CN117768344A - Application layer message depth detection method, device, equipment and medium - Google Patents


Info

Publication number: CN117768344A
Authority: CN (China)
Application number: CN202311705230.3A
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 张岳军, 赵鲲鹏
Current and original assignee: Yusur Technology Co ltd (as listed by Google Patents)
Prior art keywords: message, detected, dpi, daemon, preset
Classification: Computer And Data Communications

Abstract

The disclosure relates to a method, apparatus, device and medium for deep inspection of application layer messages (packets). On a DPU, the DPI-based application process is separated from the DPI daemon, which yields a flexible DPU-based DPI engine: a user can implement a variety of DPI-based application processes on top of the daemon (application identification, intrusion detection and so on), the flexibility of the inspection method is improved, the DPI function is accelerated and offloaded onto the DPU, DPI performance is improved, and host resources are freed.

Description

Application layer message depth detection method, device, equipment and medium
Technical Field
The disclosure relates to computer technology, and in particular to a method, apparatus, device and medium for deep inspection of application layer packets (the "messages" of the title and figure captions; they are referred to as packets below).
Background
Virtualization, networking, storage and security are core workloads of a data center. Deep Packet Inspection (DPI) is a technique for inspecting and controlling traffic at the application layer. It is usually implemented as part of the security services and is computationally expensive, and with the rapid growth of cloud computing the demand for compute in large data centers keeps rising.
Conventional DPI is mostly implemented as a single monolithic application that has to contain application layer protocol parsers, multi-pattern matching and regular expression matching algorithms. This makes DPI-based applications hard to write, and because those algorithms are expensive, the DPI application easily becomes the performance bottleneck of the network.
Disclosure of Invention
To address these problems, the present disclosure provides a method, apparatus, device and medium for deep inspection of application layer packets.
In a first aspect, an embodiment of the disclosure provides an application layer packet deep inspection method applied to a DPU on which at least a DPI-based application process and a DPI daemon run. The method includes:
receiving a packet to be inspected through the DPI-based application process;
sending the packet to the DPI daemon;
matching the packet in the DPI daemon and obtaining, from a preset rule policy database, the target policy action corresponding to the packet;
sending the packet and the target policy action back to the DPI-based application process; and
performing security inspection processing on the packet in the DPI-based application process according to the target policy action.
In some embodiments, before the DPI-based application process receives the packet, the method further includes:
constructing the preset rule policy database from preset configuration information configured by a user.
In some embodiments, the preset configuration information includes at least preset rule information and at least one preset policy action, and constructing the preset rule policy database from it includes:
receiving the preset rule information and the preset policy action(s) issued by the host;
invoking a hardware regex acceleration engine to compile the preset rule information into compiled rules, each compiled rule mapping a packet feature to at least one target policy action among the preset policy actions; and
constructing the preset rule policy database from the compiled rules and the preset policy action(s).
In some embodiments, the method further includes:
maintaining a packet processing flow table keyed by the five-tuple of the packet and holding its target policy action.
In some embodiments, sending the packet to the DPI daemon includes:
looking the packet up in the packet processing flow table;
if the flow table already holds a target policy action for the packet, performing the security inspection processing in the DPI-based application process according to that action; and
if the flow table has no entry for the packet, or has an entry without a target policy action, sending the packet to the DPI daemon.
In some embodiments, matching the packet in the DPI daemon and obtaining its target policy action from the preset rule policy database includes:
performing protocol identification on the port number carried by the packet, through the DPI daemon, to obtain a protocol identification result;
parsing the packet with the protocol parse plug-in corresponding to that result, to obtain a parse result containing at least the application layer protocol and the information to be inspected; and
matching the information to be inspected against the preset rule policy database to determine the target policy action for the packet.
In some embodiments, the DPU further includes a hardware regex acceleration engine, and matching the packet in the DPI daemon includes:
invoking the hardware regex acceleration engine, through the DPI daemon, to match the packet.
In a second aspect, an embodiment of the disclosure provides an application layer packet deep inspection apparatus, including:
a receiving module, for receiving a packet to be inspected through a DPI-based application process;
a first sending module, for sending the packet to a DPI daemon;
a matching module, for matching the packet in the DPI daemon and obtaining its target policy action from a preset rule policy database;
a second sending module, for sending the packet and the target policy action to the DPI-based application process; and
a processing module, for performing security inspection processing on the packet in the DPI-based application process according to the target policy action.
In a third aspect, an embodiment of the present disclosure provides an electronic device, including:
a memory;
a processor; and
a computer program;
wherein the computer program is stored in the memory and configured to be executed by the processor to implement the method according to the first aspect.
In a fourth aspect, embodiments of the present disclosure provide a computer-readable storage medium having stored thereon a computer program for execution by a processor to implement the method of the first aspect.
In a fifth aspect, embodiments of the present disclosure also provide a computer program product comprising a computer program or instructions which, when executed by a processor, implement an application layer message depth detection method as described above.
With the method, apparatus, device and medium of the disclosure, the DPI-based application process and the DPI daemon are separated on the DPU, giving a flexible DPU-based DPI engine: users can implement various DPI-based application processes (application identification, intrusion detection and others), the flexibility of the inspection method is improved, the DPI function is accelerated and offloaded onto the DPU, DPI performance is improved, and host resources are freed at the same time.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments of the present disclosure or the solutions in the prior art, the drawings that are required for the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a flowchart of an application layer message depth detection method provided in an embodiment of the present disclosure;
fig. 2 is a schematic diagram of an application scenario provided in an embodiment of the present disclosure;
fig. 3 is a flowchart of an application layer message depth detection method according to another embodiment of the present disclosure;
fig. 4 is a flowchart of an application layer message depth detection method according to another embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of an application layer message depth detection device according to an embodiment of the present disclosure;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, a further description of aspects of the present disclosure will be provided below. It should be noted that, without conflict, the embodiments of the present disclosure and features in the embodiments may be combined with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced otherwise than as described herein; it will be apparent that the embodiments in the specification are only some, but not all, embodiments of the disclosure.
The embodiment of the disclosure provides an application layer message depth detection method, and the method is described below with reference to specific embodiments.
Fig. 1 is a flowchart of an application layer packet deep inspection method provided in an embodiment of the disclosure. The method can be applied in the scenario of fig. 2, which comprises a data processing unit (DPU) 21 and a host 22. The DPU 21 is communicatively connected to the host 22 and comprises an SoC (System on Chip) and a hardware regex acceleration engine 212; the DPI-based application process and the DPI daemon run on the SoC. The method can of course also be applied in other scenarios.
The method of fig. 1 is described below with reference to the scenario of fig. 2. It comprises the following steps:
S101, receive a packet to be inspected through a DPI-based application process.
In this embodiment the packet is received by a DPI-based application process running in the DPU. The DPU is a new generation of processor oriented to data-centric computing. DPI is an application layer traffic inspection and control technique, and a DPI-based application process is any application built on it, for example application recognition (AR) or an intrusion prevention system (IPS). The packet to be inspected is a packet that the DPI-based application process needs to inspect for security.
DPI-based application processes include, without limitation, application identification, intrusion detection and Uniform Resource Locator (URL) filtering; the embodiments are not limited in this respect.
S102, send the packet to be inspected to the DPI daemon.
The DPI daemon is relatively independent of the DPI-based application process but is communicatively coupled to it.
S103, match the packet in the DPI daemon and obtain the target policy action for the packet from a preset rule policy database.
Having obtained the packet, the DPI-based application process sends it to the DPI daemon, which matches it against the preset rule policy database to obtain the corresponding target policy action.
The matching rules are grouped by the type of DPI-based application process they serve: application identification, intrusion detection, URL filtering and so on.
The target policy action is one or more of: permit, block, log alert, and the like; the embodiments are not limited in this respect.
The preset rule policy database holds preset rule information and at least one preset policy action. The preset rule information is configured by a user or developer and issued to the hardware regex engine, and the database is used to look up the target policy action for a packet. Specifically, the database stores the correspondence between packet features and at least one preset policy action, and the DPI daemon selects the target policy action from the preset policy actions according to the content of the received packet and that correspondence.
S104, send the packet and the target policy action to the DPI-based application process.
Once the DPI daemon has determined the target policy action for the packet, it returns the packet together with that action to the DPI-based application process.
Optionally, if the packet is already stored or cached in the DPI-based application process, the DPI daemon sends only the target policy action.
S105, perform security inspection processing on the packet in the DPI-based application process according to the target policy action.
The DPI-based application process takes the packet and its target policy action and processes the packet accordingly, completing the security inspection of the packet.
Optionally, the DPI-based application process also collects and stores statistics about the security inspection, generates the corresponding log, and reports the log to the host.
In this embodiment a packet to be inspected is received through a DPI-based application process, sent to a DPI daemon, matched there against a preset rule policy database to obtain its target policy action, and returned with that action to the DPI-based application process, which performs the security inspection processing according to it. Because the DPI-based application process is separated from the DPI daemon on the DPU, the result is a flexible DPU-based DPI engine: users can implement various DPI-based application processes, the flexibility of the method is improved, the DPI function is accelerated and offloaded onto the DPU, its performance is improved, and host resources are freed at the same time.
On the basis of the above embodiment, before the packet is received by the DPI-based application process the method further includes constructing a preset rule policy database from preset configuration information configured by a user.
Specifically, the preset configuration information includes at least preset rule information and at least one preset policy action, and constructing the database includes: receiving the preset rule information and the preset policy action(s) issued by the host; compiling the preset rule information into compiled rules, each of which maps a packet feature to at least one target policy action among the preset policy actions; and constructing the database from the compiled rules and the preset policy action(s).
The user configures the preset rule information and the preset policy action(s) on the host, producing the preset configuration information. Optionally a user management process runs on the host and generates preset configuration information matching the user's intent from the user's configuration commands.
When configuration is complete, the host issues the preset configuration information to the DPI daemon on the DPU. The preset rule information expresses the correspondence between packet features and at least one target policy action among the preset policy actions; the DPI daemon invokes the hardware regex acceleration engine to compile it into compiled rules in the format the engine expects, and at the same time receives the preset policy actions. The compiled rules therefore carry the correspondence between a packet feature and at least one target policy action. The packet features include application layer protocol information or known threat information carried in the packet.
The DPI daemon then constructs the preset rule policy database from the compiled rules and the preset policy actions.
Fig. 3 is a flowchart of an application layer packet deep inspection method according to another embodiment of the disclosure. As shown in fig. 3, the method includes the following steps:
S301, construct a preset rule policy database from preset configuration information configured by a user.
S302, receive a packet to be inspected through a DPI-based application process.
S303, look the packet up in a packet processing flow table.
Packets on the same network that share some characteristic or attribute over a period of time, typically the five-tuple, are abstracted into a flow. For example, packets with the same five-tuple are treated as one flow and can be processed according to the policy action that the flow was matched to earlier. Correspondingly, the flow table is the set of policy action entries for specific flows and is used to look up and forward packets.
In this embodiment the packet processing flow table is built from packets that the inspection process has already handled. For each specific flow (that is, each five-tuple) it records related information, including at least the target policy action matched for that flow earlier.
In some embodiments the five-tuples of previously inspected packets and their target policy actions are recorded in the flow table.
In some embodiments the packet is matched using its five-tuple and the flow table.
In some embodiments, after receiving the packet the DPI-based application process maintains the flow table according to the packet's five-tuple: it looks the five-tuple up in the table and, if no entry exists, creates one.
S304, determine whether the packet was matched successfully. If so, go to S305; if not, go to S306.
The packet is matched successfully if the flow table holds an entry with the packet's five-tuple and a corresponding target policy action.
The packet fails to match if no entry is found for it, or if its entry was only just created, or if an entry exists but holds no matched target policy action.
S305, perform security inspection processing on the packet in the DPI-based application process according to the target policy action.
If the flow table holds the packet's five-tuple and a corresponding target policy action, the DPI-based application process processes the packet directly according to the action recorded in the flow table.
S306, send the packet to the DPI daemon.
S307, in the DPI daemon, invoke the hardware regex acceleration engine to match the packet and obtain its target policy action from the preset rule policy database.
The hardware regex acceleration engine accelerates the matching of the packet against the preset rule policy database; compared with regex matching implemented in software, it further improves processing performance.
Specifically, the DPI daemon performs protocol identification on the port number carried by the packet to obtain a protocol identification result; parses the packet with the protocol parse plug-in corresponding to that result, obtaining a parse result that contains at least the application layer protocol and the information to be inspected; and matches the information to be inspected against the preset rule policy database to determine the target policy action.
The port-based step is a preliminary identification: from the port number the DPI daemon determines a candidate application layer protocol type, for example Server Message Block (SMB) or Network File System (NFS); no limitation is intended.
The protocol parse plug-in corresponding to that result, chosen from the several kinds of parse plug-in available, then parses the packet, extracts the relevant content, settles the application layer protocol and yields the content to be inspected. The hardware regex acceleration engine is invoked to match that content against the preset rules in the database, and the target policy action is determined.
S308, send the packet and the target policy action to the DPI-based application process.
S309, perform security inspection processing on the packet in the DPI-based application process according to the target policy action.
S310, maintain the packet processing flow table with the packet's five-tuple and target policy action.
The DPI-based application process updates the flow table with the packet's five-tuple and the target policy action it received.
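The control flow of S301 to S310 above (and of S101 to S105 in the first aspect, which it refines) as an added example that is not code from the patent or from Yusur Technology: a Python model in which a DPI-based application process keeps a five-tuple flow table in front of a DPI daemon that compiles the rules, identifies the protocol from the port, confirms it with a parse plug-in and matches the extracted content. `re.compile` stands in for the hardware regex acceleration engine; the rule set, the two protocols, the sample packets and the "permit when no rule matches" default are all assumptions of the example, not statements of the page.

```python
import re
from collections import namedtuple

PERMIT, BLOCK, LOG_ALERT = "permit", "block", "log_alert"   # actions named in the text

# A packet: the five-tuple (first five fields) plus its application payload.
Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port transport payload")


def parse_http(payload):
    """Parse plug-in for HTTP: the request line is the information to be
    inspected; None means the payload is not an HTTP request."""
    m = re.match(r"(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/1\.[01]\r\n", payload.decode("latin-1"))
    return m.group(0).strip() if m else None


def parse_smb(payload):
    """Parse plug-in for SMB over direct TCP: 4-byte NetBIOS length, then the
    SMB header magic (0xFF 'SMB' for SMB1, 0xFE 'SMB' for SMB2/3)."""
    if len(payload) < 8 or payload[4:8] not in (b"\xffSMB", b"\xfeSMB"):
        return None
    return payload[8:].decode("latin-1")


class DpiDaemon:
    """Holds the compiled rule database; identifies, parses and matches packets."""
    PORT_HINTS = {80: "http", 445: "smb"}   # preliminary, port-based identification
    PLUGINS = {"http": parse_http, "smb": parse_smb}

    def __init__(self):
        self.rules = []   # (app_proto, compiled pattern, action)
        self.calls = 0    # how often the application process had to consult the daemon

    def build_rule_db(self, preset_rules):
        """S301: compile host-issued (protocol, regex, action) triples.
        re.compile stands in for the hardware regex acceleration engine."""
        self.rules = [(p, re.compile(rx), a) for p, rx, a in preset_rules]

    def match(self, pkt):
        """S307: port hint, then the plug-in confirms the protocol from the
        payload (a port alone is not trusted), then rule matching."""
        self.calls += 1
        hint = self.PORT_HINTS.get(pkt.dst_port)
        info = self.PLUGINS[hint](pkt.payload) if hint else None
        app_proto = hint if info is not None else "unknown"
        for proto, pattern, action in self.rules:
            if proto == app_proto and pattern.search(info or ""):
                return action
        return PERMIT   # assumed default when no rule matches (the text gives none)


class DpiApplication:
    """DPI-based application process: a five-tuple flow table in front of the daemon."""
    def __init__(self, daemon):
        self.daemon = daemon
        self.flow_table = {}   # five-tuple -> target policy action, None until matched
        self.logs = []         # what the process would report to the host

    def handle(self, pkt):
        key = pkt[:5]
        action = self.flow_table.get(key)        # S303: look the flow up
        if action is None:                        # S304 fails: no entry, or no verdict yet
            self.flow_table[key] = None           # create the entry for this flow
            action = self.daemon.match(pkt)       # S306-S308: consult the daemon
            self.flow_table[key] = action         # S310: pin the verdict to the flow
        return self.apply(pkt, action)            # S305 / S309

    def apply(self, pkt, action):
        if action == BLOCK:
            self.logs.append(("block", pkt[:5]))
            return "dropped"
        if action == LOG_ALERT:
            self.logs.append(("alert", pkt[:5]))
        return "forwarded"


def demo():
    daemon = DpiDaemon()
    daemon.build_rule_db([("http", r"(\.\./)+", BLOCK),       # hypothetical rules: traversal
                          ("smb", r"ADMIN\$", LOG_ALERT)])    # and admin-share access
    app = DpiApplication(daemon)
    # Constructed sample packets, not captured traffic.
    http_ok = Packet("10.0.0.5", "10.0.0.9", 40001, 80, "tcp",
                     b"GET /index.html HTTP/1.1\r\nHost: web\r\n\r\n")
    traversal = Packet("10.0.0.5", "10.0.0.9", 40002, 80, "tcp",
                       b"GET /../../etc/passwd HTTP/1.1\r\nHost: web\r\n\r\n")
    smb_admin = Packet("10.0.0.5", "10.0.0.7", 40003, 445, "tcp",
                       b"\x00\x00\x00\x20\xfeSMB" + b"\\\\FILESRV\\ADMIN$")
    not_http = Packet("10.0.0.5", "10.0.0.9", 40004, 80, "tcp",
                      b"\x16\x03\x01\x00\x05hello")   # TLS-looking bytes on port 80
    return {
        "http_ok": app.handle(http_ok),
        "http_ok_again": app.handle(http_ok),  # same flow: answered from the flow table
        "traversal": app.handle(traversal),
        "smb_admin": app.handle(smb_admin),
        "not_http": app.handle(not_http),      # port says HTTP, plug-in disagrees
        "daemon_calls": daemon.calls,
        "logs": app.logs,
    }
```

Calling `demo()` shows the two points of the embodiment: the second packet of the first flow never reaches the daemon because the flow table already holds its verdict (the saving S303 is for), and the port-80 payload that the HTTP plug-in rejects ends up as "unknown", which is why the text treats port-based identification as preliminary only. The same pinning means a flow's later packets are not inspected again once an action is recorded, so what a deployment caches per flow, and for how long, decides how much of a stream the daemon actually sees.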
This embodiment improves packet inspection performance by adopting a hardware regex acceleration engine; at the same time it lets users flexibly implement various DPI-based application processes on the DPU and frees host CPU and memory resources.
Fig. 4 is a flowchart of an application layer packet deep inspection method according to another embodiment of the disclosure. As shown in fig. 4, a host 41 is communicatively connected to a DPU 42. A user management process 411 runs on the host 41; through it the user configures the preset rules and preset policy actions, and it also receives the log information reported by the DPU and performs statistics and analysis on it. The DPU 42 runs a DPI-based application process 421 and a DPI daemon 422. The application process 421 receives and transmits packets and calls the generic flow table management interface and the DPI engine interface provided by the DPI daemon 422 to implement its functions.
Specifically, the host 41 issues the user-configured preset rule information and at least one preset policy action to the DPI daemon 422 on the DPU 42; the DPI daemon 422 compiles the preset rule information and, together with the received preset policy action(s), constructs the preset rule policy database.
The DPI-based application process 421 on the DPU 42 receives the packet and calls the generic flow table management interface to look up, create and maintain the flow table according to the packet's five-tuple. If the flow table holds the packet's five-tuple and a corresponding target policy action, the application process 421 processes the packet directly according to that action. Otherwise, if no entry is found for the packet, or the entry was only just created, or an entry exists without a matched target policy action, the packet is determined to have failed matching, the DPI engine interface is called, and the packet is sent to the DPI daemon 422.
On receiving the packet, the DPI daemon 422 identifies the protocol from the port number carried by the packet, parses the packet with the protocol parse plug-in corresponding to that identification result to obtain its application layer protocol information, invokes the hardware regex acceleration engine to match the packet and determine its target policy action, and sends the packet and the action to the application process 421. The application process 421 processes the packet according to the action, collects and stores statistics about the inspection, generates the corresponding log, and reports the log to the host.
In the method of this embodiment the DPI-based application process is separated from the DPI daemon on the DPU, which yields a DPU-based DPI engine on which users can flexibly implement various DPI-based application processes; the flexibility of the method is improved, the DPI function is accelerated and offloaded onto the DPU, DPI performance is improved, and host resources are freed. Adopting a hardware regex acceleration engine improves packet inspection performance further.
Fig. 5 is a schematic structural diagram of an application layer message depth detection device according to an embodiment of the present disclosure. The application layer message depth detection means may be a DPU as described in the above embodiments, or the application layer message depth detection means may be a part or component in the DPU. The application layer message depth detection device provided in the embodiment of the present disclosure may execute the processing flow provided in the embodiment of the application layer message depth detection method, as shown in fig. 5, where the application layer message depth detection device 50 includes: a receiving module 51, a first transmitting module 52, a matching module 53, a second transmitting module 54, and a processing module 55; the receiving module 51 is configured to receive a message to be detected through an application process based on DPI; the first sending module 52 is configured to send the message to be detected to a DPI daemon; the matching module 53 is configured to perform matching processing on the to-be-detected message through the DPI daemon, and obtain a target policy action corresponding to the to-be-detected message from a preset rule policy database; the second sending module 54 is configured to send the message to be detected and the target policy action to the DPI-based application process; the processing module 55 is configured to perform security detection processing on the message to be detected according to the target policy action through an application process based on DPI.
Optionally, the application layer message depth detection apparatus 50 further includes a construction module 56, configured to construct a preset rule policy database according to preset configuration information configured by a user.
Optionally, the preset configuration information at least includes preset rule information and at least one preset policy action, and the building module 56 includes a receiving unit 561, a compiling unit 562, and a building unit 563; the receiving unit 561 is configured to receive preset rule information and at least one preset policy action issued by the host; the compiling unit 562 is configured to invoke a hardware regular acceleration engine to compile the preset rule information, so as to obtain a compiling rule, where the compiling rule includes a correspondence between a message feature and at least one target policy action in the preset policy actions; the construction unit 563 is configured to construct a preset rule policy database according to the compiling rule and the at least one preset policy action.
Optionally, the application layer message depth detection device 50 further includes a maintenance module 57, configured to maintain a message processing flow table according to the quintuple information of the message to be detected and the target policy action.
Optionally, the first transmitting module 52 includes a first matching unit 521, a processing unit 522, and a transmitting unit 523; the first matching unit 521 is configured to match the message to be detected according to the message processing flow table; the processing unit 522 is configured to perform security detection processing on the to-be-detected message according to the target policy action by using the DPI-based application process if the target policy action corresponding to the to-be-detected message exists in the message processing flow table; the sending unit 523 is configured to send the message to be detected to a DPI daemon if the message to be detected does not have a corresponding message processing flow table or does not have a target policy action corresponding to the message to be detected in the message processing flow table.
Optionally, the matching module 53 includes an identifying unit 531, a parsing unit 532, and a second matching unit 533; the identifying unit 531 is configured to identify, by using the DPI daemon, a protocol from the port number carried by the message to be detected, so as to obtain a protocol identification result of the message to be detected; the parsing unit 532 is configured to parse the message to be detected by using a protocol parsing plug-in corresponding to the protocol identification result, so as to obtain a parsing result of the message to be detected, where the parsing result at least includes an application layer protocol and information to be detected; the second matching unit 533 is configured to determine, according to the information to be detected, a target policy action corresponding to the message to be detected, where the target policy action is determined by matching the information to be detected against the preset rule policy database.
Optionally, the matching module 53 is specifically configured to invoke a hardware regular acceleration engine by using the DPI daemon to perform matching processing on the message to be detected.
The application layer message depth detection device of the embodiment shown in fig. 5 may be used to implement the technical solution of the above method embodiment, and its implementation principle and technical effects are similar, and are not repeated here.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the disclosure. The electronic device may be a DPU as described in the above embodiments. The electronic device provided in the embodiment of the present disclosure may execute the processing flow provided in the embodiment of the application layer message depth detection method, as shown in fig. 6, where the electronic device 60 includes: a memory 61, a processor 62, computer programs and a communication interface 63; wherein the computer program is stored in the memory 61 and configured to be executed by the processor 62 for the application layer message depth detection method as described above.
In addition, the embodiment of the disclosure further provides a computer readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the application layer message depth detection method described in the foregoing embodiment.
Furthermore, the embodiment of the disclosure also provides a computer program product, which comprises a computer program or instructions that, when executed by a processor, implement the application layer message depth detection method. The foregoing description is only of the preferred embodiments of the present disclosure and of the principles of the technology employed. It will be appreciated by persons skilled in the art that the scope of the disclosure referred to herein is not limited to the specific combinations of features described above, but also covers other embodiments formed by any combination of the features described above or their equivalents without departing from the spirit of the disclosure. For example, the technical features described above may be replaced with (but not limited to) technical features having similar functions disclosed in the present disclosure.
Moreover, although operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limiting the scope of the present disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are example forms of implementing the claims.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely a specific embodiment of the disclosure to enable one skilled in the art to understand or practice the disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown and described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. The method for detecting the depth of the application layer message is characterized by being applied to a DPU, wherein the DPU at least comprises an application process based on DPI and a DPI daemon, and the method comprises the following steps:
receiving a message to be detected through an application process based on DPI;
sending the message to be detected to a DPI daemon;
matching the message to be detected through the DPI daemon, and obtaining a target strategy action corresponding to the message to be detected from a preset rule strategy database;
sending the message to be detected and the target strategy action to the DPI-based application process;
and carrying out safety detection processing on the message to be detected according to the target policy action through an application process based on DPI.
2. The method of claim 1, wherein prior to receiving the message to be detected by the DPI-based application process, the method further comprises:
and constructing a preset rule strategy database according to preset configuration information configured by a user.
3. The method according to claim 2, wherein the preset configuration information at least includes preset rule information and at least one preset policy action, and the constructing a preset rule policy database according to the preset configuration information configured by the user includes:
receiving preset rule information and at least one preset strategy action issued by a host;
invoking a hardware regular acceleration engine to compile the preset rule information to obtain a compiling rule, wherein the compiling rule comprises a corresponding relation between a message characteristic and at least one target strategy action in the preset strategy actions;
and constructing a preset rule strategy database according to the compiling rule and the at least one preset strategy action.
4. The method according to claim 1, wherein the method further comprises:
and maintaining a message processing flow table according to the quintuple information of the message to be detected and the target policy action.
5. The method of claim 4, wherein the sending the message to be detected to a DPI daemon comprises:
matching the message to be detected according to the message processing flow table;
if the target strategy action corresponding to the message to be detected exists in the message processing flow table, carrying out safety detection processing on the message to be detected according to the target strategy action through the DPI-based application process;
and if there is no message processing flow table entry corresponding to the message to be detected, or the message processing flow table contains no target strategy action corresponding to the message to be detected, sending the message to be detected to a DPI daemon.
6. The method of claim 1, wherein the matching, by the DPI daemon, the message to be detected, and obtaining, from a preset rule policy database, a target policy action corresponding to the message to be detected, includes:
carrying out protocol identification on the port number carried by the message to be detected through the DPI daemon to obtain a protocol identification result of the message to be detected;
according to the protocol identification result, analyzing the message to be detected by utilizing a protocol analysis plug-in corresponding to the protocol identification result to obtain an analysis result of the message to be detected, wherein the analysis result at least comprises an application layer protocol and information to be detected;
and according to the information to be detected and the preset rule policy database, matching, and determining a target policy action corresponding to the message to be detected.
7. The method of claim 1, wherein the DPU further comprises a hardware regular acceleration engine, and the matching the message to be detected by the DPI daemon comprises:
and calling a hardware regular acceleration engine through the DPI daemon to carry out matching processing on the message to be detected.
8. An application layer message depth detection device, comprising:
the receiving module is used for receiving the message to be detected through the application process based on the DPI;
the first sending module is used for sending the message to be detected to a DPI daemon;
the matching module is used for carrying out matching processing on the message to be detected through the DPI daemon process, and obtaining a target strategy action corresponding to the message to be detected from a preset rule strategy database;
the second sending module is used for sending the message to be detected and the target strategy action to the DPI-based application process;
and the processing module is used for carrying out safety detection processing on the message to be detected according to the target policy action through the DPI-based application process.
9. An electronic device, comprising:
a memory;
a processor; and
a computer program;
wherein the computer program is stored in the memory and configured to be executed by the processor to implement the method of any of claims 1-7.
10. A computer readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the method according to any of claims 1-7.
CN202311705230.3A 2023-12-12 2023-12-12 Application layer message depth detection method, device, equipment and medium Pending CN117768344A (en)


Publications (1)

Publication Number Publication Date
CN117768344A true CN117768344A (en) 2024-03-26

Family

ID=90309812



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination