Network connection tracking method using a balanced binary tree algorithm
Technical field
The present invention relates to the field of information security, and more particularly to a network connection tracking method using a balanced binary tree algorithm.
Background art
The prior art provides an optimization method for connection tracking under the netfilter framework, comprising: defining and initializing the current connection tracking count M, the maximum connection tracking count Mmax, the current count of requested connection trackings N, and the maximum count of requested connection trackings Nmax, where Nmax > Mmax; when a new connection tracking is requested, incrementing N by 1 and judging whether M > Mmax; if so, creating the new connection tracking after performing aging processing; if not, judging whether N > Nmax, and if so returning an error, otherwise creating the new connection tracking; after the newly requested connection tracking is confirmed, incrementing M by 1 and adding it to the list of confirmed connection trackings. That embodiment guarantees the number of valid connection trackings; optimizes exception handling; clarifies the responsibilities of the two stages of connection tracking, alloc initialization and confirm; and ensures normal Internet access, with resources still maintained effectively when download speed is high.
The prior art also provides a network traffic identification system and method based on dynamic packet sampling, which provides a network connection tracking method and system. The method includes connection tracking logic, wherein the connection tracking logic includes a table for handling unconfirmed connections and a table for handling confirmed connections, and the method comprises the following steps: for an unconfirmed connection, judging whether it meets the confirmation condition; if it meets the confirmation condition, moving it to the table for handling confirmed connections; and performing subsequent protocol stack processing in turn on the connections in the table of confirmed connections. That invention uses a two-stage connection tracking table structure to minimize the limited network resources occupied by invalid or meaningless connections, while distinguishing packets in advance by tracking their connection state.
The prior art cannot achieve high-speed connection matching under limited memory, or the tracking of network connections by application-layer devices such as firewalls.
Summary of the invention
The present application provides a network connection tracking method using a balanced binary tree algorithm. It solves the problem that the technical solutions of the prior art cannot achieve high-speed connection matching under limited memory, or the tracking of network connections by application-layer devices such as firewalls.
In a first aspect, a network connection tracking method using a balanced binary tree algorithm is provided, the method comprising the following steps:
Step S101: obtain the five-tuple Y of each connection, Y comprising source IP, destination IP, source port, destination port and protocol, and insert Y into the balanced binary tree;
Step S102: search whether Y exists in the balanced binary tree T; if Y exists, update the data of the current root node Rx; if Y does not exist, perform step S103 and the subsequent steps;
Step S103: judge whether the balanced binary tree T has vacant node capacity; if T has no vacant node capacity, end the operation; if it has, judge whether Rx holds data; if Rx holds no data, insert the data into Rx and perform step S105 and the subsequent steps; if Rx holds data, perform step S104;
Step S104: compare Y with the five-tuple Xx of the current root node; if Y < Xx, enter the left child node Rx-1 of Rx and perform step D again; if Y > Xx, enter the right child node Rx+1 of Rx and perform step D again; if Y = Xx, update the data of the current root node Rx;
Step S105: balanced rotation of the binary tree, where the order of rotation, F1 or F2, is determined by the state;
The right subtree of the current root node is denoted R, and the left subtree of the current root node is denoted L;
F1: if the number of nodes in the right subtree of R is greater than the number of nodes in L, rotate binary tree T to the left; if the number of nodes in the left subtree of R is greater than the number of nodes in L, first rotate R to the right, update the node information of R, and then rotate binary tree T to the left;
F2: if the number of nodes in the left subtree of L is greater than the number of nodes in R, rotate binary tree T to the right; if the number of nodes in the right subtree of L is greater than the number of nodes in R, first rotate L to the left, update the node information of L, and then rotate binary tree T to the right;
Step S106: rotate the child nodes, specifically:
Taking the left subtree of the current root node as the root node, perform step F to rotate the left subtree, and update the left subtree information;
Taking the right subtree of the current root node as the root node, perform step F to rotate the right subtree, and update the right subtree information;
Step S107: in the doubly linked list, after data processing, move the five-tuple of the current data to the head node of the time list in the doubly linked list;
Step S108: when the connection ends, delete the five-tuple from the balanced binary tree, and also delete it from the doubly linked list.
Optionally, searching whether Y exists in the balanced binary tree T includes:
Comparing Y with Xx;
If Y < Xx, entering the left child node Rx-1 of root node Rx and comparing again;
If Y > Xx, entering the right child node Rx+1 of root node Rx and comparing again;
If Y = Xx, Y exists in binary tree T; if the node is empty, Y does not exist in binary tree T.
Optionally, judging whether the balanced binary tree T has vacant node capacity includes:
If the current number of nodes N >= the maximum number of nodes M, the binary tree has no remaining nodes;
If N < M, the binary tree has remaining nodes.
Optionally, deleting the five-tuple from the balanced binary tree when the connection ends, and also deleting it from the doubly linked list, includes:
First finding the node A to be deleted, and checking whether node A has left and right subtrees;
If neither a left nor a right subtree exists, deleting node A directly;
If only a left subtree or only a right subtree exists, deleting node A and replacing node A with its child node;
If both left and right subtrees exist, deleting node A, selecting according to the condition the right child node, which has the larger value, to replace node A, and updating the content of the time list at the same time.
In a second aspect, a computer program product is provided, the computer program product including a non-transitory computer-readable storage medium storing a computer program, the computer program being operable to cause a computer to perform the method described in the first aspect.
In a third aspect, a computer-readable storage medium is provided, which stores a computer program for electronic data interchange, wherein the computer program causes a computer to perform the method described in the first aspect.
With the technical solution provided by the invention, performing connection tracking with a balanced binary tree allows insertion, matching and deletion to be completed at higher speed; when the number of connections grows by 2^n-1, the growth rate of the matching speed of connection tracking is n times. After connection tracking is performed with a balanced binary tree, because the computation is stable and predictable, the memory and time consumed can be accurately calculated and controlled, and the method is not affected by changes in traffic addresses in the network: whether the five-tuples are concentrated or scattered, the matching speed remains stable.
Brief description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the accompanying drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description show some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the network connection tracking method using a balanced binary tree algorithm provided by the first preferred embodiment of the invention;
Fig. 2 is a structure diagram of a network connection tracking system provided by the second preferred embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are some, rather than all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
Referring to Fig. 1, Fig. 1 shows a network connection tracking method using a balanced binary tree algorithm proposed by the first preferred embodiment of the invention. As shown in Fig. 1, the method comprises the following steps:
A: Obtain the five-tuple {source IP, destination IP, source port, destination port, protocol} of each connection, denoted Y, and insert connection Y into the balanced binary tree.
B: The binary tree is denoted T, the maximum number of nodes of the binary tree is denoted M, the current number of nodes is denoted N, the current root node is denoted Rx, and the five-tuple of the current root node is denoted Xx.
C: Search whether Y exists in binary tree T.
Step C may be performed as follows:
Compare Y with Xx.
If Y < Xx, enter the left child node Rx-1 of root node Rx and compare again.
If Y > Xx, enter the right child node Rx+1 of root node Rx and compare again.
If Y = Xx, Y exists in binary tree T, and only the data of the current root node Rx needs to be updated; if the node is empty, Y does not exist in binary tree T, and step D is performed.
D: Judge whether binary tree T has vacant node capacity.
Step D may be performed as follows: compare N with M.
If N >= M, the binary tree has no remaining nodes, and no processing is performed.
If N < M, judge whether the current root node Rx holds data, i.e. whether data can be inserted. If Rx holds data, perform step E; if Rx holds no data, insert the data into Rx and perform step F to rotate the binary tree.
E: Compare five-tuple Y with five-tuple Xx.
If Y < Xx, enter the left child node Rx-1 of root node Rx and perform step D again.
If Y > Xx, enter the right child node Rx+1 of root node Rx and perform step D again.
If Y = Xx, the data are identical, and only the data of the current root node Rx needs to be updated.
F: Balanced rotation of the binary tree. The order of rotation, F1 or F2, is determined by the state.
The right subtree of the current root node is denoted R, and the left subtree of the current root node is denoted L.
F1: Update R. If the number of nodes in the right subtree of R is greater than the number of nodes in L, rotate binary tree T to the left. If the number of nodes in the left subtree of R is greater than the number of nodes in L, first rotate R to the right, update the node information of R, and then rotate binary tree T to the left. Otherwise, no processing is performed;
F2: Update L. If the number of nodes in the left subtree of L is greater than the number of nodes in R, rotate binary tree T to the right. If the number of nodes in the right subtree of L is greater than the number of nodes in R, first rotate L to the left, update the node information of L, and then rotate binary tree T to the right. Otherwise, no processing is performed.
G: Rotate the child nodes.
Taking the left subtree of the current root node as the root node, perform step F to rotate the left subtree, and update the left subtree information.
Taking the right subtree of the current root node as the root node, perform step F to rotate the right subtree, and update the right subtree information.
The current root node performs step F to rotate the left subtree.
The current root node performs step F to rotate the right subtree.
H: In the doubly linked list, after data processing, move the five-tuple of the current data to the head node of the time list in the doubly linked list, which ensures that the most recently accessed data is always at the very front of the time list.
I: When the connection ends, delete the five-tuple from the balanced binary tree, and also delete it from the doubly linked list.
First find the node A to be deleted, and check whether node A has left and right subtrees.
If neither a left nor a right subtree exists, delete node A directly.
If only a left subtree or only a right subtree exists, delete node A and replace node A with its child node.
If both left and right subtrees exist, delete node A and select, according to the condition, the right child node, which has the larger value, to replace node A.
Update the content of the time list at the same time.
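Steps C to G above, as an added Python sketch that is not code from the patent: lookup, the N >= M capacity check, and insertion with the size-based rotations F1/F2 followed by the child pass of step G (the rule used by size-balanced trees). The names Node, size, rotate, maintain, find, insert and track are assumptions; the time list of step H and the deletion of step I are left out.

```python
# Added example; all names here are assumptions, not identifiers from the patent.
class Node:
    def __init__(self, key, data):
        self.key, self.data, self.left, self.right, self.size = key, data, None, None, 1
def size(n):
    return n.size if n else 0
def rotate(t, to_left):  # to_left: the right child becomes the subtree root
    a, b = ("right", "left") if to_left else ("left", "right")
    r = getattr(t, a)
    setattr(t, a, getattr(r, b))
    setattr(r, b, t)
    r.size, t.size = t.size, size(t.left) + size(t.right) + 1
    return r

def maintain(t, right_heavy):  # step F: F1 when right_heavy, otherwise F2
    a, b = ("right", "left") if right_heavy else ("left", "right")
    if t is None or getattr(t, a) is None:
        return t
    heavy, other = getattr(t, a), size(getattr(t, b))
    if size(getattr(heavy, a)) > other:      # outer grandchild larger: single rotation
        t = rotate(t, right_heavy)
    elif size(getattr(heavy, b)) > other:    # inner grandchild larger: double rotation
        setattr(t, a, rotate(heavy, not right_heavy))
        t = rotate(t, right_heavy)
    else:
        return t
    t.left, t.right = maintain(t.left, False), maintain(t.right, True)  # step G
    return maintain(maintain(t, True), False)

def find(t, key):  # step C: walk left or right until the key or an empty node
    while t and t.key != key:
        t = t.left if key < t.key else t.right
    return t
def insert(t, key, data):  # steps E and F for a key known to be absent
    if t is None:
        return Node(key, data)
    t.size += 1
    side = "right" if key > t.key else "left"
    setattr(t, side, insert(getattr(t, side), key, data))
    return maintain(t, side == "right")

def track(root, key, data, max_nodes):  # returns (root, outcome)
    n = find(root, key)
    if n is None and size(root) >= max_nodes:  # step D: N >= M, nothing is stored
        return root, "full"
    if n is None:
        return insert(root, key, data), "inserted"
    n.data = data                              # Y == Xx: update only
    return root, "updated"
```

Keys are plain tuples such as ("10.0.0.1", "10.0.0.2", 1024, 443, 6), so sequential source ports, the ordering that would degrade an unbalanced tree into a list, still give a shallow tree, and a flood of new five-tuples beyond max_nodes is refused instead of growing memory.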
The beneficial effects of the invention are as follows:
By performing connection tracking with a balanced binary tree, insertion, matching and deletion can be completed at higher speed; when the number of connections grows by 2^n-1, the growth rate of the matching speed of connection tracking is n times.
After connection tracking is performed with a balanced binary tree, because the computation is stable and predictable, the memory and time consumed can be accurately calculated and controlled, and the method is not affected by changes in traffic addresses in the network: whether the five-tuples are concentrated or scattered, the matching speed remains stable.
It should be noted that, for brevity, each of the foregoing method embodiments is described as a series of combined actions, but those skilled in the art should know that the present invention is not limited by the described order of actions, because according to the present invention certain steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
Those of ordinary skill in the art will appreciate that all or some of the steps in the methods of the above embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, and the storage medium can include: a flash disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or the like.
The content download method and the related device and system provided by the embodiments of the present invention have been described in detail above. Specific examples are used herein to explain the principle and embodiments of the present invention, and the description of the above embodiments is only intended to help in understanding the method of the present invention and its core idea. Meanwhile, for those of ordinary skill in the art, there will be changes in the specific embodiments and the scope of application according to the idea of the present invention. In summary, the content of this specification should not be construed as limiting the present invention.