CN108270783A - A kind of data processing method and device - Google Patents

Publication number
CN108270783A
Authority
CN
China
Prior art keywords
data, content, type, target, message
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810034333.4A
Other languages
Chinese (zh)
Other versions
CN108270783B (en)
Inventor
王磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd
Priority to CN201810034333.4A
Publication of CN108270783A
Application granted
Publication of CN108270783B
Status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22: Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the present application provide a data processing method and device. The method includes: receiving a data message, the data message including data content; determining target data content, the target data content including the data content; extracting the content of the first preset data amount of the target data content; matching the extracted content against default condition codes and determining the default condition code that the extracted content includes; determining, according to the correspondence between default condition codes and file types, the file type corresponding to the default condition code that the extracted content includes, as the target data type; and, according to the target data type, processing the data message and the other data messages that include other data content belonging to the same raw data packet as the data content. The technical solution provided by the embodiments of the present application improves the accuracy of file type identification and the security of the network.

Description

A data processing method and device
Technical field
This application relates to the field of communication technology, and in particular to a data processing method and device.
Background
File filtering is a deep packet inspection technique built on the application-layer detection engine. It is a security mechanism that filters the files transmitted through a device according to their file type information.
At present, file filtering is implemented as follows: the file type of the file in a data message is determined from its extension, and the data message is then processed according to the characterization rules matched by that file type. For example, to restrict intranet users from sending docx and pptx files to external network devices: if the extension of the file in a data message is detected to be docx or pptx, the file type of the file in the data message is determined to be a docx file or a pptx file, and the file in the data message can be discarded, so that docx or pptx files are not sent to external network devices.
A file extension is relatively simple, so determining the file type of a file from its extension is inaccurate. In addition, a user can bypass the security check by changing the extension of the file, so the security of the network is low.
Summary of the invention
The purpose of the embodiments of the present application is to provide a data processing method and device that improve the accuracy of file type identification and the security of the network. The specific technical solution is as follows:
In a first aspect, the embodiments of the present application disclose a data processing method, the method including:
receiving a data message, the data message including data content;
determining target data content, the target data content including the data content;
extracting the content of the first preset data amount of the target data content;
matching the extracted content against default condition codes, and determining the default condition code that the extracted content includes;
determining, according to the correspondence between default condition codes and file types, the file type corresponding to the default condition code that the extracted content includes, as the target data type;
processing, according to the target data type, the data message and other data messages, the other data messages including other data content that belongs to the same raw data packet as the data content.
In a second aspect, the embodiments of the present application disclose a data processing device, the device including:
a receiving unit, for receiving a data message, the data message including data content;
a first determination unit, for determining target data content, the target data content including the data content;
an extraction unit, for extracting the content of the first preset data amount of the target data content;
a matching unit, for matching the extracted content against default condition codes and determining the default condition code that the extracted content includes;
a second determination unit, for determining, according to the correspondence between default condition codes and file types, the file type corresponding to the default condition code that the extracted content includes, as the target data type;
a processing unit, for processing, according to the target data type, the data message and other data messages, the other data messages including other data content that belongs to the same raw data packet as the data content.
In a third aspect, the embodiments of the present application disclose an electronic device including a processor and a machine-readable storage medium. The machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the machine-executable instructions cause the processor to implement the above data processing method.
In a fourth aspect, the embodiments of the present application disclose a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to implement the above data processing method.
In the embodiments of the present application, the data content includes file feature information, and the file type is determined from the data content rather than from a simple extension, which improves the accuracy of file type identification. In addition, the data content is the information the user wants to transmit, and the user will not readily change it; determining the file type from the data content and then processing the data message accordingly therefore improves the security of the network. Of course, a product or method implementing the present application does not necessarily need to achieve all of the above advantages at the same time.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. The drawings described below are only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the first flow diagram of the data processing method provided by the embodiments of the present application;
Fig. 2 is a schematic diagram of a state machine provided by the embodiments of the present application;
Fig. 3 is the second flow diagram of the data processing method provided by the embodiments of the present application;
Fig. 4 is a schematic diagram of a data processing scenario provided by the embodiments of the present application;
Fig. 5 is a structure diagram of a data processing device provided by the embodiments of the present application;
Fig. 6 is a structure diagram of an electronic device provided by the embodiments of the present application.
Detailed description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments in this application without creative effort fall within the protection scope of this application.
At present, the file type of the file in a data message is determined mainly from its extension, and the data message is then processed according to the characterization rules matched by that file type. A file extension is relatively simple, so determining the file type of a file from its extension is inaccurate. In addition, a user can bypass the security check by changing the extension of the file, so the security of the network is low.
To improve the accuracy of file type identification and the security of the network, the embodiments of the present application provide a data processing method and device. The method can be applied to network devices such as firewall devices, switches and routers; the embodiments of the present application do not limit this.
Referring to Fig. 1, the first flow diagram of the data processing method provided by the embodiments of the present application, the method can be applied to a device with a DPI (Deep Packet Inspection) function, such as a firewall device.
Specifically, the data processing method includes:
Step 101: Receive a data message. The data message includes data content.
When a network device sends a data message, the data type of the raw data packet to which the carried data content belongs can be a non-file type or a file type.
In addition, if the size of the raw data packet exceeds the MTU (Maximum Transmission Unit) that the link can support, the network device splits the raw data packet into multiple sub-packets and encapsulates each sub-packet in one data message sent to the other device. In this case, a data message received by the other device includes part of the data content of the raw data packet.
If the size of the raw data packet is less than the MTU that the link can support, the network device encapsulates the raw data packet in a single data message sent to the other device. In this case, the data message received by the other device includes one complete raw data packet.
In the embodiments of the present application, if the raw data packet is split into multiple packets, the received data message is the first packet of that raw data packet.
Step 102: Determine the target data content. The target data content includes the data content that the data message includes.
Data messages can be transmitted over different protocols. After a data message is received, it is first parsed according to its transport protocol to obtain the data content, and the target data content is then determined from the parsed data content.
In one embodiment of the application, the data content that the data message includes can be determined as the target data content.
In another embodiment of the application, the amount of data content carried in each data message is not fixed. To avoid the case where the data volume of the first received data content is below the preset data amount, so that the data type cannot be determined accurately, it can first be determined whether the data volume of the data content in the received data message is not less than the preset data amount.
If the data volume of the data content is determined to be not less than the preset data amount, the data content can be directly determined as the target data content.
If the data volume of the data content is determined to be less than the preset data amount, then when another data message is received that includes other data content belonging to the same raw data packet as the data content of the data message, the data content and the other data content are determined as the target data content. That is, besides the data content that the data message includes, the target data content can also include other data content, carried in at least one other data message, that belongs to the same raw data packet as the data content.
To identify the data type quickly and reduce the storage space occupied, each time another data message is received, it can be determined whether the total data volume of the data content in the previously received data message and the data content in the other data message is not less than the preset data amount. If it is not less than the preset data amount, the data content and the other data content are determined as the target data content; if it is less than the preset data amount, the device continues to receive other data messages.
In one embodiment of the application, if the data volume of the data content is less than the preset data amount, a timer can be started. If, before the timer expires, another data message is received that includes other data content belonging to the same raw data packet as the data content of the first received data message, the data content and the other data content are determined as the target data content. If no such data message has been received when the timer expires, the data content that the received data message includes is determined as the target data content. This avoids storing the target data content indefinitely while waiting for other data messages, reduces the storage space occupied on the device, and reduces the impact on data processing.
For example, the preset data amount is Q. Raw data packet X is split into 5 packets, that is, into 5 parts of data content, each of which is encapsulated in one of 5 data messages: message 1, message 2, message 3, message 4 and message 5.
After the network device receives message 1, if the data volume of the data content in message 1 is determined to be not less than Q, the data content in message 1 is determined as the target data content.
If the data volume of the data content in message 1 is determined to be less than Q, a timer is started and the device waits to receive other data messages.
If the timer expires, the data content in message 1 is determined as the target data content.
If the network device receives message 2 before the timer expires, it determines whether the total data volume of the data content in message 1 and the data content in message 2 is not less than Q.
If that total is determined to be not less than Q, the data content in message 1 and the data content in message 2 are determined as the target data content.
If that total is determined to be less than Q, the timer is restarted and the device continues to wait for other data messages.
If the timer expires, the data content in message 1 and the data content in message 2 are determined as the target data content.
If the network device receives message 3 before the timer expires, it determines whether the total data volume of the data content in message 1, message 2 and message 3 is not less than Q. For details, refer to the operation when message 2 is received.
Step 103: Extract the content of the first preset data amount of the target data content.
Here, the preset data amount can be set from experience, or set by weighing the accuracy of data type determination against its efficiency. For example, if extracting the condition code from the first 12 bytes of the data content allows the file type to be determined with an accuracy of up to 90%, the preset data amount can be set to 12 bytes.
In the embodiments of the present application, the content of the first preset data amount of the target data content is extracted to determine the file type. Only the content of the preset data amount needs to be cached; neither the whole target data content nor all the data content of the same raw data packet needs to be cached, which saves storage space. In addition, the file type is determined from the content of the preset data amount of the target data content, not from the whole target data content and not from all the data content of the same raw data packet, which effectively improves file identification efficiency.
Step 104: Match the extracted content against default condition codes and determine the default condition code that the extracted content includes.
Here, a condition code is a feature field of the data content. The default condition codes can include condition codes for different types of file, for example the condition code "rar" for compressed files and the condition code "PK [Content_types].xml" for docx files.
Step 105: According to the correspondence between default condition codes and file types, determine the file type corresponding to the default condition code that the extracted content includes, as the target data type.
In one embodiment of the application, to make the file type easier to determine, files can be divided into several classes and the condition codes of each class determined separately. The file classes can include:
(1) Basic class files: the head of the file content carries an obvious condition code, for example compressed files.
(2) General class files: the head of the file content carries a generic condition code, for example docx and pptx files. For this class, the file type cannot be determined accurately from the condition code at the head alone; the content of other fields must also be examined to determine the file type.
(3) Script class files: for this class, the protocol payload during transmission is usually the program itself. File identification takes into account the style of the programming language and specific key fields or code fields of the program, and the concrete file type is determined from these combined feature fields, for example a perl script file.
(4) Unknown class files: files of this class have no clear feature and need to be separated out and handled individually during processing. Common files of this class are picture files, audio files, WIN executable files, Linux executable files and so on.
After condition codes have been extracted for each class of file, the correspondence between the condition codes of the class and the file type of the class is stored. Then, according to the correspondence between condition codes and file types, the characterization rules matched by the default condition code that the extracted content matches are derived, and the file type of the received data content is determined.
Step 106: According to the target data type, process the data message and the other data messages. The other data messages include other data content that belongs to the same raw data packet as the data content of the data message.
Here, processing the data message and the other data messages can be: inputting the data message and the other data messages into the deep-packet detection engine for detection.
In one embodiment of the application, if the target data type is determined to be a compressed file, other files are nested in the target data content. The target data content is decompressed, the content of the first preset data amount of the decompressed content is extracted, and execution continues from step 104.
Here, to identify the file type quickly, only the content extracted from the target data content may be decompressed; afterwards, step 105 is re-executed.
If the target data type is determined not to be a compressed file, the data message and the other data messages are processed according to the target data type.
In one embodiment of the application, if, after the extracted content is matched against the default condition codes, it is determined that the extracted content includes no default condition code, the target data content can be determined to be non-file content of non-file type. The non-file type is then used as the target data type, and the data message and the other data messages are processed according to the target data type.
For example, the preset rules are: forbid the transmission of docx and pptx files; let non-files and other types of file pass. A data message includes data content Y. If the target data type of data content Y is determined to be the pptx file type, the data message and the other data messages that include other data content belonging to the same raw data packet as data content Y are discarded. If the target data type is determined to be the non-file type, the data message and the other data messages that include other data content belonging to the same raw data packet as data content Y are let through.
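Steps 101 to 106 as an added example (not code from the patent): a per-flow classifier that buffers at most the preset data amount, restarts a wait timer while the buffer is short, matches the prefix against a signature table, and looks one level inside a gzip stream. The signature table, the 64-byte `Q`, the 2-second `WAIT`, the blocked set and the `pending` verdict for undecided flows are assumptions of this example; only gzip is decompressed because that is what the Python standard library supports.

```python
import gzip
import zlib

Q = 64        # preset data amount in bytes (assumption; the page's own example uses 12)
WAIT = 2.0    # seconds to wait for more data messages of the same raw data packet (assumption)

# Constructed table of default condition codes: magic bytes at offset 0 -> file type.
SIGNATURES = [
    (b"Rar!\x1a\x07", "rar"),
    (b"PK\x03\x04", "zip"),       # also the container format of docx/pptx
    (b"\x1f\x8b\x08", "gzip"),
    (b"%PDF-", "pdf"),
    (b"\x7fELF", "elf"),
]
BLOCKED = {"zip", "elf"}          # constructed policy for this example


def match(prefix):
    """Steps 104/105: file type whose condition code the prefix starts with."""
    for magic, file_type in SIGNATURES:
        if prefix.startswith(magic):
            return file_type
    return "non-file"


def identify(prefix):
    """Classify the first Q bytes; for gzip, re-match the first Q decompressed bytes."""
    prefix = prefix[:Q]
    file_type = match(prefix)
    if file_type == "gzip":
        try:
            # max_length bounds the output, so a decompression bomb costs at most Q bytes.
            # A truncated stream is fine: zlib returns whatever it could decode so far.
            inner = zlib.decompressobj(31).decompress(prefix, Q)
        except zlib.error:
            return file_type
        nested = match(inner)
        if nested != "non-file":
            return nested
    return file_type


class FlowClassifier:
    """State for one raw data packet; keeps at most Q bytes of its data content."""

    def __init__(self):
        self.buf = b""
        self.deadline = None
        self.file_type = None      # target data type once decided

    def on_tick(self, now):
        """Timer expiry: decide with whatever has been buffered."""
        if self.file_type is None and self.deadline is not None and now >= self.deadline:
            self.file_type = identify(self.buf)
        return self.file_type

    def on_message(self, payload, now):
        """Step 102: add one data message's content; returns the type, or None while waiting."""
        if self.on_tick(now) is not None:
            return self.file_type          # later messages inherit the decision
        self.buf = (self.buf + payload)[:Q]
        if len(self.buf) >= Q:
            self.file_type = identify(self.buf)
        else:
            self.deadline = now + WAIT     # start or restart the timer
        return self.file_type


def verdict(file_type):
    """Step 106: one decision for the data message and all its sibling messages."""
    if file_type is None:
        return "pending"   # assumption: the page does not say what happens to undecided messages
    return "drop" if file_type in BLOCKED else "forward"


if __name__ == "__main__":
    flow = FlowClassifier()
    # Constructed sample: an ELF header wrapped in gzip, arriving as one short message.
    flow.on_message(gzip.compress(b"\x7fELF" + bytes(200)), now=0.0)
    print(verdict(flow.on_tick(now=WAIT)))   # the timer expires and the buffered prefix is classified
```

The classifier never holds more than `Q` bytes per flow, which is the storage saving the description of step 103 refers to.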
In one embodiment of the application, to make it easier to determine the data type and process data messages, data type identification and data message processing are carried out according to the state machine shown in Fig. 2.
When the state machine is in the INIT (Initial) state, the received data message is parsed to obtain the data content, and the content of the first preset data amount of the data content is extracted. The state machine then moves to the MNMatch (MN algorithm match) state. The MN algorithm is a lightweight AC (Aho-Corasick) algorithm.
When the state machine is in the MNMatch state, the extracted content is matched against the default condition codes. If no default condition code matches the extracted content, the file type of the data content is determined to be the non-file type, the data message and the other data messages that include other data content belonging to the same raw data packet as the data content are processed according to the non-file type, and the state machine moves to the FINI (Finish) state. If a default condition code matches the extracted content, the state machine moves to the Sigdeduce (Signature deduce) state.
When the state machine is in the Sigdeduce state, the characterization rules matched by the default condition code that the extracted content matches are derived to determine the file type of the data content. If the file type of the data content is determined, the data message and the other data messages that include other data content belonging to the same raw data packet as the data content are processed according to the determined file type, and the state machine moves to the Fileproc (File process) state. If the derivation is not complete, the state of the state machine does not change, and the derivation continues when the next data message arrives. If the derivation fails, the file type of the data content is determined to be the non-file type, the data message and the other data messages that include other data content belonging to the same raw data packet as the data content are processed according to the non-file type, and the state machine moves to the FINI state.
When the state machine is in the Fileproc state, the callback function for the file is called according to the determined file type, and the data message and the other data messages that include other data content belonging to the same raw data packet as the data content are input into the corresponding business module for processing. Until the raw data packet ends, the state machine stays in the Fileproc state. When the raw data packet ends, the state machine moves to the FINI state.
The business modules include an AV (anti-virus) module, an IPS (Intrusion Prevention System) module, an FW (firewall) module and so on.
When the state machine is in the FINI state, data processing ends.
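The Fig. 2 state machine as an added example, not the patent's implementation: a ZIP head signature is a general class condition code, so the machine stays in Sigdeduce across data messages until a member name reveals docx or pptx. The `word/` and `ppt/` markers, `DEDUCE_LIMIT`, holding messages until the type is known, the plain `startswith` loop standing in for MN matching, and the `handler` callback standing in for the business modules are all assumptions of this example.

```python
from enum import Enum


class State(Enum):
    INIT = 1
    MNMATCH = 2
    SIGDEDUCE = 3
    FILEPROC = 4
    FINI = 5


PREFIX = 12           # preset data amount, 12 bytes as in the page's example
DEDUCE_LIMIT = 4096   # assumption: give up deducing after this many bytes
HEAD_SIGS = [(b"Rar!\x1a\x07", "rar"), (b"PK\x03\x04", "zip")]   # constructed table
# Constructed deduction rules for ZIP containers: member-name marker -> file type.
ZIP_RULES = [(b"word/", "docx"), (b"ppt/", "pptx")]


class FlowStateMachine:
    """One instance per raw data packet."""

    def __init__(self, handler):
        self.state = State.INIT
        self.handler = handler   # callback(file_type, payload); stands in for AV/IPS/FW modules
        self.prefix = b""
        self.head = None         # file type suggested by the head condition code
        self.seen = b""          # bytes available to the deduction rules
        self.held = []           # messages waiting for a decision (assumption)
        self.file_type = None

    def feed(self, payload, last=False):
        """Process one data message; `last` marks the end of the raw data packet."""
        if self.state is State.FINI:
            return self.state    # processing for this raw data packet has ended
        if self.state is State.FILEPROC:
            self.handler(self.file_type, payload)
        else:
            self.held.append(payload)
            if self.state is State.INIT:
                self.prefix = payload[:PREFIX]
                self.state = State.MNMATCH
            if self.state is State.MNMATCH:
                self.head = next((t for m, t in HEAD_SIGS if self.prefix.startswith(m)), None)
                if self.head is None:
                    self._release("non-file", State.FINI)
                else:
                    self.state = State.SIGDEDUCE
            if self.state is State.SIGDEDUCE:
                self._deduce(payload, last)
        if last:
            self.state = State.FINI
        return self.state

    def _deduce(self, payload, last):
        self.seen = (self.seen + payload)[:DEDUCE_LIMIT]
        if self.head != "zip":
            # Basic class file: the head condition code alone decides the type.
            return self._release(self.head, State.FILEPROC)
        for marker, file_type in ZIP_RULES:
            if marker in self.seen:
                return self._release(file_type, State.FILEPROC)
        if last or len(self.seen) >= DEDUCE_LIMIT:
            # Derivation failed: as described above, the type becomes non-file.
            self._release("non-file", State.FINI)
        # Otherwise stay in SIGDEDUCE and continue when the next data message arrives.

    def _release(self, file_type, next_state):
        self.file_type = file_type
        for held_payload in self.held:
            self.handler(file_type, held_payload)
        self.held = []
        self.state = next_state
```

Because a failed derivation ends in the non-file type, a ZIP container that matches none of the deduction rules is treated like ordinary traffic, so the rule set decides how much this path lets through.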
With the embodiments of the present application, the data content includes file feature information, and the file type is determined from the data content rather than from a simple extension, which improves the accuracy of file type identification. In addition, the data content is the information the user wants to transmit, and the user will not readily change it; determining the file type from the data content and then processing the data message accordingly therefore improves the security of the network.
In one embodiment of the application, referring to the second flow diagram of the data processing method shown in Fig. 3 and building on Fig. 1, the method includes:
Step 301: Receive a data message. The data message includes data content.
Step 302: Determine the target data content. The target data content includes the data content that the data message includes.
Step 303: Extract the content of the first preset data amount of the target data content.
Step 304: Match the extracted content against default condition codes and determine the default condition code that the extracted content includes.
Step 305: According to the correspondence between default condition codes and file types, determine the file type corresponding to the default condition code that the extracted content includes, as the target data type.
Steps 301-305 are identical to steps 101-105.
Step 306: According to the pre-stored correspondence between data types and deep-packet detection engines, determine the target deep-packet detection engine corresponding to the target data type.
In the embodiments of the present application, the acquired characterization rules are divided by data type. For each data type, the characterization rules assigned to that data type are compiled to generate the deep-packet detection engine corresponding to that data type. For example, the characterization rules of compressed files are compiled to generate deep-packet detection engine 1, and the characterization rules of script files are compiled to generate deep-packet detection engine 2.
Once the target data type is determined, the target deep-packet detection engine corresponding to the target data type can be determined.
Step 307: Input the data message and the other data messages into the target deep-packet detection engine, and determine the characterization rules matched by the data message and by the other data messages respectively.
The target deep-packet detection engine includes the characterization rules corresponding to the data type of the target data content. By inputting the data message and the other data messages into the target deep-packet detection engine, the characterization rules matched by the data message and by the other data messages can be determined.
Step 308: Process the data message and the other data messages respectively according to the matched characterization rules. The other data messages include other data content that belongs to the same raw data packet as the data content of the data message.
In the embodiments of the present application, multiple deep-packet detection engines are divided by data type, and each deep-packet detection engine includes the characterization rules of only one data type, far fewer than the characterization rules of all data types. The target deep-packet detection engine is determined from the data type and detects the characterization rules matched by the data message and the other data messages. Compared with using one main deep-packet detection engine, compiled from the characterization rules of all data types, to detect the characterization rules matched by the data message and the other data messages, this effectively raises detection speed and thus data processing efficiency.
In the data processing scenario shown in Fig. 4, 5 deep-packet detection engines are provided in the network device: deep-packet detection engine 1 for basic class files, deep-packet detection engine 2 for WIN executable class files, deep-packet detection engine 3 for Linux executable class files, deep-packet detection engine 4 for picture class files, and deep-packet detection engine 5 for script class files.
If the network device receives a flow that, as shown in Fig. 4, is divided into 6 sections (non-file, WIN executable file, unidentifiable file, picture file, script file and Linux executable file), then the non-file and the unidentifiable file are input into deep-packet detection engine 1, the WIN executable file into deep-packet detection engine 2, the picture file into deep-packet detection engine 4, the script file into deep-packet detection engine 5, and the Linux executable file into deep-packet detection engine 3. These 5 deep-packet detection engines determine the characterization rules matched by each file, and the flow is then processed. In this way, recognition efficiency and device performance are improved without reducing recognition accuracy.
The data content mentioned in the embodiments of the present application is the data content that the received data message includes. The other data messages are data messages that include other data content belonging to the same raw data packet as the data content.
Corresponding to the data processing method embodiments, the embodiments of the present application further provide a data processing device. Referring to Fig. 5, which is a structural diagram of a data processing device provided by an embodiment of the present application, the device includes:
Receiving unit 501, configured to receive a data message, the data message including data content;
First determination unit 502, configured to determine target data content, the target data content including the data content;
Extraction unit 503, configured to extract the content of the first preset data amount of the target data content;
Matching unit 504, configured to match the extracted content against the default condition codes and determine the default condition code that the extracted content includes;
Second determination unit 505, configured to determine, according to the correspondence between default condition codes and file types, the file type corresponding to the default condition code included in the extracted content, as the target data type;
Processing unit 506, configured to process the data message and other data messages according to the target data type, the other data messages including other data contents belonging to the same raw data packet as the data content.
In one embodiment of the application, if the data volume of the data content is less than the preset data amount, the target data content further includes: other data contents, included in at least one other data message, that belong to the same raw data packet as the data content.
In one embodiment of the application, processing unit 506 may further be configured to decompress the target data content if the target data type is a compressed file;
Extraction unit 503 may further be configured to extract the content of the first preset data amount from the decompressed content;
Processing unit 506 may further be configured to process the data message and other data messages according to the target data type if the target data type is not a compressed file.
In one embodiment of the application, second determination unit 505 may further be configured to, if the extracted content does not include a default condition code, determine that the target data content is of the non-file type and use the non-file type as the target data type.
In one embodiment of the application, processing unit 506 may specifically be configured to:
Determine, according to the pre-stored correspondence between data types and deep-packet detection engines, the target deep-packet detection engine corresponding to the target data type;
Input the data message and other data messages into the target deep-packet detection engine, and determine the characterization rules matched by the data message and by the other data messages respectively;
Process the data message and the other data messages respectively according to the matched characterization rules.
With the embodiments of the present application, the data content contains file feature information, and the file type is determined from the data content rather than simply from the extension name, which improves the accuracy of file type identification. In addition, the data content is the information the user intends to transmit, and the user will not readily change it; determining the file type from the data content and then processing the data message accordingly therefore improves the security of the network.
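The pipeline formed by units 501-506, with the Figure 4 engine routing, as an added Python example that is not code from the patent. The feature codes, the 8-byte preset data amount, the choice of gzip as the compressed type, matching at offset 0, and the depth and size bounds on decompression are all assumptions made for illustration.

```python
import gzip
import zlib

# Constructed feature-code table (assumption: the patent does not list its codes).
SIGNATURES = [
    (b"MZ", "win_executable"),
    (b"\x7fELF", "linux_executable"),
    (b"\x89PNG\r\n\x1a\n", "picture"),
    (b"\xff\xd8\xff", "picture"),          # JPEG
    (b"#!", "script"),
    (b"\x1f\x8b", "compressed"),           # gzip
]
# Data type -> deep-packet detection engine, numbered as in the Figure 4 scenario.
ENGINE_FOR_TYPE = {"non_file": 1, "win_executable": 2, "linux_executable": 3,
                   "picture": 4, "script": 5}
PRESET_LEN = 8       # "preset data amount" in bytes (assumed value)
MAX_DEPTH = 3        # assumed bound on nested compression layers
MAX_INFLATE = 4096   # assumed cap on decompressed bytes that are inspected


def build_target(segments):
    """Units 501/502: join contents of one raw packet until PRESET_LEN bytes exist."""
    target = b""
    for seg in segments:
        target += seg
        if len(target) >= PRESET_LEN:
            break
    return target


def match_signature(head):
    """Units 504/505: feature code -> file type; no match means non-file type."""
    for magic, ftype in SIGNATURES:
        if head.startswith(magic):   # assumption: codes are anchored at offset 0
            return ftype
    return "non_file"


def inflate_prefix(data, limit=MAX_INFLATE):
    """Bounded gzip decompression, so a small packet cannot expand without limit."""
    try:
        return zlib.decompressobj(wbits=31).decompress(data, limit)
    except zlib.error:
        return b""


def classify(segments, depth=0):
    """Unit 503 onward: extract the leading bytes, match, re-match after decompression."""
    target = build_target(segments)
    ftype = match_signature(target[:PRESET_LEN])
    if ftype == "compressed":
        if depth >= MAX_DEPTH:       # too deeply nested: treat as unidentifiable
            return "non_file"
        return classify([inflate_prefix(b"".join(segments))], depth + 1)
    return ftype


def dispatch(segments):
    """Unit 506: choose the engine that will apply its characterization rules."""
    ftype = classify(segments)
    return ftype, ENGINE_FOR_TYPE[ftype]


def gz_layers(payload, layers):
    """Helper for the constructed samples: gzip the payload `layers` times."""
    for _ in range(layers):
        payload = gzip.compress(payload)
    return payload


SCRIPT = b"#!/bin/sh\necho hi\n"
# Constructed sample contents, one list of packet contents per raw data packet.
SAMPLES = {
    "pe_split": [b"M", b"Z\x90\x00\x03\x00\x00\x00\x04"],   # code split over 2 packets
    "elf": [b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8],
    "png": [b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"],
    "script": [SCRIPT],
    "gz_script": [gz_layers(SCRIPT, 1)],
    "gz_too_deep": [gz_layers(SCRIPT, MAX_DEPTH + 1)],
    "text": [b"GET /index.html HTTP/1.1\r\n"],
}

if __name__ == "__main__":
    for name, segs in SAMPLES.items():
        print(name, dispatch(segs))
```

The `pe_split` sample shows why the target data content is extended with other data contents when the first one is shorter than the preset data amount: classified alone, its first packet matches no feature code.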
Corresponding to the data processing method embodiments, the embodiments of the present application further provide an electronic device, including a processor and a machine-readable storage medium. The machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the machine-executable instructions cause the processor to implement the above data processing method.
The electronic device shown in Fig. 6 includes a processor 601 and a machine-readable storage medium 602; the machine-readable storage medium 602 stores machine-executable instructions that can be executed by the processor 601.
In addition, as shown in Fig. 6, the electronic device may further include a communication interface 603 and a communication bus 604. The processor 601, the machine-readable storage medium 602 and the communication interface 603 communicate with one another through the communication bus 604, and the communication interface 603 is used for communication between the electronic device and other devices.
The machine-executable instructions include: a receiving instruction 612, a first determination instruction 622, an extraction instruction 632, a matching instruction 642, a second determination instruction 652 and a processing instruction 662;
The receiving instruction 612 causes the processor 601 to: receive a data message, the data message including data content;
The first determination instruction 622 causes the processor 601 to: determine target data content, the target data content including the data content;
The extraction instruction 632 causes the processor 601 to: extract the content of the first preset data amount of the target data content;
The matching instruction 642 causes the processor 601 to: match the extracted content against the default condition codes and determine the default condition code that the extracted content includes;
The second determination instruction 652 causes the processor 601 to: determine, according to the correspondence between default condition codes and file types, the file type corresponding to the default condition code included in the extracted content, as the target data type;
The processing instruction 662 causes the processor 601 to: process the data message and other data messages according to the target data type, the other data messages including other data contents belonging to the same raw data packet as the data content.
In one embodiment of the application, if the data volume of the data content is less than the preset data amount, the target data content further includes: other data contents, included in at least one other data message, that belong to the same raw data packet as the data content.
In one embodiment of the application, the processing instruction 662 causes the processor 601 to: decompress the target data content if the target data type is a compressed file;
The extraction instruction 632 causes the processor 601 to: extract the content of the first preset data amount from the decompressed content;
The processing instruction 662 causes the processor 601 to: process the data message and other data messages according to the target data type if the target data type is not a compressed file.
In one embodiment of the application, the second determination instruction 652 causes the processor 601 to: if the extracted content does not include a default condition code, determine that the target data content is of the non-file type and use the non-file type as the target data type.
In one embodiment of the application, the processing instruction 662 specifically causes the processor 601 to:
Determine, according to the pre-stored correspondence between data types and deep-packet detection engines, the target deep-packet detection engine corresponding to the target data type;
Input the data message and other data messages into the target deep-packet detection engine, and determine the characterization rules matched by the data message and by the other data messages respectively;
Process the data message and the other data messages respectively according to the matched characterization rules.
With the embodiments of the present application, the data content contains file feature information, and the file type is determined from the data content rather than simply from the extension name, which improves the accuracy of file type identification. In addition, the data content is the information the user intends to transmit, and the user will not readily change it; determining the file type from the data content and then processing the data message accordingly therefore improves the security of the network.
The communication bus 604 may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus 604 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, it is drawn as a single thick line in Fig. 6, but this does not mean that there is only one bus or only one type of bus.
The machine-readable storage medium 602 may include RAM (Random Access Memory) and may also include NVM (Non-Volatile Memory), for example at least one disk storage. In addition, the machine-readable storage medium 602 may be at least one storage device located remotely from the aforementioned processor.
The processor 601 may be a general-purpose processor, including a CPU (Central Processing Unit), an NP (Network Processor) and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or another programmable logic device, discrete gate or transistor logic device, or discrete hardware component.
Corresponding to the data processing method embodiments, the embodiments of the present application further provide a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to implement the above data processing method.
The machine-executable instructions include: a receiving instruction, a first determination instruction, an extraction instruction, a matching instruction, a second determination instruction and a processing instruction;
When called and executed by the processor, the receiving instruction causes the processor to: receive a data message, the data message including data content;
When called and executed by the processor, the first determination instruction causes the processor to: determine target data content, the target data content including the data content;
When called and executed by the processor, the extraction instruction causes the processor to: extract the content of the first preset data amount of the target data content;
When called and executed by the processor, the matching instruction causes the processor to: match the extracted content against the default condition codes and determine the default condition code that the extracted content includes;
When called and executed by the processor, the second determination instruction causes the processor to: determine, according to the correspondence between default condition codes and file types, the file type corresponding to the default condition code included in the extracted content, as the target data type;
When called and executed by the processor, the processing instruction causes the processor to: process the data message and other data messages according to the target data type, the other data messages including other data contents belonging to the same raw data packet as the data content.
In one embodiment of the application, if the data volume of the data content is less than the preset data amount, the target data content further includes: other data contents, included in at least one other data message, that belong to the same raw data packet as the data content.
In one embodiment of the application, when called and executed by the processor, the processing instruction may further cause the processor to: decompress the target data content if the target data type is a compressed file;
When called and executed by the processor, the extraction instruction may further cause the processor to: extract the content of the first preset data amount from the decompressed content;
When called and executed by the processor, the processing instruction may further cause the processor to: process the data message and other data messages according to the target data type if the target data type is not a compressed file.
In one embodiment of the application, when called and executed by the processor, the second determination instruction may further cause the processor to: if the extracted content does not include a default condition code, determine that the target data content is of the non-file type and use the non-file type as the target data type.
In one embodiment of the application, when called and executed by the processor, the processing instruction may specifically cause the processor to:
Determine, according to the pre-stored correspondence between data types and deep-packet detection engines, the target deep-packet detection engine corresponding to the target data type;
Input the data message and other data messages into the target deep-packet detection engine, and determine the characterization rules matched by the data message and by the other data messages respectively;
Process the data message and the other data messages respectively according to the matched characterization rules.
With the embodiments of the present application, the data content contains file feature information, and the file type is determined from the data content rather than simply from the extension name, which improves the accuracy of file type identification. In addition, the data content is the information the user intends to transmit, and the user will not readily change it; determining the file type from the data content and then processing the data message accordingly therefore improves the security of the network.
It should be noted that, herein, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" and any other variants are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. Without further limitation, an element introduced by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes it.
The embodiments in this specification are described in a related manner; for identical or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the data processing device, electronic device and machine-readable storage medium embodiments are described relatively briefly because they are substantially similar to the data processing method embodiments; for the relevant details, see the description of the method embodiments.
The foregoing is merely the preferred embodiments of the application and is not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principle of the application falls within the scope of protection of the application.

Claims (12)

1. A data processing method, characterized in that the method comprises:
Receiving a data message, the data message including data content;
Determining target data content, the target data content including the data content;
Extracting the content of the first preset data amount of the target data content;
Matching the extracted content against default condition codes, and determining the default condition code that the extracted content includes;
Determining, according to the correspondence between default condition codes and file types, the file type corresponding to the default condition code included in the extracted content, as the target data type;
Processing the data message and other data messages according to the target data type, the other data messages including other data contents belonging to the same raw data packet as the data content.
2. The method according to claim 1, characterized in that, if the data volume of the data content is less than the preset data amount, the target data content further includes: other data contents, included in at least one of the other data messages, that belong to the same raw data packet as the data content.
3. The method according to claim 1, characterized in that, before the step of processing the data message and other data messages according to the target data type, the method further comprises:
If the target data type is a compressed file, decompressing the target data content; extracting the content of the first preset data amount from the decompressed content, and returning to the step of matching the extracted content against the default condition codes and determining the default condition code that the extracted content includes;
If the target data type is not a compressed file, continuing with the step of processing the data message and other data messages according to the target data type.
4. The method according to claim 1, characterized in that the method further comprises:
If the extracted content does not include a default condition code, determining that the target data content is of the non-file type, and using the non-file type as the target data type.
5. The method according to any one of claims 1-4, characterized in that the step of processing the data message and other data messages according to the target data type comprises:
Determining, according to the pre-stored correspondence between data types and deep-packet detection engines, the target deep-packet detection engine corresponding to the target data type;
Inputting the data message and other data messages into the target deep-packet detection engine, and determining the characterization rules matched by the data message and by the other data messages respectively;
Processing the data message and the other data messages respectively according to the matched characterization rules.
6. A data processing device, characterized in that the device comprises:
A receiving unit, configured to receive a data message, the data message including data content;
A first determination unit, configured to determine target data content, the target data content including the data content;
An extraction unit, configured to extract the content of the first preset data amount of the target data content;
A matching unit, configured to match the extracted content against default condition codes and determine the default condition code that the extracted content includes;
A second determination unit, configured to determine, according to the correspondence between default condition codes and file types, the file type corresponding to the default condition code included in the extracted content, as the target data type;
A processing unit, configured to process the data message and other data messages according to the target data type, the other data messages including other data contents belonging to the same raw data packet as the data content.
7. The device according to claim 6, characterized in that, if the data volume of the data content is less than the preset data amount, the target data content further includes: other data contents, included in at least one of the other data messages, that belong to the same raw data packet as the data content.
8. The device according to claim 6, characterized in that:
The processing unit is further configured to decompress the target data content if the target data type is a compressed file;
The extraction unit is further configured to extract the content of the first preset data amount from the decompressed content;
The processing unit is further configured to process the data message and other data messages according to the target data type if the target data type is not a compressed file.
9. The device according to claim 6, characterized in that the second determination unit is further configured to, if the extracted content does not include a default condition code, determine that the target data content is of the non-file type and use the non-file type as the target data type.
10. The device according to any one of claims 6-9, characterized in that the processing unit is specifically configured to:
Determine, according to the pre-stored correspondence between data types and deep-packet detection engines, the target deep-packet detection engine corresponding to the target data type;
Input the data message and other data messages into the target deep-packet detection engine, and determine the characterization rules matched by the data message and by the other data messages respectively;
Process the data message and the other data messages respectively according to the matched characterization rules.
11. An electronic device, characterized by comprising a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions that can be executed by the processor, the machine-executable instructions causing the processor to implement the method steps of any one of claims 1-5.
12. A machine-readable storage medium, characterized by storing machine-executable instructions which, when called and executed by a processor, cause the processor to implement the method steps of any one of claims 1-5.
CN201810034333.4A 2018-01-15 2018-01-15 Data processing method and device, electronic equipment and storage medium Active CN108270783B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810034333.4A CN108270783B (en) 2018-01-15 2018-01-15 Data processing method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN108270783A true CN108270783A (en) 2018-07-10
CN108270783B CN108270783B (en) 2021-04-16

Family

ID=62775642

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810034333.4A Active CN108270783B (en) 2018-01-15 2018-01-15 Data processing method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN108270783B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571767A (en) * 2011-12-24 2012-07-11 成都市华为赛门铁克科技有限公司 File type recognition method and file type recognition device
CN102624547A (en) * 2011-12-31 2012-08-01 成都市华为赛门铁克科技有限公司 Method, device and system for managing IM (Instant Messaging) online behavior
CN103209170A (en) * 2013-03-04 2013-07-17 汉柏科技有限公司 File type identification method and identification system
CN105808583A (en) * 2014-12-30 2016-07-27 Tcl集团股份有限公司 File type identification method and device
US20160335415A1 (en) * 2015-05-14 2016-11-17 Florence Healthcare, Inc. Remote Monitoring and Dynamic Document Management Systems and Methods

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李洪革等: "《VERILOG硬件描述语言与设计》", 31 March 2017 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111181806A (en) * 2019-12-25 2020-05-19 深圳市丰润达科技有限公司 Method and device for realizing whole network flow analysis technology and readable storage medium
CN111181806B (en) * 2019-12-25 2022-02-25 深圳市丰润达科技有限公司 Method and device for realizing whole network flow analysis technology and readable storage medium
CN111367582A (en) * 2020-03-06 2020-07-03 上海赋华网络科技有限公司 High-performance file type identification method
CN111367582B (en) * 2020-03-06 2023-08-25 上海赋华网络科技有限公司 Method for identifying file type in high performance
CN112214462A (en) * 2020-10-22 2021-01-12 新华三信息安全技术有限公司 Multi-layer decompression method of compressed file, electronic equipment and storage medium
CN115002243A (en) * 2022-08-02 2022-09-02 上海秉匠信息科技有限公司 Data processing method and device
CN115002243B (en) * 2022-08-02 2022-11-01 上海秉匠信息科技有限公司 Data processing method and device

Also Published As

Publication number Publication date
CN108270783B (en) 2021-04-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant