CN101247281A - Protocol packet detecting method, system and equipment - Google Patents

Info

Publication number: CN101247281A
Authority: CN (China)
Prior art keywords: protocol message, fingerprint feature, header field, detected, header
Legal status: Pending
Application number: CN 200810026934
Other languages: Chinese (zh)
Inventor: 吴平
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN 200810026934
Publication of CN101247281A
Priority to PCT/CN2009/070837 (WO2009115034A1)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/18: Multiprotocol handlers, e.g. single devices capable of handling multiple protocols

Abstract

An embodiment of the invention discloses a method for detecting protocol messages, comprising the steps of: collecting a protocol message to be detected; obtaining the header-field fingerprint of the protocol message to be detected; and comparing that header-field fingerprint with the header-field fingerprints stored in a fingerprint library. Embodiments of the invention also disclose a communication device and a system. A fingerprint library is built from the header-field fingerprints of legal or illegal protocol messages; after a protocol message to be detected is received, its header-field fingerprint is obtained and can be compared quickly against the library, so that illegal protocol messages with tampered header fields are filtered out and prevented from attacking or deceiving the VOIP system.

Description

A method, system and device for detecting protocol messages
Technical field
The present invention relates to the field of communications, and in particular to a method, system and device for detecting protocol messages.
Background
Voice over IP (VOIP) technology carries voice services over IP. It provides a low-cost voice service and offers signaling customization to terminals, which makes it convenient to introduce new services. However, a malicious user can easily exploit this open mechanism to customize malicious signaling, and such signaling threatens the communication system.
Malicious signaling of this kind takes several forms: adding unauthorized header fields in an attempt to make the system handle the message abnormally, to carry information the system does not permit, or to make the system mistake user signaling for system signaling; deleting required header fields; repeating certain header fields many times; or adding header fields that the message does not need.
The following are typical examples of malformed messages defined in RFC4475:
Missing Required Header Fields:
    INVITE sip:user@example.com SIP/2.0
    CSeq: 193942 INVITE
    Via: SIP/2.0/UDP 192.0.2.95;branch=z9hG4bKkdj.insuf
    Content-Type: application/sdp
    l: 152

    v=0
    o=mhandley 29739 7272939 IN IP4 192.0.2.95
    s=-
    c=IN IP4 192.0.2.95
    t=0 0
    m=audio 49217 RTP/AVP 0 12
    m=video 3227 RTP/AVP 31
    a=rtpmap:31 LPC
In the message above, required header fields such as From, To and Call-ID are missing, which can constitute an attack on the system.
Multiple Values in Single Value Required Fields:
    INVITE sip:user@company.com SIP/2.0
    Contact: <sip:caller@host25.example.net>
    Via: SIP/2.0/UDP 192.0.2.25;branch=z9hG4bKkdjuw
    Max-Forwards: 70
    CSeq: 5 INVITE
    Call-ID: multi01.98asdh@192.0.2.1
    CSeq: 59 INVITE
    Call-ID: multi01.98asdh@192.0.2.2
    From: sip:caller@example.com;tag=3413415
    To: sip:user@example.com
    To: sip:other@example.net
    From: sip:caller@example.net;tag=2923420123
    Content-Type: application/sdp
    l: 154
    Contact: <sip:caller@host36.example.net>
    Max-Forwards: 5

    v=0
    o=mhandley 29739 7272939 IN IP4 192.0.2.25
    s=-
    c=IN IP4 192.0.2.25
    t=0 0
    m=audio 49217 RTP/AVP 0 12
    m=video 3227 RTP/AVP 31
    a=rtpmap:31 LPC
In the message above, header fields such as Call-ID, To, From, Max-Forwards and CSeq are repeated, which constitutes an attack on the system.
The current way of handling this class of malformed-message attack is generally to add decision logic to the protocol stack: a maximum header-field length is set that must not be exceeded, and the set of all legal header fields is stored. After a message is received, it is checked for any header field that does not appear in the set of legal header fields; if one exists, the message is judged to be a malformed message and not a legal one. A maximum number of repetitions is set for each class of header field; for example, the VIA header field may appear at most N times, and if the VIA header field appears more than N times the message is judged to be a malformed message and not a legal one. With this method, a received message is considered illegal when required data cannot be obtained from it or when non-required header fields are found to be repeated. However, a prior-art communication system has to apply this logic one by one to the different header fields of the data a terminal sends, so illegal data is filtered inefficiently; the relationships between header fields are also analysed by decision logic, a fairly complex process that makes it difficult to filter illegal messages effectively. When the decision logic needs to change, a system software upgrade may be required, which hinders the development of the whole communication system.
Summary of the invention
Embodiments of the invention provide a method, system and device for detecting protocol messages. A fingerprint library is built from legal protocol messages, and protocol messages collected from the network are compared against it by fingerprint to judge quickly whether a given protocol message is illegal.
To solve the technical problem described above, an embodiment of the invention proposes a method for detecting protocol messages, the method comprising:
Collecting a protocol message to be detected;
Obtaining the header-field fingerprint of the protocol message to be detected;
Comparing the header-field fingerprint of the protocol message to be detected with the header-field fingerprints of the protocol messages in the stored fingerprint library.
Correspondingly, an embodiment of the invention also proposes a communication device, the communication device comprising:
A storage module, used to store the fingerprint library built from the header-field fingerprints of legal or illegal protocol messages;
A collection module, used to collect the protocol message to be detected;
A processing module, used to obtain the header-field fingerprint of the protocol message to be detected that the collection module collected;
A detection module, used to compare the header-field fingerprint obtained by the processing module with the header-field fingerprint library in the storage module.
Correspondingly, an embodiment of the invention also proposes a network system comprising one or more network transmission ports and a network device connected to the network transmission ports, the network transmission ports being used to transmit data messages;
The network device is used to inspect the data messages on the network transmission ports: it collects the protocol message to be detected on a network transmission port, obtains the header-field fingerprint of that message, and compares it with the header-field fingerprints of the protocol messages in the stored fingerprint library.
In embodiments of the invention, a fingerprint library is built from the header-field fingerprints of protocol messages. After a protocol message to be detected is collected, its header-field fingerprint is obtained and can be compared quickly with the fingerprints in the library, so that illegal protocol messages with tampered header fields are filtered out and prevented from attacking or deceiving the VOIP system.
Description of the drawings
Fig. 1 shows the communication device used by the protocol message detection method in an embodiment of the invention;
Fig. 2 is a flow chart of building the fingerprint database in an embodiment of the invention;
Fig. 3 is a flow chart of the protocol message detection method in an embodiment of the invention.
Embodiment
Embodiments of the invention provide a method, system and device for detecting protocol messages. A fingerprint library is built from protocol messages, and protocol messages collected from the network are compared against it by fingerprint to judge quickly whether a given protocol message is illegal.
The preferred embodiments of the invention are described in detail below with reference to the drawings.
Referring first to Fig. 1, which shows the message detection communication device in an embodiment of the invention, the communication device comprises a collection module 11, a detection module 14, a processing module 13 and a storage module 12, wherein: the collection module 11 is used to collect the protocol message to be detected; the processing module 13 is used to obtain the header-field fingerprint of the protocol message to be detected that the collection module 11 collected; the storage module 12 is used to store the fingerprint library built from the header-field fingerprints of protocol messages, this library being built either from the header-field fingerprints of illegal protocol messages or from the header-field fingerprints of legal protocol messages; the detection module 14 is used to compare the header-field fingerprint of the protocol message to be detected, as obtained by the processing module, with the header-field fingerprints of the protocol messages in the storage module.
Correspondingly, after the detection module 14 detects an illegal protocol message, the message can be filtered. The communication device therefore also includes a filtering module 15, which filters the protocol message when, during the comparison by the detection module 14, no header-field fingerprint of a legal protocol message matching that of the protocol message to be detected can be found in the storage module 12, or a header-field fingerprint of an illegal protocol message matching that of the protocol message to be detected is found in the fingerprint library.
The processing module 13 further comprises a normalization unit 131, a first acquisition unit 132, a second acquisition unit 133, an equivalence processing unit 134 and a hash processing unit 135, wherein: the normalization unit 131 is used to normalize into byte form the code stream of the protocol message to be detected that the collection module 11 collected; the first acquisition unit 132 is used to obtain the content of the protocol message to be detected from the message normalized by the normalization unit 131; the second acquisition unit 133 is used to obtain the protocol message header fields from the content obtained by the first acquisition unit 132; the equivalence processing unit 134 is used to perform equivalence processing on the header fields obtained by the second acquisition unit 133; the hash processing unit 135 is used to hash the header fields after equivalence processing by the equivalence processing unit 134. Note that the storage module 12 can also be implemented by a device separate from the communication device, dedicated to collecting and managing header-field fingerprints and providing the comparison for the communication device's detection process.
The communication device for the protocol message detection method is deployed in a VOIP network system and is connected, through the transmission ports of the network system, to terminal devices, communication gateways and the like. The communication device inspects the data messages on those network transmission ports, for example messages of text protocols such as SIP, MGCP or H.248. The implementation of the protocol message detection method in an embodiment of the invention is described in detail below with reference to Fig. 1. Fig. 2 shows the flow chart for building the fingerprint database from the header fields of legal protocol messages in an embodiment of the invention; SIP is used as the example, and the steps are as follows:
Step S201: collect legal protocol messages;
Receive the binary code stream of legal SIP messages. When a SIP message is fragmented, one of two collection strategies can be used. Under the loose strategy, only the first fragment of the SIP message is collected and the header-field fingerprint is obtained from the first fragment alone. Under the strict strategy, the fragments are buffered first, and the header-field fingerprint is obtained only once the whole message has been collected.
Step S202: normalize the code stream of the collected legal protocol messages into byte form;
After the legal protocol messages have been collected, the binary SIP message code stream to be analysed is normalized into bytes (8 consecutive bits each).
The whole process is illustrated below using a legal SIP message given in RFC4475. After S201 and S202, the following message is obtained:
    INVITE sip:joe@example.com SIP/2.0
    t: sip:joe@example.com
    From: sip:caller@example.net;tag=141334
    Max-Forwards: 8
    Call-ID: dblreq.0ha0isnda977644900765@192.0.2.15
    CSeq: 8 INVITE
    Via: SIP/2.0/UDP 192.0.2.15;branch=z9hG4bKkdjuw380234
    Content-Type: application/sdp
    Content-Length: 150

    v=0
    o=mhandley 29739 7272939 IN IP4 192.0.2.15
    s=-
    c=IN IP4 192.0.2.15
    t=0 0
    m=audio 49217 RTP/AVP 0 12
    m=video 3227 RTP/AVP 31
    a=rtpmap:31 LPC
Step S203: obtain the legal protocol message content from the normalized message;
Search for the byte sequence "0D 0A 0D 0A"; everything after it is discarded without processing. The sequence "0D 0A 0D 0A" is the end mark of the SIP message, and what follows it is the message of another protocol such as the Session Description Protocol (SDP).
After S203 the SDP part has been dropped, and the message obtained is as follows:
    INVITE sip:joe@example.com SIP/2.0
    t: sip:joe@example.com
    From: sip:caller@example.net;tag=141334
    Max-Forwards: 8
    Call-ID: dblreq.0ha0isnda977644900765@192.0.2.15
    CSeq: 8 INVITE
    Via: SIP/2.0/UDP 192.0.2.15;branch=z9hG4bKkdjuw380234
    Content-Type: application/sdp
    Content-Length: 150
Step S204: obtain the protocol message header fields from the legal protocol message content;
Search for the first byte "20". SIP specifies that the content from the start of the message up to the byte "20" describes the method of the SIP message; the byte "20" is the space character in the SIP message. The string from the start of the legal protocol message content up to the byte "20" is extracted.
This step yields the string INVITE.
A1: in the message content obtained in S203, mark the first sequence "0D 0A" as Header[pointer], where pointer is a variable, initially pointer=1;
A2: search for the next sequence "0D 0A" and mark it as Header[pointer+1]; find the first byte "3A" between Header[pointer] and Header[pointer+1], and extract the string between Header[pointer] and that byte "3A", where "3A" is the colon that follows the header field name;
A3: after the string between Header[pointer] and the byte "3A" has been obtained, search for the next sequence "0D 0A", mark it as Header[pointer+1+1], and repeat A2 and A3 until no further sequence "0D 0A" can be found;
Looping through A2 and A3 yields the header fields in turn: t, From, Max-Forwards, Call-ID, CSeq, Via, Content-Type, Content-Length.
A4: step S205 is carried out on the extracted strings.
Step S205: perform equivalence processing on the header fields obtained;
Some of the header fields obtained above are equivalent to one another, differing only in letter case or in the use of the abbreviated form: "VIA", "v" and "via" are all equivalent. In practice these equivalent header fields need to be mapped to a single form for processing; for example, the different header fields "VIA", "v" and "via" are all mapped to "VIA".
After S205, the following string is obtained: "INVITETOFROMMAX-FORWARDSCALL-IDCSEQVIACONTENT-TYPECONTENT-LENGTH".
Step S206: hash the header fields after equivalence processing;
Hashing reduces the size of the fingerprint library and makes feature comparison more efficient.
With a specific hash algorithm, the string above can be mapped to an L-bit stream (assumed here to be 32 bits). As can be seen, after hashing, the amount of feature data is only about 6% of what it would be without hashing.
Step S207: build the fingerprint library from the hashed protocol header information.
To build the fingerprint library, all legal SIP messages need to be collected, the fingerprints in those SIP messages obtained, and the fingerprints saved in the library. The library may hold fingerprints of legal messages that are statically configured in the system, or the fingerprints may be generated dynamically by some method. The method above produces a fingerprint library of legal protocol messages, which is stored in the communication device that performs protocol message detection. The library can also be stored remotely in a corresponding service device rather than in the communication device that performs detection, so that a dedicated device collects the fingerprints of legal protocol messages and provides the comparison for the communication device that performs detection.
The flow chart of the protocol message detection method is described in detail below with reference to Fig. 3; SIP is again used as the example, and the steps are as follows:
Step S301: collect the protocol message to be detected;
Receive the binary code stream of the SIP message to be detected. When a SIP message is fragmented, one of two collection strategies can be used. Under the loose strategy, only the first fragment of the SIP message is collected and the header-field fingerprint is obtained from the first fragment alone. Under the strict strategy, the fragments are buffered first, and the header-field fingerprint is obtained only once the whole message has been collected.
Step S302: normalize the code stream of the collected protocol message to be detected into byte form;
After the protocol message to be detected has been collected, the binary SIP message code stream to be analysed is normalized into bytes (8 consecutive bits each).
Step S303: obtain the content of the protocol message to be detected from the normalized message;
Search for the byte sequence "0D 0A 0D 0A"; everything after it is discarded without processing. The sequence "0D 0A 0D 0A" is the end mark of the SIP message, and may be followed by the message of another protocol such as SDP.
Step S304: obtain the protocol message header fields from the content of the protocol message to be detected;
Search for the first byte "20". SIP specifies that the content from the start of the message up to the byte "20" describes the method of the SIP message; the byte "20" is the space character in the SIP message. The string from the start of the content of the protocol message to be detected up to the byte "20" is extracted.
B1: in the message content obtained in S303, mark the first sequence "0D 0A" as Header[pointer], where pointer is a variable, initially pointer=1;
B2: search for the next sequence "0D 0A" and mark it as Header[pointer+1]; find the first byte "3A" between Header[pointer] and Header[pointer+1], and extract the string between Header[pointer] and that byte "3A";
B3: after the string between Header[pointer] and the byte "3A" has been obtained, search for the next sequence "0D 0A", mark it as Header[pointer+1+1], and repeat B2 and B3 until no further sequence "0D 0A" can be found;
B4: step S205 is carried out on the extracted strings.
Step S305: perform equivalence processing on the header fields obtained;
Some of the header fields obtained above are equivalent to one another, differing only in letter case or in the use of the abbreviated form: "VIA", "v" and "via" are all equivalent. In practice these equivalent header fields need to be mapped to a single form for processing; for example, the different header fields "VIA", "v" and "via" are all mapped to "VIA".
Step S306: hash the header fields after equivalence processing;
Hashing reduces the size of the fingerprint library and makes feature comparison more efficient.
Step S307: compare the header-field fingerprint of the protocol message to be detected with the header-field fingerprints of legal messages in the fingerprint library;
Step S308: determine whether the protocol message to be detected is an illegal protocol message; if so, go to step S309; otherwise go to step S310 and continue with normal processing;
Step S309: when the protocol message to be detected is found to be an illegal protocol message, filter it;
Step S310: end.
In the comparison of steps S307 and S308, if a matching header-field fingerprint of a legal message is found, the protocol message to be detected is a legal protocol message and normal processing continues; if no matching header-field fingerprint of a legal message is found, the protocol message to be detected is an illegal protocol message and the system needs to filter it accordingly.
Following the flow of Fig. 3, the fingerprint of the protocol message to be detected, obtained with the hash algorithm, is compared with the fingerprints of the legal protocol messages in the fingerprint library. If an identical fingerprint exists, the message is allowed through; otherwise the system treats the protocol message to be detected as an illegal protocol message, and can filter it by discarding it and raising the related alarm, writing a log record, starting dynamic protective measures, and so on.
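The library-building steps S201-S207 and the detection steps S301-S309, as an added Python example that is not code from the patent. CRC-32 stands in for the unspecified "specific hash algorithm", the compact-form table comes from RFC 3261, and the function names, the folded Via line in EQUIVALENT and the shortened header values in REPEATED are constructed for illustration.

```python
import zlib

# RFC 3261 compact header names mapped to one canonical spelling (S205/S305).
COMPACT = {
    b"I": b"CALL-ID", b"M": b"CONTACT", b"E": b"CONTENT-ENCODING",
    b"L": b"CONTENT-LENGTH", b"C": b"CONTENT-TYPE", b"F": b"FROM",
    b"S": b"SUBJECT", b"K": b"SUPPORTED", b"T": b"TO", b"V": b"VIA",
}

def canonical_header_string(raw: bytes) -> bytes:
    """S203-S205: method followed by the canonical header names, in order."""
    # S203: discard everything after the first 0D 0A 0D 0A (the SDP body).
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    # S204: the method is the start line up to the first space (0x20).
    parts = [lines[0].split(b" ", 1)[0].upper()]
    for line in lines[1:]:
        # A line that starts with SP/HT is a folded continuation of the
        # previous header, not a new header, even if it contains a colon.
        if not line or line[:1] in (b" ", b"\t"):
            continue
        name, colon, _ = line.partition(b":")  # first 0x3A ends the name
        if not colon:
            continue
        name = name.strip().upper()            # S205: ignore letter case
        parts.append(COMPACT.get(name, name))  # S205: compact == long form
    # Concatenated without separators, as in the page's S205 result.
    return b"".join(parts)

def fingerprint(raw: bytes) -> int:
    """S206: map the canonical string to 32 bits (CRC-32 is an assumption)."""
    return zlib.crc32(canonical_header_string(raw)) & 0xFFFFFFFF

def build_library(legal_messages) -> set:
    """S207: the library is the set of fingerprints of known-legal messages."""
    return {fingerprint(m) for m in legal_messages}

def is_legal(raw: bytes, library: set) -> bool:
    """S307-S308, allowlist mode: an unknown fingerprint is filtered (S309)."""
    return fingerprint(raw) in library

def sample(head_lines, ip: str) -> bytes:
    """Constructed input: header lines plus the SDP body used on the page."""
    body = ["v=0", f"o=mhandley 29739 7272939 IN IP4 {ip}", "s=-",
            f"c=IN IP4 {ip}", "t=0 0", "m=audio 49217 RTP/AVP 0 12",
            "m=video 3227 RTP/AVP 31", "a=rtpmap:31 LPC"]
    text = "\r\n".join(head_lines) + "\r\n\r\n" + "\r\n".join(body) + "\r\n"
    return text.encode("ascii")

# The legal INVITE walked through in S201-S207.
LEGAL = sample([
    "INVITE sip:joe@example.com SIP/2.0",
    "t: sip:joe@example.com",
    "From: sip:caller@example.net;tag=141334",
    "Max-Forwards: 8",
    "Call-ID: dblreq.0ha0isnda977644900765@192.0.2.15",
    "CSeq: 8 INVITE",
    "Via: SIP/2.0/UDP 192.0.2.15;branch=z9hG4bKkdjuw380234",
    "Content-Type: application/sdp",
    "Content-Length: 150",
], "192.0.2.15")

# Same header set with different case, compact forms and a folded Via line
# (the port ":5060" is a constructed value that puts a colon in the fold).
EQUIVALENT = sample([
    "INVITE sip:joe@example.com SIP/2.0",
    "To: sip:joe@example.com",
    "f: sip:caller@example.net;tag=141334",
    "max-forwards: 8",
    "i: dblreq.0ha0isnda977644900765@192.0.2.15",
    "CSEQ: 8 INVITE",
    "v: SIP/2.0/UDP",
    " 192.0.2.15:5060;branch=z9hG4bKkdjuw380234",
    "c: application/sdp",
    "l: 150",
], "192.0.2.15")

# "Missing Required Header Fields" example from the Background section.
MISSING_REQUIRED = sample([
    "INVITE sip:user@example.com SIP/2.0",
    "CSeq: 193942 INVITE",
    "Via: SIP/2.0/UDP 192.0.2.95;branch=z9hG4bKkdj.insuf",
    "Content-Type: application/sdp",
    "l: 152",
], "192.0.2.95")

# Header names of the "Multiple Values" example; values shortened to "x".
REPEATED = sample(
    ["INVITE sip:user@company.com SIP/2.0"] + [f"{n}: x" for n in (
        "Contact", "Via", "Max-Forwards", "CSeq", "Call-ID", "CSeq",
        "Call-ID", "From", "To", "To", "From", "Content-Type", "l",
        "Contact", "Max-Forwards")],
    "192.0.2.25")

if __name__ == "__main__":
    library = build_library([LEGAL])
    for msg in (LEGAL, EQUIVALENT, MISSING_REQUIRED, REPEATED):
        verdict = "pass" if is_legal(msg, library) else "filter"
        print(f"{fingerprint(msg):08x} {verdict}")
```

The fingerprint depends on header order and is only 32 bits wide, so a legal message whose headers arrive in a different order needs its own library entry, and unrelated header sets can collide on the same value.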
Note that the fingerprint library used for comparison can also be built by collecting the header-field fingerprints of illegal protocol messages. In that case, finding a matching header-field fingerprint during comparison indicates that the protocol message to be detected is an illegal protocol message and needs to be handled accordingly; the implementation is much the same as the flow above and is not repeated here. The detection of protocol message header fields is also not limited to the header fields of SIP messages: protocol messages that have the same header-field format as SIP messages can use the described method for detection, and are not described one by one here.
In summary, in embodiments of the invention a corresponding fingerprint library can first be built from legal or illegal protocol messages. After a protocol message to be detected is collected, its header-field fingerprint is obtained and can be compared quickly with the fingerprints in the library, so that illegal protocol messages with tampered header fields are filtered out and prevented from attacking or deceiving the VOIP system.
What is disclosed above is only a preferred embodiment of the invention and of course cannot be used to limit the scope of the rights of the invention; equivalent variations made according to the claims of the invention therefore still fall within the scope covered by the invention.

Claims (12)

1, a kind of detection method of protocol massages is characterized in that, this method comprises:
Collect protocol massages to be detected;
Obtain the title head fingerprint characteristic of described protocol massages to be detected;
The title head fingerprint characteristic of the protocol massages in the fingerprint characteristic storehouse of the title head fingerprint characteristic of described protocol massages to be detected and storage is compared detection.
2, the detection method of protocol massages as claimed in claim 1 is characterized in that,
For the title head fingerprint characteristic of legal or illegal protocol massages is set up the fingerprint characteristic storehouse, and the fingerprint characteristic storehouse of storage foundation.
3, the detection method of protocol massages as claimed in claim 2 is characterized in that, described title head fingerprint characteristic for legal or illegal protocol massages is set up fingerprint characteristic storehouse step and is specially:
Collect legal or illegal protocol massages;
Obtain the title head fingerprint characteristic of described legal or illegal protocol massages;
The described title head fingerprint characteristic that obtains is stored in the fingerprint characteristic storehouse.
4, the detection method of protocol massages as claimed in claim 3 is characterized in that, the protocol massages that described collection is legal or illegal or collect protocol massages to be detected and be specially:
When protocol massages generation burst situation, collect protocol massages by loose strategy or strict strategy.
5, the detection method of protocol massages as claimed in claim 4 is characterized in that, described title head fingerprint characteristic or the described title head fingerprint characteristic step of obtaining described protocol massages to be detected of obtaining described legal or illegal protocol massages is specially:
Code stream to described legal or illegal protocol massages that obtains or described protocol massages to be detected is regular by the byte form;
Obtain protocol massages content perhaps to be detected in the legal or illegal protocol massages in the protocol massages after regular;
Obtain the protocol massages title head in the protocol massages content perhaps to be detected in the legal or illegal protocol massages;
The protocol massages title head that obtains is carried out equivalent processes;
Protocol massages title head after parity price is handled carries out Hash to be handled.
6, the detection method of protocol massages as claimed in claim 5 is characterized in that, describedly the protocol massages title head that obtains is carried out equivalent processes is specially:
Capital and small letter character or abbreviated character to protocol massages title head are considered as same protocol massages title head.
7, the detection method of protocol massages as claimed in claim 6 is characterized in that, described method also comprises:
When if contrast detects, in described fingerprint characteristic storehouse, can not find the title head fingerprint characteristic of the legal protocol massages that the title head fingerprint characteristic with protocol massages to be detected is complementary or in described fingerprint characteristic storehouse, find the title head fingerprint characteristic of the illegal agreement message that is complementary with protocol massages title head fingerprint characteristic to be detected, then described protocol massages to be detected is carried out filtration treatment.
8. A communication device, characterized in that the communication device comprises:
A storage module, configured to store the fingerprint feature library built from the header fingerprint features of legitimate or illegitimate protocol messages;
An acquisition module, configured to collect the protocol message to be detected;
A processing module, configured to obtain the header fingerprint feature of the protocol message to be detected collected by the acquisition module;
A detection module, configured to compare the header fingerprint feature of the protocol message to be detected, obtained by the processing module, against the header fingerprint feature library in the storage module.
9. The communication device of claim 8, characterized in that the processing module comprises:
A normalization processing unit, configured to normalize into byte format the code stream of the protocol message to be detected collected by the acquisition module;
A first acquiring unit, configured to obtain the content of the protocol message to be detected from the protocol message normalized by the normalization unit;
A second acquiring unit, configured to obtain the protocol message header from the protocol message content obtained by the first acquiring unit;
An equivalence processing unit, configured to perform equivalence processing on the protocol message header obtained by the first acquiring unit;
A hash processing unit, configured to perform hash processing on the protocol message header after equivalence processing by the equivalence processing unit, generating the header fingerprint feature.
10. The communication device of claim 9, characterized in that the communication device further comprises a filtering module, configured to filter the protocol message to be detected when, during comparison by the detection unit, no header fingerprint feature of a legitimate protocol message matching the header fingerprint feature of the protocol message to be detected can be found in the storage module, or a header fingerprint feature of an illegitimate protocol message matching the header fingerprint feature of the protocol message to be detected is found in the fingerprint feature library.
11. A network system, characterized by comprising at least one network transmission port and a network device connected to the network transmission port, wherein:
The network transmission port is configured to transmit data messages;
The network device is configured to perform message detection on the data messages on the network transmission port: to collect the protocol message to be detected on the network transmission port, obtain the header fingerprint feature of the protocol message to be detected, and compare the header fingerprint feature of the protocol message to be detected against the header fingerprint features of the protocol messages in the stored fingerprint feature library.
12. The network system of claim 11, characterized in that the network transmission port is connected to a communication terminal or a communication gateway and transmits the data messages of the communication terminal or communication gateway.
CN 200810026934 2008-03-21 2008-03-21 Protocol packet detecting method, system and equipment Pending CN101247281A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN 200810026934 CN101247281A (en) 2008-03-21 2008-03-21 Protocol packet detecting method, system and equipment
PCT/CN2009/070837 WO2009115034A1 (en) 2008-03-21 2009-03-17 Method, system and apparatus for detecting protocol message

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200810026934 CN101247281A (en) 2008-03-21 2008-03-21 Protocol packet detecting method, system and equipment

Publications (1)

Publication Number Publication Date
CN101247281A true CN101247281A (en) 2008-08-20

Family

ID=39947507

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200810026934 Pending CN101247281A (en) 2008-03-21 2008-03-21 Protocol packet detecting method, system and equipment

Country Status (2)

Country Link
CN (1) CN101247281A (en)
WO (1) WO2009115034A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112989315B (en) * 2021-02-03 2023-03-24 杭州安恒信息安全技术有限公司 Fingerprint generation method, device and equipment for terminal of Internet of things and readable storage medium
CN113114663B (en) * 2021-04-08 2022-10-11 北京威努特技术有限公司 Judgment method and device based on message scanning behavior
CN113676466B (en) * 2021-08-11 2023-06-16 中国人民银行数字货币研究所 Network security detection method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100484029C (en) * 2005-04-06 2009-04-29 阿拉克斯拉网络株式会社 Network controller, network control system and network control method
CN101167079B (en) * 2006-03-29 2010-11-17 日本三菱东京日联银行股份有限公司 User affirming device and method
CN100493094C (en) * 2006-08-25 2009-05-27 清华大学 P2P data message detection method based on character code
CN101247281A (en) * 2008-03-21 2008-08-20 华为技术有限公司 Protocol packet detecting method, system and equipment

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009115034A1 (en) * 2008-03-21 2009-09-24 华为技术有限公司 Method, system and apparatus for detecting protocol message
CN102413007A (en) * 2011-10-12 2012-04-11 上海奇微通讯技术有限公司 Deep packet inspection method and equipment
CN102413007B (en) * 2011-10-12 2014-03-26 上海奇微通讯技术有限公司 Deep packet inspection method and equipment
CN106407350A (en) * 2016-09-05 2017-02-15 广州视睿电子科技有限公司 Error log information filtering method and device
CN106792712B (en) * 2017-02-26 2020-04-03 上海交通大学 Automatic monitoring framework system for SIP (Session initiation protocol) of VoLTE (Voice over Long term evolution) equipment
CN106792712A (en) * 2017-02-26 2017-05-31 上海交通大学 For the automatic monitoring framework system of the Session Initiation Protocol of VoLTE equipment
CN107276995A (en) * 2017-06-05 2017-10-20 广西荣中科技有限责任公司 A kind of communication system
CN110198290A (en) * 2018-03-14 2019-09-03 腾讯科技(深圳)有限公司 A kind of information processing method, unit and storage medium
CN110198290B (en) * 2018-03-14 2021-11-19 腾讯科技(深圳)有限公司 Information processing method, equipment, device and storage medium
CN110875918A (en) * 2018-12-06 2020-03-10 北京安天网络安全技术有限公司 Trojan communication behavior detection method and device and electronic equipment
CN110875918B (en) * 2018-12-06 2022-02-11 北京安天网络安全技术有限公司 Trojan communication behavior detection method and device and electronic equipment
CN114401147A (en) * 2022-01-20 2022-04-26 山西晟视汇智科技有限公司 New energy power station communication message comparison method and system based on abstract algorithm
CN114401147B (en) * 2022-01-20 2024-02-20 山西晟视汇智科技有限公司 New energy power station communication message comparison method and system based on abstract algorithm

Also Published As

Publication number Publication date
WO2009115034A1 (en) 2009-09-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20080820