CN102142925A - Method, equipment and system for filtering deep packet inspection - Google Patents

Info

Publication number: CN102142925A
Authority: CN (China)
Prior art keywords: user, deep, packet detection, filtering policy, upstream data
Legal status: Granted (Active)
Application number: CN2010102535101A
Other languages: Chinese (zh)
Other versions: CN102142925B (en)
Inventor: 夏秀岩
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201010253510.1A
Publication of CN102142925A
Application granted
Publication of CN102142925B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
Abstract

An embodiment of the invention relates to a deep packet inspection (DPI) filtering method, device and system. The DPI filtering method comprises the following steps: determining, according to the related information of a user who sends uplink data, the user DPI filtering policy corresponding to that information; sending the user DPI filtering policy to a DPI execution function entity; the DPI execution function entity performing user DPI content identification on the uplink data according to the user DPI filtering policy; and filtering out the content in the uplink data that the user is restricted from accessing. After the user's related information is obtained, the embodiment applies a corresponding user DPI filtering policy to each user according to that information. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so the requirements of different user groups can be met and content can be filtered more accurately and in finer detail.

Description

Deep packet inspection filtering method, device and system
Technical field
Embodiments of the invention relate to the field of communications technology, and in particular to a deep packet inspection filtering method, device and system.
Background
Deep packet inspection (Deep Packet Inspection; DPI for short) technology can be applied to traffic management, security and network analysis, and can analyse the content of network packets. DPI can provide deep packet inspection for different applications; it can examine the content and payload of a packet and extract content-level information such as malware, specific data and application type.
In the prior art, a gateway general packet radio service support node (Gateway General Packet Radio Service Support Node; GGSN for short) can use an embedded DPI function or an independent DPI server to perform deep packet filtering and analysis on a mobile user's uplink and downlink data. An operator can configure different packet filtering/analysis rules for access point names (Access Point Name; APN for short) on the GGSN, and the GGSN processes user packets according to these rules, for example: source/destination IP address filtering at layer 3; port number filtering at layer 4; URL filtering at layer 7. Through packet filtering and analysis at layers 3 to 7, the GGSN can identify and distinguish the content carried in the user's uplink and downlink data and judge whether to allow it to be processed.
However, the filtering mode of an existing GGSN or independent DPI filtering server is inflexible, which does not help achieve fine-grained management.
Summary of the invention
Embodiments of the invention provide a deep packet inspection filtering method, device and system that solve the inflexible filtering mode of existing DPI filtering technology and allow the content of a DPI filtering policy to be set flexibly.
An embodiment of the invention provides a deep packet inspection filtering method, comprising:
determining, according to the related information of a user who sends uplink data, the user DPI filtering policy corresponding to the user's related information;
sending the user DPI filtering policy to a DPI execution function entity, so that the DPI execution function entity performs user DPI content identification on the uplink data according to the user DPI filtering policy and filters out the content in the uplink data that the user is restricted from accessing.
An embodiment of the invention further provides a deep packet inspection filtering method, comprising:
obtaining the user DPI filtering policy that a DPI rule function entity determines according to the related information of a user who sends uplink data;
performing DPI content identification on the uplink data according to the user DPI filtering policy, and filtering out the content in the uplink data that the user is restricted from accessing.
An embodiment of the invention further provides a DPI rule function entity, comprising:
a user policy determination module, configured to determine, according to the related information of a user who sends uplink data, the user DPI filtering policy corresponding to the user's related information;
a user policy sending module, configured to send the user DPI filtering policy to a DPI execution function entity, so that the DPI execution function entity performs user DPI content identification on the uplink data according to the user DPI filtering policy and filters out the content in the uplink data that the user is restricted from accessing.
An embodiment of the invention also provides a DPI execution function entity, comprising:
a user policy acquisition module, configured to obtain the user DPI filtering policy that a DPI rule function entity determines according to the related information of a user who sends uplink data;
a filtering module, configured to perform DPI content identification on the uplink data according to the user DPI filtering policy and filter out the content in the uplink data that the user is restricted from accessing.
An embodiment of the invention also provides a deep packet inspection filtering system, comprising a DPI rule function entity and a DPI execution function entity.
The DPI rule function entity comprises:
a user policy determination module, configured to determine, according to the related information of a user who sends uplink data, the user DPI filtering policy corresponding to the user's related information;
a user policy sending module, configured to send the user DPI filtering policy to the DPI execution function entity, so that the DPI execution function entity performs user DPI content identification on the uplink data according to the user DPI filtering policy and filters out the content in the uplink data that the user is restricted from accessing.
The DPI execution function entity comprises:
a user policy acquisition module, configured to obtain the user DPI filtering policy that the DPI rule function entity determines according to the related information of a user who sends uplink data;
a filtering module, configured to perform DPI content identification on the uplink data according to the user DPI filtering policy and filter out the content in the uplink data that the user is restricted from accessing.
With the deep packet inspection filtering method, device and system provided by the embodiments of the invention, once the user's related information has been obtained, a corresponding user DPI filtering policy can be applied to each user according to that information. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so the requirements of different user groups can be met and more accurate, finer-grained content filtering can be achieved.
Brief description of the drawings
To describe the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the first embodiment of the deep packet inspection filtering method of the invention;
Fig. 2 is a flow chart of the second embodiment of the deep packet inspection filtering method of the invention;
Fig. 3a is a schematic diagram of the application scenario of the third embodiment of the deep packet inspection filtering method of the invention;
Fig. 3b is a schematic flow chart of the third embodiment of the deep packet inspection filtering method of the invention;
Fig. 4a is a schematic diagram of the application scenario of the fourth embodiment of the deep packet inspection filtering method of the invention;
Fig. 4b is a schematic flow chart of the fourth embodiment of the deep packet inspection filtering method of the invention;
Fig. 5 is a structural diagram of the first embodiment of the DPI rule function entity of the invention;
Fig. 6 is a structural diagram of the second embodiment of the DPI rule function entity of the invention;
Fig. 7 is a structural diagram of the first embodiment of the DPI execution function entity of the invention;
Fig. 8 is a structural diagram of the second embodiment of the DPI execution function entity of the invention;
Fig. 9 is a structural diagram of an embodiment of the deep packet inspection filtering system of the invention.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the invention. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flow chart of the first embodiment of the deep packet inspection filtering method of the invention. As shown in Fig. 1, the method can comprise the following steps:
Step 101: according to the related information of a user who sends uplink data, determine the user DPI filtering policy corresponding to the user's related information.
The user's related information can include at least one of user category, user age, the products the user has subscribed to, or user location information.
In the embodiments of the invention, the user DPI filtering policy is carried out by a DPI rule function entity (DPIRF) and a DPI execution function entity (DPIEF). The DPIRF can be implemented in several ways, including the following examples:
Example one: the Gx (Diameter) interface between the policy and charging enforcement function entity (PCEF) on the gateway device (GGSN) and the policy and charging rules function entity (PCRF) is improved; the DPIEF is co-located with the PCEF and the DPIRF is deployed in the PCRF. After obtaining the user's related information from the user subscription database (SPR), the PCRF passes it to the DPIRF; the DPIRF receives the user's related information that the PCRF obtained from the SPR and loads the policy onto the PCEF.
Example two: the DPIRF is a standalone device, or the DPIRF is set up in a DPI device, for example a DPI filtering server. When DPI filtering is needed, the PCEF on the gateway device (GGSN) applies to the DPIRF for a DPI filtering policy; the interface between the PCEF and the DPIRF can be a Gx interface. In this case the DPIRF obtains the user's related information from the user subscription database (SPR) as follows: if the DPIRF receives a user DPI filtering policy request, the DPIRF sends a user information request to the SPR, which asks for the related information of the user who sent the uplink data, and receives the user's related information that the SPR returns.
Step 102: send the user DPI filtering policy to the DPI execution function entity, so that the DPI execution function entity performs user DPI content identification on the uplink data according to the user DPI filtering policy and filters out the content in the uplink data that the user is restricted from accessing.
In step 102, if the DPIRF in the system is independent of the PCRF, the DPIRF can send the user DPI filtering policy directly to the DPIEF. If the DPIRF in the system is deployed in the PCRF, the method by which the DPIRF sends the user DPI filtering policy to the DPIEF can specifically comprise:
after the PCRF sends the user DPI filtering policy to the PCEF, and when the PCEF determines that the user DPI filtering policy is to be executed, the PCEF sends the uplink data and the user DPI filtering policy to the DPIEF.
Further, the deep packet inspection filtering method can also comprise:
setting a validity period for the user DPI filtering policy, and carrying the validity period when the user DPI filtering policy is sent to the DPI execution function entity.
After the DPIRF obtains the user DPI filtering policy, it can set a validity period for the policy and then send the policy to the DPIEF together with the validity period. Within the validity period, the DPIEF can keep this user's DPI filtering policy and use it directly to perform content identification and filtering on uplink data that the user sends again.
In this embodiment, after the DPIRF or PCRF obtains the user's related information from the SPR, the DPIRF can determine a corresponding user DPI filtering policy for each user according to that information, and the DPIEF can then perform content identification and filtering on the user's data according to the user DPI filtering policy that the DPIRF determined. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so the requirements of different user groups can be met and more accurate, finer-grained content filtering can be achieved.
Fig. 2 is a flow chart of the second embodiment of the deep packet inspection filtering method of the invention. As shown in Fig. 2, the method can comprise the following steps:
Step 201: obtain the user DPI filtering policy that the DPI rule function entity determines according to the related information of the user who sends uplink data.
The user's related information can include at least one of user category, user age, the products the user has subscribed to, or user location information.
Because the DPIEF can be deployed in the PCEF and the DPIRF in the PCRF, or the DPIEF and DPIRF can each be set up independently, the public DPI filtering policy analysis that takes place before step 201 can be completed either by the DPIEF or by the PCRF, as follows:
after the PCEF receives the uplink data sent by a user who has passed authentication and authorization, the PCRF or the DPIEF receives the user DPI filtering policy request sent by the PCEF;
the PCRF or the DPIEF performs public DPI filtering policy analysis on the uplink data and judges whether the uplink data is allowed under the public DPI filtering policy;
if so, the PCRF or the DPIEF sends a user DPI filtering policy request to the DPIRF, and the request carries the user's related information.
Step 202: according to the user DPI filtering policy, perform DPI content identification on the uplink data and filter out the content in the uplink data that the user is restricted from accessing.
Step 202 can specifically comprise:
Step 2021: according to the user DPI filtering policy, judge whether the network address that the user requests to access in the uplink data is allowed; if so, perform step 2023; otherwise, perform step 2022.
Step 2022: through the PCEF, return to the user the redirect network address, or the uplink data with the specified keywords replaced.
Step 2023: through the PCEF, send the uplink data to the Internet server to which the network address requested by the user belongs.
Step 2024: through the PCEF, receive the user's downlink data returned by the Internet server.
Step 2025: according to the user DPI filtering policy, perform user DPI content identification on the downlink data, filter out the content in the downlink data that the user is restricted from accessing, and then send the result to the user through the PCEF.
Further, the deep packet inspection filtering method can also comprise:
caching the user DPI filtering policy according to the validity period that has been set;
within the validity period, if the user's uplink data or downlink data is received again, performing content identification on that uplink or downlink data according to the user DPI filtering policy and filtering out the content that the user is restricted from accessing.
After the DPIRF obtains the user DPI filtering policy, it can set a validity period for the policy and then send the policy to the DPIEF together with the validity period. Within the validity period, the DPIEF can keep this user's DPI filtering policy. When the DPIEF receives this user's uplink data again, it need not obtain the user DPI filtering policy from the DPIRF again; instead, based on the user DPI filtering policy identifier and similar information that the DPIRF sent, it uses the policy saved last time to perform user DPI content identification on the uplink data and filter out the content that this user is restricted from accessing.
In this embodiment the DPIEF can obtain the user DPI filtering policy that the DPIRF determines according to the user's related information and perform content identification and filtering on the user's data. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so the requirements of different user groups can be met and more accurate, finer-grained content filtering can be achieved.
Fig. 3a is a schematic diagram of the application scenario of the third embodiment of the deep packet inspection filtering method of the invention. As shown in Fig. 3a, the DPIRF is integrated or deployed in the PCRF, the DPIEF is integrated or deployed in the PCEF, and the PCEF is integrated or deployed in a gateway device, for example a GGSN. After the PCEF receives the uplink data sent by the user, it sends a user DPI filtering policy request to the PCRF, and the PCRF sends a user information request to the SPR to obtain the user's related information. The PCRF sends the user DPI filtering policy request, carrying the user's related information, to the DPIRF. The DPIRF can define different user DPI filtering policies according to the related information of different users; the concrete DPI filtering information (DPI data) in a user DPI filtering policy can be maintained and managed centrally by a DPI management function entity (Deep Packet Inspection Management Function; DPIMF for short). The DPIMF can synchronise the DPI data to the DPIEF, or send the DPI data to the DPIRF, from where it is synchronised to the DPIEF through the PCRF and the PCEF. The public DPI filtering policy passed between the DPIRF and the DPIEF can be identification information (ID), which avoids transmitting too much DPI filtering information on every Internet access request. After the DPIEF has performed content identification and filtering on the uplink data according to the user DPI filtering policy, the filtered uplink data can be sent to the Internet server through the PCEF, and the downlink data that the Internet server returns is sent to the DPIEF. After the DPIEF has performed content identification and filtering on the downlink data according to the user DPI filtering policy, the filtered downlink data is returned to the user through the PCEF.
In addition, a user DPI filtering policy based on the user's related information can be given a validity period, which the DPIRF specifies when it sends the user DPI filtering policy to the DPIEF. For example, with a validity period of 1 day, the DPI filtering policy is downloaded to the DPIEF the first time the user goes online that day, and the user's subsequent accesses do not need to apply for the user DPI filtering policy again. Furthermore, when a user has no corresponding user DPI filtering policy at all, the DPIRF can by default add the operator's public DPI filtering policy that is in effect for all users, for example: the operator does not allow any user to access illegal gambling sites.
Fig. 3b is a schematic flow chart of the third embodiment of the deep packet inspection filtering method of the invention. As shown in Fig. 3b, the method specifically comprises the following steps:
Step 301: after completing authentication and authorization, a user who wants to go online sends the Internet access request, i.e. the uplink data, to the PCEF on a gateway device, for example a GGSN.
Step 302: the PCEF sends a user DPI filtering policy request for this user's uplink data to the PCRF.
The user DPI filtering policy is a DPI filtering policy based on the user's related information. With it, DPI filtering can be applied to different users according to their different related information, for example: children are not allowed to access unhealthy websites. In addition, the PCEF can also send a QoS policy (for example: VIP user bandwidth 2M, ordinary user bandwidth 512k), a charging policy (for example: ordinary user download 0.1 yuan/Mb, VIP user download 0.05 yuan/Mb) and so on to the PCRF.
Step 303: the PCRF performs public DPI filtering policy analysis on the uplink data. If the uplink data is not allowed under the public DPI filtering policy, a redirect network address can be returned directly to the user. If the uplink data is allowed under the public DPI filtering policy, the user DPI filtering policy is then applied for, which requires the user's related information. Specifically, the PCRF sends to the SPR a user information request for the user's related information; this request can be carried in a Diameter message, a Simple Object Access Protocol (Simple Object Access Protocol; SOAP for short) message or the like. The user information request can include the user ID, and the SPR can return to the PCRF the user's related information that it finds by user ID, for example: user age, user category, the products the user has subscribed to, user location information, etc.
Step 304: after the PCRF receives the user's related information returned by the SPR, it can select, according to that information, the user DPI filtering policy that the current user needs, for example: the system-level public DPI filtering policy or a user-level user DPI filtering policy. The PCRF then sends the user's related information to the DPIRF to apply for the user DPI filtering policy.
Step 305: the DPIRF determines the corresponding user DPI filtering policy according to the user's related information and sends the policy so determined to the PCRF. Each user DPI filtering policy defines the uniform resource locators (Uniform/Universal Resource Locator; URL for short), keyword information and so on that the user may access or is restricted from accessing. For example, the DPI filtering policies that can be used are determined from the user's category and age: a user whose age group is children (age<=18) should use the "children DPI filtering policy"; the user category then decides whether the user is a "VIP user" or an "ordinary user", and an "ordinary user" uses the "ordinary user DPI filtering policy". In summary, the DPIRF decides to use the "ordinary user DPI filtering policy" and the "children DPI filtering policy".
Step 306: the PCRF sends the user's related information and the determined user DPI filtering policy to the PCEF, and the PCEF determines from them whether to execute the user DPI filtering policy.
Step 307: when the PCEF determines that the user DPI filtering policy needs to be executed, it sends the user's uplink data and the determined user DPI filtering policy to the DPIEF.
Step 308: the DPIEF performs user DPI content identification on the uplink data according to the user DPI filtering policy and filters out the content that this user is restricted from accessing, for example: it judges whether the network address that the user requests to access in the uplink data is within the range that the user DPI filtering policy allows; if so, access is allowed and step 310 is performed; otherwise access is restricted and step 309 or step 314 is performed.
For example: the user DPI filtering policies that the user must use are the "VIP DPI filtering policy" and the "children DPI filtering policy" returned by the DPIRF. The DPIEF then performs DPI analysis on the user's uplink data, analysing the "VIP DPI filtering policy" and the "children DPI filtering policy" one by one. Suppose it first judges whether the URL that the user requests to access, contained in the user's uplink data, is in the "ordinary user DPI filtering policy"; if it is not, access is not allowed. If it is, the DPIEF goes on to judge whether the requested URL is in the "children DPI filtering policy"; if it is, access is allowed and step 310 is performed; otherwise access is not allowed and step 309 or step 314 is performed.
Step 309: instruct the PCEF to replace the specified keywords in the uplink data.
Step 310: instruct the PCEF to send the user's uplink data to the Internet server to which the network address requested by the user belongs. If step 309 was performed after step 308, the uplink data that the PCEF sends to the Internet server in step 310 is the uplink data with some specified keywords replaced.
Step 311: the Internet server returns to the PCEF the data related to the requested network address, i.e. the user's downlink data.
Step 312: the PCEF sends the received downlink data and the user DPI filtering policy that the PCEF has saved to the DPIEF. The DPIEF performs user DPI content identification on the downlink data according to the user DPI filtering policy and filters out the content that this user is restricted from accessing. The method is the same as in step 308: judge whether the content contained in the downlink data is within the range that the user DPI filtering policy allows; if so, perform step 313; otherwise, replace the specified keywords in the downlink data and return it to the user, or perform step 314.
Step 313: the PCEF returns the user's downlink data to the user.
Step 314: the PCEF returns a redirect network address to the user. Redirection points the HTTP request at another server, for example: when the user accesses hw.cn, the server actually accessed can be the one it is redirected to, www.huawei.com.cn.
In step 308 and step 312 the DPIEF performs the same function; the difference is that step 308 executes the user DPI filtering policy on uplink data and step 312 executes it on downlink data. After the user DPI filtering policy has been executed on uplink or downlink data, the DPI filtering policy can handle the two differently. For example, for uplink data the keyword filtering mechanism can be: sending of restricted keywords is forbidden and the request is redirected to a specified network address; for downlink data the keyword filtering mechanism can be: replace the specified keywords. DPI analysis of uplink and downlink data can also handle both in the same way, for example: when access is not allowed, return a redirect network address.
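The decision flow of steps 303 to 312, together with the validity-period caching described earlier, as an added Python example that is not part of the patent text: a DPIRF stand-in chooses policy IDs from user-related information, and a DPIEF stand-in caches them and filters uplink URLs and downlink keywords. All host names, policy contents, the redirect address and the class and function names are constructed for illustration; the example assumes a URL is forwarded only if every assigned policy lists its host, and that a user with no record gets the public policy only.

```python
import re
from urllib.parse import urlsplit

VALIDITY_SECONDS = 24 * 3600                     # the page's example: 1 day
REDIRECT_URL = "http://portal.example/blocked"   # constructed redirect target

# Constructed sample data (not from the patent): SPR records and policy contents.
SPR = {
    "u-child": {"age": 12, "category": "ordinary"},
    "u-vip": {"age": 40, "category": "VIP"},
}
PUBLIC_BLOCKED_HOSTS = {"gambling.example"}      # operator-wide public policy
POLICIES = {
    "ordinary": {"hosts": {"kids.example", "news.example", "shop.example"},
                 "keywords": []},
    "vip": {"hosts": {"kids.example", "news.example", "shop.example",
                      "video.example"}, "keywords": []},
    "children": {"hosts": {"kids.example", "news.example"},
                 "keywords": ["casino"]},
}


def host_of(url):
    """Lower-cased host of a URL; tolerates a missing scheme, '' if unparsable."""
    try:
        return urlsplit(url if "://" in url else "//" + url).hostname or ""
    except ValueError:
        return ""


class DPIRF:
    """Rule function: maps user-related information to policy IDs (step 305)."""

    def __init__(self):
        self.lookups = 0                         # counts policy requests served

    def determine(self, user_id):
        self.lookups += 1
        info = SPR.get(user_id)
        if info is None:
            return []                            # no user policy: public only
        ids = ["vip" if info.get("category") == "VIP" else "ordinary"]
        age = info.get("age")
        if age is not None and age <= 18:        # threshold stated on the page
            ids.append("children")
        return ids


class DPIEF:
    """Execution function: caches policy IDs and filters traffic."""

    def __init__(self, dpirf):
        self.dpirf = dpirf
        self.cache = {}                          # user_id -> (ids, expires_at)

    def policies_for(self, user_id, now):
        cached = self.cache.get(user_id)
        if cached and now < cached[1]:
            return cached[0]                     # still valid: no new request
        ids = self.dpirf.determine(user_id)
        self.cache[user_id] = (ids, now + VALIDITY_SECONDS)
        return ids

    def filter_uplink(self, user_id, url, now):
        host = host_of(url)
        # Step 303: the public policy is checked before any user lookup.
        if not host or host in PUBLIC_BLOCKED_HOSTS:
            return ("redirect", REDIRECT_URL)
        # Step 308: policies are analysed one by one; any miss restricts access.
        for pid in self.policies_for(user_id, now):
            if host not in POLICIES[pid]["hosts"]:
                return ("redirect", REDIRECT_URL)
        return ("forward", url)

    def filter_downlink(self, user_id, body, now):
        # Step 312: specified keywords in downlink data are replaced.
        for pid in self.policies_for(user_id, now):
            for kw in POLICIES[pid]["keywords"]:
                body = re.sub(re.escape(kw), "***", body, flags=re.IGNORECASE)
        return body
```

Passing `now` explicitly keeps the expiry behaviour deterministic; a deployment would read a monotonic clock instead.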
When the user DPI filtering method of the embodiments of the present invention is implemented, the protocols used between the functional entities may include the following cases:
Case 1: The Diameter protocol (Gx) is used between the PCRF and the PCEF.
When the PCEF judges that the user is accessing the Internet for the first time, or that the validity period of the DPI filtering policy has expired, it requests the DPI filtering policy from the PCRF again. Specifically, a new attribute-value pair (Attribute-Value Pairs; abbreviated: AVP) can be added to the credit control answer (Credit Control Request; abbreviated: CCA); for example, the following is one format of the credit control answer:
<CC-Answer> ::= <Diameter Header: 272, PXY>
    *[DPI-Filter-Rule-Group]
DPI-Filter-Rule-Group ::= <AVP Header: 50001>
    *[DPI-Filter-Rule-id]
    [Expire-timer]
DPI-Filter-Rule-id ::= <AVP Header: 50002> UTF8String
Here "*[DPI-Filter-Rule-Group]" is the newly added attribute-value pair field.
Case 2: The Diameter protocol or another newly defined protocol is used between the DPIRF and the PCRF. The functions implemented may include:
The user DPI filtering policy request that the PCRF initiates to the DPIRF includes at least, but is not limited to, the following relevant information of the user: the user ID and basic user information, for example user age, user category, products subscribed to by the user, user location information, etc.;
The user DPI filtering policy that the DPIRF returns to the PCRF includes at least, but is not limited to, at least one DPI filtering policy that the user is allowed to access, the validity period, etc.
Case 3: The Diameter protocol or another newly defined protocol is used between the DPIEF and the PCEF. The functions implemented may include:
The message that the PCEF initiates to the DPIEF to instruct the DPIEF to execute the user DPI filtering policy includes at least, but is not limited to, the following information: the user ID, the user's uplink data or downlink data, the user DPI filtering policy, the validity period, etc.;
The response message that the DPIEF returns to the PCEF includes at least, but is not limited to, the following information: the filtering request result (allow, redirect, replace keywords), the redirect network address (valid when the filtering request result is redirect), and the user's uplink data or downlink data (when the filtering request result is keyword replacement).
Case 4: The Diameter protocol or the SOAP protocol (Sp) can be used between the PCRF and the SPR; the user information request that the PCRF sends to the SPR is carried in a Diameter or SOAP message.
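An added example (not part of the patent text) showing how the DPI-Filter-Rule-Group AVP of Case 1 could be encoded and parsed with the standard Diameter AVP layout of RFC 6733. The codes 50001 and 50002 come from the grammar above; the code and Unsigned32 type used for Expire-timer, the rule names and all function names are assumptions made for this example.

```python
import struct

# AVP codes 50001 and 50002 are the ones given in the grammar on this page.
DPI_FILTER_RULE_GROUP = 50001
DPI_FILTER_RULE_ID = 50002
# Assumption: the page gives no code or type for Expire-timer; 50003 and an
# Unsigned32 number of seconds are placeholders chosen for this example.
EXPIRE_TIMER = 50003

FLAG_V = 0x80  # Vendor-ID field present (RFC 6733)
FLAG_M = 0x40  # Mandatory bit


def encode_avp(code, data, flags=0):
    """Encode one AVP without Vendor-ID: 8-byte header, data, zero padding to 4 bytes."""
    length = 8 + len(data)  # the AVP Length field excludes the padding
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)


def decode_avps(buf):
    """Split a buffer into (code, flags, data) tuples, rejecting malformed lengths."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_V else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("AVP length out of bounds")
        avps.append((code, flags, buf[off + hdr:off + length]))
        off += length + (-length % 4)  # skip the padding to the next AVP
    return avps


def build_rule_group(rule_ids, expire_seconds=None):
    """Build one grouped DPI-Filter-Rule-Group AVP (PCRF side)."""
    inner = b"".join(encode_avp(DPI_FILTER_RULE_ID, r.encode("utf-8")) for r in rule_ids)
    if expire_seconds is not None:
        inner += encode_avp(EXPIRE_TIMER, struct.pack("!I", expire_seconds))
    return encode_avp(DPI_FILTER_RULE_GROUP, inner)


def parse_rule_groups(cca_avps):
    """Extract every DPI-Filter-Rule-Group from the AVP bytes of a CCA (PCEF side)."""
    groups = []
    for code, _flags, data in decode_avps(cca_avps):
        if code != DPI_FILTER_RULE_GROUP:
            continue  # other AVPs of the answer are not interpreted here
        group = {"rule_ids": [], "expire": None}
        for icode, _iflags, idata in decode_avps(data):
            if icode == DPI_FILTER_RULE_ID:
                group["rule_ids"].append(idata.decode("utf-8"))  # UTF8String
            elif icode == EXPIRE_TIMER:
                # [Expire-timer] is optional and may appear at most once
                if len(idata) != 4 or group["expire"] is not None:
                    raise ValueError("bad Expire-timer")
                group["expire"] = struct.unpack("!I", idata)[0]
        groups.append(group)
    return groups


# Constructed sample: Result-Code (268) = 2001 followed by one rule group whose
# validity period is one day. The rule names are invented for illustration.
SAMPLE_CCA_AVPS = (
    encode_avp(268, struct.pack("!I", 2001), flags=FLAG_M)
    + build_rule_group(["kids-safe-urls", "block-keywords-v2"], 86400)
)

if __name__ == "__main__":
    print(parse_rule_groups(SAMPLE_CCA_AVPS))
```

The length checks in decode_avps matter on the receiving side: a grouped AVP whose declared length runs past the buffer is rejected instead of being read out of bounds.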
It should be noted that the Internet access request in the embodiments of the present invention can be an Internet access request in any of several access domains, such as an asymmetric digital subscriber line (Asymmetric Digital Subscriber Line; abbreviated: ADSL) broadband access network, a WLAN, or Worldwide Interoperability for Microwave Access (abbreviated: WiMax); the DPIRF or DPIEF may be formed by integrating the Internet-access monitoring equipment of several access domains.
In this embodiment, after the PCRF obtains the user's relevant information from the SPR, the DPIRF can determine a corresponding user DPI filtering policy for each user according to that user's relevant information, and the DPIEF can obtain the user DPI filtering policy determined by the DPIRF and perform content recognition and filtering on this user's data according to it. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so it can meet the needs of different user groups and achieve more accurate and fine-grained content filtering.
Fig. 4a is a schematic diagram of the application scenario of the fourth embodiment of the deep packet inspection filtering method of the present invention. As shown in Fig. 4a, the difference from Fig. 3a is that the DPIRF and the PCRF are peer functional entities at the same network location, the DPIEF is a standalone device or is integrated into existing DPI equipment, the PCEF is deployed in the GGSN, and the user's relevant information is stored in the SPR. After the GGSN receives the uplink data sent by the user, it sends a user DPI filtering policy request to the DPIEF; the DPIEF sends a user DPI filtering policy request to the DPIRF, and the DPIRF then sends a user information request to the SPR to obtain the user's relevant information. After the DPIRF determines the user DPI filtering policy according to the user's relevant information, it sends the determined user DPI filtering policy to the DPIEF; after the DPIEF performs content recognition and filtering on the uplink data, the filtered uplink data is sent to the Internet server to which the network address requested by the user belongs. The DPIEF then performs content recognition and filtering, according to the user DPI filtering policy, on the downlink data returned by the Internet server, and the filtered downlink data is returned to the user.
Fig. 4b is a schematic flow chart of the fourth embodiment of the deep packet inspection filtering method of the present invention. As shown in Fig. 4, this deep packet inspection filtering method may specifically comprise the following steps:
Step 401: A user who needs to access the Internet, after passing authentication and authorization, sends the Internet access request, that is, the uplink data, to a gateway device, for example a GGSN.
Step 402: The GGSN sends a user DPI filtering policy request for this user's uplink data to the DPIEF.
Step 403: The DPIEF first performs the public DPI filtering policy analysis. If the public DPI filtering policy does not allow the request, the redirect network address can be returned to the user directly. If the public DPI filtering policy allows it, then after the DPIEF sends the user DPI filtering policy request to the DPIRF, the DPIRF sends a user information request to the SPR; this user information request can be carried in a Diameter or SOAP message.
Step 404: The DPIRF handles the user DPI filtering policy request according to the user's relevant information returned by the SPR, and sends the determined user DPI filtering policy to the DPIEF. For how the DPIRF determines the user DPI filtering policy, refer to the description of step 305 in the third embodiment above.
Step 405: According to the determined user DPI filtering policy, the DPIEF performs user DPI content recognition on the user's uplink data and filters the content that this user is restricted from accessing. For example, it judges whether the network address that the user requests in the uplink data is within the scope allowed by the user DPI filtering policy; if so, access is allowed and step 407 is performed; if access is restricted, step 406 or step 412 is performed.
Step 406: Instruct the GGSN to replace the specified keywords in the uplink data.
Step 407: Instruct the GGSN to send the user's uplink data to the Internet server to which the network address requested by the user belongs.
Step 408: The Internet server returns to the GGSN the data related to the requested network address, that is, the user's downlink data.
Step 409: The GGSN sends the received downlink data and the user DPI filtering policy to the DPIEF.
Step 410: The DPIEF performs user DPI content recognition on the downlink data according to the user DPI filtering policy and filters the content that this user is restricted from accessing. For example, it judges whether the content contained in the downlink data is within the scope allowed by the user DPI filtering policy; if so, step 411 is performed; otherwise, the specified keywords in the downlink data are replaced and the data is returned to the user, or step 412 is performed. The DPIEF may cache the user DPI filtering policy corresponding to the user and set a validity period for it; the validity period can be specified when the DPIRF loads the user DPI filtering policy onto the DPIEF. For example, if the specified validity period is one day, the corresponding user DPI filtering policy is loaded when the user first accesses the Internet that day, and for the rest of that day no further user DPI filtering policy request is needed as long as the corresponding user DPI filtering policy exists.
Step 411: The GGSN returns the user's downlink data to the user.
Step 412: The GGSN returns the redirect network address to the user.
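An added sketch (not code from the patent) of the DPIEF behaviour in steps 405 to 412: a per-user policy cached for its validity period, an allow-or-redirect decision on the uplink network address, and keyword replacement in downlink data. The policy fields, the host allow-list representation, the function names and the .example hosts are assumptions made for this example.

```python
import re
import time
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class UserPolicy:
    allowed_hosts: frozenset   # hosts this user may visit (assumed representation)
    blocked_keywords: tuple    # specified keywords to replace in downlink data
    redirect_url: str          # returned when access is not allowed
    expires_at: float          # end of the validity period, epoch seconds


class PolicyCache:
    """DPIEF-side cache: one policy per user, re-requested once its validity period ends."""

    def __init__(self, fetch_policy, clock=time.time):
        self._fetch = fetch_policy  # stands in for the policy request to the DPIRF
        self._clock = clock
        self._cache = {}

    def get(self, user_id):
        policy = self._cache.get(user_id)
        if policy is None or self._clock() >= policy.expires_at:
            policy = self._fetch(user_id, self._clock())
            self._cache[user_id] = policy
        return policy


def filter_uplink(policy, url):
    """Step 405: allow the request or answer with the redirect address."""
    try:
        parts = urlsplit(url)
        # Compare the parsed host, not a substring of the URL, so that
        # "http://allowed.example@other.example/" is judged as other.example.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ("redirect", policy.redirect_url)
    if parts.scheme in ("http", "https") and host in policy.allowed_hosts:
        return ("allow", url)
    return ("redirect", policy.redirect_url)


def filter_downlink(policy, body):
    """Step 410: replace the specified keywords before the data goes back to the user."""
    cleaned, replaced = body, 0
    for keyword in policy.blocked_keywords:
        cleaned, n = re.subn(re.escape(keyword), "*" * len(keyword), cleaned,
                             flags=re.IGNORECASE)
        replaced += n
    return ("replace", cleaned) if replaced else ("allow", body)


class FakeClock:
    """Controllable clock so the one-day validity period can be shown without waiting."""

    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


def demo():
    clock = FakeClock(1_000_000.0)
    requests_to_dpirf = []

    def fetch(user_id, now):  # constructed policy with a validity period of one day
        requests_to_dpirf.append(user_id)
        return UserPolicy(frozenset({"kids.example"}), ("casino",),
                          "http://portal.example/blocked", now + 86400)

    cache = PolicyCache(fetch, clock)
    results = [
        filter_uplink(cache.get("user-1"), "http://kids.example/games"),
        filter_uplink(cache.get("user-1"), "http://kids.example@other.example/"),
        filter_downlink(cache.get("user-1"), "Visit our Casino today"),
    ]
    clock.now += 86400  # validity period over: the next lookup requests the policy again
    cache.get("user-1")
    return results, len(requests_to_dpirf)


if __name__ == "__main__":
    print(demo())
```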
In this embodiment, after the DPIRF obtains the user's relevant information from the SPR, the DPIRF can determine a corresponding user DPI filtering policy for each user according to that user's relevant information, and the DPIEF can obtain the user DPI filtering policy determined by the DPIRF and perform content recognition and filtering on this user's data according to it. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so it can meet the needs of different user groups and achieve more accurate and fine-grained content filtering.
Fig. 5 is a schematic structural diagram of the first embodiment of the deep packet inspection rules function entity of the present invention. As shown in Fig. 5, this deep packet inspection rules function entity may comprise:
User policy determination module 51, configured to determine, according to the relevant information of the user who sends uplink data, the user deep packet inspection filtering policy corresponding to the user's relevant information;
User policy sending module 52, configured to send the user deep packet inspection filtering policy to the deep packet inspection execution function entity, so that the deep packet inspection execution function entity performs user deep packet inspection content recognition on the uplink data according to the user deep packet inspection filtering policy and filters the content in the uplink data that the user is restricted from accessing.
Specifically, the deep packet inspection rules function entity (DPIRF) can be set up independently or in DPI equipment, or can be deployed in the policy and charging rules function entity (PCRF). After the DPIRF obtains from the user subscription database (SPR) the relevant information of the user who sends uplink data, or after the PCRF obtains the user's relevant information from the SPR and sends it to the DPIRF, the user policy determination module 51 can determine, according to the relevant information of the user who sends uplink data, the user deep packet inspection (DPI) filtering policy corresponding to this user's relevant information. The user policy sending module 52 then sends this user DPI filtering policy to the deep packet inspection execution function entity (DPIEF); according to this user DPI filtering policy, the DPIEF can perform user deep packet inspection content recognition on the uplink data and filter the content in the uplink data that this user is restricted from accessing. The DPIEF can then send the filtered uplink data, through the policy and charging execution function entity (PCEF) on the gateway device, to the Internet server where the network address requested by the user is located; if downlink data returned by the Internet server is received, the received downlink data is filtered according to the user DPI filtering policy and then returned to the user.
In this embodiment, after the DPIRF or the PCRF obtains the user's relevant information from the SPR, the user policy determination module of the DPIRF can determine a corresponding user DPI filtering policy for each user according to that user's relevant information, the user policy sending module can send this user DPI filtering policy to the DPIEF, and the DPIEF can then perform content recognition and filtering on this user's data according to the user DPI filtering policy determined by the DPIRF. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so it can meet the needs of different user groups and achieve more accurate and fine-grained content filtering.
Fig. 6 is a schematic structural diagram of the second embodiment of the deep packet inspection rules function entity of the present invention. As shown in Fig. 6, on the basis of the first embodiment of the deep packet inspection rules function entity of the present invention, this deep packet inspection rules function entity may further comprise: a user information request module 53 or a user information receiving module 54.
User information request module 53, configured to, if a user deep packet inspection filtering policy request is received, send a user information request to the user subscription database, the user information request being used to request the relevant information of the user who sends uplink data, and to receive the user's relevant information returned by the user subscription database;
User information receiving module 54, configured to receive the user's relevant information that the policy and charging rules function entity obtains from the user subscription database.
Further, this deep packet inspection rules function entity may also comprise:
Validity period setting module 55, configured to set the validity period of the user deep packet inspection filtering policy; the validity period is carried when the user deep packet inspection filtering policy is sent to the deep packet inspection execution function entity.
Specifically, when the DPIRF is set up independently or in DPI equipment, after the DPIRF receives the user DPI filtering policy request sent by the PCEF on the gateway device, the user information request module 53 can send a user information request to the user subscription database to request the relevant information of the user who sends uplink data, and receive this user's relevant information returned by the user subscription database. When the DPIRF and the PCRF are deployed together, this user's relevant information can be obtained from the user subscription database by the PCRF, and the user information receiving module 54 of the DPIRF then receives this user's relevant information sent by the PCRF. The user policy determination module 51 can determine, according to the relevant information of the user who sends uplink data, the user DPI filtering policy corresponding to this user's relevant information; the validity period setting module 55 can set the validity period of this user DPI filtering policy; the user policy sending module 52 then sends this user DPI filtering policy to the DPIEF. Within the validity period of the user DPI filtering policy, the DPIEF can perform user deep packet inspection content recognition on the uplink data according to this user DPI filtering policy and filter the content in the uplink data that this user is restricted from accessing. The DPIEF can then send the filtered uplink data, through the PCEF on the gateway device, to the Internet server where the network address requested by the user is located; if downlink data returned by the Internet server is received, the received downlink data is filtered according to the user DPI filtering policy and then returned to the user.
In this embodiment, after the user information request module or the user information receiving module of the DPIRF obtains the user's relevant information, the user policy determination module can determine a corresponding user DPI filtering policy for each user according to that user's relevant information, the validity period setting module can set the validity period of this user DPI filtering policy, the user policy sending module can send this user DPI filtering policy and its validity period to the DPIEF, and the DPIEF can then perform content recognition and filtering on this user's data according to the user DPI filtering policy determined by the DPIRF. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so it can meet the needs of different user groups and achieve more accurate and fine-grained content filtering.
Fig. 7 is a schematic structural diagram of the first embodiment of the deep packet inspection execution function entity of the present invention. As shown in Fig. 7, this deep packet inspection execution function entity may comprise: a user policy acquisition module 71 and a filtering module 72.
User policy acquisition module 71, configured to obtain the user deep packet inspection filtering policy that the user deep packet inspection rules function entity determines according to the relevant information of the user who sends uplink data;
Filtering module 72, configured to perform deep packet inspection content recognition on the uplink data according to the user deep packet inspection filtering policy and filter the content in the uplink data that the user is restricted from accessing.
Specifically, the deep packet inspection execution function entity (DPIEF) can be set up independently or in DPI equipment, or can be deployed in the policy and charging execution function entity (PCEF). After the user policy acquisition module 71 of the DPIEF receives the user deep packet inspection (DPI) filtering policy that the DPIRF determines according to the relevant information of the user who sends uplink data, the filtering module 72 performs deep packet inspection content recognition on the uplink data according to this user DPI filtering policy and filters the content in the uplink data that this user is restricted from accessing. The uplink data is sent through the gateway device to the Internet server where the network address requested by the user is located; if downlink data returned by the Internet server is received, the received downlink data is filtered according to the user DPI filtering policy and then returned to the user.
In this embodiment, the user policy acquisition module of the DPIEF can obtain the user DPI filtering policy that the DPIRF determines according to the user's relevant information, and the filtering module performs content recognition and filtering on this user's data. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so it can meet the needs of different user groups and achieve more accurate and fine-grained content filtering.
Fig. 8 is a schematic structural diagram of the second embodiment of the deep packet inspection execution function entity of the present invention. As shown in Fig. 8, on the basis of the first embodiment of the deep packet inspection execution function entity of the present invention, the filtering module 72 of this deep packet inspection execution function entity comprises: a judging submodule 721, an uplink data submodule 722 and a returning submodule 723.
Judging submodule 721, configured to judge, according to the user deep packet inspection filtering policy, whether the network address that the user requests in the uplink data is allowed to be accessed;
Uplink data submodule 722, configured to, if the network address that the user requests in the uplink data is allowed to be accessed, send the uplink data through the policy and charging execution function entity to the Internet server to which the network address requested by the user belongs;
Returning submodule 723, configured to, if the network address that the user requests in the uplink data is not allowed to be accessed, return to the user, through the policy and charging execution function entity, the redirect network address or the uplink data in which the specified keywords have been replaced.
Further, the filtering module 72 may also comprise: a downlink data submodule 724, configured to receive, through the policy and charging execution function entity, the user's downlink data returned by the Internet server; to perform user deep packet inspection content recognition on the downlink data according to the user deep packet inspection filtering policy; and, after filtering the content in the downlink data that the user is restricted from accessing, to send the downlink data to the user through the policy and charging execution function entity.
In addition, this deep packet inspection execution function entity may also comprise: a policy request receiving module 73, a public policy analysis module 74 and a user policy request module 75.
Policy request receiving module 73, configured to receive the user deep packet inspection filtering policy request sent by the policy and charging execution function entity after the policy and charging execution function entity receives the uplink data sent by the user who has passed authentication and authorization;
Public policy analysis module 74, configured to perform the public deep packet inspection filtering policy analysis on the uplink data and judge whether the uplink data is allowed under the public deep packet inspection filtering policy;
User policy request module 75, configured to, if the public deep packet inspection filtering policy allows it, send a user deep packet inspection filtering policy request to the deep packet inspection rules function entity, the user deep packet inspection filtering policy request carrying the user's relevant information.
Specifically, after the PCEF on the gateway device receives the uplink data sent by the user who has passed authentication and authorization, the policy request receiving module 73 can receive the user DPI filtering policy request sent by this PCEF; the public policy analysis module 74 performs the public DPI filtering policy analysis on this uplink data and judges whether this uplink data is allowed under the public DPI filtering policy. If it is allowed, the user policy request module 75 sends to the DPIRF a user DPI filtering policy request carrying the user's relevant information; after the DPIRF has handled the user DPI filtering policy request, it returns the determined user DPI filtering policy to the DPIEF. After the user policy acquisition module 71 receives the user DPI filtering policy that the DPIRF determines according to the relevant information of the user who sends uplink data, the judging submodule 721 of the filtering module 72 judges, according to the user DPI filtering policy, whether the network address that the user requests in the uplink data is allowed to be accessed. If so, the uplink data submodule 722 sends the uplink data, through the PCEF of the gateway device, to the Internet server to which the network address requested by the user belongs; otherwise, the returning submodule 723 returns to the user, through the PCEF, the redirect network address or the uplink data in which the specified keywords have been replaced. If the uplink data submodule 722 sends the uplink data through the PCEF of the gateway device to the Internet server to which the network address requested by the user belongs, the downlink data submodule 724 can receive from the PCEF the user's downlink data returned by the Internet server and then, according to the user DPI filtering policy, perform user DPI content recognition on the downlink data. After filtering the content in the downlink data that the user is restricted from accessing, the uplink data is sent through the PCEF to the Internet server where the network address requested by the user is located; if downlink data returned by the Internet server is received, the received downlink data is filtered according to the user DPI filtering policy and then returned to the user.
In this embodiment, the user policy acquisition module of the DPIEF can obtain the user DPI filtering policy that the DPIRF determines according to the user's relevant information, and the submodules of the filtering module perform content recognition and filtering on this user's data. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so it can meet the needs of different user groups and achieve more accurate and fine-grained content filtering.
Fig. 9 is a schematic structural diagram of an embodiment of the deep packet inspection filtering system of the present invention. As shown in Fig. 9, this deep packet inspection filtering system may comprise: a deep packet inspection rules function entity 91 and a deep packet inspection execution function entity 92;
The deep packet inspection rules function entity 91 may comprise:
A user policy determination module, configured to determine, according to the relevant information of the user who sends uplink data, the user deep packet inspection filtering policy corresponding to the user's relevant information;
A user policy sending module, configured to send the user deep packet inspection filtering policy to the deep packet inspection execution function entity, so that the deep packet inspection execution function entity performs user deep packet inspection content recognition on the uplink data according to the user deep packet inspection filtering policy and filters the content in the uplink data that the user is restricted from accessing;
The deep packet inspection execution function entity 92 may comprise:
A user policy acquisition module, configured to obtain the user deep packet inspection filtering policy that the user deep packet inspection rules function entity determines according to the relevant information of the user who sends uplink data;
A filtering module, configured to perform deep packet inspection content recognition on the uplink data according to the user deep packet inspection filtering policy and filter the content in the uplink data that the user is restricted from accessing.
Specifically, for the structure of the deep packet inspection rules function entity 91 and the deep packet inspection execution function entity 92, refer to the descriptions in the embodiments above. The deep packet inspection rules function entity 91 can be set up independently or in DPI equipment, or can be deployed in the policy and charging rules function entity 94; the deep packet inspection execution function entity 92 can be set up independently or in DPI equipment, or can be deployed in the policy and charging execution function entity 93.
When the deep packet inspection rules function entity 91 and the deep packet inspection execution function entity 92 are set up independently or in DPI equipment, the deep packet inspection rules function entity 91 can receive the user DPI filtering policy request sent by the gateway device, then send a user information request to the user subscription database to request the relevant information of the user who sends uplink data, receive this user's relevant information returned by the user subscription database, and determine the corresponding user DPI filtering policy according to the user's relevant information; it then sends this user DPI filtering policy to the deep packet inspection execution function entity 92. According to this user DPI filtering policy, the deep packet inspection execution function entity 92 can perform user DPI content recognition on the uplink data and filter the content in the uplink data that this user is restricted from accessing.
Further, this deep packet inspection filtering system may also comprise:
Policy and charging execution function entity 93, configured to, after receiving the uplink data sent by the user who has passed authentication and authorization, send a user deep packet inspection filtering policy request to the policy and charging rules function entity 94 or the deep packet inspection execution function entity 92;
Policy and charging rules function entity 94, configured to, after receiving the user deep packet inspection filtering policy request sent by the policy and charging execution function entity 93, perform the public deep packet inspection filtering policy analysis on the uplink data and judge whether the uplink data is allowed under the public deep packet inspection filtering policy; if so, to send a user deep packet inspection filtering policy request to the deep packet inspection rules function entity 91, the user deep packet inspection filtering policy request carrying the user's relevant information.
When the deep packet inspection rules function entity 91 is deployed in the policy and charging rules function entity 94, and the deep packet inspection execution function entity 92 is deployed together with the policy and charging execution function entity 93, the policy and charging rules function entity 94 can obtain this user's relevant information from the user subscription database and then send it to the deep packet inspection rules function entity 91. The deep packet inspection rules function entity 91 can determine, according to the user's relevant information, the user DPI filtering policy corresponding to this user's relevant information, and then send this user DPI filtering policy to the deep packet inspection execution function entity 92. According to this user DPI filtering policy, the deep packet inspection execution function entity 92 can perform user deep packet inspection content recognition on the uplink data and filter the content in the uplink data that this user is restricted from accessing. The deep packet inspection execution function entity 92 then sends the uplink data, through the policy and charging execution function entity 93 on the gateway device, to the Internet server where the network address requested by the user is located; if downlink data returned by the Internet server is received, the received downlink data is filtered according to the user DPI filtering policy and then returned to the user.
In this embodiment, the deep packet inspection rules function entity determines the user DPI filtering policy according to the user's relevant information, and the deep packet inspection execution function entity can perform content recognition and filtering on this user's data according to the user DPI filtering policy determined by the deep packet inspection rules function entity. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so it can meet the needs of different user groups and achieve more accurate and fine-grained content filtering.
A person of ordinary skill in the art will understand that all or part of the steps of the method embodiments above can be carried out by hardware under the instruction of a program. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above; the storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the embodiments above are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some of their technical features can be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (18)

1. A deep packet inspection (DPI) filtering method, characterized by comprising:
determining, according to related information of a user who sends uplink data, a user DPI filtering policy corresponding to the user's related information;
sending the user DPI filtering policy to a DPI enforcement function entity, so that the DPI enforcement function entity performs user DPI content identification on the uplink data according to the user DPI filtering policy and filters out the content in the uplink data that the user is restricted from accessing.
2. The DPI filtering method according to claim 1, characterized in that the user's related information comprises at least one of user category, user age, products subscribed to by the user, or user location information, and before the determining, according to related information of a user who sends uplink data, of a user DPI filtering policy corresponding to the user's related information, the method comprises:
if a user DPI filtering policy request is received, sending a user information request to a user subscription database, the user information request being used to request the related information of the user who sends the uplink data, and receiving the user's related information returned by the user subscription database; or
receiving the user's related information that a policy and charging rules function entity obtained from the user subscription database.
3. The DPI filtering method according to claim 1, characterized in that the sending the user DPI filtering policy to a DPI enforcement function entity comprises:
after the user DPI filtering policy is sent to a policy and charging enforcement function entity through a policy and charging rules function entity, and when the policy and charging enforcement function entity determines that the user DPI filtering policy is to be executed, sending, by the policy and charging enforcement function entity, the uplink data and the user DPI filtering policy to the DPI enforcement function entity.
4. The DPI filtering method according to claim 1, characterized by further comprising:
setting a validity period for the user DPI filtering policy, and carrying the validity period when the user DPI filtering policy is sent to the DPI enforcement function entity.
5. A deep packet inspection (DPI) filtering method, characterized by comprising:
obtaining a user DPI filtering policy determined by a user DPI rule function entity according to related information of a user who sends uplink data;
performing DPI content identification on the uplink data according to the user DPI filtering policy, and filtering out the content in the uplink data that the user is restricted from accessing.
6. The DPI filtering method according to claim 5, characterized in that the performing DPI content identification on the uplink data according to the user DPI filtering policy, and filtering out the content in the uplink data that the user is restricted from accessing, comprises:
judging, according to the user DPI filtering policy, whether access to the network address that the user requests to visit in the uplink data is allowed;
if so, sending the uplink data, through a policy and charging enforcement function entity, to the Internet server to which the network address requested by the user belongs;
otherwise, returning to the user, through the policy and charging enforcement function entity, uplink data in which the network address has been redirected or the specified keyword has been replaced.
7. The DPI filtering method according to claim 6, characterized in that, after the sending the uplink data, through a policy and charging enforcement function entity, to the Internet server to which the network address requested by the user belongs, the method comprises:
receiving, through the policy and charging enforcement function entity, the user's downlink data returned by the Internet server;
performing user DPI content identification on the downlink data according to the user DPI filtering policy, filtering out the content in the downlink data that the user is restricted from accessing, and then sending the downlink data to the user through the policy and charging enforcement function entity.
8. The DPI filtering method according to claim 5, characterized in that the user's related information comprises at least one of user category, user age, products subscribed to by the user, or user location information, and before the obtaining a user DPI filtering policy determined by a user DPI rule function entity according to related information of a user who sends uplink data, the method comprises:
after a policy and charging enforcement function entity receives uplink data sent by a user who has passed authentication and authorization, receiving, by a policy and charging rules function entity or a DPI filtering enforcement function entity, a user DPI filtering policy request sent by the policy and charging enforcement function entity;
performing, by the policy and charging rules function entity or the DPI filtering enforcement function entity, common DPI filtering policy analysis on the uplink data, and judging whether the uplink data is allowed under the common DPI filtering policy;
if so, sending, by the policy and charging rules function entity or the DPI filtering enforcement function entity, a user DPI filtering policy request to the DPI rule function entity, the user DPI filtering policy request carrying the user's related information.
9. The DPI filtering method according to any one of claims 5-8, characterized by further comprising:
caching the user DPI filtering policy according to the validity period that has been set;
within the validity period, if uplink data or downlink data of the user is received again, performing content identification on the user's uplink data or downlink data according to the user DPI filtering policy, and filtering out the content in the uplink data or the downlink data that the user is restricted from accessing.
10. A deep packet inspection (DPI) rule function entity, characterized by comprising:
a user policy determination module, configured to determine, according to related information of a user who sends uplink data, a user DPI filtering policy corresponding to the user's related information;
a user policy sending module, configured to send the user DPI filtering policy to a DPI enforcement function entity, so that the DPI enforcement function entity performs user DPI content identification on the uplink data according to the user DPI filtering policy and filters out the content in the uplink data that the user is restricted from accessing.
11. The DPI rule function entity according to claim 10, characterized by further comprising:
a user information request module, configured to, if a user DPI filtering policy request is received, send a user information request to a user subscription database, the user information request being used to request the related information of the user who sends the uplink data, and to receive the user's related information returned by the user subscription database; or
a user information receiving module, configured to receive the user's related information that a policy and charging rules function entity obtained from the user subscription database.
12. The DPI rule function entity according to claim 10 or 11, characterized by further comprising:
a validity period setting module, configured to set a validity period for the user DPI filtering policy, the validity period being carried when the user DPI filtering policy is sent to the DPI enforcement function entity.
13. A deep packet inspection (DPI) enforcement function entity, characterized by comprising:
a user policy obtaining module, configured to obtain a user DPI filtering policy determined by a user DPI rule function entity according to related information of a user who sends uplink data;
a filtering module, configured to perform DPI content identification on the uplink data according to the user DPI filtering policy, and to filter out the content in the uplink data that the user is restricted from accessing.
14. The DPI enforcement function entity according to claim 13, characterized in that the filtering module comprises:
a judging submodule, configured to judge, according to the user DPI filtering policy, whether access to the network address that the user requests to visit in the uplink data is allowed;
an uplink data submodule, configured to, if access to the network address that the user requests to visit in the uplink data is allowed, send the uplink data, through a policy and charging enforcement function entity, to the Internet server to which the network address requested by the user belongs;
a returning submodule, configured to, if access to the network address that the user requests to visit in the uplink data is not allowed, return to the user, through the policy and charging enforcement function entity, uplink data in which the network address has been redirected or the specified keyword has been replaced.
15. The DPI enforcement function entity according to claim 14, characterized in that the filtering module further comprises:
a downlink data submodule, configured to receive, through the policy and charging enforcement function entity, the user's downlink data returned by the Internet server; and, according to the user DPI filtering policy, to perform user DPI content identification on the downlink data, filter out the content in the downlink data that the user is restricted from accessing, and then send the downlink data to the user through the policy and charging enforcement function entity.
16. The DPI enforcement function entity according to any one of claims 13-15, characterized by further comprising:
a policy request receiving module, configured to receive, after a policy and charging enforcement function entity receives uplink data sent by a user who has passed authentication and authorization, a user DPI filtering policy request sent by the policy and charging enforcement function entity;
a common policy analysis module, configured to perform common DPI filtering policy analysis on the uplink data, and to judge whether the uplink data is allowed under the common DPI filtering policy;
a user policy request module, configured to, if the uplink data is allowed under the common DPI filtering policy, send a user DPI filtering policy request to the DPI rule function entity, the user DPI filtering policy request carrying the user's related information.
17. A deep packet inspection (DPI) filtering system, characterized by comprising a DPI rule function entity and a DPI enforcement function entity;
the DPI rule function entity comprises:
a user policy determination module, configured to determine, according to related information of a user who sends uplink data, a user DPI filtering policy corresponding to the user's related information;
a user policy sending module, configured to send the user DPI filtering policy to the DPI enforcement function entity, so that the DPI enforcement function entity performs user DPI content identification on the uplink data according to the user DPI filtering policy and filters out the content in the uplink data that the user is restricted from accessing;
the DPI enforcement function entity comprises:
a user policy obtaining module, configured to obtain the user DPI filtering policy determined by the user DPI rule function entity according to the related information of the user who sends the uplink data;
a filtering module, configured to perform DPI content identification on the uplink data according to the user DPI filtering policy, and to filter out the content in the uplink data that the user is restricted from accessing.
18. The DPI filtering system according to claim 17, characterized by further comprising:
a policy and charging enforcement function entity, connected to the DPI enforcement function entity and configured to, after receiving uplink data sent by a user who has passed authentication and authorization, send a user DPI filtering policy request to a policy and charging rules function entity or to the DPI enforcement function entity;
a policy and charging rules function entity, connected to the DPI enforcement rule entity and configured to, after receiving the user DPI filtering policy request sent by the policy and charging enforcement function entity, perform common DPI filtering policy analysis on the uplink data, and judge whether the uplink data is allowed under the common DPI filtering policy; and, if so, to send a user DPI filtering policy request to the DPI rule function entity, the user DPI filtering policy request carrying the user's related information.
CN201010253510.1A 2010-08-12 2010-08-12 Method, equipment and system for filtering deep packet inspection Active CN102142925B (en)

Publications (2)

Publication Number Publication Date
CN102142925A true CN102142925A (en) 2011-08-03
CN102142925B CN102142925B (en) 2015-01-07

Family

ID=44410180

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant