CN110943873B - Message flow processing method and device and readable medium - Google Patents


Publication number
CN110943873B
Authority
CN
China
Prior art keywords
protocol
packet
message flow
dsm
determining
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811105422.XA
Other languages
Chinese (zh)
Other versions
CN110943873A (en)
Inventor
曾英佩
池伟
田永兴
王国栋
陈远发
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by China Mobile Communications Group Co Ltd and China Mobile Hangzhou Information Technology Co Ltd
Priority to CN201811105422.XA
Publication of CN110943873A
Application granted
Publication of CN110943873B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for processing a message stream and a readable medium, and relates to the technical field of message detection. In the method provided by the invention, a message flow to be detected is obtained; determining whether the message flow meets a preset Delay Signature Matching (DSM) rule or not according to attribute information of a data packet and statistical information of the data packet, which are obtained from the message flow; determining the protocol type of a DSM rule met by the message flow; and processing the message flow by using a protocol analyzer corresponding to the determined protocol type. By adopting the method, a large number of protocol analyzers are not called immediately to try to match the data packets in the message flow after the message flow is received, but whether the message flow meets the preset DSM rule or not is determined, and after the message flow meets the DSM rule, the protocol analyzers of the protocol types corresponding to the meeting DSM rule are used for processing the message flow, so that the matching try times are greatly reduced, and the matching efficiency of the message flow is improved.

Description

Message flow processing method and device and readable medium
Technical Field
The present invention relates to the field of packet detection technologies, and in particular, to a method and an apparatus for processing a packet stream, and a readable medium.
Background
Deep Packet Inspection (DPI) is integrated into a wide variety of network systems. Firewalls, network security detectors and intrusion detection systems (IDS) use DPI to identify the protocol of a message and then detect possible threats at the application layer. Network security audit systems, deployed because laws and regulations require audit functions (for example, the public security department's Order No. 82 requiring auditing of public WiFi offerings) or because of corporate requirements such as monitoring employees' internet access, use DPI to identify which websites a user visits and which applications they use. The processing speed of DPI is critical because one DPI instance usually has to handle the traffic of many terminals, which is often large; processing speed is therefore an important consideration in DPI products.
The core work of DPI is to match a received message flow against known features or patterns, called feature matching or pattern matching for short. Much current research concentrates on new pattern-matching algorithms: Kumar et al. proposed the Delayed Input DFA (D2FA), which greatly reduces the storage space a DFA requires, and Dharmapurikar et al. proposed storing features in a Bloom filter to achieve fast matching in hardware. These approaches improve the algorithm itself. When a message flow is received, its processing still immediately calls protocol parsers of every type to try to match it, so the number of matching attempts grows and resources are wasted on irrelevant protocol parsers that also try to match the flow.
Therefore, how to quickly match an appropriate protocol parser for a packet flow is one of the primary considerations.
Disclosure of Invention
The embodiment of the invention provides a message flow processing method which is used for quickly matching a proper protocol analyzer for each message flow.
In a first aspect, an embodiment of the present invention provides a method for processing a packet flow, where the method includes:
acquiring a message flow to be detected;
determining whether the message flow meets a preset Delay Signature Matching (DSM) rule or not according to attribute information of a data packet and statistical information of the data packet, which are obtained from the message flow;
determining the protocol type of the DSM rule met by the message flow, wherein different protocol types correspond to different DSM rules;
and processing the message flow by using a protocol analyzer corresponding to the determined protocol type.
By setting DSM rules, the method determines the protocol parser corresponding to the DSM rule that the message flow conforms to, instead of, as in the prior art, having every protocol parser match the message flow directly in order to find the suitable one; only the protocol parser of the determined protocol type is then used to match the message flow. The number of matching attempts by protocol parsers is thus greatly reduced and the processing efficiency of the message flow is improved.
Preferably, the protocol type includes at least one of: the file transfer protocol (FTP), post office protocol version 3 (POP3), hypertext transfer protocol (HTTP) and hypertext transfer protocol over secure transport (HTTPS).
Preferably, the attribute information of the data packet includes a transport layer protocol of the data packet, a server port number and a byte at a preset index of the data packet carrying a load, and the statistical information of the data packet includes the number of the data packets carrying the load; and
determining whether the packet flow meets a preset Delay Signature Matching (DSM) rule or not according to attribute information of the data packet and statistical information of the data packet obtained from the packet flow, specifically comprising:
after determining that the transmission layer protocol of the obtained data packet is a Transmission Control Protocol (TCP), judging whether the server port number of the data packet is a first set port number or not;
if so, determining the number of data packets carrying loads obtained from the message flow;
when the number is determined to be not less than a first number threshold, judging whether bytes at a preset index of a data packet with a load are first set characters;
and if so, determining that the message flow meets a delay signature matching DSM rule corresponding to a first protocol, wherein the first protocol is one of the FTP protocol, the POP3 protocol, the HTTP protocol and the HTTPS protocol.
Optionally, the statistical information of the data packets further includes a total number of data packets that have been obtained from the packet flow; and
when the number is smaller than the first number threshold value, or when the byte at the preset index of the data packet with the load is judged not to be the first set character, judging whether the total number of the data packets obtained from the message flow is not larger than the first set total number threshold value or not;
and when the judgment result is yes, continuously acquiring a data packet from the message flow, and continuously determining whether the message flow meets a preset DSM rule.
Preferably, the method further comprises:
when the server port number of the data packet is judged not to be the first set port number, judging whether the server port number of the data packet is the second set port number or not;
if so, determining the number of data packets carrying loads obtained from the message flow;
when the number is determined to be not less than a second number threshold, judging whether bytes at preset indexes of the data packets with the loads are second set characters or not;
and when the judgment result is yes, determining that the message flow meets a delay signature matching DSM rule corresponding to a second protocol, wherein the second protocol is one of the FTP protocol, the POP3 protocol, the HTTP protocol and the HTTPS protocol, and the second protocol is different from the first protocol.
Optionally, when it is determined that the number is smaller than the second number threshold, or when it is determined that bytes at a preset index of a data packet with a load are not a second set character, it is determined whether the total number of data packets obtained from the packet stream is not greater than a second set total number threshold;
and when the judgment result is yes, continuously acquiring a data packet from the message flow, and continuously determining whether the message flow meets a preset DSM rule.
Preferably, the statistical information of the data packets further includes the number of data packets having a secure transport layer protocol; and the method, further comprising:
when the server port number of the data packet is judged not to be a first set port number, or when the server port number of the data packet is judged not to be a second set port number, judging whether the server port number of the data packet is a third set port number;
if so, determining the number of data packets with a secure transport layer protocol obtained from the message flow;
when the number is determined to be not smaller than a third number threshold, judging whether the number of data packets carrying loads obtained from the message flow is not smaller than a fourth number threshold;
and when the judgment result is yes, determining that the message flow meets a delay signature matching DSM rule corresponding to a third protocol, wherein the third protocol is one of the FTP protocol, the POP3 protocol, the HTTP protocol and the HTTPS protocol, and the third protocol is different from the first protocol and the second protocol.
Optionally, when it is determined that the number is smaller than a third number threshold or it is determined that the number is smaller than a fourth number threshold, determining whether the total number of data packets obtained from the packet stream is not greater than a third set total number threshold;
and when the judgment result is yes, continuously acquiring a data packet from the message flow, and continuously determining whether the message flow meets a preset DSM rule.
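To make the DSM rule procedure above concrete, here is an added Python example; it is not the patent's code and not China Mobile's. It implements the rule kinds exactly as the steps describe them: a TCP check, a server-port check against the first, second and third set port numbers in order, a threshold on packets carrying a load, a byte at a preset index compared against set characters (FTP and POP3 rules), a threshold on packets with a secure transport layer (HTTPS rule), and a total-packet threshold that decides whether to keep acquiring packets. The port numbers 21, 110 and 443, every threshold, the byte index and the accepted characters are assumptions; the patent fixes none of them. It also assumes that the byte check is applied to the first load-carrying packet, and that a flow whose total-packet threshold is exceeded is handed back to the general parser set, both of which the text leaves unspecified. The sample flows are constructed, not captures.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence, Tuple

# Added example, not the patent's code. Port numbers, thresholds, byte index and
# accepted characters below are illustrative assumptions: the patent only speaks of
# "first/second/third set port number", "number threshold" and "set characters".

class Verdict(Enum):
    MATCH = "match"        # flow satisfies a DSM rule; the protocol type is known
    CONTINUE = "continue"  # acquire one more packet and evaluate the rules again
    GIVE_UP = "give_up"    # no DSM rule can apply, or the total-packet budget is spent

@dataclass(frozen=True)
class Packet:
    transport: str        # transport layer protocol of the packet, e.g. "TCP" or "UDP"
    server_port: int      # server port number of the flow
    payload: bytes = b""  # application-layer load (empty for handshake/ACK packets)
    tls: bool = False     # True if the packet carries a secure transport layer (TLS) record

@dataclass(frozen=True)
class DsmRule:
    """One DSM rule: server port plus thresholds on the flow's statistical information."""
    protocol: str
    server_port: int          # "first/second/third set port number"
    min_payload_packets: int  # threshold on packets carrying a load
    max_total_packets: int    # "set total number threshold": stop waiting beyond this
    min_tls_packets: int = 0  # threshold on packets with a secure transport layer (HTTPS rule)
    byte_index: Optional[int] = None  # "preset index" into the load, or None to skip the byte check
    accepted: bytes = b""     # "set characters" allowed at byte_index

@dataclass
class FlowStats:
    """Statistical information accumulated for one flow as its packets are acquired."""
    total_packets: int = 0
    payload_packets: int = 0
    tls_packets: int = 0
    first_payload: Optional[bytes] = None  # load of the first load-carrying packet (assumed target of the byte check)

def update_stats(stats: FlowStats, pkt: Packet) -> None:
    stats.total_packets += 1
    if pkt.payload:
        stats.payload_packets += 1
        if stats.first_payload is None:
            stats.first_payload = pkt.payload
    if pkt.tls:
        stats.tls_packets += 1

def rule_satisfied(rule: DsmRule, stats: FlowStats) -> bool:
    if stats.payload_packets < rule.min_payload_packets or stats.tls_packets < rule.min_tls_packets:
        return False
    if rule.byte_index is None:
        return True
    load = stats.first_payload
    return load is not None and len(load) > rule.byte_index and load[rule.byte_index] in rule.accepted

def evaluate(stats: FlowStats, pkt: Packet, rules: Sequence[DsmRule]) -> Tuple[Verdict, Optional[str]]:
    """One DSM decision after the packet just acquired: match, keep waiting, or give up."""
    if pkt.transport != "TCP":  # every DSM rule here applies to TCP flows only
        return Verdict.GIVE_UP, None
    for rule in rules:  # first, second, third set port number, checked in that order
        if pkt.server_port != rule.server_port:
            continue
        if rule_satisfied(rule, stats):
            return Verdict.MATCH, rule.protocol
        if stats.total_packets <= rule.max_total_packets:
            return Verdict.CONTINUE, None  # not enough evidence yet; acquire another packet
        return Verdict.GIVE_UP, None  # budget spent; fall back to the general parser set (assumed)
    return Verdict.GIVE_UP, None  # server port matches no DSM rule

# Illustrative rule table (assumed values): FTP banners start with "220", POP3 greetings
# with "+OK", and an HTTPS flow shows TLS records on port 443.
DSM_RULES = [
    DsmRule("FTP", 21, min_payload_packets=1, max_total_packets=8, byte_index=0, accepted=b"2"),
    DsmRule("POP3", 110, min_payload_packets=1, max_total_packets=8, byte_index=0, accepted=b"+"),
    DsmRule("HTTPS", 443, min_payload_packets=2, max_total_packets=10, min_tls_packets=2),
]

def classify_flow(packets: Sequence[Packet], rules: Sequence[DsmRule] = DSM_RULES) -> Tuple[Optional[str], int]:
    """Feed packets one at a time; return (protocol type or None, packets consumed)."""
    stats = FlowStats()
    for n, pkt in enumerate(packets, start=1):
        update_stats(stats, pkt)
        verdict, proto = evaluate(stats, pkt, rules)
        if verdict is Verdict.MATCH:
            return proto, n
        if verdict is Verdict.GIVE_UP:
            return None, n
    return None, len(packets)

# Constructed sample flows (not captures). FTP_FLOW mirrors the layout of fig. 1:
# three handshake packets without load, then the banner and the USER/PASS exchange.
SYN = Packet("TCP", 21)
FTP_FLOW = [SYN, SYN, SYN, Packet("TCP", 21, b"220 ftp server ready\r\n"),
            Packet("TCP", 21, b"USER demo\r\n"), Packet("TCP", 21, b"331 Password required for demo\r\n")]
HTTPS_FLOW = [Packet("TCP", 443)] * 3 + [Packet("TCP", 443, b"\x16\x03\x01\x00\x2a", tls=True),
                                        Packet("TCP", 443, b"\x16\x03\x03\x00\x31", tls=True)]
MISPORT_FLOW = [SYN] * 3 + [Packet("TCP", 21, b"HTTP/1.1 200 OK\r\n")] + [SYN] * 5  # HTTP answered on port 21
DNS_FLOW = [Packet("UDP", 53, b"\x12\x34\x01\x00")]

if __name__ == "__main__":
    for name, flow in (("ftp", FTP_FLOW), ("https", HTTPS_FLOW), ("misport", MISPORT_FLOW), ("dns", DNS_FLOW)):
        print(name, classify_flow(flow))  # ('FTP', 4) ('HTTPS', 5) (None, 9) (None, 1)
```

The total-packet threshold is what makes the matching "delayed" rather than port-only: a flow on port 21 that never shows an FTP banner (MISPORT_FLOW) is watched for eight packets and then handed off instead of being labelled FTP by its port, while the byte check at the preset index is the cheap signature that stands in for a full parser run until the rule is satisfied. In the FTP flow the rule fires on packet 4, the first load-carrying packet, which is earlier than the reply code 331 in packet #7 that the prior-art parser in fig. 2 waits for.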
Preferably, processing the message stream by using the protocol parser corresponding to the determined protocol type specifically includes:
matching the message stream by using a protocol analyzer corresponding to the determined protocol type;
and marking the message flow as detection completion after the matching is successful.
Preferably, if the protocol type is the HTTPS protocol and the matching is unsuccessful, determining whether a server identifier has been acquired, or whether ssl_stage is greater than a set value;
and when any judgment result is yes, marking the message flow so as to process the message flow by using a protocol analyzer corresponding to the HTTPS protocol at the next moment.
Preferably, before determining, according to the attribute information of the packet and the statistical information of the packet obtained from the packet flow, whether the packet flow satisfies a delay signature matching DSM rule and the protocol type to which that rule belongs, the method further includes:
determining that the packet flow is not marked.
In a second aspect, an embodiment of the present invention provides a device for processing a packet flow, including:
an acquisition unit, configured to acquire a message flow to be detected;
a first determining unit, configured to determine whether the packet flow satisfies a preset delay signature matching DSM rule according to attribute information of a packet and statistical information of the packet, which are obtained from the packet flow;
a second determining unit, configured to determine a protocol type to which a DSM rule that is satisfied by the packet flow belongs, where different protocol types correspond to different DSM rules;
and the processing unit is used for processing the message stream by using the protocol analyzer corresponding to the determined protocol type.
Preferably, the protocol type includes at least one of: the file transfer protocol (FTP), post office protocol version 3 (POP3), hypertext transfer protocol (HTTP) and hypertext transfer protocol over secure transport (HTTPS).
Preferably, the attribute information of the data packet includes a transport layer protocol of the data packet, a server port number and a byte at a preset index of the data packet carrying a load, and the statistical information of the data packet includes the number of the data packets carrying the load; and
the first determining unit is specifically configured to, after determining that a transport layer protocol of the obtained data packet is a transmission control protocol TCP, determine whether a server port number of the data packet is a first set port number; if so, determining the number of data packets carrying loads obtained from the message flow; when the number is determined to be not less than a first number threshold, judging whether bytes at a preset index of a data packet with a load are first set characters; and if so, determining that the message flow meets a delay signature matching DSM rule corresponding to a first protocol, wherein the first protocol is one of the FTP protocol, the POP3 protocol, the HTTP protocol and the HTTPS protocol.
Optionally, the statistical information of the data packets further includes a total number of data packets that have been obtained from the packet flow; and
the first determining unit is further configured to, when it is determined that the number is smaller than the first number threshold, or when it is determined that a byte at a preset index of a data packet with a load is not a first set character, determine whether a total number of data packets obtained from the packet stream is not greater than a first set total number threshold; and when the judgment result is yes, continuously acquiring a data packet from the message flow, and continuously determining whether the message flow meets a preset DSM rule.
Preferably, the first determining unit is further configured to determine whether the server port number of the data packet is a second set port number when it is determined that the server port number of the data packet is not the first set port number; if so, determining the number of data packets carrying loads obtained from the message flow; when the number is determined to be not less than a second number threshold, judging whether bytes at preset indexes of the data packets with the loads are second set characters or not; and when the judgment result is yes, determining that the message flow meets a delay signature matching DSM rule corresponding to a second protocol, wherein the second protocol is one of the FTP protocol, the POP3 protocol, the HTTP protocol and the HTTPS protocol, and the second protocol is different from the first protocol.
Optionally, the first determining unit is further configured to, when it is determined that the number is smaller than the second number threshold, or when it is determined that a byte at a preset index of a data packet with a load is not a second set character, determine whether a total number of data packets obtained from the packet stream is not greater than a second set total number threshold; and when the judgment result is yes, continuously acquiring a data packet from the message flow, and continuously determining whether the message flow meets a preset DSM rule.
Preferably, the statistical information of the data packets further includes the number of data packets having a secure transport layer protocol; and
the first determining unit is further configured to determine whether the server port number of the packet is a third set port number when determining that the server port number of the packet is not the first set port number or when determining that the server port number of the packet is not the second set port number; if so, determining the number of data packets with a secure transport layer protocol obtained from the message flow; when the number is determined to be not smaller than a third number threshold, judging whether the number of data packets carrying loads obtained from the message flow is not smaller than a fourth number threshold; and when the judgment result is yes, determining that the message flow meets a delay signature matching DSM rule corresponding to a third protocol, wherein the third protocol is one of the FTP protocol, the POP3 protocol, the HTTP protocol and the HTTPS protocol, and the third protocol is different from the first protocol and the second protocol.
Optionally, the first determining unit is further configured to determine, when it is determined that the number is smaller than a third number threshold or it is determined that the number is smaller than a fourth number threshold, whether a total number of data packets obtained from the packet stream is not greater than a third set total number threshold; and when the judgment result is yes, continuously acquiring a data packet from the message flow, and continuously determining whether the message flow meets a preset DSM rule.
Preferably, the processing unit is specifically configured to match the message stream with a protocol parser corresponding to the determined protocol type; and marking the message flow as detection completion after the matching is successful.
Preferably, the processing unit is specifically configured to, if the protocol type is the HTTPS protocol and the matching is unsuccessful, determine whether a server identifier has been acquired or whether ssl_stage is greater than a set value; and when either judgment result is yes, mark the message flow so that it is processed by the protocol analyzer corresponding to the HTTPS protocol at the next moment.
Preferably, the apparatus further comprises:
a third determining unit, configured to determine that the packet flow is not marked before the first determining unit determines, according to the attribute information of the packet and the statistical information of the packet, whether the packet flow satisfies a delay signature matching DSM rule and the protocol type to which that rule belongs.
In a third aspect, an embodiment of the present invention provides a communication device, including a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, the method for processing the message stream according to any one of the embodiments provided in the present application is implemented.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the message stream processing method according to any one of the methods provided in this application.
The invention has the beneficial effects that:
the message flow processing method, the message flow processing device and the readable medium provided by the embodiment of the invention are used for acquiring a message flow to be detected; determining whether the message flow meets a preset Delay Signature Matching (DSM) rule or not according to attribute information of a data packet and statistical information of the data packet, which are obtained from the message flow; determining the protocol type of the DSM rule met by the message flow, wherein different protocol types correspond to different DSM rules; and processing the message flow by using a protocol analyzer corresponding to the determined protocol type. By adopting the method, a large number of protocol analyzers are not called immediately to try to match the data packets in the message flow after the message flow is received, but whether the message flow meets the preset DSM rule or not is determined, and after the message flow meets the DSM rule, the protocol analyzers of the protocol types corresponding to the meeting DSM rule are used for processing the message flow, so that the matching try times are greatly reduced, and the matching efficiency of the message flow is improved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and not to limit the invention. In the drawings:
FIG. 1 is a diagram of the first 9 packets of a typical FTP connection in the prior art;
fig. 2 is a schematic flow chart of a prior art nDPI engine processing the data packets of the FTP connection in fig. 1;
fig. 3 is a schematic structural diagram of a computing device 10 for implementing a message flow processing method according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of a method for processing a message flow according to an embodiment of the present invention;
fig. 5 is a schematic flowchart of determining whether a packet flow meets a preset delay signature matching DSM rule according to an embodiment of the present invention;
fig. 6 is a second schematic flowchart of the process of determining whether a packet flow satisfies the preset delay signature matching DSM rule according to the embodiment of the present invention;
fig. 7 is a third schematic flowchart of the process of determining whether a packet flow meets a preset delay signature matching DSM rule according to the embodiment of the present invention;
fig. 8 is a schematic flowchart of a protocol parser processing a message flow according to an embodiment of the present invention;
fig. 9 is a schematic flowchart of a protocol parser corresponding to an HTTPS protocol according to an embodiment of the present invention, which is executed after matching is unsuccessful;
fig. 10 is a schematic structural diagram of a message flow processing apparatus according to an embodiment of the present invention.
Detailed Description
The method for processing the message flow provided by the embodiment of the invention is used for quickly matching each message flow to a proper protocol analyzer, reducing the matching attempt times, improving the processing efficiency of the message flow and saving the processing resources.
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings of the specification, it being understood that the preferred embodiments described herein are merely for illustrating and explaining the present invention, and are not intended to limit the present invention, and that the embodiments and features of the embodiments in the present invention may be combined with each other without conflict.
To facilitate understanding of the invention, the technical terms involved in the invention are as follows:
1. The File Transfer Protocol (FTP) is one of the protocols in the TCP/IP suite. FTP involves two components, an FTP server and an FTP client: the FTP server stores files, and a user can use the FTP client to access resources on the FTP server through the FTP protocol. When a Web site is developed, Web pages or programs are typically transferred to the Web server using FTP. Because FTP transfers efficiently, the protocol is also commonly used when large files are transmitted over a network. By default FTP uses two TCP ports, 20 and 21, where 20 is used to transfer data and 21 to transfer control information.
2. Post Office Protocol Version 3 (POP3) is a client/server protocol for receiving e-mail. It is the first offline protocol standard for internet email: it lets users download mail from a server to a local host (their own computer) while deleting or keeping the mail on the mail server according to the client's operation.
3. The HyperText Transfer Protocol (HTTP) is the most widely used network Transfer Protocol on the internet, and all WWW files must comply with this standard.
4. Hypertext Transfer Protocol over secure transport (HTTPS) is an HTTP channel that targets security; put simply, it is a secure version of HTTP. An SSL layer is added beneath HTTP, so the security of HTTPS rests on SSL, which handles the encryption details. HTTPS is also a URI scheme (abstract identifier system), syntactically similar to the http: scheme, used for secure HTTP data transmission.
5. The protocol type is divided according to application layer protocols, which are generally POP3, POP3S, FTP, HTTP, HTTPS, TELNET, SMTP and DNS protocols. Correspondingly, the protocol resolver corresponding to the protocol type in the invention is also the protocol resolver corresponding to the application layer protocol.
Many DPI systems are available today, and performance comparisons of them exist. DPI systems can be broadly divided into two categories: regular-expression based, and hybrid (combining regular expressions and code). L7filter is a typical regular-expression-based DPI system: a different regular expression is defined for each protocol, and detection of a protocol depends mainly on its corresponding regular expression (but its regular expressions have not been updated since 2009). nDPI is a hybrid DPI system derived from OpenDPI (no longer maintained), which in turn derived from an early version of the commercial product PACE. nDPI mainly uses code to match different protocols, but it also supports automata and Hyperscan in some steps, such as host name matching. nDPI is open source on GitHub and actively developed by ntop; it can detect 240+ application protocols and is also used in another ntop product, nProbe. One technique in nDPI, guess-protocol-id, first guesses the corresponding protocol parser from information such as the packet's ports and tries that parser first, but because the guess is based only on the port values and the protocol field in the IP header, it cannot completely eliminate useless matching attempts.
The explanation takes determining whether a packet flow is an FTP flow as an example, shown in fig. 1. Fig. 1 is a schematic diagram of the first 9 packets of a typical FTP connection: the 3 packets of the TCP handshake, followed by the USER and PASS commands that authenticate the client "demo". Fig. 2 then shows how the nDPI engine handles the packets of the FTP connection in fig. 1. The first 3 packets are processed by 10 to 12 protocol parsers for feature matching, since only a few parsers are interested in TCP packets without load. Some parsers find that the flow cannot match them, so they exclude themselves from the flow early in order not to inspect its future packets. For packet #4 (packet 4 in fig. 1), the engine first tries the FTP protocol parser guessed from port 21 (by the guess-protocol-id technique mentioned above), but the FTP parser cannot yet confirm that this is an FTP flow (it needs more packets). The following packets are still not identified by any parser, but more parsers exclude themselves from the flow (i.e., they inspect no further packets of it). Finally, the reply code 331 in packet #7 convinces the FTP protocol parser that this is an FTP flow, and protocol inspection completes. Counting the calls, the protocol parsers are invoked 175 times in total to identify this FTP connection, a large number of matching attempts.
In the above example some matching attempts are clearly wasteful: matching packet #4 against the 103 protocol parsers for protocols other than FTP is useless. nDPI uses code-based FTP matching; the situation is similar for regex-based DPI engines (e.g., L7filter and Hyperscan). In L7filter the engine keeps appending the content of each new packet to the flow's received-content buffer (up to 2048 bytes) and matches the buffer against the patterns of all protocols. L7filter may use the pattern "^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*PASS" for accurate FTP detection, and it clearly also has to pattern-match the buffer against the patterns of multiple protocols multiple times, until packet #7 containing the 331 response code is received, appended to the buffer, and matches the FTP pattern. A more efficient regex library needs only the newly received packet to be sent to the pattern library, but the entire signature database containing all protocols is still matched against that newly received packet every time.
Based on the above description, in the prior art, when a packet stream is processed, the matching algorithm is emphasized, and the scheduling of the matching algorithm is not concerned, so that after the packet stream is received, various pattern matching needs to be tried on the data packet in the packet stream, that is, a protocol parser in various patterns is used to determine whether the packet stream needs to be processed by itself, which may result in a large number of matching attempts and thus a low packet stream processing efficiency.
In order to solve the problem of a large number of matching attempts in the prior art, the present invention provides a solution, that is, a computing apparatus 10 is provided, where the computing apparatus 10 implements the processing method of a packet stream provided by the present invention, and the computing apparatus may be represented in the form of a general-purpose computing device, and the general-purpose computing device may be a communication device, such as a firewall, a network security detector, an intrusion detection system, and the like. The computing device 10 according to the invention is described below with reference to fig. 3. The computing device 10 shown in fig. 3 is only an example and should not impose any limitations on the functionality or scope of use of embodiments of the present invention.
As shown in fig. 3, computing device 10 is embodied in the form of a general purpose computing device. Components of computing device 10 may include, but are not limited to: the at least one processing unit 11, the at least one memory unit 12, and a bus 13 connecting the various system components (including the memory unit 12 and the processing unit 11).
Bus 13 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, or a local bus using any of a variety of bus architectures.
The storage unit 12 may include readable media in the form of volatile memory, such as Random Access Memory (RAM) 121 and/or cache memory 122, and may further include Read Only Memory (ROM) 123.
The storage unit 12 may also include a program/utility 125 having a set (at least one) of program modules 124, such program modules 124 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Computing device 10 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, etc.), with one or more devices that enable a user to interact with computing device 10, and/or with any devices (e.g., router, modem, etc.) that enable computing device 10 to communicate with one or more other computing devices. Such communication may be via an input/output (I/O) interface 15. Moreover, computing device 10 may also communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via network adapter 16. As shown, network adapter 16 communicates with other modules for computing device 10 over bus 13. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with computing device 10, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The application scenario of the message flow processing method provided in the embodiment of the present invention is as follows: when the computing device 10 acquires a message flow to be detected, it determines whether the message flow satisfies a preset delayed signature matching (DSM) rule according to the attribute information and the statistical information of the data packets acquired from the message flow; it determines the protocol type of the DSM rule satisfied by the message flow, where different protocol types correspond to different DSM rules; and it processes the message flow with the protocol parser corresponding to the determined protocol type. In this way the protocol type of a message flow can be determined quickly with the DSM rules, and the message flow is then matched only by the protocol parser corresponding to that protocol type rather than by all protocol parsers, so the number of matching attempts is effectively reduced and the processing of the message flow is accelerated.
Based on the above application scenarios, a method for processing a packet stream according to an exemplary embodiment of the present invention is described with reference to fig. 4 to 10. It should be noted that the above application scenarios are merely illustrated for the convenience of understanding the spirit and principles of the present invention, and the embodiments of the present invention are not limited in this respect. Rather, embodiments of the present invention may be applied to any scenario where applicable.
As shown in fig. 4, a schematic flow chart of a method for processing a message flow according to an embodiment of the present invention is illustrated by applying the method provided by the present invention to a computing device 10 as an example, and the method for processing a message flow according to the present invention may include the following steps:
S11, acquiring the message flow to be detected.
The message flow to be detected in this step may be a newly received message flow or a message flow in which protocol detection is not completed. The message flow with unfinished protocol detection means that an application layer protocol adopted by the message flow is not determined according to the DSM rule, that is, a protocol parser for processing the message flow is not determined, where the reason why the protocol adopted by the message flow is not determined according to the DSM rule may be that a data packet acquired from the message flow is insufficient.
Preferably, after acquiring the message flow, before executing step S12, the method may further include:
determining that the packet flow is not marked.
Specifically, if it is determined that the packet stream is marked, it indicates that other protocol parsers are successfully matched with the packet stream, and then the subsequent processing flow is not executed on the packet stream, so that the processing resources can be saved.
S12, determining whether the packet flow meets a preset delayed signature matching (DSM) rule according to the attribute information and the statistical information of the data packets obtained from the packet flow.
Specifically, in order to determine as early as possible which application layer protocol the message flow to be detected belongs to, the present invention decides whether the message flow conforms to a preset Delayed Signature Matching (DSM) rule based on the attribute information of the data packets acquired from the message flow, and the DSM rule fundamentally reduces the number of matching searches between the message flow and the protocols. To reduce the number of matching attempts, the invention counts the data packets and/or the data packets carrying a payload acquired from a message flow; these counts are the statistical information of the data packets. It also determines whether a data packet carries a payload and similar properties; these are the attribute information of the data packets. Based on the attribute information and the statistical information of the data packets, it then determines the DSM rule of which protocol type the message flow satisfies.
In the invention, corresponding DSM rules are configured for the current common application layer protocol. For example, DSM rules are configured for the FTP protocol, POP3 protocol, HTTP protocol, and HTTPs protocol, respectively. However, in specific implementations, these rules can be used in combination in order to reduce the computational complexity and speed up the processing.
Preferably, the protocol types in the present invention may include, but are not limited to, at least one of the following: the file transfer protocol FTP, the post office protocol POP3, the hypertext transfer protocol HTTP, and the hypertext transfer protocol over a secure transport HTTPS, among others.
The first protocol, the second protocol and the third protocol in the invention are one of FTP protocol, POP3 protocol, HTTP protocol and HTTPS protocol, and the first protocol, the second protocol and the third protocol are different from each other.
For better understanding of the present invention, the FTP protocol, POP3 protocol and HTTPS protocol are used as examples of the present invention, and are described in detail below:
Because FTP message flows are relatively numerous, in practical applications the present invention first determines whether a message flow conforms to the DSM rule corresponding to the FTP protocol; that is, the first protocol is taken to be the FTP protocol for the purpose of illustration, and those skilled in the art will understand that the first, second and third protocols may be protocols of other types than those in the embodiments. Fig. 5 is a schematic flow chart of determining whether a packet flow satisfies a preset delayed signature matching (DSM) rule according to an embodiment of the present invention. The attribute information of a packet in the present invention may include, but is not limited to, the transport layer protocol of the packet, the server port number, the bytes at a preset index of a packet carrying a payload, and the like; the statistical information of the packets may include, but is not limited to, the number of packets carrying a payload, and the like. The method shown in fig. 5 may comprise the following steps:
S21, acquiring a data packet from the message flow.
Specifically, a packet flow may contain a plurality of packets; for example, the FTP packet flow in fig. 1 has at least 9 packets, so step S12 has to be executed by obtaining the packets from the packet flow one at a time.
S22, judging whether the transport layer protocol of the obtained data packet is the Transmission Control Protocol (TCP); if so, executing step S23; otherwise, executing step S29.
Specifically, a data packet is built by layer-by-layer encapsulation. According to the Open Systems Interconnection (OSI) reference model used in communication systems, the OSI model has a 7-layer structure which, from top to bottom, consists of the application layer, presentation layer, session layer, transport layer, network layer, data link layer and physical layer, so a data packet is generally sent after being encapsulated according to the requirements of each layer. After a data packet is received, it can therefore be determined whether the transport layer protocol of the packet is the Transmission Control Protocol (TCP), expressed in code as the test "protocol == TCP?". If the transport layer protocol is determined to be TCP, the subsequent process is executed; otherwise, the message flow is processed according to the existing matching flow.
S23, judging whether the server port number of the data packet is a first set port number; if yes, executing step S24; otherwise, executing step S210, that is, determining whether the server port number of the packet is another port number.
Specifically, since the server ports commonly used by the FTP protocol are 20, 21 and the like, the first set port number may be set to 20, 21 and the like when the DSM rule corresponding to the FTP protocol is configured. In this step it may then be determined whether the server port number in the packet is 21, expressed in code as "server_port == 21?". If so, the message flow may match the FTP protocol, and the following steps are still required to determine whether it actually does. If not, the message flow is determined not to match FTP, and it can further be judged whether the server port number of the packets in the message flow is a port number commonly used by another protocol, as described in detail later.
S24, determining the number of data packets carrying a payload obtained from the message flow.
Specifically, in a general case, the DSM rule that the packet flow satisfies may be determined according to the number of data packets that are obtained from the packet flow and carry a load, so that for different protocol types, a number threshold may be configured in the DSM rule corresponding to the protocol type.
S25, judging whether this number is not less than a first number threshold; if yes, go to step S26; otherwise, go to step S28.
Specifically, payload_pkt_num denotes the determined number of packets carrying a payload, and it may be determined whether payload_pkt_num is not less than the first number threshold. In a specific implementation, the first number threshold in the DSM rule corresponding to the FTP protocol may be 4. If payload_pkt_num is determined to be greater than or equal to 4, this indicates that the 7th packet "331 Password required for demo" in fig. 1 has been received from the packet flow, which in turn indicates that the packet flow belongs to the FTP protocol.
S26, judging whether the byte at a preset index of the data packet carrying a payload is a first set character; if yes, go to step S27; otherwise, go to step S28.
In order to determine more accurately that the message flow is an FTP message flow, the present invention may further determine whether the byte at index i of the last obtained data packet carrying a payload is the first set character a, expressed as "payload[i] == a?". For example, with i = 0 and a = 'P', it is determined whether the expression "payload[0] == 'P'?" holds, that is, whether the first character of the PASS command is 'P'. If it holds, step S27 is executed, that is, the packet flow is determined to satisfy the DSM rule corresponding to the FTP protocol, and so the packet flow is determined to be an FTP packet flow.
S27, determining that the message flow meets the delayed signature matching (DSM) rule corresponding to the FTP protocol.
S28, judging whether the total number of data packets obtained from the message flow is not larger than a first set total number threshold; if yes, go to step S21; otherwise, go to step S29.
The statistical information of the data packets in the present invention also includes the total number of data packets that have been obtained from the packet stream.
Specifically, if the result of the determination in step S25 or step S26 is no, this indicates that the data packets currently acquired from the packet flow may simply be too few to prove that the packet flow is an FTP packet flow, so step S28 needs to be executed to determine whether enough data packets have been acquired from the packet flow. The first set total number threshold in the invention is configurable and can be determined according to actual conditions. In a specific implementation, pkt_num denotes the total number of data packets obtained from the packet flow, and taking the first set total number threshold as 10 for example, the expression "pkt_num > 10?" is evaluated. If it does not hold, the number of data packets acquired so far is not enough to decide whether the packet flow is an FTP packet flow, and step S21 is executed again to acquire the next data packet from the packet flow, after which the process of steps S22 to S29 is repeated. If the expression "pkt_num > 10?" holds, enough data packets have been received and the packet flow is determined not to be an FTP packet flow; FTP is then excluded from the list of possible protocols for the packet flow, and the packet flow is processed by the existing packet flow processing method, i.e., step S29 is executed.
S29, processing the message flow with the message flow processing method provided by the prior art.
By implementing the processes shown in steps S21 to S29, it can be determined whether the packet flow conforms to the DSM rule corresponding to the FTP protocol, that is, whether the packet flow is an FTP packet flow.
On this basis, when it is determined that the server port number of the obtained packet is not the first set port number (20 or 21), it is determined whether the port number corresponds to another protocol; here, taking the second protocol as the POP3 protocol, it is determined whether the port number is a port number commonly used by the POP3 protocol. Referring to fig. 6, another flow chart for determining whether a packet flow meets a preset delayed signature matching (DSM) rule provided in the embodiment of the present invention includes the following steps:
S31, judging whether the server port number of the data packet obtained from the message flow is a second set port number; if yes, go to step S32; otherwise, go to step S38, that is, determine whether the server port number of the packet is another port number.
Specifically, the DSM rules of the protocol types are evaluated together: for example, after determining that the server port number of the packet is not the first set port number, there is no need to run the flow that checks whether the packet flow conforms to the DSM rule of the FTP protocol, and it can instead be determined whether the server port number is the second set port number configured in the DSM rule corresponding to the POP3 protocol. Since the server port commonly used by POP3 packet flows is 110, the second set port number can be configured as 110 in the DSM rule corresponding to the POP3 protocol. When it is determined that the server port number of the packet is not 21, it is further determined whether the expression "server_port == 110?" holds. If so, the message flow may be a POP3 message flow, but further confirmation is required by executing the subsequent steps.
S32, determining the number of data packets carrying a payload obtained from the message flow.
Specifically, payload_pkt_num denotes the determined number of packets carrying a payload.
S33, judging whether this number is not less than a second number threshold; if yes, go to step S34; otherwise, go to step S36.
In the DSM rule corresponding to the POP3 protocol in the present invention, the second number threshold may be set to 2. If the expression "payload_pkt_num >= 2?" is determined to hold, the data packets that can show the message flow is a POP3 message flow have been received, which indicates that the message flow belongs to the POP3 protocol.
S34, judging whether the byte at a preset index of the data packet carrying a payload is a second set character; if yes, go to step S35; otherwise, go to step S36.
To further improve the accuracy of determining that the message flow belongs to the POP3 protocol, the present invention may further determine whether the byte at index j of the last obtained data packet carrying a payload is the second set character B, that is, whether the expression "payload[j] == B?" holds. In the present invention the preset index may be j = 0 and the second set character B may be 'U', so it is determined whether "payload[0] == 'U'?" holds; if it does, the message flow is determined to satisfy the DSM rule corresponding to the POP3 protocol, which further confirms that the message flow is a POP3 message flow.
S35, determining that the message flow meets the delayed signature matching (DSM) rule corresponding to the POP3 protocol.
S36, judging whether the total number of data packets obtained from the message flow is not larger than a second set total number threshold; if yes, continue with step S21, i.e. acquire the next data packet from the message flow; otherwise, go to step S37.
If the result of the determination in step S33 or S34 is no, this indicates that the data packets currently acquired from the packet flow may simply be too few to prove that the packet flow is a POP3 packet flow, so step S36 needs to be executed. The second set total number threshold in the invention is configurable and can be determined according to actual conditions. In a specific implementation, taking the second set total number threshold in the DSM rule corresponding to the POP3 protocol as 10 for example, and with pkt_num denoting the total number of data packets obtained from the packet flow, the expression "pkt_num > 10?" is evaluated. If it does not hold, the number of data packets acquired so far is not enough to decide whether the message flow is a POP3 message flow, and step S21 is executed again to acquire the next data packet from the message flow, after which the flow of steps S31 to S37 is repeated. If the expression "pkt_num > 10?" holds, a sufficient number of packets has been received and the packet flow is not a POP3 packet flow; POP3 is then excluded from the list of possible protocols for the packet flow, and the packet flow is processed by the existing packet flow processing method, i.e., step S37 is executed.
S37, processing the message flow with the message flow processing method provided by the prior art.
By implementing the processes shown in steps S31 to S37, it can be determined whether the packet stream conforms to the DSM rule corresponding to the POP3 protocol, that is, whether the packet stream is a POP3 packet stream.
On this basis, when it is determined that the server port number of the obtained packet is neither the first set port number nor the second set port number, it is determined whether the port number corresponds to another protocol; here, taking the third protocol as the HTTPS protocol, it is determined whether the port number is a port number commonly used by the HTTPS protocol. Referring to fig. 7, a schematic flowchart of another process for determining whether a packet flow meets a preset delayed signature matching (DSM) rule provided in an embodiment of the present invention includes the following steps:
S41, judging whether the server port number of the data packet obtained from the message flow is a third set port number; if yes, go to step S42; otherwise, go to step S48, that is, determine whether the server port number of the packet is another port number.
Specifically, the DSM rules of the protocol types are evaluated together: after determining that the server port number of the packet is not the first set port number, there is no need to run the procedure checking whether the packet flow conforms to the DSM rule corresponding to the FTP protocol, and after determining that it is not the second set port number, there is no need to run the procedure checking whether the packet flow conforms to the DSM rule corresponding to the POP3 protocol; instead it can be determined whether the server port number is the third set port number configured in the DSM rule corresponding to the HTTPS protocol. Since the server port commonly used by HTTPS packet flows is 443, the third set port number may be configured as 443 in the DSM rule corresponding to the HTTPS protocol. When it is determined that the server port number of the packet is neither 21 nor 110, it is further determined whether the expression "server_port == 443?" holds. If it does, the packet flow may be an HTTPS packet flow, but to improve the accuracy of the result a further determination is made by executing the subsequent steps.
S42, determining the number of data packets with the secure transport layer protocol obtained from the message flow.
The statistical information of the data packets in the present invention also includes the number of data packets carrying the secure transport layer protocol, and the like.
Specifically, tls_pkt_num denotes the determined number of packets carrying a Transport Layer Security (TLS) record. In a specific implementation, the number of packets obtained from the packet flow that carry a TLS record layer type may be determined as follows: for each data packet acquired from the message flow, determine whether the first byte of the data packet is one of the values 20, 21, 22 and 23; if so, the data packet is determined to be a data packet with the secure transport layer protocol, and the number tls_pkt_num of such data packets obtained from the message flow is updated accordingly. It should be noted that 20 identifies a change of cipher specification (change_cipher_spec), 21 identifies an alert (alert), 22 identifies a handshake (handshake) and 23 identifies application data (application_data).
S43, judging whether this number is not less than a third number threshold; if yes, go to step S44; otherwise, go to step S46.
In the DSM rule corresponding to the HTTPS protocol in the present invention, the third number threshold may be set to 1. If the expression "tls_pkt_num >= 1?" is determined to hold, at least one TLS packet has been received, for example a packet carrying a Client Hello message, which further indicates that the packet flow may be an HTTPS packet flow.
S44, judging whether the number of data packets carrying a payload obtained from the message flow is not less than a fourth number threshold; if yes, go to step S45; otherwise, go to step S46.
For an accurate determination, the number of packets carrying a payload that have been obtained from the packet flow is further checked; payload_pkt_num denotes this number. In the DSM rule corresponding to the HTTPS protocol in the present invention, the fourth number threshold may be set to 3. If the expression "payload_pkt_num >= 3?" is determined to hold, for example because the packets carrying the Client Hello, Server Hello and Certificate messages have been obtained, this indicates that an SSL/TLS connection has been set up, so the packets that can prove the flow is an HTTPS packet flow have been received; that is, the packet flow is determined to satisfy the delayed signature matching (DSM) rule corresponding to the HTTPS protocol, which further proves that the packet flow belongs to the HTTPS protocol.
S45, determining that the message flow meets the delayed signature matching (DSM) rule corresponding to the HTTPS protocol.
S46, judging whether the total number of data packets obtained from the message flow is not larger than a third set total number threshold; if yes, continue with step S21, that is, acquire the next data packet from the message flow; otherwise, go to step S47.
If the result of the determination in step S43 or S44 is no, this indicates that the data packets currently acquired from the packet flow may simply be too few to prove that the packet flow is an HTTPS packet flow, so step S46 needs to be executed. The third set total number threshold in the invention is configurable and can be determined according to actual conditions. In a specific implementation, taking the third set total number threshold in the DSM rule corresponding to the HTTPS protocol as 10 for example, and with pkt_num denoting the total number of packets obtained from the packet flow, the expression "pkt_num > 10?" is evaluated. If it does not hold, the number of packets acquired so far is not enough to decide whether the packet flow is an HTTPS packet flow, and step S21 is executed again to acquire the next packet from the packet flow, after which the flow of steps S41 to S47 is repeated. If the expression "pkt_num > 10?" holds, a sufficient number of packets has been received and the packet flow is not an HTTPS packet flow; HTTPS is then excluded from the list of possible protocols for the packet flow, and the packet flow is processed by the existing packet flow processing method, i.e., step S47 is executed.
S47, processing the message flow with the message flow processing method provided by the prior art.
By implementing the processes shown in steps S41 to S47, it can be accurately determined whether the packet flow conforms to the DSM rule corresponding to the HTTPS protocol, that is, whether the packet flow is an HTTPS packet flow.
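As an added example that is not part of the patent's own code, the following Python script implements the three DSM decision flows described above (fig. 5 for FTP, fig. 6 for POP3 and fig. 7 for HTTPS) as one rule table and feeds constructed sample flows through it packet by packet. The Packet and DsmRule types, the sample flow contents and the generalisation to a single table are assumptions of the example; the port numbers and thresholds are those given in the description.

```python
"""Delayed signature matching (DSM) pre-filter for FTP, POP3 and HTTPS flows.

Added example, not the patent's own code. It folds the three decision flows
of fig. 5 to 7 (server port, payload-packet count, first byte of the last
payload packet, TLS record-type count, total-packet cap) into one rule table
and feeds a flow packet by packet. Threshold values come from the description;
every packet below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

TCP = 6
# TLS record types: change_cipher_spec, alert, handshake, application_data
TLS_RECORD_TYPES = {20, 21, 22, 23}
NEED_MORE, FALLBACK = "need_more", "fallback"   # loop back to S21 / S29, S37, S47


@dataclass(frozen=True)
class Packet:
    proto: int                # transport-layer protocol number, 6 = TCP
    server_port: int          # server-side port of the flow this packet belongs to
    payload: bytes = b""      # empty for handshake packets and bare ACKs


@dataclass(frozen=True)
class DsmRule:
    name: str
    server_port: int              # set port number
    min_payload_pkts: int         # first / second / fourth number threshold
    first_byte: Optional[bytes]   # set character, checked on the last payload packet
    min_tls_pkts: int             # third number threshold (HTTPS only)
    max_total_pkts: int           # set total number threshold


RULES = (
    DsmRule("FTP", 21, 4, b"P", 0, 10),     # fourth payload packet should be "PASS ..."
    DsmRule("POP3", 110, 2, b"U", 0, 10),   # second payload packet should be "USER ..."
    DsmRule("HTTPS", 443, 3, None, 1, 10),  # Client Hello, Server Hello, Certificate
)


@dataclass
class FlowState:
    pkt_num: int = 0
    payload_pkt_num: int = 0
    tls_pkt_num: int = 0
    last_payload: bytes = b""
    excluded: set = field(default_factory=set)   # protocols ruled out (S29/S37/S47)
    marked: Optional[str] = None                 # set once a parser confirmed the flow (S52)


def dsm_step(state: FlowState, pkt: Packet) -> str:
    """Feed one packet (S21 to S28); return the rule name on a match, NEED_MORE or FALLBACK."""
    if state.marked:                      # S11: already detected, nothing to do
        return state.marked
    state.pkt_num += 1
    if pkt.payload:
        state.payload_pkt_num += 1
        state.last_payload = pkt.payload
        if pkt.payload[0] in TLS_RECORD_TYPES:   # S42: count TLS record-layer packets
            state.tls_pkt_num += 1
    if pkt.proto != TCP:                  # S22: DSM rules only cover TCP flows
        return FALLBACK
    rule = next((r for r in RULES         # S23 / S31 / S41: pick the rule by server port
                 if r.server_port == pkt.server_port and r.name not in state.excluded), None)
    if rule is None:
        return FALLBACK
    enough = (state.payload_pkt_num >= rule.min_payload_pkts
              and state.tls_pkt_num >= rule.min_tls_pkts)
    byte_ok = rule.first_byte is None or state.last_payload[:1] == rule.first_byte
    if enough and byte_ok:                # S27 / S35 / S45
        return rule.name
    if state.pkt_num > rule.max_total_pkts:      # S28 / S36 / S46: give up on this rule
        state.excluded.add(rule.name)
        return FALLBACK
    return NEED_MORE


def classify_flow(packets):
    """Run the DSM rules over a whole flow; return (verdict, 1-based index of the deciding packet)."""
    state = FlowState()
    verdict = NEED_MORE
    for i, pkt in enumerate(packets, 1):
        verdict = dsm_step(state, pkt)
        if verdict != NEED_MORE:
            return verdict, i
    return verdict, len(packets)


def tcp_flow(port, *payloads):
    """Constructed flow: three handshake packets without payload, then the given payloads."""
    return [Packet(TCP, port)] * 3 + [Packet(TCP, port, p) for p in payloads]


# Constructed sample flows (not the packets of fig. 1)
FTP_FLOW = tcp_flow(21, b"220 ftp server ready\r\n", b"USER demo\r\n", b"",
                    b"331 Password required for demo\r\n", b"PASS secret\r\n",
                    b"230 Login successful\r\n")
POP3_FLOW = tcp_flow(110, b"+OK POP3 server ready\r\n", b"USER demo\r\n")
HTTPS_FLOW = tcp_flow(443, b"\x16\x03\x01\x00\x05hello",   # Client Hello record (truncated)
                      b"\x16\x03\x03\x00\x05hello",          # Server Hello record
                      b"\x16\x03\x03\x00\x05cert.")          # Certificate record
UNKNOWN_FLOW = tcp_flow(21, *[b"GET / HTTP/1.1\r\n"] * 8)   # port 21 but never a PASS command

if __name__ == "__main__":
    for name, flow in [("ftp", FTP_FLOW), ("pop3", POP3_FLOW),
                       ("https", HTTPS_FLOW), ("unknown", UNKNOWN_FLOW)]:
        print(name, classify_flow(flow))
```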
S13, determining the protocol type of the DSM rule satisfied by the message flow.
Wherein different protocol types correspond to different DSM rules.
Specifically, if it is determined that the message flow satisfies the DSM rule shown in fig. 5, the protocol type to which the satisfied DSM rule belongs is determined to be the FTP protocol; if the message flow is determined to satisfy the DSM rule shown in fig. 6, the protocol type to which the satisfied DSM rule belongs is determined to be the POP3 protocol; if the message flow is determined to satisfy the DSM rule shown in fig. 7, the protocol type to which the satisfied DSM rule belongs is determined to be the HTTPS protocol.
S14, processing the message flow with the protocol parser corresponding to the determined protocol type.
After determining the protocol type to which the message stream to be detected belongs based on steps S12 and S13, the message stream can be processed according to the flow shown in fig. 8 by using the protocol parser corresponding to the determined protocol type, which includes the following steps:
S51, matching the message flow with the protocol parser corresponding to the determined protocol type.
S52, marking the message flow as detection-complete after the matching succeeds.
After the protocol to which the message flow belongs is determined, the protocol parser corresponding to that protocol is used to match the message flow; if the matching succeeds, the message flow really belongs to the protocol. To avoid wasting processing resources by running the message flow processing method of the invention again when this flow is later presented again as an undetected message flow, the invention marks the message flow whose matching succeeded. Therefore, after a message flow is acquired, it can first be determined whether the message flow is marked; if it is, the message flow is not processed again, which effectively saves processing resources.
By setting the DSM rule, instead of directly matching the message stream by using all protocol resolvers in the prior art to determine the protocol resolver suitable for the message stream, the protocol type of the DSM rule which the message stream conforms to is determined, and then the protocol resolver corresponding to the determined protocol type is used for matching the message stream, so that the matching attempt times of the protocol resolver are greatly reduced, and the processing efficiency of the message stream is improved.
Preferably, when the matching in step S51 fails after the packet flow has been determined to belong to the HTTPS protocol, HTTPS cannot simply be excluded from the list of possible protocols for the flow, because the flow may be a TLS packet flow whose application protocol requires more packets to test further. Specifically, the following steps can be carried out according to the flow shown in fig. 9:
S61, judging whether the server identification has been acquired; if yes, go to step S63; otherwise, go to step S64.
S62, judging whether ssl_stage is greater than a set value; if yes, go to step S63; otherwise, go to step S64.
S63, marking the message flow so that it is processed by the protocol parser corresponding to the HTTPS protocol at the next moment.
S64, excluding HTTPS from the list of possible protocols for the message flow.
S65, processing the message flow by using the message flow processing method provided by the prior art.
In steps S61 to S65, step S61 determines whether the server name has been acquired, specifically from the Server Name Indication (SNI) extension of TLS or from the server's certificate. Alternatively, step S62 determines, using ssl_stage, whether certain stages of the TLS interaction have already been passed; the rules for these checks are added to the DSM rules corresponding to the HTTPS protocol so as to determine whether the packet flow is a TLS flow within the HTTPS protocol. If the judgment result in either step S61 or step S62 is yes, the packet flow is determined to be a TLS flow and is marked so that it is processed by the TLS protocol parser of the HTTPS protocol from then on; otherwise, the packet flow does not belong to the HTTPS protocol, HTTPS is excluded from the list of possible (suspected) protocols for the flow, and the flow is processed by the packet flow processing method provided in the prior art.
It should be noted that steps S61 and S62 may be executed simultaneously, or step S61 may be executed first and then step S62; alternatively, step S62 is executed first and then step S61. The present invention does not limit the execution order of S61 and S62.
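The TLS fallback of steps S61 to S65, as an added Python example that is not part of the patent: the server identification is taken from the SNI extension of a TLS ClientHello, ssl_stage is modelled as the number of TLS handshake records seen so far (an assumption; the patent does not define the counter), the set value is assumed to be 2, and the TLS bytes are constructed inside the example.

```python
"""Added example (not the patent's own code): the HTTPS fallback of steps
S61-S65.  After the HTTPS parser fails to match, the flow keeps HTTPS if a
server name was obtained (here from the TLS SNI extension of a ClientHello)
or if ssl_stage exceeds a set value; otherwise HTTPS is excluded.
Assumptions: ssl_stage is modelled as the number of TLS handshake records
seen so far, the set value is 2, and all TLS bytes are constructed here."""
from typing import Iterator, List, Optional

TLS_HANDSHAKE = 0x16       # TLS record content type for handshake messages
SSL_STAGE_LIMIT = 2        # assumed "set value" for the ssl_stage test (S62)


def iter_records(payload: bytes) -> Iterator[bytes]:
    """Split one TCP payload into TLS records; several may share one segment."""
    pos = 0
    while pos + 5 <= len(payload):
        length = int.from_bytes(payload[pos + 3:pos + 5], "big")
        if pos + 5 + length > len(payload):
            break                        # truncated record: wait for more data
        yield payload[pos:pos + 5 + length]
        pos += 5 + length


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host name from a ClientHello's SNI extension, else None."""
    try:
        if record[0] != TLS_HANDSHAKE or record[5] != 0x01:   # not a ClientHello
            return None
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        pos = 2 + 32                                         # version + random
        pos += 1 + body[pos]                                 # session id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher suites
        pos += 1 + body[pos]                                 # compression methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and len(data) >= 5 and data[2] == 0:  # host_name entry
                nlen = int.from_bytes(data[3:5], "big")
                return data[5:5 + nlen].decode("ascii", "replace")
    except IndexError:
        pass                                                 # malformed hello
    return None


def ssl_stage(payloads: List[bytes]) -> int:
    """Assumed model of ssl_stage: count of TLS handshake records seen so far."""
    return sum(1 for p in payloads for r in iter_records(p) if r[0] == TLS_HANDSHAKE)


def server_name(payloads: List[bytes]) -> Optional[str]:
    """S61: the server identification, if any ClientHello carried an SNI."""
    for p in payloads:
        for r in iter_records(p):
            name = extract_sni(r)
            if name:
                return name
    return None


def https_fallback(payloads: List[bytes]) -> str:
    """Steps S61-S64 after an unsuccessful HTTPS parser match."""
    if server_name(payloads) is not None:        # S61: server identified
        return "mark_https"                       # S63: keep the HTTPS parser
    if ssl_stage(payloads) > SSL_STAGE_LIMIT:     # S62: deep enough into TLS
        return "mark_https"
    return "exclude_https"                        # S64, then S65 prior-art path


def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = host.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name      # name_type host_name
    sni = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni).to_bytes(2, "big") + sni      # extension type 0
    body = (b"\x03\x03" + bytes(32) + b"\x00"                  # version, random, sid
            + b"\x00\x02\x13\x01" + b"\x01\x00"                # one suite, null compr.
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def handshake_record(msg_type: int) -> bytes:
    """Constructed handshake record with an empty body (e.g. 2 = ServerHello)."""
    return b"\x16\x03\x03\x00\x04" + bytes([msg_type]) + b"\x00\x00\x00"


def app_data_record(n: int = 16) -> bytes:
    """Constructed application-data record (content type 0x17)."""
    return b"\x17\x03\x03" + n.to_bytes(2, "big") + bytes(n)
```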
It should be noted that, when DSM rules are configured for the various application layer protocols, the characteristics of each application layer protocol must be reflected in its DSM rule. For example, the commonly used server port numbers of the FTP, POP3 and HTTPS protocols differ, so the corresponding server port number is set in each protocol's DSM rule. Furthermore, when a DSM rule is configured for the HTTP protocol, it may check whether a preset number of bytes at a preset index i of a packet carrying a load equal preset bytes; for example, the DSM rule configured for the HTTP protocol may contain the equality check payload(i, len) == "ABC", which tests whether the len bytes starting at index i of a load-carrying packet obtained from the packet flow equal the string "ABC". In the present invention, i, len and "ABC" may be configured according to the actual situation, and their values are not limited here.
Alternatively, the present invention periodically finds message flows to which DSM has been applied (i.e., which have buffered packets) but which have been blocked ("stuck") for a period of time, and processes them with the existing processing method. This is because a packet flow may satisfy some but not all of a protocol's DSM rules (e.g., payload_pkt_num is not yet sufficient), while the flow itself does not carry enough packets ever to reach the threshold rule, i.e., pkt_num ≥ 10. If the original processing method were not applied to such a flow, it would never be processed by any parser, even though some parser could recognize it. Therefore, the invention sets a blocking time threshold, e.g. 2 seconds, which should be sufficient for existing protocols. Message flows are checked periodically for a blocking time greater than this threshold, and any such flow is processed with the existing processing method. This periodic check for "stuck" flows can be combined with the clearing of idle message flows, so that the traversal of the flow tree is shared for efficiency.
Two points should be noted about how the DSM rules are defined. First, the present invention waits for more than a sufficient number of packets before beginning feature matching (e.g., for FTP, payload_pkt_num ≥ 4 is required). More packets generally mean more evidence about the type of the packet flow, so the selected protocol parser is more likely to succeed. This may not be appropriate where the protocol of a message flow must be identified as early as possible, such as in firewalls or an intermediate IDS, but it suits network security auditing, which is more tolerant of latency. Second, some thresholds in the DSM rules set by the invention may be loose, for example TLS_pkt_num ≥ 1 for the TLS protocol, so as to adapt to different audit scenarios and packet transmission strategies; the aim is to make the DSM rules highly portable (written once, applicable everywhere). For example, in a network audit scenario mainly packets in one direction (upstream) are captured, and TLS has also been found to transmit multiple record layer packets in a single TCP packet. Because of these two factors, the DSM rules set by the present invention may require more packets than the corresponding parser actually needs.
The message flow processing method provided by the invention acquires a message flow to be detected; determines, according to attribute information and statistical information of data packets obtained from the message flow, whether the message flow satisfies a preset Delay Signature Matching (DSM) rule; determines the protocol type to which the satisfied DSM rule belongs, different protocol types corresponding to different DSM rules; and processes the message flow with the protocol parser corresponding to the determined protocol type. With this method, a large number of protocol parsers are not invoked immediately upon receipt of a message flow to try to match its packets; instead, it is first determined whether the flow satisfies a preset DSM rule, and only once it does is the flow processed by the protocol parser of the protocol type corresponding to that rule. The number of matching attempts is thus greatly reduced and the matching efficiency for the message flow is improved.
Based on the same inventive concept, the embodiment of the present invention further provides a device for processing a packet flow, and because the principle of the device for solving the problem is similar to the method for processing the packet flow, the implementation of the device may refer to the implementation of the method, and repeated details are not described again.
As shown in fig. 10, a schematic structural diagram of a device for processing a message flow according to an embodiment of the present invention includes:
an obtaining unit 71, configured to obtain a message stream to be detected;
a first determining unit 72, configured to determine whether the packet flow satisfies a preset delay signature matching DSM rule according to attribute information of a packet and statistical information of the packet, which are obtained from the packet flow;
a second determining unit 73, configured to determine a protocol type to which a DSM rule that is satisfied by the packet flow belongs, where different protocol types correspond to different DSM rules;
the processing unit 74, configured to process the packet stream by using the protocol parser corresponding to the determined protocol type.
Preferably, the protocol type includes at least one of: the file transfer protocol FTP, the post office protocol POP3, the hypertext transfer protocol HTTP and the hypertext transfer protocol for secure transfer HTTPS.
Preferably, the attribute information of the data packet includes a transport layer protocol of the data packet, a server port number and a byte at a preset index of the data packet carrying a load, and the statistical information of the data packet includes the number of the data packets carrying the load; and
the first determining unit 72 is specifically configured to, after determining that the transport layer protocol of the obtained data packet is a transmission control protocol TCP, determine whether a server port number of the data packet is a first set port number; if so, determining the number of data packets carrying loads obtained from the message flow; when the number is determined to be not less than a first number threshold, judging whether bytes at a preset index of a data packet with a load are first set characters; and if so, determining that the message flow meets a delay signature matching DSM rule corresponding to a first protocol, wherein the first protocol is one of the FTP protocol, the POP3 protocol, the HTTP protocol and the HTTPS protocol.
Optionally, the statistical information of the data packets further includes a total number of data packets that have been obtained from the packet flow; and
the first determining unit 72 is further configured to, when it is determined that the number is smaller than the first number threshold, or when it is determined that the byte at the preset index of the data packet with the load is not the first set character, determine whether the total number of the data packets obtained from the packet stream is not greater than a first set total number threshold; and when the judgment result is yes, continuously acquiring a data packet from the message flow, and continuously determining whether the message flow meets a preset DSM rule.
Preferably, the first determining unit 72 is further configured to determine whether the server port number of the data packet is a second set port number when it is determined that the server port number of the data packet is not the first set port number; if so, determining the number of data packets carrying loads obtained from the message flow; when the number is determined to be not less than a second number threshold, judging whether bytes at preset indexes of the data packets with the loads are second set characters or not; and when the judgment result is yes, determining that the message flow meets a delay signature matching DSM rule corresponding to a second protocol, wherein the second protocol is one of the FTP protocol, the POP3 protocol, the HTTP protocol and the HTTPS protocol, and the second protocol is different from the first protocol.
Optionally, the first determining unit 72 is further configured to, when it is determined that the number is smaller than the second number threshold, or when it is determined that a byte at a preset index of a data packet with a load is not a second set character, determine whether a total number of data packets obtained from the packet stream is not greater than a second set total number threshold; and when the judgment result is yes, continuously acquiring a data packet from the message flow, and continuously determining whether the message flow meets a preset DSM rule.
Preferably, the statistical information of the data packets further includes the number of data packets having a secure transport layer protocol; and
the first determining unit 72 is further configured to determine whether the server port number of the packet is a third set port number when determining that the server port number of the packet is not the first set port number or when determining that the server port number of the packet is not the second set port number; if so, determining the number of data packets with a secure transport layer protocol obtained from the message flow; when the number is determined to be not smaller than a third number threshold, judging whether the number of data packets carrying loads obtained from the message flow is not smaller than a fourth number threshold; and when the judgment result is yes, determining that the message flow meets a delay signature matching DSM rule corresponding to a third protocol, wherein the third protocol is one of the FTP protocol, the POP3 protocol, the HTTP protocol and the HTTPS protocol, and the third protocol is different from the first protocol and the second protocol.
Optionally, the first determining unit 72 is further configured to, when it is determined that the number is smaller than a third number threshold, or when it is determined that the number is smaller than a fourth number threshold, determine whether the total number of data packets obtained from the packet stream is not greater than a third set total number threshold; and when the judgment result is yes, continuously acquiring a data packet from the message flow, and continuously determining whether the message flow meets a preset DSM rule.
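The rule evaluation described for the first determining unit 72 (TCP check, first/second/third set port number, payload_pkt_num threshold, the payload(i, len) == "ABC" byte check, and the total-packet limit for continuing to acquire packets), together with the "stuck" flow sweep and the detection-completed mark, as an added Python example that is not the patent's own code: the port numbers, greeting bytes and the choice to run the byte check on the first payload-bearing packet are assumptions; the thresholds payload_pkt_num ≥ 4, TLS_pkt_num ≥ 1, pkt_num ≥ 10 and the 2-second limit are the values quoted in the description.

```python
"""Added example (not the patent's own code): a minimal Delay Signature
Matching (DSM) evaluator following the first determining unit's procedure.
Thresholds taken from the description: payload_pkt_num >= 4 for FTP,
TLS_pkt_num >= 1 for HTTPS, DSM gives up at pkt_num >= 10, 2 s stuck limit.
Port numbers and greeting bytes are assumed rule values, not the patent's."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PKT_NUM_LIMIT = 10   # total packets buffered before DSM gives up (pkt_num >= 10)
STUCK_SECONDS = 2.0  # blocking-time threshold for the periodic "stuck" sweep


@dataclass(frozen=True)
class DsmRule:
    protocol: str
    server_port: int        # assumed well-known port (first/second/third set port)
    min_payload_pkts: int   # payload_pkt_num threshold
    index: int              # i in the payload(i, len) == "ABC" check
    expected: bytes         # the len bytes expected at index i
    min_tls_pkts: int = 0   # TLS_pkt_num threshold (HTTPS rule only)


# Assumed rule table: FTP/POP3 server greetings, TLS handshake record type 0x16.
RULES = (
    DsmRule("FTP", 21, 4, 0, b"220"),
    DsmRule("POP3", 110, 1, 0, b"+OK"),
    DsmRule("HTTPS", 443, 1, 0, b"\x16", min_tls_pkts=1),
)


@dataclass(frozen=True)
class Packet:
    transport: str    # "TCP" or "UDP"
    server_port: int
    payload: bytes    # b"" for a packet without a load
    ts: float         # capture time in seconds


@dataclass
class Flow:
    packets: List[Packet] = field(default_factory=list)
    marked: bool = False              # "detection completed" mark (S52)
    first_ts: Optional[float] = None  # when DSM buffering began

    def add(self, pkt: Packet) -> None:
        if self.first_ts is None:
            self.first_ts = pkt.ts
        self.packets.append(pkt)


def evaluate(flow: Flow) -> Tuple[str, Optional[str]]:
    """Return ("match", protocol); ("continue", None) to keep buffering;
    ("fallback", None) to hand the flow to the prior-art method; or
    ("skip", None) for a flow already marked as detection completed."""
    if flow.marked:
        return "skip", None
    pkts = flow.packets
    if not pkts or pkts[0].transport != "TCP":
        return "fallback", None          # the DSM rules here are TCP-only
    payload_pkts = [p for p in pkts if p.payload]
    tls_pkts = [p for p in payload_pkts if p.payload[:1] == b"\x16"]
    for rule in RULES:                   # first, second, third set port in turn
        if pkts[0].server_port != rule.server_port:
            continue
        if (len(payload_pkts) >= rule.min_payload_pkts
                and len(tls_pkts) >= rule.min_tls_pkts):
            # Assumption: the byte check runs on the first payload-bearing packet.
            start = rule.index
            window = payload_pkts[0].payload[start:start + len(rule.expected)]
            if window == rule.expected:
                return "match", rule.protocol
        # Rule not satisfied (yet): keep acquiring while pkt_num is below the limit.
        if len(pkts) < PKT_NUM_LIMIT:
            return "continue", None
        return "fallback", None
    return "fallback", None              # no DSM rule configured for this port


def is_stuck(flow: Flow, now: float) -> bool:
    """Periodic sweep: DSM applied (packets buffered), not identified, and
    blocked longer than the threshold -> process with the existing method."""
    if not flow.packets or flow.marked:
        return False
    return now - flow.first_ts > STUCK_SECONDS


def process(flow: Flow, parsers: Dict[str, Callable[[Flow], bool]]) -> str:
    """S14: match with the parser of the identified protocol; mark on success."""
    status, proto = evaluate(flow)
    if status != "match":
        return status
    if parsers[proto](flow):
        flow.marked = True               # S52: DSM is never re-run on this flow
        return "completed"
    return "parser_mismatch"             # the HTTPS/TLS case handled by S61-S65
```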
Preferably, the processing unit 74 is specifically configured to match the message stream by using a protocol parser corresponding to the determined protocol type; and marking the message flow as detection completion after the matching is successful.
Preferably, the processing unit 74 is specifically configured to, if the protocol type is an HTTPS protocol, determine whether a server identifier has been acquired or whether ssl_stage is greater than a set value after matching is unsuccessful; and when either judgment result is yes, mark the message flow so that it is processed by the protocol parser corresponding to the HTTPS protocol at the next moment.
Preferably, the apparatus further comprises:
a third determining unit 75, configured to determine that the packet flow is not marked before the first determining unit 72 determines, according to the attribute information of the packet and the statistical information of the packet, whether the packet flow satisfies a preset delay signature matching DSM rule.
For convenience of description, the above parts are separately described as modules (or units) according to functional division. Of course, the functionality of the various modules (or units) may be implemented in the same or in multiple pieces of software or hardware in practicing the invention.
Based on the same inventive concept, an embodiment of the present invention provides a communication device, including a memory, a processor, and a computer program stored on the memory and executable on the processor; when the processor executes the program, the method for processing the message stream according to any one of the embodiments of the present invention is implemented.
In some possible embodiments, various aspects of the message stream processing method provided by the present invention may also be implemented in a form of a program product, which includes program code for causing a computer device to execute the steps in the message stream processing method according to various exemplary embodiments of the present invention described above in this specification when the program product runs on the computer device, for example, the computer device may execute the message stream processing flow in steps S11 to S14 shown in fig. 4.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The program product of the message stream processing method of the embodiments of the present invention may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a computing device. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device over any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., over the internet using an internet service provider).
It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such division is merely exemplary and not mandatory. Indeed, the features and functions of two or more of the units described above may be embodied in one unit, according to embodiments of the invention. Conversely, the features and functions of one unit described above may be further divided into embodiments by a plurality of units.
Moreover, while the operations of the method of the invention are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
The message stream processing device provided by the embodiments of the application can be implemented by a computer program. Those skilled in the art should understand that the module division described above is only one of many possible divisions; whether or not the functions are divided into other modules, the device falls within the scope of the present application as long as the message stream processing device has the functions described above.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (22)

1. A method for processing a message stream, comprising:
acquiring a message flow to be detected;
determining whether the message flow meets a preset Delay Signature Matching (DSM) rule or not according to attribute information of a data packet and statistical information of the data packet, wherein the attribute information of the data packet comprises a transport layer protocol of the data packet, a server port number and bytes at a preset index of the data packet with a load, and the statistical information of the data packet comprises the number of the data packets with the load; and determining whether the packet flow meets a preset Delay Signature Matching (DSM) rule or not according to attribute information of the data packet and statistical information of the data packet obtained from the packet flow, specifically comprising: after determining that the transmission layer protocol of the obtained data packet is a Transmission Control Protocol (TCP), judging whether the server port number of the data packet is a first set port number or not; if so, determining the number of data packets carrying loads obtained from the message flow; when the number is determined to be not less than a first number threshold, judging whether bytes at a preset index of a data packet with a load are first set characters; if so, determining that the message flow meets a delay signature matching DSM rule corresponding to a first protocol, wherein the first protocol is one of an FTP protocol, a POP3 protocol, an HTTP protocol and an HTTPS protocol;
determining the protocol type of the DSM rule met by the message flow, wherein different protocol types correspond to different DSM rules;
and processing the message flow by using a protocol analyzer corresponding to the determined protocol type.
2. The method of claim 1, wherein the protocol type includes at least one of: file transfer FTP protocol, post office protocol POP3, hypertext transfer protocol HTTP and hypertext transfer protocol for secure transfer HTTPS.
3. The method of claim 1, wherein the statistics of the packets further include a total number of packets that have been obtained from the packet flow; and
when the number is smaller than the first number threshold value, or when the byte at the preset index of the data packet with the load is judged not to be the first set character, judging whether the total number of the data packets obtained from the message flow is not larger than the first set total number threshold value or not;
and when the judgment result is yes, continuously acquiring a data packet from the message flow, and continuously determining whether the message flow meets a preset DSM rule.
4. The method of claim 1, further comprising:
when the server port number of the data packet is judged not to be the first set port number, judging whether the server port number of the data packet is the second set port number or not;
if so, determining the number of data packets carrying loads obtained from the message flow;
when the number is determined to be not less than a second number threshold, judging whether bytes at preset indexes of the data packets with the loads are second set characters or not;
and when the judgment result is yes, determining that the message flow meets a delay signature matching DSM rule corresponding to a second protocol, wherein the second protocol is one of the FTP protocol, the POP3 protocol, the HTTP protocol and the HTTPS protocol, and the second protocol is different from the first protocol.
5. The method of claim 4,
when the number is smaller than the second number threshold value, or when the bytes at the preset index of the data packet with the load are determined not to be the second set characters, judging whether the total number of the data packets obtained from the message flow is not larger than the second set total number threshold value or not;
and when the judgment result is yes, continuously acquiring a data packet from the message flow, and continuously determining whether the message flow meets a preset DSM rule.
6. The method of claim 1 or 4, wherein the statistics of the packets further include a number of packets having a secure transport layer protocol; and the method further comprises:
When the server port number of the data packet is judged not to be a first set port number, or when the server port number of the data packet is judged not to be a second set port number, judging whether the server port number of the data packet is a third set port number;
if so, determining the number of data packets with a secure transport layer protocol obtained from the message flow;
when the number is determined to be not smaller than a third number threshold, judging whether the number of data packets carrying loads obtained from the message flow is not smaller than a fourth number threshold;
and if so, determining that the message flow meets a delay signature matching DSM rule corresponding to a third protocol, wherein the third protocol is one of the FTP protocol, the POP3 protocol, the HTTP protocol and the HTTPS protocol, and the third protocol is different from the first protocol and the second protocol.
7. The method of claim 6,
when the number is determined to be smaller than a third number threshold or the number is determined to be smaller than a fourth number threshold, judging whether the total number of the data packets obtained from the message flow is not larger than a third set total number threshold or not;
and when the judgment result is yes, continuously acquiring a data packet from the message flow, and continuously determining whether the message flow meets a preset DSM rule.
8. The method of claim 1, wherein processing the packet stream using a protocol parser corresponding to the determined protocol type specifically includes:
matching the message stream by using a protocol analyzer corresponding to the determined protocol type;
and marking the message flow as detection completion after the matching is successful.
9. The method of claim 8,
if the protocol type is an HTTPS protocol, judging whether a server identifier has been acquired or whether ssl_stage is greater than a set value after the matching is unsuccessful;
and when any judgment result is yes, marking the message flow so as to process the message flow by using a protocol analyzer corresponding to the HTTPS protocol at the next moment.
10. The method of claim 1, wherein before determining, according to the attribute information of the data packet and the statistical information of the data packet obtained from the packet flow, the protocol type to which the delay signature matching DSM rule satisfied by the packet flow belongs, the method further comprises:
Determining that the packet flow is not marked.
11. An apparatus for processing a packet stream, comprising:
an acquisition unit, configured to acquire a message flow to be detected;
a first determining unit, configured to determine whether the packet flow meets a preset delay signature matching DSM rule according to attribute information of a packet and statistical information of the packet, where the attribute information of the packet includes a transport layer protocol of the packet, a server port number, and a byte at a preset index of the packet carrying a load, and the statistical information of the packet includes the number of packets carrying the load; the first determining unit is specifically configured to determine whether a server port number of the obtained data packet is a first set port number after determining that a transport layer protocol of the data packet is a transmission control protocol TCP; if so, determining the number of data packets carrying loads obtained from the message flow; when the number is determined to be not less than a first number threshold, judging whether bytes at a preset index of a data packet with a load are first set characters; if so, determining that the message flow meets a delay signature matching DSM rule corresponding to a first protocol, wherein the first protocol is one of an FTP protocol, a POP3 protocol, an HTTP protocol and an HTTPS protocol;
a second determining unit, configured to determine a protocol type to which a DSM rule that is satisfied by the packet flow belongs, where different protocol types correspond to different DSM rules;
and the processing unit is used for processing the message stream by using the protocol analyzer corresponding to the determined protocol type.
12. The apparatus of claim 11, wherein the protocol type includes at least one of: file transfer protocol FTP, post office protocol POP3, hypertext transfer protocol HTTP, and hypertext transfer protocol secure HTTPS.
13. The apparatus of claim 11, wherein the statistics of the packets further include a total number of packets that have been obtained from the packet flow; and
the first determining unit is further configured to, when it is determined that the number is smaller than the first number threshold, or when it is determined that a byte at a preset index of a data packet with a load is not a first set character, determine whether a total number of data packets obtained from the packet stream is not greater than a first set total number threshold; and when the judgment result is yes, continuously acquiring a data packet from the message flow, and continuously determining whether the message flow meets a preset DSM rule.
14. The apparatus of claim 13,
the first determining unit is further configured to determine whether the server port number of the data packet is a second set port number when it is determined that the server port number of the data packet is not the first set port number; if so, determining the number of data packets carrying loads obtained from the message flow; when the number is determined to be not less than a second number threshold, judging whether bytes at preset indexes of the data packets with the loads are second set characters or not; and when the judgment result is yes, determining that the message flow meets a delay signature matching DSM rule corresponding to a second protocol, wherein the second protocol is one of the FTP protocol, the POP3 protocol, the HTTP protocol and the HTTPS protocol, and the second protocol is different from the first protocol.
15. The apparatus of claim 14,
the first determining unit is further configured to, when it is determined that the number is smaller than the second number threshold, or when it is determined that a byte at a preset index of a data packet with a load is not a second set character, determine whether a total number of data packets obtained from the packet stream is not greater than a second set total number threshold; and when the judgment result is yes, continuously acquiring a data packet from the message flow, and continuously determining whether the message flow meets a preset DSM rule.
16. The apparatus of claim 11 or 14, wherein the statistics of the packets further include a number of packets having a secure transport layer protocol; and
the first determining unit is further configured to determine whether the server port number of the packet is a third set port number when determining that the server port number of the packet is not the first set port number or when determining that the server port number of the packet is not the second set port number; if so, determining the number of data packets with a secure transport layer protocol obtained from the message flow; when the number is determined to be not smaller than a third number threshold, judging whether the number of data packets carrying loads obtained from the message flow is not smaller than a fourth number threshold; and if so, determining that the message flow meets a delay signature matching DSM rule corresponding to a third protocol, wherein the third protocol is one of the FTP protocol, the POP3 protocol, the HTTP protocol and the HTTPS protocol, and the third protocol is different from the first protocol and the second protocol.
17. The apparatus of claim 16,
the first determining unit is further configured to determine whether the total number of data packets obtained from the packet stream is not greater than a third set total number threshold when it is determined that the number is smaller than a third number threshold or when it is determined that the number is smaller than a fourth number threshold; and when the judgment result is yes, continuously acquiring a data packet from the message flow, and continuously determining whether the message flow meets a preset DSM rule.
18. The apparatus of claim 11,
the processing unit is specifically configured to match the message stream with a protocol parser corresponding to the determined protocol type; and marking the message flow as detection completion after the matching is successful.
19. The apparatus of claim 18,
the processing unit is specifically configured to, if the protocol type is the HTTPS protocol, determine whether a server identifier has been acquired or whether ssl_stage is greater than a set value after matching is unsuccessful; and when either judgment result is yes, mark the message flow so that the message flow is processed by the protocol analyzer corresponding to the HTTPS protocol at the next moment.
20. The apparatus of claim 11, further comprising:
a third determining unit, configured to determine that the packet flow is not marked before the first determining unit determines, according to the attribute information of the packet and the statistical information of the packet, whether the packet flow meets the preset delay signature matching DSM rule.
21. A communication device comprising a memory, a processor and a computer program stored on the memory and executable on the processor; the message flow processing method according to any one of claims 1 to 10 is implemented when the processor executes the program.
22. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the steps of the method for processing a message stream according to any one of claims 1 to 10.
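The rule shape that claims 11 to 17 spell out three times (check TCP, look up the server port, count payload-carrying or TLS packets, compare bytes at a preset index, keep reading up to a total-packet budget, then give up) is easier to see as one table-driven loop. The following is an added example written for this page, not code from the patent or its assignee; it generalizes the three per-port branches into a rule table. The port numbers are the well-known ones for FTP, POP3, HTTP and HTTPS, while the thresholds, the preset index, the expected bytes, and the choice to inspect the first payload sent by the server are this example's own assumptions, since the claims only call them "set" values.

```python
"""Delayed signature matching (DSM) pre-classifier, illustrative only.

Per-flow counters (total, payload-carrying and TLS packets) are updated
per packet; a per-port rule decides MATCHED / PENDING / GIVE_UP, mirroring
the structure of claims 11-17. All concrete values are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple, Union


class Verdict(Enum):
    PENDING = "pending"    # keep acquiring packets from the flow
    MATCHED = "matched"    # DSM rule satisfied: hand the flow to a parser
    GIVE_UP = "give_up"    # total-packet budget exhausted without a match
    NO_RULE = "no_rule"    # not TCP, or no DSM rule for this server port


@dataclass(frozen=True)
class Packet:
    transport: str            # "TCP" or "UDP"
    server_port: int
    payload: bytes = b""
    from_server: bool = False
    is_tls: bool = False      # a "secure transport layer protocol" packet


@dataclass(frozen=True)
class ByteRule:
    """Claims 11/14: N payload packets seen, then bytes at a preset index."""
    protocol: str
    port: int
    min_payload_pkts: int     # first/second number threshold
    index: int                # preset index into the payload
    expected: bytes           # first/second set characters
    max_total_pkts: int       # first/second total-number threshold


@dataclass(frozen=True)
class TlsRule:
    """Claim 16: enough TLS packets and enough payload packets."""
    protocol: str
    port: int
    min_tls_pkts: int         # third number threshold
    min_payload_pkts: int     # fourth number threshold
    max_total_pkts: int       # third total-number threshold


Rule = Union[ByteRule, TlsRule]


@dataclass
class FlowState:
    total_pkts: int = 0
    payload_pkts: int = 0
    tls_pkts: int = 0
    first_server_payload: Optional[bytes] = None   # assumption: bytes are checked here


def _satisfied(rule: Rule, st: FlowState) -> bool:
    if isinstance(rule, ByteRule):
        if st.payload_pkts < rule.min_payload_pkts or st.first_server_payload is None:
            return False
        window = st.first_server_payload[rule.index:rule.index + len(rule.expected)]
        return window == rule.expected
    return st.tls_pkts >= rule.min_tls_pkts and st.payload_pkts >= rule.min_payload_pkts


def feed(st: FlowState, pkt: Packet, rules: Dict[int, Rule]) -> Tuple[Verdict, Optional[str]]:
    """Account for one packet and return the DSM verdict for the flow so far."""
    st.total_pkts += 1
    if pkt.payload:
        st.payload_pkts += 1
        if pkt.from_server and st.first_server_payload is None:
            st.first_server_payload = pkt.payload
    if pkt.is_tls:
        st.tls_pkts += 1
    rule = rules.get(pkt.server_port) if pkt.transport == "TCP" else None
    if rule is None:
        return Verdict.NO_RULE, None
    if _satisfied(rule, st):
        return Verdict.MATCHED, rule.protocol
    # Claims 13/15/17: keep reading while under the total-packet budget.
    return (Verdict.PENDING, None) if st.total_pkts <= rule.max_total_pkts else (Verdict.GIVE_UP, None)


def classify_flow(packets: List[Packet], rules: Dict[int, Rule]) -> Tuple[Verdict, Optional[str], int]:
    """Run the DSM loop over a flow; returns (verdict, protocol, packets consumed)."""
    st, verdict, proto, consumed = FlowState(), Verdict.PENDING, None, 0
    for pkt in packets:
        consumed += 1
        verdict, proto = feed(st, pkt, rules)
        if verdict is not Verdict.PENDING:
            break
    return verdict, proto, consumed


# Constructed rule table: thresholds, index and expected bytes are assumptions.
RULES: Dict[int, Rule] = {
    21: ByteRule("FTP", 21, min_payload_pkts=1, index=0, expected=b"220", max_total_pkts=6),
    110: ByteRule("POP3", 110, min_payload_pkts=1, index=0, expected=b"+OK", max_total_pkts=6),
    80: ByteRule("HTTP", 80, min_payload_pkts=2, index=0, expected=b"HTTP/", max_total_pkts=8),
    443: TlsRule("HTTPS", 443, min_tls_pkts=2, min_payload_pkts=2, max_total_pkts=10),
}

# Constructed sample flows; the first three packets model a payload-less handshake.
FTP_FLOW = [Packet("TCP", 21), Packet("TCP", 21, from_server=True), Packet("TCP", 21),
            Packet("TCP", 21, payload=b"220 ftp service ready\r\n", from_server=True)]
HTTP_FLOW = [Packet("TCP", 80), Packet("TCP", 80, from_server=True), Packet("TCP", 80),
             Packet("TCP", 80, payload=b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
             Packet("TCP", 80, payload=b"HTTP/1.1 200 OK\r\n\r\n", from_server=True)]
HTTPS_FLOW = [Packet("TCP", 443), Packet("TCP", 443, from_server=True), Packet("TCP", 443),
              Packet("TCP", 443, payload=b"\x16\x03\x01", is_tls=True),                    # client hello
              Packet("TCP", 443, payload=b"\x16\x03\x03", from_server=True, is_tls=True)]  # server hello
NOISE_FLOW = [Packet("TCP", 21, payload=b"\x00" * 8)] * 8   # client-only bytes, greeting never arrives

if __name__ == "__main__":
    for name, flow in [("ftp", FTP_FLOW), ("http", HTTP_FLOW), ("https", HTTPS_FLOW), ("noise", NOISE_FLOW)]:
        print(name, classify_flow(flow, RULES))
```

The deferred decision is the point of the technique: the flow is not handed to any parser until the counters cross the rule's thresholds, and a flow that never produces the expected bytes is dropped from detection once its total-packet budget is spent rather than consuming parser time forever. The GIVE_UP path also shows the trade-off a defender should keep in mind: the budget bounds per-flow cost, but it also bounds how long a flow that withholds its greeting stays under inspection.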
CN201811105422.XA 2018-09-21 2018-09-21 Message flow processing method and device and readable medium Active CN110943873B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811105422.XA CN110943873B (en) 2018-09-21 2018-09-21 Message flow processing method and device and readable medium

Publications (2)

Publication Number Publication Date
CN110943873A CN110943873A (en) 2020-03-31
CN110943873B true CN110943873B (en) 2021-08-17

Family

ID=69905153

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811105422.XA Active CN110943873B (en) 2018-09-21 2018-09-21 Message flow processing method and device and readable medium

Country Status (1)

Country Link
CN (1) CN110943873B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101426000A (en) * 2007-10-30 2009-05-06 北京启明星辰信息技术有限公司 General protocol parsing method and system
CN101552722A (en) * 2008-04-03 2009-10-07 北京启明星辰信息技术股份有限公司 Method and device for managing network flow bandwidth
CN101909079A (en) * 2010-07-15 2010-12-08 北京迈朗世讯科技有限公司 User online behavior data acquisition method in backbone link and system
CN102148773A (en) * 2010-02-08 2011-08-10 中国联合网络通信集团有限公司 Method and system for converting IPv6 (Internet Protocol Version 6) protocol and IPv4 (Internet Protocol Version 4) protocol
CN102752281A (en) * 2012-05-28 2012-10-24 福建升腾资讯有限公司 Remote redirection method and system of TWAIN protocol
CN102958105A (en) * 2012-10-23 2013-03-06 大唐软件技术股份有限公司 Internet of things terminal access method and device
CN103139315A (en) * 2013-03-26 2013-06-05 烽火通信科技股份有限公司 Application layer protocol analysis method suitable for home gateway
US8595352B2 (en) * 2006-03-22 2013-11-26 Brocade Communications Systems, Inc. Protocols for connecting intelligent service modules in a storage area network
CN103685222A (en) * 2013-09-05 2014-03-26 北京科能腾达信息技术股份有限公司 A data matching detection method based on a deterministic finite state automaton
CN107547290A (en) * 2016-06-27 2018-01-05 腾讯科技(深圳)有限公司 Traffic detection method and device
CN107707549A (en) * 2017-09-30 2018-02-16 迈普通信技术股份有限公司 Device and method for automatically extracting application features

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101674321A (en) * 2008-09-12 2010-03-17 华为技术有限公司 Method, device and system for processing message
CN101951031B (en) * 2010-07-02 2012-09-05 北京航空航天大学 Distribution network automatic system based on broadband wireless communication and realization method thereof
CN103780601A (en) * 2012-10-17 2014-05-07 北京力控华康科技有限公司 Method for automatically establishing Ethernet communication safety rules

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
The Study of DPI Identification Technology Based on Sampling; Hongwei Chen; 《2009 International Conference on Information Engineering and Computer Science》; 2009-12-28; full text *
Deep Packet Inspection with Delayed Signature Matching in Network Auditing; Yingpei Zeng; 《ICICS 2018: Information and Communications Security》; 2018 *
Design of a Linux-based wireless LAN protocol parser; Zhou Wei (周炜); 《计算机技术与发展》 (Computer Technology and Development); 2008-03-10; full text *

Also Published As

Publication number Publication date
CN110943873A (en) 2020-03-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant