CN101009660A - Universal method and device for processing the match of the segmented message mode - Google Patents
Universal method and device for processing the match of the segmented message mode Download PDFInfo
- Publication number
- CN101009660A CN101009660A CNA2007100628805A CN200710062880A CN101009660A CN 101009660 A CN101009660 A CN 101009660A CN A2007100628805 A CNA2007100628805 A CN A2007100628805A CN 200710062880 A CN200710062880 A CN 200710062880A CN 101009660 A CN101009660 A CN 101009660A
- Authority
- CN
- China
- Prior art keywords
- state information
- flow state
- coupling
- matching
- execution
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Computer And Data Communications (AREA)
Abstract
The disclosed general method for matching segmented message pattern comprises: creating flow state information for segmented message without current pattern information; matching message executive pattern according to flow state information, and succeeding when matching completely; or else, updating flow state information, and re-executing former steps. This invention provides a general method for AC, BF, BM and PCRE algorithms, improves message-process security, and overcomes problems of network delay and decreased service.
Description
Technical field
The present invention relates to handle the universal method and the device of segmented message pattern matching, belong to communication technical field.
Background technology
In the system as depicted in figs. 1 and 2, gateway device and bypass equipment need pass through pattern matching (Pattern Matching, abbreviation PM) method realizes network security, virus prevention (Anti-Virus, be called for short AV), Bandwidth Management, use identification, upper layer application such as safety detection and wide area network acceleration, we can say, method for mode matching is the basis of the high performance content detection engine of network-oriented device build, have only by pattern matching and finish management and detection the Network Transmission content, could be network security, AV, Bandwidth Management, use identification, the enforcement of upper layer application such as safety detection and wide area network acceleration provides technical support, therefore, the implementation pattern coupling is to make up to manage, the technology foundation stone of the safe and intelligent network that can run.
At present, the method for pattern matching mainly contains monotype coupling and multi-mode is mated two kinds.The monotype matching algorithm is meant once can only carry out Matching Algorithm to a pattern string in text string, regular expression (PerlCompatible Regular Expression, algorithm PCRE) algorithm such as BoyerMoore (being called for short BM) algorithm, Brute force (being called for short BF) and Perl compatibility; Particularly the BM algorithm as accurate monotype matching algorithm, can be taken into account character match and strategy matching simultaneously.Multi-pattern matching algorithm is meant simultaneously a plurality of pattern strings is carried out Matching Algorithm, such as Aho-Corasick (being called for short AC) algorithm.
But, no matter be to the monotype matching algorithm or to multi-pattern matching algorithm, all must can realize continuously at present based on the content (Text) of transport stream (Flow), and in actual applications, each transmission Text of network realizes that by being segmented into a plurality of messages this has just caused the difficulty of carrying out pattern matching in network.General solution is that segmented message is flowed reorganization at present, such as to according to User Datagram Protoco (UDP) (User Datagram Protocol, abbreviation UDP) segmented message of tissue, to according to Internet Control Message Protocol (Intemet Control Message Protocol, be called for short ICMP) segmented message of tissue and to according to transmission control protocol (Transfer Control Protocol, be called for short TCP) segmented message of tissue etc., flow reorganization according to separately protocol format as pseudo-stream respectively, carry out the order-preserving of segmented message and the recovery of segmented message; Continuous Text after will recombinating then carries out pattern matching.
But there is the critical defect that self can't overcome in the method for this stream reorganization, and is example with the segmented message according to the TCP tissue:
At first, flowing reorganization must revise the TCP/IP of the network equipment (destruction that causes the protocol stack integrality has been improved the probability of failure of the network equipment for Internet protocol, IntemetProtocol) protocol stack;
Secondly, flowing reorganization requires the segmented message of each transmission Text of buffer memory to finish up to pattern matching, this has taken a large amount of Installed System Memories on the one hand, not only reduced systematic function, increased the possibility of DoS/DDoS (Denial of Service attack/distributed denial of service attack) simultaneously, particularly for the memory of the system of bypass (Off-Line) class, intruding detection system (Intrusion DetectionSystem for example, be called for short IDS), be a very large challenge; On the other hand, because system all reserves internal memory for each Text, under the limited objective circumstances of internal memory, owing to the internal memory of reserving for each Text is limited, therefore unavoidably can occur failing to report, again on the one hand, segmented message is carried out buffer memory will cause postponing to increase, be sensitive to the business of time delay for some, as (the Voice over IP of transporting speech on the IP network, be called for short VoIP) business, video traffic etc., the consequence of bringing service quality to descend, particularly online (In-Line) system to the TCP message being transmitted fast in real time, for example intrusion prevention system (IntrusionPrevention System, be called for short IPS), may cause defending the consequence that lost efficacy.
For above-mentioned EMS memory occupation is controlled, proposed at present application protocol is divided into row mode or length pattern, distinguish the technical scheme that flows reorganization.Because some application protocol messages are unit organization according to " OK ", then the message of buffer memory is the length of delegation to the maximum, so the size of EMS memory occupation is controlled substantially; For not being the application protocol of organizing for unit according to " OK ", then carrying out buffer memory, thereby realize control EMS memory occupation according to the appointment message size.But this scheme has just improved the control to EMS memory occupation, optimization system performance to a certain extent, the possibility that the minimizing system is under attack, but not fundamentally to overcome the high defective of EMS memory occupation, also can't overcome simultaneously and revise inherent shortcoming that the ICP/IP protocol stack brought and the time delay that buffer memory brought, can't avoid failing to report and reporting by mistake.
In sum, also there is not a kind of current techique scheme that can not rely on the processing segmented message pattern matching of stream reorganization in the prior art, promptly there is not a kind of like this technical scheme: can not revise the ICP/IP protocol stack of the network equipment own, also need not a large amount of segmented message of buffer memory, avoided internal memory to take a series of problems of bringing with buffer delay in a large number, thereby efficiently, accurately, intelligently segmented message is carried out pattern matching.
Summary of the invention
The technical problem to be solved in the present invention provides universal method and the device of handling the segmented message pattern matching, must flow reorganization in the prior art and can carry out pattern matching to overcome, and cause thus that protocol stack destroys, internal memory takies the safety issue brought in a large number, fail to report the many defectives of degradation under wrong report, time delay and the service quality.
For achieving the above object, the invention provides a kind of universal method of handling the segmented message pattern matching, may further comprise the steps:
Wherein, situation for the monotype coupling, create flow state information in the described step 1 and can be specially the flow state information of the first matching unit of record as present mode, and the designating unit that writes down the character that prestores is set, comprise the coupling start position information and the coupling end position information of carrying out the first rule match of described present mode in the described matching unit at least.
Then step 2 is specially:
Step 21, the character that prestores in described segmented message and the described flow state information combined be treated to the target segment message, and according to arbitrary matching unit, to described target segment message execution pattern coupling;
Step 22, whether the match is successful to judge last rule of described present mode, be then present mode the match is successful, finish; Otherwise renewal flow state information, and execution in step 3.
Wherein, described renewal flow state information is specially:
The matching result of step 23, judgement target segment message and current matching unit, when coupling is successful fully, execution in step 24; When the prefix character of at least one suffix character of described target segment message and described matching unit character string corresponding number when the match is successful, execution in step 25; When coupling is unsuccessful fully, execution in step 26;
Step 24, according to the pattern matching order, in described flow state information the record next matching unit, then in described target segment message the coupling complete successful positions after, again according to current matching unit execution in step 2;
Step 25, this suffix character that in described flow state information, prestores, and execution in step 26;
Step 26, according to the length information of described segmented message, revise in the described matching unit coupling start position information and coupling end position information.
Perhaps, for the monotype match condition, the establishment flow state information can also be specially the State Tree to described transport stream initialization present mode in the described step 1, comprise and root node is set as the flow state information of present mode and the prestore designating unit of character of record is set, described root node is first matching unit node, comprises that at least record carries out the coupling start position information and the coupling end position information of the first rule match of described pattern.
Then described step 2 can be specially:
Step 21 ', the character that prestores in described segmented message and the described flow state information combined be treated to the target segment message, and the State Tree of range traversal present mode is to described target segment message execution pattern coupling;
Step 22 ', whether the match is successful to judge in the described State Tree arbitrary matching unit node of corresponding last rule, be then present mode the match is successful, finish; Otherwise renewal flow state information, and execution in step 3.
Wherein, described renewal flow state information can be specially:
Step 23 ', judge the matching result of target segment message and current matching unit node, when coupling is successful fully, execution in step 24 '; When the prefix character of character string corresponding number at least one suffix character of described target segment message and described matching unit node when the match is successful, execution in step 25 '; When coupling is unsuccessful fully, execution in step 26 ';
Step 24 ', in described State Tree, add a child node for described matching unit node, write down next matching unit according to the pattern matching order in this child node, in described target segment message, mate after the complete successful positions, then again according to current matching unit node execution in step 2;
Step 25 ', this suffix character that in described flow state information, prestores, and execution in step 26 ';
Step 26 ', according to the length information of described segmented message, revise in the described matching unit node coupling start position information and coupling end position information.
For the situation of multi-mode coupling, the establishment flow state information can be specially the finite state machine that will set in advance and be made as initial condition in the described step 1, and described present mode comprises a plurality of patterns.
Described step 2 is specially the net load of described segmented message successively as the driving of described finite state machine and carries out following steps:
Step 2a, judge current input finite state machine a net load whether with the transition condition coupling, be that then described finite state machine is moved to NextState, otherwise described finite state machine is moved to initial condition;
Whether step 2b, the state of judging finite state machine move and are whole state, are that the result of then pattern matching is mated one of a plurality of patterns, report the successful matching result of this pattern, and upgrade flow state information, execution in step 2c; Otherwise renewal flow state information, and execution in step 2c; Step 2c, judge whether to exist the pattern that the match is successful, be execution in step 2d then, otherwise, finish for mating present mode fully;
Step 2d, judge whether current segmented message exists next net load, is then to receive next net load, re-executes step 2a, otherwise execution in step 3.
In order to economize on resources, the match is successful or during failure, also comprise the step that discharges flow state information at present mode.
The present invention also provides a kind of fexible unit of handling the segmented message pattern matching, comprising:
Flow state information is provided with module, is used for writing down the flow state information of this each pattern of transport stream at arbitrary transport stream;
The matching treatment module is provided with module with described flow state information and is connected, and is used for according to described flow state information the segmented message execution pattern being mated;
Matching result is reported module, is used to report the matching result of matching treatment module.
Wherein, described flow state information is provided with module and is provided with control unit and a plurality of matching unit; Instruction and transmission that described control unit is used to receive the matching treatment module prestore character to the matching treatment module, and dynamically change coupling start position information and coupling end position information in the matching unit; Wherein, first matching unit or arbitrary matching unit also are used for writing down the character that prestores.
Described matching unit can connect according to the State Tree mode, and subordinate's matching unit node is added, and is used to write down the successful coupling with its higher level's matching unit node, and wherein, initialized first matching unit node is a root node.
Perhaps, described flow state information is provided with module and is provided with finite state machine and record cell; Described record cell is used to write down the state after described finite state machine moves, as the flow state information of next net load in the segmented message.
Described matching treatment module can specifically comprise flow state information acquiring unit, coupling performance element and instruction sending unit; Described flow state information acquiring unit is used to obtain flow state information, is mated by described coupling performance element; Described coupling performance element sends to described instruction sending unit with matching result, according to match condition and message situation of change, to described flow state information the instruction that module is sent interpolation, deletion or change flow state information is set by described instruction sending unit.
As shown from the above technical solution, the present invention adopts the technical scheme that keeps and dynamically update flow state information, has following beneficial effect:
1, has versatility, can be applicable to monotype coupling and multi-mode coupling;
2, need not to destroy protocol stack, improved message processing security;
3, compare with whole preservation of a large amount of segmented message, only flow state information is preserved, avoided taking in a large number of internal memory;
4, needn't the buffer memory segmented message, message can be transmitted fast, overcome the problem that network delay and service quality descend.
Below by drawings and Examples, technical scheme of the present invention is described in further detail.
Description of drawings
Fig. 1 is the system schematic at the gateway device place of application model coupling;
Fig. 2 is the system schematic at the bypass equipment place of application model coupling;
Fig. 3 is divided into the schematic diagram of five sections messages for the transport stream that the present invention gave an example;
Fig. 4 is for flowing the schematic diagram after the reorganization in the prior art;
Fig. 5 is the universal method flow chart of processing segmented message pattern matching provided by the present invention;
Fig. 6 is the flow chart of the embodiment 1 of method shown in Figure 5;
State Tree structural representation among Fig. 7 method embodiment 2 shown in Figure 5;
Fig. 8 A-Fig. 8 I is among the method embodiment 2 shown in Figure 5, and the State Tree when carrying out the segmented message pattern matching changes schematic diagram;
Fig. 9 is method embodiment 3 shown in Figure 5, the schematic diagram of finite state machine;
The flow chart of Figure 10 method embodiment 3 shown in Figure 5;
Figure 11 is the system block diagram of the fexible unit of processing segmented message pattern matching provided by the present invention;
Figure 12 is the system block diagram of the embodiment 1 of Figure 11 institute generator;
Figure 13 is the system block diagram of the embodiment 2 of Figure 11 institute generator.
Embodiment
Must to flow the problem that reorganization can match pattern in the prior art in order overcoming, to the invention provides universal method and the device of handling the segmented message pattern matching, illustrate one by one below.
Be example with one section transport stream at first, its content is " abdddddcabcokabcddrtdefabcdddefdfdkdefkadghkdef ", and then in Network Transmission, above-mentioned transport stream can be divided into 5 sections messages according to Transmission Control Protocol, as shown in Figure 3.The setting that it will be appreciated by those skilled in the art that above-mentioned transport stream content is only for convenience of explanation and non-limiting, and method for mode matching provided by the present invention and mode matching device are applicable to any transport stream content that occurs in the practical application.Stream reset mode of the prior art is: preceding four messages of buffer memory always, after last segmented message 5 arrives, is reassembled as complete Text then, carry out further pattern matching, as shown in Figure 4 again.
The present invention then adopts the scheme of recorded stream state information to replace the stream reorganization, may further comprise the steps:
As shown in Figure 5, be the universal method schematic flow sheet of processing segmented message pattern matching provided by the present invention.In method for conserve system resources, it is preferred that the match is successful or during failure, comprise the scheme that discharges the flow state information step, but those skilled in the art should understand at present mode, even do not carry out the release of flow state information, can not constitute influence to the solution of the present invention yet.。
For the support of this method to monotype coupling and multi-mode coupling is described, be that example describes with BF in the monotype and the AC in the multi-mode respectively below.
Method embodiment 1:
Present embodiment provides a method of handling the segmented message pattern matching to be example according to the BF coupling.
For convenience of description, setting the transport stream content is that the pattern that is used to mate is " regular A ' abc ' offset 3 depth 50; regular B ' def ' distance 4 within 10; regular C ' ghk ' distance 3within 8 ", being called for short this pattern is Mode A BC, and the transmission content still is " abdddddcabcokabcddrtdefabcdddefdfdkdefkadghkdef ".What foregoing was explained is in this transport stream, search meets the pattern of specified rule A, B and C: skew 3 beginnings in transport stream, length is search " abc " in 50 the content, offset 4 beginnings that matching A, length is search " def " in 10 the content, in offset 3 beginning that matches B, length is search " ghk " in 8 the content.If final matched rule ABC success then illustrates and mated this pattern in the transport stream content.But the setting that it will be appreciated by those skilled in the art that above-mentioned transport stream match pattern is only for convenience of explanation and non-limiting, and method for mode matching provided by the present invention and mode matching device are applicable to any transport stream match pattern that occurs in the practical application.
Referring to Fig. 6, the method for processing segmented message pattern matching provided by the present invention may further comprise the steps:
The judgement of carrying out this step is to carry out at transport stream owing to carrying out pattern matching, and each segmented message only can combine with other segmented message in this transport stream, therefore at first discerns the transport stream at segmented message place, and this is that prior art can be finished.
After the transport stream at identification segmented message place, further whether identification exists corresponding flow state information at present mode.Because in different service application, the pattern matching that need carry out requires different, even therefore to same transport stream, during towards different service application, needs the pattern of coupling may be also inequality, therefore need be provided with as required and mate.The present invention is directed to arbitrary transport stream, adopt the flow state information of record different mode to replace a large amount of messages of buffer memory, thereby realize not based on the pattern matching that flows reorganization.
As can be seen, this method can be supported the coupling of a plurality of transport stream and a plurality of patterns simultaneously.
With segmented message shown in Figure 3 is example, when receiving segmented message 1, obviously need carry out the initialization of Mode A BC, comprise record character string " abc " and carry out the offset information 3 of this string matching and rule information such as length 50, also want the positional information " 1 " that the recorded message coupling begins and mate end position information " 53 ".As can be seen, when segmented message 1 is carried out pattern matching, just carry out matching operation according to this matching unit.
Step 103, the character that prestores in described segmented message and the described flow state information combined be treated to the target segment message, and empty the character that prestores in the described flow state information, execution in step 104 then;
Wherein, the character that prestores in segmented message and the flow state information is combined be treated to the target segment message and comprise:
In general, this designating unit can be current matching unit, promptly preserves the corresponding character that prestores in each designating unit respectively.
This designating unit also can be a matching unit of fixing, and such as first matching unit, when then any one matching unit being handled, all obtains character information from this designating unit.
Further, in order to reduce the EMS memory occupation of flow state information, can also in memory space, open up certain byte regions separately, be used for storing the character that prestores specially, the size of this byte regions can be according to the maximum length of regular institute matching content in all mode, as the present invention's three rules as an example, the content of being mated all is three bytes, and the zone of opening up 3 bytes so can meet the demands;
Be the situation of the matching unit fixed for designating unit, be included in designating unit stored the prestore character and the character that in special byte regions, prestores, simultaneously, all need in current matching unit, write down relative position specifying; This is particularly useful for the situation that there is repeat character (RPT) in a plurality of match patterns.Such as, when match pattern is respectively regular when being " abcd " " bcde " " cdf ", suppose that certain section segmented message end termination character is " xxabc ", the long word symbol " abc " of required preservation in three rules of this byte regions stored then, and set up of the connection of the designating unit of each schema stream state information respectively, and in current matching unit, write down relative position to this byte regions; For the flow state information of rule " abcd ", its relative position is 3, and for rule " bcde ", its relative position is 2, and for rule " cdf ", its relative position is 1.This relative position is exactly the forward direction side-play amount from the ENMES position.Particularly open up the scheme of byte regions in this way, be particularly useful for the situation that there is repeat character (RPT) in a plurality of match patterns, need not in each flow state information, to carry out character and preserve, can improve 10 orders of magnitude handling the message ability.
In the present embodiment, this designating unit is first matching unit, preserves and only preserve the character that prestores, therefore before carrying out this segmented message coupling, just need carry out segmented message in conjunction with working.
Then when segmented message 2 execution patterns are mated, need the matching unit in the ergodic flow state information equally; Because complete match condition does not take place in segmented message 1, therefore do not increase matching unit newly, this moment, existing matching unit still was the first matching unit after the initialization, promptly carried out the coupling of regular A; There is character string " abc " in the segmented message 2, mate fully, new matching unit then further is set, comprise record character string " def " and carry out the offset information 4 of this string matching and rule information such as length 10, also will write down start position information " 13 " and the end position information " 23 " that this character string " def " is mated of carrying out.As can be seen, through after this step process, when segmented message 3 is mated, to mate with two matching units at least.
The matching result of step 105, judgement target segment message and current matching unit, when coupling is successful fully, execution in step 106; When the prefix character of at least one suffix character of described target segment message and described matching unit character string corresponding number when the match is successful, execution in step 108; When coupling is unsuccessful fully, execution in step 109;
Whether the result of step 106, judgment model coupling is example with the present embodiment for mating present mode fully, is to judge whether finally to match " ghk ", be then present mode the match is successful, report successfully matching result, finish; Otherwise execution in step 107;
In this step, present mode also comprises the step that discharges flow state information when the match is successful.
For instance, last suffix character of segmented message 1 is " a " among Fig. 3, when this segmented message and regular A are mated, this suffix character " a " obviously with regular A in first letter coupling of character string " abc ", just mean that also last character " a " in this segmented message might be combined into " abc " that meets the coupling requirement with next segmented message, therefore, the character copy need be kept, write down relative position information simultaneously.
In order to guarantee not lose the match information of arbitrary matching unit, this suffix character that prestores in described flow state information in this step comprises; Checking whether there is the character that prestores in the described flow state information, is then described suffix character and the described character that prestores to be compared, and the character more to number of characters prestores; Otherwise this suffix character directly prestores.For instance, when the rule of a matching unit is a coupling " def ", and the rule of another matching unit is a coupling " tdef ", when the termination character of a certain segmented message is " tde ", may there be following two kinds of situations at random or successively matching order according to two matching units:
The first, when the matching unit that is at first mated is rule " def ", the character " de " that need prestore, and in current matching unit, preserve relevant position 2; When then carrying out the coupling of next matching unit, check the character that existence prestores in the described flow state information, then compare; Because the length of character " tde " therefore, is updated to " tde " with the character that prestores greater than character " de ", and in current matching unit, preserve relevant position 3;
The second, when the matching unit that is at first mated is rule " tdef ", the character " tde " that need prestore, and in current matching unit, preserve relevant position 3; When then carrying out the coupling of next matching unit, check the character that existence prestores in the described flow state information, then compare; Because the length of character " tde " is greater than character " de ", therefore, character " tde " is still preserved in the change of the character that do not prestore, but preserves relevant position 2 in current matching unit.
For example, the coupling start position information of matching unit record is " 1 " after the initialization, coupling end position information is " 53 ", then carry out the coupling of segmented message 1 and preserve character " a " afterwards, need carry out the coupling start position information and the coupling end position information of this matching unit regulates, be specifically as follows: the coupling start position information is " 1 ", and representative is from first character of next message; Coupling end position information is 45, as shown in Figure 3, coupling for the literary composition of reporting for the first time is position from being offset 3, be that offset character is 3, institute's characters matched is " ddddca ", because coupling is next time waited until in character " a " storage, therefore effectively the message of coupling is " ddddc ", totally 5 characters are exactly number according to the coupling character to the modification of coupling end position information then, and " 53 " are revised as " 45 ".
In this step, present mode also comprises the step that discharges flow state information when it fails to match.
Information for fear of storing excess, step 109 can also comprise to be judged coupling start position information in the amended matching unit and coupling end position information, if this coupling start position information or coupling end position information exceed valid analysing range, then delete this matching unit record.For example, after the adjustment of coupling start position information, be 0, then explanation can not be carried out the coupling of next segmented message again, then deletes this matching unit and gets final product.
By present embodiment as can be seen, the method by the recorded stream state information replaces the cache flow segmented message, can realize the requirement of monotype matching algorithm.
Method embodiment 2:
Present embodiment is an example with the BF coupling still, and a method of handling the segmented message pattern matching is provided, and is that example describes with transport stream matching content among the embodiment 1 and match pattern still.Wherein, flow state information adopts the mode of State Tree to organize.Because the inheritance of State Tree itself is clear, therefore help identification and processing.The method of the processing segmented message pattern matching that present embodiment 2 provides may further comprise the steps:
Step 201, when receiving arbitrary segmented message, whether the transport stream of judging described segmented message place has existed the flow state information of present mode, is execution in step 203 then, otherwise execution in step 202;
Step 202, to the flow state information of described transport stream initialization present mode, comprise that the establishment flow state information is specially the State Tree to described transport stream initialization present mode, be specially and root node be set as the flow state information of present mode and the prestore designating unit of character of record is set, described root node is first matching unit node, comprises that at least record carries out the coupling start position information and the coupling end position information of the first rule match of described pattern;
Step 203, the character that prestores in described segmented message and the described flow state information combined be treated to the target segment message, and empty the character that prestores in the described flow state information, execution in step 204 then;
Step 204, to described target segment message execution pattern coupling, be specially the State Tree of range traversal present mode, to described target segment message execution pattern coupling;
The matching result of step 205, judgement target segment message and current matching unit node, when coupling is successful fully, execution in step 206; When the prefix character of character string corresponding number at least one suffix character of described target segment message and described matching unit node when the match is successful, execution in step 207; When coupling is unsuccessful fully, execution in step 208;
Whether the result of step 206, judgment model coupling is example with the present embodiment for mating present mode fully, is to judge whether finally to match " ghk ", be then present mode the match is successful, report successfully matching result, and the release condition tree, finish; Otherwise execution in step 207;
Step 207, add a child node at matching unit node described in the described State Tree, write down next matching unit according to the pattern matching order in this child node, in described target segment message, mate after the complete successful positions, then again according to current matching unit node execution in step 204;
Step 208, this suffix character that in described flow state information, prestores, and execution in step 209;
Step 209, according to the length information of described segmented message, revise in the described matching unit node coupling start position information and coupling end position information;
Step 210, judge whether described transport stream finishes, be then present mode it fails to match, report the failure matching result, and the release condition tree, finish; Otherwise receive next segmented message, re-execute step 201.
Referring to Fig. 7, for handling the State Tree schematic diagram of the method for mode matching of segmented message in the present embodiment, here two streams are illustrated, wherein convection current ID is that 123 transport stream has provided the diagram of carrying out according to State Tree provided by the present invention, and convection current ID is 456 transport stream, has only provided the schematic diagram of root node.By this diagram as can be seen, the method for mode matching of processing segmented message provided by the present invention for not homogeneous turbulence and different patterns, does not disturb each other yet.With regard to State Tree of the present invention, what show is exactly independent between the different tree.
Further, all write down coupling start position information and coupling end position information among Fig. 7 in the matching unit node of State Tree, and this matching unit node rule of mating.When arbitrary segmented message is carried out the range traversal, carry out the coupling of regular A according to root node; According to two-level node, carry out the coupling of regular B; According to three grades of nodes, carry out the coupling of regular C.Below, be example just with the segmented message that Fig. 3 was provided, be illustrated in the mode of State Tree dynamic change.
Shown in Fig. 8 A, receive segmented message 1, there is not the flow state information of present mode 123 (Flow ID) in the transport stream of judging this segmented message place, flow state information to described transport stream initialization present mode, comprise root node is set, wherein the coupling start position information (A-Start) " 1 " of record rule A " abc " and coupling end position information (A-Len) " 53 "; Also comprising the designating unit that writes down the character that prestores is set, is that a special byte Pkt is set in root node in the present embodiment, and this moment, Pkt was empty, described segmented message 1 is set then is the target segment message.Referring to 8B, according to flow state information (root node) the segmented message execution pattern is mated, the character that prestores in described segmented message 1 and the described flow state information (root node) combined be treated to the target segment message, be empty this moment among the Pkt, so the target segment message after the combination still is former segmented message 1; Range travels through the State Tree of present mode then, and " abc " sought in the position that is specially skew 3 in message 1, and the result is mated fully; But last character of this segmented message 1 is " a ", might be combined as target string with next message ' abc ', so need copy to keep this character in Pkt, write down relative position information 1 simultaneously; Length information according to described segmented message 1, revise coupling start position information and coupling end position information in the described root node, be specially the coupling start position information is revised as " 1 ", representative is mated from next message initial character, coupling end position information is revised as " 45 ", the character number that promptly original coupling end position information deducts deviant and detected.The pattern matching of segmented message 1 finishes.
Judging has next segmented message, transport stream does not finish, therefore referring to Fig. 8 C, receive segmented message 2 and re-execute above-mentioned steps, be included as the flow state information that there has been present mode in the transport stream of judging described segmented message 2 places, then the Pkt content " a " and segmented message 2 contents of preserving are united two into one, and empty this Pkt field, will in conjunction with after message " abcokabcddrtdef " as the target segment message; Then the target segment message is mated, searching " abc " is played in the position that is specially in target segment message 2 " 1 ", and the result is mated fully; In described State Tree, add a child node B1, comprise that record carries out the coupling start position information 1+3+4=8 and the coupling end position information 8+10=18 of regular B coupling in the described pattern for described root node; In described target segment message, mate after the complete successful positions then, promptly from character 4, again the target segment message is carried out the coupling of this character string " abc ", the result is mated fully, therefore, in described State Tree, add a child node B2 again, comprise that record carries out the coupling start position information 6+3+4=13 and the coupling end position information 13+10=23 of regular B coupling in the described pattern for described root node; Length information according to described segmented message, revise coupling start position information and coupling end position information among the described matching unit A, be specially the coupling start position information is revised as " 1 ", representative is mated from next message initial character, coupling end position information is revised as " 30 ", and promptly original coupling end position information deducts the character number 15 that has detected; Described matching unit A coupling finishes, and promptly the range traversal of first row is finished.Referring to Fig. 8 D, owing to two new matching unit Node B 1 and B2 occurred, therefore need carry out the traversal of the second row child node: (1) carries out the coupling of matching unit B1 " def " in the position of character 8 to 18, the result is coupling success fully, is that described matching unit Node B 1 is added a child node C1 in described State Tree; After the position of mating fully, this target segment message 2 finishes, and it is unsuccessful fully therefore to continue coupling; Revise among the described matching unit B1 coupling start position information and coupling end position information, be specially that the coupling start position information is 1 among the matching unit B1, the coupling of representing next segmented message is from character 1, and mating end position information is 18-15=3; Described matching unit B1 coupling finishes; (2) carry out the coupling of target segment message 2 according to next matching unit B2, in the position of character 13 to 23, carry out the coupling of " def ", because the length of target segment message 2 is 15, therefore actual coupling occurs in character 13 to this target segment ENMES, the result is coupling success fully, is that described matching unit Node B 2 is added a child node C2 in described State Tree; After the position of mating fully, this target segment message 2 finishes, and it is unsuccessful fully therefore to continue coupling; Revise among the described matching unit B2 coupling start position information and coupling end position information, be specially that the coupling start position information is 1 among the matching unit B2, the coupling of representing next segmented message is from character 1, and mating end position information is 8; Described matching unit B2 coupling finishes.
As can be seen, the result of traversal has increased child node C1 newly for matching unit Node B 1, and matching unit Node B 2 has increased child node C2 newly, and variation has all taken place for the coupling start position information of B1 and B2 and coupling end position information simultaneously.Finish for segmented message 2 traversals.
Judging has next segmented message, and transport stream does not finish, referring to Fig. 8 E, receive segmented message 3 and carry out the range traversal, in traversal, added new matching unit Node B 3, and the coupling start position information and the coupling end position information of root node have been regulated root node.Referring to Fig. 8 F, in the traversal to the second degree matches cell node, do not produce new child node, the coupling start position information of former matching unit Node B 1, B2 and coupling end position information change, wherein, because the coupling end position information of B1 exceeds valid analysing range, can identify no longer it is mated; In the traversal to three grades of matching unit nodes, the coupling start position information of C1 and C2 and coupling end position information change.
Judging has next segmented message, and transport stream does not finish, and referring to Fig. 8 G, receives segmented message 4 and carries out the range traversal, in the traversal to one-level matching unit node, the coupling start position information and the coupling end position information of root node is regulated; In traversal to the second degree matches cell node, skip over B1, after the traversal to B2, because the coupling end position information of B2 exceeds valid analysing range, also sign is no longer mated it or is deleted the content that is write down, traversal to B3 has increased child node C3 newly, because the coupling end position information of B3 exceeds valid analysing range, therefore also sign is no longer mated it or deleted the content that is write down.
Referring to 8H, in traversal, travel through for C1, C2 and C3 at segmented message 4 to three grades of matching unit nodes, adjust its coupling start position information and coupling end position information respectively; Because the coupling of C1 begins to exceed valid analysing range with end position information, and node all need not to travel through on the path at its place, therefore, deletes this path.Wherein, the concrete operations of carrying out path deletion are:
Judge that there is not child node in matching unit node C1, deletes this matching unit node C1;
The father node B1 that further judges this matching unit node C1 has been designated and has no longer mated or be recorded as zero, then deletes this matching unit Node B 1.
And because the coupling of C2 begins to exceed valid analysing range with end position information, therefore sign is no longer mated it or is deleted the content that is write down.Certainly, because it does not have child node, therefore also can adopt the operation of deletion C2.
Judging has next segmented message, and transport stream does not finish, and referring to 8I, receives segmented message 5 and carries out the range traversal, in the traversal to one-level matching unit node, the coupling start position information and the coupling end position information of root node is regulated; Because two-level node all need not to travel through, therefore directly carry out the traversal of three grades of nodes, be specially traversal to C3 because C3 has mated " ghk ", so string pattern the match is successful, discharge stream information and promptly delete whole matching units.
Suppose that in the present embodiment the matching result to 5 sections segmented message is non-coupling fully, then, therefore will carry out reporting the failure matching result, and discharge flow state information, the step of end because segmented message 5 back transport stream finish.
As can be seen, present embodiment has provided the implementation method according to State Tree mode flow of tissue state information.
Method embodiment 3:
For the multi-mode coupling, the present invention promptly constructs corresponding state machine according to the multimode of determining in advance by making up finite state machine flow of tissue state information.Because the pattern that the engineering staff will be mated is determined, so state machine can set in advance N the corresponding N of a multimode difference state machine.
State machine mainly is applicable to the multi-mode coupling, is example with the multimode matching that comprises four patterns, and four included patterns are respectively " he ", " she ", " his " " hers ".As can be seen, the multi-mode coupling more is applicable to the situation that has overlapping character in the pattern that is comprised, and the state machine that constructs like this can effectively be raised the efficiency.And the rule in the monotype often mutually independently, if make up with state machine, constructed result will be linear; Such as, the rule among the embodiment 1 and 2 " abc ", the result of structure only are the linear states that drives as state transition with a, b and c respectively.
Referring to Fig. 9, be the schematic diagram of present embodiment finite state machine, wherein:
For the driving as the pattern finite state machine when the pattern matching of TCP flow point section message net load, net load character of every input, the state of pattern finite state machine moves, and when state transition during to the whole state of finite state machine, shows this pattern matching.For example: the net load of stream packet is hxhers, initial state is a state 0, the finite state machine state transition of pattern matching is: state 0 (input h)--〉state 1 (input x)--〉state 0 (input h)--〉state 1 (input e)--〉state 2 (input r)--〉state 8 (input s)--〉state 9, wherein state 2,9 is whole state, and expression pattern he, the match is successful in net load hxhers for hers.
But because this multi-mode comprises four patterns altogether, therefore the match is successful fully.Referring to Figure 10, for utilizing finite state machine, present embodiment realizes the method for segmented message pattern matching, may further comprise the steps:
Step 301, when receiving arbitrary segmented message, whether the transport stream of judging described segmented message place has existed the flow state information of present mode (being multi-mode in the present embodiment), is execution in step 303 then, otherwise execution in step 302;
Step 302, to the flow state information of described transport stream initialization present mode, comprise that the finite state machine that will set in advance is made as initial condition 0;
Step 303, with the net load of described segmented message successively as the driving of described finite state machine, and carry out coupling, may further comprise the steps:
Step 3031, judge current input finite state machine a net load whether with the transition condition coupling, be then to carry out peaceful step 3032, otherwise execution in step 3033;
Step 3032, described finite state machine are moved to NextState, and execution in step 3034;
Step 3033, described finite state machine are moved to initial condition;
Whether step 3034, the state of judging finite state machine move and are whole state, be that then one of current a plurality of patterns are mated, report the successful matching result of this pattern, and write down the state after the described finite state machine migration, as the flow state information of next net load, execution in step 3035 then; Otherwise write down the state after the described finite state machine migration, as the flow state information of next net load, and execution in step 3036;
Step 3035, judge whether to exist the pattern that the match is successful, be execution in step 3036 then, otherwise, discharge flow state information, finish for mating present mode fully;
There are next net load in step 3036, the current segmented message of judgement, are then to receive next net load, re-execute step 3031, otherwise execution in step 304;
Step 304, judging whether described transport stream finishes, is then to report the failure matching result, and discharges flow state information, finishes; Otherwise receive next segmented message, re-execute step 301-304.
Wherein, the whole state in the step 3034 may comprise two kinds of situations, in present embodiment, whole state comprises state 2 and 9, and then state 2 exists as the whole state of he and the intermediateness of hers simultaneously, therefore, even whole state also needs to carry out the renewal of flow state information.
As can be seen, the universal method of processing segmented message pattern matching provided by the present invention is a kind of general method for mode matching based on stream, can be applicable to multi-mode coupling and monotype coupling; Though in the above-described embodiments, be that example describes with BM and AC respectively, it will be understood by those skilled in the art that the scope of application of method provided by the present invention includes but not limited to BM, AC, PCRE, BF isotype matching algorithm.And as can be seen from the above-described embodiment, the organizational form of flow state information provided by the present invention includes but not limited to State Tree and finite state machine.
Except the match is successful at present mode or when failure discharges the flow state information, when stream aging or finish after, also will dynamically discharge flow state information, reduce EMS memory occupation to greatest extent.
Simultaneously,, therefore in system, have a plurality of monotypes because differentiation pattern and stream carry out the preservation of stream information, then for each monotype all according to above process flow operation, create a plurality of flow state informations; If have a plurality of streams in the system, then flow also all according to above process flow operation for each, create a plurality of flow state informations; Therefore, can be applicable to the situation of a plurality of monotypes and a plurality of streams simultaneously.
Owing to do not need to flow reorganization, therefore need not segmented message itself is carried out buffer memory, only need to preserve and safeguard that various algorithms detect necessary flow state information; Because state machine do not take character string, so the worst case of the flow state information committed memory of each stream is the length of character string maximum in the monotype coupling, and the best-case of committed memory is 0.Obviously, reduce taking in a large number of Installed System Memory, not only improved the entire system performance, and avoided the possibility failed to report theoretically fully, avoided the destruction to protocol stack simultaneously, the practice that does not increase various application services postpones, and has realized based on the pattern matching that flows with less cost.
The present invention also provides a kind of mode matching device of handling segmented message, referring to Figure 11, comprising:
Flow state information is provided with module 1, is used at arbitrary transport stream the flow state information of this each pattern of transport stream of dynamically recording.When handling the monotype coupling, described flow state information may comprise the prestore character and the matching unit of different relatively segmented message dynamic changes; And when handling the multi-mode coupling, described flow state information may comprise state machine and state machine migration results.
Matching result is reported module 3, is used to report the matching result of matching treatment module.
Referring to Figure 12, be the embodiment 1 of said apparatus, wherein, described flow state information is provided with module 1 and is provided with control unit 1A and a plurality of matching unit 1B1~1BN, and wherein, N is the number of matching unit, and for dynamic change; Instruction and transmission that described control unit 1A is used to receive matching treatment module 2 prestore character to matching treatment module 2, add, the deletion matching unit, and dynamically change coupling start position information and coupling end position information in the matching unit; Wherein, first matching unit 1B1 also is used for the record character that prestores, perhaps, and the character that prestores when arbitrary matching unit 1B1~1BN also is used to write down this matching unit and mates.
For the ease of tissue, above-mentioned matching unit 1B1~1BN can connect according to the mode of State Tree, and subordinate's matching unit node is added, and is used to write down the successful coupling with its higher level's matching unit node, wherein, initialized first matching unit node is a root node.
Described matching treatment module 2 comprises flow state information acquiring unit 2A, coupling performance element 2B and instruction sending unit 2C;
Described flow state information acquiring unit 2A is used to obtain flow state information, is mated by described coupling performance element 2B;
Described coupling performance element 2B sends to described instruction sending unit 2C with matching result, according to match condition and message situation of change, the instruction that module 1 is sent interpolation, deletion or change flow state information is set by described instruction sending unit 2C to described flow state information.
Obviously, the structure of embodiment 1 is fit to handle the monotype coupling.
Referring to Figure 13, be the embodiment 2 of said apparatus.Wherein, described flow state information is provided with module 1 and is provided with finite state machine 1C and record cell 1D, and is identical among described matching treatment module 2 and the embodiment 1, comprises flow state information acquiring unit 2A, coupling performance element 2B and instruction sending unit 2C; Described flow state information acquiring unit 2A is used to obtain flow state information,, the message that receives is mated in state machine according to last migration results by described coupling performance element 2B; Described coupling performance element 2B sends to described instruction sending unit 2C with matching result, by described instruction sending unit 2C according to match condition and message situation of change, to described flow state information the instruction that module 1 is sent interpolation, deletion or change flow state information is set, such as the deletion state machine, perhaps change transition state etc.
In the present embodiment, finite state machine 1C sets up according to the instruction of matching treatment module 2, and this record cell 1D is used to write down the state after the described finite state machine 1C migration, and finite state machine 1C and record cell 1D are jointly as the flow state information of next net load in the segmented message.Obviously, the structure of embodiment 1 is fit to handle the multi-mode coupling.
It should be noted that at last: above embodiment is only in order to technical scheme of the present invention to be described but not limit it, although the present invention is had been described in detail with reference to preferred embodiment, those of ordinary skill in the art is to be understood that: it still can make amendment or be equal to replacement technical scheme of the present invention, and these modifications or be equal to replacement and also can not make amended technical scheme break away from the spirit and scope of technical solution of the present invention.
Claims (16)
1, a kind of universal method of handling the segmented message pattern matching is characterized in that may further comprise the steps:
Step 1, when receiving arbitrary segmented message, whether the transport stream of judging described segmented message place has existed the flow state information of present mode, is execution in step 2 then, otherwise creates behind the flow state information execution in step 2 again;
Step 2, according to flow state information described segmented message execution pattern is mated, whether the result of judgment model coupling for mating present mode fully, be then present mode the match is successful, finish; Otherwise renewal flow state information, and execution in step 3;
Step 3, judge whether described transport stream finishes, be then present mode it fails to match, finish; Otherwise receive next segmented message, re-execute step 1.
2, method according to claim 1, it is characterized in that mating for monotype, create flow state information in the described step 1 and be specially the flow state information of the first matching unit of record as present mode, and the designating unit that writes down the character that prestores is set, comprise the coupling start position information and the coupling end position information of carrying out the first rule match of described present mode in the described matching unit at least.
3, method according to claim 2 is characterized in that described step 2 is specially:
Step 21, the character that prestores in described segmented message and the described flow state information combined be treated to the target segment message, and according to arbitrary matching unit, to described target segment message execution pattern coupling;
Step 22, whether the match is successful to judge last rule of described present mode, be then present mode the match is successful, finish; Otherwise renewal flow state information, and execution in step 3.
4,, it is characterized in that described renewal flow state information is specially according to claim 2 or 3 described methods:
The matching result of step 23, judgement target segment message and current matching unit, when coupling is successful fully, execution in step 24; When the prefix character of at least one suffix character of described target segment message and described matching unit character string corresponding number when the match is successful, execution in step 25; When coupling is unsuccessful fully, execution in step 26;
Step 24, according to the pattern matching order, in described flow state information the record next matching unit, then in described target segment message the coupling complete successful positions after, again according to current matching unit execution in step 2;
Step 25, this suffix character that in described flow state information, prestores, and execution in step 26;
Step 26, according to the length information of described segmented message, revise in the described matching unit coupling start position information and coupling end position information.
5, method according to claim 1, it is characterized in that mating for monotype, the establishment flow state information is specially the State Tree to described transport stream initialization present mode in the described step 1, comprise and root node is set as the flow state information of present mode and the prestore designating unit of character of record is set, described root node is first matching unit node, comprises that at least record carries out the coupling start position information and the coupling end position information of the first rule match of described pattern.
6, method according to claim 5 is characterized in that described step 2 is specially:
Step 21 ', the character that prestores in described segmented message and the described flow state information combined be treated to the target segment message, and the State Tree of range traversal present mode is to described target segment message execution pattern coupling;
Step 22 ', whether the match is successful to judge in the described State Tree arbitrary matching unit node of corresponding last rule, be then present mode the match is successful, finish; Otherwise renewal flow state information, and execution in step 3.
7,, it is characterized in that upgrading in the described step 2 flow state information and be specially according to claim 5 or 6 described methods:
Step 23 ', judge the matching result of target segment message and current matching unit node, when coupling is successful fully, execution in step 24 '; When the prefix character of character string corresponding number at least one suffix character of described target segment message and described matching unit node when the match is successful, execution in step 25 '; When coupling is unsuccessful fully, execution in step 26 ';
Step 24 ', in described State Tree, add a child node for described matching unit node, write down next matching unit according to the pattern matching order in this child node, in described target segment message, mate after the complete successful positions, then again according to current matching unit node execution in step 2;
Step 25 ', this suffix character that in described flow state information, prestores, and execution in step 26 ';
Step 26 ', according to the length information of described segmented message, revise in the described matching unit node coupling start position information and coupling end position information.
8, method according to claim 1 is characterized in that for the multi-mode coupling, the establishment flow state information is specially the finite state machine that will set in advance and is made as initial condition in the described step 1, and described present mode comprises a plurality of patterns.
9, method according to claim 8 is characterized in that described step 2 is specially the net load of described segmented message successively as the driving of described finite state machine and carries out following steps:
Step 2a, judge current input finite state machine a net load whether with the transition condition coupling, be that then described finite state machine is moved to NextState, otherwise described finite state machine is moved to initial condition;
Whether step 2b, the state of judging finite state machine move and are whole state, are that the result of then pattern matching is mated one of a plurality of patterns, report the successful matching result of this pattern, and upgrade flow state information, execution in step 2c; Otherwise renewal flow state information, and execution in step 2d;
Step 2c, judge whether to exist the pattern that the match is successful, be execution in step 2d then, otherwise, finish for mating present mode fully;
Step 2d, judge whether current segmented message exists next net load, is then to receive next net load, re-executes step 2a, otherwise execution in step 3.
10, according to Claim 8 or 9 described methods, it is characterized in that the state after described renewal flow state information is specially the described finite state machine migration of record, as the flow state information of next net load.
11, method according to claim 1 is characterized in that present mode the match is successful or during failure, also comprises the step that discharges flow state information.
12, a kind of fexible unit of handling the segmented message pattern matching is characterized in that comprising:
Flow state information is provided with module, is used for writing down the flow state information of this each pattern of transport stream at arbitrary transport stream;
The matching treatment module is provided with module with described flow state information and is connected, and is used for according to described flow state information the segmented message execution pattern being mated;
Matching result is reported module, is used to report the matching result of matching treatment module.
13, device according to claim 12 is characterized in that described flow state information is provided with module and is provided with control unit and a plurality of matching unit; Instruction and transmission that described control unit is used to receive the matching treatment module prestore character to the matching treatment module, and dynamically change coupling start position information and coupling end position information in the matching unit; Wherein, first matching unit or arbitrary matching unit also are used for writing down the character that prestores.
14, device according to claim 13, it is characterized in that described matching unit connects according to the State Tree mode, subordinate's matching unit node is added, and is used to write down the successful coupling with its higher level's matching unit node, wherein, initialized first matching unit node is a root node.
15, device according to claim 12 is characterized in that described flow state information is provided with module and is provided with finite state machine and record cell; Described record cell is used to write down the state after described finite state machine moves, as the flow state information of next net load in the segmented message.
16,, it is characterized in that described matching treatment module comprises flow state information acquiring unit, coupling performance element and instruction sending unit according to the arbitrary described device of claim 12-15;
Described flow state information acquiring unit is used to obtain flow state information, is mated by described coupling performance element;
Described coupling performance element sends to described instruction sending unit with matching result, according to match condition and message situation of change, to described flow state information the instruction that module is sent interpolation, deletion or change flow state information is set by described instruction sending unit.
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2007100628805A CN101009660B (en) | 2007-01-19 | 2007-01-19 | Universal method and device for processing the match of the segmented message mode |
| US12/513,650 US8239341B2 (en) | 2006-12-08 | 2007-11-16 | Method and apparatus for pattern matching |
| PCT/CN2007/071080 WO2008067743A1 (en) | 2006-12-08 | 2007-11-16 | A pattern matching method and apparatus |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2007100628805A CN101009660B (en) | 2007-01-19 | 2007-01-19 | Universal method and device for processing the match of the segmented message mode |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101009660A true CN101009660A (en) | 2007-08-01 |
| CN101009660B CN101009660B (en) | 2010-06-30 |
Family
ID=38697798
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2007100628805A Active CN101009660B (en) | 2006-12-08 | 2007-01-19 | Universal method and device for processing the match of the segmented message mode |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101009660B (en) |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2008067743A1 (en) * | 2006-12-08 | 2008-06-12 | Hangzhou H3C Technologies Co., Ltd. | A pattern matching method and apparatus |
| CN101110783B (en) * | 2007-09-03 | 2011-05-04 | 中国工商银行股份有限公司 | Method for matching bank message |
| CN102184205A (en) * | 2011-04-28 | 2011-09-14 | 哈尔滨工业大学 | Multi-mode string matching algorithm based on extended precision chaos hash |
| CN103023883A (en) * | 2012-11-26 | 2013-04-03 | 清华大学 | Character string matching method based on automatic control (AC) automatic machine and suffix tree |
| CN103236940A (en) * | 2013-03-29 | 2013-08-07 | 北京星网锐捷网络技术有限公司 | Method and device for content processing and network equipment |
| CN104202206A (en) * | 2014-07-25 | 2014-12-10 | 汉柏科技有限公司 | Message processing device and method |
| CN105337932A (en) * | 2014-06-30 | 2016-02-17 | 杭州迪普科技有限公司 | WEB application protection method and device |
| CN107332839A (en) * | 2017-06-28 | 2017-11-07 | 杭州迪普科技股份有限公司 | A kind of message transmitting method and device |
| CN107545071A (en) * | 2017-09-21 | 2018-01-05 | 北京神州泰岳智能数据技术有限公司 | A kind of method and apparatus of string matching |
| CN107665464A (en) * | 2017-09-18 | 2018-02-06 | 平安科技(深圳)有限公司 | Generate method, apparatus, equipment and the computer-readable recording medium of reference message |
| CN113765877A (en) * | 2021-02-08 | 2021-12-07 | 北京沃东天骏信息技术有限公司 | Session identification method and device, electronic equipment and computer readable medium |
| CN117574178A (en) * | 2024-01-15 | 2024-02-20 | 国网湖北省电力有限公司信息通信公司 | Automatic network flow character string matching method and device based on FPGA |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040213289A1 (en) * | 2002-09-04 | 2004-10-28 | Chun-I Liu | Method and system for wakeup packet detection at Gigabit speeds |
| US7134143B2 (en) * | 2003-02-04 | 2006-11-07 | Stellenberg Gerald S | Method and apparatus for data packet pattern matching |
| CN1691581B (en) * | 2004-04-26 | 2010-04-28 | 彭诗力 | Multi-pattern matching algorithm based on characteristic value |
| CN1811776A (en) * | 2006-03-07 | 2006-08-02 | 丁光耀 | Random default substring mode matching judging and positioning method used for information inputting and retrieving |
| CN101154228A (en) * | 2006-09-27 | 2008-04-02 | 西门子公司 | Partitioned pattern matching method and device thereof |
-
2007
- 2007-01-19 CN CN2007100628805A patent/CN101009660B/en active Active
Cited By (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8239341B2 (en) | 2006-12-08 | 2012-08-07 | Hangzhou H3C Technologies Co., Ltd. | Method and apparatus for pattern matching |
| WO2008067743A1 (en) * | 2006-12-08 | 2008-06-12 | Hangzhou H3C Technologies Co., Ltd. | A pattern matching method and apparatus |
| CN101110783B (en) * | 2007-09-03 | 2011-05-04 | 中国工商银行股份有限公司 | Method for matching bank message |
| CN102184205B (en) * | 2011-04-28 | 2016-04-13 | 哈尔滨工业大学 | Based on the Multi-Pattern Matching method of easily extensible precision chaos Hash |
| CN102184205A (en) * | 2011-04-28 | 2011-09-14 | 哈尔滨工业大学 | Multi-mode string matching algorithm based on extended precision chaos hash |
| CN103023883A (en) * | 2012-11-26 | 2013-04-03 | 清华大学 | Character string matching method based on automatic control (AC) automatic machine and suffix tree |
| CN103236940A (en) * | 2013-03-29 | 2013-08-07 | 北京星网锐捷网络技术有限公司 | Method and device for content processing and network equipment |
| CN105337932A (en) * | 2014-06-30 | 2016-02-17 | 杭州迪普科技有限公司 | WEB application protection method and device |
| CN104202206A (en) * | 2014-07-25 | 2014-12-10 | 汉柏科技有限公司 | Message processing device and method |
| CN107332839A (en) * | 2017-06-28 | 2017-11-07 | 杭州迪普科技股份有限公司 | A kind of message transmitting method and device |
| CN107665464A (en) * | 2017-09-18 | 2018-02-06 | 平安科技(深圳)有限公司 | Generate method, apparatus, equipment and the computer-readable recording medium of reference message |
| CN107665464B (en) * | 2017-09-18 | 2021-05-25 | 平安科技(深圳)有限公司 | Method, device and equipment for generating credit investigation message and computer readable storage medium |
| CN107545071A (en) * | 2017-09-21 | 2018-01-05 | 北京神州泰岳智能数据技术有限公司 | A kind of method and apparatus of string matching |
| CN107545071B (en) * | 2017-09-21 | 2020-02-07 | 北京神州泰岳智能数据技术有限公司 | Method and device for matching character strings |
| CN113765877A (en) * | 2021-02-08 | 2021-12-07 | 北京沃东天骏信息技术有限公司 | Session identification method and device, electronic equipment and computer readable medium |
| CN117574178A (en) * | 2024-01-15 | 2024-02-20 | 国网湖北省电力有限公司信息通信公司 | Automatic network flow character string matching method and device based on FPGA |
| CN117574178B (en) * | 2024-01-15 | 2024-04-26 | 国网湖北省电力有限公司信息通信公司 | Automatic network flow character string matching method and device based on FPGA |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101009660B (en) | 2010-06-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101009660B (en) | Universal method and device for processing the match of the segmented message mode | |
| CN101026576B (en) | Pattern matching method and device for processing fragmented message string giving consideration to matching strategy | |
| US7630379B2 (en) | Systems and methods for improved network based content inspection | |
| US9729655B2 (en) | Managing transfer of data in a data network | |
| KR101703446B1 (en) | Network capable of detection DoS attacks and Method for controlling thereof, Gateway and Managing server comprising the network | |
| US20050240989A1 (en) | Method of sharing state between stateful inspection firewalls on mep network | |
| US8239341B2 (en) | Method and apparatus for pattern matching | |
| US9571417B2 (en) | Processing resource access request in network | |
| CN102420771B (en) | Method for increasing concurrent transmission control protocol (TCP) connection speed in high-speed network environment | |
| CN1761244A (en) | Method for setting up notification function for route selection according to border gateway protocol | |
| CN104283786B (en) | System and method for the scalability for increasing software defined network | |
| US8069469B1 (en) | Addressing security in asymmetrical networks | |
| CN102780681A (en) | URL (Uniform Resource Locator) filtering system and URL filtering method | |
| CN107580032A (en) | Data processing method, device and equipment | |
| CN102195887B (en) | Message processing method, device and network security equipment | |
| US6725218B1 (en) | Computerized database system and method | |
| US6549521B1 (en) | Methods of managing dynamic decision trees | |
| CN104836738A (en) | Router hardware item resource management method and device, and network equipment | |
| CN110933032A (en) | SSH path tracking method, system and medium | |
| CN104901829B (en) | Routing data forwarding behavior congruence verification method and device based on action coding | |
| CN102752275A (en) | Matching route generation method and related device for signature library | |
| CN105763468A (en) | Method and device for transmitting BGP update message | |
| CN101079799A (en) | A dynamic port control device based on hardware acceleration | |
| KR102226915B1 (en) | Method, apparatus and computer program for operating the flow rules database in software defined network | |
| CN102843285A (en) | Distributed link aggregation method and node for realizing same |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address | ||
| CP03 | Change of name, title or address |
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No. Patentee after: Xinhua three Technology Co., Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base Patentee before: Huasan Communication Technology Co., Ltd. |