CN110109672B - Analysis processing method and device for expression - Google Patents

Publication number
CN110109672B
Authority
CN
China
Prior art keywords
expression
target
public
node
parsing
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910309202.7A
Other languages
Chinese (zh)
Other versions
CN110109672A (en
Inventor
程诗尧
覃永靖
王彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qax Technology Group Inc
Original Assignee
Qax Technology Group Inc

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/41 Compilation
    • G06F8/42 Syntactic analysis
    • G06F8/427 Parsing

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Machine Translation (AREA)
  • Stored Programmes (AREA)

Abstract

An embodiment of the present invention discloses a method and device for parsing and processing expressions. The method includes: counting all expressions of the event processing language in the current network security rule engine to obtain the statistical quantity of each expression, and determining the common expressions according to the statistical quantity of each expression; when parsing a target expression of the event processing language, if the target expression is determined to be a common expression, determining whether the target common expression corresponding to the target expression has already been parsed; and, if the target common expression has been parsed, obtaining the parsing result of the target expression from the parsing result of the target common expression. By determining the common expressions of the event processing language and, during expression parsing, directly reusing the parsing result of any common expression that has already been parsed, the embodiment greatly reduces parsing time and also reduces memory consumption.

Description

Method and device for parsing and processing expressions

Technical Field

Embodiments of the present invention relate to the field of network security technologies, and in particular to a method and device for parsing and processing expressions.

Background

EPL (Event Process Language, event processing language) is widely used for writing the DSL (Domain Specified Language, domain-specific language) of network security rule engines.

The event processing language contains a large number of expressions. In the prior art, when the event processing language is parsed, its expressions are parsed one by one, which has high time complexity and consumes too much memory.

Summary of the Invention

Because the existing methods have the above problems, embodiments of the present invention propose a method and device for parsing and processing expressions.

In a first aspect, an embodiment of the present invention proposes a method for parsing and processing expressions, including:

counting all expressions of the event processing language in the current network security rule engine to obtain the statistical quantity of each expression, and determining the common expressions according to the statistical quantity of each expression;

when parsing a target expression of the event processing language, if the target expression is determined to be a common expression, determining whether the target common expression corresponding to the target expression has been parsed;

if the target common expression has been parsed, obtaining the parsing result of the target expression according to the parsing result of the target common expression.

In a second aspect, an embodiment of the present invention further proposes a device for parsing and processing expressions, including:

an expression statistics module, configured to count all expressions of the event processing language in the current network security rule engine to obtain the statistical quantity of each expression, and to determine the common expressions according to the statistical quantity of each expression;

a parsing judgment module, configured to, when parsing a target expression of the event processing language, determine whether the target common expression corresponding to the target expression has been parsed if the target expression is determined to be a common expression;

a result acquisition module, configured to obtain the parsing result of the target expression according to the parsing result of the target common expression if the target common expression has been parsed.

In a third aspect, an embodiment of the present invention further proposes an electronic device, including:

at least one processor; and

at least one memory communicatively connected to the processor, wherein:

the memory stores program instructions executable by the processor, and the processor can execute the above method by calling the program instructions.

In a fourth aspect, an embodiment of the present invention further proposes a non-transitory computer-readable storage medium, where the non-transitory computer-readable storage medium stores a computer program, and the computer program causes a computer to execute the above method.

As can be seen from the above technical solution, the embodiment of the present invention determines the common expressions of the event processing language and, during expression parsing, directly reuses the parsing result of any common expression that has already been parsed, which greatly reduces parsing time and also reduces memory consumption.

Brief Description of the Drawings

In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic flowchart of a method for parsing and processing expressions provided by an embodiment of the present invention;

FIG. 2 is a schematic flowchart of counting expressions provided by an embodiment of the present invention;

FIG. 3 is a schematic flowchart of a method for parsing and processing expressions provided by another embodiment of the present invention;

FIG. 4 is a schematic structural diagram of a device for parsing and processing expressions provided by an embodiment of the present invention;

FIG. 5 is a logic block diagram of an electronic device provided by an embodiment of the present invention.

Detailed Description

Specific embodiments of the present invention are further described below with reference to the drawings. The following embodiments are only used to illustrate the technical solution of the present invention more clearly and do not limit its scope of protection.

FIG. 1 shows a schematic flowchart of a method for parsing and processing expressions provided by this embodiment, including:

S101. Count all expressions of the event processing language in the current network security rule engine to obtain the statistical quantity of each expression, and determine the common expressions according to the statistical quantity of each expression.

Here, the statistical quantity is the number of times each expression appears in the event processing language.

A common expression is an expression that appears more than once in the event processing language.

Specifically, the event processing language in the current network security rule engine is composed of a number of expressions and is stored as a tree structure, in which each leaf node is an expression. When the event processing language is parsed, each expression node in the tree structure has to be parsed in turn. In practice, the tree structure contains multiple groups of identical expression nodes, that is, multiple groups of common expressions. Each group of common expressions consists of several identical expressions, that is, the statistical quantity of that expression is greater than 1.

S102. When parsing a target expression of the event processing language, if the target expression is determined to be a common expression, determine whether the target common expression corresponding to the target expression has been parsed.

Here, the target expression is an expression classified as a common expression.

The target common expression is the common expression corresponding to the target expression.

Specifically, after the expressions of the event processing language have been counted, each expression of the event processing language has to be parsed one by one. If the target expression currently being parsed is a common expression, the target expression may already have been parsed earlier.

S103. If the target common expression has been parsed, obtain the parsing result of the target expression according to the parsing result of the target common expression.

Specifically, because the target expression is a common expression, the target expression and another expression are the same target common expression, and that target common expression has been parsed before. Because the expressions are identical, their parsing results are identical too, so the parsing result of the target common expression can be used directly as the parsing result of the target expression. Reusing the parsing results of common expressions speeds up parsing of the event processing language and thereby improves the performance of the network security rule engine.

This embodiment can be applied in the field of network security technology. By determining the common expressions of the event processing language and, during expression parsing, directly reusing the parsing result of any common expression that has already been parsed, it greatly reduces parsing time and also reduces memory consumption.

Further, on the basis of the above method embodiment, S101 specifically includes:

counting all expressions of the event processing language recursively to obtain the statistical quantity of each expression, storing the expressions whose statistical quantity is greater than 1 in a common node set, and determining all expressions in the common node set to be common expressions.

Here, the common node set is the set that stores the common expressions.

Setting up the common node set makes it convenient to store common expressions while counting, and makes it possible later, during expression parsing, to determine quickly whether the expression currently being parsed is a common expression.

Further, on the basis of the above method embodiment, counting all expressions of the event processing language recursively in S101 to obtain the statistical quantity of each expression specifically includes:

S1011. When counting the current expression of the event processing language, determine whether the current expression exists in the node map of the general expression context.

S1012. If the current expression already exists in the node map, add 1 to the statistical quantity of the first target node existing in the node map.

S1013. If the current expression does not exist in the node map, add the second target node corresponding to the current expression to the node map, and set the statistical quantity of the second target node to 1.

S1014. Continue counting the child expressions of the current expression.

Here, the node map of the general expression context is used to store the parsing results of the expressions; the parsing result of a common expression is stored only once.

Specifically, the above embodiment may further include:

S104. If the target common expression has not been parsed, parse the target common expression and store the resulting parsing result in the general node code map.

The first target node is an expression that already exists in the node map.

The second target node is an expression that does not exist in the node map.

The general node code map is used to store the parsing results of the expressions.

In the actual counting process, as shown in FIG. 2, the EPL (event processing language) is first parsed into an abstract syntax tree. The general expression optimizer parses this abstract syntax tree recursively and counts the expression corresponding to each node of the tree. If the current expression node is not in the node map, it is added to the node map, its node count (statistical quantity) is set to 1, and the child nodes of the current expression node continue to be parsed recursively. If the current expression node is already in the node map, its node count (statistical quantity) is incremented and its child nodes are not parsed recursively. After the abstract syntax tree has been traversed, the node map is traversed and the expression nodes whose node count is greater than 1 are added to the common node set.

That is: for a first target node, whose expression already exists in the node map, the expression is a common expression and does not need to be added to the node map again; it is enough to add 1 to the statistical quantity of the corresponding expression in the node map. For a second target node, whose expression does not exist in the node map, the expression has not been counted yet, so it has to be added to the node map and its statistical quantity in the node map set to 1. Because the expressions of the event processing language are stored in a tree structure, counting has to be recursive and continues with the child expressions of the current expression. If the current expression has no child expressions, its sibling expressions are counted; if it has no sibling expressions, counting of the event processing language is complete. At that point the node map stores every distinct expression together with its statistical quantity, and an expression whose statistical quantity is greater than 1 is a common expression.

Storing each expression and its statistical quantity in the node map of the general expression context makes it quick and convenient to determine the common expressions.

Further, on the basis of the above method embodiment, S102 specifically includes:

S1021. When parsing a target expression of the event processing language, if the target expression is determined to be in the common node set, determine that the target expression is a common expression.

S1022. Determine whether the target common expression has been parsed according to whether the general node code map contains a parsing result for the target common expression corresponding to the target expression.

Specifically, because common expressions are stored in the common node set during counting, expression parsing can decide whether the current expression is a common expression simply by checking whether it is in the common node set, which is quick and convenient.

After the expression has been determined to be a common expression, if the corresponding target common expression has already been parsed, it does not need to be parsed a second time; its parsing result is taken directly from the general node code map, which greatly reduces parsing time.

Referring to FIG. 3, the expression generator processes the abstract syntax tree recursively. If the current expression node is in the common node set, it is determined whether the general node code map contains a parsing result for the current expression node. If it does, the parsing result stored in the common node code map is returned; if it does not, the current expression node is parsed and the parsing result is stored in the common node code map. Once the check against the general node code map is complete, the child nodes of the current expression node are not parsed recursively. If the current expression node is not in the common node set, the current expression node is parsed to obtain its parsing result, and the child nodes of the current expression node continue to be processed recursively, until the abstract syntax tree has been traversed completely.

The method for parsing and processing common expressions provided by this embodiment addresses the poor performance of parsing common expressions in the event processing language. By converting all expressions of the event processing language in advance and extracting their common parts, it reuses the parsing results of common expressions while still guaranteeing that the event processing language is parsed correctly. This speeds up parsing of the event processing language, improves the performance of the network security rule engine, and reduces time complexity. At the same time, the parsing result of a common expression is stored in memory only once, which reduces memory usage, space complexity, and cost.
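The two passes described above (the counting pass of FIG. 2 and the cached generation pass of FIG. 3), as an added Python example that is not code from the patent. The `Expr` node type, the `Generator` class, the three sample rules, and the choice to model a "parsing result" as a Python closure over an event dict are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Expr:
    """AST node (hypothetical type). Frozen, so equal subtrees hash and compare equal."""
    op: str                            # "field", "const", "eq", "gt", "and", "or"
    value: Any = None                  # field name or literal, for leaf nodes
    children: Tuple["Expr", ...] = ()


def count_expressions(node: Expr, node_map: Dict[Expr, int]) -> None:
    """FIG. 2: a node seen before only has its count bumped; children are not revisited."""
    if node in node_map:
        node_map[node] += 1
        return
    node_map[node] = 1
    for child in node.children:
        count_expressions(child, node_map)


def find_common(rules: List[Expr]) -> Set[Expr]:
    """Build the common node set: every expression whose count is greater than 1."""
    node_map: Dict[Expr, int] = {}
    for rule in rules:
        count_expressions(rule, node_map)
    return {node for node, count in node_map.items() if count > 1}


class Generator:
    """FIG. 3: turn AST nodes into callables, parsing each common expression once."""

    def __init__(self, common: Set[Expr]) -> None:
        self.common = common
        self.code_map: Dict[Expr, Callable[[dict], Any]] = {}   # node code map
        self.compiled = 0              # nodes actually parsed
        self.reused = 0                # parsing results served from code_map

    def generate(self, node: Expr) -> Callable[[dict], Any]:
        is_common = node in self.common
        if is_common and node in self.code_map:
            self.reused += 1           # already parsed: skip the whole subtree
            return self.code_map[node]
        fn = self._compile(node)
        if is_common:
            self.code_map[node] = fn   # stored once, shared by every rule
        return fn

    def _compile(self, node: Expr) -> Callable[[dict], Any]:
        self.compiled += 1
        kids = [self.generate(child) for child in node.children]
        if node.op == "field":
            return lambda ev: ev.get(node.value)
        if node.op == "const":
            return lambda ev: node.value
        if node.op == "eq":
            return lambda ev: kids[0](ev) == kids[1](ev)
        if node.op == "gt":
            def greater(ev: dict) -> bool:
                left = kids[0](ev)     # a missing field never matches
                return left is not None and left > kids[1](ev)
            return greater
        if node.op == "and":
            return lambda ev: all(k(ev) for k in kids)
        if node.op == "or":
            return lambda ev: any(k(ev) for k in kids)
        raise ValueError(f"unknown operator: {node.op}")


def sample_rules() -> List[Expr]:
    """Constructed sample rules; each subtree is a fresh object, equal only by structure."""
    def cmp(op: str, name: str, literal: Any) -> Expr:
        return Expr(op, None, (Expr("field", name), Expr("const", literal)))

    def failed() -> Expr:
        return cmp("eq", "type", "login_failed")

    def noisy() -> Expr:
        return cmp("gt", "count", 5)

    def external() -> Expr:
        return cmp("eq", "src_zone", "external")

    return [
        Expr("and", None, (failed(), noisy())),
        Expr("and", None, (failed(), external())),
        Expr("or", None, (noisy(), external())),
    ]


if __name__ == "__main__":
    rules = sample_rules()
    gen = Generator(find_common(rules))
    checks = [gen.generate(rule) for rule in rules]
    event = {"type": "login_failed", "count": 9, "src_zone": "internal"}  # constructed
    print([check(event) for check in checks], gen.compiled, gen.reused)
```

Because the counting pass stops at a repeated node, the leaves under a shared comparison (for example the `type` field reference) are counted once and stay out of the common node set; they are reused only as part of the cached parent.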

FIG. 4 shows a schematic structural diagram of a device for parsing and processing expressions provided by this embodiment. The device includes an expression statistics module 401, a parsing judgment module 402, and a result acquisition module 403, wherein:

the expression statistics module 401 is configured to count all expressions of the event processing language in the current network security rule engine to obtain the statistical quantity of each expression, and to determine the common expressions according to the statistical quantity of each expression;

the parsing judgment module 402 is configured to, when parsing a target expression of the event processing language, determine whether the target common expression corresponding to the target expression has been parsed if the target expression is determined to be a common expression;

the result acquisition module 403 is configured to obtain the parsing result of the target expression according to the parsing result of the target common expression if the target common expression has been parsed.

Specifically, the expression statistics module 401 counts all expressions of the event processing language in the current network security rule engine to obtain the statistical quantity of each expression, and determines the common expressions according to the statistical quantity of each expression; the parsing judgment module 402, when parsing a target expression of the event processing language, determines whether the target common expression corresponding to the target expression has been parsed if the target expression is determined to be a common expression; and the result acquisition module 403, if the target common expression has been parsed, obtains the parsing result of the target expression according to the parsing result of the target common expression.

By determining the common expressions of the event processing language and, during expression parsing, directly reusing the parsing result of any common expression that has already been parsed, this embodiment greatly reduces parsing time and also reduces memory consumption.

Further, on the basis of the above device embodiment, the expression statistics module 401 is specifically configured to count all expressions of the event processing language recursively to obtain the statistical quantity of each expression, store the expressions whose statistical quantity is greater than 1 in the common node set, and determine all expressions in the common node set to be common expressions.

Further, on the basis of the above device embodiment, the expression statistics module 401 is specifically configured to:

when counting the current expression of the event processing language, determine whether the current expression exists in the node map of the general expression context;

if the current expression already exists in the node map, add 1 to the statistical quantity of the first target node existing in the node map;

if the current expression does not exist in the node map, add the second target node corresponding to the current expression to the node map, and set the statistical quantity of the second target node to 1;

continue counting the child expressions of the current expression.

Further, on the basis of the above device embodiment, the parsing judgment module 402 is specifically configured to:

when parsing a target expression of the event processing language, if the target expression is determined to be in the common node set, determine that the target expression is a common expression;

determine whether the target common expression has been parsed according to whether the general node code map contains a parsing result for the target common expression corresponding to the target expression.

Further, on the basis of the above device embodiment, the device further includes:

an expression parsing module, configured to parse the target common expression if the target common expression has not been parsed, and to store the resulting parsing result in the general node code map.

The device for parsing and processing expressions described in this embodiment can be used to execute the above method embodiments. Its principles and technical effects are similar and are not repeated here.

参照图5,所述电子设备,包括:处理器(processor)501、存储器(memory)502和总线503;Referring to FIG. 5, the electronic device includes: a processor (processor) 501, a memory (memory) 502 and a bus 503;

其中,in,

所述处理器501和存储器502通过所述总线503完成相互间的通信;The processor 501 and the memory 502 complete mutual communication through the bus 503;

所述处理器501用于调用所述存储器502中的程序指令,以执行上述各方法实施例所提供的方法。The processor 501 is configured to invoke program instructions in the memory 502 to execute the methods provided in the above method embodiments.

本实施例公开一种计算机程序产品,所述计算机程序产品包括存储在非暂态计算机可读存储介质上的计算机程序,所述计算机程序包括程序指令,当所述程序指令被计算机执行时,计算机能够执行上述各方法实施例所提供的方法。This embodiment discloses a computer program product, the computer program product includes a computer program stored on a non-transitory computer-readable storage medium, the computer program includes program instructions, and when the program instructions are executed by the computer, the computer The methods provided by the foregoing method embodiments can be executed.

本实施例提供一种非暂态计算机可读存储介质,所述非暂态计算机可读存储介质存储计算机指令,所述计算机指令使所述计算机执行上述各方法实施例所提供的方法。This embodiment provides a non-transitory computer-readable storage medium, where the non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause the computer to execute the methods provided in the foregoing method embodiments.

以上所描述的装置实施例仅仅是示意性的,其中所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部模块来实现本实施例方案的目的。本领域普通技术人员在不付出创造性的劳动的情况下,即可以理解并实施。The device embodiments described above are only illustrative, and the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in One place, or it can be distributed to multiple network elements. Part or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment. It can be understood and implemented by those skilled in the art without any creative effort.

通过以上的实施方式的描述,本领域的技术人员可以清楚地了解到各实施方式可借助软件加必需的通用硬件平台的方式来实现,当然也可以通过硬件。基于这样的理解,上述技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品可以存储在计算机可读存储介质中,如ROM/RAM、磁碟、光盘等,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行各个实施例或者实施例的某些部分所述的方法。Through the above description of the implementations, those skilled in the art can clearly understand that each implementation can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware. Based on this understanding, the essence of the above technical solution or the part that contributes to the prior art can be embodied in the form of software products, and the computer software products can be stored in computer-readable storage media, such as ROM/RAM, magnetic discs, optical discs, etc., including several instructions to make a computer device (which may be a personal computer, server, or network device, etc.) execute the methods described in various embodiments or some parts of the embodiments.

It should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features can be replaced by equivalents, and that these modifications or replacements do not make the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. A method for parsing and processing an expression, applied to the technical field of network security, characterized by comprising:

counting all expressions of an event processing language in a recursive manner to obtain the statistical quantity of each expression, storing the expressions whose statistical quantity is greater than 1 in a public node set, and determining all expressions in the public node set to be public expressions;

when parsing a target expression of the event processing language, if it is determined that the target expression is a public expression, determining whether the target public expression corresponding to the target expression has been parsed;

if the target public expression has been parsed, obtaining the parsing result of the target expression according to the parsing result of the target public expression;

wherein counting all expressions of the event processing language in a recursive manner to obtain the statistical quantity of each expression specifically comprises:

when counting a current expression of the event processing language, determining whether the current expression exists in the node mapping of the general expression context;

if the current expression already exists in the node mapping, adding 1 to the statistical quantity of the first target node existing in the node mapping;

if the current expression does not exist in the node mapping, adding a second target node corresponding to the current expression to the node mapping, and setting the statistical quantity of the second target node to 1;

continuing to count the child expressions of the current expression.

2. The method according to claim 1, characterized in that, when parsing the target expression of the event processing language, if it is determined that the target expression is a public expression, determining whether the target public expression corresponding to the target expression has been parsed specifically comprises:

when parsing the target expression of the event processing language, if it is determined that the target expression is in the public node set, determining that the target expression is a public expression;

determining whether the target public expression has been parsed according to whether a parsing result of the target public expression corresponding to the target expression exists in the general node code mapping.

3. The method according to claim 2, characterized in that the method further comprises:

if the target public expression has not been parsed, parsing the target public expression, and storing the resulting parsing result in the general node code mapping.

4. A device for parsing and processing an expression, applied to the technical field of network security, characterized by comprising:

an expression statistics module, configured to count all expressions of an event processing language in a recursive manner to obtain the statistical quantity of each expression, store the expressions whose statistical quantity is greater than 1 in a public node set, and determine all expressions in the public node set to be public expressions;

a parsing and judging module, configured to, when parsing a target expression of the event processing language, if it is determined that the target expression is a public expression, determine whether the target public expression corresponding to the target expression has been parsed;

a result acquisition module, configured to, if the target public expression has been parsed, obtain the parsing result of the target expression according to the parsing result of the target public expression;

wherein the expression statistics module is specifically configured to:

when counting a current expression of the event processing language, determine whether the current expression exists in the node mapping of the general expression context;

if the current expression already exists in the node mapping, add 1 to the statistical quantity of the first target node existing in the node mapping;

if the current expression does not exist in the node mapping, add a second target node corresponding to the current expression to the node mapping, and set the statistical quantity of the second target node to 1;

continue to count the child expressions of the current expression.

5. The device according to claim 4, characterized in that the parsing and judging module is specifically configured to:

when parsing the target expression of the event processing language, if it is determined that the target expression is in the public node set, determine that the target expression is a public expression;

determine whether the target public expression has been parsed according to whether a parsing result of the target public expression corresponding to the target expression exists in the general node code mapping.

6. The device according to claim 5, characterized in that the device further comprises:

an expression parsing module, configured to, if the target public expression has not been parsed, parse the target public expression and store the resulting parsing result in the general node code mapping.

7. An electronic device, characterized by comprising:

at least one processor; and

at least one memory communicatively connected to the processor, wherein:

the memory stores program instructions executable by the processor, and the processor calls the program instructions to execute the method according to any one of claims 1 to 3.

8. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores a computer program, and the computer program causes the computer to execute the method according to any one of claims 1 to 3.
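The counting and reuse steps of claims 1 to 3, as an added Python example that is not part of the patent text. The `Expr` and `ExprContext` classes, the string form of a "parsing result", and the two sample rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Expr:
    """Immutable node; structural equality gives identical sub-expressions one key."""
    op: str
    children: Tuple["Expr", ...] = ()


class ExprContext:
    """Hypothetical stand-in for the 'general expression context' of claim 1."""

    def __init__(self) -> None:
        self.node_map: Dict[Expr, int] = {}   # node mapping: expression -> count
        self.public_nodes: Set[Expr] = set()  # public node set: count > 1
        self.code_map: Dict[Expr, str] = {}   # general node code mapping
        self.parse_calls = 0                  # real (uncached) parses performed

    def count(self, expr: Expr) -> None:
        # Existing node: add 1. New node: insert with count 1. Then recurse.
        self.node_map[expr] = self.node_map.get(expr, 0) + 1
        for child in expr.children:
            self.count(child)

    def collect_public(self) -> None:
        self.public_nodes = {e for e, n in self.node_map.items() if n > 1}

    def parse(self, expr: Expr) -> str:
        is_public = expr in self.public_nodes
        if is_public and expr in self.code_map:
            return self.code_map[expr]        # reuse the earlier result (claim 1)
        self.parse_calls += 1
        args = [self.parse(c) for c in expr.children]
        code = f"{expr.op}({', '.join(args)})" if args else expr.op
        if is_public:
            self.code_map[expr] = code        # store for later reuse (claim 3)
        return code


def run_demo() -> Tuple[ExprContext, List[str]]:
    # Constructed sample: two detection rules sharing the src_ip comparison.
    shared = Expr("eq", (Expr("src_ip"), Expr("'10.0.0.1'")))
    rule1 = Expr("and", (shared, Expr("gt", (Expr("dst_port"), Expr("1024")))))
    rule2 = Expr("or", (shared, Expr("eq", (Expr("proto"), Expr("'tcp'")))))
    ctx = ExprContext()
    for rule in (rule1, rule2):
        ctx.count(rule)
    ctx.collect_public()
    return ctx, [ctx.parse(rule1), ctx.parse(rule2)]
```

In `run_demo` the two rules contain 14 nodes in total but cost 11 real parses, because the shared comparison and its two leaves are parsed once and then served from the code mapping.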

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910309202.7A CN110109672B (en) 2019-04-17 2019-04-17 Analysis processing method and device for expression

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910309202.7A CN110109672B (en) 2019-04-17 2019-04-17 Analysis processing method and device for expression

Publications (2)

Publication Number Publication Date
CN110109672A CN110109672A (en) 2019-08-09
CN110109672B true CN110109672B (en) 2023-01-10

Family

ID=67485683

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910309202.7A Active CN110109672B (en) 2019-04-17 2019-04-17 Analysis processing method and device for expression

Country Status (1)

Country Link
CN (1) CN110109672B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111597302B (en) * 2020-04-28 2022-02-15 北京中科智加科技有限公司 Text event acquisition method and device, electronic equipment and storage medium
CN111986033B (en) * 2020-07-31 2024-12-13 金证财富南京科技有限公司 Equivalent expression recognition method, recognition device and terminal device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103019728A (en) * 2012-12-20 2013-04-03 厦门亿力吉奥信息科技有限公司 Effective complex report parsing engine and parsing method thereof
CN104991963A (en) * 2015-07-23 2015-10-21 中国工商银行股份有限公司 File processing method and file processing apparatus
CN105512105A (en) * 2015-12-07 2016-04-20 百度在线网络技术(北京)有限公司 Semantic parsing method and device
CN105698865A (en) * 2016-03-15 2016-06-22 龙岩烟草工业有限责任公司 Method and system for acquiring cigarette production quality control data
CN108549535A (en) * 2018-03-16 2018-09-18 北京大学 A kind of efficient procedure parsing method and system based on file dependence
CN108959279A (en) * 2017-05-17 2018-12-07 北京京东尚科信息技术有限公司 Data processing method, data processing equipment, readable medium and electronic equipment

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050060307A1 (en) * 2003-09-12 2005-03-17 International Business Machines Corporation System, method, and service for datatype caching, resolving, and escalating an SQL template with references
US8050907B2 (en) * 2004-07-30 2011-11-01 Microsoft Corporation Generating software components from business rules expressed in a natural language
US8676785B2 (en) * 2006-04-06 2014-03-18 Teradata Us, Inc. Translator of statistical language programs into SQL
US8024177B2 (en) * 2007-09-28 2011-09-20 Cycorp, Inc. Method of transforming natural language expression into formal language representation


Also Published As

Publication number Publication date
CN110109672A (en) 2019-08-09


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

GR01 Patent grant