CN106657104A - Matching method and device of protection strategies - Google Patents


Info

Publication number: CN106657104A
Authority: CN (China)
Prior art keywords: default, bit string, message, matched, characteristic value
Legal status: Granted
Application number: CN201611252950.9A
Other languages: Chinese (zh)
Other versions: CN106657104B (en)
Inventor: 邢涛
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd

Events
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201611252950.9A
Publication of CN106657104A
Application granted
Publication of CN106657104B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information, intercepting packet switched data communications, e.g. Web, Internet or IMS communications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Communication Control (AREA)

Abstract

The invention provides a matching method and device for protection policies. The method comprises the steps of: when a packet to be protected is received, parsing the packet to obtain at least one feature value to be matched; matching each of the at least one feature value to be matched against the preset feature list whose type is the same as that of the respective feature value, so as to obtain the policy bit strings corresponding to the at least one feature value to be matched, wherein each feature value recorded in each preset feature list corresponds to one policy bit string, and each bit of the policy bit string corresponds to one preset protection policy; carrying out an AND operation on the policy bit strings corresponding to the at least one feature value to be matched to obtain a target bit string; and, based on the target bit string, determining whether the packet to be protected successfully matches a preset protection policy. By applying the matching method and device provided by the embodiments of the invention, the problem of the long time consumed by the matching process of protection policies is solved.

Description

Matching method and device for protection policies
Technical field
The present invention relates to the field of network communication technology, and in particular to a matching method and device for protection policies.
Background
Generally, administrators need to preconfigure protection policies on a protection device according to their requirements; the protection device then protects packets to be protected based on the preset protection policies.
In the prior art, the protection device extracts at least one feature value to be matched from the packet to be protected and matches these feature values against each preset protection policy in turn. When the number of preset protection policies reaches hundreds or thousands, the protection device has to compare the feature values to be matched against hundreds of preset protection policies one by one, and the matching process is time-consuming.
Summary of the invention
In view of this, the present invention provides a matching method and device for protection policies, to solve the problem that the matching process of protection policies is time-consuming when the number of policies to be matched is large.
To achieve the above object, the present invention provides the following technical solution:
According to a first aspect of the present invention, a matching method for protection policies is proposed. The method includes:
when a packet to be protected is received, parsing the packet to obtain at least one feature value to be matched;
matching each of the at least one feature value to be matched against the preset feature list whose feature value type is the same as that of the feature value, to obtain the policy bit string corresponding to each of the at least one feature value to be matched, where each feature value recorded in each preset feature list corresponds to one policy bit string, and each bit of the policy bit string corresponds to one preset protection policy;
performing an AND operation on the policy bit strings corresponding to the at least one feature value to be matched, to obtain a target bit string;
determining, based on the target bit string, whether the packet to be protected successfully matches a preset protection policy.
According to a second aspect of the present invention, a matching device for protection policies is proposed, including:
a feature value parsing module, configured to parse at least one feature value to be matched from the packet to be protected when the packet is received;
a feature value matching module, configured to match each of the at least one feature value parsed by the feature value parsing module against the preset feature list of the same feature value type, to obtain the policy bit string corresponding to each of the at least one feature value to be matched, where each feature value recorded in each preset feature list corresponds to one policy bit string, and each bit of the policy bit string corresponds to one preset protection policy;
an AND operation module, configured to perform an AND operation on the policy bit strings obtained by the feature value matching module for the at least one feature value to be matched, to obtain a target bit string;
a protection policy determining module, configured to determine, based on the target bit string obtained by the AND operation module, whether the packet to be protected successfully matches a preset protection policy.
It can be seen from the above technical solution that the protection device matches each feature value parsed from the packet to be protected against the preset feature list of the same feature value type, obtains the policy bit string corresponding to each feature value, and determines from the result of the AND operation on those policy bit strings whether the packet successfully matches a preset protection policy. This eliminates the process in which the protection device matches the feature values parsed from the packet against hundreds of preset protection policies one by one. Since the number of feature values to be matched is small compared with the hundreds of preset protection policies, and matching each feature value against the one preset feature list of the same type takes little time, the problem that the matching process of protection policies is time-consuming is solved.
Brief description of the drawings
Fig. 1 is a flowchart of an embodiment of the matching method for protection policies provided by the present invention;
Fig. 2 is a flowchart of another embodiment of the matching method for protection policies provided by the present invention;
Fig. 3 is a hardware structure diagram of a protection device provided by the present invention;
Fig. 4 is a block diagram of an embodiment of the matching device for protection policies provided by the present invention;
Fig. 5 is a block diagram of another embodiment of the matching device for protection policies provided by the present invention.
Detailed description of the embodiments
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; rather, they are merely examples of apparatus and methods consistent with some aspects of the invention as detailed in the appended claims.
The terminology used in the present invention is for the purpose of describing particular embodiments only and is not intended to limit the invention. The singular forms "a", "the" and "said" used in the present invention and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present invention to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the present invention, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
The embodiments of the present invention can be applied to a protection device, that is, a network security device that performs security protection on packets to be protected. Those skilled in the art will understand that applying the embodiments to a protection device is merely an exemplary illustration and does not limit the present invention. In general, the protection device stores at least one preset feature list, and each preset feature list records a different feature value type. Feature value types include: packet length, protocol, source port, destination port, Transmission Control Protocol (TCP) flags, Internet Control Message Protocol (ICMP) Type, ICMP Code and so on. Each feature value recorded in each preset feature list corresponds to one policy bit string, and the length of the policy bit string is determined by the number of preset protection policies. A preset protection policy is policy information set in advance by the administrator for matching the feature values to be matched of a packet to be protected; a preset protection policy is, for example, "source port 80, protocol number 6". If the number of preset protection policies is, for example, 32, then the length of the policy bit string is 32 bits, and each bit of the policy bit string corresponds to one preset protection policy.
When the protection device receives a packet to be protected, it parses the packet to obtain at least one feature value to be matched. Feature values to be matched include: packet length, protocol number, source port, destination port, TCP flags, ICMP Type value, ICMP Code value and so on; packets of different packet types yield different feature values when parsed. The protection device matches each of the at least one feature value to be matched against the preset feature list of the same feature value type, obtaining the policy bit string corresponding to each feature value. The protection device then performs an AND operation on the policy bit strings obtained by matching; the result of the operation is the target bit string. Based on the target bit string, the protection device determines whether the packet to be protected successfully matches a preset protection policy.
Specifically, take a User Datagram Protocol (UDP) packet as the packet to be protected, with the feature values to be matched being protocol number 17, source port 83, destination port 53 and packet length 66 bytes. The protection device matches protocol number 17, source port 83, destination port 53 and packet length 66 bytes against the preset feature lists that record, respectively, protocol numbers, source ports, destination ports and packet lengths, and obtains the policy bit strings corresponding to protocol number 17, source port 83, destination port 53 and packet length 66 bytes. The protection device ANDs the policy bit strings obtained by matching to obtain a target bit string, and determines from the target bit string whether the UDP packet successfully matches a preset protection policy. How the protection device determines, based on the target bit string, whether the packet successfully matches a preset protection policy is described in the steps shown in Fig. 1 below and is not detailed here.
With the embodiments of the present invention, when the number of preset protection policies is in the hundreds or thousands, the protection device matches each feature value parsed from the packet to be protected against the preset feature list of the same feature value type, obtains the policy bit string corresponding to each feature value, and determines from the result of the AND operation on those policy bit strings whether the packet successfully matches a preset protection policy. This eliminates the process of matching the feature values parsed from the packet against hundreds of preset protection policies one by one, and solves the problem that the matching process of protection policies is time-consuming.
To further describe the present invention, the following embodiments are provided:
Fig. 1 is a flowchart of an embodiment of the matching method for protection policies provided by the present invention. As shown in Fig. 1, the method includes the following steps:
Step 101: when a packet to be protected is received, parse the packet to obtain at least one feature value to be matched.
Step 102: match each of the at least one feature value to be matched against the preset feature list of the same feature value type, to obtain the policy bit string corresponding to each feature value to be matched; each feature value recorded in each preset feature list corresponds to one policy bit string, and each bit of the policy bit string corresponds to one preset protection policy.
Step 103: perform an AND operation on the policy bit strings corresponding to the at least one feature value to be matched, to obtain a target bit string.
Step 104: based on the target bit string, determine whether the packet to be protected successfully matches a preset protection policy.
Optionally, step 105 (not shown) may be performed before step 101.
Step 105: determine, based on the packet type of the packet to be protected, at least one preset feature list to be matched; then, based on the feature value types of the feature values recorded in the determined preset feature lists, perform the parsing in step 101 that obtains at least one feature value to be matched from the packet.
In step 101, in one embodiment, the packet type of the packet to be protected includes a TCP packet, a UDP packet, an ICMP packet and so on, and the feature value types of the feature values to be matched include packet length, protocol, source port, destination port, TCP flags, ICMP Type, ICMP Code and so on. Those skilled in the art will understand that packets of different packet types yield different feature value types when parsed. For example, when the packet to be protected is a TCP packet, the protection device parses from it: protocol number, TCP flags, source port, destination port and packet length. When the packet to be protected is an ICMP packet, the protection device parses from it: protocol number, ICMP Type value, ICMP Code value and packet length. When the packet to be protected is a UDP packet, the protection device parses from it: protocol number, source port, destination port and packet length. Taking a UDP packet as the packet to be protected, the protection device parses from it protocol number 17, source port 83, destination port 53 and packet length 66 bytes.
In step 102, in one embodiment, the protection device stores at least one preset feature list. The preset feature lists are configured by the administrator, and each preset feature list records a different feature value type; feature value types include packet length, protocol, source port, destination port, TCP flags, ICMP Type, ICMP Code and so on. Typically, the preset feature list recording packet lengths can store packet lengths of 0 to 2048 bytes; the preset feature list recording protocol numbers can store different protocol number values, such as 1 (the ICMP protocol number), 6 (the TCP protocol number) and 17 (the UDP protocol number); the preset feature list recording source ports can store source ports 0 to 65536; the preset feature list recording destination ports can store destination ports 0 to 65536; the preset feature list recording ICMP Type values can store ICMP Type values 0 to 18; and the preset feature list recording ICMP Code values can store ICMP Code values 0 to 15. It should be noted that, for the preset feature list recording TCP flags, each of the TCP flag letters (URG, ACK, PSH, RST, SYN, FIN) can be defined to have three states, X, 0 and 1, where X stands for "either 0 or 1". For example, if the administrator configures the TCP flags as "X100XX", then the eight TCP flag values "010000", "010001", "010010", "010011", "110000", "110001", "110010" and "110011" all match "X100XX" successfully. Table 1 illustrates the structure of a preset feature list recording source ports:
Table 1
0 | 1 | 2 | ... | 53 | ... | 80 | 81 | ... | 65536
In Table 1, the preset feature list records source ports 0 to 65536. Because space is limited, the three "..." in Table 1 stand for source ports 3-52, 54-79 and 82-65535 respectively, which are omitted here. Those skilled in the art will understand that the range of source ports recorded in the preset feature list is not limited to 0 to 65536; the specific range is configured by the administrator as needed. The structures of the preset feature lists recording packet lengths, protocol numbers, destination ports, ICMP Type values, ICMP Code values and TCP flags are similar to the structure of the preset feature list recording source ports shown in Table 1, and no specific examples are given here.
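The wildcard TCP flag pattern of step 102, worked through as an added example (this is illustration code written for this page, not code from the patent or from Hangzhou DPTech): expand_flag_pattern enumerates the concrete flag values a pattern such as "X100XX" covers, flags_from_names renders a parsed packet's flags in the same URG, ACK, PSH, RST, SYN, FIN order, and build_flag_list assembles the preset feature list for TCP flags from each policy's pattern. The function names, the single-policy pattern set and its bit assignment are assumptions made for the example.

```python
"""Expanding an administrator's wildcard TCP flag pattern into the concrete
flag values a preset feature list records.  Added illustration, not patent code."""
from itertools import product
from typing import Dict, Iterable, List

# Letter order of the six-character TCP flag pattern used in the description.
FLAG_ORDER = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


def expand_flag_pattern(pattern: str) -> List[str]:
    """Expand a pattern over URG ACK PSH RST SYN FIN, where each position is
    '0', '1' or 'X' (X = either), into every concrete 6-character flag value it
    covers.  'X100XX' yields the eight values the description lists."""
    if len(pattern) != len(FLAG_ORDER) or any(c not in "01X" for c in pattern):
        raise ValueError(f"bad TCP flag pattern: {pattern!r}")
    choices = [("0", "1") if c == "X" else (c,) for c in pattern]
    # product() varies the rightmost position fastest, so the output is sorted.
    return ["".join(bits) for bits in product(*choices)]


def flags_from_names(set_flags: Iterable[str]) -> str:
    """Render a set of flag names (e.g. {'ACK', 'PSH'}) as the concrete value a
    packet parser would produce, in the same URG..FIN order ('011000')."""
    wanted = set(set_flags)
    unknown = wanted.difference(FLAG_ORDER)
    if unknown:
        raise ValueError(f"unknown TCP flags: {sorted(unknown)}")
    return "".join("1" if name in wanted else "0" for name in FLAG_ORDER)


def build_flag_list(policy_patterns: Dict[str, int]) -> Dict[str, int]:
    """Build the preset feature list for TCP flags: concrete flag value -> policy
    bit string, given each policy's wildcard pattern and the bit naming it.
    Values covered by several patterns get the OR of their bits."""
    flag_list: Dict[str, int] = {}
    for pattern, bit in policy_patterns.items():
        for value in expand_flag_pattern(pattern):
            flag_list[value] = flag_list.get(value, 0) | bit
    return flag_list


# Constructed example: one policy (bit 0b0001) wants ACK set and PSH, RST clear.
FLAG_LIST = build_flag_list({"X100XX": 0b0001})

if __name__ == "__main__":
    print(expand_flag_pattern("X100XX"))
    parsed = flags_from_names({"ACK", "SYN"})      # '010010'
    print(parsed, format(FLAG_LIST.get(parsed, 0), "04b"))   # '0001': matches
```

Because the preset list holds concrete values, the lookup at match time is a single dictionary access; the wildcard cost is paid once when the administrator's pattern is expanded, and a pattern with k X positions expands to 2^k entries, at most 64 for six flags.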
In addition, each feature value recorded in each preset feature list corresponds to one policy bit string, and each bit of the policy bit string corresponds to one preset protection policy. Generally, a "0" in the policy bit string indicates that no protection policy is configured and a "1" indicates that a protection policy is configured. It should be noted that the feature values not used by a protection policy are marked with "1", where an unused feature value is one the administrator did not need to consider when setting the policy; for example, for the preset protection policy "source port 80, protocol number 6", the unused feature values are destination port, packet length and TCP flags. Those skilled in the art will understand that the purpose of also marking unused feature values with "1" is that, when the policy bit strings corresponding to the feature values to be matched are ANDed, the unused feature values have no effect on the result of the AND operation. Because space is limited, the correspondence between policy bit strings and preset protection policies is illustrated with four preset protection policies configured by the administrator:
Policy 1: source port 80 + protocol number 6;
Policy 2: source port 81;
Policy 3: destination port 53 + protocol number 17 + packet length greater than 64 bytes and less than 70 bytes;
Policy 4: source port 80 + packet length 80 bytes.
Policy 1, policy 2, policy 3 and policy 4 above are four preset protection policies, so the length of the policy bit string is 4 bits, i.e. "0000". The four "0" positions in the policy bit string "0000" correspond one-to-one to policy 1, policy 2, policy 3 and policy 4; here, in right-to-left order, the bits of "0000" correspond to policy 1, policy 2, policy 3 and policy 4 respectively. Those skilled in the art will understand that the correspondence between policy 1 to policy 4 and the policy bit string "0000" may also be left-to-right or unordered; the specific way in which each bit of the policy bit string corresponds to a preset protection policy is not limited here. Specifically, for policy 1 (source port 80 + protocol number 6), the policy bit string corresponding to source port 80 in the preset feature list recording source ports is set to "0001", the policy bit string corresponding to protocol number 6 in the preset feature list recording protocol numbers is set to "0001", and the unused feature values destination port, packet length and TCP flags are all marked with "0001" in their policy bit strings. For policy 2 (source port 81), the policy bit string corresponding to source port 81 in the preset feature list recording source ports is set to "0010", and the unused feature values, for example protocol number, destination port, packet length and TCP flags, are all marked with "0010". For policy 3 (destination port 53 + protocol number 17 + packet length greater than 64 bytes and less than 70 bytes), the policy bit string corresponding to destination port 53 in the preset feature list recording destination ports is set to "0100", the policy bit string corresponding to protocol number 17 in the preset feature list recording protocol numbers is set to "0100", the policy bit strings corresponding to packet lengths 64, 65, 66, 67, 68, 69 and 70 bytes in the preset feature list recording packet lengths are "0100", and the unused feature value source port is marked with "0100". For policy 4 (source port 80 + packet length 80 bytes), source port 80 in the preset feature list recording source ports corresponds not only to the policy bit string "0001" for policy 1 above but also to the policy bit string "1000", so the policy bit string of source port 80 in that list is set to "1001"; the policy bit string corresponding to packet length 80 bytes in the preset feature list recording packet lengths is set to "1000"; and the unused feature values, for example protocol number, destination port and TCP flags, are all marked with "1000".
Specifically, with reference to steps 101 and 102, the protection device matches protocol number 17, source port 83, destination port 53 and packet length 66 bytes against the preset feature lists recording protocol numbers, source ports, destination ports and packet lengths respectively, and obtains the policy bit string "0100" for protocol number 17, "0100" for source port 83, "0100" for destination port 53 and "0100" for packet length 66 bytes. It should be noted that source port 83 is an unused feature value in policy 3, which is why the policy bit string corresponding to source port 83 is "0100".
In step 103, in one embodiment, with reference to step 102, the protection device ANDs the policy bit strings "0100", "0100", "0100" and "0100" obtained by matching, and obtains the target bit string "0100".
In step 104, in one embodiment, with reference to step 103, the protection device determines from the target bit string "0100" whether the UDP packet successfully matches a preset protection policy. The "1" in the target bit string "0100" corresponds to policy 3, indicating that the packet to be protected successfully matches policy 3.
Optionally, can also carry out step 105 before execution step 101.
In step 105, in one embodiment, safeguard determines at least one based on the type of message of message to be protected Default feature list to be matched, safeguard based on a determination that at least one default feature list in the spy of characteristic value that records Value indicative type, in execution step 101 the step of obtaining at least one characteristic value to be matched is parsed from message to be protected.Wait to prevent The type of message of shield message includes:TCP message, UDP messages, icmp packet etc..Generally, administrative staff are for different type of messages Message to be protected be configured with different default feature lists to be matched, specifically, for TCP message configuration it is to be matched Default feature list includes:The default feature list of message length is have recorded, the default feature list of protocol number is have recorded, is recorded The default feature list of source port information, have recorded the default feature list of destination interface information, have recorded TCP Flag marks The default feature list known;Include for the default feature list of UDP messages configuration:Have recorded the default characteristic series of message length Table, have recorded the default feature list of protocol number, have recorded the default feature list of source port information, have recorded destination message The default feature list of breath;Include for the default feature list of icmp packet configuration:Have recorded the default spy of ICMP Type values List is levied, the default feature list of ICMP Code values is have recorded, the default feature list of message length is have recorded, association is have recorded The default feature list of view number;For the message to be protected of other type of messages, the default feature list of configuration at least includes:Note The default feature list of message length has been recorded, the default feature list of protocol 
number has been have recorded.Specifically, if message to be protected is Icmp packet, determines that default feature list to be matched includes based on for icmp packet:Have recorded the default spy of message length List is levied, the default feature list of protocol number is have recorded, the default feature list of ICMP Type values is have recorded, ICMP is have recorded The default feature list of Code values.Safeguard have recorded protocol number based on the default feature list that have recorded message length Default feature list, have recorded the default feature list of ICMP Type values, have recorded the default feature list of ICMP Code values The feature Value Types of the middle characteristic value for recording respectively:Message length, protocol number, ICMP Type, ICMP Code, safeguard is true The parsing from icmp packet is needed to obtain message length, protocol number, ICMP Type values, ICMP Code values calmly.
In this embodiment of the present invention, the protection device matches each feature value parsed from the packet to be protected against the preset feature list of the same feature value type, obtains the policy bit string corresponding to each feature value, and determines from the AND result of those policy bit strings whether the packet matches a preset protection policy. This removes the process in which the protection device compares the feature value(s) parsed from the packet against hundreds of preset protection policies one by one: the number of feature values to be matched is small compared with the hundreds of preset protection policies, and matching each feature value against the preset feature list of the same feature value type takes little time, so the problem of a time-consuming protection policy matching process is solved.
Fig. 2 is a flow chart of another embodiment of the protection policy matching method provided by the present invention. With reference to Fig. 1, and building on steps 101 to 104 described there, it illustrates how the protection device determines from the target bit string whether the packet to be protected matches a preset protection policy, and how, when several preset protection policies match, it determines a target policy and performs a protection action based on that target policy. As shown in Fig. 2, the method includes the following steps:
Step 201: Determine whether the target bit string is the default bit string. When the target bit string is not the default bit string, perform step 202; when the target bit string is the default bit string, perform step 207.
Step 202: Determine that the packet to be protected matches a preset protection policy.
Step 203: If more than one preset protection policy matched, determine one target policy from the matched preset protection policies based on a preset policy selection rule.
Step 204: Generate the first identifier corresponding to the target policy based on the target bit string.
Step 205: Match the first identifier against the at least one second identifier recorded in the preset processing list, where each second identifier corresponds to one protection action.
Step 206: When the first identifier matches one of the second identifiers in the preset processing list, perform the protection action corresponding to the matched second identifier on the packet to be protected.
Step 207: Determine that the packet to be protected does not match any preset protection policy, and forward the packet to the next network device connected to the protection device.
In step 201, the protection device determines whether the target bit string is the default bit string. The default bit string has the same length as the target bit string; with reference to steps 102 and 103, the default bit string is "0000". When the target bit string is not the default bit string "0000", step 202 is performed; when the target bit string is the default bit string, step 207 is performed.
In step 202, when the target bit string is not the default bit string, the protection device determines that the packet to be protected matches a preset protection policy. Specifically, with reference to step 102, if the target bit string is "0100", the target bit string "0100" is not the default bit string "0000", so the protection device determines that the packet matches a preset protection policy; the "1" in the target bit string "0100" corresponds to policy 3, so the packet to be protected matches policy 3.
In step 203, if more than one preset protection policy matched, the protection device determines one target policy from the matched preset protection policies based on a preset policy selection rule. Specifically, if the target bit string is "1001", then with reference to step 102, policy 1 (source port information 80 + protocol number 6) and policy 4 (source port information 80 + packet length 80 bytes) both match the packet to be protected, and the protection device determines one target policy from policy 1 and policy 4 based on the preset policy selection rule. The policy selection rule may be to select the first successfully matched preset protection policy from right to left; it may also be to select the first successfully matched preset protection policy from left to right; it may also be to select a matched preset protection policy at random. Those skilled in the art will appreciate that the policy selection rule here does not limit the present invention. Taking the rule "select the first successfully matched preset protection policy from right to left" as an illustration, the protection device determines that policy 1 is the target policy out of the matched policies 1 and 4.
In step 204, the protection device generates the first identifier corresponding to the target policy based on the target bit string. For example, the protection device generates the first identifier "1" based on policy 1 in the target bit string "1001"; those skilled in the art will appreciate that if the target policy were policy 4, the first identifier would be "4". The first identifier is used only to match the target policy against the second identifiers in the preset processing list described below; it may also be a number, a letter, or a combination of both, and the present invention does not restrict the concrete form of the first identifier.
In step 205, the protection device matches the first identifier against each of the at least one second identifier recorded in the preset processing list, where each second identifier corresponds to one protection action. Table 2 illustrates the structure of a preset processing list in which four second identifiers are recorded:
Table 2
Second identifier    Protection action
1                    Drop the packet to be protected
2                    Send an alarm message
3                    Drop the packet to be protected
4                    Send an alarm message
In Table 2, the second identifiers "1", "2", "3" and "4" correspond respectively to the protection actions: drop the packet to be protected, send an alarm message, drop the packet to be protected, send an alarm message. With reference to step 204, the protection device matches the first identifier "1" against the second identifiers "1", "2", "3" and "4" recorded in the preset processing list in turn.
In step 206, when the first identifier matches one of the second identifiers in the preset processing list, the protection device performs the protection action corresponding to the matched second identifier on the packet to be protected. With reference to step 205, the first identifier "1" matches the second identifier "1" in the preset processing list, and the protection action corresponding to the second identifier "1" is to drop the packet to be protected; the protection device therefore drops the packet to be protected.
In step 207, when the target bit string is the default bit string, the protection device determines that the packet to be protected does not match any preset protection policy, and forwards the packet to the next network device connected to the protection device. If the target bit string is "0000", the target bit string "0000" is the default bit string "0000", so the protection device determines that the packet does not match any preset protection policy and forwards it to the next network device connected to the protection device.
In this embodiment of the present invention, the protection device determines whether the target bit string is the default bit string; when the target bit string is not the default bit string, the protection device determines that the packet to be protected matches a preset protection policy, and if more than one preset protection policy matched, it determines one target policy from the matched policies based on a preset policy selection rule. Different policy selection rules make the protection device's choice of target policy more flexible, and different target policies cause the protection device to perform different protection actions on the packet. The protection device generates the first identifier of the target policy based on the target bit string and matches it against the at least one second identifier recorded in the preset processing list; when the first identifier matches one of the second identifiers in the preset processing list, the protection device performs the protection action corresponding to the matched second identifier on the packet. When the second identifier corresponding to a protection action changes, or the correspondence between the first identifier and the second identifier changes, administrators can modify the changed second identifier or protection action in the preset processing list, which makes unified management easy.
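The complete procedure of steps 101 to 104 and 201 to 207, as an added Python example that is not the patent's own code. Policy 1, policy 4, the "0100"/"1001" bit-string convention and the Table 2 processing list are taken from the text; policies 2 and 3, the sample packets, and the treatment of a policy that places no condition on a feature type (its bit is recorded as set for every value of that feature list, so the AND cannot cancel it) are assumptions, because the text does not spell out that case.

```python
"""Bit-string protection policy matching (steps 101-104 and 201-207 of the
text), re-implemented as an added example.  Policies 2 and 3, the sample
packets and the don't-care handling are assumptions made here."""
from typing import Dict, List, Optional, Tuple

# Constructed rule set. Policy 1 (source port 80 + protocol 6) and policy 4
# (source port 80 + packet length 80 bytes) are quoted in the text; policies 2
# and 3 are constructed to fill the four-bit example strings.
POLICIES: Dict[int, Dict[str, object]] = {
    1: {"src_port": 80, "protocol": 6},
    2: {"protocol": 17, "dst_port": 53},      # constructed
    3: {"protocol": 1, "length": 1500},       # constructed
    4: {"src_port": 80, "length": 80},
}
NUM_POLICIES = len(POLICIES)
DEFAULT_BIT_STRING = "0" * NUM_POLICIES       # "0000": nothing matched

# Feature value types parsed per message type (step 105 of the text).
FEATURES_BY_TYPE: Dict[str, List[str]] = {
    "tcp": ["length", "protocol", "src_port", "dst_port", "tcp_flags"],
    "udp": ["length", "protocol", "src_port", "dst_port"],
    "icmp": ["icmp_type", "icmp_code", "length", "protocol"],
}

# Preset processing list (Table 2): second identifier -> protection action.
PROCESS_LIST: Dict[str, str] = {"1": "drop", "2": "alert", "3": "drop", "4": "alert"}

# A feature list is (mask of policies that ignore this feature type,
# feature value -> mask of policies that require exactly that value).
FeatureList = Tuple[int, Dict[object, int]]


def policy_bit(policy_id: int) -> int:
    """Rightmost bit is policy 1, matching the text's "0100" = policy 3."""
    return 1 << (policy_id - 1)


def build_feature_lists() -> Dict[str, FeatureList]:
    """Step 102's preset feature lists, one per feature value type."""
    lists: Dict[str, FeatureList] = {}
    for ftype in sorted({f for conds in POLICIES.values() for f in conds}):
        ignore = 0
        table: Dict[object, int] = {}
        for pid, conds in POLICIES.items():
            if ftype in conds:
                table[conds[ftype]] = table.get(conds[ftype], 0) | policy_bit(pid)
            else:
                # Assumption: a policy with no condition on this feature type
                # keeps its bit set for every value, so the AND cannot drop it.
                ignore |= policy_bit(pid)
        lists[ftype] = (ignore, table)
    return lists


def lookup(feature_list: FeatureList, value: object) -> str:
    """Policy bit string recorded for one feature value (step 102)."""
    ignore, table = feature_list
    return format(ignore | table.get(value, 0), f"0{NUM_POLICIES}b")


def match_message(message: Dict[str, object],
                  feature_lists: Dict[str, FeatureList]) -> Tuple[str, List[int]]:
    """Steps 101-104: AND the bit strings of all parsed feature values."""
    target = (1 << NUM_POLICIES) - 1           # all ones before the first AND
    for ftype in FEATURES_BY_TYPE[str(message["type"])]:
        if ftype not in feature_lists:
            continue                           # no policy constrains this type
        # A feature the packet lacks (e.g. src_port on ICMP) matches no value,
        # so only policies that ignore that feature survive the AND.
        target &= int(lookup(feature_lists[ftype], message.get(ftype)), 2)
    bit_string = format(target, f"0{NUM_POLICIES}b")
    matched = [pid for pid in sorted(POLICIES) if target & policy_bit(pid)]
    return bit_string, matched


def select_target(matched: List[int]) -> Optional[int]:
    """Step 203 with the text's rule: first matched policy from right to
    left, i.e. the lowest policy number."""
    return min(matched) if matched else None


def decide(message: Dict[str, object],
           feature_lists: Dict[str, FeatureList]) -> Tuple[str, str]:
    """Steps 201-207: return (target bit string, action taken)."""
    bit_string, matched = match_message(message, feature_lists)
    if bit_string == DEFAULT_BIT_STRING:
        return bit_string, "forward"            # step 207: no policy matched
    target = select_target(matched)
    first_identifier = str(target)              # step 204
    action = PROCESS_LIST.get(first_identifier)  # step 205
    if action is None:
        # Not defined by the text; assumption: treat as a configuration error
        # rather than silently forwarding a packet that matched a policy.
        raise ValueError(f"no protection action for identifier {first_identifier}")
    return bit_string, action                   # step 206


if __name__ == "__main__":
    fl = build_feature_lists()
    # Constructed packet with source port 80, protocol 6, length 80: the
    # text's "1001" case, policies 1 and 4 matched, policy 1 chosen, dropped.
    print(decide({"type": "tcp", "src_port": 80, "protocol": 6,
                  "length": 80, "dst_port": 12345, "tcp_flags": "S"}, fl))
```

Running the block prints `('1001', 'drop')` for the constructed TCP packet; an ICMP packet with protocol 1 and length 1500 yields the text's "0100" case and policy 3.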
Corresponding to the protection policy matching method above, the present invention also proposes the hardware structure of the protection device shown in Fig. 3. Referring to Fig. 3, at the hardware level the protection device includes a processor, an internal bus, a network interface, memory and non-volatile storage, and may of course also include other hardware required by its business. The processor reads the corresponding computer program from non-volatile storage into memory and runs it, forming the protection policy matching apparatus at the logical level. Of course, besides a software implementation, the present invention does not exclude other implementations, such as logic devices or a combination of software and hardware; that is, the executing body of the following processing flow is not limited to logical units and may also be hardware or logic devices.
Fig. 4 is a block diagram of an embodiment of the protection policy matching apparatus provided by the present invention. As shown in Fig. 4, the protection policy matching apparatus may include a feature value parsing module 41, a feature value matching module 42, an AND operation module 43 and a protection policy determining module 44, where:
the feature value parsing module 41 is configured to, when a packet to be protected is received, parse the packet to obtain at least one feature value to be matched;
the feature value matching module 42 is configured to match each of the at least one feature value obtained by the feature value parsing module 41 against the preset feature list of the same feature value type, obtaining the policy bit string corresponding to each feature value, where each feature value recorded in each preset feature list corresponds to one policy bit string and each bit of a policy bit string corresponds to one preset protection policy;
the AND operation module 43 is configured to perform an AND operation on the policy bit strings corresponding to the at least one feature value matched by the feature value matching module 42, obtaining one target bit string;
the protection policy determining module 44 is configured to determine, based on the target bit string obtained by the AND operation module 43, whether the packet to be protected matches a preset protection policy.
Fig. 5 is a block diagram of another embodiment of the protection policy matching apparatus provided by the present invention. As shown in Fig. 5, on the basis of the embodiment shown in Fig. 4, the protection policy matching apparatus further includes:
a feature list determining module 45, configured to determine at least one preset feature list to be matched based on the message type of the packet to be protected, and, based on the feature value types recorded in the determined feature list(s), perform the step in the feature value parsing module 41 of parsing the packet to obtain at least one feature value to be matched.
In one embodiment, the protection policy determining module 44 includes:
a default bit string comparison submodule 441, configured to determine whether the target bit string is the default bit string;
a packet forwarding submodule 442, configured to, when the default bit string comparison submodule 441 finds that the target bit string is the default bit string, determine that the packet to be protected does not match any preset protection policy and forward the packet to the next network device connected to the protection device;
a match success determining submodule 443, configured to, when the default bit string comparison submodule 441 finds that the target bit string is not the default bit string, determine that the packet to be protected matches a preset protection policy.
In one embodiment, the protection policy matching apparatus further includes:
a target policy determining module 46, configured to, if more than one preset protection policy matched in the match success determining submodule 443, determine one target policy from the matched preset protection policies based on a preset policy selection rule.
In one embodiment, the protection policy matching apparatus further includes:
a first identifier generating module 47, configured to generate, based on the target bit string obtained by the AND operation module 43, the first identifier corresponding to the target policy determined by the target policy determining module 46;
an identifier matching module 48, configured to match the first identifier generated by the first identifier generating module 47 against each of the at least one second identifier recorded in the preset processing list, where each second identifier corresponds to one protection action;
a protection action executing module 49, configured to, when the first identifier matches one of the second identifiers in the preset processing list, perform the protection action corresponding to the matched second identifier on the packet to be protected.
The implementation of the functions and effects of the units in the above apparatus is described in detail in the corresponding steps of the above method and is not repeated here.
Since the apparatus embodiment essentially corresponds to the method embodiment, the relevant parts may be understood by reference to the description of the method embodiment. The apparatus embodiment described above is only illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present invention. Those of ordinary skill in the art can understand and implement this without creative effort.
As can be seen from the above embodiments, the protection device matches each feature value parsed from the packet to be protected against the preset feature list of the same feature value type, obtains the policy bit string corresponding to each feature value, and determines from the AND result of those policy bit strings whether the packet matches a preset protection policy. This removes the process in which the protection device compares the feature value(s) parsed from the packet against hundreds of preset protection policies one by one: the number of feature values to be matched is small compared with the hundreds of preset protection policies, and matching each feature value against the preset feature list of the same feature value type takes little time, so the problem of a time-consuming protection policy matching process is solved.
Other embodiments of the present invention will readily occur to those skilled in the art after considering the specification and practising the invention disclosed herein. The present application is intended to cover any variations, uses or adaptations of the present invention that follow its general principles and include common knowledge or conventional techniques in the art not disclosed herein. The specification and embodiments are to be regarded as exemplary only, and the true scope and spirit of the invention are indicated by the following claims.
It should also be noted that the terms "comprise", "include" and any other variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The foregoing is only the preferred embodiments of the present invention and is not intended to limit the present invention. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A protection policy matching method, characterised in that the method comprises:
when a packet to be protected is received, parsing the packet to be protected to obtain at least one feature value to be matched;
matching each feature value of the at least one feature value to be matched against a preset feature list of the same feature value type, to obtain the policy bit string corresponding to each of the at least one feature value, wherein each feature value recorded in each preset feature list corresponds to one policy bit string and each bit of a policy bit string corresponds to one preset protection policy;
performing an AND operation on the policy bit strings corresponding to the at least one feature value to be matched, to obtain one target bit string;
determining, based on the target bit string, whether the packet to be protected matches a preset protection policy.
2. The method according to claim 1, characterised in that the method further comprises:
determining at least one preset feature list to be matched based on the message type of the packet to be protected;
based on the feature value types of the feature values recorded in the determined at least one preset feature list, performing the step of parsing the packet to be protected to obtain at least one feature value to be matched.
3. The method according to claim 1, characterised in that determining, based on the target bit string, whether the packet to be protected matches a preset protection policy comprises:
determining whether the target bit string is a default bit string;
when the target bit string is the default bit string, determining that the packet to be protected does not match any preset protection policy, and forwarding the packet to be protected to the next network device connected to the protection device;
when the target bit string is not the default bit string, determining that the packet to be protected matches a preset protection policy.
4. The method according to claim 3, characterised in that, when it is determined that the packet to be protected matches a preset protection policy, the method further comprises:
if more than one preset protection policy matched, determining one target policy from the matched preset protection policies based on a preset policy selection rule.
5. The method according to claim 4, characterised in that the method further comprises:
generating the first identifier corresponding to the target policy based on the target bit string;
matching the first identifier against each of the at least one second identifier recorded in a preset processing list, wherein each second identifier corresponds to one protection action;
when the first identifier matches one of the second identifiers in the preset processing list, performing the protection action corresponding to the matched second identifier on the packet to be protected.
6. A protection policy matching apparatus, characterised in that the apparatus comprises:
a feature value parsing module, configured to, when a packet to be protected is received, parse the packet to be protected to obtain at least one feature value to be matched;
a feature value matching module, configured to match each feature value of the at least one feature value obtained by the feature value parsing module against a preset feature list of the same feature value type, to obtain the policy bit string corresponding to each of the at least one feature value, wherein each feature value recorded in each preset feature list corresponds to one policy bit string and each bit of a policy bit string corresponds to one preset protection policy;
an AND operation module, configured to perform an AND operation on the policy bit strings corresponding to the at least one feature value matched by the feature value matching module, to obtain one target bit string;
a protection policy determining module, configured to determine, based on the target bit string obtained by the AND operation module, whether the packet to be protected matches a preset protection policy.
7. The apparatus according to claim 6, characterised in that the apparatus further comprises:
a feature list determining module, configured to determine at least one preset feature list to be matched based on the message type of the packet to be protected, and, based on the feature value types of the feature values recorded in the determined at least one preset feature list, perform the step in the feature value parsing module of parsing the packet to be protected to obtain at least one feature value to be matched.
8. The apparatus according to claim 6, characterised in that the protection policy determining module comprises:
a default bit string comparison submodule, configured to determine whether the target bit string is a default bit string;
a packet forwarding submodule, configured to, when the default bit string comparison submodule finds that the target bit string is the default bit string, determine that the packet to be protected does not match any preset protection policy, and forward the packet to be protected to the next network device connected to the protection device;
a match success determining submodule, configured to, when the default bit string comparison submodule finds that the target bit string is not the default bit string, determine that the packet to be protected matches a preset protection policy.
9. The apparatus according to claim 8, characterised in that the apparatus further comprises:
a target policy determining module, configured to, if more than one preset protection policy matched in the match success determining submodule, determine one target policy from the matched preset protection policies based on a preset policy selection rule.
10. The apparatus according to claim 9, characterised in that the apparatus further comprises:
a first identifier generating module, configured to generate, based on the target bit string obtained by the AND operation module, the first identifier corresponding to the target policy determined by the target policy determining module;
an identifier matching module, configured to match the first identifier generated by the first identifier generating module against each of the at least one second identifier recorded in a preset processing list, wherein each second identifier corresponds to one protection action;
a protection action executing module, configured to, when the first identifier matches one of the second identifiers in the preset processing list, perform the protection action corresponding to the matched second identifier on the packet to be protected.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611252950.9A CN106657104B (en) 2016-12-30 2016-12-30 Matching method and device of protection policies


Publications (2)

Publication Number Publication Date
CN106657104A true CN106657104A (en) 2017-05-10
CN106657104B CN106657104B (en) 2019-09-06

Family

ID=58836876

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611252950.9A Active CN106657104B (en) 2016-12-30 2016-12-30 Matching method and device of protection policies

Country Status (1)

Country Link
CN (1) CN106657104B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109698831A (en) * 2018-12-28 2019-04-30 中电智能科技有限公司 Data prevention method and device
CN110311835A (en) * 2019-07-09 2019-10-08 国网甘肃省电力公司电力科学研究院 A kind of electric power IEC agreement airworthiness compliance method based on content template

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101102277A (en) * 2007-06-20 2008-01-09 华为技术有限公司 Recognition method and system for service data and recognition control device
US20140173733A1 (en) * 2012-12-17 2014-06-19 Fixmo, Inc. Exploit detection and reporting of a device using server chaining
CN104040550A (en) * 2011-10-18 2014-09-10 迈可菲公司 Integrating security policy and event management
CN104615634A (en) * 2014-11-10 2015-05-13 广东智冠信息技术股份有限公司 Direction feature based palm vein guiding quick retrieval method
CN104850797A (en) * 2015-04-30 2015-08-19 北京奇虎科技有限公司 Device security management method and apparatus
CN105939284A (en) * 2016-01-08 2016-09-14 杭州迪普科技有限公司 Message control strategy matching method and device





Legal Events

Code  Title
PB01  Publication
SE01  Entry into force of request for substantive examination
GR01  Patent grant