CN102523139A - High-speed network protocol deep detection device and detection method - Google Patents
High-speed network protocol deep detection device and detection method Download PDFInfo
- Publication number
- CN102523139A CN102523139A CN2012100029157A CN201210002915A CN102523139A CN 102523139 A CN102523139 A CN 102523139A CN 2012100029157 A CN2012100029157 A CN 2012100029157A CN 201210002915 A CN201210002915 A CN 201210002915A CN 102523139 A CN102523139 A CN 102523139A
- Authority
- CN
- China
- Prior art keywords
- message flow
- regular expression
- processing
- control unit
- unit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a high-speed network protocol deep detection device, which comprises a management unit, a control unit and a forwarding analysis processing unit, wherein the management unit sets various protocol processing rules and processing strategies, transmits the protocol processing rules and the processing strategies to the control unit, and simultaneously receives information fed back by the control unit; the control unit receives the protocol processing rules and the processing strategies from the management unit, converts the protocol processing rules and the processing strategies into forwarding analysis processing rules, transmits the forwarding analysis processing rules to the forwarding analysis processing unit, and simultaneously monitors the real-time information transmission of the forwarding analysis processing unit to the control unit; and the forwarding analysis processing unit processes an input message flow according to the forwarding analysis processing rules, and outputs the processed message flow. By the high-speed network protocol deep detection device and a high-speed network protocol deep detection method, a complex deterministic finite automaton (DFA) construction process can be well avoided, a memory space is saved, and performance is improved by fully utilizing the line-speed processing capability of a specific chip and a hardware pipelining technology.
Description
Technical field
The present invention relates to procotol identification field, relate in particular to a kind of express network protocol depth checkout gear and detection method.
Background technology
In the Internet environment of current high-speed high capacity, content safety is the important component part of network security.For network management, most important is exactly identification and differentiation network traffics, can carry out flow control, network billing, information filtering and traffic management to network through agreement identification.
What traditional agreement identification was adopted is port identification; This identification can reach higher speed, but the number of applications layer protocol is for fear of identification now, escapes the inspection of fire compartment wall; Do not use fixed port to communicate. this not only comprises numerous emerging in recent years P2P agreements; And comprised increasing legacy protocol, such as P2P agreements such as BitTorrent, eMule, it adopts dynamic port to communicate; Then shared 80 ports of agreement such as Skype, QQ.The generation of more and more agreements like that makes port identification incompetent unable, and therefore a lot of in recent years research work all is devoted to develop new method and is come the recognition application layer protocol.
Summary of the invention
To the problems referred to above; The object of the present invention is to provide a kind of express network protocol depth checkout gear and detection method; Avoid complicated DFA building process preferably, saved memory space, the linear speed disposal ability and the hardware pipeline technology that make full use of chip have improved performance.
For achieving the above object, a kind of express network protocol depth checkout gear according to the invention comprises administrative unit, control unit and transmits analysis and processing unit, wherein;
Administrative unit is provided with variety of protocol processing rule and processing policy and is sent to control unit; Receive the information that control unit feeds back to simultaneously;
Protocol processes rule and the processing policy that control unit, receiving management unit transmit also is converted into and transmits the analyzing and processing rule and be sent to the forwarding analysis and processing unit; The real time information that analysis and processing unit is transmitted in monitoring simultaneously is sent to control unit;
Transmit analysis and processing unit, according to the message flow of transmitting the input of analyzing and processing rule treatments, and the message flow after the output processing.
Preferably, said forwarding analysis and processing unit comprises accurate matching module, regular expression matching module and forwarding decision module, wherein;
Accurately matching module carries out accurate matching treatment to the message flow of importing, and the successful message flow of coupling directly is sent to the forwarding decision module;
The regular expression matching module carries out matching treatment to accurately not mating successful message flow, and the successful message flow of coupling is sent to the forwarding decision module;
The forwarding decision module carries out exporting after forwarding decision is handled to mating successful message flow.
Preferably, said regular expression matching module comprises that buffer memory confirms type finite automata, configuration information memory cell, regular expression match information memory cell and process control module, wherein;
Buffer memory is confirmed the type finite automata, carries out the string matching processing and is sent to the configuration information memory cell accurately not mating successful message flow;
Regular expression match information memory cell, storage regular expression match information;
The configuration information memory cell; Message flow after the store character string matching treatment; And mutual with regular expression match information memory cell, by the regular expression match information message flow is carried out the regular expression coupling, and the message flow after will handling is sent to process control module;
Process control module receives the flow process control command that control unit sends, with the message flow output after handling.
Preferably, the information in the said regular expression match information memory cell is write by control unit.
For achieving the above object, a kind of detection method according to the invention may further comprise the steps:
Message flow to input carries out the accurate coupling that combines with mask based on tagged word;
Judge whether to carry out the regular expression coupling according to accurate matching result:
If accurately mate successfully, then directly carry out forwarding decision and handle.
Otherwise, then carry out the regular expression coupling, carry out forwarding decision then and handle.
Beneficial effect of the present invention is:
The present invention provides a kind of express network protocol depth checkout gear and detection method, can avoid complicated DFA building process preferably, has saved memory space, and makes full use of the linear speed disposal ability and the hardware pipeline technology raising performance of certain chip.
Description of drawings
Fig. 1 is the structure chart of the said express network protocol depth of embodiment of the invention checkout gear;
Fig. 2 is the structure distribution figure of the said forwarding analysis and processing unit of embodiment;
Fig. 3 be the said regular expression matching module of embodiment structure and with the graph of a relation of control unit.
Embodiment
Below in conjunction with Figure of description the present invention is done further description.
As shown in Figure 1, the said a kind of express network protocol depth checkout gear of the embodiment of the invention comprises administrative unit, control unit and transmits analysis and processing unit, wherein;
Administrative unit offers the network management personnel and uses telnet, web, and ssh, snmp, modes such as cli are come management equipment, variety of protocol processing rule and processing policy are set and are sent to control unit; Receive the information that control unit feeds back to simultaneously;
Control unit; Protocol processes rule and the processing policy that the receiving management unit transmits also is converted into and transmits the analyzing and processing rule and be sent to the forwarding analysis and processing unit, that is: control unit is used for the strategy that the analysis management unit issues, after analyzing; Be converted into the rule of transmitting analysis and processing unit; Be written to and transmit in the analysis and processing unit Hardware Forwarding Engine, the Rule Information that provides the Forwarding plane message to handle has been realized the control to transmitting; The real time information that analysis and processing unit is transmitted in monitoring simultaneously is sent to control unit;
Transmit analysis and processing unit, according to the message flow of transmitting the input of analyzing and processing rule treatments, and the message flow after the output processing.The effect of transmitting analysis and processing unit is according to the rule of setting, and handles the message flow of input, and process result is different according to security strategy, comprises exporting transmitting, and alarm directly abandons etc.
This device is transmitted analysis and processing unit through adopting; Control unit; The design that administrative unit is separated; Guaranteed that the protocal analysis task of consumes resources does not influence the management of device, operations such as the O&M of administration module and upgrading can not influence the analyzing and processing of message yet, have guaranteed the stability of a system of device.
Be illustrated in figure 2 as the structure distribution figure that transmits analysis and processing unit.Said forwarding analysis and processing unit comprises accurate matching module, regular expression matching module and forwarding decision module, wherein;
Accurately matching module carries out accurate matching treatment to the message flow of importing, and the successful message flow of coupling directly is sent to the forwarding decision module;
The regular expression matching module carries out matching treatment to accurately not mating successful message flow, and the successful message flow of coupling is sent to the forwarding decision module;
The forwarding decision module carries out exporting after forwarding decision is handled to mating successful message flow.
In the process of implementation, earlier the message flow to input carries out accurate matching treatment, if mate successfully then skip the regular expression matching module, directly carries out the forwarding decision processing; Otherwise then carry out the regular expression matching treatment, carry out forwarding decision then and handle.Because of accurate matching module can directly adopt the ACL chip of can surface speed forwarding handling, guaranteed the high-performance of transmitting.Accurately the control on the controlled plane of matching module promptly can be opened also and can be closed, and control plane need issue the tagged word and the mask information of coupling during unlatching.
Be illustrated in figure 3 as the regular expression matching module structure and with the graph of a relation of control unit.Said regular expression matching module comprises that buffer memory confirms type finite automata, configuration information memory cell, regular expression match information memory cell and process control module, wherein;
Buffer memory is confirmed the type finite automata, carries out the string matching processing and is sent to the configuration information memory cell accurately not mating successful message flow;
Regular expression match information memory cell, storage regular expression match information;
The configuration information memory cell; Message flow after the store character string matching treatment; And mutual with regular expression match information memory cell, by the regular expression match information message flow is carried out the regular expression coupling, and the message flow after will handling is sent to process control module;
Process control module receives the flow process control command that control unit sends, with the message flow output after handling.
Regular expression (Regular Expression) has been described a kind of pattern of string matching, can be used for checking whether a string contains certain substring, the substring of coupling is done replacement or from certain string, taken out the substring that meets certain condition etc.
The mode of identification regular expression commonly used is to use FSM (finite automata), and two types FSM is arranged: deterministic finite automaton (DFA) and non deterministic finite automaton (NFA).DFA only produces a state transitions to each input, and NFA possibly produce a plurality of state transitions to each input.The characteristics of NFA are that to take memory space little, but in matching process, whenever read in a character, all will upgrade whole states of its maintenance; Avoiding Lou coupling, and the general only corresponding regular expression of NFA, therefore for supporting the multiple regular expression coupling; Need to make up the concurrent work of a plurality of NFA, descend rapidly with the growth performance of scale, but require handling capacity strong because deep message detects; Therefore, great majority research is based on DFA but not NFA.
In summary, the main separated into two parts of regular expression matching module, first is that buffer memory is confirmed the type finite automata, is used for character string and accurately matees, second portion is a regular expression coupling operating part.These two parts need collaborative work, so the character string memory block is absolutely necessary, do not mark among the figure.The input data flow into from left end, and the string matching structure is read in data and judged whether and matees, and output matched character string number is sent into regular expression with the input data and mated operating part, export regular expression matched number at last.Information in the said regular expression match information memory cell is write by control unit.
For achieving the above object, a kind of detection method according to the invention may further comprise the steps:
Message flow to input carries out the accurate coupling that combines with mask based on tagged word;
Judge whether to carry out the regular expression coupling according to accurate matching result:
If accurately mate successfully, then directly carry out forwarding decision and handle.
Otherwise, then carry out the regular expression coupling, carry out forwarding decision then and handle.
More than; Be merely preferred embodiment of the present invention, but protection scope of the present invention is not limited thereto, any technical staff who is familiar with the present technique field is in the technical scope that the present invention discloses; The variation that can expect easily or replacement all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection range that claim was defined.
Claims (5)
1. an express network protocol depth checkout gear is characterized in that, comprises administrative unit, control unit and transmits analysis and processing unit, wherein;
Administrative unit is provided with variety of protocol processing rule and processing policy and is sent to control unit; Receive the information that control unit feeds back to simultaneously;
Protocol processes rule and the processing policy that control unit, receiving management unit transmit also is converted into and transmits the analyzing and processing rule and be sent to the forwarding analysis and processing unit; The real time information that analysis and processing unit is transmitted in monitoring simultaneously is sent to control unit;
Transmit analysis and processing unit, according to the message flow of transmitting the input of analyzing and processing rule treatments, and the message flow after the output processing.
2. express network protocol depth checkout gear according to claim 1 is characterized in that said forwarding analysis and processing unit comprises accurate matching module, regular expression matching module and forwarding decision module, wherein;
Accurately matching module carries out accurate matching treatment to the message flow of importing, and the successful message flow of coupling directly is sent to the forwarding decision module;
The regular expression matching module carries out matching treatment to accurately not mating successful message flow, and the successful message flow of coupling is sent to the forwarding decision module;
The forwarding decision module carries out exporting after forwarding decision is handled to mating successful message flow.
3. express network protocol depth checkout gear according to claim 2; It is characterized in that; Said regular expression matching module comprises that buffer memory confirms type finite automata, configuration information memory cell, regular expression match information memory cell and process control module, wherein;
Buffer memory is confirmed the type finite automata, carries out the string matching processing and is sent to the configuration information memory cell accurately not mating successful message flow;
Regular expression match information memory cell, storage regular expression match information;
The configuration information memory cell; Message flow after the store character string matching treatment; And mutual with regular expression match information memory cell, by the regular expression match information message flow is carried out the regular expression coupling, and the message flow after will handling is sent to process control module;
Process control module receives the flow process control command that control unit sends, with the message flow output after handling.
4. express network protocol depth checkout gear according to claim 3 is characterized in that, the information in the said regular expression match information memory cell is write by control unit.
5. a detection method is characterized in that, may further comprise the steps:
Message flow to input carries out the accurate coupling that combines with mask based on tagged word;
Judge whether to carry out the regular expression coupling according to accurate matching result:
If accurately mate successfully, then directly carry out forwarding decision and handle.
Otherwise, then carry out the regular expression coupling, carry out forwarding decision then and handle.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210002915.7A CN102523139B (en) | 2012-01-06 | 2012-01-06 | High-speed network protocol deep detection device and detection method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210002915.7A CN102523139B (en) | 2012-01-06 | 2012-01-06 | High-speed network protocol deep detection device and detection method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102523139A true CN102523139A (en) | 2012-06-27 |
| CN102523139B CN102523139B (en) | 2015-01-14 |
Family
ID=46293938
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210002915.7A Active CN102523139B (en) | 2012-01-06 | 2012-01-06 | High-speed network protocol deep detection device and detection method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102523139B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104753931A (en) * | 2015-03-18 | 2015-07-01 | 中国人民解放军信息工程大学 | DPI (deep packet inspection) method based on regular expression |
| CN104767658A (en) * | 2015-04-17 | 2015-07-08 | 浪潮电子信息产业股份有限公司 | Method and device for online detecting message transmission errors |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101557329A (en) * | 2009-05-27 | 2009-10-14 | 杭州迪普科技有限公司 | Application layer-based data segmenting method and device thereof |
| US20100131935A1 (en) * | 2007-07-30 | 2010-05-27 | Huawei Technologies Co., Ltd. | System and method for compiling and matching regular expressions |
| WO2011011916A1 (en) * | 2009-07-29 | 2011-02-03 | 华为技术有限公司 | Regular expression matching method and system, and searching device |
| CN102082762A (en) * | 2009-11-30 | 2011-06-01 | 华为技术有限公司 | Protocol identification method and device and system for same |
-
2012
- 2012-01-06 CN CN201210002915.7A patent/CN102523139B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20100131935A1 (en) * | 2007-07-30 | 2010-05-27 | Huawei Technologies Co., Ltd. | System and method for compiling and matching regular expressions |
| CN101557329A (en) * | 2009-05-27 | 2009-10-14 | 杭州迪普科技有限公司 | Application layer-based data segmenting method and device thereof |
| WO2011011916A1 (en) * | 2009-07-29 | 2011-02-03 | 华为技术有限公司 | Regular expression matching method and system, and searching device |
| CN102082762A (en) * | 2009-11-30 | 2011-06-01 | 华为技术有限公司 | Protocol identification method and device and system for same |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104753931A (en) * | 2015-03-18 | 2015-07-01 | 中国人民解放军信息工程大学 | DPI (deep packet inspection) method based on regular expression |
| CN104753931B (en) * | 2015-03-18 | 2018-02-06 | 中国人民解放军信息工程大学 | A kind of deep message detection method based on regular expression |
| CN104767658A (en) * | 2015-04-17 | 2015-07-08 | 浪潮电子信息产业股份有限公司 | Method and device for online detecting message transmission errors |
| CN104767658B (en) * | 2015-04-17 | 2018-05-29 | 浪潮电子信息产业股份有限公司 | A kind of method and apparatus of on-line checking message transmissions mistake |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102523139B (en) | 2015-01-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104065731B (en) | A kind of ftp file Transmission system and transmission method | |
| US8891546B1 (en) | Protocol splitter | |
| CN109688069A (en) | A kind of method, apparatus, equipment and storage medium handling network flow | |
| CN104580222A (en) | DDoS attack distributed detection and response system and method based on information entropy | |
| CN105812340B (en) | A kind of method and apparatus of virtual network access outer net | |
| Zhang et al. | Security threats and measures for the cyber-physical systems | |
| Ma | Analysis of anomaly detection method for Internet of things based on deep learning | |
| CN111797371A (en) | Switch encryption system | |
| CN102707696B (en) | Multi-serial-port data transmission method and transmission center system | |
| Schuster et al. | Towards learning normality for anomaly detection in industrial control networks | |
| CN107273554A (en) | Elevator intelligent monitoring system and method | |
| CN105429950A (en) | Network flow identification system and method based on dynamic data packet sampling | |
| CN113055356A (en) | Nuclear power plant vibration data transmission system and method | |
| CN108833430B (en) | Topology protection method of software defined network | |
| CN101184089A (en) | Port and content interweaved detection based protocol identifying method | |
| CN202979014U (en) | Network isolation device | |
| CN102523139A (en) | High-speed network protocol deep detection device and detection method | |
| Roh et al. | Cyber security system with FPGA-based network intrusion detector for nuclear power plant | |
| CN104618341A (en) | Systems and methods for secute remote access | |
| CN108696390A (en) | A kind of software-defined network safety equipment and method | |
| CN102916872A (en) | Communication proxy gateway | |
| CN114553546B (en) | Message grabbing method and device based on network application | |
| CN101364895B (en) | High performance wideband Internet behavior real-time analysis and management system | |
| Wei et al. | Design of the web log analysis system based on hadoop | |
| CN106789208B (en) | A kind of network forensics facility network tube model based on the reversed through-transmission technique of UDT |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |