WO2016101552A1 - Message detection method and device, and storage medium - Google Patents


Publication number
WO2016101552A1
Authority
WO
WIPO (PCT)
Prior art keywords
value
bit segment
detected
keyword
data
Application number
PCT/CN2015/081205
Inventor
陈钦树
Original Assignee
深圳市中兴微电子技术有限公司
Application filed by 深圳市中兴微电子技术有限公司


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks

Definitions

  • the present invention relates to packet switching technologies, and in particular, to a deep packet detection method and apparatus, and a storage medium.
  • Traditional IP packet traffic identification and Quality of Service (QoS) control technology analyzes only the source IP address, destination IP address, source port, destination port, and protocol type in the IP header to determine the basic information of the current traffic.
  • The traditional IP router also uses this information to achieve a certain degree of traffic identification and QoS guarantee, but it only analyzes the contents of the IP packet at Layer 4 and below, including the source IP address, destination IP address, source port, destination port, and protocol type. With the continuous enrichment of online application types, it is impossible to truly determine the application type in the traffic from the Layer 4 port information alone, and it is not possible to deal with applications that use open ports, random ports, or even encryption.
  • Deep packet inspection technology adds analysis of the application layer based on the analysis of the packet header. It is an application layer-based traffic detection and control technology.
  • When IP packets and TCP or UDP data flows pass through a bandwidth management system based on DPI technology, the system detects the application layer information in the seven-layer protocol of the open network reference model by reading deep into the contents of the IP packet payload, thereby obtaining the content of the entire application, and then performs shaping operations on the traffic according to the system-defined management policy.
  • Inspecting the data content of the entire message, searching for attack code or sensitive information in the data packet, is also an important measure for network security.
  • the detection efficiency of current message detection technology is generally low.
  • An embodiment of the present invention provides a packet detection method and apparatus, and a storage medium.
  • A message detection method, in which a transfer state database for keyword bit segment search is established, comprising:
  • the transfer state database is provided with bit segment rows covering all keywords and value columns of the transfer states set for the bit segments. At the intersection node of the column in which a bit segment of a keyword is located and the row in which the value of the transition state of the previous bit segment is located, the value of the transition state of the next bit segment of that bit segment is written; at the intersection node of the column of the last bit segment and the row in which the value of the transition state of the second-to-last bit segment is located, the value of the initial transition state of the keyword is written;
  • obtaining the data to be detected of the to-be-detected packet includes:
  • the packets to be inspected are classified, and the data to be detected in each packet that needs to be deeply detected is determined; the data to be detected is a part of the packet that needs to be deeply detected.
  • the searching for the keyword in the data to be detected in the database according to the bit segment in the data to be detected includes:
  • the value in the found junction node is the value of the initial transfer state, and it is determined that the data to be detected contains a keyword.
  • the method further includes:
  • Obtaining a second bit segment of the data to be detected; searching for the intersection node according to the value of the first bit segment and the initial transition state, and acquiring the value in the node; determining whether the value is the value of the initial transition state; when the value is the value of a non-initial transition state, continuing to search for the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the last bit segment of the data to be detected is reached, thereby determining all keywords in the data to be detected.
  • the searching for the keyword in the data to be detected in the database according to the bit segment in the data to be detected includes:
  • the value is incremented by one, and the value in the intersection node of the incremented value and the corresponding next bit segment in the data to be detected is looked up, including:
  • according to the average number of bit segments contained in a keyword, obtaining the intersection nodes of that average number of values following the value with the columns of the corresponding bit segments in the to-be-detected data.
  • a message detecting apparatus includes: an establishing unit, a setting unit, a writing unit, a searching unit, and an output unit, wherein:
  • a setting unit configured to set a transition state for each bit segment in the to-be-detected keyword, and the values of the initial transition states of each keyword are equal; the transition state of the first bit segment to the last bit segment in each keyword The values are consecutive, and the values of the transition states of the other bit segments except the value of the initial transition state in each keyword are not equal;
  • a writing unit configured to acquire all keywords and write a value of a transfer state of each bit segment in the keyword to the database
  • a search unit configured to acquire data to be detected of the to-be-detected packet, and search for a keyword in the database according to the bit segment in the data to be detected;
  • An output unit configured to output a test result.
  • the transfer state database is provided with bit segment rows covering all keywords and value columns of the transfer states set for the bit segments. At the intersection node of the column in which a bit segment of a keyword is located and the row in which the value of the transition state of the previous bit segment is located, the value of the transition state of the next bit segment of that bit segment is written; at the intersection node of the column of the last bit segment and the row in which the value of the transition state of the second-to-last bit segment is located, the value of the initial transition state of the keyword is written.
  • the searching unit is further configured to: determine, from the transmitted packets, the packets that need to be deeply detected; classify the packets that need to be deeply detected, and determine the data to be detected in each type of packet that needs to be deeply detected; wherein the data to be detected is part of a message requiring depth detection.
  • the searching unit is further configured to acquire a first bit segment of the data to be detected, and search for a node that meets according to the value of the first bit segment and the initial transition state, and obtain a value in the node. Determining whether the value is a value of an initial transition state, and when the value is a value of a non-initial transition state, continuing to find a node that meets the convergence according to the row in which the value is located and the column in which the second bit segment of the keyword is located, Until the value in the found junction node is the value of the initial transfer state, it is determined that the data to be detected contains a keyword.
  • the searching unit is configured to, when the value found according to the first bit segment and the value of the initial transition state is the value of the initial transition state, acquire a second bit segment of the data to be detected, search for the intersection node according to the value of the first bit segment and the initial transition state, and acquire the value in the node; determine whether the value is the value of the initial transition state; and, when the value is the value of a non-initial transition state, continue to search for the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the last bit segment of the data to be detected is reached, thereby determining all keywords in the data to be detected.
  • the searching unit is further configured to acquire a first bit segment of the data to be detected, and search for a node that meets according to the value of the first bit segment and the initial transition state, and obtain a value in the node. Determining whether the value is a value of an initial transition state, and when the value is a value of a non-initial transition state, continuing to find a node that meets the convergence according to the row in which the value is located and the column in which the second bit segment of the keyword is located, And, the value is incremented by one, and the value of the added value and the value of the intersection node of the corresponding next bit segment in the data to be detected are searched until the value of the found intersection node is the value of the initial transfer state. Or finding a last bit segment of the data to be detected, and determining a keyword in the data to be detected.
  • the searching unit is further configured to acquire, according to the average number of bit segments included in the keyword, the average number of bit segments after the value and the corresponding bit in the to-be-detected data.
  • the value of the transition state is set for each bit segment in the keyword to be detected, and the value of the transition state of each bit segment of each keyword is recorded in the database in a two-dimensional manner to facilitate subsequent treatment.
  • the data to be detected in the detection packet is detected to determine whether the message contains a keyword, and the detection result is output when included.
  • by setting a value table of a two-dimensional bit segment transition state for a keyword it is convenient and quick to find a keyword in a message, which greatly improves the efficiency of packet depth detection.
  • FIG. 1 is a flowchart of a packet detecting method according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of a deep packet detection transition state according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of a deep packet detection transition state database according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of data to be detected according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of an output result according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a packet detecting apparatus according to an embodiment of the present invention.
  • FIG. 1 is a flowchart of a packet detecting method according to an embodiment of the present invention. As shown in FIG. 1 , a packet detecting method according to an embodiment of the present invention includes the following steps:
  • Step 101 Establish a transfer state database for the key segment search.
  • The transfer state database is provided with bit segment rows covering all keywords and value columns of the transfer states set for the bit segments. At the intersection node of the column in which a bit segment of a keyword is located and the row in which the value of the transition state of the previous bit segment is located, the value of the transition state of the next bit segment of that bit segment is written; at the intersection node of the column of the last bit segment and the row in which the value of the transition state of the second-to-last bit segment is located, the value of the initial transition state of the keyword is written.
  • A transfer state database of the keywords to be detected needs to be established; the database records, as two-dimensional data, each bit segment in a keyword and the value of its corresponding transition state, as shown in Figure 3.
  • The values of the initial transfer states of all keywords are equal; the transition state values from the first bit segment to the last bit segment in each keyword are consecutive, and the values of the transition states of the bit segments, other than the value of the initial transition state, are not equal.
  • the initial transition state of the keyword and the transition state of each bit segment in the keyword are as shown in FIG. 2 .
  • Step 102 Acquire all keywords, and write the value of each bit segment in the keyword into the database; according to the value of the transfer state of the bit segment in the keyword and its corresponding bit segment, each keyword is The value of the transfer status of the bit segment is written to the database.
  • the values of all the acquired keywords and their corresponding transition states are written into the database.
  • the transition state database of the embodiment of the present invention is as shown in FIG. 3 .
  • Step 103 Acquire data to be detected of the to-be-detected packet, and search for a keyword in the database according to the bit segment in the to-be-detected data, and output a detection result.
  • Acquiring the data to be detected of the to-be-detected packet includes: determining, from the transmitted packets, the packets that need to be deeply detected; classifying the packets that need to be deeply detected, and determining the data to be detected in each type of packet that needs to be deeply detected; the data to be detected is part of a message requiring depth detection.
  • The destination MAC address, the source MAC address and the TAG type of the packet can be obtained according to the format of the packet, and the VLAN ID and the Ethernet type field are extracted according to the TAG type as the data to be detected.
  • the first and last characters to be detected are determined for the packet to be detected in depth, so as to avoid deep detection of the entire packet, thereby improving the efficiency of packet detection.
  • the searching for the keyword in the data to be detected in the database according to the value of the bit segment in the data to be detected and the value of the corresponding transfer state includes:
  • Searching the database, according to the value of the bit segment in the data to be detected and the value of the corresponding transfer state, for whether the data to be detected includes a keyword includes: acquiring a first bit segment of the data to be detected; searching for the intersection node according to the value of the first bit segment and the initial transition state, and acquiring the value in the node; determining whether the value is the value of the initial transition state; when the value is the value of a non-initial transition state, continuing to search for the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, and incrementing the value by one and looking up the value in the intersection node of the incremented value and the corresponding next bit segment in the data to be detected, until the value in the found intersection node is the value of the initial transition state or the last bit segment of the data to be detected is reached, thereby determining the keyword in the data to be detected.
  • Looking up the value in the intersection node of the incremented value and the corresponding next bit segment in the to-be-detected data includes:
  • according to the average number of bit segments contained in a keyword, obtaining the intersection nodes of that average number of values following the value with the columns of the corresponding bit segments in the to-be-detected data.
  • The problem addressed by the present invention is that deep message detection needs to compare all the information of the entire message and then process the message according to the result of the comparison, so deep packet inspection cannot meet the actual needs in data centers, core switches, and high-performance routers. At the same time, the transfer state database for the keywords used in deep message detection is generally large. Placing it in on-chip memory is too costly: a huge database in the internal memory of the chip makes the chip area too large and greatly reduces the manufacturing yield. Considering the cost factor, the deep packet detection transfer state database is generally stored in the DDR. However, due to the DDR timing characteristics, the efficiency of a single DDR read is relatively low, which cannot meet the requirements of a high-speed switch or a core router.
  • The patent filters the input packets through the access control list module, extracts the packets to be detected, and obtains the start byte and the end byte of the data to be detected according to the classification result, which greatly reduces the amount of data that the deep message detection device needs to inspect and improves the detection efficiency.
  • the deep message detection state is encoded and optimized, and the transition state corresponding to the average length of the keyword is read into the cache in advance by using the predictive transfer state technology, which greatly improves the packet detection efficiency and reduces the cost.
  • a keyword that needs to be matched is mapped as a transition condition to a transition state of deep packet detection.
  • The transfer states of the same keyword must be encoded consecutively. For example, if the keyword to be matched is hello, the initial transition state is 0 and the transition state of h is assumed to be 4, then the transition state of e must be 5, the transition state of the first l must be 6 and the transition state of the second l must be 7; o is the last byte of the keyword, so the next transition state is the initial transition state 0.
  • The generated deep message detection transfer state database is then written to the DDR.
  • the input data packet is processed by the packet parsing module to obtain information about the packet, such as the source destination MAC address, the source destination IP address, the protocol number, the Ethernet type, and the VLAN ID.
  • The information is classified and processed to obtain the traffic classification number corresponding to the packet. The traffic classification number is then used to obtain whether deep packet detection is required for the packet, the deep packet detection start byte and termination byte, and whether the packet to be inspected is a copy of the packet or the original packet.
  • The deep message detection transition state database is read and compared with the message, and the comparison result is output.
  • the transfer state database of each keyword to be detected is first established, and specifically includes the following steps:
  • Step 1 The user-configured keyword to be checked is mapped to a transition state map, and the initial state is generally set to 0.
  • the initial state may not be 0, but is generally set to 0 for convenience.
  • the bit segment can be selected from 8 bits.
  • the first 8 bits of the keyword are read as the condition for the transfer, and the next transfer state is assigned a value.
  • the bit segment is not limited to 8 bits, and may be any bit length.
  • the value of the transition state of the next bit segment can be randomly assigned, but cannot be a value already assigned. At the same time, the value of the transfer state of the bit segment in the same keyword must be continuously incremented.
  • The transition state corresponding to h is 4, the transition state corresponding to e is 5, the transition state corresponding to the first l is 6, the transition state corresponding to the second l is 7, and o is the last byte of the keyword, so the next transition state is the initial transition state 0; see the example shown in Figure 1.
  • The figure also shows the transfer state diagrams of the two keywords work and secret.
  • Step 2 Map the transfer state map generated in step 1 to the transfer state database.
  • The initial state and the first 8-bit byte of the keyword to be detected are taken as the address, and the content written is the next transition state S1 and its corresponding attribute; then the transition state S1 and the second 8-bit byte of the keyword are taken as the address, at which the next transfer state and its corresponding attribute are written; and so on, until the end of the keyword.
  • the last transition state corresponding to the keyword to be checked is the initial transition state and the corresponding rule number.
  • The hatched cells of the table are the content of the hello keyword in the transfer state database, the dotted cells are the content of the work keyword, and the double-grid cells are the content of the secret keyword.
  • Step 3: The generated transfer state database is written into the DDR by the CPU.
  • the deep packet detection process includes the following steps:
  • Step 1 The packet parsing module receives the packet input from the external interface, and then extracts the destination MAC address, the source MAC address, and the type of the TAG according to the format of the packet, and extracts the VLAN ID and the Ethernet type field according to the TAG type.
  • Step 2 According to the Ethernet type field obtained in step 1, it is determined whether the packet is an IPv4 packet, an IPv6 packet, or an MPLS packet, and then the corresponding field is extracted according to the parsed packet type. For example, IP packets are extracted from the destination IP address, source IP address, IP protocol number, IP TTL, IP DSCP, etc.; if it is an MPLS packet, the label of each layer is extracted, the priority of the label, and the TTL value corresponding to the label.
  • Step 3 According to the packet parsing result of step 1 and step 2 and the information about the obtained packet, the information is sent to the access control list module.
  • the access control list module compares the information with the user-configured access control list rules, classifies the incoming packets, and assigns a traffic classification number to each type of packet.
  • Step 4 According to the flow classification number obtained in step 3, the flow attribute table is used to obtain the attribute of the corresponding flow.
  • The attribute table includes, but is not limited to: whether to perform deep packet detection, the start byte of the deep packet detection, the termination byte of the deep packet detection, and whether the packet sent is the original message or a copied message.
  • The information about the deep packet detection is attached to the original data packet and sent to the deep packet detection module.
  • the format of the packet sent to the deep packet detection module is shown in FIG. 4 .
  • Step 5: According to the deep message detection start byte position, the deep packet detection module fetches the first byte W1 of the message and uses it together with the initial transition state S0 as the address for accessing the DDR. The byte of the message forms the lower bits of the DDR address and the initial transfer state S0 forms the upper bits, giving the address {S0, W1}.
  • This address is used to read the transfer state database stored in the DDR to get the next transfer state S1.
  • The 256 data entries corresponding to S0 are pre-read into the Cache, that is, all the columns corresponding to state 0 of the table in FIG. 2 are read into the Cache.
  • It is then determined whether the transition state S1 is equal to the initial transition state S0; if it is equal, go to step 6. Since the transition states corresponding to a keyword are consecutively coded, it can be foreseen that the value of S2 is S1+1 and the value of S3 is S2+1. If the transition state S1 and the initial transition state S0 are not equal, all the column data of the row corresponding to S1 in the transition state database, and of the subsequent (L-1) transition states, are read into the Cache, where L is the average length of the keywords to be found. It can be seen from Fig. 2 that each transition state corresponds to 256 columns of data, so a total of 256 x L transition state data entries are read.
  • Step 6: The transfer state S1 is used as the upper bits of the DDR address and the second byte W2 of the message under inspection is used as the lower bits, giving the address {S1, W2}. This address is used to access the Cache to read the corresponding transfer state S2. If S2 is found in the Cache, the read is successful. If S2 is not found in the Cache, the address {S1, W2} is used to access the DDR to obtain the transfer state S2. Because the next transition states corresponding to a keyword are all consecutively coded, the next transition state S3 is predicted to be S2+1, and the data of all columns corresponding to S3 and the subsequent (L-1) transition states are read into the Cache.
  • Step 7: Following the description in step 6, the search proceeds byte by byte from the start byte of the message until the message termination byte is reached or the keyword to be searched is matched, and then the search ends.
  • Whether the search ends at the termination byte or on matching the keyword to be searched is configurable through a register. Finally, the number corresponding to the matched keyword is reported to the CPU as a result or is carried in the header of the message.
  • the output message is shown in Figure 5.
  • Step 5 and Step 7 describe the working process of the deep packet inspection engine.
  • Deep packet detection requires a number of clock cycles to process a packet.
  • a detection engine generally cannot meet the needs of the data center or the core switch.
  • multiple engines need to complete the detection of packets in parallel.
  • the detected flow rate is related to the operating frequency of the chip.
  • the working process of each detection engine is as described in steps 5, 6, and 7.
  • For step 6 and step 7, an example is now used to illustrate the working process of the deep message detection engine.
  • The input message is kjkloworkcef, the keyword to be searched is work, the initial transfer state is 0, the deep message detection start byte is the 4th byte, the end byte is the 11th byte, and the average keyword length is 5.
  • In the first step, the deep packet detection module takes the 4th byte of the message and combines it with the initial transition state into {0, l} as the DDR address, reads the next transition state S1, which is 0, and at the same time reads all of row 0, the row of the initial transition state S0, into the Cache.
  • In the second step, the transfer state S1 obtained in the first step and the fifth byte o of the message are taken as the address {0, o}, and the next transfer state S2 is read directly from the Cache as 0. Since the corresponding transfer state can be found in the Cache and S2 is equal to the initial state, there is no need to read the transfer state database in the DDR.
  • In the third step, the transfer state S2 obtained in the second step and the sixth byte w of the message are taken as the address {0, w}, and the next transfer state S3 is read directly from the Cache as 10.
  • The corresponding transition state can again be found in the Cache, but the value of the transition state S3 is not equal to the initial state S0. Therefore, the data of S3 and of the four transition states following S3 are read into the Cache, that is, the data of rows 10 to 14 of the table.
  • In the fourth step, the transfer state S3 obtained in the third step and the 7th byte o of the message are taken as the address {10, o}, and the next transfer state S4 is read directly from the Cache as 11.
  • In the fifth step, the transfer state S4 obtained in the fourth step and the eighth byte r of the message are taken as the address {11, r}, and the next transfer state S5 is read directly from the Cache as 12.
  • In the sixth step, the transfer state S5 obtained in the fifth step and the ninth byte k of the message are taken as the address {12, k}, and the next transfer state S6 is read directly from the Cache as 0. At this point, the rule number of the work keyword can be obtained.
  • In the seventh step, the transfer state S6 obtained in the sixth step and the 10th byte c of the message are taken as the address {0, c}, and the next transfer state S7 is read directly from the Cache as 0.
  • In the eighth step, the transfer state S7 obtained in the seventh step and the eleventh byte e of the message are taken as the address {0, e}, and the next transfer state S8 is read directly from the Cache as 0. The deep packet detection termination position has now been reached, so the entire search process ends: the keyword work has been matched and the rule number corresponding to work has been obtained.
  • FIG. 6 is a schematic structural diagram of a packet detecting apparatus according to an embodiment of the present invention.
  • The packet detecting apparatus of the embodiment of the present invention includes an establishing unit 60, a setting unit 61, a writing unit 62, a searching unit 63, and an output unit 64, wherein:
  • the establishing unit 60 is configured to establish a transfer state database for keyword bit segment search, where the transfer state database is provided with bit segment rows covering all keywords and value columns of the transfer states set for the bit segments; at the intersection node of the column in which a bit segment of a keyword is located and the row in which the value of the transition state of the previous bit segment is located, the value of the transition state of the next bit segment of that bit segment is written, and at the intersection node of the column of the last bit segment and the row in which the value of the transition state of the second-to-last bit segment is located, the value of the initial transition state of the keyword is written;
  • the setting unit 61 is configured to set a transition state for each bit segment in the to-be-detected keyword, and the values of the initial transition states of each keyword are equal; the transition from the first bit segment to the last bit segment in each keyword The status values are consecutive, and the values of the transition states of the other bit segments except the value of the initial transition state in each keyword are not equal;
  • the writing unit 62 is configured to acquire all keywords, and write the value of the transfer state of each bit segment in the keyword to the database;
  • the searching unit 63 is configured to acquire data to be detected of the to-be-detected packet, and search for a keyword in the database according to the bit segment in the to-be-detected data.
  • the output unit 64 is configured to output a detection result.
  • the searching unit 63 is further configured to: determine, from the transmitted packets, the packets that require deep detection; classify the packets that require deep detection, and determine the to-be-detected data in each class of packets that require deep detection; wherein the to-be-detected data is a part of the packet that requires deep detection. Because the data segment to be deeply detected is determined within the to-be-detected packet, the entire packet does not need to be deeply detected, which improves the efficiency of deep detection.
  • the searching unit 63 is further configured to: acquire the first bit segment of the to-be-detected data; look up the intersection node according to the first bit segment and the initial transfer state value, and acquire the value in the node; determine whether the value is the initial transfer state value, and, when the value is not the initial transfer state value, continue to look up the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the value in the looked-up intersection node is the initial transfer state value, whereupon it is determined that the to-be-detected data contains a keyword.
  • the searching unit 63 is further configured, when the value in the intersection node looked up according to the first bit segment and the initial transfer state value is the initial transfer state value, to: acquire the second bit segment of the to-be-detected data, look up the intersection node according to the first bit segment and the initial transfer state value, and acquire the value in the node; determine whether the value is the initial transfer state value, and, when the value is not the initial transfer state value, continue to look up the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the last bit segment of the to-be-detected data has been searched, thereby determining all keywords in the to-be-detected data.
  • the searching unit 63 is further configured to: acquire the first bit segment of the to-be-detected data; look up the intersection node according to the first bit segment and the initial transfer state value, and acquire the value in the node; determine whether the value is the initial transfer state value, and, when the value is not the initial transfer state value, continue to look up the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, and, incrementing the value by one in turn, look up the value in the intersection node of the incremented value and the corresponding subsequent bit segment in the to-be-detected data, until a matching node is found.
  • the searching unit 63 is further configured to acquire, according to the average number of bit segments contained in the keywords, the values in the multiple intersection nodes of that average number of rows following the value and the columns in which the corresponding bit segments of the to-be-detected data are located.
  • The processing units in the packet detecting apparatus of the embodiment of the present invention can be understood by referring to the related description of the packet detecting method in the foregoing embodiment. Each of the processing units in the packet detecting apparatus of the embodiment of the present invention may be implemented by an analog circuit that implements the functions described in the embodiments of the present invention, or by running, on a smart device, software that executes the functions described in the embodiments of the present invention.
  • the embodiment of the invention further describes a storage medium in which a computer program is stored, the computer program being configured to execute the message detection method of the foregoing embodiments.
  • the disclosed method and smart device may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • in actual implementation there may be other division manners, for example: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the coupling, direct coupling, or communication connection between the components shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
  • the units described above as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated into one unit;
  • the unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
  • the foregoing storage medium includes: a mobile storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or another medium that can store application code.
  • the above-described integrated unit of the embodiment of the present invention may be stored in a computer readable storage medium if it is implemented in the form of a software function module and sold or used as a stand-alone product.
  • the technical solution of the embodiments of the present invention may, in essence, be embodied in the form of a software product that is stored in a storage medium and includes a plurality of instructions that cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the methods described in the various embodiments of the present invention.
  • the foregoing storage medium includes: a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like, which can store application code.
  • By setting a two-dimensional table of bit segment transfer state values for the keywords, finding keywords in a packet is convenient and fast, which greatly improves the efficiency of deep packet detection.

Abstract

Disclosed are a message detection method and device, and a storage medium. The method comprises: establishing a transfer state database for searching a bit period of a keyword; setting a transfer state for each bit period in a keyword to be detected, making the value of an initial transfer state of each keyword equal, making the transfer state values from the first bit period to the last bit period in each keyword continuous, and making the values of the transfer states of other bit periods except the value of the initial transfer state in each keyword unequal; acquiring all keywords, and writing the value of the transfer state of each bit period in the keywords into the database; and acquiring data to be detected in a message to be detected, searching, in the database, whether the keywords are included in the data to be detected according to the bit periods of the data to be detected, and outputting a detection result.

Description

Message detection method and device, storage medium

Technical field

The present invention relates to packet switching technologies, and in particular to a deep packet detection method and apparatus, and a storage medium.

Background

Traditional IP packet traffic identification and Quality of Service (QoS) control technology analyzes only information such as the source IP address, destination IP address, source port, destination port, and protocol type in the IP header to determine basic information about the current traffic. Traditional IP routers use exactly this information to achieve a certain degree of traffic identification and QoS guarantee, but they analyze only the content of the IP packet at layer 4 and below, including the source IP address, destination IP address, source port, destination port, and protocol type. As the types of online applications keep growing, layer-4 port information alone can no longer truly determine the application type in the traffic, let alone cope with application types that use open ports, random ports, or even encrypted transmission. Deep packet detection adds analysis of the application layer on top of header analysis; it is an application-layer-based traffic detection and control technology. When IP packets or TCP or UDP data streams pass through a bandwidth management system based on DPI technology, the system reads deep into the IP packet payload to inspect the application layer information of the seven-layer protocol of the open network reference model, thereby obtaining the content of the entire application, and then performs shaping operations on the traffic according to the management policy defined by the system. At the same time, inspecting the data content of the entire packet and searching the packet for attack code or sensitive information is also an important network security measure. However, the detection efficiency of current packet detection technology is generally low.
Summary of the invention

To solve the above technical problem, embodiments of the present invention provide a packet detection method and apparatus, and a storage medium.

The technical solution of the embodiments of the present invention is implemented as follows:

A packet detection method, in which a transfer state database for keyword bit segment lookup is established, the method comprising:

setting a transfer state for each bit segment in the keywords to be detected, where the initial transfer state value of every keyword is equal and the transfer state values from the first bit segment to the last bit segment in each keyword are consecutive;

acquiring all keywords, and writing the transfer state value of each bit segment in the keywords into the database;

acquiring the to-be-detected data of a to-be-detected packet, searching the database, according to the bit segments in the to-be-detected data, for whether the to-be-detected data contains a keyword, and outputting a detection result.
As an implementation manner, the transfer state database is provided with a row of the bit segments of all keywords and a column of the transfer state values set for the bit segments. For each keyword, the intersection node of the column in which a bit segment is located and the row in which the transfer state value of the preceding bit segment is located holds the transfer state value of the next bit segment; the intersection node of the column in which the last bit segment is located and the row in which the transfer state value of the second-to-last bit segment is located holds the keyword's initial transfer state value.

As an implementation manner, acquiring the to-be-detected data of the to-be-detected packet includes:

determining, from the transmitted packets, the packets that require deep detection;

classifying the packets that require deep detection, and determining the to-be-detected data in each class of packets that require deep detection; the to-be-detected data is a part of the packet that requires deep detection.
As an implementation manner, searching the database, according to the bit segments in the to-be-detected data, for whether the to-be-detected data contains a keyword includes:

acquiring the first bit segment of the to-be-detected data;

looking up the intersection node according to the first bit segment and the initial transfer state value, and acquiring the value in the node;

determining whether the value is the initial transfer state value; when the value is not the initial transfer state value, continuing to look up the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the value in the looked-up intersection node is the initial transfer state value, whereupon it is determined that the to-be-detected data contains a keyword.

As an implementation manner, when the value in the intersection node looked up according to the first bit segment and the initial transfer state value is the initial transfer state value, the method further includes:

acquiring the second bit segment of the to-be-detected data, looking up the intersection node according to the first bit segment and the initial transfer state value, and acquiring the value in the node; determining whether the value is the initial transfer state value; when the value is not the initial transfer state value, continuing to look up the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the last bit segment of the to-be-detected data has been searched, thereby determining all keywords in the to-be-detected data.
As an implementation manner, searching the database, according to the bit segments in the to-be-detected data, for whether the to-be-detected data contains a keyword includes:

acquiring the first bit segment of the to-be-detected data;

looking up the intersection node according to the first bit segment and the initial transfer state value, and acquiring the value in the node;

determining whether the value is the initial transfer state value; when the value is not the initial transfer state value, continuing to look up the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, and, incrementing the value by one in turn, looking up the value in the intersection node of the incremented value and the corresponding subsequent bit segment in the to-be-detected data, until the value in the looked-up intersection node is the initial transfer state value or the last bit segment of the to-be-detected data has been searched, thereby determining the keywords in the to-be-detected data.

As an implementation manner, incrementing the value by one in turn and looking up the value in the intersection node of the incremented value and the corresponding subsequent bit segment in the to-be-detected data includes:

according to the average number of bit segments contained in the keywords, acquiring the values in the multiple intersection nodes of that average number of rows following the value and the columns in which the corresponding bit segments of the to-be-detected data are located.
A packet detecting apparatus, including an establishing unit, a setting unit, a writing unit, a searching unit, and an output unit, wherein:

the establishing unit is configured to establish a transfer state database for keyword bit segment lookup;

the setting unit is configured to set a transfer state for each bit segment in the keywords to be detected, where the initial transfer state value of every keyword is equal, the transfer state values from the first bit segment to the last bit segment in each keyword are consecutive, and, apart from the initial transfer state value, the transfer state values of the bit segments in each keyword are not equal;

the writing unit is configured to acquire all keywords and write the transfer state value of each bit segment in the keywords into the database;

the searching unit is configured to acquire the to-be-detected data of the to-be-detected packet, and to search the database, according to the bit segments in the to-be-detected data, for whether the to-be-detected data contains a keyword;

the output unit is configured to output a detection result.
As an implementation manner, the transfer state database is provided with a row of the bit segments of all keywords and a column of the transfer state values set for the bit segments. For each keyword, the intersection node of the column in which a bit segment is located and the row in which the transfer state value of the preceding bit segment is located holds the transfer state value of the next bit segment; the intersection node of the column in which the last bit segment is located and the row in which the transfer state value of the second-to-last bit segment is located holds the keyword's initial transfer state value.

As an implementation manner, the searching unit is further configured to: determine, from the transmitted packets, the packets that require deep detection; classify the packets that require deep detection, and determine the to-be-detected data in each class of packets that require deep detection; wherein the to-be-detected data is a part of the packet that requires deep detection.

As an implementation manner, the searching unit is further configured to: acquire the first bit segment of the to-be-detected data; look up the intersection node according to the first bit segment and the initial transfer state value, and acquire the value in the node; determine whether the value is the initial transfer state value, and, when the value is not the initial transfer state value, continue to look up the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the value in the looked-up intersection node is the initial transfer state value, whereupon it is determined that the to-be-detected data contains a keyword.

As an implementation manner, the searching unit is further configured, when the value in the intersection node looked up according to the first bit segment and the initial transfer state value is the initial transfer state value, to: acquire the second bit segment of the to-be-detected data, look up the intersection node according to the first bit segment and the initial transfer state value, and acquire the value in the node; determine whether the value is the initial transfer state value, and, when the value is not the initial transfer state value, continue to look up the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the last bit segment of the to-be-detected data has been searched, thereby determining all keywords in the to-be-detected data.

As an implementation manner, the searching unit is further configured to: acquire the first bit segment of the to-be-detected data; look up the intersection node according to the first bit segment and the initial transfer state value, and acquire the value in the node; determine whether the value is the initial transfer state value, and, when the value is not the initial transfer state value, continue to look up the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, and, incrementing the value by one in turn, look up the value in the intersection node of the incremented value and the corresponding subsequent bit segment in the to-be-detected data, until the value in the looked-up intersection node is the initial transfer state value or the last bit segment of the to-be-detected data has been searched, thereby determining the keywords in the to-be-detected data.

As an implementation manner, the searching unit is further configured to acquire, according to the average number of bit segments contained in the keywords, the values in the multiple intersection nodes of that average number of rows following the value and the columns in which the corresponding bit segments of the to-be-detected data are located.

A storage medium in which a computer program is stored, the computer program being configured to execute the foregoing packet detection method.
In the embodiments of the present invention, a transfer state value is set for each bit segment in the keywords to be detected, and the transfer state values of the bit segments of each keyword are recorded in the database in two-dimensional form. This makes it easy to subsequently inspect the to-be-detected data in a to-be-detected packet, determine whether the packet contains a keyword, and output the detection result when it does. By setting a two-dimensional table of bit segment transfer state values for the keywords, finding keywords in a packet is convenient and fast, which greatly improves the efficiency of deep packet detection.
Brief description of the drawings

FIG. 1 is a flowchart of a packet detecting method according to an embodiment of the present invention;

FIG. 2 is a schematic diagram of deep packet detection transfer states according to an embodiment of the present invention;

FIG. 3 is a schematic diagram of a deep packet detection transfer state database according to an embodiment of the present invention;

FIG. 4 is a schematic diagram of data to be detected according to an embodiment of the present invention;

FIG. 5 is a schematic diagram of an output result according to an embodiment of the present invention;

FIG. 6 is a schematic structural diagram of a packet detecting apparatus according to an embodiment of the present invention.
Detailed description

To make the objectives, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that, provided there is no conflict, the embodiments in this application and the features in the embodiments may be combined with one another arbitrarily.

FIG. 1 is a flowchart of a packet detecting method according to an embodiment of the present invention. As shown in FIG. 1, the packet detecting method of the embodiment of the present invention includes the following steps:
Step 101: Establish a transfer state database for keyword bit segment lookup.

In the embodiment of the present invention, the transfer state database is provided with a row of the bit segments of all keywords and a column of the transfer state values set for the bit segments. For each keyword, the intersection node of the column in which a bit segment is located and the row in which the transfer state value of the preceding bit segment is located holds the transfer state value of the next bit segment; the intersection node of the column in which the last bit segment is located and the row in which the transfer state value of the second-to-last bit segment is located holds the keyword's initial transfer state value.

In the embodiment of the present invention, before deep packet detection is performed, a transfer state database of the keywords to be detected needs to be established. The database records, as two-dimensional data, each bit segment in the keywords and the transfer state value of its corresponding bit segment. The structure of the keyword transfer state database is shown in FIG. 3.

In the embodiment of the present invention, the initial transfer state value of every keyword is equal; the transfer state values from the first bit segment to the last bit segment in each keyword are consecutive, and, apart from the initial transfer state value, the transfer state values of the bit segments in each keyword are not equal.

The initial transfer state of a keyword and the transfer states of the bit segments in the keyword are shown in FIG. 2.

Step 102: Acquire all keywords, and write the value of each bit segment in the keywords into the database; according to the bit segments in the keywords and the transfer state values of their corresponding bit segments, the transfer state value of each bit segment in each keyword is written into the database.

In the embodiment of the present invention, after the database is established, all acquired keywords and their corresponding transfer state values are written into the database. The transfer state database of the embodiment of the present invention is shown in FIG. 3.

Step 103: Acquire the to-be-detected data of the to-be-detected packet, search the database, according to the bit segments in the to-be-detected data, for whether the to-be-detected data contains a keyword, and output a detection result.
In the embodiment of the present invention, acquiring the to-be-detected data of the to-be-detected packet includes: determining, from the transmitted packets, the packets that require deep detection; classifying the packets that require deep detection, and determining the to-be-detected data in each class of packets that require deep detection; the to-be-detected data is a part of the packet that requires deep detection. For example, the destination MAC address and source MAC address of a packet can be obtained according to the packet format, the TAG type determined accordingly, and the VLAN ID and Ethernet type fields extracted according to the TAG type as the to-be-detected data. In the embodiment of the present invention, the first and last characters to be detected are determined for a packet undergoing deep detection, which avoids deep detection of the entire packet and thereby improves the efficiency of packet detection.
In the embodiment of the present invention, searching the database, according to the bit segments in the to-be-detected data and their corresponding transfer state values, for whether the to-be-detected data contains a keyword includes:

acquiring the first bit segment of the to-be-detected data; looking up the intersection node according to the first bit segment and the initial transfer state value, and acquiring the value in the node; determining whether the value is the initial transfer state value; when the value is not the initial transfer state value, continuing to look up the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the value in the looked-up intersection node is the initial transfer state value, whereupon it is determined that the to-be-detected data contains a keyword.

When the value in the intersection node looked up according to the first bit segment and the initial transfer state value is the initial transfer state value, the second bit segment of the to-be-detected data is acquired, the intersection node is looked up according to the first bit segment and the initial transfer state value, and the value in the node is acquired; it is determined whether the value is the initial transfer state value; when the value is not the initial transfer state value, the lookup of the intersection node continues according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the last bit segment of the to-be-detected data has been searched, thereby determining all keywords in the to-be-detected data.
As another implementation, in this embodiment of the present invention, searching the database, according to the bit segments in the data to be detected and the values of their corresponding transition states, for whether the data to be detected contains a keyword includes: obtaining the first bit segment of the data to be detected; looking up the intersection node of the first bit segment and the value of the initial transition state, and obtaining the value in that node; determining whether the value is the value of the initial transition state; when the value is not the value of the initial transition state, continuing to look up the intersection node of the row in which the value is located and the column in which the second bit segment of the keyword is located, and successively adding one to the value and looking up the value in the intersection node of the incremented value and the corresponding next bit segment in the data to be detected, until the value in the intersection node found is the value of the initial transition state or the last bit segment of the data to be detected has been looked up, whereby the keywords in the data to be detected are determined.
Here, successively adding one to the value and looking up the value in the intersection node of the incremented value and the corresponding next bit segment in the data to be detected includes:
according to the average number of bit segments contained in a keyword, obtaining the values in the multiple intersection nodes formed by that average number of rows following the value and the columns of the corresponding bit segments in the data to be detected.
The essence of the technical solution of the embodiments of the present invention is further explained below through specific examples.
The purpose of the present invention is as follows. Deep packet inspection needs to compare all the information in the entire packet and then process the packet according to the result of the comparison. In data centers, core switches, high-performance routers and the like, deep packet inspection cannot meet practical needs. In addition, the transition state database for the keywords used in deep packet inspection is generally large. Placing it in on-chip memory is too costly, and putting such a large database in on-chip memory makes the chip area too large and greatly lowers manufacturing yield. For cost reasons, the deep packet inspection transition state database is therefore generally stored in DDR. Because of DDR timing characteristics, however, reading single entries from DDR is inefficient and cannot meet the requirements of a high-speed switch or core router. This patent filters incoming packets through the access list control module, extracts the packets that need inspection, and obtains from the classification result the start byte and end byte to be inspected in each packet. This greatly reduces the amount of data the deep packet inspection apparatus has to inspect and improves inspection efficiency. At the same time, the encoding of the deep packet inspection states is optimized: a transition state prediction technique pre-reads into the cache the transition states corresponding to the average keyword length, which greatly improves packet inspection efficiency and reduces cost.
In this embodiment of the present invention, the keywords to be matched serve as transition conditions and are mapped to deep packet inspection transition states. The transition states of a single keyword must be encoded consecutively. For example, if the keyword to be matched is hello, the initial transition state is 0 and the transition state for h is assumed to be 4, then the transition state for e must be 5, the transition state for the first l is 6 and the transition state for the second l must be 7; o is the last byte of the keyword, so the next transition state is the initial transition state 0. The deep packet inspection transition state database is then generated and written into the DDR.
The input data packet is processed by the packet parsing module to obtain information about the packet, such as the source and destination MAC addresses, the source and destination IP addresses, the protocol number, the Ethernet type and the VLAN ID. This information is classified to obtain the flow classification number corresponding to the packet. The flow classification number is used to obtain information such as whether the packet requires deep packet inspection, the start byte and end byte for deep packet inspection, and whether the inspected packet is a copied packet or the original packet.
From the start byte and end byte for keyword detection, information such as whether the inspected packet is a copied packet or the original packet is determined. The deep packet inspection transition state database is read and compared with the packet, and the comparison result is output.
In this embodiment of the present invention, a transition state database for the keywords to be detected must first be established, which specifically includes the following steps:
Step 1: The user-configured keywords to be checked are mapped to a transition state diagram. The initial state is generally set to 0; in this embodiment the initial state need not be 0, but it is generally set to 0 for convenience. In this embodiment a bit segment may be 8 bits. The first 8 bits of the keyword are read as the transition condition, and a value is assigned to the next transition state. The bit segment is not limited to 8 bits and may be of any bit length. The value of the transition state for the next bit segment may be assigned randomly, but must not be a value that has already been assigned. In addition, the transition state values of the bit segments within one keyword must be encoded in consecutively increasing order. For example, for the hello rule, if the transition state for h is 4, then the transition state for e is 5, the transition state for the first l is 6 and the transition state for the second l is 7; o is the last byte of the keyword, so the next transition state is the initial transition state 0. See the example shown in Figure 1, which also shows the transition state diagrams for the two keywords work and secret.
Step 2: The transition state diagram generated in step 1 is mapped to a transition state database. The initial state and the first 8-bit byte of the keyword to be detected form the address, and the content written there is the next transition state S1 and its attributes. The transition state S1 and the second 8-bit byte of the keyword then form the address at which the next transition state and its attributes are written, and so on until the end of the keyword is reached. The last transition state for a keyword to be checked is the initial transition state together with the corresponding rule number. As shown in Figure 2, the hatched cells are the contents of the hello keyword in the transition state database, the dotted cells are the contents of the work keyword, and the double-ruled cells are the contents of the secret keyword.
Step 3: The CPU writes the transition state database generated above into the DDR.
In this embodiment of the present invention, the deep packet inspection process includes the following steps:
Step 1: The packet parsing module receives a packet input from the external interface and then, according to the packet format, extracts the destination MAC address and the source MAC address, determines the TAG type, and extracts the VLAN ID, the Ethernet type field and so on according to the TAG type.
Step 2: The Ethernet type field obtained in step 1 is used to determine whether the packet is an IPv4 packet, an IPv6 packet, an MPLS packet or another type, and the corresponding fields are then extracted according to the packet type. For an IP packet, for example, the destination IP address, source IP address, IP protocol number, IP TTL, IP DSCP and so on are extracted; for an MPLS packet, the label of each layer, the priority of each label and the TTL value of each label are extracted.
Step 3: The packet parsing results and packet-related information obtained in steps 1 and 2 are sent to the access control list module. The access control list module compares this information with the user-configured access control list rules, classifies the input packets, and assigns a flow classification number to each class of packet.
Step 4: The flow classification number obtained in step 3 is used to access the flow attribute table and obtain the attributes of the corresponding flow. The attribute table includes, but is not limited to, whether deep packet inspection is required, the start byte for deep packet inspection, the end byte for deep packet inspection, and whether the packet sent for inspection is the original packet or a copied packet. It also holds other information unrelated to deep packet inspection, such as the flow's QoS, colour information, priority and rate-limit information. The information related to deep packet inspection is then prepended to the original data packet and sent to the deep packet inspection module; the format of the packet sent to the deep packet inspection module is shown in Figure 4.
Step 5: Starting at the deep packet inspection start byte position, the deep packet inspection module takes the first byte W1 of the packet and the initial transition state S0 as the address for accessing the DDR. The packet byte forms the low-order bits of the DDR address and the initial transition state S0 forms the high-order bits, so the address is {S0, W1}. This address is used to read the transition state database stored in the DDR and obtain the next transition state S1. At the same time, the 256 entries corresponding to S0 are pre-read into the cache, that is, all columns of the row for state 0 in the table of Figure 2 are read into the cache. It is then determined whether the transition state S1 equals the initial transition state S0; if they are equal, step 6 is executed. Because the transition states of a keyword are encoded consecutively, it can be predicted that the value of S2 is S1+1 and the value of S3 is S2+1. If S1 and S0 are not equal, all column data of the rows in the transition state database for S1 and the following (L-1) transition states are read into the cache, where L is the average length of the keywords to be searched. As Figure 2 shows, each transition state corresponds to 256 columns of data, so 256×L transition state entries are read in total.
Step 6: The transition state S1 forms the high-order bits of the DDR address and the second byte W2 of the packet to be inspected forms the low-order bits, so the address is {S1, W2}. This address is used to access the cache and read the corresponding transition state S2. If S2 is read from the cache, the read has succeeded. If S2 is not found in the cache, the address {S1, W2} is used to access the DDR and obtain the transition state S2; because the next transition states of a keyword are encoded consecutively, the next transition state S3 is predicted to be S2+1, and the data of all columns for S3 and the following (L-1) transition states are read into the cache.
Step 7: Following the description in step 6, the search proceeds byte by byte from the packet's start byte, ending either at the packet's end byte or once a keyword to be searched has been matched; whether the search always runs to the end byte or stops when a keyword is matched is configurable through a register. Finally, the number corresponding to the matched keyword is reported to the CPU as the result, or carried in the packet header and output. The output packet is shown in Figure 5.
Steps 5, 6 and 7 describe the working process of the deep packet inspection engine. Processing one packet in deep packet inspection takes multiple clock cycles, and a single inspection engine generally cannot meet the needs of a data center or core switch; multiple engines are usually required to inspect packets in parallel. The number of engines needed depends on the traffic to be inspected and on the operating frequency of the chip. Each inspection engine nevertheless works as described in steps 5, 6 and 7.
To better illustrate steps 5, 6 and 7, an example of the working process of the deep packet inspection engine follows. Assume that the input packet is kjkloworkcef, the keyword to be searched is work, the initial transition state is 0, the deep packet inspection start byte is the 4th byte, the end byte is the 11th byte, and the average keyword length is 5.
First step: the deep packet inspection module takes the 4th byte of the packet, l, and combines it with the initial transition state into {0, l} as the DDR address; the next transition state S1 read is 0. At the same time, the whole row for the initial transition state S0 = 0 is read into the cache.
Second step: the transition state S1 obtained in the first step and the 5th byte of the packet, o, form the address {0, o}, and the next transition state S2 is read directly from the cache as 0. Because the corresponding transition state is found in the cache and S2 equals the initial state, there is no need to read the transition state database in the DDR.
Third step: the transition state S2 obtained in the second step and the 6th byte of the packet, w, form the address {0, w}, and the next transition state S3 is read directly from the cache as 10. The corresponding transition state is again found in the cache, but the value of S3 does not equal the initial state S0. The data for S3 and the 4 transition states following S3 are therefore all read into the cache; that is, the data in rows 10 to 14 of the table are read into the cache.
Fourth step: the transition state S3 obtained in the third step and the 7th byte of the packet, o, form the address {10, o}, and the next transition state S4 is read directly from the cache as 11.
Fifth step: the transition state S4 obtained in the fourth step and the 8th byte of the packet, r, form the address {11, r}, and the next transition state S5 is read directly from the cache as 12.
Sixth step: the transition state S5 obtained in the fifth step and the 9th byte of the packet, k, form the address {12, k}, and the next transition state S6 is read directly from the cache as 0. At this point the rule number of the work keyword can be obtained.
Seventh step: the transition state S6 obtained in the sixth step and the 10th byte of the packet, c, form the address {0, c}, and the next transition state S7 is read directly from the cache as 0.
Eighth step: the transition state S7 obtained in the seventh step and the 11th byte of the packet, e, form the address {0, e}, and the next transition state S8 is read directly from the cache as 0. At this point the deep packet inspection end position has been reached and the whole search ends; the matching keyword work has been found and the rule number corresponding to work has been obtained.
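The table construction of steps 1 and 2 and the lookup of steps 5 to 7 can be traced in software. The following Python sketch is an added example, not code from the patent: it models the DDR table as a dictionary and the cache as a set of prefetched rows. The names build_table and scan, the rejection of conflicting cells, the treatment of unwritten cells as initial-state entries, and the prefetch policy (fetch avg_len rows whenever the next state's row is not yet cached) are assumptions of this sketch.

```python
INITIAL = 0  # initial transition state S0 (the page sets it to 0)


def build_table(keywords, first_states):
    """Map keywords to {(state, byte): (next_state, rule_id)}.

    keywords:     {rule_id: bytes}, one entry per keyword
    first_states: {rule_id: state entered after the keyword's first byte};
                  later states are numbered consecutively, as the page requires.
    """
    table, used = {}, set()
    for rule_id, word in keywords.items():
        if not word:
            raise ValueError(f"empty keyword for rule {rule_id!r}")
        state, nxt = INITIAL, first_states[rule_id]
        for i, byte in enumerate(word):
            if i == len(word) - 1:
                # Last byte: back to the initial state, tagged with the rule.
                entry = (INITIAL, rule_id)
            else:
                if nxt == INITIAL or nxt in used:
                    raise ValueError(f"state {nxt} is already assigned")
                used.add(nxt)
                entry = (nxt, None)
            key = (state, byte)
            # Assumption of this sketch: two keywords that need different
            # values in the same cell (e.g. a shared first byte) are rejected.
            if table.get(key, entry) != entry:
                raise ValueError(f"conflicting entry at {key}")
            table[key] = entry
            state, nxt = nxt, nxt + 1
    return table


def scan(table, packet, start, end, avg_len, stop_on_first=False):
    """Scan packet bytes start..end (1-based, inclusive, as on the page).

    Returns the matches as (rule_id, position of the keyword's last byte),
    the sequence of states read, and counters for the modelled DDR and cache.
    """
    if start < 1:
        raise ValueError("start is a 1-based byte position")
    cached_rows = set()
    stats = {"ddr_reads": 0, "cache_hits": 0, "rows_prefetched": 0}

    def prefetch(first_row, count):
        for row in range(first_row, first_row + count):
            if row not in cached_rows:
                cached_rows.add(row)
                stats["rows_prefetched"] += 1

    state, trace, matches = INITIAL, [], []
    for pos in range(start, min(end, len(packet)) + 1):
        byte = packet[pos - 1]
        if state in cached_rows:
            stats["cache_hits"] += 1
        else:
            # Miss: single read at address {state, byte}, then keep the row.
            stats["ddr_reads"] += 1
            prefetch(state, 1)
        # Assumption: cells never written hold the initial state, no rule.
        state, rule_id = table.get((state, byte), (INITIAL, None))
        trace.append(state)
        if rule_id is not None:
            matches.append((rule_id, pos))
            if stop_on_first:  # models the register-configurable early stop
                break
        elif state != INITIAL and state not in cached_rows:
            # States of one keyword are consecutive, so the next avg_len
            # rows are the ones most likely to be needed.
            prefetch(state, avg_len)
    return {"matches": matches, "trace": trace, "stats": stats}


# State numbers taken from the page's examples: hello starts at 4, work at 10.
TABLE = build_table({"hello": b"hello", "work": b"work"},
                    {"hello": 4, "work": 10})

if __name__ == "__main__":
    print(scan(TABLE, b"kjkloworkcef", start=4, end=11, avg_len=5))
```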
Figure 6 is a schematic structural diagram of the packet detection apparatus according to an embodiment of the present invention. As shown in Figure 6, the packet detection apparatus of this embodiment includes an establishing unit 60, a setting unit 61, a writing unit 62, a searching unit 63 and an output unit 64, wherein:
the establishing unit 60 is configured to establish a transition state database for keyword bit segment lookup, the transition state database being provided with bit segment rows covering all keywords and value columns of the transition states set for the bit segments; at the intersection node of the column in which a bit segment of a keyword is located and the row in which the transition state value of the preceding bit segment is located, the transition state value of the bit segment following that bit segment is written; and at the intersection node of the column in which the last bit segment is located and the row in which the transition state value of the penultimate bit segment is located, the value of the keyword's initial transition state is written;
the setting unit 61 is configured to set a transition state for each bit segment in the keywords to be detected, the values of the initial transition state of all keywords being equal; the transition state values from the first bit segment to the last bit segment of each keyword are consecutive, and the transition state values of the bit segments in each keyword, other than the value of the initial transition state, are not equal to one another;
the writing unit 62 is configured to obtain all keywords and write the transition state value of each bit segment of the keywords into the database;
the searching unit 63 is configured to obtain the data to be detected of a packet to be detected and, according to the bit segments in the data to be detected, search the database for whether the data to be detected contains a keyword;
the output unit 64 is configured to output the detection result.
In this embodiment of the present invention, the searching unit 63 is further configured to determine, from the transmitted packets, the packets that require deep inspection; to classify the packets that require deep inspection; and to determine the data to be detected in each class of packet requiring deep inspection, the data to be detected being a part of the packet requiring deep inspection. Because the data segment to be deeply inspected is determined within the packet to be detected, the entire packet need not be deeply inspected, which improves the efficiency of deep inspection.
In this embodiment of the present invention, the searching unit 63 is further configured to obtain the first bit segment of the data to be detected; look up the intersection node of the first bit segment and the value of the initial transition state, and obtain the value in that node; determine whether the value is the value of the initial transition state; and, when the value is not the value of the initial transition state, continue to look up the intersection node of the row in which the value is located and the column in which the second bit segment of the keyword is located, until the value in the intersection node found is the value of the initial transition state, whereupon it is determined that the data to be detected contains a keyword.
In this embodiment of the present invention, when the value in the intersection node of the first bit segment and the value of the initial transition state is the value of the initial transition state, the searching unit 63 is further configured to obtain the second bit segment of the data to be detected; look up the intersection node according to the first bit segment and the value of the initial transition state, and obtain the value in the node; determine whether the value is the value of the initial transition state; and, when the value is not the value of the initial transition state, continue to look up the intersection node of the row in which the value is located and the column in which the second bit segment of the keyword is located, until the last bit segment of the data to be detected has been looked up, whereby all keywords in the data to be detected are determined.
Alternatively, in this embodiment of the present invention, the searching unit 63 is further configured to obtain the first bit segment of the data to be detected; look up the intersection node of the first bit segment and the value of the initial transition state, and obtain the value in that node; determine whether the value is the value of the initial transition state; when the value is not the value of the initial transition state, continue to look up the intersection node of the row in which the value is located and the column in which the second bit segment of the keyword is located, and successively add one to the value and look up the value in the intersection node of the incremented value and the corresponding next bit segment in the data to be detected, until the value in the intersection node found is the value of the initial transition state or the last bit segment of the data to be detected has been looked up, whereby the keywords in the data to be detected are determined. The searching unit 63 is further configured to obtain, according to the average number of bit segments contained in a keyword, the values in the multiple intersection nodes formed by that average number of rows following the value and the columns of the corresponding bit segments in the data to be detected.
Those skilled in the art should understand that the functions of the processing units in the packet detection apparatus of this embodiment can be understood with reference to the description of the packet detection method in the foregoing embodiments. Each processing unit in the packet detection apparatus of this embodiment may be implemented by an analog circuit that realizes the functions described in the embodiments of the present invention, or by software that performs those functions running on a smart device.
An embodiment of the present invention further describes a storage medium in which a computer program is stored, the computer program being configured to execute the packet detection method of the foregoing embodiments.
In the several embodiments provided by the present invention, it should be understood that the disclosed method and smart device may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units is only a division by logical function; in an actual implementation there may be other divisions: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through interfaces, and the indirect coupling or communication connection between devices or units may be electrical, mechanical or of another form.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may all be integrated into one processing unit, each unit may stand alone as a separate unit, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware, or in the form of hardware plus software functional units.
Those of ordinary skill in the art will understand that all or some of the steps of the above method embodiments may be carried out by hardware under the instruction of an application. The application may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store application code, such as a removable storage device, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
Alternatively, if the integrated unit of the embodiments of the present invention is implemented as a software functional module and sold or used as a stand-alone product, it may also be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied as a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the methods described in the embodiments of the present invention. The storage medium includes any medium that can store application code, such as a removable storage device, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The above are only specific embodiments of the present invention, and the scope of protection of the present invention is not limited to them. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention.
Industrial applicability
By setting a two-dimensional value table of bit-segment transition states for the keywords, the embodiments of the present invention make searching for keywords in a message convenient and fast, and greatly improve the efficiency of deep message detection.

Claims (15)

  1. A message detection method, in which a transition state database for keyword bit-segment lookup is established, the method comprising:
    setting a transition state for each bit segment in the keywords to be detected, wherein the values of the initial transition states of all keywords are equal, and the transition state values from the first bit segment to the last bit segment of each keyword are consecutive;
    obtaining all keywords, and writing the value of the transition state of each bit segment in the keywords into the database;
    obtaining the data to be detected of a message to be detected, looking up in the database, according to the bit segments in the data to be detected, whether the data to be detected contains a keyword, and outputting the detection result.
  2. The method according to claim 1, wherein the transition state database is provided with a bit-segment row covering all keywords and a value column of the transition states set for the bit segments; at the intersection node of the column in which each bit segment of a keyword is located and the row in which the value of the transition state of the preceding bit segment is located, the value of the transition state of the bit segment following that bit segment is written; and at the intersection node of the column in which the last bit segment is located and the row in which the value of the transition state of the second-to-last bit segment is located, the value of the initial transition state of the keyword is written.
  3. The method according to claim 1, wherein obtaining the data to be detected of the message to be detected comprises:
    determining, from the transmitted messages, the messages requiring deep detection;
    classifying the messages requiring deep detection, and determining the data to be detected in each class of message requiring deep detection, the data to be detected being a part of the message requiring deep detection.
  4. The method according to claim 1, wherein looking up in the database, according to the bit segments in the data to be detected, whether the data to be detected contains a keyword comprises:
    obtaining the first bit segment of the data to be detected;
    looking up the intersection node according to the first bit segment and the value of the initial transition state, and obtaining the value in the node;
    determining whether the value is the value of the initial transition state; when the value is not the value of the initial transition state, continuing to look up intersection nodes according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the value in the looked-up intersection node is the value of the initial transition state, and determining that the data to be detected contains a keyword.
  5. The method according to claim 4, wherein, when the value in the intersection node looked up with the first bit segment and the value of the initial transition state is the value of the initial transition state, the method further comprises:
    obtaining the second bit segment of the data to be detected, looking up the intersection node according to the first bit segment and the value of the initial transition state, and obtaining the value in the node; determining whether the value is the value of the initial transition state; when the value is not the value of the initial transition state, continuing to look up intersection nodes according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the last bit segment of the data to be detected has been looked up, and determining all keywords in the data to be detected.
  6. The method according to claim 1, wherein looking up in the database, according to the bit segments in the data to be detected, whether the data to be detected contains a keyword comprises:
    obtaining the first bit segment of the data to be detected;
    looking up the intersection node according to the first bit segment and the value of the initial transition state, and obtaining the value in the node;
    determining whether the value is the value of the initial transition state; when the value is not the value of the initial transition state, continuing to look up intersection nodes according to the row in which the value is located and the column in which the second bit segment of the keyword is located, and incrementing the value by one in turn and looking up the value in the intersection node of the incremented value and the corresponding following bit segment in the data to be detected, until the value in the looked-up intersection node is the value of the initial transition state or the last bit segment of the data to be detected has been looked up, and determining the keywords in the data to be detected.
  7. The method according to claim 6, wherein incrementing the value by one in turn and looking up the value in the intersection node of the incremented value and the corresponding following bit segment in the data to be detected comprises:
    according to the average number of bit segments contained in a keyword, obtaining the values in the multiple intersection nodes of that average number of rows following the value and the columns in which the corresponding bit segments of the data to be detected are located.
  8. A message detection device, comprising an establishing unit, a setting unit, a writing unit, a lookup unit and an output unit, wherein:
    the establishing unit is configured to establish a transition state database for keyword bit-segment lookup;
    the setting unit is configured to set a transition state for each bit segment in the keywords to be detected, wherein the values of the initial transition states of all keywords are equal, the transition state values from the first bit segment to the last bit segment of each keyword are consecutive, and the values of the transition states of the bit segments in each keyword, other than the value of the initial transition state, are not equal;
    the writing unit is configured to obtain all keywords and write the value of the transition state of each bit segment in the keywords into the database;
    the lookup unit is configured to obtain the data to be detected of a message to be detected, and to look up in the database, according to the bit segments in the data to be detected, whether the data to be detected contains a keyword;
    the output unit is configured to output the detection result.
  9. The device according to claim 8, wherein the transition state database is provided with a bit-segment row covering all keywords and a value column of the transition states set for the bit segments; at the intersection node of the column in which each bit segment of a keyword is located and the row in which the value of the transition state of the preceding bit segment is located, the value of the transition state of the bit segment following that bit segment is written; and at the intersection node of the column in which the last bit segment is located and the row in which the value of the transition state of the second-to-last bit segment is located, the value of the initial transition state of the keyword is written.
  10. The device according to claim 8, wherein the lookup unit is further configured to determine, from the transmitted messages, the messages requiring deep detection; and to classify the messages requiring deep detection and determine the data to be detected in each class of message requiring deep detection, the data to be detected being a part of the message requiring deep detection.
  11. The device according to claim 8, wherein the lookup unit is further configured to obtain the first bit segment of the data to be detected; to look up the intersection node according to the first bit segment and the value of the initial transition state, and obtain the value in the node; and to determine whether the value is the value of the initial transition state and, when the value is not the value of the initial transition state, to continue looking up intersection nodes according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the value in the looked-up intersection node is the value of the initial transition state, and determine that the data to be detected contains a keyword.
  12. The device according to claim 10, wherein the lookup unit is further configured, when the value in the intersection node looked up with the first bit segment and the value of the initial transition state is the value of the initial transition state, to obtain the second bit segment of the data to be detected, look up the intersection node according to the first bit segment and the value of the initial transition state, and obtain the value in the node; and to determine whether the value is the value of the initial transition state and, when the value is not the value of the initial transition state, to continue looking up intersection nodes according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the last bit segment of the data to be detected has been looked up, and determine all keywords in the data to be detected.
  13. The device according to claim 8, wherein the lookup unit is further configured to obtain the first bit segment of the data to be detected; to look up the intersection node according to the first bit segment and the value of the initial transition state, and obtain the value in the node; and to determine whether the value is the value of the initial transition state and, when the value is not the value of the initial transition state, to continue looking up intersection nodes according to the row in which the value is located and the column in which the second bit segment of the keyword is located, and to increment the value by one in turn and look up the value in the intersection node of the incremented value and the corresponding following bit segment in the data to be detected, until the value in the looked-up intersection node is the value of the initial transition state or the last bit segment of the data to be detected has been looked up, and determine the keywords in the data to be detected.
  14. The device according to claim 13, wherein the lookup unit is further configured to obtain, according to the average number of bit segments contained in a keyword, the values in the multiple intersection nodes of that average number of rows following the value and the columns in which the corresponding bit segments of the data to be detected are located.
  15. A storage medium storing a computer program, the computer program being configured to execute the message detection method according to any one of claims 1 to 7.
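
The table layout of claim 2 and the lookup loop of claims 4 and 5 can be sketched as follows. This is an added example, not code from the patent. It assumes 8-bit bit segments, an initial state value of 0, a separate `EMPTY` marker for unused cells, and keywords that do not share a first segment; the claims specify none of these, and the keywords and input are constructed.

```python
INITIAL = 0           # initial transition state value, equal for every keyword (claim 1)
EMPTY = -1            # assumption: marker for cells no keyword uses; not defined in the claims
SEGMENT_VALUES = 256  # assumption: one bit segment is one 8-bit byte


def build_table(keywords):
    """Rows are transition state values, columns are bit-segment values (claim 2)."""
    table = [[EMPTY] * SEGMENT_VALUES]  # row 0 is the initial state
    for kw in keywords:
        if len(kw) < 2:
            raise ValueError("sketch expects at least two bit segments per keyword")
        if table[INITIAL][kw[0]] != EMPTY:
            raise ValueError("two keywords share a first segment; not handled here")
        row = INITIAL
        for seg in kw[:-1]:
            table.append([EMPTY] * SEGMENT_VALUES)
            table[row][seg] = len(table) - 1  # next consecutive state value
            row = len(table) - 1
        table[row][kw[-1]] = INITIAL  # last segment writes the initial value back
    return table


def find_keywords(table, data):
    """Return (offset, length) for every keyword found in data (claims 4 and 5)."""
    hits = []
    for start in range(len(data)):      # claim 5: move on to the next segment
        state = INITIAL
        for pos in range(start, len(data)):
            state = table[state][data[pos]]
            if state == EMPTY:          # no keyword continues with this segment
                break
            if state == INITIAL:        # claim 4: initial value reached, keyword found
                hits.append((start, pos - start + 1))
                break
    return hits


# Constructed sample input, not taken from the patent.
SAMPLE_KEYWORDS = [b"USER", b"PASS"]
SAMPLE_DATA = b"USER alice\r\nUSEPASS x\r\n"

if __name__ == "__main__":
    tbl = build_table(SAMPLE_KEYWORDS)
    for offset, length in find_keywords(tbl, SAMPLE_DATA):
        print(offset, SAMPLE_DATA[offset:offset + length])
```

The second line of the sample breaks off a partial `USE` match, so the scan has to restart from the initial state before it finds `PASS`.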
PCT/CN2015/081205 2014-12-25 2015-06-10 Message detection method and device, and storage medium WO2016101552A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410827248.5 2014-12-25
CN201410827248.5A CN105791124B (en) 2014-12-25 2014-12-25 Message detecting method and device

Publications (1)

Publication Number Publication Date
WO2016101552A1 true WO2016101552A1 (en) 2016-06-30

Family

ID=56149117

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/081205 WO2016101552A1 (en) 2014-12-25 2015-06-10 Message detection method and device, and storage medium

Country Status (2)

Country Link
CN (1) CN105791124B (en)
WO (1) WO2016101552A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110995694B (en) * 2019-11-28 2021-10-12 新华三半导体技术有限公司 Network message detection method, device, network security equipment and storage medium
CN112187639B (en) * 2020-08-31 2021-11-19 西安交通大学 Method and system for generating data packet path code based on stream attribute

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101551803A (en) * 2008-03-31 2009-10-07 华为技术有限公司 Method and device for establishing pattern matching state machine and pattern recognition
US20130108160A1 (en) * 2011-03-07 2013-05-02 Ntt Docomo, Inc. Character recognition device, character recognition method, character recognition system, and character recognition program
CN103093147A (en) * 2011-11-02 2013-05-08 中国移动通信集团广东有限公司 Method and electronic device for identifying information
CN104077358A (en) * 2014-06-03 2014-10-01 南京大学 Automata method for finding large number of short text information

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1909502B (en) * 2005-08-01 2010-05-05 中兴通讯股份有限公司 Device and method for fast positioning of data stream message head


Also Published As

Publication number Publication date
CN105791124A (en) 2016-07-20
CN105791124B (en) 2019-04-30

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15871627

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15871627

Country of ref document: EP

Kind code of ref document: A1