CN102075512A - Method and device for decoding network protocol - Google Patents

Method and device for decoding network protocol

Info

Publication number
CN102075512A
Authority: CN (China)
Prior art keywords: data, protocol, state, decoding, jump
Application number: CN2010105329036A
Other languages: Chinese (zh)
Inventors: 么刚, 张涛, 韩鹏
Original assignee: 北京神州绿盟信息安全科技股份有限公司
Application filed by 北京神州绿盟信息安全科技股份有限公司
Priority to CN2010105329036A
Publication of CN102075512A


Abstract

The invention relates to a method and a decoder for decoding application layer network protocol packets. Each application layer network protocol packet comprises a plurality of data fragment groups. The method comprises the following steps: (a) extracting the data in the first data fragment group of the application layer network protocol packet and, taking the extracted data as input, jumping to a first intermediate state while performing the corresponding protocol decoding; (b) extracting the data in the next data fragment group of the packet and, taking the extracted data as input, jumping to the next intermediate state while performing the corresponding protocol decoding; and (c) repeating step (b) in turn for the remaining data fragment groups of the packet until the end state is reached. All data received from the lower-layer module can therefore be supplied to the decoder without reassembly, so that the data integration module of conventional decoding schemes can be removed and the module design of a network intrusion detection device is simplified.

Description

Network protocol decoder and decoding method

Technical field

[0001] The present invention relates generally to network protocol decoding, and more specifically to a network protocol decoder and a decoding method.

Background art

[0002] With the emergence and spread of Web 2.0/3.0, online audio and video, peer-to-peer (P2P) file sharing, social networking sites (SNS) and other network services, network traffic has grown rapidly. Network devices therefore have to perform heavy network protocol decoding work, which poses new challenges to their processing capacity. How to keep increasing the processing capacity of network devices has become a focus of attention for every vendor.

[0003] A typical example is the challenge faced by gateway-level intrusion detection systems (IDS) and intrusion prevention systems (IPS). The surge in network traffic places an enormous processing load on IDS/IPS and similar network devices. The performance of the core module of such devices, the application layer network protocol decoding module, largely determines the performance of the whole IDS/IPS product. The application layer protocol decoding modules of current mainstream IDS/IPS products can decode correctly only after a complete application layer packet has been received. A conventional application layer protocol decoding module therefore has to be preceded by a data integration module that reassembles the data.

[0004] FIG. 1 is a schematic diagram of a conventional network intrusion detection device. As shown in FIG. 1, data from the external network is processed by the lower layers (for example, the TCP/IP layer), and the resulting data fragments pass through a data integration module that reassembles them into complete packets. The application layer network protocol decoding module decodes the complete packet and supplies the decoded result to other modules. Reassembly is itself a buffering and copying operation, and large amounts of redundant buffering and copying reduce system performance. Under very heavy network traffic in particular, the effect of these frequent buffer-and-copy operations on performance is fatal.

Summary of the invention

[0005] An object of the present invention is to solve at least the problems noted above.

[0006] According to one aspect of the present invention, a method for decoding application layer network protocol packets is provided. Each application layer network protocol packet comprises a plurality of data fragment groups. The method comprises:

[0007] a) extracting the data in the first data fragment group of the application layer network protocol packet and, taking the extracted data as input, jumping to a first intermediate state while performing the corresponding protocol decoding;

[0008] b) extracting the data in the next data fragment group of the application layer network protocol packet and, taking the extracted data as input, jumping to the next intermediate state while performing the corresponding protocol decoding;

[0009] c) repeating step b) in turn for the remaining data fragment groups of the application layer network protocol packet until the end state is reached.

[0010] Each data fragment group of the application layer network protocol packet may correspond to a part of the message defined by the application layer network protocol.

[0011] Each of steps a) and b) may comprise:

[0012] d) extracting the data in the first subgroup of the data fragment group and, taking the extracted data as input, jumping to a first sub-intermediate state while performing the corresponding protocol decoding;

[0013] e) extracting the data in the next subgroup of the data fragment group and, taking the extracted data as input, jumping to the next sub-intermediate state while performing the corresponding protocol decoding;

[0014] f) repeating step e) in turn for the remaining subgroups of the data fragment group until the sub-end state is reached.

[0015] Each subgroup may correspond to one character or one field of the message defined by the application layer network protocol.

[0016] The method may further comprise: jumping to an abnormal state if the extracted data does not conform to the message format defined by the application layer network protocol. The method may further comprise: saving a state number that identifies each intermediate state or sub-intermediate state.

[0017] The application layer network protocol may include at least the Hypertext Transfer Protocol HTTP, the File Transfer Protocol FTP, the Trivial File Transfer Protocol TFTP, the Telnet protocol, the Simple Mail Transfer Protocol SMTP, the POP3 protocol, the secure Hypertext Transfer Protocol HTTPS, and application program protocols.

[0018] The method may be performed on an intrusion detection system IDS or an intrusion prevention system IPS.

[0019] The intermediate states and the end state may be defined according to the message format specified by the application layer network protocol.

[0020] According to another aspect of the present invention, a decoder for decoding application layer network protocol packets is provided. Each application layer network protocol packet comprises a plurality of data fragment groups. The decoder comprises:

[0021] decoding means; and

[0022] jump means, wherein the decoding means and the jump means are configured such that:

[0023] the decoding means extracts the data in the first data fragment group of the application layer network protocol packet, and the jump means, taking the extracted data as input, jumps to a first intermediate state while the decoding means performs the corresponding protocol decoding;

[0024] the decoding means extracts the data in the next data fragment group of the application layer network protocol packet, and the jump means, taking the extracted data as input, jumps to the next intermediate state while the decoding means performs the corresponding protocol decoding;

[0025] the decoding means and the jump means repeat the above operations in turn for the remaining data fragment groups of the application layer network protocol packet until the end state is reached.

[0026] Each data fragment group of the application layer network protocol packet may correspond to a part of the message defined by the application layer network protocol.

[0027] The decoding means and the jump means may further be configured such that:

[0028] the decoding means extracts the data in the first subgroup of the data fragment group, and the jump means, taking the extracted data as input, jumps to a first sub-intermediate state while the decoding means performs the corresponding protocol decoding;

[0029] the decoding means extracts the data in the next subgroup of the data fragment group, and the jump means, taking the extracted data as input, jumps to the next sub-intermediate state while the decoding means performs the corresponding protocol decoding;

[0030] the decoding means and the jump means repeat the above decoding and jump operations in turn for the remaining subgroups of the data fragment group until the sub-end state is reached.

[0031] Each subgroup may correspond to one character or one field of the message defined by the application layer network protocol.

[0032] The jump means may be configured to jump to an abnormal state if the extracted data does not conform to the message format defined by the application layer network protocol.

[0033] The decoder may further comprise storage means for saving a state number that identifies each intermediate state or sub-intermediate state.

[0034] The application layer network protocol may include at least the Hypertext Transfer Protocol HTTP, the File Transfer Protocol FTP, the Trivial File Transfer Protocol TFTP, the Telnet protocol, the Simple Mail Transfer Protocol SMTP, the POP3 protocol, the secure Hypertext Transfer Protocol HTTPS, and application program protocols.

[0035] The intermediate states and the end state may be defined according to the message format specified by the application layer network protocol.

[0036] The decoder may be implemented on an intrusion detection system IDS or an intrusion prevention system IPS.

[0037] According to a further aspect of the present invention, an intrusion detection system/intrusion prevention system device comprising the aforementioned decoder is provided.

Brief description of the drawings

[0038] The present invention, together with its objects and advantages, will be better understood from the following description with reference to the accompanying drawings, in which:

[0039] FIG. 1 is a schematic diagram of a conventional network intrusion detection device;

[0040] FIG. 2 is a schematic diagram of the top-level decoding state machine for an HTTP request message;

[0041] FIG. 3 is a schematic diagram of the state machine for the start-line part of an HTTP request message;

[0042] FIG. 4 is a schematic diagram of the state machine for the message-header part of an HTTP request message;

[0043] FIG. 5 is a schematic diagram of the state machine for the Method in the start-line part of an HTTP request message;

[0044] FIG. 6 is a schematic diagram of the state machine for FTP command messages;

[0045] FIG. 7 is a schematic diagram of the method state machine for FTP command messages;

[0046] FIG. 8 is a schematic diagram of the parameter state machine for FTP command messages;

[0047] FIG. 9 is a schematic diagram of the state machine for FTP response messages;

[0048] FIGS. 10A and 10B are schematic flowcharts of a decoding method according to an embodiment of the present invention;

[0049] FIG. 11 is a schematic block diagram of a decoder according to an embodiment of the present invention; and

[0050] FIG. 12 is a schematic diagram of a network intrusion detection device according to an embodiment of the present invention.

Detailed description

[0051] Before the embodiments are described in detail, it should be understood that the present invention is not limited to the particular components of the devices or the processing steps of the methods described, because such devices and methods may vary. It should also be understood that the terminology used here is only for the purpose of describing particular embodiments and is not intended to be limiting. It must be noted that the singular forms "a", "another", "the" and "said" used in the specification and claims may also include the plural unless the context clearly indicates otherwise. Thus, for example, the term "device" may refer to one or more devices.

[0052] Unless otherwise defined, the terms used here (including technical and scientific terms) have the same meaning as commonly understood by a person of ordinary skill in the art to which the present invention belongs. It will further be understood that the terms used here should be interpreted as having a meaning consistent with their meaning in the context of this specification and the relevant art, and will not be interpreted in an idealized or overly formal sense unless expressly so defined here.

[0053] The present invention is described below with reference to block diagrams and/or flowcharts of methods, apparatus (systems) and/or computer program products according to embodiments of the present invention. It should be understood that each block of the block diagrams and/or flowchart illustrations, and combinations of such blocks, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, a special purpose computer and/or other programmable data processing apparatus to produce a machine, such that the instructions, when executed via the computer processor and/or other programmable data processing apparatus, create means for implementing the functions/acts specified in the block diagram and/or flowchart block or blocks.

[0054] Accordingly, the present invention may also be implemented in hardware and/or software (including firmware, resident software, microcode, etc.). Furthermore, the present invention may take the form of a computer program product on a computer-usable or computer-readable storage medium having computer-usable or computer-readable program code embodied in the medium, for use by or in connection with an instruction execution system. In the context of the present invention, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate or transport the program for use by or in connection with an instruction execution system, apparatus or device.

[0055] The present invention designs an application layer network protocol decoder (module) based on a state machine. The states of the decoding state machine are divided into an initial state, intermediate states, an end state and an abnormal state. The decoder performs state jumps according to the state transition function of the current state of the decoding state machine and the input data. The initial state of the decoding state machine indicates that decoding has not yet begun; the input symbol set of the decoding state machine is the set of all characters that can appear on the network; the state set of the decoding state machine and the corresponding state transition functions are determined by the message format of each protocol. When the state machine jumps from the initial state, through intermediate states, to the end state, a complete application layer packet is considered to have been decoded; when the state machine jumps to the abnormal state, the packet is considered abnormal.

[0056] The operation of the state-machine-based network protocol decoder is explained below using the HTTP request message as an example. For ease of design, a multi-level architecture and a top-down approach may be used.

[0057] FIG. 2 shows the design of the top-level decoding state machine for an HTTP request message. Analysing the format of an HTTP request message, the message is divided into three parts: start-line, message-header (hereinafter "header") and message-body (hereinafter "body"), so a state machine can first be designed using these three parts as decoding states. As shown in FIG. 2, when a data fragment arrives, the machine jumps from the initial state to the start-line decoding state; after decoding of the start-line part is complete, it jumps to the header decoding state; and after that decoding is complete, it jumps either to the body decoding state or to the end state, depending on whether a body is present. The three states start-line decoding, header decoding and body decoding are themselves independent sub state machines.

[0058] After the top-level decoding state machine has been designed, the sub state machines are designed according to the respective message structures of the start-line, header and body.

[0059] The message format of the start-line part is:

[0060] SP*Method SP+[schema:/]/[host[:port][?param]]SP+HTTP/\d.\d[CR]LF

[0061] Here SP denotes the space character of the ASCII character table, SP* denotes zero or more space characters and "SP+" denotes one or more space characters; "Method" is one of certain fixed strings specified by the HTTP protocol, such as "GET", "HEAD" or "POST"; schema denotes the protocol name, host is the network host name, port is a number in the range 0 to 65536 denoting the network port, and param denotes parameters, where the parts enclosed in [] are optional; \d denotes any single digit, and HTTP/\d.\d denotes the version of the HTTP protocol that the HTTP packet follows, so that HTTP/1.1 denotes version 1.1 of the HTTP protocol; CR denotes the carriage return character of the ASCII character table. For details of the message format, see RFC 2616.

[0062] The state machine for the start-line part of an HTTP request message is described below with reference to FIG. 3. As shown in FIG. 3, the state machine comprises an initial state and an end state; compare the start-line message format above. In the initial state, if the input is a space character the machine stays in the initial state, and if the input is a letter it jumps to the Method state; in the Method state, if the input is a space character it jumps to the space state; in the space state, if the input is a letter it jumps to the schema state, and if the input is a '/' character it jumps to the path state. If, after successive jumps, the end state is reached, decoding of the start-line part of the HTTP request message is finished and decoding of the header is entered next. Relative to the states of FIG. 2, the states of the start-line state machine may be called sub-states.

[0063] Decoding is completed at the same time as the state machine jumps. For example, all input received while the state machine is in the host state makes up the host field of the HTTP request message: if, while the state machine is in the host state, the 13 characters "www.baidu.com" are input in turn, the decoded host field of the HTTP request is the string www.baidu.com. Likewise, if the four characters "8080" are input while the state machine is in the port state, the decoded port of the HTTP request message is 8080.

[0064] The process of state machine jumps is in fact also a data compliance check. When the state machine is in a particular state, only particular input data is legal. For example, in the schema state only the input character '/' is compliant; otherwise the machine enters the abnormal state (not shown), indicating that the packet entering the decoder, or the packet to which the data fragment entering the decoder belongs, is non-compliant and may even be a malicious attack packet. A compliance check may also be performed on the length of the data input in a given state. For example, the host field of an HTTP request is normally not very long, so a threshold can be set; when the host field length, that is, the length of the data input while the state machine is in the host state, exceeds the threshold, the host field is considered over-long and the HTTP request very probably contains an overflow attack.

[0065] The state machine for the message-header part of an HTTP request message is described below with reference to FIG. 4. The message-header consists of zero or more header fields followed by an empty line (a line with nothing before the CRLF), that is:

[0066] (head[CR]LF)*[CR]LF

[0067] The format of each header field (head) is:

[0068] Field_name ":" [Field_value]

[0069] Here Field_name is the name of each header field, and Field_value, which is optional, is the value of the corresponding header field. The state machine of FIG. 4 starts from the initial state and, once it has jumped to the end state, decoding of the message-header part is finished. Its fname state represents decoding of the header field of the HTTP request. The meaning of the other states is likewise specified in RFC 2616 and is not detailed here.

[0070] The message-body part of an HTTP request message can also be decoded by designing a suitable state machine according to the specific message format; this is not detailed here.

[0071] In addition, the state machine of FIG. 3 may itself be organised hierarchically. For example, the Method state of FIG. 3 is an ordinary state as far as the start-line state machine is concerned, but the Method state is itself a string state machine.

[0072] The state machine for the Method in the start-line part of an HTTP request message is described below with reference to FIG. 5. According to the definition in RFC 2616, the Method of an HTTP request message is one of a specific set of strings: "OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE" and "CONNECT". A string state machine as shown in FIG. 5 can be designed from these strings. The initial state of the state machine is state 0, and the possible end states are state 13, state 15, state 18, state 20, state 23, state 4, state 34 and state 41. When the start-line state machine jumps from the initial state to the Method state, the state switches to state 0 of the string state machine of FIG. 5; when the string state machine jumps to an end state, the Method state of the start-line state machine ends, and on receiving the next space character the machine jumps to the space state of FIG. 3. Like the start-line state machine, the Method string state machine also has an abnormal state: for example, when the state machine is in state 1, only the character 'P' is a legal input, and every other input leads to the abnormal state, indicating that the packet entering the decoder, or the packet to which the data fragment entering the decoder belongs, contains an illegal Method field.

[0073] Thus the decoding scheme for application layer network protocol packets according to the present invention divides an application layer network protocol packet into a plurality of data fragment groups and decodes them in turn using a state machine. First, the data in the first data fragment group of the packet is extracted and, taking the extracted data as input, a jump to a first intermediate state is made while the corresponding protocol decoding is performed. Then the data in the next data fragment group of the packet is extracted and, taking the extracted data as input, a jump to the next intermediate state is made while the corresponding protocol decoding is performed. The extraction, jump and decoding operations are repeated in turn for the remaining data fragment groups of the packet until the end state is reached. Conventional network protocol decoding schemes decode the whole application layer network protocol packet directly, whereas the decoding scheme of the present invention uses a state machine to decode the data fragment groups step by step. In implementation, therefore, all data received from the lower-layer modules can be supplied to the decoder in real time without reassembly, which eliminates the data integration module of conventional decoding schemes and simplifies the module design of the network intrusion detection device.
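As an added illustration (not code from the patent or its assignee), the following Python models the start-line state machine of paragraphs [0062] to [0064] with the Method string state machine of [0072] nested inside it, fed fragment by fragment as [0073] and [0075] describe, so that only state numbers and the decoded fields survive between fragments. The state numbers, the host-length threshold HOST_MAX and the sample request are assumptions constructed for the example.

```python
import re

# Added example, not code from the patent: the start-line machine of [0062]-[0064]
# with the Method string machine of [0072] nested inside. Numbers are assumed.
METHODS = ("OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT")
(INIT, METHOD, SP1, SCHEMA, SEP1, SEP2, HOST, PORT, PATH, SP2,
 VERSION, CR, END, ABNORMAL) = range(14)
HOST_MAX = 255                               # assumed threshold of [0064]
VERSION_RE = re.compile(r"HTTP/\d\.\d$")

def build_method_trie():
    """Method string machine: trans[s][ch] -> next state; accept[s] -> name."""
    trans, accept = [{}], {}                  # state 0 is the initial state
    for name in METHODS:
        s = 0
        for ch in name:
            if ch not in trans[s]:
                trans[s][ch] = len(trans)
                trans.append({})
            s = trans[s][ch]
        accept[s] = name
    return trans, accept

METHOD_TRANS, METHOD_ACCEPT = build_method_trie()

def _letter(c): return c.isascii() and c.isalpha()
def _digit(c): return c.isascii() and c.isdigit()
def _hostch(c): return c.isascii() and (c.isalnum() or c in ".-")
def _is(ch): return lambda c: c == ch
def _not(chs): return lambda c: c not in chs

# Start-line machine: state -> [(predicate on input char, next state,
# field the char belongs to)]. "method" hands the char to the nested machine.
TABLE = {
    INIT: [(_is(" "), INIT, None), (_letter, METHOD, "method")],
    SP1: [(_is(" "), SP1, None), (_is("/"), PATH, "path"), (_letter, SCHEMA, "schema")],
    SCHEMA: [(_letter, SCHEMA, "schema"), (_is(":"), SEP1, None)],
    SEP1: [(_is("/"), SEP2, None)],
    SEP2: [(_is("/"), HOST, None)],
    HOST: [(_hostch, HOST, "host"), (_is(":"), PORT, None),
           (_is("/"), PATH, "path"), (_is(" "), SP2, None)],
    PORT: [(_digit, PORT, "port"), (_is("/"), PATH, "path"), (_is(" "), SP2, None)],
    PATH: [(_is(" "), SP2, None), (_not(" \r\n"), PATH, "path")],
    SP2: [(_is(" "), SP2, None), (_is("H"), VERSION, "version")],
    VERSION: [(_is("\r"), CR, None), (_is("\n"), END, None),
              (_not("\r\n"), VERSION, "version")],
    CR: [(_is("\n"), END, None)],
}

class StartLineDecoder:
    # Only state numbers and decoded fields persist between fragments ([0073], [0075]).
    def __init__(self):
        self.state, self.sub = INIT, 0
        self.fields = dict.fromkeys(("method", "schema", "host", "port", "path", "version"), "")

    def feed(self, fragment: bytes) -> int:
        """Consume one data fragment; return the resulting state number."""
        for b in fragment:
            if self.state in (END, ABNORMAL):
                break
            self.state = self._step(chr(b))
        return self.state

    def _method(self, c):
        nxt = METHOD_TRANS[self.sub].get(c)   # one jump of the nested machine
        if nxt is None:
            return ABNORMAL                   # e.g. state 1 accepts only 'P'
        self.sub = nxt
        return METHOD

    def _check(self, nxt):
        """Compliance checks of [0064], applied on every jump."""
        f = self.fields
        if len(f["host"]) > HOST_MAX or len(f["version"]) > 8:
            return False                      # over-long field: possible overflow
        if nxt in (CR, END) and not VERSION_RE.match(f["version"]):
            return False
        return not (self.state == PORT and nxt != PORT and not f["port"])

    def _step(self, c):
        if self.state == METHOD:
            if c == " " and self.sub in METHOD_ACCEPT:
                self.fields["method"] = METHOD_ACCEPT[self.sub]
                return SP1
            return self._method(c)
        for pred, nxt, field in TABLE[self.state]:
            if pred(c):
                if field == "method":
                    return self._method(c)
                if field:
                    self.fields[field] += c
                return nxt if self._check(nxt) else ABNORMAL
        return ABNORMAL                        # input not legal in this state

def decode_fragments(fragments):
    """Run the decoder over fragments exactly as the lower layer delivers them."""
    dec = StartLineDecoder()
    for frag in fragments:
        dec.feed(frag)
    return dec
```

A request split across fragments such as b"GE", b"T http://www.exa", b"mple.com:80", b"80/index.html HTTP/1." and b"1\r\n" reaches END with the host and port fields assembled without any prior reassembly, while an illegal method character or an over-long host drives the machine to ABNORMAL.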

[0074] A data fragment group may be further divided into subgroups for step-by-step decoding. For example, in the HTTP request message example above, the start-line, message-header and message-body parts may each be treated as one of three data fragment groups. In decoding the start-line part, the method field may in turn be decoded as one of its subgroups. It should be understood that this division can be designed according to actual needs. Each data fragment group of an application layer network protocol packet may correspond to a part of the message defined by the application layer network protocol, and each subgroup may correspond to one character or one field of that message. The division may be made even finer; for example, each character of the method field may be taken as the input of one state, as shown in FIG. 5. Of course, a whole string such as 'OPTION' may also be taken as the input of the method state in FIG. 4, that is, the decoder extracts the whole input 'OPTION' directly and jumps to the space state of FIG. 4, instead of extracting and jumping character by character for each character of 'OPTION' as in FIG. 5. In other words, the granularity of the division can be designed as required. Compared with the character-by-character extraction and jump scheme of FIG. 5, decoding is slightly less real-time, but since the many states of FIG. 5 need not be stored, the storage requirements of the decoder are reduced.

[0075] It should also be noted that although in the example mentioned above what is supplied to the decoder is a data fragment (group), it may also be a complete data packet. In this case the decoder's processing method is the same: it still takes the divided data fragments (groups) as input and performs state jumps according to the state transition function of the current state; the only difference is that it does not need to wait for the next data fragment. In the former case, the decoder must wait for the data fragment (group) from the lower-layer processing module to arrive, and before that it must save the state number identifying the intermediate state (including the intermediate states of the state machines at each level).

[0076] If the extracted data does not conform to the message format defined by the application-layer network protocol, a jump is made to the exception state. Jumping to the exception state indicates that the data packet to which the data fragment input to the decoder belongs is abnormal, which provides a stricter compliance check of the data packet.

[0077] Furthermore, since the input of a conventional network protocol decoding module is a complete data packet, i.e. a contiguous region of memory that can be read and used repeatedly during decoding, the packet memory pointer in conventional network protocol decoding models can jump forwards and backwards within the range of the packet memory. This brings convenience to the implementation of network protocol decoding, but the convenience usually comes at the cost of performance: repeatedly reading and using the packet memory is in fact a process of the packet memory pointer repeatedly scanning the same memory, and repeated scanning of memory brings a certain degree of performance degradation. The decoding scheme proposed by the present invention, by contrast, passes a data fragment, e.g. corresponding to a field or character of the message, as input to the state transition function of the current state to perform the state jump, and at the same time advances the data pointer to the field or character following the current one, as the input of the next state. The data pointer thus always points to the next field or character until it points to the end of the input data. It can be seen that the state machine performs a single pass over the input data from beginning to end. Compared with the repeated scanning that may occur in conventional decoding models, this single pass improves performance.

[0078] The decoding scheme of the present invention can also be applied to application-layer network protocols other than HTTP. For example, it can be applied to common basic network protocols such as the File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), Telnet protocol, Simple Mail Transfer Protocol (SMTP), POP3 protocol and Secure Hypertext Transfer Protocol (HTTPS), and also to application protocols such as SMB, SMB2, RPC, SUNRPC, MSN, ICQ, TDS, TNS, BT, eDonkey and Xunlei (Thunder). In general, the scheme can be used for any network protocol whose message format can be described in a formal language.

[0079] FTP is described below as a further example. FTP uses a command-reply message sequence.

[0080] The FTP command message state machine is shown in Fig. 6, in which the method state and the parameter state are themselves sub-state machines. Fig. 7 shows the method state machine and Fig. 8 shows the parameter state machine. The format of the parameter state varies by method; common formats include strings, printable strings, integers and address-port pairs. For example, the address-port format of the PORT command parameter is

[0081] <number>, <number>, <number>, <number>, <number>, <number>, <number>

[0082] where <number> is a number from 0 to 255; the corresponding state machine is shown in Fig. 8.

[0083] Fig. 9 shows the FTP reply message state machine.

[0084] The meanings of the individual states in Figs. 6 to 9 are specified in RFC 959 and are therefore not described in detail here.

[0085] Figs. 10A and 10B are schematic flowcharts of a decoding method according to one embodiment of the present invention.

[0086] As shown in Fig. 10A, in step S1010 the data in the first data fragment group of the application-layer network protocol data packet is extracted and, with the extracted data as input, a jump is made to the first intermediate state while the corresponding protocol decoding is performed. Then, in step S1020, the data in the next data fragment group of the application-layer network protocol data packet is extracted and, with the extracted data as input, a jump is made to the next intermediate state while the corresponding protocol decoding is performed. In step S1030, the operation of S1020 is repeated in turn for the remaining data fragment groups of the application-layer network protocol data packet until the end state is reached. Each of the above steps may further include the steps shown in Fig. 10B. As shown in Fig. 10B, in step S1011 the data in the first subgroup of the data fragment group is extracted and, with the extracted data as input, a jump is made to the first sub-intermediate state while the corresponding protocol decoding is performed. In step S1012, the data in the next subgroup of the data fragment group is extracted and, with the extracted data as input, a jump is made to the next sub-intermediate state while the corresponding protocol decoding is performed. In step S1013, the operation of step S1012 is repeated in turn for the remaining subgroups of the data fragment group until the sub-end state is reached. Of course, smaller subgroups can be decoded in a similar manner as needed. The method may further include the step of jumping to the exception state if the extracted data does not conform to the message format defined by the application-layer network protocol, and the step of saving a state number identifying each intermediate state or sub-intermediate state.
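The fragment-driven decoding of [0073] to [0077] and steps S1010 to S1030 of [0086], as an added Python example that is not code from the patent: an HTTP request-line decoder that accepts fragments of any size, advances its data pointer in a single pass, saves only a state number between fragments, and jumps to the exception state on a format violation. The state names, the method and URI length limits, and the sample fragments are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# State numbers; the one in force when a fragment ends is what the decoder
# saves while waiting for the next fragment (paragraph [0075]).
METHOD, URI, VERSION, CR, END, EXCEPTION = range(6)
STATE_NAMES = ["method", "uri", "version", "cr", "end", "exception"]

TOKEN_CHARS = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ")  # upper-case method token
VERSION_CHARS = frozenset(b"HTTP/0123456789.")
VERSION_RE = re.compile(rb"HTTP/\d\.\d")
METHOD_MAX = 16    # limits chosen for this example, not taken from the patent
URI_MAX = 4096


@dataclass
class RequestLineDecoder:
    state: int = METHOD
    method: bytearray = field(default_factory=bytearray)
    uri: bytearray = field(default_factory=bytearray)
    version: bytearray = field(default_factory=bytearray)

    def feed(self, fragment: bytes) -> int:
        """Consume one fragment byte by byte; return the state number to save."""
        for b in fragment:
            if self.state in (END, EXCEPTION):
                break          # a finished machine consumes nothing more
            self.state = self._transition(self.state, b)
        return self.state

    def _transition(self, state: int, b: int) -> int:
        """Transition function of the current state for one input byte.
        The pointer only ever moves forward: each byte is looked at once."""
        if state == METHOD:
            if b in TOKEN_CHARS and len(self.method) < METHOD_MAX:
                self.method.append(b)
                return METHOD
            if b == 0x20 and self.method:          # the "space" step of Fig. 4
                return URI
        elif state == URI:
            if b == 0x20 and self.uri:
                return VERSION
            if 0x21 <= b <= 0x7E and len(self.uri) < URI_MAX:  # visible ASCII
                self.uri.append(b)
                return URI
        elif state == VERSION:
            if b in VERSION_CHARS and len(self.version) < 8:
                self.version.append(b)
                return VERSION
            if b == 0x0D and VERSION_RE.fullmatch(bytes(self.version)):
                return CR
        elif state == CR:
            if b == 0x0A:
                return END
        return EXCEPTION   # anything else violates the request-line grammar


def decode_fragments(fragments):
    """Feed fragments in arrival order without reassembling them; return the
    decoded fields and the state number saved after each fragment."""
    dec = RequestLineDecoder()
    saved = [STATE_NAMES[dec.feed(f)] for f in fragments]
    return {
        "final": STATE_NAMES[dec.state],
        "method": dec.method.decode(),
        "uri": dec.uri.decode(),
        "version": dec.version.decode(),
        "saved_states": saved,
    }


if __name__ == "__main__":
    # Constructed sample: one request line split at arbitrary boundaries,
    # as it might arrive from the lower layer.
    print(decode_fragments([b"GE", b"T /ind", b"ex.html HT", b"TP/1.1\r", b"\n"]))
    # Constructed non-compliant inputs that land in the exception state.
    print(decode_fragments([b"get / HTTP/1.1\r\n"])["final"])   # lower-case method
    print(decode_fragments([b"GET  / HTTP/1.1\r\n"])["final"])  # doubled space
    print(decode_fragments([b"GET / HTTQ/1.1\r\n"])["final"])   # bad version token
```

The same machine handles a complete packet delivered in one fragment, as [0075] notes; only the waiting between fragments disappears.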

[0087] Fig. 11 is a schematic block diagram of a decoder according to one embodiment of the present invention.

[0088] As shown in Fig. 11, the decoder 1100 includes a decoding device 1110 and a jump device 1120. The decoding device extracts the data in the first data fragment group of the application-layer network protocol data packet, and the jump device, with the extracted data as input, jumps to the first intermediate state while the decoding device performs the corresponding protocol decoding. The decoding device extracts the data in the next data fragment group of the application-layer network protocol data packet, and the jump device, with the extracted data as input, jumps to the next intermediate state while the decoding device performs the corresponding protocol decoding. The decoding device and the jump device repeat the above extraction, jump and decoding operations in turn for the remaining data fragment groups of the application-layer network protocol data packet until the end state is reached. In addition, the decoding device may also extract the data in the first subgroup of a data fragment group, and the jump device may, with the extracted data as input, jump to the first sub-intermediate state while the decoding device performs the corresponding protocol decoding. The decoding device may extract the data in the next subgroup of the data fragment group, and the jump device may, with the extracted data as input, jump to the next sub-intermediate state while the decoding device performs the corresponding protocol decoding. The decoding device and the jump device may repeat the above extraction, jump and decoding operations in turn for the remaining subgroups of the data fragment group until the sub-end state is reached. If the extracted data does not conform to the message format defined by the application-layer network protocol, the jump device may jump to the exception state. The decoder 1100 may further include a storage device 1130 for saving a state number identifying each intermediate state or sub-intermediate state.

[0089] Fig. 12 is a schematic diagram of a network intrusion detection device according to one embodiment of the present invention. It can be seen that it includes an application-layer network protocol decoding module (decoder) according to one embodiment of the present invention. Data from the external network passes through lower-layer processing, and the resulting data fragments can be decoded directly by the application-layer network protocol decoding module, with the decoding results supplied to other modules for use. The conventional data reassembly module is thus omitted, which saves a large amount of data buffering and copying.

[0090] It should be noted that although the description above uses an IDS/IPS device as an example, the present invention is obviously not limited thereto and can also be applied to other types of device that need to perform network protocol decoding.

[0091] While the present invention has been illustrated and described in detail in the drawings and the foregoing description, such illustration and description are to be considered illustrative or exemplary and not restrictive. The invention is not limited to the disclosed embodiments. Other modifications will be apparent to those skilled in the art from reading this disclosure. Such modifications may involve other features which are already known in the art and which may be used instead of or in addition to features already described herein.

Claims (20)

1. A method for decoding application-layer network protocol data packets, each application-layer network protocol data packet comprising a plurality of data fragment groups, the method comprising: a) extracting the data in a first data fragment group of the application-layer network protocol data packet and, with the extracted data as input, jumping to a first intermediate state while performing the corresponding protocol decoding; b) extracting the data in the next data fragment group of the application-layer network protocol data packet and, with the extracted data as input, jumping to the next intermediate state while performing the corresponding protocol decoding; c) repeating step b) in turn for the remaining data fragment groups of the application-layer network protocol data packet until an end state is reached.
2. The method of claim 1, wherein each data fragment group of the application-layer network protocol data packet corresponds to one part of a message defined by the application-layer network protocol.
3. The method of claim 1, wherein each of steps a) and b) comprises: d) extracting the data in a first subgroup of the data fragment group and, with that data as input, jumping to a first sub-intermediate state while performing the corresponding protocol decoding; e) extracting the data in the next subgroup of the data fragment group and, with that data as input, jumping to the next sub-intermediate state while performing the corresponding protocol decoding; f) repeating step e) in turn for the remaining subgroups of the data fragment group until a sub-end state is reached.
4. The method of claim 3, wherein each subgroup corresponds to one character or one field of a message defined by the application-layer network protocol.
5. The method of any one of claims 1 to 4, further comprising: jumping to an exception state if the extracted data does not conform to the message format defined by the application-layer network protocol.
6. The method of any one of claims 1 to 4, further comprising: saving a state number identifying each intermediate state or sub-intermediate state.
7. The method of any one of claims 1 to 4, wherein the application-layer network protocol includes at least the Hypertext Transfer Protocol HTTP, the File Transfer Protocol FTP, the Trivial File Transfer Protocol TFTP, the Telnet protocol, the Simple Mail Transfer Protocol SMTP, the POP3 protocol, the Secure Hypertext Transfer Protocol HTTPS, and application protocols.
8. The method of any one of claims 1 to 4, wherein the method is performed on an intrusion detection system IDS or intrusion prevention system IPS.
9. The method of any one of claims 1 to 4, wherein the intermediate states and the end state are defined according to the message format specified by the application-layer network protocol.
10. A decoder for decoding application-layer network protocol data packets, each application-layer network protocol data packet comprising a plurality of data fragment groups, the decoder comprising: a decoding device; and a jump device, wherein the decoding device and the jump device are configured such that: the decoding device extracts the data in a first data fragment group of the application-layer network protocol data packet, and the jump device, with the extracted data as input, jumps to a first intermediate state while the decoding device performs the corresponding protocol decoding; the decoding device extracts the data in the next data fragment group of the application-layer network protocol data packet, and the jump device, with the extracted data as input, jumps to the next intermediate state while the decoding device performs the corresponding protocol decoding; the decoding device and the jump device repeat the above operations in turn for the remaining data fragment groups of the application-layer network protocol data packet until an end state is reached.
11. The decoder of claim 10, wherein each data fragment group of the application-layer network protocol data packet corresponds to one part of a message defined by the application-layer network protocol.
12. The decoder of claim 11, wherein the decoding device and the jump device are further configured such that: the decoding device extracts the data in a first subgroup of the data fragment group, and the jump device, with the extracted data as input, jumps to a first sub-intermediate state while the decoding device performs the corresponding protocol decoding; the decoding device extracts the data in the next subgroup of the data fragment group, and the jump device, with the extracted data as input, jumps to the next sub-intermediate state while the decoding device performs the corresponding protocol decoding; the decoding device and the jump device repeat the above decoding and jump operations in turn for the remaining subgroups of the data fragment group until a sub-end state is reached.
13. The decoder of claim 12, wherein each subgroup corresponds to one character or one field of a message defined by the application-layer network protocol.
14. The decoder of any one of claims 10 to 13, wherein the jump device is configured to jump to an exception state if the extracted data does not conform to the message format defined by the application-layer network protocol.
15. The decoder of any one of claims 10 to 13, further comprising: a storage device for saving a state number identifying each intermediate state or sub-intermediate state.
16. The decoder of any one of claims 10 to 13, wherein the application-layer network protocol includes at least the Hypertext Transfer Protocol HTTP, the File Transfer Protocol FTP, the Trivial File Transfer Protocol TFTP, the Telnet protocol, the Simple Mail Transfer Protocol SMTP, the POP3 protocol, the Secure Hypertext Transfer Protocol HTTPS, and application protocols.
17. The decoder of any one of claims 10 to 13, wherein the decoder is implemented on an intrusion detection system IDS or intrusion prevention system IPS.
18. The decoder of any one of claims 10 to 13, wherein the intermediate states and the end state are defined according to the message format specified by the application-layer network protocol.
19. A network device comprising the decoder of any one of claims 10 to 18.
20. The network device of claim 19, wherein the network device comprises an intrusion detection system IDS or intrusion prevention system IPS device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010105329036A CN102075512A (en) 2010-11-02 2010-11-02 Method and device for decoding network protocol


Publications (1)

Publication Number Publication Date
CN102075512A true CN102075512A (en) 2011-05-25




Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C12 Rejection of a patent application after its publication