CN108134751A - Method and device for reassembling text to be detected from TCP segment messages - Google Patents

Method and device for reassembling text to be detected from TCP segment messages

Info

Publication number
CN108134751A
Authority
CN
China
Prior art keywords
tcp segment
segment message
sequence number
divided
sequence
Prior art date
Legal status
Granted
Application number
CN201711316411.1A
Other languages
Chinese (zh)
Other versions
CN108134751B (en)
Inventor
孙行鹭
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201711316411.1A
Publication of CN108134751A
Application granted
Publication of CN108134751B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 49/00 Packet switching elements
    • H04L 49/90 Buffering arrangements
    • H04L 49/9057 Arrangements for supporting packet reassembly or resequencing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The present application provides a method for reassembling text to be detected from TCP segment messages. At least one TCP segment message into which the same data is divided is identified by a one-to-one sequence number, and the sequence numbers change in the order in which the TCP segment messages were divided. The method includes: determining the length n of the data in any received TCP segment message; when n ≥ 2k, sequentially dividing the data in the received TCP segment message into at least two blocks, where the first and last blocks each have length k and k is a data partition length determined in advance from the length of the attack signature; and, following the order in which the sequence numbers of the received TCP segment messages change, splicing the first block of any received TCP segment message after the last block of the preceding TCP segment message to reassemble a text to be detected. With this scheme, the memory resources of the device are saved and transmission efficiency is improved.

Description

Method and device for reassembling text to be detected from TCP segment messages
Technical field
This application relates to the field of computer technology, and in particular to a method and device for reassembling text to be detected from TCP segment messages.
Background technology
TCP (Transmission Control Protocol), a connection-oriented, reliable transport-layer protocol, is widely used for network data transmission. Managing TCP messages and detecting attacks in them has therefore become one of the important tasks of security network devices such as WAFs (Web Application Firewalls), IPSs (Intrusion Prevention Systems) and anti-virus gateways. Because the attack content carried in TCP messages transmitted over the network generally has certain features, pattern matching is one of the common methods of attack detection on TCP messages: the features of the attack content are extracted first and then matched against the text of the TCP message; if the match succeeds, the message can be determined to contain attack content.
Since a data packet containing a large block of data is divided into multiple TCP segment messages for transmission, a feature of the attack content may be split between two adjacent TCP segment messages, while pattern-matching algorithms require the text being matched to be continuous. If each segment message is only detected separately, a feature that spans segments cannot be detected, so the TCP segment messages must be reassembled into a continuous text to be detected. In the prior art, every TCP segment message of the same data packet is buffered and then sequentially reassembled into one complete text, which is then pattern-matched against the features of the attack content. Because every TCP segment of the whole data packet must be buffered and completely reassembled into the text to be detected, this occupies a large amount of memory on the network device and takes a long time, which increases transmission delay and reduces transmission efficiency.
Invention content
In view of this, the present application provides a method and device for reassembling text to be detected from TCP segment messages. The technical solution is as follows:
A method for reassembling text to be detected from TCP segment messages, characterized in that at least one TCP segment message into which the same data is divided is identified by a one-to-one sequence number, the sequence numbers changing in the order in which the TCP segment messages were divided; the method includes:
determining the length n of the data in any received TCP segment message;
when n ≥ 2k, sequentially dividing the data in the received TCP segment message into at least two blocks, wherein the first and last blocks each have length k, and k is a data partition length determined in advance from the length of the attack signature;
following the order in which the sequence numbers of the received TCP segment messages change, splicing the first block of data of any received TCP segment message after the last block of data of the preceding TCP segment message, to reassemble a text to be detected.
A device for reassembling text to be detected from TCP segment messages, characterized in that at least one TCP segment message into which the same data is divided is identified by a one-to-one sequence number, the sequence numbers changing in the order in which the TCP segment messages were divided; the device includes:
a length determination module, configured to determine the length n of the data in any received TCP segment message;
a data division module, configured to, when n ≥ 2k, sequentially divide the data in the received TCP segment message into at least two blocks, wherein the first and last blocks each have length k, and k is a data partition length determined in advance from the length of the attack signature;
a text reassembly module, configured to, following the order in which the sequence numbers of the received TCP segment messages change, splice the first block of data of any received TCP segment message after the last block of data of the preceding TCP segment message, to reassemble a text to be detected.
With the technical solution provided by this application, only the head and tail portions of each TCP segment message that may contain part of the attack content need to be intercepted, according to the length of the attack-content feature, and the data intercepted from two adjacent TCP segment messages is reassembled into one text that serves as the text to be detected when pattern matching for the attack signature. This saves memory resources on the network device, takes less time, reduces transmission delay and improves transmission efficiency.
It should be understood that the above general description and the following detailed description are merely exemplary and explanatory and do not limit the application. Moreover, no embodiment of the application is required to achieve all of the above effects.
Description of the drawings
To explain the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some of the embodiments described in this application, and a person of ordinary skill in the art could obtain other drawings from them.
Fig. 1 is a schematic diagram of a TCP segment message format according to an embodiment of this application;
Fig. 2 is a flow diagram of the method for reassembling text to be detected from TCP segment messages according to an embodiment of this application;
Fig. 3 is a schematic diagram of an attack signature divided across TCP segment messages according to an embodiment of this application;
Fig. 4 is a schematic diagram of the data in TCP segment messages being divided into data blocks according to an embodiment of this application;
Fig. 5 is a schematic diagram of the storage and splicing of the data blocks into which TCP segment messages are divided according to an embodiment of this application;
Fig. 6 is a first structural diagram of the device for reassembling text to be detected from TCP segment messages according to an embodiment of this application;
Fig. 7 is a second structural diagram of the device for reassembling text to be detected from TCP segment messages according to an embodiment of this application.
Specific embodiment
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application; rather, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in this application are for the purpose of describing particular embodiments only and are not intended to limit the application. The singular forms "a", "the" and "said" used in this application and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
The basic principle of data transmission over a TCP connection is first introduced briefly:
When a large block of data is transmitted over TCP, the sender divides the whole block into multiple data segments, forming multiple TCP segment messages for transmission. The multiple TCP segment messages into which the same data is divided form one TCP data packet, each TCP segment message is identified by a one-to-one sequence number, and the order in which the sequence numbers change is determined by the order in which the TCP segment messages were divided, so that after receiving the multiple TCP segment messages belonging to one TCP data packet, the receiver can, according to the order of the sequence numbers of the TCP segment messages, rearrange the segment messages in the order in which they were divided and recover the data block as it was before division. The format of a TCP segment message may be as shown in Fig. 1, where the sequence number is the sequence number of the current TCP segment message, the segment length is the length of the data in the current TCP segment message, and the flag bits are used to control the establishment and termination of the TCP connection.
Before transmitting data, the sender and receiver establish a TCP connection by a three-way handshake, during which the two sides negotiate and confirm the initial sequence numbers and the maximum length of the data in each TCP segment message. After the TCP connection is established, data transmission can begin: after the receiver receives a TCP segment message from the sender, it returns a corresponding acknowledgement message, and the sender retransmits any message that is not acknowledged. After the data transmission is completed, the two sides tear down the established TCP connection by a four-way handshake.
Through the sequence number of each TCP segment message, TCP ensures the order of the transmitted data, and through its retransmission mechanism it ensures the completeness of the transmitted data; this makes TCP a reliable, connection-oriented transport protocol that is widely used in network data transmission, so attack detection on TCP messages has also become an important task. The common method is pattern matching, i.e. the features of attack content are extracted first and then matched against the text of the TCP message; if the match succeeds, the message can be determined to contain attack content. Because pattern-matching algorithms require the matched text to be continuous, and data containing an attack signature may be divided between two adjacent TCP segment messages when the data segments are divided, this application proposes a method for reassembling text to be detected from TCP segment messages. As shown in Fig. 2, the method may include the following steps:
S101: determine the length n of the data in any received TCP segment message;
Since the length of the whole block of data transmitted in each TCP connection is not necessarily the same, the lengths of the data segments into which it is divided are also not fixed. Therefore, for any received TCP segment message, it is first necessary to judge, from the data length, whether the data in it may contain an attack signature, and whether the contained feature is only a partial feature, i.e. whether the complete feature has been divided into two adjacent TCP segment messages.
The data length n of any received TCP segment message can be determined from the value of the segment length in the header information of the TCP segment message (on the wire, a standard TCP header carries no explicit data-length field; the data length is obtained from the IP total length minus the IP and TCP header lengths), or can be determined by other detection means. This application does not in principle limit the way in which the data length n is determined, and in practice a person skilled in the art can choose a suitable way according to the actual situation.
S102: when n ≥ 2k, sequentially divide the data in the received TCP segment message into at least two blocks, wherein the first and last blocks each have length k, and k is a data partition length determined in advance from the length of the attack signature;
Fig. 3 shows a complete attack signature divided into two adjacent TCP segment messages. It can be seen that an attack signature that spans two TCP segment messages can only be present in the final or initial part of the data in each TCP segment message: if the lengths of the data and the signature are expressed in bytes, it exists only in "some bytes counting leftwards from the last byte" or "some bytes counting rightwards from the first byte" of the data in each TCP segment message. Of course, Fig. 3 shows only one distribution of the attack signature; part of an attack signature may also be present at the left end of TCP segment message 1 and at the right end of TCP segment message 2. Therefore, in this scheme the data in a TCP segment message is divided into at least two blocks, obtaining a first block and a last block that may contain part of an attack signature, as shown in Fig. 4, i.e. the 1st and 2nd blocks into which TCP segment message 1 is divided and the 1st and 3rd blocks into which TCP segment message 2 is divided.
The data partition length k used when dividing the data in each TCP segment message can be determined in advance from the length of the attack signature. Suppose the length of the attack signature to be detected across TCP segment messages is m; then each of the two adjacent TCP segment messages in which the signature lies may contain part of the signature, and each of these two parts is shorter than m. The data partition length k can therefore be determined from the signature length m in combination with the specific situation. For example, if the memory resources of the device receiving and detecting the TCP data packets are limited, or the receiver and sender of the TCP data packets have high requirements on transmission efficiency, k can be set to a smaller value less than m, to reduce the length of the divided data blocks and of the text reassembled from them. However, when k is small, the divided blocks may miss part of the signature, so that the reassembled text to be detected contains only an incomplete attack signature and the attack content cannot be found by pattern matching. To reduce the miss rate, where there is no limitation on device memory or transmission efficiency, k can be set to a larger value, even larger than m. Among all values of k determined from m, the optimal value that both guarantees no signature is missed and saves as much memory as possible, improving transmission efficiency, is (m-1): with j bytes of the signature at the end of one message and m-j at the start of the next, both parts are captured only if j ≤ k and m-j ≤ k, and since j can be any value from 1 to m-1 this requires k ≥ m-1. Of course, this scheme does not need to limit the value of k; in practice a person skilled in the art can determine a suitable k according to actual requirements.
After the value of the data partition length k is determined, the data in the received TCP segment message can be divided. For example, for TCP segment message 2 in Fig. 4, assuming the length of the data in the message is n, one block of length k is taken at each of the left and right ends of the data, giving three blocks: the 1st and 3rd blocks have length k, and the 2nd block has the remaining length (n-2k). Of course, if n is exactly 2k, the situation shown for TCP segment message 1 in Fig. 4 may occur, where the data in the message is divided into just two blocks. Therefore, before dividing the data in a TCP segment message, it is also necessary to judge whether the data length n satisfies n ≥ 2k; only when it does is it guaranteed that, when the data is divided with length k, two blocks of length k can be marked off from the two ends of the data without the two blocks overlapping and causing the division to fail.
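The following is an added example (not code from the patent or its assignee) that checks the choice of k discussed above by brute force: it places a signature of length m across a segment boundary in every possible way, builds the boundary text from the last k bytes of one segment and the first k bytes of the next, and reports whether the whole signature survives. The sample signature and the filler bytes are constructed for the example; the handling of a segment shorter than 2k (used whole here) is an assumption, since the patent leaves that case open.

```python
# Added example (not from the patent): checks that k = m - 1 is the smallest
# data partition length that never misses an attack signature of length m
# split across two adjacent TCP segment messages (step S102).

FILLER = b"A" * 64  # constructed padding; must not share bytes with the signature


def boundary_text(seg1: bytes, seg2: bytes, k: int) -> bytes:
    """Text to be detected for the boundary between two adjacent segments:
    the last k bytes of seg1 spliced before the first k bytes of seg2.
    Assumption (the patent leaves it open): a segment whose data length n
    is below 2k is not divided and is used whole."""
    tail = seg1[-k:] if len(seg1) >= 2 * k else seg1
    head = seg2[:k] if len(seg2) >= 2 * k else seg2
    return tail + head


def catches_every_split(signature: bytes, k: int) -> bool:
    """Place the signature across the boundary in every possible way
    (j bytes at the end of segment 1, m - j bytes at the start of segment 2)
    and report whether the reassembled boundary text always contains it."""
    m = len(signature)
    for j in range(1, m):
        seg1 = FILLER + signature[:j]
        seg2 = signature[j:] + FILLER
        if signature not in boundary_text(seg1, seg2, k):
            return False
    return True


def smallest_safe_k(signature: bytes) -> int:
    """Smallest k for which no split of the signature is missed.
    The tail block keeps the last k of the j bytes in segment 1 and the head
    block the first k of the m - j bytes in segment 2, so the whole signature
    is present iff j <= k and m - j <= k; over all j this forces k >= m - 1."""
    return next(k for k in range(1, len(signature) + 1)
                if catches_every_split(signature, k))


if __name__ == "__main__":
    sig = b"../../etc/passwd"  # constructed sample signature, m = 16
    for k in (8, 14, 15, 16):
        print(f"k={k:2d} catches every split: {catches_every_split(sig, k)}")
    print("smallest safe k:", smallest_safe_k(sig), "= m - 1 =", len(sig) - 1)
```

Because the filler byte never occurs in the signature, the only way the signature can appear in the boundary text is as the genuine aligned copy, so the check is exact rather than accidental; with a filler that shares bytes with the signature the test could report false catches.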
S103: following the order in which the sequence numbers of the received TCP segment messages change, splice the first block of data of any received TCP segment message after the last block of data of the preceding TCP segment message, to reassemble a text to be detected.
After the data in the messages has been divided into the required blocks, the order and adjacency of the messages can be determined from the order in which the sequence numbers of the TCP segment messages change, and the data blocks of adjacent messages are spliced pairwise to reassemble the text to be detected. Taking TCP segment messages 1 and 2 in Fig. 3 and Fig. 4 as an example: in Fig. 3, before transmission the sender divided the data into two segments, forming adjacent TCP segment messages 1 and 2, identified by adjacent sequence numbers in their headers; in Fig. 4, according to S101 and S102 of this scheme, the data in the two messages is divided into two and three blocks respectively, and by the sequence numbers of the two messages TCP segment message 1 is the predecessor of TCP segment message 2. Therefore, the 1st block into which TCP segment message 2 is divided can be spliced after the 2nd, i.e. last, block into which TCP segment message 1 is divided to reassemble one continuous text to be detected, in order to detect whether an attack signature spanning the two messages exists in TCP segment messages 1 and 2. In addition, the 1st block of TCP segment message 1 can also be spliced with the last block of its predecessor determined by sequence number, and the 3rd block of TCP segment message 2 with the first block of its successor determined by sequence number, each pair being reassembled into a text to be detected, while the 2nd block of TCP segment message 2 need not be reassembled at all (each message is still matched on its own for signatures lying entirely within it; only the boundaries need the reassembled text), which saves device memory and improves transmission efficiency.
This scheme reassembles the data blocks into which adjacent messages are divided into a text according to the order in which the sequence numbers of the received TCP segment messages change. Therefore, when transmitting TCP segment messages, so that the receiver can obtain the sequence numbers and the way they change in order to reassemble the text in the correct order, the sender can also send the sequence numbers of the divided TCP segment messages and the order in which they change to the receiver, or the two sides can negotiate the first sequence number and the way it changes in advance, etc.; the basic scheme of this application does not need to limit this, and a person skilled in the art can flexibly choose a suitable way in practice. In one specific embodiment of this application, the two parties to the data transmission can negotiate the way the sequence numbers change in advance, and after any TCP segment message is received, compute the sequence number and/or sequence-number range of the adjacent messages from the sequence number of the message and the negotiated way of change, then compare the computed result with the sequence numbers of the other received messages to determine the order in which the sequence numbers of the received messages change.
In addition, the sequence numbers of the TCP segment messages in a TCP data packet change in the order in which the messages were divided; for example, they may increase or decrease message by message starting from a certain value, etc. A person skilled in the art can flexibly choose the way the sequence numbers change in practice, and the basic scheme of this application does not need to limit this. A more convenient way is to use directly the way sequence numbers change when a TCP connection is established and data is transmitted: when data is transmitted over a TCP connection, the sequence number in the TCP segment message header does not usually number the segment messages; instead, all data transmitted during the lifetime of the connection is treated as one byte stream, the sequence number is the number of each byte in the whole byte stream, the sequence number in each message header is the sequence number of the first byte of the data in that message, and the sequence number in the header of the next message is the sequence number of the first byte of the data in the next message, which should be the sequence number of the previous message plus the number of data bytes in it.
Therefore, in one specific embodiment of this application, the sequence number and/or sequence-number range of the adjacent messages can be computed from the length of the data in each TCP segment message. Suppose the sequence number of a received message is S_i and the length of its data is n_i; then the sequence number of the next message is S_{i+1} = S_i + n_i. When computing the sequence number of the previous message, since the data length n_{i-1} of the previous message is unknown, S_{i-1} = S_i - n_{i-1} cannot be computed directly; but if the two parties have negotiated the maximum data length N per message in advance, the range of the sequence number S_{i-1} of the previous TCP segment message can be computed as S_i - N ≤ S_{i-1} < S_i. (In a real TCP stream the sequence numbers are 32-bit values that wrap around modulo 2^32, and the SYN and FIN flags each consume one sequence number; an implementation has to perform this arithmetic modulo 2^32 and account for those flags.)
In addition, regarding the process of splicing the data blocks into which each message is divided pairwise, according to the order in which the sequence numbers of the received TCP segment messages change, to reassemble texts to be detected: in one specific embodiment of this application, the data blocks into which a TCP segment message is divided can first be stored in correspondence with its sequence number, and once it is determined from the order of the sequence numbers that the data blocks of the adjacent message have also been stored, the corresponding data blocks are reassembled into a text to be detected in the manner described above. As shown in Fig. 5, when storing, the first and last blocks into which each message is divided can also be stored directly, in the order of the sequence numbers, at the corresponding positions of a pre-established TCP message list; then, when two data blocks at adjacent positions do not belong to the same message, the two can be spliced directly and reassembled into a text to be detected.
Of course, the process of splicing the data blocks into which each message is divided pairwise, according to the order in which the sequence numbers of the received TCP segment messages change, to reassemble texts to be detected can also be realized in various other ways. For example, the first and last blocks of each message can be stored in the order of their sequence numbers and, after the data blocks of all messages have been stored, spliced together at once to reassemble the texts to be detected; or, since TCP segment messages are usually transmitted in order, each message can be spliced in sequence-number order as it is received and divided; etc. The basic scheme of this application does not need to limit this, and a person skilled in the art can flexibly choose a suitable way in practice.
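The following is an added example (not code from the patent or its assignee) that puts steps S101 to S103 together with the sequence-number embodiment above: each received segment is reduced to its first and last k data bytes keyed by its sequence number, the successor is located through S_{i+1} = S_i + n_i and the predecessor through S_i - N ≤ S_{i-1} < S_i, and a boundary text is emitted as soon as both sides of a boundary have been stored, so out-of-order arrival is handled. Sequence arithmetic is done modulo 2^32. The HTTP request, the signature, the initial sequence number, k and N are all constructed for the example; keeping a segment shorter than 2k whole is an assumption the patent does not state, and simple substring matching stands in for the device's pattern-matching engine.

```python
# Added example (not from the patent): per-connection reassembly of the head
# and tail blocks of TCP segment messages into boundary texts, driven by the
# byte-stream sequence numbers (S101-S103 plus the sequence-number embodiment).

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


class BoundaryReassembler:
    """Keeps, per received segment, only the first and last k data bytes
    (keyed by sequence number, like the patent's TCP message list) and emits
    a text to be detected as soon as both sides of a boundary are known.
    Assumptions: k and the maximum data length N are given; a segment with
    n < 2k is kept whole, a case the patent leaves unspecified."""

    def __init__(self, k: int, max_len: int, signatures):
        self.k = k
        self.max_len = max_len            # negotiated maximum data length N
        self.signatures = list(signatures)
        self.heads = {}                   # seq -> first k bytes
        self.tails = {}                   # seq -> last k bytes
        self.lengths = {}                 # seq -> n
        self.buffered = 0                 # bytes retained, vs. full buffering

    def add_segment(self, seq: int, payload: bytes) -> list:
        """S101: n = len(payload). S102: split off head/tail of length k.
        S103: splice with the neighbours found via S_{i+1} = S_i + n_i and
        S_i - N <= S_{i-1} < S_i. Returns the boundary texts now complete."""
        n = len(payload)
        if n >= 2 * self.k:
            head, tail = payload[: self.k], payload[-self.k :]
            self.buffered += 2 * self.k
        else:
            head = tail = payload          # assumption for short segments
            self.buffered += n
        self.heads[seq], self.tails[seq], self.lengths[seq] = head, tail, n

        ready = []
        nxt = (seq + n) % SEQ_MOD          # successor, if already received
        if nxt in self.heads:
            ready.append(tail + self.heads[nxt])
        for prev, n_prev in self.lengths.items():  # predecessor, if received
            gap = (seq - prev) % SEQ_MOD
            if 0 < gap <= self.max_len and (prev + n_prev) % SEQ_MOD == seq:
                ready.append(self.tails[prev] + head)
                break
        return ready

    def scan(self, text: bytes) -> list:
        """Substring matching stands in for the device's signature engine."""
        return [sig for sig in self.signatures if sig in text]


def inspect_stream(segments, k: int, max_len: int, signatures):
    """Feed (seq, payload) pairs in arrival order. Returns the signatures found
    inside single segments, those found only in cross-boundary texts, and the
    number of data bytes retained. Each payload is still scanned on its own;
    only the boundaries need the reassembled text."""
    r = BoundaryReassembler(k, max_len, signatures)
    in_segment, across_boundary = [], []
    for seq, payload in segments:
        in_segment += r.scan(payload)
        for text in r.add_segment(seq, payload):
            across_boundary += r.scan(text)
    return in_segment, across_boundary, r.buffered


SIGNATURE = b"../../etc/passwd"  # constructed sample signature, m = 16


def sample_segments():
    """Constructed HTTP request cut into three segments so that the signature
    straddles the second and third (6 bytes + 10 bytes); delivered out of order."""
    data = (b"GET /download?file=" + b"A" * 40 + SIGNATURE
            + b" HTTP/1.1\r\nHost: example.test\r\n\r\n")
    cuts = [0, 32, 65, len(data)]
    isn = 1000  # constructed sequence number of the first data byte
    segs = [(isn + a, data[a:b]) for a, b in zip(cuts, cuts[1:])]
    return [segs[2], segs[0], segs[1]]


if __name__ == "__main__":
    in_seg, across, kept = inspect_stream(sample_segments(), 15, 64, [SIGNATURE])
    print("found within a single segment:", in_seg)
    print("found across a segment boundary:", across)
    print("bytes retained:", kept, "of", sum(len(p) for _, p in sample_segments()))
```

With k = 15 the split signature is found only in the boundary text while the three payloads on their own match nothing; with k = 9 the same stream is missed, because the 10-byte part in the third segment exceeds k, which is the trade-off the patent describes for small k.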
After the reassembled text to be detected is obtained, whether an attack signature spanning two TCP segment messages exists can be detected by pattern matching. If the data receiver needs to forward the TCP data packet after the attack detection of the TCP data packet is completed, it can back up the original received TCP segment messages in advance, before the data blocks are divided; it can also restore the messages according to the way the data blocks were divided and their order; or it can encapsulate the divided and reassembled data into new TCP segment messages. Specifically, any reassembled text can be re-encapsulated into a TCP segment message whose sequence number is computed from the sequence number of the message to which the data blocks of the spliced text belonged before division, e.g. the sequence number of the message to which the latter data block of the spliced text belonged, minus the data partition length k. A data block that did not participate in text reassembly, such as the 2nd block of TCP segment message 2 in Fig. 4, can be encapsulated directly as a new TCP segment message, whose sequence number can likewise be computed from the sequence number of the message it belonged to before division, e.g. that sequence number plus the data partition length k. Moreover, the information such as port numbers needed for re-encapsulation can also be stored in advance in the established TCP message list.
Corresponding to the above method embodiment, this application also provides a device for reassembling text to be detected from TCP segment messages, characterized in that at least one TCP segment message into which the same data is divided is identified by a one-to-one sequence number, the sequence numbers changing in the order in which the TCP segment messages were divided. As shown in Fig. 6, the device may include:
a length determination module 110, configured to determine the length n of the data in any received TCP segment message;
a data division module 120, configured to, when n ≥ 2k, sequentially divide the data in the received TCP segment message into at least two blocks, wherein the first and last blocks each have length k, and k is a data partition length determined in advance from the length of the attack signature;
a text reassembly module 130, configured to, following the order in which the sequence numbers of the received TCP segment messages change, splice the first block of data of any received TCP segment message after the last block of data of the preceding TCP segment message, to reassemble a text to be detected.
In one specific embodiment of this application, as shown in Fig. 7, the device may further include:
a sequence number computing module 140, configured to compute, from the sequence number of any received TCP segment message and the way of change of sequence numbers negotiated in advance, the sequence number and/or sequence-number range of the previous and/or next TCP segment message;
an order determination module 150, configured to compare the computed sequence number and/or sequence-number range with the sequence numbers of the received TCP segment messages and determine the order in which the sequence numbers of the received TCP segment messages change.
In one specific embodiment of this application, the sequence number computing module 140 can specifically be configured to:
compute, from the sequence number S_i and data length n_i of any received TCP segment message, the sequence number of the next TCP segment message, S_{i+1} = S_i + n_i;
and/or
compute, from the sequence number S_i of any received TCP segment message and the maximum data length N negotiated in advance, the range of the sequence number S_{i-1} of the previous TCP segment message: S_i - N ≤ S_{i-1} < S_i.
In one specific embodiment of this application, the text reassembly module 130 may include:
a storage sub-module, configured to store the data blocks into which any received TCP segment message is divided in correspondence with the sequence number of that TCP segment message;
a reassembly sub-module, configured to, following the order in which the sequence numbers of the received TCP segment messages change, upon detecting that the data blocks into which the previous TCP segment message of this TCP segment message is divided have been stored, splice the first block of data into which this TCP segment message is divided after the last block of data into which the previous TCP segment message is divided, to reassemble a text to be detected.
In one specific embodiment of this application, the storage sub-module may include:
a change-order obtaining unit, configured to obtain the order in which the sequence numbers of the received TCP segment messages change;
an information storage unit, configured to store the data blocks into which any received TCP segment message is divided, together with the sequence number of that TCP segment message, at the corresponding position of a pre-established TCP message list, where the order of positions in the list is determined by the order in which the sequence numbers change.
The function of each unit and the realization process of effect specifically refer to and step are corresponded in the above method in above device Realization process, details are not described herein.
Since the device embodiments essentially correspond to the method embodiments, for related details refer to the description of the method embodiments. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this application. Those of ordinary skill in the art can understand and implement this without creative effort.
Although this specification contains many specific implementation details, these should not be construed as limiting the scope of any invention or of what is claimed, but rather as describing features of specific embodiments of particular inventions. Certain features described in this specification in the context of separate embodiments may also be implemented in combination in a single embodiment. Conversely, various features described in the context of a single embodiment may also be implemented separately in multiple embodiments or in any suitable sub-combination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination may in some cases be excised from the combination, and the claimed combination may be directed to a sub-combination or a variation of a sub-combination.
Similarly, although operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain cases, multitasking and parallel processing may be advantageous. Moreover, the separation of various system modules and components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Particular embodiments of the subject matter have thus been described. Other embodiments are within the scope of the appended claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying drawings do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In certain implementations, multitasking and parallel processing may be advantageous.
The foregoing is merely a preferred embodiment of this application and is not intended to limit it; any modification, equivalent substitution, improvement, and the like made within the spirit and principles of this application shall be included within the scope of protection of this application.

Claims (10)

1. A method for reassembling the text to be detected of TCP segments, characterized in that the same data is divided into at least one TCP segment, the TCP segments are identified by one-to-one corresponding sequence numbers, and the sequence numbers alternate according to the division order of the TCP segments, the method comprising:
determining the length n of the data in any received TCP segment;
in the case n ≥ 2k, dividing the data in any received TCP segment, in order, into at least 2 blocks, wherein the first and the last data block obtained by the division each have length k, and k is a data partition length determined in advance according to the length of the attack signature;
according to the alternation sequence of the sequence numbers of the received TCP segments, splicing the first data block into which any received TCP segment is divided behind the last data block into which the preceding TCP segment is divided, reassembling them into one text to be detected.
2. The method according to claim 1, characterized in that the method further comprises:
computing, from the sequence number of any received TCP segment and a sequence number progression rule negotiated in advance, the sequence number and/or sequence number range of the preceding and/or next TCP segment;
comparing the computed sequence number and/or sequence number range with the sequence numbers of the received TCP segments, and determining the alternation sequence of the sequence numbers of the received TCP segments.
3. The method according to claim 2, characterized in that the computing, from the sequence number of any received TCP segment and the sequence number progression rule, of the sequence number and/or sequence number range of the preceding and/or next TCP segment comprises:
computing, from the sequence number Si and the data length ni of any received TCP segment, the sequence number of the next TCP segment as Si+1 = Si + ni;
and/or
computing, from the sequence number Si of any received TCP segment and the maximum data length N negotiated in advance, the range of the sequence number Si−1 of the preceding TCP segment: Si − N ≤ Si−1 < Si.
4. The method according to any one of claims 1 to 3, characterized in that the splicing, according to the alternation sequence of the sequence numbers of the received TCP segments, of the first data block into which any received TCP segment is divided behind the last data block into which the preceding TCP segment is divided, reassembling them into one text to be detected, comprises:
storing the data blocks into which any received TCP segment is divided in correspondence with the sequence number of that TCP segment;
following the alternation sequence of the sequence numbers of the received TCP segments and, upon detecting that the data blocks into which the preceding TCP segment of this TCP segment is divided have been stored, splicing the first data block into which this TCP segment is divided behind the last data block into which the preceding TCP segment is divided, reassembling them into one text to be detected.
5. The method according to claim 4, characterized in that the storing of the data blocks into which any received TCP segment is divided in correspondence with the sequence number of that TCP segment comprises:
obtaining the alternation sequence of the sequence numbers of the received TCP segments;
storing the data blocks into which any received TCP segment is divided, together with the sequence number of that TCP segment, at the corresponding position of a pre-established TCP message list, where the order of positions in the list is determined by the alternation sequence of the sequence numbers.
6. A device for reassembling the text to be detected of TCP segments, characterized in that the same data is divided into at least one TCP segment, the TCP segments are identified by one-to-one corresponding sequence numbers, and the sequence numbers alternate according to the division order of the TCP segments, the device comprising:
a length determination module, configured to determine the length n of the data in any received TCP segment;
a data division module, configured to, in the case n ≥ 2k, divide the data in any received TCP segment, in order, into at least 2 blocks, wherein the first and the last data block obtained by the division each have length k, and k is a data partition length determined in advance according to the length of the attack signature;
a text recombination module, configured to splice, according to the alternation sequence of the sequence numbers of the received TCP segments, the first data block into which any received TCP segment is divided behind the last data block into which the preceding TCP segment is divided, reassembling them into one text to be detected.
7. The device according to claim 6, characterized in that the device further comprises:
a sequence number computing module, configured to compute, from the sequence number of any received TCP segment and a sequence number progression rule negotiated in advance, the sequence number and/or sequence number range of the preceding and/or next TCP segment;
a sequence determining module, configured to compare the computed sequence number and/or sequence number range with the sequence numbers of the received TCP segments, and to determine the alternation sequence of the sequence numbers of the received TCP segments.
8. The device according to claim 7, characterized in that the sequence number computing module is specifically configured to:
compute, from the sequence number Si and the data length ni of any received TCP segment, the sequence number of the next TCP segment as Si+1 = Si + ni;
and/or
compute, from the sequence number Si of any received TCP segment and the maximum data length N negotiated in advance, the range of the sequence number Si−1 of the preceding TCP segment: Si − N ≤ Si−1 < Si.
9. The device according to any one of claims 6 to 8, characterized in that the text recombination module comprises:
a storage submodule, configured to store the data blocks into which any received TCP segment is divided in correspondence with the sequence number of that TCP segment;
a recombination submodule, configured to follow the alternation sequence of the sequence numbers of the received TCP segments and, upon detecting that the data blocks into which the preceding TCP segment of this TCP segment is divided have been stored, splice the first data block into which this TCP segment is divided behind the last data block into which the preceding TCP segment is divided, reassembling them into one text to be detected.
10. The device according to claim 9, characterized in that the storage submodule comprises:
an alternation sequence obtaining unit, configured to obtain the alternation sequence of the sequence numbers of the received TCP segments;
an information storage unit, configured to store the data blocks into which any received TCP segment is divided, together with the sequence number of that TCP segment, at the corresponding position of a pre-established TCP message list, where the order of positions in the list is determined by the alternation sequence of the sequence numbers.
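As an added illustration (not code from the patent or from its assignee), the following Python models the procedure of claims 1 to 10 and of device modules 130 to 150 described above: ordering received segments by following Si+1 = Si + ni, cutting each segment's data into blocks whose first and last block have length k, and splicing the last block of the preceding segment to the first block of the current one to form the text to be detected, so that an attack signature straddling a segment boundary is matched even though neither segment contains it on its own. The function names, the sample segments and sample signature, the 32-bit wrap handling, the choice k = signature length, and the treatment of segments shorter than 2k are assumptions of this example, not statements of the patent.

```python
"""Added example (not the patent's own code): cross-boundary reassembly of the
"text to be detected" for TCP segments, following claims 1-10.

Assumptions (not in the patent): the names below, 32-bit wrap-around of
sequence numbers, k = len(signature), and that a segment shorter than 2k is
kept as a single block."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEQ_MASK = 0xFFFFFFFF  # TCP sequence numbers are 32 bits wide and wrap


@dataclass
class Segment:
    seq: int        # Si: sequence number of this segment
    payload: bytes  # its ni bytes of data


def next_seq(seq: int, length: int) -> int:
    """Si+1 = Si + ni, modulo 2^32."""
    return (seq + length) & SEQ_MASK


def prev_seq_range(seq: int, max_len: int) -> Tuple[int, int]:
    """Range of the preceding sequence number: Si - N <= Si-1 < Si
    (lower bound inclusive, upper bound exclusive)."""
    return (seq - max_len) & SEQ_MASK, seq


def order_segments(segments: List[Segment], first_seq: int) -> Tuple[List[Segment], Dict[int, Segment]]:
    """Determine the alternation sequence: starting at first_seq, repeatedly
    compute Si+1 = Si + ni and look for a received segment carrying that
    sequence number. Returns the ordered chain plus the segments that could
    not be chained (a gap, a duplicate, or an out-of-window segment)."""
    by_seq = {s.seq: s for s in segments}
    ordered: List[Segment] = []
    seq = first_seq
    while seq in by_seq:
        seg = by_seq.pop(seq)
        ordered.append(seg)
        seq = next_seq(seq, len(seg.payload))
    return ordered, by_seq


def split_blocks(payload: bytes, k: int) -> List[bytes]:
    """Divide a segment's data in order so that the first and last blocks have
    length k (claim 1, case n >= 2k). A payload shorter than 2k is kept whole
    (assumption: the patent does not describe this case)."""
    n = len(payload)
    if n < 2 * k:
        return [payload]
    blocks = [payload[:k]]
    if n > 2 * k:
        blocks.append(payload[k:n - k])  # middle block(s), scanned per segment as usual
    blocks.append(payload[n - k:])
    return blocks


def boundary_texts(ordered: List[Segment], k: int) -> List[Tuple[int, int, bytes]]:
    """For each pair of consecutive segments, splice the last block of the
    preceding segment and the first block of the current one into a text to
    be detected. Returns (prev_seq, cur_seq, text) triples."""
    texts: List[Tuple[int, int, bytes]] = []
    prev_seg, prev_last = None, b""
    for seg in ordered:
        blocks = split_blocks(seg.payload, k)
        if prev_seg is not None:
            texts.append((prev_seg.seq, seg.seq, prev_last + blocks[0]))
        prev_seg, prev_last = seg, blocks[-1]
    return texts


def scan_boundaries(segments: List[Segment], first_seq: int, signature: bytes) -> List[Tuple[int, int]]:
    """Run the whole pipeline and return the (prev_seq, cur_seq) boundaries at
    which the signature straddles two segments. k is taken as the signature
    length (assumption): any k >= len(signature) - 1 suffices for a straddling
    match, since at most that many signature bytes can sit in either segment."""
    k = len(signature)
    ordered, _ = order_segments(segments, first_seq)
    return [(p, c) for p, c, text in boundary_texts(ordered, k) if signature in text]


SIGNATURE = b"ATTACKSIG"  # constructed sample attack signature (9 bytes)

# Constructed sample segments, delivered out of order; the signature straddles
# the boundary between the segments with sequence numbers 1000 and 1022.
SAMPLE_SEGMENTS = [
    Segment(1047, b"User-Agent: curl\r\n\r\n"),
    Segment(1000, b"GET /index.html?q=ATTA"),
    Segment(1022, b"CKSIG HTTP/1.1\r\nHost: x\r\n"),
]

if __name__ == "__main__":
    for p, c in scan_boundaries(SAMPLE_SEGMENTS, 1000, SIGNATURE):
        print(f"signature straddles segments {p} -> {c}")
```

Only the boundary text is assembled across segments; the middle block of each segment is scanned on its own, so the detector never has to buffer a whole stream. The leftover dictionary returned by `order_segments` is the practical hook for a detector: a segment that cannot be chained from the expected sequence number is a gap or a replay, and the boundary text that would involve it is not produced until the preceding segment has arrived, which is the condition the recombination submodule waits for.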

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711316411.1A CN108134751B (en) 2017-12-12 2017-12-12 TCP segmented message text recombination method and device to be detected

Publications (2)

Publication Number Publication Date
CN108134751A true CN108134751A (en) 2018-06-08
CN108134751B CN108134751B (en) 2020-08-04

Family

ID=62389304

Country Status (1)

Country Link
CN (1) CN108134751B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111342929A (en) * 2018-12-18 2020-06-26 中国电信股份有限公司 Information sending and receiving method and device and information processing system
CN111371782A (en) * 2020-03-03 2020-07-03 深信服科技股份有限公司 Message transmission method and device and storage medium
CN113297577A (en) * 2021-06-16 2021-08-24 深信服科技股份有限公司 Request processing method and device, electronic equipment and readable storage medium
WO2024021479A1 (en) * 2022-07-27 2024-02-01 天翼云科技有限公司 Message detection method and apparatus, and electronic device and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101841545A (en) * 2010-05-14 2010-09-22 中国科学院计算技术研究所 TCP stream restructuring and/or packetizing method and device
US7953093B2 (en) * 2001-09-06 2011-05-31 Broadcom Corporation TCP/IP reordering
EP2202937B1 (en) * 2008-12-24 2011-11-30 Mitsubishi Electric R&D Centre Europe B.V. Partial reassembly for pattern matching
CN102307151A (en) * 2011-10-10 2012-01-04 上海西默通信技术有限公司 HTTP (hyper text transport protocol)-based network packet reduction method
CN102752189A (en) * 2011-04-22 2012-10-24 华为数字技术有限公司 Method and equipment for processing message
CN105939297A (en) * 2015-10-26 2016-09-14 杭州迪普科技有限公司 TCP message reassembling method and TCP message reassembling device
CN107332839A (en) * 2017-06-28 2017-11-07 杭州迪普科技股份有限公司 A kind of message transmitting method and device


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant