CN108134751B - Method and device for reassembling the text to be detected from TCP segments - Google Patents


Info

Publication number: CN108134751B
Authority: CN (China)
Prior art keywords: sequence, tcp, data, message, divided
Legal status: Active
Application number: CN201711316411.1A
Other languages: Chinese (zh)
Other versions: CN108134751A
Inventor: 孙行鹭
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd

Events
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201711316411.1A
Publication of CN108134751A
Application granted
Publication of CN108134751B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 49/00 Packet switching elements > H04L 49/90 Queuing arrangements > H04L 49/9057 Arrangements for supporting packet reassembly or resequencing
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The application provides a method for reassembling the text to be detected from TCP (Transmission Control Protocol) segments. The TCP segments into which one block of data has been divided each carry their own sequence number, and the sequence numbers advance in the order in which the segments were cut. The method comprises: determining the length n of the data in any received TCP segment; when n ≥ 2k, dividing the data of that segment in order into at least two blocks, the first and the last block each having length k, where k is a division length fixed in advance from the length of the attack signature; and, following the order of the received TCP segments, splicing the first block of each segment behind the last block of the preceding segment to form the text to be detected. Because only the two k-byte blocks of each segment are buffered rather than its whole payload, the scheme saves memory on the device and improves transmission efficiency.

Description

Method and device for reassembling the text to be detected from TCP segments
Technical Field
The application relates to the field of computer technology, and in particular to a method and device for reassembling, from TCP (Transmission Control Protocol) segments, the text on which attack detection is performed (the text to be detected).
Background
TCP (Transmission Control Protocol) is a connection-oriented, reliable transport-layer protocol that is widely used for network data transmission. Managing TCP traffic and detecting attacks in it has therefore become an important task of security devices such as WAFs (Web Application Firewalls), IPSs (Intrusion Prevention Systems) and anti-virus gateways. Because the attack content carried in TCP traffic usually has some recognizable signature, pattern matching is one of the common methods for detecting attacks in TCP traffic: the signature of the attack content is extracted first and then matched against the text of the TCP payload; if the match succeeds, the traffic is determined to contain the attack content.
Because a large block of data is divided into several TCP segments for transmission, a signature of the attack content may be split across two adjacent segments, while a pattern-matching algorithm requires the text it matches to be contiguous. If each segment is inspected on its own, a signature that straddles segments cannot be detected, so the TCP segments must be reassembled into a contiguous text to be detected. In the prior art, all TCP segments of the same data are first buffered, then reassembled in order into the complete text, and that complete text is matched against the attack signatures. Since every segment of the whole data has to be reassembled in full into the text to be detected, the network device uses more memory, takes longer, adds transmission delay and lowers transmission efficiency.
Disclosure of Invention
In view of this, the present application provides a method and a device for reassembling the text to be detected from TCP segments. The technical scheme is as follows:
A method for reassembling the text to be detected from TCP segments, in which the TCP segments into which the same data has been divided each carry their own sequence number and the sequence numbers advance in the order in which the segments were cut, comprises the following steps:
determining the length n of the data in any received TCP segment;
when n ≥ 2k, dividing the data of that segment in order into at least two blocks, the first and the last block each having length k, where k is a division length fixed in advance from the length of the attack signature;
following the order of the received TCP segments, splicing the first block of each segment behind the last block of the preceding segment, so as to reassemble the text to be detected.
A device for reassembling the text to be detected from TCP segments, in which the TCP segments into which the same data has been divided each carry their own sequence number and the sequence numbers advance in the order in which the segments were cut, comprises:
a length determining module, configured to determine the length n of the data in any received TCP segment;
a data dividing module, configured to divide the data of any received TCP segment in order into at least two blocks when n ≥ 2k, the first and the last block each having length k, where k is a division length fixed in advance from the length of the attack signature;
a text reassembly module, configured to splice, following the order of the sequence numbers of the received TCP segments, the first block of any received TCP segment behind the last block of the preceding TCP segment, so as to reassemble the text to be detected.
Under the technical scheme of the application, only the portions at the head and the tail of each TCP segment that could hold part of the attack content are cut out, their length being set by the length of the attack signature, and the portions cut from two adjacent segments are spliced into a text that serves as the text to be detected when the attack signature is searched for by pattern matching. This saves memory on the network device, takes less time, reduces transmission delay and improves transmission efficiency.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application. Moreover, not all of the above-described effects need to be achieved by any of the embodiments in this application.
Drawings
To illustrate the embodiments of the present application or the technical solutions of the prior art more clearly, the drawings used in the description are briefly introduced below. The drawings described here show only some embodiments of the present application; other drawings can be derived from them by those skilled in the art.
FIG. 1 is a diagram of a TCP segment format according to an embodiment of the present application;
FIG. 2 is a flowchart of a method for reassembling the text to be detected from TCP segments according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an attack signature split across TCP segments according to an embodiment of the present application;
FIG. 4 is a diagram of the data of a TCP segment divided into data blocks according to an embodiment of the present application;
FIG. 5 is a schematic diagram of storing and splicing the data blocks into which TCP segments are divided according to an embodiment of the present application;
FIG. 6 is a structural diagram of a device for reassembling the text to be detected from TCP segments according to an embodiment of the present application;
FIG. 7 is a structural diagram of a second structure of the device for reassembling the text to be detected from TCP segments according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
The basic principle of transmitting data over a TCP connection is introduced first.
When a large block of data is transmitted over TCP, the sender divides it into several data segments and sends each as a TCP segment; the TCP segments cut from the same block of data together form one TCP data packet. Each TCP segment carries its own sequence number, and the order in which the sequence numbers advance is determined by the order in which the segments were cut, so that after receiving the segments of one data packet the receiver can put them back into the original block of data by following the sequence numbers. The format of a TCP segment may be as shown in fig. 1, where the sequence number is that of the current segment, the segment length is the length of the data in the current segment, and the flags control establishment and teardown of the TCP connection.
Before data is sent, sender and receiver establish the TCP connection with a three-way handshake, during which they negotiate and confirm the initial sequence number and the maximum length of data in each TCP segment. Once the connection is established, data transmission starts: after the receiver gets a TCP segment from the sender it returns an acknowledgement, and the sender retransmits any segment that is not acknowledged. When the data transmission is complete, the two sides close the connection with a four-way handshake (an exchange of FIN and ACK segments).
TCP guarantees the ordering of the transmitted data through the sequence number of each segment and its integrity through the retransmission mechanism; this is what makes it a reliable connection-oriented transport protocol in wide use, and why attack detection on TCP traffic is an important task. Since a pattern-matching algorithm requires the matched text to be contiguous, while data containing an attack signature may be split between two adjacent TCP segments when the data is cut into segments, the present application provides a method for reassembling the text to be detected from TCP segments. As shown in fig. 2, the method may include the following steps:
S101, determining the length n of the data in any received TCP segment;
Because the length of the whole block of data sent over a TCP connection varies and the length of each data segment is not fixed, for any received TCP segment it must first be determined from the data length whether its data could contain an attack signature, and whether what it contains might be only part of a signature, that is, whether a complete signature could have been split across two adjacent segments.
The data length n of a received TCP segment may be read from the segment-length value in its header information, or determined by other means. (The TCP header itself carries no payload-length field; in practice the payload length is obtained as the IP total length minus the IP and TCP header lengths, which is one such other means.)
S102, when n ≥ 2k, dividing the data of the received TCP segment in order into at least two blocks, the first and the last block each having length k, where k is a division length fixed in advance from the length of the attack signature;
Fig. 3 shows a complete attack signature split across two adjacent TCP segments. A signature that straddles two segments can only occupy the final or the initial part of the data in each segment; counting in bytes, only "some bytes running leftwards from the last byte" or "some bytes running rightwards from the first byte" of each segment's data. Fig. 3 gives only one distribution; part of a signature may equally lie at the left end of TCP segment 1 and at the right end of TCP segment 2. In the scheme of the present application the data of each TCP segment is therefore divided into at least two blocks so as to obtain the first and the last block, which are the blocks that may hold part of a signature, as shown in fig. 4: blocks 1 and 2 of TCP segment 1, and blocks 1 and 3 of TCP segment 2.
The division length k used to divide the data of each TCP segment can be fixed in advance from the length of the attack signature. Suppose the signature that is to be detected across segments has length m. The two adjacent segments each hold part of it, and each part is shorter than m, so k can be chosen from m together with the circumstances at hand. For example, if the memory of the device that receives and inspects the TCP traffic is limited, or the endpoints demand high transmission efficiency, k may be set to a value smaller than m to shorten the blocks and the text rebuilt from them; but the smaller k is, the more likely it is that a block misses part of the signature, so that the reassembled text holds only an incomplete signature and pattern matching cannot find the attack content. Of all values of k derived from m, the value m - 1 is optimal: a signature straddling a boundary has at most m - 1 bytes on either side, so blocks of length m - 1 never miss any of it, while keeping the blocks as short as possible to save memory and improve transmission efficiency. The present application does not restrict k; in practice a person skilled in the art can choose k according to actual requirements.
Once k is fixed, the data of a received TCP segment can be divided. Take TCP segment 2 in fig. 4 and let its data length be n: the data is cut at distance k from its left end and from its right end, giving three blocks, of which the 1st and 3rd have length k and the 2nd has the remaining length n - 2k. If n is exactly 2k, the situation of TCP segment 1 in fig. 4 arises and the data is cut into just two blocks. Hence, before dividing the data of a TCP segment it must be checked that its length satisfies n ≥ 2k; only then can a k-byte block be taken from each end without the two blocks overlapping, which would make the division fail.
S103, following the order of the sequence numbers of the received TCP segments, splicing the first block of each received TCP segment behind the last block of the preceding TCP segment, so as to reassemble the text to be detected.
After the data of each segment has been divided into the required blocks, the order and adjacency of the segments are determined from their sequence numbers, and the blocks of adjacent segments are spliced pairwise into texts to be detected. Take TCP segments 1 and 2 of figs. 3 and 4 as an example. The two data segments that the sender cut before transmission in fig. 3 are carried in the adjacent TCP segments 1 and 2, whose headers carry adjacent sequence numbers. According to S101 and S102, the data of the two segments is divided into two or three blocks as in fig. 4. Since the sequence numbers show that TCP segment 1 precedes TCP segment 2, block 1 of TCP segment 2 is spliced behind block 2 (the last block) of TCP segment 1, and the result is a contiguous text to be detected on which a signature straddling TCP segments 1 and 2 can be found. Likewise, block 1 of TCP segment 1 is spliced to the last block of the segment that the sequence numbers identify as its predecessor, and block 3 of TCP segment 2 to the first block of the segment identified as its successor, each pair forming its own text to be detected. Block 2 of TCP segment 2 takes no part in reassembly at all, which saves memory on the device and improves transmission efficiency.
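Steps S101 to S103 carried through in Python, as an added example that is not part of the patent. The signature, the two segments and the division length are constructed for illustration: a path-traversal request split so that the string /etc/passwd straddles the segment boundary, where per-segment inspection sees nothing. The example also tries every possible split point of the signature, which shows in code why k = m - 1 is the smallest division length that never misses a straddling signature, as the discussion of k above argues.

```python
"""Head/tail division and boundary splicing of steps S101 to S103 (added example)."""
from typing import List, Sequence, Tuple


def split_segment(payload: bytes, k: int) -> Tuple[bytes, bytes]:
    """S101/S102: check n >= 2k, then cut a k-byte first block and a k-byte last block.
    The middle n - 2k bytes are never copied into the text to be detected."""
    n = len(payload)
    if n < 2 * k:
        raise ValueError(f"segment data length {n} < 2k = {2 * k}: the two blocks would overlap")
    return payload[:k], payload[-k:]


def boundary_texts(segments: Sequence[bytes], k: int) -> List[bytes]:
    """S103, for segments already in sequence-number order: splice the last block of
    segment i to the first block of segment i+1, giving one 2k-byte text per boundary."""
    texts: List[bytes] = []
    prev_tail = None
    for payload in segments:
        head, tail = split_segment(payload, k)
        if prev_tail is not None:
            texts.append(prev_tail + head)
        prev_tail = tail
    return texts


def per_segment_hits(segments: Sequence[bytes], signature: bytes) -> List[int]:
    """The per-segment check of the prior art: segments that contain the whole signature alone."""
    return [i for i, payload in enumerate(segments) if signature in payload]


def cross_segment_hits(segments: Sequence[bytes], signature: bytes, k: int) -> List[int]:
    """Boundaries i (between segment i and i+1) whose spliced text contains the signature."""
    return [i for i, text in enumerate(boundary_texts(segments, k)) if signature in text]


def covers_all_splits(signature: bytes, k: int) -> bool:
    """Does division length k catch the signature however it straddles one boundary?
    Every split point j (j bytes at the end of one segment, m - j at the start of the
    next) is tried; the filler byte is chosen so it cannot create a spurious match."""
    m = len(signature)
    filler = next(b for b in range(256) if b not in signature)
    pad = bytes([filler]) * (2 * k)  # long enough that both segments satisfy n >= 2k
    return all(
        cross_segment_hits([pad + signature[:j], signature[j:] + pad], signature, k) == [0]
        for j in range(1, m)
    )


# Constructed sample: a path-traversal request whose signature lands on a segment boundary.
SIGNATURE = b"/etc/passwd"                      # m = 11, so k = m - 1 = 10
SEG1 = b"GET /cgi-bin/x?file=../../../etc/pa"   # 35 bytes; ends with 7 signature bytes
SEG2 = b"sswd HTTP/1.1\r\nHost: example\r\n\r\n"  # 32 bytes; starts with 4 signature bytes
```

With k = 10 the spliced boundary text is the 20 bytes `/../etc/passwd HTTP/`, which matches, while neither segment matches on its own; with k = 5 the same boundary yields `tc/passwd ` and the signature is lost. covers_all_splits reports True for k = 10 and False for k = 9, which is the m - 1 bound in executable form.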
In this scheme the blocks of adjacent segments are reassembled into texts according to the order of the sequence numbers of the received TCP segments. So that the receiver knows the sequence numbers and the rule by which they advance, and can reassemble the texts in the correct order, the sender may also send the receiver the sequence numbers of the segments and the rule by which they advance, or the two sides may agree on the first sequence number and the rule in advance, and so on. In one embodiment of the present application the two sides agree in advance on the rule by which sequence numbers advance; after receiving any TCP segment, the receiver computes the sequence number and/or the sequence-number range of the adjacent segments from that segment's sequence number and the rule, and compares the result with the sequence numbers of the other received segments to determine the order of the received segments.
The sequence number of each TCP segment in a TCP data packet advances with the order in which the segments were cut; it may, for example, increase or decrease segment by segment from some starting value. The simplest choice is the sequence-number rule that TCP itself uses when a connection is established and data is transmitted. There, the sequence number in the TCP header does not number segments but bytes: all data sent during the lifetime of the connection is treated as one byte stream, the sequence number is the number of a byte within that stream, the sequence number in a segment's header is that of the first byte of its data, and the sequence number in the next segment's header, being that of the first byte of the next segment's data, equals the previous segment's sequence number plus the number of data bytes in the previous segment.
Therefore, in one embodiment of the present application, the sequence number and/or the sequence-number range of the adjacent segments can be calculated from the length of the data in each TCP segment. Suppose a received segment has sequence number S_i and its data has length n_i; then the sequence number of the next segment is S_{i+1} = S_i + n_i. For the previous segment, the length n_{i-1} of its data is unknown, so S_{i-1} = S_i - n_{i-1} cannot be evaluated directly; but if the two sides have agreed in advance on the maximum data length N per segment, the previous segment's sequence number S_{i-1} can be bounded to the range S_i - N ≤ S_{i-1} < S_i. (TCP sequence numbers are 32-bit values that wrap around, so in practice these calculations and comparisons are made modulo 2^32.)
As for the process of splicing the blocks of each segment pairwise into texts to be detected in sequence-number order: in one embodiment of the present application the blocks into which a TCP segment is divided are stored together with its sequence number, and once the blocks of the adjacent segment are found, by sequence number, to have been stored as well, the corresponding blocks are reassembled into a text to be detected as described above. As shown in fig. 5, the first and the last block of each segment may be stored directly at the position of a pre-built TCP information list that corresponds to its place in sequence-number order, so that whenever two blocks from different segments occupy adjacent positions they can be spliced straight away into a text to be detected.
Of course, the pairwise splicing of the blocks of each segment into texts to be detected in sequence-number order can be realized in various other ways. For example, the first and last block of every segment may be stored in sequence-number order and all blocks spliced together only after everything has been stored; or, since TCP segments are usually transmitted in order, segments may be spliced by sequence number as they are received and divided; and so on. The scheme need not be limited in this respect, and those skilled in the art can choose a suitable way in practice.
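The sequence-number calculations and the information-list storage described above, as an added example in Python that is not part of the patent. It uses TCP's own byte-stream numbering (S_{i+1} = S_i + n_i, and S_i - N ≤ S_{i-1} < S_i for the predecessor), evaluated modulo 2^32 because real sequence numbers wrap; keeps the first and last block of each segment keyed by sequence number; and splices a boundary text as soon as both neighbours are present, so segments may arrive in any order. The sample segments, their sequence numbers and the maximum segment length N = 1460 are constructed for illustration, and the treatment of segments shorter than 2k (kept whole as both blocks) is this example's choice, since the page does not specify that case.

```python
"""Sequence-number bookkeeping and the TCP information list (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def next_seq(seq: int, n: int) -> int:
    """S_{i+1} = S_i + n_i: the sequence number of the byte following this segment's data."""
    return (seq + n) % SEQ_MOD


def in_previous_range(candidate: int, seq: int, max_seg: int) -> bool:
    """S_i - N <= S_{i-1} < S_i, evaluated modulo 2^32 so it survives wraparound."""
    return 1 <= (seq - candidate) % SEQ_MOD <= max_seg


@dataclass
class Entry:
    seq: int     # sequence number of the first data byte
    length: int  # n, the number of data bytes
    head: bytes  # first block (length k)
    tail: bytes  # last block (length k)


class BoundaryReassembler:
    """The 'TCP information list': head/tail blocks stored by sequence number and
    spliced into tail+head texts as soon as both neighbours have arrived, whatever
    order the segments were received in."""

    def __init__(self, k: int, max_seg: int) -> None:
        self.k = k
        self.max_seg = max_seg              # N, the negotiated maximum data length per segment
        self.by_seq: Dict[int, Entry] = {}  # keyed by the segment's own sequence number
        self.by_end: Dict[int, Entry] = {}  # keyed by next_seq(seq, length)

    def add(self, seq: int, payload: bytes) -> List[Tuple[int, bytes]]:
        """Store one segment; return the (left_seq, text) splices it completes."""
        seq %= SEQ_MOD
        n = len(payload)
        if n == 0 or seq in self.by_seq:
            # No data, or a retransmission: the first copy wins here. Overlapping
            # retransmissions with different content are outside this example.
            return []
        if n >= 2 * self.k:
            head, tail = payload[:self.k], payload[-self.k:]
        else:
            # The page only divides segments with n >= 2k; keeping a short segment whole
            # as both its first and last block is this example's choice, not the page's.
            head = tail = payload
        entry = Entry(seq, n, head, tail)
        self.by_seq[seq] = entry
        self.by_end[next_seq(seq, n)] = entry

        texts: List[Tuple[int, bytes]] = []
        prev = self.by_end.get(seq)  # predecessor: its data ends exactly where ours starts
        if prev is not None and in_previous_range(prev.seq, seq, self.max_seg):
            texts.append((prev.seq, prev.tail + head))
        nxt = self.by_seq.get(next_seq(seq, n))  # successor: starts at S_i + n_i
        if nxt is not None:
            texts.append((seq, tail + nxt.head))
        return texts


# Constructed sample: three segments of one request, delivered out of order.
SEG1 = b"GET /cgi-bin/x?file=../../../etc/pa"   # seq 1000, 35 bytes
SEG2 = b"sswd HTTP/1.1\r\nHost: example\r\n\r\n"  # seq 1035, 32 bytes
SEG3 = b"X" * 40                                 # seq 1067, 40 bytes


def replay_out_of_order(k: int = 10, max_seg: int = 1460) -> List[Tuple[int, bytes]]:
    """Feed SEG2, SEG3, SEG1 in that order and return every spliced boundary text."""
    r = BoundaryReassembler(k, max_seg)
    produced: List[Tuple[int, bytes]] = []
    for seq, payload in ((1035, SEG2), (1067, SEG3), (1000, SEG1)):
        produced.extend(r.add(seq, payload))
    return produced
```

Two lookups replace the range scan: the successor is found directly at S_i + n_i, and the predecessor is whichever stored segment ends at S_i, with the S_i - N bound kept as a sanity check that rejects a predecessor longer than the negotiated maximum. Because only pairs of neighbours are spliced, a signature that spans three segments (possible only when a segment is shorter than 2k) is not found by this scheme; that limit follows from the pairwise design on the page, not from this code.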
Once the text to be detected has been reassembled, pattern matching can be used to find out whether an attack signature straddling two TCP segments is present. After attack detection of the TCP data packet is finished, if the receiver has to forward the packet, the original TCP segments may have been backed up before the blocks were cut; the segments may be restored from the blocks by reversing the division in the order it was done; or new TCP segments may be built from the divided and reassembled data. A block that took no part in reassembly, such as block 2 of TCP segment 2 in fig. 4, may be encapsulated directly as a new TCP segment, and the sequence number of that segment may be calculated from the sequence number of the segment the block came from, for example by adding the division length k to it. The port numbers and other information needed for re-encapsulation may be stored in advance in the TCP information list.
Corresponding to the method embodiment above, the present application further provides a device for reassembling the text to be detected from TCP segments, where the TCP segments into which the same data has been divided each carry their own sequence number and the sequence numbers advance in the order in which the segments were cut. As shown in fig. 6, the device may include:
a length determining module 110, configured to determine the length n of the data in any received TCP segment;
a data dividing module 120, configured to divide the data of any received TCP segment in order into at least two blocks when n ≥ 2k, the first and the last block each having length k, where k is a division length fixed in advance from the length of the attack signature;
a text reassembly module 130, configured to splice, following the order of the sequence numbers of the received TCP segments, the first block of any received TCP segment behind the last block of the preceding TCP segment, so as to reassemble the text to be detected.
In one embodiment of the present application, as shown in fig. 7, the device may further include:
a sequence number calculating module 140, configured to calculate the sequence number and/or sequence-number range of the previous and/or next TCP segment from the sequence number of any received TCP segment and the pre-agreed rule by which sequence numbers advance;
an order determining module 150, configured to compare the calculated sequence number and/or sequence-number range with the sequence numbers of the received TCP segments and determine the order of the sequence numbers of the received TCP segments.
In an embodiment of the present application, the sequence number calculating module 140 may specifically be configured to:
calculate the sequence number S_{i+1} = S_i + n_i of the next TCP segment from the sequence number S_i and the data length n_i of any received TCP segment;
and/or
calculate the range of the sequence number S_{i-1} of the previous TCP segment from the sequence number S_i of any received TCP segment and the pre-agreed maximum data length N: S_i - N ≤ S_{i-1} < S_i.
In a specific embodiment of the present application, the text restructuring module 130 may include:
the storage submodule is used for correspondingly storing the data blocks divided by any received TCP segmented message and the serial number of the TCP segmented message;
and the restructuring submodule is used for splicing the first block of data divided by the TCP segmented message to the back of the last block of data divided by the previous TCP segmented message and restructuring the data into a text to be detected under the condition that the data blocks divided by the previous TCP segmented message of the TCP segmented message are stored according to the gradient sequence of the serial numbers of the received TCP segmented messages.
In a specific embodiment of the present application, the storage submodule may include:
a gradual change sequence obtaining unit, configured to obtain a gradual change sequence of sequence numbers of the received TCP segment packet;
and the information storage unit is used for storing the data blocks divided by any received TCP segmented message and the serial number of the TCP segmented message to the corresponding position of a pre-established TCP information list, and the position sequence in the information list is determined by the gradient sequence of the serial number.
How each unit of the above device performs its functions and actions is described in detail under the corresponding step of the method above and is not repeated here.
Since the device embodiments substantially correspond to the method embodiments, reference may be made to the description of the method embodiments for the relevant points. The device embodiments described above are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of the present application. One of ordinary skill in the art can understand and implement this without inventive effort.
While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any invention or of what may be claimed, but rather as descriptions of features specific to particular embodiments of particular inventions. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. In other instances, features described in connection with one embodiment may be implemented as discrete components or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.
Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous. Moreover, the separation of various system modules and components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Thus, particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. Further, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some implementations, multitasking and parallel processing may be advantageous.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A method for reassembling a text to be detected from TCP segments, wherein the one or more TCP segments into which the same data is divided are each identified by a distinct sequence number, and the sequence numbers increase in the order in which the TCP segments were divided, the method comprising:
determining the length n of the data in any received TCP segment;
when n ≥ 2k, sequentially dividing the data in the received TCP segment into at least two blocks, the first and the last of which are each k bytes long, where k is a data division length determined in advance from the length of the attack signature;
and, in sequence-number order of the received TCP segments, splicing the first block of data of each TCP segment after the last block of data of the previous TCP segment, and reassembling them into a text to be detected.
2. The method of claim 1, further comprising:
calculating the sequence number and/or the sequence number range of the previous and/or next TCP segment from the sequence number of any received TCP segment and a pre-negotiated sequence number progression rule;
and comparing the calculated sequence number and/or sequence number range with the sequence numbers of the received TCP segments, thereby determining the sequence-number order of the received TCP segments.
3. The method of claim 2, wherein calculating the sequence number and/or sequence number range of the previous and/or next TCP segment from the sequence number of any received TCP segment and the sequence number progression rule comprises:
calculating, from the sequence number S_i and the data length n_i of any received TCP segment, the sequence number of the next TCP segment: S_{i+1} = S_i + n_i;
and/or
calculating, from the sequence number S_i of any received TCP segment and a pre-negotiated maximum data length N, the range of the sequence number S_{i-1} of the previous TCP segment: S_i - N ≤ S_{i-1} < S_i.
4. The method of any one of claims 1 to 3, wherein splicing, in ascending order of the sequence numbers of the received TCP segments, the first block of data of any received TCP segment after the last block of data of the previous TCP segment and reassembling them into a text to be detected comprises:
storing the data blocks into which any received TCP segment is divided together with the sequence number of that TCP segment;
and when it is detected, following the sequence-number order of the received TCP segments, that the data blocks of the TCP segment preceding a given TCP segment are already stored, splicing the first block of data of the given TCP segment after the last block of data of that preceding TCP segment and reassembling them into a text to be detected.
5. The method of claim 4, wherein storing the data blocks into which any TCP segment is divided together with the sequence number of that TCP segment comprises:
obtaining the sequence-number order of the received TCP segments;
and storing the data blocks into which any received TCP segment is divided, together with the sequence number of that TCP segment, at the corresponding position of a pre-established TCP information list, the order of positions in the list being determined by the sequence-number order.
6. A device for reassembling a text to be detected from TCP segments, wherein the one or more TCP segments into which the same data is divided are each identified by a distinct sequence number, and the sequence numbers increase in the order in which the TCP segments were divided, the device comprising:
a length determining module, configured to determine the length n of the data in any received TCP segment;
a data dividing module, configured to, when n ≥ 2k, sequentially divide the data in the TCP segment into at least two blocks, the first and the last of which are each k bytes long, where k is a data division length determined in advance from the length of the attack signature;
and a text reassembly module, configured to splice, in sequence-number order of the received TCP segments, the first block of data of each received TCP segment after the last block of data of the previous TCP segment, and to reassemble them into a text to be detected.
7. The device of claim 6, further comprising:
a sequence number calculating module, configured to calculate the sequence number and/or the sequence number range of the previous and/or next TCP segment from the sequence number of any received TCP segment and a pre-negotiated sequence number progression rule;
and an order determining module, configured to compare the calculated sequence number and/or sequence number range with the sequence numbers of the received TCP segments and so determine the sequence-number order of the received TCP segments.
8. The device of claim 7, wherein the sequence number calculating module is specifically configured to:
calculate, from the sequence number S_i and the data length n_i of any received TCP segment, the sequence number of the next TCP segment: S_{i+1} = S_i + n_i;
and/or
calculate, from the sequence number S_i of any received TCP segment and a pre-negotiated maximum data length N, the range of the sequence number S_{i-1} of the previous TCP segment: S_i - N ≤ S_{i-1} < S_i.
9. The device of any one of claims 6 to 8, wherein the text reassembly module comprises:
a storage submodule, configured to store the data blocks into which any received TCP segment is divided together with the sequence number of that TCP segment;
and a reassembly submodule, configured to, when it finds, following the sequence-number order of the received TCP segments, that the data blocks of the TCP segment preceding a given TCP segment are already stored, splice the first block of data of the given TCP segment after the last block of data of that preceding TCP segment and reassemble them into a text to be detected.
10. The device of claim 9, wherein the storage submodule comprises:
an order obtaining unit, configured to obtain the sequence-number order of the received TCP segments;
and an information storage unit, configured to store the data blocks into which any received TCP segment is divided, together with the sequence number of that TCP segment, at the corresponding position of a pre-established TCP information list, the order of positions in the list being determined by the sequence-number order.
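The following Python example is added here to show the scheme of the claims and of the module description above in working form; it is not code from the patent or from Hangzhou DPTech. Each segment's payload is divided so that its first and last block are k bytes long (k taken as the longest attack signature), the first block of segment i is spliced after the last block of segment i-1, and the resulting 2k-byte text to be detected is scanned, with the next and previous segments located through S_{i+1} = S_i + n_i and S_i - N ≤ S_{i-1} < S_i. Everything not on the page is an assumption: a segment shorter than 2k is kept whole as both its first and last block, the TCP information list is a dictionary keyed by sequence number, N is the negotiated MSS, sequence numbers wrap modulo 2^32, and the signatures, sequence numbers and HTTP request in the demonstration are constructed.

```python
"""Boundary-spanning detection text from TCP segments (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap (assumption: handle the wrap)


@dataclass
class StoredSegment:
    """One entry of the TCP information list: what is kept for a received segment."""
    seq: int      # S_i: sequence number of the segment's first payload byte
    length: int   # n_i: payload length
    first: bytes  # first block (k bytes when n_i >= 2k)
    last: bytes   # last block (k bytes when n_i >= 2k)


class BoundaryReassembler:
    """Divides each segment as in claim 1 and scans the 2k-byte boundary texts."""

    def __init__(self, signatures: List[bytes], max_data_len: int) -> None:
        self.signatures = signatures
        # k: data division length derived from the attack signature length
        self.k = max(len(s) for s in signatures)
        # N: pre-negotiated maximum payload length (assumption: the MSS)
        self.N = max_data_len
        # the pre-established TCP information list, keyed by sequence number (assumption)
        self.table: Dict[int, StoredSegment] = {}
        # matches as (absolute sequence number of the first matched byte, signature)
        self.hits: Set[Tuple[int, bytes]] = set()

    def split(self, payload: bytes) -> Tuple[bytes, bytes]:
        """Claim 1: for n >= 2k the first and last block are k bytes each; the middle
        part is not needed for boundary detection. For n < 2k, which the page does
        not specify, the whole payload serves as both blocks (assumption)."""
        k = self.k
        if len(payload) >= 2 * k:
            return payload[:k], payload[-k:]
        return payload, payload

    def _scan(self, base_seq: int, text: bytes) -> None:
        """Record every signature occurrence in one text to be detected, keyed by
        absolute sequence number so that a match seen both inside a segment and
        in a boundary text is counted once."""
        for sig in self.signatures:
            pos = text.find(sig)
            while pos != -1:
                self.hits.add(((base_seq + pos) % SEQ_MOD, sig))
                pos = text.find(sig, pos + 1)

    def _splice(self, prev: StoredSegment, cur: StoredSegment) -> None:
        """Claim 1: first block of segment i goes after the last block of segment i-1."""
        self._scan((cur.seq - len(prev.last)) % SEQ_MOD, prev.last + cur.first)

    def feed(self, seq: int, payload: bytes) -> None:
        """Process one received TCP segment (sequence number and payload)."""
        n = len(payload)
        if n == 0:
            return  # pure ACK: nothing to divide or detect
        first, last = self.split(payload)
        cur = StoredSegment(seq, n, first, last)
        self.table[seq] = cur
        self._scan(seq, payload)  # matches lying entirely inside this segment

        # Claim 3: the next segment's sequence number is S_{i+1} = S_i + n_i.
        # If that segment arrived earlier (out-of-order delivery), splice now.
        nxt = self.table.get((seq + n) % SEQ_MOD)
        if nxt is not None:
            self._splice(cur, nxt)

        # Claim 3: the previous segment's sequence number satisfies
        # S_i - N <= S_{i-1} < S_i. Walk that range and accept the stored
        # segment whose payload ends exactly at S_i.
        for cand in range(seq - self.N, seq):
            prev = self.table.get(cand % SEQ_MOD)
            if prev is not None and (prev.seq + prev.length) % SEQ_MOD == seq:
                self._splice(prev, cur)
                break


def demo() -> Set[Tuple[int, bytes]]:
    """Constructed sample: an HTTP request split so that "/etc/passwd" straddles
    the boundary between two segments, which are delivered out of order."""
    signatures = [b"/etc/passwd", b"<script>"]  # constructed sample signatures, k = 11
    stream = (b"GET /cgi-bin/view?file=../../../etc/passwd HTTP/1.1\r\n"
              b"Host: example\r\n\r\n")
    seg_a, seg_b = stream[:36], stream[36:]          # "...etc/" | "passwd ..."
    seg_c = b"<html><script>alert(1)</script></html>"  # a third, later segment
    r = BoundaryReassembler(signatures, max_data_len=1460)
    r.feed(1036, seg_b)   # arrives first; its predecessor is still missing
    r.feed(1070, seg_c)   # predecessor found (1036 + 34 = 1070): spliced, no match
    r.feed(1000, seg_a)   # successor 1036 already stored: spliced, straddler found
    return r.hits


if __name__ == "__main__":
    for offset, sig in sorted(demo()):
        print(f"seq {offset}: {sig!r}")
```

Neither segment alone contains "/etc/passwd"; only the boundary text formed from the last 11 bytes of the first segment and the first 11 bytes of the second does, which is the point of the scheme. Two caveats a detector built on it needs: a signature that spans three segments (a middle segment shorter than the signature) is not covered by any single boundary text, so tiny segments must be handled separately, and the page gives no rule for segments shorter than 2k or for retransmissions whose payload differs from the stored copy.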
Application CN201711316411.1A, priority date 2017-12-12, filing date 2017-12-12: TCP segmented message text recombination method and device to be detected. Status: Active. Granted as CN108134751B (en).

Publications (2)

Publication number CN108134751A (en), publication date 2018-06-08
Publication number CN108134751B (en), publication date 2020-08-04

Family

ID=62389304

Country Status (1)

Country Link
CN (1) CN108134751B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number, priority date, publication date, assignee: title
CN111371782A (en) *, 2020-03-03, 2020-07-03, 深信服科技股份有限公司 (Sangfor Technologies): Message transmission method and device and storage medium

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number, priority date, publication date, assignee: title
US7953093B2 (en) *, 2001-09-06, 2011-05-31, Broadcom Corporation: TCP/IP reordering
EP2202937B1 (en) *, 2008-12-24, 2011-11-30, Mitsubishi Electric R&D Centre Europe B.V.: Partial reassembly for pattern matching
CN101841545B (en) *, 2010-05-14, 2012-08-01, 中国科学院计算技术研究所 (Institute of Computing Technology, Chinese Academy of Sciences): TCP stream restructuring and/or packetizing method and device
CN102752189B (en) *, 2011-04-22, 2015-08-19, 北京华为数字技术有限公司 (Beijing Huawei Digital Technologies Co., Ltd.): Method and apparatus for processing a message
CN102307151B (en) *, 2011-10-10, 2014-04-02, 上海西默通信技术有限公司: HTTP (hyper text transport protocol)-based network packet reduction method
CN105939297B (en) *, 2015-10-26, 2019-03-15, 杭州迪普科技股份有限公司 (Hangzhou DPTech Technologies Co Ltd): TCP message reassembly method and device
CN107332839B (en) *, 2017-06-28, 2020-03-06, 杭州迪普科技股份有限公司 (Hangzhou DPTech Technologies Co Ltd): Message transmission method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant