[go: up one dir, main page]

CN103414701B - A kind of rule matching method and device - Google Patents

A kind of rule matching method and device Download PDF

Info

Publication number
CN103414701B
CN103414701B CN201310317781.2A CN201310317781A CN103414701B CN 103414701 B CN103414701 B CN 103414701B CN 201310317781 A CN201310317781 A CN 201310317781A CN 103414701 B CN103414701 B CN 103414701B
Authority
CN
China
Prior art keywords
rule
matched
message
hash
tagged word
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310317781.2A
Other languages
Chinese (zh)
Other versions
CN103414701A (en
Inventor
郑妍妍
孙灵燕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Haining Warp Knitting Industrial Park Development Co ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN201310317781.2A priority Critical patent/CN103414701B/en
Publication of CN103414701A publication Critical patent/CN103414701A/en
Application granted granted Critical
Publication of CN103414701B publication Critical patent/CN103414701B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

Embodiment of the invention discloses that a kind of rule matching method and device, it is related to electronic information field, it is possible to increase rule matching efficiency.The method includes:Extract the rule of message, extract the tagged word of message rule and generate the relam identifier of message rule;The hash function computing that the tagged word of message rule and relam identifier are carried out predetermined number generates the cryptographic Hash of predetermined number;Search the data of storage in the address of corresponding cryptographic Hash respectively in the corresponding Hash table of each hash function, if the data of storage is preset value in the address of each cryptographic Hash, the match is successful for message rule, and otherwise it fails to match for message rule.The present invention is used for the coupling of rule.

Description

一种规则匹配方法及设备A rule matching method and device

技术领域technical field

本发明涉及电子信息领域,尤其涉及一种规则匹配方法及设备。The invention relates to the field of electronic information, in particular to a rule matching method and equipment.

背景技术Background technique

IP(Internet Protocol,网络协议)业务的爆炸性发展及宽带业务迅猛增长,给运营商带来了机遇的同时也带来了挑战。在网络与业务的安全保障方面,协议中恶意特征字规则数目多,并随着网络业务的发展而不断增多。并且恶意特征字规则出现位置不固定,无法预知准确位置,这些都给恶意数据段的识别带来了挑战。The explosive development of IP (Internet Protocol, Internet Protocol) services and the rapid growth of broadband services have brought opportunities and challenges to operators. In terms of network and service security, the number of malicious signature rules in the protocol is large, and it continues to increase with the development of network services. Moreover, the location of malicious signature rules is not fixed, and the exact location cannot be predicted, which brings challenges to the identification of malicious data segments.

DPI(Deep Packet Inspection,深度包检测)技术作为一种网络设备增强的过滤器,逐步将用户管理、安全控制、精细的业务控制等能力有机地集成在一起,实现各类业务的动态感知、策略控制、QOS(Qualityof Service,服务质量)保障,以及网络与业务的安全保障等功能,降低运营商的资本性支出与运营支出,为运营商提供一个电信业务的基础运营平台。DPI (Deep Packet Inspection, deep packet inspection) technology, as an enhanced filter for network equipment, gradually integrates user management, security control, fine service control and other capabilities organically, and realizes dynamic perception and strategy of various services. Functions such as control, QOS (Quality of Service, quality of service) guarantee, and network and service security guarantee reduce the capital expenditure and operating expenditure of operators, and provide operators with a basic operation platform for telecom services.

DPI技术的关键是高效识别网络上的各种应用。识别技术包含特征字识别、应用层网关识别、行为模式识别。特征字识别技术目前已经成为识别技术的主要方法之一,而“规则匹配技术”是特征字识别的关键技术。因此,“规则匹配技术”的发展成为了识别恶意数段,维护网络安全的重要部分。The key to DPI technology is to efficiently identify various applications on the network. Recognition technology includes feature word recognition, application layer gateway recognition, and behavior pattern recognition. Feature word recognition technology has become one of the main methods of recognition technology, and "rule matching technology" is the key technology of feature word recognition. Therefore, the development of "rule matching technology" has become an important part of identifying malicious segments and maintaining network security.

但是,在现有的技术中,因为只提取规则的特征字进行哈希函数运算,继而进行匹配,导致了对于规则的匹配精确度不足,效率较低,影响了网络信息中恶意数段的过滤效果。However, in the existing technology, because only the feature words of the rules are extracted for hash function operation and then matched, the matching accuracy of the rules is insufficient and the efficiency is low, which affects the filtering of malicious segments in network information Effect.

发明内容Contents of the invention

本发明的实施例提供一种规则匹配方法及设备,能够提高规则匹配的精度以及规则匹配的效率。Embodiments of the present invention provide a rule matching method and device, which can improve the accuracy and efficiency of rule matching.

为达到上述目的,本发明的实施例采用如下技术方案:In order to achieve the above object, embodiments of the present invention adopt the following technical solutions:

第一方面,一种规则匹配方法,包括:In the first aspect, a rule matching method includes:

规则匹配设备在报文中提取报文规则;The rule matching device extracts message rules from the message;

所述规则匹配设备在所述报文规则中提取特征字,并生成所述报文规则的域标识符;The rule matching device extracts feature words from the message rules, and generates domain identifiers of the message rules;

所述规则匹配设备将所述报文规则的特征字与所述报文规则的域标识符进行预设数量的哈希函数运算生成预设数量的哈希值;The rule matching device performs a preset number of hash function operations on the feature word of the message rule and the domain identifier of the message rule to generate a preset number of hash values;

分别在每一个所述哈希函数对应的哈希表中查找对应的所述哈希值的地址中存储的数据;Respectively look up the data stored in the address of the corresponding hash value in the hash table corresponding to each of the hash functions;

若每个所述哈希值的地址中存储的数据均为预设值,则所述报文规则匹配成功;否则所述报文规则匹配失败。If the data stored in the address of each hash value is a preset value, the message rule matching is successful; otherwise, the message rule matching fails.

在第一种可能的实现方式中,结合第一方面,所述规则匹配设备在报文中提取报文规则之前,还包括:In a first possible implementation manner, in combination with the first aspect, before the rule matching device extracts the message rule from the message, it further includes:

所述规则匹配设备在待匹配规则中提取所述待匹配规则的特征字,并生成所述待匹配规则的域标识符;The rule matching device extracts the feature word of the rule to be matched from the rule to be matched, and generates a domain identifier of the rule to be matched;

将所述待匹配规则的特征字与所述待匹配规则的域标识符进行所述预设数量的哈希函数运算生成预设数量的标准哈希值;performing the preset number of hash function operations on the feature word of the rule to be matched and the domain identifier of the rule to be matched to generate a preset number of standard hash values;

分别在每一个所述哈希函数对应的所述哈希表中查找对应的所述标准哈希值的地址,并将每个所述标准哈希值的地址中存储的数据改为所述预设值。Respectively look up the address of the corresponding standard hash value in the hash table corresponding to each of the hash functions, and change the data stored in the address of each standard hash value into the preset set value.

在第二种可能的实现方式中,结合第一方面的第一种可能的实现方式,所述规则匹配设备在所述报文规则中提取特征字,并生成所述报文规则的域标识符之后,还包括:In a second possible implementation manner, in combination with the first possible implementation manner of the first aspect, the rule matching device extracts a characteristic word from the message rule, and generates a domain identifier of the message rule After that, also include:

所述规则匹配设备将所述报文规则的特征字与所述报文规则的域标识符进行预设的主哈希函数运算得到主哈希值;The rule matching device performs a preset primary hash function operation on the feature word of the message rule and the domain identifier of the message rule to obtain a primary hash value;

将所述主哈希值作为入口Entry表的行地址,在所述Entry表的行地址对应的行中,查找所述报文规则的特征字与所述报文规则的域标识符;Using the main hash value as the row address of the entry Entry table, in the row corresponding to the row address of the Entry table, look up the feature word of the message rule and the domain identifier of the message rule;

若查找到所述报文规则的特征字与所述报文规则的域标识符,则所述报文规则匹配成功;否则所述报文规则匹配失败。If the feature word of the message rule and the domain identifier of the message rule are found, the message rule is successfully matched; otherwise, the message rule is not matched.

在第三种可能的实现方式中,结合第一方面的第二种可能的实现方式,所述规则匹配设备在待匹配规则中提取所述待匹配规则的特征字,并生成所述待匹配规则的域标识符之后,还包括:In a third possible implementation manner, in combination with the second possible implementation manner of the first aspect, the rule matching device extracts the feature words of the rule to be matched from the rule to be matched, and generates the rule to be matched After the domain identifier of the , also include:

所述规则匹配设备在所述预设数量的哈希函数中选择一个哈希函数作为所述预设的主哈希函数;The rule matching device selects a hash function from the preset number of hash functions as the preset main hash function;

将所述待匹配规则的特征字与所述待匹配规则的域标识符进行所述预设的主哈希函数运算得到标准主哈希值;performing the preset primary hash function operation on the feature word of the rule to be matched and the domain identifier of the rule to be matched to obtain a standard primary hash value;

将所述标准主哈希值作为所述Entry表的预设行地址,将所述待匹配规则的特征字与所述待匹配规则的域标识符存入所述Entry表的预设行地址对应的Entry表的行。The standard main hash value is used as the preset row address of the Entry table, and the feature word of the rule to be matched and the domain identifier of the rule to be matched are stored in the preset row address of the Entry table to correspond Rows of the Entry table.

在第四种可能的实现方式中,结合第一方面的第三种可能的实现方式,所述方法还包括:In a fourth possible implementation manner, in combination with the third possible implementation manner of the first aspect, the method further includes:

所述规则匹配设备根据所述待匹配规则获取所述待匹配规则的组标识符,所述待匹配规则的组标识符与所述待匹配规则的特征字及所述待匹配规则的域标识符一一对应;The rule matching device acquires the group identifier of the rule to be matched according to the rule to be matched, the group identifier of the rule to be matched is related to the feature word of the rule to be matched and the domain identifier of the rule to be matched one-to-one correspondence;

所述规则匹配设备将所述待匹配规则的组标识符存入所述Entry表的预设行地址对应的Entry表的行,以便于根据所述待匹配规则的组标识符在所述Entry表的行地址对应的行中查找所述报文规则的特征字与所述报文规则的域标识符。The rule matching device stores the group identifier of the rule to be matched into the row of the Entry table corresponding to the preset row address of the Entry table, so that the group identifier of the rule to be matched can be entered in the Entry table according to the group identifier of the rule to be matched. Search for the feature word of the message rule and the domain identifier of the message rule in the row corresponding to the row address of .

在第五种可能的实现方式中,结合第一方面的第四种可能的实现方式,所述规则匹配设备将所述报文规则的特征字与所述报文规则的域标识符进行预设数量的哈希函数运算生成预设数量的哈希值之前,还包括:In a fifth possible implementation manner, in combination with the fourth possible implementation manner of the first aspect, the rule matching device presets the feature word of the message rule and the domain identifier of the message rule The number of hash function operations before generating a preset number of hash values also includes:

所述规则匹配设备根据所述报文规则获取所述报文规则的偏移值;The rule matching device acquires an offset value of the message rule according to the message rule;

所述规则匹配设备将所述报文规则的特征字与所述报文规则的域标识符进行预设数量的哈希函数运算生成预设数量的哈希值,包括:The rule matching device performs a preset number of hash function operations on the feature word of the message rule and the domain identifier of the message rule to generate a preset number of hash values, including:

所述规则匹配设备将所述报文规则的特征字、所述报文规则的域标识符和所述报文规则的偏移值进行所述预设数量的哈希函数运算生成预设数量的所述哈希值;The rule matching device performs the preset number of hash function operations on the feature word of the message rule, the domain identifier of the message rule, and the offset value of the message rule to generate a preset number of said hash value;

所述规则匹配设备将所述待匹配规则的特征字与所述待匹配规则的域标识符进行所述预设数量的哈希函数运算生成预设数量的标准哈希值之前,还包括:Before the rule matching device performs the preset number of hash function operations on the feature word of the rule to be matched and the domain identifier of the rule to be matched to generate a preset number of standard hash values, it further includes:

所述规则匹配设备根据所述待匹配规则获取所述待匹配规则的偏移值;The rule matching device acquires an offset value of the rule to be matched according to the rule to be matched;

所述规则匹配设备将所述待匹配规则的特征字与所述待匹配规则的域标识符进行所述预设数量的哈希函数运算生成预设数量的标准哈希值,包括:The rule matching device performs the preset number of hash function operations on the feature word of the rule to be matched and the domain identifier of the rule to be matched to generate a preset number of standard hash values, including:

所述规则匹配设备将所述待匹配规则的特征字、所述待匹配规则的域标识符和所述待匹配规则的偏移值进行所述预设数量的哈希函数运算生成预设数量的所述标准哈希值。The rule matching device performs the preset number of hash function operations on the feature word of the rule to be matched, the domain identifier of the rule to be matched and the offset value of the rule to be matched to generate a preset number of The standard hash value.

在第六种可能的实现方式中,结合第一方面的第五种可能的实现方式,所述规则匹配设备将所述报文规则的特征字与所述报文规则的域标识符进行预设的主哈希函数运算得到主哈希值,将所述主哈希值作为所述Entry表的行地址,在所述Entry表的行地址对应的Entry表的行中,查找所述报文规则的特征字与所述报文规则的域标识符,包括:In a sixth possible implementation manner, in combination with the fifth possible implementation manner of the first aspect, the rule matching device presets the feature word of the message rule and the domain identifier of the message rule The main hash function operation of the main hash value is used to obtain the main hash value, and the main hash value is used as the row address of the Entry table, and the message rule is searched in the row of the Entry table corresponding to the row address of the Entry table The feature word and the domain identifier of the message rule include:

所述规则匹配设备将所述报文规则的特征字、所述报文规则的域标识符和所述报文规则的偏移值进行所述预设的主哈希函数运算得到所述主哈希值,将所述主哈希值作为所述Entry表的行地址,在所述Entry表的行地址对应的Entry表的行中,查找所述报文规则的特征字、所述报文规则的域标识符和所述报文规则的偏移值;The rule matching device performs the preset primary hash function operation on the feature word of the message rule, the domain identifier of the message rule, and the offset value of the message rule to obtain the primary hash function Hash value, using the main hash value as the row address of the Entry table, in the row of the Entry table corresponding to the row address of the Entry table, look up the feature word of the message rule, the message rule domain identifier and the offset value of the message rule;

所述将所述待匹配规则的特征字与所述待匹配规则的域标识符进行所述预设的主哈希函数运算得到标准主哈希值,将所述标准主哈希值作为所述Entry表的预设行地址,将所述待匹配规则的特征字与所述待匹配规则的域标识符存入所述Entry表的预设行地址对应的Entry表的行,包括:performing the preset primary hash function operation on the feature word of the rule to be matched and the domain identifier of the rule to be matched to obtain a standard primary hash value, and using the standard primary hash value as the The default row address of the Entry table, the characteristic word of the rule to be matched and the domain identifier of the rule to be matched are stored in the row of the Entry table corresponding to the preset row address of the Entry table, including:

所述规则匹配设备将所述待匹配规则的特征字、所述待匹配规则的域标识符和所述待匹配规则的偏移值进行所述预设的主哈希函数运算得到所述标准主哈希值,将所述标准主哈希值作为所述Entry表的预设行地址,将所述待匹配规则的特征字、所述待匹配规则的域标识符和所述待匹配规则的偏移值存入所述Entry表的预设行地址对应的Entry表的行。The rule matching device performs the preset main hash function operation on the feature word of the rule to be matched, the domain identifier of the rule to be matched and the offset value of the rule to be matched to obtain the standard main Hash value, using the standard main hash value as the preset row address of the Entry table, using the feature word of the rule to be matched, the domain identifier of the rule to be matched, and the offset of the rule to be matched The shift value is stored in the row of the Entry table corresponding to the preset row address of the Entry table.

在第七种可能的实现方式中,结合第一方面的第一种可能的实现方式、第一方面的第二种可能的实现方式、第一方面的第三种可能的实现方式、第一方面的第四种可能的实现方式和第一方面的第五种可能的实现方式,所述规则匹配设备在待匹配规则中提取所述待匹配规则的特征字之前,还包括:In the seventh possible implementation manner, in combination with the first possible implementation manner of the first aspect, the second possible implementation manner of the first aspect, the third possible implementation manner of the first aspect, the first aspect In the fourth possible implementation of the first aspect and the fifth possible implementation of the first aspect, before the rule matching device extracts the feature word of the rule to be matched from the rule to be matched, it further includes:

所述规则匹配设备将位置不固定的匹配规则的起始字符改写为预设起始字符;The rule matching device rewrites the starting character of the matching rule whose position is not fixed to a preset starting character;

所述规则匹配设备将起始字符改写为预设起始字符的匹配规则进行分组,以便于所述规则匹配设备将所述分组后的匹配规则作为所述待匹配规则。The rule matching device groups the matching rules with the initial characters rewritten into preset starting characters, so that the rule matching device uses the grouped matching rules as the rules to be matched.

在第八种可能的实现方式中,结合第一方面的第七种可能的实现方式,所述规则匹配设备将起始字符改写为预设起始字符的匹配规则进行分组,包括:In an eighth possible implementation manner, in combination with the seventh possible implementation manner of the first aspect, the rule matching device groups the matching rules for rewriting the initial character into a preset initial character, including:

所述规则匹配设备在所述位置不固定的匹配规则的特征字中选择预设特征字,提取所述预设特征字;The rule matching device selects a preset feature word from the feature words of the matching rule whose position is not fixed, and extracts the preset feature word;

所述规则匹配设备将所述位置不固定的匹配规则中拥有共同所述预设特征字的规则分为一组。The rule matching device groups rules that share the preset feature word among the matching rules whose positions are not fixed into a group.

在第九种可能的实现方式中,结合第一方面的第八种可能的实现方式,所述规则匹配设备在所述位置不固定的匹配规则的特征字中选择预设特征字之前,还包括:In a ninth possible implementation manner, in combination with the eighth possible implementation manner of the first aspect, the rule matching device further includes :

所述规则匹配设备在所述位置不固定的匹配规则中,提取含有达到阈值长度的相同字符的匹配规则;The rule matching device extracts a matching rule containing the same character reaching a threshold length among the matching rules whose positions are not fixed;

所述规则匹配设备将所述达到阈值长度的相同字符作为一条匹配规则替换所述含有达到阈值长度的相同字符的匹配规则。。The rule matching device uses the same character whose length reaches the threshold as a matching rule to replace the matching rule containing the same character whose length reaches the threshold. .

在第十种可能的实现方式中,结合第一方面的第八种可能的实现方式,所述规则匹配设备将所述位置不固定的匹配规则中拥有共同预设特征字的规则分为一组,还包括:In a tenth possible implementation manner, in combination with the eighth possible implementation manner of the first aspect, the rule matching device divides the rules that have a common preset feature word among the matching rules whose positions are not fixed into a group ,Also includes:

所述规则匹配设备计算同一个所述预设特征字在不同的所述位置不固定的匹配规则中的最大偏移值;The rule matching device calculates the maximum offset value of the same preset feature word in different matching rules whose positions are not fixed;

所述规则匹配设备在所述同一组的每个所述位置不固定的匹配规则中,将所述预设特征字的偏移值改写为所述最大偏移值。The rule matching device rewrites the offset value of the preset feature word into the maximum offset value in each matching rule whose position is not fixed in the same group.

第二方面,一种规则匹配设备,包括:In the second aspect, a rule matching device includes:

提取单元,用于在报文中提取报文规则,在所述报文规则中提取特征字,并生成所述报文规则的域标识符,将所述报文规则的特征字与所述报文规则的域标识符传输至匹配单元;An extracting unit, configured to extract a message rule from a message, extract a feature word from the message rule, and generate a domain identifier of the message rule, and combine the feature word of the message rule with the message The domain identifier of the text rule is transmitted to the matching unit;

所述匹配单元,用于接收所述提取单元传输的所述报文规则的特征字与所述报文规则的域标识符,将所述报文规则的特征字与所述报文规则的域标识符进行预设数量的哈希函数运算生成预设数量的哈希值,分别在每一个所述哈希函数对应的哈希表中查找对应的所述哈希值的地址中存储的数据,若每个所述哈希值的地址中存储的数据均为预设值,则所述报文规则匹配成功;否则所述报文规则匹配失败。The matching unit is configured to receive the feature word of the message rule and the field identifier of the message rule transmitted by the extraction unit, and combine the feature word of the message rule with the field identifier of the message rule Performing a preset number of hash function operations on the identifier to generate a preset number of hash values, respectively searching the data stored in the address of the corresponding hash value in the hash table corresponding to each of the hash functions, If the data stored in the address of each hash value is a preset value, the message rule matching is successful; otherwise, the message rule matching fails.

在第一种可能的实现方式中,结合第一方面,In the first possible implementation, combined with the first aspect,

所述提取单元,还用于在所述待匹配规则中提取所述待匹配规则的特征字,并生成所述待匹配规则的域标识符,将所述待匹配规则的特征字与所述待匹配规则的域标识符传输至所述匹配单元;The extraction unit is further configured to extract the feature words of the rules to be matched from the rules to be matched, and generate a domain identifier of the rules to be matched, and combine the feature words of the rules to be matched with the The domain identifier of the matching rule is transmitted to the matching unit;

所述匹配单元,还用于接收所述提取单元传输的所述待匹配规则的特征字与所述待匹配规则的域标识符,将所述待匹配规则的特征字与所述待匹配规则的域标识符进行所述预设数量的哈希函数运算生成预设数量的标准哈希值,分别在每一个所述哈希函数对应的所述哈希表中查找对应的所述标准哈希值的地址,并将每个所述标准哈希值的地址中存储的数据改为所述预设值。The matching unit is further configured to receive the feature word of the rule to be matched and the domain identifier of the rule to be matched transmitted by the extraction unit, and combine the feature word of the rule to be matched with the domain identifier of the rule to be matched Performing the preset number of hash function operations on the domain identifier to generate a preset number of standard hash values, and searching for the corresponding standard hash values in the hash table corresponding to each of the hash functions address, and change the data stored in the address of each standard hash value to the preset value.

在第二种可能的实现方式中,结合第一方面的第一种可能的实现方式,In the second possible implementation, combined with the first possible implementation of the first aspect,

所述匹配单元,还用于将所述报文规则的特征字与所述报文规则的域标识符进行预设的主哈希函数运算得到主哈希值,将所述主哈希值作为入口Entry表的行地址,在所述Entry表的行地址对应的Entry表的行中,查找所述报文规则的特征字与所述报文规则的域标识符,若查找到所述报文规则的特征字与所述报文规则的域标识符,则所述报文规则匹配成功;否则所述报文规则匹配失败。The matching unit is further configured to perform a preset primary hash function operation on the feature word of the message rule and the domain identifier of the message rule to obtain a primary hash value, and use the primary hash value as The row address of the entry Entry table, in the row of the Entry table corresponding to the row address of the Entry table, look up the feature word of the message rule and the domain identifier of the message rule, if the message is found If the feature word of the rule matches the domain identifier of the message rule, the message rule is successfully matched; otherwise, the message rule is not matched.

在第三种可能的实现方式中,结合第一方面的第二种可能的实现方式,In the third possible implementation, combined with the second possible implementation of the first aspect,

所述匹配单元,还用于在所述预设数量的哈希函数中选择一个哈希函数作为所述预设的主哈希函数,将所述待匹配规则的特征字与所述待匹配规则的域标识符进行所述预设的主哈希函数运算得到标准主哈希值,将所述标准主哈希值作为所述Entry表的预设行地址,将所述待匹配规则的特征字与所述待匹配规则的域标识符存入所述Entry表的预设行地址对应的Entry表的行。The matching unit is further configured to select a hash function from the preset number of hash functions as the preset main hash function, and combine the feature word of the rule to be matched with the rule to be matched Perform the preset main hash function operation on the domain identifier to obtain a standard main hash value, use the standard main hash value as the preset row address of the Entry table, and use the feature word of the rule to be matched The field identifier of the rule to be matched is stored in the row of the Entry table corresponding to the preset row address of the Entry table.

在第四种可能的实现方式中,结合第一方面的第三种可能的实现方式,In the fourth possible implementation, combined with the third possible implementation of the first aspect,

所述提取单元,还用于根据所述待匹配规则获取所述待匹配规则的组标识符,将所述待匹配规则的组标识符传输至所述匹配单元,所述待匹配规则的组标识符与所述待匹配规则的特征字及所述待匹配规则的域标识符一一对应;The extracting unit is further configured to obtain the group identifier of the rule to be matched according to the rule to be matched, and transmit the group identifier of the rule to be matched to the matching unit, and the group identifier of the rule to be matched The character is in one-to-one correspondence with the feature word of the rule to be matched and the domain identifier of the rule to be matched;

所述匹配单元,还用于接收所述提取单元传输的所述待匹配规则的组标识符,将所述待匹配规则的组标识符存入所述Entry表的预设行地址对应的Entry表的行,以便于所述匹配单元根据所述待匹配规则的组标识符在所述Entry表的行地址对应的行中查找所述报文规则的特征字与所述报文规则的域标识符。The matching unit is further configured to receive the group identifier of the rule to be matched transmitted by the extraction unit, and store the group identifier of the rule to be matched into the Entry table corresponding to the preset row address of the Entry table row, so that the matching unit searches the feature word of the message rule and the domain identifier of the message rule in the row corresponding to the row address of the Entry table according to the group identifier of the rule to be matched .

在第五种可能的实现方式中,结合第一方面的第四种可能的实现方式,In the fifth possible implementation, combined with the fourth possible implementation of the first aspect,

所述提取单元,还用于根据所述报文规则获取所述报文规则的偏移值,并将所述报文规则的偏移值传输至所述匹配单元;The extracting unit is further configured to obtain an offset value of the message rule according to the message rule, and transmit the offset value of the message rule to the matching unit;

所述匹配单元,还用于接收所述提取单元传输的所述报文规则的偏移值,将所述报文规则的特征字、所述报文规则的域标识符和所述报文规则的偏移值进行所述预设数量的哈希函数运算生成预设数量的所述哈希值;The matching unit is further configured to receive the offset value of the message rule transmitted by the extracting unit, and combine the feature word of the message rule, the domain identifier of the message rule and the message rule performing the preset number of hash function operations on the offset value to generate a preset number of the hash values;

所述提取单元,还用于根据所述待匹配规则获取所述待匹配规则的偏移值,并将所述待匹配规则的偏移值传输至所述匹配单元;The extracting unit is further configured to obtain an offset value of the rule to be matched according to the rule to be matched, and transmit the offset value of the rule to be matched to the matching unit;

所述匹配单元,还用于接收所述提取单元传输的所述待匹配规则的偏移值,将所述待匹配规则的特征字、所述待匹配规则的域标识符和所述待匹配规则的偏移值进行所述预设数量的哈希函数运算生成预设数量的所述标准哈希值。The matching unit is further configured to receive the offset value of the rule to be matched transmitted by the extraction unit, and combine the feature word of the rule to be matched, the domain identifier of the rule to be matched and the rule to be matched Perform the preset number of hash function operations on the offset value to generate the preset number of standard hash values.

在第六种可能的实现方式中,结合第一方面的第五种可能的实现方式,In the sixth possible implementation, combined with the fifth possible implementation of the first aspect,

所述匹配单元,还用于将所述报文规则的特征字、所述报文规则的域标识符和所述报文规则的偏移值进行所述预设的主哈希函数运算得到所述主哈希值,将所述主哈希值作为所述Entry表的行地址,在所述Entry表的行地址对应的Entry表的行中,查找所述报文规则的特征字、所述报文规则的域标识符和所述报文规则的偏移值;The matching unit is further configured to perform the preset main hash function operation on the feature word of the message rule, the domain identifier of the message rule and the offset value of the message rule to obtain the The main hash value, using the main hash value as the row address of the Entry table, in the row of the Entry table corresponding to the row address of the Entry table, search for the feature word of the message rule, the The domain identifier of the message rule and the offset value of the message rule;

所述匹配单元,还用于将所述待匹配规则的特征字、所述待匹配规则的域标识符和所述待匹配规则的偏移值进行所述预设的主哈希函数运算得到所述标准主哈希值,将所述标准主哈希值作为所述Entry表的预设行地址,将所述待匹配规则的特征字、所述待匹配规则的域标识符和所述待匹配规则的偏移值存入所述Entry表的预设行地址对应的Entry表的行。The matching unit is further configured to perform the preset main hash function operation on the feature word of the rule to be matched, the domain identifier of the rule to be matched and the offset value of the rule to be matched to obtain the The standard main hash value, using the standard main hash value as the preset row address of the Entry table, using the feature word of the rule to be matched, the domain identifier of the rule to be matched and the address to be matched The offset value of the rule is stored in the row of the Entry table corresponding to the preset row address of the Entry table.

在第七种可能的实现方式中,结合第一方面的第一种可能的实现方式、第一方面的第二种可能的实现方式、第一方面的第三种可能的实现方式、第一方面的第四种可能的实现方式和第一方面的第五种可能的实现方式,所述规则匹配设备还包括分组单元;In the seventh possible implementation manner, in combination with the first possible implementation manner of the first aspect, the second possible implementation manner of the first aspect, the third possible implementation manner of the first aspect, the first aspect In the fourth possible implementation of the first aspect and the fifth possible implementation of the first aspect, the rule matching device further includes a grouping unit;

所述分组单元,用于将位置不固定的匹配规则的起始字符改写为预设起始字符;The grouping unit is configured to rewrite the starting character of the matching rule whose position is not fixed into a preset starting character;

所述分组单元,还用于将起始字符改写为预设起始字符的匹配规则进行分组,以便于所述匹配单元将所述分组后的匹配规则作为所述待匹配规则。The grouping unit is further configured to group the matching rules of rewriting the initial character into a preset initial character, so that the matching unit can use the grouped matching rules as the rules to be matched.

在第八种可能的实现方式中,结合第一方面的第七种可能的实现方式,In the eighth possible implementation manner, in combination with the seventh possible implementation manner of the first aspect,

所述分组单元,还用于在所述位置不固定的匹配规则的特征字中选择预设特征字,提取所述预设特征字,将所述位置不固定的匹配规则中拥有共同所述预设特征字的规则分为一组。The grouping unit is further configured to select a preset feature word from the feature words of the matching rules whose positions are not fixed, extract the preset feature words, and combine the preset feature words in the matching rules whose positions are not fixed. Set the rules of feature words into one group.

在第九种可能的实现方式中,结合第一方面的第八种可能的实现方式,In the ninth possible implementation, combined with the eighth possible implementation of the first aspect,

所述分组单元,还用于在所述位置不固定的匹配规则中,提取含有达到阈值长度的相同字符的匹配规则,将所述达到阈值长度的相同字符作为一条匹配规则替换所述含有达到阈值长度的相同字符的匹配规则。The grouping unit is further configured to extract a matching rule containing the same character reaching a threshold length from the matching rules whose positions are not fixed, and use the same character reaching the threshold length as a matching rule to replace the matching rule containing the same character reaching the threshold length. Matching rules for characters of the same length.

在第十种可能的实现方式中,结合第一方面的第八种可能的实现方式,In the tenth possible implementation manner, in combination with the eighth possible implementation manner of the first aspect,

所述分组单元,还用于计算同一个所述预设特征字在不同的所述位置不固定的匹配规则中的最大偏移值,在所述同一组的每个所述位置不固定的匹配规则中,将所述预设特征字的偏移值改写为所述最大偏移值。The grouping unit is also used to calculate the maximum offset value of the same preset feature word in different matching rules whose positions are not fixed, and each of the matching rules whose positions are not fixed in the same group In the rule, the offset value of the preset feature word is rewritten as the maximum offset value.

本发明的实施例提供的规则匹配方法及设备,通过将报文规则的特征字与报文规则的域标识符进行预设数量的哈希函数运算生成预设数量的哈希值,分别在每一个哈希函数对应的哈希表中查找对应的哈希值的地址中存储的数据,若每个哈希值的地址中存储的数据均为预设值,则报文规则匹配成功,否则报文规则匹配失败,从而提高了规则匹配的效率。The rule matching method and equipment provided by the embodiments of the present invention generate a preset number of hash values by performing a preset number of hash function operations on the feature word of the message rule and the domain identifier of the message rule, respectively, in each Find the data stored in the address of the corresponding hash value in the hash table corresponding to a hash function. If the data stored in the address of each hash value is the preset value, the message rule matches successfully, otherwise it reports text rule matching failure, thus improving the efficiency of rule matching.

附图说明Description of drawings

为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍。In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the following briefly introduces the drawings that are required in the description of the embodiments or the prior art.

图1为本发明的实施例提供的一种规则匹配方法;Fig. 1 is a kind of rule matching method provided by the embodiment of the present invention;

图2为本发明的另一实施例提供的一种规则匹配方法;FIG. 2 is a rule matching method provided by another embodiment of the present invention;

图3为本发明的实施例提供的规则匹配方法中的一种规则分组方法;Fig. 3 is a rule grouping method in the rule matching method provided by the embodiment of the present invention;

图4为本发明的实施例提供的一种规则匹配设备;FIG. 4 is a rule matching device provided by an embodiment of the present invention;

图5为本发明的另一实施例提供的一种规则匹配设备。Fig. 5 is a rule matching device provided by another embodiment of the present invention.

具体实施方式detailed description

下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention.

目前,规则匹配技术大多都是基于FPGA(Field-Programmable GateArray,现场可编程门阵列)芯片实现的,它是作为ASIC(Application SpecificIntegrated Circuit,专用集成电路)领域中的一种半定制电路而出现的。本发明的实施例在FPGA芯片的背景下,提供了一种规则匹配方法,如图1所示,当然,本发明的实施例不局限于使用FPGA芯片,通过其他芯片也可以实现,只不过优选的使用FPGA芯片作为硬件基础,该方法包括以下步骤:At present, most of the rule matching technologies are implemented based on FPGA (Field-Programmable Gate Array, Field Programmable Gate Array) chip, which appears as a semi-custom circuit in the field of ASIC (Application Specific Integrated Circuit, application specific integrated circuit) . Embodiments of the present invention provide a rule matching method under the background of FPGA chips, as shown in FIG. The use of FPGA chips as the hardware basis, the method includes the following steps:

101、规则匹配设备在报文中提取报文规则。101. The rule matching device extracts a packet rule from the packet.

102、规则匹配设备在报文规则中提取特征字,并生成报文规则的域标识符。102. The rule matching device extracts the characteristic words in the message rule, and generates a domain identifier of the message rule.

其中,报文规则的特征字是报文规则的一部分字符串,它包含了自身规则可以区别于其他规则的独有的特征。报文规则的域标识符包含报文规则出现的位置信息,增加域标识符提高了规则匹配的精度与效率。Wherein, the feature word of the message rule is a part of the character string of the message rule, which contains the unique features of its own rule that can be distinguished from other rules. The domain identifier of the message rule contains the location information where the message rule appears. Adding the domain identifier improves the accuracy and efficiency of rule matching.

103、规则匹配设备将报文规则的特征字与报文规则的域标识符进行预设数量的哈希函数运算生成预设数量的哈希值。103. The rule matching device performs a preset number of hash function operations on the feature word of the message rule and the domain identifier of the message rule to generate a preset number of hash values.

104、规则匹配设备分别在每一个哈希函数对应的哈希表中查找对应的哈希值的地址中存储的数据。若每个哈希值的地址中存储的数据均为预设值,则报文规则匹配成功;否则报文规则匹配失败。104. The rule matching device respectively searches the data stored in the address of the corresponding hash value in the hash table corresponding to each hash function. If the data stored in the address of each hash value is a preset value, the message rule matching is successful; otherwise, the message rule matching fails.

此处预设数量的哈希函数为多个不同的哈希算法,一般为4个哈希函数,每一个哈希函数对应一个哈希表。四个哈希表都存储于芯片内,表的宽度一般为1bit,深度可以自行设定,一般为32K。哈希表能够将关键字(此处为报文规则的特征字与报文规则的域标识符)映射到表中的一个地址(即哈希表的行号),优选的,将通过哈希函数运算得到的函数值直接作为行号,建立映射关系。如果函数值映射的地址中没有存储预设值,代表这条规则并未出现,即匹配失败。The preset number of hash functions here are multiple different hash algorithms, generally 4 hash functions, and each hash function corresponds to a hash table. The four hash tables are all stored in the chip. The width of the table is generally 1 bit, and the depth can be set by yourself, generally 32K. The hash table can map the keyword (here, the feature word of the message rule and the domain identifier of the message rule) to an address in the table (that is, the line number of the hash table), preferably, it will pass the hash The function value obtained by the function operation is directly used as the row number to establish a mapping relationship. If there is no preset value stored in the address of the function value mapping, it means that this rule does not appear, that is, the matching fails.

本发明的实施例提供的规则匹配方法,通过将报文规则的特征字与报文规则的域标识符进行预设数量的哈希函数运算生成预设数量的哈希值,分别在每一个哈希函数对应的哈希表中查找对应的哈希值的地址中存储的数据,若每个哈希值的地址中存储的数据均为预设值,则报文规则匹配成功,否则报文规则匹配失败,从而提高了规则匹配的效率。The rule matching method provided by the embodiment of the present invention generates a preset number of hash values by performing a preset number of hash function operations on the feature word of the message rule and the domain identifier of the message rule, respectively in each hash Find the data stored in the address of the corresponding hash value in the hash table corresponding to the hash function. If the data stored in the address of each hash value is the default value, the message rule matches successfully, otherwise the message rule The matching fails, thus improving the efficiency of rule matching.

进一步的,本发明的另一实施例提供一种规则匹配方法,参照图2所示,该方法包括:Further, another embodiment of the present invention provides a rule matching method, as shown in FIG. 2, the method includes:

201、规则匹配设备在待匹配规则中提取待匹配规则的特征字,生成待匹配规则的域标识符,并获取待匹配规则的组标识符。201. The rule matching device extracts a feature word of the rule to be matched from the rule to be matched, generates a domain identifier of the rule to be matched, and obtains a group identifier of the rule to be matched.

如果待匹配规则有固定偏移,则其关键字还包括待匹配规则的偏移值。If the rule to be matched has a fixed offset, its keyword also includes the offset value of the rule to be matched.

具体的,规则匹配设备从待匹配规则中提取待匹配规则的特征字,根据待匹配规则生成待匹配规则的域标识符及待匹配规则的偏移值,根据待匹配规则获取待匹配规则的组标识符。待匹配规则的偏移值代表了待匹配规则位置偏移的字符数,待匹配规则的组标识符代表该待匹配规则属于哪一组。待匹配规则的组标识符、待匹配规则的偏移值、待匹配规则的特征字和待匹配规则的域标识符之间都是一一对应的。Specifically, the rule matching device extracts the feature words of the rules to be matched from the rules to be matched, generates the domain identifier of the rules to be matched and the offset value of the rules to be matched according to the rules to be matched, and obtains the group of rules to be matched according to the rules to be matched identifier. The offset value of the rule to be matched represents the number of characters offset by the position of the rule to be matched, and the group identifier of the rule to be matched represents which group the rule to be matched belongs to. There is a one-to-one correspondence between the group identifier of the rule to be matched, the offset value of the rule to be matched, the feature word of the rule to be matched, and the domain identifier of the rule to be matched.

202、规则匹配设备将待匹配规则的特征字与待匹配规则的域标识符进行预设数量的哈希函数运算生成预设数量的标准哈希值。202. The rule matching device performs a preset number of hash function operations on the feature word of the rule to be matched and the domain identifier of the rule to be matched to generate a preset number of standard hash values.

如果待匹配规则有偏移值,则要将待匹配规则的特征字、待匹配规则的域标识符和待匹配规则的偏移值进行预设数量的哈希函数运算生成预设数量的标准哈希值。If the rule to be matched has an offset value, the characteristic word of the rule to be matched, the domain identifier of the rule to be matched and the offset value of the rule to be matched shall be subjected to a preset number of hash function operations to generate a preset number of standard hashes Greek value.

203、规则匹配设备分别在每一个哈希函数对应的哈希表中查找对应的标准哈希值的地址,并将每个标准哈希值的地址中存储的数据改为预设值。203. The rule matching device looks up the address of the corresponding standard hash value in the hash table corresponding to each hash function, and changes the data stored in the address of each standard hash value to a preset value.

可选的,本发明的实施例中哈希表宽度为1bit,哈希表地址中存储的初始值为0,将初始值改为1作为预设值。Optionally, in the embodiment of the present invention, the width of the hash table is 1 bit, the initial value stored in the address of the hash table is 0, and the initial value is changed to 1 as the default value.

204、规则匹配设备在预设数量的哈希函数中选择一个哈希函数作为预设的主哈希函数,将待匹配规则的特征字与待匹配规则的域标识符进行预设的主哈希函数运算得到标准主哈希值。204. The rule matching device selects a hash function from a preset number of hash functions as a preset main hash function, and performs a preset main hash on the feature word of the rule to be matched and the domain identifier of the rule to be matched The function operation obtains the standard primary hash value.

如果待匹配规则有偏移值,则要将待匹配规则的特征字、待匹配规则的域标识符和待匹配规则的偏移值进行预设的主哈希函数运算得到标准主哈希值,If the rule to be matched has an offset value, the characteristic word of the rule to be matched, the domain identifier of the rule to be matched and the offset value of the rule to be matched shall be subjected to a preset main hash function operation to obtain a standard main hash value,

205、规则匹配设备将标准主哈希值作为Entry表的预设行地址,将待匹配规则的特征字、待匹配规则的域标识符和待匹配规则的组标识符存入Entry表的预设行地址对应的Entry表的行。205. The rule matching device uses the standard primary hash value as the preset row address of the Entry table, and stores the characteristic word of the rule to be matched, the domain identifier of the rule to be matched, and the group identifier of the rule to be matched into the preset row address of the Entry table. The row of the Entry table corresponding to the row address.

如果待匹配规则有偏移值,也要将待匹配规则的偏移值存入Entry表的预设行地址对应的行中。If the rule to be matched has an offset value, the offset value of the rule to be matched should also be stored in the row corresponding to the preset row address of the Entry table.

其中,Entry表是存储于芯片外的固定宽度的表,其深度和哈希表一致,Entry表的行号和预设的主哈希函数的哈希表的行号也是一致的。Entry表用于存放规则的关键字以便于进行精确匹配。Wherein, the Entry table is a fixed-width table stored outside the chip, and its depth is consistent with that of the hash table, and the line number of the Entry table is also consistent with the line number of the hash table of the preset main hash function. The Entry table is used to store the keywords of the rules for exact matching.

206、规则匹配设备在报文中提取报文规则,在报文规则中提取报文规则的特征字,并根据报文规则生成报文规则的域标识符。206. The rule matching device extracts a message rule from the message, extracts a feature word of the message rule from the message rule, and generates a domain identifier of the message rule according to the message rule.

如果报文规则位置固定,还要根据报文规则获取报文规则的偏移值。If the position of the message rule is fixed, the offset value of the message rule is also obtained according to the message rule.

207、规则匹配设备将报文规则的特征字与报文规则的域标识符进行预设数量的哈希函数运算生成预设数量的哈希值。207. The rule matching device performs a preset number of hash function operations on the feature word of the message rule and the domain identifier of the message rule to generate a preset number of hash values.

如果报文规则有偏移值,则要将报文规则的特征字、报文规则的域标识符和报文规则的偏移值进行预设数量的哈希函数运算生成预设数量的哈希值。If the message rule has an offset value, the signature word of the message rule, the domain identifier of the message rule and the offset value of the message rule are subjected to a preset number of hash function operations to generate a preset number of hashes value.

208、规则匹配设备分别在每一个哈希函数对应的哈希表中查找对应的哈希值的地址中存储的数据。若每个哈希值的地址中存储的数据均为预设值,则报文规则匹配成功;否则报文规则匹配失败。208. The rule matching device respectively searches the data stored in the address of the corresponding hash value in the hash table corresponding to each hash function. If the data stored in the address of each hash value is a preset value, the message rule matching is successful; otherwise, the message rule matching fails.

对照步骤202,可选的,预设值是1,如果存储的数据是1,代表待匹配规则中含有这个规则,即报文规则匹配成功,如果存储的数据是0,代表待匹配规则中不含有这个规则,即报文规则匹配不成功。Compared with step 202, optional, the default value is 1. If the stored data is 1, it means that the rule to be matched contains this rule, that is, the message rule matches successfully. If the stored data is 0, it means that the rule to be matched does not If this rule is included, the packet rule is not matched successfully.

209、规则匹配设备将报文规则的特征字与报文规则的域标识符进行预设的主哈希函数运算得到主哈希值。209. The rule matching device performs a preset primary hash function operation on the feature word of the message rule and the domain identifier of the message rule to obtain a primary hash value.

如果报文规则有偏移值,则要将报文规则的特征字、报文规则的域标识符和报文规则的偏移值进行预设的主哈希函数运算得到主哈希值。If the message rule has an offset value, the signature word of the message rule, the domain identifier of the message rule and the offset value of the message rule are subjected to a preset primary hash function operation to obtain a primary hash value.

210、规则匹配设备将主哈希值作为Entry表的行地址,在Entry表的行地址对应的行中,根据待匹配规则的组标识符查找报文规则的特征字与报文规则的域标识符。210. The rule matching device uses the main hash value as the row address of the Entry table, and in the row corresponding to the row address of the Entry table, searches for the feature word of the message rule and the field identifier of the message rule according to the group identifier of the rule to be matched symbol.

如果报文规则有偏移值,则规则匹配设备在Entry表的行地址对应的行中,根据待匹配规则的组标识符查找报文规则的特征字、报文规则的域标识符和报文规则的报文规则的偏移值。If the message rule has an offset value, the rule matching device searches the feature word of the message rule, the field identifier of the message rule, and the message in the row corresponding to the row address of the Entry table according to the group identifier of the rule to be matched. The offset value of the packet rule of the rule.

若查找到报文规则的特征字与报文规则的域标识符,或查找到报文规则的特征字、报文规则的域标识符和报文规则的偏移值,则表示待匹配规则中包含这个规则,报文规则匹配成功,否则,就表示待匹配规则中不包含这个规则,报文规则匹配失败。If the feature word of the message rule and the field identifier of the message rule are found, or the feature word of the message rule, the field identifier of the message rule, and the offset value of the message rule are found, it means that in the rule to be matched If this rule is included, the message rule matching is successful; otherwise, it means that the rule to be matched does not contain this rule, and the message rule matching fails.

可选的,参照图3所示,在规则匹配设备获取待匹配规则的关键字之前,该方法还包括对位置不固定的规则进行分组的方法,包括以下步骤:Optionally, as shown in FIG. 3, before the rule matching device obtains the keyword of the rule to be matched, the method also includes a method for grouping rules whose positions are not fixed, including the following steps:

301、规则匹配设备将位置不固定的匹配规则的起始字符改写为预设起始字符。301. The rule matching device rewrites a start character of a matching rule whose position is not fixed to a preset start character.

一般,位置不固定的规则的起始字符为*,本发明的实施例中,优选的,可以将起始字符改为^。Generally, the starting character of the rule whose position is not fixed is *, and in the embodiment of the present invention, preferably, the starting character can be changed to ^.

302、规则匹配设备在位置不固定的匹配规则(即起始字符为预设字符的规则)中,提取含有达到阈值长度的相同字符的匹配规则。302. The rule matching device extracts, from the matching rules whose positions are not fixed (that is, the rules whose starting character is a preset character), the matching rules containing the same character whose length reaches a threshold value.

303、规则匹配设备将达到阈值长度的相同字符作为一条匹配规则替换含有达到阈值长度的相同字符的匹配规则。303. The rule matching device uses the same character whose length reaches the threshold as a matching rule to replace the matching rule containing the same character whose length reaches the threshold.

例如规则(1)^abcdede,规则(2)^abcdegid,这两条规则可以合并为一条新的规则^abcde,也就是将两个相似规则的共同部分提取出来作为新的规则参与分组。For example, rule (1) ^abcdede, rule (2) ^abcdegid, these two rules can be combined into a new rule ^abcde, that is, the common part of two similar rules is extracted as a new rule to participate in grouping.

304、规则匹配设备在位置不固定的匹配规则的特征字中选择预设特征字,提取预设特征字,将位置不固定的匹配规则中拥有共同预设特征字的规则分为一组。304. The rule matching device selects preset feature words from the feature words of the matching rules whose positions are not fixed, extracts the preset feature words, and divides the rules having the same preset feature words among the matching rules whose positions are not fixed into a group.

本发明的实施例中,在选择预设特征字的时候,优选的,可以选取对应规则数少的特征字,保留经常在匹配的时候命中的特征字,只有在没有其他特征字的情况下再选择经常命中的特征字。In the embodiment of the present invention, when selecting a preset feature word, preferably, a feature word with a small number of corresponding rules can be selected, and the feature word that is often hit when matching is kept, and only when there are no other feature words Select frequently hit feature words.

305、规则匹配设备计算同一个预设特征字在不同位置不固定的匹配规则中的最大偏移值,在同一组的每个位置不固定的匹配规则中,将预设特征字的偏移值改写为最大偏移值,即增加“^.{MaxOffset-Current Offset}”,其中,“.”表示对任意规则增加该字符串,这样可以使得预设特征字在不同规则中的最大偏移值都为Max Offset。305. The rule matching device calculates the maximum offset value of the same preset feature word in different matching rules whose positions are not fixed, and in the same group of matching rules where each position is not fixed, the offset value of the preset feature word Rewrite it as the maximum offset value, that is, add "^.{MaxOffset-Current Offset}", where "." means adding the string for any rule, so that the maximum offset value of the preset feature word in different rules Both are Max Offset.

本发明的实施例提供的规则匹配方法,通过将报文规则的特征字与报文规则的域标识符进行预设数量的哈希函数运算生成预设数量的哈希值,分别在每一个哈希函数对应的哈希表中查找对应的哈希值的地址中存储的数据,若每个哈希值的地址中存储的数据均为预设值,则报文规则匹配成功,否则报文规则匹配失败,从而提高了规则匹配的效率。The rule matching method provided by the embodiment of the present invention generates a preset number of hash values by performing a preset number of hash function operations on the feature word of the message rule and the domain identifier of the message rule, respectively in each hash Find the data stored in the address of the corresponding hash value in the hash table corresponding to the hash function. If the data stored in the address of each hash value is the default value, the message rule matches successfully, otherwise the message rule The matching fails, thus improving the efficiency of rule matching.

本发明的实施例提供一种规则匹配设备,参照图4所示,该规则匹配设备40包括相互连接的提取单元401和匹配单元402。An embodiment of the present invention provides a rule matching device. Referring to FIG. 4 , the rule matching device 40 includes an extraction unit 401 and a matching unit 402 connected to each other.

其中,提取单元401,用于在报文中提取报文规则,在报文规则中提取特征字,并生成报文规则的域标识符,将报文规则的特征字与报文规则的域标识符传输至匹配单元402。Wherein, the extracting unit 401 is used to extract the message rules in the message, extract the feature words in the message rules, and generate the domain identifier of the message rules, and combine the feature words of the message rules with the domain identifiers of the message rules The character is transmitted to the matching unit 402.

匹配单元402,用于接收提取单元401传输的报文规则的特征字与报文规则的域标识符,将报文规则的特征字与报文规则的域标识符进行预设数量的哈希函数运算生成预设数量的哈希值,分别在每一个哈希函数对应的哈希表中查找对应的哈希值的地址中存储的数据,若每个哈希值的地址中存储的数据均为预设值,则报文规则匹配成功;否则匹配不成功。The matching unit 402 is configured to receive the feature word of the message rule and the domain identifier of the message rule transmitted by the extraction unit 401, and perform a preset number of hash functions on the feature word of the message rule and the domain identifier of the message rule The operation generates a preset number of hash values, and the data stored in the address of the corresponding hash value is searched in the hash table corresponding to each hash function. If the data stored in the address of each hash value is If the preset value is set, the packet rule matches successfully; otherwise, the match fails.

本发明的实施例提供的规则匹配设备,通过将报文规则的特征字与报文规则的域标识符进行预设数量的哈希函数运算生成预设数量的哈希值,分别在每一个哈希函数对应的哈希表中查找对应的哈希值的地址中存储的数据,若每个哈希值的地址中存储的数据均为预设值,则报文规则匹配成功,否则报文规则匹配失败,从而提高了规则匹配的效率。The rule matching device provided by the embodiment of the present invention generates a preset number of hash values by performing a preset number of hash function operations on the feature word of the message rule and the domain identifier of the message rule, respectively in each hash Find the data stored in the address of the corresponding hash value in the hash table corresponding to the hash function. If the data stored in the address of each hash value is the default value, the message rule matches successfully, otherwise the message rule The matching fails, thus improving the efficiency of rule matching.

可选的,提取单元401在待匹配规则中提取待匹配规则的特征字,并生成待匹配规则的域标识符,将待匹配规则的特征字与待匹配规则的域标识符传输至匹配单元402。Optionally, the extraction unit 401 extracts the feature words of the rules to be matched from the rules to be matched, and generates a domain identifier of the rules to be matched, and transmits the feature words of the rules to be matched and the domain identifier of the rules to be matched to the matching unit 402 .

匹配单元402接收提取单元401传输的待匹配规则的特征字与待匹配规则的域标识符,将待匹配规则的特征字与待匹配规则的域标识符进行预设数量的哈希函数运算生成预设数量的标准哈希值,分别在每一个哈希函数对应的哈希表中查找对应的标准哈希值的地址,并将每个标准哈希值的地址中存储的数据改为预设值。The matching unit 402 receives the feature word of the rule to be matched and the domain identifier of the rule to be matched transmitted by the extraction unit 401, and performs a preset number of hash function operations on the feature word of the rule to be matched and the domain identifier of the rule to be matched to generate a preset Set the number of standard hash values, look up the address of the corresponding standard hash value in the hash table corresponding to each hash function, and change the data stored in the address of each standard hash value to the preset value .

可选的,匹配单元402,还用于在预设数量的哈希函数中选择一个哈希函数作为预设的主哈希函数,将待匹配规则的特征字与待匹配规则的域标识符进行预设的主哈希函数运算得到标准主哈希值,将标准主哈希值作为Entry表的预设行地址,将待匹配规则的特征字与待匹配规则的域标识符存入Entry表的预设行地址对应的Entry表的行。Optionally, the matching unit 402 is also configured to select a hash function from a preset number of hash functions as a preset main hash function, and compare the feature word of the rule to be matched with the domain identifier of the rule to be matched The preset main hash function is calculated to obtain the standard main hash value, and the standard main hash value is used as the preset row address of the Entry table, and the feature word of the rule to be matched and the domain identifier of the rule to be matched are stored in the entry table The row of the Entry table corresponding to the preset row address.

匹配单元402,还用于将报文规则的特征字与报文规则的域标识符进行预设的主哈希函数运算得到主哈希值,将主哈希值作为Entry表的行地址,在Entry表的行地址对应的Entry表的行中,查找报文规则的特征字与报文规则的域标识符,若查找到报文规则的特征字与报文规则的域标识符,则报文规则匹配成功,否则报文规则匹配失败。The matching unit 402 is also used to perform a preset main hash function operation on the feature word of the message rule and the domain identifier of the message rule to obtain the main hash value, and use the main hash value as the row address of the Entry table, in In the row of the Entry table corresponding to the row address of the Entry table, search for the feature word of the message rule and the field identifier of the message rule. If the feature word of the message rule and the field identifier of the message rule are found, the message The rule matching is successful, otherwise the packet rule matching fails.

具体的,提取单元401,还用于根据待匹配规则获取待匹配规则的组标识符,将待匹配规则的组标识符传输至匹配单元402,待匹配规则的组标识符与待匹配规则的特征字及待匹配规则的域标识符一一对应。Specifically, the extracting unit 401 is also used to obtain the group identifier of the rule to be matched according to the rule to be matched, and transmit the group identifier of the rule to be matched to the matching unit 402. The group identifier of the rule to be matched and the feature of the rule to be matched There is a one-to-one correspondence between the word and the domain identifier of the rule to be matched.

匹配单元402接收提取单元401传输的待匹配规则的组标识符,将待匹配规则的组标识符存入Entry表的预设行地址对应的Entry表的行,以便于匹配单元402根据待匹配规则的组标识符在Entry表的行地址对应的行中查找报文规则的特征字与报文规则的域标识符。The matching unit 402 receives the group identifier of the rule to be matched transmitted by the extracting unit 401, and stores the group identifier of the rule to be matched into the row of the Entry table corresponding to the preset row address of the Entry table, so that the matching unit 402 can match the rule according to the rule to be matched. Find the feature word of the message rule and the domain identifier of the message rule in the row corresponding to the row address of the Entry table.

进一步的,提取单元401,还用于根据待匹配规则获取待匹配规则的偏移值,并将待匹配规则的偏移值传输至匹配单元402。Further, the extracting unit 401 is further configured to obtain the offset value of the rule to be matched according to the rule to be matched, and transmit the offset value of the rule to be matched to the matching unit 402 .

匹配单元402接收提取单元401传输的待匹配规则的偏移值,将待匹配规则的特征字、待匹配规则的域标识符和待匹配规则的偏移值进行预设数量的哈希函数运算生成预设数量的标准哈希值。The matching unit 402 receives the offset value of the rule to be matched transmitted by the extraction unit 401, performs a preset number of hash function operations on the feature word of the rule to be matched, the domain identifier of the rule to be matched, and the offset value of the rule to be matched to generate A preset number of standard hashes.

提取单元401,还用于根据报文规则获取报文规则的偏移值,并将报文规则的偏移值传输至匹配单元402。The extracting unit 401 is further configured to obtain an offset value of the message rule according to the message rule, and transmit the offset value of the message rule to the matching unit 402 .

匹配单元402接收提取单元401传输的报文规则的偏移值,将报文规则的特征字、报文规则的域标识符和报文规则的偏移值进行预设数量的哈希函数运算生成预设数量的哈希值。The matching unit 402 receives the offset value of the message rule transmitted by the extraction unit 401, performs a preset number of hash function operations on the feature word of the message rule, the domain identifier of the message rule, and the offset value of the message rule to generate A preset number of hashes.

进一步可选的,匹配单元402,还用于将待匹配规则的特征字、待匹配规则的域标识符和待匹配规则的偏移值进行预设的主哈希函数运算得到标准主哈希值,将主哈希值作为Entry表的预设行地址,将待匹配规则的特征字、待匹配规则的域标识符和待匹配规则的偏移值存入Entry表的预设行地址对应的Entry表的行。Further optionally, the matching unit 402 is also configured to perform a preset primary hash function operation on the feature word of the rule to be matched, the domain identifier of the rule to be matched, and the offset value of the rule to be matched to obtain a standard primary hash value , use the main hash value as the preset row address of the Entry table, store the feature word of the rule to be matched, the domain identifier of the rule to be matched, and the offset value of the rule to be matched into the entry corresponding to the preset row address of the Entry table the rows of the table.

匹配单元402,还用于将报文规则的特征字、报文规则的域标识符和报文规则的偏移值进行预设的主哈希函数运算得到主哈希值,将主哈希值作为Entry表的行地址,在Entry表的行地址对应的Entry表的行中,查找报文规则的特征字、报文规则的域标识符和报文规则的偏移值。The matching unit 402 is also configured to perform a preset primary hash function operation on the feature word of the message rule, the domain identifier of the message rule, and the offset value of the message rule to obtain a primary hash value, and convert the primary hash value to As the row address of the Entry table, in the row of the Entry table corresponding to the row address of the Entry table, search for the feature word of the message rule, the domain identifier of the message rule, and the offset value of the message rule.

可选的,该规则匹配设备40还包括分组单元403。Optionally, the rule matching device 40 further includes a grouping unit 403 .

分组单元403用于将位置不固定的待匹配规则的起始字符改写为预设起始字符;The grouping unit 403 is used to rewrite the initial character of the rule to be matched whose position is not fixed to a preset initial character;

分组单元403在位置不固定的匹配规则中,提取含有达到阈值长度的相同字符的匹配规则;将阈值长度的相同字符作为一条匹配规则替换含有达到阈值长度的相同字符的匹配规则。The grouping unit 403 extracts the matching rules containing the same character reaching the threshold length from the matching rules whose positions are not fixed; takes the same character having the threshold length as a matching rule to replace the matching rule containing the same character reaching the threshold length.

分组单元403在位置不固定的匹配规则的特征字中选择预设特征字,提取预设特征字,将位置不固定的匹配规则中拥有共同预设特征字的规则分为一组。The grouping unit 403 selects a preset feature word from the feature words of the matching rules whose position is not fixed, extracts the preset feature word, and divides the rules having the same preset feature word among the matching rules whose position is not fixed into a group.

分组单元403计算同一个预设特征字在不同的位置不固定的匹配规则中的最大偏移值,在同一组的每个位置不固定的规则中,将预设特征字的偏移值改写为最大偏移值。The grouping unit 403 calculates the maximum offset value of the same preset feature word in different matching rules whose positions are not fixed, and rewrites the offset value of the preset feature word as Maximum offset value.

本发明的实施例提供的规则匹配方法及设备,通过将报文规则的特征字与报文规则的域标识符进行预设数量的哈希函数运算生成预设数量的哈希值,分别在每一个哈希函数对应的哈希表中查找对应的哈希值的地址中存储的数据,若每个哈希值的地址中存储的数据均为预设值,则报文规则匹配成功,否则报文规则匹配失败,从而提高了规则匹配的效率。The rule matching method and equipment provided by the embodiments of the present invention generate a preset number of hash values by performing a preset number of hash function operations on the feature word of the message rule and the domain identifier of the message rule, respectively, in each Find the data stored in the address of the corresponding hash value in the hash table corresponding to a hash function. If the data stored in the address of each hash value is the preset value, the message rule matches successfully, otherwise it reports text rule matching failure, thus improving the efficiency of rule matching.

本发明的另一实施例提供了一种规则匹配设备,参照图5所示。该设备可以嵌入或本身就是微处理计算机,比如:通用计算机、客户定制机、手机终端或平板机等便携设备,该规则匹配设备5001包括:至少一个处理器5011、存储器5012、和总线5013,该至少一个处理器5011和存储器5012通过总线5013连接并完成相互间的通信。Another embodiment of the present invention provides a rule matching device, as shown in FIG. 5 . The device can be embedded or itself is a microprocessor computer, such as: a general-purpose computer, a custom machine, a mobile phone terminal or a tablet machine and other portable devices. The rule matching device 5001 includes: at least one processor 5011, a memory 5012, and a bus 5013. At least one processor 5011 and memory 5012 are connected through a bus 5013 to complete mutual communication.

该总线5013可以是ISA(Industry Standard Architecture,工业标准体系结构)总线、PCI(Peripheral Component,外部设备互连)总线或EISA(Extended Industry Standard Architecture,扩展工业标准体系结构)总线等。该总线5013可以分为地址总线、数据总线、控制总线等。为便于表示,图5中仅用一条粗线表示,但并不表示仅有一根总线或一种类型的总线。其中:The bus 5013 may be an ISA (Industry Standard Architecture, industry standard architecture) bus, a PCI (Peripheral Component, external device interconnection) bus, or an EISA (Extended Industry Standard Architecture, extended industry standard architecture) bus, etc. The bus 5013 can be divided into address bus, data bus, control bus and so on. For ease of representation, only one thick line is used in FIG. 5 , but it does not mean that there is only one bus or one type of bus. in:

存储器5012用于存储可执行程序代码,该程序代码包括计算机操作指令。存储器5012可能包含高速RAM存储器,也可能还包括非易失性存储器(non-volatile memory),例如至少一个磁盘存储器。The memory 5012 is used to store executable program codes, which include computer operation instructions. The memory 5012 may include a high-speed RAM memory, and may also include a non-volatile memory (non-volatile memory), such as at least one disk memory.

处理器5011可能是一个中央处理器5011(Central ProcessingUnit,简称为CPU),或者是特定集成电路(Application SpecificIntegrated Circuit,简称为ASIC),或者是被配置成实施本发明实施例的一个或多个集成电路。本发明中,处理器5011用于调用存储器5012中的程序代码,用以执行上述设备实施例中提取单元、匹配单元及分组单元的操作,具体描述参照图4对应的设备实施例,这里不再赘述。The processor 5011 may be a central processing unit 5011 (Central Processing Unit, referred to as CPU), or a specific integrated circuit (Application Specific Integrated Circuit, referred to as ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention circuit. In the present invention, the processor 5011 is used to call the program code in the memory 5012 to execute the operations of the extraction unit, the matching unit, and the grouping unit in the above-mentioned device embodiments. For a specific description, refer to the device embodiment corresponding to FIG. 4 , which will not be repeated here. repeat.

本发明的实施例提供的规则匹配方法及设备,通过将报文规则的特征字与报文规则的域标识符进行预设数量的哈希函数运算生成预设数量的哈希值,分别在每一个哈希函数对应的哈希表中查找对应的哈希值的地址中存储的数据,若每个哈希值的地址中存储的数据均为预设值,则报文规则匹配成功,否则报文规则匹配失败,从而提高了规则匹配的效率。The rule matching method and equipment provided by the embodiments of the present invention generate a preset number of hash values by performing a preset number of hash function operations on the feature word of the message rule and the domain identifier of the message rule, respectively, in each Find the data stored in the address of the corresponding hash value in the hash table corresponding to a hash function. If the data stored in the address of each hash value is the preset value, the message rule matches successfully, otherwise it reports text rule matching failure, thus improving the efficiency of rule matching.

以上所述,仅为本发明的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本发明的保护范围之内。因此,本发明的保护范围应所述以权利要求的保护范围为准。The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Anyone skilled in the art can easily think of changes or substitutions within the technical scope disclosed in the present invention. Should be covered within the protection scope of the present invention. Therefore, the protection scope of the present invention should be based on the protection scope of the claims.

Claims (22)

1. a kind of rule matching method it is characterised in that
Rule match equipment extracts message rule in messages;
Described rule match equipment extracts tagged word in described message rule, and generates described report The relam identifier of literary composition rule;
Described rule match equipment is by the domain of the tagged word of described message rule and described message rule Identifier carries out the cryptographic Hash of the hash function computing generation predetermined number of predetermined number;
Search corresponding described Hash in the corresponding Hash table of each described hash function respectively The data of storage in the address of value;
If in the address of each described cryptographic Hash, the data of storage is preset value, described message Rule match success;Otherwise it fails to match for described message rule.
2. method according to claim 1 is it is characterised in that described rule match equipment Before extracting message rule in messages, also include:
Described rule match equipment extracts the feature of described rule to be matched in rule to be matched Word, and generate the relam identifier of described rule to be matched;
The relam identifier of the tagged word of described rule to be matched and described rule to be matched is carried out institute The hash function computing stating predetermined number generates the Standard Hash value of predetermined number;
Search corresponding described respectively in the corresponding described Hash table of each described hash function The address of Standard Hash value, and the data of storage in the address of each described Standard Hash value is changed For described preset value.
3. method according to claim 2 is it is characterised in that described rule match equipment Extract tagged word in described message rule, and after generating the relam identifier of described message rule, Also include:
Described rule match equipment is by the domain of the tagged word of described message rule and described message rule Identifier carries out default main hash function computing and obtains main cryptographic Hash;
Using described main cryptographic Hash as entrance Entry table row address, in the row of described Entry table In the corresponding row in address, search the tagged word of described message rule and the domain mark of described message rule Know symbol;
If finding the tagged word of described message rule and the relam identifier of described message rule, The match is successful for described message rule;Otherwise it fails to match for described message rule.
4. method according to claim 3 is it is characterised in that described rule match equipment Extract the tagged word of described rule to be matched in rule to be matched, and generate described rule to be matched After relam identifier then, also include:
Described rule match equipment selects a Hash letter in the hash function of described predetermined number Number is as described default main hash function;
The relam identifier of the tagged word of described rule to be matched and described rule to be matched is carried out institute State default main hash function computing and obtain the main cryptographic Hash of standard;
Using main for described standard cryptographic Hash as the default row address of described Entry table, treat described Join the tagged word of rule and the relam identifier of described rule to be matched is stored in the pre- of described Entry table If the row of row address corresponding Entry table.
5. method according to claim 4 is it is characterised in that methods described also includes:
The group of described rule match equipment rule to be matched according to described Rule to be matched Identifier, the group identifier of described rule to be matched and described regular tagged word to be matched and institute The relam identifier stating rule to be matched corresponds;
The group identifier of described rule to be matched is stored in described Entry by described rule match equipment The row of the default row address corresponding Entry table of table, in order to the group according to described rule to be matched Identifier searches the feature of described message rule in the corresponding row of row address of described Entry table Word and the relam identifier of described message rule.
6. method according to claim 5 it is characterised in that
Described rule match equipment is by the domain of the tagged word of described message rule and described message rule Before identifier carries out the cryptographic Hash of hash function computing generation predetermined number of predetermined number, also Including:
Described rule match equipment obtains the skew of described message rule according to described message rule Value;
Described rule match equipment is by the domain of the tagged word of described message rule and described message rule Identifier carries out the cryptographic Hash of the hash function computing generation predetermined number of predetermined number, including:
Described rule match equipment is by the domain of the tagged word of described message rule, described message rule The deviant of identifier and described message rule carries out the hash function computing life of described predetermined number Become the described cryptographic Hash of predetermined number;
Described rule match equipment is by tagged word and the described rule to be matched of described rule to be matched Relam identifier carry out described predetermined number hash function computing generate predetermined number standard breathe out Before uncommon value, also include:
Described rule match equipment according to described Rule to be matched to be matched rule inclined Shifting value;
Described rule match equipment is by tagged word and the described rule to be matched of described rule to be matched Relam identifier carry out described predetermined number hash function computing generate predetermined number standard breathe out Uncommon value, including:
Described rule match equipment by described to be matched rule tagged word, described rule to be matched Relam identifier and the deviant of described rule to be matched carry out the hash function of described predetermined number Computing generates the described Standard Hash value of predetermined number.
7. method according to claim 6 it is characterised in that
Described rule match equipment is by the domain of the tagged word of described message rule and described message rule Identifier carries out default main hash function computing and obtains main cryptographic Hash, and described main cryptographic Hash is made For the row address of described Entry table, in the row address corresponding Entry table of described Entry table In row, search the tagged word of described message rule and the relam identifier of described message rule, including:
Described rule match equipment is by the domain of the tagged word of described message rule, described message rule The deviant of identifier and described message rule carries out described default main hash function computing and obtains Described main cryptographic Hash, using described main cryptographic Hash as described Entry table row address, described In the row of row address corresponding Entry table of Entry table, the tagged word of the described message rule of lookup, The relam identifier of described message rule and the deviant of described message rule;
The described tagged word by described rule to be matched is entered with the relam identifier of described rule to be matched The described default main hash function computing of row obtains the main cryptographic Hash of standard, by main for described standard Hash Value as described Entry table default row address, by described to be matched rule tagged word with described The relam identifier of rule to be matched is stored in the default row address corresponding Entry table of described Entry table Row, including:
Described rule match equipment by described to be matched rule tagged word, described rule to be matched Relam identifier and the deviant of described rule to be matched carry out described default main hash function fortune Calculation obtains the main cryptographic Hash of described standard, and main for described standard cryptographic Hash is pre- as described Entry table If row address, by the relam identifier of the tagged word of described rule to be matched, described rule to be matched The default row address being stored in described Entry table with the deviant of described rule to be matched is corresponding The row of Entry table.
8. the method according to any one of claim 2-6 is it is characterised in that described rule Before matching unit extracts the tagged word of described rule to be matched in rule to be matched, also include:
The bebinning character of unfixed for position matched rule is rewritten as pre- by described rule match equipment If bebinning character;
The matched rule that bebinning character is rewritten as default bebinning character is entered by described rule match equipment Row packet, in order to described rule match equipment using the matched rule after described packet as described Rule to be matched.
9. method according to claim 8 is it is characterised in that described rule match equipment The matched rule that bebinning character is rewritten as default bebinning character is grouped, including:
Described rule match equipment selects in the tagged word of the unfixed matched rule in described position Default tagged word, extracts described default tagged word;
Described rule match equipment is jointly described by having in unfixed for described position matched rule The rule of default tagged word is divided into one group.
10. method according to claim 9 is it is characterised in that described rule match sets Before the standby default tagged word of selection in the tagged word of the unfixed matched rule in described position, also Including:
Described rule match equipment, in the unfixed matched rule in described position, extracts containing reaching Matched rule to the identical characters of threshold length;
The described identical characters reaching threshold length are mated by described rule match equipment as one Rule replaces the described matched rule containing the identical characters reaching threshold length.
11. methods according to claim 9 are it is characterised in that described rule match sets It is divided into one for by having the rule jointly presetting tagged word in unfixed for described position matched rule Group, also includes:
Described rule match equipment calculates same described default tagged word in different described positions Maximum deviation value in unfixed matched rule;
Described rule match equipment is on the described position of described same group each unfixed coupling rule In then, the deviant of described default tagged word is rewritten as described maximum deviation value.
A kind of 12. rule match equipment are it is characterised in that include:
Extraction unit, for extracting message rule in messages, extracts in described message rule Tagged word, and generate the relam identifier of described message rule, by the tagged word of described message rule Transmit to matching unit with the relam identifier of described message rule;
Described matching unit, for receiving the spy of the described message rule of described extraction unit transmission Levy the relam identifier of word and described message rule, by the tagged word of described message rule and described report The relam identifier of literary composition rule carries out the Hash of the hash function computing generation predetermined number of predetermined number Value, searches corresponding described Hash respectively in the corresponding Hash table of each described hash function The data of storage in the address of value, if the data of storage is in the address of each described cryptographic Hash Preset value, then the match is successful for described message rule;Otherwise it fails to match for described message rule.
13. equipment according to claim 12 it is characterised in that
Described extraction unit, is additionally operable to extract the spy of described rule to be matched in rule to be matched Levy word, and generate described regular relam identifier to be matched, by the feature of described rule to be matched Word is transmitted to described matching unit with the relam identifier of described rule to be matched;
Described matching unit, is additionally operable to receive the rule described to be matched of described extraction unit transmission Tagged word with described to be matched rule relam identifier, by described to be matched rule tagged word The hash function computing carrying out described predetermined number with the relam identifier of described rule to be matched generates The Standard Hash value of predetermined number, respectively in the corresponding described Hash of each described hash function The address of corresponding described Standard Hash value is searched in table, and by each described Standard Hash value In address, the data of storage is changed to described preset value.
14. equipment according to claim 13 it is characterised in that
Described matching unit, is additionally operable to the tagged word of described message rule and described message rule Relam identifier carry out default main hash function computing and obtain main cryptographic Hash, by described main Hash It is worth the row address as entrance Entry table, in the corresponding Entry of row address of described Entry table In the row of table, search the tagged word of described message rule and the relam identifier of described message rule, If finding the tagged word of described message rule and the relam identifier of described message rule, described The match is successful for message rule;Otherwise it fails to match for described message rule.
15. equipment according to claim 14 it is characterised in that
Described matching unit, is additionally operable to select a Kazakhstan in the hash function of described predetermined number Uncommon function as described default main hash function, by the tagged word of described rule to be matched and institute The relam identifier stating rule to be matched carries out described default main hash function computing and obtains standard master Cryptographic Hash, using main for described standard cryptographic Hash as described Entry table default row address, will be described The tagged word of rule to be matched is stored in described Entry table with the relam identifier of described rule to be matched Default row address corresponding Entry table row.
16. equipment according to claim 15 it is characterised in that
Described extraction unit, is additionally operable to rule to be matched according to described Rule to be matched Group identifier, by described to be matched rule group identifier transmit to described matching unit, institute State the group identifier of rule to be matched and the tagged word of described rule to be matched and described rule to be matched Relam identifier then corresponds;
Described matching unit, is additionally operable to receive the rule described to be matched of described extraction unit transmission Group identifier, the group identifier of described rule to be matched is stored in the default row of described Entry table The row of address corresponding Entry table, in order to described matching unit according to described rule to be matched Group identifier searches the spy of described message rule in the corresponding row of row address of described Entry table Levy the relam identifier of word and described message rule.
17. equipment according to claim 16 it is characterised in that
Described extraction unit, is additionally operable to obtain the inclined of described message rule according to described message rule Shifting value, and the deviant of described message rule is transmitted to described matching unit;
Described matching unit, is additionally operable to receive the described message rule of described extraction unit transmission Deviant, by the tagged word of described message rule, the relam identifier of described message rule and described The hash function computing that the deviant of message rule carries out described predetermined number generates predetermined number Described cryptographic Hash;
Described extraction unit, is additionally operable to rule to be matched according to described Rule to be matched Deviant, and by described to be matched rule deviant transmit to described matching unit;
Described matching unit, is additionally operable to receive the rule described to be matched of described extraction unit transmission Deviant, by described to be matched rule tagged word, described to be matched rule relam identifier The hash function computing carrying out described predetermined number with the deviant of described rule to be matched generates pre- If the described Standard Hash value of quantity.
18. equipment according to claim 17 it is characterised in that
Described matching unit, is additionally operable to the tagged word of described message rule, described message rule Relam identifier and the deviant of described message rule carry out described default main hash function computing Obtain described main cryptographic Hash, using described main cryptographic Hash as described Entry table row address, in institute State in the row of row address corresponding Entry table of Entry table, search the feature of described message rule The deviant of word, the relam identifier of described message rule and described message rule;
Described matching unit, is additionally operable to the tagged word, described to be matched of described rule to be matched The deviant of the relam identifier of rule and described rule to be matched carries out described default main Hash letter Number computing obtains the main cryptographic Hash of described standard, using main for described standard cryptographic Hash as described Entry table Default row address, by described to be matched rule tagged word, described to be matched rule domain mark It is corresponding with the default row address that the deviant of described rule to be matched is stored in described Entry table to know symbol Entry table row.
19. equipment according to any one of claim 13-17 are it is characterised in that described rule Then matching unit also includes grouped element;
Described grouped element, for being rewritten as the bebinning character of unfixed for position matched rule Default bebinning character;
Described grouped element, is additionally operable to bebinning character is rewritten as the coupling rule of default bebinning character Then it is grouped, in order to described matching unit using the matched rule after described packet as described Rule to be matched.
20. equipment according to claim 19 it is characterised in that
Described grouped element, is additionally operable in the tagged word of the unfixed matched rule in described position Select default tagged word, extract described default tagged word, by unfixed for described position coupling rule The rule having described default tagged word jointly in then is divided into one group.
21. equipment according to claim 20 it is characterised in that
Described grouped element, is additionally operable in the unfixed matched rule in described position, extraction contains There is the matched rule of the identical characters reaching threshold length, reach the identical of threshold length by described Character replaces the described coupling containing the identical characters reaching threshold length as a matched rule Rule.
22. equipment according to claim 20 it is characterised in that
Described grouped element, is additionally operable to calculate same described default tagged word described in different Maximum deviation value in the unfixed matched rule in position, in described same group each institute's rheme Put in unfixed matched rule, the deviant of described default tagged word is rewritten as described maximum Deviant.
CN201310317781.2A 2013-07-25 2013-07-25 A kind of rule matching method and device Active CN103414701B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310317781.2A CN103414701B (en) 2013-07-25 2013-07-25 A kind of rule matching method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310317781.2A CN103414701B (en) 2013-07-25 2013-07-25 A kind of rule matching method and device

Publications (2)

Publication Number Publication Date
CN103414701A CN103414701A (en) 2013-11-27
CN103414701B true CN103414701B (en) 2017-03-01

Family

ID=49607687

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310317781.2A Active CN103414701B (en) 2013-07-25 2013-07-25 A kind of rule matching method and device

Country Status (1)

Country Link
CN (1) CN103414701B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105024985B (en) * 2014-04-30 2019-04-02 深圳市中兴微电子技术有限公司 A kind of message processing method and device
CN105100023B (en) * 2014-05-21 2018-10-16 腾讯科技(深圳)有限公司 Data packet feature extracting method and device
CN107426053B (en) * 2017-07-26 2021-01-05 成都科来软件有限公司 Automatic construction method for data packet load
CN109391590A (en) * 2017-08-07 2019-02-26 中国科学院信息工程研究所 A kind of regular description method and construction method, medium of network-oriented access control
CN113726830B (en) * 2020-05-25 2023-09-12 网联清算有限公司 Message identifier generation method and device
CN112702277B (en) * 2020-12-15 2023-01-10 锐捷网络股份有限公司 Load balancing configuration optimization method and device
CN112685612B (en) * 2020-12-31 2022-08-30 武汉思普崚技术有限公司 Feature code searching and matching method, device and storage medium
CN114422389B (en) * 2022-02-24 2023-09-12 成都北中网芯科技有限公司 High-speed real-time network data monitoring method based on hash and hardware acceleration

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101286936A (en) * 2008-05-16 2008-10-15 华为技术有限公司 Method and apparatus for data message processing
CN101582109A (en) * 2009-06-10 2009-11-18 成都市华为赛门铁克科技有限公司 Data encryption method and device, data decryption method and device and solid state disk
CN102158398A (en) * 2011-02-25 2011-08-17 杭州华三通信技术有限公司 Method and device for forwarding messages
CN102870116A (en) * 2012-06-30 2013-01-09 华为技术有限公司 Method and apparatus for content matching
CN102868571A (en) * 2012-08-07 2013-01-09 华为技术有限公司 Method and device for rule matching

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101286936A (en) * 2008-05-16 2008-10-15 华为技术有限公司 Method and apparatus for data message processing
CN101582109A (en) * 2009-06-10 2009-11-18 成都市华为赛门铁克科技有限公司 Data encryption method and device, data decryption method and device and solid state disk
CN102158398A (en) * 2011-02-25 2011-08-17 杭州华三通信技术有限公司 Method and device for forwarding messages
CN102870116A (en) * 2012-06-30 2013-01-09 华为技术有限公司 Method and apparatus for content matching
CN102868571A (en) * 2012-08-07 2013-01-09 华为技术有限公司 Method and device for rule matching

Also Published As

Publication number Publication date
CN103414701A (en) 2013-11-27

Similar Documents

Publication Publication Date Title
CN103414701B (en) A kind of rule matching method and device
US9112915B2 (en) Method and apparatus for protocol parsing
CN109951435B (en) Equipment identifier providing method and device and risk control method and device
CN107147501A (en) Time stamp processing method and device
CN106203139A (en) A kind of data local desensitization method
CN109768992A (en) Webpage malicious scanning processing method and device, terminal device, readable storage medium storing program for executing
CN112235104B (en) A data encryption transmission method, system, terminal and storage medium
CN105592011A (en) Account login method and account login device
CN104025520B (en) Lookup table creation method and query method, and controller, forwarding device and system therefor
CN107451467A (en) A kind of weak passwurd check method and device
CN116545921A (en) Message forwarding method, device, equipment and storage medium based on ECMP
CN107798004A (en) Keyword lookup method, apparatus and terminal
CN105657677A (en) Short message sending method, short message gateway and service platform
CN105516114B (en) Method and device for scanning vulnerability based on webpage hash value and electronic equipment
WO2020019524A1 (en) Data processing method and device
CN109145589A (en) Application program acquisition methods and device
CN109871685B (en) RTF file analysis method and device
CN115664859A (en) Data security analysis method, device, equipment and medium based on cloud printing scene
CN104539538B (en) The IP address matching process of router and the data packet forwarding method of router
CN112771524B (en) Camouflage detection based on fuzzy inclusion
US8495050B2 (en) Identifying universal resource locator rewriting rules
CN117668896A (en) Method and device for ciphertext data search and computer
CN105847516A (en) Method and device for managing contact person information
CN105553982A (en) Security detection method and system for router and router
CN113922972B (en) Data forwarding method and device based on MD5 identification code

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20191225

Address after: 314413 No.2, Fengshou Avenue, Haining Economic and knitting industrial park, Jiaxing City, Zhejiang Province

Patentee after: Zhejiang Haining Warp Knitting Industrial Park Development Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20131127

Assignee: Haining Xinwang Cloth Industry Co.,Ltd.

Assignor: Zhejiang Haining Warp Knitting Industrial Park Development Co.,Ltd.

Contract record no.: X2024980025289

Denomination of invention: A rule matching method and device

Granted publication date: 20170301

License type: Common License

Record date: 20241118

EE01 Entry into force of recordation of patent licensing contract