CN102523139B - High-speed network protocol deep detection device and detection method - Google Patents


Info

Publication number: CN102523139B
Authority: CN (China)
Application number: CN201210002915.7A
Other versions: CN102523139A (en)
Other languages: Chinese (zh)
Prior art keywords: matching, message flow, control unit, processing, regular expressions
Inventor: 刘凯
Original Assignee: 深圳市共进电子股份有限公司

Abstract

The invention discloses a high-speed network protocol deep detection device comprising a management unit, a control unit and a forwarding analysis processing unit. The management unit sets the various protocol processing rules and processing strategies, transmits them to the control unit, and at the same time receives information fed back by the control unit; the control unit receives the protocol processing rules and processing strategies from the management unit, converts them into forwarding analysis processing rules, transmits these to the forwarding analysis processing unit, and at the same time monitors the real-time information that the forwarding analysis processing unit sends back to the control unit; and the forwarding analysis processing unit processes an input message flow according to the forwarding analysis processing rules and outputs the processed message flow. With this device and the corresponding detection method, the complex construction of a deterministic finite automaton (DFA) is largely avoided, memory space is saved, and performance is improved by fully using the line-speed processing capability of a specific chip and hardware pipelining.

Description

High-speed network protocol deep detection device and detection method

Technical field

The present invention relates to the field of network protocol identification, and in particular to a high-speed network protocol deep detection device and detection method.

Background technology

In today's high-speed, high-capacity Internet environment, content security is an important component of network security. For network management, the most important task is to identify and differentiate network traffic: protocol identification makes flow control, network billing, information filtering and traffic management possible.

Traditional protocol identification is port-based. It is fast, but a large number of application-layer protocols now avoid fixed ports in order to evade identification and firewall inspection. This includes not only the many P2P protocols that have emerged in recent years but also an increasing number of legacy protocols: P2P protocols such as BitTorrent and eMule use dynamic ports, while protocols such as Skype and QQ share port 80. As more and more such protocols appear, port identification becomes useless, so much recent research has been devoted to developing new methods of identifying application-layer protocols.

Summary of the invention

In view of the above problems, the object of the present invention is to provide a high-speed network protocol deep detection device and detection method that largely avoid the complex DFA construction process, save memory space, and improve performance by fully using the line-speed processing capability of a chip and hardware pipelining.

To achieve the above object, the high-speed network protocol deep detection device of the present invention comprises a management unit, a control unit and a forwarding analysis processing unit, wherein:

the management unit sets the various protocol processing rules and processing policies and sends them to the control unit, and at the same time receives the information fed back by the control unit;

the control unit receives the protocol processing rules and processing policies sent by the management unit, converts them into forwarding analysis processing rules and sends these to the forwarding analysis processing unit, and at the same time monitors the real-time information that the forwarding analysis processing unit sends to the control unit;

the forwarding analysis processing unit processes the input message flow according to the forwarding analysis processing rules and outputs the processed message flow.

Preferably, the forwarding analysis processing unit comprises an exact matching module, a regular expression matching module and a forwarding decision module, wherein:

the exact matching module performs exact matching on the input message flow and sends successfully matched message flow directly to the forwarding decision module;

the regular expression matching module performs matching on message flow that did not match exactly and sends successfully matched message flow to the forwarding decision module;

the forwarding decision module performs forwarding decision processing on the successfully matched message flow and outputs it.

Preferably, the regular expression matching module comprises a cached deterministic finite automaton, a configuration information storage unit, a regular expression matching information storage unit and a process control module, wherein:

the cached deterministic finite automaton performs string matching on the message flow that did not match exactly and sends it to the configuration information storage unit;

the regular expression matching information storage unit stores the regular expression matching information;

the configuration information storage unit stores the message flow after string matching, interacts with the regular expression matching information storage unit to perform regular expression matching on the message flow using the regular expression matching information, and sends the processed message flow to the process control module;

the process control module receives the flow control instructions sent by the control unit and outputs the processed message flow.

Preferably, the information in the regular expression matching information storage unit is written by the control unit.

To achieve the above object, the detection method of the present invention comprises the following steps:

performing exact matching, based on a feature word combined with a mask, on the input message flow;

judging from the exact matching result whether regular expression matching is needed:

if the exact match succeeds, forwarding decision processing is performed directly;

otherwise, regular expression matching is performed first, followed by forwarding decision processing.

The beneficial effects of the present invention are:

the invention provides a high-speed network protocol deep detection device and detection method that largely avoid the complex DFA construction process, save memory space, and improve performance by fully using the line-speed processing capability of a specific chip and hardware pipelining.

Brief description of the drawings

Fig. 1 is a structural diagram of the high-speed network protocol deep detection device according to an embodiment of the present invention;

Fig. 2 is a structural diagram of the forwarding analysis processing unit according to the embodiment;

Fig. 3 shows the structure of the regular expression matching module according to the embodiment and its relationship with the control unit.

Embodiment

The present invention is further described below with reference to the drawings.

As shown in Fig. 1, the high-speed network protocol deep detection device according to an embodiment of the present invention comprises a management unit, a control unit and a forwarding analysis processing unit, wherein:

the management unit is provided to network administrators to manage the device through telnet, web, ssh, snmp, cli and similar means; it sets the various protocol processing rules and processing policies and sends them to the control unit, and at the same time receives the information fed back by the control unit;

the control unit receives the protocol processing rules and processing policies sent by the management unit, converts them into forwarding analysis processing rules and sends these to the forwarding analysis processing unit; that is, the control unit parses the policies issued by the management unit, converts them into rules for the forwarding analysis processing unit, and writes them into the hardware forwarding engine of the forwarding analysis processing unit, thereby providing the rule information for message processing on the forwarding plane and achieving control over forwarding; at the same time it monitors the real-time information that the forwarding analysis processing unit sends to the control unit;

the forwarding analysis processing unit processes the input message flow according to the forwarding analysis processing rules and outputs the processed message flow. Its role is to process the input message flow according to the configured rules; the outcome depends on the security policy and includes forwarding the output, raising an alarm, or discarding the message directly.

By separating the forwarding analysis processing unit, the control unit and the management unit, the device ensures that protocol analysis, the most resource-consuming task, does not affect the management of the device, and that operations such as maintenance and upgrading of the management module do not affect the analysis and processing of messages, which guarantees the stability of the system.

Fig. 2 shows the structure of the forwarding analysis processing unit. The forwarding analysis processing unit comprises an exact matching module, a regular expression matching module and a forwarding decision module, wherein:

the exact matching module performs exact matching on the input message flow and sends successfully matched message flow directly to the forwarding decision module;

the regular expression matching module performs matching on message flow that did not match exactly and sends successfully matched message flow to the forwarding decision module;

the forwarding decision module performs forwarding decision processing on the successfully matched message flow and outputs it.

During execution, exact matching is first performed on the input message flow. If the match succeeds, the regular expression matching module is skipped and forwarding decision processing is performed directly; otherwise regular expression matching is performed, followed by forwarding decision processing. Because the exact matching module can directly use an ACL chip capable of line-speed forwarding, high forwarding performance is guaranteed. The exact matching module is controlled by the control plane, i.e. it can be enabled or disabled; when it is enabled, the control plane must issue the feature word and mask information used for matching.

Fig. 3 shows the structure of the regular expression matching module and its relationship with the control unit. The regular expression matching module comprises a cached deterministic finite automaton, a configuration information storage unit, a regular expression matching information storage unit and a process control module, wherein:

the cached deterministic finite automaton performs string matching on the message flow that did not match exactly and sends it to the configuration information storage unit;

the regular expression matching information storage unit stores the regular expression matching information;

the configuration information storage unit stores the message flow after string matching, interacts with the regular expression matching information storage unit to perform regular expression matching on the message flow using the regular expression matching information, and sends the processed message flow to the process control module;

the process control module receives the flow control instructions sent by the control unit and outputs the processed message flow.

A regular expression describes a pattern for string matching; it can be used to check whether a string contains a certain substring, to replace the matched substring, or to extract substrings satisfying a certain condition from a string.

The usual way to recognise a regular expression is a finite state machine (FSM, finite automaton), of which there are two types: the deterministic finite automaton (DFA) and the non-deterministic finite automaton (NFA). A DFA produces only one state transition for each input, whereas an NFA may produce several. An NFA occupies little memory, but each time a character is read during matching, all of the states it maintains must be updated to avoid missing a match; moreover, an NFA generally corresponds to a single regular expression, so supporting the matching of multiple regular expressions requires building multiple NFAs that work concurrently, and performance declines rapidly as the number of expressions grows. Since deep packet inspection demands high throughput, most research is based on DFAs rather than NFAs.

In summary, the regular expression matching module is mainly divided into two parts: the first part is the cached deterministic finite automaton, used for exact string matching, and the second part is the regular expression matching execution part. The two parts must work together, so a string storage area is indispensable (not marked in the figure). Input data flows in from the left; the string matching structure reads the data and judges whether it matches, the number of the matched string is sent together with the input data to the regular expression matching execution part, and the number of the matched regular expression is finally output. The information in the regular expression matching information storage unit is written by the control unit.

To achieve the above object, the detection method of the present invention comprises the following steps:

performing exact matching, based on a feature word combined with a mask, on the input message flow;

judging from the exact matching result whether regular expression matching is needed:

if the exact match succeeds, forwarding decision processing is performed directly;

otherwise, regular expression matching is performed first, followed by forwarding decision processing.

The above is only a preferred embodiment of the present invention, but the protection scope of the present invention is not limited to it: any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be defined by the claims.
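The two-stage method above (exact matching on a feature word with a mask, regular expression matching only when it fails, then a forwarding decision), as an added Python example that is not part of the patent. Rule names, byte patterns and regular expressions are constructed for illustration, and a literal "anchor" search stands in for the cached DFA that hands a matched-string number to the regular expression execution part.

```python
import re
from dataclasses import dataclass

# Constructed sample signatures for illustration; the patent gives no concrete ones.

@dataclass(frozen=True)
class ExactRule:
    name: str
    offset: int      # byte offset of the feature word inside the message
    word: bytes      # feature word
    mask: bytes      # same length as word; 0x00 bytes are "don't care"
    action: str      # forwarding decision: "forward", "alarm" or "drop"

@dataclass(frozen=True)
class RegexRule:
    name: str
    anchor: bytes    # literal the string-matching stage must find first
    regex: re.Pattern
    action: str

EXACT_RULES = [
    # BitTorrent peer handshake: fixed 20-byte prefix, every bit compared.
    ExactRule("bittorrent-handshake", 0, b"\x13BitTorrent protocol",
              b"\xff" * 20, "drop"),
    # eDonkey-style header: protocol byte, 4 don't-care length bytes, opcode.
    ExactRule("edonkey-hello", 0, b"\xe3\x00\x00\x00\x00\x01",
              b"\xff\x00\x00\x00\x00\xff", "drop"),
]

REGEX_RULES = [
    # More specific rule first: a tracker announce carried over HTTP.
    RegexRule("bt-tracker-announce", b"announce",
              re.compile(rb"^GET /announce\?info_hash="), "alarm"),
    RegexRule("http", b"HTTP/1.",
              re.compile(rb"^(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"), "forward"),
]

def exact_match(msg, rules=EXACT_RULES):
    """Feature word + mask comparison, as an ACL/TCAM-style chip would do it."""
    for r in rules:
        window = msg[r.offset:r.offset + len(r.word)]
        if len(window) < len(r.word):
            continue
        if all((w & m) == (p & m) for w, p, m in zip(window, r.word, r.mask)):
            return r
    return None

def regex_match(msg, rules=REGEX_RULES):
    """Literal string match (the cached DFA) selects which regexes are run."""
    candidates = [r for r in rules if r.anchor in msg]   # stage 1: string numbers
    for r in candidates:                                 # stage 2: regex execution
        if r.regex.search(msg):
            return r
    return None

def forwarding_decision(rule):
    """Unmatched traffic is forwarded; matched traffic follows the rule's action."""
    return rule.action if rule is not None else "forward"

def inspect(msg):
    """Returns (stage that matched, rule name or None, forwarding decision)."""
    rule = exact_match(msg)
    if rule is not None:            # exact hit: regex module is skipped
        return ("exact", rule.name, forwarding_decision(rule))
    rule = regex_match(msg)
    stage = "regex" if rule is not None else "none"
    return (stage, rule.name if rule else None, forwarding_decision(rule))
```

Masked bytes let one ACL entry cover a whole family of headers (here the variable length field), and the anchor search keeps the regex stage from running every expression against every message.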

Claims (2)

1. A high-speed network protocol deep detection device, characterised in that it comprises a management unit, a control unit and a forwarding analysis processing unit, wherein:
the management unit sets the various protocol processing rules and processing policies and sends them to the control unit, and at the same time receives the information fed back by the control unit;
the control unit receives the protocol processing rules and processing policies sent by the management unit, converts them into forwarding analysis processing rules and sends these to the forwarding analysis processing unit, and at the same time monitors the real-time information that the forwarding analysis processing unit sends to the control unit;
the forwarding analysis processing unit processes the input message flow according to the forwarding analysis processing rules and outputs the processed message flow;
wherein the forwarding analysis processing unit comprises an exact matching module, a regular expression matching module and a forwarding decision module, wherein:
the exact matching module performs exact matching on the input message flow and sends successfully matched message flow directly to the forwarding decision module;
the regular expression matching module performs matching on message flow that did not match exactly and sends successfully matched message flow to the forwarding decision module;
the forwarding decision module performs forwarding decision processing on the successfully matched message flow and outputs it;
the regular expression matching module comprises a cached deterministic finite automaton, a configuration information storage unit, a regular expression matching information storage unit and a process control module, wherein:
the cached deterministic finite automaton performs string matching on the message flow that did not match exactly and sends it to the configuration information storage unit;
the regular expression matching information storage unit stores the regular expression matching information;
the configuration information storage unit stores the message flow after string matching, interacts with the regular expression matching information storage unit to perform regular expression matching on the message flow using the regular expression matching information, and sends the processed message flow to the process control module;
the process control module receives the flow control instructions sent by the control unit and outputs the processed message flow.
2. The high-speed network protocol deep detection device according to claim 1, characterised in that the information in the regular expression matching information storage unit is written by the control unit.
Application CN201210002915.7A, priority date 2012-01-06, filing date 2012-01-06, title: High-speed network protocol deep detection device and detection method.

Publications (2)

Publication Number Publication Date
CN102523139A (en) 2012-06-27
CN102523139B (en) 2015-01-14

Family ID: 46293938
