CN102075512A - Method and device for decoding network protocol - Google Patents

Publication number: CN102075512A
Authority: CN (China)
Legal status: Pending
Application number: CN2010105329036A
Other languages: Chinese (zh)
Inventors: 韩鹏, 么刚, 张涛
Current assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Original assignee (applicant): Beijing NSFocus Information Security Technology Co Ltd

Abstract

The invention relates to a method and a decoder for decoding application layer network protocol data packets. Each application layer network protocol data packet comprises a plurality of data fragment groups. The method comprises the following steps: (a) extracting the data in the first data fragment group of the application layer network protocol data packet, jumping to a first intermediate state with the extracted data as input, and at the same time executing the corresponding protocol decoding; (b) extracting the data in the next data fragment group of the packet, jumping to the next intermediate state with the extracted data as input, and at the same time executing the corresponding protocol decoding; and (c) repeating step (b) in turn on the remaining data fragment groups of the packet until the finishing state is reached. All data received from a lower module can therefore be handed to the decoder without reassembly, so the data integration module of the traditional decoding scheme can be removed and the module design of a network intrusion detection device is simplified.

Description

Protocol decoder and decoding method
Technical field
The present invention relates generally to network protocol decoding, and more specifically to a network protocol decoder and decoding method.
Background technology
With the emergence and spread of Web 2.0/3.0, online audio and video, peer-to-peer (P2P) file sharing, social networking sites (SNS) and other network services, network traffic is expanding rapidly. Network devices of all kinds therefore have to perform heavy network protocol decoding work, which poses a new challenge to their processing capacity. How to keep raising the processing capacity of network devices has become a focus for every vendor.
A typical example is the challenge faced by gateway-level intrusion detection systems (IDS) and intrusion prevention systems (IPS). The surge in network traffic places an enormous processing load on network devices such as IDS/IPS. The performance of the application layer network protocol decoding module, the core module of such devices, determines to a large extent the performance of the whole IDS/IPS product. At present the application layer protocol decoding module of mainstream IDS/IPS products can decode correctly only after it has received a complete application layer data packet. A data integration module is therefore needed in front of the traditional application layer protocol decoding module to reassemble the data.
Fig. 1 is a schematic diagram of a traditional network intrusion detection device. As shown in Fig. 1, data from the external network is processed by the lower layers (for example the TCP/IP layer), and the resulting data fragments are reassembled into a complete packet by the data integration module. The application layer protocol decoding module decodes the complete packet and hands the decoded result to other modules. Reassembly itself consists of buffering and copying data, and large amounts of such redundant buffering and copying reduce system performance. When network traffic is very heavy, this frequent buffering and copying of data has a fatal effect on performance.
Summary of the invention
An object of the present invention is to solve at least the problems pointed out above.
According to one aspect of the present invention, a method for decoding application layer network protocol data packets is provided. Each application layer network protocol data packet comprises a plurality of data fragment groups. The method comprises:
a) extracting the data in the first data fragment group of the application layer network protocol data packet and, with the extracted data as input, jumping to a first intermediate state while executing the corresponding protocol decoding;
b) extracting the data in the next data fragment group of the packet and, with the extracted data as input, jumping to the next intermediate state while executing the corresponding protocol decoding;
c) repeating step b) in turn on the remaining data fragment groups of the packet until the finishing state is reached.
Each data fragment group of the application layer network protocol data packet may correspond to a part of the message defined by the application layer network protocol specification.
Each of steps a) and b) may in turn comprise:
d) extracting the data in the first sub-group of the data fragment group and, with the extracted data as input, jumping to a first sub-intermediate state while executing the corresponding protocol decoding;
e) extracting the data in the next sub-group of the data fragment group and, with the extracted data as input, jumping to the next sub-intermediate state while executing the corresponding protocol decoding;
f) repeating step e) in turn on the remaining sub-groups of the data fragment group until the sub-finishing state is reached.
Each sub-group may correspond to one character or one field of the message defined by the application layer network protocol specification.
The method may further comprise: jumping to an abnormal state if the extracted data does not conform to the message format laid down by the application layer protocol specification. The method may further comprise: saving a state number that identifies each intermediate state or sub-intermediate state.
The application layer network protocol may include at least the Hypertext Transfer Protocol (HTTP), the File Transfer Protocol (FTP), the Trivial File Transfer Protocol (TFTP), the Telnet protocol, the Simple Mail Transfer Protocol (SMTP), the POP3 protocol and the Secure Hypertext Transfer Protocol (HTTPS), as well as application protocols.
The method may be executed on an intrusion detection system (IDS) or intrusion prevention system (IPS).
Each intermediate state and the finishing state may be defined according to the message format of the application layer network protocol specification.
According to another aspect of the present invention, a decoder for decoding application layer network protocol data packets is provided. Each application layer network protocol data packet comprises a plurality of data fragment groups. The decoder comprises:
a decoding device; and
a jump device, wherein the decoding device and the jump device are configured such that:
the decoding device extracts the data in the first data fragment group of the application layer network protocol data packet, the jump device takes the extracted data as input and jumps to a first intermediate state, and the decoding device executes the corresponding protocol decoding at the same time;
the decoding device extracts the data in the next data fragment group of the packet, the jump device takes the extracted data as input and jumps to the next intermediate state, and the decoding device executes the corresponding protocol decoding at the same time;
the decoding device and the jump device repeat the above operations in turn on the remaining data fragment groups of the packet until the finishing state is reached.
Each data fragment group of the application layer network protocol data packet may correspond to a part of the message defined by the application layer network protocol specification.
The decoding device and the jump device may further be configured such that:
the decoding device extracts the data in the first sub-group of the data fragment group, the jump device takes the extracted data as input and jumps to a first sub-intermediate state, and the decoding device executes the corresponding protocol decoding at the same time;
the decoding device extracts the data in the next sub-group of the data fragment group, the jump device takes the extracted data as input and jumps to the next sub-intermediate state, and the decoding device executes the corresponding protocol decoding at the same time;
the decoding device and the jump device repeat the above decoding and jump operations in turn on the remaining sub-groups of the data fragment group until the sub-finishing state is reached.
Each sub-group may correspond to one character or one field of the message defined by the application layer network protocol specification.
The jump device may be configured to jump to an abnormal state if the extracted data does not conform to the message format laid down by the application layer protocol specification.
The decoder may further comprise a storage device for saving a state number that identifies each intermediate state or sub-intermediate state.
The application layer network protocol may include at least the Hypertext Transfer Protocol (HTTP), the File Transfer Protocol (FTP), the Trivial File Transfer Protocol (TFTP), the Telnet protocol, the Simple Mail Transfer Protocol (SMTP), the POP3 protocol and the Secure Hypertext Transfer Protocol (HTTPS), as well as application protocols.
Each intermediate state and the finishing state may be defined according to the message format of the application layer network protocol specification.
The decoder may be implemented on an intrusion detection system (IDS) or intrusion prevention system (IPS).
According to a further aspect of the invention, an intrusion detection system / intrusion prevention system device comprising the above decoder is provided.
Description of drawings
The present invention, together with its objects and advantages, will be better understood from the following description with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of a traditional network intrusion detection device;
Fig. 2 is a schematic diagram of the top-layer decoder state machine for an HTTP request message;
Fig. 3 is a schematic diagram of the state machine for the start-line part of an HTTP request message;
Fig. 4 is a schematic diagram of the state machine for the message-header part of an HTTP request message;
Fig. 5 is a schematic diagram of the state machine for the Method in the start-line part of an HTTP request message;
Fig. 6 is a schematic diagram of the FTP command message state machine;
Fig. 7 is a schematic diagram of the method state machine of an FTP command message;
Fig. 8 is a schematic diagram of the parameter state machine of an FTP command message;
Fig. 9 is a schematic diagram of the FTP response message state machine;
Figs. 10A and 10B are schematic flow diagrams of a decoding method according to an embodiment of the invention;
Fig. 11 is a schematic block diagram of a decoder according to an embodiment of the invention; and
Fig. 12 is a schematic diagram of a network intrusion detection device according to an embodiment of the invention.
Embodiments
Before the embodiments are described in detail, it should be understood that the invention is not limited to the specific components of the described devices or the specific steps of the described methods, because such devices and methods may vary. It should also be understood that the terminology used herein serves only to describe particular embodiments and is not intended to be limiting. It must be noted that, as used in the specification and the claims, the singular forms "a", "another", "this" and "the" may also include the plural unless the context clearly indicates otherwise; the term "device", for example, may refer to one or more devices.
Unless otherwise defined, all terms used herein (including technical and scientific terms) have the meaning commonly understood by a person skilled in the art. It will be further understood that terms used herein should be interpreted as having a meaning consistent with their meaning in the context of this specification and the relevant field, and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The present invention is described below with reference to block diagrams and/or flowcharts of methods, apparatus (systems) and/or computer program products according to embodiments of the invention. It should be understood that each block of the block diagrams and/or flowcharts, and combinations of such blocks, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer and/or other programmable data processing apparatus to produce a machine, such that the instructions executed via the computer processor and/or other programmable data processing apparatus create means for implementing the functions/actions specified in the block diagram and/or flowchart blocks.
Accordingly, the present invention may also be implemented in hardware and/or software (including firmware, resident software, microcode, etc.). Further, the present invention may take the form of a computer program product on a computer-usable or computer-readable storage medium having computer-usable or computer-readable program code embodied in the medium, for use by or in connection with an instruction execution system. In the context of the invention, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate or transport the program for use by or in connection with an instruction execution system, apparatus or device.
The present invention designs an application layer network protocol decoder (module) based on a state machine. The states of the decoder state machine are divided into an initial state, intermediate states, a finishing state and an abnormal state. The decoder performs state jumps according to the state transition function of the current state of the decoder state machine and the input data. The initial state of the decoder state machine means that decoding has not yet begun; the input symbol set of the decoder state machine is the set of all characters that can possibly appear on the network; the state set of the decoder state machine and the corresponding state transition functions are determined by the message format of each protocol. When the state machine jumps from the initial state, through the intermediate states, to the finishing state, the decoding of one complete application layer data packet is considered finished; when the state machine jumps to the abnormal state, the packet is considered abnormal.
The operating method of the state-machine-based network protocol decoder is described below with an HTTP request message as the example. To simplify the design, a multi-level architecture can be adopted, proceeding top-down.
Fig. 2 shows the design of the top-layer decoder state machine for an HTTP request message. Analysing the format of an HTTP request message, the message is divided into three parts: the start-line, the message-header (hereinafter simply "header") and the message-body (hereinafter simply "body"), so a state machine with these three parts as its decoding states can be designed first. As shown in Fig. 2, when a data fragment arrives the machine jumps from the initial state to the start-line decoding state; when decoding of the start-line part is finished it jumps to the header decoding state; and when decoding of the header part is finished it jumps either to the body decoding state or to the finishing state, depending on whether a body is present. The three states, start-line decoding, header decoding and body decoding, are each independent sub-state machines in their own right.
After the top-layer decoder state machine has been designed, the sub-state machines are designed according to the respective message structures of the start-line, header and body.
The message format of the start-line part is:
SP* Method SP+ [schema:/]/[host[:port][?param]] SP+ HTTP/\d.\d [CR]LF
where SP is the space character of the ASCII table, SP* means zero or more space characters and SP+ means one or more space characters; "Method" is one of a number of fixed strings laid down by the HTTP protocol, such as "GET", "HEAD" and "POST"; schema is the protocol name; host is the network host name; port is a number from 0 to 65536 representing the network port; param represents parameters; the parts enclosed in [] are optional; \d represents any digit, and HTTP/\d.\d is the HTTP protocol version that the packet follows, so HTTP/1.1 denotes version 1.1 of HTTP; CR is the carriage return character of the ASCII table. For the concrete message format see RFC 2616.
The state machine of the start-line part of an HTTP request message is described below with reference to Fig. 3. As shown in Fig. 3, this state machine comprises an initial state and a finishing state, and it can be compared against the message format of the start-line. In the initial state, if the input is a space character the machine remains in the initial state, and if the input is an alphabetic character it jumps to the Method state; in the Method state, if the input is a space character it jumps to the space state; in the space state, if the input is an alphabetic character it jumps to the schema state, and if the input is a '/' character it jumps to the path state. If, through successive jumps, the finishing state is reached, the decoding of the start-line part of this HTTP request message is finished and the decoder next needs to enter the decoding part for the header. Relative to the states in Fig. 2, each state in the start-line state machine can be called a sub-state here.
Decoding is done at the same time as the state jumps are carried out. For example, all the input received while the state machine is in the host state makes up the host field of the HTTP request message; suppose that while the state machine is in the host state the 13 characters "www.baidu.com" are input in turn, then the host field of this HTTP request obtained by decoding is the string www.baidu.com. Suppose further that while the state machine is in the port state the four characters "8080" are input in turn; then the port of this HTTP request message obtained by decoding is 8080.
The process of state jumping is in fact also a process of checking the compliance of the data. When the state machine is in a particular state, only specific input data is legal. For example, in the schema state only the input character '/' is compliant; any other input enters the abnormal state (not shown), indicating that the packet entering the decoder, or the packet to which the data fragment entering the decoder belongs, is non-compliant and may even be a malicious attack packet. A compliance check can also be carried out on the length of the data input in some states. For example, the host field of an HTTP request is normally not very long, so a threshold can be set, and when the length of the host field, that is the data input while the state machine is in the host state, exceeds this threshold, the host field is judged over-long and the HTTP request very probably contains a flooding attack.
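The start-line machine of Fig. 3, the Method sub-machine of Fig. 5 and the fragment-by-fragment feed described in this embodiment, written out as an added Python example (my code, not the patent's or NSFOCUS's). The state names, the Method table, the exact transitions and the 255-byte host threshold are my assumptions; host and port are decoded while the machine moves, and the state is kept between `feed` calls so no reassembly buffer exists.

```python
from enum import Enum

S = Enum("S", "INIT METHOD SP SCHEMA SLASH1 SLASH2 HOST PORT PATH VERSION CR DONE ABNORMAL")
METHODS = ("OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT")

def build_method_trie(methods):
    """Method sub-state machine as a prefix trie: state 0 is the initial state, each edge
    consumes one character, each method ends in its own final state (numbering differs from Fig. 5)."""
    trie, finals = [{}], {}
    for name in methods:
        s = 0
        for ch in name:
            if ch not in trie[s]:
                trie.append({})
                trie[s][ch] = len(trie) - 1
            s = trie[s][ch]
        finals[s] = name
    return trie, finals

METHOD_TRIE, METHOD_FINAL = build_method_trie(METHODS)

class StartLineDecoder:
    HOST_MAX = 255  # assumed compliance threshold for the host field length

    def __init__(self):
        self.state, self.mstate, self.vpos = S.INIT, 0, 0
        self.fields = {k: "" for k in ("method", "schema", "host", "port", "path", "version")}

    def feed(self, fragment: bytes):
        # Consume one data fragment as delivered by the lower layer; the state survives
        # between calls, so nothing is reassembled before decoding.
        for b in fragment:
            if self.state in (S.DONE, S.ABNORMAL): break
            self._step(chr(b))
        return self.state

    def _method(self, c):
        # One transition of the Method sub-machine: a character with no outgoing edge
        # (for example anything but 'P' after 'O') is an illegal Method field.
        self.mstate = METHOD_TRIE[self.mstate].get(c, -1)
        return S.ABNORMAL if self.mstate < 0 else S.METHOD

    def _step(self, c):
        st, f = self.state, self.fields
        nxt = S.ABNORMAL  # any input not matched below violates the message format
        if st is S.INIT:
            if c == " ": nxt = S.INIT                         # SP*
            elif c.isalpha(): nxt = self._method(c)
        elif st is S.METHOD:
            if c == " " and self.mstate in METHOD_FINAL:
                f["method"] = METHOD_FINAL[self.mstate]; nxt = S.SP
            elif c != " ": nxt = self._method(c)
        elif st is S.SP:
            if c == " ": nxt = S.SP                           # SP+
            elif c.isalpha(): f["schema"] += c; nxt = S.SCHEMA
            elif c == "/": f["path"] += c; nxt = S.PATH
        elif st is S.SCHEMA:                                  # schema name, then ":/"
            if c.isalpha(): f["schema"] += c; nxt = S.SCHEMA
            elif c == ":": nxt = S.SLASH1
        elif st is S.SLASH1:
            if c == "/": nxt = S.SLASH2
        elif st is S.SLASH2:                                  # the mandatory "/" before host
            if c == "/": nxt = S.HOST
        elif st is S.HOST:
            if c == ":": nxt = S.PORT
            elif c == "/": f["path"] += c; nxt = S.PATH
            elif c == " ": nxt = S.VERSION
            elif c.isascii() and (c.isalnum() or c in ".-"):
                f["host"] += c  # decoded as the machine moves; an over-long host is abnormal
                nxt = S.HOST if len(f["host"]) <= self.HOST_MAX else S.ABNORMAL
        elif st is S.PORT:
            if c.isdigit(): f["port"] += c; nxt = S.PORT
            elif c == "/": f["path"] += c; nxt = S.PATH
            elif c == " ": nxt = S.VERSION
        elif st is S.PATH:                                    # path and any ?param
            if c == " ": nxt = S.VERSION
            elif c.isprintable(): f["path"] += c; nxt = S.PATH
        elif st is S.VERSION:
            pat = "HTTP/d.d"  # 'd' stands for any digit
            if self.vpos == 0 and c == " ": nxt = S.VERSION      # SP+ before HTTP
            elif self.vpos < len(pat):
                want = pat[self.vpos]
                if (c.isdigit() if want == "d" else c == want):
                    f["version"] += c; self.vpos += 1; nxt = S.VERSION
            elif c == "\r": nxt = S.CR
            elif c == "\n": nxt = S.DONE                      # [CR]LF: CR is optional
        elif st is S.CR:
            if c == "\n": nxt = S.DONE
        self.state = nxt

def decode_fragments(fragments):
    # Feed fragments in arrival order; return (state reached, decoded fields)
    dec = StartLineDecoder()
    for frag in fragments:
        if dec.feed(frag) in (S.DONE, S.ABNORMAL): break
    return dec.state, dec.fields

if __name__ == "__main__":
    # Constructed sample: one request line in three segments, cut inside the Method and the host
    print(decode_fragments([b"GE", b"T http://www.bai", b"du.com:8080/index.html HTTP/1.1\r\n"]))
    print(decode_fragments([b"OX"])[0])  # S.ABNORMAL: after 'O' only 'P' is legal
```

A fragment that ends mid-field leaves the decoder in the corresponding intermediate state (for example `S.HOST`), which is exactly the state number the patent says must be saved until the next fragment arrives.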
The state machine of the message-header part of an HTTP request message is described below with reference to Fig. 4. The message-header consists of zero or more header fields followed by an empty line (a CRLF preceded by nothing), that is:
(head[CR]LF)*[CR]LF
The format of each header field (head) is:
Field_name ":" [Field_value]
where Field_name is the name of the header field and Field_value is the value of the corresponding header field, which is optional. When the state machine of Fig. 4 jumps from the initial state to the finishing state, the decoding of the message-header part is finished. The Fname state in the figure represents the decoding of a header field of the HTTP request. The meaning of the other states is likewise laid down in RFC 2616 and is not described in detail here.
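The message-header sub-machine as an added Python example (mine, not the patent's): it decodes (head[CR]LF)*[CR]LF one character per transition, emits each Field_name/Field_value pair as soon as its line ends, and keeps its state between fragments so a field cut in two by the lower layer is still decoded as one. The state names, the token character set used for Field_name and the 4096-byte value threshold are my assumptions.

```python
from enum import Enum

H = Enum("H", "LINE_START FNAME FVALUE CR_FIELD CR_EMPTY DONE ABNORMAL")
# Characters allowed in Field_name: the HTTP token set (assumed from RFC 2616 / RFC 7230)
TCHAR = set("!#$%&'*+-.^_`|~0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

class HeaderDecoder:
    VALUE_MAX = 4096  # assumed compliance threshold for the length of one Field_value

    def __init__(self):
        self.state = H.LINE_START
        self.name = self.value = ""
        self.headers = []  # decoded (Field_name, Field_value) pairs, in order

    def feed(self, fragment: bytes):
        # Consume one data fragment and return the state reached; state survives between calls
        for b in fragment:
            if self.state in (H.DONE, H.ABNORMAL): break
            self._step(chr(b))
        return self.state

    def _emit(self):
        # A header field is complete as soon as its line ends
        self.headers.append((self.name, self.value.strip()))
        self.name = self.value = ""

    def _step(self, c):
        st, nxt = self.state, H.ABNORMAL  # unmatched input violates the message format
        if st is H.LINE_START:            # a new head, or the empty line that ends the header
            if c in TCHAR: self.name = c; nxt = H.FNAME
            elif c == "\r": nxt = H.CR_EMPTY
            elif c == "\n": nxt = H.DONE
        elif st is H.FNAME:
            if c in TCHAR: self.name += c; nxt = H.FNAME
            elif c == ":": nxt = H.FVALUE
        elif st is H.FVALUE:              # Field_value is optional, so it may stay empty
            if c == "\r": nxt = H.CR_FIELD
            elif c == "\n": self._emit(); nxt = H.LINE_START
            elif (c.isprintable() or c == "\t") and len(self.value) < self.VALUE_MAX:
                self.value += c; nxt = H.FVALUE
        elif st is H.CR_FIELD:
            if c == "\n": self._emit(); nxt = H.LINE_START
        elif st is H.CR_EMPTY:
            if c == "\n": nxt = H.DONE
        self.state = nxt

def decode_header(fragments):
    # Feed fragments in arrival order; return (state reached, decoded header fields)
    dec = HeaderDecoder()
    for frag in fragments:
        if dec.feed(frag) in (H.DONE, H.ABNORMAL): break
    return dec.state, dec.headers

if __name__ == "__main__":
    # Constructed sample: the Host value is cut across two fragments
    print(decode_header([b"Host: www.ba", b"idu.com\r\nX-Empty:\r\n\r\n"]))
    print(decode_header([b"Bad Name: x\r\n"])[0])  # H.ABNORMAL: SP is not a token character
```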
The message-body part of an HTTP request message can likewise be decoded by a suitable state machine designed according to its concrete message format, which is not described in detail here.
In addition, the state machine of Fig. 3 can be layered further: for example, the Method state in Fig. 3 is an ordinary state as far as the start-line state machine is concerned, but the Method state is itself a string state machine.
The state machine of the Method in the start-line part of an HTTP request message is described below with reference to Fig. 5. According to the definition in RFC 2616, the Method of an HTTP request message is a specific string, and the possible strings are: "OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE" and "CONNECT". A string state machine as shown in Fig. 5 can therefore be designed from these strings. The initial state of this state machine is state 0, and the possible finishing states are state 13, state 15, state 18, state 20, state 23, state 29, state 34 and state 41. When the start-line state machine jumps from its initial state to the Method state, the state switches to state 0 of the string state machine of Fig. 5; when this string state machine jumps to a finishing state, the Method state in the start-line state machine is finished, and on receipt of the next space character the machine jumps to the space state of Fig. 3. Like the start-line state machine, the Method string state machine also has an abnormal state: for example, when the state machine is in state 1, only the character 'P' is a legal input, and every other input leads to the abnormal state, indicating that the packet entering the decoder, or the packet to which the data fragment entering the decoder belongs, contains an illegal Method field.
Thus, in the decoding scheme of the present invention an application layer network protocol data packet is divided into a plurality of data fragment groups, which are decoded in turn using a state machine. First, the data in the first data fragment group of the packet is extracted and, with the extracted data as input, the machine jumps to a first intermediate state while the corresponding protocol decoding is executed. Then the data in the next data fragment group of the packet is extracted and, with the extracted data as input, the machine jumps to the next intermediate state while the corresponding protocol decoding is executed. The operations of extracting, jumping and decoding are repeated in turn on the remaining data fragment groups of the packet until the finishing state is reached. The traditional network protocol decoding scheme decodes the whole application layer network protocol data packet directly, whereas the decoding scheme of the present invention uses a state machine to decode each data fragment group step by step. In an implementation, therefore, all data received from the lower-layer modules can be handed to the decoder in real time without reassembly, which removes the data integration module of the traditional decoding scheme and simplifies the module design of the network intrusion detection device.
The data fragment groups can be further divided into sub-groups and decoded in sub-steps. For example, in the HTTP request message example above, the start-line, message-header and message-body parts can serve as three data fragment groups, and when the start-line part is decoded the method field can in turn be decoded as one of its sub-groups. It should be understood that this division can be designed according to actual needs. Each data fragment group of the application layer network protocol data packet may correspond to a part of the message defined by the application layer network protocol specification, and each sub-group may correspond to one character or one field of that message. The division can be made finer still: for example, each character of the method field can be taken as the input of one state, as shown in Fig. 5. Alternatively, a whole string, for example 'OPTION', can be taken as the input of the method state in Fig. 4, that is, the decoder extracts the whole input 'OPTION' directly and jumps to the space state of Fig. 4, instead of extracting and jumping on each character of 'OPTION' one by one as in Fig. 5. In other words, the granularity of the division can be designed as required. Compared with the character-by-character extraction and jumping of Fig. 5, the real-time performance of such decoding is slightly worse, but because the many states of Fig. 5 need not be kept, it reduces the storage requirements of the decoder.
It should also be noted that although in the example above what is handed to the decoder is a data fragment (group), it may also be a complete packet. In that case the decoder's processing is the same: it still takes the divided data fragments (groups) as input and performs the state jump according to the state transition function of the current state; the only difference is that it need not wait for the next data fragment. In the former case the decoder has to wait for the data fragment (group) to arrive from the lower-layer processing module, and before that it must save the state number identifying the intermediate state (including the intermediate states of the state machines at every level).
If the extracted data does not conform to the message format laid down by the application layer protocol specification, the machine jumps to the abnormal state. Jumping to the abnormal state indicates that the packet to which the data fragment entering the decoder belongs is abnormal, which provides a stricter compliance check on packets.
In addition, because the input of a traditional network protocol decoding module is a complete packet, that is one continuous block of memory, data in that block can be read and used repeatedly during decoding, so the packet memory pointer in the traditional decoding model jumps back and forth within the packet's memory. This brings convenience to the implementation of protocol decoding, but the convenience is often built on a loss of performance: repeatedly reading and using the packet memory is in fact the packet memory pointer scanning the same memory again and again, and such repeated scanning of memory also degrades performance to a certain extent. The decoding scheme proposed by the present invention instead takes a data fragment, for example one corresponding to a field or a character of the message, as input, passes it to the state transition function of the current state and performs the state jump, while pointing the data pointer at the field or character following the current one as the input of the next state. The data pointer thus always points to the next field or character until it reaches the end of the input data. It can be seen that the state machine performs a single pass over the input data from beginning to end. Compared with the repeated scanning that may occur in the traditional decoding model, this single pass improves performance.
The decoding scheme of the present invention can also be applied to application layer network protocols other than HTTP. For example, it can be applied to common basic network protocols such as the File Transfer Protocol (FTP), the Trivial File Transfer Protocol (TFTP), the Telnet protocol, the Simple Mail Transfer Protocol (SMTP), the POP3 protocol and the Secure Hypertext Transfer Protocol (HTTPS), and also to application protocols such as SMB, SMB2, RPC, SUNRPC, MSN, ICQ, TDS, TNS, BT, eDonkey and Xunlei (Thunder). In general, this scheme can be used for any network protocol whose message format can be described in a formal language.
FTP is taken as a further example below. FTP uses a command-reply message sequence.
The FTP command message state machine is shown in Fig. 6, in which the method state and the parameter state are themselves sub-state machines. Fig. 7 shows the method state machine and Fig. 8 shows the parameter state machine. The format of the parameter state differs from method to method; common formats include character strings, printable character strings, integers, address-port and so on. For example, the address-port format of the PORT command parameter is
<number>,<number>,<number>,<number>,<number>,<number>,<number>
where <number> is a number from 0 to 255; the corresponding state machine is shown in Fig. 8.
Fig. 9 shows the FTP response message state machine.
The meaning of each state in Figs. 6 to 9 is laid down in RFC 959 and is therefore not described in detail here.
Figure 10 A and Figure 10 B are the schematic flow diagrams of coding/decoding method according to an embodiment of the invention.
Shown in Figure 10 A, extract data in the first data fragmentation group of application layer the Internet protocol data bag at step S1010, and be input with the data of being extracted, jump to first intermediateness, carry out the corresponding protocol decoding simultaneously.Then, extract data in next data fragmentation group of this application layer the Internet protocol data bag, and be input, jump to next intermediateness, carry out the corresponding protocol decoding simultaneously with the data of being extracted at step S1020.At step S1030, successively the remainder data burst group of this application layer the Internet protocol data bag is repeated the operation of S1020, until arriving done state.Above-mentioned each step can also comprise the step shown in Figure 10 B.Shown in Figure 10 B, at step S1011, extract the data in the first son group in the data fragmentation group, and be input with the data of being extracted, jump to the first sub-intermediateness, carry out the corresponding protocol decoding simultaneously.At step S1012, extract the data in the next son group in this data fragmentation group, and be input with the data of being extracted, jump to the next son intermediateness, carry out the corresponding protocol decoding simultaneously.At step S1013, successively all the other the son groups in this data fragmentation group are repeated the operation of step S1012, until arriving sub-done state.Certainly, can also carry out similar decoding processing to littler child group as required.This method can also comprise if the data of being extracted do not meet the message format of application layer network layer protocol regulation, the step that jumps to the step of abnormality and preserve the state number of each intermediateness of sign or sub-intermediateness.
Fig. 11 is a schematic block diagram of the decoder according to an embodiment of the invention.
As shown in Fig. 11, the decoder 1100 comprises decoding means 1110 and transition means 1120. The decoding means extracts the data in the first data fragment group of the application layer network protocol data packet; the transition means takes the extracted data as input and jumps to a first intermediate state, while the decoding means performs the corresponding protocol decoding. The decoding means then extracts the data in the next data fragment group of the application layer network protocol data packet; the transition means takes the extracted data as input and jumps to the next intermediate state, while the decoding means performs the corresponding protocol decoding. The decoding means and the transition means repeat the above extraction, transition and decoding operations in turn for the remaining data fragment groups of the application layer network protocol data packet until the end state is reached.

In addition, the decoding means may extract the data in the first subgroup of a data fragment group; the transition means may take the extracted data as input and jump to a first sub-intermediate state, while the decoding means performs the corresponding protocol decoding. The decoding means may extract the data in the next subgroup of the data fragment group; the transition means may take the extracted data as input and jump to the next sub-intermediate state, while the decoding means performs the corresponding protocol decoding. The decoding means and the transition means may repeat the above extraction, transition and decoding operations in turn for the remaining subgroups of the data fragment group until the sub-end state is reached.

If the extracted data does not conform to the message format specified by the application layer network protocol, the transition means may jump to an abnormal state. The decoder 1100 may further comprise storage means 1130 for saving a state number identifying each intermediate state or sub-intermediate state.
Fig. 12 is a schematic diagram of a network intrusion detection device according to an embodiment of the invention. As can be seen, it comprises an application layer network protocol decoding module (decoder) according to an embodiment of the invention. The data fragments obtained from the external network data after lower-layer processing can be decoded directly by the application layer network protocol decoding module, and the decoded result is supplied to the other modules for use. The conventional data reassembly module is thus dispensed with, which saves a large amount of data buffering and copying.
It should be noted that although the description above takes IDS/IPS equipment as its example, the invention is obviously not limited thereto and can also be applied to other types of equipment that need to decode network protocols.
Although the invention has been illustrated and described in the drawings and the foregoing description, such illustration and description are to be considered illustrative or exemplary rather than restrictive. The invention is not limited to the disclosed embodiments. Other modifications will be apparent to those skilled in the art from reading the present disclosure. Such modifications may involve other features already known in the art that can be used instead of or in addition to the features described herein.

Claims (20)

1. A method for decoding application layer network protocol data packets, each application layer network protocol data packet comprising a plurality of data fragment groups, the method comprising:
a) extracting the data in the first data fragment group of the application layer network protocol data packet and, with the extracted data as input, jumping to a first intermediate state while performing the corresponding protocol decoding;
b) extracting the data in the next data fragment group of the application layer network protocol data packet and, with the extracted data as input, jumping to the next intermediate state while performing the corresponding protocol decoding;
c) repeating step b) in turn for the remaining data fragment groups of the application layer network protocol data packet until the end state is reached.
2. The method of claim 1, wherein each data fragment group of the application layer network protocol data packet corresponds to a part of a message specified by the application layer network protocol.
3. The method of claim 1, wherein each of steps a) and b) comprises:
d) extracting the data in the first subgroup of the data fragment group and, with that data as input, jumping to a first sub-intermediate state while performing the corresponding protocol decoding;
e) extracting the data in the next subgroup of the data fragment group and, with that data as input, jumping to the next sub-intermediate state while performing the corresponding protocol decoding;
f) repeating step e) in turn for the remaining subgroups of the data fragment group until the sub-end state is reached.
4. The method of claim 3, wherein each subgroup corresponds to one character or one field of a message specified by the application layer network protocol.
5. The method of any one of claims 1-4, further comprising:
jumping to an abnormal state if the extracted data does not conform to the message format specified by the application layer network protocol.
6. The method of any one of claims 1-4, further comprising:
saving a state number identifying each intermediate state or sub-intermediate state.
7. The method of any one of claims 1-4, wherein the application layer network protocol comprises at least the Hypertext Transfer Protocol HTTP, the File Transfer Protocol FTP, the Trivial File Transfer Protocol TFTP, the Telnet protocol, the Simple Mail Transfer Protocol SMTP, the POP3 protocol and the Hypertext Transfer Protocol Secure HTTPS, and other such application protocols.
8. The method of any one of claims 1-4, wherein the method is performed on an intrusion detection system IDS / intrusion prevention system IPS.
9. The method of any one of claims 1-4, wherein each intermediate state and the end state are defined according to the message format specified by the application layer network protocol.
10. A decoder for decoding application layer network protocol data packets, each application layer network protocol data packet comprising a plurality of data fragment groups, the decoder comprising:
decoding means; and
transition means, wherein the decoding means and the transition means are configured such that:
the decoding means extracts the data in the first data fragment group of the application layer network protocol data packet, the transition means takes the extracted data as input and jumps to a first intermediate state, and the decoding means simultaneously performs the corresponding protocol decoding;
the decoding means extracts the data in the next data fragment group of the application layer network protocol data packet, the transition means takes the extracted data as input and jumps to the next intermediate state, and the decoding means simultaneously performs the corresponding protocol decoding;
the decoding means and the transition means repeat the above operations in turn for the remaining data fragment groups of the application layer network protocol data packet until the end state is reached.
11. The decoder of claim 10, wherein each data fragment group of the application layer network protocol data packet corresponds to a part of a message specified by the application layer network protocol.
12. The decoder of claim 11, wherein the decoding means and the transition means are further configured such that:
the decoding means extracts the data in the first subgroup of the data fragment group, the transition means takes the extracted data as input and jumps to a first sub-intermediate state, and the decoding means simultaneously performs the corresponding protocol decoding;
the decoding means decodes the data in the next subgroup of the data fragment group, the transition means takes the extracted data as input and jumps to the next sub-intermediate state, and the decoding means simultaneously performs the corresponding protocol decoding;
the decoding means and the transition means repeat the above decoding and transition operations in turn for the remaining subgroups of the data fragment group until the sub-end state is reached.
13. The decoder of claim 12, wherein each subgroup corresponds to one character or one field of a message specified by the application layer network protocol.
14. The decoder of any one of claims 10-13, wherein the transition means is configured to:
jump to an abnormal state if the extracted data does not conform to the message format specified by the application layer network protocol.
15. The decoder of any one of claims 10-13, further comprising:
storage means for saving a state number identifying each intermediate state or sub-intermediate state.
16. The decoder of any one of claims 10-13, wherein the application layer network protocol comprises at least the Hypertext Transfer Protocol HTTP, the File Transfer Protocol FTP, the Trivial File Transfer Protocol TFTP, the Telnet protocol, the Simple Mail Transfer Protocol SMTP, the POP3 protocol and the Hypertext Transfer Protocol Secure HTTPS, and other such application protocols.
17. The decoder of any one of claims 10-13, wherein the decoder is implemented on an intrusion detection system IDS / intrusion prevention system IPS.
18. The decoder of any one of claims 10-13, wherein each intermediate state and the end state are defined according to the message format specified by the application layer network protocol.
19. A network device comprising the decoder of any one of claims 10-18.
20. The network device of claim 19, wherein the network device comprises an intrusion detection system IDS / intrusion prevention system IPS device.
Priority Applications (1)

Application Number: CN2010105329036A; Priority Date: 2010-11-02; Filing Date: 2010-11-02; Title: Method and device for decoding network protocol; Status: Pending

Publications (1)

Publication Number: CN102075512A (en); Publication Date: 2011-05-25

Family

ID=44033857

Country Status (1)

CN (1) CN102075512A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1166755A (en) * 1996-04-09 1997-12-03 Thomson Multimedia Code sequence detection in trellis decoder
CN1464501A (en) * 2002-06-28 2003-12-31 Tsinghua University An impact and noise resistance process of limiting observation probability minimum value in a speech recognition system
CN1941636A (en) * 2005-03-16 2007-04-04 Kabushiki Kaisha Toshiba Encoding method, decoding method, encoding system, recording method, reading method and recording system
US7782801B2 (en) * 2007-05-29 2010-08-24 Red Hat, Inc. Flush support for virtual synchrony

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110525