CN106411944A - Network access management method and apparatus - Google Patents


Info

Publication number: CN106411944A
Authority: CN (China)
Application number: CN201611055650.1A
Other versions: CN106411944B (granted publication)
Language: Chinese (zh)
Inventor: 潘云登
Original and current assignee: Ruijie Networks Co Ltd
Legal status: Granted (active)
Prior art keywords: network access, data, critical field, described network, data flow

Classifications (CPC)

    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/10 Controlling access to devices or network resources
        • H04L 63/02 Separating internal from external traffic, e.g. firewalls
            • H04L 63/0227 Filtering policies
                • H04L 63/0245 Filtering by information in the payload
                • H04L 63/0263 Rule management

Abstract

Embodiments of the invention provide a network access management method and apparatus in the field of communications. They address a shortcoming of the prior art: when several types of network access coexist, the key field corresponding to the type of a given access cannot be obtained from the data of that access. The method comprises: obtaining the data of a network access; determining, from that data, the data flow rule corresponding to the access; screening analytic functions according to the data flow rule; and obtaining, with the screened analytic functions, the key field of the network access data, the key field being used to manage the network access. The invention is applied to the management of network access.

Description

Network access management method and apparatus
Technical field
The present invention relates to the field of communications, and in particular to a network access management method and apparatus.
Background technology
In recent years, with the rapid development of Internet and mobile communication technology, network applications have become ever richer and the ways in which users access the network have changed greatly. Early users could only access the network by browsing web pages; today they can do so through web search, e-mail, forums, instant messaging software, network storage and many other means. Rich network applications give users richer content and more convenient access, but they also bring problems. For example, when a user freely accesses the network with an application in a setting where some network applications are prohibited, information may be leaked or communication links may become congested, reducing access efficiency. Network operators and network administrators therefore need to manage users' network access according to their own requirements.
Ordinarily, network access is managed as follows: when the data of a network access is obtained, the content required by a preset management method is extracted from that data and parsed to obtain a key field, and the access is then managed according to that key field. Extracting the required content and parsing it are typically strongly tied to the type of network access. If the type changes, or if several types of network access exist at the same time, the preset management method can no longer extract the corresponding content from the access data and parse it. The management method can be reset when this happens, but resetting usually takes a long time, and it still cannot obtain a key field matching the type of each access when several types coexist, so the efficiency of network access management falls and the user experience suffers.
Content of the invention
The application provides a network access management method and apparatus that can obtain, from the data of a network access, the key field corresponding to the type of that access even when several types of network access coexist.
To this end, the application adopts the following technical scheme:
In a first aspect, an embodiment provides a network access management method comprising: obtaining the data of a network access and determining, from that data, the data flow rule corresponding to the access; screening analytic functions according to the data flow rule; and obtaining, with the screened analytic functions, the key field in the network access data, the key field being used to manage the network access.
In a second aspect, an embodiment provides a network access management apparatus comprising: an acquisition module configured to obtain the data of a network access; and a processing module configured to determine, from that data, the data flow rule corresponding to the access, to screen analytic functions according to the data flow rule, and to obtain, with the screened analytic functions, the key field in the network access data, the key field being used to manage the network access.
In the method and apparatus provided by the embodiments, the data flow rule corresponding to a network access is determined, analytic functions are screened according to that rule, and the key field in the access data is obtained with the screened functions. Because the data flow rule selects the analytic functions, and the functions available for selection can include analytic functions for many data flow rules, the method can still obtain the key field corresponding to the type of each access when several types of network access coexist, and can then manage each access by its key field. This improves the efficiency of network access management and the user experience.
Brief description
To explain the embodiments of the invention and the prior art more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings show only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without inventive effort.
Fig. 1 is a schematic flowchart of a network access management method according to an embodiment of the invention;
Fig. 2 is a schematic flowchart of a network access management method according to another embodiment of the invention;
Fig. 3 is a schematic diagram of a network access management apparatus according to an embodiment of the invention;
Fig. 4 is a schematic diagram of a network access management apparatus according to another embodiment of the invention.
Specific embodiment
The technical scheme of the embodiments is described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without inventive effort fall within the scope of protection of the invention.
For clarity, the embodiments use words such as "first" and "second" to distinguish items that are the same or similar in function and effect. Those skilled in the art will understand that these words do not limit quantity or order of execution.
In recent years, with the rapid development of Internet and mobile communication technology, network applications have become richer and people's online behaviour has changed greatly. Early users could only access the network by browsing web pages; today they use web search, e-mail, forums, instant messaging software, network storage and many other means. With the arrival of the mobile Internet era, the types and number of applications, and the behaviour users exhibit on the Internet, have become still more diverse. While this trend enriches network content, it also brings drawbacks, such as leakage of enterprise confidential information and reduced staff efficiency. Managing users' network access has therefore become an increasingly urgent requirement for network operators and network providers. It requires not only identifying a user's network access but also controlling illegal behaviour within it.
Network access management technology has developed rapidly in recent years, and the network access data it can identify and control has grown steadily. By identifying and recording source and destination Internet Protocol (IP) information, the transport layer protocol and source and destination port information, it can keep records that can be checked afterwards; combined with the allocation of internal IP addresses within an organisation, or with an authentication system, it can distinguish different user types; and from transport layer source and destination port information it can roughly distinguish application types such as the Hypertext Transfer Protocol (HTTP), the Simple Mail Transfer Protocol (SMTP) and the File Transfer Protocol (FTP), so that different Internet behaviour policies can be customised.
A Uniform Resource Locator (URL) is a concise representation of the location of a resource on the Internet and of the method of accessing it; it is the standard address of a resource on the Internet. Every file on the Internet has a unique URL, whose content indicates where the file is and how a browser should handle it. A basic URL consists of a scheme (or protocol), a server name (or IP address), a path and a file name, in the form "scheme://authority/path?query". URL classification distinguishes application types from the authority and path fields, such as news, forums, mailboxes and banking, or illegal categories such as pornography and gambling. Deep Packet Inspection (DPI) is a detection technique that goes further than ordinary packet inspection: it analyses the content (payload) of layer 7, the application layer, in depth and identifies the application type or content from the characteristics of that payload. Traditional port-based identification can only infer from TCP port 80 that the traffic is an HTTP web browsing application, whereas DPI can identify the concrete application from a feature string in the HTTP payload, for example mail.163.com, which identifies a web mailbox. As URL classification and DPI have developed, a user's general web browsing can be subdivided into news, technology, social, mailbox and various illegal categories, and non-web applications such as games, office, download and video can also be identified. Through this subdivision of application layer information, Internet behaviour management equipment can apply custom policies to different user behaviours, auditing and controlling users' legal and illegal conduct. Further, within one application type the different behaviours of a user, and the content of those behaviours, can be subdivided: a social microblogging application can be split into browsing, posting, replying and attachment upload, and a mailbox application into sender, recipient, subject, body and attachment. Each kind of content can then be matched against a keyword feature library and a corresponding allow or block policy defined.
Although Internet behaviour management technology can now control and manage users' online behaviour very finely, the arrival of Web 3.0 and the mobile Internet era brings new challenges. Applications have changed dramatically (the same application may exist as a PC version, an Android version and an iOS version); application protocols and data formats have been updated on a large scale (the traditional web mailbox attachment, for instance, is progressively being replaced by cloud-drive style attachments); the number of applications grows rapidly; and users' requirements keep rising (a user may want to know not only the IP address behind a behaviour but also virtual identity information such as the account and ID behind it). In this situation, an existing network access management method, on obtaining the data of a network access, extracts preset fields from that data and performs protocol parsing so as to manage the access according to the parsed fields. Extracting the required fields and parsing them are usually strongly tied to the type of access, so when the type changes the method can no longer extract and parse the corresponding field information from data of the new type. The extracted fields and the parsing protocol can then be set again, but resetting usually takes a long time, which reduces the efficiency of network access management and hurts the user experience.
To address this, an embodiment provides a network access management method that determines, from the data of a network access, the data flow rule corresponding to the access and, according to that rule, extracts and parses the key field in the access data. The key field of each type of network access can thus be extracted and parsed, and accesses of different types managed by their key fields, improving the efficiency of network access management and the user experience.
As shown in Fig. 1, the network access management method provided by an embodiment comprises:
101. Obtain the data of a network access.
Specifically, the data of the network access may be the data exchanged between an application and the network when a user accesses the network through that application. For example, when a user posts a microblog through the Sina Weibo application, the data that the application transmits to its server is the data of the network access.
102. Determine, from the data of the network access, the data flow rule corresponding to the access.
The data flow rule indicates the key field in the data of the network access and the analysis protocol used to parse that key field.
Specifically, the type of application making the access may be determined from the access data, and the data flow rule corresponding to that type is then selected.
The key field may be a specific field in the access data; the data flow rule may indicate it by field information, by the data type of the field (integer or character) or by its length. The analysis protocol is a protocol that parses the key field into a specified format.
For example, for a network access made by a mailbox application, the data flow rule may locate specific fields such as sender, recipient, subject and attachment in the access data by searching for designated characters, and may additionally specify the data type (integer or character) or length of each field to locate it more precisely.
Further, the specific fields indicated by a data flow rule may fall into three classes, each of which must be able to specify a data type (integer or character) and a length. To keep the description concise, the type of a field is indicated by a prefix on the field name, and the length, which can usually be preset, need not be stated explicitly.
For example, the specific fields may comprise application key fields, message information fields and common variable fields. Application key fields carry application information that must be audited and stored in a database or used for fine-grained policy control, such as the title and body of a forum post; examples are $str_title and $str_content. Message information fields hold link layer MAC address information, network layer IP address information, transport layer protocol, port information, application layer payload and length; they can be regarded as constants and are normally not modified; examples are @str_smac, @int_sip, @int_proto, @int_sport, @str_payload and @int_payloadlen. Common variable fields are integer or string variables used as temporaries while extracting the key field, to hold intermediate data or computed results, or as temporaries for conditional and loop control; examples are int0, int1, str0 and str1.
Note that the length of the specific fields indicated by a data flow rule may depend on the type of network access the rule corresponds to: the length of message information fields is usually fixed, and the length of common variable fields can be preset. The embodiments do not restrict how a data flow rule is organised; it may be organised as key-value pairs, as Extensible Markup Language (XML) or as JavaScript Object Notation (JSON), among other forms.
103. Screen analytic functions according to the data flow rule, and obtain and parse the key field in the access data with the screened analytic functions.
Specifically, since the data flow rule yields both the means of locating the key field in the access data and the analysis protocol for parsing it, the analytic functions screened by the rule can be understood as the content the rule indicates: functions that extract the corresponding key field from the access data and parse it. Equivalently, the processing logic indicated by the rule is abstracted into semantically independent functions, and these are the analytic functions that are screened out. Screening may consist of selecting the required analytic functions from a preset set, which can be regarded as containing analytic functions for many data flow rules; the selected functions thus correspond to the network access. The selected functions may extract the required data from the access data and then parse it, or parse the access data first and extract the required part from the parsed data, to obtain the parsed key field.
Note that a key field obtained by a single parsing step can be regarded as produced by one independent analytic function, while a key field that requires several parsing steps can be regarded as produced by a logical combination of one or more independent analytic functions.
For example, after the screened analytic function extracts the required part of the access data, it may URL-decode that part to obtain the key field.
In the network access management method provided by this embodiment, the data flow rule corresponding to a network access is determined, analytic functions are screened according to that rule, and the key field in the access data is obtained and parsed with the screened functions. Because the data flow rule selects the analytic functions, and the functions available for selection can include analytic functions for many data flow rules, the method can still obtain the parsed key field corresponding to the type of each access when several types of network access coexist, and can then manage each access by its parsed key field. This improves the efficiency of network access management and the user experience.
Specifically, as shown in Fig. 2, the network access management method provided by an embodiment comprises:
201. Obtain the data of a network access.
For details see step 101 of the embodiment above; they are not repeated here.
202. Determine the application node of the access data, and locate the message payload in the access data according to the application node.
203. Match the message payload of the access data against feature strings to determine the data flow rule corresponding to the access.
Each feature string corresponds to a data flow rule.
Specifically, the access data may be identified to determine the type of the access; an application node hash table is looked up by that type to obtain the application node of the access data, and the message payload is located in the access data according to the application node.
Matching the message payload against feature strings may consist of multi-pattern matching of feature strings against the application layer payload of the access data; when the data matches the feature string of a particular data flow rule, the access is determined to correspond to that rule.
Further, after the data matches the feature string of a rule, the IP address, transport layer protocol and port of the access data may be checked, and the result used to decide whether the rule is indeed hit. Feature strings may also be combined with AND, OR and NOT semantics to express more complex screening conditions. If the number of messages matched for a network access exceeds a matching message limit without hitting any data flow rule, the access data is released.
For example, when the type of the network access is Sina Weibo, the application node of the access data is determined, the message payload is located according to the application node, and the payload is matched against the feature strings of the data flow rules corresponding to Sina Weibo. If "POST /aj/mblog/add" is hit, the transport layer protocol, destination port and other information are further matched; if they also meet the requirements, the Sina Weibo posting data flow rule is confirmed as hit. Other Weibo browsing flows cannot hit this rule and so avoid the deeper processing of application key field extraction.
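The flow classification of steps 202 and 203, written as an added Python example for this page (it is not the patent's or Ruijie's implementation): each message of a flow is matched against the feature strings of constructed data flow rules, a hit is confirmed with the transport layer protocol and destination port, and the flow is released once a matching message limit is exceeded without a hit. The rule names, ports, limit and sample packets are assumptions made up for the example; only the "POST /aj/mblog/add" feature string comes from the text.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed data flow rules. Each feature string corresponds to one rule; the
# transport layer conditions are checked only after the feature string hits
# (rule names and ports are assumptions for this example).
@dataclass(frozen=True)
class FlowRule:
    name: str
    feature: bytes     # feature string searched for in the application layer payload
    l4_proto: int      # expected transport protocol number (6 = TCP, 17 = UDP)
    dst_port: int      # expected destination port

RULES = (
    FlowRule("weibo_post", b"POST /aj/mblog/add", 6, 80),
    FlowRule("forum_reply", b"POST /forum/reply", 6, 80),
)

# Matching message limit: a flow matched this many times without hitting any
# rule is released and no longer inspected (value assumed for the example).
MAX_MATCH_MESSAGES = 4

@dataclass(frozen=True)
class Packet:
    proto: int
    dport: int
    payload: bytes     # application layer payload only (lower headers already parsed)

class FlowClassifier:
    """Per-flow state for feature string matching with a match budget."""

    def __init__(self, rules=RULES, budget=MAX_MATCH_MESSAGES):
        # One alternation regex stands in for a multi-pattern matcher such as
        # Aho-Corasick; longest-first ordering keeps a short feature from
        # shadowing a longer one that starts at the same offset.
        ordered = sorted(rules, key=lambda r: len(r.feature), reverse=True)
        self._pattern = re.compile(b"|".join(re.escape(r.feature) for r in ordered))
        self._by_feature = {r.feature: r for r in rules}
        self.budget = budget
        self.matched_messages = 0
        self.rule: Optional[FlowRule] = None

    def classify(self, pkt: Packet) -> str:
        """Return 'hit', 'pending' or 'release' for one message of the flow."""
        if self.rule is not None:
            return "hit"                       # rule already confirmed for this flow
        self.matched_messages += 1
        m = self._pattern.search(pkt.payload)
        if m is not None:
            candidate = self._by_feature[m.group(0)]
            # The feature string alone is not enough: confirm with layer 4 facts.
            if pkt.proto == candidate.l4_proto and pkt.dport == candidate.dst_port:
                self.rule = candidate
                return "hit"
        if self.matched_messages >= self.budget:
            return "release"                   # budget exhausted, let the flow through
        return "pending"

def classify_flow(packets, rules=RULES, budget=MAX_MATCH_MESSAGES):
    """Run a whole flow through the classifier; returns (verdict, rule name or None)."""
    clf = FlowClassifier(rules, budget)
    verdict = "pending"
    for pkt in packets:
        verdict = clf.classify(pkt)
        if verdict != "pending":
            break
    return verdict, (clf.rule.name if clf.rule else None)

# Constructed sample traffic (not captured data).
WEIBO_POST = Packet(6, 80, b"POST /aj/mblog/add?ajwvr=6 HTTP/1.1\r\nHost: weibo.com\r\n\r\n"
                           b"location=v6_content_home&text=hello&pic_id=")
WEIBO_BROWSE = Packet(6, 80, b"GET /u/1234567 HTTP/1.1\r\nHost: weibo.com\r\n\r\n")
WRONG_L4 = Packet(17, 80, WEIBO_POST.payload)   # same feature string, but not TCP

if __name__ == "__main__":
    print(classify_flow([WEIBO_POST]))              # ('hit', 'weibo_post')
    print(classify_flow([WEIBO_BROWSE] * 4))        # ('release', None)
    print(classify_flow([WRONG_L4] * 2, budget=2))  # ('release', None)
```

The layer 4 check is what turns a string match into a classification decision: a payload that merely contains the feature string on the wrong protocol never reaches key field extraction, and a browsing flow that never matches stops consuming inspection effort once the budget is spent.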
204. Screen analytic functions according to the data flow rule, and obtain and parse the key field in the access data with the screened analytic functions.
For details see step 103 of the embodiment above.
Further, the group of analytic functions that together obtain the parsed key field may be called a function chain. When a packet of the network access contains several pieces of key field information, the data flow rule of that access may indicate several function chains; each key field may be marked by a feature string, and the feature string marker serves as the entry point for executing its chain. Parsing the access data with the analytic functions corresponding to the data flow rule then means calling the function chain corresponding to the rule and executing the analytic functions in the chain in turn, completing extraction and parsing of the key field. Within a chain, the code of each analytic function is implemented uniformly and can be held, in the form of a pointer, as a member of an analytic function data structure whose other members include the parameter structure the function operates on. Each analytic function data structure has an index within its chain; while the chain executes, the index of the current function is preserved, and loops and conditional branches are realised by changing the current function index of the chain.
Note that the key field may be searched for in the access data and parsed with the analytic function corresponding to the data flow rule. When the access data is found not to contain the key field and to be transmitted across messages, the next arriving data of the access is obtained, the key field is searched for in it, and the key field found is parsed with the analytic function corresponding to the data flow rule.
Specifically, in practice a key field may be carried across several data messages of a network access (the access data is then transmitted across messages), and those messages may arrive out of order. The received access data may therefore be cached; when the access data is found not to contain the key field and to be transmitted across messages, the method waits for the next data of the access to arrive, searches for the key field in it and parses the key field found with the analytic function corresponding to the data flow rule. Determining that the access data does not contain the key field and is transmitted across messages may consist of searching the access data for a start feature string, taking the field between the start feature string and an end feature string as the key field, and concluding that the access data is transmitted across messages when the start feature string is found but the end feature string has still not been found by the end of the current data message.
For example, when the type of the network access is Sina Weibo, the data messages of the access are matched against the feature strings of the data flow rule corresponding to Sina Weibo. When "&text=" is hit, the analytic functions in the function chain corresponding to the rule are executed in turn: the information after "&text=" is read into $str_content and dynamically mapped into the application key field data structure until the end feature string marker "&" appears. If the current data message has been read to its end without finding the end feature string, the key field spans messages: the current function index of the chain is preserved as the index of the read-string action, together with information such as how much of the message has been read, and the chain switches to a suspended state. When the next data message of the access arrives, the chain returns from suspended to running, resumes the read-string action from the preserved current function index, and completes extraction and parsing of the key field.
205. Save the parsed key field in a preset format, the preset format corresponding to the network access.
Specifically, the parsed key field may be saved as a specified database record for further audit, and may also serve as input to a fine-grained policy control unit. The fine-grained policy control unit can block the access according to whether the parsed key field contains illegal information, or block it on the basis of the parsed key field itself, thereby implementing fine-grained behavior management.
The embodiment provides a network access management method: the data flow rule corresponding to the network access is determined, parsing functions are filtered according to that data flow rule, and the key field in the data of the network access is obtained and parsed with the filtered parsing functions. Because the data flow rule filters the parsing functions, and the parsing functions to be filtered include functions corresponding to several data flow rules, even when several types of network access occur at the same time the embodiment can still obtain, from the data of the network access, the parsed key field corresponding to the type of that network access, and can therefore manage the network access according to the parsed key field. This improves the efficiency of managing network access and improves the user experience.
As shown in Figure 3, the embodiment provides a network access management apparatus 301, characterized in that it includes:
an acquisition module 302, configured to obtain the data of a network access.
Specifically, the data of the network access may be the data exchanged between an application and the network when a user performs a network access with that application. For example, when a user posts a microblog through the Sina Weibo application, the data the Sina Weibo application transmits to its server is regarded as the data of the network access.
A processing module 303, configured to determine, according to the data of the network access, the data flow rule corresponding to the network access.
The data flow rule indicates the key field in the data of the network access and the parsing protocol used to parse the key field.
Specifically, determining the data flow rule corresponding to the network access according to its data may consist of determining from the data the type of application performing the network access, and then determining the data flow rule corresponding to that type.
The key field in the data of the network access may be a specific field in that data; the data flow rule may indicate the key field by indicating the field information, the data type (integer, character) or the length of the specific field. The parsing protocol for parsing the key field may be a protocol that parses the key field into a specified format.
For example, when the network access is performed by a mailbox-type application, the data flow rule may determine specific fields in the data of the network access such as the sender field, recipient field, subject field and attachment field by retrieving designated characters, and may also specify the data type (integer, character) or length of each specific field so that the specific fields can be further determined in the data of the network access.
Further, the specific fields indicated by the data flow rule may fall into three classes, and each class must be able to specify a data type (integer, character) and a length. To keep the description information concise, a prefix indicating the type of the specific field and its length may be used; the length of a specific field can usually be preset and need not be described explicitly.
For example, the specific fields may include application key fields, message-related information fields and common variable fields. Application key fields are the application information that needs to be audited and stored in the database or subjected to fine-grained policy control, such as the title and body of a forum post; example application key fields are $str_title and $str_content. Message-related information fields may be the link-layer MAC address, network-layer IP address, transport-layer protocol, port, application-layer payload and length; they may be regarded as constants and are generally not modified. Example message-related information fields are @str_smac, @int_sip, @int_proto, @int_sport, @str_payload and @int_payloadlen. Common variable fields may be integer variables or string variables; they are generally used as temporaries during key-field extraction, holding intermediate data or computation results, and as temporaries for conditional judgment and loop control. Example common variable fields are int0, int1, str0 and str1.
It should be noted that the length of the specific fields indicated by the data flow rule may be determined by the type of network access the rule corresponds to; for example, the length of message-related information fields is usually fixed, and the length of common variable fields can be preset. The embodiments of the invention do not limit the organization of the data flow rule; it may be organized as key-value pairs, Extensible Markup Language (XML), JavaScript Object Notation (JSON), and so on.
The processing module 303 is further configured to filter parsing functions according to the data flow rule, obtain the key field in the data of the network access with the filtered parsing functions and parse the key field; the parsed key field is used to manage the network access.
Specifically, since the data flow rule yields the key field to be obtained from the data of the network access and the parsing protocol for parsing that key field, the parsing functions filtered according to the data flow rule can be understood as the content indicated by the data flow rule: they extract the corresponding key field from the data of the corresponding network access and parse it. In other words, the processing logic indicated by the data flow rule is abstracted into semantically independent functions one by one, and these are the filtered parsing functions, which extract the corresponding key field from the data of the corresponding network access and parse it. Filtering parsing functions according to the data flow rule may mean selecting the required parsing functions from a preset set of parsing functions according to the rule; the preset set may include parsing functions corresponding to several data flow rules, and the selected parsing functions may be regarded as corresponding to the network access. The filtered parsing functions may extract the needed part of the data of the network access and parse it to obtain the parsed key field, or may parse the data of the network access first and then extract the needed part from the parsed data to obtain the parsed key field.
It should be noted that a key field obtained after a single parse can be abstracted as being produced by a single independent parsing function, while a key field obtained after several parses can be regarded as the logical combination of one or more independent parsing functions.
For example, after the filtered parsing function extracts the needed part of the data of the network access, it may URL-decode the extracted part to obtain the key field.
The embodiment provides a network access management apparatus: the data flow rule corresponding to the network access is determined, parsing functions are filtered according to that data flow rule, and the key field in the data of the network access is obtained and parsed with the filtered parsing functions. Because the data flow rule filters the parsing functions, and the parsing functions to be filtered include functions corresponding to several data flow rules, even when several types of network access occur at the same time the network access management apparatus provided by the invention can still obtain, from the data of the network access, the parsed key field corresponding to the type of that network access, and can therefore manage the network access according to the parsed key field. This improves the efficiency of managing network access and improves the user experience.
Specifically, the processing module 303 is specifically configured to:
determine the application node of the data of the network access, determine the message payload of the data of the network access within that data according to the application node, and match the message payload of the data of the network access against feature strings to determine the data flow rule corresponding to the network access, the feature strings corresponding to data flow rules.
Specifically, the data of the network access may be identified to determine the type of the network access; the application node hash table is looked up by that type to determine the application node of the data of the network access, and the message payload of the data of the network access is determined within the data according to the application node.
Matching the message payload of the data of the network access against feature strings to determine the data flow rule corresponding to the network access may consist of multi-pattern feature string matching on the application-layer payload of the data of the network access; when the data of the network access matches the feature string corresponding to a certain data flow rule, the network access is determined to correspond to that data flow rule.
Further, after the data of the network access matches the feature string corresponding to a certain data flow rule, the IP address, transport-layer protocol and port of the data of the network access may be checked, so that whether the data flow rule is hit is further determined according to the check result; the feature strings may also be given AOI semantics to satisfy more complex filtering conditions. If the number of times the data of the network access has been matched exceeds the matching message quantity and still no data flow rule has been hit, the data of the network access is released.
For example, when the type of the network access is Sina Weibo, the application node of the data of the network access may be determined, the message payload of the data determined within the data according to the application node, and the message payload matched against the feature string corresponding to the data flow rule for Sina Weibo. If "POST /aj/mblog/add" is hit, the transport-layer protocol, destination port and other information are further matched; if the further match also meets the requirements, the Sina Weibo posting data flow rule is confirmed as hit, while other microblog browsing data flows cannot hit it, which avoids the deeper processing of application key-field extraction for them.
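The rule structure described above (application key fields, message-related information fields, a JSON organization of the rule) and the two-stage matching procedure (feature string hit on the application-layer payload, then a protocol and port check, with the flow released after the matching message quantity is exhausted) can be exercised together in a small classifier. The following is an added example written for this page, not code from the patent or from Ruijie Networks; the JSON key names, the rule set and the sample messages are constructed for illustration, and the feature strings are the ones the page cites.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed rule set. The page allows key-value, XML or JSON organization;
# the key names ("feature", "proto", "dport", "fields") are this example's assumption.
RULES_JSON = """
[
  {"name": "weibo_post", "feature": "POST /aj/mblog/add", "proto": 6, "dport": 80,
   "fields": {"$str_content": {"type": "str", "start": "&text=", "end": "&"}}},
  {"name": "mail_send", "feature": "POST /mail/send", "proto": 6, "dport": 443,
   "fields": {"$str_title": {"type": "str", "start": "subject=", "end": "&"}}}
]
"""
MAX_MATCH_MESSAGES = 3   # the page's "matching message quantity": give up after this many


@dataclass
class Message:
    # The message-related information fields the page names (@int_proto, @int_sport, @str_payload)
    proto: int
    dport: int
    payload: bytes


@dataclass
class FlowState:
    checked: int = 0               # messages examined without a confirmed hit
    rule: Optional[dict] = None    # the data flow rule this flow was mapped to
    released: bool = False         # passed through without further inspection


def load_rules(text: str) -> list:
    return json.loads(text)


def feature_hits(rules: list, payload: bytes) -> list:
    """Stage 1: feature string match on the application-layer payload.
    A production engine would use a multi-pattern automaton (Aho-Corasick);
    a linear scan over the rules is enough to show the logic."""
    return [r for r in rules if r["feature"].encode() in payload]


def confirm_hit(rule: dict, msg: Message) -> bool:
    """Stage 2: a feature hit is confirmed only after protocol and port agree."""
    return rule["proto"] == msg.proto and rule["dport"] == msg.dport


def classify(state: FlowState, rules: list, msg: Message) -> FlowState:
    """Apply both stages to one message and update the per-flow state."""
    if state.rule is not None or state.released:
        return state
    for rule in feature_hits(rules, msg.payload):
        if confirm_hit(rule, msg):
            state.rule = rule
            return state
    state.checked += 1
    if state.checked >= MAX_MATCH_MESSAGES:
        state.released = True      # budget exhausted with no hit: release the flow
    return state


def classify_flow(rules: list, msgs: list) -> tuple:
    """Return (rule name or None, released flag) after feeding all messages of a flow."""
    state = FlowState()
    for m in msgs:
        classify(state, rules, m)
    return (state.rule["name"] if state.rule else None), state.released


if __name__ == "__main__":
    rules = load_rules(RULES_JSON)
    post = [Message(6, 80, b"POST /aj/mblog/add HTTP/1.1\r\nHost: example\r\n\r\n")]
    browse = [Message(6, 80, b"GET /u/123 HTTP/1.1\r\n")] * 3
    print(classify_flow(rules, post), classify_flow(rules, browse))
```

Only a confirmed hit selects a rule; a feature string seen on an unexpected port (the second test case below) is not enough, which keeps a payload that merely contains the string from being mis-mapped. Browsing traffic that never hits any rule is released after three messages, so it never reaches key-field extraction.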
Specifically, the processing module 303 is specifically configured to:
search for the key field in the data of the network access and parse the found key field with the parsing function corresponding to the data flow rule;
when it is determined that the searched data of the network access does not contain the key field and the data of the network access is transmitted across messages, obtain the newly arriving data of the network access, search for the key field in the newly arriving data, and parse the found key field with the parsing function corresponding to the data flow rule.
Specifically, in practice a key field may be carried in several data messages of the network access, that is, the data of the network access is transmitted across messages, and the data messages of the network access may arrive out of order. The received data of the network access can therefore be cached; when it is determined that the data of the network access does not contain the key field and is transmitted across messages, the newly arriving data of the network access is awaited, and once it is obtained the key field is searched for in it and parsed with the parsing function corresponding to the data flow rule. Determining that the data of the network access does not contain the key field and is transmitted across messages may be done by searching the data for a start feature string and taking the field between the start feature string and the end feature string as the key field: when the start feature string is found in the data but the end feature string has still not been found when the current data message ends, it is determined that the data of the network access is transmitted across messages.
The group of parsing functions that together obtain the key field may be referred to as a function chain. When a data packet of the network access contains several pieces of key-field information, the data flow rule corresponding to the network access may indicate several function chains; each key field has a corresponding feature string identifier, and that feature string identifier serves as the entry point for executing the function chain. Parsing the data of the network access with the parsing functions corresponding to the data flow rule in order to obtain the parsed key field may consist of calling the function chain corresponding to the data flow rule and then executing the parsing functions in the chain in turn, which completes extraction and parsing of the key field. Within a function chain the code of each parsing function is implemented in a uniform way and may be held, in the form of a pointer, as a member of a parsing-function data structure whose other members include the parameter structure the parsing function operates on. The data structure of each parsing function may carry index information for its position in the function chain it belongs to; when the function chain executes, the index of the current parsing function is saved, and loops, conditional judgments and the like can be implemented by modifying the function chain's current function index.
For example, when the type of the network access is Sina Weibo, the data messages of the network access can be matched against the feature strings of the data flow rule corresponding to Sina Weibo. When "&text=" is hit, the parsing functions in the function chain corresponding to the data flow rule are executed in turn: the information following "&text=" is read and, after dynamic mapping, stored in the application key-field data structure $str_content, until the end feature string identifier "&" appears. If the current data message has been read to its end without the end feature string being found, this is a cross-message situation; the current function index of the function chain, namely the index of the read-string action, is saved together with information such as the length of the message already read, and the function chain switches to the suspended state. When the next data message of this network access arrives, the function chain returns from the suspended state to the running state, resumes the read-string action from the previously saved current function index, and completes extraction and parsing of the key field.
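The function chain with a saved current function index, the suspend/resume behavior when a key field spans two messages, and the URL decoding of the extracted part (all described in the method section above and repeated here for the apparatus) can be shown in one resumable extractor. This is an added example written for this page, not code from the patent or from Ruijie Networks; the step names, the "str0"/"int0" temporaries, the MAX_FIELD_LEN cap and the sample messages are constructed for illustration, while the "&text=" and "&" feature strings and the $str_content field name come from the page.

```python
from urllib.parse import unquote_plus

# Feature strings from the page's Sina Weibo example.
START_FEATURE = b"&text="
END_FEATURE = b"&"
# Assumed cap: a field whose end feature string never arrives must not grow the
# per-flow cache without bound (the page describes caching but states no limit).
MAX_FIELD_LEN = 4096


def find_start(ctx: dict, buf: bytes) -> tuple:
    """Parsing function 0: locate the start feature string (the chain's entry point)."""
    i = buf.find(START_FEATURE)
    if i < 0:
        return "nomatch", len(buf)
    return "next", i + len(START_FEATURE)


def read_string(ctx: dict, buf: bytes) -> tuple:
    """Parsing function 1: copy bytes into the temporary str0 until the end feature
    string. Suspends, keeping its own index, when the message ends first."""
    j = buf.find(END_FEATURE)
    chunk = buf if j < 0 else buf[:j]
    ctx["str0"] += chunk
    ctx["int0"] += len(chunk)          # length of the field read so far
    if ctx["int0"] > MAX_FIELD_LEN:
        return "abort", len(buf)
    if j < 0:
        return "suspend", len(buf)     # cross-message case: wait for the next message
    return "next", j + len(END_FEATURE)


def url_decode(ctx: dict, buf: bytes) -> tuple:
    """Parsing function 2: URL-decode the extracted part into the application key field."""
    ctx["$str_content"] = unquote_plus(ctx["str0"].decode("utf-8", "replace"))
    return "done", 0


class FunctionChain:
    """Parsing functions executed in order; the current function index is saved so
    the chain can suspend at the end of one message and resume on the next."""

    def __init__(self, steps):
        self.steps = steps
        self.index = 0                 # current function index
        self.state = "running"
        self.ctx = {"str0": b"", "int0": 0, "$str_content": None}

    def feed(self, payload: bytes):
        """Run the chain over one message; return the key field once complete, else None."""
        if self.state in ("done", "aborted"):
            return self.ctx["$str_content"]
        self.state = "running"
        buf = payload
        while self.index < len(self.steps):
            action, consumed = self.steps[self.index](self.ctx, buf)
            buf = buf[consumed:]
            if action == "next":
                self.index += 1
            elif action == "suspend":
                self.state = "suspended"
                return None
            elif action == "nomatch":
                return None            # entry not found in this message; index unchanged
            elif action == "abort":
                self.state = "aborted"
                return None
            elif action == "done":
                self.state = "done"
                return self.ctx["$str_content"]
        return self.ctx["$str_content"]


def extract_content(messages: list) -> tuple:
    """Feed the messages of one flow in order; return (parsed key field, chain state)."""
    chain = FunctionChain([find_start, read_string, url_decode])
    result = None
    for m in messages:
        result = chain.feed(m)
    return result, chain.state


if __name__ == "__main__":
    msgs = [b"POST /aj/mblog/add HTTP/1.1\r\n\r\nlocation=&text=hello%20wo",
            b"rld%21&pic_id=1"]
    print(extract_content(msgs))      # ('hello world!', 'done')
```

Two practical notes. The page's procedure only handles the end feature string arriving in a later message; a start feature string that is itself split across two messages would not be found by this chain either, so a deployment that relies on feature string entry points needs reassembly before matching or must accept that such fields are missed. The MAX_FIELD_LEN abort is the defensive addition: without it, a flow that sends "&text=" and never an "&" keeps the chain suspended and the cached field growing for as long as the flow lives.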
Specifically, as shown in Figure 4, the network access management apparatus 301 further includes a storage module 304;
the processing module 303 is further configured to:
control the storage module 304 to save the parsed key field in a preset format, the preset format corresponding to the network access.
Specifically, the parsed key field may be saved as a specified database record for further audit, and may also serve as input to a fine-grained policy control unit. The fine-grained policy control unit can block the access according to whether the parsed key field contains illegal information, or block it on the basis of the parsed key field itself, thereby implementing fine-grained behavior management.
The embodiment provides a network access management apparatus: the data flow rule corresponding to the network access is determined, parsing functions are filtered according to that data flow rule, and the key field in the data of the network access is obtained and parsed with the filtered parsing functions. Because the data flow rule filters the parsing functions, and the parsing functions to be filtered include functions corresponding to several data flow rules, even when several types of network access occur at the same time the embodiment of the invention can still obtain, from the data of the network access, the parsed key field corresponding to the type of that network access, and can therefore manage the network access according to the parsed key field. This improves the efficiency of managing network access and improves the user experience.
Through the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented in hardware, in firmware, or in a combination of them. When implemented in software, the above functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that a computer can access. By way of example and not limitation, computer-readable media may include random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disc storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. In addition, any connection can properly be termed a computer-readable medium. For example, if the software is transmitted from a website, server or other remote source over a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL) or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL or wireless technologies such as infrared, radio and microwave are included in the definition of medium.
Through the above description of the embodiments, those skilled in the art can clearly understand that, when the present invention is implemented in software, the instructions or code for executing the above method may be stored in a computer-readable medium or transmitted through a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that a computer can access. By way of example and not limitation, computer-readable media may include RAM, ROM, electrically erasable programmable read-only memory (EEPROM), optical discs, magnetic disks or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited to them; any change or substitution that a person familiar with the art could readily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be defined by the scope of the claims.

Claims (10)

1. A network access management method, characterized in that it comprises:
obtaining data of a network access, and determining, according to the data of the network access, a data flow rule corresponding to the network access;
filtering parsing functions according to the data flow rule, and obtaining a key field in the data of the network access with the filtered parsing functions and parsing the key field, the parsed key field being used to manage the network access.
2. The network access management method according to claim 1, characterized in that determining, according to the data of the network access, the data flow rule corresponding to the network access comprises:
determining an application node of the data of the network access, and determining a message payload of the data of the network access within the data of the network access according to the application node;
matching the message payload of the data of the network access against feature strings to determine the data flow rule corresponding to the network access, the feature strings corresponding to data flow rules.
3. The network access management method according to claim 2, characterized in that the method further comprises:
checking the IP address, transport-layer protocol and port according to the data of the network access, so as to determine again, according to the check result, the data flow rule corresponding to the network access.
4. The network access management method according to claim 1, characterized in that obtaining the key field in the data of the network access with the filtered parsing functions and parsing the key field comprises:
searching for the key field in the data of the network access and parsing the found key field with the parsing function corresponding to the data flow rule;
when it is determined that the searched data of the network access does not contain the key field and the data of the network access is transmitted across messages, obtaining newly arriving data of the network access, searching for the key field in the newly arriving data of the network access, and parsing the found key field with the parsing function corresponding to the data flow rule.
5. The network access management method according to claim 1, characterized in that the method further comprises:
saving the parsed key field in a preset format, the preset format corresponding to the network access.
6. A network access management apparatus, characterized in that it comprises:
an acquisition module, configured to obtain data of a network access;
a processing module, configured to determine, according to the data of the network access, a data flow rule corresponding to the network access;
the processing module being further configured to filter parsing functions according to the data flow rule, and to obtain a key field in the data of the network access with the filtered parsing functions and parse the key field, the parsed key field being used to manage the network access.
7. The network access management apparatus according to claim 6, characterized in that the processing module is specifically configured to:
determine an application node of the data of the network access, determine a message payload of the data of the network access within the data of the network access according to the application node, and match the message payload of the data of the network access against feature strings to determine the data flow rule corresponding to the network access, the feature strings corresponding to data flow rules.
8. The network access management apparatus according to claim 7, characterized in that the processing module is further configured to:
check the IP address, transport-layer protocol and port according to the data of the network access, so as to determine again, according to the check result, the data flow rule corresponding to the network access.
9. The network access management apparatus according to claim 6, characterized in that the processing module is specifically configured to:
search for the key field in the data of the network access and parse the found key field with the parsing function corresponding to the data flow rule;
when it is determined that the searched data of the network access does not contain the key field and the data of the network access is transmitted across messages, obtain newly arriving data of the network access, search for the key field in the newly arriving data of the network access, and parse the found key field with the parsing function corresponding to the data flow rule.
10. The network access management apparatus according to claim 6, characterized in that the network access management apparatus further comprises a storage module;
the processing module being further configured to:
control the storage module to save the parsed key field in a preset format, the preset format corresponding to the network access.
CN201611055650.1A 2016-11-25 2016-11-25 A kind of management method and device of network access Active CN106411944B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611055650.1A CN106411944B (en) 2016-11-25 2016-11-25 A kind of management method and device of network access

Publications (2)

Publication Number Publication Date
CN106411944A true CN106411944A (en) 2017-02-15
CN106411944B CN106411944B (en) 2019-09-20

Family

ID=58081916

Country Status (1)

Country Link
CN (1) CN106411944B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108737203A (en) * 2017-04-13 2018-11-02 中国移动通信有限公司研究院 A kind of method and device of set extraction

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101316239A (en) * 2008-07-23 2008-12-03 中兴通讯股份有限公司 Method for controlling access and forwarding in virtual special LAN service network
US7916701B1 (en) * 2002-08-27 2011-03-29 Cisco Technology, Inc. Virtual addressing to support wireless access to data networks
CN103118007A (en) * 2013-01-06 2013-05-22 瑞斯康达科技发展股份有限公司 Method and system of acquiring user access behavior
CN103475637A (en) * 2013-04-24 2013-12-25 携程计算机技术(上海)有限公司 Network access control method and system based on IP access behaviors

Also Published As

Publication number Publication date
CN106411944B (en) 2019-09-20

Similar Documents

Publication Publication Date Title
KR101010302B1 (en) Security management system and method for IRC and HTTP botnets
US7975025B1 (en) Smart prefetching of data over a network
US6665634B2 (en) Test system for testing dynamic information returned by a web server
CN107786545A (en) Attack detection method and terminal device
US20100064234A1 (en) System and Method for Browser within a Web Site and Proxy Server
CN108259425A (en) Method, apparatus and server for determining query attacks
US20090015599A1 (en) Draggable mechanism for identifying and communicating the state of an application
CN107251528B (en) Method and apparatus for providing data originating within a service provider network
CN103607385A (en) Browser-based security detection method and apparatus
CN102946343A (en) Method and system for accessing virtual rooms of audio and video communities
Trevisan et al. AWESoME: Big data for automatic Web service management in SDN
CN102281337A (en) Destination address access control method and system
WO2006071324A2 (en) Improved bitmask access for managing blog content
CN109831429A (en) Webshell detection method and device
Kim et al. Analyzing traffic by domain name in the data plane
CN108206769A (en) Screen quality alarm method, apparatus, device and medium
CN107528812A (en) Attack detection method and device
CN108462615A (en) Network user grouping method and device
CN110636038A (en) Account analysis method, account analysis device, security gateway and system
CN104462242B (en) Webpage capacity of returns statistical method and device
CN108345793A (en) Software detection feature extraction method and device
CN106528805A (en) User-based intelligent analysis and mining method for mobile Internet malicious program URLs
CN106411819A (en) Method and apparatus for recognizing proxy Internet protocol address
CN104811418B (en) Virus detection method and device
CN106411944B (en) Network access management method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant