CN104104557A - Deep packet detection device orienting IPv6 security gateway - Google Patents
Deep packet detection device orienting IPv6 security gateway Download PDFInfo
- Publication number
- CN104104557A CN104104557A CN201410286319.5A CN201410286319A CN104104557A CN 104104557 A CN104104557 A CN 104104557A CN 201410286319 A CN201410286319 A CN 201410286319A CN 104104557 A CN104104557 A CN 104104557A
- Authority
- CN
- China
- Prior art keywords
- classification
- reduction
- unit
- piecemeal
- rule
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 36
- 230000009467 reduction Effects 0.000 claims abstract description 253
- 230000007246 mechanism Effects 0.000 claims abstract description 66
- 238000007781 pre-processing Methods 0.000 claims abstract description 17
- 230000008878 coupling Effects 0.000 claims description 127
- 238000010168 coupling process Methods 0.000 claims description 127
- 238000005859 coupling reaction Methods 0.000 claims description 127
- 238000000034 method Methods 0.000 claims description 25
- 238000005192 partition Methods 0.000 claims description 23
- XLYOFNOQVPJJNP-UHFFFAOYSA-N water Substances O XLYOFNOQVPJJNP-UHFFFAOYSA-N 0.000 claims description 19
- 238000012545 processing Methods 0.000 claims description 18
- 230000014509 gene expression Effects 0.000 claims description 10
- 239000000284 extract Substances 0.000 claims description 4
- 238000013507 mapping Methods 0.000 claims description 4
- 230000015572 biosynthetic process Effects 0.000 claims description 3
- 230000008569 process Effects 0.000 description 7
- 238000010586 diagram Methods 0.000 description 6
- 238000005516 engineering process Methods 0.000 description 6
- 238000001914 filtration Methods 0.000 description 4
- 239000000203 mixture Substances 0.000 description 4
- 230000004048 modification Effects 0.000 description 4
- 238000012986 modification Methods 0.000 description 4
- 230000002829 reductive effect Effects 0.000 description 4
- 230000008901 benefit Effects 0.000 description 3
- 238000004458 analytical method Methods 0.000 description 2
- 230000003139 buffering effect Effects 0.000 description 2
- 238000007689 inspection Methods 0.000 description 2
- 238000005457 optimization Methods 0.000 description 2
- 238000000638 solvent extraction Methods 0.000 description 2
- 230000009471 action Effects 0.000 description 1
- 230000002155 anti-virotic effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 239000003795 chemical substances by application Substances 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 239000008358 core component Substances 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000008030 elimination Effects 0.000 description 1
- 238000003379 elimination reaction Methods 0.000 description 1
- 239000002360 explosive Substances 0.000 description 1
- 238000005206 flow analysis Methods 0.000 description 1
- 230000008447 perception Effects 0.000 description 1
- 238000013138 pruning Methods 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 230000007704 transition Effects 0.000 description 1
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses a deep packet detection device orienting an IPv6 security gateway. The device comprises a double-matching core unit 102, a multistage assembly line preprocessing parallel mechanism 112 which is connected with the double-matching core unit 102 and is invoked via a basic operation interface, and a multipath search matching parallel mechanism 114. The double-matching core unit 102 comprises a main matching core 1 and a shadow matching core 2. The main matching core 1 and the shadow matching core 2 respectively comprise an engine configuration parameter unit 104, a preprocessing primitive operation unit 106, a class search high-speed classification unit 108 and a class reduction high-speed classification unit 110. The basic operation interface comprises a rule parsing interface 116, a rule matching preprocessing interface 118, a rule matching classification interface 120 and a rule matching engine configuration interface 122. With the help of the technical scheme, deep packet detection orienting an IPv6 network can be realized.
Description
Technical field
The present invention relates to traffic classification and recognition technology field, particularly relate to a kind of deep packet detection device towards IPv6 security gateway.
Background technology
In the prior art, the recognition and classification of application or agreement is the basis of information filtering, flow analysis, Bandwidth Management, secure communication and the Internet supervision and O&M, and the rule match based on protocol characteristic coupling is the key technology of network message classification.Correspondingly, rule match engine is traffic management gateway, information filtering fire compartment wall, intrusion detection and system of defense, anti-virus gateway, Spam filtering gateway, UTM, the core component of the disparate networks security gateways such as VPN, in order to message is classified, traffic identification and application perception, it is forwarding of packets, QoS queue scheduling, load balancing, the prerequisite of information filtering and network measure and basis, it is positioned in the critical path of every message processing, under high speed network environment, its coupling and classification capacity will be one of bottleneck of whole system performance.
Protocol characteristic (or fingerprint, signature, keyword) refers to that the flow of certain network application is different from some AD HOC strings of other flows, the type of definite network traffics that can be unique; Protocol characteristic is described concrete network application with the form of safety regulation conventionally.Safety regulation is defined according to certain grammer by some dimensions such as a stack features pattern string, sign/type, action or field, accurately describes complicated context and semantic information; Many rules are according to certain priority orders composition rule set.Characteristic matching mainly refers to accurately string coupling and matching regular expressions, and wherein, accurately string coupling can be divided into again monotype coupling and multi-mode matching; Rule match refers to the multi-mode characteristic matching of carrying out based on whole regular collection.
Deep-packet detection (Deep Packet Inspection, referred to as DPI) is seven layers of important rule match technology of a class.Different from three to four layers of multidimensional bag classifying rules matching technique of carrying out message classification based on five-tuple (being source-order IP address, source-eye end mouth, protocol type), deep-packet detection master is if it were not for utilizing heading information as search key, but the application layer payload segment that is deep into message carries out content analysis, to survey, whether there are a plurality of feature mode strings of appointment in rule or mate specific regular expression, conventionally need to carry out byte-by-byte scanning; In addition, pattern string quantity, length and the deviation post of each rule may be not identical, and the same position of same rule also may have a plurality of pattern strings.And on the other hand, in order to identify network application or the agreement with well-known server ip address, well-known serve port, conventionally also the five-tuple fields such as the IP address of heading, port, agreement are approximately decided to be to the optional part of deep-packet detection rule.
IPv4 network is to the evolution of IPv6 network, the ever-increasing network bandwidth, the new application of new business and the huge network traffics that emerge in an endless stream, and the design that makes high-performance deep-packet detection rule match engine is faced with huge challenge with realizing.First, existing deep-packet detection rule employing standard regular expression grammer is described and uses finite automata DFA to realize, but the syntactic property of regular expression complexity has far exceeded the demand of network security rule, the explosive expansion issues of finite automaton chance generation state memory headroom when regular collection is larger.And for a large class application/protocol identification class application, the common standard of comparison of its protocol format and fixing, the length of traffic characteristic keyword and deviation post can pre-determine, rule syntax that therefore can definition, simple.Secondly, along with the transition of IPv4 to IPv6, the length of IP address rises to 128 by original 32, and the mandatory use of the security mechanism based on IPSec standard makes message load from expressly becoming ESP ciphertext, and existing rule match technology can not adapt to this new variation completely.Again, the performance scalability of existing rule match engine generally a little less than, along with renewal and the scale of regular collection constantly expands, regular preliminary treatment and rule match speed are all fast-descending trend, are difficult to realize real-time response and linear speed and process.Finally, existing rule match engine cannot be realized configurable regular collection preliminary treatment and mate core texture upgrading, because preprocessing process and rule match core are all hard coded, when demand for security change or the variation of application situation, for example rule schemata changes, and all can only start anew to realize again.
Summary of the invention
In view of the above problems, the present invention has been proposed to a kind of deep packet detection device towards IPv6 security gateway that overcomes the problems referred to above or address the above problem is at least in part provided.
The invention provides a kind of deep packet detection device towards IPv6 security gateway, comprise: two coupling core cells 102, and the multi-stage pipeline preliminary treatment parallel mechanism structure 112 that is connected with two coupling core cells 102 and calls by basic operation interface, search coupling parallel mechanism structure 114 with multichannel, wherein, two coupling core cells 102 comprise main coupling core 1 and shadow coupling core 2, main coupling core 1 and shadow coupling core 2 comprise respectively engine configuration parameter unit 104, preliminary treatment primitive operation unit 106, classification search high speed taxon 108, classification reduction high speed taxon 110, basic operation interface comprises: rule parsing interface 116, rule match preliminary treatment interface 118, rule match sort interface 120 and rule match engine configuration interface 122,
Engine configuration parameter unit 104, for being configured by 122 pairs of engine configuration parameters of rule match engine configuration interface;
Preliminary treatment primitive operation unit 106, for regular collection is carried out to preliminary treatment primitive operation, wherein, preliminary treatment primitive operation comprises: regular piecemeal longitudinal projection, subpoint and interval clustering and classification set reduction cluster;
Classification is searched high speed taxon 108 and is comprised classification search tree unit 402 and classification look-up table unit 404, and the classification look-up table in the classification search tree in classification search tree unit 402 and classification look-up table unit 404 carries out preliminary treatment by the subpoint of preliminary treatment primitive operation unit 106 and interval clustering operation to the projection end points sequence of larger regular piecemeal and standard rule piecemeal and basic interval respectively and generated;
Classification reduction high speed taxon 110 comprises classification binary reduction unit 406 and classification ternary reduction unit 408, and classification binary reduction unit 406 and classification ternary reduction unit 408 carry out reduction cluster preprocessing by the classification set reduction cluster operation of preliminary treatment primitive operation unit 106 to two or three the classification set in classification search tree, classification look-up table and the set of reduction classification and generated;
Multi-stage pipeline preliminary treatment parallel mechanism structure 112, by rule match preliminary treatment interface 118, called, for creating preprocessing tasks thread pool according to pipeline configuration parameter, and the thread in preprocessing tasks thread pool is assigned to corresponding core cpu successively binds, the shadow coupling core 2 of selected two coupling core cells 102, by rule parsing interface 116, load the regular collection of shadow coupling core 2, regular collection is carried out to piecemeal, regular collection according to engine configuration parameter after to piecemeal calls the regular piecemeal longitudinal projection operation of preliminary treatment primitive operation unit 106 successively, subpoint and interval clustering operation, and classification set reduction cluster operation, the matched rule collection that shadow is mated to core 2 is upgraded or upgrades, activate shadow coupling core 2 and switched to main coupling core 1, enable new matched rule collection, former main coupling core switches to shadow coupling core and transfers to armed state,
Multichannel is searched coupling parallel mechanism structure 114 and is called by rule match sort interface 120, multichannel is searched coupling parallel mechanism structure 114 by classification search tree unit 402, classification look-up table unit 404, classification binary reduction unit 406, according to the engine configuration parameter of engine configuration parameter unit 104 settings, combining cascade with classification ternary reduction unit 408 forms, the classification search tree and the search tree reduction unit that comprise binary or ternary, classification look-up table and look-up table reduction unit, classification search tree and look-up table reduction unit, and the combination reduction unit of reduction unit and reduction unit, wherein, multichannel is searched coupling parallel mechanism structure 114 and is searched unit and classification reduction cell formation multiclass classification streamline by classification, classification is searched the first order node that unit belongs to multiclass classification streamline, classification reduction unit belongs to the second level node of multiclass classification streamline to final stage node, multichannel is searched coupling parallel mechanism structure 114 for the message to be sorted of input is carried out to piecemeal, message partition is carried out to classification successively to be searched, the classification logotype that classification reduction operation output are hit and associated regular subset.
Preferably, multichannel search coupling parallel mechanism structure 114 specifically for: the region of the stem regular length of the message load of the message to be sorted of input and the zone definitions of afterbody regular length are that characteristic signature extracts and mates district, and are divided into some standard piecemeals according to the fixed size of regular territory appointment; The piecemeal that IPv6 address and transport layer port number is approximately decided to be to deep-packet detection rule, and using IPv6 address as independent larger piecemeal.
Preferably, multi-stage pipeline preliminary treatment parallel mechanism structure 112 specifically for: according to one or more accurate model strings, interval value, prefix or the regular expression of appointment, regular collection is carried out to piecemeal.
Preferably, preliminary treatment primitive operation unit 106 specifically for:
The operation of rule piecemeal longitudinal projection: by regular piecemeal longitudinal projection on transverse axis, piecemeal projection end points is sorted and union operation, the end points sequence of create-rule piecemeal; Between the projected area of the same piecemeal of Different Rule, if before and after it between the proparea of adjacent interval between right endpoint and back zone left end point belong to neighbours' end points, these two end points are merged into an end points; Between a plurality of projected area of the same piecemeal of wall scroll rule, according to the position relationship between interval, it is carried out to interval and laterally merge, eliminate merged empty projection end points; According to the regular piecemeal end points sequence of obtaining, be divided into nonoverlapping some basic intervals by piecemeal Value space is complete;
Subpoint and interval clustering operation: for each end points or the interval in regular piecemeal end points sequence, traversal rule set successively, generation comprises this end points or interval regular subset, and itself and the regular subset that end points or interval have generated are above carried out to cluster, according to the result of cluster, give its unique type identification; The subpoint of standard piecemeal, type identification and respective rule subset are carried out associated, generate classification look-up table; The projection end points of larger piecemeal and basic interval, type identification and respective rule subset are carried out associated, generate classification search tree;
Classification set reduction cluster operation: use cartesian product mode to carry out reduction cluster operation two or three classification set, generate the set of a reduction classification; To the associated regular collection of type identification of two or three classification set that are under the jurisdiction of the respectively create-rule subset that seeks common ground, and the regular subset that it is generated with reduction operation above carries out cluster operation, and then give its unique type identification according to the result of cluster; And corresponding one by one with the type identification tuple that participates in epicycle reduction cluster operation; Type identification tuple, reduction cluster operation coding, newtype sign and corresponding regular subset are carried out associated, generation classification reduction look-up table.
Preferably, the built-in classification search tree in classification search tree unit 402 is to have search tree between the AVL y-bend equilibrium area of rigorous equilibrium constraint; The internal node of the corresponding range lookup tree of larger piecemeal projection end points, the leaf node of the corresponding range lookup tree of basic interval, node all marks corresponding type identification;
Classification search tree unit 402 specifically for: receive a searching value as input, and export a classification logotype, this classification logotype has implied regular subset associated with it.
Preferably, the built-in classification look-up table in classification look-up table unit 404 is direct index table or hash table; Direct index table consists of the relationship maps of primary index value and type identification; Hash table consists of the hashed value of primary index value and the relationship maps of type identification, and wherein hashed value is asked mould and obtains certain fixed value by primary index value, and the conflict of hashed value adopts chained list method to solve;
Classification look-up table unit 404 specifically for: receive an index value as input, and export a classification logotype, wherein classification logotype has implied regular subset associated with it.
Preferably, classification binary reduction unit 406 or classification ternary reduction unit 408 comprise a type identification tuple coding unit and a classification reduction look-up table; Type identification tuple coding unit is carried out the mapping from binary or ternary type identification tuple to reduction operation coding, and the index value using output encoder as classification reduction look-up table; Classification reduction look-up table be direct index table or hash table;
Classification binary reduction unit 406 or classification ternary reduction unit 408 specifically for: receive two or three type identifications as input, and export a classification logotype, wherein classification logotype has implied regular subset associated with it.
Preferably, multi-stage pipeline preliminary treatment parallel mechanism structure 112 comprises preliminary treatment thread pond, object memory pool and some streamline task nodes of multi-core CPU binding; In each CPU core and thread pool, some threads are bound, the phased mission of independent scheduling, executed in parallel rule pretreated stream waterline; Object memory pool refers to the memory object of some fixed sizes that pre-first to file retains, and memory object is frequently applied for and reclaims; Streamline task node according to engine configuration parameter and precedence call successively executing rule piecemeal longitudinal projection operation, subpoint operate and classification set reduction cluster operation with interval clustering; Streamline task node the interim preliminary treatment primitive operation of each performed piecemeal of this node is carried out to multithreading, parallel processing;
Multi-stage pipeline preliminary treatment parallel mechanism structure 112 specifically for: receive regular collection as input, regular collection, after the processing of the whole nodes of streamline, generates and exports rule match accelerating engine coupling core.
Preferably, the classification streamline node that multichannel is searched coupling parallel mechanism structure 114 carries out multichannel to the interim sort operation of each performed piecemeal of this node and searches coupling and parallel processing;
Multichannel search coupling parallel mechanism structure 114 specifically for: receive message partition as input, message partition after the processing of the whole nodes of classification streamline, generate and export the regular subset of finally hitting.
Preferably, wherein, engine configuration parameter comprises: pipeline configuration parameter and reduction operations table, pipeline configuration parameter comprises: pipeline series, flowing water node piecemeal quantity at different levels, flowing water node divide block type and classification to search mode, wherein, the classification that reduction operations table has been described each piecemeal of flowing water nodes at different levels is searched reduction combination and the cascade system between unit, classification binary or ternary reduction unit; The strategy that adopts of reduction combination comprise: the piecemeal that logical semantics is similar or relevant carries out reduction combination; In larger piecemeal and standard partitioned logic, be divided into two large classes, and piecemeal preferential and of the same type carries out reduction combination operation; Under the constraints of meeting spatial complexity, preferentially select ternary reduction unit.
Beneficial effect of the present invention is as follows:
By means of the technical scheme of the embodiment of the present invention, can realize the deep-packet detection to IPv6 network.
Above-mentioned explanation is only the general introduction of technical solution of the present invention, in order to better understand technological means of the present invention, and can be implemented according to the content of specification, and for above and other objects of the present invention, feature and advantage can be become apparent, below especially exemplified by the specific embodiment of the present invention.
Accompanying drawing explanation
By reading below detailed description of the preferred embodiment, various other advantage and benefits will become cheer and bright for those of ordinary skills.Accompanying drawing is only for the object of preferred implementation is shown, and do not think limitation of the present invention.And in whole accompanying drawing, by identical reference symbol, represent identical parts.In the accompanying drawings:
Fig. 1 is the structural representation of the deep packet detection device towards IPv6 security gateway of the embodiment of the present invention;
Fig. 2 is the schematic diagram of method of partition of the deep-packet detection rule of the embodiment of the present invention;
Fig. 3 a is the perspective view of single codomain of the same piecemeal of many rules of the regular piecemeal longitudinal projection of the embodiment of the present invention;
Fig. 3 b is the perspective view of a plurality of codomains of the same piecemeal of wall scroll rule of the regular piecemeal longitudinal projection of the embodiment of the present invention;
Fig. 4 a is the classification search tree cell schematics of high speed taxon of the rule match engine of the embodiment of the present invention;
Fig. 4 b is the classification look-up table cell schematics of high speed taxon of the rule match engine of the embodiment of the present invention;
Fig. 4 c is the binary reduction cell schematics of high speed taxon of the rule match engine of the embodiment of the present invention;
Fig. 4 d is the ternary reduction cell schematics of high speed taxon of the rule match engine of the embodiment of the present invention;
Fig. 5 is the schematic diagram of the built-in interval classification balanced binary search tree in the classification search tree unit of the embodiment of the present invention;
Fig. 6 is that the multi-stage pipeline preliminary treatment parallel mechanism structure of the embodiment of the present invention carries out pretreated flow chart to regular collection;
Fig. 7 a is classification search tree and the classification search tree binary reduction cell schematics of the embodiment of the present invention;
Fig. 7 b is the combination reduction cell schematics of classification binary reduction unit and the classification binary reduction unit of the embodiment of the present invention;
Fig. 8 is the rule match accelerating engine schematic diagram of the embodiment of the present invention.
Embodiment
Exemplary embodiment of the present disclosure is described below with reference to accompanying drawings in more detail.Although shown exemplary embodiment of the present disclosure in accompanying drawing, yet should be appreciated that and can realize the disclosure and the embodiment that should do not set forth limits here with various forms.On the contrary, it is in order more thoroughly to understand the disclosure that these embodiment are provided, and can by the scope of the present disclosure complete convey to those skilled in the art.
According to embodiments of the invention, a kind of deep packet detection device towards IPv6 security gateway is provided, Fig. 1 is the structural representation of the deep packet detection device towards IPv6 security gateway of the embodiment of the present invention, as shown in Figure 1, according to the deep packet detection device towards IPv6 security gateway of the embodiment of the present invention, comprise: two coupling core cells 102, and the multi-stage pipeline preliminary treatment parallel mechanism structure 112 that is connected with two coupling core cells 102 and calls by basic operation interface, search coupling parallel mechanism structure 114 with multichannel, wherein, two coupling core cells 102 comprise main coupling core 1 and shadow coupling core 2, main coupling core 1 and shadow coupling core 2 comprise respectively engine configuration parameter unit 104, preliminary treatment primitive operation unit 106, classification search high speed taxon 108, classification reduction high speed taxon 110, basic operation interface comprises: rule parsing interface 116, rule match preliminary treatment interface 118, rule match sort interface 120 and rule match engine configuration interface 122,
Engine configuration parameter unit 104, for being configured by 122 pairs of engine configuration parameters of rule match engine configuration interface; Engine configuration parameter comprises: pipeline configuration parameter and reduction operations table, pipeline configuration parameter comprises: pipeline series, flowing water node piecemeal quantity at different levels, flowing water node divide block type and classification to search mode, wherein, the classification that reduction operations table has been described each piecemeal of flowing water nodes at different levels is searched reduction combination and the cascade system between unit, classification binary or ternary reduction unit; The strategy that adopts of reduction combination comprise: the piecemeal that logical semantics is similar or relevant carries out reduction combination; In larger piecemeal and standard partitioned logic, be divided into two large classes, and piecemeal preferential and of the same type carries out reduction combination operation; Under the constraints of meeting spatial complexity, preferentially select ternary reduction unit.
Preliminary treatment primitive operation unit 106, for regular collection is carried out to preliminary treatment primitive operation, wherein, preliminary treatment primitive operation comprises: regular piecemeal longitudinal projection, subpoint and interval clustering and classification set reduction cluster;
Preliminary treatment primitive operation unit 106 specifically for:
The operation of rule piecemeal longitudinal projection: by regular piecemeal longitudinal projection on transverse axis, piecemeal projection end points is sorted and union operation, the end points sequence of create-rule piecemeal; Between the projected area of the same piecemeal of Different Rule, if before and after it between the proparea of adjacent interval between right endpoint and back zone left end point belong to neighbours' end points, these two end points are merged into an end points; Between a plurality of projected area of the same piecemeal of wall scroll rule, according to the position relationship between interval, it is carried out to interval and laterally merge, eliminate merged empty projection end points; According to the regular piecemeal end points sequence of obtaining, be divided into nonoverlapping some basic intervals by piecemeal Value space is complete;
Subpoint and interval clustering operation: for each end points or the interval in regular piecemeal end points sequence, traversal rule set successively, generation comprises this end points or interval regular subset, and itself and the regular subset that end points or interval have generated are above carried out to cluster, according to the result of cluster, give its unique type identification; The subpoint of standard piecemeal, type identification and respective rule subset are carried out associated, generate classification look-up table; The projection end points of larger piecemeal and basic interval, type identification and respective rule subset are carried out associated, generate classification search tree;
Classification set reduction cluster operation: use cartesian product mode to carry out reduction cluster operation two or three classification set, generate the set of a reduction classification; To the associated regular collection of type identification of two or three classification set that are under the jurisdiction of the respectively create-rule subset that seeks common ground, and the regular subset that it is generated with reduction operation above carries out cluster operation, and then give its unique type identification according to the result of cluster; And corresponding one by one with the type identification tuple that participates in epicycle reduction cluster operation; Type identification tuple, reduction cluster operation coding, newtype sign and corresponding regular subset are carried out associated, generation classification reduction look-up table.
Classification is searched high speed taxon 108 and is comprised classification search tree unit 402 and classification look-up table unit 404, and the classification look-up table in the classification search tree in classification search tree unit 402 and classification look-up table unit 404 carries out preliminary treatment by the subpoint of preliminary treatment primitive operation unit 106 and interval clustering operation to the projection end points sequence of larger regular piecemeal and standard rule piecemeal and basic interval respectively and generated;
The built-in classification search tree in classification search tree unit 402 is to have search tree between the AVL y-bend equilibrium area of rigorous equilibrium constraint; The internal node of the corresponding range lookup tree of larger piecemeal projection end points, the leaf node of the corresponding range lookup tree of basic interval, node all marks corresponding type identification;
Classification search tree unit 402 specifically for: receive a searching value as input, and export a classification logotype, this classification logotype has implied regular subset associated with it.
The built-in classification look-up table in classification look-up table unit 404 is direct index table or hash table; Direct index table consists of the relationship maps of primary index value and type identification; Hash table consists of the hashed value of primary index value and the relationship maps of type identification, and wherein hashed value is asked mould and obtains certain fixed value by primary index value, and the conflict of hashed value adopts chained list method to solve;
Classification look-up table unit 404 specifically for: receive an index value as input, and export a classification logotype, wherein classification logotype has implied regular subset associated with it.
Classification reduction high speed taxon 110 comprises classification binary reduction unit 406 and classification ternary reduction unit 408, and classification binary reduction unit 406 and classification ternary reduction unit 408 carry out reduction cluster preprocessing by the classification set reduction cluster operation of preliminary treatment primitive operation unit 106 to two or three the classification set in classification search tree, classification look-up table and the set of reduction classification and generated;
Classification binary reduction unit 406 or classification ternary reduction unit 408 comprise a type identification tuple coding unit and a classification reduction look-up table; Type identification tuple coding unit is carried out the mapping from binary or ternary type identification tuple to reduction operation coding, and the index value using output encoder as classification reduction look-up table; Classification reduction look-up table be direct index table or hash table;
Classification binary reduction unit 406 or classification ternary reduction unit 408 specifically for: receive two or three type identifications as input, and export a classification logotype, wherein classification logotype has implied regular subset associated with it.
Multi-stage pipeline preliminary treatment parallel mechanism structure 112, by rule match preliminary treatment interface 118, called, for creating preprocessing tasks thread pool according to pipeline configuration parameter, and the thread in preprocessing tasks thread pool is assigned to corresponding core cpu successively binds, the shadow coupling core 2 of selected two coupling core cells 102, by rule parsing interface 116, load the regular collection of shadow coupling core 2, regular collection is carried out to piecemeal, regular collection according to engine configuration parameter after to piecemeal calls the regular piecemeal longitudinal projection operation of preliminary treatment primitive operation unit 106 successively, subpoint and interval clustering operation, and classification set reduction cluster operation, the matched rule collection that shadow is mated to core 2 is upgraded or upgrades, activate shadow coupling core 2 and switched to main coupling core 1, enable new matched rule collection, former main coupling core switches to shadow coupling core and transfers to armed state,
Multi-stage pipeline preliminary treatment parallel mechanism structure 112 specifically for: according to one or more accurate model strings, interval value, prefix or the regular expression of appointment, regular collection is carried out to piecemeal.
Multi-stage pipeline preliminary treatment parallel mechanism structure 112 comprises preliminary treatment thread pond, object memory pool and some streamline task nodes of multi-core CPU binding; In each CPU core and thread pool, some threads are bound, the phased mission of independent scheduling, executed in parallel rule pretreated stream waterline; Object memory pool refers to the memory object of some fixed sizes that pre-first to file retains, and memory object is frequently applied for and reclaims; Streamline task node according to engine configuration parameter and precedence call successively executing rule piecemeal longitudinal projection operation, subpoint operate and classification set reduction cluster operation with interval clustering; Streamline task node the interim preliminary treatment primitive operation of each performed piecemeal of this node is carried out to multithreading, parallel processing;
Multi-stage pipeline preliminary treatment parallel mechanism structure 112 specifically for: receive regular collection as input, regular collection, after the processing of the whole nodes of streamline, generates and exports rule match accelerating engine coupling core.
Multichannel is searched coupling parallel mechanism structure 114 and is called by rule match sort interface 120, multichannel is searched coupling parallel mechanism structure 114 by classification search tree unit 402, classification look-up table unit 404, classification binary reduction unit 406, according to the engine configuration parameter of engine configuration parameter unit 104 settings, combining cascade with classification ternary reduction unit 408 forms, the classification search tree and the search tree reduction unit that comprise binary or ternary, classification look-up table and look-up table reduction unit, classification search tree and look-up table reduction unit, and the combination reduction unit of reduction unit and reduction unit, wherein, multichannel is searched coupling parallel mechanism structure 114 and is searched unit and classification reduction cell formation multiclass classification streamline by classification, classification is searched the first order node that unit belongs to multiclass classification streamline, classification reduction unit belongs to the second level node of multiclass classification streamline to final stage node, multichannel is searched coupling parallel mechanism structure 114 for the message to be sorted of input is carried out to piecemeal, message partition is carried out to classification successively to be searched, the classification logotype that classification reduction operation output are hit and associated regular subset.
Multichannel search coupling parallel mechanism structure 114 specifically for: the region of the stem regular length of the message load of the message to be sorted of input and the zone definitions of afterbody regular length are that characteristic signature extracts and mates district, and are divided into some standard piecemeals according to the fixed size of regular territory appointment; The piecemeal that IPv6 address and transport layer port number is approximately decided to be to deep-packet detection rule, and using IPv6 address as independent larger piecemeal.
The classification streamline node that multichannel is searched coupling parallel mechanism structure 114 carries out multichannel to the interim sort operation of each performed piecemeal of this node and searches coupling and parallel processing;
Multichannel search coupling parallel mechanism structure 114 specifically for: receive message partition as input, message partition after the processing of the whole nodes of classification streamline, generate and export the regular subset of finally hitting.
Below the technique scheme of the embodiment of the present invention is elaborated.
The problems referred to above that the embodiment of the present invention exists in order to solve existing deep-packet detection rule match engine, provide a kind of deep packet inspection method towards IPv6 security gateway and configurable high-performance deep-packet detection rule match engine.
For achieving the above object, the embodiment of the present invention provides a kind of deep packet detection device towards IPv6 and 64 bit platform security gateways, comprising: configurable regular preliminary treatment and rule match accelerating engine and basic framework thereof; The method of partition of deep-packet detection rule; The preliminary treatment primitive operations such as rule piecemeal longitudinal projection, subpoint and interval clustering, classification set reduction cluster; The high speed taxons such as classification search tree, classification look-up table, classification binary or ternary reduction; Multi-stage pipeline preliminary treatment, multichannel are searched the parallel mechanism structures such as coupling; Two coupling core architecture of main coupling core and shadow coupling core.
In one or more embodiment of the present invention, described configurable regular preliminary treatment and rule match accelerating engine adopt two coupling core architecture of described main coupling core and shadow coupling core, built-in described regular piecemeal longitudinal projection, subpoint and interval clustering, preliminary treatment primitive operation and the described classification search trees such as classification set reduction cluster, classification look-up table, the high speed taxons such as classification binary or ternary reduction, and the multi-stage pipeline preliminary treatment described in using, multichannel is searched coupling and is waited parallel mechanism structure to realize the Quick Pretreatment of rule set and coupling, described basic framework provides the basic operation interfaces such as rule parsing interface, rule match preliminary treatment interface, rule match sort interface and rule match engine configuration interface.
In one or more embodiment of the present invention, the method of partition of described deep-packet detection rule, by IPv6 message load (if IPSec ESP ciphertext, should first decipher and obtain expressly) the region of stem regular length (for example 50 bytes) and the zone definitions of afterbody regular length (for example 4 bytes) be that characteristic signature extracts and mates district, and for example, be divided into some standard piecemeals according to the fixed size of regular territory appointment (2 bytes); Meanwhile, IPv6 address and transport layer port number are approximately decided to be to the piecemeal of deep-packet detection rule, and using IPv6 address as independent larger piecemeal; The value of rule piecemeal can be specified one or more accurate model strings, prefix, interval value or regular expression.
In one or more embodiment of the present invention, the preliminary treatment primitive operation of described regular piecemeal longitudinal projection, comprise: described regular piecemeal longitudinal projection on transverse axis, described piecemeal projection end points sorts and the operations such as merging, the end points sequence of create-rule piecemeal; Between the described projected area of the same piecemeal of Different Rule, if before and after it between the proparea of adjacent interval between right endpoint and back zone left end point belong to neighbours' end points, these two end points are merged into an end points; Between a plurality of described projected area of the same piecemeal of wall scroll rule, according to comprising between interval, intersect, the position relationship such as adjacent or separated, it is carried out to the horizontal merging in interval, eliminate merged empty projection end points; Described regular piecemeal end points sequence is divided into nonoverlapping some basic intervals piecemeal Value space is complete.
In one or more embodiment of the present invention, the preliminary treatment primitive operation of described piecemeal subpoint and interval clustering, comprise: between each end points or cut section in the end points sequence of described piecemeal projection, traversal rule set successively, generation comprises this end points or interval regular subset, and itself and the regular subset that end points or interval have generated are carried out to cluster, and then give its unique type identification according to the result of cluster above; The subpoint of described standard piecemeal, described type identification and respective rule subset are carried out associated, generate classification look-up table; The projection end points of described larger piecemeal and basic interval, described type identification and respective rule subset are carried out associated, generate classification search tree.
In one or more embodiment of the present invention, described classification search tree high speed taxon, the built-in classification search tree described in it is for having search tree between the AVL y-bend equilibrium area of rigorous equilibrium constraint (difference in height that is the left and right subtree of node mostly is 1 most); The internal node of the corresponding described range lookup tree of described larger piecemeal projection end points, the leaf node of the corresponding described range lookup tree of basic interval, node all marks corresponding type identification; Described classification search tree high speed taxon is accepted a searching value (for example message partition) as input, and exports a classification logotype, and this classification logotype has implied regular subset associated with it.
In one or more embodiment of the present invention, described classification look-up table high speed taxon, the built-in classification look-up table described in it is direct index table or hash table; Described direct index table consists of the relationship maps of (primary index value, type identification); Described hash table consists of the relationship maps of (hashed value of primary index value, type identification), and wherein hashed value for example, is asked mould to certain fixed value (65536) by primary index value and obtain, and the conflict of described hashed value adopts the solution of chained list method; Described classification look-up table high speed taxon is accepted an index value (for example message partition) as input, and exports a classification logotype, and wherein classification logotype has implied regular subset associated with it.
In one or more embodiment of the present invention, the preliminary treatment primitive operation of described classification set reduction cluster, comprising: two or three described classification set use cartesian product mode to carry out reduction cluster operation, generate the set of a reduction classification; To being under the jurisdiction of respectively the associated regular collection of type identification of two or three the described classification set create-rule subset that seeks common ground, and the regular subset that it is generated with reduction operation above carries out cluster operation, and then give its unique type identification according to the result of cluster; Described reduction cluster operation Unified coding, initial value is 0, every to take turns operation increment be 1, and corresponding one by one with the type identification tuple that participates in epicycle reduction cluster operation; Described type identification tuple, described reduction cluster operation coding, described newtype sign and corresponding regular subset are carried out associated, generation classification reduction look-up table.
In one or more embodiment of the present invention, described classification binary or ternary reduction high speed taxon, comprise the classification reduction look-up table described in type identification tuple coding unit described in one and; Described type identification tuple coding unit is carried out the mapping from described binary or ternary type identification tuple to described reduction operation coding, and the index value using described output encoder as described classification reduction look-up table; Described classification reduction look-up table is described direct index table or described hash table; Described classification binary or ternary reduction high speed taxon are accepted two or three type identifications as input, and export a classification logotype, and wherein classification logotype has implied regular subset associated with it.
In one or more embodiment of the present invention, described multi-stage pipeline preliminary treatment parallel mechanism structure comprises preliminary treatment thread pond, object memory pool and some streamline task nodes of multi-core CPU binding; In each CPU core and described thread pool, some threads are bound, the phased mission of independent scheduling, executed in parallel rule pretreated stream waterline; Described object memory pool refers to the memory object of some fixed sizes that pre-first to file retains, and described memory object is frequently applied for and reclaims, and comprises the interval data object that waits of described regular piecemeal; Described streamline task node is carried out described regular piecemeal longitudinal projection, described subpoint and interval clustering, described interim preliminary treatment primitive operations such as classification set reduction cluster successively according to engine configuration parameter and precedence; Described streamline task node carries out multithreading, parallel processing to the performed interim preliminary treatment primitive operation of described each piecemeal of this node; Described multi-stage pipeline preliminary treatment parallel mechanism structure is accepted regular collection as input, and described regular collection, after the processing of the whole nodes of described streamline, generates and export described rule match accelerating engine coupling core.
In one or more embodiment of the present invention, described multichannel is searched coupling parallel mechanism structure and is formed by the various combination cascade between described classification search tree unit, classification look-up table unit and binary or ternary classification search tree and the nodes such as combination reduction unit of search tree reduction unit, classification look-up table and look-up table reduction unit, classification search tree and look-up table reduction unit, reduction unit and reduction unit, and composition and classification streamline; Described multichannel is searched coupling and is adopted and the similar flow process of pretreated stream waterline, and each described node carries out successively according to engine configuration parameter and precedence that described classification is searched, described binary or ternary reduction and the described interim sort operation such as combination reduction; Described classification streamline node carries out multichannel to the performed interim sort operation of described each piecemeal of this node and searches coupling, parallel processing; Described multichannel is searched coupling parallel mechanism structure and is accepted message partition as input, and described message partition, after the processing of the whole nodes of described classification streamline, generates and export the described regular subset of finally hitting.
In one or more embodiment of the present invention, described configurable regular preliminary treatment and rule match accelerating engine adopt two coupling cores, hot standby framework, comprise main coupling core and shadow coupling core; Described coupling core comprises described engine configuration parameter and described classification search tree unit, described classification look-up table unit and described classification binary or ternary reduction unit; When carrying out rule match, described multichannel is searched coupling parallel mechanism structure and is used described main coupling core, and described main coupling core is in active state, and described shadow coupling core is standby; When carrying out rule set upgrading, described rule set is through the preliminary treatment of described multi-stage pipeline preliminary treatment parallel mechanism structure, described shadow coupling core is modified and upgrades, the also seamless hot-swap that is activated is immediately new described main coupling core, described former main coupling core becomes described shadow coupling core, is converted to armed state.
In one or more embodiment of the present invention, described rule parsing interface comprises rule set buffering area parsing interface, rule set document analysis interface, wall scroll rule parsing interface and regular piecemeal configuration interface; Wherein, described regular piecemeal configuration interface comprises that regular piecemeal adds interface, regular piecemeal delete interface, regular piecemeal modification interface and redundant rule elimination interface.Described rule parsing interface is called by described multi-stage pipeline preliminary treatment parallel mechanism structure.
In one or more embodiment of the present invention, described rule match preliminary treatment interface comprises regular preliminary treatment interface and rule upgrading preliminary treatment interface.Multi-stage pipeline preliminary treatment parallel mechanism structure described in described rule match preliminary treatment interface interchange carries out preliminary treatment or upgrading to regular collection, generates and export described rule match accelerating engine coupling core.
In one or more embodiment of the present invention, the multichannel described in described rule match sort interface drives is searched coupling parallel mechanism structure and is carried out rule match classification, generates and export the described regular subset of finally hitting.
In one or more embodiment of the present invention, described rule match engine configuration interface comprises engine configuration parameter interface and engine readjustment registration interface; Described engine configuration parameter comprises that pipeline series, flowing water node piecemeal quantity at different levels, flowing water node divide block type and classification to search pipeline configuration parameter and the reduction operations tables such as mode (search tree or look-up table); The classification that described reduction operations table has been described described in each piecemeals of described flowing water nodes at different levels is searched reduction combination and the cascade system between unit, classification binary or ternary reduction unit; The strategy that described reduction combination adopts comprises: 1) the similar or relevant piecemeal of logical semantics is carried out to reduction combination; 2) in the larger piecemeal described in and described standard partitioned logic, be divided into two large classes, and piecemeal preferential and of the same type carries out reduction combination operation; 3), under the constraints of meeting spatial complexity, preferentially select described ternary reduction unit.Described engine configuration parameter interface is for configuring described engine configuration parameter, and described engine readjustment registration interface is for configuring described wall scroll rule parsing interface to support the deep-packet detection rule of multiple different syntax formats.
Below in conjunction with accompanying drawing, the technique scheme real-time to the present invention is illustrated.
Fig. 1 has provided configurable regular preliminary treatment that the embodiment of the present invention provides and the block diagram of rule match accelerating engine and basic framework 100 (corresponding to the above-mentioned deep packet detection device towards IPv6 security gateway) thereof.As shown in Figure 1, described configurable regular preliminary treatment and rule match accelerating engine comprise that two coupling core cells 102, engine configuration parameter unit 104, preliminary treatment primitive operation unit 106, the classification of main coupling core and shadow coupling core search high speed taxon 108, classification reduction high speed taxon 110, multi-stage pipeline preliminary treatment parallel mechanism structure 112, multichannel and search coupling parallel mechanism structure 114; Described basic framework comprises the basic operation interfaces such as rule parsing interface 116, rule match preliminary treatment interface 118, rule match sort interface 120 and rule match engine configuration interface 122.
Described two coupling core cell 102 comprises main coupling core 1 and shadow coupling core 2, described coupling core comprises described engine configuration parameter unit 104, described classification is searched high speed taxon 108, described classification reduction high speed taxon 110, and by described multi-stage pipeline preliminary treatment parallel mechanism structure 112, according to engine configuration parameters such as the pipeline configuration parameter of described engine configuration parameter unit 104 and reduction operations tables, regular collection is carried out successively the regular piecemeal longitudinal projection of described preliminary treatment primitive operation unit 106, subpoint and interval clustering, preliminary treatment primitive operations such as classification set reduction cluster and generating, the engine configuration parameter of described engine configuration parameter unit 104 arranges by described rule match engine configuration interface 122.When carrying out rule match, described multichannel is searched the described main coupling core 1 that coupling parallel mechanism structure 114 is used in active state, and described shadow coupling core 2 is standby; When carrying out regular collection upgrading, described regular collection is through the preliminary treatment of described multi-stage pipeline preliminary treatment parallel mechanism structure 112, described shadow coupling core 2 is modified and upgrades, the also seamless hot-swap that is activated is immediately new described main coupling core, described former main coupling core becomes described shadow coupling core, transfers to armed state.
Fig. 2 is the schematic diagram of method of partition of the deep-packet detection rule of the embodiment of the present invention.The method of partition of described deep-packet detection rule is that the region of 50 bytes and zone definitions that afterbody regular length is 4 bytes are feature extracting and matching district by the stem regular length of message load, and is divided into some standard piecemeals according to the form of the fixed size of regular territory appointment 2 bytes.Meanwhile, the IPv6/IPv4 address of heading and transport layer port number are approximately decided to be to the piecemeal of described deep-packet detection rule, and using IPv6/IPv4 address as independent larger piecemeal.Described message load should be clear-text message, if IPSec ESP ciphertext or other cryptographic protocol message should first be decrypted by TSM Security Agent assembly.The value of rule piecemeal can be specified one or more accurate model strings, interval value, prefix or regular expression, for prefix and regular expression, need to use rewriting technique unification to be converted into interval coupling.For fairly large described deep-packet detection regular collection, regular collection can be divided into a plurality of subsets, a plurality of rule match micro engines of instantiation, and adopt internal memory compress technique to reduce the space requirement of engine.
Described preliminary treatment primitive operation unit 106 comprises the preliminary treatment primitive operations such as regular piecemeal longitudinal projection, subpoint and interval clustering, classification set reduction cluster, and is driven by described multi-stage pipeline preliminary treatment parallel mechanism structure 112.
As shown in Figure 3 a, 3 b, this operates the projection on transverse axis of regular piecemeal, generates end points sequence and is divided into nonoverlapping some basic intervals piecemeal Value space is complete.Wherein, Fig. 3 a has provided the example of certain piecemeal projection on transverse axis of four rule R0, R1, R2 and R3, and wherein, right half side 304 is piecemeal projection generally, and left half side 302 is the piecemeal projection under neighbours' end points combination situation.The right endpoint 159 of R0 piecemeal is with the left end point 160 of R1 piecemeal, the right endpoint of R3 piecemeal 127 belongs to neighbours' end points with the left end point 128 of R2 piecemeal, and after neighbours' end points union operation, projection end points quantity reduces two.Fig. 3 b has provided the projection example of a plurality of codomains of the same piecemeal of wall scroll rule, four codomain S0, S1, S2 and S3 of this rule piecemeal respectively according to comprising, intersect, the adjacent or complete position relationship such as separated, by horizontal union operation, eliminate empty projection end points, reduced real projection end points and the basic interval quantity of final generation.The operation of described regular piecemeal longitudinal projection has realized the beta pruning optimization that final generated described classification is searched the interval classification balance search tree that high speed taxon 108 comprises, thereby has improved the efficiency of rule match search procedure.
As shown in Fig. 4 a-d, described classification is searched high speed taxon 108 and is comprised classification search tree unit 402 and classification look-up table unit 404, by the described subpoint of described preliminary treatment primitive operation unit 106 and interval clustering primitive operation, the projection end points sequence of described larger regular piecemeal and described standard rule piecemeal and basic interval is carried out to preliminary treatment respectively and is generated.
In one embodiment of the invention, the integer searching value of length between 16 and 128 usingd as input in described classification search tree unit 402, output length is the integer class label of 16, and the realization of unit internal searching logic adopts the interval classification balanced binary of AVL search tree mode.As shown in Figure 5, the projection end points sequence of internal node rule of correspondence piecemeal R0~R7 of the interval classification balanced binary of the described AVL search tree that described classification search tree unit 402 is built-in, the corresponding composition rule piecemeal of leaf node Value space [0,2
128-1] basic interval, the regular cluster classification logotype C0~C7 under each node all marks, this classification logotype has implied regular subset associated with it.The integer searching value of length between 16 and 24 usingd as input in described classification look-up table unit 404, output length is the integer class label of 16, the built-in direct classification index consisting of the relationship maps of (index value, type identification) in unit is tabled look-up or hash table.
As shown in Figure 4, described classification reduction high speed taxon 110 comprises classification binary reduction unit 406 and classification ternary reduction unit 408, by the described classification set reduction cluster primitive operation of described preliminary treatment primitive operation unit 106, two or three classification set such as described classification search tree, described classification look-up table and the set of described reduction classification is carried out to reduction cluster preprocessing and is generated.Integer classification searching value that two or three length are 16 is usingd as input in described classification binary reduction unit 406 or classification ternary reduction unit 408, output length is the integer class label of 16, and the realization of unit internal logic adopts the mode of classification reduction look-up table described in described type identification tuple coding unit cascade.
As shown in Figure 6, described multi-stage pipeline preliminary treatment parallel mechanism structure 112 comprises preliminary treatment thread pond, object memory pool and streamline first order node 602, streamline intermediate node 604 and the streamline final stage node 606 of multi-core CPU binding, and is called by described rule match preliminary treatment interface 118.It is as follows that 112 pairs of regular collections of described multi-stage pipeline preliminary treatment parallel mechanism structure carry out pretreated main flow process:
Step 1, reads the streamline parameter that the system configuration parameters such as core cpu number and described engine configuration parameter unit 104 comprise, and creates described preprocessing tasks thread pool, and thread is assigned to corresponding core cpu successively binds;
Step 2, enters streamline first order node 602:
Step 21, the shadow core of selected described rule match engine, the preprocessing process of rule set will upgrade or upgrade described coupling core, to enable new matched rule collection;
Step 22, load and resolution rules collection, call described rule parsing interface 116, from rule set buffering area or filec descriptor read successively wall scroll rule, according to described regular method of partition, resolve and cut apart rule string, each piecemeal of decimation rule also adds described regular piecemeal to pending regular piecemeal chained list;
Step 23, the pending piecemeal queue that flowing water node 602 at the corresponding levels is read in circulation: if there is pending piecemeal, partitioning pretreatment task is dropped into described thread pool, and perform step step 24-25; If without piecemeal, go to described streamline next stage node;
Step 24, divides block type if piecemeal is standard, carries out following operation:
A) regular piecemeal is carried out on transverse axis to the described regular piecemeal longitudinal projection operation of described preliminary treatment primitive operation unit 106, described projection end points sequence and the basic interval of create-rule set;
B) for each end points or basic interval in projection end points sequence, carry out described subpoint and the interval clustering operation of described preliminary treatment primitive operation unit 106, generate the regular subset and associated classification logotype that comprise described end points or basic interval;
C) set up the relationship maps of the subpoint of described standard piecemeal, described type identification and respective rule subset, generate described classification look-up table unit 404;
Step 25, if piecemeal is for dividing more greatly block type, carry out following operation:
A) regular piecemeal is carried out on transverse axis to the described regular piecemeal longitudinal projection operation of described preliminary treatment primitive operation unit 106, by the neighbours' end points between projected area, merge with horizontal merging and wait optimization method, generate minimum regular collection projection end points sequence and basic interval;
B) based on projection end points sequence, generate the internal node that comprises monodrome in described search tree and the leaf node that comprises interval value, and and then generate the interval balanced binary search tree of AVL;
C) for internal node and the leaf node of search tree, carry out described subpoint and the interval clustering operation of described preliminary treatment primitive operation unit 106, generate the regular subset and associated classification logotype that comprise described node;
D) described node, described type identification and respective rule subset are carried out associated, generate described classification search tree unit 402;
Step 3, enters streamline intermediate node 604 to final stage node 606, and every grade of flowing water node circulation is carried out to following steps:
Step 31, the pending piecemeal queue that flowing water node at the corresponding levels is read in circulation: if there is pending piecemeal, partitioning pretreatment task is dropped into described thread pool, and perform step 32-34; If without piecemeal, go to described streamline next stage node;
Step 32, the reduction operations table parameter comprising according to described engine configuration parameter unit 104, reads this piecemeal in flowing water node at the corresponding levels and carries out the required corresponding sub-block cluster classification set of flowing water node above of reduction operation;
Step 33, according to described reduction operations table, this piecemeal is carried out to described classification set reduction operations:
If a) this piecemeal should carry out binary reduction operations, successively the whole classification set under two piecemeals of prime flowing water node are carried out the described classification set reduction cluster primitive operation of described preliminary treatment primitive operation unit 106, the regular collection of every two particular category generates described reductive rule subset, the type identification of association and described reduction cluster operation Unified coding;
B) if this piecemeal should carry out ternary reduction operations, successively the whole classification set under three piecemeals of prime flowing water node are carried out the described classification set reduction cluster primitive operation of described preliminary treatment primitive operation unit 106, the regular collection of every three particular category generates described reductive rule subset, the type identification of association and described reduction cluster operation Unified coding;
Step 34, carries out described type identification tuple, described reduction cluster operation coding, described type identification and reductive rule subset accordingly associated, generates respectively described classification binary reduction unit 406 and described classification ternary reduction unit 408;
Step 4, after the processing of the whole nodes of streamline, regular collection has completed preprocessing process.
Described multichannel is searched engine configuration parameter that coupling parallel mechanism structure 114 arranges according to described engine configuration parameter unit 104 by described classification search tree unit 402, described classification look-up table unit 404 and described classification binary reduction unit 406, described classification ternary reduction unit 408 and is combined cascade and formed, and comprises the classification search tree of binary or ternary and the combination reduction unit of search tree reduction unit, classification look-up table and look-up table reduction unit, classification search tree and look-up table reduction unit, reduction unit and reduction unit.Described multichannel is searched coupling parallel mechanism structure 114 composition and classification streamlines, and wherein, described classification is searched the first order node that unit belongs to described classification streamline, and the second level node that described classification reduction unit belongs to described classification streamline is to final stage node.
Shown in Fig. 7 a-b, classification search tree described in Fig. 7 a and classification search tree binary reduction unit are formed by described classification binary reduction unit 706 cascades of 702,704 and one of two described classification search tree unit, have realized a kind search tree unit--the binary reduction operations of the parallel associating in search tree unit.Message partition to be sorted is usingd as input in described classification search tree unit 702 and 704, and as output, sends into next stage node classification binary reduction unit 706 using searching the classification logotype obtaining, and after the search operation of binary reduction, exports new classification logotype.The combination reduction unit of the classification binary reduction unit described in Fig. 7 b and classification binary reduction unit is formed by described classification binary reduction unit 712 cascades of 708,710 and one of two described classification binary reduction unit, has realized a kind binary reduction unit--the binary reduction operations of the parallel associating in binary reduction unit.The classification logotype output of even higher level of node is usingd as inputting in described classification binary reduction unit 708 and 710, and binary reduction is searched to the classification logotype obtaining and as output, send into next stage node classification binary reduction unit 712, after the search operation of binary reduction, export new classification logotype.
Fig. 8 is the schematic diagram of the rule match accelerating engine of the embodiment of the present invention, as shown in Figure 8, the reclassify streamline that described rule match accelerating engine 800 is searched coupling parallel mechanism structure by described multichannel forms, and 7 message partition inputs and 1 classification output are externally provided.Described streamline parameter is set to: described streamline first order node comprises 7 classifications and searches unit, comprising 3 classification search tree unit (811,812,813) and 4 classification look-up table unit (814,815,816,817), respectively corresponding 7 regular piecemeals, and accept corresponding message partition input; Described streamline second level node comprises 3 classification reduction unit, comprising 2 classification binary reduction unit (821,823) and 1 classification ternary reduction unit 822; Described streamline third level node is final stage node, comprises 1 classification ternary reduction unit 831.Described reduction operations table parameter is set to: described classification search that unit 811,812 combines and with unit 821 cascades of described classification binary reduction, described classification search that unit 813,814,815 combines and with unit 822 cascades of described classification ternary reduction, described classification search that unit 816,817 combines and with unit 823 cascades of described classification binary reduction, described classification reduction unit 821,822,823 combine and with unit 831 cascades of described classification ternary reduction.The classification logotype that the message partition of 800 pairs of inputs of described rule match accelerating engine carries out that classification is searched successively, classification reduction operation output are hit and associated regular subset.
The main flow process that described rule match accelerating engine 800 carries out rule match is as follows:
Step 1, the message to be sorted of input is carried out to piecemeal, be divided into successively 805,16 piecemeals 806 of 804,16 piecemeals of 803,16 piecemeals of 802,32 piecemeals of 801,128 piecemeals of 128 piecemeals and 16 piecemeals 807, call described rule match sort interface 120 and carry out rule match classification, and and then drive described multichannel search coupling parallel mechanism structure reclassify streamline;
Step 2, enters classification streamline first order node: piecemeal 801 input classification search tree unit 811, and search and obtain and export classification logotype CID
1; Piecemeal 802 input classification search tree unit 812, search and obtain and export classification logotype CID
2; Piecemeal 803 input classification search tree unit 813, search and obtain and export classification logotype CID
3; Piecemeal 804 input classification look-up table unit 814, search and obtain and export classification logotype CID
4; Piecemeal 805 input classification look-up table unit 815, search and obtain and export classification logotype CID
5; Piecemeal 806 input classification look-up table unit 816, search and obtain and export classification logotype CID
6; Piecemeal 807 input classification look-up table unit 817, search and obtain and export classification logotype CID
7;
Step 3, enters classification streamline second level node: the output CID of streamline first order node
1and CID
2send into classification binary reduction unit 821, after the search operation of binary reduction, export classification logotype CID
8; The output CID of streamline first order node
3, CID
4and CID
5send into classification ternary reduction unit 822, after the search operation of ternary reduction, export classification logotype CID
9; The output CID of streamline first order node
6and CID
7send into classification binary reduction unit 823, after the search operation of binary reduction, export classification logotype CID
10;
Step 4, enters classification streamline third level node: the output CID of streamline second level node
8, CID
9and CID
10send into classification ternary reduction unit 831, after the search operation of ternary reduction, export final classification logotype CID.
In sum, by means of the technical scheme of the embodiment of the present invention, can realize the deep-packet detection to IPv6 network.
Obviously, those skilled in the art can carry out various changes and modification and not depart from the spirit and scope of the present invention the present invention.Like this, if within of the present invention these are revised and modification belongs to the scope of the claims in the present invention and equivalent technologies thereof, the present invention is also intended to comprise these changes and modification interior.
Claims (10)
1. the deep packet detection device towards IPv6 security gateway, it is characterized in that, comprise: two coupling core cells (102), and the multi-stage pipeline preliminary treatment parallel mechanism structure (112) that is connected and calls by basic operation interface with described two coupling core cells (102), search coupling parallel mechanism structure (114) with multichannel, wherein, described two coupling core cells (102) comprise main coupling core (1) and shadow coupling core (2), described main coupling core (1) and described shadow coupling core (2) comprise respectively engine configuration parameter unit (104), preliminary treatment primitive operation unit (106), described classification is searched high speed taxon (108), described classification reduction high speed taxon (110), described basic operation interface comprises: rule parsing interface (116), rule match preliminary treatment interface (118), rule match sort interface (120) and rule match engine configuration interface (122),
Described engine configuration parameter unit (104), for being configured engine configuration parameter by described rule match engine configuration interface (122);
Described preliminary treatment primitive operation unit (106), for regular collection is carried out to preliminary treatment primitive operation, wherein, described preliminary treatment primitive operation comprises: regular piecemeal longitudinal projection, subpoint and interval clustering and classification set reduction cluster;
Described classification is searched high speed taxon (108) and is comprised classification search tree unit (402) and classification look-up table unit (404), and the classification look-up table in the classification search tree in described classification search tree unit (402) and described classification look-up table unit (404) carries out preliminary treatment by the described subpoint of described preliminary treatment primitive operation unit (106) and interval clustering operation to the projection end points sequence of larger regular piecemeal and standard rule piecemeal and basic interval respectively and generated;
Described classification reduction high speed taxon (110) comprises classification binary reduction unit (406) and classification ternary reduction unit (408), and described classification binary reduction unit (406) and described classification ternary reduction unit (408) carry out reduction cluster preprocessing by the described classification set reduction cluster operation of described preliminary treatment primitive operation unit (106) to two or three the classification set in described classification search tree, described classification look-up table and the set of reduction classification and generated;
Described multi-stage pipeline preliminary treatment parallel mechanism structure (112), by described rule match preliminary treatment interface (118), called, for creating preprocessing tasks thread pool according to described pipeline configuration parameter, and the thread in described preprocessing tasks thread pool is assigned to corresponding core cpu successively binds, the shadow coupling core (2) of selected described two coupling core cells (102), by described rule parsing interface (116), load the regular collection of described shadow coupling core (2), described regular collection is carried out to piecemeal, regular collection according to described engine configuration parameter after to piecemeal calls the regular piecemeal longitudinal projection operation of described preliminary treatment primitive operation unit (106) successively, subpoint and interval clustering operation, and classification set reduction cluster operation, the matched rule collection of described shadow coupling core (2) is upgraded or upgraded, activate described shadow coupling core (2) and switched to described main coupling core (1), enable new matched rule collection, former main coupling core switches to shadow coupling core and transfers to armed state,
Described multichannel is searched coupling parallel mechanism structure (114) and is called by described rule match sort interface (120), described multichannel is searched coupling parallel mechanism structure (114) by described classification search tree unit (402), described classification look-up table unit (404), described classification binary reduction unit (406), according to the engine configuration parameter of described engine configuration parameter unit (104) setting, combining cascade with described classification ternary reduction unit (408) forms, the classification search tree and the search tree reduction unit that comprise binary or ternary, classification look-up table and look-up table reduction unit, classification search tree and look-up table reduction unit, and the combination reduction unit of reduction unit and reduction unit, wherein, described multichannel is searched coupling parallel mechanism structure (114) and is searched unit and classification reduction cell formation multiclass classification streamline by classification, described classification is searched the first order node that unit belongs to described multiclass classification streamline, the second level node that described classification reduction unit belongs to described multiclass classification streamline is to final stage node, described multichannel is searched coupling parallel mechanism structure (114) for the message to be sorted of input is carried out to piecemeal, message partition is carried out to classification successively to be searched, the classification logotype that classification reduction operation output are hit and associated regular subset.
2. device as claimed in claim 1, it is characterized in that, described multichannel search coupling parallel mechanism structure (114) specifically for: the region of the stem regular length of the message load of the message to be sorted of input and the zone definitions of afterbody regular length are that characteristic signature extracts and mates district, and are divided into some standard piecemeals according to the fixed size of regular territory appointment; The piecemeal that IPv6 address and transport layer port number is approximately decided to be to deep-packet detection rule, and using IPv6 address as independent larger piecemeal.
3. device as claimed in claim 1, it is characterized in that, described multi-stage pipeline preliminary treatment parallel mechanism structure (112) specifically for: according to one or more accurate model strings, interval value, prefix or the regular expression of appointment, described regular collection is carried out to piecemeal.
4. device as claimed in claim 1, is characterized in that, described preliminary treatment primitive operation unit (106) specifically for:
The operation of rule piecemeal longitudinal projection: by regular piecemeal longitudinal projection on transverse axis, piecemeal projection end points is sorted and union operation, the end points sequence of create-rule piecemeal; Between the projected area of the same piecemeal of Different Rule, if before and after it between the proparea of adjacent interval between right endpoint and back zone left end point belong to neighbours' end points, these two end points are merged into an end points; Between a plurality of projected area of the same piecemeal of wall scroll rule, according to the position relationship between interval, it is carried out to interval and laterally merge, eliminate merged empty projection end points; According to the regular piecemeal end points sequence of obtaining, be divided into nonoverlapping some basic intervals by piecemeal Value space is complete;
Subpoint and interval clustering operation: for each end points or the interval in regular piecemeal end points sequence, traversal rule set successively, generation comprises this end points or interval regular subset, and itself and the regular subset that end points or interval have generated are above carried out to cluster, according to the result of cluster, give its unique type identification; The subpoint of described standard piecemeal, described type identification and respective rule subset are carried out associated, generate classification look-up table; The projection end points of described larger piecemeal and basic interval, described type identification and respective rule subset are carried out associated, generate classification search tree;
Classification set reduction cluster operation: use cartesian product mode to carry out reduction cluster operation two or three classification set, generate the set of a reduction classification; To being under the jurisdiction of respectively the associated regular collection of type identification of two or three the described classification set create-rule subset that seeks common ground, and the regular subset that it is generated with reduction operation above carries out cluster operation, and then give its unique type identification according to the result of cluster; And corresponding one by one with the type identification tuple that participates in epicycle reduction cluster operation; Type identification tuple, reduction cluster operation coding, newtype sign and corresponding regular subset are carried out associated, generation classification reduction look-up table.
5. device as claimed in claim 1, is characterized in that, the built-in classification search tree in described classification search tree unit (402) is to have search tree between the AVL y-bend equilibrium area of rigorous equilibrium constraint; The internal node of the corresponding described range lookup tree of described larger piecemeal projection end points, the leaf node of the corresponding described range lookup tree of basic interval, node all marks corresponding type identification;
Described classification search tree unit (402) specifically for: receive a searching value as input, and export a classification logotype, this classification logotype has implied regular subset associated with it.
6. device as claimed in claim 1, is characterized in that, the built-in classification look-up table in described classification look-up table unit (404) is direct index table or hash table; Described direct index table consists of the relationship maps of primary index value and type identification; Described hash table consists of the hashed value of primary index value and the relationship maps of type identification, and wherein hashed value is asked mould and obtains certain fixed value by primary index value, and the conflict of described hashed value adopts chained list method to solve;
Described classification look-up table unit (404) specifically for: receive an index value as input, and export a classification logotype, wherein classification logotype has implied regular subset associated with it.
7. device as claimed in claim 1, is characterized in that, described classification binary reduction unit (406) or described classification ternary reduction unit (408) comprise a type identification tuple coding unit and a classification reduction look-up table; Described type identification tuple coding unit is carried out the mapping from binary or ternary type identification tuple to reduction operation coding, and the index value using output encoder as classification reduction look-up table; Described classification reduction look-up table is direct index table or hash table;
Described classification binary reduction unit (406) or described classification ternary reduction unit (408) specifically for: receive two or three type identifications as input, and export a classification logotype, wherein classification logotype has implied regular subset associated with it.
8. device as claimed in claim 1, is characterized in that, described multi-stage pipeline preliminary treatment parallel mechanism structure (112) comprises preliminary treatment thread pond, object memory pool and some streamline task nodes of multi-core CPU binding; In each CPU core and described thread pool, some threads are bound, the phased mission of independent scheduling, executed in parallel rule pretreated stream waterline; Described object memory pool refers to the memory object of some fixed sizes that pre-first to file retains, and described memory object is frequently applied for and reclaims; Described streamline task node according to engine configuration parameter and precedence call successively executing rule piecemeal longitudinal projection operation, described subpoint operates and classification set reduction cluster operation with interval clustering; Described streamline task node carries out multithreading, parallel processing to the interim preliminary treatment primitive operation of each performed piecemeal of this node;
Described multi-stage pipeline preliminary treatment parallel mechanism structure (112) specifically for: receive regular collection as input, described regular collection, after the processing of the whole nodes of described streamline, generates and exports rule match accelerating engine coupling core.
9. device as claimed in claim 1, is characterized in that, the described classification streamline node that described multichannel is searched coupling parallel mechanism structure (114) carries out multichannel to the interim sort operation of each performed piecemeal of this node and searches coupling and parallel processing;
Described multichannel search coupling parallel mechanism structure (114) specifically for: receive message partition as input, described message partition, after the processing of the whole nodes of described classification streamline, generates and exports the described regular subset of finally hitting.
10. device as claimed in claim 1, it is characterized in that, described engine configuration parameter comprises: pipeline configuration parameter and reduction operations table, described pipeline configuration parameter comprises: pipeline series, flowing water node piecemeal quantity at different levels, flowing water node divide block type and classification to search mode, wherein, the classification that described reduction operations table has been described each piecemeal of described flowing water nodes at different levels is searched reduction combination and the cascade system between unit, classification binary or ternary reduction unit; The strategy that described reduction combination adopts comprises: the piecemeal that logical semantics is similar or relevant carries out reduction combination; In larger piecemeal and standard partitioned logic, be divided into two large classes, and piecemeal preferential and of the same type carries out reduction combination operation; Under the constraints of meeting spatial complexity, preferentially select ternary reduction unit.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410286319.5A CN104104557B (en) | 2014-06-24 | 2014-06-24 | Deep packet detection device orienting IPv6 security gateway |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410286319.5A CN104104557B (en) | 2014-06-24 | 2014-06-24 | Deep packet detection device orienting IPv6 security gateway |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104104557A true CN104104557A (en) | 2014-10-15 |
| CN104104557B CN104104557B (en) | 2017-03-22 |
Family
ID=51672377
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410286319.5A Active CN104104557B (en) | 2014-06-24 | 2014-06-24 | Deep packet detection device orienting IPv6 security gateway |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104104557B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106470166A (en) * | 2015-08-19 | 2017-03-01 | 深圳中兴网信科技有限公司 | A kind for the treatment of method and apparatus of data communication message |
| CN110381034A (en) * | 2019-06-25 | 2019-10-25 | 苏州浪潮智能科技有限公司 | A kind of message processing method, device, equipment and readable storage medium storing program for executing |
| CN112087532A (en) * | 2020-08-28 | 2020-12-15 | 中国移动通信集团黑龙江有限公司 | Information acquisition method, device, device and storage medium |
| CN112307279A (en) * | 2020-10-29 | 2021-02-02 | 宜通世纪物联网研究院(广州)有限公司 | DPI service identification method and device, electronic equipment and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102075430A (en) * | 2011-01-25 | 2011-05-25 | 无锡网芯科技有限公司 | Compression and message matching method for deep message detection deterministic finite automation (DFA) state transfer tables |
| CN102497297A (en) * | 2011-12-13 | 2012-06-13 | 曙光信息产业(北京)有限公司 | System and method for realizing deep packet inspection technology based on multi-core and multi-thread |
| CN103281158A (en) * | 2013-05-13 | 2013-09-04 | 昊优明镝(天津)科技有限公司 | Method for detecting communication granularity of deep web and detection equipment thereof |
| US8601567B2 (en) * | 2009-05-08 | 2013-12-03 | At&T Intellectual Property I, L.P. | Firewall for tunneled IPv6 traffic |
-
2014
- 2014-06-24 CN CN201410286319.5A patent/CN104104557B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8601567B2 (en) * | 2009-05-08 | 2013-12-03 | At&T Intellectual Property I, L.P. | Firewall for tunneled IPv6 traffic |
| CN102075430A (en) * | 2011-01-25 | 2011-05-25 | 无锡网芯科技有限公司 | Compression and message matching method for deep message detection deterministic finite automation (DFA) state transfer tables |
| CN102497297A (en) * | 2011-12-13 | 2012-06-13 | 曙光信息产业(北京)有限公司 | System and method for realizing deep packet inspection technology based on multi-core and multi-thread |
| CN103281158A (en) * | 2013-05-13 | 2013-09-04 | 昊优明镝(天津)科技有限公司 | Method for detecting communication granularity of deep web and detection equipment thereof |
Non-Patent Citations (1)
| Title |
|---|
| 朱国胜: "高速低功耗深度报文检测方法", 《通信学报》 * |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106470166A (en) * | 2015-08-19 | 2017-03-01 | 深圳中兴网信科技有限公司 | A kind for the treatment of method and apparatus of data communication message |
| CN110381034A (en) * | 2019-06-25 | 2019-10-25 | 苏州浪潮智能科技有限公司 | A kind of message processing method, device, equipment and readable storage medium storing program for executing |
| CN110381034B (en) * | 2019-06-25 | 2022-02-22 | 苏州浪潮智能科技有限公司 | Message processing method, device, equipment and readable storage medium |
| CN112087532A (en) * | 2020-08-28 | 2020-12-15 | 中国移动通信集团黑龙江有限公司 | Information acquisition method, device, device and storage medium |
| CN112307279A (en) * | 2020-10-29 | 2021-02-02 | 宜通世纪物联网研究院(广州)有限公司 | DPI service identification method and device, electronic equipment and storage medium |
| CN112307279B (en) * | 2020-10-29 | 2024-09-20 | 广东宜通联云智能信息有限公司 | DPI service identification method and device, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104104557B (en) | 2017-03-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Tong et al. | Accelerating decision tree based traffic classification on FPGA and multicore platforms | |
| US11418632B2 (en) | High speed flexible packet classification using network processors | |
| Lerner et al. | The Case for Network Accelerated Query Processing. | |
| US9984144B2 (en) | Efficient lookup of TCAM-like rules in RAM | |
| CN104112026B (en) | A kind of short message text sorting technique and system | |
| US20170053012A1 (en) | High-performance bloom filter array | |
| US8599859B2 (en) | Iterative parsing and classification | |
| CN108875064B (en) | OpenFlow multidimensional data matching search method based on FPGA | |
| WO2009015603A1 (en) | Regular expression compiling system, matching system, compiling method and matching method | |
| CN101154228A (en) | A segmented pattern matching method and device thereof | |
| CN105897587B (en) | A kind of data packet classification method | |
| CN104679790B (en) | The method of distributed rule automotive engine system, building method and executing rule processing | |
| US20200134308A1 (en) | Configuring and performing character pattern recognition in a data plane circuit | |
| CN104104557A (en) | Deep packet detection device orienting IPv6 security gateway | |
| Abbasi et al. | MBitCuts: optimal bit-level cutting in geometric space packet classification | |
| Wang et al. | Memory-based architecture for multicharacter Aho–Corasick string matching | |
| US9043264B2 (en) | Scanning data streams in real-time against large pattern collections | |
| Meiners et al. | Hardware based packet classification for high speed internet routers | |
| SE531947C2 (en) | Procedure, device and system for multi-field classification in a data communication network | |
| Shen et al. | Optimizing multi-dimensional packet classification for multi-core systems | |
| US9590897B1 (en) | Methods and systems for network devices and associated network transmissions | |
| Zou et al. | An identification decision tree learning model for self-management in virtual radio access network: IDTLM | |
| Li et al. | Binary-tree-based high speed packet classification system on FPGA | |
| US9177252B2 (en) | Incremental DFA compilation with single rule granularity | |
| Jose et al. | Gigabit network intrusion detection system using extended Bloom filter in reconfigurable hardware |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C53 | Correction of patent of invention or patent application | ||
| CB02 | Change of applicant information |
Address after: 100085 Beijing, East Road, No. 1, building on the north side of the building, Room 301, room 3 Applicant after: Beijing heaven melts letter Science Technologies Co., Ltd. Address before: 100085 Beijing, East Road, No. 1, building on the north side of the building, Room 301, room 3 Applicant before: BEIJING TOPSEC TECHNOLOGY CO., LTD. |
|
| COR | Change of bibliographic data |
Free format text: CORRECT: APPLICANT; FROM: BEIJING TOPSEC TECHNOLOGY CO., LTD. TO: BEIJING HEAVEN MELTS LETTER SCIENCE TECHNOLOGIES CO., LTD. |
|
| CB02 | Change of applicant information |
Address after: 100085 Beijing, East Road, No. 1, building on the north side of the building, Room 301, room 3 Applicant after: BEIJING TOPSEC TECHNOLOGY CO., LTD. Address before: 100085 Beijing, East Road, No. 1, building on the north side of the building, Room 301, room 3 Applicant before: Beijing heaven melts letter Science Technologies Co., Ltd. |
|
| COR | Change of bibliographic data | ||
| CB02 | Change of applicant information |
Address after: 100085 Beijing, East Road, No. 1, building on the north side of the building, Room 301, room 3 Applicant after: Beijing heaven melts letter Science Technologies Co., Ltd. Address before: 100085 Beijing, East Road, No. 1, building on the north side of the building, Room 301, room 3 Applicant before: BEIJING TOPSEC TECHNOLOGY CO., LTD. |
|
| COR | Change of bibliographic data | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |