WO2014085952A1 - Method for policy processing and network device - Google Patents
- Publication number: WO2014085952A1 (PCT/CN2012/085721)
- Authority: WO, WIPO (PCT)
- Prior art keywords: condition, rule, business, conditions, mapping relationship
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/08—Configuration management of networks or network elements > H04L41/0893—Assignment of logical groups to network elements
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L12/00—Data switching networks > H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/08—Configuration management of networks or network elements > H04L41/0894—Policy-based network configuration management
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/20—Network management software packages
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L63/0227—Filtering policies > H04L63/0263—Rule management
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L12/00—Data switching networks > H04L12/54—Store-and-forward switching systems > H04L12/56—Packet switching systems > H04L12/5601—Transfer mode dependent, e.g. ATM > H04L2012/5603—Access techniques
Definitions
- The present invention relates to the field of communications technologies and, in particular, to a method for processing a policy and a network device.
- Policy control is an essential function of various core network devices (such as routers, switches, and gateways). As shown in Figure 1, users configure multiple policy rules through configuration interfaces or specific policy scripts; the rules are delivered to the device, and the device implements multiple services based on the policy rules.
- ADC: Application Delivery Controller
- WOC: WAN Optimization Controller
- URLF: Uniform / Universal Resource Locator Filter
- The execution of a policy rule in the prior art includes the following four steps: message data processing (collection of policy-related information), condition matching, rule verification, and action execution.
- After receiving the packet data, the device first processes the Layer 1-7 data, which usually includes unpacking, extracting the header information of each layer, extracting the Layer 7 protocol field information, and the like. It then verifies the policy conditions against the collected information; if some conditions are met, it enters the rule verification module to perform rule matching; for each matched policy rule, the corresponding business action is performed.
- Different services may also need to include some service-specific packet processing if their processing of the message differs.
- The embodiments of the present invention provide a method for processing a policy and a network device, which are used to reduce redundant and repeated operations during policy execution and to improve the policy execution performance of the network device.
- An embodiment of the present invention provides a network device, including: a hybrid orchestrator, a condition matcher, and a rule matcher, where:
- The hybrid orchestrator is configured to orchestrate together all business rules corresponding to multiple business applications running on the network device, where each business rule includes conditions and actions, so as to extract the conditions of all the business rules, construct at least one condition set using the extracted conditions, and generate mapping relationship data for recording the mapping relationship between each business rule and the conditions in the condition set;
- The condition matcher is configured to perform, according to each condition set constructed by the hybrid orchestrator, condition matching on the packet feature information of the network data packet received by the network device, and to output a condition matching result set; the condition matching result set is used to record the successfully matched conditions;
- The rule matcher is configured to determine, according to the condition matching result set and the mapping relationship data generated by the hybrid orchestrator, the successfully matched business rules, and to trigger the service application corresponding to each successfully matched business rule to perform the action corresponding to that rule.
- The hybrid orchestrator specifically includes: a rule splitting unit, configured to split each of the business rules into conditions and actions;
- a condition classification unit, configured to classify the conditions after they have been filtered and de-duplicated, to obtain at least one type of condition set;
- a mapping unit, configured to generate mapping relationship data for recording the mapping relationship between each business rule and the conditions in the condition set.
- The mapping unit is specifically configured to: map each condition in the condition set to all business rules that include the condition, so as to establish the mapping relationship between each of the business rules and the conditions in the condition set, and generate mapping relationship data for recording that mapping relationship. Alternatively, the mapping unit is specifically configured to: when each of the business rules is split into conditions and actions, record the mapping relationship between each business rule and the conditions in that rule; after the condition filtering de-duplication unit has removed the repeated conditions, adjust the recorded mapping relationship so that each condition in the condition set is mapped to all the business rules that include it; and generate mapping relationship data for recording the adjusted mapping relationship.
- The condition matcher is specifically configured to: match the packet characteristic information of the network data packet received by the network device against the conditions in the respective condition sets, and record the identifiers of the successfully matched conditions in the condition matching result set.
- The network device further includes: a detector, configured to perform packet detection on the network data packet received by the network device, to collect the packet characteristic information of the network data packet. The condition matcher is specifically configured to perform, according to each condition set constructed by the hybrid orchestrator, condition matching on the packet feature information collected by the detector, and to output the condition matching result set.
- At least one business rule is a composite rule, that is, a business rule that includes multiple conditions; the hybrid orchestrator is further configured to record the logical relationship between the conditions in each composite rule;
- The rule matcher is specifically configured to determine the successfully matched business rules according to the condition matching result set, the mapping relationship data generated by the hybrid orchestrator, and the logical relationship between the conditions, and then either to invoke the service application to which a successfully matched business rule belongs to perform the action corresponding to that rule, or to send a rule hit message to the service application corresponding to the successfully matched business rule, so that the service application performs the action corresponding to the successfully matched business rule according to the rule hit message.
- The embodiment of the present invention further provides a multi-service policy processing method, including: orchestrating together all business rules corresponding to multiple service applications, where each business rule includes conditions and actions, so as to extract the conditions of all the business rules, construct at least one condition set using the extracted conditions, and generate mapping relationship data for recording the mapping relationship between each business rule and the conditions in the condition set;
- performing, according to each constructed condition set, condition matching on the packet characteristic information of the received network data packet, and outputting a condition matching result set; the condition matching result set is used to record the successfully matched conditions; and
- determining, according to the condition matching result set and the generated mapping relationship data, the successfully matched business rules, and triggering the service application corresponding to each successfully matched business rule to perform the action corresponding to that rule.
- Orchestrating together all the business rules corresponding to the multiple service applications includes:
- classifying the conditions after de-duplication to obtain at least one type of condition set;
- adjusting the mapping relationship data so that each condition in the condition set is mapped to the one or more business rules that include the condition, thereby obtaining the mapping relationship data between the conditions in the condition set and the respective business rules.
- At least one of the business rules is a composite rule, that is, a business rule that includes multiple conditions; the method further includes: recording the logical relationship between the conditions in each composite rule;
- With the method for processing a policy and the network device in the embodiments of the present invention, the policy rules of multiple service applications are orchestrated together, the information required by all services is extracted in one packet data scanning process, and condition matching and rule matching are performed uniformly for the multiple services at the same time. This reduces redundant operations between multiple services, facilitates multi-service convergence on a single device, improves device integration and performance, reduces service deployment and device hardware costs, and improves the competitiveness of network devices.
- FIG. 1 is a schematic diagram of a hierarchical deployment manner of multi-service policy control according to the present invention
- FIG. 2 is a schematic flowchart of a policy rule execution process according to an embodiment of the present invention.
- FIG. 3 is a schematic diagram of a network of an enterprise private cloud according to an embodiment of the present invention.
- FIG. 4 is a schematic flowchart of a policy processing method according to an embodiment of the present invention.
- FIG. 5 is a flowchart of a method for processing a policy according to an embodiment of the present invention.
- FIG. 6 is a schematic diagram of a method for mixing and scheduling multi-service rules according to an embodiment of the present invention.
- FIG. 7 is a schematic diagram of a network device according to an embodiment of the present disclosure.
- FIG. 8 is a schematic diagram of a hybrid arranger according to an embodiment of the present invention.
- FIG. 9 is a schematic flowchart of a process of a condition matcher according to an embodiment of the present disclosure
- FIG. 10 is a schematic flowchart of a process of a condition matcher according to an embodiment of the present disclosure
- FIG. 11 is a schematic flowchart of a rule matcher process according to an embodiment of the present invention.
- FIG. 12 is a schematic flowchart of a policy processing method according to an embodiment of the present disclosure.
- FIG. 13 is a schematic diagram of a network device according to an embodiment of the present invention.
- The application scenarios of the technical solutions of the embodiments of the present invention are briefly introduced first.
- The technical solutions provided by the embodiments of the present invention can be applied to multiple policy control scenarios, such as a home network, an access network, an aggregation network, a backbone network, an enterprise network, a carrier network, and various private/public clouds.
- The following briefly describes an enterprise network private cloud as a typical application scenario.
- FIG. 3 is a network diagram of an enterprise private cloud scenario provided by an embodiment of the present invention. As shown in FIG. 3, the SW and the routers form the local area network.
- The local area network is interconnected with the data center through the WAN (Wide Area Network), and the data center also deploys multiple routers, gateways, and servers (such as Web servers and database servers);
- Routers and switch devices in each office area usually integrate firewall, WOC, IPS, URLF, and similar functions.
- Routers and switch devices in data centers usually integrate a variety of business applications such as firewalls, WOC, ADC, and IPS. In this case, both routers and switches need to perform multiple types of policy processing.
- The enterprise private cloud scenario is only a typical application scenario of the technical solution of the present invention and does not limit the application scenarios of the present invention.
- The technical solutions of the embodiments of the present invention are applicable.
- The following is a general description of the policy processing method provided by the embodiment of the present invention. As shown in FIG. 4, the method mainly includes: message scanning, hybrid orchestration, unified condition matching, and unified rule verification.
- Message scanning is mainly performed by means of packet detection, such as Layer 2-7 DPI (Deep Packet Inspection), and extracts from the received network data packet all the packet feature information required by the multiple services, such as URLs, quintuples, and protocol types.
- No unnecessary operations are performed; only the packet feature information required by the service applications (such as WOC, ADC, and IPS) run by the current network device is extracted.
- Hybrid orchestration refers to orchestrating together the business rules of all business applications. It mainly includes: (1) extracting conditions of the same kind and constructing multiple types of condition sets that differ only in the related message information; (2) generating the mapping relationship between conditions and rules;
- The business rule referred to in the embodiment of the present invention is an execution policy of a service application, where a rule includes two parts: a condition and an action.
- Unified condition matching refers to performing condition matching uniformly over the multiple condition sets produced by hybrid orchestration; unified rule verification refers to performing rule matching uniformly over the hybrid-orchestrated rule set to verify which business rules match successfully.
- The purpose of unified condition matching and unified rule verification is to stop matching individual conditions and rules one by one, and instead to gather the multiple items of message feature information collected by the message scan together with the hybrid-orchestrated condition sets.
- The message feature information is then passed, by level, to the corresponding condition sets for condition verification; the condition verification results are reported to the rule matching module for unified rule matching to obtain the hit rules; and finally the business actions corresponding to the hit rules are executed.
- The multi-service policy processing method provided by the embodiment includes:
- A rule usually contains two parts, a condition and an action, and can be simply described as: Rule: if (condition set) then (action set). The condition set includes the conditions and the logical relationship between them, usually AND or OR; the action set includes a plurality of serial or parallel business actions corresponding to a rule, which may be written in sequence, for example: action 1; action 2. For simplicity, the embodiment of the present invention uses a rule with only one condition and one action as illustration: Rule 1: if (condition 1) then action 1. Rule 1 indicates that when condition 1 is satisfied, the corresponding action 1 is executed.
- Orchestrating together all the business rules corresponding to the multiple services includes:
- splitting each business rule into two parts, a condition and an action, and generating mapping relationship data for recording the mapping relationship between each of the business rules and the conditions in that business rule;
- The mapping relationship between the conditions in each business rule and the business rule needs to be recorded in the mapping relationship data.
- If the verification succeeds, the corresponding business rule has been matched, and the actions contained in that business rule can be triggered. In one embodiment, if the business rules include a composite rule with multiple conditions, it is not enough to record only the mapping relationship between each business rule and its conditions, because a condition does not uniquely correspond to a rule; in addition to the mapping relationship between each rule and its conditions, the logical relationship between the conditions in the same rule must also be recorded.
- "Mapping relationship data" is only a functional term. In a specific implementation, it can be a data table, a data file, or anything else that can store data.
- Classifying the de-duplicated conditions to obtain at least one type of condition set. Specifically, conditions having the same characteristics are grouped into one class; for example, the conditions that require IP address matching form one class, and the conditions that require URL matching form another.
- Conditions can also be classified by matching method, for example the conditions matched by regular expression.
- They can also be classified according to the level of message information; for example, the L3 conditions form one class and the L7 conditions form another.
- The conditions included in a business rule are not limited to conditions related to the feature information of the L1-L7 message data; they may also be a service event, a protocol type, a service result, and the like.
- S5014: Adjust the mapping relationship data so that each condition in the foregoing condition set is mapped to all the business rules that include the condition, so as to obtain the mapping relationship between the conditions in the condition set and the respective business rules.
- Since all the extracted conditions are de-duplicated in step S5022, the conditions in each condition set obtained after classification are unique. However, de-duplication also breaks the previously established mapping relationship data, so the mapping relationship data must be adjusted. After the adjustment, business rules containing the same condition are mapped to that one condition in the condition set; that is, each condition in the condition set is mapped to one or more business rules that include it.
- The method may further include: S5015, compiling each condition set obtained after the classification into a unified format;
- The classified condition sets are compiled, category by category, into a format supported by the condition matching engine.
- The mapping relationship data between the business rules and their conditions may be compiled into a format required by the rule matching engine. In addition, if there is a composite rule as described above, the logical relationship between the conditions in each composite rule is saved to the rule matching engine (or compiled into a format supported by the rule matching engine).
- The condition matching engine is mainly responsible for the unified verification of the various conditions, that is, verifying whether the conditions in the business rules are matched successfully.
- The condition matching engine can be implemented in software or in hardware logic and is not described further here.
- S502: Perform condition matching on the packet feature information of the received network data packet according to each constructed condition set, and output a condition matching result set; the condition matching result set is used to record the successfully matched conditions;
- The packet feature information of the network data packet specifically includes all the packet features related to the business rules of each service application, that is, the packet features that must be used when verifying whether the conditions in each business rule match.
- The information may specifically be L1-L7 information of the network data packet, such as URL information related to the conditions of URLF rules and quintuple information related to the conditions of IPS rules.
- The packet characteristic information of the network data packet may further include message characteristic information related to conditions such as service events, protocol types, and service results that can be used to determine whether a certain type of service action is performed.
- Condition matching includes: inputting the URL of the network packet into the URL condition set for matching, inputting the IP address of the network packet into the IP address condition set for matching, and at the same time inputting the application-layer protocol type of the network packet into the application-layer protocol type condition set for matching.
- The specific matching process compares the feature information of the network packet with the conditions of each condition set to determine whether it matches or satisfies them.
- The matching results of all the condition sets are aggregated into a "condition matching result set", which is finally reported to the rule matching engine. The condition matching result set mainly indicates which conditions have been matched successfully (hit); specifically, the successfully matched conditions may be included in the condition matching result set in the form of identifiers.
- S502 specifically includes:
- S5021: Perform packet detection on the received network data packet, to extract all the packet feature information required by the multiple service applications.
- The packet feature information required by a service application specifically refers to the packet feature information related to the business rules of that service application or, more specifically, the packet feature information corresponding to the conditions in those business rules, that is, the message feature information that must be used when verifying whether the conditions contained in the business rules are met.
- According to the mapping relationship between conditions and business rules recorded in the mapping relationship data, the rule matching engine can determine which business rules are matched successfully, that is, which rules are hit. If a business rule is a composite rule with multiple conditions, the rule matching engine must determine whether the rule is hit based on the mapping relationship between each business rule and its conditions and on the logical relationship between the conditions in each business rule. Finally, the business application corresponding to each successfully matched business rule is triggered to perform the action corresponding to that rule. It can be understood that the action may be triggered in any of the following ways:
- calling the service application to which the successfully matched business rule belongs to perform the action corresponding to that rule; or sending a rule hit message to the service application corresponding to the successfully matched business rule, so that the service application performs the action corresponding to the successfully matched business rule according to the rule hit message;
- or reporting the matching result of each business rule to the corresponding business application, so that the application determines, according to its own business rules and the matching result, whether to perform the action corresponding to the rule.
- The method for policy processing in the embodiment of the present invention orchestrates multiple service rules together, organizes all service rules uniformly, and extracts the information required by all services in one packet data scanning process, so that only one condition matching and rule verification process is required. This reduces redundant operations between multiple services, facilitates multi-service convergence on a single device, improves device integration and performance, reduces service deployment and device hardware costs, and improves the competitiveness of network devices.
- The following describes an apparatus embodiment for implementing the foregoing method.
- The embodiment of the present invention provides a network device.
- The network device 70 includes: a hybrid orchestrator 720, a condition matcher 730, and a rule matcher 740, wherein each business rule includes conditions and actions;
- The hybrid orchestrator 720 is configured to orchestrate together all the business rules corresponding to the multiple services running on the network device 70, to extract the conditions of all the business rules, construct at least one condition set using the extracted conditions, and generate mapping relationship data for recording the mapping relationship between each business rule and the conditions in the condition set;
- The condition matcher 730 is configured to perform condition matching on the packet feature information of the network data packet received by the network device 70 according to each condition set constructed by the hybrid orchestrator 720, and to output a condition matching result set; the condition matching result set is used to record the successfully matched conditions;
- The rule matcher 740 is configured to determine the successfully matched business rules according to the condition matching result set output by the condition matcher 730 and the mapping relationship data generated by the hybrid orchestrator 720, and to trigger the service application corresponding to each successfully matched business rule to perform the action corresponding to that rule.
- The hybrid orchestrator 720 specifically includes: a rule splitting unit 7201, a condition filtering de-duplication unit 7202, a condition classification unit 7203, and a mapping unit 7204;
- The rule splitting unit 7201 is mainly used to split each business rule in the multi-service rule set into conditions and actions; the multi-service rule set includes all business rules corresponding to one or more business applications running or deployed on the network device 70;
- The condition filtering de-duplication unit 7202 is configured to extract the conditions split out by the rule splitting unit 7201 and remove the repeated conditions;
- The condition classification unit 7203 is configured to classify the conditions de-duplicated by the condition filtering de-duplication unit 7202, to obtain at least one type of condition set;
- The condition classification unit 7203 groups conditions having the same characteristics into one class, for example grouping the conditions that require IP address matching into one class and the conditions that require URL matching into another.
- The conditions matched by regular expression can be grouped into one class, and conditions can also be classified according to the message information level.
- For example, the L3 conditions form one class, the L7 conditions form another, and so on.
- The conditions included in a business rule are not limited to conditions related to the feature information of the L1-L7 message data; they may also include a service event, a protocol type, a service result, and the like, that is, any policy condition that can be used to determine whether a certain type of business action is performed.
- The mapping unit 7204 is configured to generate mapping relationship data between the conditions in the condition set and each business rule.
- The mapping unit 7204 may directly map each condition in the condition set to all the business rules that include the condition, to obtain the mapping relationship data between the conditions in the condition set and the business rules. In another embodiment, when the rule splitting unit 7201 splits each of the business rules into conditions and actions, the mapping unit 7204 may generate mapping relationship data for recording the mapping relationship between each business rule and the conditions in that rule; after the condition filtering de-duplication unit 7202 removes the duplicate conditions, it adjusts the mapping relationship data so that each condition in the condition set is mapped to the one or more business rules that include the condition, thereby obtaining the mapping relationship between the conditions in the condition set and the respective business rules.
- the hybrid orchestrator 720 further includes: a compiling unit 7205, configured to separately compile the various types of condition sets obtained after the classification into a unified format; wherein the unified format is The format supported by the conditional matcher 730; correspondingly, the condition matcher 730 is specifically configured to perform the >3 ⁇ 4 text feature information of the network data packet received by the network device 70 according to the condition set of the unified format compiled by the compiling unit 7205. The conditions match, and the condition matches the result set.
- the compiling unit 7205 can also compile the mapping relationship data generated by the mapping unit 7204 into a format supported by the rule matcher 740; in addition, if there are composite-type rules as described above, the logical relationship between the conditions in each business rule needs to be saved into the rule matcher 740 (or compiled into a format supported by the rule matcher before being saved).
- the condition matcher 730 is specifically configured to match the packet feature information of the network data packet received by the network device 70 against the conditions in the respective condition sets, and to record the identifier information of each successfully matched condition in the condition matching result set.
- the feature information of the network data packet used for matching here specifically includes all packet feature information related to the service rules of the service applications running on the network device 70, that is, the message feature information corresponding to the conditions included in each service rule; the identifier of a condition uniquely represents the condition, and may be a number, a letter, a string, or the like.
- the condition matcher 730 performs uniform condition matching in the condition set of each category according to the feature type corresponding to the condition, the message feature information, and the like. It should be noted that the condition sets are not limited to condition sets related to the feature information of the L1-L7 message data, and may also include condition sets for other service events, protocol types, service results, and the like that can be used to determine whether a certain type of service action is performed.
- the processing flow of the condition matcher 730 is as follows: First, the network packet is processed and parsed by one or more processing units (as shown in FIG. 9).
- the network device 70 may further include: a detector 710, configured to perform packet detection on the received network data packet, to collect all the packets required for multiple services running on the network device.
- the condition matcher 730 is specifically configured to perform condition matching on the packet feature information of the network packet collected by the detector 710 according to each condition set constructed by the hybrid orchestrator 720, and output a condition matching result set.
- the detector 710 may be a plurality of message processing units, where each message processing unit is solely responsible for one type of message scanning, such as a processing unit dedicated to L3 processing, a processing unit dedicated to L7 processing, and so on; together, the message processing units extract all the packet feature information required by the plurality of services. This packet feature information is, specifically, the packet feature information related to all service rules corresponding to the service applications on the network device, or more specifically, the message feature information that must be used when verifying whether the various conditions included in the service rules match.
- the detector can also be a multi-function processor, such as a DPI module, that integrates L3-L7 processing and even other types of message processing functions.
- the detector 710 can be deployed inside the network device, or deployed outside the network device as a separate service module that communicates with the network device through a bus or other communication methods.
- condition matcher can be a separate matching engine, which can be implemented by a software algorithm or by hardware logic.
- the condition matcher may also be divided into multiple logical functional units and deployed to each message processing unit in a distributed manner.
- the hybrid orchestrator distributes the condition sets obtained by the classification to the corresponding message processing units according to the feature classification, and a condition matcher is deployed in each message processing unit. When a message processing unit extracts packet feature information, it reports it directly to the condition matcher in that message processing unit. If a condition matches successfully, the result is reported to the condition matching result set. As shown in FIG.
- the rule matcher 740 determines the business rules that have been successfully matched according to the condition matching result set and the mapping relationship, recorded in the mapping relationship data, between each business rule and the conditions in that business rule. It then invokes the service application to perform the action corresponding to the business rule. It should be noted that if the business rule is a "single condition rule" that includes only one condition, the rule matcher 740 determines which business rules match successfully, that is, which rules are hit, according to the condition matching result set and the mapping relationship, recorded in the mapping relationship data, between each business rule and the condition in the business rule, and then triggers the business application to perform the action corresponding to the hit rule; if the business rule exists
- the rule matcher 740 specifically matches the result set, the mapping relationship between each business rule recorded in the mapping relationship data and the conditions in the business rule, and each business rule.
- the rule matcher 740 may directly invoke, by means of a process/function call, the service application to which the successfully matched business rule belongs, to perform the action corresponding to the successfully matched business rule; or it may send a rule hit message to the service application corresponding to the successfully matched business rule, so that the service application performs, according to the rule hit message, the action corresponding to the successfully matched business rule. The rule hit message indicates that the business rule has been successfully matched.
- FIG. 12 shows a multi-service policy execution method for HTTP message URL information, performed by a network device according to an embodiment of the present invention.
- the network device in the embodiment of the present invention organizes all the service rules through a mixed arrangement of the multiple service rules, extracts the information required by all services in a single packet data scanning process, and only needs to perform a condition matching and rule verification process. This reduces redundant operations between multiple services, promotes multi-service convergence on a single device, improves device integration and performance, and reduces service deployment and device hardware costs, thereby improving the competitiveness of network devices.
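The three stages described above (hybrid orchestrator 720, condition matcher 730, rule matcher 740) can be followed end to end in the sketch below. It is an added illustration, not code from the patent or from any product: the rule format, the three match operators, the service and rule names, the sample packet features, and the treatment of a multi-condition rule as a logical AND of its conditions are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    layer: str   # feature class used for classification, e.g. "L3", "L4", "L7"
    field: str   # packet feature the condition tests
    op: str      # "eq", "prefix" or "contains" (assumed operator set)
    value: str


@dataclass(frozen=True)
class Rule:
    app: str            # service application that owns the rule
    name: str
    conditions: tuple   # assumption: every condition must match (logical AND)
    action: str


OPS = {
    "eq": lambda actual, want: actual == want,
    "prefix": lambda actual, want: actual.startswith(want),
    "contains": lambda actual, want: want in actual,
}


def orchestrate(rules):
    """Hybrid orchestrator: split rules, deduplicate and classify conditions, build the mapping."""
    cond_ids = {}                       # Condition -> id; dict lookup removes duplicates
    condition_sets = defaultdict(dict)  # layer -> {condition id: Condition}
    cond_to_rules = defaultdict(set)    # mapping data: condition id -> rule indexes
    needed = {}                         # rule index -> number of distinct conditions
    for idx, rule in enumerate(rules):
        ids = set()
        for cond in rule.conditions:
            if cond.op not in OPS:
                raise ValueError(f"rule {rule.name!r}: unknown operator {cond.op!r}")
            cid = cond_ids.setdefault(cond, len(cond_ids))
            condition_sets[cond.layer][cid] = cond
            cond_to_rules[cid].add(idx)
            ids.add(cid)
        needed[idx] = len(ids)
    return condition_sets, cond_to_rules, needed


def match_conditions(condition_sets, features):
    """Condition matcher: test each unique condition once, return the ids that matched."""
    matched = set()
    for conds in condition_sets.values():
        for cid, cond in conds.items():
            actual = features.get(cond.field)
            if actual is not None and OPS[cond.op](actual, cond.value):
                matched.add(cid)
    return matched


def match_rules(rules, cond_to_rules, needed, matched):
    """Rule matcher: a rule is hit when all of its distinct conditions are in the result set."""
    hits = defaultdict(int)
    for cid in matched:
        for idx in cond_to_rules[cid]:
            hits[idx] += 1
    return [(rules[i].app, rules[i].name, rules[i].action)
            for i in sorted(hits) if hits[i] == needed[i]]


# Constructed sample: three service applications whose rules share conditions.
HTTP = Condition("L7", "protocol", "eq", "http")
URL_VIDEO = Condition("L7", "url", "prefix", "video.example.com/")
DST_80 = Condition("L4", "dst_port", "eq", "80")
SRC_NET = Condition("L3", "src_ip", "prefix", "10.1.")  # string prefix, a simplification

RULES = [
    Rule("url_filter", "block-video", (HTTP, URL_VIDEO), "block"),
    Rule("qos", "limit-video", (URL_VIDEO, DST_80), "rate_limit"),
    Rule("firewall", "log-internal-http", (SRC_NET, HTTP), "log"),
    Rule("qos", "mark-web", (DST_80,), "mark_dscp"),
]

SAMPLE_PACKET = {  # constructed feature information, as a detector would report it
    "src_ip": "192.0.2.7", "dst_port": "80",
    "protocol": "http", "url": "video.example.com/clip",
}


def process(features, rules=RULES):
    """Run one packet's features through all three stages and return the hit rules."""
    condition_sets, cond_to_rules, needed = orchestrate(rules)
    matched = match_conditions(condition_sets, features)
    return match_rules(rules, cond_to_rules, needed, matched)


if __name__ == "__main__":
    for app, name, action in process(SAMPLE_PACKET):
        print(f"{app}: rule {name} hit -> {action}")
```

The four rules reference seven conditions but only four unique ones are evaluated per packet, which is the redundancy the mixed arrangement removes.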
- FIG. 13 is a schematic diagram of another network device according to an embodiment of the present invention. As shown in FIG. 13, the network device includes: at least one processor 1001, a memory 1002, a communication interface 1003, and a bus.
- the processor 1001, the memory 1002, and the communication interface 1003 are connected by a bus and complete communication with each other.
- the bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like.
- the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 12, but this does not mean that there is only one bus or one type of bus. Wherein:
- the memory 1002 is for storing executable program code, the program code including computer operating instructions.
- the memory 1002 may include a high speed RAM memory, and may also include a non-volatile memory, for example, at least one disk memory.
- processor 1001 runs a program corresponding to the executable program code by reading executable program code stored in memory 1002 for:
- each business rule includes conditions and actions; extracting the conditions of all the business rules, constructing at least one condition set from the extracted conditions, and generating mapping relationship data for recording a mapping relationship between each business rule and a condition in the condition set;
- performing condition matching on the packet feature information of the received network data packet according to each condition set constructed, and outputting a condition matching result set, where the condition matching result set is used to record the successfully matched conditions; and determining, according to the condition matching result set and the generated mapping relationship data, the business rules that are successfully matched, and triggering the service application corresponding to each successfully matched business rule to perform the action corresponding to that business rule.
- the processor 1001 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
- the foregoing processor 1001 may be used to perform other processes in the foregoing method embodiments, and details are not described herein again.
- the communication interface 1003 is mainly used to implement communication between the traffic source determining device of the present embodiment and other devices or apparatuses.
- the disclosed system, apparatus, and method may be implemented in other manners.
- the device embodiments described above are merely illustrative.
- the components displayed as units may or may not be physical units; that is, they may be located in one place, or may be distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
- each functional unit in the network device provided by each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
- the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
- the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
- the technical solution of the present invention, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, which includes a number of instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present invention.
- the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and other media that can store program code.
- a network device comprising: a hybrid orchestrator, a condition matcher, and a rule matcher, wherein:
- the hybrid orchestrator is configured to perform a mixed arrangement of all business rules corresponding to multiple business applications running on the network device, where each business rule includes conditions and actions, so as to extract the conditions of all the business rules, construct at least one condition set using the extracted conditions, and generate mapping relationship data for recording a mapping relationship between each business rule and a condition in the condition set;
- the condition matcher is configured to perform, according to each condition set constructed by the hybrid orchestrator, condition matching on the packet feature information of the network data packet received by the network device, and to output a condition matching result set; the condition matching result set is used to record the successfully matched conditions;
- the rule matcher is configured to determine, according to the condition matching result set and the mapping relationship data generated by the hybrid orchestrator, the business rules that are successfully matched, and to trigger the service application corresponding to each successfully matched business rule to perform the action corresponding to that business rule.
- hybrid orchestrator comprises:
- a rule splitting unit configured to split each of the business rules into conditions and actions
- condition classification unit configured to classify the conditions after the condition screening deduplication unit removes the repetition, to obtain a condition set of at least one type
- mapping unit configured to generate mapping relationship data for recording a mapping relationship between each business rule and a condition in the condition set.
- mapping unit is specifically configured to: map each condition in the condition set to all service rules that include the condition, to establish a mapping relationship between each business rule and the conditions of the condition set, and generate mapping relationship data for recording the mapping relationship;
Priority Applications (8)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
ES12876592.2T ES2624219T3 (es) | 2012-12-03 | 2012-12-03 | Policy processing method and network device |
EP12876592.2A EP2760158B1 (en) | 2012-12-03 | 2012-12-03 | Policy processing method and network device |
KR1020137031987A KR101489420B1 (ko) | 2012-12-03 | 2012-12-03 | Policy processing method and network device |
JP2014550617A JP5813252B2 (ja) | 2012-12-03 | 2012-12-03 | Policy processing method and network device |
CN201280003466.6A CN103688489B (zh) | 2012-12-03 | 2012-12-03 | Policy processing method and network device |
PCT/CN2012/085721 WO2014085952A1 (zh) | 2012-12-03 | 2012-12-03 | Policy processing method and network device |
US14/088,665 US9461888B2 (en) | 2012-12-03 | 2013-11-25 | Policy processing method and network device |
US15/269,381 US10225150B2 (en) | 2012-12-03 | 2016-09-19 | Policy processing method and network device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2012/085721 WO2014085952A1 (zh) | 2012-12-03 | 2012-12-03 | Policy processing method and network device |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/088,665 Continuation US9461888B2 (en) | 2012-12-03 | 2013-11-25 | Policy processing method and network device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014085952A1 (zh) | 2014-06-12 |
Family
ID=50323333
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2012/085721 WO2014085952A1 (zh) | Policy processing method and network device | 2012-12-03 | 2012-12-03 |
Country Status (7)
Country | Link |
---|---|
US (2) | US9461888B2 (zh) |
EP (1) | EP2760158B1 (zh) |
JP (1) | JP5813252B2 (zh) |
KR (1) | KR101489420B1 (zh) |
CN (1) | CN103688489B (zh) |
ES (1) | ES2624219T3 (zh) |
WO (1) | WO2014085952A1 (zh) |
-
2012
- 2012-12-03 WO PCT/CN2012/085721 patent/WO2014085952A1/zh active Application Filing
- 2012-12-03 KR KR1020137031987A patent/KR101489420B1/ko active IP Right Grant
- 2012-12-03 JP JP2014550617A patent/JP5813252B2/ja active Active
- 2012-12-03 EP EP12876592.2A patent/EP2760158B1/en active Active
- 2012-12-03 ES ES12876592.2T patent/ES2624219T3/es active Active
- 2012-12-03 CN CN201280003466.6A patent/CN103688489B/zh active Active
-
2013
- 2013-11-25 US US14/088,665 patent/US9461888B2/en active Active
-
2016
- 2016-09-19 US US15/269,381 patent/US10225150B2/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
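CN1829160A (zh) * | 2005-03-01 | 2006-09-06 | 联想(北京)有限公司 | Hybrid policy loading system and method for implementing policy management |
CN101192967A (zh) * | 2006-11-21 | 2008-06-04 | 中兴通讯股份有限公司 | Method for implementing resource control decisions |
CN101141295A (zh) * | 2007-03-02 | 2008-03-12 | 中兴通讯股份有限公司 | Policy management method |
CN101876994B (zh) * | 2009-12-22 | 2012-02-15 | 中国科学院软件研究所 | Method for establishing a multi-level optimized policy evaluation engine and method for implementing it |
CN102130965A (zh) * | 2011-04-13 | 2011-07-20 | 北京邮电大学 | Rule-engine-based dynamic service composition method and system |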
Non-Patent Citations (1)
Title |
---|
See also references of EP2760158A4 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2835943A4 (en) * | 2013-06-03 | 2015-05-27 | Huawei Tech Co Ltd | SERVICE PROCESS CONTROL METHOD AND NETWORK DEVICE |
AU2014277525B2 (en) * | 2013-06-03 | 2016-06-09 | Huawei Technologies Co., Ltd. | Service process control method and network device |
US9537982B2 (en) | 2013-06-03 | 2017-01-03 | Huawei Technologies Co., Ltd. | Service process control method and network device |
US10425510B2 (en) | 2013-06-03 | 2019-09-24 | Huawei Technologies Co., Ltd. | Service process control method and network device |
US11233884B2 (en) | 2013-06-03 | 2022-01-25 | Huawei Technologies Co., Ltd. | Service process control method and network device |
US11700322B2 (en) | 2013-06-03 | 2023-07-11 | Huawei Technologies Co., Ltd. | Service process control method and network device |
Also Published As
Publication number | Publication date |
---|---|
US20140156823A1 (en) | 2014-06-05 |
ES2624219T3 (es) | 2017-07-13 |
EP2760158B1 (en) | 2017-02-15 |
CN103688489B (zh) | 2017-02-22 |
US10225150B2 (en) | 2019-03-05 |
JP5813252B2 (ja) | 2015-11-17 |
CN103688489A (zh) | 2014-03-26 |
US20170005872A1 (en) | 2017-01-05 |
JP2015508538A (ja) | 2015-03-19 |
US9461888B2 (en) | 2016-10-04 |
KR20140098671A (ko) | 2014-08-08 |
EP2760158A4 (en) | 2015-03-25 |
EP2760158A1 (en) | 2014-07-30 |
KR101489420B1 (ko) | 2015-02-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2014085952A1 (zh) | | Policy processing method and network device |
US10841279B2 (en) | | Learning network topology and monitoring compliance with security goals |
CN107241186B (zh) | | Network device and method for network communication |
US20230336527A1 (en) | | Efficient Packet Capture for Cyber Threat Analysis |
US10021033B2 (en) | | Context driven policy based packet capture |
CN108701187B (zh) | | Apparatus and method for hybrid hardware-software distributed threat analysis |
EP3871392B1 (en) | | Network security system with enhanced traffic analysis based on feedback loop |
CN107683597B (zh) | | Network behavior data collection and analysis for anomaly detection |
US8528047B2 (en) | | Multilayer access control security system |
JP3954385B2 (ja) | | System, device and method for rapid packet filtering and packet processing |
CN103609070B (zh) | | Network traffic detection method, system, device and controller |
JP2008011537A (ja) | | Packet classification in a network security device |
US10868792B2 (en) | | Configuration of sub-interfaces to enable communication with external network devices |
JP2016508353A (ja) | | Improved streaming method and system for processing network metadata |
EP2321934B1 (en) | | System and device for distributed packet flow inspection and processing |
EP3718284B1 (en) | | Extending encrypted traffic analytics with traffic flow data |
CN112437070A (zh) | | Method and system for integrity verification calculation based on an operation spanning tree state machine |
JP2022546879A (ja) | | Network forensic system and network forensic method using the same |
CN115883574A (zh) | | Method and apparatus for identifying access devices in an industrial control network |
CN114978563B (zh) | | Method and apparatus for blocking IP addresses |
CN109462503A (zh) | | Data detection method and apparatus |
WO2022171380A1 (en) | | Anomaly detection |
CN116781303A (zh) | | DDoS attack protection method and related apparatus |
CN116032592A (zh) | | Network security detection method and apparatus for a server, and storage medium |
CN116827564A (zh) | | Threat event identification method and related apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | REEP | Request for entry into the European phase | Ref document number: 2012876592; Country of ref document: EP |
| | WWE | WIPO information: entry into national phase | Ref document number: 2012876592; Country of ref document: EP |
| | ENP | Entry into the national phase | Ref document number: 20137031987; Country of ref document: KR; Kind code of ref document: A |
| | ENP | Entry into the national phase | Ref document number: 2014550617; Country of ref document: JP; Kind code of ref document: A |
| | 121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 12876592; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |