CN113347173B - Packet filtering method and device and electronic equipment - Google Patents

Packet filtering method and device and electronic equipment

Info

Publication number: CN113347173B
Application number: CN202110599715.3A
Authority: CN (China)
Prior art keywords: rule, bit, node, target, valid
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113347173A
Inventor: 王洋
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00 Computing arrangements using knowledge-based models
    • G06N5/01 Dynamic search techniques; Heuristics; Dynamic trees; Branch-and-bound

Abstract

The embodiment of the invention provides a packet filtering method and device and electronic equipment. Wherein the method comprises the following steps: analyzing a message to be processed to obtain a binary code corresponding to the message to be processed; searching a target leaf node hit by the binary code in a rule decision tree according to the binary code corresponding to the message to be processed and the pre-constructed rule decision tree; extracting a code of a valid bit in the binary code to obtain a valid code, wherein the valid bit is a bit which does not participate in path calculation from a root node of the rule decision tree to the target leaf node; determining a target rule from each rule corresponding to the target leaf node as a hit rule of the message to be processed, wherein the value of the target rule on the valid bit is matched with the valid code; and processing the message to be processed according to the hit rule of the message to be processed. The efficiency of packet filtering can be effectively improved.

Description

Packet filtering method and device and electronic equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a packet filtering method and apparatus, and an electronic device.
Background
For example, in some application scenarios, in order to prevent malicious attacks from an illegal user, the network device may discard a packet whose source IP address is a specific address. For another example, in some application scenarios, the network device may modify, in a preset manner, a packet whose source port number is a specific port number.
Therefore, after receiving the message, the network device may determine a rule hit by the message according to characteristics of the message, such as a source IP address, a destination IP address, a source port number, a destination port number, and the like, and process the message according to a processing mode corresponding to the hit rule, thereby implementing different processing modes for different messages. This process is referred to herein as packet filtering.
In the related art, in order to shorten the time consumed for determining the rule hit by the message, the rules can be screened by means of a rule decision tree, so that one or more rules possibly matching the characteristics of the message are screened out of all the rules, and the screened rules are then matched bit by bit against the characteristics of the message to determine the rule hit by the message.
However, the bit number of the feature of the packet is often large, so the time consumed by bit-by-bit matching is long, and the efficiency of packet filtering is low.
Disclosure of Invention
The embodiment of the invention aims to provide a packet filtering method, a packet filtering device and electronic equipment so as to improve the efficiency of packet filtering. The specific technical scheme is as follows:
In a first aspect of embodiments of the present invention, there is provided a packet filtering method, including:
analyzing a message to be processed to obtain a binary code corresponding to the message to be processed;
searching a target leaf node hit by the binary code in a rule decision tree according to the binary code corresponding to the message to be processed and the pre-constructed rule decision tree;
extracting a code of a valid bit in the binary code to obtain a valid code, wherein the valid bit is a bit which does not participate in path calculation from a root node of the rule decision tree to the target leaf node;
determining a target rule from each rule corresponding to the target leaf node as a hit rule of the message to be processed, wherein the value of the target rule on the valid bit is matched with the valid code;
and processing the message to be processed according to the hit rule of the message to be processed.
In a possible embodiment, the rule decision tree is constructed in advance in the following manner:
determining whether the number of rules corresponding to the current node is more than a rule number threshold, wherein the current node is a root node initially;
if so, dividing all the rules corresponding to the current node into a plurality of rule groups according to the values of the target bits corresponding to the current node, wherein the target bits corresponding to the current node are different from the target bits corresponding to any ancestor node of the current node, and the values of any two rules of each rule group on the target bits corresponding to the current node are matched;
for each rule group in the multiple rule groups, creating a new node as a child node of a current node, and taking a rule in the rule group as a rule corresponding to the new node;
if not, the current node is determined to be a leaf node.
In a possible embodiment, before dividing all rules corresponding to the current node into a plurality of rule groups according to the value of the target bit corresponding to the current node, the method further includes:
calculating, for each candidate bit, a first discrete value of the candidate bit, wherein the candidate bit is different from the target bit corresponding to any ancestor node of the current node, and the first discrete value is used for expressing the degree of dispersion between 0 and 1 of the values of the rules corresponding to the current node on the candidate bit;
and selecting the candidate bit with the highest first discrete value as the target bit of the current node.
In a possible embodiment, before dividing all rules corresponding to the current node into a plurality of rule groups according to the value of the target bit corresponding to the current node, the method further includes:
determining whether values of all rules corresponding to the current node on the target bit are matched or not;
if so, calculating a second discrete value of each candidate bit, wherein the second discrete value is used for expressing the discrete degree of the value of the rule corresponding to the current node on the candidate bit between the wildcard character and the non-wildcard character;
and selecting the candidate bit with the highest second discrete value as a new target bit of the current node.
In a possible embodiment, said calculating, for each candidate bit, a second discrete value of the candidate bit comprises:
and calculating the product of a first number and a second number aiming at each candidate bit to obtain a second discrete value, wherein the first number is the number of rules taking the value of the candidate bit as a wildcard in the rule corresponding to the current node, and the second number is the number of rules taking the value of the candidate bit as a non-wildcard in the rule corresponding to the current node.
In a possible embodiment, after calculating, for each candidate bit, the product of the first number and the second number, resulting in the second discrete value, the method further comprises:
and if the second discrete values of all the candidate bits are 0, determining the current node as a leaf node, and modifying the rule corresponding to the current node into the rule with the highest priority in all the rules originally corresponding to the current node.
In a possible embodiment, the method further comprises:
if the second discrete values of all the candidate bits are 0 and the values of the rule with the highest priority in all the rules corresponding to the current node on all the candidate bits are wildcards, marking the current node;
after searching a target leaf node hit by the binary code in the rule decision tree according to the binary code corresponding to the message to be processed and a pre-constructed rule decision tree, the method further comprises:
determining whether the target leaf node is marked;
if the target leaf node is marked, taking a rule corresponding to the target leaf node as a hit rule of the message to be processed;
the extracting a code of a valid bit in the binary code to obtain a valid code includes:
if the target leaf node is not marked, extracting the code of the valid bit in the binary code to obtain the valid code.
In a possible embodiment, the extracting a code of a valid bit in the binary code to obtain a valid code includes:
extracting, for each rule corresponding to the target leaf node, the codes of the non-wildcard valid bits in the binary code to obtain a valid code corresponding to the rule, wherein a non-wildcard valid bit is a valid bit that satisfies the following condition: the value of the rule on the valid bit is a non-wildcard;
the determining a target rule from the rules corresponding to the target leaf node, as a rule for the message to be processed to hit, includes:
determining whether the value of the rule on the non-wildcard valid bit is matched with the valid code corresponding to the rule or not according to each rule corresponding to the target leaf node;
and if the value of the rule on the non-wildcard valid bit is matched with the valid code corresponding to the rule, determining the rule as the hit rule of the message to be processed.
In a possible embodiment, the determining, for each rule corresponding to the target leaf node, whether a value of the rule in the non-wildcard valid bit matches a valid code corresponding to the rule includes:
aiming at each rule corresponding to the target leaf node, carrying out XOR operation on the value of the rule on the non-wildcard valid bit and the valid code corresponding to the rule to obtain an operation result;
if the operation result is 0, determining that the value of the rule on the non-wildcard valid bit is matched with the valid code corresponding to the rule;
and if the operation result is not 0, determining that the value of the rule on the non-wildcard valid bit is not matched with the valid code corresponding to the rule.
In a second aspect of embodiments of the present invention, there is provided a packet filtering device, the device comprising:
the message analysis module is used for analyzing the message to be processed to obtain the binary code corresponding to the message to be processed;
the decision tree searching module is used for searching a target leaf node hit by the binary code in a rule decision tree according to the binary code corresponding to the message to be processed and the pre-constructed rule decision tree, wherein each leaf node in the rule decision tree corresponds to at least one rule;
the code extraction module is used for extracting a code of a valid bit in the binary code to obtain a valid code, wherein the valid bit is a bit which does not participate in path calculation from the root node of the rule decision tree to the target leaf node;
a rule hit module, configured to determine a target rule from rules corresponding to the target leaf node, where a value of the target rule on the valid bit matches the valid code, and the target rule is used as a hit rule of the to-be-processed packet;
and the message processing module is used for processing the message to be processed according to the hit rule of the message to be processed.
In a possible embodiment, the apparatus further includes a decision tree construction module for constructing a rule decision tree in advance according to the following manner:
determining whether the number of rules corresponding to the current node is more than a rule number threshold, wherein the current node is a root node initially;
if so, dividing all the rules corresponding to the current node into a plurality of rule groups according to the values of the target bits corresponding to the current node, wherein the target bits corresponding to the current node are different from the target bits corresponding to any ancestor node of the current node, and the values of any two rules of each rule group on the target bits corresponding to the current node are matched;
for each rule group in the multiple rule groups, creating a new node as a child node of a current node, and taking a rule in the rule group as a rule corresponding to the new node;
if not, the current node is determined to be a leaf node.
In a possible embodiment, the decision tree construction module is further configured to calculate, for each candidate bit, a first discrete value of the candidate bit, where the candidate bit is different from the target bit corresponding to any ancestor node of the current node, and the first discrete value is used to indicate the degree of dispersion between 0 and 1 of the values of the rules corresponding to the current node on the candidate bit;
and selecting the candidate bit with the highest first discrete value as the target bit of the current node.
In a possible embodiment, the decision tree construction module is further configured to determine whether values of all rules corresponding to the current node on the target bit match;
if so, calculating a second discrete value of each candidate bit, wherein the second discrete value is used for expressing the discrete degree of the value of the rule corresponding to the current node on the candidate bit between the wildcard character and the non-wildcard character;
and selecting the candidate bit with the highest second discrete value as a new target bit of the current node.
In a possible embodiment, the decision tree construction module is specifically configured to calculate, for each candidate bit, a product of a first number and a second number to obtain a second discrete value, where the first number is the number of rules whose values on the candidate bit are wildcards in a rule corresponding to the current node, and the second number is the number of rules whose values on the candidate bit are non-wildcards in a rule corresponding to the current node.
In a possible embodiment, the decision tree construction module is further configured to determine the current node as a leaf node if the second discrete values of all the candidate bits are 0, and modify the rule corresponding to the current node to a rule with the highest priority among all the rules originally corresponding to the current node.
In a possible embodiment, the decision tree construction module is further configured to mark the current node if the second discrete values of all candidate bits are 0, and values of a rule with the highest priority in all rules corresponding to the current node on all candidate bits are wildcards;
the rule hit module is further configured to determine whether the target leaf node is marked;
if the target leaf node is marked, taking a rule corresponding to the target leaf node as a hit rule of the message to be processed;
the code extraction module is specifically configured to extract a code of a valid bit in the binary code to obtain a valid code if the target leaf node is not marked.
In a possible embodiment, the code extracting module is specifically configured to, for each rule corresponding to the target leaf node, extract the codes of the non-wildcard valid bits in the binary code to obtain a valid code corresponding to the rule, where a non-wildcard valid bit is a valid bit that satisfies the following condition: the value of the rule on the valid bit is a non-wildcard;
the rule hit module is specifically configured to determine, for each rule corresponding to a target leaf node, whether a value of the rule on a non-wildcard valid bit matches a valid code corresponding to the rule;
and if the value of the rule on the non-wildcard valid bit is matched with the valid code corresponding to the rule, determining the rule as the hit rule of the message to be processed.
In a possible embodiment, the rule hit module is specifically configured to perform, for each rule corresponding to a target leaf node, an exclusive or operation on a value of the rule on a non-wildcard valid bit and a valid code corresponding to the rule to obtain an operation result;
if the operation result is 0, determining that the value of the rule on the non-wildcard valid bit is matched with the valid code corresponding to the rule;
and if the operation result is not 0, determining that the value of the rule on the non-wildcard valid bit is not matched with the valid code corresponding to the rule.
In a third aspect of embodiments of the present invention, there is provided an electronic device, including:
a memory for storing a computer program;
a processor adapted to perform the method steps of any of the above first aspects when executing a program stored in the memory.
In a fourth aspect of embodiments of the present invention, a computer-readable storage medium is provided, in which a computer program is stored, which, when being executed by a processor, carries out the method steps of any one of the above-mentioned first aspects.
The embodiment of the invention has the following beneficial effects:
the packet filtering method, the packet filtering device and the electronic device provided by the embodiments of the invention effectively shorten the length of the code that has to be matched against the rules by extracting the valid code. Because every bit of the binary code other than the valid bits has already participated in the path calculation from the root node to the target leaf node, the codes on those bits necessarily match every rule corresponding to the target leaf node, so they cannot help to single out the rule hit by the message to be processed from the rules corresponding to the target leaf node. Removing this invalid calculation reduces the amount of computation needed to determine the rule hit by the message to be processed, which improves the efficiency of that determination and thus effectively improves the efficiency of packet filtering.
Of course, not all of the advantages described above need to be achieved at the same time in the practice of any one product or method of the invention.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other embodiments can be obtained by referring to these drawings.
FIG. 1 is a schematic flow chart of a packet filtering method according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a method for constructing a rule decision tree according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a rule decision tree according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of another method for constructing a rule decision tree according to an embodiment of the present invention;
FIG. 5 is a schematic flow chart of another packet filtering method according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a packet filtering apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived from the embodiments given herein by one of ordinary skill in the art, are within the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic flow chart of a packet filtering method according to an embodiment of the present invention, which may include:
S101, analyzing the message to be processed to obtain the binary code corresponding to the message to be processed.
S102, searching a target leaf node hit by the binary code in the rule decision tree according to the binary code corresponding to the message to be processed and the pre-constructed rule decision tree.
S103, extracting the code of the valid bit in the binary code to obtain the valid code, wherein the valid bit is a bit which does not participate in the path calculation from the root node of the rule decision tree to the target leaf node.
S104, determining a target rule from each rule corresponding to the target leaf node as a hit rule of the message to be processed, wherein the value of the target rule on the valid bit is matched with the valid code.
S105, processing the message to be processed according to the hit rule of the message to be processed.
By adopting this embodiment, extracting the valid code effectively shortens the length of the code that has to be matched against the rules. Because every bit of the binary code other than the valid bits has already participated in the path calculation from the root node to the target leaf node, the codes on those bits necessarily match every rule corresponding to the target leaf node, so they cannot help to single out the rule hit by the message to be processed from the rules corresponding to the target leaf node. Removing this invalid calculation reduces the amount of computation needed to determine the rule hit by the message to be processed, which improves the efficiency of that determination and effectively improves the efficiency of packet filtering.
In S101, the binary code corresponding to the message to be processed is used to represent the feature of the message to be processed, in other words, the binary code may be regarded as the feature of the message to be processed represented in a binary form. The characteristics of the message to be processed include, but are not limited to, the following: source IP address, destination IP address, source port number, destination port number.
In S102, each leaf node in the rule decision tree may or may not correspond to one or more rules. The rule decision tree may be constructed in any manner; its construction is described in detail below.
The process of searching for the target leaf node in the rule decision tree may be as follows: starting from the root node, path calculation is performed according to the value of the binary code on the bit corresponding to the currently searched node and the path calculation rule of that node, the next node is determined from the child nodes of the currently searched node, and the search continues at the next node until the determined next node is a leaf node, which is then determined to be the target leaf node hit by the binary code. A leaf node is a node in the rule decision tree that has no child node.
In S103, the root node is a node in the rule decision tree where no parent node exists, and for convenience of description, nodes other than the target leaf node on the path from the root node to the target leaf node are referred to as ancestor nodes of the target leaf node.
Assume that the bits involved in the path computation from the root node to the target leaf node include: bit 0, bit 1, bit 2, and bit 5, and assuming that the binary code includes 6 bits, denoted as bits 0-5, the valid bits are bit 3 and bit 4.
In S104, it can be understood that if a bit participated in the path calculation from the root node to the target leaf node, the rules were already screened by the code of that bit while the target leaf node was being searched. The rules corresponding to the target leaf node can therefore be regarded as the rules obtained by screening with the code of that bit; that is, the values of all rules corresponding to the target leaf node on that bit match the code of that bit in the binary code. Continuing to use the code of that bit cannot narrow the rules corresponding to the target leaf node down any further, so the code of that bit can be ignored when matching the rules.
If, among all rules corresponding to the target leaf node, only one rule's value on the valid bits matches the valid code, that rule is taken as the hit rule of the message to be processed. If the values of several rules on the valid bits match the valid code, the rule with the highest priority among them is taken as the hit rule of the message to be processed. If the value of no rule on the valid bits matches the valid code, it is determined that the message to be processed hits no rule.
In S105, the processing mode corresponding to the hit rule of the message to be processed may be determined, and the message to be processed is processed in that mode. For example, if the hit rule of the message to be processed is rule 1 and the processing mode corresponding to rule 1 is discarding, the message to be processed may be discarded.
The message to be processed may hit none of the rules from which the rule decision tree was constructed. In that case the result of S104 is that the values of all rules corresponding to the target leaf node on the valid bits fail to match the valid code, that is, there is no rule hit by the message to be processed, and the message to be processed may then be processed according to a preset default processing mode.
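The lookup side of steps S101 to S105, including the XOR comparison on the non-wildcard valid bits described in the first-aspect summary above, as an added Python example that is not code from the patent or from the assignee. The rule decision tree is built by hand here for five constructed rules over a 6-bit binary code (construction by S201 to S205 is a separate matter); the message field layout used by `encode_message`, the rule priorities and actions, and the default processing mode `DEFAULT_ACTION` are all constructed assumptions. The lookup walks the tree on each node's target bit, treats the bits not used on the path as the valid bits, and for each rule of the target leaf node XORs only its non-wildcard valid bits against the corresponding code bits; among the hit rules the highest priority wins, and no hit falls through to the default mode.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    pattern: str      # one character per bit of the binary code: '0', '1' or '*' (wildcard)
    priority: int     # higher value wins when several rules hit
    action: str


@dataclass
class Node:
    rules: List[Rule]
    target_bit: Optional[int] = None                            # bit used for path calculation here
    children: Dict[str, "Node"] = field(default_factory=dict)   # '0' / '1' -> child node
    marked: bool = False       # leaf whose single rule is wildcard on every valid bit


DEFAULT_ACTION = "default_drop"   # assumption: preset default processing mode when no rule hits


def encode_message(msg: dict) -> str:
    """S101 analogue with an assumed layout: 2-bit source zone, 1-bit protocol, 3-bit port class."""
    return f"{msg['src_zone']:02b}{msg['proto']:01b}{msg['dst_port_class']:03b}"


def find_leaf(root: Node, code: str) -> Tuple[Optional[Node], List[int]]:
    """S102: from the root, choose the child by the code's value on each node's target bit.
    Returns the target leaf node and the bits that participated in the path calculation."""
    node, path_bits = root, []
    while node.children:
        path_bits.append(node.target_bit)
        node = node.children.get(code[node.target_bit])
        if node is None:                   # no rule group for this value: nothing can hit
            return None, path_bits
    return node, path_bits


def rule_hits(rule: Rule, code: str, valid_bits: List[int]) -> bool:
    """S103/S104: compare only the rule's non-wildcard valid bits; XOR of 0 means they match."""
    bits = [b for b in valid_bits if rule.pattern[b] != "*"]
    if not bits:                           # wildcard everywhere that still matters
        return True
    rule_value = int("".join(rule.pattern[b] for b in bits), 2)
    valid_code = int("".join(code[b] for b in bits), 2)     # valid code for this rule
    return (rule_value ^ valid_code) == 0


def hit_rule(root: Node, code: str) -> Optional[Rule]:
    leaf, path_bits = find_leaf(root, code)
    if leaf is None:
        return None
    if leaf.marked:                        # marked leaf: its rule needs no further comparison
        return leaf.rules[0]
    valid_bits = [b for b in range(len(code)) if b not in path_bits]
    hits = [r for r in leaf.rules if rule_hits(r, code, valid_bits)]
    return max(hits, key=lambda r: r.priority) if hits else None


def classify(root: Node, msg: dict) -> str:
    """S105: the action of the hit rule, or the default processing mode when nothing hits."""
    rule = hit_rule(root, encode_message(msg))
    return rule.action if rule else DEFAULT_ACTION


# Constructed rule set; the tree below was built by hand so that every rule of a leaf
# matches the path leading to it (root splits on bit 0, its left child on bit 2).
A = Rule("A", "001***", 3, "drop")
B = Rule("B", "0*1*1*", 4, "modify")
C = Rule("C", "00011*", 1, "allow")
D = Rule("D", "1****0", 1, "drop")
E = Rule("E", "*10***", 2, "allow")

TREE = Node(rules=[A, B, C, D, E], target_bit=0, children={
    "0": Node(rules=[A, B, C, E], target_bit=2, children={
        "0": Node(rules=[C, E]),
        "1": Node(rules=[A, B]),
    }),
    "1": Node(rules=[D, E]),
})

if __name__ == "__main__":
    for msg in ({"src_zone": 0, "proto": 1, "dst_port_class": 4},
                {"src_zone": 0, "proto": 1, "dst_port_class": 6},
                {"src_zone": 2, "proto": 0, "dst_port_class": 1}):
        print(encode_message(msg), classify(TREE, msg))
```

For the code `001100` the path uses bits 0 and 2, so bits 1, 3, 4 and 5 are the valid bits; rule A is compared on bit 1 only and hits, while rule B fails on bit 4. The code `100001` reaches the leaf holding D and E but matches neither, which is the case the text covers with the default processing mode.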
For more clearly explaining the packet filtering method provided by the embodiment of the present invention, the following description is given to the construction of the rule decision tree, and referring to fig. 2, fig. 2 is a schematic flow chart of the construction method of the rule decision tree provided by the embodiment of the present invention, and the schematic flow chart may include:
S201, determining whether the number of rules corresponding to the current node is greater than a rule number threshold; if so, executing S202, and if not, executing S204.
The current node is the root node initially, and the rules corresponding to the root node are all the rules. The rule number threshold may be set according to actual requirements, for example to 3 or 4.
S202, dividing all rules corresponding to the current node into a plurality of rule groups according to the values on the target bit corresponding to the current node.
The target bit corresponding to the current node is different from the target bit corresponding to any ancestor node of the current node. For example, assuming that the current node has two ancestor nodes whose target bits are bit 0, bit 1 and bit 3, the target bit of the current node may be one or more bits other than bit 0, bit 1 and bit 3.
The values of any two rules in the same rule group on the target bit corresponding to the current node should match. The value of any bit of a rule may be 0, 1 or a wildcard; 0 matches 0 and the wildcard, and 1 matches 1 and the wildcard. That is, the values of two rules on the target bit match if they form any of the following combinations: (0, 0), (1, 1), (0, wildcard), (1, wildcard), (wildcard, wildcard).
For example, assume that the current node corresponds to a total of 3 rules, which are respectively denoted as rule 0, rule 1, and rule 2. And assuming that there is only one target bit, the value of rule 0 on the target bit is 0, the value of rule 1 on the target bit is 1, and the value of rule 2 on the target bit is a wildcard, the rule of the current node can be divided into two rule groups, namely { rule 0, rule 2} and { rule 1, rule 2} according to the value of the target bit.
It can be understood that, because the number of rules corresponding to the current node is large, if the current node were determined to be a leaf node, the number of rules corresponding to the target leaf node could be large. The more rules a target leaf node corresponds to, the more computation is needed to determine the rule hit by the binary code from among them, so determining the current node as a leaf node could increase the computation of packet filtering and lower its efficiency. Therefore, the rules corresponding to the current node need to be divided further.
S203, aiming at each rule group in the multiple rule groups, a new node is created to be used as a child node of the current node, and the rule in the rule group is used as the rule corresponding to the new node.
For example, taking the divided rule sets as { rule 0, rule 2} and { rule 1, rule 2} as examples, two new child nodes may be created for the current node, where the rule corresponding to one child node is { rule 0, rule 2} and the rule corresponding to the other child node is { rule 1, rule 2 }.
And S204, determining the current node as a leaf node.
It can be understood that, because the number of rules corresponding to the current node is small, as in the foregoing analysis, the packet filtering calculation amount is not large, and thus the packet filtering efficiency is low. Therefore, the rule corresponding to the current node does not need to be further divided.
S205, selecting the node which has not been taken as the current node as the new current node, and returning to execute S201 until no node which has not been taken as the current node exists.
I.e. traverse all nodes in the rule decision tree. Exemplarily, a root node is initially used as a current node, assuming that the number of rules corresponding to the root node is greater than a rule number threshold, the rules corresponding to the root node may be divided, and a plurality of child nodes of the root node are created according to a rule group obtained by the division, assuming that the number of created child nodes of the root node is 2, and the created child nodes are respectively marked as node 1 and node 2.
Node 1 may be taken as the new current node, and assuming that the number of rules corresponding to node 1 is not more than the rule number threshold, node 1 may be determined to be a leaf node. Then node 2 is taken as the new current node, and assuming that the number of rules corresponding to node 2 is greater than the rule number threshold, the rules included in node 2 may be divided, and a plurality of child nodes of node 2 are created according to the rule groups obtained by the division; assuming that the number of created child nodes of node 2 is 2, the child nodes are respectively marked as node 3 and node 4.
And then taking the node 3 as a new current node, and assuming that the number of rules corresponding to the node 3 is not more than the rule number threshold, determining the node 3 as a leaf node. And then taking the node 4 as a new current node, and assuming that the number of rules corresponding to the node 4 is not more than the rule number threshold, determining the node 4 as a leaf node. At this time, all the nodes are already used as current nodes, so that the construction of the rule decision tree is completed, and the rule decision tree shown in fig. 3 can be obtained, wherein the node 1, the node 3, and the node 4 are leaf nodes.
By adopting this embodiment, the number of rules corresponding to each leaf node can be limited, so that the target leaf node does not correspond to an excessive number of rules; determining the rule hit by the binary code among the rules of the target leaf node is thus prevented from consuming too much time, and the efficiency of packet filtering is further improved.
It is understood that, in order to improve the efficiency of packet filtering, the depth of the rule decision tree needs to be reduced as much as possible, so when dividing the rule groups it is necessary to avoid a single rule group containing too many rules. Since the number of rules corresponding to the current node is fixed, the fewer rules one rule group contains, the more rules the other rule groups contain; therefore, to avoid any rule group containing too many rules, the numbers of rules in the rule groups should be made as close to one another as possible.
The number of rules included in each rule group depends on the selected target bits, so how to select the target bits reasonably, so that the numbers of rules in the rule groups are as close as possible and the efficiency of packet filtering is thereby improved, is a technical problem that urgently needs to be solved.
Based on this, in one possible embodiment, a first discrete value of each candidate bit may be calculated, and the candidate bit with the highest first discrete value may be selected as the target bit of the current node. The candidate bit is different from a target bit corresponding to any ancestor node of the current node, and the first discrete value is used for expressing the discrete degree of the value of the rule corresponding to the current node on the candidate bit between 0 and 1.
The candidate bit is different from the target bit corresponding to any ancestor node of the current node, which may mean that any candidate bit corresponding to the current node is different from the target bit corresponding to any ancestor node of the current node. For example, assuming a total of 6 bits, which are respectively denoted as bits 0-5, and assuming that there are two ancestor nodes in the current node, where the target bit corresponding to one ancestor node is bit 3 and the target bit corresponding to the other ancestor node is bit 4, the candidate bits corresponding to the current node may be bits 0, 1, 2, and 5.
The calculation manner of the first discrete value may be different according to different application scenarios, for example, in a possible embodiment, the first discrete value may be a product of a third number and a fourth number, where the third number is a number of rules with a value of 1 on the candidate bit in the rule corresponding to the current node, and the fourth number is a number of rules with a value of 0 on the candidate bit in the rule corresponding to the current node.
For example, assume that the current node corresponds to 9 rules, and for convenience of description the wildcard is denoted as *; the 9 rules are denoted as: rule 0, 011010; rule 1, 011011; rule 2, 1000111; rule 3, 110101; rule 4, 10*1; rule 5, 0*00*; rule 6, 110; rule 7, *000; rule 8, 11100.
And assuming that the candidate bits are bits 0-5, the first discrete value of each candidate bit can be calculated as shown in table 1:
TABLE 1

| Bit | Bit 0 | Bit 1 | Bit 2 | Bit 3 | Bit 4 | Bit 5 |
| --- | --- | --- | --- | --- | --- | --- |
| First discrete value | 15 | 10 | 9 | 12 | 12 | 6 |
As can be seen from table 1, the candidate bit with the highest first discrete value is bit 0, and therefore bit 0 can be selected as the target bit of the current node. For a scenario where multiple target bits are selected, bit 0 may be used as the first target bit of the current node, and the remaining target bits are continuously selected from the remaining candidate bits. The way of selecting the remaining target bits may be the same as or different from the way of selecting the first target bit, and this embodiment does not limit this.
For example, in one possible embodiment, the rule corresponding to the current node is divided into a plurality of rule sets according to the value of the selected first target bit, the first discrete values of the remaining candidate bits are recalculated according to the rule included in the rule set including the most rules, and the candidate bit with the highest first discrete value is selected as the second target bit.
Still taking the foregoing example as an example, after selecting bit 0 as the first target bit, rules 0-8 may be divided into two rule sets, rule set 0{ rule 0, rule 1, rule 5, rule 7} and rule set 1{ rule 2, rule 3, rule 4, rule 6, rule 7, rule 8}, respectively.
Since rule set 1 includes the largest number of rules, the first discrete values of the remaining candidate bits, i.e., bits 1-5, are recalculated according to the rules included in rule set 1, and the first discrete values of the candidate bits are calculated as shown in table 2:
TABLE 2

| Bit | Bit 1 | Bit 2 | Bit 3 | Bit 4 | Bit 5 |
| --- | --- | --- | --- | --- | --- |
| First discrete value | 6 | 3 | 6 | 4 | 2 |
As can be seen from table 2, the candidate bits with the highest first discrete value are bits 1 and 3, so one of them may be selected at random as the second target bit, for example bit 3. That is, bit 0 and bit 3 are selected as the target bits of the current node.
By adopting the embodiment, the target bit can be selected according to the first discrete value, and the first discrete value is used for representing the discrete degree of the value of the rule corresponding to the current node on the candidate bit between 0 and 1, so that the capability of the bit screening rule can be reflected by the first discrete value, the number of the rules in a plurality of rule groups obtained by dividing according to the value of the target bit is close as much as possible, and the efficiency of packet filtering is improved.
However, in some application scenarios, the target bit selected according to the first discrete value may not be able to effectively distinguish different rules. For example, assuming that values of all rules corresponding to the current node are matched on the target bit, at this time, the rules corresponding to the current node can only be divided into one rule group according to the value of the target bit. That is, the target bit selected according to the first discrete value cannot effectively distinguish different rules.
Based on this, in a possible embodiment, as shown in fig. 4, fig. 4 is another flow diagram of the method for constructing a rule decision tree according to the embodiment of the present invention, and the method may include:
S301, determining whether the number of the rules corresponding to the current node is more than a rule number threshold, if so, executing S302, and if not, executing S309.
The step is the same as the foregoing step S201, and reference may be made to the related description of the foregoing step S201, which is not described herein again.
S302, for each candidate bit, a first discrete value of the candidate bit is calculated.
For the first discrete value, reference may be made to the foregoing description related to the first discrete value, and details are not repeated here.
S303, selecting the candidate bit with the highest first discrete value as the target bit of the current node.
S304, determining whether the values of all the rules corresponding to the current node on the target bit are matched, if so, executing S305, and if not, executing S307.
The value of all the rules corresponding to the current node on the target bit is matched, which means that the values of any two rules corresponding to the current node on the target bit are matched, that is, the values of any two rules on the target bit are any one of the following combinations: (0,0), (1,1), (0, wildcard), (1, wildcard), (wildcard ).
It can be understood that, if values of all the rules corresponding to the current node on the target bit are matched, the rules corresponding to the current node are divided according to the values on the target bit at this time, and only one rule group can be obtained through division, so that different rules cannot be distinguished according to the values on the target bit at this time.
The manner of determining whether the values of all the rules corresponding to the current node on the target bit are matched may differ according to the application scenario. For example, for every two rules corresponding to the current node, it may be determined whether the values of the two rules on the target bit are matched; if they are matched for every pair, it is determined that the values of all the rules corresponding to the current node on the target bit are matched, and otherwise that they are not matched. Alternatively, the rules corresponding to the current node may be divided according to the values on the target bit: if the division yields a plurality of rule groups, it is determined that the values of all the rules corresponding to the current node on the target bit are not matched, and if it yields one rule group, that they are matched.
S305, for each candidate bit, a second discrete value of the candidate bit is calculated.
And the second discrete value is used for expressing the discrete degree of the value of the rule corresponding to the current node on the candidate bit between the wildcard and the non-wildcard. For example, in one possible embodiment, a product of a first number and a second number may be calculated for each candidate bit, so as to obtain a second discrete value, where the first number is the number of rules with wildcards in the candidate bit in the rule corresponding to the current node, and the second number is the number of rules with non-wildcards in the candidate bit in the rule corresponding to the current node.
For example, assume that the current node corresponds to 4 rules, denoted rules 0-3 respectively, and for convenience of description the wildcard is denoted as *; rules 0-3 are denoted as: rule 0, 1*0**; rule 1, 11*1*; rule 2, *01**; rule 3, *1***.
And assuming that the candidate bits are bits 0-4, the second discrete value of each candidate bit can be calculated as shown in table 3:
TABLE 3

| Bit | Bit 0 | Bit 1 | Bit 2 | Bit 3 | Bit 4 |
| --- | --- | --- | --- | --- | --- |
| Second discrete value | 4 | 3 | 4 | 3 | 0 |
As can be seen from table 3, the candidate bits with the highest second discrete value are bit 0 and bit 2, and one bit of the bits 0 and 2 may be randomly selected as the target bit, for example, bit 0 may be randomly selected as the target bit.
For a scenario where multiple target bits are selected, bit 0 may be used as the first target bit of the current node, and the remaining target bits are continuously selected from the remaining candidate bits. The way of selecting the remaining target bits may be the same as or different from the way of selecting the first target bit, and this embodiment does not limit this.
For example, in one possible embodiment, the rules corresponding to the current node are divided into a plurality of rule groups according to the value of the selected first target bit, the second discrete values of the remaining candidate bits are recalculated according to the rules included in the rule group with the largest number of rules, and the candidate bit with the highest second discrete value is selected as the second target bit.
Still taking the foregoing example, after selecting bit 0 as the first target bit, rules 0-3 may be divided into two rule groups, rule group 0 {rule 2, rule 3} and rule group 1 {rule 0, rule 1, rule 2, rule 3}.
Since rule group 1 includes the largest number of rules, the second discrete values of the remaining candidate bits, i.e. bits 1-4, are recalculated according to the rules included in rule group 1, as shown in table 4:
TABLE 4

| Bit | Bit 1 | Bit 2 | Bit 3 | Bit 4 |
| --- | --- | --- | --- | --- |
| Second discrete value | 3 | 4 | 3 | 0 |
As can be seen from table 4, the candidate bit with the highest second discrete value is bit 2, so bit 2 may be selected as the second target bit. That is, bit 0 and bit 2 are selected as the new target bits of the current node.
S306, selecting the candidate bit with the highest second discrete value as a new target bit of the current node.
S307, dividing the rule corresponding to the current node into a plurality of rule groups according to the value of the target bit corresponding to the current node.
S308, aiming at each rule group in the multiple rule groups, a new node is created to be used as a child node of the current node, and the rule in the rule group is used as the rule corresponding to the new node.
S309, determining the current node as a leaf node.
S310, selecting the node which has not been used as the current node as the new current node, and returning to execute S301 until no node which has not been used as the current node exists.
By adopting the embodiment, when the first discrete value can not effectively distinguish different rules, the different rules can be further distinguished through the second discrete value, so that the rules included in each rule group obtained by dividing according to the value of the target bit are as close as possible, and the efficiency of packet filtering is improved.
As analyzed above, to improve the efficiency of packet filtering, the number of rules corresponding to each leaf node should be minimized. Based on this, in a possible embodiment, when the second discrete values of all the candidate bits are 0, the current node may be determined as a leaf node, and the rule corresponding to the current node is modified to the rule with the highest priority among all the rules originally corresponding to the current node.
For example, assuming that the current node corresponds to three rules, which are respectively denoted as R0, R1, and R2, and wherein the priority of R0 is higher than that of R1 and R2, when the second discrete value of all candidate bits is 0, the rule corresponding to the current node is changed from { R0, R1, R2} to { R0}, that is, the current node does not correspond to R1 and R2 any more after the change, and only corresponds to R0.
It can be understood that, if the second discrete values of all the candidate bits are 0, it may be considered that different rules cannot be distinguished even if the target bits selected according to the second discrete values are selected, and at this time, when the binary code hits the current node, the binary code may simultaneously meet all the rules corresponding to the current node or may not meet any rule in the current node, and when the binary code meets all the rules in the current node, the binary code may match a rule with the highest priority among the rules.
Therefore, in this case, the binary code hits a rule with the highest priority in the rules corresponding to the current node, or does not hit any rule corresponding to the current node, and at this time, the rule corresponding to the current node may be equivalent to a rule with the highest priority in all the rules corresponding to the current node.
As analyzed above, if the second discrete values of all the candidate bits are 0, then when the binary code hits the current node, the binary code hits the rule with the highest priority among all the rules corresponding to the current node, or does not hit any rule. If, moreover, the values of that highest-priority rule on all candidate bits are wildcards, the binary code must hit that rule, and the valid code of the binary code does not need to be further matched against the values of the rule on the valid bits.
Therefore, in one possible embodiment, if the second discrete values of all candidate bits are 0, and the values of all candidate bits in all rules with the highest priority among all rules corresponding to the current node are wildcards, the current node may be marked.
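The construction procedure of S201-S205 and S301-S310, with the first and second discrete values, the leaf collapse to the highest-priority rule and the marking described just above, as an added example in Python; this is not the patent's code. Rules are strings over '0', '1' and '*', character i being the value on bit i as in the page's examples. It assumes that priority is list order (rules[0] highest), which the page does not state, and breaks ties between equally scored bits by the lowest index where the page picks at random; the four 4-bit rules and the threshold are constructed for the example. A lookup in the sense of S402 is included so the finished tree can be exercised.

```python
"""Rule decision tree construction (added example, not the patent's code).

A rule is a string over '0', '1' and '*' (wildcard); character i is the
rule's value on bit i, as in the patent's examples. Priority is assumed to be
list order, rules[0] highest (the page does not say how priority is given).
"""
from dataclasses import dataclass, field
from itertools import combinations, product
from typing import Dict, List

WILD = "*"


def first_discrete_value(rules, bit):
    """Rules with '1' on the bit times rules with '0' on the bit (S302)."""
    return sum(r[bit] == "1" for r in rules) * sum(r[bit] == "0" for r in rules)


def second_discrete_value(rules, bit):
    """Rules with a wildcard on the bit times rules without one (S305)."""
    wild = sum(r[bit] == WILD for r in rules)
    return wild * (len(rules) - wild)


def all_match(rules, bits):
    """S304: true when no two rules have a 0 and a 1 on the same target bit."""
    return all(a[b] == c[b] or WILD in (a[b], c[b])
               for a, c in combinations(rules, 2) for b in bits)


def partition(rules, bits):
    """S203/S307: group rules by their values on the target bits. A wildcard
    matches 0 and 1, so such a rule joins every group its wildcards allow
    (rule 2 of the patent's example lands in both groups)."""
    groups = {}
    for r in rules:
        for combo in product(*("01" if r[b] == WILD else r[b] for b in bits)):
            groups.setdefault("".join(combo), []).append(r)
    return groups


def select_bits(rules, candidates, score, count=1):
    """S303/S306 with the table-2 refinement: the first bit has the highest
    score over all rules, each further bit is scored over the largest group
    produced so far. Ties go to the lowest index (the page picks at random)."""
    chosen, pool, remaining = [], list(rules), list(candidates)
    while remaining and len(chosen) < count:
        best = max(remaining, key=lambda b: (score(pool, b), -b))
        chosen.append(best)
        remaining.remove(best)
        pool = max(partition(rules, chosen).values(), key=len)
    return chosen


@dataclass
class Node:
    rules: List[str]
    target_bits: List[int] = field(default_factory=list)
    children: Dict[str, "Node"] = field(default_factory=dict)
    marked: bool = False  # any packet reaching this leaf hits rules[0]


def build(rules, n_bits, threshold, used=()):
    """S301-S310 plus the leaf collapse and marking described after them.
    Ancestors' target bits are excluded from the candidates, so a group equal
    to the parent's rule set still terminates when the candidates run out."""
    node = Node(list(rules))
    candidates = [b for b in range(n_bits) if b not in used]
    if len(rules) <= threshold or not candidates:
        return node  # S309: leaf
    bits = select_bits(rules, candidates, first_discrete_value)  # S302-S303
    if all_match(rules, bits):  # S304: the first discrete value cannot split
        if all(second_discrete_value(rules, b) == 0 for b in candidates):
            # Nothing separates these rules: a packet here hits rules[0] or
            # nothing, so keep rules[0] only, and mark the node when rules[0]
            # is a wildcard on every candidate bit (then it cannot be missed).
            node.rules = rules[:1]
            node.marked = all(rules[0][b] == WILD for b in candidates)
            return node
        bits = select_bits(rules, candidates, second_discrete_value)  # S305-S306
    node.target_bits = bits
    built = {}  # identical groups (same rules under two keys) share one child
    for key, group in partition(rules, bits).items():  # S307-S308
        if tuple(group) not in built:
            built[tuple(group)] = build(group, n_bits, threshold, tuple(used) + tuple(bits))
        node.children[key] = built[tuple(group)]
    return node


def lookup(root, code):
    """S402: follow the code's values on each node's target bits to a leaf.
    None means no child exists for the code, so no rule can match it."""
    node = root
    while node is not None and node.children:
        node = node.children.get("".join(code[b] for b in node.target_bits))
    return node


# Constructed sample: four 4-bit rules in priority order; threshold 1.
RULES = ["0*1*", "01**", "1*0*", "1***"]

if __name__ == "__main__":
    tree = build(RULES, n_bits=4, threshold=1)
    for code in ("0110", "0100", "0000", "1100", "1010"):
        leaf = lookup(tree, code)
        print(code, "->", leaf.rules, "(marked)" if leaf.marked else "")
```

With the constructed rules and threshold 1 the root splits on bit 0 (first discrete value 4), and two leaves are collapsed and marked: every packet with bit 0 = 0, bit 1 = 1 and bit 2 = 1 satisfies both 0*1* and 01**, so that leaf keeps only 0*1*, and every packet with bit 0 = 1 and bit 2 = 0 satisfies both 1*0* and 1***, so that leaf keeps only 1*0*. The leaf reached by 0000 still holds 0*1* unmarked, because a packet can reach it without matching the rule; that is the case S405-S406 exist for.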
In this embodiment, the packet filtering method may be as shown in fig. 5, and fig. 5 is another flow diagram of the packet filtering method provided in the embodiment of the present invention, which may include:
S401, analyzing the message to be processed to obtain the binary code corresponding to the message to be processed.
The step is the same as the foregoing step S101, and reference may be made to the related description of the foregoing step S101, which is not described herein again.
S402, searching a target leaf node hit by the binary code in the rule decision tree according to the binary code corresponding to the message to be processed and the pre-constructed rule decision tree.
The step is the same as the step S102, and reference may be made to the related description of the step S102, which is not described herein again.
And S403, determining whether the target leaf node is marked, if so, executing S404, and if not, executing S405.
S404, taking the rule corresponding to the target leaf node as a hit rule of the message to be processed.
As discussed above, when the target leaf node is marked, it can be considered that only one rule corresponds to the target leaf node, namely the rule with the highest priority among all the rules that originally corresponded to it, and the binary code must hit that rule; the rule corresponding to the target leaf node can therefore be used directly as the hit rule of the message to be processed.
S405, extracting the code of the effective bit in the binary code to obtain the effective code.
If the target leaf node is not marked, the binary code does not necessarily hit a rule corresponding to the target leaf node, so the valid code of the binary code needs to be extracted and matched against the rules corresponding to the target leaf node.
S406, determining a target rule from each rule corresponding to the target leaf node as a hit rule of the message to be processed, wherein the value of the target rule on the effective bit is matched with the effective code.
The step is the same as the step S104, and reference may be made to the related description of the step S104, which is not described herein again.
S407, processing the message to be processed according to the hit rule of the message to be processed.
The step is the same as the step S105, and reference may be made to the related description of the step S105, which is not described herein again.
By adopting this embodiment, when the binary code hits a marked node during packet filtering, the hit rule of the message to be processed can be determined directly, without extracting the valid code of the binary code and matching it against the rules, so the packet filtering efficiency can be further improved.
How to determine whether the valid code matches the value of the rule in the valid bit is described as follows:
For convenience of description, it is assumed that the binary code is 110010, that the valid bits are bit 0, bit 2 and bit 3, and that the target leaf node corresponds to the rule 1**01*.
Then, in one possible embodiment, the codes of bit 0, bit 2 and bit 3 in the binary code are extracted and combined into the valid code 100, and the values of bit 0, bit 2 and bit 3 in the rule are extracted and combined into the valid value 1*0.
For each position, it is determined whether the code of the valid code in that position matches the value of the valid value in that position. Since the first code 1 of the valid code matches the first value 1 of the valid value, the second code 0 matches the wildcard in the second position of the valid value, and the third code 0 matches the third value 0, it can be determined that the binary code 110010 matches the rule 1**01*.
It will be appreciated that, since a wildcard matches any code, wildcards can be ignored when determining whether the binary code matches the rule. Thus, in one possible embodiment, when determining whether the valid code matches the value of the rule on the valid bits, it may be determined whether the valid code matches the value of the rule on the non-wildcard valid bits, where a non-wildcard valid bit is a valid bit that satisfies the following condition: the value of the rule on this valid bit is a non-wildcard. Still in the above example, the valid bits are bit 0, bit 2 and bit 3; since the value of the rule 1**01* on bit 2 is a wildcard while its values on bit 0 and bit 3 are not wildcards, the non-wildcard valid bits are bit 0 and bit 3.
In this embodiment, when extracting the valid code, the codes of the non-wildcard valid bits in the binary code may be extracted to obtain the valid code corresponding to the rule.
For example, still taking the foregoing example, since the non-wildcard valid bits are bit 0 and bit 3, the codes of bit 0 and bit 3 in the binary code can be extracted and combined into the valid code 10. Correspondingly, the values of bit 0 and bit 3 in the rule can be extracted and combined into the valid value 10. For each position, it is then determined whether the code of the valid code in that position matches the value of the valid value in that position.
By adopting this embodiment, the bit length of the valid code can be reduced, thereby further improving the efficiency of packet filtering.
It will be appreciated that the valid code can be regarded as a binary value, and the values of the rule on the non-wildcard valid bits, since they contain no wildcards, can also be regarded as a binary value. Thus, determining whether the valid code matches the values of the rule on the non-wildcard valid bits can be converted into determining whether two binary values are equal, and whether two binary values are equal can be determined by an exclusive-or operation.
Therefore, in a possible embodiment, an exclusive-or operation may be performed on the values of the rule on the non-wildcard valid bits and the valid code; if the operation result is 0, it may be determined that the valid code matches the values of the rule on the non-wildcard valid bits, and if the operation result is not 0, it may be determined that they do not match.
Compared with the method of determining whether the codes are matched with the values bit by bit, the method has the advantage that the calculation amount of the XOR operation is small, so that the efficiency of packet filtering can be further improved by adopting the embodiment.
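The matching described in the preceding paragraphs (valid bits, non-wildcard valid bits and the exclusive-or comparison), together with the marked-leaf shortcut of S403-S404, as an added Python example; this is not the patent's code. Rules are strings over '0', '1' and '*', character i being bit i. The binary code 110010 and the valid bits 0, 2 and 3 are the page's; the path bits, the two leaf rules and the assumption that leaf rules are listed in priority order (highest first) are constructed for the example and not stated on the page. The mask form at the end goes beyond the page: it replaces per-packet bit extraction with a care mask so the exclusive-or test runs on the whole code.

```python
"""Matching a binary code against a leaf's rules (added example, not the
patent's code). Rules are strings over '0', '1' and '*'; character i is bit i.
Leaf rules are assumed to be in priority order, highest first (the page does
not say how priority is given)."""
from typing import List, Optional, Sequence, Tuple

WILD = "*"


def valid_bits(n_bits: int, path_bits: Sequence[int]) -> List[int]:
    """Bits not used as target bits on the root-to-leaf path."""
    return [b for b in range(n_bits) if b not in path_bits]


def extract(word: str, bits: Sequence[int]) -> str:
    """S405: pull out the given bit positions and concatenate them."""
    return "".join(word[b] for b in bits)


def non_wildcard_valid_bits(rule: str, vbits: Sequence[int]) -> List[int]:
    """Valid bits on which the rule has a 0 or a 1 rather than a wildcard."""
    return [b for b in vbits if rule[b] != WILD]


def matches(code: str, rule: str, vbits: Sequence[int]) -> bool:
    """S406 in exclusive-or form: on the non-wildcard valid bits, equal binary
    values give an exclusive-or of 0; anything else is a mismatch."""
    nw = non_wildcard_valid_bits(rule, vbits)
    if not nw:  # the rule is a wildcard on every valid bit: always matches
        return True
    return int(extract(code, nw), 2) ^ int(extract(rule, nw), 2) == 0


def hit_rule(code: str, leaf_rules: List[str], path_bits: Sequence[int],
             marked: bool = False) -> Optional[str]:
    """S403-S406: a marked leaf always hits its (single) rule; otherwise the
    highest-priority rule whose non-wildcard valid bits equal the code wins.
    None means the code reached the leaf but matches none of its rules."""
    if marked:
        return leaf_rules[0]
    vbits = valid_bits(len(code), path_bits)
    for rule in leaf_rules:
        if matches(code, rule, vbits):
            return rule
    return None


def mask_and_value(rule: str) -> Tuple[int, int]:
    """Whole-word form (beyond the page): a care mask with 1s on the rule's
    non-wildcard bits and the expected value on those bits, so the check is
    (code & mask) ^ value == 0 with no per-packet bit extraction."""
    mask = int("".join("0" if c == WILD else "1" for c in rule), 2)
    value = int("".join("0" if c == WILD else c for c in rule), 2)
    return mask, value


def matches_masked(code: str, rule: str) -> bool:
    mask, value = mask_and_value(rule)
    return (int(code, 2) & mask) ^ value == 0


# Constructed sample: the page's code 110010 and valid bits 0, 2, 3 (so the
# path bits are 1, 4, 5); the two leaf rules are made up for the example.
CODE = "110010"
PATH_BITS = [1, 4, 5]
LEAF_RULES = ["0**1**", "1**01*"]

if __name__ == "__main__":
    print(extract(CODE, valid_bits(6, PATH_BITS)))  # valid code 100
    print(hit_rule(CODE, LEAF_RULES, PATH_BITS))    # 1**01*
```

On the sample, the first leaf rule 0**1** is rejected because its non-wildcard valid bits (bit 0 and bit 3) read 01 while the code reads 10, and the exclusive-or of 10 and 01 is not 0; the second rule 1**01* is accepted. With the leaf marked, the check is skipped and the first rule is returned as the page describes for S404.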
Referring to fig. 6, fig. 6 is a schematic structural diagram of an apparatus according to an embodiment of the present invention, which may include:
the message analysis module 601 is configured to analyze a message to be processed to obtain a binary code corresponding to the message to be processed;
a decision tree searching module 602, configured to search, according to a binary code corresponding to a packet to be processed and a pre-constructed rule decision tree, a target leaf node hit by the binary code in the rule decision tree, where each leaf node in the rule decision tree corresponds to at least one rule;
a code extracting module 603, configured to extract a code of a valid bit in the binary code to obtain a valid code, where the valid bit is a bit that does not participate in path calculation from a root node of the rule decision tree to the target leaf node;
a rule hit module 604, configured to determine a target rule from each rule corresponding to the target leaf node as a hit rule of the message to be processed, where the value of the target rule on the valid bit matches the valid code;
a message processing module 605, configured to process the message to be processed according to the hit rule of the message to be processed.
In a possible embodiment, the apparatus further includes a decision tree construction module for constructing a rule decision tree in advance according to the following manner:
determining whether the number of rules corresponding to the current node is more than a rule number threshold, wherein the current node is a root node initially;
if so, dividing all the rules corresponding to the current node into a plurality of rule groups according to the values of the target bits corresponding to the current node, wherein the target bits corresponding to the current node are different from the target bits corresponding to any ancestor node of the current node, and the values of any two rules of each rule group on the target bits corresponding to the current node are matched;
for each rule group in the multiple rule groups, creating a new node as a child node of a current node, and taking a rule in the rule group as a rule corresponding to the new node;
if not, the current node is determined to be a leaf node.
In a possible embodiment, the decision tree construction module is further configured to calculate, for each candidate bit, a first discrete value of the candidate bit, where the candidate bit is different from the target bit corresponding to any ancestor node of the current node, and the first discrete value is used to indicate a degree of dispersion between 0 and 1 of a value of a rule corresponding to the current node on the candidate bit;
and selecting the candidate bit with the highest first discrete value as the target bit of the current node.
In a possible embodiment, the decision tree construction module is further configured to determine whether values of all rules corresponding to the current node on the target bit match;
if so, calculating a second discrete value of each candidate bit, wherein the second discrete value is used for expressing the discrete degree of the value of the rule corresponding to the current node on the candidate bit between the wildcard character and the non-wildcard character;
and selecting the candidate bit with the highest second discrete value as a new target bit of the current node.
In a possible embodiment, the decision tree construction module is specifically configured to calculate, for each candidate bit, a product of a first number and a second number to obtain a second discrete value, where the first number is the number of rules whose values on the candidate bit are wildcards in a rule corresponding to the current node, and the second number is the number of rules whose values on the candidate bit are non-wildcards in a rule corresponding to the current node.
In a possible embodiment, the decision tree construction module is further configured to determine the current node as a leaf node if the second discrete values of all the candidate bits are 0, and modify the rule corresponding to the current node to a rule with the highest priority among all the rules originally corresponding to the current node.
In a possible embodiment, the decision tree construction module is further configured to mark the current node if the second discrete values of all candidate bits are 0, and values of a rule with the highest priority in all rules corresponding to the current node on all candidate bits are wildcards;
the rule hit module 604, further configured to determine whether the target leaf node is marked;
if the target leaf node is marked, taking a rule corresponding to the target leaf node as a hit rule of the message to be processed;
the code extracting module 603 is specifically configured to extract a code of a valid bit in the binary code to obtain a valid code if the target leaf node is not marked.
In a possible embodiment, the code extracting module 603 is specifically configured to, for each rule corresponding to a target leaf node, extract a code of a non-wildcarded valid bit in the binary code, to obtain a valid code corresponding to the rule, where the non-wildcarded valid bit is a valid bit that satisfies the following condition: the value of the rule on the effective bit is a non-wildcard character;
the rule hit module 604 is specifically configured to determine, for each rule corresponding to a target leaf node, whether a value of the rule on a non-wildcard valid bit matches a valid code corresponding to the rule;
and if the value of the rule on the non-wildcard valid bit is matched with the valid code corresponding to the rule, determining the rule as the hit rule of the message to be processed.
In a possible embodiment, the rule hit module 604 is specifically configured to, for each rule corresponding to the target leaf node, perform an exclusive OR (XOR) operation between the value of the rule on its non-wildcard valid bits and the valid code corresponding to the rule, to obtain an operation result;
if the operation result is 0, determine that the value of the rule on its non-wildcard valid bits matches the valid code corresponding to the rule;
and if the operation result is not 0, determine that the value of the rule on its non-wildcard valid bits does not match the valid code corresponding to the rule.
An embodiment of the present invention further provides an electronic device, as shown in fig. 7, including:
a memory 701 for storing a computer program;
the processor 702 is configured to implement the following steps when executing the program stored in the memory 701:
analyzing a message to be processed to obtain a binary code corresponding to the message to be processed;
searching a target leaf node hit by the binary code in a rule decision tree according to the binary code corresponding to the message to be processed and the pre-constructed rule decision tree;
extracting a code of a valid bit in the binary code to obtain a valid code, wherein the valid bit is a bit which does not participate in path calculation from a root node of the rule decision tree to the target leaf node;
determining a target rule from each rule corresponding to the target leaf node as a hit rule of the message to be processed, wherein the value of the target rule on the valid bit is matched with the valid code;
and processing the message to be processed according to the hit rule of the message to be processed.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The memory may include a random access memory (RAM) or a non-volatile memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment of the present invention, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any of the packet filtering methods described above.
In yet another embodiment, a computer program product containing instructions is provided, which when run on a computer, causes the computer to perform any of the packet filtering methods of the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions which, when loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) link. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiments of the apparatus, the electronic device, the computer-readable storage medium, and the computer program product, since they are substantially similar to the method embodiments, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiments.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (12)

1. A method of packet filtering, the method comprising:
analyzing a message to be processed to obtain a binary code corresponding to the message to be processed;
searching a target leaf node hit by the binary code in a rule decision tree according to the binary code corresponding to the message to be processed and the pre-constructed rule decision tree;
extracting a code of a valid bit in the binary code to obtain a valid code, wherein the valid bit is a bit which does not participate in path calculation from a root node of the rule decision tree to the target leaf node;
determining a target rule from each rule corresponding to the target leaf node as a hit rule of the message to be processed, wherein the value of the target rule on the valid bit is matched with the valid code;
and processing the message to be processed according to the hit rule of the message to be processed.
2. The method of claim 1, wherein the rule decision tree is constructed in advance in the following way:
determining whether the number of rules corresponding to the current node is more than a rule number threshold, wherein the current node is a root node initially;
if so, dividing all the rules corresponding to the current node into a plurality of rule groups according to the values of the target bits corresponding to the current node, wherein the target bits corresponding to the current node are different from the target bits corresponding to any ancestor node of the current node, and the values of any two rules of each rule group on the target bits corresponding to the current node are matched;
for each rule group in the multiple rule groups, creating a new node as a child node of a current node, and taking a rule in the rule group as a rule corresponding to the new node;
if not, the current node is determined to be a leaf node.
3. The method of claim 2, wherein before the dividing all rules corresponding to the current node into the plurality of rule groups according to the value at the target bit corresponding to the current node, the method further comprises:
calculating a first discrete value of each candidate bit, wherein the candidate bit is different from the target bit corresponding to any ancestor node of the current node, and the first discrete value expresses the degree of dispersion, between the values 0 and 1, of the rules corresponding to the current node on the candidate bit;
and selecting the candidate bit with the highest first discrete value as the target bit of the current node.
4. The method of claim 3, wherein before the dividing all rules corresponding to the current node into the plurality of rule groups according to the value at the target bit corresponding to the current node, the method further comprises:
determining whether values of all rules corresponding to the current node on the target bit are matched or not;
if so, calculating a second discrete value of each candidate bit, wherein the second discrete value expresses the degree of dispersion, between wildcard and non-wildcard values, of the rules corresponding to the current node on the candidate bit;
and selecting the candidate bit with the highest second discrete value as a new target bit of the current node.
5. The method of claim 4, wherein computing, for each candidate bit, a second discrete value for the candidate bit comprises:
and calculating, for each candidate bit, the product of a first number and a second number to obtain the second discrete value, wherein the first number is the number of rules corresponding to the current node whose value on the candidate bit is a wildcard, and the second number is the number of rules corresponding to the current node whose value on the candidate bit is a non-wildcard.
6. The method of claim 5, wherein after calculating a product of the first number and the second number for each candidate bit, resulting in a second discrete value, the method further comprises:
and if the second discrete values of all the candidate bits are 0, determining the current node as a leaf node, and modifying the rule corresponding to the current node into the rule with the highest priority in all the rules originally corresponding to the current node.
7. The method of claim 6, further comprising:
if the second discrete values of all the candidate bits are 0 and the values of the rule with the highest priority in all the rules corresponding to the current node on all the candidate bits are wildcards, marking the current node;
after searching a target leaf node hit by the binary code in the rule decision tree according to the binary code corresponding to the message to be processed and a pre-constructed rule decision tree, the method further comprises:
determining whether the target leaf node is marked;
if the target leaf node is marked, taking a rule corresponding to the target leaf node as a hit rule of the message to be processed;
the extracting of the code of the valid bit in the binary code to obtain the valid code includes:
and if the target leaf node is not marked, extracting the code of the valid bit in the binary code to obtain the valid code.
8. The method of claim 1, wherein extracting the code of the valid bit in the binary code to obtain a valid code comprises:
extracting, for each rule corresponding to the target leaf node, the codes of the non-wildcard valid bits in the binary code to obtain the valid code corresponding to the rule, wherein a non-wildcard valid bit is a valid bit meeting the following condition: the value of the rule on the valid bit is a non-wildcard character;
the determining a target rule from the rules corresponding to the target leaf node, as a rule for the message to be processed to hit, includes:
determining whether the value of the rule on the non-wildcard valid bit is matched with the valid code corresponding to the rule or not according to each rule corresponding to the target leaf node;
and if the value of the rule on the non-wildcard valid bit is matched with the valid code corresponding to the rule, determining the rule as the hit rule of the message to be processed.
9. The method of claim 8, wherein determining, for each rule corresponding to a target leaf node, whether a value of the rule in a non-wildcard valid bit matches a valid code corresponding to the rule comprises:
aiming at each rule corresponding to the target leaf node, carrying out XOR operation on the value of the rule on the non-wildcard valid bit and the valid code corresponding to the rule to obtain an operation result;
if the operation result is 0, determining that the value of the rule on the non-wildcard valid bit is matched with the valid code corresponding to the rule;
and if the operation result is not 0, determining that the value of the rule on the non-wildcard valid bit is not matched with the valid code corresponding to the rule.
10. A packet filtering device, the device comprising:
the message analysis module is used for analyzing the message to be processed to obtain the binary code corresponding to the message to be processed;
the decision tree searching module is used for searching a target leaf node hit by the binary code in a rule decision tree according to the binary code corresponding to the message to be processed and the pre-constructed rule decision tree;
the code extraction module is used for extracting a code of a valid bit in the binary code to obtain a valid code, wherein the valid bit is a bit which does not participate in path calculation from a root node of the rule decision tree to the target leaf node;
a rule hit module, configured to determine a target rule from the rules corresponding to the target leaf node, where the value of the target rule on the valid bit matches the valid code, and the target rule is used as the hit rule of the message to be processed;
and the message processing module is used for processing the message to be processed according to the hit rule of the message to be processed.
11. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the method steps of any of claims 1-9 when executing a program stored in the memory.
12. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of the claims 1-9.
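The construction and lookup procedure of claims 1-9 (and of the module description above) can be modelled end to end in a few dozen lines. The following is an added worked example written for this page; it is not code from the patent or from the assignee. Assumptions that the page does not fix and that this example makes: a rule is a fixed-width string over the alphabet {0, 1, *} plus an integer priority (smaller number wins); the "first discrete value" of a bit is taken to be n0 × n1, the number of rules holding 0 on that bit times the number holding 1, which is zero exactly when all rules "match" on that bit (the condition checked in claim 4); the "second discrete value" is claim 5's product n_wildcard × n_non_wildcard; the rule-number threshold is 2 and the rule set is a constructed four-bit toy set. A brute-force `linear_match` is included only as a reference oracle to check the tree against.

```python
# Added example modelling claims 1-9 of CN113347173B; not the patent's own code.
# Assumed representation: Rule.bits is a string over {'0','1','*'}, one char per
# header bit, MSB first; priority: smaller wins. first_discrete = n0*n1 is an
# assumption (the page only calls it a degree of dispersion between 0 and 1).
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Rule:
    bits: str        # e.g. "1*0*"
    priority: int    # smaller number = higher priority
    action: str


@dataclass
class Node:
    rules: List[Rule]                              # kept sorted by priority
    target_bit: Optional[int] = None               # None => leaf
    children: Dict[str, "Node"] = field(default_factory=dict)
    marked: bool = False                           # claim 7: skip the valid-code check


def first_discrete(rules: List[Rule], bit: int) -> int:
    n0 = sum(r.bits[bit] == "0" for r in rules)
    n1 = sum(r.bits[bit] == "1" for r in rules)
    return n0 * n1                                 # 0 <=> all rules match on this bit


def second_discrete(rules: List[Rule], bit: int) -> int:
    n_wild = sum(r.bits[bit] == "*" for r in rules)
    return n_wild * (len(rules) - n_wild)          # claim 5


def build(rules: List[Rule], threshold: int, used: FrozenSet[int] = frozenset()) -> Node:
    """Claims 2-7: split on one bit per level until a node holds <= threshold rules."""
    node = Node(sorted(rules, key=lambda r: r.priority))
    candidates = [b for b in range(len(rules[0].bits)) if b not in used]
    if len(rules) <= threshold or not candidates:
        return node                                # claim 2: leaf
    target = max(candidates, key=lambda b: first_discrete(rules, b))   # claim 3
    if first_discrete(rules, target) == 0:         # claim 4: all values match on target
        target = max(candidates, key=lambda b: second_discrete(rules, b))
        if second_discrete(rules, target) == 0:    # claim 6: every rule matches equally
            best = node.rules[0]
            node.rules = [best]
            node.marked = all(best.bits[b] == "*" for b in candidates)   # claim 7
            return node
    node.target_bit = target
    for value in "01":                             # a '*' rule lands in both groups
        group = [r for r in rules if r.bits[target] in (value, "*")]
        if group:
            node.children[value] = build(group, threshold, used | {target})
    return node


def lookup(root: Node, code: str) -> Optional[Rule]:
    """Claims 1, 8, 9: walk the tree, then XOR-compare only the bits off the path."""
    node, path = root, set()
    while node.target_bit is not None:
        path.add(node.target_bit)
        node = node.children.get(code[node.target_bit])
        if node is None:
            return None                            # no rule can match this packet
    if node.marked:
        return node.rules[0]
    valid = [b for b in range(len(code)) if b not in path]   # bits not on the path
    for rule in node.rules:                        # priority order
        nz = [b for b in valid if rule.bits[b] != "*"]       # claim 8
        rule_val = int("".join(rule.bits[b] for b in nz) or "0", 2)
        pkt_val = int("".join(code[b] for b in nz) or "0", 2)
        if rule_val ^ pkt_val == 0:                # claim 9
            return rule
    return None


def linear_match(rules: List[Rule], code: str) -> Optional[Rule]:
    """Reference oracle: highest-priority rule matching every bit."""
    for r in sorted(rules, key=lambda r: r.priority):
        if all(rb in ("*", cb) for rb, cb in zip(r.bits, code)):
            return r
    return None


# Constructed four-bit rule set (example data, not from the patent).
DEMO_RULES = [
    Rule("1*0*", 0, "deny"),
    Rule("10**", 1, "allow"),
    Rule("0*1*", 2, "allow"),
    Rule("***1", 3, "log"),
    Rule("****", 4, "drop"),
]
DEMO_TREE = build(DEMO_RULES, threshold=2)


def classify(code: str) -> str:
    hit = lookup(DEMO_TREE, code)
    return hit.action if hit else "no-match"


if __name__ == "__main__":
    for code in ("1001", "0110", "0011", "0001", "1110"):
        print(code, classify(code))
```

The correctness argument is the one the claims rely on: a rule with a wildcard on the split bit is copied into both child groups, so every rule that can match a packet is present at the leaf the packet reaches, and the bits consumed on the path need no re-checking. Pruning (claim 6) is sound because, when every second discrete value is zero and no candidate bit separates the rules, all rules at that node are identical on the remaining bits and only priority can decide; the mark (claim 7) just records that the surviving rule cannot fail on those bits.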
CN202110599715.3A 2021-05-31 2021-05-31 Packet filtering method and device and electronic equipment Active CN113347173B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110599715.3A CN113347173B (en) 2021-05-31 2021-05-31 Packet filtering method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN113347173A CN113347173A (en) 2021-09-03
CN113347173B true CN113347173B (en) 2022-04-22

Family

ID=77472493

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110599715.3A Active CN113347173B (en) 2021-05-31 2021-05-31 Packet filtering method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN113347173B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114513460B (en) * 2022-01-28 2023-09-15 新华三技术有限公司 Decision tree generation method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102308533A (en) * 2010-06-28 2012-01-04 华为技术有限公司 Classification method and device for packets
CN105335411A (en) * 2014-07-31 2016-02-17 国际商业机器公司 Method and system for data processing
CN109194536A (en) * 2018-07-27 2019-01-11 北京奇虎科技有限公司 A kind of network flow filter method, device and terminal
CN110263043A (en) * 2019-06-24 2019-09-20 苏州睿威博科技有限公司 Date storage method, data query method, apparatus and storage medium
CN110474929A (en) * 2019-09-27 2019-11-19 新华三信息安全技术有限公司 A kind of redundancy rule detection method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9680738B2 (en) * 2013-09-15 2017-06-13 Nicira, Inc. Tracking prefixes of values associated with different rules to generate flows
US20190347529A1 (en) * 2018-05-08 2019-11-14 Tsinghua University Packet classification method and device

Also Published As

Publication number Publication date
CN113347173A (en) 2021-09-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant