CN100345118C - Data package content filtering device and method and recording media - Google Patents

Publication number
CN100345118C
Authority
CN
China
Legal status
Expired - Lifetime
Application number
CNB2003101148116A
Other languages
Chinese (zh)
Other versions
CN1614565A (en)
Inventor
蔡木本
Current Assignee
TREND CO Ltd
Original Assignee
TREND CO Ltd

Abstract

The present invention relates to a data packet content filtering device, a method thereof and a storage medium. The device comprises a storage device and a processing unit. The storage device stores at least one defined data string representing restricted content that is not allowed to be transferred. The processing unit receives data packets from a first network terminal device, obtains a data fragment from each packet and compares it with the defined data string. It detects whether the data fragment contains a contiguous part of the defined data string, and whether all previously received data fragments together with the newly received data fragment can form the defined data string. When both hold, the data packet is not transferred to the specified destination, or the data packet is transferred to the specified destination together with warning/error information.

Description

Packet content filtering device and method
Technical field
The present invention relates to a content filtering device and method, and in particular to a device and method that scans the data in packets transmitted over a network and filters their content.
Technical background
A content filtering system searches electronic file content for computer viruses or restricted subject matter (for example pornography or violence). Taking virus scanning as an example, it compares the data content against virus patterns to detect whether virus code is present and which kind of virus it is; if a virus is detected, a clean-up system removes the virus code from the data content. With the growth of the Internet, virus scanning systems no longer only check data files on floppy or hard drives for virus code, but are also used to inspect the data in packets circulating on the network.
Taking the TCP/IP protocol suite as an example, a TCP/IP packet consists of a header area and a data area. Each protocol layer defines its own header area, and a specific program is responsible for interpreting the header fields in order to understand the peer's requests and respond appropriately. A complete TCP/IP packet therefore carries, from the inside out, four layers of headers: internetworking service, transport service, application service and physical network technology. Starting from the application, headers are added to the data layer by layer; the complete TCP/IP packet is carried over the physical network to the peer host, where the receiver strips the headers layer by layer until the original data reaches the recipient. Before TCP can be used to transfer data, a connection must first be established between the two sides. A TCP connection is established by exchanging packets carrying connection control information between the two hosts; once the sequence numbers and checksums in the TCP headers have been verified and several exchanges have taken place, both sides agree to enter the connected state. This forms the three-way handshake. Disconnection follows a similar procedure: disconnect request, disconnect acknowledgement, disconnect complete. After the handshake is complete, a complete piece of data can be cut into individual data packets and transmitted between the two hosts. Conceptually, then, packets fall into two kinds, communication control and data: communication control packets carry connection control information, and data packets carry the data.
A packet content filtering system mainly scans the data carried in data packets to detect whether it contains a computer virus or restricted subject matter. Fig. 1a shows the blind redirect scanning architecture of the prior art. In this architecture, when a user-end device 11 (for example a Simple Mail Transfer Protocol (SMTP) server or a Post Office Protocol version 3 (POP3) server) sends data to another computer on network 10 using a network protocol such as SMTP, POP3 or the Hypertext Transfer Protocol (HTTP), the network communication device 13 (for example an ADSL modem, router, switch or gateway) first passes the packets to be sent to the scanning device 12. The scanning device 12 has communication management and content filtering functions: it first collects the partial data carried in the individual packets, restores the original complete data string, scans the content of the complete data string, and then forwards data found to be clean to network 10. Conversely, when network 10 sends data to the user-end device 11, the scanning device 12 acts as a proxy server: it buffers the complete data string carried in the packets, scans the content of that complete data string, and then passes clean data to the user-end device 11 via the network communication device 13. The network communication device 13 has no network service management function; it merely reroutes the data.
To avoid the above shortcoming, another feasible architecture is inside-the-box scanning. Fig. 1b shows the inside-the-box scanning architecture of the prior art. In this architecture, when a user-end device 11 (for example an SMTP server or a POP3 server) sends data to another computer on network 10 using a network protocol such as SMTP, POP3 or HTTP, the network communication device 14 itself has content filtering capability: it collects the fragment data carried in the individual packets bearing the same communication identification code, restores the original complete data string, scans the content of the complete data string, and then forwards data found to be clean to network 10. Conversely, when network 10 sends data to the user-end device 11, the network communication device 14 likewise first gathers the packets into a complete data string, scans the content of that complete data string, and then passes clean data to the user-end device 11.
Although both of the above prior-art architectures can filter unwanted content out of data packets, they must first queue the packets and reassemble a complete data string. This reduces network throughput, and providing the content filtering function increases hardware cost.
A device and method are therefore needed that offer higher network throughput than the conventional architectures and cost less in hardware to implement.
Summary of the invention
In view of this, the object of the present invention is to provide a packet content filtering device and method that achieve higher network throughput than conventional architectures and cost less in hardware to implement.
To this end, the packet content filtering device of the present invention is provided with a storage device, a packet receiving unit, a content scanning unit and a packet transmitting unit.
The storage device stores a plurality of defined data strings composed of characters or binary code; a defined data string represents restricted content such as virus code or restricted subject matter. The packet receiving unit receives a packet and passes it to the content scanning unit for scanning. After receiving the fragment data passed on by the packet receiving unit, the content scanning unit scans the content to detect (1) whether the packet contains a contiguous part of a defined data string, and (2) whether the fragment data in all previously inspected packets bearing the same communication identification code can form the remainder of the defined data string. If so, it either blocks the packet so that it is not sent to the specified destination, or sends the packet to the specified destination together with a warning/error message telling the destination device that restricted content has been detected in the data it received. The packet transmitting unit, according to the destination address in the packet, forwards the packet to whichever of the other end devices in the network or the user-end device corresponds to that destination address.
Brief description of the drawings
To make the above objects, features and advantages of the present invention easier to understand, embodiments are described in detail below with reference to the accompanying drawings:
Fig. 1a shows the blind redirect scanning architecture of the prior art;
Fig. 1b shows the inside-the-box scanning architecture of the prior art;
Fig. 2 shows the network architecture of the packet content filtering device according to an embodiment of the invention;
Fig. 3 is a block diagram of the packet content filtering device according to an embodiment of the invention;
Fig. 4 shows the defined data string of an embodiment of the invention;
Fig. 5a, 5b, 5c and 5d show the fragment data in packets according to an embodiment of the invention;
Fig. 6a, 6b and 6c show the comparison of the defined data string with the fragment data according to an embodiment of the invention;
Fig. 7 is a flow chart of the packet content filtering method according to an embodiment of the invention;
Fig. 8 shows the computer-readable storage medium of an embodiment of the invention.
Description of reference numerals
10-network; 11-user-end device; 12-scanning device; 13, 14-network communication device; 2-packet content filtering device; 31-storage device; 32-packet receiving unit; 33-content scanning unit; 34-packet transmitting unit; 41-defined data string; 51, 52, 53, 54-fragment data; S71, S72, ..., S76-method steps; 820-packet content filtering computer program; 821-receive packet logic; 822-compare defined data string logic; 823-logic for judging whether a contiguous part of the defined data string is contained; 824-logic for judging whether past packets can form the remainder of the defined data string; 825-transmit packet or warning/error message logic; 826-block packet logic.
Embodiments
Fig. 2 shows the network architecture of the packet content filtering device according to an embodiment of the invention. The packet content filtering device 2 sits between the other end devices in network 10 and the user-end device 11, captures the data packets transmitted between them and filters their content. Taking virus filtering as an example, the packet content filtering device 2 takes each packet bound for another end device in network 10 or for the user-end device 11 and scans its content to detect (1) whether the packet contains a contiguous part of the restricted content, and (2) whether the fragment data in all previously inspected packets bearing the same communication identification code can form the remainder of the restricted content. If so, it either blocks the packet so that it is not sent to the specified destination, or sends the packet to the specified destination together with a warning/error message telling the destination device that restricted content has been detected in the data it received.
Fig. 3 is a block diagram of the packet content filtering device according to an embodiment of the invention. The packet content filtering device 2 comprises a storage device 31, a packet receiving unit 32, a content scanning unit 33 and a packet transmitting unit 34, and can be implemented in a personal computer, workstation, mainframe, ADSL modem, router, switch, gateway or other equipment that can be used for network service and content filtering.
The storage device 31 stores a plurality of defined data strings composed of characters or binary code; a defined data string represents restricted content such as virus code or restricted subject matter. The storage device 31 can be implemented as read-only memory, a file, a database, an object library or any other means of storing data. Fig. 4 shows the defined data string of the embodiment; the defined data string is "AAABBBCCB", also called the restricted content.
The packet receiving unit 32 receives a packet and passes it to the content scanning unit 33 for scanning. A packet contains a destination address, fragment data and a communication identification code. The destination address designates one of the other end devices in network 10 or the user-end device 11. The communication identification code allows the end device matching the destination address to gather the fragment data of all related packets and reassemble the complete data string.
After receiving the fragment data passed on by the packet receiving unit 32, the content scanning unit 33 scans the content to detect (1) whether the packet contains a contiguous part of a defined data string, and (2) whether the fragment data in all previously inspected packets bearing the same communication identification code can form the remainder of the defined data string. If so, it either blocks the packet so that it is not passed to the packet transmitting unit 34, or passes the packet to the packet transmitting unit 34 together with a warning/error message (the warning/error message notifies the destination device that restricted content has been detected in the data it received); otherwise, it passes the packet to the packet transmitting unit 34.
The function of the scanning unit is illustrated below with an example. Fig. 5a, 5b, 5c and 5d show the fragment data in packets according to an embodiment of the invention. Fig. 6a, 6b and 6c show the comparison of the defined data string with the fragment data according to an embodiment of the invention.
First, fragment data 51, "BBBC", is received, as shown in the shaded part of Fig. 5a. Comparison with the defined data string 41 finds that the packet contains a contiguous part of the restricted content, as shown in Fig. 6a; but because no earlier packet bearing the same communication identification code exists, the packet carrying fragment data 51 is passed to the packet transmitting unit 34.
Some time later, another fragment data 52, "CBZZ", is received, as shown in Fig. 5b. Comparison with the defined data string 41 finds that the packet contains a contiguous part of the restricted content, as shown in the shaded part of Fig. 6b; but because the fragment data 51 in the previously inspected packet bearing the same communication identification code still cannot form the remainder of the defined data string, the packet carrying fragment data 52 is passed to the packet transmitting unit 34.
Next, another fragment data 53, "ZZZZ", is received, as shown in Fig. 5c. Comparison with the defined data string 41 finds that the packet does not contain a contiguous part of the restricted content, so the packet carrying fragment data 53 is passed to the packet transmitting unit 34.
Some time later again, another fragment data 54, "ZAAA", is received, as shown in Fig. 5d. Comparison with the defined data string 41 finds that the packet contains a contiguous part of the restricted content, as shown in the shaded part of Fig. 6c, and the fragment data 51 and 52 in the previously inspected packets bearing the same communication identification code can form the remainder of the defined data string. Fragment data 54 is therefore blocked and not sent to the specified destination, or the warning/error message and the packet carrying fragment data 54 are sent to the specified destination; the message tells the destination device that restricted content has been detected in the data it received. When the packet carrying fragment data 54 is not passed to the packet transmitting unit 34, the end device corresponding to the destination address (one of the other end devices in network 10 or the user-end device 11) cannot obtain all of the packets, so the data containing the restricted content cannot be assembled and read by the end device. When the end device corresponding to the destination address receives the warning/error message and the packet carrying fragment data 54, it can clean or discard the content according to the warning/error message.
The packet transmitting unit 34, according to the destination address in the packet, forwards the packet to whichever of the other end devices in network 10 or the user-end device 11 corresponds to that destination address.
Fig. 7 is a flow chart of the packet content filtering method according to an embodiment of the invention.
First, in step S71, a packet is received and fragment data is obtained from it, for example as shown in Fig. 5a, 5b, 5c or 5d. Next, in step S72, the fragment data is compared with a defined data string (representing restricted content), for example as shown in Fig. 4. In step S73, it is judged whether the fragment data contains a contiguous part of the defined data string.
If not, step S75 is carried out: the packet is forwarded to whichever of the other end devices in network 10 or the user-end device 11 corresponds to the destination address.
If so, the judgment of step S74 is carried out: whether the fragment data in all previously inspected packets bearing the same communication identification code can form the remainder of the defined data string. If so, step S76 is carried out: the packet is blocked and not sent to the specified destination, or the packet is sent to the specified destination together with a warning/error message notifying the destination device that restricted content has been detected in the data it received. If not, step S75 is carried out: the packet is forwarded to whichever of the other end devices in network 10 or the user-end device 11 corresponds to the destination address.
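The Fig. 5/Fig. 6 walk-through and the S71 to S76 flow above, as an added Python example that is not part of the patent. The patent does not say how the second condition is computed, so the span bookkeeping (`partial_spans`, `FragmentFilter`), the `FORWARD`/`BLOCK` return values and the decision to ignore arrival order are assumptions made for illustration.

```python
from collections import defaultdict

PATTERN = "AAABBBCCB"  # defined data string 41 (Fig. 4)


def partial_spans(fragment, pattern):
    """Return the (start, end) spans of `pattern` that `fragment` could supply.

    First condition (S73): the fragment holds a contiguous part of the pattern.
      head     - a suffix of the fragment equals a prefix of the pattern
      tail     - a prefix of the fragment equals a suffix of the pattern
      interior - the whole fragment lies strictly inside the pattern
    A fragment holding the whole pattern yields the full span (0, len(pattern)).
    """
    n, spans = len(pattern), set()
    if not fragment:
        return spans
    if pattern in fragment:
        spans.add((0, n))
    for k in range(1, min(len(fragment), n - 1) + 1):
        if fragment.endswith(pattern[:k]):
            spans.add((0, k))            # head piece
        if fragment.startswith(pattern[n - k:]):
            spans.add((n - k, n))        # tail piece
    pos = pattern.find(fragment, 1)      # interior: touches neither end
    while pos != -1 and pos + len(fragment) < n:
        spans.add((pos, pos + len(fragment)))
        pos = pattern.find(fragment, pos + 1)
    return spans


class FragmentFilter:
    """Keeps only span sets per communication identification code, never payloads."""

    def __init__(self, pattern):
        self.pattern = pattern
        self.seen = defaultdict(list)    # comm_id -> one span set per forwarded fragment

    def _covers(self, pieces, pos, used):
        """Can spans from distinct fragments tile pattern[pos:] end to end?"""
        if pos == len(self.pattern):
            return True
        for i, spans in enumerate(pieces):
            if i in used:
                continue                 # each fragment may fill one position only
            for start, end in spans:
                if start == pos and self._covers(pieces, end, used | {i}):
                    return True
        return False

    def inspect(self, comm_id, fragment):
        spans = partial_spans(fragment, self.pattern)
        if not spans:
            return "FORWARD"             # S73 "no" -> S75
        # Second condition (S74): earlier fragments of this flow plus this one.
        # Assumption of this sketch: arrival order is ignored, as in the
        # out-of-order sequence of Fig. 5a to 5d.
        if self._covers(self.seen[comm_id] + [spans], 0, frozenset()):
            return "BLOCK"               # S76; the dropped fragment is not recorded
        self.seen[comm_id].append(spans)
        return "FORWARD"                 # S74 "no" -> S75


def run_patent_example():
    """Fragments 51 to 54 from the description, all on one constructed flow id."""
    flt = FragmentFilter(PATTERN)
    return [flt.inspect("conn-1", f) for f in ("BBBC", "CBZZ", "ZZZZ", "ZAAA")]


if __name__ == "__main__":
    print(run_patent_example())
```

Because only spans are stored and order is ignored, this sketch can flag flows whose fragments would never reassemble into the string in that order; that is a property of the sketch, not a statement about the patented device.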
The present invention further proposes a computer-readable storage medium storing a computer program that implements the packet content filtering method; the method can carry out the steps described above.
Fig. 8 shows the computer-readable storage medium of an embodiment of the invention. This computer-readable storage medium 80 stores a computer program 820 that implements the packet content filtering method. The computer program comprises six logic blocks: receive packet logic 821, compare defined data string logic 822, logic 823 for judging whether a contiguous part of the defined data string is contained, logic 824 for judging whether past packets can form the remainder of the defined data string, transmit packet or warning/error message logic 825, and block packet logic 826.
Therefore, the packet content filtering device and method provided by the present invention achieve higher network throughput than conventional architectures and cost less in hardware to implement.
Although the present invention has been disclosed above by way of preferred embodiments, they are not intended to limit the invention. Anyone skilled in the art may make minor changes and refinements without departing from the spirit and scope of the invention; the scope of protection of the invention is therefore defined by the appended claims.

Claims (8)

1. A packet content filtering device, comprising:
a storage device for storing at least one defined data string, the defined data string representing restricted content that is not allowed to be transmitted; and
a processing unit, coupled to the storage device, that receives a packet from a first network terminal device, wherein the packet contains a communication identification code, and a data fragment and a destination address corresponding to the communication identification code, the destination address representing a second network terminal device; the processing unit obtains the data fragment from the packet, compares the data fragment with the defined data string, detects a first condition of whether the data fragment contains a contiguous part of the defined data string, and detects a second condition of whether all previously received data fragments bearing the same communication identification code, together with the data fragment, can form the defined data string; if the first condition and the second condition are met, the processing unit either does not allow the packet to be sent to the second network terminal device corresponding to the destination address, or sends the packet and a message to the second network terminal device corresponding to the destination address, the message notifying the second network terminal device corresponding to the destination address that the received data contains the defined data string.
2. The packet content filtering device as claimed in claim 1, wherein, in the processing unit, if the first condition is not met, the packet is sent to the second network terminal device corresponding to the destination address.
3. The packet content filtering device as claimed in claim 1, wherein, in the processing unit, if the first condition is met but the second condition is not met, the packet is sent to the second network terminal device corresponding to the destination address.
4. The packet content filtering device as claimed in claim 1, wherein the defined data string is composed of a plurality of binary codes or a plurality of character codes.
5. A hybrid packet content filtering method, to be loaded and executed by an electronic device containing a central processing unit, the method comprising the following steps:
receiving a packet, wherein the packet contains a communication identification code, and a data fragment and a destination address corresponding to the communication identification code, the destination address representing a second network terminal device;
obtaining the data fragment contained in the packet;
comparing the data fragment with a defined data string, the defined data string representing restricted content that is not allowed to be transmitted;
detecting a first condition of whether the data fragment contains a contiguous part of the defined data string, and detecting a second condition of whether all previously received data fragments bearing the same communication identification code, together with the data fragment, can form the defined data string; and
if the first condition and the second condition are met, blocking the packet so that it is not sent to the second network terminal device corresponding to the destination address, or sending the packet and a message to the second network terminal device corresponding to the destination address, the message notifying the second network terminal device corresponding to the destination address that the received data contains the defined data string.
6. The packet content filtering method as claimed in claim 5, further comprising a step of, if the first condition is not met, sending the packet to the second network terminal device corresponding to the destination address.
7. The packet content filtering method as claimed in claim 6, further comprising a step of, if the first condition is met but the second condition is not met, sending the packet to the second network terminal device corresponding to the destination address.
8. The packet content filtering method as claimed in claim 5, wherein the defined data string is composed of a plurality of binary codes or a plurality of character codes.
CNB2003101148116A 2003-11-07 2003-11-07 Data package content filtering device and method and recording media Expired - Lifetime CN100345118C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2003101148116A CN100345118C (en) 2003-11-07 2003-11-07 Data package content filtering device and method and recording media

Publications (2)

Publication Number Publication Date
CN1614565A CN1614565A (en) 2005-05-11
CN100345118C true CN100345118C (en) 2007-10-24

Family

ID=34760226

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2003101148116A Expired - Lifetime CN100345118C (en) 2003-11-07 2003-11-07 Data package content filtering device and method and recording media

Country Status (1)

Country Link
CN (1) CN100345118C (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20071024
