WO2009089701A1 - Method and system for packet inspection - Google Patents

Method and system for packet inspection

Info

Publication number
WO2009089701A1
Authority
WO
WIPO (PCT)
Prior art keywords
data packet
detection
policy
packet
module
Application number
PCT/CN2008/072525
Other languages
French (fr)
Chinese (zh)
Inventor
Peilin Yang
Rong ZOU
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009089701A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/026 Capturing of monitoring data using flow identification

Definitions

  • the embodiments of the present invention relate to network security technologies, and in particular to a packet detection method and system.
  Background technique
  • IP networks are gradually shifting from carrying a single Internet service to carrying data, voice, video, large-customer leased lines, 3G, Next Generation Network (hereinafter referred to as NGN) and other carrier-grade services.
  • IMS: IP Multimedia Subsystem
  • IPTV: Internet Protocol Television
  • in the course of this transformation, fundamental changes will also take place in the security, reliability and service quality of IP networks.
  • P2P: peer-to-peer
  • P2P, online games, Internet TV and other emerging services occupy most of the Internet's bandwidth.
  • P2P cross-domain traffic occupies 80% of the bandwidth on trunk lines.
  • most of the network's bandwidth is occupied by a small number of users, and these users do not pay the corresponding cost.
  • this degrades the network quality of most other users, causes varying degrees of congestion on the network, and greatly reduces the user experience of other applications.
  • the main reason for the above phenomenon is that the operator lacks an effective means of controlling and differentiating users.
  • the operator neither knows what users are doing on the Internet nor has a way to provide different users with different quality-of-service and service-level guarantees.
  • a new class of techniques, deep packet inspection (Deep Packet Inspection, hereinafter referred to as DPI) and deep/dynamic flow inspection (Deep/Dynamic Flow Inspection, hereinafter referred to as DFI), can sense network applications and provide operators with a means of network control and management.
  • the so-called "depth" is relative to the detection level of ordinary packet inspection.
  • ordinary packet inspection only examines the content of the IP packet below layer 4, including the source address, destination address, source port, destination port and service type; in addition to inspecting these layers, DPI/DFI adds application-layer inspection, which can identify various applications and their content and control and manage them.
  • FIG. 1 is a schematic diagram of a prior-art system that performs DPI detection in series.
  • in this network the DPI/DFI detection device is located between the aggregation layer and the access layer, and may also be deployed between the aggregation layer and the IP/MPLS backbone network.
  • MPLS: Multiprotocol Label Switch
  • FIG. 2 is a schematic diagram of a prior-art system that performs DPI detection in parallel.
  • in this network the DPI/DFI detection device is attached alongside the network access server (Network Access Server, hereinafter referred to as NAS); it may also be attached alongside other network devices according to the actual situation of the network. All packets entering or leaving the access network need to pass through the NAS.
  • the NAS copies the packets to the DPI/DFI detection device for detection.
  • while the DPI/DFI detection device performs detection, the packet continues into or out of the access network and is not affected.
  • when the DPI/DFI detection device identifies an illegal service, the packets of that illegal service entering or leaving the access network are discarded through the NAS.
  Summary of the invention
  • the embodiment of the invention provides a packet detection method and system, which can detect packets in a hierarchical manner, can meet the requirements of real-time services, and prevent the DPI/DFI detection device from becoming a bottleneck for message forwarding.
  • the embodiment of the invention provides a packet detection method, including: detecting a received data packet according to a detection policy; forwarding the data packet when the data packet satisfies the detection policy; determining according to a configuration policy whether the data packet needs to be copied, and if so, copying the data packet and detecting the copied data packet according to a deep-level detection policy.
  • the embodiment of the invention further provides a packet detection method, including: detecting a received data packet according to a detection policy; when the data packet satisfies the detection policy, copying the data packet and detecting the copied data packet according to a deep-level detection policy; determining according to a configuration policy whether the data packet is to be forwarded, and if so, forwarding the data packet.
  • the embodiment of the invention further provides a packet detection method, including: detecting a received data packet according to a detection policy; when the data packet satisfies the detection policy, determining according to a configuration policy whether the data packet needs to be copied, and if so, copying the data packet and detecting the copied data packet according to the deep-level detection policy.
  • the embodiment of the invention provides a message detection system, including:
  • a detecting module configured to detect the received data packet according to the detection policy
  • a forwarding module configured to forward the data packet when the data packet meets the detection policy
  • a determining module configured to determine, according to the configuration policy, whether to copy the data packet
  • a copying module configured to: when it is determined that the data packet needs to be copied, copy the data packet
  • the deep layer detecting module is configured to detect the copied data packet according to the deep layer detection policy.
  • the embodiment of the invention further provides a message detection system, including:
  • a detecting module configured to detect the received data packet according to the detection policy
  • a copying module configured to: when the data packet meets the detection policy, copy the data packet;
  • a deep detection module configured to detect a copied data packet according to a deep-level detection policy
  • a determining module configured to determine, according to the configuration policy, whether to forward the data packet
  • a forwarding module configured to forward the data packet when determining to forward the data packet.
  • the embodiment of the invention further provides a message detection system, including:
  • a detecting module configured to detect the received data packet according to the detection policy
  • a determining module configured to determine, according to the configuration policy, whether to copy the data packet when the data packet meets the detection policy
  • a copying module configured to copy the data packet when it is determined that the data packet needs to be copied
  • a deep-level detection module configured to detect the copied data packet according to the deep-level detection policy.
  • the packet detection method and system according to the embodiments of the present invention first detect a data packet according to the detection policy and then further detect it according to the deep-level policy, thereby implementing hierarchical detection of the data packet; this balances data packet detection against fast data packet forwarding performance, meets the requirements of real-time services, avoids the DPI/DFI detection device becoming the bottleneck of packet forwarding, and realizes the network operator's perception and control functions.
  • FIG. 1 is a schematic diagram of a system for performing DPI detection in a series manner in the prior art
  • FIG. 2 is a schematic diagram of a system for performing DPI detection in a parallel manner in the prior art
  • FIG. 3 is a schematic diagram of a network architecture according to an embodiment of the present invention
  • FIG. 4 is a flowchart of a message detecting method according to an embodiment of the present invention
  • FIG. 5 is a flowchart of a packet detecting method according to Embodiment 2 of the present invention.
  • FIG. 6 is a flowchart of a method for detecting a packet according to Embodiment 3 of the present invention.
  • FIG. 7 is a schematic diagram of a message detection system according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of a message detecting system according to Embodiment 2 of the present invention.
  • FIG. 9 is a schematic diagram of an NGN network architecture based on data packet detection according to an embodiment of the present invention
  • FIG. 10 is a schematic diagram of a packet detection system according to Embodiment 3 of the present invention.
  Detailed description
  • in the series DPI scheme, all packets pass through the DPI/DFI detection device, so the device becomes the bottleneck of packet forwarding and causes transmission delay, especially for real-time services.
  • in addition, the detection policy is not flexible: detection policies cannot be deployed according to network conditions and dynamic requirements.
  • in the parallel DPI scheme, because the DPI/DFI detection device is attached beside the network, its real-time control capability over services is weak, which reduces the control effect.
  • here too the detection policy is not flexible, and detection policies cannot be deployed according to network conditions and dynamic requirements.
  • FIG. 3 is a schematic diagram of a network architecture according to an embodiment of the present invention.
  • the network includes a user terminal, an access network, a NAS, a content detection and control module, and an IP/MPLS backbone network, where the NAS includes a flow detection module.
  • the flow detection module is configured to detect a data packet according to the detection policy.
  • the content detection and control module is configured to detect the data packet according to the deep-level detection policy.
  • the content detection and control module pre-configures the detection policy and the deep-level detection policy, and the method specifically includes the following steps:
  • Step 1: Detect the received data packet according to the detection policy.
  • specifically, the NAS receives the data packet, and the flow detection module detects the data packet according to the detection policy.
  • Step 2: When the data packet meets the detection policy, determine according to the configuration policy whether the data packet needs to be copied, and if so, perform step 3.
  • the configuration policy may be a policy configured by the operator according to network operating conditions.
  • this pre-configuration determines whether deep-level detection is required when the data packet meets the detection policy.
  • Step 3: Copy the data packet.
  • Step 4: Detect the copied data packet according to the deep-level detection policy; specifically, the content detection and control module detects the copied data packet according to the deep-level detection policy.
  • in this embodiment, packet detection and the related policies are distributed to different functional entities and packets are detected at different levels, which solves the problem of balancing data packet detection against fast data packet forwarding performance, satisfies the requirements of real-time services, avoids the DPI/DFI detection device becoming the bottleneck of packet forwarding, and allows the service flow to be controlled and managed, realizing the network operator's perception and control of the service.
  • before the steps of this embodiment are performed, the content detection and control module pre-configures the detection policy and the deep-level detection policy. Specifically, the content detection and control module configures the deep-level detection policy internally according to operational needs and configures the detection policy for the NAS.
  • the detection policy may be a five-tuple (source address, destination address, source port, destination port and protocol type) together with a traffic characteristic model (such as packet length, connection rate, number of bytes transmitted, packet interval, etc.).
  • alternatively, the detection policy may be a five-tuple together with a basic service-protocol feature-word policy.
  • Step 101: The NAS receives the data packet.
  • Step 102: The flow detection module detects the data packet according to the detection policy; if the data packet does not satisfy the detection policy, step 106 is performed, otherwise step 103 is performed.
  • Step 103: Forward the data packet according to the normal process, and determine according to the configuration policy whether the data packet is to be copied; if so, perform step 104.
  • the configuration policy may be a policy configured by the operator according to network operating conditions; it determines whether further deep-level detection is required when the data packet meets the detection policy.
  • Step 104: Copy the data packet, and have the content detection and control module detect the copied data packet according to the deep-level detection policy; if the data packet meets the deep-level detection policy, step 105 is performed, otherwise step 106 is performed.
  • Step 105: Process the next data packet, and end.
  • Step 106: Send an alarm notification and discard the data packet.
  • for example, the flow detection module detects a data packet whose five-tuple is not one that is normally transmitted; or, when the user is using a voice service, the flow detection module detects that the data packet's length is 400 bytes (the packet length of a voice-service data packet is usually about 150 bytes) and that the flow lasts a very long time, indicating that the data packet is not a voice-service packet; or, when the user is watching an IPTV service stream, the flow detection module detects not the basic feature word of the Real-time Transport Protocol (hereinafter referred to as RTP) that IPTV requires, but the feature word of another service. In these cases the flow detection module can write the data packet into a blacklist; further, the flow detection module can send an alarm notification to the NAS, and the NAS directly discards the data packet. Alternatively, the flow detection module lowers the priority of the data packet, so that during processing the data packets with the highest priority are processed first.
  • RTP: Real-time Transport Protocol
  • when deep-level detection fails, the content detection and control module sends an alarm notification to the NAS, and the NAS discards the data packet according to the alarm notification; for example, when the user is watching an IPTV service flow, the content detection and control module detects that the IPTV service stream to which the packet belongs has no copyright or is an illegal service flow, and notifies the NAS to discard the data packets sent with that five-tuple.
  • the content detection and control module may further classify the data packet according to the result of the deep-level detection and perform traffic management on the data packet, where traffic management may include management and scheduling of data packet queues and policing and shaping of data packet traffic.
  • in this embodiment, packet detection and the related policies are distributed to different functional entities and packets are detected at different levels, which solves the problem of balancing data packet detection against fast data packet forwarding performance, satisfies the requirements of real-time services, avoids the DPI/DFI detection device becoming the bottleneck of packet forwarding, and allows the service flow to be controlled and managed, realizing the network operator's perception and control functions.
  • FIG. 6 is a flowchart of a packet detection method according to Embodiment 3 of the present invention; before the steps of this embodiment are performed, a detection policy and a deep-level detection policy need to be configured. Specifically, the content detection and control module configures the deep-level detection policy internally according to operational needs and configures the detection policy for the NAS.
  • the detection policy may be a five-tuple (source address, destination address, source port, destination port and protocol type) together with a traffic characteristic model (such as packet length, connection rate, number of bytes transmitted, packet interval, etc.).
  • alternatively, the detection policy may be a five-tuple together with a basic service-protocol feature-word policy.
  • Step 201: The NAS receives the data packet.
  • Step 202: The flow detection module detects the data packet according to the detection policy; if the data packet does not satisfy the detection policy, step 206 is performed, otherwise step 203 is performed.
  • Step 203: Copy the data packet, and have the content detection and control module detect the copied data packet according to the deep-level detection policy; if the data packet satisfies the deep-level detection policy, step 204 is performed.
  • Step 204: Determine according to the configuration policy whether the data packet is to be forwarded, and if so, perform step 205.
  • the configuration policy may be a policy configured by the operator according to network operating conditions; it may be configured to determine whether the data packet needs to be forwarded when the data packet satisfies the detection policy, or the decision may be made using the result of the deep-level detection; for example, the configuration policy can be set so that the data packet is forwarded when it meets the deep-level detection policy.
  • Step 205: Forward the data packet, and end.
  • Step 206: Send an alarm notification, discard the data packet, and end.
  • for example, the flow detection module detects a data packet whose five-tuple is not one that is normally transmitted; or, when the user is using a voice service, the flow detection module detects that the data packet's length is 400 bytes or more (the packet length of a voice-service data packet is usually about 150 bytes) and that the flow lasts a very long time, indicating that the data packet is not a voice-service packet; or, when the user is watching an IPTV service stream, the flow detection module detects not the basic feature word of the RTP protocol that IPTV requires, but the feature word of another service.
  • in these cases the flow detection module can write the data packet into a blacklist. Further, the flow detection module can send an alarm notification to the NAS, and the NAS directly discards the data packet. Alternatively, the flow detection module lowers the priority of the data packet, so that during processing the data packets with the highest priority are processed first.
  • when deep-level detection fails, the content detection and control module sends an alarm notification to the NAS, and the NAS discards the data packet according to the alarm notification; for example, when the user is watching an IPTV service flow, the content detection and control module detects that the IPTV service stream to which the packet belongs has no copyright or is an illegal service flow, and notifies the NAS to discard the data packets sent with that five-tuple.
  • the content detection and control module may further classify the data packet according to the result of the deep-level detection and perform traffic management on the data packet, where traffic management may include management and scheduling of data packet queues and policing and shaping of data packet traffic.
  • in this embodiment, packet detection and the related policies are distributed to different functional entities and packets are detected at different levels, which solves the problem of balancing data packet detection against fast data packet forwarding performance, satisfies the requirements of real-time services, avoids the DPI/DFI detection device becoming the bottleneck of packet forwarding, and allows the service flow to be controlled and managed, realizing the network operator's perception and control of the service.
  • as shown in FIG. 7, a packet detection system according to an embodiment of the present invention includes: a detection module 1, configured to detect a received data packet according to a detection policy; a determining module 2, configured to determine according to the configuration policy whether to copy the data packet when the data packet satisfies the detection policy; a copying module 3, configured to copy the data packet when it is determined that the data packet needs to be copied; and a deep-level detection module 4, configured to detect the copied data packet according to the deep-level detection policy.
  • a packet detection system includes: a detection module 11, configured to detect a received data packet according to a detection policy; a forwarding module 12, configured to forward the data packet when the data packet satisfies the detection policy; a determining module 13, configured to determine according to the configuration policy whether to copy the data packet; a copying module 14, configured to copy the data packet when it is determined that the data packet needs to be copied; and a deep-level detection module 15, configured to detect the copied data packet according to the deep-level detection policy.
  • this embodiment may further include: a configuration module 16, configured to configure the detection policy and the deep-level detection policy; an alarm module 17, configured to send an alarm notification when the data packet does not satisfy the detection policy or when the copied data packet does not satisfy the deep-level detection policy; and a processing module 18, configured to write the data packet into a blacklist when the data packet does not satisfy the detection policy.
  • the processing module may include a discarding module, configured to discard the data packets in the blacklist according to the alarm notification, and may further include a priority module, configured to lower the priority of the data packets in the blacklist.
  • FIG. 9 is a schematic diagram of an NGN network architecture based on data packet detection according to an embodiment of the present invention, where the detection module is located at the network transport layer, in a device between the access network and the IP/MPLS backbone network, and is controlled by the deep-level detection module.
  • the detection module mainly performs basic identification of data packets and reports various traffic information to the deep-level detection module.
  • the deep-level detection module is located at the network control layer above the network transport layer; it may be part of the network attachment control system and/or the resource admission control system, or may stand alone in the network control layer as a content detection and control system, independent of the existing network attachment control system and resource admission control system.
  • the deep-level detection module is mainly used for deep-level detection and content identification of data packets; configuring detection policies for the detection module in the NAS; providing control functions for the detection module; and providing traffic management control and optimizing packet forwarding according to network needs to ensure the quality of service of the data packets.
  • this embodiment solves the problem of balancing packet detection against fast data forwarding performance: it satisfies the requirements of real-time services, prevents the DPI/DFI detection device from becoming a bottleneck for packet forwarding, and allows service flows to be controlled and managed, realizing the network operator's perception and control of services.
  • a packet detection system includes: a detection module 21, configured to detect a received data packet according to a detection policy; a copying module 22, configured to copy the data packet when the data packet satisfies the detection policy; a deep-level detection module 23, configured to detect the copied data packet according to the deep-level detection policy; a determining module 24, configured to determine according to the configuration policy whether to forward the data packet; and a forwarding module 25, configured to forward the data packet when it is determined that the data packet is to be forwarded.
  • this embodiment may further include: a configuration module 26, configured to configure the detection policy and the deep-level detection policy; an alarm module 27, configured to send an alarm notification when the data packet does not satisfy the detection policy or when the copied data packet does not satisfy the deep-level detection policy; and a processing module 28, configured to write the data packet into a blacklist when the data packet does not satisfy the detection policy.
  • the processing module may include a discarding module, configured to discard the data packets in the blacklist according to the alarm notification, and may further include a priority module, configured to lower the priority of the data packets in the blacklist.
  • the detection module 21 may be located in the network transport layer and the deep-level detection module 23 in the network control layer, as described for the packet detection system of the first embodiment of the present invention.
  • this embodiment solves the problem of balancing packet detection against fast data forwarding performance: it satisfies the requirements of real-time services, prevents the DPI/DFI detection device from becoming a bottleneck for packet forwarding, and allows service flows to be controlled and managed, realizing the network operator's perception and control of services.
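As an added illustration (not code from the patent or from Huawei), the following Python model implements the hierarchical scheme of Embodiments 2 and 3 (steps 101 to 106 and 201 to 206): a five-tuple plus packet-length policy checked inline by the NAS, deep inspection of a copy using an RTP feature word, and the alarm and blacklist handling that follows a failed deep check. The five-tuple, packet lengths, byte contents and the RTP version check are assumptions constructed for the example; one flag selects whether the packet is forwarded before the deep result is known (Embodiment 2) or only after it passes (Embodiment 3).

```python
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Packet:
    """Constructed packet record: the five-tuple plus the bytes the NAS sees."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes

    @property
    def five_tuple(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)


@dataclass
class DetectionPolicy:
    """Tier-1 detection policy (flow detection module in the NAS): a five-tuple,
    with None as a wildcard, plus one traffic characteristic, the maximum
    packet length. The patent's voice example: ~150-byte packets are normal,
    a 400-byte packet on a voice flow is not."""
    five_tuple: tuple
    max_length: int

    def matches(self, pkt: Packet) -> bool:
        tuple_ok = all(want is None or want == have
                       for want, have in zip(self.five_tuple, pkt.five_tuple))
        return tuple_ok and len(pkt.payload) <= self.max_length


def rtp_feature_word(payload: bytes) -> bool:
    """Tier-2 'basic feature word' for RTP (an assumption for this example):
    a 12-byte fixed header whose version field (top two bits of byte 0) is 2."""
    return len(payload) >= 12 and (payload[0] >> 6) == 2


@dataclass
class Nas:
    """Network access server: runs the flow policy inline, hands a copy to the
    deep inspector, and honours its alarms by blacklisting the five-tuple."""
    policy: DetectionPolicy
    copy_for_deep_inspection: bool = True   # the patent's 'configuration policy'
    forward_only_if_deep_ok: bool = False   # False: Embodiment 2, True: Embodiment 3
    blacklist: set = field(default_factory=set)
    alarms: list = field(default_factory=list)
    deep_checks: int = 0

    def deep_inspect(self, pkt_copy: Packet) -> bool:
        """Content detection and control module, working on the copy only."""
        self.deep_checks += 1
        return rtp_feature_word(pkt_copy.payload)

    def process(self, pkt: Packet) -> str:
        ft = pkt.five_tuple
        if ft in self.blacklist:                      # earlier alarm: discard
            return "drop"
        if not self.policy.matches(pkt):              # step 102/202 fails -> 106/206
            self.alarms.append(("flow-policy", ft))
            return "drop"
        if not self.copy_for_deep_inspection:         # step 103 without a copy
            return "forward"
        deep_ok = self.deep_inspect(replace(pkt))     # step 104/203: inspect a copy
        if deep_ok:
            return "forward"                          # step 105 / 205
        self.alarms.append(("deep-policy", ft))       # later packets of this flow dropped
        self.blacklist.add(ft)
        # Embodiment 2 forwarded the original at step 103 before the deep result
        # was known; Embodiment 3 holds it until step 204 and drops it here.
        return "drop" if self.forward_only_if_deep_ok else "forward"


def demo(forward_only_if_deep_ok: bool):
    """Run four constructed packets of one voice flow through the NAS."""
    voice = ("10.0.0.5", "198.51.100.7", 40000, 5004, "udp")   # constructed
    nas = Nas(DetectionPolicy(voice, max_length=200),
              forward_only_if_deep_ok=forward_only_if_deep_ok)
    rtp = bytes([0x80, 0, 0, 1, 0, 0, 0, 0x10, 0, 0, 0, 0x42]) + b"\x00" * 148
    packets = [
        Packet(*voice, rtp),                      # 160-byte RTP v2 packet: forwarded
        Packet(*voice, b"\x00" * 400),            # 400-byte 'voice' packet: fails flow policy
        Packet(*voice, b"\x47" + b"\x00" * 99),   # right flow, not RTP: fails deep policy
        Packet(*voice, rtp),                      # genuine again, but flow now blacklisted
    ]
    return [nas.process(p) for p in packets], nas


if __name__ == "__main__":
    for mode in (False, True):
        verdicts, nas = demo(mode)
        print("Embodiment", 3 if mode else 2, verdicts, "alarms:", nas.alarms)
```

Note that in Embodiment 2 the third packet is already on the wire when the deep check fails; the blacklist only stops the fourth, which is exactly the weaker real-time control the patent attributes to parallel inspection.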

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method and a system for packet inspection are provided. Wherein a method includes: inspecting a received data packet according to an inspection policy; transmitting the data packet when the data packet satisfies the inspection policy; determining whether the data packet should be copied according to a configuration policy, if yes, copying the data packet and inspecting the copied data packet according to a deep inspection policy. Another method includes: inspecting a received data packet according to an inspection policy; copying the data packet and inspecting the copied data packet if the data packet satisfies the inspection policy; determining whether the data packet should be transmitted, if yes, transmitting the data packet. Therefore, the requirement of runtime service is satisfied. It is avoided that DPI/DFI inspection device becomes a bottleneck of packet transmission. Function of apperceiving and controlling service by network operator is realized.

Description

Packet detection method and system
Technical field
The embodiments of the present invention relate to network security technologies, and in particular to a packet detection method and system.
Background technique
With the continuous development of IP technology, IP broadband services have become a highlight, and IP networks are gradually transforming from carrying a single Internet service to carrying carrier-grade multi-service traffic such as data, voice, video, large-customer leased lines, 3G, Next Generation Network (hereinafter referred to as NGN), IP Multimedia Subsystem (hereinafter referred to as IMS) and Internet Protocol Television (hereinafter referred to as IPTV). In the course of this transformation, fundamental changes will also take place in the security, reliability and service quality of IP networks.
With the continuous development of network technology, new applications emerge in an endless stream. Emerging services such as peer-to-peer networking (Peer to Peer, hereinafter referred to as P2P), online games and Internet TV occupy most of the Internet's bandwidth. According to current domestic statistics, P2P cross-domain traffic occupies 80% of the bandwidth on trunk lines. Under China's unlimited-time monthly broadband tariff model, the great majority of the network's bandwidth is occupied by a small number of users who do not pay the corresponding cost, yet this degrades the network quality of most other users, causes varying degrees of congestion on the network, and greatly reduces the user experience of other applications. At the same time, computer networks suffer increasingly serious attacks and intrusions, causing very large losses to users and operators and correspondingly reducing profitability. Although firewalls mitigate some attacks, ordinary firewalls are powerless against the spread and attacks of viruses hidden in the IP packet payload. In recent years the trend of network attacks has gradually shifted to higher-layer applications; according to analysis, more than 70% of current network attacks are concentrated at the application layer, and this figure is rising. For this reason, content security has become the most critical issue in information security today.
The main reason for the above phenomenon is that the operator lacks an effective means of controlling and differentiating users: the operator neither knows what users are doing on the Internet nor has a way to provide different users with different quality-of-service and service-level guarantees, and cannot implement packet detection and service identification, which increases the operator's operating cost and reduces customer satisfaction. Therefore, it is very necessary to implement packet detection and service identification, sense network applications, provide means of network service control and management, and build a harmonious network that can be operated and managed.
A new class of techniques, deep packet inspection (Deep Packet Inspection, hereinafter referred to as DPI) and deep/dynamic flow inspection (Deep/Dynamic Flow Inspection, hereinafter referred to as DFI), can sense network applications and provide operators with a means of network control and management. The so-called "depth" is relative to the detection level of ordinary packet inspection: ordinary packet inspection only examines the content of the IP packet below layer 4, including the source address, destination address, source port, destination port and service type, whereas DPI/DFI, in addition to inspecting these layers, adds application-layer inspection, which can identify various applications and their content and control and manage them.
The following two DPI/DFI packet detection schemes have been proposed in the prior art:
As shown in FIG. 1, a schematic diagram of a prior-art system that performs DPI detection in series, the DPI/DFI detection device in this network is located between the aggregation layer and the access layer; it may also be deployed between the aggregation layer and the IP/Multiprotocol Label Switch (hereinafter referred to as MPLS) backbone network. All packets entering or leaving the access network must be detected by the DPI/DFI detection device, and only packets that comply with the detection policy are allowed to enter or leave the network.
As shown in FIG. 2, a schematic diagram of a prior-art system that performs DPI detection in parallel, the DPI/DFI detection device in this network is attached alongside the network access server (Network Access Server, hereinafter referred to as NAS); it may also be attached alongside other network devices according to the actual situation of the network. All packets entering or leaving the access network must pass through the NAS, and the NAS copies the packets to the DPI/DFI detection device for detection. While the DPI/DFI detection device performs detection, the packet continues into or out of the access network unaffected; when the DPI/DFI detection device identifies an illegal service, the packets of that illegal service entering or leaving the access network are discarded through the NAS.
Summary of the invention
Embodiments of the present invention provide a packet inspection method and system that inspect packets hierarchically, so that the needs of real-time services are met and the DPI/DFI inspection device does not become a bottleneck for packet forwarding.
An embodiment of the present invention provides a packet inspection method, including:
inspecting a received data packet according to a detection policy;
when the data packet satisfies the detection policy, forwarding the data packet;
determining according to a configuration policy whether to copy the data packet and, if so, copying the data packet and inspecting the copied data packet according to a deep detection policy.
An embodiment of the present invention further provides a packet inspection method, including:
inspecting a received data packet according to a detection policy;
when the data packet satisfies the detection policy, copying the data packet and inspecting the copied data packet according to a deep detection policy;
determining according to a configuration policy whether to forward the data packet and, if so, forwarding the data packet.
An embodiment of the present invention also provides a packet inspection method, including:
inspecting a received data packet according to a detection policy;
when the data packet satisfies the detection policy, determining according to a configuration policy whether the data packet needs to be copied and, if so, copying the data packet and inspecting the copied data packet according to a deep detection policy.
An embodiment of the present invention provides a packet inspection system, including:
a detection module, configured to inspect a received data packet according to a detection policy;
a forwarding module, configured to forward the data packet when the data packet satisfies the detection policy;
a determining module, configured to determine according to a configuration policy whether to copy the data packet; a copying module, configured to copy the data packet when it is determined that the data packet needs to be copied; and a deep detection module, configured to inspect the copied data packet according to a deep detection policy.
An embodiment of the present invention further provides a packet inspection system, including:
a detection module, configured to inspect a received data packet according to a detection policy;
a copying module, configured to copy the data packet when the data packet satisfies the detection policy;
a deep detection module, configured to inspect the copied data packet according to a deep detection policy; a determining module, configured to determine according to a configuration policy whether to forward the data packet;
a forwarding module, configured to forward the data packet when it is determined to forward the data packet.
An embodiment of the present invention also provides a packet inspection system, including:
a detection module, configured to inspect a received data packet according to a detection policy;
a determining module, configured to determine according to a configuration policy whether to copy the data packet when the data packet satisfies the detection policy;
a copying module, configured to copy the data packet when it is determined that the data packet needs to be copied; and a deep detection module, configured to inspect the copied data packet according to a deep detection policy.
The packet inspection method and system of the embodiments of the present invention first inspect a data packet according to a detection policy and then further inspect it according to a deep-level policy. This hierarchical inspection of data packets resolves the trade-off between packet inspection and fast packet forwarding performance, meets the needs of real-time services, prevents the DPI/DFI inspection device from becoming a packet-forwarding bottleneck, and gives the network operator awareness and control of services.
Brief description of the drawings
FIG. 1 is a schematic diagram of a prior-art system performing DPI inspection in an in-line arrangement; FIG. 2 is a schematic diagram of a prior-art system performing DPI inspection in a parallel arrangement; FIG. 3 is a schematic diagram of the network architecture of an embodiment of the present invention;
FIG. 4 is a flowchart of the packet inspection method of Embodiment 1 of the present invention; FIG. 5 is a flowchart of the packet inspection method of Embodiment 2 of the present invention;
FIG. 6 is a flowchart of the packet inspection method of Embodiment 3 of the present invention;
FIG. 7 is a schematic diagram of the packet inspection system of Embodiment 1 of the present invention;
FIG. 8 is a schematic diagram of the packet inspection system of Embodiment 2 of the present invention;
FIG. 9 is a schematic diagram of an NGN network architecture based on data packet inspection according to an embodiment of the present invention; FIG. 10 is a schematic diagram of the packet inspection system of Embodiment 3 of the present invention.
Detailed description
In the course of implementing the embodiments of the present invention, the inventors found that the two schemes above have at least the following problems. In the in-line DPI scheme, because every packet passes through the DPI/DFI inspection device, the device becomes a bottleneck for packet forwarding and introduces transmission delay, which is especially harmful to real-time services; in addition, the detection policy is inflexible and cannot be deployed according to network conditions and dynamic requirements. In the parallel DPI scheme, because the DPI/DFI inspection device is attached to the side of the network, its ability to control services in real time is weak, which reduces the effectiveness of control; here too the detection policy is inflexible and cannot be deployed according to network conditions and dynamic requirements.
The technical solutions of the embodiments of the present invention are described in further detail below with reference to the drawings and embodiments.
FIG. 3 is a schematic diagram of the network architecture of an embodiment of the present invention. The network includes user terminals, an access network, a NAS, a content detection and control module, and an IP/MPLS backbone. The NAS contains a flow detection module, configured to inspect data packets according to a detection policy; the content detection and control module is configured to inspect data packets according to a deep detection policy.
FIG. 4 is a flowchart of the packet inspection method of Embodiment 1 of the present invention. Before the steps of this embodiment are executed, the content detection and control module pre-configures the detection policy and the deep detection policy. The method includes the following steps:
Step 1: inspect a received data packet according to the detection policy. The NAS receives the data packet, and the flow detection module inspects it according to the detection policy.
Step 2: when the data packet satisfies the detection policy, determine according to the configuration policy whether the data packet needs to be copied; if so, go to step 3.
The configuration policy may be a policy configured by the operator according to network operating conditions; this pre-configuration decides whether a data packet that satisfies the detection policy needs further deep inspection.
Step 3: copy the data packet.
Step 4: inspect the copied data packet according to the deep detection policy; specifically, the content detection and control module inspects the copied data packet according to the deep detection policy.
This embodiment distributes packet inspection and its associated policies across different functional entities and inspects packets hierarchically. This resolves the trade-off between packet inspection and fast packet forwarding performance: it meets the needs of real-time services and prevents the DPI/DFI inspection device from becoming a packet-forwarding bottleneck, while still allowing service flows to be controlled and managed, so that the network operator gains awareness and control of services.
FIG. 5 is a flowchart of the packet inspection method of Embodiment 2 of the present invention. Before the steps of this embodiment are executed, the content detection and control module pre-configures the detection policy and the deep detection policy; specifically, it configures the deep detection policy internally according to operational needs and configures the detection policy on the NAS. Taking a voice service as an example, the detection policy may be a five-tuple (source address, destination address, source port, destination port and protocol type) together with a traffic characteristic model (such as packet length, connection rate, bytes transferred and packet interval); taking an IPTV service flow as an example, the detection policy may be a five-tuple together with a policy on the basic signature fields of the service protocol.
This embodiment specifically includes the following steps:
Step 101: the NAS receives a data packet.
Step 102: the flow detection module inspects the data packet according to the detection policy; if the data packet does not satisfy the detection policy, go to step 106; otherwise go to step 103.
Step 103: forward the data packet through the normal path, and determine according to the configuration policy whether to copy the data packet; if so, go to step 104.
The configuration policy may be a policy configured by the operator according to network operating conditions; this pre-configuration decides whether a data packet that satisfies the detection policy needs further deep inspection.
Step 104: copy the data packet, and have the content detection and control module inspect the copied data packet according to the deep detection policy; if the data packet satisfies the deep detection policy, go to step 105; otherwise go to step 106.
Step 105: process the next data packet; end.
Step 106: send an alarm notification and discard the data packet.
A data packet fails the detection policy when, for example, the flow detection module finds that it is not a data packet forwarded on a normal five-tuple; or, when the user is using a voice service, the flow detection module finds that the packet length is above 400 bytes (a voice service data packet is normally about 150 bytes long) and this persists for a long time, indicating that the packet is not a voice service packet; or, when the user is watching an IPTV service flow, the flow detection module finds not the basic signature fields of the Real-time Transport Protocol (RTP) that IPTV requires but the signature fields of some other service. The flow detection module may then write the data packet into a blacklist; further, it may send an alarm notification to the NAS, which discards the data packet directly; or the flow detection module may lower the priority of the data packet, so that during packet processing data packets of higher priority are handled first.
When a data packet does not satisfy the deep detection policy, the content detection and control module sends an alarm notification to the NAS, and the NAS discards the data packet according to the alarm notification. For example, when the user is watching an IPTV service flow and the content detection and control module finds that the IPTV service flow to which the packet belongs is unlicensed, or is an illegal service flow packet, it notifies the NAS to discard the data packets sent on that five-tuple.
Further, the content detection and control module may also classify data packets according to the results of deep detection policy inspection and perform traffic management on them; this traffic management may include management and scheduling of data packet queues, and policing and shaping of data packet traffic.
This embodiment distributes packet inspection and its associated policies across different functional entities and inspects packets hierarchically. This resolves the trade-off between packet inspection and fast packet forwarding performance: it meets the needs of real-time services and prevents the DPI/DFI inspection device from becoming a packet-forwarding bottleneck, while still allowing service flows to be controlled and managed, so that the network operator gains awareness and control of services.
FIG. 6 is a flowchart of the packet inspection method of Embodiment 3 of the present invention. Before the steps of this embodiment are executed, the detection policy and the deep detection policy must be configured; specifically, the content detection and control module configures the deep detection policy internally according to operational needs and configures the detection policy on the NAS. Taking a voice service as an example, the detection policy may be a five-tuple (source address, destination address, source port, destination port and protocol type) together with a traffic characteristic model (such as packet length, connection rate, bytes transferred and packet interval); taking an IPTV service flow as an example, the detection policy may be a five-tuple together with a policy on the basic signature fields of the service protocol.
This embodiment specifically includes the following steps:
Step 201: the NAS receives a data packet.
Step 202: the flow detection module inspects the data packet according to the detection policy; if the data packet does not satisfy the detection policy, go to step 206; otherwise go to step 203.
Step 203: copy the data packet, and have the content detection and control module inspect the copied data packet according to the deep detection policy; if the data packet satisfies the deep detection policy, go to step 204; otherwise go to step 206.
Step 204: determine according to the configuration policy whether to forward the data packet; if so, go to step 205.
The configuration policy may be a policy configured by the operator according to network operating conditions; it may be pre-configured to decide whether a data packet that satisfies the detection policy is to be forwarded, or it may be determined from the result of the deep detection policy, for example by setting the configuration policy to: forward the data packet when it satisfies the deep detection policy.
Step 205: forward the data packet; end.
Step 206: send an alarm notification and discard the data packet; end.
A data packet fails the detection policy when, for example, the flow detection module finds that it is not a data packet forwarded on a normal five-tuple; or, when the user is using a voice service, the flow detection module finds that the packet length is above 400 bytes (a voice service data packet is normally about 150 bytes long) and this persists for a long time, indicating that the packet is not a voice service packet; or, when the user is watching an IPTV service flow, the flow detection module finds not the basic signature fields of the RTP service protocol that IPTV requires but the signature fields of some other service. The flow detection module may then write the data packet into a blacklist; further, it may send an alarm notification to the NAS, which discards the data packet directly; or the flow detection module may lower the priority of the data packet, so that during packet processing data packets of higher priority are handled first.
When a data packet does not satisfy the deep detection policy, the content detection and control module sends an alarm notification to the NAS, and the NAS discards the data packet according to the alarm notification. For example, when the user is watching an IPTV service flow and the content detection and control module finds that the IPTV service flow to which the packet belongs is unlicensed, or is an illegal service flow packet, it notifies the NAS to discard the data packets sent on that five-tuple.
Further, the content detection and control module may also classify data packets according to the results of deep detection policy inspection and perform traffic management on them; this traffic management may include management and scheduling of data packet queues, and policing and shaping of data packet traffic.
This embodiment distributes packet inspection and its associated policies across different functional entities and inspects packets hierarchically. This resolves the trade-off between packet inspection and fast packet forwarding performance: it meets the needs of real-time services and prevents the DPI/DFI inspection device from becoming a packet-forwarding bottleneck, while still allowing service flows to be controlled and managed, so that the network operator gains awareness and control of services.
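The three embodiments share one pipeline: a fast five-tuple and traffic-characteristic check on the NAS, a copy handed to the content detection and control module, and a blacklist driven by alarm notifications. The simulation below is an added example, not code from the patent; its flows, packet sizes, the 400-byte voice cap, the RTP version-field check used as the deep policy, and the forward_first switch between the FIG. 5 ordering (forward, then copy) and the FIG. 6 ordering (copy, then decide to forward) are all constructed assumptions.

```python
import copy
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

FiveTuple = Tuple[str, str, int, int, str]  # (src, dst, sport, dport, proto)


@dataclass
class Packet:
    flow: FiveTuple   # the packet's five-tuple (constructed sample values below)
    length: int
    payload: bytes


@dataclass
class DetectionPolicy:
    """Fast-path policy for the NAS flow detection module (layer 3/4 fields only)."""
    allowed_flows: Set[FiveTuple]   # five-tuples the NAS is allowed to forward
    max_len: Dict[FiveTuple, int]   # traffic-characteristic model: length cap per flow

    def matches(self, pkt: Packet) -> bool:
        if pkt.flow not in self.allowed_flows:
            return False
        cap = self.max_len.get(pkt.flow)
        return cap is None or pkt.length <= cap


def looks_like_rtp(payload: bytes) -> bool:
    """Deep check: an RTP fixed header is 12 bytes and its version field (top 2 bits) is 2."""
    return len(payload) >= 12 and (payload[0] >> 6) == 2


class ContentDetectionModule:
    """Deep detection tier; it only ever sees the copies the NAS hands over."""

    def __init__(self, deep_policy: Dict[FiveTuple, Callable[[bytes], bool]]):
        self.deep_policy = deep_policy
        self.inspected = 0   # load on the deep tier, for comparing the two orderings

    def inspect(self, pkt: Packet) -> bool:
        self.inspected += 1
        check = self.deep_policy.get(pkt.flow)
        return check is None or check(pkt.payload)


class NAS:
    """Flow detection module plus forward/copy logic.
    forward_first=True : FIG. 5 order, forward, then copy per the configuration policy.
    forward_first=False: FIG. 6 order, copy every matching packet, forward only on a pass."""

    def __init__(self, policy, mirror_policy, deep, forward_first=True):
        self.policy = policy
        self.mirror_policy = mirror_policy   # configuration policy: which packets to copy
        self.deep = deep
        self.forward_first = forward_first
        self.blacklist: Set[FiveTuple] = set()
        self.forwarded: List[Packet] = []
        self.alarms: List[str] = []

    def _alarm(self, reason: str, flow: FiveTuple) -> None:
        self.alarms.append(f"{reason} {flow}")
        self.blacklist.add(flow)   # later packets on this five-tuple are dropped

    def receive(self, pkt: Packet) -> str:
        if pkt.flow in self.blacklist:
            return "dropped:blacklist"
        if not self.policy.matches(pkt):                # steps 102/202 fail -> 106/206
            self._alarm("flow-policy", pkt.flow)
            return "dropped:flow-policy"
        if self.forward_first:
            self.forwarded.append(pkt)                  # step 103: forward on the fast path
            if self.mirror_policy(pkt) and not self.deep.inspect(copy.copy(pkt)):
                self._alarm("deep-policy", pkt.flow)    # step 106: this packet already left
                return "forwarded:deep-alarm"
            return "forwarded"
        if not self.deep.inspect(copy.copy(pkt)):       # steps 203/206
            self._alarm("deep-policy", pkt.flow)
            return "dropped:deep-policy"
        self.forwarded.append(pkt)                      # steps 204/205
        return "forwarded"


def run_demo(forward_first: bool) -> Dict[str, object]:
    """Replay constructed voice and IPTV traffic through one NAS and report the outcome."""
    voice: FiveTuple = ("10.0.0.5", "10.0.1.9", 5004, 5004, "udp")
    iptv: FiveTuple = ("10.0.0.7", "224.1.1.1", 40000, 1234, "udp")
    other: FiveTuple = ("172.16.0.1", "10.0.1.9", 1025, 80, "tcp")
    policy = DetectionPolicy(allowed_flows={voice, iptv}, max_len={voice: 400})
    deep = ContentDetectionModule({iptv: looks_like_rtp})
    nas = NAS(policy, lambda p: p.flow == iptv, deep, forward_first)
    rtp = bytes([0x80, 0x60, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0]) + b"\x00" * 100
    pkts = [
        Packet(voice, 160, b"\x80" + b"\x00" * 159),      # normal-sized voice packet
        Packet(voice, 1200, b"\x00" * 1200),              # far over the 400-byte voice cap
        Packet(iptv, 112, rtp),                           # RTP-looking IPTV packet
        Packet(iptv, 22, b"GET /stream HTTP/1.1\r\n"),    # non-RTP content on the IPTV flow
        Packet(iptv, 112, rtp),                           # same flow, now blacklisted
        Packet(other, 40, b"\x00" * 40),                  # five-tuple the NAS does not know
    ]
    results = [nas.receive(p) for p in pkts]
    return {"results": results, "forwarded": len(nas.forwarded),
            "deep_inspected": deep.inspected, "alarms": nas.alarms}
```

Running run_demo(True) and run_demo(False) on the same six packets shows the trade-off the text describes: the FIG. 5 ordering lets the non-RTP IPTV packet through before the alarm arrives but sends only two copies to the deep tier, while the FIG. 6 ordering blocks it but deep-inspects every packet that passes the flow check.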
FIG. 7 is a schematic diagram of the packet inspection system of Embodiment 1 of the present invention, which includes: a detection module 1, configured to inspect a received data packet according to a detection policy; a determining module 2, configured to determine according to a configuration policy whether to copy the data packet when the data packet satisfies the detection policy; a copying module 3, configured to copy the data packet when it is determined that the data packet needs to be copied; and a deep detection module 4, configured to inspect the copied data packet according to a deep detection policy.
FIG. 8 is a schematic diagram of the packet inspection system of Embodiment 2 of the present invention, which includes: a detection module 11, configured to inspect a received data packet according to a detection policy; a forwarding module 12, configured to forward the data packet when the data packet satisfies the detection policy; a determining module 13, configured to determine according to a configuration policy whether to copy the data packet; a copying module 14, configured to copy the data packet when it is determined that the data packet needs to be copied; and a deep detection module 15, configured to inspect the copied data packet according to a deep detection policy.
This embodiment may further include: a configuration module 16, configured to configure the detection policy and the deep detection policy; an alarm module 17, configured to send an alarm notification when the data packet does not satisfy the detection policy or when the copied data packet does not satisfy the deep detection policy; and a processing module 18, configured to write the data packet into a blacklist when the data packet does not satisfy the detection policy.
The processing module may include a discarding module, configured to discard the data packets in the blacklist according to the alarm notification, and may also include a priority module, configured to lower the priority of the data packets in the blacklist.
FIG. 9 is a schematic diagram of an NGN network architecture based on data packet inspection according to an embodiment of the present invention. The detection module is located in the network transport layer, in the equipment of the access network and the IP/MPLS backbone; under the control of the deep detection module, it mainly performs basic identification of data packets and reports the various kinds of traffic information to the deep detection module. The deep detection module is located in the network control layer of the network transport layer; it may be part of the network attachment control system and/or the resource admission control system, or it may stand alone in the network control layer as a content detection and control system independent of the existing network attachment control system and resource admission control system. The deep detection module is mainly used for deep inspection and content identification of data packets; it configures the detection policy on the detection module in the NAS; it may provide control functions over the detection module; and it may also provide traffic management control, optimizing packet forwarding paths according to network needs so as to guarantee the quality of service of data packets.
This embodiment resolves the trade-off between packet inspection and fast data forwarding performance: it meets the needs of real-time services and prevents the DPI/DFI inspection device from becoming a packet-forwarding bottleneck, while still allowing service flows to be controlled and managed, so that the network operator gains awareness and control of services.
FIG. 10 is a schematic diagram of the packet inspection system of Embodiment 3 of the present invention, which includes: a detection module 21, configured to inspect a received data packet according to a detection policy; a copying module 22, configured to copy the data packet when the data packet satisfies the detection policy; a deep detection module 23, configured to inspect the copied data packet according to a deep detection policy; a determining module 24, configured to determine according to a configuration policy whether to forward the data packet; and a forwarding module 25, configured to forward the data packet when it is determined to forward the data packet.
This embodiment may further include: a configuration module 26, configured to configure the detection policy and the deep detection policy; an alarm module 27, configured to send an alarm notification when the data packet does not satisfy the detection policy or when the copied data packet does not satisfy the deep detection policy; and a processing module 28, configured to write the data packet into a blacklist when the data packet does not satisfy the detection policy.
The processing module may include a discarding module, configured to discard the data packets in the blacklist according to the alarm notification, and may also include a priority module, configured to lower the priority of the data packets in the blacklist.
In this embodiment the detection module 21 may be located in the network transport layer and the deep detection module 23 in the network control layer, as described for the packet inspection system of Embodiment 1 of the present invention.
This embodiment resolves the trade-off between packet inspection and fast data forwarding performance: it meets the needs of real-time services and prevents the DPI/DFI inspection device from becoming a packet-forwarding bottleneck, while still allowing service flows to be controlled and managed, so that the network operator gains awareness and control of services.
not to limit it; although the embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions recorded in the foregoing embodiments, or make equivalent substitutions for some of their technical features, and that such modifications or substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A packet detection method, characterized by comprising:
detecting a received data packet according to a detection policy;
when the data packet satisfies the detection policy, forwarding the data packet;
determining, according to a configuration policy, whether to copy the data packet, and if so, copying the data packet and detecting the copied data packet according to a deep-level detection policy.
2. The packet detection method according to claim 1, characterized in that, before the detecting a received data packet according to a detection policy, the method further comprises: configuring the detection policy and the deep-level detection policy.
3. The packet detection method according to claim 1, characterized by further comprising: when the data packet does not satisfy the detection policy, writing the data packet into a blacklist.
4. The packet detection method according to claim 3, characterized in that, after the writing the data packet into a blacklist, the method further comprises: sending an alarm notification and discarding the data packets in the blacklist.
5. The packet detection method according to claim 3, characterized in that, after the writing the data packet into a blacklist, the method further comprises: lowering the priority of the data packets in the blacklist.
6. The packet detection method according to claim 1, characterized in that, after the detecting the copied data packet according to a deep-level detection policy, the method further comprises: when the copied data packet does not satisfy the deep-level detection policy, sending an alarm notification.
7. The packet detection method according to any one of claims 1 to 6, characterized in that, after the detecting the copied data packet according to a deep-level detection policy, the method further comprises: classifying the data packet according to the result of detection under the deep-level detection policy, and performing traffic management on the data packet.
8. The packet detection method according to claim 7, characterized in that the traffic management comprises management and scheduling of data packet queues, and policing and shaping of data packet traffic.
9. The packet detection method according to claim 6, characterized in that, after the sending an alarm notification, the method further comprises: discarding the data packet according to the alarm notification.
10. The packet detection method according to claim 9, characterized in that the detecting a received data packet according to a detection policy is specifically: detecting the received data packet according to a five-tuple and traffic characteristic model policy, or according to a five-tuple and service protocol basic feature word policy.
11. The packet detection method according to claim 10, characterized in that the discarding the data packet is specifically: discarding the data packets sent from the five-tuple.
12. A packet detection method, characterized by comprising:
detecting a received data packet according to a detection policy;
when the data packet satisfies the detection policy, copying the data packet and detecting the copied data packet according to a deep-level detection policy;
determining, according to a configuration policy, whether to forward the data packet, and if so, forwarding the data packet.
13. The packet detection method according to claim 12, characterized in that, before the detecting a received data packet according to a detection policy, the method further comprises: configuring the detection policy and the deep-level detection policy.
14. The packet detection method according to claim 12, characterized by further comprising: when the data packet does not satisfy the detection policy, writing the data packet into a blacklist.
15. The packet detection method according to claim 14, characterized in that, after the writing the data packet into a blacklist, the method further comprises: sending an alarm notification and discarding the data packets in the blacklist.
16. The packet detection method according to claim 14, characterized in that, after the writing the data packet into a blacklist, the method further comprises: lowering the priority of the data packets in the blacklist.
17. The packet detection method according to claim 12, characterized in that, after the detecting the copied data packet according to a deep-level detection policy, the method further comprises: when the copied data packet does not satisfy the deep-level detection policy, sending an alarm notification.
18. The packet detection method according to any one of claims 12 to 17, characterized in that, after the detecting the copied data packet according to a deep-level detection policy, the method further comprises: classifying the data packet according to the result of detection under the deep-level detection policy, and performing traffic management on the data packet.
19. The packet detection method according to claim 18, characterized in that the traffic management comprises management and scheduling of data packet queues, and policing and shaping of data packet traffic.
20. The packet detection method according to claim 17, characterized in that, after the sending an alarm notification, the method further comprises: discarding the data packet according to the alarm notification.
21. The packet detection method according to claim 20, characterized in that the detecting a received data packet according to a detection policy is specifically: detecting the received data packet according to a five-tuple and traffic characteristic model policy, or according to a five-tuple and service protocol basic feature word policy.
22. The packet detection method according to claim 21, characterized in that the discarding the data packet is specifically: discarding the data packets sent from the five-tuple.
23. A packet detection method, characterized by comprising:
detecting a received data packet according to a detection policy;
when the data packet satisfies the detection policy, determining, according to a configuration policy, whether the data packet needs to be copied, and if so, copying the data packet and detecting the copied data packet according to a deep-level detection policy.
24. A packet detection system, characterized by comprising:
a detection module, configured to detect a received data packet according to a detection policy;
a forwarding module, configured to forward the data packet when the data packet satisfies the detection policy;
a determining module, configured to determine, according to a configuration policy, whether to copy the data packet;
a copying module, configured to copy the data packet when it is determined that the data packet needs to be copied; and a deep-level detection module, configured to detect the copied data packet according to a deep-level detection policy.
25. The packet detection system according to claim 24, characterized by further comprising: a configuration module, configured to configure the detection policy and the deep-level detection policy.
26. The packet detection system according to claim 25, characterized by further comprising: an alarm module, configured to send an alarm notification when the data packet does not satisfy the detection policy, or when the copied data packet does not satisfy the deep-level detection policy.
27. The packet detection system according to claim 26, characterized by further comprising: a processing module, configured to write the data packet into a blacklist when the data packet does not satisfy the detection policy.
28. The packet detection system according to claim 27, characterized in that the processing module comprises a discarding module, configured to discard the data packets in the blacklist according to the alarm notification.
29. The packet detection system according to claim 27, characterized in that the processing module comprises a priority module, configured to lower the priority of the data packets in the blacklist.
30. The packet detection system according to any one of claims 24 to 29, characterized in that the detection module is located at the network transport layer.
31. The packet detection system according to claim 30, characterized in that the deep-level detection module is located at the network control layer.
32. A packet detection system, characterized by comprising:
a detection module, configured to detect a received data packet according to a detection policy;
a copying module, configured to copy the data packet when the data packet satisfies the detection policy;
a deep-level detection module, configured to detect the copied data packet according to a deep-level detection policy; a determining module, configured to determine, according to a configuration policy, whether to forward the data packet;
a forwarding module, configured to forward the data packet when it is determined that the data packet is to be forwarded.
33. The packet detection system according to claim 32, characterized by further comprising: a configuration module, configured to configure the detection policy and the deep-level detection policy.
34. The packet detection system according to claim 33, characterized by further comprising: an alarm module, configured to send an alarm notification when the data packet does not satisfy the detection policy, or when the copied data packet does not satisfy the deep-level detection policy.
35. The packet detection system according to claim 34, characterized by further comprising: a processing module, configured to write the data packet into a blacklist when the data packet does not satisfy the detection policy.
36. The packet detection system according to claim 35, characterized in that the processing module comprises a discarding module, configured to discard the data packets in the blacklist according to the alarm notification.
37. The packet detection system according to claim 35, characterized in that the processing module comprises a priority module, configured to lower the priority of the data packets in the blacklist.
38. The packet detection system according to any one of claims 32 to 37, characterized in that the detection module is located at the network transport layer.
39. The packet detection system according to claim 38, characterized in that the deep-level detection module is located at the network control layer.
40. A packet detection system, characterized by comprising:
a detection module, configured to detect a received data packet according to a detection policy;
a determining module, configured to determine, according to a configuration policy, whether to copy the data packet when the data packet satisfies the detection policy;
a copying module, configured to copy the data packet when it is determined that the data packet needs to be copied; and a deep-level detection module, configured to detect the copied data packet according to a deep-level detection policy.
PCT/CN2008/072525 2008-01-16 2008-09-25 Method and system for packet inspection WO2009089701A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810056265.8 2008-01-16
CNA2008100562658A CN101488946A (en) 2008-01-16 2008-01-16 Packet detection method and system

Publications (1)

Publication Number Publication Date
WO2009089701A1 true WO2009089701A1 (en) 2009-07-23

Family

ID=40885062

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/072525 WO2009089701A1 (en) 2008-01-16 2008-09-25 Method and system for packet inspection

Country Status (2)

Country Link
CN (1) CN101488946A (en)
WO (1) WO2009089701A1 (en)

Also Published As

Publication number Publication date
CN101488946A (en) 2009-07-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08800996

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08800996

Country of ref document: EP

Kind code of ref document: A1