WO2017157335A1 - 报文识别的方法及装置 - Google Patents

报文识别的方法及装置 Download PDF

Info

Publication number
WO2017157335A1
WO2017157335A1 PCT/CN2017/077126 CN2017077126W WO2017157335A1 WO 2017157335 A1 WO2017157335 A1 WO 2017157335A1 CN 2017077126 W CN2017077126 W CN 2017077126W WO 2017157335 A1 WO2017157335 A1 WO 2017157335A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
rule
list
fingerprint
bits
Prior art date
Application number
PCT/CN2017/077126
Other languages
English (en)
French (fr)
Inventor
乔伟
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2017157335A1 publication Critical patent/WO2017157335A1/zh

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/02Capturing of monitoring data
    • H04L43/026Capturing of monitoring data using flow identification
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00Indexing scheme associated with group H04L61/00
    • H04L2101/60Types of network addresses
    • H04L2101/695Types of network addresses using masks or ranges of addresses

Definitions

  • the present disclosure relates to the field of communications, for example, to a method and apparatus for message recognition.
  • the Internet Protocol (IP) layer, the transport layer, and the application layer in the data packet need to be identified and matched, and the packet is processed according to the policy corresponding to the identification result.
  • Identifying the matching and corresponding processing includes: identifying a content quintuple of the IP layer and the transport layer below the fourth layer of the data packet, wherein the content quintuple comprises: a source IP address, a source port, a destination IP address, a destination port, and a protocol type And identifying the content of the application layer, identifying the type or content of the application based on the payload fingerprint of the application layer.
  • the IP address class rule recognition is mainly through a class-like traditional routing packet algorithm, such as a dictionary tree (Trie).
  • Trie dictionary tree
  • the application layer can be identified by means of regular expression matching.
  • the gateway is in a variety of different charging rules customized by the operator, that is, the mass rules and the identification scenario, the gateway's recognition performance of the packet is drastically decreased in the related identification method, and the gateway cannot identify the packet identification efficiency. Requirements. Therefore, there is a need for a method for message identification under a large number of rules, which improves the efficiency of message recognition and satisfies the requirements of the gateway for message recognition efficiency.
  • the present disclosure provides a method and apparatus for message identification, which can improve the recognition efficiency of an aggregated IP address under a large number of rules.
  • the present disclosure provides a method for data packet identification under a massive rule, the method comprising:
  • IP address Determining the IP address when determining that the IP address exists in a first rule list corresponding to a subnet mask of length 16 bits according to the first 16 bits of the IP address;
  • the corresponding rule list is determined according to the length of the subnet mask, and the IP address is identified.
  • the method may further include:
  • the determining the corresponding rule list according to the length of the subnet mask, and identifying the IP address may include:
  • the second rule list is hanged at a corresponding position of the first rule list, where the second rule list is a subnet mask with a length of 17 to 23 bits. a list of rules with a length of 7 corresponding to the code;
  • the value obtained by subtracting 16 from the length of the subnet mask is a subscript, and the IP address is searched for at a corresponding position of the second rule list, and when the IP address is found, the IP is identified. address.
  • the determining the corresponding rule list according to the length of the subnet mask, and identifying the IP address may include:
  • the third rule list is hanged at a corresponding position of the first rule list, where the third rule list is a subnet mask with a length of 24 bits.
  • the IP address is searched for at a corresponding position of the third rule list, and when the IP address is found, the IP address is recognized.
  • the determining the corresponding rule list according to the length of the subnet mask, and identifying the IP address may include:
  • the fourth rule list is hanged at a corresponding position of the third rule list, wherein the third rule list is based on the first 16 bits of the IP address. Determining that the fourth rule list is a rule list of length 7 corresponding to a subnet mask of length 25 to 31 bits;
  • the value obtained by subtracting 24 from the length of the subnet mask is a subscript, and the IP address is searched for at the corresponding position of the fourth rule list, and when the IP address is found, the IP address is recognized.
  • the method may further include: when determining that the rule carried by the data packet includes an IP address or a domain name, performing a hash operation on the rule by using a first hash algorithm to obtain a first fingerprint, The rule is operated by the second hash algorithm to obtain a second fingerprint, and the rule is identified according to the first fingerprint and the second fingerprint.
  • the identifying the rule according to the first fingerprint and the second fingerprint may include:
  • the identifying the rule according to the first fingerprint and the second fingerprint may include:
  • the first fingerprint of the first hash list is traversed
  • the rule is recognized when the rule exists in the linked list.
  • An apparatus for data packet identification provided by the present disclosure, the apparatus includes: a parsing module and an identification module; wherein
  • the parsing module is configured to parse the received data packet, and determine that the rule carried by the data packet includes an IP address
  • the identification module is configured to identify the IP address when the IP address exists in a first rule list corresponding to a subnet mask of length 16 bits according to the first 16 bits of the IP address; When the first 16 bits of the IP address determine that the IP address does not exist in the first rule list, determine a corresponding rule list according to the length of the subnet mask, and identify the IP address.
  • the identification module may include: a first identification module, configured to use the first 16 bits of the IP address as a subscript, and look up the IP address in the first rule list, when the When the IP address is determined, the IP address is determined to exist in the first rule list.
  • the identifying module may include:
  • a first identification module configured to use a first 16 bits of the IP address as a subscript, and to hang a second rule list at a corresponding position of the first rule list, where the second rule list has a length of 17 a list of rules of length 7 corresponding to a 23-bit subnet mask;
  • the value obtained by subtracting 16 from the length of the subnet mask is a subscript, and the IP address is searched for at the corresponding position of the second rule list, and when the IP address is found, the IP address is recognized.
  • the identification module may include: a first identification module, configured to use a first 16 bits of the IP address as a subscript, and a third rule list is hanged at a corresponding position of the first rule list, where The third rule list is a rule list of length 256 corresponding to a subnet mask of length 24 bits;
  • the IP address is searched for at the corresponding position of the third rule list, and when the IP address is found, the IP address is recognized.
  • the identification module may further include: a second identification module, configured to use the 17th to 24th bits of the IP address as a subscript, and to hang the fourth rule at a corresponding position of the third rule list a list, wherein the third rule list is determined according to the first 16 bits of the IP address, and the fourth rule list is a rule list of length 7 corresponding to a subnet mask of length 25 to 31 bits;
  • the value obtained by subtracting 24 from the length of the subnet mask is a subscript, and the IP address is searched for at the corresponding position of the fourth rule list, and when the IP address is found, the IP address is recognized.
  • the device may further include: a rule module, configured to: when determining that the rule carried by the data packet includes an IP address or a domain name, performing the hash operation on the rule by using a first hash algorithm to obtain the first The fingerprint is operated by the second hash algorithm to obtain a second fingerprint, and the rule is identified according to the first fingerprint and the second fingerprint.
  • a rule module configured to: when determining that the rule carried by the data packet includes an IP address or a domain name, performing the hash operation on the rule by using a first hash algorithm to obtain the first The fingerprint is operated by the second hash algorithm to obtain a second fingerprint, and the rule is identified according to the first fingerprint and the second fingerprint.
  • the identifying the rule according to the first fingerprint and the second fingerprint may include:
  • the identifying the rule according to the first fingerprint and the second fingerprint may include:
  • the first fingerprint of the first hash list is traversed
  • the rule is recognized when the rule exists in the linked list.
  • the present disclosure also provides a non-transitory computer readable storage medium storing computer executable instructions arranged to perform the above method.
  • the present disclosure also provides an electronic device, including:
  • At least one processor At least one processor
  • the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to cause the at least one processor to perform the method described above.
  • a data packet identification method of the present disclosure includes: parsing a received data packet, determining that the rule carried by the data packet includes an IP address; determining the IP address according to the first 16 bits of the IP address When the first rule list corresponding to the subnet mask of length 16 bits exists, the IP address is identified; and according to the first 16 bits of the IP address, it is determined that the IP address does not exist in the first In the rule list, the corresponding rule list is determined according to the length of the subnet mask, and the IP address is identified.
  • the first rule list corresponding to the subnet mask of length 16 bits is searched according to the first 16 bits of the IP address in the data packet, and the rule is quickly found in the first rule list.
  • the identification process ends. If the IP address does not exist in the first rule list, the IP address is identified in a rule list other than the first rule list associated with the length of the subnet mask, Save time and space for identification and improve the efficiency of data message recognition.
  • FIG. 1 is a schematic flowchart diagram of a method for identifying a first data packet according to Embodiment 1;
  • FIG. 2 is a schematic flowchart of a second method for identifying a data packet according to Embodiment 1;
  • FIG. 3 is a schematic structural diagram of a rule list when a subnet mask length is 16 bits according to an embodiment
  • FIG. 4 is a schematic structural diagram of a rule list when a subnet mask length is 17-23 bits according to an embodiment
  • FIG. 5 is a schematic structural diagram of a rule list when a subnet mask length is 24 bits according to an embodiment
  • FIG. 6 is a schematic structural diagram of a rule list when a subnet mask length is 25-31 bits according to an embodiment
  • FIG. 7 is a schematic flowchart of a method for identifying a data packet according to Embodiment 3;
  • FIG. 8 is a schematic structural diagram of an apparatus for identifying a first data packet according to Embodiment 4.
  • FIG. 9 is a schematic structural diagram of an apparatus for identifying a data packet under a second massive rule according to Embodiment 4.
  • FIG. 10 is a schematic structural diagram of an apparatus for identifying a data packet under a third mass rule according to Embodiment 4; Figure;
  • FIG. 11 is a schematic diagram showing the hardware structure of an electronic device according to an embodiment.
  • Embodiment 1 provides a method for identifying a first data packet.
  • step 110 the received data packet is parsed, and the rule carried in the data packet is determined to include an IP address.
  • step 120 when the IP address is determined to exist in the first rule list corresponding to the subnet mask of length 16 bits according to the first 16 bits of the IP address, the IP address is identified.
  • N bits in the present disclosure all refer to N-bit bits, and N is a non-negative integer.
  • the length of the subnet mask is the number of bits "1" in the binary data of the subnet mask. For example, when the subnet mask is 255.255.0.0, the length of the subnet mask is 16 bits (bits); When the subnet mask is 255.255.255.0, the length of the subnet mask is 24 bits (bits), and when the subnet mask is 255.255.128.0, the length of the subnet mask is 17 bits (bits); When the mask is 255.255.255.128, the length of the subnet mask is 25 (bits).
  • step 130 determining, according to the first 16 bits of the IP address, that the IP address does not exist in the first rule list, determining a corresponding rule list according to the length of the subnet mask, The IP address is identified.
  • the gateway When the gateway receives the data packet, it can identify multiple rules carried in the data packet to match the different charging rules customized by the operator.
  • the received data packet may include multiple rules, parse the received data packet, and parse the rule carried by the received data packet.
  • the rule carried in the file includes an IP address, the IP address is identified.
  • step 110 Initially matching the IP address parsed in step 110 in the first rule list corresponding to the subnet mask of 16 bits, for example, using the first 16 bits of the IP address as a subscript in the first rule list.
  • Finding the IP address when the IP address is found, determining that the IP address exists in the first rule list, and at this time, identifying the IP address, if it is determined that the IP address does not exist in the first rule list Medium, Then step 130 is performed.
  • the IP address when the IP address is found in the first rule list, it indicates that the subnet mask of the IP address has a length of 16 bits.
  • the first rule list is a linear list of length 65536, and the subscripts of the first rule list are sequentially from 0-65535.
  • step 130 when the IP address is not found in the first rule list by using the first 16 bits of the IP address as a subscript, it indicates that the IP address does not exist in the first rule list, and the IP address is not recognized.
  • the corresponding rule list may be determined according to the length of the subnet mask, and a linear list other than the first rule list associated with the subnet mask length is searched for, and the IP address is identified.
  • Determining a corresponding rule list according to the length of the subnet mask, and identifying the IP address may include: using a first 16 bits of the IP address as a subscript, and a corresponding position in the first rule list And arranging a second rule list, where the second rule list is a rule list of length 7 corresponding to a subnet mask of length 17 to 23; and subtracting 16 from the length of the subnet mask The value is a subscript, and the IP address is searched for at a corresponding position of the second rule list, and when the IP address is found, the IP address is identified.
  • Determining a corresponding rule list according to the length of the subnet mask, and identifying the IP address may include: using a first 16 bits of the IP address as a subscript, and a corresponding position in the first rule list a third rule list is logged, wherein the third rule list is a rule list of length 256 corresponding to a subnet mask of length 24; and the 17th to 24th bits of the subnet mask are a subscript, searching for the IP address at a corresponding position of the third rule list, and identifying the IP address when the IP address is found.
  • Determining, according to the length of the subnet mask, a corresponding rule list, and identifying the IP address may include: using a 17th to 24th bits of the IP address as a subscript, and corresponding to the third list
  • the fourth rule list is suspended at the location, wherein the third rule list is determined according to the first 16 bits of the IP address, and the fourth rule list is a length corresponding to a subnet mask of length 25 to 31 bits. a list of rules; and a value obtained by subtracting 24 from the length of the subnet mask as a subscript, searching for the IP address at a corresponding position of the fourth rule list, when the IP address is found, The IP address is identified.
  • the IP address is searched for in the first rule list corresponding to the subnet mask of length 16 bits.
  • the identification process ends, and the IP address is identified, and The IP address is an aggregated IP address corresponding to a subnet mask of length 16 bits.
  • the corresponding linear list is searched according to the length of the subnet mask.
  • the method may further include step 140.
  • step 140 when it is determined that the rule carried by the data packet includes an IP address or a domain name, the rule is hashed by the first hash algorithm to obtain a first fingerprint, and the second hash algorithm is used to perform the The rule performs an operation to obtain a second fingerprint, and the rule is identified according to the first fingerprint and the second fingerprint.
  • the IP address can include an aggregated IP address and a precise IP address. In addition to identifying the aggregated IP address of the subnet mask of length 16-31 bits, it can also be used for subnet masks or subnets of 32 bits in length. The precise IP address of the mask is identified, and the rules of the received data packet may also include a domain name.
  • the aggregated IP address can be an IP address segment.
  • the aggregate IP address 192.168.1.0/24 represents the IP address 192.168.1.0 to 192.168.255.255.
  • the exact IP address can be an IP address such as 192.168.1.1.
  • the rule carried in the received data packet is identified, and the rule may include a rule such as an IP address and a domain name, but after the received rule is not identified in step 140, According to a first rule list corresponding to a subnet mask having a length of 16 bits, a second rule list corresponding to a subnet mask having a length of 17-23 bits, and a subnet mask having a length of 24 bits.
  • the third rule list and the fourth rule list corresponding to the subnet mask of length 25-31 bits identify the IP, and when identified, determine that the IP is an aggregate IP.
  • the identifying the rule according to the first fingerprint and the second fingerprint may include:
  • a rule is received, and the rule is hashed by the first hash algorithm to obtain a first fingerprint (ie, the first hash value X1), and the rule is operated by the second hash algorithm.
  • Obtaining a second fingerprint ie, a second hash value X2
  • L1 is the length of the first hash table H1.
  • the search is successful and the rule is identified.
  • the first fingerprint of the first hash list is traversed
  • the rule is recognized when the rule exists in the linked list.
  • the rule that the same value of the fingerprint obtained by the hash operation is the same is stored in the linked list L, and the value at the position P2 in the second hash list is incremented by 1, which is 2.
  • P2 is calculated for the first time, the position is treated as 1.
  • the received rule is identified, the first hash algorithm X1 is hashed by the first hash algorithm, and the second fingerprint X2 is obtained by the second hash algorithm, and the first fingerprint is obtained.
  • the first fingerprint X1 of the hash list is non-empty at the position corresponding to the position P1
  • the second fingerprint corresponding position P2 of the second hash list is greater than 1 at the position
  • the linked list is traversed at the P1 position of the first hash list H1.
  • the rule may be searched in the first hash list H1; when there are two or more rules, the value of the first fingerprint If the hash conflict occurs, the rule is searched in the linked list at the corresponding position of the first fingerprint of the first hash list H1, where the second fingerprint corresponds to the second fingerprint list H2.
  • the value at the location is the number of conflicting records.
  • the first hash algorithm and the second hash algorithm in this embodiment may use a hash algorithm such as MurmurHash64A and murmurHash3_32.
  • the first hash algorithm and the second hash algorithm may select a hash algorithm with a low collision rate.
  • the quintuple recognition performance of the IP layer and the transport layer is analyzed as follows:
  • the calculation of the hash fingerprint is 10 times faster than the regular determination of the Uniform Resource Locator (URL).
  • the error rate of the two fingerprints is the same and the application layer content is different from 10 ⁇ -8, and the three error rate is 10 ⁇ -23, where ⁇ is a power symbol.
  • 2-5% of messages can be identified.
  • the identification of the 2-5% packet is because the IP address of the configured rule base exists.
  • the method for identifying the data packet provided by this embodiment is used to identify the rule by aggregating the IP address.
  • the quintuple in the text can improve the efficiency of recognition.
  • the IP address is 192.168.1.1
  • the length of the subnet mask of the IP address is 16 bits, 17 bits, 24 bits, and 25 bits, respectively.
  • the aggregation IP in this embodiment is used.
  • the process of address recognition is described in detail. Before the identification, the rule configuration process and the storage process are described. When storing 192.168.1.1, the length is stored according to the length of the subnet mask carried by the IP address.
  • a first rule list List16 as shown in FIG. 3 is created, where the first rule list is a linear list, such as an array list, and the size is 2 ⁇ 16 or 65536, and the i-th position is stored.
  • the data can be expressed as List16[i], 0 ⁇ i ⁇ 65535.
  • the rule is IP address 192.168.1.1
  • the subnet mask is 255.255.0.0, that is, the subnet mask length is 16 bits
  • the IP address and subnet mask are bitwise ANDed to obtain the IP address 192.168.1.1 & 255.255.0.0.
  • the first 16 bits of the address 192.168.0.0, the decimal number 192168 is converted to a binary number 1100000010101000, the binary number is converted to an integer 49320, and the 49320 is used as a subscript stored in the List16 [49320] position of the first rule list, that is, stored.
  • List16 [IP first 16 bits] the pointer to the linked list at this position is empty. This location stores the rule that the 192.168.1.1 mask length is 16 bits.
  • the rule When the subnet mask length of the rule is 24 bits, as shown in FIG. 4, the rule is located at the position of List16 [IP first 16 bits], and a third rule list List24 is created, that is, the third rule is hanged at the position.
  • the third 8 bits of the rule IP address are taken as the subscript of the List24 table, and the length of the List 24 is 2 ⁇ 8 or 256.
  • the rule is IP address 192.168.1.1
  • the subnet mask is 255.255.255.0
  • the subnet mask length is 24.
  • Determine the array in List16 by converting the first 16-bit binary 192.168 of the IP address to the subscript
  • the position in the middle is 49320, which can be expressed as List16[49320], and a linked list is hanged at the position of List16[49320], that is, the third rule list List24, and the third 8-bit of the IP address, that is, the 17th to 24th bits
  • the bit and the binary data of 255 are bitwise ANDed to obtain 1, and the rule is stored at the position determining List24[1], that is, the IP address having the subnet mask length of 24 is stored in the List24 of the third rule list List24 [ 1] Location.
  • each element may include a rule pointing to a singly linked list to store the corresponding subnet mask.
  • the rule is IP address 192.168.1.1 and the subnet mask is 255.255.128.0
  • the subnet mask length is 17 bits.
  • the first 16-bit binary 192.168 into the subscript 49320, it is determined that List16 [49320] is 49320 of List16, and the second rule list List17_23 linear table is hung at the position, as shown in FIG. 5, the size of the linear table is 7.
  • the IP address is stored to the 1 position, that is, stored in List17_23[1].
  • a plurality of rules may need to be stored at each position of 1-7 of the second rule list hanged at List 16 [49320], and may be hanged at each position of 1-7 of List 17_23 of the second rule list.
  • each element may include a rule that points to a unidirectional linked list to store the corresponding subnet mask.
  • the rule is IP address 192.168.1.1
  • the subnet mask is 255.255.255.128
  • the subnet mask length is 25 bits.
  • Determine the position in the List16 array by the first 16-bit binary 192.168 as the subscript, ie 49320, and the third 8-bit secondary system in 192.168.1.1 is 1, and determine the position in the first rule list List16[49320] List24[1] of the suspended third rule list List24, and the fourth rule list List25_31 hanging at the position of List24[1] finds the rule.
  • the subscript of List25_31 hanging at List24[1] is 17 (corresponding to subnet mask 2531).
  • the data packet identification process is as follows.
  • the received IP address is 192.168.1.1, and 192.168.1.1 is found in the List16[49320] position of the first rule list, and when the IP address is found, 192.168.1.1 is recognized.
  • the IP address has a subnet mask of 255.255.0.0 and a length of 16 bits.
  • the corresponding rule list is searched for by the length of the subnet mask.
  • the first rule list, the third rule list, the second rule list, and the fourth rule list may be sequentially searched, or may be followed by the first rule list, the second rule list, the third rule list, and The order of the fourth rule list is searched, starting with the first rule list.
  • the IP address is 192.168.1.1 as a decimal representation. When expressed as binary, it is 11000000.10101000.00000001.00000001, the first 16 bits 1100000010101000 are converted to decimal 49320, and the third 8 bits, 17-24 bits, are 1.
  • the process of identifying the rules including the first-level domain name, the second-level domain name, or the quintuple rule provided in this embodiment is described.
  • the rule uses the domain name as www.baidu.com, and the hash algorithm used is MurmurHash64A and murmurHash3_32 as an example.
  • the rules can be configured. As shown in Figure 7, the configuration process is as follows.
  • step 710 the first hash is obtained by hashing the rule by the first hash algorithm, and the second fingerprint is obtained by the second hash algorithm.
  • the hashing algorithm H1 and C2 are respectively hashed by the rules www.baidu.com to obtain a 4-byte hash value, that is, a fingerprint, and each rule can store two fingerprints for a total of 8 bytes.
  • C1 is the first hash algorithm
  • MurmurHash64A can be used
  • C2 is the second hash algorithm
  • murmurHash3_32 can be used.
  • step 720 when there is no hash collision, the first fingerprint is stored at a corresponding position of the first hash fingerprint corresponding to the first hash list.
  • the rule is calculated by the first hash algorithm C1MurmurHash64A to obtain an unsigned 64-bit integer first fingerprint X1, and the second hash algorithm C2murmurHash3_32 is used to calculate the rule to obtain an unsigned 32-bit integer second fingerprint X2, and the first fingerprint X1 is modeled.
  • L1 is the length of the first hash table H1.
  • step 730 when there is a hash conflict graph, it is stored in the linked list at the corresponding position of the first fingerprint of the first hash list.
  • L1 is the length of the first hash table H1.
  • the rule is calculated by C1 to obtain X1.
  • P1 is obtained, and the P1 position of H1 is linked to the linked list L; the rule is calculated by C2 to obtain X2, and X2 is subjected to mode.
  • the operation obtains P2, and increases the bit position of P2 of H2 by one. If there is a conflict record as the number of conflicts such as conflict 2 times, it is 2; it is stored at position P1 in the hash table H1. If there is a hash conflict, it is solved by hanging the linked list L at that position. The stored value represents whether the rule exists.
  • the value stored at the P2 position of H2 may represent whether a rule exists.
  • the position is dealt with 1. If there is a conflict, the record at the position is the number of conflicts such as conflict 2 times, the position is handled 2; the number of conflicts is 5 times, and the position is handled 5.
  • the identification process is as follows.
  • the data packet passes through the gateway, the data packet is extracted to extract the host domain name of the Hyper Text Transport Protocol (HTTP) layer, and the two-level hash algorithm, that is, the first hash algorithm and the second hash algorithm, are used.
  • X1 and X2 are respectively obtained, and a 32-bit integer of the P1 position in the first hash table H1 is searched for (4 bytes).
  • the 32-bit integer obtained by the P1 position of H1 is X2
  • the record is judged to exist and the www. Baidu.com, indicating that the message matches this rule. If the 32-bit integer obtained from the P1 position of H1 is not X2, it is judged whether it is empty.
  • the fourth embodiment provides a device for identifying a data packet under a massive rule.
  • the device includes: a parsing module 801 and an identifying module 802.
  • the parsing module 801 is configured to parse the received data packet, and determine that the rule carried by the data packet includes an IP address.
  • the identification module 802 is configured to identify, according to the first 16 bits of the IP address, that the IP address exists in a first rule list corresponding to a subnet mask of length 16 bits, and identify the IP address; The first 16 bits of the IP address are determined. When it is determined that the IP address does not exist in the first rule list, the corresponding rule list is determined according to the length of the subnet mask, and the IP address is identified.
  • the identification module 802 can include a first identification module 8021.
  • the first identification module 8021 is configured to use the first 16 bits of the IP address as a subscript, and search for the IP address in the first rule list. When the IP address is found, it is determined that the IP address exists. In the first rule list.
  • the identification module 802 can include a first identification module 8021, and the first identification module 8021 is configured to use the first 16 bits of the IP address as a subscript, and hang at a corresponding position of the first rule list.
  • a second rule list wherein the second rule list is a rule list of length 7 corresponding to a subnet mask of length 17 to 23 bits; and the value obtained by subtracting 16 from the length of the subnet mask is And searching for the IP address at a corresponding position of the second rule list, and identifying the IP address when the IP address is found.
  • the identification module 802 can include a first identification module 8021, and the first identification module 8021 is configured to use the first 16 bits of the IP address as a subscript, and hang at a corresponding position of the first rule list.
  • a third rule list wherein the third rule list is a rule list of length 256 corresponding to a subnet mask of length 24 bits; and the 17th to 24th bits of the subnet mask are subscripts,
  • the IP address is searched for at a corresponding location of the third rule list, and when the IP address is found, the IP address is identified.
  • the identification module 802 can include a first identification module 8021 and a second identification module 8022.
  • the first identification module 8021 is configured to use the first 16 bits of the IP address as a subscript, and the third rule list is hanged at a corresponding position of the first rule list, where the third rule list is a length a rule list of length 256 corresponding to a 24-bit subnet mask; and a subscript of the 17th to 24th bits of the subnet mask, searching for the IP at a corresponding position of the third rule list
  • the address when the IP address is found, the IP address is identified.
  • the second identification module 8022 is configured to use the 17th to 24th bits of the IP address as a subscript, and to hang the fourth rule list at a corresponding position of the third rule list, where the third rule list is according to the IP
  • the first 16 bits of the address are determined, and the fourth rule list is a rule list of length 7 corresponding to a subnet mask of length 25 to 31 bits; and the value obtained by subtracting 24 from the length of the subnet mask is And searching for the IP address at a corresponding position of the fourth rule list, and identifying the IP address when the IP address is found.
  • the apparatus can also include a rules module 803.
  • the rule module 803 is configured to: when determining that the rule carried by the data packet includes an IP address or a domain name, hashing the rule by using a first hash algorithm to obtain a first fingerprint, and using the second hash algorithm The rule performs an operation to obtain a second fingerprint, and the rule is identified according to the first fingerprint and the second fingerprint.
  • the identifying the rule according to the first fingerprint and the second fingerprint may include:
  • the first fingerprint of the first hash list is traversed
  • the rule is recognized when the rule exists in the linked list.
  • the present disclosure also provides a non-transitory computer readable storage medium storing computer executable instructions arranged to perform any of the methods described above.
  • the present disclosure also provides a hardware structure diagram of an electronic device.
  • the electronic device include:
  • At least one processor 100 which is exemplified by a processor 100 in FIG. 11; and a memory 101, may further include a communication interface 102 and a bus 103.
  • the processor 100, the communication interface 102, and the memory 101 can complete communication with each other through the bus 103.
  • Communication interface 102 can be configured to transmit information.
  • the processor 100 can call logic instructions in the memory 101 to perform the above method.
  • logic instructions in the memory 101 described above may be implemented in the form of a software functional unit and sold or used as a stand-alone product, and may be stored in a computer readable storage medium.
  • the memory 101 is a computer readable storage medium that can store software programs, computer executable programs, program instructions or modules corresponding to the methods in the present disclosure.
  • the processor 100 performs functional applications and data processing by running software programs, instructions or modules stored in the memory 101.
  • the memory 101 may include a storage program area and an storage data area, wherein the storage program area may store an operating system, an application required for at least one function; the storage data area may store data created according to usage of the device, and the like. Further, the memory 101 may include a high speed random access memory, and may also include a nonvolatile memory.
  • the integrated modules described in this disclosure if implemented in the form of software functional modules and sold or used as separate products, may also be stored in a computer readable storage medium.
  • the technical solution of the present disclosure may be embodied in the form of a software product stored in a storage medium, including one or more instructions for causing a computer device (which may be a personal computer, a server, or a network)
  • a computer device which may be a personal computer, a server, or a network
  • the device or the like performs all or part of the method of the embodiments of the present disclosure.
  • the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like, which can store a program code. .
  • the method and device for identifying a message provided by the present disclosure can improve the recognition efficiency of an aggregated IP address under a large number of rules.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

一种数据报文识别的方法,所述方法包括:解析接收到的数据报文,确定所述数据报文携带的规则包括IP地址;根据所述IP地址的前16位,确定所述IP地址存在于长度为16位的子网掩码对应的第一规则列表中时,识别到所述IP地址;以及根据所述IP地址的前16位,确定所述IP地址不存在于所述第一规则列表中时,根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别。

Description

报文识别的方法及装置 技术领域
本公开涉及通信领域,例如涉及一种报文识别的方法及装置。
背景技术
本申请发明人在实现本申请实施例技术方案的过程中,发现相关技术中存在如下技术问题。
在移动通信网关中,需要对数据报文中的因特网互联协议(Internet Protocol,IP)层、传输层以及应用层进行识别匹配,根据识别结果对应的策略对报文进行相应的处理。识别匹配以及相应的处理包括:识别数据报文四层以下IP层和传输层的内容五元组,其中,内容五元组包括:源IP地址、源端口、目的IP地址、目的端口以及协议类型;以及识别应用层的内容,根据应用层的净荷指纹识别应用的类型或内容。
针对内容五元组的识别,IP地址类规则识别主要通过类传统路由包算法,例如字典树(Trie)等。可以通过正则表达式匹配的方式对应用层进行识别。当网关处于指运营商定制的多种不同的计费规则,即海量规则,识别情景下时,相关的识别方法中,网关对报文的识别性能急剧下降,不能满足网关对报文识别效率方面的要求。因此,亟需一种海量规则下报文识别的方法,提高报文识别的效率,满足网关对报文识别效率方面的要求。
发明内容
本公开提供一种报文识别的方法及装置,能够在海量规则条件下,提高聚合IP地址的识别效率。
本公开提供一种海量规则下数据报文识别的方法,所述方法包括:
解析接收到的数据报文,确定所述数据报文携带的规则包括IP地址;
根据所述IP地址的前16位,确定所述IP地址存在于长度为16位的子网掩码对应的第一规则列表中时,识别到所述IP地址;以及
根据所述IP地址的前16位,确定所述IP地址不存在于所述第一规则列表 中时,根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别。
上述方案中,所述方法还可以包括:
以所述IP地址的前16位为下标,在所述第一规则列表中查找所述IP地址,当查找到所述IP地址时,确定所述IP地址存在于所述第一规则列表中。
上述方案中,所述根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别可以包括:
以所述IP地址的前16位为下标,在所述第一规则列表的对应位置处下挂第二规则列表,其中,所述第二规则列表为长度为17至23位的子网掩码对应的长度为7的规则列表;以及
以所述子网掩码的长度减去16得到的数值为下标,在所述第二规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
上述方案中,所述根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别可以包括:
以所述IP地址的前16位为下标,在所述第一规则列表的对应位置处下挂第三规则列表,其中,所述第三规则列表为长度为24位的子网掩码的对应的长度为256的规则列表;以及
以所述子网掩码的第17至24位为下标,在所述第三规则列表的相应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
上述方案中,所述根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别可以包括:
以所述IP地址的第17至24位为下标,在所述第三规则列表的对应位置处下挂第四规则列表,其中,所述第三规则列表根据所述IP地址的前16位确定,所述第四规则列表为长度为25至31位子网掩码对应的长度为7的规则列表;以及
以子网掩码的长度减去24得到的数值为下标,在所述第四规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
上述方案中,所述方法还可以包括:当确定所述数据报文携带的规则包括IP地址或域名时,通过第一哈希算法对所述规则进行哈希运算得到第一指纹, 通过第二哈希算法对所述规则进行运算得到第二指纹,根据所述第一指纹和所述第二指纹识别所述规则。
上述方案中,所述根据所述第一指纹和所述第二指纹识别所述规则可以包括:
将所述第二指纹和第一哈希列表的第一指纹对应位置存储的值做比较,当一致时,识别到所述规则。
上述方案中,所述根据所述第一指纹和所述第二指纹识别所述规则可以包括:
当所述第一哈希列表的第一指纹对应位置的值为非空,且第二哈希列表的第二指纹对应位置的值大于1时,遍历所述第一哈希列表的第一指纹对应位置处的链表,当所述链表中存在所述规则时,识别到所述规则。
本公开提供的一种数据报文识别的装置,所述装置包括:解析模块和识别模块;其中,
所述解析模块设置为解析接收到的数据报文,确定所述数据报文携带的规则包括IP地址;以及
所述识别模块设置为根据所述IP地址的前16位确定所述IP地址存在于长度为16位的子网掩码对应的第一规则列表中时,识别到所述IP地址;以及根据所述IP地址的前16位确定所述IP地址不存在于所述第一规则列表中时,根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别。
上述方案中,所述识别模块可以包括:第一识别模块,设置为以所述IP地址的前16位为下标,在所述第一规则列表中查找所述IP地址,当查找到所述IP地址时,确定所述IP地址存在于所述第一规则列表中。
上述方案中,所述识别模块可以包括:
第一识别模块,设置为以所述IP地址的前16位为下标,在所述第一规则列表的对应位置处下挂第二规则列表,其中,所述第二规则列表为长度为17至23位的子网掩码对应的长度为7的规则列表;以及
以子网掩码的长度减去16得到的数值为下标,在所述第二规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
上述方案中,所述识别模块可以包括:第一识别模块,设置为以所述IP地址的前16位为下标,在所述第一规则列表的对应位置处下挂第三规则列表,其中,所述第三规则列表为长度为24位的子网掩码对应的长度为256的规则列表;以及
以子网掩码的第17至24位为下标,在所述第三规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
上述方案中,所述识别模块还可以包括:第二识别模块,设置为以所述IP地址的第17至24位为下标,在所述第三规则列表的对应位置处下挂第四规则列表,其中,所述第三规则列表根据所述IP地址的前16位确定,所述第四规则列表为长度为25至31位的子网掩码对应的长度为7的规则列表;以及
以子网掩码的长度减去24得到的数值为下标,在所述第四规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
上述方案中,所述装置还可以包括:规则模块,设置为当确定所述数据报文携带的规则包括IP地址或域名时,通过第一哈希算法对所述规则进行哈希运算得到第一指纹,通过第二哈希算法对所述规则进行运算得到第二指纹,根据所述第一指纹和所述第二指纹识别所述规则。
上述方案中,所述根据所述第一指纹和所述第二指纹识别所述规则可以包括:
将所述第二指纹和第一哈希列表的第一指纹对应位置存储的值做比较,当一致时,识别到所述规则。
上述方案中,所述根据所述第一指纹和所述第二指纹识别所述规则可以包括:
当所述第一哈希列表的第一指纹对应位置的值为非空,且第二哈希列表的第二指纹对应位置的值大于1时,遍历所述第一哈希列表的第一指纹对应位置处的链表,当所述链表中存在所述规则时,识别到所述规则。
本公开还提供了一种非暂态计算机可读存储介质,存储有计算机可执行指令,所述计算机可执行指令设置为执行上述方法。
本公开还提供了一种电子设备,包括:
至少一个处理器;以及
与所述至少一个处理器通信连接的存储器;其中,
所述存储器存储有可被所述至少一个处理器执行的指令,所述指令被所述至少一个处理器执行,以使所述至少一个处理器执行上述方法。
本公开的一种数据报文识别的方法,包括:解析接收到的数据报文,确定所述数据报文携带的规则包括IP地址;根据所述IP地址的前16位,确定所述IP地址存在于长度为16位的子网掩码对应的第一规则列表中时,识别到所述IP地址;以及根据所述IP地址的前16位,确定所述IP地址不存在于所述第一规则列表中时,根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别。采用本公开的技术方案,在海量规则场景下,根据数据报文中的IP地址前16位查找长度为16位的子网掩码对应的第一规则列表,并快速找到规则在第一规则列表的位置,确定所述IP地址是否存在于第一规则列表中,如果在第一规则列表中查找到所述IP地址则查找成功,识别到该IP地址,且认为该IP地址的子网掩码为16位,识别过程结束,如果所述IP地址不存在于第一规则列表中,在与子网掩码的长度关联的除第一规则列表之外的规则列表中,对IP地址进行识别,节省识别的时间和空间,提高数据报文识别的效率。
附图说明
图1为实施例一提供的第一种数据报文识别的方法的流程示意图;
图2为实施例一提供的第二种数据报文识别的方法的流程示意图;
图3为一实施例提供的子网掩码长度为16位时规则列表的结构示意图;
图4为一实施例提供的子网掩码长度为17-23位时规则列表的结构示意图;
图5为一实施例提供的子网掩码长度为24位时规则列表的结构示意图;
图6为一实施例提供的子网掩码长度为25-31位时规则列表的结构示意图;
图7为实施例三一种数据报文识别的方法的流程示意图;
图8为实施例四提供的第一种数据报文识别的装置的结构示意图;
图9为实施例四提供的第二种海量规则下数据报文识别的装置的结构示意图;
图10为实施例四提供的第三种海量规则下数据报文识别的装置的结构示意 图;以及
图11为开实施例提供的电子设备的硬件结构示意图。
具体实施方式
下面结合附图对技术方案的实施作详细描述。
实施例一
如图1所示,实施例一提供第一种数据报文识别的方法。
在步骤110中,解析接收到的数据报文,确定所述数据报文携带的规则包括IP地址。
在步骤120中,根据所述IP地址的前16位,确定所述IP地址存在于长度为16位的子网掩码对应的第一规则列表中时,识别到所述IP地址。
本公开中N位均指N位比特,N为非负整数。
其中,子网掩码的长度为子网掩码的二进制数据中比特“1”的个数,例如,子网掩码为255.255.0.0时,子网掩码的长度为16位(比特);子网掩码为255.255.255.0时,子网掩码的长度为24位(比特),子网掩码为255.255.128.0时,则子网掩码的长度为17位(比特);以及子网掩码为255.255.255.128时,子网掩码的长度为25为(比特)。
在步骤130中,根据所述IP地址的前16位,确定所述IP地址不存在于所述第一规则列表中时,根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别。
当网关接收到数据报文时,可以对数据报文携带的多种规则进行识别,以匹配运营商定制的多种不同的计费规则,进行流量细化经营。
在步骤110中,当网关接收到数据报文时,接收到的数据报文可以包括多种规则,对接收到的数据报文进行解析,解析接收到的数据报文携带的规则,当数据报文携带的规则包括IP地址时,对所述IP地址进行识别。
在长度为16位的子网掩码对应的第一规则列表中对步骤110中解析出的IP地址进行初步匹配,例如,以所述IP地址的前16位为下标在第一规则列表中查找所述IP地址,当查找到所述IP地址时,确定所述IP地址存在于第一规则列表中,此时,识别到该IP地址,若确定所述IP地址不存在于第一规则列表中, 则执行步骤130。其中,当在第一规则列表中查找到该IP地址时,表明该IP地址的子网掩码的长度为16位。第一规则列表为长度为65536的线性列表,第一规则列表的下标依次从0-65535。
在步骤130中,以该IP地址的前16位为下标在第一规则列表中未查找到该IP地址时,表明该IP地址不存在于第一规则列表中,未识别到该IP地址,此时,可以根据子网掩码的长度确定相应的规则列表,查找与子网掩码长度关联的除第一规则列表之外的线性列表,对该IP地址进行识别。
所述根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别可以包括:以所述IP地址的前16位为下标,在所述第一规则列表的对应位置处下挂第二规则列表,其中,所述第二规则列表为长度为17至23的子网掩码对应的长度为7的规则列表;以及以所述子网掩码的长度减去16得到的数值为下标,在所述第二规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
所述根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别可以包括:以所述IP地址的前16位为下标,在所述第一规则列表的对应位置处下挂第三规则列表,其中,所述第三规则列表为长度为24位的子网掩码对应的长度为256的规则列表;以及以所述子网掩码的第17至24位为下标,在所述第三规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
所述根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别可以包括:以所述IP地址的第17至24位为下标,在所述第三列表的对应位置处下挂第四规则列表,其中,第三规则列表根据所述IP地址的前16位确定,所述第四规则列表为与长度为25至31位的子网掩码对应的长度为7的规则列表;以及以所述子网掩码的长度减去24得到的数值为下标,在所述第四规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
在该方法中,在长度为16位的子网掩码对应的第一规则列表中查找该IP地址,当第一规则列表中存在该IP地址时,识别过程结束,识别到该IP地址,且该IP地址为与长度为16位的子网掩码对应的聚合IP地址。当第一规则列表中不存在该IP地址时,根据子网掩码的长度查找相应的线性列表。
如图2所示,本方法还可以包括步骤140。在步骤140中,当确定所述数据报文携带的规则包括IP地址或域名时,通过第一哈希算法对所述规则进行哈希运算得到第一指纹,通过第二哈希算法对所述规则进行运算得到第二指纹,根据所述第一指纹和所述第二指纹识别所述规则。
IP地址可以包括聚合IP地址和精确IP地址,除了对长度为16-31位的子网掩码的聚合IP地址进行识别外,还可以对不存在子网掩码或长度为32位的子网掩码的精确IP地址进行识别,接收到的数据报文的规则还可以包括域名。
其中,聚合IP地址可以是一个IP地址段,比如,聚合IP 192.168.1.0/24代表IP地址192.168.1.0~192.168.255.255。精确IP地址可以是一个IP地址,如192.168.1.1。
如图4所示,当接收到数据报文时,对接收到的数据报文携带的规则进行识别,规则可包括IP地址以及域名等规则,但经过步骤140未识别到接收到的规则时,可根据与长度为16位的子网掩码对应的第一规则列表、与长度为17-23位的子网掩码对应的第二规则列表、与长度为24位的子网掩码对应的第三规则列表以及与长度为25-31位的子网掩码对应的第四规则列表对该IP进行识别,当识别到时,确定该IP为聚合IP。
所述根据所述第一指纹和所述第二指纹识别所述规则可包括:
(1)将所述第二指纹和第一哈希列表的第一指纹对应位置存储的值做比较,当一致时,识别到所述规则。
在规则的配置时,接收到一规则,将该规则通过第一哈希算法做哈希运算得到第一指纹(即第一哈希值X1),并通过第二哈希算法对该规则进行运算得到第二指纹(即第二哈希值X2),将得到的第二指纹存储在第一哈希表中的第一指纹对应位置P1处,其中,P1为对X1通过模运算P1=X1%L1得到,L1为第一哈希表H1的长度。在接收到数据报文,对该数据报文的精确IP地址或域名等规则进行识别时,通过第一哈希算法对该规则进行哈希运算后得到第一指纹X1,通过第二哈希算法对该规则进行运算后得到第二指纹X2,对X1做模运算P1=X1%L1得到P1,以P1为下标在第一哈希表H1的P1位置处查找是否存在X2,当存在时,则查找成功,识别到该规则。
其中,对X1通过模运算P1=X1%L1为对通过X1除以L1后取余,比如:5%2=1。
当所述第一哈希列表的第一指纹对应位置的值为非空,且第二哈希列表的第二指纹对应位置的值大于1时,遍历所述第一哈希列表的第一指纹对应位置处的链表,当所述链表中存在所述规则时,识别到所述规则。
在规则的配置时,存储(1)中的计算结果之后,接收到一规则,将该规则通过第一哈希算法做哈希运算得到第一指纹X1,则通过第二哈希算法对该规则进行运算得到第二指纹X2,此时,得到的该规则的第一指纹和第二指纹的值和(1)中的第一指纹X1和第二指纹X2的值是否相同,不同时,根据(1)中的配置方法存储计算结果,当相同时,产生哈希冲突。此时,分别对第一指纹和第二指纹做模运算P1=X1%L1,P2=X2%L2,置第一哈希列表中的P1位置处为非空,且在P1位置处下挂链表L,将经哈希运算后得到的指纹的值相同的规则存储在该链表L中,同时,将第二哈希列表中的P2位置处的值加1,为2。当首次计算得到P2时,将该位置处置1。当对接收到的规则进行识别时,通过第一哈希算法对该规则进行哈希运算得到第一指纹X1,通过第二哈希算法对该规则进行运算得到第二指纹X2,当第一哈希列表的第一指纹X1对应位置P1位置处为非空,且第二哈希列表的第二指纹对应位置P2位置处大于1时,遍历第一哈希列表H1的P1位置处下挂的链表L,当在L中查找到该规则时,则匹配到该规则,表明识别到该规则。
当不存在两个以上的规则的第一指纹的值相同时,不存在哈希冲突,则可在第一哈希列表H1中查找该规则;当存在两个以上的规则的第一指纹的值相同时,此时,发生哈希冲突,则在第一哈希列表H1的第一指纹对应位置处下挂的链表中查找该规则,其中,第二哈希列表H2中的第二指纹对应位置处的数值为冲突的记录次数。
本实施例中的第一哈希算法和第二哈希算法,可以采用MurmurHash64A以及murmurHash3_32等哈希算法。可选的,第一哈希算法和第二哈希算法可选取冲突率低的哈希算法。
采用本实施例提供的方法,对IP层和传输层的五元组识别性能分析如下:
95%的报文1次查找获得结果,5%的报文2-7次获得结果(取中值4),若采用类似Trie的路由器算法,由于32位的IP地址的每个比特(bit)都可以参与运算,即使按照子网掩码最少有16位比特计算,平均比较次数至少16次。由此可以得出算法性能的对比为(95%*1+5%*4=0.97)∶16,也就是说提升15 倍,考虑到Trie算法的运算开销大(更多的内存寻址,更多的比较和判断),真实场景下的识别性能与类似Trie的识别性能之间的差距在50-100倍之间。对第应用层的识别和相关正则表达式等算法进行对比,哈希指纹的计算比正则判断统一资源定位符(Uniform Resource Locator,URL)快10倍以上。两个指纹相同而应用层内容不同的误码率10^-8,三个误码率为10^-23,其中,^为幂符号。
除了通过精确的五元组与域名规则在概率上可以识别95%-98%的报文,还可以对2-5%的报文进行识别。而对这2-5%的报文进行识别,是因为配置的规则库中存在聚合IP地址,这种情况下,使用本实施例提供的数据报文的识别方法,通过聚合IP的规则识别报文中的五元组时,能够提高识别的效率。
实施例二
在该实施例中,以IP地址为192.168.1.1为例,通过该IP地址的子网掩码的长度分别为16位、17位、24位和25位为例,对本实施例中的聚合IP地址识别的过程进行详细说明。在识别之前,对规则的配置过程及存储过程进行说明,对192.168.1.1进行存储时,根据该IP地址携带的子网掩码的长度进行存储。
当子网掩码长度为16位时,创建如图3所示的第一规则列表List16,其中第一规则列表为线性列表,比如数组列表,大小为2^16即65536,第i位置处存储的数据可表示为List16[i],0≤i≤65535。
比如,规则为IP地址192.168.1.1,子网掩码为255.255.0.0即子网掩码长度为16位,将IP地址和子网掩码做位与运算192.168.1.1&255.255.0.0得到该IP地址的前十六位192.168.0.0,将十进制数192168转换为二进制数1100000010101000,将该二进制数转换为整数49320,以49320作为下标存储在第一规则列表的List16[49320]位置处,即存储在以IP地址的前16位为下标的第一规则列表的位置处List16[IP前16位],这个位置的指向链表的指针为空。这个位置就存储着192.168.1.1掩码长度为16位比特的这条规则。
当规则的子网掩码长度为24位,如图4所示,将该规则定位到List16[IP前16位]位置处,创建第三规则列表List24,即在该位置处下挂第三规则列表,取该规则IP地址的前面第三个8位作为List24表的下标,List24的长度为2^8即256。
比如:规则为IP地址192.168.1.1,子网掩码为255.255.255.0,子网掩码长度为24。通过IP地址的前16位二进制192.168转化为下标确定在List16数组 中的位置即49320处,可表示为List16[49320],在List16[49320]位置处下挂一个链表,即第三规则列表List24,将IP地址的第三个8位,即第17~24位比特与255的二进制数据做位与运算得到1,则在确定List24[1]的位置处存储该规则,也就是将子网掩码长度为24的IP地址存储在第三规则列表List24的List24[1]位置处。
当规则的子网掩码长度为17~23位时,如图5所示,将该规则定位到List16[IP前16位]元素节点处,在List16下面创建List17_23线性表,该线性表大小为7,元素下标为1-7(分别对应掩码17-23),每个元素可以包括指向一个单向链表存放对应子网掩码的规则。
比如,规则为IP地址192.168.1.1,子网掩码为255.255.128.0,则子网掩码长度为17位。通过前16位二进制192.168转化为下标49320,确定List16[49320]即List16的49320处,在该位置处下挂第二规则列表List17_23线性表,如图5所示,线性表的大小为7,这样通过17-16=1,将该IP地址存储到1位置处,即存储在List17_23[1]。
多个规则可能同时需要存储在List16[49320]处下挂的第二规则列表的1-7的每一个位置处,可在第二规则列表的List17_23的1-7的每个位置处下挂规则列表,如果再接收一条规则根据前16位确定位于List16[49320]处,且同时子网掩码长度也是17位,则在1的位置处继续插入规则。如图5所示,如果子网掩码长度为19位,则19-16=3,在3处下挂链表插入规则。
当规则的子网掩码长度为25~31位时,如图6所示,在第三规则列表List24下创建长度为7的第四规则列表List25_31,下标为1-7(分别对应掩码25-31),每个元素可以包括指向一个单向链表存放对应子网掩码的规则。
比如:规则为IP地址192.168.1.1,子网掩码为255.255.255.128,子网掩码长度为25位。通过前16位二进制192.168转化为下标确定在List16数组中的位置即49320处,通过192.168.1.1中第3个8位二级制为1,确定在第一规则列表List16[49320]位置处下挂的第三规则列表List24的List24[1],在List24[1]位置处下挂的第四规则列表List25_31查找所述规则。在List24[1]处下挂的List25_31的下标为17(分别对应子网掩码2531)。
通过25-24=1,确定在List25_31[1]处存储该规则。同子网掩码长度为17-23位的情况相同,多个规则可能同时需要第四规则列表的1-7的每一个位置处,因 此,可在List25_31[1]位置处下挂列表存储这样的规则。
数据报文识别过程如下。
当接收到数据报文时,接收到的IP地址为192.168.1.1,在第一规则列表的List16[49320]位置处查找192.168.1.1,当查找到该IP地址时,则识别到192.168.1.1,且该IP地址的子网掩码为255.255.0.0,长度为16位。当未识别到该IP地址时,通过子网掩码的长度查找相应的规则列表。
查找子网掩码长度为17-23位对应的第二规则列表,当查找List16[49320]位置处下挂的第二规则列表List17_23,且在List17_23[1]位置处或List17_23[1]位置处下挂的线性列表中查找到该IP时,识别到该IP地址,且子网掩码255.255.128.0,子网掩码长度为17位。
查找子网掩码长度为24位的第三规则列表,当查找List16[49320]位置处下挂的第三规则列表List24,且在List24[1]位置处查找到该IP时,识别到该IP地址,且子网掩码为255.255.255.0,子网掩码长度为24位。
查找子网掩码长度为25-31位对应的第四规则列表,确定List16[49320]位置处下挂的第三规则列表List24[1],当查找List24[1]位置处下挂的第四规则列表List25_31,且在List25_31[1]位置处或List25_31[1]位置处下挂的线性列表查找到该IP时,识别到该IP地址,且当子网掩码为255.255.255.128时,子网掩码长度为25位。
本方案中,可以依次按照第一规则列表、第三规则列表、第二规则列表以及第四规则列表的顺序进行查找,也可以依次按照第一规则列表、第二规则列表、第三规则列表以及第四规则列表的顺序进行查找,以第一规则列表为首。
IP地址是192.168.1.1为十进制的表示,当表示为二进制时为11000000.10101000.00000001.00000001,前十六位1100000010101000转换为十进制为49320,第3个8位即17-24位为1。
实施例三
在实施例三中,对本实施例提供的包括一级域名、二级域名或五元组规则等规则的识别过程进行说明。其中,规则以域名为www.baidu.com,采用的哈希算法为MurmurHash64A,murmurHash3_32为例进行说明。
在规则的识别之前,可以进行规则的配置,如图7所示,配置过程如下。
在步骤710中,通过第一哈希算法对规则进行哈希运算得到第一指纹,通过第二哈希算法对规则进行运算得到第二指纹。
对规则www.baidu.com分别通过哈希(hash)算法C1、C2进行哈希运算分别得到一个4字节的哈希值即指纹,每条规则可以存储两个指纹共计8字节。C1为第一哈希算法,可以采用MurmurHash64A,C2为第二哈希算法,可以采用murmurHash3_32。
在步骤720中,未存在哈希冲突时,将第一指纹存储在第一哈希指纹对应第一哈希列表的对应位置处。
将规则通过第一哈希算法C1MurmurHash64A计算得到无符号64位整数第一指纹X1,通过第二哈希算法C2murmurHash3_32对规则进行计算得到无符号32位整数第二指纹X2,将第一指纹X1作模运算P1=X1%L1得到P1,将第二指纹X2存储到第一哈希表H1中,存储的位置为H1[P1]位置处。L1为第一哈希表H1的长度。
在步骤730中,存在哈希冲突图时,存储在第一哈希列表的第一指纹对应位置处下挂的链表中。
如果发生哈希冲突时,则在H1[P1]位置处下挂链表L来解决冲突。将规则存储在链表L中,并且将第二指纹X2作模运算P2=X2%L2得到P2,将第二哈希表H2的H2[P2]的值加1。L1为第一哈希表H1的长度。
在本方案中,当不存在哈希冲突时,将规则通过第一哈希算法C1哈希算法计算得到X1,通过对X1取余P1=X1%L1确定位置P1,其中,L1为哈希表H1长度;通过第二哈希算法C2对规则进行计算得到无符号32位整数X2,将X2存储到哈希表H1的位置P1处。存在哈希冲突时,将规则通过C1计算得到X1,通过对X1取余P=X1%L1得到P1,将H1的P1位置处下挂链表L;将规则经过C2计算得到X2,将X2经过模运算(取余运算)得到P2,将H2的P2的位位置加1。如果有冲突记录为冲突次数比如冲突2次,就是2;存储到哈希表H1中的位置P1处。如果存在哈希冲突则通过在该位置下挂链表L解决。置存储的值代表规则是否存在。
H2的P2位置处存储的值可以代表规则是否存在。当首次计算得到P2时,将该位置处置1,如果有冲突则该位置处的记录为冲突次数比如冲突2次,该位置处置2;冲突次数5次,该位置处置5。
识别过程如下。
当数据报文经过网关,解析数据报文提取网关超文本传输协议(Hyper Text Transport Protocol,HTTP)层的主机域名,利用上述两级哈希算法即第一哈希算法和第二哈希算法,分别得到X1和X2,查找第一哈希表H1中P1位置的32位整数即(4个字节),当H1的P1位置获取的32位整数为X2时,判断记录存在,识别到www.baidu.com,说明该报文匹配到此规则。如果从H1的P1位置获取的32位整数不为X2时,判断是否为空,如果不为空,且H2中的P2位置处是够大于1,当大于1时,遍历H1中P位置处下挂的链表L,当查找到www.baidu.com时,识别到www.baidu.com,说明该报文匹配到此规则。
实施例四
为实现上述方法,本实施例四提供一种海量规则下数据报文识别的装置,如图8所示,所述装置包括:解析模块801和识别模块802。
解析模块801设置为解析接收到的数据报文,确定所述数据报文携带的规则包括IP地址。
识别模块802设置为根据所述IP地址的前16位,确定所述IP地址存在于长度为16位的子网掩码对应的第一规则列表中时,识别到所述IP地址;以及根据所述IP地址的前16位,确定所述IP地址不存在于所述第一规则列表中时,根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别。
如图9所示,识别模块802可以包括第一识别模块8021。第一识别模块8021设置为以所述IP地址的前16位为下标,在所述第一规则列表中查找所述IP地址,当查找到所述IP地址时,确定所述IP地址存在于第一规则列表中。
如图9所示,识别模块802可以包括第一识别模块8021,第一识别模块8021设置为以所述IP地址的前16位为下标,在所述第一规则列表的对应位置处下挂第二规则列表,其中,所述第二规则列表为长度为17至23位的子网掩码对应的长度为7的规则列表;以及以子网掩码的长度减去16得到的数值为下标,在所述第二规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
参见图9,识别模块802可以包括第一识别模块8021,第一识别模块8021设置为以所述IP地址的前16位为下标,在所述第一规则列表的对应位置处下挂 第三规则列表,其中,所述第三规则列表为长度为24位的子网掩码对应的长度为256的规则列表;以及以所述子网掩码的第17至24位为下标,在所述第三规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
参见图10,识别模块802可以包括第一识别模块8021和第二识别模块8022。其中,第一识别模块8021设置为以所述IP地址的前16位为下标,在所述第一规则列表的对应位置处下挂第三规则列表,其中,所述第三规则列表为长度为24位的子网掩码对应的长度为256的规则列表;以及以所述子网掩码的第17至24位为下标,在所述第三规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
第二识别模块8022设置为以所述IP地址的第17至24位为下标,在所述第三规则列表的对应位置处下挂第四规则列表,其中,第三规则列表根据所述IP地址的前16位确定,所述第四规则列表为长度为25至31位的子网掩码对应的长度为7的规则列表;以及以子网掩码的长度减去24得到的数值为下标,在所述第四规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
所述装置还可以包括规则模块803。规则模块803设置为当确定所述数据报文携带的规则包括IP地址或域名时,通过第一哈希算法对所述规则进行哈希运算得到第一指纹,通过第二哈希算法对所述规则进行运算得到第二指纹,根据所述第一指纹和所述第二指纹识别所述规则。
其中,所述根据所述第一指纹和所述第二指纹识别所述规则可以包括:
将所述第二指纹和第一哈希列表的第一指纹对应位置存储的值做比较,当一致时,识别到所述规则。
当所述第一哈希列表的第一指纹对应位置的值为非空,且第二哈希列表的第二指纹对应位置的值大于1时,遍历所述第一哈希列表的第一指纹对应位置处的链表,当所述链表中存在所述规则时,识别到所述规则。
本公开还提供了一种非暂态计算机可读存储介质,存储有计算机可执行指令,所述计算机可执行指令设置为执行上述任一方法。
本公开还提供了一种电子设备的硬件结构示意图。参见图11,该电子设备 包括:
至少一个处理器(processor)100,图11中以一个处理器100为例;和存储器(memory)101,还可以包括通信接口(Communications Interface)102和总线103。其中,处理器100、通信接口102、存储器101可以通过总线103完成相互间的通信。通信接口102可以设置为传输信息。处理器100可以调用存储器101中的逻辑指令,以执行上述方法。
此外,上述的存储器101中的逻辑指令可以通过软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。
存储器101作为一种计算机可读存储介质,可存储软件程序、计算机可执行程序,如本公开中方法对应的程序指令或模块。处理器100通过运行存储在存储器101中的软件程序、指令或模块,从而执行功能应用以及数据处理。
存储器101可包括存储程序区和存储数据区,其中,存储程序区可存储操作系统、至少一个功能所需的应用程序;存储数据区可存储根据设备的使用所创建的数据等。此外,存储器101可以包括高速随机存取存储器,还可以包括非易失性存储器。
本公开所述集成的模块如果以软件功能模块的形式实现并作为独立的产品销售或使用时,也可以存储在一个计算机可读取存储介质中。
本公开的技术方案本质上可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括一个或多个指令用以使得一台计算机设备(可以是个人计算机、服务器、或者网络设备等)执行本公开实施例所述方法的全部或部分。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等多种可以存储程序代码的介质。
工业实用性
本公开提供的报文识别的方法及装置,能够在海量规则条件下,提高聚合IP地址的识别效率。

Claims (17)

  1. 一种数据报文识别的方法,包括:
    解析接收到的数据报文,确定所述数据报文携带的规则包括IP地址;
    根据所述IP地址的前16位,确定所述IP地址存在于长度为16位的子网掩码对应的第一规则列表中时,识别到所述IP地址;以及
    根据所述IP地址的前16位,确定所述IP地址不存在于所述第一规则列表中时,根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别。
  2. 根据权利要求1所述的方法,还包括:
    以所述IP地址的前16位为下标,在所述第一规则列表中查找所述IP地址,当查找到所述IP地址时,确定所述IP地址存在于所述第一规则列表中。
  3. 根据权利要求1所述的方法,其中,所述根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别包括:
    以所述IP地址的前16位为下标,在所述第一规则列表的对应位置处下挂第二规则列表,其中,所述第二规则列表为长度为17至23位的子网掩码对应的长度为7的规则列表;以及
    以所述子网掩码的长度减去16得到的数值为下标,在所述第二规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
  4. 根据权利要求1所述的方法,其中,所述根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别包括:
    以所述IP地址的前16位为下标,在所述第一规则列表的对应位置处下挂第三规则列表,其中,所述第三规则列表为长度为24位的子网掩码对应的长度为256的规则列表;以及
    以所述子网掩码的第17至24位为下标,在所述第三规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
  5. 根据权利要求4所述的方法,其中,所述根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别包括:
    以所述IP地址的第17至24位为下标,在所述第三规则列表的对应位置处下挂第四规则列表,其中,所述第三规则列表根据所述IP地址的前16位确定,所述第四规则列表为子网掩码的长度为25至31对应的长度为7的规则列表;以及
    以子网掩码的长度减去24得到的数值为下标,在所述第四规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
  6. 根据权利要求1所述的方法,还包括:当确定所述数据报文携带的规则包括IP地址或域名时,通过第一哈希算法对所述规则进行哈希运算得到第一指纹,通过第二哈希算法对所述规则进行运算得到第二指纹,根据所述第一指纹和所述第二指纹识别所述规则。
  7. 根据权利要求6所述的方法,其中,所述根据所述第一指纹和所述第二指纹识别所述规则包括:
    将所述第二指纹和第一哈希列表的第一指纹对应位置存储的值做比较,当一致时,识别到所述规则。
  8. 根据权利要求7所述的方法,其中,所述根据所述第一指纹和所述第二指纹识别所述规则包括:
    当所述第一哈希列表的第一指纹对应位置的值为非空,且第二哈希列表的第二指纹对应位置的值大于1时,遍历所述第一哈希列表的第一指纹对应位置处的链表,当所述链表中存在所述规则时,识别到所述规则。
  9. 一种数据报文识别的装置,包括:解析模块和识别模块;其中,
    所述解析模块设置为解析接收到的数据报文,确定所述数据报文携带的规 则包括IP地址;以及
    所述识别模块设置为根据所述IP地址的前16位,确定所述IP地址存在于长度为16位的子网掩码对应的第一规则列表中时,识别到所述IP地址;以及根据所述IP地址的前16位确定所述IP地址不存在于所述第一规则列表中时,根据所述子网掩码的长度确定相应的规则列表,对所述IP地址进行识别。
  10. 根据权利要求9所述的装置,其中,所述识别模块包括:第一识别模块,设置为以所述IP地址的前16位为下标,在所述第一规则列表中查找所述IP地址,当查找到所述IP地址时,确定所述IP地址存在于所述第一规则列表中。
  11. 根据权利要求9所述的装置,其中,所述识别模块包括:
    第一识别模块,设置为以所述IP地址的前16位为下标,在所述第一规则列表的对应位置处下挂第二规则列表,其中,所述第二规则列表为长度为17至23位的子网掩码对应的长度为7的规则列表;以及
    以所述子网掩码的长度减去16得到的数值为下标,在所述第二规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
  12. 根据权利要求9所述的装置,其中,所述识别模块包括:第一识别模块,设置为以所述IP地址的前16位为下标,在所述第一规则列表的对应位置处下挂第三规则列表,其中,所述第三规则列表为长度为24位的子网掩码对应的长度为256的规则列表;以及
    以子网掩码的第17至24位为下标,在所述第三规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
  13. 根据权利要求12所述的装置,其中,所述识别模块还包括:第二识别模块,设置为以所述IP地址的第17至24位为下标,在所述第三规则列表的对应位置处下挂第四规则列表,其中,所述第三规则列表根据所述IP地址的前16 位确定,所述第四规则列表为长度为25至31位的子网掩码对应的长度为7的规则列表;以及
    以子网掩码的长度减去24得到的数值为下标,在所述第四规则列表的对应位置处查找所述IP地址,当查找到所述IP地址时,识别到所述IP地址。
  14. 根据权利要求9所述的装置,还包括:规则模块,设置为当确定所述数据报文携带的规则包括IP地址或域名时,通过第一哈希算法对所述规则进行哈希运算得到第一指纹,通过第二哈希算法对所述规则进行运算得到第二指纹,根据所述第一指纹和所述第二指纹识别所述规则。
  15. 根据权利要求14所述的装置,其中,所述根据所述第一指纹和所述第二指纹识别所述规则包括:
    将所述第二指纹和第一哈希列表的第一指纹对应位置存储的值做比较,当一致时,识别到所述规则。
  16. 根据权利要求14所述的装置,其中,所述根据所述第一指纹和所述第二指纹识别所述规则包括:
    当所述第一哈希列表的第一指纹对应位置的值为非空,且第二哈希列表的第二指纹对应位置的值大于1时,遍历所述第一哈希列表的第一指纹对应位置处的链表,当所述链表中存在所述规则时,识别到所述规则。
  17. 一种非暂态计算机可读存储介质,存储有计算机可执行指令,所述计算机可执行指令设置为执行权利要求1-8中任一项的方法。
PCT/CN2017/077126 2016-03-18 2017-03-17 报文识别的方法及装置 WO2017157335A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610156886.8 2016-03-18
CN201610156886.8A CN107204891A (zh) 2016-03-18 2016-03-18 一种海量规则下报文识别的方法及装置

Publications (1)

Publication Number Publication Date
WO2017157335A1 true WO2017157335A1 (zh) 2017-09-21

Family

ID=59850592

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/077126 WO2017157335A1 (zh) 2016-03-18 2017-03-17 报文识别的方法及装置

Country Status (2)

Country Link
CN (1) CN107204891A (zh)
WO (1) WO2017157335A1 (zh)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111343153A (zh) * 2020-02-10 2020-06-26 Oppo(重庆)智能科技有限公司 数据包检测方法、装置、服务器及存储介质
CN112199175A (zh) * 2020-04-02 2021-01-08 支付宝(杭州)信息技术有限公司 一种任务队列生成方法、装置及设备

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110351397B (zh) * 2019-05-30 2022-06-14 湖北微源卓越科技有限公司 一种匹配ip网段的方法及装置
CN112491901B (zh) * 2020-11-30 2023-03-24 北京锐驰信安技术有限公司 一种网络流量精细化筛选装置及方法
CN115865459B (zh) * 2022-11-25 2023-06-27 南京信息工程大学 一种基于二次特征提取的网络流量异常检测方法及系统

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1553655A (zh) * 2003-05-29 2004-12-08 华为技术有限公司 构造路由表及用其查找路由项的方法
CN1719769A (zh) * 2004-07-09 2006-01-11 杭州华为三康技术有限公司 在网络设备中对接收数据包进行分类的方法
US20100040067A1 (en) * 2008-08-13 2010-02-18 Lucent Technologies Inc. Hash functions for applications such as network address lookup
CN102232219A (zh) * 2010-01-26 2011-11-02 华为技术有限公司 关键字存储、查找的方法及装置
CN102984071A (zh) * 2012-12-31 2013-03-20 武汉烽火网络有限责任公司 分段地址路由的路由表组织方法及查找路由的方法

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1553655A (zh) * 2003-05-29 2004-12-08 华为技术有限公司 构造路由表及用其查找路由项的方法
CN1719769A (zh) * 2004-07-09 2006-01-11 杭州华为三康技术有限公司 在网络设备中对接收数据包进行分类的方法
US20100040067A1 (en) * 2008-08-13 2010-02-18 Lucent Technologies Inc. Hash functions for applications such as network address lookup
CN102232219A (zh) * 2010-01-26 2011-11-02 华为技术有限公司 关键字存储、查找的方法及装置
CN102984071A (zh) * 2012-12-31 2013-03-20 武汉烽火网络有限责任公司 分段地址路由的路由表组织方法及查找路由的方法

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111343153A (zh) * 2020-02-10 2020-06-26 Oppo(重庆)智能科技有限公司 数据包检测方法、装置、服务器及存储介质
CN112199175A (zh) * 2020-04-02 2021-01-08 支付宝(杭州)信息技术有限公司 一种任务队列生成方法、装置及设备
CN112199175B (zh) * 2020-04-02 2024-05-17 支付宝(杭州)信息技术有限公司 一种任务队列生成方法、装置及设备

Also Published As

Publication number Publication date
CN107204891A (zh) 2017-09-26

Similar Documents

Publication Publication Date Title
WO2017157335A1 (zh) 报文识别的方法及装置
CN109617927B (zh) 一种匹配安全策略的方法及装置
US20240297889A1 (en) Automatic inline detection based on static data
US7110540B2 (en) Multi-pass hierarchical pattern matching
CN110493208B (zh) 一种多特征的dns结合https恶意加密流量识别方法
US7949683B2 (en) Method and apparatus for traversing a compressed deterministic finite automata (DFA) graph
US20150242429A1 (en) Data matching based on hash table representations of hash tables
CN1881950B (zh) 使用频谱分析的分组分类加速
US7930516B1 (en) Linked list traversal with reduced memory accesses
US20160048585A1 (en) Bloom filter with memory element
CN105162626B (zh) 基于众核处理器的网络流量深度识别系统及识别方法
US20110016154A1 (en) Profile-based and dictionary based graph caching
WO2020209085A1 (ja) 登録システム、登録方法及び登録プログラム
CN107979581B (zh) 僵尸特征的检测方法和装置
US20170310694A1 (en) Malicious communication pattern extraction apparatus, malicious communication pattern extraction method, and malicious communication pattern extraction program
US11463360B2 (en) System and method for range matching
US20080313708A1 (en) Data content matching
CN104462396B (zh) 字符串处理方法和装置
US11088991B2 (en) Firewall device to automatically select a rule required for each individual web server
WO2015104061A1 (en) Method and apparatus for generating a plurality of indexed data fields
WO2017145898A1 (en) Real-time validation of json data applying tree graph properties
CN112839055B (zh) 面向tls加密流量的网络应用识别方法、装置及电子设备
WO2020019524A1 (zh) 数据处理方法及装置
JP2012175296A (ja) 通信分類装置及び方法
US20240073240A1 (en) Suspicious communication detection apparatus, suspicious communication detection method, and suspicious communication detection program

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17765877

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 17765877

Country of ref document: EP

Kind code of ref document: A1