WO2016101552A1 - Message detection method and device, and storage medium - Google Patents

Message detection method and device, and storage medium

Info

Publication number
WO2016101552A1
Authority
WO
WIPO (PCT)
Prior art keywords
value
bit segment
detected
keyword
data
Prior art date
Application number
PCT/CN2015/081205
Other languages
English (en)
Chinese (zh)
Inventor
陈钦树
Original Assignee
深圳市中兴微电子技术有限公司
Priority date
Filing date
Publication date
Application filed by 深圳市中兴微电子技术有限公司
Publication of WO2016101552A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks

Definitions

  • The present invention relates to packet switching technologies, and in particular to a deep packet detection method and apparatus, and a storage medium.
  • Traditional IP packet traffic identification and Quality of Service (QoS) control technology analyzes only the source IP address, destination IP address, source port, destination port, and protocol type in the IP header to determine the basic information of the current traffic.
  • The traditional IP router also uses this information to achieve a certain degree of traffic identification and QoS guarantee, but it analyzes only the contents of the IP packet at Layer 4 and below, namely the source IP address, destination IP address, source port, destination port, and protocol type. As online application types keep multiplying, the Layer 4 port information alone can no longer determine the real application type in the traffic, and it cannot deal with applications that use open ports, random ports, or even encryption.
  • Deep packet inspection (DPI) technology adds analysis of the application layer to the analysis of the packet header. It is an application-layer-based traffic detection and control technology.
  • When IP packets and TCP or UDP data flows pass through a bandwidth management system based on DPI technology, the system reads deep into the IP packet payload to detect the application-layer information of the seven-layer open network reference model, thereby obtaining the content of the entire application, and then performs shaping operations on the traffic according to the management policy defined by the system.
  • Detecting the data content of the entire message and searching for attack code or sensitive information in the data packet is also an important measure for network security.
  • The detection efficiency of current message detection technology is generally low.
  • An embodiment of the present invention provides a packet detection method and apparatus, and a storage medium.
  • A message detection method, in which a transfer state database for keyword bit segment search is established, comprising:
  • The transfer state database is provided with a bit segment row including all keywords and a value column of the transition states set for the bit segments. At the intersection node of the column in which a bit segment of a keyword is located and the row in which the value of the transition state of the previous bit segment is located, the value of the transition state of the next bit segment is written; at the intersection node of the column in which the last bit segment is located and the row in which the value of the transition state of the second-to-last bit segment is located, the value of the initial transition state of the keyword is written;
  • the data to be detected of the to-be-detected packet is obtained, including:
  • the packets to be inspected are classified, and the data to be detected in the packets that need to be deeply detected are determined; the data to be detected is a part of the packets that need to be deeply detected.
  • the searching for the keyword in the data to be detected in the database according to the bit segment in the data to be detected includes:
  • the value in the found junction node is the value of the initial transfer state, and it is determined that the data to be detected contains a keyword.
  • the method further includes:
  • Obtaining a second bit segment of the data to be detected searching for a node that meets according to the value of the first bit segment and the initial transition state, and acquiring a value in the node; determining whether the value is a value of an initial transition state When the value is a value of the non-initial transfer state, the search for the node to be merged is continued according to the row of the value and the column of the second bit segment of the keyword until the last bit of the data to be detected is found. Segment, determining all keywords in the data to be detected.
  • the searching for the keyword in the data to be detected in the database according to the bit segment in the data to be detected includes:
  • the value is incremented by one, and the value in the intersection of the added value and the corresponding next bit segment in the data to be detected is searched for, including:
  • the value of the average number of bit segments after the value and the plurality of intersection nodes of the column of the corresponding bit segment in the to-be-detected data are obtained according to the number of average bit segments included in the keyword.
  • a message detecting apparatus includes: an establishing unit, a setting unit, a writing unit, a searching unit, and an output unit, wherein:
  • a setting unit configured to set a transition state for each bit segment in the to-be-detected keyword, and the values of the initial transition states of each keyword are equal; the transition state of the first bit segment to the last bit segment in each keyword The values are consecutive, and the values of the transition states of the other bit segments except the value of the initial transition state in each keyword are not equal;
  • a writing unit configured to acquire all keywords and write a value of a transfer state of each bit segment in the keyword to the database
  • a search unit configured to acquire data to be detected of the to-be-detected packet, and search for a keyword in the database according to the bit segment in the data to be detected;
  • An output unit configured to output a test result.
  • The transfer state database is provided with a bit segment row including all keywords and a value column of the transition states set for the bit segments. At the intersection node of the column in which a bit segment of a keyword is located and the row in which the value of the transition state of the previous bit segment is located, the value of the transition state of the next bit segment is written; at the intersection node of the column in which the last bit segment is located and the row in which the value of the transition state of the second-to-last bit segment is located, the value of the initial transition state of the keyword is written.
  • the searching unit is further configured to: determine, according to the transmission packet, a packet that needs to be deeply detected; classify the packet that needs to be deeply detected, and determine that each type of packet that needs to be deeply detected is to be processed. Detecting data; wherein the data to be detected is part of a message requiring depth detection.
  • the searching unit is further configured to acquire a first bit segment of the data to be detected, and search for a node that meets according to the value of the first bit segment and the initial transition state, and obtain a value in the node. Determining whether the value is a value of an initial transition state, and when the value is a value of a non-initial transition state, continuing to find a node that meets the convergence according to the row in which the value is located and the column in which the second bit segment of the keyword is located, Until the value in the found junction node is the value of the initial transfer state, it is determined that the data to be detected contains a keyword.
  • the searching unit is configured to acquire the data to be detected when the value of the first bit segment and the value of the initial transition state is the value of the initial transition state.
  • a second bit segment searching for a node that meets according to the value of the first bit segment and the initial transition state, and acquiring a value in the node; determining whether the value is a value of an initial transition state, and the value is a non-initial
  • the node in which the intersection is located is continued according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the last bit segment of the data to be detected is found, and the waiting is determined. Detect all keywords in the data.
  • the searching unit is further configured to acquire a first bit segment of the data to be detected, and search for a node that meets according to the value of the first bit segment and the initial transition state, and obtain a value in the node. Determining whether the value is a value of an initial transition state, and when the value is a value of a non-initial transition state, continuing to find a node that meets the convergence according to the row in which the value is located and the column in which the second bit segment of the keyword is located, And, the value is incremented by one, and the value of the added value and the value of the intersection node of the corresponding next bit segment in the data to be detected are searched until the value of the found intersection node is the value of the initial transfer state. Or finding a last bit segment of the data to be detected, and determining a keyword in the data to be detected.
  • the searching unit is further configured to acquire, according to the average number of bit segments included in the keyword, the average number of bit segments after the value and the corresponding bit in the to-be-detected data.
  • A transition-state value is set for each bit segment in the keyword to be detected, and the transition-state value of each bit segment of each keyword is recorded in the database in two dimensions to facilitate subsequent processing.
  • The data to be detected in the packet under inspection is examined to determine whether the message contains a keyword, and the detection result is output when it does.
  • By setting up a two-dimensional table of bit segment transition-state values for the keywords, a keyword in a message can be found conveniently and quickly, which greatly improves the efficiency of deep packet detection.
  • FIG. 1 is a flowchart of a packet detecting method according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of a deep packet detection transition state according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of a deep packet detection transition state database according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of data to be detected according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of an output result according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a packet detecting apparatus according to an embodiment of the present invention.
  • FIG. 1 is a flowchart of a packet detecting method according to an embodiment of the present invention. As shown in FIG. 1 , a packet detecting method according to an embodiment of the present invention includes the following steps:
  • Step 101: Establish a transfer state database for keyword bit segment search.
  • The transfer state database is provided with a bit segment row including all keywords and a value column of the transition states set for the bit segments. At the intersection node of the column in which a bit segment of a keyword is located and the row in which the value of the transition state of the previous bit segment is located, the value of the transition state of the next bit segment is written; at the intersection node of the column in which the last bit segment is located and the row in which the value of the transition state of the second-to-last bit segment is located, the value of the initial transition state of the keyword is written.
  • A transfer state database of each keyword to be detected needs to be established; the database records, as two-dimensional data, each bit segment in the keyword and the value of its corresponding transition state, as shown in Figure 3.
  • The values of the initial transition states of all keywords are equal; the transition-state values from the first bit segment to the last bit segment in each keyword are consecutive, and in each keyword the transition-state values of the bit segments, other than the value of the initial transition state, are not equal.
  • The initial transition state of the keyword and the transition state of each bit segment in the keyword are as shown in FIG. 2.
  • Step 102: Acquire all keywords, and write the value of the transition state of each bit segment in each keyword into the database, according to the bit segments in the keyword and the values of their corresponding transition states.
  • The values of all the acquired keywords and their corresponding transition states are written into the database.
  • The transition state database of the embodiment of the present invention is as shown in FIG. 3.
  • Step 103: Acquire the data to be detected of the to-be-detected packet, search for a keyword in the database according to the bit segments in the to-be-detected data, and output a detection result.
  • Acquiring the data to be detected of the to-be-detected packet includes: determining, from the transmitted packets, the packets that need deep detection; classifying those packets, and determining the data to be detected in each class of packet that needs deep detection. The data to be detected is part of a message requiring deep detection.
  • The destination MAC address and source MAC address of the packet can be obtained according to the format of the packet, the type of the TAG is determined, and the VLAN ID and the Ethernet type field are extracted according to the TAG type as the data to be detected.
  • The first and last characters to be detected are determined for each packet that needs deep detection, so that deep detection of the entire packet is avoided, thereby improving the efficiency of packet detection.
  • the searching for the keyword in the data to be detected in the database according to the value of the bit segment in the data to be detected and the value of the corresponding transfer state includes:
  • the searching, in the database, whether the keyword to be detected includes a keyword according to the value of the bit segment in the data to be detected and the value of the corresponding transfer state
  • the method includes: acquiring a first bit segment of the data to be detected; searching for a node that meets according to the value of the first bit segment and the initial transition state, and acquiring a value in the node; determining whether the value is an initial transition state. a value, where the value is a non-initial transition state, the node in which the value is located and the second bit segment of the keyword are searched for, and the value is incremented by one.
  • the value after the addition is corresponding to the data to be detected
  • the value in the intersection node of the latter bit segment determines the keyword in the data to be detected until the value in the found junction node is the value of the initial transition state or the last bit segment of the data to be detected.
  • the value of the intersection of the value and the value of the intersection of the corresponding one of the to-be-detected data including:
  • the value of the average number of bit segments after the value and the plurality of intersection nodes of the column of the corresponding bit segment in the to-be-detected data are obtained according to the number of average bit segments included in the keyword.
  • The problem addressed by the present invention is that deep message detection needs to compare all the information of the entire message and then process the message according to the result of the comparison. Deep packet inspection therefore cannot meet the actual needs of data centers, core switches, and high-performance routers. At the same time, the transition state database for the keywords of deep message detection is generally large: placing a huge database in the chip's internal memory costs too much, makes the chip area too large, and greatly reduces the manufacturing yield. Considering the cost factor, the deep packet detection transfer state database is generally stored in DDR. However, because of DDR timing characteristics, the efficiency of single reads from DDR is relatively low, which cannot meet the requirements of a high-speed switch or a core router.
  • The patent filters the input packets through the access control list module, extracts the packets to be detected, and obtains the start byte and the end byte of the data to be detected according to the classification result, which greatly reduces the amount of data that the deep packet detection device needs to examine and improves the detection efficiency.
  • The deep message detection states are encoded in an optimized way, and the transition states corresponding to the average length of the keywords are read into the cache in advance by using predictive transition-state technology, which greatly improves packet detection efficiency and reduces cost.
  • A keyword that needs to be matched is mapped, as a transition condition, onto the transition states of deep packet detection.
  • The transition states of the same keyword must be encoded consecutively. For example, if the keyword to be matched is hello, the initial transition state is 0, and the transition state of h is assumed to be 4, then the transition state of e must be 5, that of the first l must be 6, and that of the second l must be 7; o is the last byte of the keyword, so the next transition state is the initial transition state 0.
  • The deep message detection transfer state database is then generated and written to the DDR.
  • The input data packet is processed by the packet parsing module to obtain information about the packet, such as the source and destination MAC addresses, the source and destination IP addresses, the protocol number, the Ethernet type, and the VLAN ID.
  • The information is classified to obtain the flow classification number corresponding to the packet. The flow classification number determines whether deep packet detection is required, the start byte and the termination byte of the deep packet detection, and whether the packet to be detected is a copy or the original packet.
  • The deep message detection transition state database is read and compared with the message, and the comparison result is output.
  • The transfer state database of each keyword to be detected is established first, which specifically includes the following steps:
  • Step 1: The user-configured keywords to be checked are mapped to a transition state diagram. The initial state is generally set to 0; it need not be 0, but 0 is generally used for convenience.
  • The bit segment can be 8 bits: the first 8 bits of the keyword are read as the transition condition, and a value is assigned to the next transition state. The bit segment is not limited to 8 bits and may be of any bit length.
  • The value of the transition state of the next bit segment can be assigned arbitrarily, but it cannot be a value that has already been assigned. At the same time, the transition-state values of the bit segments in the same keyword must increase consecutively.
  • For the keyword hello, the transition state corresponding to h is 4, the transition state corresponding to e is 5, the transition state corresponding to the first l is 6, and the transition state corresponding to the second l is 7; o is the last byte of the keyword, so the next transition state is the initial transition state 0. See the example shown in Figure 1.
  • The figure also shows the transition state diagrams of the two keywords work and secret.
  • Step 2: Map the transition state diagram generated in step 1 to the transfer state database.
  • The initial state and the first 8-bit byte of the keyword to be checked are taken as the address, and the content written is the next transition state S1 and its corresponding attribute. Then the transition state S1 and the second 8-bit byte of the keyword are taken as the address at which the next transition state and its corresponding attribute are written, and so on, until the end of the keyword.
  • The last transition state written for a keyword to be checked is the initial transition state together with the corresponding rule number.
  • In the table, the hatched part is the content of the hello keyword in the transfer state database, the dotted part is the content of the work keyword, and the double-grid part is the content of the secret keyword.
  • Step 3: The generated transfer state database is written into the DDR by the CPU.
  • The deep packet detection process includes the following steps:
  • Step 1: The packet parsing module receives the packet input from the external interface, extracts the destination MAC address, the source MAC address, and the type of the TAG according to the format of the packet, and extracts the VLAN ID and the Ethernet type field according to the TAG type.
  • Step 2: According to the Ethernet type field obtained in step 1, it is determined whether the packet is an IPv4 packet, an IPv6 packet, or an MPLS packet, and the corresponding fields are then extracted according to the parsed packet type. For example, for IP packets the destination IP address, source IP address, IP protocol number, IP TTL, IP DSCP, etc. are extracted; for an MPLS packet, the label of each layer, the priority of the label, and the TTL value corresponding to the label are extracted.
  • Step 3: The packet parsing results of step 1 and step 2 and the information obtained about the packet are sent to the access control list module.
  • The access control list module compares the information with the user-configured access control list rules, classifies the incoming packets, and assigns a flow classification number to each type of packet.
  • Step 4: The flow classification number obtained in step 3 is used to look up the flow attribute table and obtain the attributes of the corresponding flow.
  • The attribute table includes, but is not limited to, whether to perform deep packet detection, the start byte of the deep packet detection, the termination byte of the deep packet detection, and whether the packet sent is the original message or a copy.
  • The information about the deep packet detection is attached to the original data packet and sent to the deep packet detection module.
  • The format of the packet sent to the deep packet detection module is shown in FIG. 4.
  • Step 5: Starting at the deep message detection start byte position, the deep packet detection module fetches the first byte W1 of the message and uses it together with the initial transition state S0 as the address for accessing the DDR. The byte of the message forms the low-order bits of the DDR address and the initial transition state S0 forms the high-order bits, that is, {S0, W1}.
  • This address is used to read the transfer state database stored in the DDR to get the next transition state S1.
  • The 256 entries corresponding to S0 are pre-read into the Cache, that is, all the columns corresponding to state 0 of the table in FIG. 2 are read into the cache.
  • It is then determined whether the transition state S1 is equal to the initial transition state S0; if it is, proceed to step 6. Since the transition states corresponding to a keyword are consecutively encoded, it can be foreseen that the value of S2 is S1+1 and the value of S3 is S2+1. If the transition state S1 and the initial transition state S0 are not equal, all the column data of the corresponding row in the transition state database and of the subsequent (L-1) transition states are read into the Cache, where L is the average length of the keywords to be found. It can be seen from Fig. 2 that each transition state corresponds to 256 columns of data, so a total of 256 × L transition state entries are read.
  • Step 6: The transition state S1 is used as the high-order bits of the DDR address and the second byte W2 of the message under detection as the low-order bits; the address is represented as {S1, W2}. This address is used to access the Cache to read the corresponding transition state S2. If S2 is found in the Cache, the read is successful. If S2 is not found in the Cache, the address {S1, W2} is used to access the DDR to obtain the transition state S2. Because the transition states corresponding to a keyword are all consecutively encoded, the next transition state S3 is predicted to be S2+1, and the data of all columns corresponding to S3 and the subsequent (L-1) transition states are read into the Cache.
  • Step 7: The byte-by-byte search described in step 6 continues from the start byte of the message until the termination byte of the message is reached or a keyword being searched for is matched, and then the search ends.
  • Whether the search ends at the termination byte or on a match with a keyword is configurable through a register. Finally, the number corresponding to the matched keyword is reported to the CPU as the result or is carried in the header of the message.
  • The output message is shown in Figure 5.
  • Steps 5 through 7 describe the working process of the deep packet inspection engine.
  • Deep packet detection requires a number of clock cycles to process a packet, so a single detection engine generally cannot meet the needs of a data center or a core switch; multiple engines need to complete the detection of packets in parallel.
  • The detected flow rate is related to the operating frequency of the chip.
  • The working process of each detection engine is as described in steps 5, 6, and 7.
  • An example is now used to illustrate the working process of the deep message detection engine in step 6 and step 7.
  • The input message is kjkloworkcef, the keyword to be searched for is work, the initial transition state is 0, the deep message detection start byte is the 4th byte, the end byte is the 11th byte, and the average keyword length is 5.
  • In the first step, the deep packet detection module takes the 4th byte l of the message and combines it with the initial transition state into {0, l} as the DDR address, reads the next transition state S1 as 0, and at the same time reads the entire row 0 of the initial transition state S0 into the cache.
  • In the second step, the transition state S1 obtained in the first step and the 5th byte o of the message are taken as the address {0, o}, and the next transition state S2 is read directly from the Cache as 0. Since the corresponding transition state can be found in the Cache and S2 is equal to the initial state, there is no need to read the transfer state database in the DDR.
  • In the third step, the transition state S2 obtained in the second step and the 6th byte w of the message are taken as the address {0, w}, and the next transition state S3 is read directly from the Cache as 10.
  • The corresponding transition state can also be found in the Cache, but the value of the transition state S3 is not equal to the initial state S0. Therefore, the data of S3 and of the four transition states after S3 are read into the Cache, that is, the data from the 10th to the 14th rows of the table are read into the Cache.
  • In the fourth step, the transition state S3 obtained in the third step and the 7th byte o of the message are taken as the address {10, o}, and the next transition state S4 is read directly from the Cache as 11.
  • In the fifth step, the transition state S4 obtained in the fourth step and the 8th byte r of the message are taken as the address {11, r}, and the next transition state S5 is read directly from the Cache as 12.
  • In the sixth step, the transition state S5 obtained in the fifth step and the 9th byte k of the message are taken as the address {12, k}, and the next transition state S6 is read directly from the Cache as 0. At this point the rule number of the work keyword is obtained.
  • In the seventh step, the transition state S6 obtained in the sixth step and the 10th byte c of the message are taken as the address {0, c}, and the next transition state S7 is read directly from the Cache as 0.
  • In the eighth step, the transition state S7 obtained in the seventh step and the 11th byte e of the message are taken as the address {0, e}, and the next transition state S8 is read directly from the Cache as 0. The deep packet detection termination position has now been reached, so the entire search process ends: the keyword work was matched, and the rule number corresponding to work was obtained.
  • FIG. 6 is a schematic structural diagram of a packet detecting apparatus according to an embodiment of the present invention.
  • The packet detecting apparatus of the embodiment of the present invention includes an establishing unit 60, a setting unit 61, a writing unit 62, a searching unit 63, and an output unit 64, wherein:
  • The establishing unit 60 is configured to establish a transfer state database for keyword bit segment search, where the transfer state database is provided with a bit segment row including all keywords and a value column of the transition states set for the bit segments. At the intersection of the column in which a bit segment of a keyword is located and the row in which the value of the transition state of the previous bit segment is located, the value of the transition state of the next bit segment is written; at the intersection of the column in which the last bit segment is located and the row in which the value of the transition state of the second-to-last bit segment is located, the value of the initial transition state of the keyword is written;
  • The setting unit 61 is configured to set a transition state for each bit segment in the to-be-detected keyword, where the values of the initial transition states of all keywords are equal; the transition-state values from the first bit segment to the last bit segment in each keyword are consecutive, and in each keyword the transition-state values of the bit segments, other than the value of the initial transition state, are not equal;
  • The writing unit 62 is configured to acquire all keywords and write the value of the transition state of each bit segment in each keyword to the database;
  • The searching unit 63 is configured to acquire data to be detected of the to-be-detected packet, and search for a keyword in the database according to the bit segments in the to-be-detected data;
  • The output unit 64 is configured to output a detection result.
  • the searching unit 63 is further configured to: determine, according to the transmitted packets, the packets that need deep detection; classify the packets that need deep detection, and determine the data to be detected for each type of packet that needs deep detection; wherein the data to be detected is part of a packet requiring deep detection. Because the data segment to be deeply detected is determined within the to-be-detected packet, the entire packet does not need to be deeply detected, which improves the efficiency of the deep detection.
  • the searching unit 63 is further configured to acquire a first bit segment of the data to be detected, look up the intersection node according to the first bit segment and the initial transition state, and acquire the value in that node; determine whether the value is the value of the initial transition state, and, when the value is a value of a non-initial transition state, continue to look up the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the value in the intersection node found is the value of the initial transition state, at which point it is determined that the data to be detected contains a keyword.
  • the searching unit 63 is configured to, when the value found for the first bit segment and the value of the initial transition state is the value of the initial transition state, acquire a second bit segment of the data to be detected, look up the intersection node according to the first bit segment and the initial transition state, and acquire the value in that node; determine whether the value is the value of the initial transition state, and, when the value is a value of a non-initial transition state, continue to look up the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, until the last bit segment of the data to be detected has been looked up and all keywords in the data to be detected have been found.
  • the searching unit 63 is further configured to acquire a first bit segment of the data to be detected; look up the intersection node according to the first bit segment and the initial transition state, and acquire the value in that node; determine whether the value is the value of the initial transition state, and, when the value is a value of a non-initial transition state, continue to look up the intersection node according to the row in which the value is located and the column in which the second bit segment of the keyword is located, incrementing the value by one each time and looking up the value in the intersection node of the incremented value and the corresponding next bit segment in the data to be detected, until the matching node is found.
  • the searching unit 63 is further configured to acquire, according to the average number of bit segments included in the keywords, the values in the intersection nodes of the rows that follow the value, as many rows as that average number, and the columns of the corresponding bit segments in the data to be detected.
  • the processing units in the packet detecting apparatus of the embodiment of the present invention can be understood by referring to the related description of the packet detecting method in the foregoing embodiment. Each of the processing units in the packet detecting apparatus of the embodiment of the present invention may be implemented by an analog circuit that implements the functions described in the embodiments of the present invention, or may be implemented by running software executing the functions described in the embodiments of the present invention on a smart device.
  • the embodiment of the invention further describes a storage medium in which a computer program is stored, the computer program being configured to execute the message detection method of the foregoing embodiments.
  • the disclosed method and smart device may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner, for example: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the coupling, direct coupling, or communication connection between the components shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described above as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated into one unit; the unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
  • the foregoing storage medium includes: a mobile storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or another medium that can store application code.
  • the above-described integrated unit of the embodiment of the present invention may be stored in a computer readable storage medium if it is implemented in the form of a software function module and sold or used as a stand-alone product.
  • the technical solution of the embodiments of the present invention may, in essence, be embodied in the form of a software product that is stored in a storage medium and includes a plurality of instructions for causing a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the methods described in the various embodiments of the present invention.
  • the foregoing storage medium includes: a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like, which can store application code.
  • a two-dimensional table of bit segment transition state values is set up for the keywords, so that finding keywords in a message is convenient and fast, which greatly improves the efficiency of deep packet detection.
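
The two-dimensional transition state table and the lookup loop described for units 60 to 63, as an added Python example that is not code from the patent. It assumes one byte per bit segment, an initial state value of 0, a `NO_MATCH` marker for unused cells, a `rules` dictionary for rule numbers, and a restart-from-initial rule on mismatch; all of these names and choices are assumptions.

```python
# Added illustration, not the patent's implementation. Assumptions: one bit
# segment = one byte, initial state value 0, NO_MATCH marks an unused cell.
INITIAL, NO_MATCH = 0, -1

def build_table(keywords):
    """Return (table, rules) where table[state_row][segment_column] = next state."""
    table = [[NO_MATCH] * 256]      # row 0: the initial state shared by all keywords
    rules = {}                      # (row, segment) of a final segment -> rule number
    for rule_no, kw in enumerate(keywords, start=1):
        row = INITIAL
        for i, seg in enumerate(kw):
            if table[row][seg] != NO_MATCH:
                raise ValueError("cell in use: keywords share a leading segment")
            if i == len(kw) - 1:
                table[row][seg] = INITIAL        # last segment: write the initial value
                rules[(row, seg)] = rule_no
            else:
                table.append([NO_MATCH] * 256)   # next consecutive, unused state value
                table[row][seg] = len(table) - 1
                row = len(table) - 1
    return table, rules

def search(table, rules, data):
    """Scan data once; return [(end_offset, rule_no)] for each keyword found."""
    hits, row = [], INITIAL
    for pos, seg in enumerate(data):
        nxt = table[row][seg]
        if nxt == NO_MATCH and row != INITIAL:
            # Mismatch inside a keyword: retry this segment from the initial row.
            # There are no failure links, so a keyword that starts inside an
            # abandoned partial match (other than at this segment) is not seen.
            row, nxt = INITIAL, table[INITIAL][seg]
        if nxt == INITIAL:                       # initial value read back: keyword complete
            hits.append((pos, rules[(row, seg)]))
        row = INITIAL if nxt in (NO_MATCH, INITIAL) else nxt
    return hits

# Constructed sample keywords and payload (not taken from the patent).
KEYWORDS = [b"work", b"http"]
PAYLOAD = b"GET http://x/wwork e"

if __name__ == "__main__":
    t, r = build_table(KEYWORDS)
    print(search(t, r, PAYLOAD))
```

Each payload byte costs one table read, and the state values of "work" (1, 2, 3) and "http" (4, 5, 6) are consecutive within a keyword and distinct across keywords, as the setting unit requires.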

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed are a message detection method and device and a storage medium. The method comprises: establishing a transfer state database for searching the bit segments of a keyword; setting a transfer state for each bit segment of a keyword to be detected, making the values of the initial transfer state of every keyword equal, making the transfer state values from the first bit segment to the last bit segment of each keyword consecutive, and making the values of the transfer states of the other bit segments, apart from the value of the initial transfer state of each keyword, unequal; acquiring all keywords, and writing the value of the transfer state of each bit segment of the keywords into the database; and acquiring data to be detected from a message to be detected, searching the database, according to the bit segments of the data to be detected, for whether the keywords are included in the data to be detected, and outputting a detection result.
PCT/CN2015/081205 2014-12-25 2015-06-10 Message detection method and device and storage medium WO2016101552A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410827248.5A CN105791124B (zh) 2014-12-25 2014-12-25 Message detection method and device
CN201410827248.5 2014-12-25

Publications (1)

Publication Number Publication Date
WO2016101552A1 (fr) 2016-06-30

Family

ID=56149117

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/081205 WO2016101552A1 (fr) 2014-12-25 2015-06-10 Message detection method and device and storage medium

Country Status (2)

Country Link
CN (1) CN105791124B (fr)
WO (1) WO2016101552A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
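CN110995694B (zh) * 2019-11-28 2021-10-12 新华三半导体技术有限公司 Network message detection method and apparatus, network security device, and storage medium
CN112187639B (zh) * 2020-08-31 2021-11-19 西安交通大学 Method and system for generating data packet path codes based on flow attributes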

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101551803A (zh) * 2008-03-31 2009-10-07 华为技术有限公司 Method and apparatus for establishing a pattern matching state machine and for pattern recognition
US20130108160A1 (en) * 2011-03-07 2013-05-02 Ntt Docomo, Inc. Character recognition device, character recognition method, character recognition system, and character recognition program
CN103093147A (zh) * 2011-11-02 2013-05-08 中国移动通信集团广东有限公司 Method and electronic device for identifying information
CN104077358A (zh) * 2014-06-03 2014-10-01 南京大学 Automaton method for discovering massive short-text information

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1909502B (zh) * 2005-08-01 2010-05-05 中兴通讯股份有限公司 Apparatus and method for fast location of data stream message headers

Also Published As

Publication number Publication date
CN105791124B (zh) 2019-04-30
CN105791124A (zh) 2016-07-20

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15871627

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15871627

Country of ref document: EP

Kind code of ref document: A1