WO2011134739A1 - Method for searching for message sequences, protocol analysis engine and protocol analyzer - Google Patents

Info

Publication number: WO2011134739A1
Authority: WO (WIPO (PCT))
Prior art keywords: message, sequence, filtering conditions, expression, input
Application number: PCT/EP2011/055150
Other languages: French (fr)
Inventors: Simon KÜNZLI, Kelvin Martin, Dan Yu, Liang Zhang
Original assignee: Siemens Aktiengesellschaft
Application filed by Siemens Aktiengesellschaft; published as WO2011134739A1.

Classifications

    • H04L 43/18 Protocol analysers (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 43/00 Arrangements for monitoring or testing data switching networks)
    • H04L 43/028 Capturing of monitoring data by filtering (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 43/00 Arrangements for monitoring or testing data switching networks > H04L 43/02 Capturing of monitoring data)
    • H04L 43/04 Processing captured monitoring data, e.g. for logfile generation (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 43/00 Arrangements for monitoring or testing data switching networks)

Definitions

  • FIG. 1 shows a search process by using the embodiment of the present invention. Now it will be described according to Fig. 1 and in conjunction with Fig. 3:
  • S10 Search conditions (filtering conditions, a sequence expression of said filtering conditions, a stop condition) are set and input according to analysis requirements.
  • the filtering conditions when used individually, one piece or several pieces of messages without relationship between them can be found according to the message information (such as message attributes or contents) , and the filtering conditions can give a description of "YES” or "NO” according to the message attributes or any
  • the substantial contents of the messages can be used as a filtering criterion, for example, by judging the size of a value in some field in a message: msg.field2 between (value1, value2) can be used to search for a message with the value of which in the 2nd field being bigger than value1 and smaller than value2;
  • backward reference can be used, such as searching for a message with a source address which is the destination address of the message meeting the first
  • the messages' contents per se can be used as a filtering criterion, while regular expressions can be used to describe or match a single string in a series of strings meeting a specific syntactic rule, and regular expressions can be used to find out a specific message meeting a specific rule here, for example, ab+c*a can be used to search in the messages for a message meeting this rule, such as a message including a string abbca, and so on.
  • a filtering condition 1 is F1
  • a filtering condition 2 is F2
  • a filtering condition 3 is F3
  • F1 and F2 or F3 can be used to indicate messages meeting F1 and F2 at the same time or messages meeting F3. It can be seen that by using filtering conditions it can only search for messages which can match this search
  • the expression of the filtering conditions can be used.
  • the expression of the filtering conditions uses an expression (for example an expression similar to the regular expression) to combine different filtering conditions so as to define the relationship between messages, then the message sequence modes meeting the requirements can be found, i.e., the messages satisfy a specific relationship between them, for example, a filtering condition 1 is F1, a filtering condition 2 is F2, a filtering condition 3 is F3, and a filtering condition 4 is F4, then F1(F2/F3)+F4 can be used to indicate first searching for the messages meeting F1, after they are found then searching for the messages meeting F2 or F3 (there should be at least one such message), and finally searching for the messages meeting F4.
  • the captured messages can be searched by combining the filtering conditions and the sequence expression of the filtering conditions.
  • a stop condition can also be set to limit the scope of a result (message sequence), for example: this stop condition will start to work after having found the first message meeting the conditions, and assuming the stop condition is 10 s or a message count within 1000, then if no message sequence meeting the conditions is found in the defined range (10 s, or 1000 messages), then the search for this result is stopped and a next search is started.
  • the generated search conditions will also change correspondingly, and by using the abovementioned inputs, a user can simply set various filtering conditions according to the analysis requirements, and find out the message results meeting the requirements by using the sequence expressions of the
  • S20 The target files, i.e. the message sequences which have been captured and decoded, are determined, which are just the target objects to be searched by using the search conditions. Capturing message sequences belongs to the prior art, and it will not be described redundantly here. Of course, there is no substantial order restriction between S10 and S20, and it is fully possible to first perform step S20 and then perform S10, or to perform them simultaneously.
  • S30 The protocol analysis engine searches in the target files using the search conditions, and judges whether a message sequence result has been found.
  • step S40 If no result is found in step S30, then it indicates that there is no message meeting this search condition in the target files, and the flow ends.
  • step S50 If there is a result found in step S30, then this result will be saved.
  • step S60 The protocol analysis engine searches again in the target files, and judges whether another result can be found, and after a result has been found in step S50, the next search program in step S60 will start after the first matched message in the former result.
  • step S70 If another result can be found, then this result will be saved, and step S60 is performed again to search for other results.
  • a result file is generated, which file includes all the message sequences found and their corresponding information, such as the messages proper, the positions of the messages in the message sequences, the matched filtering conditions, the referenced messages (if using backward reference) and so on.
  • a user can also set a more intensive in-depth analysis criterion so as to obtain more accurate results.
  • This in-depth analysis criterion is based on the expressions of the filtered results, and it can give out a description of "YES” or "NO” to any mathematical expression of the
  • M[F1].count + M[F2].count > 10 can indicate the case that the sum of the number of the messages meeting the first filtering condition F1 and the number of the messages meeting the second filtering condition F2 is greater than 10.
  • S100 By using the in-depth analysis criterion, a postprocessing engine searches message sequences in the result file to see whether there is a result.
  • step S140 If another result can be found, then this result is saved, and step S130 is performed again from the next result after this result.
  • the sequences of the filtering conditions can express relationships using a rule similar to the regular expressions, however compared with the ordinary regular expressions, the expressions in the embodiment have differences as follows:
  • the filtering conditions are used as elementary data units in this specification.
  • a stop condition can also be used in this embodiment of the present invention, for example, only search for the messages within 10 s of the time stamp (M[F1][1].time) of the 1st message (M[F1][1]) in the message combination (M[F1]) meeting the 1st filtering condition (F1), or end this search of results up to the 1000th message meeting the 1st filtering condition (F1) (1000 messages after M[F1][1].lineNumber), while in the ordinary regular expressions, no stop condition is used.
  • after having found a result, the next run of the search program will start from behind the first matched message in the previous result, since it is possible for these two results (message modes) to overlap in the sequences. However, in the ordinary regular expressions, the search program will start at the end of the previous result.
  • IP address and the MAC address of a source node in a network are respectively ip_addr_src and
  • the filtering condition F2 uses the related information of the messages meeting the first filtering condition F1 to search for the same messages arriving at the destination node.
  • the in-depth analysis criterion is set as "M[F2][1].time - M[F1][1].time > 5 s", i.e. it indicates that the time
  • the filtering condition and the 1st message satisfying the 2nd filtering condition is greater than 5 s, that is to say, the time delay of the message from the source node to the
  • destination node is greater than 5 s, and in this way, all the messages with time delays greater than 5 s would be found.
  • a user can also use inputs and use the in-depth analysis criteria to further reduce the scope of the results and find out the needed results accurately and conveniently as required.
  • the present invention further provides a protocol analysis engine 100, which comprises an input port 101, an analysis unit 103 and a post-processing unit 104.
  • the filtering conditions and sequence expressions of the filtering conditions can be input via the input port 101, in which the filtering conditions are used for searching the messages not related to one another, and sequence expressions of the filtering conditions can define the relationships between the messages for searching the message sequences, and optionally, a stop condition can also be input via the input port 101 to limit the searched message scope, and after having received this information, the input port 101 will provide it to the analysis unit 103.
  • the analysis unit 103 can carry out a search according to the inputs received at the input port 101 so as to find the results meeting the specific relationships.
  • an in-depth analysis criterion can also be input via the input port 101, and the post-processing unit 104 can make an in-depth analysis to the results searched out by the analysis unit 103 according to this criterion so as to obtain the final analyzed results.
  • the present invention further provides a message analyzer 10, which not only comprises the protocol analysis engine 100 described above but also at least comprises a sniffer 200 and a decoder 300, in which the sniffer 200 can be used for capturing network messages, the decoder 300 is used for decoding the captured messages according to a particular specification, and the protocol analysis engine 100 is used for analyzing the decoded
  • this method can also be applied to other objects, for example, searching for certain characters meeting a specific relationship in the text, and also it can be used for analyzing log files, monitoring system status, monitoring network intrusions, modeling user's behaviors, etc. It only needs to input filtering conditions and sequence expressions of the
  • Such a processor can search for the matched sequences of information pieces in the objects and save the same.
  • a processor can comprise an input unit and a processing unit, in which the input unit receives the input filtering conditions and the sequence expressions of said filtering conditions, and the processing unit searches for the matched sequences of information pieces in the searched objects and saves the same according to these inputs.
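The search flow S10 to S70, the stop condition, the overlapping restart behind the first matched message, the backward reference in F2 and the in-depth criterion M[F2][1].time - M[F1][1].time > 5 s are easier to follow in a small runnable engine. The one below is an added example written for this page, not Siemens' implementation. It assumes the messages are already captured and decoded into `Msg` records, that each filtering condition is a Python predicate `(msg, M) -> bool` receiving the page's M[Fx] table of messages matched so far (which is what makes the backward reference possible), that the sequence-expression grammar is reduced to names, `(A/B)` alternatives and a `+` quantifier as in `F1(F2/F3)+F4`, and that the in-depth criterion is a predicate over M; the capture and the node names A and B are constructed.

```python
"""Message-sequence search engine in the style the page describes.
Added example, not Siemens' code. Assumed: messages already decoded into Msg;
filtering conditions are predicates (msg, M) -> bool over the M[Fx] table of
messages matched so far; sequence expressions are names, (A/B) alternatives
and a '+' quantifier; the in-depth criterion is a predicate over M."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:
    line: int      # position in the capture (the page's M[Fx][1].lineNumber)
    time: float    # timestamp in seconds (the page's M[Fx][1].time)
    tap: str       # capture point, constructed for the Fig. 2 style scenario
    src: str
    dst: str
    payload: str

STEP_RE = re.compile(r"(?:\(([^()]+)\)|([A-Za-z_]+\d*))(\+?)")

def parse_sequence(expr):
    """'F1(F2/F3)+F4' -> [(['F1'], False), (['F2', 'F3'], True), (['F4'], False)]."""
    steps, pos, expr = [], 0, expr.replace(" ", "")
    while pos < len(expr):
        m = STEP_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad sequence expression near {expr[pos:]!r}")
        steps.append(((m.group(1) or m.group(2)).split("/"), m.group(3) == "+"))
        pos = m.end()
    return steps

def match_at(messages, i, filters, steps, stop_s=None, stop_n=None):
    """Match the sequence anchored at messages[i]; return the M table or None."""
    M = {}

    def accept(msg, alts):
        for name in alts:                 # alternatives such as (F2/F3)
            if filters[name](msg, M):
                M.setdefault(name, []).append(msg)
                return True
        return False

    first = messages[i]
    if not accept(first, steps[0][0]):
        return None
    k = 0  # index of the step currently being satisfied
    for msg in messages[i + 1:]:
        if k == len(steps) - 1 and not steps[k][1]:
            break  # last step matched and not repeatable: sequence complete
        # stop condition: bound the scope relative to the first matched message
        if stop_s is not None and msg.time - first.time > stop_s:
            break
        if stop_n is not None and msg.line - first.line > stop_n:
            break
        if k + 1 < len(steps) and accept(msg, steps[k + 1][0]):
            k += 1                        # advance to the next step
        elif steps[k][1]:
            accept(msg, steps[k][0])      # a '+' step absorbs further matches
    return M if k == len(steps) - 1 else None

def search(messages, filters, expr, stop_s=None, stop_n=None):
    """Steps S30 to S70: save every match. Each run restarts right behind the
    first matched message of the previous result, so overlapping results are kept."""
    steps = parse_sequence(expr)
    results = []
    for i in range(len(messages)):        # anchor i+1 follows the first matched message
        M = match_at(messages, i, filters, steps, stop_s, stop_n)
        if M is not None:
            results.append(M)
    return results

def post_process(results, criterion):
    """Apply the in-depth analysis criterion to the saved results (step S100)."""
    return [M for M in results if criterion(M)]

# Constructed capture modelled on the Fig. 2 scenario: a message is seen leaving
# node A (tap "A") and later arriving at node B (tap "B"); one ack is noise.
MESSAGES = [
    Msg(1, 0.0, "A", "A", "B", "seq=1"),
    Msg(2, 0.5, "B", "B", "A", "ack=0"),   # unrelated traffic
    Msg(3, 1.0, "B", "A", "B", "seq=1"),   # seq=1 delivered after 1 s
    Msg(4, 2.0, "A", "A", "B", "seq=2"),
    Msg(5, 9.0, "B", "A", "B", "seq=2"),   # seq=2 delivered after 7 s
    Msg(6, 10.0, "A", "A", "B", "seq=3"),
    Msg(7, 25.0, "B", "A", "B", "seq=3"),  # seq=3 delivered after 15 s
]

FILTERS = {
    "F1": lambda m, M: m.tap == "A" and m.src == "A",   # message leaving A
    # F2: the same message arriving at B (backward reference to M[F1][1])
    "F2": lambda m, M: m.tap == "B" and m.payload == M["F1"][0].payload,
    "F3": lambda m, M: m.tap == "B" and m.src == "B",   # anything B sends back
}

def deliveries(stop_s=None):
    """All F1F2 sequences; with a stop window, late arrivals fall out of scope."""
    return search(MESSAGES, FILTERS, "F1F2", stop_s=stop_s)

def slow_deliveries(stop_s=None):
    """In-depth criterion from the page: M[F2][1].time - M[F1][1].time > 5 s."""
    return post_process(deliveries(stop_s),
                        lambda M: M["F2"][0].time - M["F1"][0].time > 5)
```

Calling `slow_deliveries()` returns the seq=2 and seq=3 sequences; `slow_deliveries(10)` returns only seq=2, because with the 10 s stop condition the search anchored at seq=3 runs out of scope before its arrival is seen and, as the page describes, that result is abandoned and the next search starts. Two design choices are worth noting: when a message could satisfy both the current `+` step and the next step, the engine advances to the next step, and the criterion is an ordinary predicate rather than an evaluated expression string, which keeps untrusted capture contents away from any expression evaluator.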

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Mining & Analysis (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention provides a method for searching for a message sequence, which method searches, according to input filtering conditions and a sequence expression of said filtering conditions, in captured message sequences for a message sequence matched therewith and saves the same, with said sequence expression being used for searching for a message sequence meeting a specific relationship in messages meeting said filtering conditions. A user only needs to define the filtering conditions and the sequence expression so as to be able to search for a message sequence meeting requirements, so it satisfies quite a lot of analysis requirements, has simple and intuitive designs, is easy for later maintenance and places relatively low requirements on designers, who do not have to learn other complicated programming languages.

Description

Method for searching for message sequences, protocol analysis engine and protocol analyzer
Technical field
The present invention relates to a method and a processor for searching for information and, in particular, to a method for searching for message sequences, a protocol analysis engine and a protocol analyzer.
Background art
A protocol analyzer is an instrument which can be used to capture and record data flowing through a network or a portion thereof, and it can decode the captured data messages according to an appropriate RFC or other specifications so as to display the contents thereof and to facilitate a user in analyzing the network status. Protocol analyzers are not only very important for network management and fault detection, but also beneficial to the development and implementation of protocols, network security, network protocol learning, etc. According to the definition of a protocol analyzer, it comprises several important components, in which there are a sniffer, a decoder and an analysis engine, wherein the sniffer can be used for capturing network messages, the decoder for decoding the messages according to a particular specification, and the analysis engine for assisting the analysis of the captured network messages so as to discover specific problems and check specific status in the network, therefore the analysis engine can also be referred to as a protocol analysis engine.
Some protocol analyzers in the prior art can be used to analyze specific problems in specific networks, such as the status packet filtering technique used in firewalls, however, such protocol analyzers can only analyze specific problems and cannot be universally applied in other situations, for example, the "Great Wall" firewall of the Netpower Corporation can only carry out controls according to the data such as the packets' source address, destination address, protocol type, source port, destination port, network interface, etc., to record the connection status through the firewall, and to filter according to the connection status, while the analysis requirements in the network are different from one another, and if it needs to analyze other requirements, for example, to analyze which message is lost between the source address and the destination address and where it is lost and some other requirements, then the analyzer cannot accomplish this task.
There are also some other analyzers in the prior art which can use different plug-ins aiming at different analysis requirements, in which each plug-in is a program written by using a program language and specific analysis requirements can be satisfied just by executing this program; however, since the problems existing in the network are different from one another, it is needed to prepare a large number of dedicated analysis plug-ins, moreover, each plug-in may use different program languages, so it is difficult to repeat their use in other analyzers, which also increases maintenance burden.
Contents of the invention
The object of the present invention is to provide a method for searching for message sequences, a protocol analysis engine and a protocol analyzer which save a large number of dedicated analysis plug-ins.
In order to achieve the abovementioned object, the present invention proposes a method for searching for message sequences, which method searches, according to input filtering conditions and a sequence expression of said filtering conditions, in captured message sequences for a message sequence matched therewith and saves the same, with said sequence expression being used for searching for a message sequence meeting a specific relationship in messages meeting said filtering conditions.
Preferably, it further searches, according to an input stop condition together with said filtering conditions and the sequence expression of said filtering conditions, in the captured message sequences for a message sequence matched therewith and saves the same, with said stop condition being used for limiting the search scope of said captured message sequences.
Preferably, said filtering conditions comprise message information, with said message information including a message attribute and/or message contents.
Preferably, said filtering conditions comprise various pieces of message information combined by using a logic operator.
Preferably, said searching in the captured message sequences for a matched message sequence and saving the same further comprises: after having found a message sequence, saving the same and starting from the message behind the first matched message in said message sequence to search for other matched message sequences.
Preferably, it further comprises saving the message sequences found and the corresponding information thereof as a result file.
Preferably, it further comprises further filtering said saved message sequence according to an in-depth analysis criterion input, with said in-depth analysis criterion being an expression of said saved message sequence information, and said message sequence information including a message sequence attribute and/or message sequence contents.
The present invention further provides a protocol analysis engine comprising an input port and an analysis unit, wherein said input port is used for receiving input filtering conditions and a sequence expression of said filtering conditions, with said sequence expression being used for searching for a message sequence meeting a specific relationship in the messages meeting said filtering conditions, and said analysis unit is used for searching, according to said input filtering conditions and the sequence expression of said filtering conditions, in the captured message sequences for a message sequence matched therewith and saving the same.
Preferably, said input port is further used for receiving an input stop condition for limiting the search scope of said captured message sequences, and said analysis unit is used for searching, according to said input filtering conditions, the sequence expression of said filtering conditions and the stop condition, in the captured message sequences for a message sequence matched therewith and saving the same.
Preferably, said input port is further used for receiving an in-depth analysis criterion input to further filter said saved message sequence, with said in-depth analysis criterion being an expression of said saved message sequence information and said message sequence information including a message sequence attribute and/or message sequence contents, and said protocol analysis engine further comprises a post-processing unit for filtering the message sequence found by said analysis unit according to said in-depth analysis criterion.
The present invention further provides a protocol analyzer, which comprises a sniffer and a decoder, with said sniffer being used for capturing network messages and said decoder being used for decoding the captured messages according to a particular specification, and further comprises a protocol analysis engine as described above.
The present invention further discloses a method for searching for information, which method searches, according to input filtering conditions and a sequence expression of said filtering conditions, in searched objects for a sequence of information pieces matched therewith and saves the same, with said sequence expression being used for searching for a sequence of information pieces meeting a specific relationship in the information meeting said filtering conditions.
Preferably, said searched objects are texts, log files, user's behavior models, and monitored results of system state.
The present invention further discloses a processor comprising an input unit and a processing unit, wherein said input unit is used for receiving input filtering conditions and a sequence expression of said filtering conditions, said sequence expression is used for indicating a specific inter-information-piece relationship, and said processing unit is used for searching, according to said filtering conditions and the sequence expression of said filtering conditions, in searched objects for a sequence of information pieces matched therewith and saving the same.
It can be seen that by using the embodiments provided by the present invention, a user only needs to know the knowledge relevant to the protocol analyzed and find the message sequences meeting requirements (meeting a specific relationship between them) by defining filtering conditions (for searching for the messages not related to one another) and sequence expression (for searching sequence mode).
By using different inputs it can satisfy quite a lot of analysis requirements, for example, to find out how the message is transmitted from the source node to the destination node, how long it takes, which hop consumes the longest time, which message does not reach the destination node, and at which node a packet is lost. Theoretically speaking, by way of defining sufficiently adequate message sequence expressions, all the events in all the complicated and state machine-based protocols can be found, thus avoiding the situation that plug-ins need to be individually set for each analysis requirement.
Moreover, this application can also be extended to a wider scope, for example, by searching for certain characters meeting a specific relationship in a text, it can also be used for analyzing log files, monitoring system status, monitoring network intrusion, modeling user's behaviors, etc. It only needs to input filtering conditions and a sequence expression of the filtering conditions for searching in the information meeting said filtering conditions for sequences of information pieces meeting a specific relationship, then a processor can search in the objects for sequences of information pieces matched therewith and save the same.
Brief description of the accompanying drawings
The following drawings are only intended to give out an illustrative description and explanation of the present invention and are not to limit the scope of the present invention. In the drawings,
Fig. 1 is a schematic diagram of the flow of an embodiment of the method for searching for a message sequence of the present invention;
Fig. 2 is a schematic diagram of an application of an embodiment of the method for searching for a message sequence of the present invention; and
Fig. 3 is a block diagram of the structure of an embodiment of a protocol analyzer of the present invention.
Exemplary embodiments
For a better understanding of the technical features, objects and effects of the present invention, particular embodiments will now be described with reference to the accompanying drawings. In an embodiment, a user inputs filtering conditions and a sequence expression of those filtering conditions (the expression indicates a specific relationship between messages and is used to find, among the messages meeting the filtering conditions, those standing in that relationship); the matched message sequences (i.e. groups of messages that stand in the specific relationship to one another) are searched for in the captured message sequences and saved, and the results found in this way can then be analyzed further according to an in-depth analysis criterion so as to obtain more precise results.
The flow chart as shown in Fig. 1 shows a search process by using the embodiment of the present invention. Now it will be described according to Fig. 1 and in conjunction with Fig. 3:
S10: Search conditions (filtering conditions, a sequence expression of said filtering conditions, a stop condition) are set and input according to analysis requirements.
When the filtering conditions are used on their own, one or several messages with no relationship between them can be found from the message information (such as message attributes or contents): a filtering condition yields "YES" or "NO" for a message attribute or for any mathematical expression over a predetermined value. Different filtering conditions can also make backward references to one another, i.e. the results obtained by an earlier filtering condition are used to define a later one.
For example, the following expressions can be used as filtering conditions:
1. Using any of the messages' attributes
That is to say, the substantive contents of a message can be used as a filtering criterion, for example by comparing the value of some field of the message: msg.field2 between (value1, value2) searches for a message whose 2nd field is greater than value1 and smaller than value2.
As another example, a backward reference can be used, such as searching for a message whose source address is the destination address of the message meeting the first filtering condition: msg.source = M[F1].destination.
The value of one or several bits of a message can also be tested: msg[5,8] == 0xA searches for a message whose fifth to eighth bits are 0xA (i.e. the bit pattern 1010).
2. Using regular expressions
That is to say, the message contents themselves can be used as a filtering criterion. A regular expression describes or matches a single string among all strings obeying a specific syntactic rule, so it can be used here to find a message meeting such a rule; for example, ab+c*a finds messages containing a string matching that pattern, such as a message including the string abbca.
3. Using logic operators to combine filtering conditions
For example, if filtering condition 1 is F1, filtering condition 2 is F2 and filtering condition 3 is F3, then F1 and F2 or F3 denotes messages meeting both F1 and F2, or messages meeting F3.
It can be seen that filtering conditions alone only find messages that individually match the search condition; they cannot find message sequences whose members stand in a specific relationship to one another, so the filtering conditions above cannot by themselves be used to search for related message sequences.
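The three kinds of filtering condition above (attribute comparison with a backward reference, a bit-range test, a regular expression over the contents, and their combination with logic operators), as an added Python example that is not part of the patent or of any Siemens product. The Message fields, the bit numbering (bits counted from 1 at the most significant bit of the first byte), the sample messages and the convention that M maps a filter name to the first message it matched are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Message:
    """Constructed decoded message: a few attributes plus the raw bytes the bit and regex filters inspect."""
    source: str
    destination: str
    field2: int
    raw: bytes

# A filter is evaluated against one message and M, the messages already matched by earlier filters
# (M["F1"] is the patent's M[F1]); that context is what a backward reference needs.
Filter = Callable[[Message, Dict[str, Message]], bool]

def bits(raw: bytes, first: int, last: int) -> int:
    """Value of bits first..last of raw, counted from 1 at the MSB of byte 0 (assumed numbering for msg[5,8])."""
    value = 0
    for pos in range(first, last + 1):
        byte_index, bit_index = divmod(pos - 1, 8)
        value = (value << 1) | ((raw[byte_index] >> (7 - bit_index)) & 1)
    return value

# 1. attribute filters
def between(attr: str, lo, hi) -> Filter:                         # msg.field2 between (value1, value2)
    return lambda m, M: lo < getattr(m, attr) < hi

def backref(attr: str, ref: str, ref_attr: str) -> Filter:        # msg.source = M[F1].destination
    return lambda m, M: ref in M and getattr(m, attr) == getattr(M[ref], ref_attr)

def bit_range(first: int, last: int, expected: int) -> Filter:   # msg[5,8] == 0xA
    return lambda m, M: bits(m.raw, first, last) == expected

# 2. regular expression over the message contents
def regex(pattern: bytes) -> Filter:                              # ab+c*a
    rx = re.compile(pattern)
    return lambda m, M: rx.search(m.raw) is not None

# 3. logic operators; "F1 and F2 or F3" in the text reads as (F1 and F2) or F3
def AND(*fs: Filter) -> Filter:
    return lambda m, M: all(f(m, M) for f in fs)

def OR(*fs: Filter) -> Filter:
    return lambda m, M: any(f(m, M) for f in fs)

def select(f: Filter, messages: List[Message], M=None) -> List[Message]:
    """Every message meeting f. The hits are unrelated to one another, which is all a filter can express."""
    return [m for m in messages if f(m, M or {})]

def run_demo() -> Dict[str, List[Message]]:
    msgs = [  # constructed sample messages
        Message("10.0.0.1", "10.0.0.2", 15, b"xxabbcay"),  # field2 in range, contains "abbca"
        Message("10.0.0.2", "10.0.0.3", 50, b"\x0aabc"),   # source is msg 1's destination; bits 5..8 = 1010
        Message("10.0.0.9", "10.0.0.1", 17, b"\xf0abca"),  # field2 in range, contains "abca", bits 5..8 = 0000
    ]
    F1 = between("field2", 10, 20)
    M = {"F1": select(F1, msgs)[0]}          # the first F1 hit is what M[F1] refers to
    F2 = backref("source", "F1", "destination")
    F3 = bit_range(5, 8, 0xA)
    F4 = regex(rb"ab+c*a")
    return {
        "F1": select(F1, msgs),
        "F2": select(F2, msgs, M),
        "F3": select(F3, msgs),
        "F4": select(F4, msgs),
        "F1 and F4 or F3": select(OR(AND(F1, F4), F3), msgs, M),
    }
```

Each filter answers "YES" or "NO" for a single message; note that F2 cannot be evaluated at all until an F1 hit has been placed in M, which is exactly why filters on their own cannot express the ordering that the sequence expression adds.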
To search for message sequences with a specific relationship between their members, a sequence expression of the filtering conditions is used. This expression (for example one similar to a regular expression) combines different filtering conditions so as to define the relationship between messages, and message sequences matching that pattern, i.e. messages standing in the specified relationship to one another, can then be found. For example, if filtering conditions 1 to 4 are F1, F2, F3 and F4, then F1(F2/F3)+F4 means: first search for a message meeting F1; once found, search for messages meeting F2 or F3 (there must be at least one); and finally search for a message meeting F4. Unlike the filtering conditions, which can only be combined with logic operators, the sequence expression of the filtering conditions is an expression: a logic operator can only express "and" or "or" and cannot define relationships between the filtering conditions, whereas an expression can define such relationships, such as the ordering and the number of occurrences.
The captured messages are searched by combining the filtering conditions with the sequence expression of the filtering conditions. In practice a stop condition can also be set to limit the scope of a result (message sequence). For example, the stop condition takes effect once the first message meeting the conditions has been found; if the stop condition is 10 s or a count of 1000 messages, and no message sequence meeting the conditions is found within that range (10 s, or 1000 messages), the search for this result is stopped and the next search is started.
A search can likewise be performed by inputting a stop condition together with the filtering conditions and a sequence expression of the filtering conditions. As the filtering conditions, the sequence expressions of the filtering conditions and the stop conditions change, the generated search conditions change correspondingly. With these inputs a user can simply set filtering conditions according to the analysis requirements and find the matching message results using the sequence expressions and stop conditions, without preparing a large number of analysis programs for individual requirements and without learning a different programming language for each protocol: a single language and a simple input satisfy the analysis requirements of different protocols, occasions and objects. The design is simple and intuitive, easy to maintain later, and places low demands on designers, who need not learn other complicated programming languages.
S20: The target files, i.e. the message sequences that have been captured and decoded, are determined; these are the objects to be searched using the search conditions. Capturing message sequences is prior art and is not described further here. There is no strict order between S10 and S20: S20 may be performed before S10, or the two simultaneously.
S30: The protocol analysis engine searches the target files using the search conditions and judges whether a message sequence result has been found.
S40: If no result is found in step S30, then it indicates that there is no message meeting this search condition in the target files, and the flow ends.
S50: If there is a result found in step S30, then this result will be saved.
S60: The protocol analysis engine searches the target files again and judges whether another result can be found. After a result has been found in step S50, the next search in step S60 starts from the message after the first matched message of the previous result.
S70: If another result can be found, then this result will be saved, and step S60 is performed again to search for other results.
S80: If no other result can be found, a result file is generated containing all the message sequences found and their corresponding information, such as the messages themselves, the positions of the messages in the message sequences, the matched filtering conditions, the referenced messages (if backward references are used), and so on.
S90: An in-depth analysis criterion is set for an in-depth analysis of the result file. A user can set a stricter in-depth analysis criterion on the results obtained so as to obtain more precise results. This criterion is an expression over the filtered results: it yields "YES" or "NO" for any mathematical expression over the attributes or contents of the message sequences, so as to find a message pattern among the results of the filtering. For example, M[F4][1].field1 - M[F1][1].field1 <= v1 selects results in which the first field of the first message meeting the 4th filtering condition F4, minus the first field of the first message meeting the first filtering condition F1, is not greater than v1. As another example, M[F1].count + M[F2].count > 10 selects results in which the number of messages meeting F1 plus the number of messages meeting F2 is greater than 10.
S100: Using the in-depth analysis criterion, a post-processing engine searches the message sequences in the result file to see whether there is a result.
S110: If no result is found using the in-depth analysis criterion, the flow ends.
S120: If a result is found using the in-depth analysis criterion, it is saved.
S130: The post-processing engine searches the result file again for the sequence pattern to see whether a further result can be found.
S140: If another result can be found, then this result is saved, and step S130 is performed again from the next result after this result.
S150: If no other result can be found, a file is generated containing all the results matching the in-depth analysis criterion. By then all results meeting the analysis requirements have been found, and the user can analyze them directly.
In an embodiment of the present invention, the sequence expression of the filtering conditions expresses relationships using rules similar to those of regular expressions; compared with ordinary regular expressions, however, the expressions of this embodiment differ as follows:
1. As to the definition of the pattern, this embodiment uses filtering conditions as the elementary units where ordinary regular expressions use characters, and the objects analyzed or searched are not strings but message sequences.
2. As to control of the matching process, this embodiment can also use a stop condition, for example searching only the messages within 10 s of the time stamp (M[F1][1].time) of the first message (M[F1][1]) in the group of messages (M[F1]) meeting the first filtering condition (F1), or ending the search for this result at the 1000th message after that first message (1000 messages after M[F1][1].lineNumber); ordinary regular expressions have no stop condition.
Furthermore, messages not meeting the filtering condition of the current state are ignored in this embodiment without aborting the current matching process.
After a result has been found, the next run of the search starts from the message after the first matched message of the previous result, since two results (message patterns) may overlap in the sequence; an ordinary regular expression search, by contrast, resumes at the end of the previous match.
3. As to the results obtained by searching with the search conditions, this embodiment yields groups of consecutive or non-consecutive messages meeting a predesigned pattern; preferably these message sequences are saved for further in-depth analysis, and preferably each message in the results is saved together with all or part of its information (such as the message itself, its position in the message sequence, the matched filtering condition, and the referenced messages if a backward reference is used).
Furthermore, the present invention can use not only the above expressions similar to regular expressions but also other expressions, such as expressions using wildcard characters. An embodiment will now be described in a particular scenario in conjunction with Fig. 2.
Assume the IP and MAC addresses of a source node in a network are ip_addr_src and mac_addr_src, those of a destination node are ip_addr_dst and mac_addr_dst, and the TCP transmission delay between these two nodes is required to be less than 5 s. Messages with a transmission delay greater than 5 s can then be found using this embodiment.
A first filtering condition (F1) finds the messages sent from the source node, and a second filtering condition (F2) finds the same messages arriving at the destination node. F2 uses information from the message meeting F1 to determine whether the message arriving at the destination node is the same message that was sent from the source node. Since the destination node may receive several copies of the same message owing to retransmission and backup routing, the sequence expression "F1 F2+" is used to search for the message meeting F1 followed by one or more messages meeting F2, together with a stop condition of 30 s, i.e. only messages within 30 s after the time stamp of the message meeting the first filtering condition are searched.
With these search conditions, all message sequences of messages sent from the source node and arriving at the destination node are saved in a captured tracking file, including both completely matched sequences (containing a message meeting F1 and messages meeting F2) and partially matched sequences (containing only a message meeting F1, with no message meeting F2 found).
For further analysis the user can also apply an in-depth analysis criterion; in this example it is "M[F2][1].time - M[F1][1].time > 5 s", i.e. the time difference between the 1st message meeting the 2nd filtering condition and the 1st message meeting the 1st filtering condition is greater than 5 s, meaning the delay of the message from the source node to the destination node exceeds 5 s. In this way all messages with delays greater than 5 s are found.
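The sequence search of steps S30 to S150 (sequence expression over filtering conditions, stop condition, non-matching messages ignored, next search restarting after the first matched message, and the in-depth criterion applied to the saved results), run on the Fig. 2 scenario above, as an added Python example that is not part of the patent or of any Siemens product. Assumptions made here: the capture is constructed, a message is identified by an id field seen at both nodes, the "+" quantifier is greedy and hands over to the next step as soon as that step matches, and M["F1"][0] stands for the patent's M[F1][1].

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed decoded message: capture line number, timestamp in seconds, observing node, message id.
Msg = Dict[str, object]
# A filter sees the candidate message and M, the messages matched so far in this sequence,
# which is what the backward reference in F2 needs.
Filter = Callable[[Msg, Dict[str, List[Msg]]], bool]

@dataclass
class Step:
    names: List[str]   # alternatives: "(F2/F3)" becomes ["F2", "F3"]
    repeat: bool       # True for the "+" quantifier (one or more)

TOKEN = re.compile(r"\(([^)]+)\)(\+?)|(\w+)(\+?)")

def parse_sequence(expr: str) -> List[Step]:
    """Parse a sequence expression such as 'F1 (F2/F3)+ F4' into steps."""
    steps = []
    for group, gplus, single, splus in TOKEN.findall(expr):
        names = [n.strip() for n in group.split("/")] if group else [single]
        steps.append(Step(names, bool(gplus or splus)))
    return steps

def _hit(step: Step, m: Msg, M, filters) -> Optional[str]:
    """Name of the first alternative of step that m satisfies, or None."""
    return next((n for n in step.names if filters[n](m, M)), None)

def match_from(messages, start, steps, filters, stop_secs=None, stop_count=None):
    """Match one sequence whose first message lies at or after messages[start].
    Messages not meeting the current filter are ignored; the stop condition (seconds or messages
    after the first matched message) bounds the search. Returns None if nothing meets the first
    filter, otherwise a result flagged complete or partial."""
    M: Dict[str, List[Msg]] = {}
    order: List[Msg] = []
    first_idx = None
    s, satisfied = 0, False   # current step; whether a "+" step has matched at least once
    for i in range(start, len(messages)):
        m = messages[i]
        if first_idx is not None:
            first = messages[first_idx]
            if stop_secs is not None and m["time"] - first["time"] > stop_secs:
                break
            if stop_count is not None and m["line"] - first["line"] > stop_count:
                break
        # Assumed greedy rule: a satisfied "+" step hands over as soon as the next step matches.
        if steps[s].repeat and satisfied and s + 1 < len(steps) and _hit(steps[s + 1], m, M, filters):
            s, satisfied = s + 1, False
        name = _hit(steps[s], m, M, filters)
        if name is None:
            continue                       # ignored, the match is not aborted
        M.setdefault(name, []).append(m)
        order.append(m)
        if first_idx is None:
            first_idx = i
        if steps[s].repeat:
            satisfied = True
        else:
            s += 1
            if s == len(steps):
                break
    if first_idx is None:
        return None
    complete = s == len(steps) or (s == len(steps) - 1 and steps[s].repeat and satisfied)
    return {"M": M, "messages": order, "complete": complete, "first_index": first_idx}

def search(messages, expr, filters, stop_secs=None, stop_count=None):
    """All results for expr. The next search starts right after the previous result's first
    matched message, so results may overlap (a regex search would resume at the previous end)."""
    steps = parse_sequence(expr)
    results, start = [], 0
    while start < len(messages):
        r = match_from(messages, start, steps, filters, stop_secs, stop_count)
        if r is None:
            break
        results.append(r)
        start = r["first_index"] + 1
    return results

def in_depth(results, criterion):
    """Post-processing: keep the results whose M satisfies the in-depth analysis criterion."""
    return [r for r in results if criterion(r["M"])]

def demo_trace() -> List[Msg]:
    """Constructed capture: each id is seen when sent at the source and again at the destination."""
    rows = [(1, 0.0, "src", 1), (2, 0.8, "dst", 1), (3, 1.0, "dst", 1),  # id 1 arrives, then a retransmitted copy
            (4, 2.0, "src", 2), (5, 3.0, "src", 3),
            (6, 8.5, "dst", 2),                                        # id 2 arrives 6.5 s after it was sent
            (7, 40.0, "dst", 3)]                                       # id 3 arrives outside the 30 s window
    return [{"line": l, "time": t, "node": n, "id": i} for l, t, n, i in rows]

FILTERS: Dict[str, Filter] = {
    "F1": lambda m, M: m["node"] == "src",                                   # sent from the source node
    "F2": lambda m, M: m["node"] == "dst" and m["id"] == M["F1"][0]["id"],  # same message at the destination
}

def run_demo():
    results = search(demo_trace(), "F1 F2+", FILTERS, stop_secs=30)
    # In-depth criterion M[F2][1].time - M[F1][1].time > 5 s; partial results have no F2 and are skipped.
    delayed = in_depth(results, lambda M: "F2" in M and M["F2"][0]["time"] - M["F1"][0]["time"] > 5)
    return results, delayed
```

On the constructed trace this yields three results: id 1 with its two copies, id 2 (the only one the in-depth criterion keeps, at 6.5 s), and a partial result for id 3, whose copy arrives outside the 30 s window and is therefore reported as not having reached the destination. The count criterion from step S90, M[F1].count + M[F2].count > 10, would be written as `lambda M: len(M.get("F1", [])) + len(M.get("F2", [])) > 10` against the same result structure.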
It can be seen that, with the embodiments provided by the present invention, a user only needs knowledge of the protocol to be analyzed in order to find the message sequences meeting a requirement (standing in a specific relationship to one another), by defining the filtering conditions (which find individual, unrelated messages) and the sequence expression (which finds the sequence pattern). With different inputs a wide range of analysis requirements can be satisfied, for example finding how a message travels from the source node to the destination node, how long it takes, which hop consumes the most time, which message does not reach the destination node, and at which node a packet is lost. In principle, given sufficiently expressive message sequence expressions, every event in even complicated state-machine-based protocols can be found, so that plug-ins need not be written for each individual analysis requirement.
After the above results have been found, the user can also input in-depth analysis criteria to narrow the results further and find the needed results accurately and conveniently.
As shown in Fig.3, the present invention further provides a protocol analysis engine 100, which comprises an input port 101, an analysis unit 103 and a post-processing unit 104.
The filtering conditions and the sequence expressions of the filtering conditions are input via the input port 101; the filtering conditions find individual, unrelated messages, while the sequence expressions define the relationships between messages used to find message sequences. Optionally a stop condition limiting the searched message scope is also input via the input port 101. Having received this information, the input port 101 passes it to the analysis unit 103.
The analysis unit 103 can carry out a search according to the inputs received at the input port 101 so as to find the results meeting the specific relationships.
At the same time, an in-depth analysis criterion can also be input via the input port 101, and the post-processing unit 104 performs an in-depth analysis of the results found by the analysis unit 103 according to this criterion so as to obtain the final analysis results.
Also as shown in Fig. 3, the present invention further provides a message analyzer 10, which comprises not only the protocol analysis engine 100 described above but also at least a sniffer 200 and a decoder 300: the sniffer 200 captures network messages, the decoder 300 decodes the captured messages according to a particular specification, and the protocol analysis engine 100 analyzes the decoded messages according to the method described above.
Of course, in practice the method can also be applied to other objects, for example searching a text for characters standing in a specific relationship, analyzing log files, monitoring system status, monitoring for network intrusions, modeling user behavior, and so on. It only requires filtering conditions and sequence expressions of the filtering conditions, indicating the specific relationships between the information pieces; a processor can then search the objects for matching sequences of information pieces and save them. Such a processor can comprise an input unit and a processing unit, where the input unit receives the filtering conditions and their sequence expressions, and the processing unit searches the searched objects for matching sequences of information pieces according to these inputs and saves them.
What are described above are merely the illustrative particular embodiments of the present invention, and are not intended to limit the scope of the present invention. Any equivalent variation, modification and combination made by anyone skilled in the art without departing from the concept and principles of the present invention shall belong to the protective scope of the present invention.

Claims
1. A method for searching for a message sequence, characterized in that it searches, according to input
filtering conditions and a sequence expression of said filtering conditions, in captured message sequences for a message sequence matched therewith and saves the same, with said sequence expression being used for indicating a specific inter-message relationship.
2. The method as claimed in claim 1, characterized in that it further searches, according to an input stop
condition together with said filtering conditions and the sequence expression of said filtering conditions, in the captured message sequences for a message sequence matched therewith and saves the same, with said stop condition being used for limiting the search scope of said captured message sequences .
3. The method as claimed in claim 1, characterized in that said filtering conditions comprise message information, with said message information including a message attribute and/or message contents.
4. The method as claimed in claim 3, characterized in that said filtering conditions comprise various pieces of message information combined by using a logic operator.
5. The method as claimed in claim 1, characterized in that said searching in the captured message sequences for a message sequence matched therewith and saving the same further comprises:
after having found a message sequence, saving the same and starting from the message behind the first matched message in said message sequence to search for other matched message sequences.
6. The method as claimed in claim 1, characterized in that it further comprises saving the message sequence found and the corresponding information thereof as a result file.
7. The method as claimed in claim 6, characterized in that it further comprises further filtering said saved message sequence according to an in-depth analysis criterion input, with said in-depth analysis criterion being an expression of said saved message sequence information and said message sequence information including a message sequence attribute and/or message sequence contents.
8. A protocol analysis engine (100), characterized in that it comprises an input port (101) and an analysis unit (103) , wherein,
said input port (101) is used for receiving input
filtering conditions and a sequence expression of said filtering conditions, with said sequence expression being used for indicating a specific inter-message relationship, and
said analysis unit (103) is used for searching, according to said input filtering conditions and the sequence
expression of said filtering conditions, in the captured message sequences for a message sequence matched therewith and saving the same.
9. The protocol analysis engine (100) as claimed in claim 8, characterized in that said input port (101) is further used for receiving an input stop condition, said stop condition is used for limiting the search scope of said captured message sequences, and said analysis unit (103) is used for searching, according to said input filtering
conditions, the sequence expression of said filtering
conditions and the stop condition, in the captured message sequences for a message sequence matched therewith and saving the same.
10. The protocol analysis engine (100) as claimed in claim 8, characterized in that said input port (101) is further used for receiving an in-depth analysis criterion input to further filter said saved message sequence, with said in-depth analysis criterion being an expression of said saved message sequence information and said message sequence information including a message sequence attribute and/or message sequence contents, and
said protocol analysis engine (100) further comprises a post-processing unit (104) for filtering the message sequence found by said analysis unit (103) according to said in-depth analysis criterion.
11. A protocol analyzer, comprising a sniffer (200) and a decoder (300), wherein said sniffer (200) is used for
capturing network messages, and said decoder (300) is used for decoding the captured messages according to a particular specification, characterized in that it further comprises a protocol analysis engine as claimed in any one of claims 8 to 10.
12. A method for searching for information, characterized in that it searches, according to input filtering conditions and a sequence expression of said filtering conditions, in searched objects for a sequence of information pieces matched therewith and saves the same, with said sequence expression being used for indicating a specific inter-information-piece relationship.
13. The method as claimed in claim 12, characterized in that said searched objects are texts, log files, user's behavior models or monitored results of system state.
14. A processor, characterized in that it comprises an input unit and a processing unit, wherein said input unit is used for receiving input filtering conditions and a sequence expression of said filtering conditions, with said sequence expression being used for indicating a specific inter-information-piece relationship, and said processing unit is used for searching, according to said filtering conditions and the sequence expression of said filtering conditions, in searched objects for a sequence of information pieces matched therewith and saving the same.
PCT/EP2011/055150 2010-04-28 2011-04-04 Method for searching for message sequences, protocol analysis engine and protocol analyzer WO2011134739A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2010101599553A CN102238021A (en) 2010-04-28 2010-04-28 Message sequence searching method, protocol analysis engine and protocol analyzer
CN201010159955.3 2010-04-28

Publications (1)

Publication Number Publication Date
WO2011134739A1 true WO2011134739A1 (en) 2011-11-03

Family

ID=44148490

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2011/055150 WO2011134739A1 (en) 2010-04-28 2011-04-04 Method for searching for message sequences, protocol analysis engine and protocol analyzer

Country Status (2)

Country Link
CN (1) CN102238021A (en)
WO (1) WO2011134739A1 (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103209141A (en) * 2012-01-17 2013-07-17 中兴通讯股份有限公司 Method for processing data messages with switching chip and switching chip
US20160226944A1 (en) * 2015-01-29 2016-08-04 Splunk Inc. Facilitating custom content extraction from network packets
US9838512B2 (en) 2014-10-30 2017-12-05 Splunk Inc. Protocol-based capture of network data using remote capture agents
US9843598B2 (en) 2014-10-30 2017-12-12 Splunk Inc. Capture triggers for capturing network data
US9923767B2 (en) 2014-04-15 2018-03-20 Splunk Inc. Dynamic configuration of remote capture agents for network data capture
US10127273B2 (en) 2014-04-15 2018-11-13 Splunk Inc. Distributed processing of network data using remote capture agents
US10257059B2 (en) 2014-04-15 2019-04-09 Splunk Inc. Transforming event data using remote capture agents and transformation servers
US10360196B2 (en) 2014-04-15 2019-07-23 Splunk Inc. Grouping and managing event streams generated from captured network data
US10366101B2 (en) 2014-04-15 2019-07-30 Splunk Inc. Bidirectional linking of ephemeral event streams to creators of the ephemeral event streams
US10462004B2 (en) 2014-04-15 2019-10-29 Splunk Inc. Visualizations of statistics associated with captured network data
US10523521B2 (en) 2014-04-15 2019-12-31 Splunk Inc. Managing ephemeral event streams generated from captured network data
US10693742B2 (en) 2014-04-15 2020-06-23 Splunk Inc. Inline visualizations of metrics related to captured network data
US10700950B2 (en) 2014-04-15 2020-06-30 Splunk Inc. Adjusting network data storage based on event stream statistics
US11086897B2 (en) 2014-04-15 2021-08-10 Splunk Inc. Linking event streams across applications of a data intake and query system
US11281643B2 (en) 2014-04-15 2022-03-22 Splunk Inc. Generating event streams including aggregated values from monitored network data
US12028208B1 (en) 2014-05-09 2024-07-02 Splunk Inc. Selective event stream data storage based on network traffic volume

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107360051B (en) * 2016-09-30 2021-06-15 成都科来软件有限公司 Method and device for controlling analysis switch of multiple different network protocols
CN108377211B (en) * 2018-01-31 2021-06-11 湖南戎腾网络科技有限公司 Dynamic rule chain type recursion triggering method and system based on message content perception

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1115227A1 (en) * 2000-01-06 2001-07-11 Wandel &amp; Goltermann CTS Protocol analysis apparatus and method
US20030135612A1 (en) * 2001-07-17 2003-07-17 Huntington Stephen Glen Full time network traffic recording systems and methods
US20030191599A1 (en) * 2002-03-22 2003-10-09 Wolfgang Bartsch Method and protocol tester for decoding data encoded in accordance with a protocol description

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7880429B2 (en) * 2008-05-13 2011-02-01 GM Global Technology Operations LLC Power management method using feedback current bias for simultaneously controlling low cells and overall stack voltage
CN201582515U (en) * 2009-09-04 2010-09-15 肖功宽 Anti-leakage pipe hoop of pressure rubber pipe and steel pipe connector


Cited By (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103209141A (en) * 2012-01-17 2013-07-17 中兴通讯股份有限公司 Method for processing data messages with switching chip and switching chip
US11716248B1 (en) 2014-04-15 2023-08-01 Splunk Inc. Selective event stream data storage based on network traffic volume
US10951474B2 (en) 2014-04-15 2021-03-16 Splunk Inc. Configuring event stream generation in cloud-based computing environments
US11818018B1 (en) 2014-04-15 2023-11-14 Splunk Inc. Configuring event streams based on identified security risks
US9923767B2 (en) 2014-04-15 2018-03-20 Splunk Inc. Dynamic configuration of remote capture agents for network data capture
US10127273B2 (en) 2014-04-15 2018-11-13 Splunk Inc. Distributed processing of network data using remote capture agents
US11245581B2 (en) 2014-04-15 2022-02-08 Splunk Inc. Selective event stream data storage based on historical stream data
US10257059B2 (en) 2014-04-15 2019-04-09 Splunk Inc. Transforming event data using remote capture agents and transformation servers
US11451453B2 (en) 2014-04-15 2022-09-20 Splunk Inc. Configuring the generation of ephemeral event streams by remote capture agents
US11314737B2 (en) 2014-04-15 2022-04-26 Splunk Inc. Transforming event data using values obtained by querying a data source
US10348583B2 (en) 2014-04-15 2019-07-09 Splunk Inc. Generating and transforming timestamped event data at a remote capture agent
US11108659B2 (en) 2014-04-15 2021-08-31 Splunk Inc. Using storage reactors to transform event data generated by remote capture agents
US11863408B1 (en) 2014-04-15 2024-01-02 Splunk Inc. Generating event streams including modified network data monitored by remote capture agents
US10462004B2 (en) 2014-04-15 2019-10-29 Splunk Inc. Visualizations of statistics associated with captured network data
US11296951B2 (en) 2014-04-15 2022-04-05 Splunk Inc. Interval-based generation of event streams by remote capture agents
US10374883B2 (en) 2014-04-15 2019-08-06 Splunk Inc. Application-based configuration of network data capture by remote capture agents
US10523521B2 (en) 2014-04-15 2019-12-31 Splunk Inc. Managing ephemeral event streams generated from captured network data
US10693742B2 (en) 2014-04-15 2020-06-23 Splunk Inc. Inline visualizations of metrics related to captured network data
US10360196B2 (en) 2014-04-15 2019-07-23 Splunk Inc. Grouping and managing event streams generated from captured network data
US10700950B2 (en) 2014-04-15 2020-06-30 Splunk Inc. Adjusting network data storage based on event stream statistics
US11281643B2 (en) 2014-04-15 2022-03-22 Splunk Inc. Generating event streams including aggregated values from monitored network data
US11252056B2 (en) 2014-04-15 2022-02-15 Splunk Inc. Transforming event data generated by remote capture agents using user-generated code
US10366101B2 (en) 2014-04-15 2019-07-30 Splunk Inc. Bidirectional linking of ephemeral event streams to creators of the ephemeral event streams
US11086897B2 (en) 2014-04-15 2021-08-10 Splunk Inc. Linking event streams across applications of a data intake and query system
US12028208B1 (en) 2014-05-09 2024-07-02 Splunk Inc. Selective event stream data storage based on network traffic volume
US10701191B2 (en) 2014-10-30 2020-06-30 Splunk Inc. Configuring rules for filtering events to be included in event streams
US10264106B2 (en) 2014-10-30 2019-04-16 Splunk Inc. Configuring generation of multiple event streams from a packet flow
US10812514B2 (en) 2014-10-30 2020-10-20 Splunk Inc. Configuring the generation of additional time-series event data by remote capture agents
US10805438B2 (en) 2014-10-30 2020-10-13 Splunk Inc. Configuring the protocol-based generation of event streams by remote capture agents
US10382599B2 (en) 2014-10-30 2019-08-13 Splunk Inc. Configuring generation of event streams by remote capture agents
US11936764B1 (en) 2014-10-30 2024-03-19 Splunk Inc. Generating event streams based on application-layer events captured by remote capture agents
US11425229B2 (en) 2014-10-30 2022-08-23 Splunk Inc. Generating event streams from encrypted network traffic monitored by remote capture agents
US9838512B2 (en) 2014-10-30 2017-12-05 Splunk Inc. Protocol-based capture of network data using remote capture agents
US10193916B2 (en) 2014-10-30 2019-01-29 Splunk Inc. Configuring the generation of event data based on a triggering search query
US9843598B2 (en) 2014-10-30 2017-12-12 Splunk Inc. Capture triggers for capturing network data
US11115505B2 (en) 2015-01-29 2021-09-07 Splunk Inc. Facilitating custom content extraction rule configuration for remote capture agents
US10334085B2 (en) * 2015-01-29 2019-06-25 Splunk Inc. Facilitating custom content extraction from network packets
US11973852B2 (en) 2015-01-29 2024-04-30 Splunk Inc. Generating event data at remote capture agents based on identified network addresses
US20160226944A1 (en) * 2015-01-29 2016-08-04 Splunk Inc. Facilitating custom content extraction from network packets

Also Published As

Publication number Publication date
CN102238021A (en) 2011-11-09

Similar Documents

Publication Publication Date Title
WO2011134739A1 (en) Method for searching for message sequences, protocol analysis engine and protocol analyzer
US20220263736A1 (en) Method and system for deep packet inspection in software defined networks
US9275224B2 (en) Apparatus and method for improving detection performance of intrusion detection system
CN107968791B (en) Attack message detection method and device
US11546295B2 (en) Industrial control system firewall module
KR100439177B1 (en) Method for representing, storing and editing network security policy
CN105099916A (en) Open flow routing and switching equipment and data message processing method thereof
Yaseen et al. Aragog: Scalable runtime verification of shardable networked systems
KR102069142B1 (en) Apparatus and method for automatic extraction of accurate protocol specifications
CN111698110A (en) Network equipment performance analysis method, system, equipment and computer medium
Hussein et al. SDN verification plane for consistency establishment
US7266088B1 (en) Method of monitoring and formatting computer network data
Xiao et al. Automatic protocol reverse engineering using grammatical inference
Sija et al. Survey on network protocol reverse engineering approaches, methods and tools
CN115514683A (en) Method and device for determining packet loss reason, exchange chip and storage medium
CN112910842B (en) Network attack event evidence obtaining method and device based on flow reduction
CN114362992A (en) Hidden Markov attack chain prediction method and device based on SNORT log
Rekhis et al. Visibility: a novel concept for characterising provable network digital evidences
Buttyán et al. Consistency verification of stateful firewalls is not harder than the stateless case
Zhang et al. Toward comprehensive network verification: Practices, challenges and beyond
CN112217784A (en) Apparatus and method for attack recognition in computer networks
CN115174265B (en) ICMP hidden tunnel detection method based on flow characteristics
CN115664739B (en) User identity attribute active detection method and system based on flow characteristic matching
Tavares et al. P4-onids: A p4-based nids optimized for constrained programmable data planes in sdn
Hommes et al. Automated source code extension for debugging of openflow based networks

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 11714507

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry in European phase

Ref document number: 11714507

Country of ref document: EP

Kind code of ref document: A1