CN116074124A - Attack detection matching method and device for rule without fixed offset - Google Patents
Attack detection matching method and device for rule without fixed offset
- Publication number: CN116074124A (application CN202310283417.2A)
- Authority: CN (China)
- Prior art keywords: rule, data, array, hash, hash value
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses an attack detection matching method and device for a rule without fixed offset. The method comprises the following steps: reading rule files, reading rules from the rule files, calculating the characteristic data length of each rule, putting the characteristic data length into an array E, calculating the hash value of the characteristic data, and forming a hash table T by the hash values of all the rule characteristic data; in response to receiving the message, dividing the effective data of the message according to the array E, forming an array element by the divided data, and carrying out hash calculation on the divided data to obtain a hash value array H; and searching in the hash table T according to the hash value in the hash value array H, if the hash value is hit, comparing whether the lengths of the real data and the rule data are identical, if the lengths are identical, finding the corresponding rule, and finishing matching.
Description
Technical Field
The invention relates to the technical field of industrial control network security, in particular to an attack detection matching method and device for rules without fixed offset.
Background
Attack detection is a common security measure in the network security field: rules are matched against traffic, threats are found, and alarms are raised. One of the main difficulties of attack detection is that the rule set is large, so matching is slow, which affects fields with strict network latency requirements. Rule matching usually has to determine whether a network data message contains certain specific data. The traditional method matches the currently received message against the characteristic data of every rule in turn, and if there are many rules, for example hundreds of thousands, matching takes a long time.
For rule data without fixed offset, the traditional matching method has to search for the rule data in the payload of the message, shifting the search byte by byte, so its matching efficiency is extremely low. The invention therefore provides a method and device for matching attack detection rules whose matching cost is independent of both the message body and the number of rules, so that rule matching efficiency can be greatly improved.
Disclosure of Invention
The invention provides an attack detection matching method for a rule without fixed offset, which comprises the following steps:
reading rule files, reading rules from the rule files, calculating the characteristic data length of each rule, putting the characteristic data length into an array E, calculating the hash value of the characteristic data, and forming a hash table T by the hash values of all the rule characteristic data;
in response to receiving the message, dividing the effective data of the message according to the array E, forming an array element by the divided data, and carrying out hash calculation on the divided data to obtain a hash value array H;
and searching in the hash table T according to the hash value in the hash value array H, if the hash value is hit, comparing whether the lengths of the real data and the rule data are identical, if the lengths are identical, finding the corresponding rule, and finishing matching.
In the attack detection matching method for a rule without fixed offset described above, a constraint is placed on the rule feature data: the feature data has no fixed offset but has a known length.
In the attack detection matching method for a rule without fixed offset, the byte position n=1 is set to segment the effective data of the message. Segmentation starts from the nth byte of the effective data and is performed according to the values of the array E, i.e. the 1st segmentation starting position is the 1st byte, and the segment lengths correspond respectively to all values of the array E.
In the attack detection matching method for a rule without fixed offset, if there is no hit or the lengths of the compared data differ, n=n+1 is set and matching continues.
The invention also provides an attack detection matching device for the rule without fixed offset, which comprises:
the hash table construction module is used for reading rule files, reading rules from the rule files, calculating the characteristic data length of each rule, putting the characteristic data length into the array E, calculating hash values of the characteristic data, and forming a hash table T by the hash values of all the rule characteristic data;
the message data segmentation module is used for responding to the received message, segmenting the effective data of the message according to the array E, forming an array element by the segmented data, and carrying out hash calculation on the segmented data to obtain a hash value array H;
the matching module is used for searching in the hash table T according to the hash value in the hash value array H, if the hash value is hit, comparing whether the lengths of the real data and the regular data are identical, if the lengths are identical, finding the corresponding rule, and finishing matching.
The present invention also provides a computer readable storage medium having one or more program instructions embodied therein for execution by a processor of an attack detection matching method for non-fixed offset rules as described in any of the preceding claims.
The beneficial effects achieved by the invention are as follows: the invention removes the need of the traditional matching method to search the message payload for the rule data while shifting byte by byte, and its matching cost is independent of the message body and of the number of rules, so matching efficiency is greatly improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present invention, and other drawings may be obtained according to these drawings for a person having ordinary skill in the art.
FIG. 1 is a flowchart of an attack detection matching method for a rule without fixed offset according to an embodiment of the present invention;
fig. 2 is a schematic diagram of an attack detection matching device for a rule without fixed offset according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
As shown in fig. 1, a first embodiment of the present invention provides an attack detection matching method for a rule without fixed offset, including:
a constraint placed on the rule feature data, namely that the feature data has no fixed offset but has a known length.
Specifically, let the byte position n=1 (i.e. start from the first byte). The effective data of the message is segmented starting from the nth byte of the effective data according to the values of the array E; for example, the 1st segmentation starting position is the 1st byte, and the segment lengths correspond respectively to all values of the array E. A hash is computed for each segment, giving a hash value array H with the same number of elements as the array E.
The hash table T generated in step 110 is searched using the hash values in the hash value array H. If there is a hit, the lengths of the real data and the rule data are compared; if the lengths are identical, the data themselves are compared; if the data are identical, the corresponding rule is found and matching ends successfully. If there is no hit, or the lengths of the compared data differ, or the compared data differ, n=n+1 is set and matching continues.
Example two
Referring to fig. 2, a second embodiment of the present invention provides an attack detection matching device for a rule without fixed offset, including:
the hash table construction module 21 is configured to read rule files, read rules from the rule files, calculate a characteristic data length of each rule, put the characteristic data length into the array E, calculate hash values of the characteristic data, and form a hash table T from hash values of all the rule characteristic data;
the message data segmentation module 22 is configured to segment the valid data of the message according to the array E in response to receiving the message, the segmented data form an array element, and hash the segmented data to obtain a hash value array H;
the matching module 23 is configured to search in the hash table T according to the hash values in the hash value array H; if there is a hit, compare whether the lengths of the real data and the rule data are identical; if they are identical, compare whether the data themselves are identical; if they are identical, find the corresponding rule and end the matching.
By adopting the technical scheme of the invention, the following effects can be achieved:
1. The invention exploits the property that rule feature data has a bounded length: it segments the data currently to be matched and matches the segments quickly, which greatly reduces the number of matching operations. For example, for effective data with a length of 100 bytes and rule data of length 10, if there are 100,000 rules the traditional method performs 100,000 matches, whereas this method only needs 1000. If the rule set grows further, for example to 500,000 rules, the traditional method performs 500,000 matches, whereas this method still performs only 1000.
2. The invention removes the need of the traditional matching method to search the message payload for the rule data while shifting byte by byte, and its matching cost is independent of the message body and of the number of rules, so matching efficiency is greatly improved.
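The following Python program is an added example, not code from the patent or its applicant: it implements the three steps of Example 1 (build E and T from the rules, cut and hash windows at each byte position, probe T and confirm by length and byte comparison) and reproduces the probe-count comparison made in effect 1 above. The function names (`build_tables`, `scan`, `naive_scan`, `constructed_rule_set`), the choice of FNV-1a as the hash, and the sample rules and payload are all my own assumptions and constructed data. It also goes slightly beyond the text by letting the hash function be swapped for a degenerate one, which shows why the length-and-bytes confirmation step makes hash collisions harmless.

```python
"""Hash-table matcher for content rules without a fixed offset.

Added example (not code from the patent): builds the length array E and
hash table T from a rule set, then slides over a payload, hashing one
window per distinct rule length at each byte position and probing T.
A hit is confirmed by comparing length and the bytes themselves, so a
hash collision can never produce a false match.
"""
import random
from collections import defaultdict


def fnv1a_32(data: bytes) -> int:
    """FNV-1a 32-bit hash (assumed choice; any fast byte hash would do)."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def build_tables(rules, hash_fn=fnv1a_32):
    """Step 1. rules: {rule_id: feature_bytes}. Returns (E, T).

    E is the sorted list of distinct feature lengths; T maps the hash of
    each feature to the (rule_id, feature) entries sharing that hash.
    """
    E = sorted({len(feature) for feature in rules.values()})
    T = defaultdict(list)
    for rule_id, feature in rules.items():
        T[hash_fn(feature)].append((rule_id, feature))
    return E, dict(T)


def scan(payload, E, T, hash_fn=fnv1a_32):
    """Steps 2 and 3. Returns (hits, probes): every (rule_id, offset)
    match in payload and the number of hash-table probes performed.
    Probes per position equal len(E), independent of the rule count."""
    hits, probes = [], 0
    for n in range(len(payload)):
        # Step 2: cut one window per length in E starting at byte n and
        # hash each window (this is the array H for position n).
        H = []
        for length in E:
            window = payload[n:n + length]
            if len(window) == length:
                H.append((window, hash_fn(window)))
        # Step 3: probe T; confirm by length and then by bytes.
        for window, hv in H:
            probes += 1
            for rule_id, feature in T.get(hv, ()):
                if len(feature) == len(window) and feature == window:
                    hits.append((rule_id, n))
    return hits, probes


def naive_scan(payload, rules):
    """Traditional method: slide every rule over the payload byte by
    byte; returns (hits, window_comparisons)."""
    hits, comparisons = [], 0
    for rule_id, feature in rules.items():
        for n in range(len(payload) - len(feature) + 1):
            comparisons += 1
            if payload[n:n + len(feature)] == feature:
                hits.append((rule_id, n))
    return hits, comparisons


def constructed_rule_set(count, length, seed=1):
    """Deterministic pseudo-random rule set for the scaling comparison
    (constructed sample data, not real signatures)."""
    rng = random.Random(seed)
    return {f"R{i}": bytes(rng.getrandbits(8) for _ in range(length))
            for i in range(count)}


# Constructed sample rules and payload for a stand-alone run.
SAMPLE_RULES = {"R1": b"UNION SELECT", "R2": b"/etc/passwd", "R3": b"cmd.exe"}
SAMPLE_PAYLOAD = b"GET /index.php?id=1 UNION SELECT 1,2 HTTP/1.1"

if __name__ == "__main__":
    E, T = build_tables(SAMPLE_RULES)
    print("E =", E, "hits/probes =", scan(SAMPLE_PAYLOAD, E, T))
    big = constructed_rule_set(1000, 10)   # 1000 rules, all of length 10
    E, T = build_tables(big)
    payload = bytes(range(100))            # 100-byte constructed payload
    print("hashed probes:", scan(payload, E, T)[1],
          "naive comparisons:", naive_scan(payload, big)[1])
```

With three sample rules of three different lengths the hashed scan and the naive scan do the same amount of work (one probe per length per position versus one comparison per rule per position). The difference appears once many rules share few lengths: with 1000 constructed 10-byte rules and a 100-byte payload, `scan` probes 91 times while `naive_scan` performs 91,000 window comparisons. The byte comparison inside `scan` is what keeps a colliding or deliberately weak hash from ever reporting a rule that is not actually present.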
Corresponding to the above embodiment, an embodiment of the present invention provides an attack detection matching device for a rule without fixed offset, including: at least one memory and at least one processor;
the memory is used for storing one or more program instructions;
a processor for executing the one or more program instructions to perform an attack detection matching method for a rule without fixed offset.
In accordance with the foregoing embodiments, embodiments of the present invention provide a computer readable storage medium having one or more program instructions embodied therein for execution by a processor to perform an attack detection matching method for a rule without fixed offset.
The disclosed embodiments provide a computer readable storage medium having stored therein computer program instructions that, when run on a computer, cause the computer to perform an attack detection matching method for a rule without fixed offset as described above.
In the embodiment of the invention, the processor may be an integrated circuit chip with signal processing capability. The processor may be a general purpose processor, a digital signal processor (Digital Signal Processor, DSP for short), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC for short), a field programmable gate array (Field Programmable Gate Array, FPGA for short), or another programmable logic device, discrete gate or transistor logic device, or discrete hardware component.
The disclosed methods, steps, and logic blocks in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly in the execution of a hardware decoding processor, or in the execution of a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, or electrically erasable programmable memory, registers, etc. as well known in the art. The processor reads the information in the storage medium and, in combination with its hardware, performs the steps of the above method.
The storage medium may be memory, for example, may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory.
The nonvolatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory.
The volatile memory may be a random access memory (Random Access Memory, RAM for short), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM), and Direct Rambus RAM (DRRAM).
The storage media described in embodiments of the present invention are intended to comprise, without being limited to, these and any other suitable types of memory.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present invention may be implemented in a combination of hardware and software. When the software is applied, the corresponding functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on the computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention in further detail, and are not to be construed as limiting the scope of the invention, but are merely intended to cover any modifications, equivalents, improvements, etc. based on the teachings of the invention.
Claims (6)
1. An attack detection matching method for a rule without fixed offset, comprising:
reading rule files, reading rules from the rule files, calculating the characteristic data length of each rule, putting the characteristic data length into an array E, calculating the hash value of the characteristic data, and forming a hash table T by the hash values of all the rule characteristic data;
in response to receiving the message, dividing the effective data of the message according to the array E, forming an array element by the divided data, and carrying out hash calculation on the divided data to obtain a hash value array H;
and searching in the hash table T according to the hash value in the hash value array H, if the hash value is hit, comparing whether the lengths of the real data and the rule data are identical, if the lengths are identical, finding the corresponding rule, and finishing matching.
2. The attack detection matching method for a rule without fixed offset according to claim 1, characterized in that a constraint is placed on the rule feature data, namely that the feature data has no fixed offset but has a known length.
3. The attack detection matching method for a rule without fixed offset according to claim 1, wherein the byte position n=1 is used to segment the effective data of the message, the segmentation being performed according to the values of the array E starting from the nth byte of the effective data, i.e. the 1st segmentation starting position is the 1st byte, and the segment lengths correspond respectively to all values of the array E.
4. The attack detection matching method for a rule without fixed offset according to claim 1, wherein if there is no hit, or the lengths of the compared data differ, or the compared data differ, n=n+1 is set and matching continues.
5. An attack detection matching device for a rule without fixed offset, comprising:
the hash table construction module is used for reading rule files, reading rules from the rule files, calculating the characteristic data length of each rule, putting the characteristic data length into the array E, calculating hash values of the characteristic data, and forming a hash table T by the hash values of all the rule characteristic data;
the message data segmentation module is used for responding to the received message, segmenting the effective data of the message according to the array E, forming an array element by the segmented data, and carrying out hash calculation on the segmented data to obtain a hash value array H;
the matching module is used for searching in the hash table T according to the hash value in the hash value array H, if the hash value is hit, comparing whether the lengths of the real data and the regular data are identical, if the lengths are identical, finding the corresponding rule, and finishing matching.
6. A computer readable storage medium having one or more program instructions embodied therein for execution by a processor of an attack detection matching method for non-fixed offset rules according to any of claims 1-4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310283417.2A CN116074124A (en) | 2023-03-22 | 2023-03-22 | Attack detection matching method and device for rule without fixed offset |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116074124A true CN116074124A (en) | 2023-05-05 |
Family
ID=86183930
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310283417.2A Pending CN116074124A (en) | 2023-03-22 | 2023-03-22 | Attack detection matching method and device for rule without fixed offset |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116074124A (en) |
Timeline: 2023-03-22, CN application CN202310283417.2A filed (publication CN116074124A), status Pending.
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |