CN102142925B - Method, equipment and system for filtering deep packet inspection - Google Patents

Info

Publication number: CN102142925B
Authority: CN (China)
Prior art keywords: user, deep, packet detection, upstream data, filtering policy
Legal status: Active
Application number: CN201010253510.1A
Other languages: Chinese (zh)
Other versions: CN102142925A (en)
Inventor: 夏秀岩
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201010253510.1A
Publication of CN102142925A
Application granted
Publication of CN102142925B
Landscapes: Data Exchanges In Wide-Area Networks

Abstract

The embodiments of the invention relate to a deep packet inspection filtering method, equipment and system. The method comprises the following steps: determining, according to the relevant information of the user who sends uplink data, the user deep packet inspection (DPI) filtering policy that corresponds to that information; sending the user DPI filtering policy to a DPI execution function entity; and having the DPI execution function entity perform user DPI content identification on the uplink data according to the user DPI filtering policy and filter out the content in the uplink data that the user is restricted from accessing. Once the relevant information of the user has been obtained, a corresponding user DPI filtering policy is applied to each user according to that information. The content of the DPI filtering policy can be set flexibly and applies widely, and the requirements of different user groups can be met, so that content is filtered more accurately and finely.

Description

Deep packet inspection filtering method, equipment and system
Technical field
The embodiments of the present invention relate to the field of communication technology, and in particular to a deep packet inspection filtering method, equipment and system.
Background
Deep packet inspection (Deep Packet Inspection; DPI) technology can be applied to traffic management, security and network analysis, and can analyze the content of network packets. DPI can provide deep packet inspection for different applications: it can inspect the content and payload of a packet and extract content-level information such as malware, specific data and application type.
In the prior art, a gateway GPRS support node (Gateway General Packet Radio Service Support Node; GGSN) can use embedded DPI or an independent DPI server to perform deep packet filtering and analysis on a mobile user's uplink and downlink data. The operator can configure different packet filtering/analysis rules on the GGSN for each access point name (Access Point Name; APN), and the GGSN processes user packets according to these rules, for example: source/destination IP address filtering at layer 3; port number filtering at layer 4; URL filtering at layer 7. Through packet filtering and analysis from layer 3 to layer 7, the GGSN can identify and distinguish the content carried in the user's uplink and downlink data and decide whether to let it through.
However, the filtering performed by an existing GGSN or independent DPI filtering server is inflexible, which hinders fine-grained management.
Summary of the invention
The embodiments of the present invention provide a deep packet inspection filtering method, equipment and system that address the inflexible filtering of existing DPI filtering technology and allow the content of a DPI filtering policy to be set flexibly.
An embodiment of the present invention provides a deep packet inspection filtering method, comprising:
determining, according to the relevant information of the user sending uplink data, the user DPI filtering policy corresponding to the user's relevant information;
sending the user DPI filtering policy to a DPI execution function entity, so that the DPI execution function entity performs user DPI content identification on the uplink data according to the user DPI filtering policy and filters out the content in the uplink data that the user is restricted from accessing.
An embodiment of the present invention further provides a deep packet inspection filtering method, comprising:
obtaining the user DPI filtering policy that a DPI rule function entity determines according to the relevant information of the user sending uplink data;
performing DPI content identification on the uplink data according to the user DPI filtering policy, and filtering out the content in the uplink data that the user is restricted from accessing.
An embodiment of the present invention further provides a DPI rule function entity, comprising:
a user policy determination module, configured to determine, according to the relevant information of the user sending uplink data, the user DPI filtering policy corresponding to the user's relevant information;
a user policy sending module, configured to send the user DPI filtering policy to a DPI execution function entity, so that the DPI execution function entity performs user DPI content identification on the uplink data according to the user DPI filtering policy and filters out the content in the uplink data that the user is restricted from accessing.
An embodiment of the present invention also provides a DPI execution function entity, comprising:
a user policy acquisition module, configured to obtain the user DPI filtering policy that a DPI rule function entity determines according to the relevant information of the user sending uplink data;
a filtering module, configured to perform DPI content identification on the uplink data according to the user DPI filtering policy and filter out the content in the uplink data that the user is restricted from accessing.
An embodiment of the present invention also provides a deep packet inspection filtering system, comprising a DPI rule function entity and a DPI execution function entity.
The DPI rule function entity comprises:
a user policy determination module, configured to determine, according to the relevant information of the user sending uplink data, the user DPI filtering policy corresponding to the user's relevant information;
a user policy sending module, configured to send the user DPI filtering policy to the DPI execution function entity, so that the DPI execution function entity performs user DPI content identification on the uplink data according to the user DPI filtering policy and filters out the content in the uplink data that the user is restricted from accessing.
The DPI execution function entity comprises:
a user policy acquisition module, configured to obtain the user DPI filtering policy that the DPI rule function entity determines according to the relevant information of the user sending uplink data;
a filtering module, configured to perform DPI content identification on the uplink data according to the user DPI filtering policy and filter out the content in the uplink data that the user is restricted from accessing.
With the deep packet inspection filtering method, equipment and system provided by the embodiments of the present invention, once the relevant information of the user has been obtained, a corresponding user DPI filtering policy can be applied to each user according to that information. The content of the DPI filtering policy can be set flexibly and applies widely, the requirements of different user groups can be met, and content is filtered more accurately and finely.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the first embodiment of the deep packet inspection filtering method of the present invention;
Fig. 2 is a flowchart of the second embodiment of the deep packet inspection filtering method of the present invention;
Fig. 3a is a schematic diagram of the application scenario of the third embodiment of the deep packet inspection filtering method of the present invention;
Fig. 3b is a schematic flowchart of the third embodiment of the deep packet inspection filtering method of the present invention;
Fig. 4a is a schematic diagram of the application scenario of the fourth embodiment of the deep packet inspection filtering method of the present invention;
Fig. 4b is a schematic flowchart of the fourth embodiment of the deep packet inspection filtering method of the present invention;
Fig. 5 is a structural diagram of the first embodiment of the DPI rule function entity of the present invention;
Fig. 6 is a structural diagram of the second embodiment of the DPI rule function entity of the present invention;
Fig. 7 is a structural diagram of the first embodiment of the DPI execution function entity of the present invention;
Fig. 8 is a structural diagram of the second embodiment of the DPI execution function entity of the present invention;
Fig. 9 is a structural diagram of an embodiment of the deep packet inspection filtering system of the present invention.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flowchart of the first embodiment of the deep packet inspection filtering method of the present invention. As shown in Fig. 1, the method can comprise the following steps:
Step 101: according to the relevant information of the user sending uplink data, determine the user DPI filtering policy corresponding to the user's relevant information.
The user's relevant information can include at least one of user category, user age, the user's subscribed products, or user location information.
In the embodiments of the present invention, the user DPI filtering policy is handled by a DPI rule function entity (DPIRF) and a DPI execution function entity (DPIEF). The DPIRF can be implemented in several ways, including the following examples:
Example one: the Gx (Diameter) interface between the policy and charging enforcement function entity (PCEF) on the gateway device (GGSN) and the policy and charging rules function entity (PCRF) is extended; the PCEF and DPIEF are set up together, and the PCRF and DPIRF are deployed together. After obtaining the user's relevant information from the subscription profile repository (SPR), the PCRF passes it to the DPIRF; the DPIRF receives the user's relevant information that the PCRF obtained from the SPR and delivers the policy to the PCEF.
Example two: the DPIRF is a standalone device, or the DPIRF is placed on a DPI device such as a DPI filtering server. When DPI filtering is needed, the PCEF on the gateway device (GGSN) requests the DPI filtering policy from the DPIRF; the interface between the PCEF and the DPIRF can be the Gx interface. In this case the DPIRF obtains the user's relevant information from the SPR as follows: if the DPIRF receives a user DPI filtering policy request, it sends a user information request to the SPR, asking for the relevant information of the user sending the uplink data, and receives the user's relevant information that the SPR returns.
Step 102: send the user DPI filtering policy to the DPIEF, so that the DPIEF performs user DPI content identification on the uplink data according to the user DPI filtering policy and filters out the content in the uplink data that the user is restricted from accessing.
In step 102, if the DPIRF is independent of the PCRF in the system, the DPIRF can send the user DPI filtering policy directly to the DPIEF. If the DPIRF and PCRF are deployed together in the system, the method by which the DPIRF sends the user DPI filtering policy to the DPIEF can specifically comprise:
after the PCRF sends the user DPI filtering policy to the PCEF, and when the PCEF determines that the user DPI filtering policy is to be executed, the PCEF sends the uplink data and the user DPI filtering policy to the DPIEF.
Further, this deep packet inspection filtering method can also comprise:
setting a validity period for the user DPI filtering policy, and carrying the validity period when the user DPI filtering policy is sent to the DPIEF.
After the DPIRF obtains the user DPI filtering policy, it can set a validity period for it and then send the policy to the DPIEF together with the validity period. Within the validity period the DPIEF can save this user's DPI filtering policy and apply it directly for content identification and filtering when uplink data from this user arrives again.
In this embodiment, after the DPIRF or PCRF obtains the user's relevant information from the SPR, the DPIRF can determine a corresponding user DPI filtering policy for each user according to that information, and the DPIEF can then perform content identification and filtering on that user's data according to the policy the DPIRF determined. The content of the DPI filtering policy can be set flexibly and applies widely, the requirements of different user groups can be met, and content is filtered more accurately and finely.
Fig. 2 is a flowchart of the second embodiment of the deep packet inspection filtering method of the present invention. As shown in Fig. 2, the method can comprise the following steps:
Step 201: obtain the user DPI filtering policy that the DPIRF determines according to the relevant information of the user sending uplink data.
The user's relevant information can include at least one of user category, user age, the user's subscribed products, or user location information.
The DPIEF can be deployed together with the PCEF and the DPIRF together with the PCRF, or the DPIEF and DPIRF can be set up independently. Therefore, before step 201, the analysis against the public DPI filtering policy can be completed either by the DPIEF or by the PCRF, as follows:
after the PCEF receives the uplink data sent by a user who has passed authentication and authorization, the PCRF or the DPIEF receives the user DPI filtering policy request sent by the PCEF;
the PCRF or the DPIEF analyzes the uplink data against the public DPI filtering policy and judges whether the uplink data is allowed under the public DPI filtering policy;
if so, the PCRF or the DPIEF sends a user DPI filtering policy request to the DPIRF, and the request carries the user's relevant information.
Step 202: perform DPI content identification on the uplink data according to the user DPI filtering policy, and filter out the content in the uplink data that the user is restricted from accessing.
Step 202 can specifically comprise:
Step 2021: according to the user DPI filtering policy, judge whether access to the network address the user requests in the uplink data is allowed; if so, perform step 2023; otherwise, perform step 2022.
Step 2022: through the PCEF, return to the user either a redirected network address or the uplink data with the specified keywords replaced.
Step 2023: through the PCEF, send the uplink data to the Internet server to which the requested network address belongs.
Step 2024: through the PCEF, receive the user's downlink data returned by the Internet server.
Step 2025: perform user DPI content identification on the downlink data according to the user DPI filtering policy, filter out the content in the downlink data that the user is restricted from accessing, and send the result to the user through the PCEF.
Further, this deep packet inspection filtering method can also comprise:
caching the user DPI filtering policy according to the validity period that has been set;
within the validity period, if uplink or downlink data of the user is received again, performing content identification on that data according to the cached user DPI filtering policy and filtering out the content that the user is restricted from accessing.
After obtaining the user DPI filtering policy, the DPIRF can set its validity period and then send the policy to the DPIEF together with the validity period. Within the validity period the DPIEF can save this user's DPI filtering policy. When uplink data from this user reaches the DPIEF again, the DPIEF does not need to obtain the user DPI filtering policy from the DPIRF again; it uses the policy saved last time, found directly by the policy identifier or similar that the DPIRF sent, to perform user DPI content identification on the uplink data and filter out the content that this user is restricted from accessing.
In this embodiment the DPIEF obtains the user DPI filtering policy that the DPIRF determines according to the user's relevant information and performs content identification and filtering on that user's data. The content of the DPI filtering policy can be set flexibly and applies widely, the requirements of different user groups can be met, and content is filtered more accurately and finely.
Fig. 3a is a schematic diagram of the application scenario of the third embodiment of the deep packet inspection filtering method of the present invention. As shown in Fig. 3a, the DPIRF and PCRF are integrated or deployed together, the DPIEF and PCEF are integrated or deployed together, and the PCEF is integrated or deployed in a gateway device such as a GGSN. After the PCEF receives the uplink data sent by the user, it sends a user DPI filtering policy request to the PCRF, and the PCRF sends a user information request to the SPR to obtain the user's relevant information. The PCRF sends the user DPI filtering policy request, carrying the user's relevant information, to the DPIRF. The DPIRF can define different user DPI filtering policies according to the relevant information of different users. The concrete DPI filtering information (DPI data) in a user DPI filtering policy is maintained and managed centrally by the DPI management function entity (Deep Packet Inspection Management Function; DPIMF). The DPIMF can synchronize the DPI data to the DPIEF directly, or send the DPI data to the DPIRF, from where it is synchronized to the DPIEF through the PCRF and PCEF. The public DPI filtering policy transmitted between the DPIRF and the DPIEF can be identification information (ID), which avoids transmitting a large amount of DPI filtering information with every online request. After performing content identification and filtering on the uplink data according to the user DPI filtering policy, the DPIEF sends the filtered uplink data to the Internet server through the PCEF, and the downlink data returned by the Internet server is sent to the DPIEF. After performing content identification and filtering on the downlink data according to the user DPI filtering policy, the DPIEF returns the filtered downlink data to the user through the PCEF.
In addition, a validity period can be set for a user DPI filtering policy based on the user's relevant information; the DPIRF specifies it when sending the user DPI filtering policy to the DPIEF. For example, with a validity period of 1 day, the DPI filtering policy is downloaded to the DPIEF when the user first goes online that day, and the user's later online requests do not need to request the user DPI filtering policy again. Furthermore, when a user has no corresponding user DPI filtering policy, the DPIRF can by default add the public DPI filtering policy that the operator applies to all users, for example: the operator does not allow any user to access illegal gambling sites.
Fig. 3b is a schematic flowchart of the third embodiment of the deep packet inspection filtering method of the present invention. As shown in Fig. 3b, the method specifically comprises the following steps:
Step 301: a user who needs to go online completes authentication and authorization and then sends the online request and uplink data to the PCEF on the gateway device, for example a GGSN.
Step 302: for this user's uplink data, the PCEF sends a user DPI filtering policy request to the PCRF.
The user DPI filtering policy is a DPI filtering policy based on the user's relevant information, so different users can be filtered differently according to their relevant information; for example, under the user DPI filtering policy children are not allowed to access unhealthy websites. In addition, the PCEF can also send QoS policy (for example: VIP user bandwidth 2M, ordinary user bandwidth 512k), charging policy (for example: ordinary users download at 0.1 yuan/Mb, VIP users at 0.05 yuan/Mb) and so on to the PCRF.
Step 303: the PCRF analyzes the uplink data against the public DPI filtering policy. If the uplink data is not allowed under the public DPI filtering policy, a redirected network address can be returned directly to the user. If the uplink data is allowed under the public DPI filtering policy, the user DPI filtering policy is requested next, which requires the user's relevant information. Specifically, the PCRF sends the SPR a user information request for the user's relevant information; this request can be carried in Diameter, a Simple Object Access Protocol (SOAP) message, or similar. The user information request can include the user ID, and the SPR can return to the PCRF the relevant information it finds for that user ID, such as user age, user category, the user's subscribed products and user location information.
Step 304: after the PCRF receives the user's relevant information returned by the SPR, it can select, according to that information, the DPI filtering policy the current user needs, for example the system-level public DPI filtering policy or a user-level user DPI filtering policy. The PCRF then sends the user's relevant information to the DPIRF to request the user DPI filtering policy.
Step 305: the DPIRF determines the corresponding user DPI filtering policy according to the user's relevant information and sends it to the PCRF. Each user DPI filtering policy defines the uniform resource locators (Uniform/Universal Resource Locator; URL), keyword information and so on that the user can access or is restricted from accessing. For example, the applicable DPI filtering policies are determined from user category and age: a user whose age falls in the children range (age <= 18) should use the "children DPI filtering policy"; the user category then determines whether the user is a "VIP user" or an "ordinary user", and an "ordinary user" gets the "ordinary user DPI filtering policy". In sum, the DPIRF determines that the "ordinary user DPI filtering policy" and the "children DPI filtering policy" are used.
Step 306: the PCRF sends the user's relevant information and the determined user DPI filtering policy to the PCEF, and the PCEF decides, according to the user's relevant information and the user DPI filtering policy, whether to execute the user DPI filtering policy.
Step 307: when the PCEF determines that the user DPI filtering policy needs to be executed, it sends the user's uplink data and the determined user DPI filtering policy to the DPIEF.
Step 308: the DPIEF performs user DPI content identification on the uplink data according to the user DPI filtering policy and filters out the content that this user is restricted from accessing. For example, it judges whether the network address the user requests in the uplink data is within the range the user DPI filtering policy allows; if so, access is allowed and step 310 is performed; otherwise access is restricted and step 309 or step 314 is performed.
For example, the user DPI filtering policies the user needs are the "VIP DPI filtering policy" and "children DPI filtering policy" returned by the DPIRF. The DPIEF then performs DPI analysis on the user's uplink data, checking the "VIP DPI filtering policy" and the "children DPI filtering policy" one by one. Suppose it first judges whether the URL the user requests in the uplink data is in the "ordinary user DPI filtering policy"; if not, access is not allowed. If it is, the DPIEF goes on to judge whether the requested URL is in the "children DPI filtering policy"; if so, access is allowed and step 310 is performed; otherwise access is not allowed and step 309 or step 314 is performed.
Step 309: instruct the PCEF to replace the content of the specified keywords in the uplink data.
Step 310: instruct the PCEF to send the user's uplink data to the Internet server to which the requested network address belongs. If step 309 was performed after step 308, the uplink data the PCEF sends to the Internet server in step 310 is the uplink data with some specified keywords replaced.
Step 311: the Internet server returns to the PCEF the data at the requested network address, that is, the user's downlink data.
Step 312: the PCEF sends the received downlink data and the user DPI filtering policy it holds to the DPIEF. The DPIEF performs user DPI content identification on the downlink data according to the user DPI filtering policy and filters out the content that this user is restricted from accessing. The method is the same as in step 308: judge whether the content of the downlink data is within the range the user DPI filtering policy allows; if so, perform step 313; otherwise replace the specified keywords in the downlink data and return it to the user, or perform step 314.
Step 313: the PCEF returns the user's downlink data to the user.
Step 314: the PCEF returns the redirected network address to the user. Redirection points an HTTP request at another server; for example, when the user accesses hw.cn, the server actually accessed can be the one it is pointed to: www.huawei.com.cn.
In step 308 and step 312 the DPIEF performs the same function; the difference is that step 308 executes the user DPI filtering policy on uplink data and step 312 executes it on downlink data. After the user DPI filtering policy has been executed on uplink or downlink data, the DPI filtering policy can handle the two differently. For example, for uplink data the keyword filtering mechanism can be: sending restricted keywords is forbidden and the request is redirected to a specified network address; for downlink data the keyword filtering mechanism can be: replace the specified keywords. Uplink and downlink data can also be handled the same way after DPI analysis, for example by returning a redirected network address whenever access is not allowed.
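The sketch below walks steps 305, 308, 312 and 314 together with the validity-period cache described for Fig. 3a. It is an added illustration, not code from the patent; the policy IDs, hosts, keyword, redirect address and every function and class name are assumptions made for the example, and each policy is modelled as a list of allowed hosts plus keywords to replace.

```python
import re
import time
from urllib.parse import urlsplit

# Constructed DPI data, standing in for what the DPIMF synchronises to the DPIEF.
# Policy IDs, hosts and keywords are invented for this example.
DPI_DATA = {
    "ordinary-user": {"hosts": {"news.example", "video.example", "kids.example"},
                      "keywords": set()},
    "vip": {"hosts": {"news.example", "video.example", "kids.example",
                      "premium.example"},
            "keywords": set()},
    "children": {"hosts": {"kids.example", "news.example"},
                 "keywords": {"casino"}},
}
REDIRECT_URL = "http://portal.example/restricted"  # hypothetical redirect target
VALIDITY_SECONDS = 24 * 3600                       # the "1 day" validity period


def dpirf_determine(user_info):
    """Step 305: choose policy IDs from user category and age; only IDs travel."""
    ids = ["vip" if user_info["category"] == "VIP" else "ordinary-user"]
    if user_info["age"] <= 18:          # children threshold given in the text
        ids.append("children")
    return ids, VALIDITY_SECONDS


class Dpief:
    """DPIEF sketch: caches each user's policy IDs until the validity period ends."""

    def __init__(self, dpirf=dpirf_determine, clock=time.time):
        self.dpirf = dpirf
        self.clock = clock
        self.cache = {}                 # user_id -> (policy_ids, expires_at)
        self.dpirf_requests = 0         # how often the DPIRF had to be asked

    def policies(self, user_id, user_info):
        now = self.clock()
        entry = self.cache.get(user_id)
        if entry and now < entry[1]:
            return entry[0]             # still valid: no new request
        self.dpirf_requests += 1
        ids, validity = self.dpirf(user_info)
        self.cache[user_id] = (ids, now + validity)
        return ids

    def filter_uplink(self, user_id, user_info, url):
        """Step 308: the requested host must be allowed by every policy in turn."""
        # Compare the parsed hostname, never a substring of the URL; a URL that
        # cannot be parsed yields "" and is refused.
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:
            host = ""
        for pid in self.policies(user_id, user_info):
            if host not in DPI_DATA[pid]["hosts"]:
                return ("redirect", REDIRECT_URL)   # step 314
        return ("forward", url)                     # step 310

    def filter_downlink(self, user_id, user_info, body):
        """Step 312: replace the specified keywords before returning the data."""
        for pid in self.policies(user_id, user_info):
            for kw in DPI_DATA[pid]["keywords"]:
                body = re.sub(re.escape(kw), "*" * len(kw), body, flags=re.I)
        return body


if __name__ == "__main__":
    dpief = Dpief()
    child = {"age": 12, "category": "ordinary"}     # constructed user record
    print(dpief.filter_uplink("user-1", child, "http://kids.example/games"))
    print(dpief.filter_uplink("user-1", child, "http://video.example/clip"))
    print(dpief.filter_downlink("user-1", child, "Casino night tonight"))
```
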
In a concrete implementation of the user DPI filtering method of the embodiments of the present invention, the protocols used between the functional entities can include the following cases:
Case 1: the Diameter protocol (Gx) is used between the PCRF and the PCEF.
When the PCEF determines that the user is going online for the first time or that the validity period of the DPI filtering policy has expired, it applies to the PCRF for the DPI filtering policy again. Specifically, a new attribute-value pair (AVP) can be added to the Credit-Control-Answer (CCA). For example, the following is one format of the credit-control answer:
<CC-Answer> ::= < Diameter Header: 272, PXY >
                *[ DPI-Filter-Rule-Group ]
DPI-Filter-Rule-Group ::= < AVP Header: 50001 >
                *[ DPI-Filter-Rule-id ]
                [ Expire-timer ]
DPI-Filter-Rule-id ::= < AVP Header: 50002 > UTF8String
Here, "*[ DPI-Filter-Rule-Group ]" is the newly added attribute-value pair field.
Case 2: Diameter or another newly defined protocol is used between the DPIRF and the PCRF. The functions implemented can include:
The user DPI filtering policy request that the PCRF sends to the DPIRF includes at least, but is not limited to, the following user information: the user ID and basic user information such as the user's age, user category, products the user has subscribed to, and user location information;
The user DPI filtering policy that the DPIRF returns to the PCRF includes at least, but is not limited to, at least one DPI filtering policy governing what the user is allowed to access, the validity period, and so on.
Case 3: Diameter or another newly defined protocol is used between the DPIEF and the PCEF. The functions implemented can include:
The message that the PCEF sends to the DPIEF to instruct it to execute the user DPI filtering policy includes at least, but is not limited to, the following information: the user ID, the user's upstream or downstream data, the user DPI filtering policy, the validity period, and so on;
The response message that the DPIEF returns to the PCEF includes at least, but is not limited to, the following information: the filtering request result (allow, redirect, or replace keyword), the redirect web address (valid when the filtering request result is redirect), and the user's upstream or downstream data (with keywords replaced).
Case 4: Diameter or SOAP (Sp) can be used between the PCRF and the SPR; the user information request that the PCRF sends to the SPR is carried in a Diameter or SOAP message.
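The DPI-Filter-Rule-Group AVP from the CCA format above, encoded and parsed with strict length checks, as an added Python example that is not part of the patent text. AVP codes 50001 and 50002 come from that format; the Expire-timer code (50003), its Unsigned32 type, the zero flag byte and all function names are assumptions of this example.

```python
import struct

# AVP codes 50001 and 50002 are the ones given in the CCA format above.
AVP_DPI_FILTER_RULE_GROUP = 50001
AVP_DPI_FILTER_RULE_ID = 50002
# Assumption: the text gives no code or type for Expire-timer. 50003 and
# Unsigned32 (seconds) are placeholders used only in this example.
AVP_EXPIRE_TIMER = 50003


def encode_avp(code, data, flags=0):
    """Encode one AVP (RFC 6733 layout): code(4) flags(1) length(3) data + padding."""
    length = 8 + len(data)                       # header + data, padding excluded
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)


def decode_avps(buf):
    """Split a buffer into (code, data) pairs, rejecting malformed lengths."""
    avps, offset = [], 0
    while offset < len(buf):
        if len(buf) - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, offset)
        length = int.from_bytes(buf[offset + 5:offset + 8], "big")
        if flags & 0x80:
            raise ValueError("vendor-specific AVPs are not handled in this example")
        end = offset + length + (-length % 4)    # next AVP starts after the padding
        if length < 8 or end > len(buf):
            raise ValueError("AVP length out of bounds")
        avps.append((code, buf[offset + 8:offset + length]))
        offset = end
    return avps


def encode_rule_group(rule_ids, expire_seconds=None):
    """Build DPI-Filter-Rule-Group ::= *[DPI-Filter-Rule-id] [Expire-timer]."""
    body = b"".join(
        encode_avp(AVP_DPI_FILTER_RULE_ID, rule_id.encode("utf-8"))
        for rule_id in rule_ids
    )
    if expire_seconds is not None:
        body += encode_avp(AVP_EXPIRE_TIMER, struct.pack("!I", expire_seconds))
    return encode_avp(AVP_DPI_FILTER_RULE_GROUP, body)


def decode_rule_groups(cca_avps):
    """Extract every DPI-Filter-Rule-Group from the AVP section of a CCA."""
    groups = []
    for code, data in decode_avps(cca_avps):
        if code != AVP_DPI_FILTER_RULE_GROUP:
            continue                             # other CCA AVPs are skipped here
        rule_ids, expire = [], None
        for sub_code, sub_data in decode_avps(data):
            if sub_code == AVP_DPI_FILTER_RULE_ID:
                rule_ids.append(sub_data.decode("utf-8"))    # UTF8String
            elif sub_code == AVP_EXPIRE_TIMER:
                if len(sub_data) != 4 or expire is not None:
                    raise ValueError("malformed or repeated Expire-timer")
                (expire,) = struct.unpack("!I", sub_data)
        groups.append({"rule_ids": rule_ids, "expire": expire})
    return groups
```

A receiver that trusts the 24-bit length field without the bounds check in `decode_avps` would read past the grouped AVP when a peer sends an inconsistent length.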
It should be noted that the Internet access request in the embodiments of the present invention can be an access request in any of several access domains, such as Asymmetric Digital Subscriber Line (ADSL) broadband access networks, WLAN, and Worldwide Interoperability for Microwave Access (WiMax); the DPIRF or DPIEF can be integrated into the Internet monitoring equipment of these access domains.
In this embodiment, after the PCRF obtains the user's information from the SPR, the DPIRF can determine a corresponding user DPI filtering policy for each user according to that user's information, and the DPIEF can then obtain the policy determined by the DPIRF and perform content identification and filtering on that user's data according to it. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so the needs of different user groups can be met and content filtering becomes more accurate and fine-grained.
Fig. 4a is a schematic diagram of the application scenario of the fourth embodiment of the deep packet inspection filtering method of the present invention. As shown in Fig. 4a, the difference from Fig. 3a is that the DPIRF and the PCRF are peer functional entities at the same network location, the DPIEF is deployed as a standalone device or integrated into existing DPI equipment, the PCEF is deployed in the GGSN, and the user's information is stored in the SPR. After the GGSN receives the upstream data sent by the user, it sends a user DPI filtering policy request to the DPIEF; the DPIEF sends a user DPI filtering policy request to the DPIRF; the DPIRF then sends a user information request to the SPR to obtain the user's information. After the DPIRF determines the user DPI filtering policy according to the user's information, it sends the determined policy to the DPIEF. After the DPIEF performs content identification and filtering on the upstream data, it sends the filtered upstream data to the Internet server to which the web address requested by the user belongs. The DPIEF then performs content identification and filtering, according to the user DPI filtering policy, on the downstream data returned by the Internet server, and returns the filtered downstream data to the user.
Fig. 4b is a schematic flowchart of the fourth embodiment of the deep packet inspection filtering method of the present invention. As shown in Fig. 4, the method can include the following steps:
Step 401: after passing authentication and authorization, a user who needs to go online sends the Internet access request and upstream data to a gateway device, for example the GGSN.
Step 402: the GGSN sends a user DPI filtering policy request to the DPIEF for this user's upstream data.
Step 403: the DPIEF first performs the public DPI filtering policy analysis. If the public DPI filtering policy does not permit the upstream data, a redirect web address can be returned directly to the user. If the public DPI filtering policy permits it, the DPIEF sends a user DPI filtering policy request to the DPIRF, and the DPIRF then sends a user information request to the SPR; this request can be carried in a Diameter or SOAP message.
Step 404: the DPIRF processes the user DPI filtering policy request according to the user's information returned by the SPR and sends the determined user DPI filtering policy to the DPIEF. For the method by which the DPIRF determines the user DPI filtering policy, refer to the description of step 305 in the third embodiment above.
Step 405: the DPIEF performs user DPI content identification on the user's upstream data according to the determined user DPI filtering policy and filters the content that this user is restricted from accessing. For example, it judges whether the web address requested in the upstream data is within the scope allowed by the user DPI filtering policy. If so, access is allowed and step 407 is performed; if access is restricted, step 406 or step 412 is performed.
Step 406: the GGSN is instructed to replace the designated keywords in the upstream data.
Step 407: the GGSN is instructed to send the user's upstream data to the Internet server to which the web address requested by the user belongs.
Step 408: the Internet server returns to the GGSN the data at the requested web address, that is, the user's downstream data.
Step 409: the GGSN sends the received downstream data and the user DPI filtering policy to the DPIEF.
Step 410: the DPIEF performs user DPI content identification on the downstream data according to the user DPI filtering policy and filters the content that this user is restricted from accessing. For example, it judges whether the content of the downstream data is within the scope allowed by the user DPI filtering policy. If it is allowed, step 411 is performed; otherwise, the designated keywords in the downstream data are replaced and the result is returned to the user, or step 412 is performed. The DPIEF can cache the user DPI filtering policy corresponding to the user and set the validity period of the policy; the validity period can be specified when the DPIRF loads the user DPI filtering policy to the DPIEF. For example, if the validity period is one day, the corresponding user DPI filtering policy is loaded the first time the user goes online that day; for the rest of the day, as long as the corresponding policy exists, no further user DPI filtering policy request needs to be made.
Step 411: the GGSN returns the user's downstream data to the user.
Step 412: the GGSN returns the redirect web address to the user.
In this embodiment, after the DPIRF obtains the user's information from the SPR, it can determine a corresponding user DPI filtering policy for each user according to that user's information, and the DPIEF can then obtain the policy determined by the DPIRF and perform content identification and filtering on that user's data according to it. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so the needs of different user groups can be met and content filtering becomes more accurate and fine-grained.
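The decision flow of steps 405 to 412 and the validity-period cache described in step 410, as an added Python example that is not part of the patent text. The class and function names, the policy fields and the sample policy are assumptions; the three result values follow the response message that the DPIEF returns to the PCEF (allow, redirect, replace keyword), and the upstream/downstream handling follows the example mechanism given in the text.

```python
import re
import time
from dataclasses import dataclass

ALLOW, REDIRECT, REPLACE = "allow", "redirect", "replace keyword"


@dataclass
class UserDpiPolicy:
    restricted_hosts: frozenset   # hosts this user may not access
    keywords: dict                # restricted keyword -> replacement text
    redirect_url: str
    expires_at: float             # end of the validity period (epoch seconds)


class PolicyCache:
    """DPIEF-side cache: a policy request is sent only when no unexpired policy is held."""

    def __init__(self, request_policy, clock=time.time):
        self._request_policy = request_policy    # callable(user_id, now) -> UserDpiPolicy
        self._clock = clock
        self._policies = {}
        self.requests_sent = 0

    def get(self, user_id):
        now = self._clock()
        policy = self._policies.get(user_id)
        if policy is None or now >= policy.expires_at:
            policy = self._request_policy(user_id, now)
            self._policies[user_id] = policy
            self.requests_sent += 1
        return policy


def filter_upstream(policy, host, payload):
    """Upstream: a restricted host or keyword is not sent on; the user is redirected."""
    lowered = payload.lower()
    if host.lower() in policy.restricted_hosts:
        return REDIRECT, policy.redirect_url, None
    if any(k and k.lower() in lowered for k in policy.keywords):
        return REDIRECT, policy.redirect_url, None
    return ALLOW, None, payload


def filter_downstream(policy, payload):
    """Downstream: designated keywords are replaced before the data reaches the user."""
    filtered = payload
    for keyword, replacement in policy.keywords.items():
        if keyword:
            # The lambda keeps the replacement literal (no backslash processing).
            filtered = re.sub(re.escape(keyword), lambda _m, r=replacement: r,
                              filtered, flags=re.IGNORECASE)
    if filtered != payload:
        return REPLACE, None, filtered
    return ALLOW, None, payload


def sample_dpirf(user_id, now):
    """Constructed policy with a one-day validity period; stands in for the DPIRF."""
    return UserDpiPolicy(
        restricted_hosts=frozenset({"blocked.example"}),
        keywords={"casino": "******"},
        redirect_url="http://portal.example/restricted",
        expires_at=now + 86400,
    )
```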
Fig. 5 is a schematic structural diagram of the first embodiment of the deep packet inspection rules function entity of the present invention. As shown in Fig. 5, the deep packet inspection rules function entity can include:
A user policy determination module 51, configured to determine, according to the information of the user who sends upstream data, the user deep packet inspection filtering policy corresponding to that information;
A user policy sending module 52, configured to send the user deep packet inspection filtering policy to the deep packet inspection execution function entity, so that the deep packet inspection execution function entity performs user deep packet inspection content identification on the upstream data according to the policy and filters the content in the upstream data that the user is restricted from accessing.
Specifically, the deep packet inspection rules function entity (DPIRF) can be deployed standalone or in DPI equipment, or can be co-deployed with the policy and charging rules function entity (PCRF). After the DPIRF obtains the information of the user who sends upstream data from the user subscription database (SPR), or after the PCRF obtains the user's information from the SPR and sends it to the DPIRF, the user policy determination module 51 can determine, according to that information, the corresponding user deep packet inspection (DPI) filtering policy. The user policy sending module 52 then sends this user DPI filtering policy to the deep packet inspection execution function entity (DPIEF), and the DPIEF can perform user DPI content identification on the upstream data according to the policy and filter the content in the upstream data that this user is restricted from accessing. The DPIEF can then send the filtered upstream data, through the policy and charging enforcement function entity (PCEF) on the gateway device, to the Internet server at the web address requested by the user; if downstream data returned by the Internet server is received, it is filtered according to the user DPI filtering policy and then returned to the user.
In this embodiment, after the DPIRF or the PCRF obtains the user's information from the SPR, the user policy determination module of the DPIRF can determine a corresponding user DPI filtering policy for each user according to that user's information, and the user policy sending module can send this policy to the DPIEF. The DPIEF can then identify and filter the content of this user's data according to the policy determined by the DPIRF. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so the needs of different user groups can be met and content filtering becomes more accurate and fine-grained.
Fig. 6 is a schematic structural diagram of the second embodiment of the deep packet inspection rules function entity of the present invention. As shown in Fig. 6, on the basis of the first embodiment, the deep packet inspection rules function entity can further include a user information request module 53 or a user information receiving module 54.
The user information request module 53 is configured to, if a user deep packet inspection filtering policy request is received, send a user information request to the user subscription database, the request being used to obtain the information of the user who sends upstream data, and to receive the user's information returned by the user subscription database;
The user information receiving module 54 is configured to receive the user's information that the policy and charging rules function entity obtains from the user subscription database.
Further, the deep packet inspection rules function entity can also include:
A validity period setting module 55, configured to set the validity period of the user deep packet inspection filtering policy; the validity period is carried when the policy is sent to the deep packet inspection execution function entity.
Specifically, when the DPIRF is deployed standalone or in DPI equipment, after the DPIRF receives the user DPI filtering policy request sent by the PCEF on the gateway device, the user information request module 53 can send a user information request to the user subscription database to obtain the information of the user who sends upstream data, and receive the user's information that the database returns. When the DPIRF and the PCRF are co-deployed, the PCRF can obtain the user's information from the user subscription database, and the user information receiving module 54 of the DPIRF then receives the information sent by the PCRF. The user policy determination module 51 can determine, according to the information of the user who sends upstream data, the corresponding user DPI filtering policy; the validity period setting module 55 can set the validity period of this policy; the user policy sending module 52 then sends the policy to the DPIEF. Within the validity period of the user DPI filtering policy, the DPIEF can perform user DPI content identification on the upstream data according to the policy and filter the content in the upstream data that this user is restricted from accessing. The DPIEF can then send the filtered upstream data, through the PCEF on the gateway device, to the Internet server at the web address requested by the user; if downstream data returned by the Internet server is received, it is filtered according to the user DPI filtering policy and then returned to the user.
In this embodiment, after the user information request module or the user information receiving module of the DPIRF obtains the user's information, the user policy determination module can determine a corresponding user DPI filtering policy for each user according to that user's information, the validity period setting module can set the validity period of the policy, and the user policy sending module can send the policy and its validity period to the DPIEF. The DPIEF can then identify and filter the content of this user's data according to the policy determined by the DPIRF. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so the needs of different user groups can be met and content filtering becomes more accurate and fine-grained.
Fig. 7 is a schematic structural diagram of the first embodiment of the deep packet inspection execution function entity of the present invention. As shown in Fig. 7, the deep packet inspection execution function entity can include a user policy acquisition module 71 and a filtering module 72.
The user policy acquisition module 71 is configured to obtain the user deep packet inspection filtering policy that the deep packet inspection rules function entity determines according to the information of the user who sends upstream data;
The filtering module 72 is configured to perform deep packet inspection content identification on the upstream data according to the user deep packet inspection filtering policy and to filter the content in the upstream data that the user is restricted from accessing.
Specifically, the deep packet inspection execution function entity (DPIEF) can be deployed standalone or in DPI equipment, or can be co-deployed with the policy and charging enforcement function entity (PCEF). After the user policy acquisition module 71 of the DPIEF receives the user deep packet inspection (DPI) filtering policy that the DPIRF determines according to the information of the user who sends upstream data, the filtering module 72 performs DPI content identification on the upstream data according to this policy and filters the content in the upstream data that this user is restricted from accessing. The upstream data is sent through the gateway device to the Internet server at the web address requested by the user; if downstream data returned by the Internet server is received, it is filtered according to the user DPI filtering policy and then returned to the user.
In this embodiment, the user policy acquisition module of the DPIEF can obtain the user DPI filtering policy that the DPIRF determines according to the user's information, and the filtering module identifies and filters the content of this user's data. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so the needs of different user groups can be met and content filtering becomes more accurate and fine-grained.
Fig. 8 is a schematic structural diagram of the second embodiment of the deep packet inspection execution function entity of the present invention. As shown in Fig. 8, on the basis of the first embodiment, the filtering module 72 of the deep packet inspection execution function entity includes a judging submodule 721, an upstream data submodule 722 and a return submodule 723.
The judging submodule 721 is configured to judge, according to the user deep packet inspection filtering policy, whether access to the web address requested by the user in the upstream data is allowed;
The upstream data submodule 722 is configured to, if access to the web address requested by the user in the upstream data is allowed, send the upstream data through the policy and charging enforcement function entity to the Internet server to which the requested web address belongs;
The return submodule 723 is configured to, if access to the web address requested by the user in the upstream data is not allowed, return to the user, through the policy and charging enforcement function entity, the redirect web address or the upstream data with the designated keywords replaced.
Further, the filtering module 72 can also include a downstream data submodule 724, configured to receive, through the policy and charging enforcement function entity, the user's downstream data returned by the Internet server; to perform user deep packet inspection content identification on the downstream data according to the user deep packet inspection filtering policy; and, after filtering the content in the downstream data that the user is restricted from accessing, to send the downstream data to the user through the policy and charging enforcement function entity.
In addition, the deep packet inspection execution function entity can also include a policy request receiving module 73, a public policy analysis module 74 and a user policy request module 75.
The policy request receiving module 73 is configured to receive the user deep packet inspection filtering policy request sent by the policy and charging enforcement function entity after that entity has received the upstream data sent by a user who has passed authentication and authorization;
The public policy analysis module 74 is configured to perform public deep packet inspection filtering policy analysis on the upstream data and judge whether the upstream data is permitted by the public deep packet inspection filtering policy;
The user policy request module 75 is configured to, if the upstream data is permitted by the public deep packet inspection filtering policy, send a user deep packet inspection filtering policy request to the deep packet inspection rules function entity, the request carrying the user's information.
Specifically, after the PCEF on the gateway device receives the upstream data sent by a user who has passed authentication and authorization, the policy request receiving module 73 can receive the user DPI filtering policy request sent by this PCEF. The public policy analysis module 74 performs public DPI filtering policy analysis on the upstream data and judges whether the upstream data is permitted by the public DPI filtering policy. If it is, the user policy request module 75 sends to the DPIRF a user DPI filtering policy request carrying the user's information; after the DPIRF has processed the request, it returns the determined user DPI filtering policy to the DPIEF. After the user policy acquisition module 71 receives the user DPI filtering policy that the DPIRF determined according to the information of the user who sends upstream data, the judging submodule 721 of the filtering module 72 judges, according to the policy, whether access to the web address requested by the user in the upstream data is allowed. If so, the upstream data submodule 722 sends the upstream data, through the PCEF of the gateway device, to the Internet server to which the requested web address belongs; otherwise, the return submodule 723 returns to the user, through the PCEF, the redirect web address or the upstream data with the designated keywords replaced. If the upstream data submodule 722 has sent the upstream data through the PCEF of the gateway device to the Internet server to which the requested web address belongs, the downstream data submodule 724 can receive from the PCEF the user's downstream data returned by the Internet server, perform user DPI content identification on the downstream data according to the user DPI filtering policy, and filter the content in the downstream data that the user is restricted from accessing. The upstream data is sent by the PCEF to the Internet server at the web address requested by the user; if downstream data returned by the Internet server is received, it is filtered according to the user DPI filtering policy and then returned to the user.
In this embodiment, the user policy acquisition module of the DPIEF can obtain the user DPI filtering policy that the DPIRF determines according to the user's information, and the submodules of the filtering module identify and filter the content of this user's data. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so the needs of different user groups can be met and content filtering becomes more accurate and fine-grained.
Fig. 9 is a schematic structural diagram of an embodiment of the deep packet inspection filtering system of the present invention. As shown in Fig. 9, the deep packet inspection filtering system can include a deep packet inspection rules function entity 91 and a deep packet inspection execution function entity 92;
The deep packet inspection rules function entity 91 can include:
A user policy determination module, configured to determine, according to the information of the user who sends upstream data, the user deep packet inspection filtering policy corresponding to that information;
A user policy sending module, configured to send the user deep packet inspection filtering policy to the deep packet inspection execution function entity, so that the deep packet inspection execution function entity performs user deep packet inspection content identification on the upstream data according to the policy and filters the content in the upstream data that the user is restricted from accessing;
The deep packet inspection execution function entity 92 can include:
A user policy acquisition module, configured to obtain the user deep packet inspection filtering policy that the deep packet inspection rules function entity determines according to the information of the user who sends upstream data;
A filtering module, configured to perform deep packet inspection content identification on the upstream data according to the user deep packet inspection filtering policy and to filter the content in the upstream data that the user is restricted from accessing.
Specifically, for the concrete structure of the deep packet inspection rules function entity 91 and the deep packet inspection execution function entity 92, refer to the descriptions in the embodiments above. The deep packet inspection rules function entity 91 can be deployed standalone or in DPI equipment, or can be co-deployed with the policy and charging rules function entity 94; the deep packet inspection execution function entity 92 can be deployed standalone or in DPI equipment, or can be co-deployed with the policy and charging enforcement function entity 93.
When the deep packet inspection rules function entity 91 and the deep packet inspection execution function entity 92 are deployed standalone or in DPI equipment, the deep packet inspection rules function entity 91 can receive the user DPI filtering policy request sent by the gateway device, then send a user information request to the user subscription database to obtain the information of the user who sends upstream data, receive the user's information that the database returns, determine the corresponding user DPI filtering policy according to that information, and send this policy to the deep packet inspection execution function entity 92. The deep packet inspection execution function entity 92 can perform user DPI content identification on the upstream data according to this policy and filter the content in the upstream data that this user is restricted from accessing.
Further, the deep packet inspection filtering system can also include:
A policy and charging enforcement function entity 93, configured to, after receiving the upstream data sent by a user who has passed authentication and authorization, send a user deep packet inspection filtering policy request to the policy and charging rules function entity 94 or to the deep packet inspection execution function entity 92;
A policy and charging rules function entity 94, configured to, after receiving the user deep packet inspection filtering policy request sent by the policy and charging enforcement function entity 93, perform public deep packet inspection filtering policy analysis on the upstream data and judge whether the upstream data is permitted by the public deep packet inspection filtering policy; if so, it sends a user deep packet inspection filtering policy request to the deep packet inspection rules function entity 91, the request carrying the user's information.
When the deep packet inspection rules function entity 91 is co-deployed with the policy and charging rules function entity 94 and the deep packet inspection execution function entity 92 is co-deployed with the policy and charging enforcement function entity 93, the user's information can be obtained from the user subscription database and then sent by the policy and charging rules function entity 94 to the deep packet inspection rules function entity 91. The deep packet inspection rules function entity 91 can determine, according to the user's information, the corresponding user DPI filtering policy, and then sends this policy to the deep packet inspection execution function entity 92. The deep packet inspection execution function entity 92 can perform user DPI content identification on the upstream data according to this policy and filter the content in the upstream data that this user is restricted from accessing. The deep packet inspection execution function entity 92 then sends the upstream data, through the policy and charging enforcement function entity 93 on the gateway device, to the Internet server at the web address requested by the user; if downstream data returned by the Internet server is received, it is filtered according to the user DPI filtering policy and then returned to the user.
In this embodiment, the deep packet inspection rules function entity determines the user DPI filtering policy according to the user's information, and the deep packet inspection execution function entity can identify and filter the content of this user's data according to the policy so determined. The content of the DPI filtering policy can be set flexibly and has a wide range of application, so the needs of different user groups can be met and content filtering becomes more accurate and fine-grained.
A person of ordinary skill in the art will understand that all or some of the steps of the above method embodiments can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks or optical discs.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in those embodiments can still be modified, or some of their technical features can be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (15)

1. a deep-packet detection filter method, is characterized in that, comprising:
Filter n-back test entity in strategy and charging regulation function entity or deep-packet detection to carry out common depth bag to upstream data and detect and filter analysis of strategies, after judging that described upstream data allows to perform common depth bag detection filtering policy, according to the relevant information of the user of transmission upstream data, determine user's deep-packet detection filtering policy that the relevant information of described user is corresponding;
Described user's deep-packet detection filtering policy is sent to deep-packet detection n-back test entity, according to described user's deep-packet detection filtering policy, user's deep-packet detection content recognition is carried out to described upstream data by described deep-packet detection n-back test entity, filter in described upstream data the content limiting described user access.
2. The deep packet inspection filtering method according to claim 1, characterized in that the relevant information of the user comprises at least one of the user category, the user's age, the products subscribed to by the user, or the user's location information, and in that, before the determining, according to the relevant information of the user sending the upstream data, of the user deep packet inspection filtering policy corresponding to the relevant information of the user, the method comprises:
if a user deep packet inspection filtering policy request is received, sending a user information request to a user subscription database, the user information request being used to request the relevant information of the user sending the upstream data, and receiving the relevant information of the user returned by the user subscription database; or
receiving the relevant information of the user obtained by the policy and charging rules function entity from the user subscription database.
3. The deep packet inspection filtering method according to claim 1, characterized in that the sending of the user deep packet inspection filtering policy to the deep packet inspection execution function entity comprises:
after the policy and charging rules function entity has sent the user deep packet inspection filtering policy to a policy and charging enforcement function entity, and when the policy and charging enforcement function entity determines that the user deep packet inspection filtering policy is to be executed, sending, by the policy and charging enforcement function entity, the upstream data and the user deep packet inspection filtering policy to the deep packet inspection execution function entity.
4. The deep packet inspection filtering method according to claim 1, characterized by further comprising:
setting a validity period for the user deep packet inspection filtering policy, and carrying the validity period when the user deep packet inspection filtering policy is sent to the deep packet inspection execution function entity.
5. A deep packet inspection filtering method, characterized by comprising:
obtaining a user deep packet inspection filtering policy determined by a user deep packet inspection rule function entity according to relevant information of a user sending upstream data;
performing deep packet inspection content recognition on the upstream data according to the user deep packet inspection filtering policy, and filtering out of the upstream data the content that the user is restricted from accessing;
wherein the relevant information of the user comprises at least one of the user category, the user's age, the products subscribed to by the user, or the user's location information, and, before the obtaining of the user deep packet inspection filtering policy determined by the user deep packet inspection rule function entity according to the relevant information of the user sending the upstream data, the method further comprises:
after a policy and charging enforcement function entity receives the upstream data sent by the user once the user has passed authentication and authorization, receiving, by a policy and charging rules function entity or a deep packet inspection filtering execution function entity, a user deep packet inspection filtering policy request sent by the policy and charging enforcement function entity;
performing, by the policy and charging rules function entity or the deep packet inspection filtering execution function entity, common deep packet inspection filtering policy analysis on the upstream data, and determining whether execution of the common deep packet inspection filtering policy is allowed for the upstream data;
if so, sending, by the policy and charging rules function entity or the deep packet inspection filtering execution function entity, a user deep packet inspection filtering policy request to the deep packet inspection rule function entity, the user deep packet inspection filtering policy request carrying the relevant information of the user.
6. The deep packet inspection filtering method according to claim 5, characterized in that the performing of deep packet inspection content recognition on the upstream data according to the user deep packet inspection filtering policy, and the filtering out of the upstream data of the content that the user is restricted from accessing, comprise:
determining, according to the user deep packet inspection filtering policy, whether access is allowed to the network address that the user requests to access in the upstream data;
if so, sending the upstream data, through the policy and charging enforcement function entity, to the Internet server to which the network address requested by the user belongs;
otherwise, returning to the user, through the policy and charging enforcement function entity, a redirected network address or the upstream data after replacement of the specified keywords.
7. The deep packet inspection filtering method according to claim 6, characterized in that, after the upstream data has been sent through the policy and charging enforcement function entity to the Internet server to which the network address requested by the user belongs, the method comprises:
receiving, through the policy and charging enforcement function entity, the downlink data for the user returned by the Internet server;
performing user deep packet inspection content recognition on the downlink data according to the user deep packet inspection filtering policy and, after filtering out of the downlink data the content that the user is restricted from accessing, sending the downlink data to the user through the policy and charging enforcement function entity.
8. The deep packet inspection filtering method according to any one of claims 5 to 7, characterized by further comprising:
caching the user deep packet inspection filtering policy according to the validity period that has been set;
within the validity period, if upstream data or downlink data of the user is received again, performing content recognition on the upstream data or downlink data of the user according to the user deep packet inspection filtering policy, and filtering out of the upstream data or the downlink data the content that the user is restricted from accessing.
9. A deep packet inspection rule function entity, characterized by comprising:
a user policy determination module, configured to determine, after a policy and charging rules function entity or a deep packet inspection filtering execution function entity has performed common deep packet inspection filtering policy analysis on upstream data and has determined that execution of the common deep packet inspection filtering policy is allowed for the upstream data, and according to relevant information of the user sending the upstream data, the user deep packet inspection filtering policy corresponding to the relevant information of the user;
a user policy sending module, configured to send the user deep packet inspection filtering policy to a deep packet inspection execution function entity, so that the deep packet inspection execution function entity performs user deep packet inspection content recognition on the upstream data according to the user deep packet inspection filtering policy and filters out of the upstream data the content that the user is restricted from accessing.
10. The deep packet inspection rule function entity according to claim 9, characterized by further comprising:
a user information request module, configured to, if a user deep packet inspection filtering policy request is received, send a user information request to a user subscription database, the user information request being used to request the relevant information of the user sending the upstream data, and to receive the relevant information of the user returned by the user subscription database; or
a user information receiving module, configured to receive the relevant information of the user obtained by the policy and charging rules function entity from the user subscription database.
11. The deep packet inspection rule function entity according to claim 9 or 10, characterized by further comprising:
a validity period setting module, configured to set a validity period for the user deep packet inspection filtering policy, the validity period being carried when the user deep packet inspection filtering policy is sent to the deep packet inspection execution function entity.
12. A deep packet inspection execution function entity, characterized by comprising:
a user policy obtaining module, configured to obtain a user deep packet inspection filtering policy determined by a user deep packet inspection rule function entity according to relevant information of a user sending upstream data;
a filtering module, configured to perform deep packet inspection content recognition on the upstream data according to the user deep packet inspection filtering policy, and to filter out of the upstream data the content that the user is restricted from accessing;
a policy request receiving module, configured to receive, after a policy and charging enforcement function entity receives the upstream data sent by the user once the user has passed authentication and authorization, a user deep packet inspection filtering policy request sent by the policy and charging enforcement function entity;
a common policy analysis module, configured to perform common deep packet inspection filtering policy analysis on the upstream data and to determine whether execution of the common deep packet inspection filtering policy is allowed for the upstream data;
a user policy request module, configured to, if execution of the common deep packet inspection filtering policy is allowed, send a user deep packet inspection filtering policy request to the deep packet inspection rule function entity, the user deep packet inspection filtering policy request carrying the relevant information of the user.
13. The deep packet inspection execution function entity according to claim 12, characterized in that the filtering module comprises:
a determination submodule, configured to determine, according to the user deep packet inspection filtering policy, whether access is allowed to the network address that the user requests to access in the upstream data;
an upstream data submodule, configured to, if access is allowed to the network address that the user requests to access in the upstream data, send the upstream data, through the policy and charging enforcement function entity, to the Internet server to which the network address requested by the user belongs;
a return submodule, configured to, if access is not allowed to the network address that the user requests to access in the upstream data, return to the user, through the policy and charging enforcement function entity, a redirected network address or the upstream data after replacement of the specified keywords.
14. The deep packet inspection execution function entity according to claim 13, characterized in that the filtering module further comprises:
a downlink data submodule, configured to receive, through the policy and charging enforcement function entity, the downlink data for the user returned by the Internet server; and to perform user deep packet inspection content recognition on the downlink data according to the user deep packet inspection filtering policy and, after filtering out of the downlink data the content that the user is restricted from accessing, send the downlink data to the user through the policy and charging enforcement function entity.
15. A deep packet inspection filtering system, characterized by comprising a deep packet inspection rule function entity and a deep packet inspection execution function entity;
the deep packet inspection rule function entity comprising:
a user policy determination module, configured to determine, according to relevant information of a user sending upstream data, the user deep packet inspection filtering policy corresponding to the relevant information of the user;
a user policy sending module, configured to send the user deep packet inspection filtering policy to the deep packet inspection execution function entity, so that the deep packet inspection execution function entity performs user deep packet inspection content recognition on the upstream data according to the user deep packet inspection filtering policy and filters out of the upstream data the content that the user is restricted from accessing;
the deep packet inspection execution function entity comprising:
a user policy obtaining module, configured to obtain the user deep packet inspection filtering policy determined by the user deep packet inspection rule function entity according to the relevant information of the user sending the upstream data;
a filtering module, configured to perform deep packet inspection content recognition on the upstream data according to the user deep packet inspection filtering policy, and to filter out of the upstream data the content that the user is restricted from accessing;
a policy and charging enforcement function entity, connected to the deep packet inspection execution function entity and configured to send, after receiving the upstream data sent by the user once the user has passed authentication and authorization, a user deep packet inspection filtering policy request to a policy and charging rules function entity or to the deep packet inspection execution function entity;
the policy and charging rules function entity, connected to the deep packet inspection executing rule entity and configured to perform, after receiving the user deep packet inspection filtering policy request sent by the policy and charging enforcement function entity, common deep packet inspection filtering policy analysis on the upstream data; and to determine whether execution of the common deep packet inspection filtering policy is allowed for the upstream data and, if so, send a user deep packet inspection filtering policy request to the deep packet inspection rule function entity, the user deep packet inspection filtering policy request carrying the relevant information of the user.
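The two-stage decision described in claims 1, 4, 6 and 8 can be sketched as follows. This is an added example, not code from the patent: the host names, categories, age rule, product name, redirect address and the fail-closed handling of unknown users are all constructed assumptions, and the claims do not say what happens to traffic that fails the common policy.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample data; none of these hosts, categories or rules come from the patent.
COMMON_BLOCKED_HOSTS = {"malware.example"}   # common policy, same for every user
HOST_CATEGORY = {"games.example": "games", "casino.example": "gambling"}
REDIRECT_URL = "http://portal.example/blocked"

@dataclass(frozen=True)
class UserInfo:
    """Relevant information of the user, as listed in claim 2."""
    category: str
    age: int
    products: frozenset
    location: str

@dataclass(frozen=True)
class UserPolicy:
    blocked_categories: frozenset
    expires_at: float        # validity period carried with the policy (claim 4)

def determine_user_policy(info, now, validity=300.0):
    """Rule function side: derive the per-user policy from the user information."""
    blocked = set()
    if info.age < 18:                        # hypothetical age rule
        blocked |= {"gambling", "games"}
    if "safe-browsing" in info.products:     # hypothetical subscribed product
        blocked.add("gambling")
    return UserPolicy(frozenset(blocked), now + validity)

class DpiExecutionFunction:
    """Execution function side: caches policies and filters upstream requests."""

    def __init__(self, subscription_db, clock=time.monotonic):
        self.subscription_db = subscription_db
        self.clock = clock
        self.cache = {}
        self.policy_requests = 0   # how often the rule function was consulted

    def _policy_for(self, user_id):
        now = self.clock()
        policy = self.cache.get(user_id)
        if policy is None or policy.expires_at <= now:   # missing or expired
            self.policy_requests += 1
            policy = determine_user_policy(self.subscription_db[user_id], now)
            self.cache[user_id] = policy
        return policy

    def filter_upstream(self, user_id, url):
        host = urlsplit(url).hostname or ""
        # Stage 1: common policy. Rejecting here with a redirect is an assumption.
        if host in COMMON_BLOCKED_HOSTS:
            return ("redirect", REDIRECT_URL)
        # No subscription record: fail closed (assumption, not stated in the claims).
        if user_id not in self.subscription_db:
            return ("redirect", REDIRECT_URL)
        # Stage 2: user policy, requested only after the common check passes.
        policy = self._policy_for(user_id)
        if HOST_CATEGORY.get(host) in policy.blocked_categories:
            return ("redirect", REDIRECT_URL)
        return ("forward", url)
```

Because the cached policy is reused until its validity period ends, a change to the subscriber record takes effect only after expiry, so the validity period bounds how stale an enforcement decision can be.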

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010253510.1A CN102142925B (en) 2010-08-12 2010-08-12 Method, equipment and system for filtering deep packet inspection

Publications (2)

Publication Number Publication Date
CN102142925A CN102142925A (en) 2011-08-03
CN102142925B CN102142925B (en) 2015-01-07

Family

ID=44410180

Country Status (1)

Country Link
CN (1) CN102142925B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103888307B (en) * 2012-12-20 2017-11-17 中国电信股份有限公司 For optimizing method, user side board and the broad access network gate of deep-packet detection
CN104468253B (en) 2013-09-23 2019-07-12 中兴通讯股份有限公司 A kind of deep-packet detection control method and device
CN105354234B (en) * 2015-10-09 2018-10-09 武汉烽火网络有限责任公司 The real-time big data system of network based on deep-packet detection and big data analysis method
CN107493203A (en) * 2016-06-12 2017-12-19 中兴通讯股份有限公司 DPI rules delivery method and device
CN113923207A (en) * 2021-09-28 2022-01-11 广东女子职业技术学院 Computer network monitoring method and terminal

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1937623A (en) * 2006-10-18 2007-03-28 华为技术有限公司 Method and system for controlling network business
CN101399749A (en) * 2007-09-27 2009-04-01 华为技术有限公司 Method, system and device for packet filtering
CN101720111A (en) * 2009-02-03 2010-06-02 中兴通讯股份有限公司 Method and device for issuing deep packet inspection technical strategy

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101599895B (en) * 2008-06-04 2012-07-04 华为技术有限公司 Data processing method, wideband network gateway, strategy controller device and accessing node equipment

Also Published As

Publication number Publication date
CN102142925A (en) 2011-08-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant