CN101764718A - Deep packet inspection method and device - Google Patents
- Publication number: CN101764718A
- Authority: CN (China)
- Prior art keywords: packets, information, max, feature keyword, deep message
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention provides a deep packet inspection method and device. The method comprises the following steps: obtaining, as max(b_i), the longest suffix of the i-th packet that matches a prefix of the feature keyword to be detected; and judging, according to max(b_i), whether the feature keyword is present in the i-th packet and the (i+1)-th packet, where i is a positive integer. The method may also comprise the following steps: obtaining, as max(a_i), the longest prefix of the i-th packet that matches a suffix of the feature keyword to be detected; and judging, according to max(a_i), whether the feature keyword is present in the i-th packet and the (i-1)-th packet, where i is a positive integer greater than 1. The method and device improve the concurrency of the system and its response speed to attack code, and improve detection efficiency.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to techniques for performing packet inspection on data streams.
Background
In the field of digital communication, deep packet inspection (DPI) is an important technique of intrusion detection systems (IDS) and intrusion prevention systems (IPS): packet contents are monitored and searched for the feature keyword of an attack. However, a Transmission Control Protocol (TCP) data stream is usually divided into data segments that are carried in different Internet Protocol (IP) packets, so if the IDS/IPS performs DPI only on individual packets, many security risks result.
For example, Figure 1 is a schematic diagram of an existing TCP stream divided into multiple IP packets. As shown in Figure 1, suppose the feature keyword of an attack is "attack", but in transmission this keyword is split into two parts carried in different IP packets. Performing DPI on each packet separately cannot find the "attack" field, so this attack traffic is missed.
Mainstream IDS/IPS technology currently solves this problem with TCP stream reassembly: the contents of the IP packets are reassembled into the TCP data stream, which is then inspected. In stream reassembly, a complete copy of the TCP data stream is made and passed up to the detection engine (PM engine). But inspection can begin only after all TCP packets of the stream have passed through the IDS/IPS, so concurrency is poor, and making a complete copy of the TCP data stream consumes a large amount of memory. These shortcomings significantly affect IDS/IPS performance.
In the prior-art scheme, after a packet is intercepted it is first checked whether it was sent in order. A packet that arrives in order is inspected directly and released once it passes. For a packet that arrives out of order, a copy is held in memory, and inspection starts only after all packets preceding it have arrived and been inspected. In many cases, therefore, copies of some packets must be kept in memory; even if such a packet itself carries the feature keyword of an attack, it cannot be inspected immediately and must wait until all preceding packets have been inspected. If an attack is detected in a preceding packet, these packets are simply dropped, so storage resources are used inefficiently.
Summary of the invention
The purpose of the embodiments of the invention is to provide a deep packet inspection method and device that make the best possible use of resources while inspecting a TCP stream in real time.
To achieve this, an embodiment of the invention provides a deep packet inspection method comprising the following steps: obtaining, as max(b_i), the longest suffix of the i-th packet that matches a prefix of the feature keyword to be detected; and judging, according to max(b_i), whether the feature keyword is present in the i-th packet and the (i+1)-th packet, where i is a positive integer.
An embodiment of the invention also provides a deep packet inspection method comprising the following steps: obtaining, as max(a_i), the longest prefix of the i-th packet that matches a suffix of the feature keyword to be detected; and judging, according to max(a_i), whether the feature keyword is present in the i-th packet and the (i-1)-th packet, where i is a positive integer greater than 1.
An embodiment of the invention further provides a deep packet inspection device comprising: an acquiring unit, used to obtain, as max(b_i), the longest suffix of the i-th packet that matches a prefix of the feature keyword to be detected; and a judging unit, used to judge, according to max(b_i), whether the feature keyword is present in the i-th packet and the (i+1)-th packet, where i is a positive integer.
An embodiment of the invention additionally provides a deep packet inspection device comprising: an acquiring unit, used to obtain, as max(a_i), the longest prefix of the i-th packet that matches a suffix of the feature keyword to be detected; and a judging unit, used to judge, according to max(a_i), whether the feature keyword is present in the i-th packet and the (i-1)-th packet, where i is a positive integer greater than 1.
The beneficial effect of the embodiments is that, because the maximum matching part between a packet and the feature keyword is obtained first and the comparison is made afterwards, the prior art's inefficient use of storage resources is overcome; the concurrency of the system and its response speed to attack code are considerably improved, and detection efficiency is improved.
Description of the drawings
The drawings described here provide a further understanding of the invention and form part of this application; they do not limit the invention. In the drawings:
Figure 1 is a schematic diagram of an existing TCP stream divided into multiple IP packets.
Figure 2 is a flow chart of the deep packet inspection method of Embodiment 1.
Figure 3 is a structural block diagram of the deep packet inspection device of Embodiment 2.
Figure 4 is a flow chart of the deep packet inspection method of Embodiment 3.
Figure 5 is another flow chart of the deep packet inspection method of Embodiment 3.
Figure 6 is a flow chart of the deep packet inspection method of Embodiment 4.
Figure 7 is another flow chart of the deep packet inspection method of Embodiment 4.
Figure 8 is a structural block diagram of the deep packet inspection device of Embodiment 5.
Detailed description
To make the purpose, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the embodiments and drawings. The exemplary embodiments and their explanation serve to explain the invention and do not limit it.
For convenience of description, the embodiments make the following assumptions:
Because matching multiple feature keywords is not what the embodiments seek to protect, the description covers only the matching of a single feature keyword. In practice, algorithms for matching multiple feature keywords and their implementations are mature, and different algorithms can be used flexibly in the embodiments.
Without loss of generality, the description assumes that the length of a packet payload is greater than the length of a feature keyword. If a payload is so small that it is shorter than a feature keyword, this can be handled by merging multiple packets, or by a simple modification of the algorithm.
To describe the embodiments more rigorously, some key terms are defined as follows:
Prefix: a string a is a prefix of string b if and only if there exists a string c such that b=ac (c is a string or empty);
Suffix: a string a is a suffix of string b if and only if there exists a string c such that b=ca (c is a string or empty);
Contains: a string a contains b if and only if a=cbd (c and d are strings or empty).
Embodiment 1
Figure 2 is a flow chart of the deep packet inspection method of Embodiment 1. As shown in Figure 2, the method comprises: obtaining, as max(b_i), the longest suffix of the i-th packet that matches a prefix of the feature keyword to be detected, or obtaining, as max(a_i), the longest prefix of the i-th packet that matches a suffix of the feature keyword to be detected; and judging, according to max(b_i) or max(a_i), whether the feature keyword is present in the transmitted TCP data stream.
That is, in Embodiment 1, the longest suffix of the i-th packet that matches a prefix of the feature keyword to be detected is first obtained as max(b_i); whether the feature keyword is present in the i-th packet and the (i+1)-th packet is then judged according to max(b_i), where i is a positive integer.
In addition, judging whether the feature keyword is present in the i-th packet and the (i-1)-th packet comprises: obtaining, as max(a_i), the longest prefix of the i-th packet that matches a suffix of the feature keyword to be detected; and judging, according to max(a_i), whether the feature keyword is present in the i-th packet and the (i-1)-th packet, where i is a positive integer greater than 1.
In Embodiment 1, because different packets are each inspected using their own additional information, detection efficiency is improved.
Embodiment 2
Figure 3 is a structural block diagram of the deep packet inspection device of Embodiment 2. As shown in Figure 3, the device comprises: an acquiring unit 301, used to obtain, as max(b_i), the longest suffix of the i-th packet that matches a prefix of the feature keyword to be detected, or to obtain, as max(a_i), the longest prefix of the i-th packet that matches a suffix of the feature keyword to be detected; and a judging unit 302, used to judge, according to max(b_i) or max(a_i), whether the feature keyword is present in the transmitted TCP stream, where i is a positive integer.
That is, when the feature keyword is judged to be present according to max(b_i), it is present in the i-th packet and the (i+1)-th packet; when it is judged to be present according to max(a_i), it is present in the i-th packet and the (i-1)-th packet.
The deep packet inspection device of Embodiment 2 improves the concurrency of the system and its response speed to attack code, and thereby improves detection efficiency.
Embodiment 3
Figure 4 is a flow chart of the deep packet inspection method of Embodiment 3. As shown in Figure 4, the method comprises:
S401: obtain, as max(b_i), the longest suffix of the i-th packet that matches a prefix of the feature keyword to be detected;
S402: obtain the character length of max(b_i), as Len(max(b_i));
S403: align the (Len(max(b_i))+1)-th character of the feature keyword with the first character of the (i+1)-th packet;
S404: compare against the feature keyword;
S405: if the comparison succeeds (that is, every character of the two strings being compared corresponds one to one), judge that the feature keyword is present in the i-th packet and the (i+1)-th packet.
Figure 5 is another flow chart of the deep packet inspection method of Embodiment 3. As shown in Figure 5, the method can also be carried out in the following steps:
S501: obtain, as max(a_i), the longest prefix of the i-th packet that matches a suffix of the feature keyword to be detected;
S502: obtain the character length of max(a_i), as Len(max(a_i));
S503: align the (Len(max(a_i))+1)-th character of the feature keyword, counted from the end, with the last character of the (i-1)-th packet;
S504: compare against the feature keyword;
S505: if the comparison succeeds (that is, every character of the two strings being compared corresponds one to one), judge that the feature keyword is present in the i-th packet and the (i-1)-th packet.
In Embodiment 3, because only the remaining characters are compared after the maximum matching part has been obtained, storage space is saved and detection efficiency is improved.
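Added example (not code from the patent): the aligned comparison of Embodiment 3, in both directions, in Python, keeping per packet only the overlap lengths as integers so that packets can be fed in any arrival order. The names `BoundaryScanner`, `feed` and `all_overlaps` and the sample payloads are constructed for illustration; `all_overlaps=True` goes beyond the patent, which records only the maximum, by also keeping shorter overlaps so that a keyword whose prefix repeats inside it is still found at a boundary.

```python
"""Cross-packet keyword detection that stores only overlap lengths per packet.

Constructed example. Assumes, as the description does, that a payload is at
least as long as the keyword, so a keyword spans at most two packets.
"""


def suffix_prefix_overlaps(payload, keyword):
    """Lengths k (longest first, k < len(keyword)) such that the last k
    bytes of payload equal the first k bytes of keyword. The first entry
    is Len(max(b_i))."""
    limit = min(len(payload), len(keyword) - 1)
    return [k for k in range(limit, 0, -1) if payload.endswith(keyword[:k])]


def prefix_suffix_overlaps(payload, keyword):
    """Lengths k (longest first, k < len(keyword)) such that the first k
    bytes of payload equal the last k bytes of keyword. The first entry
    is Len(max(a_i))."""
    limit = min(len(payload), len(keyword) - 1)
    return [k for k in range(limit, 0, -1) if payload.startswith(keyword[-k:])]


class BoundaryScanner:
    def __init__(self, keyword, all_overlaps=False):
        self.keyword = keyword
        self.all_overlaps = all_overlaps  # False: keep only the maximum, as in the patent
        self.state = {}                   # seq -> (a lengths, b lengths); no payload is kept

    def feed(self, seq, payload):
        """Inspect one packet on arrival and return the hits it completes."""
        kw = self.keyword
        hits = []
        if kw in payload:
            hits.append(("within", seq))

        a = prefix_suffix_overlaps(payload, kw)
        b = suffix_prefix_overlaps(payload, kw)
        if not self.all_overlaps:
            a, b = a[:1], b[:1]

        # Packet seq-1 was seen earlier: it ended with keyword[:k], so this
        # packet must start with the rest of the keyword (steps S403 to S405).
        prev = self.state.get(seq - 1)
        if prev and any(payload.startswith(kw[k:]) for k in prev[1]):
            hits.append(("boundary", seq - 1, seq))

        # Packet seq+1 was seen earlier: it started with the last k bytes of
        # the keyword, so this packet must end with the head (steps S503 to S505).
        nxt = self.state.get(seq + 1)
        if nxt and any(payload.endswith(kw[:-k]) for k in nxt[0]):
            hits.append(("boundary", seq, seq + 1))

        self.state[seq] = (a, b)
        return hits


def demo():
    # Constructed payloads: "attack" split as "att" + "ack", arriving out of order.
    scanner = BoundaryScanner(b"attack")
    results = []
    results += scanner.feed(2, b"ack HTTP/1.1")
    results += scanner.feed(1, b"GET /index?q=att")
    return results


if __name__ == "__main__":
    print(demo())
```

With the keyword `ababc` and the constructed payloads `xxxxabab` and `abcyyyyy`, the maximum overlap is `abab` and the aligned comparison fails, although the joined stream contains the keyword through the shorter overlap `ab`; the `all_overlaps=True` mode reports it.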
Embodiment 4
Figure 6 is a flow chart of the deep packet inspection method of Embodiment 4. As shown in Figure 6, the method comprises:
S601: obtain, as max(b_i), the longest suffix of the i-th packet that matches a prefix of the feature keyword to be detected;
S602: add max(b_i) to the front of the (i+1)-th packet to generate a new packet;
S603: compare the new packet with the feature keyword;
S604: if the comparison succeeds (that is, every character of the two strings being compared corresponds one to one), judge that the feature keyword is present in the i-th packet and the (i+1)-th packet.
Figure 7 is another flow chart of the deep packet inspection method of Embodiment 4. As shown in Figure 7, the method can also be carried out in the following steps:
S701: obtain, as max(a_i), the longest prefix of the i-th packet that matches a suffix of the feature keyword to be detected;
S702: add max(a_i) to the back of the (i-1)-th packet to generate a new packet;
S703: compare the new packet with the feature keyword;
S704: if the comparison succeeds (that is, every character of the two strings being compared corresponds one to one), judge that the feature keyword is present in the i-th packet and the (i-1)-th packet.
In Embodiment 4, because only the remaining characters are compared after the maximum matching part has been obtained, storage space is saved and detection efficiency is improved.
Embodiment 5
Figure 8 is a structural block diagram of the deep packet inspection device of Embodiment 5. As shown in Figure 8, the device comprises: an acquiring unit 801, used to obtain, as max(a_i), the longest prefix of the i-th packet that matches a suffix of the feature keyword to be detected; and a judging unit 802, used to judge, according to max(a_i), whether the feature keyword is present in the i-th packet and the (i-1)-th packet, where i is a positive integer greater than 1.
The judging unit 802 comprises:
a first comparing unit 803, used to obtain the character length of max(a_i), as Len(max(a_i)), to align the (Len(max(a_i))+1)-th character of the feature keyword, counted from the end, with the last character of the (i-1)-th packet, and to compare; if the comparison succeeds, the judging unit 802 judges that the feature keyword is present in the (i-1)-th packet and the i-th packet; and/or
a second comparing unit 804, used to add max(a_i) to the back of the (i-1)-th packet to generate a new packet, and to compare the new packet with the feature keyword; if the comparison succeeds, the judging unit 802 judges that the feature keyword is present in the i-th packet and the (i-1)-th packet.
In Embodiment 5, the functional units of the device can also perform inspection as follows: the acquiring unit 801 is used to obtain, as max(b_i), the longest suffix of the i-th packet that matches a prefix of the feature keyword to be detected; and the judging unit 802 is used to judge, according to max(b_i), whether the feature keyword is present in the i-th packet and the (i+1)-th packet, where i is a positive integer.
The judging unit 802 comprises:
a first comparing unit 803, used to obtain the character length of max(b_i), as Len(max(b_i)), to align the (Len(max(b_i))+1)-th character of the feature keyword with the first character of the (i+1)-th packet, and to compare; if the comparison succeeds, the judging unit 802 judges that the feature keyword is present in the i-th packet and the (i+1)-th packet; and/or
a second comparing unit 804, used to add max(b_i) to the front of the (i+1)-th packet to generate a new packet, and to compare the new packet with the feature keyword; if the comparison succeeds, the judging unit 802 judges that the feature keyword is present in the i-th packet and the (i+1)-th packet.
In the deep packet inspection device of Embodiment 5, because only the remaining characters are compared after the maximum matching part has been obtained, storage space is saved and detection efficiency is improved.
In the above embodiments, a pointer can be used to point to the extracted maximum matching string (each packet stores two lists of information), which optimizes performance compared with the prior art. The invention is not limited to this, however: any way of recording the part where a packet and the feature keyword (pattern) match can be used, and a pointer is only one of them. For example, if the maximum overlap between the suffix of the i-th packet and the prefix of the pattern is 3 characters, it can be recorded as the integer 3.
The beneficial effect of the embodiments is that, because the maximum matching part between a packet and the feature keyword is obtained first and the comparison is made afterwards, the prior art's inefficient use of storage resources is overcome; the concurrency of the system and its response speed to attack code are considerably improved, and detection efficiency is improved.
The embodiments described above further explain the purpose, technical solutions and beneficial effects of the invention. It should be understood that the above are only specific embodiments of the invention and are not intended to limit its scope of protection; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.
Claims (14)
1. A deep packet inspection method, characterized in that the method comprises the following steps:
obtaining, as max(b_i), the longest suffix of the i-th packet that matches a prefix of the feature keyword to be detected;
judging, according to max(b_i), whether the feature keyword is present in the i-th packet and the (i+1)-th packet,
where i is a positive integer.
2. The deep packet inspection method according to claim 1, characterized in that the step of judging, according to max(b_i), whether the feature keyword is present in the i-th packet and the (i+1)-th packet comprises:
comparing the part of the feature keyword other than max(b_i) with the prefix of the (i+1)-th packet; if the comparison succeeds, judging that the feature keyword is present in the i-th packet and the (i+1)-th packet.
3. The deep packet inspection method according to claim 2, characterized in that the step of comparing the part of the feature keyword other than max(b_i) with the prefix of the (i+1)-th packet comprises:
obtaining the character length of max(b_i), as Len(max(b_i));
aligning the (Len(max(b_i))+1)-th character of the feature keyword with the first character of the (i+1)-th packet and comparing.
4. The deep packet inspection method according to claim 1, characterized in that the step of judging, according to max(b_i), whether the feature keyword is present in the i-th packet and the (i+1)-th packet comprises:
adding max(b_i) to the front of the (i+1)-th packet to generate a new packet;
comparing the new packet with the feature keyword;
if the comparison succeeds, judging that the feature keyword is present in the i-th packet and the (i+1)-th packet.
5. A deep packet inspection method, characterized in that the method comprises the following steps:
obtaining, as max(a_i), the longest prefix of the i-th packet that matches a suffix of the feature keyword to be detected;
judging, according to max(a_i), whether the feature keyword is present in the i-th packet and the (i-1)-th packet,
where i is a positive integer greater than 1.
6. The deep packet inspection method according to claim 5, characterized in that the step of judging, according to max(a_i), whether the feature keyword is present in the i-th packet and the (i-1)-th packet comprises:
comparing the part of the feature keyword other than max(a_i) with the suffix of the (i-1)-th packet; if the comparison succeeds, judging that the feature keyword is present in the (i-1)-th packet and the i-th packet.
7. The deep packet inspection method according to claim 6, characterized in that the step of comparing the part of the feature keyword other than max(a_i) with the suffix of the (i-1)-th packet comprises:
obtaining the character length of max(a_i), as Len(max(a_i));
aligning the (Len(max(a_i))+1)-th character of the feature keyword, counted from the end, with the last character of the (i-1)-th packet and comparing.
8. The deep packet inspection method according to claim 5, characterized in that the step of judging, according to max(a_i), whether the feature keyword is present in the i-th packet and the (i-1)-th packet comprises:
adding max(a_i) to the back of the (i-1)-th packet to generate a new packet;
comparing the new packet with the feature keyword;
if the comparison succeeds, judging that the feature keyword is present in the i-th packet and the (i-1)-th packet.
9. A deep packet inspection device, characterized in that the device comprises:
an acquiring unit, used to obtain, as max(b_i), the longest suffix of the i-th packet that matches a prefix of the feature keyword to be detected;
a judging unit, used to judge, according to max(b_i), whether the feature keyword is present in the i-th packet and the (i+1)-th packet,
where i is a positive integer.
10. The deep packet inspection device according to claim 9, characterized in that the judging unit comprises:
a first comparing unit, used to obtain the character length of max(b_i), as Len(max(b_i)), to align the (Len(max(b_i))+1)-th character of the feature keyword with the first character of the (i+1)-th packet, and to compare,
where, if the comparison succeeds, the judging unit judges that the feature keyword is present in the i-th packet and the (i+1)-th packet.
11. The deep packet inspection device according to claim 9, characterized in that the judging unit comprises:
a second comparing unit, used to add max(b_i) to the front of the (i+1)-th packet to generate a new packet, and to compare the new packet with the feature keyword,
where, if the comparison succeeds, the judging unit judges that the feature keyword is present in the i-th packet and the (i+1)-th packet.
12. A deep packet inspection device, characterized in that the device comprises:
an acquiring unit, used to obtain, as max(a_i), the longest prefix of the i-th packet that matches a suffix of the feature keyword to be detected;
a judging unit, used to judge, according to max(a_i), whether the feature keyword is present in the i-th packet and the (i-1)-th packet,
where i is a positive integer greater than 1.
13. The deep packet inspection device according to claim 12, characterized in that the judging unit comprises:
a first comparing unit, used to obtain the character length of max(a_i), as Len(max(a_i)), to align the (Len(max(a_i))+1)-th character of the feature keyword, counted from the end, with the last character of the (i-1)-th packet, and to compare,
where, if the comparison succeeds, the judging unit judges that the feature keyword is present in the (i-1)-th packet and the i-th packet.
14. The deep packet inspection device according to claim 12, characterized in that the judging unit comprises:
a second comparing unit, used to add max(a_i) to the back of the (i-1)-th packet to generate a new packet, and to compare the new packet with the feature keyword,
where, if the comparison succeeds, the judging unit judges that the feature keyword is present in the i-th packet and the (i-1)-th packet.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810241050A CN101764718A (en) | 2008-12-25 | 2008-12-25 | Deep packet inspection method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810241050A CN101764718A (en) | 2008-12-25 | 2008-12-25 | Deep packet inspection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101764718A true CN101764718A (en) | 2010-06-30 |
Family
ID=42495714
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200810241050A Pending CN101764718A (en) | 2008-12-25 | 2008-12-25 | Deep packet inspection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101764718A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102868571A (en) * | 2012-08-07 | 2013-01-09 | 华为技术有限公司 | Method and device for rule matching |
CN105491018A (en) * | 2015-11-24 | 2016-04-13 | 北京中电普华信息技术有限公司 | System and method for network data security analysis based on DPI technology |
CN112311765A (en) * | 2020-09-29 | 2021-02-02 | 新华三信息安全技术有限公司 | Message detection method and device |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102868571A (en) * | 2012-08-07 | 2013-01-09 | 华为技术有限公司 | Method and device for rule matching |
CN102868571B (en) * | 2012-08-07 | 2015-04-08 | 华为技术有限公司 | Method and device for rule matching |
US9811777B2 (en) | 2012-08-07 | 2017-11-07 | Huawei Technologies Co., Ltd. | Rule matching method and apparatus for deep packet inspection |
CN105491018A (en) * | 2015-11-24 | 2016-04-13 | 北京中电普华信息技术有限公司 | System and method for network data security analysis based on DPI technology |
CN105491018B (en) * | 2015-11-24 | 2019-02-12 | 北京中电普华信息技术有限公司 | A kind of network data security analysis method based on DPI technology |
CN112311765A (en) * | 2020-09-29 | 2021-02-02 | 新华三信息安全技术有限公司 | Message detection method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C12 | Rejection of a patent application after its publication | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20100630 |