CN111259122B - Network packet detection method and device - Google Patents


Info

Publication number
CN111259122B
Authority
CN
China
Prior art keywords
nfa
state
relation
state information
nfa state
Legal status
Active
Application number
CN202010033497.2A
Other languages
Chinese (zh)
Other versions
CN111259122A (en
Inventor
王彬
覃永靖
程诗尧
马江波
Current Assignee
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Application filed by Qax Technology Group Inc, Secworld Information Technology Beijing Co Ltd
Priority to CN202010033497.2A
Publication of CN111259122A
Application granted
Publication of CN111259122B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/33 Querying
    • G06F16/332 Query formulation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/33 Querying
    • G06F16/3331 Query processing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Abstract

An embodiment of the invention provides a network packet detection method and device. The method comprises: acquiring a network packet to be detected; and inputting the network packet to be detected into a pre-constructed updated NFA state relation network for detection to obtain a detection result, wherein the updated NFA state relation network is obtained by performing jump relation update processing on an original NFA state relation network. Because the jump relation update processing is performed on the NFA state relation network, the jump states in the NFA state relation network are reduced and memory space is used more efficiently; the effective jump states for the characters of the input network packet are reduced, which speeds up detection matching of the network packet, so that security detection of the network packet can be carried out in time.

Description

Network packet detection method and device
Technical Field
The present invention relates to the field of text search technologies, and in particular, to a network packet detection method and apparatus.
Background
In the technical field of network packet detection, the characters in a network packet need to be searched and matched in order to judge whether the network packet is safe. Regular expression matching is generally adopted: the regular expression is first compiled into an NFA (non-deterministic finite automaton). Then, if memory space and execution time allow, the NFA is converted into a DFA (deterministic finite automaton). Finally, the matching task is performed according to the matching mode ("substring search" and "full text matching"). However, with current character string matching the matching speed is low, and security detection of the network packet cannot be completed quickly.
Disclosure of Invention
Aiming at the problems existing in the prior art, the embodiment of the invention provides a network packet detection method and device.
In a first aspect, an embodiment of the present invention provides a network packet detection method, including:
acquiring a network packet to be detected;
and inputting the network packet to be detected into a pre-constructed updated NFA state relation network for detection to obtain a detection result, wherein the updated NFA state relation network is obtained by performing jump relation update processing on an original NFA state relation network.
Further, the step of obtaining the updated NFA state relation network includes:
acquiring a plurality of regular expressions for detection, and compiling the regular expressions to obtain the corresponding NFA state relations;
generating an original NFA state relation network according to the NFA state relations;
and performing jump relation update processing on the original NFA state relation network to obtain an updated NFA state relation network.
Further, performing a jump relation update process on the original NFA state relation network to obtain an updated NFA state relation network, including:
acquiring head state information and tail state information of each NFA state relation, wherein the head state information and the tail state information comprise an input edge list and an output edge list;
and performing jump relation update processing on the NFA state relation network according to the head state information and the tail state information of each NFA state relation to obtain an updated NFA state relation network.
Further, the step of performing jump relation update processing on the NFA state relation network according to the head state information and the tail state information of each NFA state relation to obtain an updated NFA state relation network includes:
performing a connection structure update, an OR structure update and/or a closure structure update on the NFA state relation network according to the head state information and the tail state information of each NFA state relation to obtain an updated NFA state relation network, wherein the connection structure update optimizes the connection operation between the NFA state relations according to the head state information and the tail state information of each NFA state relation; the OR structure update optimizes the OR operation between the NFA state relations according to the head state information and the tail state information of each NFA state relation; and the closure structure update optimizes the closure operation between the NFA state relations according to the head state information and the tail state information of each NFA state relation.
Further, performing the connection structure update on the NFA state relation network according to the head state information and the tail state information of each NFA state relation includes:
determining two adjacent NFA state relations from each NFA state relation, and configuring the two adjacent NFA state relations into a current NFA state relation and a next NFA state relation;
determining that the current NFA state relation is non-empty, and if the head state information of the next NFA state relation does not have an input edge, merging the tail state information of the current NFA state relation with the head state information of the next NFA state relation;
if the tail state information of the current NFA state relation does not have an output edge, merging the head state information of the next NFA state relation with the tail state information of the current NFA state relation;
if the head state information of the next NFA state relation has an input edge and the tail state information of the current NFA state relation has an output edge, the tail state information of the current NFA state relation is added to the null jump of the head state information of the next NFA state relation.
Further, performing the OR structure update on the NFA state relation network according to the head state information and the tail state information of each NFA state relation includes:
determining two adjacent NFA state relations from each NFA state relation, and configuring the two adjacent NFA state relations into a current NFA state relation and a next NFA state relation;
if the head state information of the current NFA state relation does not have an input edge and the head state information of the next NFA state relation does not have an input edge, merging the head state information of the current NFA state relation with the head state information of the next NFA state relation;
if the head state information of the current NFA state relation does not have an input edge and the head state information of the next NFA state relation has an input edge, adding the head state information of the current NFA state relation to the null jump of the head state information of the next NFA state relation;
if the head state information of the current NFA state relation has an input edge and the head state information of the next NFA state relation does not have an input edge, adding the head state information of the next NFA state relation to the null jump of the head state information of the current NFA state relation;
if the head state information of the current NFA state relation has an input edge, the head state information of the next NFA state relation has an input edge, and the head state information of the current NFA state relation can be combined with the head state information of the next NFA state relation, combining the head state information of the current NFA state relation with the head state information of the next NFA state relation;
if the head state information of the current NFA state relation has an input edge, the head state information of the next NFA state relation has an input edge, and the head state information of the current NFA state relation cannot be combined with the head state information of the next NFA state relation, creating new head state information for the current NFA state relation, adding the new head state information to the null jump of the head state information of the previous NFA state relation, and adding the new head state information to the null jump of the head state information of the next NFA state relation;
if the tail state information of the current NFA state relation does not have an output edge and the tail state of the next NFA state relation does not have an output edge, combining the tail state information of the current NFA state relation with the tail state information of the next NFA state relation;
if the tail state information of the current NFA state relation does not have an output edge and the tail state of the next NFA state relation has an output edge, adding the tail state information of the next NFA state relation to the null jump of the tail state information of the current NFA state relation;
if the tail state information of the current NFA state relation has an output edge and the tail state of the next NFA state relation does not have an output edge, adding the tail state information of the current NFA state relation to the null jump of the tail state information of the next NFA state relation;
if the tail state information of the current NFA state relation has an output edge, the tail state of the next NFA state relation does not have an output edge, and the tail state information of the current NFA state relation can be combined with the tail state information of the next NFA state relation, the tail state information of the current NFA state relation is combined with the tail state information of the next NFA state relation;
if the tail state information of the current NFA state relation has an output edge, the tail state of the next NFA state relation does not have an output edge, and the tail state information of the current NFA state relation cannot be combined with the tail state information of the next NFA state relation, creating new tail state information for the current NFA state relation, adding the tail state information of the current NFA state relation to a null jump of the new tail state information, and adding the tail state information of the current NFA state relation to a null jump of the new tail state information for the next NFA state relation.
Further, performing the closure structure update on the NFA state relation network according to the head state information and the tail state information of each NFA state relation includes:
determining two adjacent NFA state relations from each NFA state relation, and configuring the two adjacent NFA state relations into a current NFA state relation and a next NFA state relation;
and if the closure state exists in the current NFA state relation and the next NFA state relation, merging the head state information of the current NFA state relation and the tail state information of the next NFA state relation.
Further, the method further comprises the following steps: compiling the updated NFA state relation network into a DFA state relation network, and enabling the DFA state relation network to detect the network packet to be detected to obtain a detection result.
In a second aspect, an embodiment of the present invention provides a network packet detection apparatus, including:
the acquisition module is used for acquiring the network packet to be detected;
the detection module is used for inputting the network packet to be detected into a pre-constructed updated NFA state relation network to detect to obtain a detection result, wherein the updated NFA state relation network is obtained by performing jump relation update processing on an original NFA state relation network.
Further, the device also comprises an updating module for:
acquiring a plurality of regular expressions for detection, and compiling the regular expressions to obtain the corresponding NFA state relations;
generating an original NFA state relation network according to the NFA state relations;
and performing jump relation update processing on the original NFA state relation network to obtain an updated NFA state relation network.
Further, in the process of performing jump relation update processing on the original NFA state relation network to obtain an updated NFA state relation network, the updating module is specifically configured for:
acquiring head state information and tail state information of each NFA state relation, wherein the head state information and the tail state information comprise an input edge list and an output edge list;
and performing jump relation update processing on the NFA state relation network according to the head state information and the tail state information of each NFA state relation to obtain an updated NFA state relation network.
In a third aspect, an embodiment of the present invention provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the steps of the network packet detection method as described above when the program is executed.
In a fourth aspect, embodiments of the present invention provide a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of a network packet detection method as described above.
In a fifth aspect, embodiments of the present invention provide a computer program product comprising computer executable instructions for implementing the steps of a network packet detection method as described above when executed.
According to the network packet detection method and device, the jump relation update processing is carried out on the NFA state relation network, so that the jump states in the NFA state relation network are reduced, the utilization rate of memory space is improved, the effective jump states of characters of the input network packet are reduced, the detection matching speed of the network packet is increased, and the aim of timely carrying out safety detection on the network packet is fulfilled.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a network packet detection method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a network packet detection method according to another embodiment of the present invention;
FIG. 3 is a flowchart of a network packet detection method according to another embodiment of the present invention;
FIG. 4 is a flowchart of a network packet detection method according to another embodiment of the present invention;
FIG. 5 is a diagram illustrating the NFA state relationship prior to a connection structure update in accordance with the present invention;
FIG. 6 is a diagram of NFA state relationships after connection structure updates in accordance with the present invention;
FIG. 7 is a schematic diagram of the NFA state relationship before the OR structure update of the present invention;
FIG. 8 is a schematic diagram of the NFA state relationship after the OR structure update of the present invention;
FIG. 9 is a schematic diagram of the NFA state relationship before the closure structure update of the present invention;
FIG. 10 is a schematic diagram of the NFA state relationship after the closure structure update of the present invention;
FIG. 11 is a diagram illustrating a network packet inspection apparatus according to an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of an embodiment of an electronic device according to the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 is a flow chart illustrating a network packet detection method according to an embodiment of the present invention, referring to fig. 1, the method includes:
S11, acquiring a network packet to be detected;
S12, inputting the network packet to be detected into a pre-constructed updated NFA state relation network for detection to obtain a detection result, wherein the updated NFA state relation network is obtained by performing jump relation update processing on an original NFA state relation network.
For steps S11 and S12, it should be noted that, in the embodiment of the present invention, the network packet to be detected is a network packet that requires security detection. Therefore, the network packet to be detected needs to be acquired.
In the process of detecting and matching network packets by using regular expressions, the regular expressions need to be compiled into an NFA (non-deterministic finite automaton) state relational expression and a DFA (deterministic finite automaton) state relational expression, and the NFA and the DFA respectively perform a character string matching process on the network packets.
In the process of detecting and matching network packets, matching of a plurality of regular expressions to the network packets is sometimes required, and for this purpose, NFA state relation networks are required to be established by NFA state relation expressions corresponding to the plurality of regular expressions. The NFA state relationship network established at this time is the original NFA state relationship network.
Each NFA state relation contains multiple states, with jumps or null jumps between the states. Because null jumps exist between NFA state relations or within an NFA state relation itself, the number of effective jump states for the characters of the input network packet increases, and the detection matching speed of the network packet decreases.
For this purpose, a jump relation update process is performed on the original NFA state relation network, so as to obtain an updated NFA state relation network.
And detecting the network packet to be detected by the updated NFA state relation network to obtain a detection result, and determining the security type of the network packet to be detected according to the detection result.
According to the network packet detection method provided by the embodiment of the invention, the jump relation update processing is carried out on the NFA state relation network, so that the jump states in the NFA state relation network are reduced, the utilization rate of the memory space is improved, the effective jump states of characters of the input network packet are reduced, the detection matching speed of the network packet is increased, and the aim of timely carrying out safety detection on the network packet is fulfilled.
Fig. 2 is a flow chart illustrating a network packet detection method according to an embodiment of the present invention, referring to fig. 2, the method includes:
S21, acquiring a network packet to be detected and a plurality of regular expressions for detection;
S22, compiling the plurality of regular expressions to obtain the corresponding NFA state relations, generating an original NFA state relation network according to the NFA state relations, and performing jump relation update processing on the original NFA state relation network to obtain an updated NFA state relation network;
S23, inputting the network packet to be detected into a pre-constructed updated NFA state relation network for detection to obtain a detection result.
For steps S21 to S23, it should be noted that, in the embodiment of the present invention, in the process of detecting and matching the network packet by using regular expressions, the regular expressions need to be compiled into an NFA (non-deterministic finite automaton) state relational expression and a DFA (deterministic finite automaton) state relational expression, and the NFA and the DFA respectively perform a string matching process on the network packet.
In the process of detecting and matching network packets, matching of a plurality of regular expressions to the network packets is sometimes required, and for this purpose, NFA state relation networks are required to be established by NFA state relation expressions corresponding to the plurality of regular expressions. The NFA state relationship network established at this time is the original NFA state relationship network.
Each NFA state relation contains multiple states, with jumps or null jumps between the states. Because null jumps exist between NFA state relations or within an NFA state relation itself, the number of effective jump states for the characters of the input network packet increases, and the detection matching speed of the network packet decreases.
For this purpose, a jump relation update process is performed on the original NFA state relation network, so as to obtain an updated NFA state relation network.
And detecting the network packet to be detected by the updated NFA state relation network to obtain a detection result, and determining the security type of the network packet to be detected according to the detection result.
According to the network packet detection method provided by the embodiment of the invention, the jump relation update processing is carried out on the NFA state relation network, so that the jump states in the NFA state relation network are reduced, the utilization rate of the memory space is improved, the effective jump states of characters of the input network packet are reduced, the detection matching speed of the network packet is increased, and the aim of timely carrying out safety detection on the network packet is fulfilled.
Fig. 3 is a flow chart illustrating a network packet detection method according to an embodiment of the present invention, referring to fig. 3, the method includes:
S31, acquiring a network packet to be detected and a plurality of regular expressions for detection;
S32, compiling the plurality of regular expressions to obtain the corresponding NFA state relations, and generating an original NFA state relation network according to the NFA state relations;
S33, acquiring head state information and tail state information of each NFA state relation, wherein the head state information and the tail state information comprise an input edge list and an output edge list, and performing jump relation update processing on the original NFA state relation network according to the head state information and the tail state information of each NFA state relation to obtain an updated NFA state relation network;
S34, inputting the network packet to be detected into a pre-constructed updated NFA state relation network for detection to obtain a detection result.
For steps S32 to S33, it should be noted that, in the embodiment of the present invention, each NFA state relation contains multiple states, with jumps or null jumps between the states. Both jumps and null jumps are directional, that is, each goes from one state to another. Each jump can therefore represent an input edge or an output edge in a state relation. Because null jumps exist between NFA state relations or within an NFA state relation itself, the number of effective jump states for the characters of the input network packet increases, and the detection matching speed of the network packet decreases.
Updating the null jumps that exist between NFA state relations or within an NFA state relation itself requires combining the head state information and the tail state information of each NFA state relation. Here, the head state information and the tail state information each include an input edge list and an output edge list.
And performing jump relation update processing on the original NFA state relation network according to the head state information and the tail state information of each NFA state relation to obtain an updated NFA state relation network.
And detecting the network packet to be detected by the updated NFA state relation network to obtain a detection result, and determining the security type of the network packet to be detected according to the detection result.
For step S31 and step S34, these steps are the same as steps S21 and S23 in the above embodiment, and are not described in detail here.
According to the network packet detection method provided by the embodiment of the invention, the jump relation update processing is carried out on the NFA state relation network, so that the jump states in the NFA state relation network are reduced, the utilization rate of the memory space is improved, the effective jump states of characters of the input network packet are reduced, the detection matching speed of the network packet is increased, and the aim of timely carrying out safety detection on the network packet is fulfilled.
Fig. 4 is a flow chart illustrating a network packet detection method according to an embodiment of the present invention, referring to fig. 4, the method includes:
S41, acquiring a network packet to be detected and a plurality of regular expressions for detection;
S42, compiling the plurality of regular expressions to obtain the corresponding NFA state relations, and generating an original NFA state relation network according to the NFA state relations;
S43, acquiring head state information and tail state information of each NFA state relation, wherein the head state information and the tail state information comprise an input edge list and an output edge list, and performing the connection structure update, the OR structure update and the closure structure update on the original NFA state relation network according to the head state information and the tail state information of each NFA state relation to obtain an updated NFA state relation network;
S44, inputting the network packet to be detected into a pre-constructed updated NFA state relation network for detection to obtain a detection result.
For steps S42 and S43, there are multiple states in each NFA state relation, and there is a jump or null jump between each state. Both jumps and null jumps have directionality, i.e. jumps from one state to another. To this end, each jump may represent an input edge or an output edge in a state relationship. Because of the condition that the NFA state relation or the NFA state relation has empty skip, the effective skip state of the characters of the input network packet is increased, and the detection matching speed of the network packet is reduced.
Updating empty hops existing between NFA state relations or existing between NFA state relations itself requires combining header state information and trailer state information of each NFA state relation. Here, the head state information and the tail state information each include an input side list and an output side list.
There are three basic building relationship-join constructs, or constructs and closure constructs, in the NFA state relationship network, which are based on three basic operator-join, or and closure, in regular expressions.
In the embodiment of the invention, the connection structure of the NFA state relation network is required to be updated according to the head state information and the tail state information of each NFA state relation, and/or the structure is updated, and/or the closure structure is updated, so that the updated NFA state relation network is obtained, wherein the connection structure is updated to optimize the connection operation between each NFA state relation according to the head state information and the tail state information of each NFA state relation; the or structure is updated to optimize or operation among the NFA state relations according to the head state information and the tail state information of the NFA state relations; the closure constructs are updated to optimize closure operations between the respective NFA state relationships based on the head state information and the tail state information of the respective NFA state relationships.
The connection structure update, the OR structure update and the closure structure update are explained below:
a) The connection structure update is used for updating the connection operation of the "current automaton NFA" and the "next automaton NFA".
If the "current automaton NFA" is empty, the "current automaton NFA" is replaced with the "next automaton NFA". For example: a.
If the "current automaton NFA" is not empty and the "head state of the next automaton NFA" does not have an input edge, the "tail state of the current automaton NFA" is merged with the "head state of the next automaton NFA". For example: a.b.
If the "current automaton NFA" is not empty and the "tail state of the current automaton NFA" does not have an output edge, the "head state of the next automaton NFA" is merged with the "tail state of the current automaton NFA". For example: ab.
If the "current automaton NFA" is not empty, the "head state of the next automaton NFA" has an input edge and the "tail state of the current automaton NFA" has an output edge, then a null jump from the "tail state of the current automaton NFA" to the "head state of the next automaton NFA" is added. For example: a and b.
For the effect of the connection structure update, refer to fig. 5 and fig. 6. Fig. 5 is a schematic diagram of an NFA state relation network before the connection structure update, and fig. 6 is a schematic diagram of the NFA state relation network after the connection structure update.
As can be seen from fig. 5, the NFA state relation network is "a..b", and the state relation network includes three state relations: a. and b. In fig. 5, 0-4 are the states in the NFA state relation network; in fig. 6, 0-3 are the states in the NFA state relation network. The number in each circle is the number of the state, and the state numbers are determined by the particular NFA state relation network. Arrows represent jumps, i.e. jump edges. The dashed arrow in fig. 5 represents a null jump. 0 represents the head state, 3 in fig. 5 and 2 in fig. 6 represent the tail state, and [1] in the box represents the number of the regular expression. The letters abcd in brackets represent characters in the regular expression, and the number preceding each letter is the number of that character. 00-ff (-) represents the interval skip edge, i.e., prefix ".
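The four connection-update cases in a) can be exercised directly. The following Python code is an added example, not code from the patent: the names (Frag, lit, loop, concat_updated and so on), the ANY label for a 00-ff interval edge, the two sample patterns and the anchored whole-input matching are all assumptions made for illustration. It compares a connection that always inserts a null jump with the case-based update, and shows why the null jump must be kept when both the tail state has an output edge and the head state has an input edge.

```python
from dataclasses import dataclass
from itertools import count

EPS = None                    # label of a null (epsilon) jump
ANY = "ANY"                   # assumed label for an interval edge matching bytes 00-ff
new_state = count().__next__  # hands out unique state numbers


@dataclass
class Frag:
    """One NFA state relation: head state, tail state, edges (src, label, dst)."""
    head: int
    tail: int
    edges: set


def lit(byte):
    """Fragment for one literal byte: head --byte--> tail."""
    h, t = new_state(), new_state()
    return Frag(h, t, {(h, byte, t)})


def loop(label):
    """Single state with a self-loop; its head has an input edge, its tail an output edge."""
    s = new_state()
    return Frag(s, s, {(s, label, s)})


def has_input_edge(f, s):
    return any(dst == s for _, _, dst in f.edges)


def has_output_edge(f, s):
    return any(src == s for src, _, _ in f.edges)


def merge(cur, nxt):
    """Fuse nxt.head into cur.tail (which number survives is an arbitrary choice here)."""
    ren = lambda s: cur.tail if s == nxt.head else s
    edges = cur.edges | {(ren(a), lab, ren(b)) for a, lab, b in nxt.edges}
    return Frag(cur.head, ren(nxt.tail), edges)


def null_jump(cur, nxt):
    """Keep both fragments and link cur.tail -> nxt.head with a null jump."""
    return Frag(cur.head, nxt.tail, cur.edges | nxt.edges | {(cur.tail, EPS, nxt.head)})


def concat_plain(cur, nxt):
    """Connection without the update: always a null jump."""
    return nxt if cur is None else null_jump(cur, nxt)


def concat_updated(cur, nxt):
    """The four cases of the connection structure update."""
    if cur is None:                            # case 1: current NFA is empty
        return nxt
    if not has_input_edge(nxt, nxt.head):      # case 2: next head has no input edge
        return merge(cur, nxt)
    if not has_output_edge(cur, cur.tail):     # case 3: current tail has no output edge
        return merge(cur, nxt)
    return null_jump(cur, nxt)                 # case 4: both exist, keep a null jump


def concat_merge_always(cur, nxt):
    """Deliberately wrong variant: merges even in case 4."""
    return nxt if cur is None else merge(cur, nxt)


def build(parts, concat):
    frag = None
    for make in parts:
        frag = concat(frag, make())
    return frag


def stats(f):
    """Return (number of states, number of null jumps)."""
    states = {f.head, f.tail} | {a for a, _, _ in f.edges} | {b for _, _, b in f.edges}
    return len(states), sum(1 for _, lab, _ in f.edges if lab is EPS)


def eps_closure(f, states):
    seen, stack = set(states), list(states)
    while stack:
        s = stack.pop()
        for a, lab, b in f.edges:
            if a == s and lab is EPS and b not in seen:
                seen.add(b)
                stack.append(b)
    return seen


def matches(f, data):
    """Anchored match of the whole byte string against the fragment."""
    active = eps_closure(f, {f.head})
    for byte in data:
        step = {b for a, lab, b in f.edges if a in active and lab in (ANY, byte)}
        active = eps_closure(f, step)
    return f.tail in active


# Constructed sample patterns (not taken from the patent figures).
A_ANY_B = [lambda: lit(ord("a")), lambda: loop(ANY), lambda: lit(ord("b"))]
ASTAR_BSTAR = [lambda: loop(ord("a")), lambda: loop(ord("b"))]

if __name__ == "__main__":
    print("plain  :", stats(build(A_ANY_B, concat_plain)))
    print("updated:", stats(build(A_ANY_B, concat_updated)))
    print("a*b* updated accepts b'ba':", matches(build(ASTAR_BSTAR, concat_updated), b"ba"))
    print("a*b* merged  accepts b'ba':", matches(build(ASTAR_BSTAR, concat_merge_always), b"ba"))
```

Merging in case 4 would turn the second pattern into a single state with both loops, so a signature would match input it was never written for; the retained null jump is what keeps the order of the two fragments.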
b) The OR construction update is used for updating the OR construction operation of the "current automaton NFA" and the "next automaton NFA".
1. Head state update
If the "head state of the current automaton NFA" does not have an input edge and the "head state of the next automaton NFA" does not have an input edge, the "head state of the current automaton NFA" is merged with the "head state of the next automaton NFA". For example: a|b.
If the "head state of the current automaton NFA" does not have an input edge and the "head state of the next automaton NFA" does have an input edge, a null jump from the "head state of the current automaton NFA" to the "head state of the next automaton NFA" is added. For example: a|b.
If the "head state of the current automaton NFA" has an input edge and the "head state of the next automaton NFA" does not have an input edge, a null jump from the "head state of the next automaton NFA" to the "head state of the current automaton NFA" is added. For example: a|b.
If the "head state of the current automaton NFA" has an input edge and the "head state of the next automaton NFA" has an input edge, and the "head state of the current automaton NFA" can be merged with the "head state of the next automaton NFA", the "head state of the current automaton NFA" is merged with the "head state of the next automaton NFA". For example: a/b.
If the "head state of the current automaton NFA" has an input edge, the "head state of the next automaton NFA" has an input edge, and the "head state of the current automaton NFA" cannot be merged with the "head state of the next automaton NFA", a "new head state" is first created for the "current automaton NFA", then a null jump from the "new head state" to the "head state of the previous automaton NFA" is added, and then a null jump from the "new head state" to the "head state of the next automaton NFA" is added. For example: a|b.
2. Tail state update
If the "tail state of the current automaton NFA" does not have an output edge and the "tail state of the next automaton NFA" does not have an output edge, the "tail state of the current automaton NFA" is merged with the "tail state of the next automaton NFA". For example: a|b.
If the "tail state of the current automaton NFA" does not have an output edge and the "tail state of the next automaton NFA" does have an output edge, a null jump from the "tail state of the next automaton NFA" to the "tail state of the current automaton NFA" is added. For example: a|b.
If the "tail state of the current automaton NFA" has an output edge and the "tail state of the next automaton NFA" does not have an output edge, a null jump from the "tail state of the current automaton NFA" to the "tail state of the next automaton NFA" is added. For example: a|b.
If the "tail state of the current automaton NFA" has an output edge and the "tail state of the next automaton NFA" has an output edge, and the "tail state of the current automaton NFA" can be merged with the "tail state of the next automaton NFA", the "tail state of the current automaton NFA" is merged with the "tail state of the next automaton NFA". For example: a.|b...
If the "tail state of the current automaton NFA" has an output edge and the "tail state of the next automaton NFA" has an output edge and the "tail state of the current automaton NFA" cannot be merged with the "tail state of the next automaton NFA", a "new tail state" is created for the "current automaton NFA" first, then a null jump of the "tail state of the current automaton NFA" to the "new head state" is added, and then a null jump of the "tail state of the next automaton NFA" to the "new head state" is added. For example: a|b.
For the effect of the OR construction update, refer to fig. 7 and fig. 8. Fig. 7 is a schematic diagram of an NFA state relation network before the OR construction update, and fig. 8 is a schematic diagram of the NFA state relation network after the OR construction update.
c) The closure construct update is used to update the closure operation of the "current automaton NFA".
The "head state of the current automaton NFA" is merged with the "tail state of the current automaton NFA". For example: (ab).
For the effect of the closure structure update, refer to fig. 9 and fig. 10. Fig. 9 is a schematic diagram of an NFA state relation network before the closure structure update, and fig. 10 is a schematic diagram of the NFA state relation network after the closure structure update.
For step S41 and step S44, these steps are the same as steps S31 and S34 in the above embodiment, and are not described in detail here.
According to the network packet detection method provided by the embodiment of the invention, the jump relation update processing is carried out on the NFA state relation network, so that the jump states in the NFA state relation network are reduced, the utilization rate of the memory space is improved, the effective jump states of characters of the input network packet are reduced, the detection matching speed of the network packet is increased, and the aim of timely carrying out safety detection on the network packet is fulfilled.
In a further embodiment of the foregoing embodiment, the updated NFA state relation network is compiled into a DFA state relation network, the DFA state relation network detects the network packet to be detected to obtain a detection result, and the security type of the network packet to be detected is determined according to the detection result. Because the jump states in the NFA state relation network are reduced, the execution time of compiling the NFA into the DFA is reduced and the usage efficiency of the DFA is increased.
Fig. 11 shows a network packet detection apparatus according to an embodiment of the present invention, including an acquisition module 111 and a detection module 112, where:
the acquisition module 111 is configured to obtain a network packet to be detected;
the detection module 112 is configured to input the network packet to be detected into a pre-constructed updated NFA state relation network for detection, so as to obtain a detection result, where the updated NFA state relation network is obtained by performing jump relation update processing on an original NFA state relation network.
In a further embodiment of the foregoing embodiment, the apparatus further includes an update module configured to:
acquiring a plurality of regular expressions for detection, and compiling the regular expressions to obtain corresponding NFA state relation;
generating an original NFA state relation network according to the NFA state relation formula;
and performing jump relation update processing on the original NFA state relation network to obtain an updated NFA state relation network.
In a further embodiment of the foregoing embodiment, in the process of performing jump relation update processing on the original NFA state relation network to obtain an updated NFA state relation network, the update module is specifically configured for:
acquiring head state information and tail state information of each NFA state relation, wherein the head state information and the tail state information comprise an input edge list and an output edge list;
and performing jump relation update processing on the NFA state relation network according to the head state information and the tail state information of each NFA state relation to obtain an updated NFA state relation network.
In a further embodiment of the foregoing embodiment, in the process of performing jump relation update processing on the NFA state relation network according to the head state information and the tail state information of each NFA state relation to obtain an updated NFA state relation network, the update module is specifically configured for:
and carrying out connection structure update and/or closure structure update on the NFA state relation network according to the head state information and the tail state information of each NFA state relation to obtain the updated NFA state relation network.
In a further embodiment of the foregoing embodiment, in the process of performing the connection structure update on the NFA state relation network according to the head state information and the tail state information of each NFA state relation, the update module is specifically configured for:
determining two adjacent NFA state relations from each NFA state relation, and configuring the two adjacent NFA state relations into a current NFA state relation and a next NFA state relation;
determining that the current NFA state relation is non-empty, and if the head state information of the next NFA state relation does not have an input edge, merging the tail state information of the current NFA state relation with the head state information of the next NFA state relation;
If the tail state information of the current NFA state relation does not have an output edge, merging the head state information of the next NFA state relation with the tail state information of the current NFA state relation;
if the head state information of the next NFA state relation has an input edge and the tail state information of the current NFA state relation has an output edge, the tail state information of the current NFA state relation is added to the null jump of the head state information of the next NFA state relation.
In a further embodiment of the foregoing embodiment, in the process of performing the OR structure update on the NFA state relation network according to the head state information and the tail state information of each NFA state relation, the update module is specifically configured for:
determining two adjacent NFA state relations from each NFA state relation, and configuring the two adjacent NFA state relations into a current NFA state relation and a next NFA state relation;
if the head state information of the current NFA state relation does not have an input side and the head state information of the next NFA state relation does not have an input side, merging the head state information of the current NFA state relation with the head state information of the next NFA state relation;
If the head state information of the current NFA state relation does not have an input side and the head state information of the next NFA state relation has an input side, adding the head state information of the current NFA state relation to the empty jump of the head state information of the next NFA state relation;
if the head state information of the current NFA state relation has an input edge and the head state information of the next NFA state relation does not have an input edge, adding the head state information of the next NFA state relation to the empty jump of the head state information of the current NFA state relation;
if the head state information of the current NFA state relation has an input side, the head state information of the next NFA state relation has an input side, and the head state information of the current NFA state relation can be combined with the head state information of the next NFA state relation, combining the head state information of the current NFA state relation with the head state information of the next NFA state relation;
if the head state information of the current NFA state relation has an input side, the head state information of the next NFA state relation has an input side, and the head state information of the current NFA state relation cannot be combined with the head state information of the next NFA state relation, creating new head state information for the current NFA state relation, adding the new head state information to the null jump of the head state information of the previous NFA state relation, and adding the new head state information to the null jump of the head state information of the next NFA state relation;
If the tail state information of the current NFA state relation does not have an output edge and the tail state of the next NFA state relation does not have an output edge, combining the tail state information of the current NFA state relation with the tail state information of the next NFA state relation;
if the tail state information of the current NFA state relation does not have an output edge and the tail state of the next NFA state relation has an output edge, adding the tail state information of the next NFA state relation to the null jump of the tail state information of the current NFA state relation;
if the tail state information of the current NFA state relation has an output edge and the tail state of the next NFA state relation does not have an output edge, adding the tail state information of the current NFA state relation to the null jump of the tail state information of the next NFA state relation;
if the tail state information of the current NFA state relation has an output edge, the tail state of the next NFA state relation does not have an output edge, and the tail state information of the current NFA state relation can be combined with the tail state information of the next NFA state relation, the tail state information of the current NFA state relation is combined with the tail state information of the next NFA state relation;
If the tail state information of the current NFA state relation has an output edge, the tail state of the next NFA state relation does not have an output edge, and the tail state information of the current NFA state relation cannot be combined with the tail state information of the next NFA state relation, creating new tail state information for the current NFA state relation, adding the tail state information of the current NFA state relation to a null jump of the new tail state information, and adding the tail state information of the current NFA state relation to a null jump of the new tail state information for the next NFA state relation.
In a further embodiment of the foregoing embodiment, in the process of performing the closure structure update on the NFA state relation network according to the head state information and the tail state information of each NFA state relation, the update module is specifically configured for:
determining two adjacent NFA state relations from each NFA state relation, and configuring the two adjacent NFA state relations into a current NFA state relation and a next NFA state relation;
and if the closure state exists in the current NFA state relation and the next NFA state relation, merging the head state information of the current NFA state relation and the tail state information of the next NFA state relation.
In a further embodiment of the foregoing embodiment, the detection module is further configured to: compiling the updated NFA state relation network into a DFA state relation network, and enabling the DFA state relation network to detect the network packet to be detected to obtain a detection result.
Since the apparatus according to the embodiment of the present invention is the same as the method according to the above embodiment, the details of the explanation will not be repeated here.
It should be noted that, in the embodiment of the present invention, the related functional modules may be implemented by a hardware processor.
According to the network packet detection device provided by the embodiment of the invention, the jump relation update processing is carried out on the NFA state relation network, so that the jump states in the NFA state relation network are reduced, the utilization rate of the memory space is improved, the effective jump states of characters of the input network packet are reduced, the detection matching speed of the network packet is increased, and the aim of timely carrying out safety detection on the network packet is fulfilled.
Fig. 12 illustrates a physical structure diagram of an electronic device. As shown in fig. 12, the electronic device may include: a processor 121, a communication interface 122, a memory 123 and a communication bus 124, wherein the processor 121, the communication interface 122 and the memory 123 communicate with each other through the communication bus 124. The processor 121 may call logic instructions in the memory 123 to perform the following method: acquiring a network packet to be detected; and inputting the network packet to be detected into a pre-constructed updated NFA state relation network for detection to obtain a detection result, wherein the updated NFA state relation network is obtained by performing jump relation update processing on an original NFA state relation network.
Further, the logic instructions in the memory 123 described above may be implemented in the form of software functional units and may be stored in a computer readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
Embodiments of the present invention also provide a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the methods provided by the above embodiments, for example comprising: acquiring a network packet to be detected; and inputting the network packet to be detected into a pre-constructed updated NFA state relation network for detection to obtain a detection result, wherein the updated NFA state relation network is obtained by performing jump relation update processing on an original NFA state relation network.
Embodiments of the present invention also provide a computer program product comprising computer executable instructions which, when executed, perform the methods provided by the above embodiments, for example comprising: acquiring a network packet to be detected; and inputting the network packet to be detected into a pre-constructed updated NFA state relation network for detection to obtain a detection result, wherein the updated NFA state relation network is obtained by performing jump relation update processing on an original NFA state relation network.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (9)

1. A method for detecting a network packet, comprising:
acquiring a network packet to be detected;
inputting the network packet to be detected into a pre-constructed updated NFA state relation network for detection to obtain a detection result, wherein the updated NFA state relation network is obtained by performing jump relation update processing on an original NFA state relation network, wherein,
the step of obtaining the updated NFA state relation network includes:
acquiring a plurality of regular expressions for detection, and compiling the regular expressions to obtain corresponding NFA state relation;
generating an original NFA state relation network according to the NFA state relation formula;
performing jump relation update processing on the original NFA state relation network to obtain an updated NFA state relation network, wherein performing the jump relation update processing on the original NFA state relation network to obtain the updated NFA state relation network includes:
acquiring head state information and tail state information of each NFA state relation, wherein the head state information and the tail state information comprise an input edge list and an output edge list;
and performing jump relation update processing on the NFA state relation network according to the head state information and the tail state information of each NFA state relation to obtain an updated NFA state relation network.
2. The network packet detection method according to claim 1, wherein the performing jump relation update processing on the NFA state relation network according to the head state information and the tail state information of each NFA state relation to obtain an updated NFA state relation network includes:
performing a connection structure update and/or an OR structure update and/or a closure structure update on the NFA state relation network according to the head state information and the tail state information of each NFA state relation to obtain an updated NFA state relation network, wherein the connection structure update optimizes the connection operations between the NFA state relations according to the head state information and the tail state information of each NFA state relation; the OR structure update optimizes the OR operations between the NFA state relations according to the head state information and the tail state information of each NFA state relation; the closure structure update optimizes the closure operations between the NFA state relations according to the head state information and the tail state information of each NFA state relation.
3. The network packet detection method of claim 2, wherein performing the connection structure update on the NFA state relation network according to the head state information and the tail state information of each NFA state relation comprises:
determining two adjacent NFA state relations from each NFA state relation, and configuring the two adjacent NFA state relations into a current NFA state relation and a next NFA state relation;
determining that the current NFA state relation is non-empty, and if the head state information of the next NFA state relation does not have an input edge, merging the tail state information of the current NFA state relation with the head state information of the next NFA state relation;
if the tail state information of the current NFA state relation does not have an output edge, merging the head state information of the next NFA state relation with the tail state information of the current NFA state relation;
if the head state information of the next NFA state relation has an input edge and the tail state information of the current NFA state relation has an output edge, the tail state information of the current NFA state relation is added to the null jump of the head state information of the next NFA state relation.
4. The network packet detection method of claim 3, wherein performing the OR structure update on the NFA state relation network according to the head state information and the tail state information of each NFA state relation comprises:
Determining two adjacent NFA state relations from each NFA state relation, and configuring the two adjacent NFA state relations into a current NFA state relation and a next NFA state relation;
if the head state information of the current NFA state relation does not have an input side and the head state information of the next NFA state relation does not have an input side, merging the head state information of the current NFA state relation with the head state information of the next NFA state relation;
if the head state information of the current NFA state relation does not have an input side and the head state information of the next NFA state relation has an input side, adding the head state information of the current NFA state relation to the empty jump of the head state information of the next NFA state relation;
if the head state information of the current NFA state relation has an input edge and the head state information of the next NFA state relation does not have an input edge, adding the head state information of the next NFA state relation to the empty jump of the head state information of the current NFA state relation;
if the head state information of the current NFA state relation has an input side, the head state information of the next NFA state relation has an input side, and the head state information of the current NFA state relation can be combined with the head state information of the next NFA state relation, combining the head state information of the current NFA state relation with the head state information of the next NFA state relation;
If the head state information of the current NFA state relation has an input side, the head state information of the next NFA state relation has an input side, and the head state information of the current NFA state relation cannot be combined with the head state information of the next NFA state relation, creating new head state information for the current NFA state relation, adding the new head state information to the null jump of the head state information of the previous NFA state relation, and adding the new head state information to the null jump of the head state information of the next NFA state relation;
if the tail state information of the current NFA state relation does not have an output edge and the tail state of the next NFA state relation does not have an output edge, combining the tail state information of the current NFA state relation with the tail state information of the next NFA state relation;
if the tail state information of the current NFA state relation does not have an output edge and the tail state of the next NFA state relation has an output edge, adding the tail state information of the next NFA state relation to the null jump of the tail state information of the current NFA state relation;
if the tail state information of the current NFA state relation has an output edge and the tail state of the next NFA state relation does not have an output edge, adding the tail state information of the current NFA state relation to the null jump of the tail state information of the next NFA state relation;
If the tail state information of the current NFA state relation has an output edge, the tail state of the next NFA state relation does not have an output edge, and the tail state information of the current NFA state relation can be combined with the tail state information of the next NFA state relation, the tail state information of the current NFA state relation is combined with the tail state information of the next NFA state relation;
if the tail state information of the current NFA state relation has an output edge, the tail state of the next NFA state relation does not have an output edge, and the tail state information of the current NFA state relation cannot be combined with the tail state information of the next NFA state relation, creating new tail state information for the current NFA state relation, adding the tail state information of the current NFA state relation to a null jump of the new tail state information, and adding the tail state information of the current NFA state relation to a null jump of the new tail state information for the next NFA state relation.
5. The network packet detection method of claim 4, wherein performing the closure structure update on the NFA state relation network according to the head state information and the tail state information of each NFA state relation comprises:
Determining two adjacent NFA state relations from each NFA state relation, and configuring the two adjacent NFA state relations into a current NFA state relation and a next NFA state relation;
and if the closure state exists in the current NFA state relation and the next NFA state relation, merging the head state information of the current NFA state relation and the tail state information of the next NFA state relation.
6. The network packet detection method of claim 1, further comprising: compiling the updated NFA state relation network into a DFA state relation network, and enabling the DFA state relation network to detect the network packet to be detected to obtain a detection result.
7. A network packet inspection apparatus, comprising:
the acquisition module is used for acquiring the network packet to be detected;
the detection module is used for inputting the network packet to be detected into a pre-constructed updated NFA state relation network for detection to obtain a detection result, wherein the updated NFA state relation network is obtained by performing jump relation update processing on an original NFA state relation network;
the updating module is used for acquiring a plurality of regular expressions for detection, and compiling the regular expressions to obtain corresponding NFA state relations; generating an original NFA state relation network according to the NFA state relations; and performing jump relation update processing on the original NFA state relation network to obtain an updated NFA state relation network, wherein the updating module is specifically used for: acquiring head state information and tail state information of each NFA state relation, wherein the head state information and the tail state information comprise an input edge list and an output edge list; and performing jump relation update processing on the NFA state relation network according to the head state information and the tail state information of each NFA state relation to obtain an updated NFA state relation network.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the network packet detection method of any one of claims 1 to 6 when the program is executed by the processor.
9. A non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor, implements the steps of the network packet detection method according to any of claims 1 to 6.
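The head/tail handling of claims 4 and 5 and the DFA compilation of claim 6 can be illustrated with a small sketch. This is an added example, not code from the patent; it assumes literal signatures only, reduces the "can be combined" test to "the tail has no output edge", and all names (build_network, to_dfa, detect, SIGS) are hypothetical.

```python
from collections import defaultdict

EPS, OTHER, HEAD, TAIL = None, -1, 0, 1  # null jump, "any other byte", merged head/tail
SIGS = [(b"union select", False), (b"cmd.exe", False), (b"%00", True)]  # constructed

def build_network(patterns):
    # patterns: [(non-empty literal, tail_has_output_edge)]; True models e.g. '%00+'
    edges, n = defaultdict(list), 2
    alphabet = {OTHER} | {b for lit, _ in patterns for b in lit}
    edges[HEAD] = [(a, HEAD) for a in alphabet]      # unanchored search over the payload
    for lit, tail_loops in patterns:
        cur = HEAD                                   # heads merged: chains leave HEAD directly
        for b in (lit if tail_loops else lit[:-1]):
            edges[cur].append((b, n))
            cur, n = n, n + 1
        if tail_loops:   # tail with an output edge keeps its own state, null jump to TAIL
            edges[cur] += [(lit[-1], cur), (EPS, TAIL)]
        else:            # tail without an output edge is merged into the shared TAIL
            edges[cur].append((lit[-1], TAIL))
    return edges, n, alphabet

def closure(edges, states):                          # states reachable via null jumps only
    stack, seen = list(states), set(states)
    while stack:
        for label, dst in edges[stack.pop()]:
            if label is EPS and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return frozenset(seen)

def to_dfa(edges, alphabet):                         # subset construction
    start = closure(edges, {HEAD})
    dfa, todo = {}, [start]
    while todo:
        cur = todo.pop()
        if cur not in dfa:
            move = lambda a: {d for s in cur for lab, d in edges[s] if lab == a}
            dfa[cur] = {a: closure(edges, move(a)) for a in alphabet}
            todo.extend(dfa[cur].values())
    return dfa, start

EDGES, N_STATES, ALPHABET = build_network(SIGS)
DFA, START = to_dfa(EDGES, ALPHABET)

def detect(payload):                                 # one table lookup per payload byte
    cur = START
    for b in payload:
        cur = DFA[cur][b if b in ALPHABET else OTHER]
        if TAIL in cur:
            return True
    return False
```

Merging the tails this way reports that some signature matched but not which one; an engine that must name the matching rule has to keep per-rule accepting information.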
CN202010033497.2A 2020-01-13 2020-01-13 Network packet detection method and device Active CN111259122B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010033497.2A CN111259122B (en) 2020-01-13 2020-01-13 Network packet detection method and device

Publications (2)

Publication Number Publication Date
CN111259122A CN111259122A (en) 2020-06-09
CN111259122B CN111259122B (en) 2023-07-25

Family

ID=70944057

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010033497.2A Active CN111259122B (en) 2020-01-13 2020-01-13 Network packet detection method and device

Country Status (1)

Country Link
CN (1) CN111259122B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114896469A (en) * 2022-04-29 2022-08-12 阿里巴巴(中国)有限公司 Regular expression engine construction method and device, storage medium and equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103259793A (en) * 2013-05-02 2013-08-21 东北大学 Method for inspecting deep packets based on suffix automaton regular engine structure
CN106487803A (en) * 2016-11-10 2017-03-08 深圳市任子行科技开发有限公司 Pattern matching algorithm and system for big flow Network Intrusion Detection System

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004072797A2 (en) * 2003-02-07 2004-08-26 Safenet, Inc. System and method for determining the start of a match of a regular expression
US10242125B2 (en) * 2013-12-05 2019-03-26 Entit Software Llc Regular expression matching

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张巍; 陈佼; 赵美凯. Improvement of a regular expression matching algorithm in deep packet inspection. 现代电子技术 (Modern Electronics Technique). 2015, (05), full text. *

Also Published As

Publication number Publication date
CN111259122A (en) 2020-06-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: QAX Technology Group Inc.

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant