CN103746869B - Multistage deep packet inspection method combining data/mask matching and regular expressions - Google Patents

Info

Publication number: CN103746869B (application CN201310720871.6A)
Authority: CN (China)
Prior art keywords: data, match, packet, regular expression, mask
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN201310720871.6A
Other languages: Chinese (zh)
Other versions: CN103746869A (en)
Inventors: 戴锦友, 余少华, 汪学舜, 朱国胜
Current assignee: Fiberhome Telecommunication Technologies Co Ltd (as listed by Google Patents; may be inaccurate)
Original assignee: Wuhan FiberHome Networks Co Ltd
Priority date / filing date: 2013-12-24 (listed as an assumption, not a legal conclusion)
Application filed by Wuhan FiberHome Networks Co Ltd
Publication of CN103746869A: 2014-04-23
Application granted; publication of CN103746869B: 2017-11-10
Abstract

The invention discloses a multistage deep packet inspection method combining data/mask matching and regular expressions. It includes a step for matching characteristic data at layer four and below: the layer-two to layer-four protocol headers of the packet to be inspected are matched against the corresponding data/mask in the detection rule. If the match succeeds, processing continues with the next step; if the match fails, the operation of this detection rule on this packet ends. The invention combines the advantages of deep packet inspection based on fixed characteristic words with those of deep packet inspection based on regular expressions and overcomes the deficiencies of both: diverse and frequently changing application protocols can be precisely identified by regular expression matching, while the probability that the regular expression matching operation has to run is greatly reduced, which saves system resources and improves system performance.

Description

Multistage deep packet inspection method combining data/mask matching and regular expressions
Technical field
The present invention relates to network communication technology, and in particular to a multistage deep packet inspection method combining data/mask matching and regular expressions.
Background technology
Deep packet inspection (DPI) technology is widely applied in fields such as network traffic management, real-time network status monitoring and analysis, network security, network optimization, network QoS enhancement and intelligent pipes.
At present, research into DPI-related technologies and methods is still progressing. Existing DPI identification technologies can be grouped into three major classes: 1) identification based on characteristic words (signatures); 2) application-layer gateway (ALG) identification; 3) behaviour-pattern identification. Of these, identification based on characteristic words is the most widely used.
Identification based on characteristic words can be further divided into identification based on data and mask and identification based on regular expressions.
Identification based on data and mask is relatively simple to implement: it can be realized in application-specific integrated circuits (ASIC), in programmable logic devices such as field-programmable gate arrays (FPGA), and in software, so it is highly practical, and it is especially suited to detection over layer-two to layer-four protocol headers. However, because the values, positions and lengths of the data and mask are fixed, it is difficult to adapt to the diverse and frequently "mutating" application protocols seen today.
Identification based on regular expressions, thanks to the expressive power of regular expressions, is especially suited to detecting application-layer protocols whose characteristic words are not fixed. However, regular expression processing needs more system resources, and its longer processing time also significantly affects the forwarding performance of the system. Moreover, current ASICs generally do not support regular-expression-based identification, and implementing it in programmable logic devices such as FPGAs also has limitations; regular-expression-based detection is therefore usually implemented in software running on general-purpose or multi-core processors, so its real-time performance remains a greater challenge.
Content of the invention
In view of this, the primary object of the present invention is to provide a multistage deep packet inspection method combining data/mask matching and regular expressions. It is based on characteristic-word analysis and combines the advantages of methods based on fixed characteristic words (such as data and mask) with those of methods based on regular expressions, using the two methods in a graded combination, each applied to different characteristic data in the packet. This resolves the deficiency that deep packet inspection based on fixed characteristic words has difficulty adapting to diverse and changeable application-layer protocols, and the deficiency that deep packet inspection based on regular expressions has difficulty meeting the processing-capacity demands of high-performance real-time forwarding, thereby saving system resources and improving system performance.
To achieve the above object, the technical solution of the invention is realized as follows:
A multistage deep packet inspection method combining data/mask matching and regular expressions, including:
A step for matching characteristic data at layer four and below (including layer four): the layer-two to layer-four protocol headers of the packet to be inspected are matched against the corresponding data/mask in the detection rule. If the match succeeds, processing continues with the next step; if the match fails, the operation of this detection rule on this packet ends.
This characteristic-data matching step is suited to a data/mask based processing method, and its function can be realized with an application-specific integrated circuit (ASIC), with a field-programmable gate array (FPGA) combined with ternary content-addressable memory (TCAM), or in software.
The method further includes a step for matching fixed characteristic data above layer four, specifically:
The protocol headers above layer four of the packet to be inspected are matched against the corresponding data/mask in the detection rule. If the match succeeds, processing continues with the next step; if the match fails, the operation of this detection rule on this packet ends.
The function of the step for matching fixed characteristic data above layer four can be realized with an application-specific integrated circuit (ASIC), with a field-programmable gate array (FPGA) combined with ternary content-addressable memory (TCAM), or in software.
The method further includes a step for regular expression matching above layer four, specifically:
The application-layer characteristic data of the packet to be inspected is matched against the corresponding regular expression in the detection rule. If the match succeeds, the operation corresponding to this detection rule is performed; if the match fails, the operation of this detection rule on this packet ends.
The step for regular expression matching above layer four is realized with an FPGA or with software running on a general-purpose or multi-core processor.
A deep packet inspection method including the multistage deep packet inspection method combining data/mask matching and regular expressions of claim 1, claim 3 or claim 5, including:
When a packet to be inspected exists, checking whether the system is configured with a detection rule (for the data/mask part at layer four and below, for the data/mask part above layer four, or for the application-layer regular expression part) that has not yet been processed; if such an unprocessed detection rule exists, the packet is processed against that detection rule.
Preferably, after obtaining the detection result, i.e. that the match succeeded and the corresponding operation was performed or that the match failed, the following is further performed:
1) If the match failed and an unprocessed rule exists, continue with the next unprocessed rule; if the match failed and no next unprocessed rule exists, continue with the next packet; or
2) If the match succeeded, there are two options: the inspection of this packet ends, or the packet continues to be processed against the next detection rule; the option is determined by configuration.
The multistage deep packet inspection method combining data/mask matching and regular expressions provided by the present invention has the following advantages:
The method addresses the deficiency that deep packet inspection based on fixed characteristic words has difficulty adapting to diverse and changeable application-layer protocols, and the defect that deep packet inspection based on regular expressions has difficulty meeting the processing-capacity demands of high-performance real-time forwarding; by combining the two it obtains the advantages of both while compensating for the deficiencies of both. The detection rule is designed and stored in three segments, and processing is performed in three corresponding steps. For any packet and any detection rule: 1) the corresponding fields of the packet are matched against the segment 1 data/mask of the rule; if the match succeeds, proceed to the next step, otherwise return with a match failure; 2) the corresponding fields of the packet are matched against the segment 2 data/mask of the rule; if the match succeeds, proceed to the next step, otherwise return with a match failure; 3) the application-layer data of the packet is matched against the regular expression in the rule; if the match succeeds, the operation corresponding to the rule is performed. In this way, diverse and frequently changing application protocols can be precisely identified through regular expression matching, while the probability that the regular expression matching operation has to run is greatly reduced, which saves system resources and improves system performance.
Brief description of the drawings
Fig. 1 is the process flow chart of the present invention for matching any packet against any rule;
Fig. 2 is the detection rule table structure of the present invention;
Fig. 3 is the complete deep packet inspection process flow chart of an embodiment of the present invention.
Embodiments
The multistage deep packet inspection method of the present invention is further described in detail below in conjunction with the drawings and embodiments.
The deep packet inspection method of the present invention has a distinctive consideration in the design of the detection rule. Based on the characteristics of the TCP/IP protocol stack, which is representative of modern network communication, and of the seven-layer communication protocol defined by OSI/ISO (physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer), and on the current structure of the various application protocol packets on the Internet, the detection rule is designed as a three-segment structure; that is, the detection rule consists of the following three parts, as shown in Fig. 2:
1) The data/mask part for layer four and below (including layer four), mainly corresponding to the layer-two to layer-four protocol headers; in this part every field is clearly defined, and the field values, lengths and positions are determinate.
2) The data/mask part above layer four (excluding layer four), mainly corresponding to those fields of the layer-four to layer-seven protocol headers that are comparatively fixed and rarely change.
3) The application-layer regular expression part, mainly handling the characteristics of application-layer protocols that are not fixed or that change frequently.
The main processing flow of the method is based on the above detection rule table structure. The detection method of the present invention is further explained below, beginning with the processing flow for one packet to be inspected against one detection rule.
Fig. 1 is the process flow chart of the present invention for matching any packet against any rule, and it is also the main functional flow chart of the invention. As shown in Fig. 1, the process mainly includes the following three steps:
Step 1: the step of matching characteristic data at layer four and below (including layer four).
Specifically: the layer-two to layer-four protocol headers of the packet to be inspected are matched against the corresponding data/mask in the detection rule.
If the match succeeds, continue with the next processing step.
If the match fails, the operation of this detection rule on this packet ends.
Here, whether in the TCP/IP protocol stack or in the seven-layer model defined by OSI/ISO, the first layer, the physical layer, is mainly realized in hardware and can be ignored. The protocol header structures of the second to fourth layers are clear and fixed, so this part is suited to a data/mask based processing method, and this function can be realized with an ASIC, with an FPGA combined with ternary content-addressable memory (TCAM), in software, and so on. In view of real-time performance and scalability, implementing it with an FPGA combined with TCAM is more suitable.
Because a large number of packets have already been filtered out in step 1, steps 2 and 3 are in most cases not executed, so the efficiency of a deep packet inspection system using the method of the invention can be greatly improved.
Step 2: the step of matching fixed characteristic data above layer four (not including layer four).
Specifically: the protocol headers above layer four of the packet to be inspected (layers four to seven in the OSI/ISO seven-layer model; for the TCP/IP stack, since the division of layers above layer four has no unified standard, "above layer four" is the better expression) are matched against the corresponding data/mask in the detection rule.
If the match succeeds, continue with the next processing step.
If the match fails, the operation of this detection rule on this packet ends.
Even in application-layer protocols there may be protocol fields with fixed position, value and length. These determinate fields are also suited to a data/mask based processing method. Since a large number of packets were already filtered out in step 1, the processing load of step 2 is greatly reduced; step 2 can therefore be realized with an ASIC, with an FPGA combined with TCAM, in software, and so on.
Step 3: the step of regular expression matching above layer four.
Specifically: the application-layer characteristic data of the packet to be inspected is matched against the corresponding regular expression in the detection rule; either a deterministic finite automaton (DFA) algorithm driven by the application-layer characteristic data or a non-deterministic finite automaton (NFA) algorithm based mainly on the regular expression can be used.
If the match succeeds, the operation corresponding to this detection rule is performed.
If the match fails, the operation of this detection rule on this packet ends.
Because of the diversity and variability of application-layer protocols, these characteristics are difficult to detect with a data/mask based method, so a regular-expression-based method is needed. In view of flexibility and scalability, this function is preferably realized with an FPGA or with software running on a general-purpose or multi-core processor.
Although regular-expression-based detection affects real-time performance, the first two steps have already filtered out the vast majority of packets, so very few packets enter the regular expression matching process; the impact of regular-expression-based detection on real-time performance can thus be reduced to a minimum.
Because the whole detection process of the method is divided into the above three stages (the three steps above), and each stage uses different detection rule data, the structure of the detection rule should also be designed to correspond to the processing procedure.
Fig. 2 shows the detection rule table structure used in the above detection method of the present invention. Each detection rule is composed of three relatively independent parts: the data/mask part for layer four and below (including layer four), the data/mask part above layer four (excluding layer four), and the application-layer regular expression part. In a specific implementation the three parts can be stored together or stored separately; they can even be stored in different storage devices, such as TCAM or SRAM.
It should be noted that not every detection rule contains all three parts. If a detection rule lacks a certain part, the match on that part is regarded as successful.
Fig. 3 is the complete deep packet inspection process flow chart of an embodiment of the invention. As shown in Fig. 3, it is an example of a complete detection process based on the flow shown in Fig. 1.
When a packet to be inspected exists, check whether the system is configured with a rule (data/mask at layer four and below, data/mask above layer four, or application-layer regular expression) that has not yet been processed; if so, the flow shown in Fig. 1 is executed for that rule.
After the flow shown in Fig. 1 finishes, there are two possible results: the match succeeded and the corresponding operation was performed, or the match failed.
1) If the match failed and an unprocessed rule exists, continue with the next unprocessed rule; if the match failed and no next unprocessed rule exists, continue with the next packet.
2) If the match succeeded, there are two options: the inspection of this packet ends, or the packet continues to be processed against the next detection rule; the option is determined by configuration.
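The three-step flow of Fig. 1 (data/mask at layer four and below, data/mask above layer four, then the regular expression), the rule-table walk of Fig. 3 with its configurable stop-after-first-match option, and the rule that an absent part counts as a successful match, as an added Python example that is not part of the patent and not code from the applicant. The frame layout (14-byte Ethernet, 20-byte IPv4, 20-byte layer-four header), the three sample rules, the five sample frames and the stage counters are all constructed for this example; a real implementation would parse real headers, and, as the description says, would run stages 1 and 2 in an ASIC or an FPGA with TCAM.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example (not the patent's code). A detection rule has the three
# parts of Fig. 2: data/mask for L2..L4, data/mask for fixed fields above L4,
# and a regular expression over the application-layer bytes.


@dataclass(frozen=True)
class MaskField:
    offset: int   # byte offset into the frame
    data: bytes   # expected value
    mask: bytes   # 1 bits are compared, 0 bits are "don't care" (TCAM-style)

    def matches(self, frame: bytes) -> bool:
        end = self.offset + len(self.data)
        if end > len(frame):
            return False            # field lies beyond the frame: no match
        window = frame[self.offset:end]
        return all((w & m) == (d & m)
                   for w, d, m in zip(window, self.data, self.mask))


@dataclass
class Rule:
    name: str
    below_l4: List[MaskField]         # part 1: L2..L4 headers
    above_l4: List[MaskField]         # part 2: fixed fields above L4
    app_regex: Optional[re.Pattern]   # part 3: application-layer regex, or None


def match_rule(frame: bytes, app_offset: int, rule: Rule,
               stats: Dict[str, int]) -> bool:
    """Per-packet, per-rule flow of Fig. 1: three stages with early exit."""
    stats["stage1"] += 1
    if not all(f.matches(frame) for f in rule.below_l4):   # empty list: absent part = success
        return False
    stats["stage2"] += 1
    if not all(f.matches(frame) for f in rule.above_l4):
        return False
    if rule.app_regex is not None:    # absent regex part counts as success
        stats["regex_runs"] += 1
        if rule.app_regex.search(frame[app_offset:]) is None:
            return False
    return True


def inspect(frames: List[bytes], app_offset: int, rules: List[Rule],
            stop_on_first_match: bool = True) -> Tuple[Dict[int, List[str]], Dict[str, int]]:
    """Rule-table walk of Fig. 3. Returns (rule names matched per frame index, stage counters)."""
    stats = {"stage1": 0, "stage2": 0, "regex_runs": 0}
    matches: Dict[int, List[str]] = {}
    for i, frame in enumerate(frames):
        for rule in rules:
            if match_rule(frame, app_offset, rule, stats):
                matches.setdefault(i, []).append(rule.name)
                if stop_on_first_match:   # the configurable option in the description
                    break
    return matches, stats


def build_frame(ip_proto: int, dst_port: int, payload: bytes) -> bytes:
    """Constructed minimal frame: 14-byte Ethernet + 20-byte IPv4 + 20-byte L4 header."""
    eth = b"\x00" * 12 + b"\x08\x00"                                   # EtherType IPv4 at offset 12
    ip = (b"\x45\x00\x00\x00\x00\x00\x00\x00\x40" + bytes([ip_proto])  # protocol at offset 23
          + b"\x00\x00" + b"\x0a\x00\x00\x01" + b"\x0a\x00\x00\x02")
    l4 = (1234).to_bytes(2, "big") + dst_port.to_bytes(2, "big") + b"\x00" * 16  # dst port at 36
    return eth + ip + l4 + payload


APP_OFFSET = 54   # application data starts after the constructed headers


def l2_l4(ip_proto: int, dst_port: int) -> List[MaskField]:
    """Part 1 of a rule: IPv4 EtherType, IP protocol and destination port."""
    return [MaskField(12, b"\x08\x00", b"\xff\xff"),
            MaskField(23, bytes([ip_proto]), b"\xff"),
            MaskField(36, dst_port.to_bytes(2, "big"), b"\xff\xff")]


RULES = [   # constructed sample rules
    Rule("http_get", l2_l4(6, 80),
         [MaskField(APP_OFFSET, b"GET ", b"\xff" * 4)],            # fixed method token
         re.compile(rb"^GET \S+ HTTP/1\.[01]\r\nHost: [^\r\n]+\r\n")),
    # TLS record: type 0x16 (handshake), major version 3, minor version wildcarded by the mask
    Rule("tls_handshake", l2_l4(6, 443),
         [MaskField(APP_OFFSET, b"\x16\x03\x00", b"\xff\xff\x00")], None),
    Rule("dns_query", l2_l4(17, 53), [], None),                     # parts 2 and 3 absent
]

FRAMES = [   # constructed sample traffic
    build_frame(6, 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_frame(6, 443, b"\x16\x03\x01\x00\x05hello"),
    build_frame(17, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00"),
    build_frame(6, 22, b"SSH-2.0-OpenSSH_9.0\r\n"),
    build_frame(6, 8080, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),   # port mismatch: never reaches the regex
]

if __name__ == "__main__":
    found, counters = inspect(FRAMES, APP_OFFSET, RULES)
    print(found)      # {0: ['http_get'], 1: ['tls_handshake'], 2: ['dns_query']}
    print(counters)   # {'stage1': 12, 'stage2': 3, 'regex_runs': 1}
```

The counters make the filtering argument of the description concrete: across five frames and three rules, stage 1 runs twelve times, stage 2 three times, and the regular expression only once, because the fixed-field stages reject everything else before the expensive matcher is reached. The mask on the TLS rule shows why the second stage is still data/mask rather than a regex: a field with a fixed position and a partly variable value is expressed as don't-care bits, which is exactly what a TCAM lookup evaluates in one cycle.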
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention.

Claims (5)

  1. A multistage deep packet inspection method combining data/mask matching and regular expressions, characterised in that it includes:
    a step for matching characteristic data at layer four and below: the layer-two to layer-four protocol headers of the packet to be inspected are matched against the corresponding data/mask in the detection rule; if the match succeeds, processing continues with the next step; if the match fails, the operation of this detection rule on this packet ends;
    and further includes a step for matching fixed characteristic data above layer four, specifically:
    the protocol headers above layer four of the packet to be inspected are matched against the corresponding data/mask in the detection rule; if the match succeeds, processing continues with the next step; if the match fails, the operation of this detection rule on this packet ends;
    and further includes a step for regular expression matching above layer four, specifically:
    the application-layer characteristic data of the packet to be inspected is matched against the corresponding regular expression in the detection rule; if the match succeeds, the operation corresponding to this detection rule is performed; if the match fails, the operation of this detection rule on this packet ends.
  2. The multistage deep packet inspection method combining data/mask matching and regular expressions according to claim 1, characterised in that the function of the step for matching fixed characteristic data above layer four can be realized with an application-specific integrated circuit (ASIC), with a field-programmable gate array (FPGA) combined with ternary content-addressable memory (TCAM), or in software.
  3. The multistage deep packet inspection method combining data/mask matching and regular expressions according to claim 1, characterised in that the step for regular expression matching above layer four is realized with an FPGA or with software running on a general-purpose or multi-core processor.
  4. A deep packet inspection method including the multistage deep packet inspection method combining data/mask matching and regular expressions of claim 1, characterised in that it includes:
    when a packet to be inspected exists, checking whether the system is configured with a detection rule for the data/mask part at layer four and below, for the data/mask part above layer four, or for the application-layer regular expression part, which has not yet been processed; if such an unprocessed detection rule exists, the packet continues to be processed against that detection rule.
  5. The deep packet inspection method including the multistage deep packet inspection method combining data/mask matching and regular expressions according to claim 4, characterised in that after obtaining the detection result, i.e. that the match succeeded and the corresponding operation was performed or that the match failed, the following is further performed:
    1) if the match failed and an unprocessed detection rule exists, continue with the next unprocessed detection rule; if the match failed and no next unprocessed detection rule exists, continue with the next packet; or
    2) if the match succeeded, there are two options: the inspection of this packet ends, or the packet continues to be processed against the next detection rule; the option is determined by configuration.
Application CN201310720871.6A, priority date 2013-12-24, filing date 2013-12-24: Multistage deep packet inspection method combining data/mask matching and regular expressions, status Active, CN103746869B (en)

Priority Applications (1)

Application Number                    Priority Date  Filing Date  Title
CN201310720871.6A CN103746869B (en)   2013-12-24     2013-12-24   Multistage deep packet inspection method combining data/mask matching and regular expressions

Applications Claiming Priority (1)

Application Number                    Priority Date  Filing Date  Title
CN201310720871.6A CN103746869B (en)   2013-12-24     2013-12-24   Multistage deep packet inspection method combining data/mask matching and regular expressions

Publications (2)

Publication Number   Publication Date
CN103746869A (en)    2014-04-23
CN103746869B (en)    2017-11-10

Family

ID=50503860

Family Applications (1)

Application Number                           Priority Date  Filing Date  Title
CN201310720871.6A Active CN103746869B (en)   2013-12-24     2013-12-24   Multistage deep packet inspection method combining data/mask matching and regular expressions

Country Status (1)

Country   Link
CN (1)    CN103746869B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number   Priority date  Publication date  Assignee                            Title
CN104348729B *       2014-10-11     2018-08-21        北京中创腾锐技术有限公司              Internet traffic classification method combining software and hardware
CN105429820B *       2015-11-05     2018-10-09        武汉烽火网络有限责任公司              Deep packet inspection system and method based on software-defined networking
CN106656501A *       2016-09-23     2017-05-10        深圳市紫光同创电子有限公司            Data packet verification method and data packet verification system
CN110232364A *       2019-06-18     2019-09-13        华中师范大学                         Answer-sheet page number recognition method and device
CN111866202B *       2019-11-08     2023-04-07        北京嘀嘀无限科技发展有限公司          Message sending method and device, electronic equipment and storage medium
CN111817917B *       2020-07-03     2021-12-24        中移(杭州)信息技术有限公司           Deep packet inspection method, device, server and storage medium

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number   Priority date  Publication date  Assignee                            Title
CN101420371A *       2008-07-03     2009-04-29        江苏华丽网络工程有限公司              Dynamic function supporting method and system for ASIC fusion network device
CN101771627A *       2009-01-05     2010-07-07        武汉烽火网络有限责任公司              Equipment and method for analyzing and controlling node real-time deep packet on internet
CN102163221A *       2011-04-02     2011-08-24        华为技术有限公司                     Pattern matching method and device thereof
EP2595355A1 *        2010-11-29     2013-05-22        Huawei Technologies Co., Ltd.       Method and device used in acquiring parameters for general analysis of protocol and in general analysis of protocol

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number   Priority date  Publication date  Assignee                            Title
CN102347949B *       2011-09-28     2014-07-02        上海西默通信技术有限公司              Application protocol analysis method based on DPI (Distributed Protocol Interface)

Legal Events

Date        Code   Title                                                   Description
            C06    Publication
            PB01   Publication
            C10    Entry into substantive examination
            SE01   Entry into force of request for substantive examination
            GR01   Patent grant
            TR01   Transfer of patent right
                   Effective date of registration: 20190114
                   Address after: 430074 No. 6, High-tech Fourth Road, Donghu High-tech Development Zone, Wuhan City, Hubei Province
                   Patentee after: Fenghuo Communication Science &. Technology Co., Ltd.
                   Address before: 430074 3rd Floor, Optical Communication Building, No. 5 Dongxin Road, Donghu Development Zone, Wuhan City, Hubei Province
                   Patentee before: Wuhan Fenghuo Network Co., Ltd.