CN113765877B

CN113765877B - Session identification method, apparatus, electronic device and computer readable medium

Info

Publication number: CN113765877B
Application number: CN202110180504.6A
Authority: CN
Inventors: 刘遇哲
Original assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Wodong Tianjun Information Technology Co Ltd
Current assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Wodong Tianjun Information Technology Co Ltd
Filing date: 2021-02-08
Publication date: 2024-09-24
Anticipated expiration: 2041-02-08

Abstract

Embodiments of the present disclosure disclose a session identification method, apparatus, electronic device, and computer-readable medium. One embodiment of the method comprises the following steps: extracting information from the cached message to obtain quintuple information, wherein the quintuple information comprises a session structure body identifier; matching a target session structure body matched with the session structure body identification included in the quintuple information from a preset session structure body library; responding to successful matching, carrying out message state identification on the message to obtain a message state identification; and updating the target session structure body based on the message state identification and a preset message state matching tree. This embodiment may improve the security of the network.

Description

Session identification method, apparatus, electronic device and computer readable medium

Technical Field

Embodiments of the present disclosure relate to the field of computer technology, and in particular, to a session identification method, apparatus, electronic device, and computer readable medium.

Background

The session identification method is a technology for identifying a session in network traffic. At present, a common session identification method is to utilize a character string identification engine in a main stream detection system to perform character string identification on a session in a flow to obtain an identification result.

However, when the session identification is performed by the above method, there are often the following technical problems:

when a message in a session is divided into multiple segments for message transmission, the character string recognition engine is not easy to accurately recognize the session, so that the network risk existing in the session cannot be recognized, and the network security is reduced.

Disclosure of Invention

The disclosure is in part intended to introduce concepts in a simplified form that are further described below in the detailed description. The disclosure is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

Some embodiments of the present disclosure propose session identification methods, apparatuses, electronic devices, and computer-readable media to solve one or more of the technical problems mentioned in the background section above.

In a first aspect, some embodiments of the present disclosure provide a session identification method, the method comprising: extracting information from the cached message to obtain quintuple information, wherein the quintuple information comprises a session structure body identifier; matching a target session structure body matched with the session structure body identification included in the quintuple information from a preset session structure body library; responding to successful matching, carrying out message state identification on the message to obtain a message state identification; and updating the target session structure body based on the message state identification and a preset message state matching tree.

Optionally, the method further comprises: in response to a match failure, creating an initial session structure; and adding the message state identification of the message into the initial session structure body.

Optionally, the identifying the message status of the message to obtain a message status identifier includes: and carrying out state recognition on the target character string included in the message to generate a state identifier serving as the message state recognition identifier.

Optionally, the target session structure includes a state tree; and updating the target session structure based on the message state identifier and a preset message state matching tree, including: determining a message transmission direction from the message state identifier to the matched next-hop node identifier in response to determining that the next-hop node identifier in the preset next-hop node identifier list is matched with the message state identifier; in response to determining that the message transmission direction is the same as the transmission direction corresponding to the message state identifier, adding the message transmission direction as state information of a child node into the state tree, wherein the state tree is used for recording a jump relationship from the message state identifier to the message matching identifier of the message; and adding the quintuple information into the target session structure body to update the target session structure body.

Optionally, the updating the target session structure based on the message state identifier and a preset message state matching tree further includes: and taking the next-hop node matched with the message state identification as a child node in the message state matching tree to obtain a next-hop node identification list to be matched, wherein the next-hop node identification list to be matched is used for identifying the message corresponding to the message in the cache.

Optionally, the updating the target session structure based on the message state identifier and a preset message state matching tree further includes: and storing the depth value of the next-hop node matched with the message state identification in the message state matching tree to the node of the state tree corresponding to the message.

Optionally, the message further includes application information; the method further comprises the following steps: and in response to determining that the next hop node matched with the message state identification is a leaf node of the message state matching tree, storing application information included in the message into the leaf node of the state tree to determine that the updating of the target session structure body is completed, wherein the updated target session structure body is used for representing the identification result of the session corresponding to the message.

In a second aspect, some embodiments of the present disclosure provide a session identification apparatus, the apparatus comprising: the information extraction unit is configured to extract information from the cached message to obtain quintuple information, wherein the quintuple information comprises a session structure body identifier; a selection unit configured to match a target session structure matching a session structure identifier included in the five-tuple information from a preset session structure library; the message state identification unit is configured to respond to successful matching and identify the message state of the message to obtain a message state identifier; and an updating unit configured to update the target session structure based on the message state identifier and a preset message state matching tree.

Optionally, the session identification apparatus further includes: an initial session structure creation unit configured to create an initial session structure in response to a match failure; an initial session structure adding unit configured to add a message status identifier of the message to the initial session structure.

Optionally, the message state identifying unit is further configured to: and carrying out state recognition on the target character string included in the message to generate a state identifier serving as the message state recognition identifier.

Optionally, the target session structure includes a state tree; and the updating unit is further configured to: determining a message transmission direction from the message state identifier to the matched next-hop node identifier in response to determining that the next-hop node identifier in the preset next-hop node identifier list is matched with the message state identifier; in response to determining that the message transmission direction is the same as the transmission direction corresponding to the message state identifier, adding the message transmission direction as state information of a child node into the state tree, wherein the state tree is used for recording a jump relationship from the message state identifier to the message matching identifier of the message; and adding the quintuple information into the target session structure body to update the target session structure body.

Optionally, the updating unit is further configured to: and taking the next-hop node matched with the message state identification as a child node in the message state matching tree to obtain a next-hop node identification list to be matched, wherein the next-hop node identification list to be matched is used for identifying the message corresponding to the message in the cache.

Optionally, the updating unit is further configured to: and storing the depth value of the next-hop node matched with the message state identification in the message state matching tree to the node of the state tree corresponding to the message.

Optionally, the message further includes application information; the updating unit further includes: and a storage subunit configured to store application information included in the message in the leaf nodes of the state tree to determine that the updating of the target session structure is completed in response to determining that the next-hop node matched with the message state identifier is a leaf node of the message state matching tree, wherein the updated target session structure is used for representing an identification result of a session corresponding to the message.

In a third aspect, some embodiments of the present disclosure provide an electronic device comprising: one or more processors; a storage device having one or more programs stored thereon, which when executed by one or more processors causes the one or more processors to implement the method described in any of the implementations of the first aspect above.

In a fourth aspect, some embodiments of the present disclosure provide a computer readable medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the method described in any of the implementations of the first aspect above.

The above embodiments of the present disclosure have the following advantageous effects: by the session identification method of some embodiments of the present disclosure, the security of the network may be improved. Specifically, the reason why the network security is not high is that: when a message in a session is divided into multiple segments for transmission, the string recognition engine cannot recognize such a session, so that the network risk existing in such a session cannot be recognized. Based on this, the session identification method of some embodiments of the present disclosure introduces a session structure, which may be used to store the identification result of the message corresponding to the same session. Therefore, when one message in a session is divided into a plurality of segments for transmission, the identification results of the plurality of segments can be recorded in one session structure. Therefore, the introduced session structure body is used as the identification result for representing the session, and the identification of the session in which one message is divided into a plurality of sections of message transmission can be completed. Therefore, the situation that the conversation cannot be identified when one message in the conversation is divided into a plurality of sections of message transmission can be avoided. Thus, it is made possible to identify to some extent the network risk present in such a session. Further, the security of the network is improved.

Drawings

The above and other features, advantages, and aspects of embodiments of the present disclosure will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. The same or similar reference numbers will be used throughout the drawings to refer to the same or like elements. It should be understood that the figures are schematic and that elements and components are not necessarily drawn to scale.

FIG. 1 is a schematic illustration of one application scenario of a session identification method according to some embodiments of the present disclosure;

FIG. 2 is a flow chart of some embodiments of a session identification method according to the present disclosure;

FIG. 3 is a schematic diagram of a message state matching tree in a session identification method according to some embodiments of the present disclosure;

FIG. 4 is a flow chart of further embodiments of a session identification method according to the present disclosure;

FIG. 5 is a schematic diagram of the structure of some embodiments of a session identification apparatus according to the present disclosure;

fig. 6 is a schematic structural diagram of an electronic device suitable for use in implementing some embodiments of the present disclosure.

Detailed Description

Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete. It should be understood that the drawings and embodiments of the present disclosure are for illustration purposes only and are not intended to limit the scope of the present disclosure.

It should be noted that, for convenience of description, only the portions related to the present invention are shown in the drawings. Embodiments of the present disclosure and features of embodiments may be combined with each other without conflict.

It should be noted that the terms "first," "second," and the like in this disclosure are merely used to distinguish between different devices, modules, or units and are not used to define an order or interdependence of functions performed by the devices, modules, or units.

It should be noted that references to "one", "a plurality" and "a plurality" in this disclosure are intended to be illustrative rather than limiting, and those of ordinary skill in the art will appreciate that "one or more" is intended to be understood as "one or more" unless the context clearly indicates otherwise.

The names of messages or information interacted between the various devices in the embodiments of the present disclosure are for illustrative purposes only and are not intended to limit the scope of such messages or information.

The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.

Fig. 1 is a schematic diagram of one application scenario of a session identification method of some embodiments of the present disclosure.

In the application scenario of fig. 1, first, the computing device 101 may perform information extraction on the packet 102 in the buffer to obtain five-tuple information 103, where the five-tuple information 103 includes a session structure identifier 1031. As an example, the above five-tuple information 103 may be [ message source IP (internet protocol address): 192.1, message source port 2020, message destination IP: 192.2, packet destination port number: 2021, session structure identity: 10]. Then, the computing device 101 may match the target session structure 105 that matches the session structure identifier 1031 included in the five-tuple information from the preset session structure library 104. The computing device 101 may then perform a message status identification on the message 102 in response to successful matching, to obtain a message status identifier 106. As an example, the message status identifier 106 may be: ②. Finally, the computing device 101 may update the target session structure 105 based on the message state identifier 106 and a preset message state matching tree 107.

It should be noted that, the computing device 101 may be hardware, or may be software. When the computing device is hardware, the computing device may be implemented as a distributed cluster formed by a plurality of servers or terminal devices, or may be implemented as a single server or a single terminal device. When the computing device is embodied as software, it may be installed in the hardware devices listed above. It may be implemented as a plurality of software or software modules, for example, for providing distributed services, or as a single software or software module. The present invention is not particularly limited herein.

It should be understood that the number of computing devices in fig. 1 is merely illustrative. There may be any number of computing devices, as desired for an implementation.

With continued reference to fig. 2, a flow chart 200 of some embodiments of a session identification method according to the present disclosure is shown. The session identification method comprises the following steps:

and step 201, extracting information from the cached message to obtain quintuple information.

In some embodiments, the executing body of the session identification method (such as the computing device 101 shown in fig. 1) may perform information extraction on the packet in the buffer to obtain quintuple information. Wherein, the five-tuple information can include a session structure body identifier. The information extraction may be selecting the required information from the message as five-tuple information. For example, the source IP, source port number, destination IP, destination port number, and session structure identification of the message may be selected from the above-described messages. The session structure body identifier may be a unique identifier of a session structure body, and the session structure body may be used to store an identification result of a message corresponding to the same session.

As an example, the above five-tuple information may be: message source IP: 192.1, message source port 2020, message destination IP: 192.2, packet destination port number: 2021, session structure identity: 10].

Step 202, a target session structure matched with the session structure identification included in the quintuple information is matched from a preset session structure library.

In some embodiments, the executing entity may match a target session structure that matches a session structure identifier included in the five-tuple information from a preset session structure library. The session structure library may be composed of identified session structures corresponding to different sessions. The session structure may be a string. Each session structure has a unique identification key (i.e., session structure identification). Since one key uniquely identified by the session structure is saved in each session. Thus, each session structure may have a one-to-one correspondence with a session via a key. The matching may be that the session structure identification is the same as a unique identification key of one session structure in the session structure library.

And 203, in response to successful matching, carrying out message state identification on the message to obtain a message state identifier.

In some embodiments, the execution body may perform message status identification on the message in response to successful matching, to obtain a message status identifier. Wherein, in response to the successful matching, it may be determined that the selected target session structure is successful, and it may be characterized that at least one other message in the session to which the message belongs has been identified as completed. The message state identification can be performed by the following ways: message state identification may be performed by an identification algorithm (e.g., HYPERSCAN flow pattern identification method). The message status identifier may be a sequence number for uniquely identifying a character string in the message. For example, the message status identifies: ②.

Step 204, updating the target session structure based on the message state identifier and the preset message state matching tree.

In some embodiments, the executing entity may update the target session structure based on the message state identifier and a preset message state matching tree. The message state matching tree can represent a set of migration conditions of the message in the network, and is used for detecting whether the transmission direction of the message accords with the correctness. As shown in fig. 3, the root node of the message state matching tree may be marked 0. The child node (e.g., ①,②,③, etc.) may include a unique identification number of the message string. The leaf nodes (e.g., ⑧,⑨,⑩, etc.) may include: and the unique identification sequence number is composed of unique identification sequence numbers corresponding to the root node and the current leaf node. Specifically, the sub-node corresponding to the message state identifier and the message state matching tree may be determined, and the unique identifier serial number of the sub-node is added to the target session structure body, so as to update the target session structure body. In addition, because the nodes in the message state identification and the message state matching tree are all serial numbers for carrying out unique identification on the character strings in the message, the child nodes in the message state matching tree and the message state identification can be determined. Actually, each message in the cache is identified, and the identification result is added into a corresponding target session structure body of the message. When a message corresponding to a session is identified, the completion of the identification of the session may be indicated.

Optionally, the executing body may further include the steps of:

First, an initial session structure is created in response to a match failure. The matching failure may be failure to determine to select the target session structure, and may characterize the message as the first identified message in the session to which the message belongs. The initial session structure may be created by: a session structure identification different from the session structure identifications of the respective session structures in the session structure library described above is determined as a unique identification of the created initial session structure. For example, the session structure identification of each session structure in the session structure library may be: [10001, 10002, 10003]. Then, the session structure identification of the initial session structure created above may be: "10004". The five-tuple information described above may then be added to the created initial session structure. The initial session structure created above may include a message state identification field for storing the state identification of the message.

As an example, the initial session structure created above may be "10004": "[ message Source IP: 192.1, message source port 2020, message destination IP: 192.2, packet destination port number 2021, session structure identity 10004, packet status identity: [0]]".

And step two, adding the message state identification of the message into the initial session structure body. Specifically, the message state identifier of the message may be added to the message state identification field in the initial session structure, and a message state identifier migration symbol "→" may be added.

As an example, the message status identifier of the above message may be: 1. then, the initial session structure added above may be "10004": "[ message Source IP: 192.1, message source port 2020, message destination IP: 192.2, packet destination port number 2021, session structure identity 10004, packet status identity: [0→ ① ] ].

With continued reference to fig. 4, fig. 4 illustrates a flow 400 of some embodiments of a session identification method according to the present disclosure. The session identification method comprises the following steps:

And step 401, extracting information from the cached message to obtain quintuple information.

Step 402, a target session structure matched with the session structure identification included in the quintuple information is matched from a preset session structure library.

In some embodiments, the specific implementation manner and the technical effects of the steps 401 to 402 may refer to the steps 201 to 202 in those embodiments corresponding to fig. 2, which are not described herein.

Step 403, in response to successful matching, carrying out message state identification on the message to obtain a message state identifier.

In some embodiments, the executing body performs message status identification on the message to obtain a message status identifier, and may include the following steps:

And carrying out message state identification on the target character string included in the message to generate a state identification serving as a message state identification. The message status recognition may be performed by an improved string recognition algorithm (e.g., HYPERSCAN block pattern recognition method). The improved character string recognition algorithm may be a node which introduces a state tree, and the recognition result of the character string recognition algorithm may be used as the state tree. The state tree can form a corresponding relation with the session, and each node corresponds to an identification result of one message in the session and is used for representing the state transition process of the message in the session.

Step 404, in response to determining that there is a match between the next-hop node identifier and the message state identifier in the preset next-hop node identifier list, determining a message transmission direction from the message state identifier to the matched next-hop node identifier.

In some embodiments, the executing body may determine, in response to determining that there is a match between a next-hop node identifier and a message status identifier in the preset next-hop node identifier list, a message transmission direction from the message status identifier to the matched next-hop node identifier. The next hop node identification list may be used to identify a message in the buffer corresponding to the above message. The message corresponding to the message may be: and the session to which the message belongs comprises the message. The matching may be that a next hop node identifier exists in the next hop node identifier list and is the same as the message state identifier. The message transmission direction (for example, the response direction or the request direction) from the determined message status identifier to the matched next-hop node identifier may be: and acquiring the transmission direction of the message stored in the node corresponding to the matched next hop node representation identifier.

In step 405, in response to determining that the message transmission direction is the same as the transmission direction corresponding to the message state identifier, the message transmission direction is added to the state tree as state information of the child node.

In some embodiments, the executing body may add the packet transmission direction as the state information of the child node to the state tree in response to determining that the packet transmission direction is the same as the transmission direction corresponding to the packet state identifier, where the target session structure may include the state tree. The state tree may also be a string. The root node of the state tree may be 0, and each child node corresponds to each message in the session to which the message belongs one by one, and is used for storing the message transmission direction of the message to represent the skip relationship between the message state identifiers. Therefore, the state tree may be used to record a skip relationship between the message from the message state identifier to the message matching identifier. The fact that the determined message transmission direction is the same as the transmission direction corresponding to the message state identifier can indicate that the message transmission direction is correct. The adding of the message transmission direction as the state information of the child node to the state tree may be: the message transmission direction (e.g., the request direction) is added to the state tree as state information of the child node.

As an example, the above state tree may be: [ root node: "0" →child node 1: "request direction" ].

In step 406, quintuple information is added to the target session structure to update the target session structure.

In some embodiments, the execution body may add the five-tuple information to the target session structure to update the target session structure.

As an example, the above five-tuple information may be: message source IP: 192.1, message source port 2020, message destination IP: 192.2, packet destination port number: 2021, session structure identity: 10]. The updated target session structure may be: "[ message Source IP: 192.1, message source port 2020, message destination IP: 192.2, packet destination port number 2021, session structure identity 10004, status tree: [ root node: "0" →child node 1: "request direction" ] ".

In some optional implementations of some embodiments, the execution body may further use a child node of the next-hop node that matches the packet status identifier in the packet status matching tree as a next-hop node to be matched, to obtain a next-hop node identifier list to be matched. The next hop node identification list to be matched is used for identifying the message corresponding to the message in the cache.

In some optional implementations of some embodiments, the execution body may further store a depth value of a next-hop node that matches the packet status identifier in the packet status matching tree to a node of the status tree corresponding to the packet. Specifically, as shown in fig. 3, the next-hop node that matches the packet status identifier ① may be ⑦. Then, the depth value of the message state matching tree may be 3.

In some optional implementations of some embodiments, the message may further include application information, and the execution body may further store the application information included in the message in a leaf node of the state tree to determine that the target session structure update is completed in response to determining that a next-hop node that matches the message state identifier is a leaf node of the message state matching tree. The updated target session structure is used for representing the identification result of the session corresponding to the message. Specifically, it is determined that the next-hop node that matches the packet status identifier is a leaf node of the packet status matching tree, which may indicate that the packet is the last identified packet in the session to which the packet belongs. The session to which the message belongs may also be characterized as being identified as completed.

As can be seen from fig. 4, the flow 400 of the session identification method of some embodiments corresponding to fig. 4 embodies the step of expanding the updating of the target session structure as described above, as compared to the description of some embodiments corresponding to fig. 2. Whether the identification result of the message state identifier is accurate or not can be determined according to a preset message state matching tree. A state tree is introduced to record the message transmission direction of the message and related information (e.g., depth values, application information, etc.). Used for representing the jump states of different messages in the same session. Therefore, in the case that one message is divided into a plurality of sections of message transmission, the jump state of the plurality of sections of messages can be recorded to represent the recognition result of the message. Thus, the recognition capability of the session is further improved. Further, the security of the network is improved.

With further reference to fig. 5, as an implementation of the method shown in the above figures, the present disclosure provides some embodiments of a session identification apparatus, which correspond to those method embodiments shown in fig. 2, and which are particularly applicable in various electronic devices.

As shown in fig. 5, the session identification apparatus 500 of some embodiments includes: an information extraction unit 501, a selection unit 502, a message state identification unit 503, and an update unit 504. The information extraction unit is configured to extract information from the cached message to obtain quintuple information, wherein the quintuple information comprises a session structure body identifier; a selection unit configured to match a target session structure matching a session structure identifier included in the five-tuple information from a preset session structure library; the message state identification unit is configured to respond to successful matching and identify the message state of the message to obtain a message state identifier; and an updating unit configured to update the target session structure based on the message state identifier and a preset message state matching tree.

In some optional implementations of some embodiments, the presentation data sending apparatus 500 further includes: an initial session structure creation unit (not shown in the figure) and an initial session structure addition unit (not shown in the figure), wherein the initial session structure creation unit is configured to create an initial session structure in response to a match failure; an initial session structure adding unit configured to add a message status identifier of the message to the initial session structure.

In some optional implementations of some embodiments, the message state identifying unit 503 is further configured to: and carrying out state recognition on the target character string included in the message to generate a state identifier serving as the message state recognition identifier.

In some alternative implementations of some embodiments, the target session structure includes a state tree; and the updating unit 504 is further configured to: determining a message transmission direction from the message state identifier to the matched next-hop node identifier in response to determining that the next-hop node identifier in the preset next-hop node identifier list is matched with the message state identifier; in response to determining that the message transmission direction is the same as the transmission direction corresponding to the message state identifier, adding the message transmission direction as state information of a child node into the state tree, wherein the state tree is used for recording a jump relationship from the message state identifier to the message matching identifier of the message; and adding the quintuple information into the target session structure body to update the target session structure body.

In some optional implementations of some embodiments, the updating unit 504 is further configured to: and taking the next-hop node matched with the message state identification as a child node in the message state matching tree to obtain a next-hop node identification list to be matched, wherein the next-hop node identification list to be matched is used for identifying the message corresponding to the message in the cache.

In some optional implementations of some embodiments, the updating unit 504 is further configured to: and storing the depth value of the next-hop node matched with the message state identification in the message state matching tree to the node of the state tree corresponding to the message.

In some optional implementations of some embodiments, the message further includes application information; and the updating unit 504 further includes: and a storage subunit (not shown in the figure) configured to store application information included in the message in the leaf nodes of the state tree to determine that the updating of the target session structure is completed in response to determining that the next-hop node matched with the message state identifier is a leaf node of the message state matching tree, where the updated target session structure is used to characterize an identification result of a session corresponding to the message.

It will be appreciated that the elements described in the apparatus 500 correspond to the various steps in the method described with reference to fig. 2. Thus, the operations, features and resulting benefits described above with respect to the method are equally applicable to the apparatus 500 and the units contained therein, and are not described in detail herein.

As shown in fig. 6, the electronic device 600 may include a processing means (e.g., a central processing unit, a graphics processor, etc.) 601, which may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage means 608 into a Random Access Memory (RAM) 603. In the RAM603, various programs and data required for the operation of the electronic apparatus 600 are also stored. The processing device 601, the ROM 602, and the RAM603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.

In general, the following devices may be connected to the I/O interface 605: input devices 606 including, for example, a touch screen, touchpad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, and the like; an output device 607 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 608 including, for example, magnetic tape, hard disk, etc.; and a communication device 609. The communication means 609 may allow the electronic device 600 to communicate with other devices wirelessly or by wire to exchange data. While fig. 6 shows an electronic device 600 having various means, it is to be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead. Each block shown in fig. 6 may represent one device or a plurality of devices as needed.

In particular, according to some embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, some embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such embodiments, the computer program may be downloaded and installed from a network via communications device 609, or from storage device 608, or from ROM 602. The above-described functions defined in the methods of some embodiments of the present disclosure are performed when the computer program is executed by the processing device 601.

It should be noted that, in some embodiments of the present disclosure, the computer readable medium may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In some embodiments of the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In some embodiments of the present disclosure, however, the computer-readable signal medium may comprise a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, fiber optic cables, RF (radio frequency), and the like, or any suitable combination of the foregoing.

In some embodiments, the clients, servers may communicate using any currently known or future developed network protocol, such as HTTP (HyperText Transfer Protocol ), and may be interconnected with any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), the internet (e.g., the internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed networks.

The computer readable medium may be contained in the electronic device; or may exist alone without being incorporated into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: extracting information from the cached message to obtain quintuple information, wherein the quintuple information comprises a session structure body identifier; matching a target session structure body matched with the session structure body identification included in the quintuple information from a preset session structure body library; responding to successful matching, carrying out message state identification on the message to obtain a message state identification; and updating the target session structure body based on the message state identification and a preset message state matching tree.

Computer program code for carrying out operations for some embodiments of the present disclosure may be written in one or more programming languages, including an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The units described in some embodiments of the present disclosure may be implemented by means of software, or may be implemented by means of hardware. The described units may also be provided in a processor, for example, described as: a processor includes an information extraction unit, a selection unit, a message state identification unit, and an update unit. The names of these units do not limit the unit itself in some cases, and for example, the updating unit may also be described as "a unit for updating the target session structure based on the packet status identifier and a preset packet status matching tree".

The functions described above herein may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), an Application Specific Standard Product (ASSP), a system on a chip (SOC), a Complex Programmable Logic Device (CPLD), and the like.

The foregoing description is only of the preferred embodiments of the present disclosure and description of the principles of the technology being employed. It will be appreciated by those skilled in the art that the scope of the invention in the embodiments of the present disclosure is not limited to the specific combination of the above technical features, but encompasses other technical features formed by any combination of the above technical features or their equivalents without departing from the spirit of the invention. Such as the above-described features, are mutually substituted with (but not limited to) the features having similar functions disclosed in the embodiments of the present disclosure.

Claims

1. A session identification method, comprising:

extracting information from the cached message to obtain quintuple information, wherein the quintuple information comprises a session structure body identifier;

Matching a target session structure body matched with a session structure body identifier included in the quintuple information from a preset session structure body library, wherein the target session structure body comprises a state tree;

Responding to successful matching, carrying out message state identification on the message to obtain a message state identification;

Updating the target session structure based on the message state identification and a preset message state matching tree, wherein the message state matching tree represents a set of migration conditions of messages in a network;

the updating the target session structure body based on the message state identifier and a preset message state matching tree comprises the following steps:

Taking a child node of the next-hop node matched with the message state identification in the message state matching tree as a next-hop node to be matched to obtain a next-hop node identification list to be matched, wherein the next-hop node identification list to be matched is used for identifying a message included in a session of a buffer memory to which the message belongs;

Determining a message transmission direction from the message state identifier to the matched next-hop node identifier in response to determining that the next-hop node identifier in the preset next-hop node identifier list is matched with the message state identifier;

In response to determining that the message transmission direction is the same as the transmission direction corresponding to the message state identifier, adding the message transmission direction as state information of a child node into the state tree, wherein the state tree is used for recording a jump relationship from the message state identifier to the message matching identifier of the message;

the five-tuple information is added to the target session structure to update a state tree in the target session structure.

2. The method of claim 1, wherein the method further comprises:

in response to a match failure, creating an initial session structure;

And adding the message state identification of the message into the initial session structure body.

3. The method of claim 1, wherein the performing the message state identification on the message to obtain the message state identifier includes:

And carrying out state recognition on the target character string included in the message to generate a state identifier serving as the message state recognition identifier.

4. The method of claim 1, wherein the updating the target session structure based on the message state identification and a preset message state matching tree further comprises:

And storing the depth value of the next-hop node matched with the message state identification in the message state matching tree to the node corresponding to the message in the state tree.

5. The method of claim 1, wherein the message further comprises application information; and

The method further comprises the steps of:

And in response to determining that the next-hop node matched with the message state identification is a leaf node of the message state matching tree, storing application information included in the message into the leaf node of the state tree to determine that the updating of the target session structure body is completed, wherein the updated target session structure body is used for representing the identification result of the session corresponding to the message.

6. A session identification apparatus comprising:

The information extraction unit is configured to extract information from the cached message to obtain quintuple information, wherein the quintuple information comprises a session structure body identifier;

A selection unit configured to match a target session structure body matched with a session structure body identifier included in the five-tuple information from a preset session structure body library, wherein the target session structure body includes a state tree;

the message state identification unit is configured to respond to successful matching, and perform message state identification on the message to obtain a message state identification;

an updating unit configured to update the target session structure based on the message state identifier and a preset message state matching tree;

7. An electronic device, comprising:

One or more processors;

a storage device having one or more programs stored thereon,

When executed by the one or more processors, causes the one or more processors to implement the method of any of claims 1-5.

8. A computer readable medium having stored thereon a computer program, wherein the program when executed by a processor implements the method of any of claims 1-5.