M430774 月23日修正替換頁 五、新型說明: 【新型所屬之技術領域】 本創作侧於-_儕網路封包·裝置。更明確地 本創作係,可完全過歡阻獅儕網路串流封包的^M430774 Amendment page on March 23rd. 5. New description: [New technical field] This creation side is in -_侪 network packet and device. More specifically, this creative department can completely eliminate the lion network streaming packet ^
本創作之裝置對該等封包層所產生_字特徵碼⑷進行比P 對分析,不用by port管理,可設通過、不通過頻寬管理, 確保頻寬使用,以建立封包阻撞/過濾規則,進一步有助於達 到完全阻擔之最終目的;本創作能運用在各式點對點或== 對子節點(樹網路)之電腦(如終端機、飼服器)上,如考試 EBON···等。 ~ 【先前技術】 近年來同儕網路P2P(Pear-t0-Pear)技術的進步,許多影音 • 提供者歧1^業者麟柄⑽_轉_ P2P _ 構’其原因不外乎是_ P2P傳·音串_案的方式可以將 這些網路頻寬的使用分散轉嫁到使用者,降低業者的營運與系 統架設成本。 然而,P2P架構特性造成網路管理困難。眾所周知,單純 以流量統計或是特定埠號方式是不能夠完全的阻播Ρ2Ρ使 用。就流量統計結果來說,流量大於某個臨界值為判斷標準, 並不能完全代表正在使用P2P軟體。採用特定埠號方式,也已 3 101年4月23日修正替換頁 被證實對於大部份P2P應用程式是無效的。 因此,本技術領域中亟需有一種裝置,能夠完全過濾/阻 擋P2P封包,進一步確保網路頻寬,並且能夠增加網路通訊管 理的有效性以及便利性。 【新型内容】 本創作提出主要目的在於提供一種運用該等特徵規則過 濾/阻擋網路封包之同儕網路串流封包過濾裝置。該同儕網路 串流封包過濾裝置,其至少包含:一封包擷取單元、一多層次 特徵分析單元、一特徵規則儲存單元及一分歧單元;其中該 多層次特徵分析單元將該封包擷取單元所接收之網路資料封 包加以分析,以取得複數個特徵規則存入該特徵規則儲存單 元’且該分歧單元可依據該特徵規則儲存單元所記載之複數個 特徵規則,將同儕網路串流封包與非同儕網路串流封包分流。 本創作之次一目的在於提供一種能對封包進行掃毒之同 儕網路串流封包過濾裝置。其係在同儕網路串流封包過濾 裝置之分歧單元所屬之網路串流封包後,以電訊連接方 式架設一與掃毒引擎,該掃毒引擎另一端具電訊接線。 本創作之次二目的在於提供一種能再次對可疑封包進行 第二次以上分析掃毒之同儕網路串流封包過濾裝置。其係將該 掃毒引擎另一端與封包擷取單元電訊連接。 【實施方幻 Ιϊϊϋϊϊϊ^^] 參照第一圖,顯示的是本創作之同儕網路串流封包過濾裝 置1的方境圖。由圖中可知,該同儕網路串流封包過滤裝置至 夕〇括封包擷取單元10,· 一多層次特徵分析單元 20 ; —特徵規則儲存單元3〇 ; 一分歧單元4〇。 運作時封包擷取單元10可接收網路封包並予以 榻取,以供實施進—步分析,其分析程序如後文詳述。 多層次特徵分析單元2〇,其分別與封包掘取單元 W、特徵㈣儲存單元3G電訊連接,將贿包擷取單 元10所接收之網路賴封包加以分析,轉得複數個 =規貝]存人該特徵規則儲存單s ,該特徵規則餘 子單元30刀別與多層次特徵分析單元與一分歧單元 電訊連接lit分析可使用任何業内所熟知的方法實 例如多層次特徵分析單元2〇包括(但不限於):階 層分群法、_字統収、多層次缝關鍵字識別法, 以及上述方法的組合運用。 由夕層-人特徵分析單元2〇所取得之特徵規則,即 子特徵規則儲存單元3〇,其中該儲存單元3〇可為非 揮發式儲麵體’以供長_雌轉特徵規則。 在一具體實施例中’該特徵規則儲存單元30可預 先存有至少―特徵規則,並可視需要作經常性的更新。 接下來,分歧單元40可依據該特徵規則儲存單元 所記载之複數個特徵規則,將同傳網 =:串流封包分流區隔,讓同儕網路㈣: 被處理。=^之步處理,而非同儕網路串流封包則不 簡^之’合於特徵規則的封包 同儕網料流封包,並被重新導向以供進—步處理^ 般應用例中’係將同儕網路串流封包吾棄,實際上即達 到阻擋該等同儕網路串流封包目的,從而減少網路流 量,達到頻寬管理目的。 本創作-具體實施例中,其多層次特徵分析單元 20進-步包括:1層式分群引擎22;―關鍵字統計 引擎24,一多層次樹狀關鍵字識別引擎26。 其中:該階層式分群引擎22係用來將該等所掏取 封包依不同通訊協定分成複數個群組。舉例來說,目前 一般所流通的P2P串流可能使用的tTCP、UDP或 TCP/UDP混合使用或是交替使用,據此,該階層式分 群引擎22可將所操取封包分成TCP或UDP封包。可 心、而知,此兩群組之區分僅為舉例,並非要限制本創作。 接著,將已分群組之封包依其群組別交由關鍵字統 計引擎24進行封包内容關鍵字統計估測,並將所識別 特徵設為一特徵規則存入該特徵規則儲存單元3〇。舉 例來說,先針對TCP封包實施關鍵字統計估測,或先 針對UDP封包實施關鍵字統計估測。若某一字串在所 M430774 擷取封包t出現的頻率超過一預設閾限,即判定此係實 用之特徵規則’並存人特徵規職存單元。 同時亦將同一 關鍵字識别引擎26 的複數個共同特徵, 徵規則儲存單元。 已分群組之封包交由該多層次樹狀 進行分析,識別出該等封包資料中 並將該等至少一特徵規則存入該特 如上述’已知某些P2P應用軟體同時使用TCp以及咖 兩種通訊連線方法,或會隨時間改變所使用之通訊連線方法, 本創作的乡層次槪分料元2G亦雜珊層式分群引 =2所分_ ’财_各_断讀,獅酬到有效 ―閲第H提供—種能 :,於在同儕網路串流封包過遽裝 = 之力 屬之網路串流封包 刀歧早7C 40所 擎5〇,該掃毒^擎另一端2接方式架設一與掃毒引 圖,為再次對可疑封包H 接線;繼續參閱第三 毒引擎%另1與封^故11分猜毒’得在該掃 確確綱之網路_$。單元1Gf訊連接,達到精 ^ 口上述’本創作之同儕網路 階層式分群51擎、L 結合一 鍵字_丨擎,達到完全?丨擎、—多層次樹狀關 的。 過'慮處理同細路串流封包的目 M430774 _ % 101年4月23日修正替換頁 以上所述為本創作之較佳實施例之詳細說明與圖式,並非 用來限制本創作,本創作之所有範圍應以下述之專利範圍為 準,凡專利範圍之精神與其類似變化之實施例與近似結構,皆 應包含於本創作之中。 【圖式簡單說明】 第一圖係本創作一同儕網路串流封包過濾裝置之方塊圖; 第二圖係本創又一結構之方塊圖; 第三圖係本創又二結構之方塊圖。 【主要元件符號說明】 100 同儕網路串流封包過濾裝置 10 封包擷取單元 20 多層次特徵分析單元 22 階層式分群引擎 24 關鍵字統計引擎 26 多層次樹狀關鍵字識別引擎 30 特徵規則儲存單元 40 分歧單元 50 掃毒引擎 8The device of the creation performs the analysis of the _word feature code (4) generated by the packet layer, and does not need to be managed by the port, and can be set and passed through the bandwidth management to ensure the bandwidth is used to establish the packet blocking/filtering rule. Further help to achieve the ultimate goal of complete resistance; this creation can be applied to a variety of peer-to-peer or == computers (such as terminals, feeding machines) for child nodes (tree networks), such as the exam EBON·· ·Wait. ~ [Prior Art] In recent years, the progress of P2P (Pear-t0-Pear) technology in peer-to-peer network, many audio and video providers have become ambiguous (1), and the reason is nothing more than _ P2P transmission The way of the sound string _ case can be used to distribute the use of these network bandwidths to users, reducing the operator's operation and system installation costs. However, P2P architecture features make network management difficult. As we all know, it is not possible to completely block the use of traffic statistics or specific nicknames. As far as traffic statistics are concerned, the traffic is greater than a certain threshold value and does not fully represent the P2P software being used. With a specific nickname, the revised replacement page on April 23, 2003 was confirmed to be ineffective for most P2P applications. Therefore, there is a need in the art for a device that can completely filter/block P2P packets, further ensure network bandwidth, and increase the effectiveness and convenience of network communication management. [New Content] The main purpose of this creation is to provide a peer-to-peer stream packet filtering device that filters/blocks network packets using these feature rules. The peer-to-peer network stream packet filtering device includes at least: a packet capturing unit, a multi-level feature analyzing unit, a feature rule storage unit, and a divergent unit; wherein the multi-layer feature analyzing unit uses the packet capturing unit The received network data packet is analyzed to obtain a plurality of feature rules stored in the feature rule storage unit ′ and the divergent unit can encapsulate the peer network stream according to the plurality of feature rules recorded by the feature rule storage unit Split with non-peer network streaming packets. The second purpose of the present invention is to provide a peer-to-peer stream packet filtering device capable of cleaning a packet. After the network stream packet belongs to the branch unit of the peer network packet filtering device, a virus scanning engine is set up in the telecommunication connection mode, and the other end of the virus scanning engine has a telecommunication wire. The second purpose of this creation is to provide a peer-to-peer network stream packet filtering device that can perform the second or more analysis of suspicious packets again. It electrically connects the other end of the anti-virus engine to the packet capture unit. [Implementation of the illusion Ιϊϊϋϊϊϊ^^] Referring to the first figure, the context diagram of the peer-to-peer network stream packet filtering device 1 of the present invention is shown. As can be seen from the figure, the peer-to-peer network stream packet filtering device is coupled to the packet capture unit 10, a multi-level feature analyzing unit 20, a feature rule storage unit 3A, and a branch unit 4A. In operation, the packet capture unit 10 can receive and receive the network packet for implementation, and the analysis procedure is as described later. The multi-level feature analysis unit 2〇 is respectively connected with the packet tracing unit W and the feature (4) storage unit 3G, and analyzes the network packets received by the bribe collection unit 10, and converts the plurality of packets to the ruler] The feature rule storage list s is stored, and the feature rule remaining sub-unit 30 and the multi-level feature analysis unit and a different unit telecommunication connection lit analysis can use any well-known method examples such as a multi-level feature analyzing unit 2 Including (but not limited to): hierarchical grouping method, _ word collection, multi-level seam keyword recognition method, and the combined use of the above methods. The feature rule obtained by the layer-human feature analysis unit 2, that is, the sub-feature rule storage unit 3, wherein the storage unit 3〇 can be a non-volatile reservoir body for the long-status feature rule. In a specific embodiment, the feature rule storage unit 30 may pre-store at least a feature rule and perform frequent updates as needed. Next, the divergence unit 40 may divide the simultaneous network =: stream packet partition according to the plurality of feature rules recorded by the feature rule storage unit, and let the peer network (4): be processed. =^ step processing, rather than the same network stream packet is not simple ^ the feature rule of the packet with the network stream packet, and is redirected for further processing - in the application example At the same time, the network stream packet is discarded, and in fact, the purpose of blocking the equivalent network packet is achieved, thereby reducing network traffic and achieving bandwidth management. In the present invention-specific embodiment, the multi-level feature analysis unit 20 further includes: a 1-layer clustering engine 22; a keyword statistics engine 24, and a multi-level tree keyword recognition engine 26. Wherein: the hierarchical grouping engine 22 is configured to divide the captured packets into a plurality of groups according to different communication protocols. For example, currently available P2P streams may be mixed or used alternately using tTCP, UDP or TCP/UDP, whereby the hierarchical cluster engine 22 may divide the fetched packets into TCP or UDP packets. It can be understood that the distinction between the two groups is only an example and is not intended to limit the creation. Then, the packets of the group are grouped by the keyword statistics engine 24 for the packet content keyword statistical estimation according to the group, and the identified feature is set as a feature rule to be stored in the feature rule storage unit 3〇. For example, a keyword statistical estimate is first implemented for a TCP packet, or a keyword statistical estimate is first implemented for a UDP packet. If a string appears in the M430774, the frequency of occurrence of the packet t exceeds a predetermined threshold, it is determined that the feature rule of the system is used and the feature rule storage unit is stored. At the same time, a plurality of common features of the same keyword recognition engine 26 are also levied on the rule storage unit. The packets that have been grouped are analyzed by the multi-level tree, and the packet data are identified and the at least one feature rule is stored in the special case as described above. Some known P2P application software uses TCp and coffee. The two communication connection methods may change the communication connection method used over time. The township level of the creation is divided into 2G and the sub-groups are divided into 2 points. The lion is paid to the effective - read the H provides - kind of energy:, in the same network, the stream packet is over-packed = the force of the network stream packet knife knife early 7C 40 engine 5 〇, the virus scan The other end of the 2 way to set up a scan and map, in order to re-wire the suspicious packet H; continue to refer to the third poison engine% another 1 and seal 11 points guess the guess 'to get the network in the sweep _$ . Unit 1Gf communication connection, to achieve the above-mentioned 'this creation of the same network hierarchical group 51 engine, L combined with a key word _ 丨 ,, to achieve a complete 丨 、, - multi-level tree-like off. M430774 _% April 23, 2011 Revision of the replacement page The above description and drawings of the preferred embodiment of the present invention are not intended to limit the creation, this All ranges of creations are subject to the scope of the following patents, and the spirit of the scope of the patent and its similarly modified embodiments and approximate structures are intended to be included in this creation. [Simple diagram of the diagram] The first picture is a block diagram of the network stream packet filtering device; the second picture is a block diagram of another structure; the third picture is a block diagram of the original and the second structure. . [Main component symbol description] 100 peer network stream packet filtering device 10 packet capturing unit 20 multi-level feature analyzing unit 22 hierarchical grouping engine 24 keyword statistics engine 26 multi-level tree keyword recognition engine 30 feature rule storage unit 40 divergent unit 50 anti-virus engine 8