Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, a flowchart of a method for setting an aging time of a session entry according to an embodiment of the present invention may include:
S1, learning the maximum survival time of the session table entries within a preset learning time period until the learning time period is finished;
In the preset learning time period, the firewall or the router processes incoming messages normally. That is, while processing messages normally, the firewall or the router learns the maximum lifetime of the session entries, and the maximum lifetime of the session entries corresponding to different application protocols can be obtained through learning.
S2, resetting the aging time of the session table entry by taking the maximum survival time learned in the learning time period as the aging time reference value.
For example, the aging time reference value and the aging time floating value can be summed (i.e. the aging time reference value + the aging time floating value), and the result of the summation is assigned as the aging time for the session entry, so as to reset the aging time for the session entry.
More specifically, the aging time floating value may be 0 or greater.
Therefore, in the embodiment of the present invention, the firewall or the router learns the maximum lifetime of the session entry, and then sets the aging time according to the learning result. In different scenarios, the learned maximum survival time of the session entries differs, so setting the aging time according to the learned maximum survival time dynamically adjusts the actual aging time to the scenario, and the method therefore has strong adaptability.
In other embodiments of the present invention, the maximum survival time learned in step S2 may specifically be the maximum survival time recorded at the end of the learning time period.
More specifically, the firewall or router may create an array for storing the maximum time-to-live. At the end of the learning period, the data stored in the array is the learned maximum lifetime.
In other embodiments of the present invention, the session table entry may include a hit time of the session table entry and a maximum time interval between two hits of the message on the session table entry.
The hit time of the session entry is recorded as follows: when a message enters the firewall or the router, the firewall or the router searches for the corresponding session table entry, and once the session table entry is found, the hit time in the session table entry is updated to the time at which the entry was found (that is, the time at which the message entered). If the session table entry is not found, a session table entry is created according to the index, and the time at which the entry was searched for is assigned to the hit time of the created session table entry. The index includes a source IP address, a destination IP address, a source port, a destination port, and a transport layer protocol number.
For example, when a packet a enters, the firewall or the router searches for its corresponding session entry. Assume that the time at which the corresponding session entry is found is 12:30:12 and that the hit time (i.e. the time the last message entered) recorded by the session entry at this point is 12:30:10; the hit time of the session entry is then changed to 12:30:12.
If the session entry is not found, a session entry is created, and both its creation time and its hit time are filled in as 12:30:12.
It should be noted that the session table entry adopted in the prior art also records the hit time, but does not record the maximum time interval between two message hits on the session table entry.
The maximum time interval of the message hitting the session table entry twice is obtained as follows:
when a new message is hit (i.e. a message enters), calculating the difference between the hit time of the new message (i.e. the current time) and the hit time recorded by the session table entry (i.e. the hit time of the previous message), comparing the difference with the maximum hit time interval recorded by the session table entry, and recording the larger of the difference and the maximum hit time interval as the maximum time interval.
Still using the previous example, packet a enters and the firewall or router finds the corresponding session entry at 12:30:12 (i.e. the hit time of message a is 12:30:12), while the hit time recorded by the session table entry at this point is 12:30:10; the difference between 12:30:12 and 12:30:10 is 2 seconds.
Assuming that the maximum time interval recorded by the session entry is 10 seconds, comparing 2 seconds with 10 seconds shows that 10 seconds is larger, so 10 seconds is recorded as the maximum time interval. If instead the session entry records a maximum time interval of 1 second, then 2 seconds is recorded as the maximum time interval.
In another special case, when the first message enters, a session table entry corresponding to the first message is created, and at this time, the session table entry has no record of the hit time, so that the difference between the hit time of the new message and the hit time of the previous message cannot be calculated, and the maximum time interval is not recorded. Of course, in this case, the maximum time interval may be considered to be 0.
In other embodiments of the present invention, one way of "learning the maximum lifetime of the session entry" in all the above embodiments may include:
Step A, regularly checking whether a session table entry meets a first aging condition;
Step B, when the first aging condition is met, comparing the maximum time interval recorded by the session table entry with the recorded maximum survival time, and recording the larger of the two as the maximum survival time.
Wherein the first aging condition may include: the difference between the current check time and the hit time of the session entry is greater than the aging time of the session entry.
For example, assuming that the aging time of the session entry is 10 minutes, the hit time recorded by the session entry is 12:30:10 and the current check time is 12:41:10, the difference between the two is 11 minutes. Since the difference is greater than the aging time, step B is executed.
In performing step B, assuming that the maximum time-to-live recorded by the firewall or router is 9 minutes and the maximum time interval recorded by the session entry is 10 minutes, 10 minutes is recorded as the maximum time-to-live. The session entry may then be aged.
A more detailed flow including step A and step B is shown in FIG. 2.
In other embodiments of the present invention, the number of the learning time periods in all the embodiments described above may be one, or may be more than one.
When the number of the learning time periods is one, the aging time of the session entry in the first aging condition may be factory aging time of a protocol corresponding to the session entry.
When the number of the learning time periods is more than one, in the first learning time period the aging time of the session table entry in the first aging condition is the factory aging time of the protocol corresponding to the session table entry. In the other learning time periods, the aging time of the session table entry in the first aging condition is the aging time reset at the end of the previous learning time period.
For example, the aging time of the session entry used in the learning period 3 is the aging time reset at the end of the learning period 2. The aging time of the session entry adopted in the learning period 4 is the aging time reset at the end of the learning period 3. By analogy, the description is omitted.
It should be noted that, when the aging time is reset, the firewall or the router may automatically sum the aging time reference value (the learned maximum lifetime) and the aging time floating value, and assign the sum result as the aging time for the session table entry.
Manual settings may also be supported: upon expiration of the learning period, the firewall or router displays the learned maximum lifetime (aging time reference value) or an aging time setting suggestion value (aging time setting suggestion value is equal to the sum of the aging time reference value and the aging time float value). The user may manually reset the aging time for the session entry with reference to the aging time reference value or the aging time setting suggestion value.
As mentioned above, during the preset learning period, the firewall or the router normally processes the incoming packet. Next, referring to fig. 3, taking the number of learning time periods as 1 as an example, how to perform learning and reset the aging time for the session table entry when the message is normally processed is described:
Step 01, a message enters the firewall.
Step 02, according to the index (such as source address, source port, destination address, destination port, transport layer protocol number), searching the corresponding session table entry.
How to search according to the index is the prior art, and is not described herein.
Step 03, if the session table entry is not found, creating a session table entry and recording the creation time.
Because the learning time period is one, the aging time of the session table entry is the factory preset value of the corresponding protocol.
Step 04, if the session table entry is found or the session table entry is created, refreshing the hit time in the session table entry and the maximum time interval between two times of hitting the session table entry by the message.
The refreshing the hit time in the session entry may specifically include: the hit time in the session entry is changed to the time when the session entry is found.
Refreshing the maximum time interval between two message hits on the session table entry may specifically include:
calculating the difference between the current time (i.e. the time when the session entry is found) and the hit time of the previous message.
If it is the first calculation, the difference is directly recorded as the maximum time interval in the session table entry. Otherwise, the difference is compared with the maximum time interval recorded in the session entry, and the larger of the two is recorded as the maximum time interval.
Step 05, monitoring the whole session table in real time, and continuously checking whether the session table entries in the session table meet the first aging condition.
Step 06, if any session table entry meets the first aging condition, comparing the maximum time interval recorded in the session table entry with the recorded maximum survival time, and recording the larger of the two as the maximum survival time.
For example, assuming that the maximum time-to-live that the firewall or router has recorded is 9 minutes and the maximum time interval recorded in the session table entry is 10 minutes, 10 minutes is recorded as the maximum time-to-live.
Step 07, aging the session table entry meeting the first aging condition. That is, the session table entry satisfying the first aging condition is deleted to release the resource.
Step 08, judging whether the learning time period is expired. If not, the session table continues to be monitored and maximum time to live learned.
Step 09, when the learning time period expires, resetting the aging time for the session table entry by taking the maximum survival time learned in the learning time period as the aging time reference value.
After the aging time is reset, a message enters the firewall, and when the session table entry is created in step 03, the reset aging time is used as the aging time of the created session table entry.
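The first learning method (the hit-time and maximum-interval bookkeeping described above and the fig. 3 flow of steps 01 to 09), as an added simulation that is not the patent's own code. It assumes a 5-tuple index, times expressed as seconds since midnight, a per-protocol factory aging time, and that a protocol for which nothing was learned keeps its previous aging time; the aging check is invoked at chosen instants instead of running continuously.

```python
from dataclasses import dataclass

# 5-tuple index from the page: (source IP, destination IP, source port, destination port, protocol number)
Index = tuple[str, str, int, int, int]


def hms(text: str) -> int:
    """Convert a clock time such as '12:30:12' into seconds since midnight."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


@dataclass
class SessionEntry:
    created: int       # creation time, seconds since midnight
    hit_time: int      # time the last message hit this entry
    max_interval: int  # largest gap between two consecutive hits (0 until a second hit, as the page allows)
    aging_time: int    # aging time bound to the entry when it was created


class SessionTable:
    """Session table that learns the maximum lifetime per protocol (constructed simulation, not the patent's code)."""

    def __init__(self, factory_aging: dict[int, int], float_value: int = 0):
        self.aging_time = dict(factory_aging)              # current aging time per protocol, starts at factory value
        self.float_value = float_value                     # aging time floating value (>= 0)
        self.entries: dict[Index, SessionEntry] = {}
        self.max_lifetime = {p: 0 for p in factory_aging}  # the learned "array of maximum time-to-live"

    def packet_in(self, index: Index, now: int) -> SessionEntry:
        """Steps 02-04: look up the entry by index, create it if missing, else refresh hit time and max interval."""
        entry = self.entries.get(index)
        if entry is None:
            entry = SessionEntry(created=now, hit_time=now, max_interval=0,
                                 aging_time=self.aging_time[index[4]])
            self.entries[index] = entry
            return entry
        gap = now - entry.hit_time                         # current time minus the previous hit time
        entry.max_interval = max(entry.max_interval, gap)  # keep the larger of the two
        entry.hit_time = now
        return entry

    def check_aging(self, now: int) -> list[Index]:
        """Steps 05-07: first aging condition, fold the aged entry's max interval into the learned value, delete it."""
        aged = []
        for index, entry in list(self.entries.items()):
            if now - entry.hit_time > entry.aging_time:    # first aging condition
                proto = index[4]
                self.max_lifetime[proto] = max(self.max_lifetime[proto], entry.max_interval)
                del self.entries[index]                    # release the resource
                aged.append(index)
        return aged

    def end_learning_period(self) -> dict[int, int]:
        """Step 09: new aging time = learned reference value + floating value.
        Assumption: a protocol for which nothing was learned keeps its previous aging time."""
        for proto, learned in self.max_lifetime.items():
            if learned > 0:
                self.aging_time[proto] = learned + self.float_value
        return dict(self.aging_time)


def run_learning_demo() -> dict:
    """Replays the page's numbers: TCP factory aging 10 minutes, hits at 12:30:10 and 12:30:12, then longer gaps."""
    table = SessionTable(factory_aging={6: 600, 17: 60}, float_value=30)
    tcp: Index = ("10.0.0.1", "10.0.0.2", 40000, 443, 6)   # constructed sample flows
    udp: Index = ("10.0.0.1", "10.0.0.3", 50000, 53, 17)
    table.packet_in(tcp, hms("12:30:10"))
    entry = table.packet_in(tcp, hms("12:30:12"))          # gap of 2 s, as in the page's example
    gap_after_two = entry.max_interval
    table.packet_in(tcp, hms("12:35:12"))                  # gap of 300 s, the largest this flow sees
    table.packet_in(udp, hms("12:30:00"))
    table.packet_in(udp, hms("12:30:20"))                  # gap of 20 s
    aged_early = table.check_aging(hms("12:40:00"))        # TCP idle 288 s < 600; UDP idle 580 s > 60: only UDP ages
    aged_late = table.check_aging(hms("12:46:10"))         # TCP idle 658 s > 600: TCP ages now
    new_aging = table.end_learning_period()
    return {"gap_after_two": gap_after_two, "aged_early": aged_early, "aged_late": aged_late,
            "learned": dict(table.max_lifetime), "aging_time": new_aging}
```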
Another way of learning the maximum lifetime of a session entry will be described below. In the method, the maximum survival time of the session table entry is periodically learned for a long time, and a session aging time statistical table entry (statistical table) is introduced.
The session aging time statistic table entry records a hit time and a maximum message time interval. The maximum message time interval is the largest of the time intervals between adjacent messages, over all messages that have entered the firewall or the router since the session aging time statistic table entry was created.
In this embodiment, learning the maximum lifetime of the session entry may at least include:
Step one, when a refreshing condition is met, refreshing the record in the session aging time statistic table entry corresponding to the session table entry according to the record in the session table entry.
The corresponding session table entry and the session aging time statistic table entry adopt the same index. For the introduction of the index, please refer to the above description, which is not repeated herein.
Step two, when the session aging time statistic table entry meets a second aging condition and the corresponding session table entry is aged, comparing the maximum message time interval recorded in the session aging time statistic table entry with the recorded maximum survival time, and recording the larger of the two as the maximum survival time.
For example, assuming that the maximum time to live recorded by the firewall or router is 9 minutes and the maximum message time interval recorded in the session aging time statistic table entry is 10 minutes, 10 minutes is recorded as the maximum time to live.
More specifically, the refresh conditions may include a first refresh condition and a second refresh condition; wherein,
the first refresh condition may include that a session entry is created.
The second refreshing condition may include that the session entry satisfies the first aging condition, or the session entry is hit, or the session aging time statistic entry satisfies the second aging condition and the corresponding session entry is not aged;
It should be noted that, in order to avoid frequently updating the statistical table entry, the first refresh condition may only include that the session table entry satisfies the first aging condition, or that the session aging time statistical table entry satisfies the second aging condition and the corresponding session table entry is not aged.
In the first learning time period, the aging time of the session table entry in the first aging condition is the factory aging time of the protocol corresponding to the session table entry; in the rest of the learning time periods, the aging time of the session entry in the first aging condition is the aging time reset when the last learning time period ends. For the related description, please refer to the above description, which is not repeated herein.
The second aging condition may include: the difference between the current check time and the hit time of the session aging time statistic table entry is greater than the aging time of the session aging time statistic table entry.
For example, assuming that the aging time of the statistic table entry is 12 minutes, the hit time recorded by the statistic table entry is 12:30:10 and the current check time is 12:43:10, the difference between the two is 13 minutes, which is greater than the aging time. It is then further judged whether the session table entry is aged; if the session table entry is also aged, the maximum message time interval recorded in the session aging time statistic table entry is compared with the recorded maximum survival time, and the larger of the two is recorded as the maximum survival time.
It should be noted that the aging time of the session aging time statistic table entry is fixed and is the factory aging time of the protocol corresponding to the session table entry, and the purpose of the aging time is described in the following description.
Correspondingly, the "refreshing the record in the session aging time statistic table entry corresponding to the session table entry" may include:
refreshing the maximum message time interval when a first refreshing condition is met;
and refreshing the hit time and the maximum message time interval in the session aging time statistic table entry when a second refreshing condition is met.
Further, refreshing the maximum message time interval may include:
calculating the difference between the creation time of the session table entry and the hit time in the session aging time statistic table entry;
and comparing the calculated difference value with the recorded maximum message time interval in the session aging time statistic table entry, and recording the larger value of the calculated difference value and the recorded maximum message time interval as the maximum message time interval.
The "refreshing the hit time and the maximum message time interval in the session aging time statistic table entry" may include:
updating the hit time in the session aging time statistic table entry into the hit time recorded in the session table entry;
comparing the maximum time interval recorded in the session table item (the maximum time interval of the messages hitting the session table item twice) with the maximum message time interval recorded in the session aging time statistic table item, and recording the larger value of the two as the maximum message time interval.
A more specific flow of how to learn the maximum lifetime and reset the aging time for the session entries will be described below (see fig. 4):
Step 01, a message enters the firewall.
Step 02, according to the index (such as source address, source port, destination address, destination port, transport layer protocol number), searching the corresponding session table entry.
Step 03, if the session table entry is not found, creating a session table entry and recording the creation time.
The session table entry is created according to an index, and the index includes a source IP address, a destination IP address, a source port, a destination port, and a transport layer protocol number. How to create the session table entry is the prior art, and is not described herein in detail.
In this embodiment, the learning is performed periodically for a long period. The number of learning periods is more than one. In the first learning time period, the aging time of the session entry in the first aging condition is the factory aging time of the protocol corresponding to the session entry. And in other learning time periods, the aging time of the session table entry in the first aging condition is the aging time reset when the last learning time period is ended.
Step 04, if the session table entry is found or the session table entry is created, refreshing the hit time in the session table entry and the maximum time interval between two times of hitting the session table entry by the message.
The refreshing the hit time in the session entry may specifically include: the hit time in the session entry is changed to the time when the session entry is found.
Refreshing the maximum time interval between two message hits on the session table entry may specifically include:
calculating the difference between the current time (i.e. the time when the session table entry is found) and the hit time of the previous message;
if it is the first calculation, recording the difference directly as the maximum time interval in the session table entry; otherwise, comparing the difference with the recorded maximum time interval and recording the larger of the two as the maximum time interval.
Step 05, after creating a session table item, searching a corresponding session aging time statistic table item (which will be referred to as a statistic table item hereinafter);
step 06, if the statistical table entry is found, the maximum message time interval (corresponding to the first refresh condition) is refreshed.
The refreshing the maximum message time interval may include:
the time interval (i.e. the difference) between the current time (the creation time of the session entry) and the hit time of the statistical entry is calculated, and compared with the recorded maximum message time interval in the statistical entry, and the larger value of the two is stored in the statistical entry.
By way of example, assume that the current time is 12:30:12 and the hit time recorded by the statistic table entry is 12:30:00; the difference between 12:30:12 and 12:30:00 is 12 seconds.
Assuming that the maximum message time interval recorded by the statistical table entry is 10 seconds, comparing 12 seconds with 10 seconds shows that 12 seconds is greater, so 12 seconds is recorded as the maximum message time interval.
Step 07, monitoring the whole session table in real time, and continuously checking whether the session table entries in the session table meet the first aging condition.
For the related content of the first aging condition, please refer to the above description, which is not repeated herein.
Step 08, if any session entry meets the first aging condition (corresponding to the session entry meeting the first aging condition in the second refreshing condition), searching for a statistical entry according to the session index.
Step 09, if the statistical table entry is not found, creating the statistical table entry and assigning the creation time of the session table entry to the hit time in the statistic table entry.
Similar to creating the session entry, the statistics entry is also created from an index that includes the source IP address, the destination IP address, the source port, the destination port, and the transport layer protocol number.
Step 10, if the statistic table entry is found or the statistic table entry is created, refreshing the hit time and the maximum message time interval in the statistic table entry.
More specifically, refreshing the hit time and the maximum packet time interval in the session aging time statistic table entry may include:
updating the hit time in the session aging time statistic table entry into the hit time recorded in the session table entry;
comparing the maximum time interval recorded in the session table item (the maximum time interval of the messages hitting the session table item twice) with the maximum message time interval recorded in the session aging time statistic table item, and recording the larger value of the two as the maximum message time interval.
Step 11, aging the session table entry meeting the first aging condition. That is, the session table entry satisfying the first aging condition is deleted to release the resource.
Step 12, traversing each statistical table entry in the monitored statistical table.
Step 13, judging whether a statistical table entry meets the second aging condition. If not, traversal of the statistical table entries continues.
For the second aging condition, please refer to the above description, which is not repeated herein.
Step 14, if a statistical table entry meeting the second aging condition exists, judging whether a session table entry corresponding to the statistical table entry exists.
Step 15, if there is a corresponding session entry (the session aging time statistic entry in the corresponding first refresh condition satisfies the second aging condition and the corresponding session entry is not aged), refreshing the hit time and the maximum message time interval in the session aging time statistic entry, and then continuing to monitor the session table and the statistic table.
For how to refresh the hit time and the maximum message time interval in the session aging time statistics table entry, please refer to the description in step 10, which is not described herein again.
Step 16, if the corresponding session table entry does not exist, comparing the maximum message time interval recorded by the statistical table entry with the recorded maximum survival time, and recording the larger of the two as the maximum survival time.
Step 17, determine whether the learning period has expired. If not, the session table continues to be monitored and maximum time to live learned.
Step 18, when the learning time period expires, resetting the aging time for the session table entry by taking the maximum survival time learned in the learning time period as the aging time reference value. Learning then continues in the next cycle.
After the aging time is reset, a message enters the firewall, and when the session table entry is created in step 03, the reset aging time is used as the aging time of the created session table entry.
It should be noted that, assuming the factory aging time of the session entry is 12 minutes and the aging time reset at the end of the first learning time period according to the learned maximum survival time is 9 minutes, the second learning time period adopts the aging time set at the end of the first learning time period, so the maximum survival time that can be learned in the second learning time period is less than 9 minutes, and so on: the learned maximum survival time becomes shorter and shorter, the reset aging time becomes shorter with it, and an aging time that is too short may cause session entries to be frequently created and deleted.
To prevent the learned maximum survival time from shrinking in this way, the aging time of the session aging time statistic table entry is fixed as the factory aging time of the protocol corresponding to the session table entry. This is now exemplified.
Assume that the aging time used in the second learning period is 9 minutes, and the aging time of the statistical table entry is fixed to 12 minutes.
Message 1 enters, and the firewall or router creates a session table entry and a corresponding statistical table entry. Then messages 2-5 enter, and the hit time of message 5 is 12:30:00.
In the next 9 minutes no message enters, so the session table entry is aged and the hit time of the statistical table entry is modified to 12:30:00.
Then message 6 enters and the firewall or the router recreates the session table entry; assume that the hit time of message 6 is 12:40:00. Since the aging time of the statistical table entry is 12 minutes, the statistical table entry is not aged when message 6 enters.
Because the session table entry is created again, if the session table entry meets the first refreshing condition, the maximum message time interval in the statistical table entry is refreshed:
the time interval between the current time (12:40:00) and the hit time of the statistics entry (12:30:00) is calculated to be 10 minutes. This is compared with the maximum message time interval recorded in the statistics table entry (assumed to be 9 minutes), and the greater of the two is saved in the statistics table entry.
Assuming that the second learning period is over, the maximum message time interval (10 minutes) recorded in the statistical table entry is compared with the recorded maximum lifetime (9 minutes), and 10 minutes is recorded as the maximum lifetime.
It follows that even though the second learning period uses 9 minutes as the aging time, this does not cause the learned maximum lifetime, and thus the reset aging time, to become ever shorter.
In addition, the previous example is still used, and it is assumed that after the session table entry is created again according to the message 6, a message enters continuously, and the session table entry is not aged. Since the hit time of the statistic table entry is refreshed only when the session table entry is aged, the hit time of the statistic table entry is still the hit time of the message 5 (12: 30: 00).
After 12 minutes, the statistical table entry meets the second aging condition, at this time, whether the session table entry exists or not needs to be judged, and if the session table entry exists, the hit time of the statistical table entry and the maximum message hit time interval are refreshed. Of course, after the hit time of the statistical table entry is refreshed, the statistical table entry will no longer meet the second aging condition, and the statistical table entry will not be aged. That is, as long as there is a session entry, the statistics entry will not age.
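The second learning method (the fig. 4 flow and the message 1 to message 6 scenario above), as an added simulation that is not the patent's own code. It assumes a 5-tuple index, times as seconds since midnight, that the statistics entry is released once it ages with no session left (the page's step 16 does not say so explicitly), and that the aging checks run at chosen instants; the 10-minute interval is learned when the statistics entry finally ages without a session.

```python
from dataclasses import dataclass

Index = tuple[str, str, int, int, int]   # (source IP, destination IP, source port, destination port, protocol)


def hms(text: str) -> int:
    """Convert '12:30:00' into seconds since midnight."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


@dataclass
class SessionEntry:
    created: int
    hit_time: int
    max_interval: int = 0      # largest gap between two hits on this session entry


@dataclass
class StatEntry:
    hit_time: int              # only refreshed from the session entry (steps 10 and 15), not on every hit
    max_msg_interval: int = 0  # largest interval seen since the statistics entry was created


class LearningFirewall:
    """Second learning method: session table plus statistics table with fixed factory aging (constructed simulation)."""

    def __init__(self, factory_aging: int, current_aging: int, recorded_max: int = 0, float_value: int = 0):
        self.stat_aging = factory_aging    # statistics entries always age on the factory value
        self.aging_time = current_aging    # session aging time reset at the end of the previous learning period
        self.float_value = float_value
        self.max_lifetime = recorded_max   # maximum survival time recorded so far
        self.sessions: dict[Index, SessionEntry] = {}
        self.stats: dict[Index, StatEntry] = {}

    @staticmethod
    def _refresh_from_session(stat: StatEntry, sess: SessionEntry) -> None:
        """Second refresh condition (steps 10 and 15): copy the hit time, keep the larger interval."""
        stat.hit_time = sess.hit_time
        stat.max_msg_interval = max(stat.max_msg_interval, sess.max_interval)

    def packet_in(self, index: Index, now: int) -> None:
        """Steps 02-06: find or create the session entry; a fresh entry also refreshes an existing statistics entry."""
        sess = self.sessions.get(index)
        if sess is None:
            self.sessions[index] = SessionEntry(created=now, hit_time=now)
            stat = self.stats.get(index)
            if stat is not None:   # first refresh condition: creation time minus statistics hit time
                stat.max_msg_interval = max(stat.max_msg_interval, now - stat.hit_time)
            return
        sess.max_interval = max(sess.max_interval, now - sess.hit_time)
        sess.hit_time = now

    def check(self, now: int) -> None:
        """Steps 07-16: run the first aging condition, then the second aging condition."""
        for index, sess in list(self.sessions.items()):
            if now - sess.hit_time > self.aging_time:            # first aging condition
                stat = self.stats.setdefault(index, StatEntry(hit_time=sess.created))   # step 09
                self._refresh_from_session(stat, sess)           # step 10
                del self.sessions[index]                         # step 11
        for index, stat in list(self.stats.items()):
            if now - stat.hit_time > self.stat_aging:            # second aging condition
                sess = self.sessions.get(index)
                if sess is not None:
                    self._refresh_from_session(stat, sess)       # step 15: a live session keeps the entry from aging
                else:
                    self.max_lifetime = max(self.max_lifetime, stat.max_msg_interval)   # step 16
                    del self.stats[index]  # assumption: the statistics entry is released once it has been learned from

    def end_learning_period(self) -> int:
        """Step 18: reset the session aging time from the learned reference value."""
        self.aging_time = self.max_lifetime + self.float_value
        return self.aging_time


def run_stat_demo() -> dict:
    """Replays the page's scenario: session aging 9 minutes in period 2, statistics aging fixed at 12 minutes."""
    fw = LearningFirewall(factory_aging=720, current_aging=540, recorded_max=540)
    flow: Index = ("10.0.0.1", "10.0.0.2", 40000, 443, 6)     # constructed sample flow
    for t in ("12:12:00", "12:21:00", "12:24:00", "12:27:00", "12:30:00"):   # messages 1-5; first gap is 9 minutes
        fw.packet_in(flow, hms(t))
    fw.check(hms("12:39:01"))        # idle > 9 min: session aged, statistics hit time becomes 12:30:00
    stat = fw.stats[flow]
    after_aging = (stat.hit_time, stat.max_msg_interval)
    fw.packet_in(flow, hms("12:40:00"))   # message 6: session recreated; statistics entry (idle 10 min) still alive
    after_msg6 = stat.max_msg_interval    # 10 minutes, larger than the 9-minute aging time in force
    fw.check(hms("12:42:01"))        # statistics idle > 12 min but session alive: refreshed, not aged (page's last case)
    kept = flow in fw.stats
    fw.check(hms("12:52:01"))        # session idle > 9 min ages; statistics idle > 12 min with no session: learned
    fw.end_learning_period()
    return {"after_aging": after_aging, "after_msg6": after_msg6, "kept_with_live_session": kept,
            "learned_max": fw.max_lifetime, "next_aging_time": fw.aging_time, "stats_left": len(fw.stats)}
```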
Correspondingly, an embodiment of the present invention further provides a device for setting the aging time of the session table entry, referring to fig. 5, where the device may include:
The learning unit 1 is used for learning the maximum survival time of the session table entries within a preset learning time period until the learning time period is finished;
the session table entry includes the hit time of the session table entry and the maximum time interval between two times of message hit on the session table entry. For related matters, please refer to the above description, which is not repeated herein.
The setting unit 2 is used for resetting the aging time for the session table entry by taking the maximum survival time learned in the learning time period as the aging time reference value.
More specifically, the maximum lifetime learned as described above is the maximum lifetime recorded at the end of the learning period.
In learning the maximum lifetime of the session entry, the learning unit 1 may be specifically configured to:
when the session table entry meets the first aging condition, comparing the maximum time interval recorded by the session table entry with the recorded maximum survival time, and recording the larger value of the maximum time interval and the recorded maximum survival time as the maximum survival time.
For related matters, please refer to the above description, which is not repeated herein.
Alternatively, in terms of learning the maximum lifetime of the session entry, the learning unit 1 may be specifically configured to:
when the refreshing condition is met, refreshing the record in the session aging time statistic table entry corresponding to the session table entry according to the record in the session table entry; the records in the session aging time statistic table entry comprise hit time and maximum message time interval;
and when the session aging time statistic table entry meets the second aging condition and the corresponding session table entry is aged, recording the maximum message time interval in the session aging time statistic table entry as the maximum survival time.
For details, please refer to the above description, and further description is omitted here.
In another embodiment of the present invention, in terms of resetting the aging time for the session table entry, the setting unit may be specifically configured to: sum the aging time reference value and the aging time floating value, the summation result being the aging time for the session table entry. The aging time floating value is greater than or equal to 0.
For details, please refer to the above description, and further description is omitted here.
Fig. 6 shows a hardware structure of the setting apparatus 600 (firewall, router) for setting the aging time of the session table entry, which may include at least one processor 601, such as a CPU, at least one network interface 604 or other user interface 603, a memory 605, and at least one communication bus 602. The communication bus 602 is used to enable connectivity and communication between these components. The setting apparatus 600 optionally comprises a user interface 603, a keyboard or a pointing device, such as a trackball, a touch-sensitive pad or a touch-sensitive display. Memory 605 may comprise high-speed RAM memory, and may also include non-volatile memory, such as at least one disk memory. The memory 605 may optionally include at least one storage device located remotely from the processor 601.
In some embodiments, memory 605 stores the following elements, executable modules or data structures, or a subset thereof, or an expanded set thereof:
an operating system 6051 containing various system programs for implementing various basic services and for processing hardware-based tasks;
the application module 6052 contains various applications for implementing various application services.
The application module 6052 includes, but is not limited to, a learning unit 1 and a setting unit 2.
For concrete implementation of each module in the application module 6052, refer to corresponding modules in the embodiment shown in fig. 5, which are not described herein again.
In an embodiment of the present invention, processor 601, by invoking programs or instructions stored by memory 605, is configured to:
learning the maximum survival time of the session table items within a preset learning time period until the learning time period is finished;
and resetting the aging time for the session table entry by taking the maximum survival time learned in the learning time period as the aging time reference value.
In addition, the setting apparatus 600 may also perform other steps related to the setting method described in the method section herein, and details of each step are not described herein.
In the invention, the CPU and the memory can be integrated in the same chip or can be two independent devices.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.