CN116074124A - Attack detection matching method and device for rule without fixed offset - Google Patents


Info

Publication number: CN116074124A
Authority: CN (China)
Prior art keywords: rule, data, array, hash, hash value
Legal status: Pending
Application number: CN202310283417.2A
Other languages: Chinese (zh)
Inventors: 王方立, 黄敏, 龙国东
Current assignee: Beijing Winicssec Technologies Co Ltd
Original assignee: Beijing Winicssec Technologies Co Ltd
Priority date: 2023-03-22
Filing date: 2023-03-22
Publication date: 2023-05-05

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses an attack detection matching method and device for a rule without fixed offset. The method comprises the following steps: reading rule files, reading the rules from the rule files, calculating the feature data length of each rule and putting it into an array E, calculating the hash value of the feature data, and forming a hash table T from the hash values of the feature data of all rules; in response to receiving a message, dividing the effective data of the message according to the array E, forming an array element from each divided segment, and hashing the divided data to obtain a hash value array H; and searching the hash table T with the hash values in the hash value array H; if a hash value hits, comparing whether the lengths of the real data and the rule data are identical, and if they are identical, the corresponding rule is found and matching is finished.

Description

Attack detection matching method and device for rule without fixed offset
Technical Field
The invention relates to the technical field of industrial control network security, in particular to an attack detection matching method and device for rules without fixed offset.
Background
Attack detection is a common security measure in the network security field: rules are matched against traffic, threats are found and alarms are raised. One of the main difficulties of attack detection is that the rule set is large and matching efficiency is low, which affects fields with strict network latency requirements. Rule matching usually has to determine whether a network message contains certain specific data. The traditional method matches the currently received message against the feature data of every rule in turn; when there are many rules, for example hundreds of thousands, matching takes a long time.
For rule data without fixed offset, the traditional matching method has to search for the rule data within the payload of the message, and that search must advance byte by byte, so matching efficiency is extremely low. The invention therefore provides a method and device for matching attack detection rules whose matching efficiency is independent of the message body and of the rule data, which greatly improves rule matching efficiency.
Disclosure of Invention
The invention provides an attack detection matching method for a rule without fixed offset, which comprises the following steps:
reading rule files, reading the rules from the rule files, calculating the feature data length of each rule and putting it into an array E, calculating the hash value of the feature data, and forming a hash table T from the hash values of the feature data of all rules;
in response to receiving a message, dividing the effective data of the message according to the array E, forming an array element from each divided segment, and hashing the divided data to obtain a hash value array H;
and searching the hash table T with the hash values in the hash value array H; if a hash value hits, comparing whether the lengths of the real data and the rule data are identical, and if they are identical, the corresponding rule is found and matching is finished.
In the attack detection matching method for a rule without fixed offset described above, a constraint is placed on the rule feature data: the feature data has no fixed offset but does have a known length.
In the attack detection matching method for a rule without fixed offset, the byte position n=1 is set and the effective data of the message is segmented starting from the nth byte of the effective data according to the values of the array E; that is, the 1st segment starts at the 1st byte, and the segment lengths correspond respectively to all values of the array E.
In the attack detection matching method for a rule without fixed offset, if there is no hit or the compared lengths differ, n=n+1 is set and matching continues from the new position.
The invention also provides an attack detection matching device for the rule without fixed offset, which comprises:
the hash table construction module is used for reading rule files, reading rules from the rule files, calculating the characteristic data length of each rule, putting the characteristic data length into the array E, calculating hash values of the characteristic data, and forming a hash table T by the hash values of all the rule characteristic data;
the message data segmentation module is used for responding to the received message, segmenting the effective data of the message according to the array E, forming an array element by the segmented data, and carrying out hash calculation on the segmented data to obtain a hash value array H;
the matching module is used for searching the hash table T with the hash values in the hash value array H; if a hash value hits, comparing whether the lengths of the real data and the rule data are identical, and if the lengths are identical, finding the corresponding rule and finishing matching.
The present invention also provides a computer readable storage medium having one or more program instructions embodied therein for execution by a processor to perform the attack detection matching method for rules without fixed offset as described in any of the preceding claims.
The beneficial effects achieved by the invention are as follows: the invention eliminates the byte-by-byte search for the rule data in the payload of the message that the traditional matching method requires; the matching efficiency is independent of the message body and of the rule data, so matching efficiency is greatly improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present invention, and other drawings may be obtained according to these drawings for a person having ordinary skill in the art.
FIG. 1 is a flowchart of an attack detection matching method for a rule without fixed offset according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an attack detection matching device for a rule without fixed offset according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
As shown in fig. 1, a first embodiment of the present invention provides an attack detection matching method for a rule without fixed offset, including:
Step 110, reading rule files, reading the rules from the rule files, calculating the feature data length of each rule and putting it into an array E, calculating the hash value of the feature data, and forming a hash table T from the hash values of the feature data of all rules;
wherein a constraint is placed on the rule feature data, i.e. the feature data has no fixed offset but does have a length.
Step 120, in response to receiving a message, dividing the effective data of the message according to the array E, forming an array element from each divided segment, and hashing the divided data to obtain a hash value array H;
specifically, let the byte position n=1 (i.e. start from the first byte). The effective data of the message is segmented starting from the nth byte according to the values of the array E; for example, the 1st segment starts at the 1st byte and the segment lengths correspond respectively to all values of the array E. Hashing the segmented data yields a hash value array H with the same number of elements as the array E.
Step 130, searching the hash table T with the hash values in the hash value array H; if a hash value hits, comparing whether the lengths of the real data and the rule data are identical; if the lengths are identical, the corresponding rule is found and matching is finished, otherwise matching fails;
the hash table T generated in step 110 is searched with the hash values in the hash value array H. If there is a hit, compare whether the lengths of the real data and the rule data are identical; if they are, compare whether the data themselves are identical; if they are, the corresponding rule is found and matching ends successfully. If there is no hit, the compared lengths differ, or the compared data differ, set n=n+1 and return to matching.
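Steps 110 to 130 as an added worked example (not the patent's own code): a small Python matcher that builds E and T, segments the payload from each byte position n, probes T and confirms the length and then the bytes before reporting a hit, alongside the traditional byte-by-byte search for comparison. The rule tuple format, the BLAKE2b hash, the `NoOffsetMatcher` class, and the sample rules and payload are assumptions made here.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# Assumed rule shape: (rule_id, feature_bytes). The feature has a known
# length but no fixed offset inside the payload (the step 110 constraint).
Rule = Tuple[str, bytes]
HashFn = Callable[[bytes], bytes]


def feature_hash(data: bytes) -> bytes:
    """Default hash for table T; any fast hash works, 8 bytes keeps T small."""
    return hashlib.blake2b(data, digest_size=8).digest()


class NoOffsetMatcher:
    """Hash-table matcher for rules that have a length but no fixed offset."""

    def __init__(self, rules: List[Rule], hash_fn: HashFn = feature_hash) -> None:
        self.hash_fn = hash_fn
        # Step 110: E = distinct feature lengths; T maps feature hash -> rules.
        # T keeps a list per hash so colliding features are all retained.
        self.E: List[int] = sorted({len(feat) for _, feat in rules})
        self.T: Dict[bytes, List[Rule]] = {}
        for rule_id, feat in rules:
            self.T.setdefault(hash_fn(feat), []).append((rule_id, feat))
        self.lookups = 0  # hash-table probes performed, for cost comparison

    def match(self, payload: bytes) -> Optional[Tuple[str, int]]:
        """Return (rule_id, offset) of the first matching rule, or None."""
        # Steps 120-130: byte position n starts at 1 and advances by one per pass.
        for n in range(1, len(payload) + 1):
            start = n - 1
            # Segment the payload from byte n once per length in E and hash each
            # segment: H has one element per element of E (segments that would
            # run past the end of the payload are skipped).
            H = [(ln, self.hash_fn(payload[start:start + ln]))
                 for ln in self.E if start + ln <= len(payload)]
            for ln, h in H:
                self.lookups += 1
                for rule_id, feat in self.T.get(h, ()):
                    # Hit in T: confirm the length, then the bytes themselves,
                    # so a hash collision can never raise a false alarm.
                    if len(feat) == ln and payload[start:start + ln] == feat:
                        return rule_id, start
            # No hit at this n: n = n + 1 and keep matching.
        return None


def naive_match(payload: bytes, rules: List[Rule]) -> Tuple[Optional[str], int]:
    """Traditional byte-by-byte search; returns (rule_id or None, comparisons)."""
    comparisons = 0
    for start in range(len(payload)):
        for rule_id, feat in rules:
            comparisons += 1
            if payload.startswith(feat, start):
                return rule_id, comparisons
    return None, comparisons


# Constructed sample rules and payload (not from the patent); the payload
# carries the "stop-cpu" feature at offset 7.
SAMPLE_RULES: List[Rule] = [
    ("write-coil", b"\x05\x00\x13\xff\x00"),
    ("stop-cpu", b"STOP"),
    ("dump-mem", b"\xde\xad\xbe\xef\x00\x01"),
]
SAMPLE_PAYLOAD = b"\x00\x01\x00\x00\x00\x06\x01" + b"STOP" + b"\x00\x00"

if __name__ == "__main__":
    m = NoOffsetMatcher(SAMPLE_RULES)
    print("E =", m.E, "hit =", m.match(SAMPLE_PAYLOAD), "probes =", m.lookups)
    print("naive =", naive_match(SAMPLE_PAYLOAD, SAMPLE_RULES))
```

Because step 130 re-compares the bytes after a hash hit, a weak or colliding hash costs extra comparisons but never a false alarm. Probing T once per length in E at every offset means the probe count grows with the payload length and the number of distinct feature lengths, not with the number of rules.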
Example 2
Referring to fig. 2, a second embodiment of the present invention provides an attack detection matching device for a rule without fixed offset, including:
the hash table construction module 21 is configured to read rule files, read rules from the rule files, calculate a characteristic data length of each rule, put the characteristic data length into the array E, calculate hash values of the characteristic data, and form a hash table T from hash values of all the rule characteristic data;
the message data segmentation module 22 is configured, in response to receiving a message, to segment the effective data of the message according to the array E, to form an array element from each segment, and to hash the segmented data to obtain a hash value array H;
the matching module 23 is configured to search the hash table T with the hash values in the hash value array H; if a hash value hits, compare whether the lengths of the real data and the rule data are identical; if the lengths are identical, compare whether the data are identical; if they are identical, find the corresponding rule and end the matching.
By adopting the technical scheme of the invention, the following effects can be achieved:
1. The invention exploits the limited length of the feature data of matching rules and performs fast matching by segmenting the data that currently needs to be matched, which greatly reduces the number of match operations. For example, for effective data 100 bytes long, rule data of length 10 and 100,000 rules, the traditional method performs 100,000 matches while this method needs only 1000. If the rule set grows further, for example to 500,000 rules, the traditional method performs 500,000 matches while this method still needs only 1000.
2. The invention eliminates the byte-by-byte search for the rule data in the payload of the message that the traditional matching method requires; the matching efficiency is independent of the message body and of the rule data, so matching efficiency is greatly improved.
Corresponding to the above embodiment, an embodiment of the present invention provides an attack detection matching device for a rule without fixed offset, including: at least one memory and at least one processor;
the memory is used for storing one or more program instructions;
a processor for executing the one or more program instructions to perform an attack detection matching method for a rule without fixed offset.
In accordance with the foregoing embodiments, embodiments of the present invention provide a computer readable storage medium having one or more program instructions embodied therein for execution by a processor to perform an attack detection matching method for a rule without fixed offset.
The disclosed embodiments provide a computer readable storage medium having stored therein computer program instructions that, when run on a computer, cause the computer to perform an attack detection matching method for a rule without fixed offset as described above.
In the embodiment of the invention, the processor may be an integrated circuit chip with signal processing capability. The processor may be a general purpose processor, a digital signal processor (Digital Signal Processor, DSP for short), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC for short), a field programmable gate array (Field Programmable Gate Array, FPGA for short), or another programmable logic device, discrete gate or transistor logic device, or discrete hardware component.
The methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed by such a processor. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly in hardware in a decoding processor, or in a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, electrically erasable programmable memory, registers, or any other storage medium well known in the art. The processor reads the information in the storage medium and, in combination with its hardware, performs the steps of the above method.
The storage medium may be memory, for example, may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory.
The nonvolatile Memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an electrically Erasable ROM (Electrically EPROM, EEPROM), or a flash Memory.
The volatile memory may be a random access memory (Random Access Memory, RAM for short), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and Direct Rambus RAM (DRRAM).
The storage media described in embodiments of the present invention are intended to comprise, without being limited to, these and any other suitable types of memory.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present invention may be implemented in a combination of hardware and software. When implemented in software, the corresponding functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention in further detail, and are not to be construed as limiting the scope of the invention, but are merely intended to cover any modifications, equivalents, improvements, etc. based on the teachings of the invention.

Claims (6)

1. An attack detection matching method for a rule without fixed offset, comprising:
reading rule files, reading the rules from the rule files, calculating the feature data length of each rule and putting it into an array E, calculating the hash value of the feature data, and forming a hash table T from the hash values of the feature data of all rules;
in response to receiving a message, dividing the effective data of the message according to the array E, forming an array element from each divided segment, and hashing the divided data to obtain a hash value array H;
and searching the hash table T with the hash values in the hash value array H; if a hash value hits, comparing whether the lengths of the real data and the rule data are identical, and if they are identical, the corresponding rule is found and matching is finished.
2. The attack detection matching method for a rule without fixed offset according to claim 1, characterized in that a constraint is placed on the rule feature data, i.e. the feature data has no fixed offset but does have a length.
3. The attack detection matching method for a rule without fixed offset according to claim 1, wherein the byte position n=1 is used to segment the effective data of the message; segmentation is performed according to the values of the array E starting from the nth byte of the effective data, i.e. the 1st segment starts at the 1st byte and the segment lengths correspond respectively to all values of the array E.
4. The attack detection matching method for a rule without fixed offset according to claim 1, wherein if there is no hit, or the compared lengths differ, or the compared data differ, n=n+1 is set and matching continues from the new position.
5. An attack detection matching device for a rule without fixed offset, comprising:
the hash table construction module is used for reading rule files, reading rules from the rule files, calculating the characteristic data length of each rule, putting the characteristic data length into the array E, calculating hash values of the characteristic data, and forming a hash table T by the hash values of all the rule characteristic data;
the message data segmentation module is used for responding to the received message, segmenting the effective data of the message according to the array E, forming an array element by the segmented data, and carrying out hash calculation on the segmented data to obtain a hash value array H;
the matching module is used for searching the hash table T with the hash values in the hash value array H; if a hash value hits, comparing whether the lengths of the real data and the rule data are identical, and if the lengths are identical, finding the corresponding rule and finishing matching.
6. A computer readable storage medium having one or more program instructions embodied therein for execution by a processor to perform the attack detection matching method for a rule without fixed offset according to any of claims 1-4.

Bibliographic data

Application number: CN202310283417.2A, priority date 2023-03-22, filing date 2023-03-22, status Pending
Publication: CN116074124A (en), published 2023-05-05
Family ID: 86183930
Country status: CN (1) CN116074124A (en)


Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination