset feature list of the same feature value type, and obtaining the policy bit string corresponding to each of the at least one feature value to be matched, wherein each feature value recorded in each preset feature list corresponds to one policy bit string and each policy bit string corresponds to one preset protection policy;
ANDing the policy bit strings corresponding to the at least one feature value to be matched to obtain one target bit string;
determining, based on the target bit string, whether the message to be protected matches a preset protection policy.
2. The method according to claim 1, characterized in that the method further comprises:
determining at least one preset feature list to be matched based on the message type of the message to be protected;
performing the step of parsing at least one feature value to be matched from the message to be protected based on the feature value types of the feature values recorded in the determined at least one preset feature list.
3. The method according to claim 1, characterized in that determining, based on the target bit string, whether the message to be protected matches a preset protection policy comprises:
determining whether the target bit string is a preset bit string;
when the target bit string is the preset bit string, determining that the message to be protected matches no preset protection policy, and forwarding the message to be protected to the next network device connected to the protection device;
when the target bit string is not the preset bit string, determining that the message to be protected matches a preset protection policy.
4. The method according to claim 3, characterized in that, when it is determined that the message to be protected matches a preset protection policy, the method further comprises:
if more than one preset protection policy matched, determining one target policy from the matched preset protection policies according to a preset policy selection rule.
5. The method according to claim 4, characterized in that the method further comprises:
generating a first identifier corresponding to the target policy based on the target bit string;
matching the first identifier against each of at least one second identifier recorded in a preset processing list, wherein each second identifier corresponds to one protection instruction;
when the first identifier matches one of the second identifiers in the preset processing list, performing on the message to be protected the protection instruction corresponding to the matched second identifier.
6. A matching device for protection policies, characterized in that the device comprises:
a feature value parsing module, configured to parse at least one feature value to be matched from the message to be protected when the message to be protected is received;
a feature value matching module, configured to match each feature value to be matched among the at least one feature value parsed by the feature value parsing module against a preset feature list of the same feature value type, and obtain the policy bit string corresponding to each of the at least one feature value to be matched, wherein each feature value recorded in each preset feature list corresponds to one policy bit string and each policy bit string corresponds to one preset protection policy;
an AND operation module, configured to AND the policy bit strings corresponding to the at least one feature value to be matched in the feature value matching module to obtain one target bit string;
a protection policy determining module, configured to determine, based on the target bit string obtained in the AND operation module, whether the message to be protected matches a preset protection policy.
7. The device according to claim 6, characterized in that the device further comprises:
a feature list determining module, configured to determine at least one preset feature list to be matched based on the message type of the message to be protected and, based on the feature value types of the feature values recorded in the determined at least one preset feature list, perform the step in the feature value parsing module of parsing at least one feature value to be matched from the message to be protected.
8. The device according to claim 6, characterized in that the protection policy determining module comprises:
a preset bit string comparison submodule, configured to determine whether the target bit string is a preset bit string;
a message forwarding submodule, configured to determine, when the preset bit string comparison submodule finds that the target bit string is the preset bit string, that the message to be protected matches no preset protection policy, and forward the message to be protected to the next network device connected to the protection device;
a match success determining submodule, configured to determine, when the preset bit string comparison submodule finds that the target bit string is not the preset bit string, that the message to be protected matches a preset protection policy.
9. The device according to claim 8, characterized in that the device further comprises:
a target policy determining module, configured to determine, if more than one preset protection policy matched in the match success determining submodule, one target policy from the matched preset protection policies according to a preset policy selection rule.
10. The device according to claim 9, characterized in that the device further comprises:
a first identifier generating module, configured to generate, based on the target bit string obtained in the AND operation module, the first identifier corresponding to the target policy determined in the target policy determining module;
an identifier matching module, configured to match the first identifier generated in the first identifier generating module against each of at least one second identifier recorded in a preset processing list, wherein each second identifier corresponds to one protection instruction;
a protection instruction performing module, configured to perform on the message to be protected, when the first identifier matches one of the second identifiers in the preset processing list, the protection instruction corresponding to the matched second identifier.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611252950.9A CN106657104B (en) | 2016-12-30 | 2016-12-30 | Matching method and device for protection policies |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106657104A true CN106657104A (en) | 2017-05-10 |
CN106657104B CN106657104B (en) | 2019-09-06 |
Family
ID=58836876
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611252950.9A Active CN106657104B (en) | 2016-12-30 | 2016-12-30 | Matching method and device for protection policies |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106657104B (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101102277A (en) * | 2007-06-20 | 2008-01-09 | 华为技术有限公司 | Recognition method and system for service data and recognition control device |
CN104040550A (en) * | 2011-10-18 | 2014-09-10 | 迈可菲公司 | Integrating security policy and event management |
US20140173733A1 (en) * | 2012-12-17 | 2014-06-19 | Fixmo, Inc. | Exploit detection and reporting of a device using server chaining |
CN104615634A (en) * | 2014-11-10 | 2015-05-13 | 广东智冠信息技术股份有限公司 | Direction feature based palm vein guiding quick retrieval method |
CN104850797A (en) * | 2015-04-30 | 2015-08-19 | 北京奇虎科技有限公司 | Device security management method and apparatus |
CN105939284A (en) * | 2016-01-08 | 2016-09-14 | 杭州迪普科技有限公司 | Message control strategy matching method and device |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109698831A (en) * | 2018-12-28 | 2019-04-30 | 中电智能科技有限公司 | Data prevention method and device |
CN109698831B (en) * | 2018-12-28 | 2021-07-02 | 中电智能科技有限公司 | Data protection method and device |
CN110311835A (en) * | 2019-07-09 | 2019-10-08 | 国网甘肃省电力公司电力科学研究院 | A kind of electric power IEC agreement airworthiness compliance method based on content template |
Also Published As
Publication number | Publication date |
---|---|
CN106657104B (en) | 2019-09-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||