CN114285634B - Depth detection method, device, medium and monitoring system for data message - Google Patents


Info

Publication number
CN114285634B
Authority
CN
China
Prior art keywords
message
detection result
fpga
protocol stack
detected
Legal status
Active
Application number
CN202111587759.0A
Other languages
Chinese (zh)
Other versions
CN114285634A (en)
Inventor
范维庭
Current Assignee
Beijing Armyfly Technology Co Ltd
Original Assignee
Beijing Armyfly Technology Co Ltd


Abstract

Embodiments of the invention disclose a depth detection method, device, medium and monitoring system for data packets. The method is executed by a CPU in a data packet monitoring system and comprises the following steps: storing a received packet that is to be depth-detected in a target memory area of kernel space, and notifying a user protocol stack in the CPU of the target storage address of that memory area; then performing depth detection on the packet in the target storage area matching that address through the user protocol stack, to obtain a detection result packet. The technical solution of the embodiments improves the CPU's depth detection capability for data packets and the performance of the network security monitoring system.

Description

Depth detection method, device, medium and monitoring system for data message
Technical Field
Embodiments of the invention relate to computer technology, and in particular to a depth detection method, device, medium and monitoring system for data packets.
Background
In existing network security devices, general packet inspection is usually performed by an FPGA, which analyses the contents at layer 4 and below of the IP packet (source address, destination address, source port, destination port and protocol type), while deep packet inspection (DPI) is performed by a CPU; DPI adds application-layer analysis to identify the various applications and their contents.
At present, when the CPU in a network security device performs depth detection on a packet, the kernel protocol stack and the user protocol stack work together to carry out the depth detection of the data packet.
In the process of realising the invention, the inventor found the following defect in the prior art: the traditional kernel protocol stack has many performance bottlenecks in processing network data packets, such as loss of locality, interrupt handling, kernel copying and the overhead of system calls, which seriously affect the sending and receiving of data packets and therefore limit the depth detection capability of the CPU assisting the FPGA and the performance of the network security monitoring system.
Disclosure of Invention
Embodiments of the invention provide a depth detection method, device, medium and monitoring system for data packets, which improve the depth detection capability of the CPU (central processing unit) for data packets and the performance of the network security monitoring system.
In a first aspect, an embodiment of the invention provides a depth detection method for data packets, executed by a CPU in a data packet monitoring system, the method comprising:
storing a received packet to be depth-detected in a target memory area of kernel space, and notifying a user protocol stack in the CPU of the target storage address of the target memory area;
and performing depth detection on the packet in the target storage area matching the target storage address through the user protocol stack, to obtain a detection result packet.
Further, a depth detection program is registered in advance in the user protocol stack of the CPU, the depth detection program being used to detect packets above the transport layer protocol;
and performing depth detection on the packet in the target storage area matching the target storage address through the user protocol stack comprises:
executing the depth detection program through the user protocol stack, thereby performing depth detection on the packet in the target storage area matching the target storage address.
Further, before storing the received packet to be depth-detected in the target memory area of kernel space, the method further comprises:
receiving a packet to be depth-detected sent by an FPGA in the data packet monitoring system, the packet having been obtained after the FPGA performs detection at the transport layer and below on an original packet received by a switching module;
and after performing depth detection on the packet in the target storage area matching the target storage address through the user protocol stack to obtain a detection result packet, the method further comprises:
through the user protocol stack, when it is determined that the detection result packet meets the forwarding condition, writing the detection result packet back into the target memory area;
and acquiring the detection result packet from the target memory area and sending it to the FPGA, so that the FPGA sends the detection result packet to the switching module for forwarding.
Further, after performing depth detection on the packet in the target storage area matching the target storage address through the user protocol stack to obtain a detection result packet, the method further comprises:
clearing the target memory area when the user protocol stack determines that the detection result packet does not meet the forwarding condition.
Further, storing the received packet to be depth-detected in a target memory area of kernel space and notifying the user protocol stack in the CPU of the target storage address of the target memory area comprises:
storing the received packet to be depth-detected in the target memory area of kernel space through a driver unit, and notifying the user protocol stack in the CPU of the target storage address of the target memory area;
and acquiring the detection result packet from the target memory area and sending it to the FPGA comprises:
acquiring the detection result packet from the target memory area through the driver unit, and sending the detection result packet to the FPGA.
Further, the method further comprises:
acquiring access control list rules through the user protocol stack, and issuing the access control list rules to the FPGA;
the access control list rules being the rules the FPGA uses when performing detection at the transport layer and below.
In a second aspect, an embodiment of the invention further provides a depth detection device for data packets, the device comprising:
a packet storage module, used to store a received packet to be depth-detected in a target memory area of kernel space and to notify a user protocol stack in the CPU of the target storage address of the target memory area;
and a packet depth detection module, used to perform depth detection on the packet in the target storage area matching the target storage address through the user protocol stack, to obtain a detection result packet.
In a third aspect, an embodiment of the invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the depth detection method for data packets according to any embodiment of the invention.
In a fourth aspect, an embodiment of the invention further provides a network data packet monitoring system comprising a switching module, an FPGA and a CPU;
the switching module is used to receive an original packet and send it to the FPGA, or to receive a detection result packet sent by the FPGA and forward it;
the FPGA is used to receive the original packet sent by the switching module and the access control list rules issued by the user protocol stack, to perform detection at the transport layer and below on the original packet according to the access control list rules to obtain a packet to be depth-detected, and to send that packet to the CPU; or to receive a detection result packet sent by the CPU and send it to the switching module;
and the CPU is used to implement the depth detection method for data packets according to any embodiment of the invention.
Further, the switching module comprises a first port and a second port;
the first port is used to receive the original packet and send it to the FPGA;
and the second port is used to receive the detection result packet sent by the FPGA and forward it.
In the embodiments of the invention, a CPU in a data packet monitoring system stores a received packet to be depth-detected in a target memory area of kernel space and notifies the user protocol stack in the CPU of the target storage address of that area; the user protocol stack then performs depth detection on the packet in the target storage area matching that address to obtain a detection result packet. This technical means solves the problem that, when the CPU receives data packets and performs depth detection through the user protocol stack, performance of the network security monitoring system is wasted on loss of locality, interrupt handling, kernel copying, system calls and the like, thereby improving the CPU's depth detection capability for data packets and the performance of the network security monitoring system.
Drawings
Fig. 1A is a flowchart of a depth detection method for data packets according to a first embodiment of the invention;
Fig. 1B is a diagram of a specific application scenario for detection at the transport layer and below according to an embodiment of the invention;
Fig. 1C is a diagram of a specific application scenario for packet depth detection according to the first embodiment of the invention;
Fig. 2 is a schematic structural diagram of a depth detection device for data packets according to a second embodiment of the invention;
Fig. 3 is a schematic structural diagram of a network data packet monitoring system according to a fourth embodiment of the invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Example 1
Fig. 1A is a flowchart of a depth detection method for data packets according to an embodiment of the invention. The method may be performed by a CPU in a data packet monitoring system, or by a depth detection device for data packets that may be implemented in software and/or hardware and is generally integrated in the data packet monitoring system. It specifically comprises the following steps:
S110: store the received packet to be depth-detected in a target memory area of kernel space, and notify the user protocol stack in the CPU of the target storage address of the target memory area.
A packet to be depth-detected may be a packet whose application layer needs to be analysed to identify the application and its content, beyond the source address, destination address, source port, destination port and protocol type already checked. The target memory area may be the storage area in the CPU for the packet to be depth-detected. The target memory address may be the memory address corresponding to the target memory area, for example a memory directory address.
Specifically, the method may receive the packet to be depth-detected, store it in a target memory area of the CPU's kernel space, and notify the user protocol stack in the CPU of the target memory address corresponding to that area.
Before storing the received packet to be depth-detected in the target memory area of kernel space, the method may further comprise receiving a packet to be depth-detected sent by the FPGA in the data packet monitoring system.
The packet to be depth-detected may be obtained after the FPGA performs detection at the transport layer and below on an original packet received through the switching module. An original packet is an unprocessed packet received by a receiving port of the switching module in network communication.
Optionally, after the FPGA of the data packet monitoring system has checked and filtered the original packets received by the switching module at the transport layer and below, it obtains the packets to be depth-detected, which may then be sent to the CPU for depth detection.
As an example, Fig. 1B is a schematic diagram of a specific application scenario for detection at the transport layer and below according to an embodiment of the invention. A security filter program is pre-programmed into the FPGA and matching system software is installed; through the system software, the basic IP filtering function is configured on the FPGA for a designated switch port. Protocol packets and other packets are routed in at that switch port (that is, the original packets are received at that switch port), and the other switch port sees only the normal packets that remain after the IP packets not allowed to pass have been filtered out (that is, the other switch port forwards the normal packets that the security filter program has checked at the transport layer and below).
The security filter program detects the original packets at the transport layer and below. The original packets in this application scenario do not need depth detection.
Specifically, a switch port of the switching module receives the original packets; the CPU issues the access control list rules to the FPGA, the access control list is searched quickly by a ternary content addressable memory (TCAM), and the FPGA is thereby assisted in a preliminary packet check that filters out IP packets containing sensitive information, leaving the normal packets; these are then forwarded normally through another switch port of the switching module.
S120: perform depth detection on the packet in the target storage area matching the target storage address through the user protocol stack, to obtain a detection result packet.
The target storage area may be the storage area corresponding to the target storage address. The detection result packet may be the packet that remains after the application and content of the packet to be depth-detected have been inspected and unsafe packets have been screened out.
Specifically, after receiving the storage notification for the packet to be depth-detected, the user protocol stack may directly perform depth detection on the currently processed packet in the target storage area matching its target storage address, thereby obtaining a detection result packet.
Optionally, a depth detection program is registered in advance in the user protocol stack of the CPU, the depth detection program being used to detect packets above the transport layer protocol. On this basis, in an optional implementation of this embodiment, performing depth detection on the packet in the target storage area matching the target storage address through the user protocol stack may comprise: executing the depth detection program through the user protocol stack, thereby performing depth detection on the packet in the target storage area matching the target storage address.
The depth detection program may be a pre-written program that is registered in advance in the user protocol stack of the CPU.
Specifically, depth detection of the currently processed packet can be performed directly, by executing the depth detection program pre-registered in the user protocol stack, in the target storage area matching the packet's target storage address. It should be noted that when a traditional CPU assists the FPGA in performing depth detection on data packets, part of the detection is performed by the kernel protocol stack and part by the user protocol stack.
Optionally, after performing depth detection on the packet in the target storage area matching the target storage address through the user protocol stack to obtain a detection result packet, the method further comprises: through the user protocol stack, when it is determined that the detection result packet meets the forwarding condition, writing the detection result packet back into the target memory area; and acquiring the detection result packet from the target memory area and sending it to the FPGA, so that the FPGA sends the detection result packet to the switching module for forwarding.
The forwarding condition may be that the content of the currently obtained detection result packet contains nothing illegal or non-compliant.
Specifically, after the detection result packet is obtained, whether it can be forwarded is judged; if so, the detection result packet can be written back directly into the target memory area by the user protocol stack, then fetched from the target memory area and sent to the FPGA, which sends it to the switching module for normal forwarding. Correspondingly, when the user protocol stack determines that the detection result packet does not meet the forwarding condition, the target memory area is cleared, which can be understood as clearing the non-forwardable detection result packet from the target memory area.
In another case, for a detection result packet that meets the forwarding condition, if there is a request to modify its forwarding destination address, the packet header of the detection result packet may be modified by the depth detection program pre-registered in the user protocol stack, so as to implement the modified forwarding logic.
In an optional implementation of this embodiment, on the basis of the above operations, storing the received packet to be depth-detected in the target memory area of kernel space and notifying the user protocol stack in the CPU of the target storage address of the target memory area may comprise:
storing the received packet to be depth-detected in the target memory area of kernel space through a driver unit, and notifying the user protocol stack in the CPU of the target storage address of the target memory area; and acquiring the detection result packet from the target memory area and sending it to the FPGA comprises: acquiring the detection result packet from the target memory area through the driver unit and sending it to the FPGA.
The driver unit may be a DPDK driver unit or a Netmap driver unit.
Specifically, the driver unit of the CPU may store the received packet to be depth-detected in the target memory area of kernel space and notify the user protocol stack of the target memory address of that area. After the user protocol stack has performed depth detection on the packet to obtain a detection result packet and has stored the detection result packet meeting the forwarding condition in the target memory area, the detection result packet can be taken out of the target memory area through the driver unit and sent to the FPGA.
As an example, Fig. 1C is a diagram of a specific application scenario for packet depth detection according to the first embodiment of the invention. A security filter program is pre-programmed into the FPGA and matching system software is installed; through the system software, the depth filtering function for a designated switch port is configured on the FPGA (in this scenario the depth filtering is completed with the assistance of the CPU); protocol packets and other packets are routed in at that switch port. The other switch port then sees the normal packets that remain after the IP packets not allowed to pass have been filtered out (that is, the other switch port forwards the normal packets after the security filter program has checked them at the transport layer and below; the packets requiring depth detection are handled with the assistance of the CPU).
Specifically, a switch port of the switching module receives the original packets; the access control list rules are issued to the FPGA through the user protocol stack; the access control list is searched quickly by the TCAM to assist the FPGA in a preliminary check that filters out packets containing sensitive information, yielding the packets to be depth-detected; these are stored in a memory area of the CPU's kernel space through the Netmap driver; the user protocol stack then performs depth detection through the pre-registered depth detection program to obtain detection result packets; and the user protocol stack writes the detection result packets that meet the forwarding condition back into the memory area, from which they are sent to the FPGA through the Netmap driver and forwarded normally through the switching module.
In this technical solution, a CPU in a data packet monitoring system stores a received packet to be depth-detected in a target memory area of kernel space and notifies the user protocol stack in the CPU of the target storage address of that area; the user protocol stack then performs depth detection on the packet in the target storage area matching that address to obtain a detection result packet. This technical means solves the problem that, when the CPU receives data packets and performs depth detection through the user protocol stack, performance of the network security monitoring system is wasted on loss of locality, interrupt handling, kernel copying and system calls, thereby improving the CPU's depth detection capability for data packets and the performance of the network security monitoring system.
On the basis of the above technical solution, the depth detection method for data packets may further comprise: acquiring access control list rules through the user protocol stack, and issuing the access control list rules to the FPGA;
the access control list rules being the rules the FPGA uses when performing detection at the transport layer and below.
Specifically, the access control list rules can be issued to the FPGA through the depth detection program pre-registered in the user protocol stack, and the FPGA can perform detection at the transport layer and below according to the access control list rules.
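As an added example, not code from the patent or from Beijing Armyfly, the following C program models the two stages of the embodiment above: a TCAM-style five-tuple access control list lookup standing in for the FPGA's detection at the transport layer and below, and a depth detection program that runs in place on the target memory area and either leaves the packet there for the driver to return to the FPGA or clears the area. Every name, the two signatures, the rules and the frames are constructed for illustration, and a memcpy stands in for the driver placing the packet in the area.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Target memory area: the driver (DPDK/Netmap style) puts the packet here; the user stack inspects it in place. */
#define AREA_SIZE 2048
struct mem_area { uint8_t buf[AREA_SIZE]; size_t len; };
enum { SRC, DST, SPORT, DPORT, PROTO, NFIELDS };            /* five-tuple field order */
struct tuple5 { uint32_t f[NFIELDS]; };
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Headers at the transport layer and below (the FPGA's part): payload offset of an Ethernet/IPv4/TCP frame, or -1. */
static int parse_headers(const uint8_t *p, size_t len, struct tuple5 *t)
{
    if (len < 54 || rd16(p + 12) != 0x0800) return -1;                /* IPv4 over Ethernet only */
    const uint8_t *ip = p + 14; size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6 || 14 + ihl + 20 > len) return -1;
    const uint8_t *tcp = ip + ihl; size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || 14 + ihl + doff > len) return -1;                /* length fields must stay inside the frame */
    t->f[SRC] = rd32(ip + 12); t->f[DST] = rd32(ip + 16); t->f[PROTO] = ip[9];
    t->f[SPORT] = rd16(tcp);   t->f[DPORT] = rd16(tcp + 2);
    return (int)(14 + ihl + doff);
}

/* TCAM-style ACL entry: a field matches when ((pkt ^ value) & mask) == 0; the first matching entry wins. */
enum acl_action { ACL_PASS, ACL_DROP, ACL_TO_DPI };
struct acl_rule { struct tuple5 val, mask; enum acl_action action; };
static enum acl_action acl_lookup(const struct acl_rule *r, size_t n, const struct tuple5 *t)
{
    for (size_t i = 0; i < n; i++) {
        int j = 0;
        while (j < NFIELDS && ((t->f[j] ^ r[i].val.f[j]) & r[i].mask.f[j]) == 0) j++;
        if (j == NFIELDS) return r[i].action;
    }
    return ACL_PASS;   /* no entry: ordinary traffic is switched straight through */
}

enum outcome { OUT_PASS, OUT_DROP, OUT_DPI_FORWARD, OUT_DPI_CLEARED, OUT_MALFORMED };
static const char *const SENSITIVE[] = { "CONFIDENTIAL", "passwd=" };   /* constructed signatures */
/* Depth detection above the transport layer, in place. A hit clears the area so the packet never leaves;
 * otherwise the packet stays in the area for the driver to return to the FPGA. */
static enum outcome dpi_inspect(struct mem_area *a, size_t payload_off)
{
    for (size_t i = 0; i < sizeof SENSITIVE / sizeof SENSITIVE[0]; i++)
        for (size_t p = payload_off, k = strlen(SENSITIVE[i]); p + k <= a->len; p++)
            if (memcmp(a->buf + p, SENSITIVE[i], k) == 0) {
                memset(a->buf, 0, a->len); a->len = 0;
                return OUT_DPI_CLEARED;
            }
    return OUT_DPI_FORWARD;
}

/* Whole path: FPGA-side ACL first, CPU-side depth detection only for the flagged packets. */
static enum outcome process_packet(const struct acl_rule *rules, size_t n,
                                   const uint8_t *pkt, size_t len, struct mem_area *a)
{
    struct tuple5 t;
    int off = parse_headers(pkt, len, &t);
    if (off < 0 || len > AREA_SIZE) return OUT_MALFORMED;
    enum acl_action act = acl_lookup(rules, n, &t);
    if (act != ACL_TO_DPI) return act == ACL_DROP ? OUT_DROP : OUT_PASS;
    memcpy(a->buf, pkt, len); a->len = len;   /* stands in for the driver's DMA into the area */
    return dpi_inspect(a, (size_t)off);
}

/* Constructed Ethernet/IPv4/TCP frame with the given addresses, ports and payload. */
static size_t build_frame(uint8_t *out, uint32_t src, uint32_t dst,
                          uint16_t sport, uint16_t dport, const char *payload)
{
    size_t plen = strlen(payload), total = 54 + plen;
    memset(out, 0, total);
    wr16(out + 12, 0x0800);                                   /* EtherType IPv4 */
    uint8_t *ip = out + 14, *tcp = out + 34;
    ip[0] = 0x45; wr16(ip + 2, (uint16_t)(40 + plen)); ip[8] = 64; ip[9] = 6;
    wr32(ip + 12, src); wr32(ip + 16, dst);
    wr16(tcp, sport); wr16(tcp + 2, dport); tcp[12] = 0x50;  /* data offset 5 words */
    memcpy(tcp + 20, payload, plen);
    return total;
}

/* Constructed rules as the user protocol stack would issue them to the FPGA:
 * drop 10.0.0.0/8 -> TCP/23, hand TCP/80 to the CPU for depth detection, pass the rest. */
static const struct acl_rule RULES[] = {
    { {{ 0x0A000000, 0, 0, 23, 6 }}, {{ 0xFF000000, 0, 0, 0xFFFF, 0xFF }}, ACL_DROP },
    { {{ 0, 0, 0, 80, 6 }},          {{ 0, 0, 0, 0xFFFF, 0xFF }},          ACL_TO_DPI },
};
/* One TCP frame from src to 192.168.0.1:dport through the whole path. */
static enum outcome run_scenario(uint32_t src, uint16_t dport, const char *payload)
{
    static struct mem_area area;
    uint8_t frame[AREA_SIZE];
    size_t n = build_frame(frame, src, 0xC0A80001, 40000, dport, payload);
    return process_packet(RULES, sizeof RULES / sizeof RULES[0], frame, n, &area);
}
int main(void)
{
    printf("%d\n", run_scenario(0xC0A80002, 80, "POST passwd=hunter2"));   /* 3: detected and cleared */
    return 0;
}
```

In a real deployment the ACL stage runs on the FPGA and only the flagged packets reach the CPU, so the cost of the application-layer scan is paid only for the minority of traffic the rules select.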
Example two
Fig. 2 is a schematic structural diagram of a depth detection device for data packets according to a second embodiment of the invention. The device can execute the depth detection method for data packets provided by any embodiment of the invention. Referring to Fig. 2, the device comprises a packet storage module 210 and a packet depth detection module 220, wherein:
the packet storage module 210 is configured to store a received packet to be depth-detected in a target memory area of kernel space and to notify the user protocol stack in the CPU of the target storage address of the target memory area;
and the packet depth detection module 220 is configured to perform depth detection on the packet in the target storage area matching the target storage address through the user protocol stack, to obtain a detection result packet.
In this technical solution, a CPU in a data packet monitoring system stores a received packet to be depth-detected in a target memory area of kernel space and notifies the user protocol stack in the CPU of the target storage address of that area; the user protocol stack then performs depth detection on the packet in the target storage area matching that address to obtain a detection result packet. This technical means solves the problem that, when the CPU receives data packets and performs depth detection through the user protocol stack, performance of the network security monitoring system is wasted on loss of locality, interrupt handling, kernel copying and system calls, thereby improving the CPU's depth detection capability for data packets and the performance of the network security monitoring system.
In the above device, optionally, a depth detection program is registered in advance in the user protocol stack of the CPU, the depth detection program being used to detect packets above the transport layer protocol;
and the packet depth detection module 220 may specifically be configured to:
execute the depth detection program through the user protocol stack, thereby performing depth detection on the packet in the target storage area matching the target storage address.
In the above device, optionally, the device further comprises a module for receiving packets to be depth-detected, specifically configured to, before the received packet to be depth-detected is stored in the target memory area of kernel space:
receive a packet to be depth-detected sent by the FPGA in the data packet monitoring system, the packet having been obtained after the FPGA performs detection at the transport layer and below on an original packet received by the switching module;
and a detection result packet forwarding module, which operates after depth detection has been performed on the packet in the target storage area matching the target storage address through the user protocol stack to obtain a detection result packet, and comprises:
a detection result packet rewriting subunit, configured to write the detection result packet back into the target memory area through the user protocol stack when it is determined that the detection result packet meets the forwarding condition;
and a detection result packet sending subunit, configured to acquire the detection result packet from the target memory area and send it to the FPGA, so that the FPGA sends the detection result packet to the switching module for forwarding.
The above device optionally further comprises a target memory area clearing module, specifically configured to, after depth detection has been performed on the packet in the target memory area matching the target memory address through the user protocol stack to obtain a detection result packet:
clear the target memory area when the user protocol stack determines that the detection result packet does not meet the forwarding condition.
In the above device, optionally, the packet storage module 210 may specifically be configured to:
store the received packet to be depth-detected in the target memory area of kernel space through a driver unit, and notify the user protocol stack in the CPU of the target storage address of the target memory area;
and the detection result packet sending subunit may further specifically be configured to:
acquire the detection result packet from the target memory area through the driver unit, and send the detection result packet to the FPGA.
In the above device, optionally, the driver unit may be a DPDK driver unit or a Netmap driver unit.
Optionally, the depth detection device for data packets further comprises an access control list rule issuing module, which may specifically be configured to:
acquire access control list rules through the user protocol stack and issue the access control list rules to the FPGA;
the access control list rules being the rules the FPGA uses when performing detection at the transport layer and below.
The depth detection device for data packets provided by the embodiment of the invention can execute the depth detection method for data packets provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to that method.
Example III
The third embodiment of the invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs a depth detection method for data packets, the method being executed by a CPU in a data packet monitoring system and comprising:
storing a received packet to be depth-detected in a target memory area of kernel space, and notifying a user protocol stack in the CPU of the target storage address of the target memory area;
and performing depth detection on the packet in the target storage area matching the target storage address through the user protocol stack, to obtain a detection result packet.
Of course, the program stored on the computer-readable storage medium provided by the embodiments of the invention is not limited to the method operations described above, and may also perform related operations in the depth detection method for data packets provided by any embodiment of the invention.
From the above description of the embodiments, a person skilled in the art will understand that the invention may be implemented by software together with the necessary general-purpose hardware, or of course by hardware alone, although in many cases the former is preferred. On this understanding, the technical solution of the invention, or the part of it that contributes to the prior art, may be embodied as a software product stored in a computer-readable storage medium such as a floppy disk, read-only memory (ROM), random access memory (RAM), flash memory, hard disk or optical disk, and comprising a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the method according to the embodiments of the invention.
It should be noted that in the above embodiment of the depth detection device for data packets, the units and modules included in the device are divided only according to functional logic and are not limited to the division described above, so long as the corresponding functions can be implemented; in addition, the specific names of the functional units serve only to distinguish them from one another and do not limit the scope of protection of the invention.
Example IV
Fig. 3 is a schematic structural diagram of a network data message monitoring system according to a fourth embodiment of the present invention. As shown in Fig. 3, the system includes a switching module 310, an FPGA 320 and a CPU 330.
The switching module 310 is configured to receive an original message and send it to the FPGA; or to receive a detection result message sent by the FPGA and forward it.
The FPGA 320 is configured to receive the original message sent by the switching module and an access control list rule issued by the user protocol stack, perform detection under the message transport layer protocol on the original message according to the access control list rule to obtain a message to be detected deeply, and send the message to be detected deeply to the CPU; or to receive a detection result message sent by the CPU and send it to the switching module.
The CPU 330 is configured to implement the depth detection method for a data message according to any embodiment of the present invention, where the method is executed by a CPU in a data message monitoring system and includes:
storing the received message to be detected deeply in a target memory area of a kernel space, and notifying a target storage address of the target memory area to a user protocol stack in the CPU; and
performing depth detection, through the user protocol stack, on the message to be detected in the target memory area matched with the target storage address, to obtain a detection result message.
In the above system, optionally, the switching module 310 includes a first port and a second port;
the first port is used for receiving an original message and sending it to the FPGA; and
the second port is used for receiving a detection result message sent by the FPGA and forwarding it.
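To make the division of labour between the driving unit, the kernel-space memory area and the user protocol stack concrete, here is an added C model of the CPU-side flow described above (example code, not the patent's or the applicant's implementation). The fixed packet header, the registered detection program, the constructed "unsafe" signature string and all function names are assumptions; a real deployment would back the memory area with a DPDK or Netmap ring and use a proper protocol parser in place of the fixed header.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the patent's code. The "target memory area" is a plain
 * buffer standing in for the kernel-space area a DPDK/Netmap-style driver
 * would share with the user protocol stack; the header layout, detection
 * program and unsafe signature are constructed for illustration. */

#define AREA_SIZE 256

/* Minimal fixed header: enough to show a destination rewrite without a real parser. */
struct pkt_hdr { uint32_t src_ip, dst_ip; uint16_t payload_len; };

/* The target memory area as seen from the user protocol stack. */
struct mem_area { uint8_t buf[AREA_SIZE]; size_t len; /* 0 = cleared */ };

enum verdict { VERDICT_DROP = 0, VERDICT_FORWARD = 1 };

/* A depth detection program inspects the payload above the transport layer. */
typedef enum verdict (*dpi_program_fn)(const uint8_t *payload, size_t len);

struct user_stack {
    dpi_program_fn program;   /* pre-registered depth detection program */
    struct mem_area *area;    /* target storage address notified by the driver */
    uint32_t new_dst_ip;      /* nonzero: pending forwarding-destination change */
};

/* Driver side: place the message in the target memory area and notify the user
 * stack of its address. Returns false if the message does not fit. */
bool driver_store(struct user_stack *us, struct mem_area *area,
                  const void *msg, size_t len) {
    if (len < sizeof(struct pkt_hdr) || len > AREA_SIZE) return false;
    memcpy(area->buf, msg, len);
    area->len = len;
    us->area = area;
    return true;
}

/* Constructed signature: a payload containing this token counts as unsafe. */
static const char UNSAFE_TOKEN[] = "EVIL-SIGNATURE";

static enum verdict sample_dpi_program(const uint8_t *payload, size_t len) {
    size_t tl = sizeof(UNSAFE_TOKEN) - 1;
    for (size_t i = 0; i + tl <= len; i++)
        if (memcmp(payload + i, UNSAFE_TOKEN, tl) == 0) return VERDICT_DROP;
    return VERDICT_FORWARD;
}

/* User protocol stack: run the registered program on the message at the notified
 * address. On FORWARD, optionally rewrite the header's destination and leave the
 * result in place for the driver; on DROP (or a malformed length), clear the area. */
enum verdict user_stack_inspect(struct user_stack *us) {
    struct mem_area *a = us->area;
    struct pkt_hdr hdr;
    memcpy(&hdr, a->buf, sizeof hdr);
    size_t plen = a->len - sizeof hdr;
    if (hdr.payload_len != plen) { memset(a, 0, sizeof *a); return VERDICT_DROP; }
    enum verdict v = us->program(a->buf + sizeof hdr, plen);
    if (v == VERDICT_FORWARD) {
        if (us->new_dst_ip) {            /* modification of forwarding logic */
            hdr.dst_ip = us->new_dst_ip;
            memcpy(a->buf, &hdr, sizeof hdr);
        }
    } else {
        memset(a, 0, sizeof *a);         /* empty the target memory area */
    }
    return v;
}

/* Driver side: take the detection result message out for the FPGA.
 * Returns the bytes copied, or 0 if the area was cleared. */
size_t driver_fetch_result(const struct mem_area *area, void *out, size_t cap) {
    if (area->len == 0 || area->len > cap) return 0;
    memcpy(out, area->buf, area->len);
    return area->len;
}

/* Run one constructed message through the whole flow. Returns the bytes handed to
 * the FPGA (0 when dropped) and reports the destination carried by the result. */
size_t run_pipeline(const char *payload, uint32_t redirect_to,
                    uint8_t *out, size_t cap, uint32_t *dst_after) {
    uint8_t msg[AREA_SIZE];
    size_t plen = strlen(payload);
    *dst_after = 0;
    if (plen > AREA_SIZE - sizeof(struct pkt_hdr)) return 0;
    struct pkt_hdr hdr = { .src_ip = 0x0A000001u, .dst_ip = 0xC0000201u,
                           .payload_len = (uint16_t)plen };
    memcpy(msg, &hdr, sizeof hdr);
    memcpy(msg + sizeof hdr, payload, plen);

    struct mem_area area = {0};
    struct user_stack us = { .program = sample_dpi_program,   /* pre-registration */
                             .area = NULL, .new_dst_ip = redirect_to };
    if (!driver_store(&us, &area, msg, sizeof hdr + plen)) return 0;
    user_stack_inspect(&us);
    size_t n = driver_fetch_result(&area, out, cap);
    if (n >= sizeof hdr) { memcpy(&hdr, out, sizeof hdr); *dst_after = hdr.dst_ip; }
    return n;
}
```

Two design points worth noting. The driver never interprets the message; it only moves bytes between the memory area and the user stack, which is what keeps the kernel-side code small. And the user stack clears the area on every non-forward outcome, including a header whose declared length disagrees with what was stored, so a malformed message can never be handed back to the FPGA by accident.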
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.

Claims (5)

1. A method for depth detection of data messages, the method being performed by a CPU in a data message monitoring system, the method comprising:
receiving a message to be detected sent by an FPGA in the data message monitoring system, wherein the message to be detected is obtained after the FPGA performs detection under a message transport layer protocol on an original message received by a switching module in the data message monitoring system;
storing the received message to be detected deeply into a target memory area of a kernel space through a driving unit, and notifying a target storage address of the target memory area to a user protocol stack in the CPU; the user protocol stack is used for independently realizing a complete depth detection function through a pre-registered depth detection program; the depth detection program is used for detecting the message above the transport layer protocol;
executing the depth detection program through the user protocol stack, and performing depth detection on the message to be detected in a target storage area matched with the target storage address to obtain a detection result message; the detection result message is obtained by screening out unsafe messages after depth detection is performed on the application and content of the message to be detected;
through the user protocol stack, when it is determined that the detection result message meets a forwarding condition, rewriting the detection result message into the target memory area; if a modification request for the forwarding destination address of the detection result message meeting the forwarding condition exists, modifying the message header of the detection result message through the depth detection program so as to modify the forwarding logic;
acquiring the detection result message from the target memory area through the driving unit, and sending it to the FPGA so that the FPGA sends it to the switching module for forwarding;
through the user protocol stack, when it is determined that the detection result message does not meet the forwarding condition, clearing the target memory area;
acquiring an access control list rule through the user protocol stack, and issuing the access control list rule to the FPGA; the access control list rule is the rule used when the FPGA performs detection under a message transport layer protocol.
2. A depth detection device for a data message, the device comprising:
a message-to-be-detected receiving module, used for receiving a message to be detected sent by an FPGA in a data message monitoring system, wherein the message to be detected is obtained after the FPGA performs detection under a message transport layer protocol on an original message received by a switching module in the data message monitoring system;
a message storage module, used for storing the received message to be detected deeply into a target memory area of a kernel space through a driving unit, and notifying a target storage address of the target memory area to a user protocol stack in the CPU; the user protocol stack is used for independently realizing a complete depth detection function through a pre-registered depth detection program; the depth detection program is used for detecting the message above the transport layer protocol;
a message depth detection module, used for executing the depth detection program through the user protocol stack, and performing depth detection on the message to be detected in the target storage area matched with the target storage address to obtain a detection result message; the detection result message is obtained by screening out unsafe messages after depth detection is performed on the application and content of the message to be detected;
a detection result message forwarding module, used for rewriting the detection result message into the target memory area when, through the user protocol stack, the detection result message is determined to meet a forwarding condition; if a modification request for the forwarding destination address of the detection result message meeting the forwarding condition exists, modifying the message header of the detection result message through the depth detection program so as to modify the forwarding logic; and acquiring the detection result message from the target memory area through the driving unit and sending it to the FPGA so that the FPGA sends it to the switching module for forwarding;
a target memory area emptying module, used for emptying the target memory area when, through the user protocol stack, the detection result message is determined not to meet the forwarding condition; and
an access control list rule issuing module, used for acquiring an access control list rule through the user protocol stack and issuing the access control list rule to the FPGA; the access control list rule is the rule used when the FPGA performs detection under a message transport layer protocol.
3. A computer readable storage medium having stored thereon a computer program, which when executed by a processor implements the depth detection method for data messages according to claim 1.
4. A network data message monitoring system, comprising a switching module, an FPGA and a CPU;
the switching module is used for receiving an original message and sending it to the FPGA; or for receiving a detection result message sent by the FPGA and forwarding it;
the FPGA is used for receiving the original message sent by the switching module and an access control list rule issued by a user protocol stack, performing detection under a message transport layer protocol on the original message according to the access control list rule to obtain a message to be detected deeply, and sending the message to be detected deeply to the CPU; or for receiving a detection result message sent by the CPU and sending it to the switching module;
the CPU is configured to implement the depth detection method for a data message according to claim 1.
5. The system of claim 4, wherein the switching module comprises: a first port and a second port;
The first port is used for receiving an original message and sending the original message to the FPGA;
the second port is configured to receive a detection result message sent by the FPGA, and forward the detection result message.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111587759.0A CN114285634B (en) 2021-12-23 2021-12-23 Depth detection method, device, medium and monitoring system for data message

Publications (2)

Publication Number Publication Date
CN114285634A CN114285634A (en) 2022-04-05
CN114285634B true CN114285634B (en) 2024-06-04

Family

ID=80874397

Country Status (1)

Country Link
CN (1) CN114285634B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106209684A (en) * 2016-07-14 2016-12-07 深圳市永达电子信息股份有限公司 A kind of method forwarding detection scheduling based on Time Triggered
CN107547566A (en) * 2017-09-29 2018-01-05 新华三信息安全技术有限公司 A kind of method and device of processing business message
CN109547580A (en) * 2019-01-22 2019-03-29 网宿科技股份有限公司 A kind of method and apparatus handling data message
CN111614631A (en) * 2020-04-29 2020-09-01 江苏深网科技有限公司 User mode assembly line framework firewall system
CN112039731A (en) * 2020-11-05 2020-12-04 武汉绿色网络信息服务有限责任公司 DPI (deep packet inspection) identification method and device, computer equipment and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10212132B2 (en) * 2016-07-29 2019-02-19 ShieldX Networks, Inc. Systems and methods for accelerated pattern matching
US12058411B2 (en) * 2018-07-13 2024-08-06 Avago Technologies International Sales Pte. Limited Secure monitoring of system-on-chip applications

Also Published As

Publication number Publication date
CN114285634A (en) 2022-04-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant