CN114584632B - Deep packet inspection method and device - Google Patents

Info

Publication number
CN114584632B
Authority
CN
China
Prior art keywords
message
rule
hit
unit
character string
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210173616.3A
Other languages
Chinese (zh)
Other versions
CN114584632A (en)
Inventor
孟玉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Beizhong Network Core Technology Co ltd
Original Assignee
Chengdu Beizhong Network Core Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Beizhong Network Core Technology Co ltd
Priority to CN202210173616.3A
Publication of CN114584632A
Application granted
Publication of CN114584632B
Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483 Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a high-efficiency deep packet inspection method and device, belonging to the field of computer communication. The invention adopts a three-level search. In the first stage, the five-tuple and the application layer protocol of the message are identified through the fast rule table entry. In the second pipeline stage, a high-speed searching unit searches the message byte by byte, matches it against all rules in the second-level character string rule table entry, and returns the character strings hit in each message. In the third pipeline stage, each hit character string rule indexes its corresponding rule association table entry; the association table entry completes the processing of the character string rules hit in the second pipeline stage, and flexible rule association is carried out among the association table entries, so that high-performance full-packet filtering is achieved while the flexibility of the rules is also well satisfied. According to the invention, the user rules are converted into three-level rules, and the requirements of DPI on performance and flexibility in high-performance, large-bandwidth scenarios are better met through high-speed character string searching followed by flexible association.

Description

Deep packet inspection method and device
Technical Field
The invention belongs to the field of computer communication, and particularly relates to a high-efficiency deep packet inspection method and device.
Background
Deep packet inspection (DPI) is an application-layer traffic inspection and control technique. By scanning the payload area of the data packets in a flow byte by byte, it overcomes the defect that identifying only the packet header cannot identify the corresponding packet accurately. Because the messages must be identified byte by byte, the performance requirement on the identification device is high. Meanwhile, with the development of network technology, bandwidth keeps growing, which further raises the performance requirement on the equipment; network applications are also increasingly complex, the variety of applications keeps growing, and the number of rules used for recognition grows with them, so the requirements on the performance and flexibility of deep packet inspection equipment increase further.
CN112671618 proposes a method and apparatus for deep packet inspection, which uses the open-source security inspection engine Suricata and the Hyperscan high-performance regular expression matching library, so that the problem of low accuracy of deep packet inspection and recognition can be better solved, and flexibility is better.
CN113298101A proposes a data message identification method and apparatus, which combines a trained CNN network and a DPI device in two stages to improve identification accuracy and efficiency. In that scheme, a CNN system performs first-stage parent application identification, which relieves the pressure on the DPI equipment. However, the CNN network faces the problems of slow training convergence in the parent application training stage and low accuracy in the inference stage; although the CNN network can partially relieve the performance pressure on the DPI device, it does not fundamentally address the performance and flexibility requirements of the DPI device itself.
CN112491643A proposes a deep packet inspection method and device, which extracts distribution information such as packet length, compares it against multi-level rules, and sends the comparison result to a second-level neural network for identification, which can improve accuracy to a certain extent. However, for high-speed network applications, extracting the packet length distribution and the multi-level rules is time-consuming, the results of the multi-level comparison depend on one another, and the delay fluctuates widely and unpredictably; the training and convergence of the second-level neural network also face the same problems as CN113298101A.
CN101848091A proposes a data searching and processing method and system, which can better solve the searching and matching of character strings through multi-stage pipelined searching and intelligent rule compression; however, it does not meet the requirements of flexible regular expressions in DPI applications, especially flexible combinations between rules.
Disclosure of Invention
(I) Technical problem to be solved
The technical problems to be solved by the invention are the slow convergence and low recognition accuracy of CNN-based recognition, and the inflexibility of DPI (deep packet inspection) search processing.
(II) technical scheme
In order to solve the above technical problems, the invention provides a high-efficiency deep message detection device, which comprises a message receiving unit, a message processing unit, a character string high-speed searching unit and a message sending unit;
the message receiving unit is used for receiving messages in the network, extracting valid messages and sending them to the message processing unit;
the message processing unit comprises a message analysis unit, a DPI result execution unit and an association relation processing unit;
the message analysis unit preprocesses the message, namely parses the five-tuple, source MAC address, destination MAC address, source IP address, destination IP address and port number of the message according to the encapsulation type of the message, and at the same time searches the first-level fast rule table entry to obtain the forwarding behavior specified for each type of message; messages that need further byte-by-byte filtering are sent to the character string high-speed searching unit, and other messages are sent to the DPI result execution unit;
the association relation processing unit is used for receiving the search result of the character string high-speed searching unit, performing flexible combination processing, according to the three-level rule association table entry, on the character strings that the character string high-speed searching unit found hit in the current message, and obtaining the output behavior of the message;
the DPI result execution unit is used for comprehensively judging the results processed by the message analysis unit and the association relation processing unit and obtaining the corresponding output behavior for the message;
the character string high-speed searching unit is used for scanning the payload of the current message byte by byte, matching it against the secondary character string rule table entry, and returning the hit status; if there is a hit, it obtains the position and length of the hit character string and the corresponding association relation ID, and returns the result to the association relation processing unit;
and the message sending unit is used for sending the message processed by the DPI result execution unit to the corresponding destination port.
Further, the message receiving units are deployed in a network in series or in a bypass.
Further, the message parsing unit is further configured to parse the message type of the upper layer, and search the first-level fast rule table entry at the same time, so as to obtain the forwarding behavior specified by each type of message.
Further, the forwarding behavior includes forwarding, dropping, editing, or further byte-by-byte filtering.
Further, the first-level fast rule judges whether the current message needs to perform full-packet search filtering according to the five-tuple and the message type of the current message.
Further, the three-level rule association table entry includes: AND, OR and NOT operations between different strings, the offset range that the current string needs to satisfy, and the combined match required between the current string and the five-tuple.
Further, the secondary character string rule table entry is a series of different character strings, and each message is matched byte by byte against all rules of the secondary character string rule table entry to judge whether the message hits.
Further, if there is a string hit, the following information is returned:
ptr: the position of the currently hit character string relative to the start of the current message payload;
string lth: the length of the hit character string; combined with the value of ptr, it locates the hit character string content in the original message;
relation id: the id of the three-level rule association table entry that the currently hit string needs to index.
Further, after the search result of the character string high-speed searching unit is returned to the association relation processing unit, the association relation processing unit parses the information carried by each hit rule and obtains the content of the three-level rule association table entry according to the relation id; according to the content of the three-level rule association table, the relationships among the character strings hit by the current message are analyzed and calculated, so that association processing among different character strings is realized, and, combined with the five-tuple information extracted by the message analysis unit, more complex rule processing is completed.
The invention also provides a high-efficiency deep packet inspection method, which comprises the following steps:
S1, receiving a message;
S2, extracting the message header five-tuple, source MAC address, destination MAC address, source IP address, destination IP address and port number;
S3, judging, according to the message header and the first-level fast rule table entry, whether byte-by-byte detection of the payload is needed; if not, determining the output behavior of the message according to the fast rule that was hit and sending the message to the message sending unit; if so, executing step S4;
S4, performing character string searching and matching on the payload area of the message according to the secondary character string rule table entry and returning the hit status; if there is a hit, returning the position and length of the hit character string and the corresponding association relation, and executing step S5; if there is no hit, returning a miss, determining the output behavior of the message according to the header information, and sending the message to the message sending unit;
S5, performing flexible combination processing on the character strings hit in the current message according to the three-level rule association table entry, obtaining the output behavior of the message, and sending the message to the message sending unit.
(III) beneficial effects
Compared with the prior art, the technical scheme provided by the invention adopts a three-level search, can work in a pipelined manner, and meets the high-speed performance requirement of DPI. In the first stage, the five-tuple and the application layer protocol of the message are identified through the fast rule table entry and the data is pre-judged, so that only messages that need further full-packet filtering and scanning enter the next pipeline stage. In the second pipeline stage, a high-speed searching unit searches the message byte by byte, matches it against all rules in the second-level character string rule table entry, and returns the character strings hit in each message. In the third pipeline stage, each hit character string rule indexes its corresponding rule association table entry; the association table entry completes the processing of the character string rules hit in the second pipeline stage, and flexible rule association is carried out among the association table entries, so that high-performance full-packet filtering is achieved while the flexibility of the rules is also well satisfied. According to the invention, the user rules are converted into three-level rules, and the requirements of DPI on performance and flexibility in high-performance, large-bandwidth scenarios are better met through high-speed character string searching followed by flexible association.
Drawings
FIG. 1 is a system architecture diagram of the present invention;
FIG. 2 is a process flow of the present invention;
FIG. 3 is a character string matching return format of the present invention;
FIG. 4 is a mapping relationship between a character string rule table entry and a rule association table entry according to the present invention;
FIG. 5 is a flexible rule association diagram of the present invention.
Detailed Description
To make the objects, contents and advantages of the present invention more apparent, the following detailed description of the present invention will be given with reference to the accompanying drawings and examples.
The invention belongs to the field of computer communication, and is used for data message detection that requires large bandwidth, high performance and flexible rules, such as high-capacity message detection on a 100G interface of a backbone node.
The invention provides a deep message detection method and device that both deliver high performance and support flexible rule processing. The method and device work on dedicated circuits, such as FPGA/ASIC; compared with CN112671618, they do not depend on a general-purpose processor, which removes the performance and power consumption bottlenecks. Meanwhile, the method performs the byte-by-byte window search of the message on a dedicated algorithm circuit, which solves the problems of slow convergence and low recognition accuracy faced by the CNN-based recognition in CN113298101A and CN112491643A. By converting the complex rules of the user plane into flexible associations between character strings, and by associating the rules with one another, the inflexibility of CN101848091A in processing DPI searches is overcome.
The whole device is shown in FIG. 1, and comprises a message receiving unit, a message processing unit, a character string high-speed searching unit and a message sending unit.
The message receiving unit is used for receiving messages in the network, extracting valid messages and sending them to the message processing unit. For message detection, the device can be deployed in series in the network, in which case the service traffic passes through the device; it can also be deployed as a bypass in the network, in which case the messages are mirrored by devices such as an optical splitter and sent to the device. Regardless of the deployment, the message receiving unit is responsible for extracting the messages for further analysis.
The message processing unit comprises a message analysis unit, a DPI result execution unit and an association relation processing unit.
The message analysis unit preprocesses the message, namely parses the five-tuple, source MAC address, destination MAC address, source IP address, destination IP address and port number of the message according to the encapsulation type of the message, and at the same time searches the first-level fast rule table entry to obtain the forwarding behavior specified for each type of message; messages that need further byte-by-byte filtering are sent to the character string high-speed searching unit, and other messages are sent to the DPI result execution unit.
The upper-layer message type, such as control message or data packet, voice or picture, can be parsed further. During this first-level parsing, the first-level fast rule table entry is searched at the same time to obtain the forwarding behavior specified for each type of message, such as forwarding, discarding, editing or further byte-by-byte filtering. After this stage of screening, only the messages that need further byte-by-byte filtering are sent on to subsequent processing, so the first-stage pipeline processing of the data is finished early and the analysis pressure on the later-stage units is reduced. An example of the first-level fast rule: it judges whether the current message needs full-packet search and filtering according to the five-tuple, and in particular the message type, of the current message. For example, ICMP messages and control-type messages are usually forwarded directly without a full-message search, while for messages carrying data the payload is further searched and filtered byte by byte across the full packet. From the perspective of the device chip, the chip needs to have the first-stage fast search capability, and the specific policy can be defined by the user according to actual conditions.
The association relation processing unit is used for receiving the search result of the character string high-speed searching unit, performing flexible combination processing, according to the three-level rule association table entry, on the character strings that the character string high-speed searching unit found hit in the current message, and obtaining the output behavior of the message; examples include AND/OR operations between different strings, an offset range that the current string needs to satisfy, and a combined match between the current string and the five-tuple.
The DPI result execution unit is used for comprehensively judging the results processed by the message analysis unit and the association relation processing unit, and applying the corresponding output behavior to the message, such as forwarding, discarding, transparent transmission or editing.
The character string high-speed searching unit is used for scanning the payload of the current message byte by byte, matching it against the secondary character string rule table entry, and returning the hit status; if there is a hit, it returns the position and length of the hit character string and the corresponding association relation ID to the association relation processing unit.
The message sending unit is used for sending the message processed by the DPI result execution unit to the corresponding destination port.
The whole equipment work flow is as follows:
S1, receiving a message;
S2, extracting the message header five-tuple, source MAC address, destination MAC address, source IP address, destination IP address and port number;
S3, judging, according to the message header and the first-level fast rule table entry, whether byte-by-byte detection of the payload is needed; if not, determining the output behavior of the message according to the fast rule that was hit and sending the message to the message sending unit; if so, executing step S4;
S4, performing character string searching and matching on the payload area of the message according to the secondary character string rule table entry and returning the hit status; if there is a hit, returning the position and length of the hit character string and the corresponding association relation, and executing step S5; if there is no hit, returning a miss, determining the output behavior of the message according to the header information, and sending the message to the message sending unit;
S5, performing flexible combination processing on the character strings hit in the current message according to the three-level rule association table entry, obtaining the output behavior of the message, and sending the message to the message sending unit.
The rule base that the user needs processed is compiled, split into three rule table entries, and issued to the device in advance. After a received message enters the device, the whole process is as shown in FIG. 2. Through the three-stage pipelined processing, the matching result of each message against the user rules is finally obtained, completing the deep message detection. If a small number of rules are added or deleted, the service can be briefly bypassed online while the rules are synchronously added or deleted; if the rule base is to be fully updated, the service is bypassed after recompilation and optimization, and message analysis continues once the three-level rules have been fully updated.
A message that needs a character string search is scanned byte by byte in the character string high-speed searching unit and matched against the secondary character string rule table entry. The secondary character string rule table is a series of different strings, commonly called "sensitive strings" in the DPI field. The specific data format is not limited here, and various implementation methods exist. The main task is to match each message byte by byte against all rules of the secondary character string rule table entry and judge whether the message hits.
If there is a string hit, the following information is returned:
ptr: the position of the currently hit character string relative to the start of the current message payload;
string lth: the length of the currently hit character string; combined with the value of ptr, it locates the hit character string content in the original message;
relation id: the id of the three-level rule association table entry that the currently hit string needs to index.
After the search result of the character string high-speed searching unit is returned to the association relation processing unit, the association relation processing unit parses the information carried by each hit rule and obtains the content of the three-level rule association table entry according to the relation id. According to the content of the three-level rule association table, the relationships among the character strings hit by the current message are analyzed and calculated, so that association processing among different character strings is realized, and, combined with the five-tuple information extracted by the message analysis unit, more complex rule processing can be completed.
FIG. 5 illustrates several examples of associations. For example, the character string high-speed searching unit returns a result showing that string1 hits, that the ptr of string1 in the message is m, and that the relation id is 1. The association relation processing unit fetches relation rule1, which requires that a string1 hit is valid only between message offsets a and b. The association relation processing unit checks whether the payload of length lth starting at ptr is string1 and whether ptr lies between a and b; only if both conditions are met at the same time is string1 considered a real rule hit. The action corresponding to whether the rule is hit, such as forwarding, discarding or editing, is then extracted from the rule association table.
Similarly, the character string high-speed searching unit returns a string2 hit, while relation rule2 requires combination with the UDP port number information in the five-tuple: string2 is actually hit only if the port number is in the range a to b. After receiving the string2 hit information from the character string high-speed searching unit, the association relation processing unit further examines the five-tuple information of the message, obtains the port number, and judges whether it is in the range a to b; if so, both the string2 hit and the port number condition are considered met. The action corresponding to whether the rule is hit, such as forwarding, discarding or editing, is then extracted from the rule association table.
There can also be a rule3 and further rules; through the association relation table entries, the association relations between character strings support flexible combination.
Relationships between rules can also be handled in the association relation processing unit. For example, rule1 specifies that, in addition to its own description, rule2 and rule3 must also be evaluated, and the whole compound rule is satisfied only when rule1 & rule2 & (~rule3) holds. A hit result from the character string high-speed searching unit triggers the analysis of relation rule1, which further evaluates whether rule2 and rule3 are satisfied and how they combine. Whether the compound rule is met is then determined, which yields the output behavior corresponding to the message.
The rules above are examples. They show that, driven by the results of the character string high-speed searching unit, the association relation processing unit can complete very complex and flexible rule association, meeting the high-speed performance and flexibility requirements of deep packet inspection.
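The three-stage lookup and the rule1/rule2/rule3 associations described above can be modelled in software as follows. This is an added example, not code from the patent (which targets FPGA/ASIC circuits and leaves the table formats open): the table layouts, field names, the naive scan loop, the use of the destination port, and the sample strings and ranges are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Hit:                      # record returned by the string search stage
    ptr: int                    # hit position relative to the payload start
    lth: int                    # length of the hit string
    relation_id: int            # index into the association table

@dataclass(frozen=True)
class Relation:                 # one association entry (layout is assumed)
    string: bytes
    offset: Optional[Tuple[int, int]] = None     # ptr must lie in [a, b]
    dst_port: Optional[Tuple[int, int]] = None   # five-tuple port in [a, b]
    require: Tuple[int, ...] = ()                # rules that must also hold
    forbid: Tuple[int, ...] = ()                 # rules that must not hold (~)
    action: Optional[str] = None                 # output behaviour on a match

# Stage 1: fast rule table keyed on protocol (constructed policy).
FAST_RULES = {"ICMP": "forward", "TCP": "scan", "UDP": "scan"}
HEADER_DEFAULT = "forward"      # behaviour when no payload rule applies

# Stage 3 table mirroring rule1, rule2 and rule3 from the text, with
# constructed values: offset range 0..16 and port range 5000..6000.
RELATIONS = {
    1: Relation(b"string1", offset=(0, 16), require=(2,), forbid=(3,), action="drop"),
    2: Relation(b"string2", dst_port=(5000, 6000)),
    3: Relation(b"string3"),
}
# Stage 2 table: sensitive string -> relation id.
STRINGS = {rel.string: rid for rid, rel in RELATIONS.items()}

def fast_rule(ft):
    """Stage 1: decide from the header alone, or ask for a payload scan."""
    return FAST_RULES.get(ft.proto, HEADER_DEFAULT)

def scan(payload):
    """Stage 2: try every string at every byte offset (software stand-in)."""
    hits = []
    for ptr in range(len(payload)):
        for s, rid in STRINGS.items():
            if payload.startswith(s, ptr):
                hits.append(Hit(ptr, len(s), rid))
    return hits

def own_condition(rid, hits, ft, payload):
    """True if some hit for this rule passes the rule's own constraints."""
    rel = RELATIONS[rid]
    for h in hits:
        if h.relation_id != rid:
            continue
        # Re-check that ptr/lth really locate the string inside the payload.
        if payload[h.ptr:h.ptr + h.lth] != rel.string:
            continue
        if rel.offset is not None and not rel.offset[0] <= h.ptr <= rel.offset[1]:
            continue
        if rel.dst_port is not None and not rel.dst_port[0] <= ft.dst_port <= rel.dst_port[1]:
            continue
        return True
    return False

def associate(hits, ft, payload):
    """Stage 3: combine rules, e.g. rule1 & rule2 & ~rule3, into an action."""
    own = {rid: own_condition(rid, hits, ft, payload) for rid in RELATIONS}
    for rid in sorted({h.relation_id for h in hits}):
        rel = RELATIONS[rid]
        if (rel.action and own[rid]
                and all(own[r] for r in rel.require)
                and not any(own[f] for f in rel.forbid)):
            return rel.action
    return HEADER_DEFAULT

def inspect(ft, payload):
    """Steps S3 to S5: fast rule, then string scan, then association."""
    verdict = fast_rule(ft)
    if verdict != "scan":
        return verdict          # finished in stage 1, payload never scanned
    hits = scan(payload)
    if not hits:
        return HEADER_DEFAULT   # miss: fall back to header-based behaviour
    return associate(hits, ft, payload)
```
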
The invention provides a high-efficiency method for deep message filtering, which meets the performance requirement of deep message filtering through three-stage pipelined processing; through a dedicated character string high-speed searching unit combined with flexible three-level rule association table entries, complex deep message filtering can be completed. The method overcomes the low identification performance and inflexible rules of existing methods.
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that modifications and variations could be made by those skilled in the art without departing from the technical principles of the present invention, and such modifications and variations should also be regarded as being within the scope of the invention.

Claims (9)

1. A deep message detection device, characterized by comprising a message receiving unit, a message processing unit, a character string searching unit and a message sending unit;
the message receiving unit is used for receiving messages in the network, extracting valid messages and sending them to the message processing unit;
the message processing unit comprises a message analysis unit, a DPI result execution unit and an association relation processing unit;
the message analysis unit preprocesses the message, namely parses the five-tuple, source MAC address, destination MAC address, source IP address, destination IP address and port number of the message according to the encapsulation type of the message, and at the same time searches the first-level fast rule table entry to obtain the forwarding behavior specified for each type of message; messages that need further byte-by-byte filtering are sent to the character string searching unit, and other messages are sent to the DPI result execution unit;
the association relation processing unit is used for receiving the search result of the character string searching unit, performing flexible combination processing, according to the three-level rule association table entry, on the character strings that the character string searching unit found hit in the current message, and obtaining the output behavior of the message;
the DPI result execution unit is used for comprehensively judging the results processed by the message analysis unit and the association relation processing unit and obtaining the corresponding output behavior for the message;
the character string searching unit is used for scanning the payload of the current message byte by byte, matching it against the secondary character string rule table entry, and returning the hit status; if there is a hit, it obtains the position and length of the hit character string and the corresponding association relation ID, and returns the result to the association relation processing unit;
the message sending unit is used for sending the message processed by the DPI result execution unit to the corresponding destination port;
wherein,
after the search result of the character string searching unit is returned to the association relation processing unit, the association relation processing unit parses the information carried by each hit rule and obtains the content of the three-level rule association table entry according to the relation; according to the content of the three-level rule association table, the relationships among the character strings hit by the current message are analyzed and calculated, so that association processing among different character strings is realized, and, combined with the five-tuple information extracted by the message analysis unit, more complex rule processing is completed.
2. The deep packet inspection device of claim 1, wherein the packet reception units are deployed in series in a network or bypass in a network.
3. The deep packet inspection device according to claim 1, wherein the packet parsing unit is further configured to parse out a packet type of an upper layer, and search a first-level fast rule table entry at the same time, so as to obtain a forwarding behavior specified by each type of packet.
4. A deep packet inspection apparatus in accordance with claim 3, wherein the forwarding action includes forwarding, dropping, editing, or further byte-by-byte filtering.
5. The deep packet inspection device of claim 1, wherein the first-level fast rule determines whether the current packet requires full packet search filtering according to a five-tuple and a packet type of the current packet.
6. The deep packet inspection device of claim 1, wherein the three-level rule association table entry comprises: and NOR operation between different strings, the offset range that the current string needs to meet, and the combination match between the current string needs and the quintuple.
7. The deep packet inspection apparatus of claim 1 wherein the secondary string rule table entry is a series of different strings, each message being byte by byte matched with all rule tables of the secondary string rule table entry to determine if there is a hit.
8. The deep packet inspection apparatus of claim 7 wherein if there is a string hit, the following information is returned:
ptr: the position of the current hit character string relative to the current message payload starting point;
string1th: the length of the hit character string is combined with the value of ptr, so that the hit character string content can be locked in the original message;
relationid: the currently hit string requires the id of the index-removed three-level rule association table entry.
9. A deep packet inspection method based on a deep packet inspection apparatus according to any one of claims 1-8, the method comprising the steps of:
s1, receiving a message;
s2, extracting a message header quintuple, a source MAC address, a destination MAC address, a source IP address, a destination IP address and a port number;
s3, judging whether payload byte-by-byte detection is needed according to the header of the message and the first-level quick rule table entry, if not, determining the output behavior of the message according to the hit quick rule, and sending the message to a message sending unit; if so, executing a step S4;
s4, carrying out character string searching and matching on the payload area of the message according to the two-level character string rule table entry, returning to the hit condition, returning to the hit character string position, length and corresponding association relation if the hit is found, and executing the step S5; if the message is not hit, returning the miss, determining the output behavior of the message according to the head information, and sending the message to a message sending unit;
s5, carrying out flexible combination processing according to the character strings of the three-level rule association table item in the current message, obtaining the output behaviors of the message, and sending the output behaviors to a message sending unit.
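The decision path of steps S3 to S5, as an added example that is not the patent's own code: a first-level lookup on the header, a byte-by-byte string search that reports position, length and relation ID, and a third-level combination check. All table contents, the dictionary layout, the default action on a miss and the names `FAST_RULES`, `STRING_RULES`, `ASSOC_RULES`, `search_strings`, `associate` and `classify` are assumptions; the claim's "and NOR" wording is modeled as an `all_of` set plus a `none_of` set, and messages are assumed to arrive already parsed into a five-tuple.

```python
from collections import namedtuple

FiveTuple = namedtuple("FiveTuple", "src_ip dst_ip src_port dst_port proto")
Hit = namedtuple("Hit", "ptr length relation_id")  # the three fields of claim 8
# Level 1 (constructed): (proto, dst_port) -> action; "inspect" means go on to S4.
FAST_RULES = {("udp", 53): "forward", ("tcp", 23): "drop", ("tcp", 80): "inspect"}
# Level 2 (constructed): string -> relation ID that indexes level 3.
STRING_RULES = {b"POST ": 1, b"/admin": 1, b"X-Internal: 1": 1, b"cmd=": 2}
# Level 3 (constructed): relation ID -> combination rule over the hit strings.
ASSOC_RULES = {
    1: {"all_of": {b"POST ", b"/admin"}, "none_of": {b"X-Internal: 1"},
        "offset": {b"POST ": (0, 0)}, "dst_port": 80, "action": "drop"},
    2: {"all_of": {b"cmd="}, "none_of": set(),
        "offset": {b"cmd=": (0, 64)}, "dst_port": 80, "action": "drop"},
}
DEFAULT_ACTION = "forward"  # assumed behavior when nothing matches

def search_strings(payload):
    """S4: scan byte by byte and report every hit as (ptr, length, relation_id)."""
    hits = []
    for ptr in range(len(payload)):
        for pattern, rel in STRING_RULES.items():
            if payload.startswith(pattern, ptr):
                hits.append(Hit(ptr, len(pattern), rel))
    return hits

def associate(hits, payload, ft):
    """S5: per relation ID, check AND set, NOR set, offset window and five-tuple."""
    for rel in sorted({h.relation_id for h in hits}):
        rule, found = ASSOC_RULES[rel], {}
        for h in hits:
            if h.relation_id == rel:  # recover the string from ptr + length
                found.setdefault(payload[h.ptr:h.ptr + h.length], []).append(h.ptr)
        have = set(found)
        in_window = all(any(lo <= p <= hi for p in found.get(s, []))
                        for s, (lo, hi) in rule["offset"].items())
        if (rule["all_of"] <= have and not (rule["none_of"] & have)
                and in_window and ft.dst_port == rule["dst_port"]):
            return rule["action"]
    return DEFAULT_ACTION

def classify(ft, payload):
    """S3 to S5 for one parsed message; returns the output behavior."""
    action = FAST_RULES.get((ft.proto, ft.dst_port), DEFAULT_ACTION)
    if action != "inspect":
        return action  # S3: the fast rule decides and the payload is never scanned
    hits = search_strings(payload)
    return associate(hits, payload, ft) if hits else DEFAULT_ACTION
```

A single string hit is not enough to change the verdict here: `/admin` alone, or `POST ` outside its offset window, falls through to the default action, which is the false-positive control the third-level table provides.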
CN202210173616.3A 2022-02-24 2022-02-24 Deep packet inspection method and device Active CN114584632B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210173616.3A CN114584632B (en) 2022-02-24 2022-02-24 Deep packet inspection method and device

Publications (2)

Publication Number Publication Date
CN114584632A (en) 2022-06-03
CN114584632B (en) 2023-05-16

Family

ID=81773462

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant