CN103491069A - Filtering method for network data package - Google Patents

Filtering method for network data package

Publication number: CN103491069A
Authority: CN (China)
Prior art keywords: packet, data, rule, matching, port
Legal status: Pending
Application number: CN201310398924.7A
Other languages: Chinese (zh)
Inventors: 刘庆, 沈文涛, 孙浩
Assignee: BEIJING CONNECTED INFORMATION TECHNOLOGY Co Ltd
Abstract

The invention provides a filtering method for network packets. The method comprises the steps of: (A) capturing a packet from the network; (B) performing full-protocol-stack parsing on the captured packet; (C) compressing every matching string in the matching-string set and building a DFA for pattern matching from the compressed set; (D) compressing the character strings in the packet to generate new strings and feeding the new strings into the DFA for fuzzy matching; (E) classifying the data that remain after the fuzzy-matching filter and performing exact matching according to the classification result. When a packet is inspected, an inexact (fuzzy) match is performed first so that non-attack data are filtered out, and exact matching is then performed only on the data that remain; this reduces the time spent matching non-attack data and improves efficiency. The method is intended to give effective protection against intrusions that use advanced evasion techniques (AET).

Description

Filtering method for network packets
Technical field
The present invention relates to the field of network security technology, and in particular to a filtering method for network packets.
Background technology
Network intrusion detection is one of the principal active network-security measures in use today. It identifies and responds to hostile network connections on network and computing resources, effectively supplements and improves security measures such as access control, data encryption, firewalls and anti-virus, and improves the integrity of the information-security infrastructure; it has become an indispensable link in information-system security solutions.
Advanced Evasion Techniques (AET) have quietly appeared in attack cases that have penetrated into the computer attacks of political struggles between countries (so-called cyber-force); the recent computer network failure at the Bank of Korea and the attacks suffered by The New York Times and The Wall Street Journal in the United States are enough to illustrate the situation. Clearly a qualitative change has taken place in attackers' means and capabilities; according to a Gartner report, since 2011 the capability of cyber-defence has lagged far behind the means of attack. AET is a technical problem that is a particular headache for IDS/IPS vendors; the latest IPS test methodology published by NSS Labs, "NSS_Labs_ips group test methodology v6.2", adds a separate test for AET (section 4.15), which shows the degree of attention AET now receives.
Firewalls and IPS are the core security devices in a network: a firewall usually filters data according to the port, address, protocol and so on of the data stream, and an IPS further performs deep inspection of packets. To truly understand and inspect network packets, an IPS needs a deep understanding of the protocols the data streams use. On the surface it seems that exhaustively analysing the protocol format of the data stream would be sufficient, but practice has proved otherwise. As early as 1998, Tim Newsham and Thomas Ptacek of Secure Networks published the technical paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" on how to get past an IDS/IPS. In the last two years there has also been domestic research: Xu Jinwei, a researcher at the research institute of the Headquarters of the General Staff, has published several articles on AET. The AET means in common use are of four kinds: string obfuscation, encryption and tunnelling, fragmentation, and protocol violation.
Interception of advanced-evasion attacks therefore calls for a new interception model; simple signature-database matching can no longer fully achieve the purpose of interception. The present invention therefore proposes a completely new network-packet filtering method that will greatly improve the safety coefficient of the network.
Summary of the invention
To overcome the defects of the prior art, the present invention proposes a filtering method for network packets that achieves a faster matching speed and reduces the memory occupied by DFA table entries.
To achieve the above object, the filtering method for network packets of the present invention comprises the following specific steps:
A) capture a packet from the network;
B) perform full-protocol-stack parsing on the captured packet;
C) compress each matching string in the matching-string set, and construct a DFA for pattern matching from the compressed set;
D) compress the character strings in the packet to generate new strings, and feed the new strings into the DFA for fuzzy matching;
E) classify the data that remain after the fuzzy-matching filter, then perform exact matching according to the classification result.
Further, the specific method of step B comprises:
B1) the protocol parser is initialised and the compiled regular-expression rule set is loaded;
B2) packets are read and grouped;
B3) the protocol type of the grouped packet is identified and it is judged whether the packet needs to be parsed; if not, the packet is discarded directly, otherwise packets of the same protocol type are classified together;
B4) the protocol-decoding rule corresponding to the protocol type of the data is found in the regular-expression rule set, the packet carrying the data is scanned, and the parsed information of the data is extracted from the packet according to that protocol-parsing rule.
Further, the specific steps for grouping packets comprise:
First an output-port grouping rule and a packet-distribution rule are set. The output-port grouping rule is configured by first grouping the output ports according to the service-processing type of the corresponding back-end application system, and then determining, from the processing capacity of the back-end system behind each port in a group, the proportion of the group's packet flow that each port handles. The packet-distribution rule is configured to assign packets to the groups according to IP address information or a special field. Packets are then processed: first, protocol parsing extracts the IP packet from the raw packet received from the network and, according to the configured distribution rule, assigns the data relevant to subsequent processing to an output-port group; then the address and port information of each packet assigned to a group are hashed, the hash value is reduced modulo the number of ports in that group, and the result is the sequence number of the output port for that packet within its group.
Further, configuration of the output-port groups follows these principles:
1) Output ports are grouped first according to the service requirements of the back-end processing systems, by service-processing type; when the distribution-rule attributes of one system overlap with those of several other systems, the same output port may appear in more than one group;
2) To guarantee balanced distribution of the processing load inside each group, the same output port may appear more than once in the same group, and the proportion of the group's packet flow assigned to each port is determined by the processing capacity of the back-end system behind that port;
3) While load is balanced across the output ports in a group, all packets in both directions of the same TCP connection must be forwarded to the same output port, so that the back end can conveniently reassemble the received data.
Further, the distribution rule can be set in two ways:
One uses the IP address and port information of the packet as the direct object of monitoring; based on this address information, rules are placed in an address-based packet-distribution rule table whose format is:

Rule number | Source IP address | Source IP mask | Source port | Destination IP address | Destination IP mask | Destination port | Packet behaviour

The other sets rules on the basis of special-field information; its rule-table format is:

Rule number | Field offset | Field length | Matching content | Packet behaviour

Where:
Rule number: the unique identifying sequence number of each rule;
Source/destination IP address: the IP address of the source and destination of the packet;
Source/destination IP mask: the subnet mask of the source and destination IP fields;
Source/destination port: the port numbers of the source and destination of the packet;
Field offset: the offset, counted from the start of the IP packet content, of the special field to be matched;
Field length: the length of the special field to be matched;
Matching content: the value of the special field to be matched; special fields include, for example, a URL address or the recipient and sender address fields of an e-mail message;
Packet behaviour: "0" means discard the packet, "1" means forward it to group 1, "2" means forward it to group 2, ..., "N" means forward it to group N, and "-1" means this rule is suspended; if every field of a rule other than the packet-behaviour field is 0, the rule applies to all packets.
Further, because dynamically set rules have a lifetime, the address-and-port packet-distribution rule table loaded into memory gains two extra fields, "dynamic/static" and "timeout count"; its format is:

Rule number | Source IP address | Source IP mask | Source port | Destination IP address | Destination IP mask | Destination port | Packet behaviour | Dynamic/static | Timeout count
Further, in step B3 the specific steps for classifying packets of the same protocol type comprise:
1) a new data table is created when a new packet arrives;
2) when a data message is received, the packet number corresponding to it is first looked up in the data table; if it is found, it is then judged whether the message is the last one; if not, the message is added to the corresponding packet, otherwise the packet is deleted;
3) when the packet is out of order or retransmitted and is not deleted normally, a timer is started and the packet is deleted when the timer expires.
Further, the DFA is built with the AC algorithm. The DFA is a five-tuple {Q, Σ, q0, δ, A(α, β)}, where Q is the set of states; Σ is the alphabet; q0 is the initial state; A(α, β) is the set of terminal states, in which α is the depth of the terminal state, i.e. the number of edges traversed from the root node to that state, and β is the length of the longest matching string that the terminal state can output; δ is the state-transition function.
Further, compressing each matching string in the matching-string set in step C comprises the steps:
C1) the byte sequence of each matching string in the set is converted to a bit sequence;
C2) the bit sequence is converted to a byte sequence, which completes the compression of the matching string;
in step C2, the bit sequence is converted into bytes from its first bit, 8 bits per byte; fewer than 8 bits remaining at the end are discarded.
Further, in step D, compressing the character strings in the packet to generate new strings comprises the steps:
D1) the byte sequence of the character string in the packet is converted to a bit sequence;
D2) the bit sequence is converted to a byte sequence, which generates the new string;
in step D2, the bit sequence is converted into bytes from its first bit, 8 bits per byte; fewer than 8 bits remaining at the end are discarded. Compared with the prior art, the beneficial effects of the present invention are:
The present invention performs full-protocol-stack parsing of packets by combining protocol parsing with a regular-expression rule base and decoding complex user service data in hardware with multiple threads; this greatly improves decoding speed, meets the real-time decoding requirement, reduces the demand for server memory and lowers cost. The invention also performs high-speed message matching with a DFA state-transition table, so that existing threats are detected and defended against accurately and advanced evasion techniques are identified and removed accurately, which will greatly raise the safety coefficient of the network.
In addition, the invention first performs a coarse matching step when inspecting a packet, which filters out part of the non-attack data; only the data not filtered out are matched exactly, and the attack data are found precisely among the remaining part of the non-attack data and all of the attack data. In this way the time spent matching part of the non-attack data is saved and efficiency is improved.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of the protocol-parsing system of the present invention;
Fig. 2 is a schematic diagram of the matching-string compression principle of the present invention;
Fig. 3 is a schematic diagram of the principle by which a character string is fed into the DFA for matching in the present invention.
Embodiments
The method of the present invention is further described in detail below with reference to the drawings.
The filtering method for network packets of the present invention comprises the following specific steps:
First step: capture a packet from the network;
Second step: perform full-protocol-stack parsing on the captured packet;
Third step: compress each matching string in the matching-string set, and construct a DFA for pattern matching from the compressed set;
Fourth step: compress the character strings in the packet to generate new strings, and feed the new strings into the DFA for fuzzy matching;
Fifth step: classify the data that remain after the fuzzy-matching filter, then perform exact matching according to the classification result.
Fig. 1 is a schematic structural diagram of the stream-based protocol-parsing system of this example; the system comprises a router and a protocol-parsing device. The router forwards service data in the communication network and sends a copy of the forwarded data to the protocol parser (the DPI protocol-parsing device). The protocol parser is connected in parallel to the router and receives the data the router sends; it groups the received data, judges the protocol type of the grouped data, classifies the data by protocol type, and then performs flow management on the data of each protocol so that the same data flow is sent to the same processing module for decoding; finally the processing module performs protocol parsing on the data. Because this parallel (tap) connection performs protocol parsing independently, its impact on the data communication of the running system is small.
The specific implementation of the second step is as follows:
Step 1: the protocol parser is initialised and the compiled regular-expression rule set is loaded. The DPI chip in the protocol parser can work only after initialisation; before the parser is initialised, this step may also compile the regular-expression rule set into a data format the DPI chip can recognise, so that the protocol parser can perform DPI protocol decoding of packets.
Step 2: packets are read and grouped. In this step the router also groups the packets and stores the grouped packets. The specific steps of grouping are:
(1) Set the output-port grouping rule: suppose the high-speed network filtering and distribution access platform has 8 output ports with identifiers 0, 1, 2, 3, 4, 5, 6, 7, each facing a back-end security-monitoring device. According to the service-processing requirements and data-processing capacity of each security-monitoring device, the ports are divided into four groups:

Group number | Output port identifiers
1 | 3; 2; 0; 2
2 | 1; 4
3 | 5; 7; 5; 6; 7
4 | 0; 4

Ports placed in the same group process packets of the same type. Port 2 appears twice in group 1, meaning that the back-end device behind port 2 receives and processes half of that group's data volume; port 4 appears in both group 2 and group 4, meaning that port 4 forwards data from both groups.
(2) Set the filtering and distribution rules: the purpose of these rules is coarse-grained filtering and distribution of data, which filters out data useless to back-end processing and assigns the data each back-end device needs to the designated port group. An example of the distribution rule settings follows:
Packet-distribution rule table based on IP address and port information:
[address-and-port rule table shown as an image in the original; not reproduced]
Packet-distribution rule table based on special-field information:

Rule number | Field offset | Field length | Matching content | Distribution behaviour
301 | 42 | 15 | xy@yahoo.com.cn | 3

According to the situation assumed in (3), packet b is processed as follows: the address information of packet b is matched one by one against the rules in the address-and-port rule table, and no rule matches; the 15-byte value "xy@yahoo.com.cn" at field offset 42 of the packet is then extracted and matched one by one against the rules in the special-field rule table, and rule 301 matches. According to the distribution behaviour set in rule 301, packet b is assigned to group 3; the IP address information of the packet is extracted and, together with the distribution behaviour of rule 301, a new dynamic distribution rule is generated and added to the address-and-port rule table, namely:
[dynamic rule shown as an image in the original; not reproduced]
(5) Data assigned to each group are then processed according to the distribution algorithm proposed in the present invention. For packet a, the high and low 16-bit halves of the source IP address 61.125.3.8 and the destination IP address 10.10.25.30 are XORed bit by bit, the result is XORed with the XOR of the source port 90 and the destination port 1290, and the final result is reduced modulo the number of ports in group 4, that is:
{(0x3D7D ^ 0x0A0A) ^ (0x0308 ^ 0x191E) ^ (0x005A ^ 0x050A)} mod 2 = {0x3777 ^ 0x1A16 ^ 0x0550} mod 2 = 0x2831 mod 2 = 1
The result is 1, which shows that packet a should be output from the second port of group 4, i.e. port 4.
For packet b, the high and low halves of the source IP address 10.10.19.131 and the destination IP address 216.136.173.18 are XORed bit by bit, the result is XORed with the XOR of the source port 1664 and the destination port 25, and the final result is reduced modulo the number of ports in group 3, that is:
{(0x0A0A ^ 0xD888) ^ (0x1383 ^ 0xAD12) ^ (0x0680 ^ 0x0019)} mod 5 = {0xD282 ^ 0xBE91 ^ 0x0699} mod 5 = 0x6A8A mod 5 = 4
The result is 4, which shows that packet b should be output from the fifth port of group 3, i.e. port 7.
(6) Suppose subsequent packets of the connections to which packets a and b belong arrive; because packets of the same connection carry the same IP addresses and ports, the above calculation gives the same result, so all subsequent packets of the same connection are still output from the same port.
(7) When the final packet of the connection to which packet b belongs is received, the dynamically set rule 7 is removed.
If the high-speed filtering and distribution method proposed here, which does not depend on a connection table, is implemented with CAM technology, it provides 30G of data-access capacity for 12 × 2.5G POS links and meets the line-rate access requirement of a high-speed backbone network.
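The grouping table of (1), the two rule tables of (2) with the dynamic rule they generate, and the hash of (5), as an added example in Python that is not the patent's own code. The rule number 7 given to the dynamic rule, the SMTP-like payload of packet b, the "drop when no rule matches" default and the wildcard meaning of an all-zero address field or a port of 0 are assumptions of this example; the addresses, ports, groups and rule 301 are the ones in the text.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not the patent's code. Reproduces the output-port grouping, the
# address/field distribution rules with dynamic-rule generation, and the hash of
# step (5). Rule numbers, packet payloads and the "no rule matches -> drop"
# default are assumptions made for this example.

GROUPS = {1: [3, 2, 0, 2], 2: [1, 4], 3: [5, 7, 5, 6, 7], 4: [0, 4]}  # table of step (1)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    payload: bytes = b""


@dataclass
class AddrRule:
    """Row of the address-and-port rule table, with the two fields added for dynamic
    rules. A mask of 0.0.0.0 or a port of 0 is treated as a wildcard (assumption; the
    text only says that an all-zero rule matches every packet)."""
    number: int
    src_ip: str
    src_mask: str
    sport: int
    dst_ip: str
    dst_mask: str
    dport: int
    behaviour: int          # 0 drop, N forward to group N, -1 suspended
    dynamic: bool = False
    timeout: int = 0


@dataclass
class FieldRule:
    """Row of the special-field rule table: `length` bytes at `offset` of the payload."""
    number: int
    offset: int
    length: int
    content: bytes
    behaviour: int


def _ip_in(ip: str, rule_ip: str, mask: str) -> bool:
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(ip)) & m) == (int(ipaddress.IPv4Address(rule_ip)) & m)


def addr_rule_matches(r: AddrRule, p: Packet) -> bool:
    return (r.behaviour != -1
            and _ip_in(p.src_ip, r.src_ip, r.src_mask) and _ip_in(p.dst_ip, r.dst_ip, r.dst_mask)
            and r.sport in (0, p.sport) and r.dport in (0, p.dport))


def classify(addr_rules, field_rules, p: Packet, next_rule_no: int):
    """Address rules are consulted first; only if none matches is the payload field
    compared. A field-rule hit also returns a dynamic address rule for the connection,
    so later packets of the flow are classified without touching the payload.
    Returns (behaviour, dynamic rule or None)."""
    for r in addr_rules:
        if addr_rule_matches(r, p):
            return r.behaviour, None
    for fr in field_rules:
        if fr.behaviour != -1 and p.payload[fr.offset:fr.offset + fr.length] == fr.content:
            dyn = AddrRule(next_rule_no, p.src_ip, "255.255.255.255", p.sport,
                           p.dst_ip, "255.255.255.255", p.dport, fr.behaviour, dynamic=True)
            return fr.behaviour, dyn
    return 0, None          # assumption: unmatched traffic is useless to the back end


def flow_hash(p: Packet) -> int:
    """Step (5): XOR the 16-bit halves of both addresses and the two ports. Every operand
    enters by XOR, so swapping source and destination gives the same value, which is
    what keeps both directions of a TCP connection on one port (principle 3)."""
    s, d = int(ipaddress.IPv4Address(p.src_ip)), int(ipaddress.IPv4Address(p.dst_ip))
    return ((s >> 16) ^ (d >> 16)) ^ ((s & 0xFFFF) ^ (d & 0xFFFF)) ^ (p.sport ^ p.dport)


def select_port(group: int, p: Packet) -> int:
    """Hash modulo the group size indexes the group's port list; a port listed twice
    therefore receives twice the share of that group's flows."""
    ports = GROUPS[group]
    return ports[flow_hash(p) % len(ports)]


# Constructed inputs: packets a and b from the text; b carries the rule-301 field at offset 42.
PACKET_A = Packet("61.125.3.8", "10.10.25.30", 90, 1290)
PACKET_B = Packet("10.10.19.131", "216.136.173.18", 1664, 25,
                  b"MAIL FROM:<alice-b@example.org>\r\nRCPT TO:<xy@yahoo.com.cn>\r\n")
FIELD_RULES = [FieldRule(301, 42, 15, b"xy@yahoo.com.cn", 3)]

if __name__ == "__main__":
    print(hex(flow_hash(PACKET_A)), select_port(4, PACKET_A))      # 0x2831, port 4
    behaviour, dyn = classify([], FIELD_RULES, PACKET_B, 7)
    print(behaviour, select_port(behaviour, PACKET_B), dyn)          # 3, port 7, dynamic rule
```

The hash is direction-independent, but the dynamic rule generated in `classify` is not: it carries packet b's source and destination as written, so the server's replies would not match it. An implementation that wants principle 3 to hold for the rule table as well should add the reversed five-tuple alongside it (or key dynamic rules on the same symmetric hash).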
Step 3: the protocol type of the grouped data is identified to obtain the protocol type of the data; it is judged whether the data need to be decoded; if not, the data are discarded directly, otherwise step 4 is carried out. The judgement is made according to the actual requirement, i.e. whether data of a given protocol type need to be decoded.
Step 4: the same data flow is assigned to the same detection-processing module in the protocol parser, and flow management is performed on the data after protocol-type identification; flow management comprises creating, maintaining, deleting and ageing data flows.
The specific steps for assigning the same data flow to the same detection-processing module in the protocol parser comprise:
1) a new data table is created when a new packet arrives;
2) when a data message is received, the packet number corresponding to it is first looked up in the data table; if it is found, it is then judged whether the message is the last one; if not, the message is added to the corresponding packet, otherwise the packet is deleted;
3) when the packet is out of order or retransmitted and is not deleted normally, a timer is started and the packet is deleted when the timer expires.
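Flow management steps 1) to 3), as an added example in Python that is not the patent's code. The direction-independent flow key (so that both halves of a TCP connection land in one record, as principle 3 of the grouping rules requires), the idle timeout value and the injectable clock are assumptions of this example; the sample segments are constructed.

```python
import time
from dataclasses import dataclass, field

# Added example, not the patent's code. Flow table with create / append / delete-on-last /
# timer-based ageing. The idle timeout and the symmetric key are assumptions.

IDLE_TIMEOUT = 30.0     # seconds; assumed, the text gives no value


def flow_key(src_ip, sport, dst_ip, dport, proto="tcp"):
    """Direction-independent key: the smaller (ip, port) endpoint is listed first, so
    client->server and server->client segments map to the same record."""
    a, b = (src_ip, sport), (dst_ip, dport)
    return (proto,) + (a + b if a <= b else b + a)


@dataclass
class Flow:
    segments: list = field(default_factory=list)
    last_seen: float = 0.0


class FlowTable:
    def __init__(self, now=time.monotonic, idle_timeout=IDLE_TIMEOUT):
        self._flows = {}
        self._now = now                 # injectable clock so ageing can be tested
        self._idle = idle_timeout

    def add(self, src_ip, sport, dst_ip, dport, payload: bytes, last=False):
        """Steps 1) and 2): create the record on first sight, append each segment until
        the last one arrives, then delete the record. Returns the joined payload when
        the flow closes, else None."""
        key = flow_key(src_ip, sport, dst_ip, dport)
        flow = self._flows.setdefault(key, Flow())
        flow.segments.append(payload)
        flow.last_seen = self._now()
        if last:
            del self._flows[key]
            return b"".join(flow.segments)
        return None

    def expire(self) -> int:
        """Step 3): records that never saw their last segment (out-of-order delivery,
        retransmission, or a peer that deliberately leaves flows half-open to fill the
        table) are dropped once idle for longer than the timeout. Returns the count."""
        cutoff = self._now() - self._idle
        stale = [k for k, f in self._flows.items() if f.last_seen < cutoff]
        for k in stale:
            del self._flows[k]
        return len(stale)

    def __len__(self):
        return len(self._flows)


if __name__ == "__main__":
    table = FlowTable()
    table.add("10.0.0.1", 40000, "10.0.0.2", 80, b"GET / HT")
    print(table.add("10.0.0.2", 80, "10.0.0.1", 40000, b"TP/1.1\r\n", last=True))
```

As the text describes them, segments are joined in arrival order; that is enough for the grouping step but not for inspection, since the fragmentation evasion listed in the background relies on out-of-order and overlapping segments. Before the matcher sees a flow, the segments have to be ordered by TCP sequence number and overlaps resolved the way the destination host resolves them.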
Step 5: the DPI protocol parser performs DPI protocol parsing, according to the regular-expression rule base, on the data coming from the flow-management module. After obtaining the protocol type of the data, the parser finds in the rule base the protocol-decoding rule corresponding to that protocol type, scans the packet carrying the data, and extracts the output information of the data from the packet according to the decoding rule.
It should be noted that the DPI protocol parser supports cross-packet scanning. For a data message that spans packets, the result is output in the next message; when the output information contains a field spanning packets, the corresponding field results in the previous packet and in the current packet must both be taken out to obtain the cross-packet output information. In addition, because this embodiment matches and decodes with a regular-expression rule base, the output information is the offset of the matched position relative to the packet, so step 5 also comprises extracting the decoded information from the packet according to that output information.
Compared with the prior art, the invention combines DPI protocol parsing with a regular-expression rule base and decodes complex user service data in hardware with multiple threads. Under the same conditions DPI hardware decoding is more than 10 times faster than software decoding, so the invention greatly improves decoding speed and meets the real-time decoding requirement; and because the DPI hardware supports cross-packet scanning, only the information of the previous and the current packet of a data flow needs to be kept, which greatly reduces the demand for server memory and lowers cost.
The compression and matching of the third and fourth steps are realised as follows:
In step 1, each matching string in the matching-string set is compressed, and a DFA for pattern matching is constructed from the compressed set. In step 2, the character strings in the packet are compressed to generate new strings, which are fed into the DFA for matching. In step 3, the filtered data are classified, and suitable matching strings are selected according to the classification result for exact matching.
The cloud-system-based packet detection method of the present invention is mainly used on the gateway of a cloud system.
In step 1 the matching-string information is compressed, which shortens the matching strings.
In step 2, because the matching strings (patterns) have been compressed (the reduce function), the DFA match is only a coarse match with respect to the original input string; part of the non-attack information is therefore filtered out, while the rest of the non-attack information enters the exact-search module together with the attack data to be searched precisely, and at that point suitable matching strings (patterns) can be selected for the exact search according to the classification result of the fuzzy match.
Compressing each matching string in the matching-string set in step 1 comprises steps Q1 and Q2. In step Q1, the byte sequence of each matching string in the set is converted to a bit sequence. In step Q2, the bit sequence is converted to a byte sequence, which completes the compression of the matching string: the bit sequence is converted into bytes from its first bit, 8 bits per byte, and fewer than 8 bits remaining at the end are discarded.
Compressing the character strings in the packet to generate new strings in step 2 comprises steps W1 and W2. In step W1, the byte sequence of the character string in the packet is converted to a bit sequence. In step W2, the bit sequence is converted to a byte sequence, which generates the new string: the bit sequence is converted into bytes from its first bit, 8 bits per byte, and fewer than 8 bits remaining at the end are discarded.
Because in steps 1 and 2 the matching strings (patterns) have been compressed (reduce function), the fuzzy match of all patterns against an input string can be completed in a single fast lookup; part of the normal data is thereby filtered out, and the exact matching of the next step is carried out only on the remaining normal data and all of the attack data, which reduces the time of exact matching. In step 3, the data remaining after filtering are classified according to the preceding fuzzy-matching result, then suitable matching strings and a suitable matching algorithm are selected separately for each class for exact matching, and the attack data are found. The input string here is the character string of the packet in step 2.
The compression in step 2 uses the same method as the compression in step 1; only the method of step 1 is illustrated below. Each byte of a matching string (pattern) is converted to δ bits, and the bits are then converted back into bytes in units of 8 bits, which has the effect of compressing (the reduce function) the pattern-set information. In the matching-string processing module, the compressed pattern set generates a DFA; in the input-string search module, the compressed input string is fed into the generated DFA for matching. Here, to guarantee that the patterns are actually compressed, δ can be 1, 2 or 4. The algorithm steps are as follows:
We define the pattern set as $P = \{P_1, P_2, P_3, \ldots, P_{n-1}, P_n\}$, where $P_i$ ($i = 1, 2, \ldots, n$) denotes one matching string (pattern), $P_{i1} P_{i2} P_{i3} \ldots P_{im}$ denotes the $m$ bytes of $P_i$, and $b_{i1} b_{i2} b_{i3} \ldots b_{i,m-1}$ denotes the bit sequence obtained from $P_i$ by the compression conversion. When processing of the pattern set starts, each element $P_i$ of $P$ is first compressed. The conversion rule for compression is as follows (taking $\delta = 1$ as the example):

$$ b_{ij} = \begin{cases} 1, & P_{ij} \ge P_{i,j+1} \\ 0, & P_{ij} < P_{i,j+1} \end{cases} \qquad (2) $$

where $j = 1, 2, \ldots, m-1$.
After applying formula (2) we obtain the sequence $b_{i1} b_{i2} b_{i3} \ldots b_{i,m-1}$. The next step is to convert this bit sequence back into a byte sequence, which completes the compression of the matching string (pattern). The conversion from bits to bytes is as follows:
(1) starting from the first bit of $b_{i1} b_{i2} b_{i3} \ldots$, every 8 bits are converted as one unit into 1 byte;
(2) if fewer than 8 bits remain at the end, those bits are dropped; the byte sequence keeps only the bytes generated before them.
As a concrete example, the string shbea23cdd27dkgl9nv is converted to a bit sequence as shown in Fig. 2; the compressed matching string finally obtained after the compression (reduce function) conversion is, in hexadecimal, (0xD8 0xC5).
The DFA is a five-tuple {Q, Σ, q0, δ, A(α, β)}, where Q is the set of states; Σ is the alphabet; q0 is the initial state; A(α, β) is the set of terminal states, in which α is the depth of the terminal state, i.e. the number of edges traversed from the root node to that state, and β is the length of the longest matching string that the terminal state can output; δ is the state transition function.
The construction rule of the DFA of the present invention is essentially the same as that of the original DFA; the only difference lies in the terminal states: in the DFA of the present invention a terminal state A(α, β) carries two parameters, α and β, that a terminal state of the original DFA does not have.
The DFA of the present invention is built with the AC (Aho-Corasick) algorithm, a fast multi-pattern matching algorithm that is widely used in deep packet inspection and for which many improved multi-pattern matching variants exist.
Fig. 3 shows in detail how a character string (input string) from a packet is run through the DFA in this example. Starting from the first character, the input string is taken in groups of 8 characters, compressed by the reduce function, and fed into the DFA of the present invention. The DFA starts in state 0; as input characters keep arriving it passes through states 1, 2 and 3. In state 3 the next character fails to match, and the fail function of the AC algorithm moves it from state 3 to state 6; at this moment the search position in the original input string has reached point P in Fig. 3. Because state 6 is a terminal state, the portion of the original input string that ends at state 6 must be searched exactly against the pattern set that corresponds to state 6. To keep the number of exact matches as small as possible, we want, while still guaranteeing correctness, to extract the shortest possible segment of the original input string to match against the pattern set of state 6. This is where the two parameters α and β added to the state points of the DFA come into play: they determine which segment of the original character string (input string) is extracted.
At state point 6 the values of the two parameters α and β are (2, 22). Together with the position indicated by P, we can compute the segment of the input string to select. Because α equals 2, the depth of state 6 is 2, so only 2*8 characters of the original string lie before point P. Because the longest matching string (pattern) in the pattern set of state 6 has length 22, we count 22-2*8=16 characters onward from point P (including the character at P). The characters from r to h enclosed by the braces are then exactly the string on which exact matching is performed.
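The following added example (not code from the patent or its applicant) works through the two stages described above in Python: the reduce function of formula (2) with δ = 1, an Aho-Corasick automaton built over the reduced patterns whose terminal states carry (α, β), and the extraction of the original-string segment that is verified exactly. Assumptions beyond the page: the automaton details (failure links, prefix check on the extracted window) are a standard AC construction; because compressing from the first character only finds occurrences that start on an 8-character boundary, the scan is repeated at all 8 alignments; the second signature and the input string are constructed, and the shifted copy of the page's own string is included to show a fuzzy hit that exact matching rejects.

```python
from collections import deque


def reduce_bits(data: bytes) -> bytes:
    """Reduce function of formula (2) with delta = 1: bit j is 1 when
    data[j] >= data[j+1], else 0.  Bits are packed MSB-first, 8 per byte;
    a trailing group of fewer than 8 bits is discarded (step (2) above)."""
    bits = [1 if data[j] >= data[j + 1] else 0 for j in range(len(data) - 1)]
    out = bytearray()
    for k in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[k:k + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


class BitReducedDFA:
    """Aho-Corasick automaton over reduce_bits(pattern).  A terminal state
    records alpha (its depth) and beta (the longest original pattern ending
    there), as the page describes for A(alpha, beta)."""

    def __init__(self, patterns):
        self.goto, self.fail, self.depth, self.out = [{}], [0], [0], [[]]
        for p in patterns:
            reduced = reduce_bits(p)
            if not reduced:  # fewer than 9 bytes leaves no whole group of 8 bits
                raise ValueError("pattern too short to survive compression: %r" % p)
            s = 0
            for b in reduced:
                if b not in self.goto[s]:
                    self.goto[s][b] = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.depth.append(self.depth[s] + 1)
                    self.out.append([])
                s = self.goto[s][b]
            self.out[s].append(p)
        # beta: longest original pattern that ends exactly at each state
        self.beta = [max((len(p) for p in o), default=0) for o in self.out]
        # standard AC failure links, breadth first
        queue = deque(self.goto[0].values())
        while queue:
            s = queue.popleft()
            for b, t in self.goto[s].items():
                f = self.fail[s]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[t] = self.goto[f].get(b, 0)
                queue.append(t)

    def step(self, s, b):
        while s and b not in self.goto[s]:
            s = self.fail[s]
        return self.goto[s].get(b, 0)


def two_stage_scan(dfa, data: bytes):
    """Fuzzy match on the reduced input, then exact match on the segment that
    (alpha, beta) selects.  Returns (exact_hits, fuzzy_candidates_rejected)."""
    hits, rejected = [], 0
    # Compressing from the first byte only finds occurrences whose start is a
    # multiple of 8; scanning all 8 alignments makes the search complete.
    for off in range(8):
        s = 0
        for k, b in enumerate(reduce_bits(data[off:])):
            s = dfa.step(s, b)
            t = s
            while t:  # visit every terminal state on the failure chain
                if dfa.out[t]:
                    alpha, beta = dfa.depth[t], dfa.beta[t]
                    # reduced byte k covers original bytes 8k..8k+8 of data[off:],
                    # so the matched prefix began alpha groups earlier
                    start = off + 8 * (k - alpha + 1)
                    window = data[start:start + beta]
                    for p in dfa.out[t]:
                        if window.startswith(p):
                            hits.append((start, p))
                        else:
                            rejected += 1
                t = dfa.fail[t]
    return hits, rejected


PAGE_PATTERN = b"shbea23cdd27dkgl9nv"  # the page's example; reduces to D8 C5
# Constructed sample: the second signature is invented.  The shifted copy of the
# page string keeps every >= relation, so it is a fuzzy hit but not an exact one.
SAMPLE_PATTERNS = [PAGE_PATTERN, b"another-signature-here"]
SHIFTED = bytes((c + 1) & 0xFF for c in PAGE_PATTERN)
SAMPLE_INPUT = b"abc" + PAGE_PATTERN + b"--" + SHIFTED + b"ZZZZZZZZZZ"

if __name__ == "__main__":
    print(reduce_bits(PAGE_PATTERN).hex())
    dfa = BitReducedDFA(SAMPLE_PATTERNS)
    print(two_stage_scan(dfa, SAMPLE_INPUT))
```

Running the script prints d8c5 for the page's string, one exact hit at offset 3, and at least one rejected fuzzy candidate from the shifted copy. Note the two properties this makes visible: the reduced form is invariant under any byte-wise shift that preserves the >= relations (hence the need for the exact stage), and a pattern shorter than 9 bytes reduces to nothing and cannot be placed in the automaton at all.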
Once exact matching is reached, a suitable exact-matching algorithm can be chosen according to the characteristics of the pattern set. The composition of the pattern set after classification is also a key factor in evaluating the Bit-reduced DFA algorithm; this is reflected in the performance assessment below.
In summary, when a packet is inspected the present invention first performs a coarse matching step, which filters out part of the non-attack data; only the data that are not filtered out are matched exactly, so that the attack data are found precisely among the remaining non-attack data and all of the attack data. In this way the time spent matching part of the non-attack data is saved and efficiency is improved.
The above describes the present invention further with reference to specific preferred embodiments; it cannot be asserted that the specific implementation of the invention is limited to these descriptions. A person of ordinary skill in the technical field of the invention may make some simple deductions or substitutions without departing from the inventive concept, and all of these are considered to fall within the scope of protection of the invention.

Claims (10)

1. A filtering method for a network packet, characterized in that it comprises the following steps:
A) capturing a packet in the network;
B) performing full protocol stack parsing on the captured packet;
C) compressing each matching string in the pattern set, and constructing from the compressed pattern set a DFA for pattern matching;
D) generating a new character string by compressing the character string in the packet, and inputting the new character string into the DFA for fuzzy matching;
E) classifying the data that remain after filtering by fuzzy matching, then performing exact matching according to the classification result.
2. The method of claim 1, characterized in that the specific method of step B comprises:
B1) the protocol parser is initialised, and the compiled regular expression set is loaded;
B2) a packet is read and grouped;
B3) the protocol type of the grouped packet is identified and it is judged whether the packet needs to be parsed; if not, the packet is discarded directly; otherwise, packets of the same protocol type are sorted together;
B4) the protocol decoding rule corresponding to the data's protocol type is found in the regular expression rule set, the packet containing the data is scanned, and the parsing information of the data is extracted from the packet according to the protocol parsing rule.
3. The method according to claim 2, characterized in that the specific steps of grouping the packets comprise:
First, an output-port grouping rule and a packet rule are set. The output-port grouping rule configuration first groups the output ports according to the business processing type of the corresponding back-end application system, and then determines, from the processing capacity of the back-end system behind each port in a group, the proportion of packet traffic that each port in that group handles; the packet rule configuration assigns packets to the groups according to IP address information or special fields. Then packet processing is carried out: first, protocol parsing extracts the IP packet from the raw packet received from the network, and the packets relevant to subsequent processing are assigned to the output-port groups according to the configured packet rule; then the address and port information of each packet in a group is hashed, the hash value is taken modulo the number of ports that the group contains, and the result is the sequence number of the output port for this packet within its group.
4. The method according to claim 3, characterized in that the configuration of the output-port groups follows these principles:
1) the output ports are grouped first according to the business requirements of the back-end processing systems, i.e. by business processing type; when one system and several other systems overlap in their packet-rule attributes, the same output port appears in more than one group;
2) to ensure that data processing tasks are distributed evenly within each group, the same output port may appear several times in one group, and within a group the share of packet traffic that each port receives is determined by the data-processing capacity of the back-end system behind that port;
3) while load balance is ensured when distributing packets to the output ports of a group, all packets of both directions of the same TCP connection must be forwarded to the same output port, so that the back end can conveniently aggregate and reassemble the received data.
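The following added example (not code from the patent) shows the port selection of claims 3 and 4 in Python: a group's port list is expanded from per-port capacity weights so that a port listed twice receives twice the traffic, and the flow's address and port information is hashed modulo the group size. Two assumptions are mine: the claim does not name a hash function, so BLAKE2b is used, and the two endpoints are sorted before hashing so that both directions of one TCP connection land on the same port, which is one way to satisfy principle 3. The port names, addresses and flows are constructed.

```python
import hashlib
import ipaddress


def expand_group(port_weights: dict) -> list:
    """Turn {port: share} into the group's port list.  A port that appears
    several times in the list receives a proportionally larger share of the
    group's packets (claim 4, principle 2)."""
    return [port for port, w in sorted(port_weights.items()) for _ in range(w)]


def flow_key(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Direction-independent key: the two endpoints are sorted before hashing,
    so A->B and B->A of one TCP connection yield the same key (principle 3)."""
    a = (int(ipaddress.ip_address(src_ip)), src_port)
    b = (int(ipaddress.ip_address(dst_ip)), dst_port)
    lo, hi = sorted((a, b))
    return b"%d:%d|%d:%d" % (lo[0], lo[1], hi[0], hi[1])


def select_port(group: list, src_ip, src_port, dst_ip, dst_port):
    """Hash the address/port information and take it modulo the number of
    ports in the group; the result indexes the output port (claim 3).
    BLAKE2b is an assumption: the page does not name the hash function."""
    digest = hashlib.blake2b(flow_key(src_ip, src_port, dst_ip, dst_port),
                             digest_size=8).digest()
    return group[int.from_bytes(digest, "big") % len(group)]


def share_of(group: list, port, flows) -> float:
    """Fraction of the given flows that land on `port`."""
    n = sum(1 for f in flows if select_port(group, *f) == port)
    return n / len(flows)


# Constructed sample: one group whose first back-end system has twice the
# capacity of the second; port names and addresses are invented.
SAMPLE_GROUP = expand_group({"port-1": 2, "port-2": 1})
SAMPLE_FLOWS = [("10.0.%d.%d" % (i >> 8, i & 0xFF), 40000 + i, "10.1.0.1", 443)
                for i in range(3000)]

if __name__ == "__main__":
    print(SAMPLE_GROUP)
    print(select_port(SAMPLE_GROUP, "10.0.0.1", 50000, "10.1.0.1", 443),
          select_port(SAMPLE_GROUP, "10.1.0.1", 443, "10.0.0.1", 50000))
    print(round(share_of(SAMPLE_GROUP, "port-1", SAMPLE_FLOWS), 2))
```

With 3000 constructed flows the share of port-1 comes out close to 2/3, and the forward and reverse direction of any flow always select the same port. Repeating a port in the list is the simplest weighting that keeps the claim's "hash modulo port count" rule unchanged.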
5. The method according to claim 3, characterized in that the packet rule can be set in two ways:
One takes the IP address and port information of the packet as the direct object of monitoring; based on this IP address information, rules are placed in the packet rule list based on address information, whose table format is as follows:
[Table: packet rule list based on address information (figure not available). Its columns, as defined below, are: rule number; source and destination IP address; source and destination IP mask; source and destination port; packet behavior.]
The other is rule setting based on special-field information, whose table format is as follows:
Rule number | Field offset | Field length | Matching content | Packet behavior
Where:
Rule number: the unique identifying sequence number of each rule;
Source and destination IP address: the IP address values of the source and destination of the packet transmission;
Source and destination IP mask: the subnet masks of the source and destination IP fields of the packet transmission;
Source and destination port: the port numbers of the source and destination of the packet transmission;
Field offset: the offset, counted from the start of the IP packet content, of the special field that needs to be matched;
Field length: the length of the special field that needs to be matched;
Matching content: the value to match in the special field; such special fields include, for example, the URL address and the recipient and sender address fields of an e-mail;
Packet behavior: "0" means the packet is discarded, "1" means the packet is forwarded to group 1, "2" means the packet is forwarded to group 2, ..., "N" means the packet is forwarded to group N, and "1" means use of this rule is suspended; if all fields of the packet rule list other than the packet behavior field are 0, the rule applies to all packets.
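The following added example (not code from the patent) implements both rule-list forms of claim 5 in Python and classifies constructed packets against them. Assumptions of mine: a mask of 0.0.0.0 or a port of 0 is treated as a wildcard, which is what makes the claim's all-zero rule match every packet; a suspended rule is represented by a separate flag rather than a behavior value; the first active matching rule wins, with address rules checked before special-field rules. All addresses, payloads and group numbers are constructed.

```python
import ipaddress
from dataclasses import dataclass

DROP = 0  # packet behavior "0" in the claim


@dataclass(frozen=True)
class AddressRule:
    """One row of the packet rule list based on address information."""
    rule_id: int
    src_ip: str
    src_mask: str
    src_port: int          # 0 = any port (assumption)
    dst_ip: str
    dst_mask: str
    dst_port: int
    action: int            # 0 = drop, N > 0 = forward to group N
    suspended: bool = False   # assumption: separate flag for a suspended rule


@dataclass(frozen=True)
class FieldRule:
    """One row of the rule list based on special-field information."""
    rule_id: int
    offset: int
    length: int
    content: bytes
    action: int
    suspended: bool = False


def _addr_match(ip: str, rule_ip: str, mask: str) -> bool:
    # a mask of 0.0.0.0 masks every bit away, so the comparison always holds
    m = int(ipaddress.ip_address(mask))
    return int(ipaddress.ip_address(ip)) & m == int(ipaddress.ip_address(rule_ip)) & m


def address_rule_matches(rule, src_ip, src_port, dst_ip, dst_port) -> bool:
    return (_addr_match(src_ip, rule.src_ip, rule.src_mask)
            and _addr_match(dst_ip, rule.dst_ip, rule.dst_mask)
            and rule.src_port in (0, src_port)
            and rule.dst_port in (0, dst_port))


def field_rule_matches(rule, payload: bytes) -> bool:
    # offset and length count from the start of the IP packet content
    return payload[rule.offset:rule.offset + rule.length] == rule.content


def classify(addr_rules, field_rules, src_ip, src_port, dst_ip, dst_port, payload):
    """Packet behavior of the first active matching rule (assumption: first
    match wins, address rules before field rules), or None if none matches."""
    for r in addr_rules:
        if not r.suspended and address_rule_matches(r, src_ip, src_port, dst_ip, dst_port):
            return r.action
    for r in field_rules:
        if not r.suspended and field_rule_matches(r, payload):
            return r.action
    return None


# Constructed sample rules; addresses, payloads and group numbers are invented.
SAMPLE_ADDR_RULES = [
    AddressRule(1, "192.168.1.0", "255.255.255.0", 0, "0.0.0.0", "0.0.0.0", 80, 1),
    AddressRule(2, "0.0.0.0", "0.0.0.0", 0, "10.0.0.5", "255.255.255.255", 0, 2),
    AddressRule(3, "0.0.0.0", "0.0.0.0", 0, "172.16.0.0", "255.240.0.0", 0, 4,
                suspended=True),
]
SAMPLE_FIELD_RULES = [
    FieldRule(4, 0, 4, b"GET ", 3),
    FieldRule(5, 0, 0, b"", DROP),   # all-zero rule: matches every packet
]

if __name__ == "__main__":
    for pkt in [("192.168.1.7", 40000, "8.8.8.8", 80, b""),
                ("172.16.0.1", 1234, "10.0.0.5", 22, b""),
                ("172.16.0.1", 1234, "10.0.0.6", 22, b"GET /index.html"),
                ("172.16.0.1", 1234, "172.16.5.5", 22, b"POST /")]:
        print(pkt[:4], "->", classify(SAMPLE_ADDR_RULES, SAMPLE_FIELD_RULES, *pkt))
```

The all-zero rule placed last acts as the default behavior, and the suspended rule 3 is skipped even though its address fields match the last sample packet; ordering the list is therefore part of the rule semantics under the first-match assumption.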
6. The method according to claim 5, characterized in that, because dynamically set rules have a limited lifetime, the packet rule list based on the packet's IP address and port information that is loaded into memory gains two further fields, "dynamic/static" and "timeout count", and its format is:
[Table: packet rule list based on IP address and port information, extended with the "dynamic/static" and "timeout count" fields (figure not available).]
7. The method according to claim 2, characterized in that, in step B3, the specific steps of sorting together packets of the same protocol type comprise:
1) creating a new data table when a new packet is received;
2) when a data message is received, first looking up the packet number corresponding to it in the data table; if it is found, judging whether the data message is the last fragment; if not, adding the data message to the corresponding packet; otherwise, deleting this packet;
3) when the packet is out of order or retransmitted and is not deleted normally, starting a timer and deleting the packet when the timer expires.
8. The method according to claim 1, characterized in that the DFA is built with the AC algorithm; the DFA is a five-tuple {Q, Σ, q0, δ, A(α, β)}, where Q is the set of states; Σ is the alphabet; q0 is the initial state; A(α, β) is the set of terminal states, in which α is the depth of the terminal state, i.e. the number of edges traversed from the root node to that state, and β is the length of the longest matching string that the terminal state can output; δ is the state transition function.
9. The method of claim 1, characterized in that, in step C, compressing each matching string in the pattern set comprises the steps of:
C1) converting the byte sequence of each matching string in the pattern set into a bit sequence;
C2) converting the bit sequence into a byte sequence, which completes the compression of the matching string;
in step C2, starting from the first bit of the bit sequence, every 8 bits are taken as one unit and converted into 1 byte; the fewer than 8 bits left over at the end of the bit sequence are discarded.
10. The method of claim 1, characterized in that, in step D, generating the new character string by compressing the character string in the packet comprises the steps of:
D1) converting the byte sequence of the character string in the packet into a bit sequence;
D2) converting the bit sequence into a byte sequence, which yields the new character string;
in step D2, starting from the first bit of the bit sequence, every 8 bits are taken as one unit and converted into 1 byte; the fewer than 8 bits left over at the end of the bit sequence are discarded.
CN201310398924.7A 2013-09-05 2013-09-05 Filtering method for network data package Pending CN103491069A (en)

Publications (1)

Publication Number Publication Date
CN103491069A true CN103491069A (en) 2014-01-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140101