
CN101060492A - Talk detection method and talk detection system - Google Patents

Talk detection method and talk detection system

Info

Publication number: CN101060492A
Authority: CN (China)
Prior art keywords: feature, message, session, detection, protocol
Legal status: Granted
Application number: CNA2007101060175A
Other languages: Chinese (zh)
Other versions: CN101060492B (en)
Inventor: 胡华强
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd

Events:

  • Application filed by Hangzhou H3C Technologies Co Ltd
  • Priority to CN2007101060175A (CN101060492B)
  • Publication of CN101060492A
  • Priority to PCT/CN2007/071119 (WO2008061483A1)
  • Priority to US12/347,534 (US8060633B2)
  • Application granted
  • Publication of CN101060492B
  • Current legal status: Expired - Fee Related
  • Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosed session detection method comprises: performing deep inspection on a received message; for each unprocessed feature found, identifying whether it can occur at an identified protocol layer of the session the message belongs to and, if so, identifying the feature; if the feature matches a predefined protocol, generating corresponding identified-protocol information for the session; if the unprocessed feature matches a predefined feature that remains in effect for subsequent messages of the session, generating a corresponding identified-feature plug-in hook point; and outputting the generated identified-protocol information and identified-feature hook point to the session's recognition result record; otherwise discarding the feature. The invention improves the accuracy of session detection and system performance.

Description

Session detection method and session detection system
Technical field
The present invention relates to the field of network technology, and in particular to a session detection method and a session detection system.
Background technology
At present, network technology is developing from simple data-transmission networks toward managed application networks, so the demand for detecting sessions in the network keeps growing, for purposes such as bandwidth management, quality of service (QoS) detection, intrusion prevention/detection, anti-virus, information filtering and load balancing. To achieve these goals, detection is mainly carried out in the following two aspects:
1. Detecting and identifying the application protocol a session belongs to. This requires analyzing the various data fields of specific protocols in advance, so that sessions can be classified and identified by protocol. For example, to implement bandwidth management, the application protocol of each session must be identified; the data in the session can then be rate-limited and scheduled according to the bandwidth the user has configured for that application.
2. Detecting and identifying the features of packets within a session, so that measures can be taken once such packets are caught; this usually appears as the deep inspection function of a network device. For example, a typical intrusion prevention system / intrusion detection system (IPS/IDS) uses a feature database built from regular expressions to recognize whether packets transmitted on the network carry attack signatures, and further blocks packets carrying attack signatures and alerts the user.
These two aspects of detection are in fact related. On the one hand, already-identified features can improve the accuracy and flexibility of protocol identification: identifying a protocol by its handshake feature rather than by a fixed port, as in the prior art, frees protocol identification from the constraints of the configured port range, so the result is more reliable and accurate. On the other hand, the already-identified protocol and protocol hierarchy can improve the accuracy and flexibility of feature detection: attack signatures are usually data features carried over a specific protocol, so searching for them only in sessions of that protocol effectively reduces false positives and, since attack-signature detection need not run on every session, improves detection performance.
Further, in practice it is often necessary to reassemble and capture the data stream of a specific application session in order to detect session features more accurately, or to perform content analysis, auditing and management, such as reassembling the data of an e-mail attachment to obtain the complete attachment for virus scanning. Because the data stream to be captured and reassembled is normally carried by a specific protocol and identified by a specific feature (an e-mail attachment, for instance, is carried by a mail transfer protocol and identified by an attachment feature within the session), data capture and reassembly can be based on the results of protocol and feature detection.
In practice, however, most layer 4-7 (transport/session/presentation/application layer) devices implement the above functions in relative isolation, so neither protocol identification nor feature detection is flexible or accurate enough. Overall, no technical solution currently fuses protocol detection and feature detection organically, and none performs data capture and reassembly based on the results of protocol identification and attack-signature detection.
Summary of the invention
The purpose of the invention is to provide a session detection method and a session detection system that solve the problem of feature detection and protocol detection being relatively separated in the prior art.
To achieve this, embodiments of the invention provide a session detection method in which a received message that needs to be detected undergoes deep inspection, and whenever an unprocessed feature is detected the following steps are carried out:
Step 1: identify whether the unprocessed feature can occur at an identified protocol layer of the session the message belongs to; if so, proceed to the next step, otherwise discard the unprocessed feature;
Step 2: identify the unprocessed feature. When it matches a predefined protocol, generate corresponding identified-protocol information for the session; when it matches a predefined feature that remains in effect for subsequent messages of the session, generate a corresponding identified-feature plug-in hook point for the session on that predefined feature;
Step 3: output the generated identified-protocol information and identified-feature plug-in hook point to the session's recognition result record.
Embodiments of the invention also provide a session detection system, comprising:
a session recognition result recording module, used to store identified-protocol information and identified-feature plug-in hook points;
a deep inspection module, used to receive messages and perform deep inspection;
a feature filtering module, used to filter the matched features returned by the deep inspection module, removing features that cannot occur at an identified protocol layer;
a feature derivation module, used to receive the matched features after filtering, generate corresponding identified-protocol information and identified-feature plug-in hook points, and output them to the session recognition result recording module; it is also used to process the message by triggering predefined protocol processing functions and predefined feature plug-ins through feature match instructions or hook points.
As the above shows, embodiments of the invention use features to identify protocols and use the identified protocols as the environment and filter condition for feature detection, with the following benefits:
1. improved accuracy and flexibility of session detection;
2. improved system performance of session detection.
The technical solution of the invention is described in further detail below with reference to the drawings and embodiments.
Description of drawings
Fig. 1 is a flow chart of embodiment 1 of the session detection method provided by the invention;
Fig. 2 is a flow chart of a preferred embodiment of the session detection method provided by the invention;
Fig. 3 is a block diagram of embodiment 1 of the session detection system provided by the invention;
Fig. 4 is a block diagram of embodiment 2 of the session detection system provided by the invention;
Fig. 5 is a block diagram of embodiment 3 of the session detection system provided by the invention.
Embodiment
To combine protocol identification and feature identification effectively, embodiments of the invention provide a session detection method and a session detection system that use feature identification to discover protocols and, at the same time, use the protocol identification result as a more precise environment for feature identification. They are described in turn below.
Referring to Fig. 1, the flow chart of embodiment 1 of the session detection method comprises the following steps:
Step 101: perform deep inspection on a received message that needs to be detected.
As a characteristic of the invention, in order to combine feature identification with protocol identification, the feature format is defined as protocol options for the Internet Protocol (IP), the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), the Internet Control Message Protocol (ICMP) and the like, together with a regular expression, and is compatible with the detection rule definition format of the widely deployed open-source network intrusion detection system Snort. Here a feature (signature) means a data pattern of packets on the network; the packets of a particular attack, for example, have data patterns different from those of packets carrying ordinary decoded information. On the basis of the Snort rule definition format, the invention extends the information a feature carries: each feature carries the protocol layer it belongs to, so that once deep inspection has detected it, the feature's own information, namely its protocol layer and the regular expression it specifies, meets the needs of the subsequent fused protocol and feature discovery.
Step 102: for a detected unprocessed feature, identify whether it can occur at an identified protocol layer of the session the message belongs to; if so, go to step 104, otherwise go to step 103;
The identified protocol layers are the protocol layers at which features have been identified by earlier detection of messages in the session. There may be several such layers: if, for example, the HTTP protocol layer has been identified on top of the TCP protocol layer, then identifying whether the unprocessed feature can occur at an identified protocol layer of the session includes identifying whether it can occur at either the TCP or the HTTP protocol layer.
By using the protocol identification result as the environment for feature detection, this step avoids pointless further identification. For example, when the protocol layer of the message is the Secure Socket Layer (SSL) protocol, the data are encrypted, so attack signatures essentially cannot be recognized in the session under the SSL protocol, and no further feature detection is needed.
Step 103: discard the unprocessed feature, and go to step 108;
As can be seen, filtering and discarding unprocessed features by protocol avoids further identification and detection and improves the performance of the detection system; features that still need identification continue with the unprocessed-feature identification steps 104 to 108.
To identify unprocessed features, the session detection system must know all the predefined features and predefined protocols corresponding to the above features and perform identification by matching, which can be realized with the prior art. A predefined protocol may also include a processing function, and a predefined feature may also include hook code, to facilitate further processing after identification.
To fuse protocols and features effectively, the invention divides features into two types:
One type is features used for protocol discovery; once such a feature is found, the identified layers of the session can be extended. Specifically, with IP/TCP/UDP/ICMP as root protocols, many protocol discovery features can be defined on each protocol, and these features are used to discover new protocols. For example, features defined on the identified protocol layer TCP can identify the File Transfer Protocol (FTP), the Simple Mail Transfer Protocol (SMTP) and so on; finding such a feature through further identification after deep inspection means that a new protocol, FTP or SMTP, has been discovered on the TCP layer. New protocol discovery features are in turn defined on the newly found protocol, so the layer-by-layer definition of protocol discovery progressively narrows the environment and conditions of feature detection.
The other type is trigger/report features, such as attack signatures or features used for data reassembly and capture; each is defined on a particular protocol layer and can trigger the corresponding function to process the message.
Further, the session detection system can be made aware of all the predefined features and predefined protocols corresponding to the above features by means of a preset protocol and feature database, and the type of an unprocessed feature is then identified by matching against it. This preset protocol and feature database can record a large number of predefined protocol processing functions and predefined feature plug-ins for identification, detection and the corresponding triggered processing. A predefined protocol processing function is triggered by a protocol match instruction; a predefined feature plug-in is a set of hook code which, triggered by a feature match instruction or a hook point, provides processing functions for the message feature that triggered the plug-in. In this embodiment, the definition of a feature's type can likewise be stored in the protocol and feature database as part of the protocol and feature attributes.
The specific identification and detection steps comprise:
Step 104: identify whether the unprocessed feature matches a predefined protocol; if so, generate corresponding identified-protocol information for the session and go to step 105; otherwise go to step 106;
Step 105: output the identified-protocol information to the session's recognition result record;
In general, the identified-protocol information can be the protocol ID in the protocol library; the execution functions actually required for protocol processing are then statically recorded in the protocol structure of the protocol and feature database and take effect for any message and session corresponding to that protocol ID.
As can be seen, by recording identified-protocol information and calling identified-protocol functions, protocols are no longer identified by port number as in the prior art, but layer by layer according to concrete features, which realizes accurate and flexible protocol identification.
Step 106: identify whether the unprocessed feature matches a predefined feature; if so, go to step 107, otherwise go to step 109;
When the unprocessed feature is identified as matching a predefined feature, an identification signature may also be generated; together with the identified-protocol information generated in step 104, this identification signature can be sent to a control center as the processing data of the current message, for monitoring the operation of message detection.
Step 107: identify whether the matched predefined feature remains in effect for subsequent messages of the session; if so, generate a corresponding identified-feature plug-in hook point for the session on the predefined feature and go to step 108; otherwise go to step 109;
Step 108: output the identified-feature plug-in hook point to the session's recognition result record;
It should be noted that not every match of a predefined feature generates a feature plug-in hook point on that predefined feature. A given feature may apply to several sessions simultaneously, so when the return code after execution indicates that stream capture or processing is to be performed on subsequent messages of the session, a processing interface must be provided to guarantee that processing of that particular session takes effect; in that case a feature plug-in hook point is generated for the session on the corresponding predefined feature in the protocol and feature database. Conversely, when the return code indicates that the predefined feature takes effect only for the current message, the corresponding feature plug-in in the protocol and feature database is simply called and executed directly, and no hook point needs to be generated to process subsequent messages.
Further, by outputting the hook point to the recognition result record, for example by establishing in the record a pointer to the hook point, subsequent messages can trigger the hook code in the protocol and feature database, in association with their session, without being detected again, so that message processing is carried out continuously.
Steps 104 to 108 are illustrated in the order of first detecting a match with a predefined protocol and then detecting a match with a predefined feature, but those skilled in the art will understand that the technical solution of the invention can be realized as long as the type of the unprocessed feature is detected, regardless of the detection order; in other words, any equivalent steps that detect the type of the unprocessed feature and take the corresponding hook operation may replace steps 104 to 108.
Step 109: check whether another unidentified feature was detected; if so, perform step 102 on that feature; otherwise detection of this session message is finished and detection of the next session message can proceed.
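Steps 101 to 109 above, worked through as an added Python example (this is not code from the patent or from H3C): features are written in a Snort-style rule syntax and carry the protocol layer they belong to, the session's recognition result record starts with the root protocol TCP, protocol discovery features extend that record, and a trigger feature that stays in effect for later messages produces a hook point. The option names layer, discovers and persistent, the rule texts and the message payloads are constructed for the example; the patent specifies none of them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Feature:
    name: str
    layer: str                # protocol layer the feature is defined on (the patent's extension)
    pattern: re.Pattern
    discovers: Optional[str]  # set => protocol discovery feature naming the new protocol
    persistent: bool          # trigger feature that stays in effect for later messages


@dataclass
class SessionRecord:
    """Recognition result record of one session; steps 105 and 108 write into it."""
    protocols: List[str] = field(default_factory=lambda: ["TCP"])  # root protocol layer
    hook_points: List[str] = field(default_factory=list)
    signatures: List[str] = field(default_factory=list)


_RULE = re.compile(r"^\w+\s+\w+\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((?P<opts>.*)\)\s*$")


def parse_rule(text: str) -> Feature:
    """Parse one Snort-style rule.  'layer', 'discovers' and 'persistent' are
    assumed option names for the patent's extension; sample values contain no ';'."""
    m = _RULE.match(text)
    if m is None:
        raise ValueError(f"malformed rule: {text!r}")
    opts: Dict[str, str] = {}
    for item in m.group("opts").split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return Feature(
        name=opts["msg"],
        layer=opts["layer"],
        pattern=re.compile(opts["pcre"].strip("/").encode()),
        discovers=opts.get("discovers"),
        persistent="persistent" in opts,
    )


# Constructed sample protocol and feature database (not taken from the patent).
RULES = [
    'alert tcp any any -> any 25 (msg:"smtp-banner"; pcre:"/^220 .*SMTP/"; layer:TCP; discovers:SMTP;)',
    'alert tcp any any -> any 21 (msg:"ftp-banner"; pcre:"/^220 .*FTP/"; layer:TCP; discovers:FTP;)',
    'alert tcp any any -> any 443 (msg:"ssl-hello"; pcre:"/^\\x16\\x03/"; layer:TCP; discovers:SSL;)',
    'alert tcp any any -> any 25 (msg:"smtp-attachment"; pcre:"/Content-Disposition: attachment/"; layer:SMTP; persistent;)',
    'alert tcp any any -> any 21 (msg:"ftp-retr"; pcre:"/^RETR /"; layer:FTP;)',
]
FEATURE_DB = [parse_rule(r) for r in RULES]


def deep_inspect(payload: bytes, db: List[Feature] = FEATURE_DB) -> List[Feature]:
    """Step 101: every feature whose pattern occurs in the payload, before filtering."""
    return [f for f in db if f.pattern.search(payload)]


def detect_message(session: SessionRecord, payload: bytes,
                   db: List[Feature] = FEATURE_DB) -> List[Tuple[str, str]]:
    """Steps 102 to 109 for one message; returns the actions taken, in order."""
    actions: List[Tuple[str, str]] = []
    for feat in deep_inspect(payload, db):
        # Steps 102/103: a feature only counts on a protocol layer this session has
        # already identified; anything else is discarded without further work.
        if feat.layer not in session.protocols:
            actions.append(("discard", feat.name))
            continue
        if feat.discovers:
            # Steps 104/105: protocol discovery extends the identified layers, so
            # features defined on the new layer become applicable from here on.
            if feat.discovers not in session.protocols:
                session.protocols.append(feat.discovers)
            actions.append(("protocol", feat.discovers))
            continue
        # Step 106: trigger feature; keep an identification signature for the record.
        session.signatures.append(feat.name)
        if feat.persistent:
            # Steps 107/108: in effect for later messages, so store a hook point.
            if feat.name not in session.hook_points:
                session.hook_points.append(feat.name)
            actions.append(("hook", feat.name))
        else:
            actions.append(("trigger", feat.name))
    return actions


def demo() -> SessionRecord:
    """Constructed SMTP session: the banner discovers SMTP, the attachment feature
    then applies and gets a hook point, and an FTP-layer feature seen in the same
    session is discarded because FTP was never identified."""
    s = SessionRecord()
    detect_message(s, b"220 mail.example.test ESMTP ready\r\n")
    detect_message(s, b'Content-Disposition: attachment; filename="report.pdf"\r\n')
    detect_message(s, b"RETR report.pdf\r\n")
    return s
```

Because the identified layers are consulted per feature, the same attachment line arriving before the SMTP banner is discarded: the protocol context of step 102 is built up by earlier messages of the session, exactly as the text describes.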
Embodiment 1 of the session detection method shows that using feature detection to identify protocols accurately solves the flexibility and accuracy problems of protocol identification, and that using the protocol identification result as the environment for feature detection likewise improves the accuracy of feature identification and further improves the performance of the detection system.
The invention also provides embodiment 2 of the session detection method which, on the basis of the detection of embodiment 1, further comprises, when the unprocessed feature matches a predefined protocol, triggering the corresponding predefined protocol processing function to process the message, and, when the unprocessed feature matches a predefined feature, triggering the corresponding predefined feature plug-in to process the message, thereby realizing a complete detection and processing flow.
Nevertheless, the above steps still perform processing only after deep inspection of each message. If the hook points stored in the recognition result record were called before deep inspection, the deep inspection and processing of already-processed features could be avoided, further improving system performance. Embodiment 2 therefore also comprises, before deep inspection is carried out: calling the recognition result record of the session the message belongs to, and processing the message by triggering, through the recognition result record, the corresponding predefined protocol processing function and predefined feature plug-in.
To save system resources, the invention also provides embodiment 3 of the session detection method, which further comprises, after a message is received, identifying whether detection of the session the message belongs to needs to continue; for instance, when a session has exceeded the maximum detection length, or when the discovered protocol is an encrypted one, detection of the session need not continue.
To decide whether detection continues, it can be defined that detection need not continue once a certain protocol or feature is found. Alternatively, the data length of a session that needs detection can be defined; that is, after deep inspection of a message is completed, the method further comprises calculating the detected stream length of the session the message belongs to and, when this detected stream length exceeds a preset detection length, instructing detection of the session to stop. The preset detection length is the sum of the detection lengths of all or some of the features defined on the predefined protocols corresponding to the identified protocols in the recognition result record.
For instance, the judgement based on protocol or feature detection can be folded into the detected stream length calculation: for an encrypted protocol, since the data are encrypted, no feature should be defined on it, so the maximum detection length of all features on that protocol is 0, and once this protocol is found the corresponding session need not be detected further.
Alternatively, the maximum length of all identified features on the topmost protocol of the session can be defined as the session's detected stream length threshold; if the detected length exceeds the required detection length, the corresponding session need not be detected further. As a special case, if no feature has been identified on the topmost protocol, the length of the session that needs detection is 0, detection need not continue, and detection of the session can be terminated by instruction.
Embodiment 3 compares the detected stream length of the session with the length of the session that needs detection to decide dynamically whether detection of the session continues, which can significantly improve detection performance.
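The stream length check of embodiment 3 as an added example (not the patent's or H3C's code): both rules the text gives are implemented, the sum of the feature detection lengths over the identified protocols and the maximum feature length on the topmost identified protocol, using constructed protocol names and byte lengths. An encrypted protocol that defines no features yields a required length of 0 under the topmost rule, so detection stops after the first inspected message.

```python
from typing import Callable, Dict, List

# Detection length in bytes of each feature, grouped by the protocol it is defined
# on.  Constructed values; the encrypted SSL layer defines no features at all.
FEATURE_LENGTHS: Dict[str, Dict[str, int]] = {
    "TCP": {"smtp-banner": 64, "ftp-banner": 64, "ssl-hello": 16},
    "SMTP": {"smtp-attachment": 4096},
    "FTP": {"ftp-retr": 128},
    "SSL": {},
}


def sum_rule(identified: List[str]) -> int:
    """Preset detection length as the sum of the detection lengths of all features
    defined on every protocol in the session's recognition result record."""
    return sum(sum(FEATURE_LENGTHS.get(p, {}).values()) for p in identified)


def topmost_rule(identified: List[str]) -> int:
    """Alternative rule from the text: the maximum feature length on the topmost
    identified protocol; 0 when that protocol defines no features."""
    return max(FEATURE_LENGTHS.get(identified[-1], {}).values(), default=0)


class SessionStream:
    """Tracks the detected stream length of one session and decides, after each
    deep inspection, whether detection of the session continues."""

    def __init__(self, identified: List[str],
                 rule: Callable[[List[str]], int] = sum_rule):
        self.identified = list(identified)   # copy of the record's protocol list
        self.rule = rule
        self.detected_len = 0
        self.detecting = True

    def protocol_discovered(self, proto: str) -> None:
        """Protocol discovery extends the record and thereby the required length."""
        if proto not in self.identified:
            self.identified.append(proto)

    def after_inspection(self, payload_len: int) -> bool:
        """Account for one inspected message; returns whether detection continues."""
        if not self.detecting:
            return False
        self.detected_len += payload_len
        if self.detected_len > self.rule(self.identified):
            self.detecting = False   # instruction to stop detecting this session
        return self.detecting
```

Which rule to use is a tuning choice: the sum rule keeps inspecting an SSL session until the TCP-layer feature budget is spent, while the topmost rule stops it at the first message after the encrypted protocol is identified, which is the behaviour the text describes for encrypted protocols.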
In the prior art, packet reordering (order preservation) and reassembly can only be based on a fixed byte count (such as 2k or 4k), after which deep inspection is carried out; the reassembly process is therefore rigid and its result cannot reflect the true state of, for example, an attachment. Based on the fact that protocol and feature identification results allow the data stream to be captured and reassembled effectively, the invention provides embodiment 4 of the session detection method, which fuses protocol identification, feature identification and data stream capture and reassembly. In this embodiment, processing the message by triggering the identified-protocol processing function and/or the identified-feature plug-in comprises: checking whether the message needs to be retained for reassembly and, if so, reassembling and buffering the message together with the earlier messages of the session, then performing the session detection steps on the next message of the session.
As can be seen, in embodiment 4 reassembly can take place when the identified-protocol processing function and identified-feature plug-in are triggered, or immediately after the corresponding protocol information and plug-in hook point have been generated for the session; it is no longer confined to being performed together with reordering, which is one of the key points of this embodiment.
Meanwhile, the order-preserving function in embodiments of the invention can still adopt the prior-art scheme and takes place after a message is received. In general, feature detection can only be accurate and complete after reordering and reassembly; but reordering and reassembly are costly, so when a session has exceeded the maximum detection length and need not be detected further, the order-preserving function can be closed. Whether the order-preserving function is closed can then serve as an index: first identify whether the order-preserving function of the session the message belongs to is closed; if it is closed, reordering and deep inspection of the message are no longer performed; if it is open, reorder the message, call the recognition result record of the session, and continue detecting the message. When reassembly takes place depends on the concrete protocol processing and hook point execution.
Embodiment 4 separates TCP reordering from application-layer reassembly logic, improving the flexibility of reassembly; at the same time it integrates reassembly, feature detection, protocol identification and application-layer reassembly, improving the hit rate and accuracy of reassembly based on protocol and feature.
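Embodiments 2 and 4 as an added example (not the patent's or H3C's code): the recognition result record is consulted before deep inspection, the hook code of a stored hook point processes the message first, a "retain for reassembly" result buffers the message and skips deep inspection, and a session whose order-preserving function is closed is skipped entirely. The hook code, the MIME-boundary rule it uses to recognize the end of an attachment, the result names and the session fields are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

RETAIN = "retain"        # hook result: keep the message for reassembly, skip inspection
PROCESSED = "processed"  # hook result: done with this message, continue to inspection


@dataclass
class Session:
    """Recognition result record plus the per-session reassembly state."""
    hook_points: List[str] = field(default_factory=list)
    reorder_closed: bool = False          # embodiment 4: closed once detection is over
    buffer: List[bytes] = field(default_factory=list)
    reassembled: List[bytes] = field(default_factory=list)


def attachment_hook(session: Session, payload: bytes) -> str:
    """Constructed hook code for an 'smtp-attachment' hook point: buffer every line
    of the attachment until the MIME closing boundary ('--...--'), then hand the
    reassembled attachment over (here: append it to session.reassembled)."""
    session.buffer.append(payload)
    line = payload.rstrip(b"\r\n")
    if line.startswith(b"--") and line.endswith(b"--") and len(line) > 4:
        session.reassembled.append(b"".join(session.buffer))
        session.buffer.clear()
        return PROCESSED
    return RETAIN


HOOKS: Dict[str, Callable[[Session, bytes], str]] = {"smtp-attachment": attachment_hook}


def handle_message(session: Session, payload: bytes) -> str:
    """Steps 202 to 205 of Fig. 2 for one message; returns what happened to it."""
    # Step 202: a session whose order-preserving function is closed is not detected.
    if session.reorder_closed:
        return "skipped"
    # Step 203 (TCP reordering) is prior art and omitted here.
    # Step 204: stored hook points process the message before any deep inspection.
    for name in session.hook_points:
        if HOOKS[name](session, payload) == RETAIN:
            return "retained"   # 2046: buffered with earlier messages, no inspection
    # Step 205: the message goes on to deep inspection (not shown in this block).
    return "inspect"
```

The reassembly boundary is decided by the protocol-aware hook code rather than by a fixed byte count, which is the separation of TCP reordering from application-layer reassembly that the text claims as a key point of embodiment 4.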
Referring to Fig. 2, the flow chart of a preferred embodiment provided by the invention comprises the following steps:
Step 201: receive a message;
Step 202: check whether the order-preserving function of the session the message belongs to is closed; if so, the message need not be detected further and detection of the current session message ends; otherwise go to step 203;
Step 203: reorder the message and call the recognition result record of the session the message belongs to;
Step 204: process the message by triggering the identified-protocol processing function and identified-feature plug-in recorded in this recognition result record, which can comprise:
2041: check whether the recognition result record contains identified-protocol information; if so go to step 2042, otherwise go to step 2044;
2042: trigger and call the predefined protocol processing function corresponding to the identified-protocol information to process the message;
2043: check whether the processing result is to retain the message for reassembly; if so, reassemble and buffer the message with the earlier messages of the session, detection of this message ends, and detection of the next message can proceed; otherwise go to step 2044;
2044: check whether the recognition result record contains an identified-feature plug-in hook point; if so go to step 2045, otherwise go to step 205;
2045: trigger and call the hook code of the predefined feature plug-in corresponding to the identified-feature plug-in hook point to process the message;
2046: check whether the processing result is to retain the message for reassembly; if so, reassemble and buffer the message with the earlier messages of the session, detection of this message ends, and detection of the next message can proceed; otherwise go to step 205;
Step 205: perform deep inspection on the processed message;
Whether step 206, identification the detected feature that is untreated, and is execution in step 207 then, otherwise execution in step 212;
Step 207, to detected one feature that is untreated, discern on its level of identification protocol that whether can be present in the session of message place, be execution in step 208 then, otherwise abandon/skip this feature that is untreated, execution in step 211;
Step 208, discern the type of this feature that is untreated, one is pre-when knowing agreement in match protocol and the feature database, execution in step 2091, and one is pre-when knowing feature in match protocol and the feature database, execution in step 2101;
Step 2091: generate the corresponding identified-protocol information for the session, for example the ID of this protocol in the library. Through this ID the protocol's functions in the library are called, so that a new protocol is extended onto the packet's current protocol layer.
Step 2092: output the identified-protocol information to the session's recognition result record.
Step 2093: trigger the known-protocol processing function according to the match instruction and process the packet with it. Those skilled in the art will understand that this embodiment is only for convenience of description and does not restrict the order of execution; step 2093 may be performed before step 2091 without affecting the technical effect of the invention.
Step 2094: check whether the result is "reassemble and retain this packet". If so, reassemble and cache this packet together with the session's earlier packets; detection of this packet ends and detection of the next packet can proceed. Otherwise go to step 211.
Step 2101: generate the corresponding identification mark for the session, for example the ID of this feature in the library, for use when the system controls the session's detection state.
Step 2102: trigger the hook code of the known-feature plugin according to the match instruction and process the packet with it.
Those skilled in the art will understand that the order of steps 2101 to 2105 is not limited to that shown in Figure 2; for example, the order 2102, 2106, 2101, 2103, 2104, 2105 may also be used.
Step 2103: check whether this feature takes effect on subsequent packets of the session. If so, go to step 2104; otherwise go to step 2106.
Step 2104: generate the corresponding identified-feature plugin hook point for the session on this feature in the library, that is, provide the session with continuous calls of the known feature's interface.
Step 2105: output the identified-feature plugin hook point to the session's recognition result record.
Step 2106: check whether the result is "reassemble and retain this packet". If so, reassemble and cache this packet together with the session's earlier packets; detection of this packet ends and detection of the next packet can proceed. Otherwise go to step 211.
Step 211: query whether a further unidentified feature was detected. If so, perform step 207 on that feature; otherwise go to step 212.
Step 212: compute the detection stream length of the session the packet belongs to.
Step 213: check whether the detection stream length has exceeded the detection length of all features. If so, go to step 214; otherwise detection of this packet ends and detection of the next packet can proceed.
Step 214: close the order-preserving function of this session; detection of this packet ends.
In steps 212 to 214 the session's detection stream length is computed and compared with the detection lengths of all features; if it exceeds the detection length of every feature, the session's order-preserving function is closed. In the flow of this embodiment, the switch of the order-preserving function decides whether packet detection continues. Those of ordinary skill in the art will therefore understand that the operations of steps 212 to 214 need not follow step 211; they may be placed at any point of the session detection flow or run in parallel with other operations.
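The procedure of steps 2045 to 214 above, as an added worked example in Python that is not code from the patent or from H3C: a toy session-detection engine that keeps a per-session recognition record (identified protocol layers and feature-plugin hook points), runs the recorded hook points before deep inspection, performs deep inspection as a regular-expression multi-pattern match, filters matched features against the session's identified protocol layer, extends that layer when a known protocol matches, records an identification mark and a persistent hook point when a known feature matches, honours a plugin's reassemble-and-retain decision, and closes the session's ordering once the detection stream length exceeds the largest detection length in the library. The library entries, the plugin contract (None means retain, bytes means continue inspection over that data), the constructed HTTP packets and all names are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Plugin contract (this example's own convention): return None to request
# "reassemble and retain" (the packet joins the session's buffered packets and
# detection of this packet ends), or return the bytes that deep inspection
# should now run over, which may be the reassembled data.
Plugin = Callable[["Session", bytes], Optional[bytes]]


@dataclass
class Entry:
    """One node of the protocol-and-feature library."""
    name: str
    kind: str                 # "protocol" or "feature"
    layer: str                # identified protocol layer the entry may appear on
    pattern: bytes            # regular expression, as a Snort content/pcre option would supply
    detect_len: int           # stream bytes after which the entry is no longer expected
    plugin: Optional[Plugin] = None
    persistent: bool = False  # feature stays in effect for later packets: a hook point


@dataclass
class Session:
    """Per-session recognition record plus detection bookkeeping."""
    layers: list = field(default_factory=lambda: ["tcp"])  # identified protocol layers
    hooks: list = field(default_factory=list)              # identified-feature hook points
    marks: list = field(default_factory=list)              # identification marks
    buffered: list = field(default_factory=list)           # retained packets awaiting reassembly
    stream_len: int = 0
    ordering_on: bool = True
    events: list = field(default_factory=list)


def post_body_plugin(sess: Session, payload: bytes) -> Optional[bytes]:
    """Retain a POST until Content-Length body bytes have arrived, then release it whole."""
    sess.buffered.append(payload)
    data = b"".join(sess.buffered)
    head, sep, body = data.partition(b"\r\n\r\n")
    m = re.search(rb"Content-Length: (\d+)", head)
    if data.startswith(b"POST ") and (not sep or m is None or len(body) < int(m.group(1))):
        return None                          # reassemble and retain
    sess.buffered.clear()
    return data                              # reassembled request goes to deep inspection


def sqli_plugin(sess: Session, payload: bytes) -> Optional[bytes]:
    sess.events.append(("alert", "sql_injection"))
    return payload


LIBRARY = [  # constructed entries; a real library holds far more
    Entry("http", "protocol", "tcp", rb"^(GET|POST) \S+ HTTP/1\.[01]\r\n", 64),
    Entry("ftp", "protocol", "tcp", rb"^220[ -]", 64),
    Entry("ssh", "protocol", "tcp", rb"^SSH-2\.0-", 64),
    Entry("ftp_user", "feature", "ftp", rb"(?i)\buser\b", 64),
    Entry("http_post_body", "feature", "http", rb"^POST ", 64, post_body_plugin, persistent=True),
    Entry("sql_injection", "feature", "http", rb"(?i)union\s+select", 100, sqli_plugin),
]
MAX_DETECT_LEN = max(e.detect_len for e in LIBRARY)


def deep_inspect(data: bytes) -> list:
    """Multi-pattern match over one packet (what a Snort-style engine does)."""
    return [e for e in LIBRARY if re.search(e.pattern, data)]


def inspect_packet(sess: Session, payload: bytes) -> None:
    if not sess.ordering_on:                 # ordering closed: the session is no longer inspected
        return
    sess.stream_len += len(payload)
    for hook in list(sess.hooks):            # hook points recorded earlier run before inspection
        payload = hook.plugin(sess, payload)
        if payload is None:
            sess.events.append(("retain",))
            return
    for e in deep_inspect(payload):
        if e.name in sess.layers or e.name in sess.marks:
            continue                         # already identified for this session
        if e.layer not in sess.layers:
            sess.events.append(("skipped", e.name))   # cannot occur on the identified layer
            continue
        if e.kind == "protocol":
            sess.layers.append(e.name)       # extend the session's identified protocol layer
            sess.events.append(("protocol", e.name))
            continue
        sess.marks.append(e.name)            # identification mark for a matched feature
        if e.persistent:
            sess.hooks.append(e)             # hook point: plugin is called on later packets
            sess.events.append(("hook", e.name))
        if e.plugin is not None:
            payload = e.plugin(sess, payload)
            if payload is None:
                sess.events.append(("retain",))
                return
    if sess.stream_len > MAX_DETECT_LEN:     # nothing left to expect: stop ordering this session
        sess.ordering_on = False
        sess.events.append(("ordering_closed",))


PACKETS = [  # constructed payloads of one client-to-server TCP session
    b"POST /login HTTP/1.1\r\nContent-Length: 24\r\n\r\n",
    b"user=a' UNION SELECT 1--",
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n",
]


def run_demo(packets=PACKETS) -> Session:
    sess = Session()
    for p in packets:
        inspect_packet(sess, p)
    return sess


if __name__ == "__main__":
    s = run_demo()
    print(s.layers, [h.name for h in s.hooks], s.events)
```

The first packet identifies HTTP and installs the POST-body hook, which retains the packet; the second packet reaches the hook before inspection, is reassembled with the first, and only then does the injection feature match on the complete request. The FTP-layer feature that also matches the text is skipped because FTP was never identified for the session. After the third packet the stream is longer than any feature's detection length, so ordering is closed and later packets of that session are no longer inspected; that is the performance gain the steps describe, and it is also why the detection lengths in a real library must cover the deepest offset at which any feature is expected.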
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be carried out by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, performs the following steps:
perform deep inspection on the received packets that need detection; when any unprocessed feature is detected, identify whether the unprocessed feature can occur on the identified protocol layer of the session the packet belongs to; if so, proceed to the next step, otherwise discard the unprocessed feature;
identify the unprocessed feature: when it matches a known protocol, generate the corresponding identified-protocol information for the session; when it matches a known feature that takes effect on subsequent packets of the session, generate the corresponding identified-feature plugin hook point for the session on that known feature;
output the generated identified-protocol information and identified-feature plugin hook point to the session's recognition result record.
Embodiments of the invention also provide a session detection system. As shown in Figure 3, embodiment 1 of the session detection system comprises:
Session recognition result record module 1, for storing identified-protocol information and identified-feature plugin hook points;
Deep inspection module 2, for receiving packets and performing deep inspection, that is, multi-pattern matching of the data (the patterns are generally expressed as regular expressions); it may be implemented with reference to the algorithms of the open-source Snort software;
Feature filtering module 3, for filtering the matched features returned by deep inspection module 2 and discarding those features that cannot occur on the identified protocol layer;
Feature derivation module 4, for receiving the matched features that have passed feature filtering module 3 and, according to the feature definitions of this invention, extending the session's identified protocol layer and reporting newly identified features, generating the corresponding identified-protocol information and identified-feature plugin hook points and outputting them to session recognition result record module 1; it is also used to trigger, through feature match instructions or hook points, the known-protocol processing functions and known-feature plugins that process the packet.
From embodiment 1 of the session detection system it can be seen that feature filtering module 3 uses the protocol recognition result as the context of feature detection, which improves the accuracy of feature identification and the performance of the detection system, and that feature derivation module 4 uses feature detection to identify and extend protocols accurately, which addresses the flexibility and accuracy problems of protocol identification.
To ease control of session detection, feature derivation module 4 may also generate identification marks and extract identified-protocol information, reporting both to a control centre (not shown).
Preferably, in embodiment 1 a protocol-and-feature library 5 may be provided separately, for storing known-protocol processing functions and known-feature plugins and providing them to feature derivation module 4.
For example, what protocol-and-feature library 5 records may be protocol nodes and feature nodes. These nodes represent the hierarchical relationship of protocols, which features identify each protocol, the attributes of each feature and the protocol layer it belongs to; in addition, the processing functions and plugins attached to protocols and features are recorded.
For completeness, the system provided by this embodiment may also include a session management module (x), which performs session state maintenance and management. It does not differ from the session management function of most layer 4 to 7 devices and belongs to the prior art; its implementation may refer to the session management of the open-source Linux kernel firewall netfilter.
Referring to Figure 4, a block diagram of embodiment 2 of the session detection system provided by the invention. On the basis of system embodiment 1 it further comprises an identified-plugin processing module 6, connected to deep inspection module 2, which, before a packet undergoes deep inspection and according to the records in session recognition result record module 1, triggers the corresponding known-protocol processing functions and known-feature plugin hook code to process the packet.
With identified-plugin processing module 6 added, the hook points stored in the recognition result record are called before deep inspection, which avoids deep inspection and processing of features already handled and further improves system performance.
The processing in system embodiment 2 may be the blocking of attack features, or the reassembly and interception of data; system embodiment 3 below shows the case of data reassembly and interception.
Referring to Figure 5, a block diagram of embodiment 3 of the session detection system provided by the invention. On the basis of embodiment 2 it further comprises:
Order-preserving module 7, for receiving order-preserving control commands from feature derivation module 4, performing order preservation of packets while the order-preserving function is open (that is, the TCP segment ordering function), and passing the ordered packets to identified-plugin processing module 6;
Data reassembly module 8, connected to feature derivation module 4 and to identified-plugin processing module 6, for reassembling and caching packets according to reassemble-and-retain instructions, thereby implementing the combination and caching of data fragments.
In embodiment 3, order-preserving module 7 only orders packets and does not reassemble them. This embodies the invention's idea of separating ordering from reassembly: reassembly is performed afterwards by data reassembly module 8 according to the results of executing the plugin hook code.
Those skilled in the art will see that order-preserving module 7 and data reassembly module 8 may also be added on the basis of system embodiment 1; in that case order-preserving module 7 passes the ordered packets to deep inspection module 2, and data reassembly module 8 is connected only to feature derivation module 4.
Introducing order-preserving module 7 and data reassembly module 8 separates the ordering logic from the application-layer reassembly logic and improves the flexibility of reassembly; at the same time, reassembly based on protocols and features brings feature detection, protocol identification and application reassembly together, improving the hit rate and accuracy of reassembly.
Because embodiments of the invention provide a session detection system that fuses protocol identification, feature detection, and application-based data interception and reassembly, it can serve as an important component of systems such as IPS/IDS, UTM (Unified Threat Management), application-based bandwidth management and QoS. The invention therefore also provides a switching device for network layers 4 to 7 in which the above session detection system is provided.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the invention and do not limit it. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions may still be made to the technical solution of the invention, and that such modifications or substitutions do not take the amended technical solution outside the spirit and scope of the technical solution of the invention.

Claims (15)

1. A session detection method, characterized in that deep inspection is performed on the received packets that need detection and, when any unprocessed feature is detected, the following steps are performed:
Step 1: identify whether the unprocessed feature can occur on the identified protocol layer of the session the packet belongs to; if so, proceed to the next step, otherwise discard the unprocessed feature;
Step 2: identify the unprocessed feature; when it matches a known protocol, generate the corresponding identified-protocol information for the session; when it matches a known feature that takes effect on subsequent packets of the session, generate the corresponding identified-feature plugin hook point for the session on that known feature;
Step 3: output the generated identified-protocol information and identified-feature plugin hook point to the session's recognition result record.
2. The session detection method of claim 1, characterized by further comprising the step of presetting a protocol-and-feature library: known-protocol processing functions and known-feature plugins are set in the library for performing feature matching; the known-protocol processing function is triggered by a protocol match instruction, and the known-feature plugin is triggered by a feature match instruction or by a hook point, in order to process the packet.
3. The session detection method of claim 1, characterized in that the format of a feature received in a packet consists of a protocol option and a regular expression, compatible with the detection rule definition format of the widely deployed open-source network intrusion detection system.
4. The session detection method of claim 2, characterized in that, when the unprocessed feature matches a known protocol, the method further comprises triggering the corresponding known-protocol processing function to process the packet; and, when the unprocessed feature matches a known feature, it further comprises triggering the corresponding known-feature plugin to process the packet.
5. The session detection method of claim 1, characterized by further comprising, before deep inspection: when a session recognition result record corresponding to the packet that needs detection exists, calling the recognition result record of that session and triggering, through the recognition result record, the corresponding known-protocol processing functions and known-feature plugins to process the packet.
6. The session detection method of claim 4 or 5, characterized in that triggering the known-protocol processing function and/or the known-feature plugin to process the packet comprises: querying whether the packet needs to be reassembled and retained; if so, reassembling and caching the packet together with the earlier packets of its session.
7. The session detection method of claim 1, characterized by further comprising, after a packet is received: identifying whether the order-preserving function of the session it belongs to is closed; if so, no longer performing detection of the packet; otherwise performing order preservation on the packet and judging whether a recognition result record exists; if so, calling the recognition result record of the session and continuing detection of the packet; otherwise performing deep inspection.
8. The session detection method of claim 1, characterized by further comprising, after deep inspection of a packet is completed, the step of computing the detection stream length of the session the packet belongs to; when the detection stream length exceeds a preset detection length, instructing that detection of the session stop and/or closing the session's order-preserving function; the preset detection length is the sum of the detection lengths of all or part of the features defined by the corresponding known protocols in the recognition result record.
9. The session detection method of claim 1, characterized by further comprising, after a packet is received: identifying features or protocols in the packet and, when a predefined feature or protocol is found in the packet, stopping detection of the session.
10. A session detection system, characterized by comprising:
a session recognition result record module, for storing identified-protocol information and identified-feature plugin hook points;
a deep inspection module, for receiving packets and performing deep inspection;
a feature filtering module, for filtering the matched features returned by the deep inspection module and discarding those features that cannot occur on the identified protocol layer;
a feature derivation module, for receiving the matched features that have passed feature filtering, generating the corresponding identified-protocol information and identified-feature plugin hook points, and outputting them to the session recognition result record module; it is also used to trigger, through feature match instructions or hook points, the known-protocol processing functions and known-feature plugins that process the packet.
11. The session detection system of claim 10, characterized by further comprising:
a protocol-and-feature library, for storing known-protocol processing functions and known-feature plugins and providing them to the feature derivation module.
12. The session detection system of claim 10 or 11, characterized by further comprising:
an order-preserving module, for receiving order-preserving control commands from the feature derivation module, performing order preservation on packets, and passing the ordered packets to the deep inspection module;
a data reassembly module, connected to the feature derivation module, for reassembling and caching packets according to reassemble-and-retain instructions.
13. The session detection system of claim 10 or 11, characterized by further comprising:
an identified-plugin processing module, connected to the deep inspection module, for triggering, before a packet undergoes deep inspection and according to the records in the session recognition result record module, the corresponding known-protocol processing functions and known-feature plugins to process the packet.
14. The session detection system of claim 13, characterized by further comprising:
an order-preserving module, for receiving order-preserving control commands from the feature derivation module, performing order preservation on packets, and passing the ordered packets to the identified-plugin processing module;
a data reassembly module, connected to the feature derivation module and to the identified-plugin processing module, for reassembling and caching packets according to reassemble-and-retain instructions.
15. A switching device for network layers 4 to 7, characterized in that the session detection system of any one of claims 11-15 is provided in the switching device.
CN2007101060175A 2006-11-24 2007-05-29 Talk detection method and talk detection system Expired - Fee Related CN101060492B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN2007101060175A CN101060492B (en) 2007-05-29 2007-05-29 Talk detection method and talk detection system
PCT/CN2007/071119 WO2008061483A1 (en) 2006-11-24 2007-11-23 A method and apparatus for identifying the data content
US12/347,534 US8060633B2 (en) 2006-11-24 2008-12-31 Method and apparatus for identifying data content

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007101060175A CN101060492B (en) 2007-05-29 2007-05-29 Talk detection method and talk detection system

Publications (2)

Publication Number Publication Date
CN101060492A (en) 2007-10-24
CN101060492B (en) 2010-08-11

Family

ID=38866388

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101060175A Expired - Fee Related CN101060492B (en) 2006-11-24 2007-05-29 Talk detection method and talk detection system

Country Status (1)

Country Link
CN (1) CN101060492B (en)


Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1578227A (en) * 2003-07-29 2005-02-09 上海聚友宽频网络投资有限公司 Dynamic IP data packet filtering method
CN1555170A (en) * 2003-12-23 2004-12-15 沈阳东软软件股份有限公司 Flow filtering fine wall
CN1738257A (en) * 2004-12-31 2006-02-22 北京大学 Network intrusion detection system and method based on application protocol detection engine
CN1852297B (en) * 2005-11-11 2010-05-12 华为技术有限公司 Network data stream identification system and method
CN100450046C (en) * 2006-08-30 2009-01-07 北京启明星辰信息技术有限公司 Virus detection and invasion detection combined method and system
CN100542176C (en) * 2006-11-24 2009-09-16 杭州华三通信技术有限公司 The analysis and processing method of packet content and system

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008061483A1 (en) * 2006-11-24 2008-05-29 Hangzhou H3C Technologies Co., Ltd. A method and apparatus for identifying the data content
US8060633B2 (en) 2006-11-24 2011-11-15 Hangzhou H3C Technologies Co., Ltd. Method and apparatus for identifying data content
CN101282362B (en) * 2008-05-13 2011-04-06 中兴通讯股份有限公司 Method and apparatus for detecting depth packet
CN101605067B (en) * 2009-04-22 2011-09-21 网经科技(苏州)有限公司 Network behaviour active analyzing and diagnosing method
CN101795236A (en) * 2010-03-31 2010-08-04 成都市华为赛门铁克科技有限公司 Report sequence preservation method and device
CN112054935A (en) * 2019-06-06 2020-12-08 烽火通信科技股份有限公司 Extensible service quality diagnosis configuration method and system
CN112054935B (en) * 2019-06-06 2022-02-01 烽火通信科技股份有限公司 Extensible service quality diagnosis configuration method and system
CN113922992A (en) * 2021-09-18 2022-01-11 成都安恒信息技术有限公司 Attack detection method based on HTTP session
CN113922992B (en) * 2021-09-18 2024-06-07 成都安恒信息技术有限公司 Attack detection method based on HTTP session
CN114285652A (en) * 2021-12-27 2022-04-05 湖北天融信网络安全技术有限公司 Industrial protocol detection method and device, computer equipment and storage medium
CN114285652B (en) * 2021-12-27 2024-07-05 湖北天融信网络安全技术有限公司 Industrial protocol detection method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN101060492B (en) 2010-08-11


Legal Events

Code Title Description
C06 / PB01 Publication
C10 / SE01 Entry into substantive examination; entry into force of request for substantive examination
C14 / GR01 Grant of patent or utility model; patent grant
CP03 Change of name, title or address. Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.; Patentee after: Xinhua three Technology Co., Ltd. Address before: 310053 Hangzhou science and Technology Industrial Park, high tech Industrial Development Zone, Zhejiang Province, No. six and road, No. 310; Patentee before: Huasan Communication Technology Co., Ltd.
CF01 Termination of patent right due to non-payment of annual fee. Granted publication date: 20100811; Termination date: 20200529