CN114006868B - Flow screening method and device - Google Patents
- Publication number: CN114006868B (application CN202111278074.8A)
- Authority: CN (China)
- Prior art keywords: rule, matching, address, source, flow
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2441—Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present disclosure relates to a traffic screening method, apparatus, electronic device and computer-readable medium. The method can be used in a flow control device and comprises: extracting message data from the traffic data; extracting the five-tuple information of the message data and preset bits of its source IP address; determining a target matching rule in a rule matching table of the flow control device based on the preset bits of the source IP address; and comparing the five-tuple information of the message data with the target matching rule to carry out traffic screening. The traffic screening method, traffic screening device, electronic device and computer-readable medium make the device more efficient when matching rules, so that the rule matching speed is improved and, at the same time, the matching performance of the random access memory (RAM) is improved.
Description
Technical Field
The present disclosure relates to the field of computer information processing, and in particular, to a traffic screening method, a traffic screening device, an electronic device, and a computer readable medium.
Background
Lawful monitoring and analysis of internet traffic, together with control of illegal traffic, is an effective means of maintaining network security, and equipment manufacturers have developed traffic filtering devices on this basis. The device is connected in series (inline) in the network; control items for different kinds of traffic are configured on it; internet traffic is classified, and the required traffic is forwarded to a back-end server for analysis, thereby realizing lawful supervision of the internet.
In the current network environment, traffic is screened by inserting the flow control device between two routers; traffic that meets the conditions is sent to an analysis server, and after analysis of its content is completed the traffic is returned to the flow control device and forwarded by it back into the original network environment.
The flow control device screens traffic mainly by establishing a series of control items from one or more fields of the packet's five-tuple (source IP, destination IP, layer-4 protocol, source port number and destination port number) and storing the control items in the device in the form of a table. When the five-tuple information of traffic received by the device conforms to a certain control item, that control item is regarded as the matching control item.
In general, traffic in a network environment is large in volume and its five-tuple information, such as IP addresses, varies widely, so efficient analysis of the traffic is required.
The above information disclosed in the background section is only for enhancement of understanding of the background of the disclosure and therefore it may include information that does not form the prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the disclosure provides a flow screening method, a device, an electronic device, and a computer readable medium, which can be used for a flow control device, and can be more efficient when the device matches a rule, so that the matching speed of the rule is improved, and meanwhile, the matching performance of a RAM is improved.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
According to an aspect of the present disclosure, a traffic screening method is provided, which may be used in a flow control device, and the method includes: extracting message data from the traffic data; extracting five-tuple information of the message data and preset bits of the source IP address; determining a target matching rule in a rule matching table of the flow control device based on the preset bits of the source IP address; and comparing the five-tuple information of the message data with the target matching rule to carry out traffic screening.
In an exemplary embodiment of the present disclosure, the method further comprises: establishing the rule matching table in a random access memory (RAM) of the flow control device; partitioning the addresses of the rule matching table based on the preset bits of the source IP address; reserving a plurality of rule entries for each address; and sequentially storing the plurality of matching rules into the rule matching table.
In an exemplary embodiment of the present disclosure, sequentially storing the plurality of matching rules into the rule matching table includes: extracting the rule identifiers of the plurality of matching rules and the preset bits of their source IP addresses; and sequentially storing the plurality of matching rules into the rule entries of the rule matching table based on the rule identifiers and the preset bits of the source IP addresses.
In an exemplary embodiment of the present disclosure, the method further comprises: acquiring an updated matching rule from a user; extracting the source IP address of the updated matching rule; determining, based on the source IP address, whether a remaining position exists in the corresponding rule entry of the rule matching table; and when a remaining position exists, storing the updated matching rule sequentially into the rule entries.
In an exemplary embodiment of the present disclosure, the method further comprises: when no remaining position exists but the random access memory has remaining capacity, storing the updated matching rule sequentially into the rule entries and moving the subsequent matching rules backward in order.
In an exemplary embodiment of the present disclosure, the method further comprises: generating warning information when no remaining position exists and the random access memory has no remaining capacity.
In an exemplary embodiment of the present disclosure, determining a target matching rule in the rule matching table of the flow control device based on the preset bits of the source IP address includes: determining a partition address in the rule matching table of the flow control device based on the preset bits of the source IP address; and searching within that partition address to determine the target matching rule.
In an exemplary embodiment of the present disclosure, searching within the partition address to determine the target matching rule includes: searching within the partition address of the random access memory of the flow control device to determine the target matching rule.
In an exemplary embodiment of the present disclosure, comparing the five-tuple information of the message data with the target matching rule to perform traffic screening includes: comparing the five-tuple information of the message data with the target matching rule; when the match succeeds, processing the message data according to a preset policy; and when the match fails, passing the message data through transparently.
According to an aspect of the present disclosure, a traffic screening apparatus is provided, usable in a flow control device, the apparatus comprising: a data module for extracting message data from the traffic data; an extraction module for extracting five-tuple information of the message data and preset bits of the source IP address; a rule module for determining a target matching rule in a rule matching table of the flow control device based on the preset bits of the source IP address; and a screening module for comparing the five-tuple information of the message data with the target matching rule so as to carry out traffic screening.
In an exemplary embodiment of the present disclosure, the apparatus further comprises a matching table module, configured to establish the rule matching table in a random access memory of the flow control device; partition the addresses of the rule matching table based on the preset bits of the source IP address; reserve a plurality of rule entries for each address; and sequentially store the plurality of matching rules into the rule matching table.
According to an aspect of the present disclosure, there is provided an electronic device including: one or more processors; a storage means for storing one or more programs; when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the methods as described above.
According to an aspect of the present disclosure, a computer-readable medium is presented, on which a computer program is stored, which program, when being executed by a processor, implements a method as described above.
According to the flow screening method, the flow screening device, the electronic equipment and the computer readable medium, message data are extracted from flow data; extracting five-tuple information of the message data and a preset bit of a source IP address; determining a target matching rule in a rule matching table of the flow control device based on the preset bit of the source IP address; the five-tuple information of the message data and the target matching rule are compared to perform flow screening, so that the efficiency can be improved when equipment matches the rule, the matching speed of the rule is improved, and the matching performance of the RAM is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are merely examples of the present disclosure and other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art.
Fig. 1 is a system block diagram illustrating a traffic screening method and apparatus according to an example embodiment.
Fig. 2 is a flow chart illustrating a method of traffic screening according to an exemplary embodiment.
Fig. 3 is a flow chart illustrating a traffic screening method according to another exemplary embodiment.
Fig. 4 is a schematic diagram illustrating a traffic screening method according to another exemplary embodiment.
Fig. 5 is a flow chart illustrating a traffic screening method according to another exemplary embodiment.
Fig. 6 is a block diagram illustrating a traffic screening device according to another exemplary embodiment.
Fig. 7 is a block diagram of an electronic device, according to an example embodiment.
Fig. 8 is a block diagram of a computer-readable medium shown according to an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments can be embodied in many forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the disclosed aspects may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another element. Accordingly, a first component discussed below could be termed a second component without departing from the teachings of the concepts of the present disclosure. As used herein, the term "and/or" includes any one of the associated listed items and all combinations of one or more.
Those skilled in the art will appreciate that the drawings are schematic representations of example embodiments and that the modules or flows in the drawings are not necessarily required to practice the present disclosure, and therefore, should not be taken to limit the scope of the present disclosure.
The technical abbreviations are explained as follows:
RAM: random access memory, an internal memory that exchanges data directly with the CPU; it can be read and written at any time, so it is fast.
Five-tuple: the source IP address, destination IP address, protocol, source port number, destination port number in the message are called five-tuple.
Layer-2 header: the header of a data packet as defined for Layer 2 (the data link layer) in the network communication protocol.
Layer-3 header: the header of a data packet at the network layer.
Layer-4 header: the header of a data packet at the transport layer.
The inventor of the present disclosure finds that in the existing scheme, the device first issues the rule through software and stores the five-tuple information of the rule into the RAM. When traffic enters the device, the parsing module matches the message against the rules in the RAM. During matching, the parsing module first extracts the five-tuple information of the message and then sends it to the RAM. After receiving the five-tuple information of the message, the RAM compares it with the five-tuple information stored when the device issued the rule. If they are consistent, the message is processed according to the service configuration; if they are inconsistent, the message is not processed and is passed through transparently.
In the current technical scheme, message matching needs to access all addresses of the RAM; when the message information is matched against the rules stored by the software, the RAM returns a matching result. This is inflexible in use, specifically in that:
1. rule matching requires traversing all RAM addresses;
2. search performance is affected when the traffic load is heavy.
In general, traffic in a network environment is large in volume and its five-tuple information, such as IP addresses, varies widely, so efficient analysis of the traffic is required. The method of the present disclosure will be described in detail with reference to specific examples.
Fig. 1 is a system block diagram illustrating a traffic screening method and apparatus according to an example embodiment.
As shown in fig. 1, the system architecture may include a router a, a router B, a flow control device, a network environment, and a server. The network environment is the medium used to provide communication links between router a, router B and the flow control devices, servers. Various connection types may be included in the network environment, such as wired, wireless communication links, or fiber optic cables, among others.
Router a, router B may receive traffic data from a user terminal, and may interact with the flow control device, server, through the network environment, to receive or transmit the traffic data.
The user terminal may have various communication client applications installed thereon, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, and the like. The user terminal may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The flow control device is used to acquire traffic data from router A and router B and to send the traffic that meets the conditions to the server for analysis; after the server finishes analysing the traffic content, the traffic is returned to the flow control device and forwarded by it to router A and router B in the original network environment. More specifically, the server may process traffic data from the flow control device according to built-in rules.
The flow control device may extract message data from the flow data, for example; the flow control device may, for example, extract five-tuple information of the message data and preset bits of the source IP address; the flow control device may determine a target matching rule in a rule matching table of the flow control device, e.g., based on a preset bit of the source IP address; the flow control device may, for example, compare the five-tuple information of the message data with the target matching rule for flow screening.
The flow control device may also, for example, build the rule matching table in a random access memory of the flow control device; partition the addresses of the rule matching table based on the preset bits of the source IP address; reserve a plurality of rule entries for each address; and sequentially store the plurality of matching rules into the rule matching table.
The flow control device may also, for example, obtain an updated matching rule from the user; extract the source IP address of the updated matching rule; determine, based on the source IP address, whether a remaining position exists in the corresponding rule entry of the rule matching table; and when a remaining position exists, store the updated matching rule sequentially into the rule entries.
The flow control device may be a single physical device or may be formed by a plurality of physical devices. It should be noted that the traffic screening method provided in the embodiments of the present disclosure may be executed by the flow control device, and accordingly the traffic screening apparatus may be disposed in the flow control device.
Fig. 2 is a flow chart illustrating a method of traffic screening according to an exemplary embodiment. The flow screening method 20 at least includes steps S202 to S208.
As shown in fig. 2, in S202, message data is extracted from traffic data.
In S204, five-tuple information of the message data and preset bits of the source IP address are extracted. A connection between two parties is identified by a network five-tuple, which is composed of the two parties' local triples of the same protocol family; the five-tuple is often referred to as a full association. The network five-tuple refers to: the protocol family (address family), local network address, local port, remote network address and remote port.
More specifically, after a message enters the flow control device, the parsing module built into the flow control device first extracts the five-tuple information of the message. In addition to the five-tuple information, the parsing module extracts a few bits of the message's source IP address; in the present application the following description takes the low 8 bits of the source IP address as those bits.
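The parsing step of S204 above, as an added Python example written for this page (it is not the patent's own parsing module): the function walks the layer-2, layer-3 and layer-4 headers of a raw Ethernet/IPv4 frame, returns the five-tuple together with the low 8 bits of the source IP, and rejects frames for which a five-tuple is undefined. The frame builder and every address and port in it are constructed test data; refusing non-first IP fragments, whose layer-4 ports are not present in the packet, is this example's assumption about how that edge case should be handled, not something the patent specifies.

```python
import struct
from typing import NamedTuple, Tuple

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


def parse_five_tuple(frame: bytes) -> Tuple[FiveTuple, int]:
    """Extract the five-tuple and the low 8 bits of the source IP from an
    Ethernet/IPv4/TCP-or-UDP frame (layer-2, layer-3 and layer-4 headers).
    Raises ValueError for anything the screening step cannot classify."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    ihl = (ip[0] & 0x0F) * 4            # header length, options included
    if ihl < 20 or len(ip) < ihl + 4:
        raise ValueError("truncated IPv4 header or missing L4 ports")
    (flags_frag,) = struct.unpack("!H", ip[6:8])
    if flags_frag & 0x1FFF:
        # Assumption of this example: non-first fragments carry no L4 header,
        # so the ports cannot be read and the frame is not classified here.
        raise ValueError("non-first IP fragment: ports unavailable")
    proto = ip[9]
    if proto not in (PROTO_TCP, PROTO_UDP):
        raise ValueError("ports are only defined for TCP/UDP")
    src, dst = ip[12:16], ip[16:20]
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    five = FiveTuple(".".join(map(str, src)), ".".join(map(str, dst)),
                     proto, src_port, dst_port)
    return five, src[3]                 # last octet == low 8 bits of the source IP


def build_frame(src_ip: str, dst_ip: str, proto: int, src_port: int,
                dst_port: int, frag_offset: int = 0) -> bytes:
    """Constructed test frame (not a capture): Ethernet + 20-byte IPv4 header
    without options + an 8-byte stub of the layer-4 header."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, frag_offset, 64, proto, 0, src, dst)
    l4 = struct.pack("!HH", src_port, dst_port) + bytes(4)
    return eth + ip + l4


if __name__ == "__main__":
    frame = build_frame("1.1.1.100", "2.2.2.2", PROTO_TCP, 1024, 5001)
    print(parse_five_tuple(frame))
```

Fragments matter for a screening device: a rule keyed on ports can only be compared against the first fragment, so the device needs an explicit policy for the remaining fragments (reassembly, or a rule that matches on addresses and protocol alone) rather than treating them as silently matching or non-matching.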
In S206, a target matching rule is determined in the rule matching table of the flow control device based on the preset bits of the source IP address: a partition address is determined in the rule matching table of the flow control device based on the preset bits of the source IP address, and a search is performed within that partition address to determine the target matching rule.
More specifically, searching within the partition address to determine the target matching rule includes searching within the partition address of the random access memory of the flow control device to determine the target matching rule.
The RAM may, for example, determine the storage location in the RAM according to the low 8 bits of the source IP and then retrieve the rules at the corresponding RAM addresses. For example, if the source IP is 2.0.0.1, its low 8 bits are 1; the RAM determines that the rules whose low 8 bits are 1 are in the first block and then traverses the addresses of the first block.
When the message enters the flow control device, the parsing module extracts the five-tuple information of the message and sends it to the RAM. After receiving the five-tuple, the RAM looks up an address table according to the low 8 bits of the source IP and then matches the five-tuple against those stored in the RAM between the start position and the end position recorded in the table. After the comparison, the RAM returns the result to the parsing module.
In S208, the five-tuple information of the packet data and the target matching rule are compared to perform traffic screening. The five-tuple information of the message data is compared with the target matching rule; when the match succeeds, the message data is processed according to a preset policy; and when the match fails, the message data is passed through transparently.
If no matching item exists, the device has not issued a corresponding rule; the traffic is not processed and is passed through transparently. If the comparison yields a match, the RAM returns the comparison result to the parsing module, and the message is processed according to the service action of the service to which the rule belongs.
According to the flow screening method disclosed by the disclosure, message data are extracted from flow data; extracting five-tuple information of the message data and a preset bit of a source IP address; determining a target matching rule in a rule matching table of the flow control device based on the preset bit of the source IP address; the five-tuple information of the message data and the target matching rule are compared to perform flow screening, so that the efficiency can be improved when equipment matches the rule, the matching speed of the rule is improved, and the matching performance of the RAM is improved.
It should be clearly understood that this disclosure describes how to make and use particular examples, but the principles of this disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
Fig. 3 is a flow chart illustrating a traffic screening method according to another exemplary embodiment. The flow 30 shown in fig. 3 is a complementary description of the flow shown in fig. 2.
As shown in fig. 3, in S302, the rule matching table is built in a random access memory of the flow control device.
In S304, an address is divided for the rule matching table based on the preset bit of the source IP address.
In S306, a plurality of rule entries are reserved for each address.
In S308, the plurality of matching rules are sequentially stored in the rule matching table. Rule identifications of a plurality of matching rules and preset bits of a source IP address can be extracted; and sequentially storing the plurality of matching rules into the rule entries of the rule matching table based on the rule identification and the preset bit of the source IP address.
When a rule is issued, it includes the five-tuple, the rule ID and the service number; when configuring a rule, the content of each tuple field only needs to be filled in according to the command-line prompt. After the rule is issued successfully, its five-tuple information and rule ID are stored in the RAM. At the same time, the software also stores a table in the RAM that records, for the source IP of the current rule, the start position and end position in the RAM, together with the rule ID and the starting position of the rule in the RAM; this table is updated in real time as rules are issued.
As shown in fig. 4, the RAM stores each five-tuple into the corresponding block of the RAM according to the low 8 bits of the source IP. For example, if the rule five-tuple issued by the user through the device is "1.1.1.1 2.2.2.2 1024 5001 6" and the rule ID is "1", the software stores the rule at the address corresponding to the 100th block of the RAM according to the low 8 bits of the source IP, namely the "100" of "1.1.1.100". Meanwhile, the software generates an address table from the rule ID, the low 8 bits of the source IP and the address at which the rule is stored. The start and end addresses of the rule in the RAM, and the rule's five-tuple information, can be confirmed by the rule ID.
In the traffic screening method of the present disclosure, the low 8 bits of a packet's source IP cover the range 0-255; when a rule is issued, the address at which the rule is stored is recorded in the RAM, so that the correct rule is found when it is retrieved.
Fig. 5 is a flow chart illustrating a traffic screening method according to another exemplary embodiment. The flow 50 shown in fig. 5 is a complementary description of the flow shown in fig. 2.
As shown in fig. 5, in S502, an updated matching rule is acquired.
In S504, it is determined whether the rule entry is full.
In S506, the updated matching rule is stored sequentially into the rule entry.
In S508, it is determined whether the total capacity of the RAM is full.
In S510, warning information is issued.
In S512, the updated matching rule is stored sequentially into the rule entries and the subsequent matching rules are moved backward in order.
In S514, the rule matching table is updated.
According to the method, in order to match the message five-tuple information against the device rules, the device stores the five-tuple information of each rule in the RAM. The RAM partitions its addresses according to the low 8 bits of the source IP in the five-tuple (256 blocks, 10 entries each), and the device also issues an address table to the RAM that stores the low 8 bits of the source IP, the start position and end position of the rule in the RAM, and the rule ID. When multiple rules are issued, the address table is refreshed synchronously.
Rules are stored in the RAM with a dequeue mechanism. For example, a rule whose source IP is 0.0.0.1 is stored at the first address of the first block of the RAM, and a rule whose source IP is 0.0.1.1 is stored at the second address of the first block. When all 10 addresses are full and a rule with source IP 0.0.10.1 is received, the capacity of the first block is exhausted, so the RAM judges whether total capacity remains; if so, the rules after the 10th rule are moved backward as a whole and the new rule is stored as the 11th; if the total capacity is full, FULL is prompted.
In the traffic screening method of the present disclosure, the RAM addresses are partitioned by the low 8 bits of the source IP, which improves packet matching speed; on retrieval only the corresponding start-to-end range of the RAM is traversed; and the dequeue mechanism for later-added rules guarantees that the addresses of rules sharing the same low 8 bits of the source IP remain contiguous.
Those skilled in the art will appreciate that all or part of the steps implementing the above described embodiments are implemented as a computer program executed by a CPU. The above-described functions defined by the above-described methods provided by the present disclosure are performed when the computer program is executed by a CPU. The program may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic disk or an optical disk, etc.
Furthermore, it should be noted that the above-described figures are merely illustrative of the processes involved in the method according to the exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
The following are device embodiments of the present disclosure that may be used to perform method embodiments of the present disclosure. For details not disclosed in the embodiments of the apparatus of the present disclosure, please refer to the embodiments of the method of the present disclosure.
Fig. 6 is a block diagram illustrating a traffic screening device according to another exemplary embodiment. As shown in fig. 6, the traffic screening device 60 includes: a data module 602, an extraction module 604, a rule module 606, a screening module 608, and a matching table module 610.
The data module 602 is configured to extract message data from the traffic data;
the extraction module 604 is configured to extract the five-tuple of the message data and a preset bit of the source IP address;
the rule module 606 is configured to determine a target matching rule in a rule matching table of the flow control device based on the preset bit of the source IP address;
the screening module 608 is configured to compare the five-tuple of the message data with the target matching rule to perform traffic screening.
The matching table module 610 is configured to establish the rule matching table in a random access memory (RAM) of the flow control device; divide addresses for the rule matching table based on the preset bit of the source IP address; reserve a plurality of rule entries for each address; and sequentially store the plurality of matching rules into the rule matching table.
According to the traffic screening device of the disclosure, message data is extracted from traffic data; the five-tuple of the message data and a preset bit of the source IP address are extracted; a target matching rule is determined in the rule matching table of the flow control device based on the preset bit of the source IP address; and the five-tuple of the message data is compared with the target matching rule to perform traffic screening, so that the device matches rules more efficiently, the rule matching speed is increased, and the matching performance of the RAM is improved.
Fig. 7 is a block diagram of an electronic device, according to an example embodiment.
An electronic device 700 according to such an embodiment of the present disclosure is described below with reference to fig. 7. The electronic device 700 shown in fig. 7 is merely an example and should not be construed to limit the functionality and scope of use of embodiments of the present disclosure in any way.
As shown in fig. 7, the electronic device 700 is embodied in the form of a general purpose computing device. Components of electronic device 700 may include, but are not limited to: at least one processing unit 710, at least one memory unit 720, a bus 730 connecting the different system components (including the memory unit 720 and the processing unit 710), a display unit 740, and the like.
The memory unit 720 stores program code executable by the processing unit 710, such that the processing unit 710 performs the steps described in this specification according to various exemplary embodiments of the present disclosure. For example, the processing unit 710 may perform the steps shown in figs. 2, 3 and 5.
The memory unit 720 may include readable media in the form of volatile memory units, such as Random Access Memory (RAM) 7201 and/or cache memory 7202, and may further include Read Only Memory (ROM) 7203.
The memory unit 720 may also include a program/utility 7204 having a set (at least one) of program modules 7205, such program modules 7205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 730 may represent one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
The electronic device 700 may also communicate with one or more external devices 700' (e.g., keyboard, pointing device, bluetooth device, etc.), devices that enable a user to interact with the electronic device 700, and/or any devices (e.g., routers, modems, etc.) with which the electronic device 700 can communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 750. Also, electronic device 700 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet, through network adapter 760. Network adapter 760 may communicate with other modules of electronic device 700 via bus 730. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 700, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
In summary, the method and device divide the RAM address space by the low 8 bits of the source IP, which speeds up message matching; on retrieval only the RAM range between the corresponding starting and ending positions is traversed; and the insertion mechanism used for rules added later keeps the addresses of rules sharing the same low 8 bits of source IP contiguous. Messages are covered for every low-octet value 0-255 of the source IP, and the address at which each rule is stored is recorded in the RAM when the rule is issued, so that the correct rule is found when it is searched.
In other words, the device matches the five-tuple of the message against its rules, whose five-tuples it has stored in the RAM. The RAM divides its addresses by the low 8 bits of the source IP in the five-tuple (256 blocks of 10 entries each), and the device also issues to the RAM an address table holding the low 8 bits of the source IP, the starting and ending positions of the rule in the RAM and the rule ID; when several rules are issued, the address table is refreshed in step with them. Rules are stored by an insertion mechanism: a rule with source IP 0.0.0.1 goes to the first address of the first block and a rule with source IP 0.0.1.1 to the second address of that block. When the 10 addresses of the first block are full and a rule with source IP 0.0.10.1 arrives, the RAM checks whether total capacity remains; if it does, every rule after the 10th is moved back one position as a whole and the new rule is stored in the 11th position, and if the total capacity is exhausted, FULL is prompted.
When a message enters the device, the parsing module extracts the five-tuple from the message and sends it to the RAM. On receiving the five-tuple, the RAM looks up the address table by the low 8 bits of the source IP, then compares the five-tuple against the five-tuples stored between the starting and ending positions given in the table, and returns the comparison result to the parsing module.
At configuration time a rule consists of a five-tuple, a rule ID and a service number, and the operator only needs to fill in the corresponding tuple fields as prompted by the command line. Once the rule is issued successfully, its five-tuple and rule ID are stored in the RAM. At the same time, the software stores a table in the RAM that records, for the current rule, the starting and ending positions for its source IP, the rule ID and the starting position of the rule in the RAM; this table is updated in real time as rules are issued. The RAM places the five-tuple in the block selected by the low 8 bits of the source IP. For example, when the user issues the five-tuple rule "1.1.1.100 2.2.2.2 1024 5001 6" with rule ID "1", the software stores it at the address corresponding to the 100th block of the RAM, because the low 8 bits of the source IP 1.1.1.100 are "100". The software also generates the address table entry from the rule ID, the low 8 bits of the source IP and the address at which the rule is stored, so the start and end addresses of the rule in the RAM and its five-tuple can be confirmed from the rule ID.
When a message is processed, its information is extracted first. After the message enters the device, the parsing module extracts its five-tuple and, from the source IP, also the low 8 bits of the source IP. The RAM then uses the low 8 bits of the source IP to determine the block in which matching rules would be stored and searches the rules at the corresponding addresses, comparing the five-tuple. For example, if the source IP is 2.0.0.1, the low 8 bits are 1; the RAM finds that rules whose low 8 bits are 1 reside in the first block and traverses the addresses of that block. If no entry matches, the device has issued no corresponding rule, the traffic is not processed and is passed through transparently; if a match is found, the RAM returns the comparison result to the parsing module, and the message is processed according to the business action of the service to which the rule belongs.
The scheme of the disclosure makes rule matching by the device more efficient, so the rule matching speed is increased and, at the same time, the matching performance of the RAM is improved.
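The rule-storage scheme described earlier in this section (256 blocks selected by the low 8 bits of the source IP, 10 entries per block, an address table of start and end positions refreshed on every issue, and the insertion mechanism that shifts later rules back when a block overflows) and the retrieval path described just above are modeled together in the following Python example. It is an added illustration written for this page, not code from the patent or its applicant. Everything the patent does not state is an assumption here: the five-tuple field order (src_ip, dst_ip, src_port, dst_port, proto), the source IP's last octet (0..255) as the block index, a flat RAM with the blocks laid out back to back and a configurable spare region after the last block standing in for the "remaining total capacity", exact five-tuple equality as the match, and the minimal constructed IPv4/TCP packet used to exercise the parsing step.

```python
"""Software model of the rule RAM described above (added example, not the patent's code).

Assumptions not stated in the patent: the five-tuple field order is
(src_ip, dst_ip, src_port, dst_port, proto); block b holds the rules whose source IP
has low 8 bits == b (0..255); the RAM is a flat array with the 256 blocks laid out
back to back, and a configurable spare region after block 255 stands in for the
"remaining total capacity" checked before an overflow insert.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, int]


@dataclass(frozen=True)
class Rule:
    rule_id: int
    key: FiveTuple
    service: int = 0  # service number: carried with the rule, not part of the match key


def low8(ip: str) -> int:
    """Low 8 bits of an IPv4 address (its last octet): the block index."""
    return int(ipaddress.IPv4Address(ip)) & 0xFF


def parse_five_tuple(raw: bytes) -> FiveTuple:
    """Parsing module: five-tuple of a raw IPv4 packet carrying TCP or UDP."""
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length in bytes
    proto = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])  # ports lead both TCP and UDP headers
    return (src, dst, sport, dport, proto)


class RuleRam:
    BLOCKS = 256

    def __init__(self, per_block: int = 10, spare: int = 64):
        self.capacity = self.BLOCKS * per_block + spare
        self.ram: List[Optional[Rule]] = [None] * self.capacity
        # Address table: block -> [start, end); end is the block's next free slot.
        self.addr: Dict[int, List[int]] = {
            b: [b * per_block, b * per_block] for b in range(self.BLOCKS)}
        self.by_id: Dict[int, int] = {}  # rule ID -> RAM position

    def block_span(self, b: int) -> Tuple[int, int]:
        return (self.addr[b][0], self.addr[b][1])

    def issue(self, rule: Rule) -> str:
        """Rule issue, steps S502-S514 of fig. 5. Returns "OK" or "FULL"."""
        b = low8(rule.key[0])
        end = self.addr[b][1]
        limit = self.addr[b + 1][0] if b + 1 < self.BLOCKS else self.capacity
        if end >= limit:                            # S504: block's reserved entries are full
            last_used = self.addr[self.BLOCKS - 1][1]
            if last_used >= self.capacity:          # S508: total capacity is full
                return "FULL"                       # S510: alert, nothing stored
            # S512: move every later rule back one slot and refresh the address table
            self.ram[end + 1:last_used + 1] = self.ram[end:last_used]
            for x in range(b + 1, self.BLOCKS):
                self.addr[x][0] += 1
                self.addr[x][1] += 1
            for rid, pos in self.by_id.items():
                if pos >= end:
                    self.by_id[rid] = pos + 1
        self.ram[end] = rule                        # S506/S512: stored in sequence
        self.addr[b][1] = end + 1                   # S514: rule matching table updated
        self.by_id[rule.rule_id] = end
        return "OK"

    def locate(self, rule_id: int) -> Optional[int]:
        """Position of a rule in RAM, found through its rule ID."""
        return self.by_id.get(rule_id)

    def match(self, pkt: FiveTuple) -> Optional[Rule]:
        """Retrieval: select the block by low 8 bits, then scan only start..end."""
        start, end = self.addr[low8(pkt[0])]
        for pos in range(start, end):
            rule = self.ram[pos]
            if rule is not None and rule.key == pkt:
                return rule
        return None                                 # no rule issued: transparent pass-through


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample packet: minimal IPv4 header (IHL=5, proto 6) plus a TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!HH", sport, dport) + bytes(16)


if __name__ == "__main__":
    ram = RuleRam()
    # The patent's example: source IP 1.1.1.100 -> low 8 bits 100 -> block 100
    ram.issue(Rule(1, ("1.1.1.100", "2.2.2.2", 1024, 5001, 6), service=1))
    print("rule 1 at RAM position", ram.locate(1), "block 100 span", ram.block_span(100))
    pkt = parse_five_tuple(build_ipv4_tcp("1.1.1.100", "2.2.2.2", 1024, 5001))
    hit = ram.match(pkt)
    print("match:", hit.rule_id if hit else "none, pass through")
```

Running the file issues the patent's example rule (source IP 1.1.1.100, hence block 100), parses a constructed packet for the same flow and prints the hit. Two properties of the scheme are visible in the code: lookup cost is bounded by the length of one block, which grows only when that block overflows, and an overflow insert is a memmove of every later rule plus a refresh of every later address-table entry, so a rule set skewed toward one low source octet degrades both operations; in the FULL case the rule is refused and the table is left unchanged.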
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, as shown in fig. 8, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, or a network device, etc.) to perform the above-described method according to the embodiments of the present disclosure.
The software product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium other than a readable storage medium that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The computer-readable medium carries one or more programs which, when executed by one of the devices, cause the device to perform the following functions: extracting message data from the traffic data; extracting the five-tuple of the message data and a preset bit of the source IP address; determining a target matching rule in a rule matching table of the flow control device based on the preset bit of the source IP address; and comparing the five-tuple of the message data with the target matching rule to carry out traffic screening. The computer-readable medium may also implement the following functions: establishing the rule matching table in a random access memory of the flow control device; dividing addresses for the rule matching table based on the preset bit of the source IP address; reserving a plurality of rule entries for each address; and sequentially storing the plurality of matching rules into the rule matching table. The computer-readable medium may also implement the following functions: acquiring an updated matching rule from a user; extracting the source IP address of the updated matching rule; determining, based on the source IP address, whether a remaining position exists in the corresponding rule entry of the rule matching table; and, when a remaining position exists, storing the updated matching rule in sequence into the rule entry.
Those skilled in the art will appreciate that the modules may be distributed throughout several devices as described in the embodiments, and that corresponding variations may be implemented in one or more devices that are unique to the embodiments. The modules of the above embodiments may be combined into one module, or may be further split into a plurality of sub-modules.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or in combination with the necessary hardware. Thus, the technical solutions according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and include several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that this disclosure is not limited to the particular arrangements, instrumentalities and methods of implementation described herein; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
Claims (7)
1. A flow screening method for a flow control device, comprising:
Extracting message data from the flow data;
Extracting five-tuple information of the message data and a preset bit of a source IP address;
Determining a target matching rule in a rule matching table of the flow control device based on the preset bit of the source IP address, comprising: establishing the rule matching table in a random access memory of the flow control device, determining a division address in the rule matching table of the flow control device based on the preset bit of the source IP address, reserving a plurality of rule entries for each address, sequentially storing the plurality of matching rules into the rule matching table, and searching within the division address of the random access memory of the flow control device to determine the target matching rule;
and comparing the five-tuple information of the message data with the target matching rule to carry out flow screening.
2. The method of claim 1, wherein sequentially storing the plurality of matching rules into the rule matching table comprises:
Extracting the rule identifier and the preset bit of the source IP address of each of the plurality of matching rules;
And sequentially storing the plurality of matching rules into the rule entries of the rule matching table based on the rule identifiers and the preset bits of the source IP addresses.
3. The method as recited in claim 1, further comprising:
acquiring an update matching rule from a user;
extracting a source IP address of the updated matching rule;
Determining, based on the source IP address, whether a remaining position exists in the corresponding rule entry of the rule matching table;
and when a remaining position exists, storing the updated matching rule in sequence into the rule entry.
4. A method as claimed in claim 3, comprising:
When no remaining position exists and there is remaining capacity in the random access memory, storing the updated matching rule in sequence into the rule entry and moving the subsequent matching rules back one position in order.
5. A method as recited in claim 3, further comprising:
and generating warning information when no remaining position exists and there is no remaining capacity in the random access memory.
6. The method of claim 1, wherein comparing the five-tuple information of the message data with the target matching rule for traffic screening comprises:
comparing the five-tuple information of the message data with the target matching rule;
When the matching is successful, the message data is processed according to a preset strategy;
and when the matching is unsuccessful, the message data is transmitted through.
7. A flow screening apparatus for a flow control device, comprising:
the data module is used for extracting message data from the flow data;
The extraction module is used for extracting quintuple information of the message data and preset bits of a source IP address;
a rule module, configured to determine a target matching rule in a rule matching table of the flow control device based on the preset bit of the source IP address, including: determining a division address in the rule matching table of the flow control device based on the preset bit of the source IP address, and searching within the division address of a random access memory of the flow control device to determine the target matching rule;
a matching table module, configured to establish the rule matching table in the random access memory of the flow control device; divide addresses for the rule matching table based on the preset bit of the source IP address; reserve a plurality of rule entries for each address; and sequentially store the plurality of matching rules into the rule matching table;
and the screening module is used for comparing the five-tuple information of the message data with the target matching rule so as to carry out flow screening.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111278074.8A CN114006868B (en) | 2021-10-30 | 2021-10-30 | Flow screening method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111278074.8A CN114006868B (en) | 2021-10-30 | 2021-10-30 | Flow screening method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114006868A CN114006868A (en) | 2022-02-01 |
CN114006868B true CN114006868B (en) | 2024-04-26 |
Family
ID=79925940
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111278074.8A Active CN114006868B (en) | 2021-10-30 | 2021-10-30 | Flow screening method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114006868B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115225544A (en) * | 2022-07-19 | 2022-10-21 | 武汉思普崚技术有限公司 (Wuhan Sipuling Technology Co., Ltd.) | Network flow counting and monitoring method, device, electronic equipment and medium |
CN117633551A (en) * | 2023-12-07 | 2024-03-01 | 武汉中航通用科技有限公司 (Wuhan Zhonghang General Technology Co., Ltd.) | Method for carrying out matching detection on real-time message |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1913495A (en) * | 2006-08-28 | 2007-02-14 | 杭州华为三康技术有限公司 (Hangzhou Huawei-3Com Technology Co., Ltd.) | Data conversion method and device |
CN102387160A (en) * | 2011-12-13 | 2012-03-21 | 曙光信息产业(北京)有限公司 (Dawning Information Industry (Beijing) Co., Ltd.) | System and method based on IP message quintuple filtering strategy |
CN110855629A (en) * | 2019-10-21 | 2020-02-28 | 新华三信息安全技术有限公司 (New H3C Security Technologies Co., Ltd.) | Matching method of IP address, generating method of matching table and related device |
CN111711577A (en) * | 2020-07-24 | 2020-09-25 | 杭州迪普信息技术有限公司 (Hangzhou DPtech Information Technology Co., Ltd.) | Message forwarding method and device of flow control equipment |
CN111817960A (en) * | 2020-07-23 | 2020-10-23 | 杭州迪普信息技术有限公司 (Hangzhou DPtech Information Technology Co., Ltd.) | Message forwarding method and device of flow control equipment |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090141716A1 (en) * | 2007-11-30 | 2009-06-04 | Hangzhou H3C Technologies Co., Ltd. | Method and apparatus for packet rule matching |
US9219694B2 (en) * | 2013-03-15 | 2015-12-22 | Wisconsin Alumni Research Foundation | Content addressable memory with reduced power consumption |
US10154062B2 (en) * | 2015-09-25 | 2018-12-11 | Nxp Usa, Inc. | Rule lookup using predictive tuples based rule lookup cache in the data plane |
US11343187B2 (en) * | 2017-12-05 | 2022-05-24 | Intel Corporation | Quantitative exact match distance in network flows |
Non-Patent Citations (2)
Title |
---|
Accelerating Packet Classification with Counting Bloom Filters for Virtual Open Flow Switching; Jinyuan Zhao; Zhigang Hu; Bing Xiong; Keqin Li; China Communications (中国通信), Issue 10; full text * |
Research and Implementation of the ACL Function in MDU Devices (ACL功能在MDU设备中研究与实现); Chen Changqi (陈昌奇); Wu Junping (吴军平); Electronic Design Engineering (电子设计工程), Issue 02; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN114006868A (en) | 2022-02-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11243973B2 (en) | Automated scalable contextual data collection and extraction system | |
CN114006868B (en) | Flow screening method and device | |
JP6734946B2 (en) | Method and apparatus for generating information | |
CN111400504B (en) | Method and device for identifying enterprise key people | |
WO2012030411A1 (en) | Method for classification of objects in a graph data stream | |
CN107733894B (en) | Comparison method, system, equipment and storage medium of logical interface message | |
US9009782B2 (en) | Steering traffic among multiple network services using a centralized dispatcher | |
CN111314063A (en) | Big data information management method, system and device based on Internet of things | |
US20170053019A1 (en) | System to organize search and display unstructured data | |
CN111107181B (en) | NAT rule matching method and device, electronic equipment and storage medium | |
CN107295086A (en) | Collect group session anti-loss method and system | |
CN114640508B (en) | Network anti-fraud method and device | |
CN114006831B (en) | Message data processing method and device | |
CN110110099A (en) | A kind of multimedia document retrieval method and device | |
CN113656731B (en) | Advertisement page processing method and device, electronic equipment and storage medium | |
CN116600031B (en) | Message processing method, device, equipment and storage medium | |
CN113079165B (en) | Access processing method and device | |
CN114363257B (en) | Five-tuple matching method and device for tunnel message | |
CN112887442B (en) | Method and device for processing domain name resolution query request | |
CN115150331B (en) | Information processing method, information processing device, electronic device, and medium | |
CN115174367B (en) | Service system boundary determining method and device, electronic equipment and storage medium | |
Liu et al. | Defense against malicious URL spreading in micro‐blog network with hub nodes | |
US11671456B2 (en) | Natural language processing systems and methods for automatic reduction of false positives in domain discovery | |
CN109240565A (en) | Self-teaching matching process and device | |
CN114513466A (en) | Session processing method and device for load balancing equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||