CN109376546A - Data packet auditing method, system, device and storage medium based on global rule - Google Patents


Info

Publication number
CN109376546A
CN109376546A
Authority
CN
China
Prior art keywords
data packet
rule
matching
audit
global rule
Prior art date
Legal status
Granted
Application number
CN201811141058.2A
Other languages
Chinese (zh)
Other versions
CN109376546B (en)
Inventor
张志良
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN201811141058.2A
Publication of CN109376546A
Application granted
Publication of CN109376546B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules


Abstract

This application discloses a data packet auditing method based on global rules. Each complete data packet to be audited is split into multiple single-dimension data packets, and each single-dimension data packet then only needs to be matched against the specific matching parameters contained under its corresponding matching dimension. Finally, the target global rule matched by the data packet to be audited can be determined from each matching result and from the global rule to which the single audit rule corresponding to each specific matching parameter belongs. Because each single-audit-rule data packet contains only the part of the data required for matching the corresponding single audit rule, and not the parts unrelated to that rule, different matching operations are not repeated many times over the whole data packet, so matching time and time complexity can be significantly reduced and packet auditing efficiency improved. This application also discloses a data packet auditing system, a device and a computer-readable storage medium based on global rules, which have the same beneficial effects.

Description

Data packet auditing method, system, device and storage medium based on global rule
Technical field
This application relates to the technical field of database auditing, and in particular to a data packet auditing method, system, device and computer-readable storage medium based on global rules.
Background technique
Network security products are widely used to strengthen data security; in most application scenarios this is done by performing content auditing and control on the data transmitted between networks.
For content auditing of data packets one by one, the audit measure currently in use is as follows: each complete data packet to be audited is matched separately against every audit rule. Apart from the case where the audit conclusion (pass or do not pass the packet) can be reached from the result of a single audit rule alone, in scenarios where the content types are numerous and the practical situation is more complex, auditing usually has to be performed with a compound audit rule made up of multiple audit rules of different kinds, i.e. the audit decision is based on a global rule comprising multiple audit rules.
In such cases, the judgement of all the single audit rules that constitute a global rule must be completed, and only then can the respective matching results of each single audit rule be combined to conclude whether the corresponding global rule is matched; on the basis of matching this global rule, the corresponding audit operation is executed according to the audit action set for that global rule. That is, the matching time needed to decide whether a certain global rule is matched directly determines the final packet auditing efficiency, and in the existing implementation the matching time is proportional to the number of single audit rules included in the global rule, because every audit rule requires a complete content match over the data packet to be audited. Especially when there are multiple global rules, all single audit rules included in each global rule have to be matched separately, so matching takes a long time, the time complexity is high and the auditing efficiency is low.
Therefore, how to overcome the technical deficiencies of existing data packet auditing methods and provide a data packet auditing method with shorter matching time, lower time complexity and higher auditing efficiency is a problem that those skilled in the art urgently need to solve.
Summary of the invention
The purpose of this application is to provide a data packet auditing method based on global rules. Each complete data packet to be audited is split into multiple single-dimension data packets, where the number of split packets equals the number of single audit rules included in the global rule and each single audit rule corresponds to one matching dimension. Afterwards, each single-dimension data packet only needs to be matched against the specific matching parameters included under its corresponding matching dimension, and finally the target global rule matched by the data packet to be audited can be determined from each matching result and from the global rule to which the single audit rule corresponding to each specific matching parameter belongs. Because each single-audit-rule data packet contains only the part of the data required for matching the corresponding single audit rule, and not the parts unrelated to that rule, different matching operations are not repeated many times over the whole data packet, so matching time and time complexity can be significantly reduced and packet auditing efficiency improved.
Another object of this application is to provide a data packet auditing system, device and computer-readable storage medium based on global rules.
To achieve the above object, this application provides a data packet auditing method based on global rules, the method comprising:
splitting the data packet to be audited according to each matching dimension included in a matching dimension set, to obtain single-dimension data packets whose number equals the number of matching dimensions; wherein each matching dimension corresponds to an exclusive data splitting mode according to the difference in its features, and a parameter set storing specific matching parameters also corresponds to each matching dimension;
performing parameter matching on each single-dimension data packet using the parameter set of the corresponding matching dimension, to obtain a matching result for each of the specific matching parameters;
determining, according to the matching results and the global rule to which each specific matching parameter belongs, the target global rule matched by the data packet to be audited, and executing the audit action corresponding to the target global rule.
Optionally, the data packet auditing method further comprises:
when a new global rule is added, updating the new specific matching parameters included in the new global rule into the parameter set of the corresponding matching dimension.
Optionally, determining, according to the matching results and the global rule to which each specific matching parameter belongs, the target global rule matched by the data packet to be audited comprises:
determining, according to the matching results, the target specific matching parameters matched by the data packet to be audited;
determining the global rule to which each target specific matching parameter belongs, to obtain each alternative rule set;
performing an AND operation on all alternative rule sets to obtain an AND operation result;
when the AND operation result is non-empty, determining that the data packet to be audited matches the global rule included in the AND operation result;
when the AND operation result is an empty set, determining that the data packet to be audited does not match any currently existing global rule.
Optionally, the data packet auditing method further comprises:
setting different priorities for different global rules;
when the number of target global rules matched by the data packet to be audited is greater than 1, determining a unique target global rule according to the priorities.
To achieve the above object, this application further provides a data packet auditing system based on global rules, the system comprising:
a complete to-be-audited data packet splitting unit, configured to split the data packet to be audited according to each matching dimension included in a matching dimension set, to obtain single-dimension data packets whose number equals the number of matching dimensions; wherein each matching dimension corresponds to an exclusive data splitting mode according to the difference in its features, and a parameter set storing specific matching parameters also corresponds to each matching dimension;
a parameter matching unit, configured to perform parameter matching on each single-dimension data packet using the parameter set of the corresponding matching dimension, to obtain a matching result for each specific matching parameter;
a global rule determination unit, configured to determine, according to the matching results and the global rule to which each specific matching parameter belongs, the target global rule matched by the data packet to be audited, and to execute the audit action corresponding to the target global rule.
Optionally, the data packet auditing system further comprises:
a parameter set updating unit, configured to update, when a new global rule is added, the new specific matching parameters included in the new global rule into the parameter set of the corresponding matching dimension.
Optionally, the global rule determination unit comprises:
a target specific matching parameter determination subunit, configured to determine, according to the matching results, the target specific matching parameters matched by the data packet to be audited;
an alternative rule set establishing subunit, configured to determine the global rule to which each target specific matching parameter belongs, to obtain each alternative rule set;
an AND operation subunit, configured to perform an AND operation on all alternative rule sets to obtain an AND operation result;
a non-empty determination subunit, configured to determine, when the AND operation result is non-empty, that the data packet to be audited matches the global rule included in the AND operation result;
an empty set determination subunit, configured to determine, when the AND operation result is an empty set, that the data packet to be audited does not match any currently existing global rule.
Optionally, the data packet auditing system further comprises:
a priority setting unit, configured to set different priorities for different global rules;
a unique target global rule determination unit, configured to determine, when the number of target global rules matched by the data packet to be audited is greater than 1, a unique target global rule according to the priorities.
To achieve the above object, this application further provides a data packet auditing device, the device comprising:
a memory for storing a computer program;
a processor for implementing the steps of the data packet auditing method described above when executing the computer program.
To achieve the above object, this application further provides a computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the steps of the data packet auditing method described above.
Obviously, the data packet auditing method based on global rules provided herein splits each complete data packet to be audited into multiple single-dimension data packets, where the number of split packets equals the number of single audit rules included in the global rule and each single audit rule corresponds to one matching dimension. Afterwards, each single-dimension data packet only needs to be matched against the specific matching parameters included under its corresponding matching dimension, and finally the target global rule matched by the data packet to be audited can be determined from each matching result and from the global rule to which the single audit rule corresponding to each specific matching parameter belongs. Because each single-audit-rule data packet contains only the part of the data required for matching the corresponding single audit rule, and not the parts unrelated to that rule, different matching operations are not repeated many times over the whole data packet, so matching time and time complexity can be significantly reduced and packet auditing efficiency improved. This application also provides a data packet auditing system, device and computer-readable storage medium based on global rules, which have the same beneficial effects and are not described again here.
Detailed description of the invention
In order to explain the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of this application; those of ordinary skill in the art can also obtain other drawings from the provided drawings without creative effort.
Fig. 1 is a flow chart of a data packet auditing method based on global rules provided by an embodiment of this application;
Fig. 2 is a flow chart of a method for determining the target global rule in the data packet auditing method provided by embodiment one of this application;
Fig. 3 (a) is a rule index bitmap of source IP provided by an embodiment of this application;
Fig. 3 (b) is a rule index bitmap of destination port provided by an embodiment of this application;
Fig. 3 (c) is a rule index bitmap of application name provided by an embodiment of this application;
Fig. 3 (d) is a rule index bitmap of database name provided by an embodiment of this application;
Fig. 4 is a flow chart of policy rule matching that mixes relational operations and set operations, provided by an embodiment of this application;
Fig. 5 (a) is a schematic diagram of the first AND operation result provided by an embodiment of this application;
Fig. 5 (b) is a schematic diagram of the second AND operation result provided by an embodiment of this application;
Fig. 5 (c) is a schematic diagram of the third AND operation result provided by an embodiment of this application.
Fig. 6 is a structural block diagram of a data packet auditing system based on global rules provided by an embodiment of this application.
Specific embodiment
The core of this application is to provide a data packet auditing method, system, device and computer-readable storage medium based on global rules. Each complete data packet to be audited is split into multiple single-dimension data packets, where the number of split packets equals the number of single audit rules included in the global rule and each single audit rule corresponds to one matching dimension. Afterwards, each single-dimension data packet only needs to be matched against the specific matching parameters included under its corresponding matching dimension, and finally the target global rule matched by the data packet to be audited can be determined from each matching result and from the global rule to which the single audit rule corresponding to each specific matching parameter belongs. Because each single-audit-rule data packet contains only the part of the data required for matching the corresponding single audit rule, and not the parts unrelated to that rule, different matching operations are not repeated many times over the whole data packet, so matching time and time complexity can be significantly reduced and packet auditing efficiency improved.
To make the purposes, technical solutions and advantages of the embodiments of this application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments of this application. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments in this application without creative work shall fall within the protection scope of this application.
Embodiment one
Referring to Fig. 1, which is a flow chart of a data packet auditing method based on global rules provided by an embodiment of this application, the method specifically includes the following steps:
S101: split the data packet to be audited according to each matching dimension included in the matching dimension set, to obtain single-dimension data packets whose number equals the number of matching dimensions;
Here, each matching dimension usually corresponds to one kind of single audit rule, for example an audit rule on the source IP address, an audit rule on the destination IP address, or an audit rule on whether a specific character string related to a database name is contained; that is, each kind of single audit rule is generally assigned its own matching dimension, and the set of all matching dimensions is called the matching dimension set. When splitting the data packet by matching dimension, a corresponding data splitting mode also has to be set according to the data features of each kind of single audit rule, so that the data packet obtained by this splitting contains only the target data required for auditing against the corresponding single audit rule. For auditing the source IP address, for example, a single-dimension data packet containing only the source IP address can be obtained from the special format of IP addresses and from the positional feature that distinguishes the source IP address from the destination IP address.
On this basis, under one kind of single audit rule there may also be multiple specific matching parameters depending on the actual situation. For example, the source IP address audit rule included in one global rule requires auditing of data packets whose source IP address is 1.1.1.1, whereas the source IP address audit rule included in another global rule requires auditing of data packets whose source IP address is 2.2.2.2; here 1.1.1.1 and 2.2.2.2 are each a specific matching parameter under the source IP address kind of audit rule, and both are contained in the corresponding parameter set.
It should be noted that single audit rules can be classified into two major categories according to their decision method: relational operations and set operations. Relational operations generally include operations such as equal to, not equal to, and greater than or equal to; set operations generally refer to operations between sets such as intersection and difference, whose results are usually expressed as "contains" and "does not contain". That is, this application does not limit the operation type to which a single audit rule belongs; either can be implemented.
This step is intended to split a complete data packet to be audited according to each matching dimension included in the matching dimension set, to obtain single-dimension data packets whose number equals the number of matching dimensions. That is, each single-dimension data packet contains only the data to be audited that the single audit rule of the corresponding category needs for subsequent matching, and not the data to be audited that relates to single audit rules of other categories. Therefore the matching time for each single-dimension data packet is greatly shortened and no useless work is done; moreover, depending on performance, the matching can also be carried out in parallel to further shorten matching time, because the matching processes of the individual single-dimension data packets are completely independent of one another.
When obtaining the data splitting mode corresponding to each kind of single audit rule, besides splitting and extracting according to the composition features of each kind of single audit rule, the splitting and extraction can also be based on whether the audit keyword of each kind of single audit rule is contained in a continuous character string; it is also possible, provided the composition format of each data packet to be audited has been determined, to manually delimit the splitting and extraction range of the corresponding single-audit-rule data packet according to the single audit rules included in the global rule. The methods are various, and a suitable one can be chosen flexibly according to the complexity of the data making up the data packet to be audited and the required accuracy of splitting and extraction in the actual situation; no specific limitation is made here.
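As an added illustration of the splitting step S101 (example code, not part of the patent or of its assignee's implementation), the following Python splits one constructed IPv4/TCP packet into single-dimension data packets: the source and destination IP addresses and the destination port are taken from their fixed header positions, and the payload text is kept for the database-name keyword rule. The IPv4/TCP framing, the field names and the sample payload are assumptions of the example.

```python
import struct
from ipaddress import IPv4Address


def split_packet(raw: bytes) -> dict:
    """Split one raw IPv4/TCP packet into single-dimension data packets.

    Each returned field carries only what one single audit rule needs:
    source IP, destination IP, destination port, and the payload text used
    by the database-name "contains" rule. Framing is assumed (example code):
    an IPv4 header (options honoured), a TCP header, then an ASCII payload.
    """
    if len(raw) < 20:
        raise ValueError("too short for an IPv4 header")
    version_ihl = raw[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(raw) < ihl + 20:
        raise ValueError("truncated IPv4/TCP header")
    if raw[9] != 6:
        raise ValueError("not TCP")
    # Source and destination IP sit at fixed offsets 12..15 and 16..19; that
    # positional feature is what lets each address be extracted on its own.
    src_ip = str(IPv4Address(raw[12:16]))
    dst_ip = str(IPv4Address(raw[16:20]))
    tcp = raw[ihl:]
    _src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4  # TCP header length in bytes
    payload = tcp[data_offset:]
    # Database-name dimension: keep only the printable payload text; the later
    # matching step checks whether a known database name is contained in it.
    db_text = payload.decode("ascii", errors="ignore")
    return {"src_ip": src_ip, "dst_ip": dst_ip,
            "dst_port": dst_port, "db_text": db_text}


def build_packet(src_ip: str, dst_ip: str, src_port: int,
                 dst_port: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet (sample input for this example only)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


# Constructed sample packet: client 1.1.1.1 talking to a database server.
SAMPLE = build_packet("1.1.1.1", "10.0.0.5", 40000, 3306,
                      b"USE orders_db; SELECT 1")
```

Each field of the returned dictionary is one single-dimension data packet; because they are independent of one another, the matching of S102 can run over them in parallel, as the description notes.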
S102: perform parameter matching on each single-dimension data packet using the parameter set of the corresponding matching dimension, to obtain a matching result for each specific matching parameter;
On the basis of S101, this step is intended to perform parameter matching on each single-dimension data packet using the parameter set of the corresponding matching dimension, to obtain the matching result of each specific matching parameter.
It should be noted that if a global rule includes 4 single audit rules, these 4 single audit rules usually belong to different kinds of single audit rule, because except in very special cases there is no need to set two audit rules of the same kind. For example, if one audit rule sets the source IP address to 1.1.1.1, there are only two situations for the data packet to be audited: its source IP address either equals 1.1.1.1 or does not. If there were also a similar audit rule with source IP address 3.3.3.3, the matching results would conflict. Therefore, in most cases each single audit rule included in a global rule represents a certain kind of audit, and one kind is usually also referred to in the industry as a dimension.
In this case, still assuming that a global rule includes 4 single audit rules (i.e. four matching dimensions), 4 corresponding single-dimension data packets can be obtained. These 4 single-dimension data packets can each be matched against the specific matching parameters included in the corresponding single audit rule to obtain the matching result of each single audit rule. Since what is finally wanted is the conclusion of whether the data packet to be audited matches the global rule comprising these four single audit rules, these four matching results also have to be combined to finally conclude whether the corresponding global rule is matched.
In practical application scenarios there are often many global rules, and under normal conditions the types and number of single audit rules included in different global rules are the same. For example, if there are 10 global rules, all 10 comprise the same 4 single audit rules on the source IP address, the destination IP address, the MAC address and whether a certain database is contained, but the specific matching parameters making up each global rule are certainly different. There are therefore at most 10 source IP addresses, 10 destination IP addresses, 10 MAC addresses and 10 kinds of database: the 10 specific source IP addresses form the parameter set of the source IP matching dimension, the 10 specific destination IP addresses form the parameter set of the destination IP matching dimension, the 10 specific MAC addresses form the parameter set of the MAC matching dimension, and the 10 specific databases form the parameter set of the database matching dimension.
In such a scenario, a complete data packet to be audited can be split into four single-dimension data packets: a source IP data packet, a destination IP data packet, a MAC data packet and a database data packet. Taking the matching process of the source IP data packet as an example, the source IP data packet only has to be matched against the 10 specific source IP addresses contained in the parameter set of the source IP matching dimension, to finally determine which of these 10 specific source IP addresses it matches; the matching process of the other single-dimension data packets is similar.
S103: determine, according to the matching results and the global rule to which each specific matching parameter belongs, the target global rule matched by the data packet to be audited, and execute the audit action corresponding to the target global rule.
On the basis of S102, this step is intended to determine, according to the matching results and the global rule to which each specific matching parameter belongs, the target global rule matched by the data packet to be audited, and to execute the audit action corresponding to the target global rule. Specifically, the case may arise that no existing global rule is matched, and the case may also arise that multiple global rules are matched simultaneously. Under normal conditions, with reasonable design, the vast majority of cases will match only one global rule, because of the execution conflict between the follow-up audit actions that would occur if multiple global rules were matched at the same time. Of course, this problem can also be solved by setting an execution priority for such conflicts; no specific limitation is made here.
For example, when there are two global rules, the first global rule includes four single audit rules A1, B1, C1 and D1, and the second global rule includes four single audit rules A2, B2, C2 and D2. A data packet to be audited can be split and extracted into 4 single-audit-rule data packets (A, B, C and D). Suppose A gives a matched result after matching against policy A1 and also a matched result after matching against A2; B gives an unmatched result after matching against B1 and a matched result after matching against B2; C gives a matched result after matching against C1 and a matched result after matching against C2; D gives a matched result after matching against D1 and a matched result after matching against D2. The data packet to be audited therefore matches A2, B2, C2 and D2 simultaneously, so it can be determined that it matches the second global rule; since it does not simultaneously match A1, B1, C1 and D1, it can be determined that it does not match the first global rule.
On the basis of determining from the matching results that a certain existing global rule is matched, the audit action preset for that global rule also has to be executed. This generally includes two kinds, audit or do not audit: the former means the data packet to be audited goes through the subsequent audit process, the latter means the data packet to be audited is one that is to be "let off".
Based on the above technical solution, the data packet auditing method based on global rules provided by the embodiment of this application splits each complete data packet to be audited into multiple single-dimension data packets, where the number of split packets equals the number of single audit rules included in the global rule and each single audit rule corresponds to one matching dimension. Afterwards, each single-dimension data packet only needs to be matched against the specific matching parameters included under its corresponding matching dimension, and finally the target global rule matched by the data packet to be audited can be determined from each matching result and from the global rule to which the single audit rule corresponding to each specific matching parameter belongs. Because each single-audit-rule data packet contains only the part of the data required for matching the corresponding single audit rule, and not the parts unrelated to that rule, different matching operations are not repeated many times over the whole data packet, so matching time and time complexity can be significantly reduced and packet auditing efficiency improved.
Embodiment two
Fig. 2 is a flowchart of a method for determining the target global rule within the packet auditing method provided by Embodiment one of the present application. This embodiment only provides one feasible way of determining the target global rule for step S103 of Embodiment one and does not change the other steps. The specific implementation steps, described below with reference to Fig. 2, are as follows:
S201: determining, according to the matching results, the target specific match parameters matched by the packet to be audited;
This step obtains, for each single-dimension packet that was split out, which specific match parameters in the parameter set of its corresponding matching dimension it actually matched; the matched specific match parameters are called target specific match parameters.
S202: determining the global rules to which each target specific match parameter belongs, obtaining the candidate rule sets;
On the basis of S201, this step obtains, from the global rules to which the target specific match parameters belong, one candidate rule set per single-dimension packet. The number of candidate rule sets equals the number of single-dimension packets, and each candidate rule set contains the global rules corresponding to the respective target specific match parameters, because one single-dimension packet may match several specific match parameters, and one specific match parameter may belong to several global rules at the same time.
S203: performing an AND operation on the candidate rule sets, obtaining an AND result;
S202 only determines the global rules matched by each single-dimension packet. To obtain the complete global-rule matching result for the packet to be audited, which is made up of all its single-dimension packets, the global rules matched by the individual single-dimension packets must be combined into a final conclusion. The specific method is to AND the candidate rule sets together, obtaining an AND result.
The AND operation is a basic logical operation, written & in computers. The two operands are ANDed bit by bit according to the rule 0&0=0, 0&1=0, 1&0=0, 1&1=1; that is, a result bit is 1 only when both input bits are 1, and 0 otherwise. The purpose of this step is to select the global rules that are present in every single-dimension packet's candidate rule set at the same time, which is equivalent to taking the intersection of the candidate rule sets; implemented with binary values in a computer, this is exactly the AND operation.
S204: when the AND result is non-empty, determining that the packet to be audited matches the global rules contained in the AND result;
S205: when the AND result is the empty set, determining that the packet to be audited matches none of the currently existing global rules.
In another embodiment of the present application, the case where the AND result contains several global rules is also considered: different priorities are set in advance for different global rules, and when more than one target global rule matches the packet to be audited, the unique target global rule is determined according to priority. Specifically, the rule with the highest priority may be chosen for execution, or, according to special requirements that may exist in a practical application scenario, the rule with a middle or the lowest priority; this is not specifically limited here.
In another embodiment of the present application, when a new global rule is added, the new specific match parameters contained in it may also be added to the parameter sets of the corresponding matching dimensions. In practice one first checks whether the new global rule introduces new specific match parameters or is merely a new combination of existing ones. If it is a new combination, the membership relation between the existing specific match parameters and the new global rule must be added; if new specific match parameters exist, they need only be added to the parameter set of the corresponding matching dimension and their membership set.
Embodiment three
On the basis of the above embodiments, this embodiment provides a specific implementation in combination with a practical application scenario; please also refer to Fig. 3 (a) to (d), Fig. 4 and Fig. 5 (a) to (c). The actual environment of this embodiment is given in Table 1 below:
Table 1: policy, rule and dimension sample table
As shown in Table 1, assume the user has created two policies on the security product, named policy A and policy B. Each policy comprises four dimensions, source IP, destination port, application name and database name, together with the action to take on a match, audit or do not audit. The matching mode of the source IP dimension is "equal to", that of the destination port dimension is "not equal to", that of the application name dimension is "contains", and that of the database name dimension is "does not contain". Policy A contains one rule: source IP 1.1.1.1, destination port 1521, application name oracle, database name a, with the action after a match being do not audit. Policy B contains three rules. The first has source IP 3.3.3.3, destination port 1433, application name SQL Server, database name ab, with action audit. The second has source IP 5.5.5.5, destination port 3306, application name mysql, database name abc, with action audit. The third has source IP 1.1.1.1, destination port 1522, application name Java oracle, database name abcd, with action audit.
For the four rules of the two policies created above, the match parameters are first preprocessed dimension by dimension: the source IP, destination port, application name and database name dimensions are each preprocessed separately. Four bits are used to record whether a given value in a dimension hits each of the four global rules: if the value hits a global rule, that rule's bit is set to 1, otherwise to 0.
The matching mode of the source IP is "equal to", that is, a rule matches when the source IP in the packet equals the source IP in the rule. Following this "equal to" principle, the source IP values 1.1.1.1, 3.3.3.3, 5.5.5.5 and 1.1.1.1 are preprocessed into the rule index of Fig. 3 (a).
As shown in Fig. 3 (a), source IP 1.1.1.1 corresponds to global rule 0 and global rule 3, so in the stored rule index bitmap bits 0 and 3 are set to 1 and the remaining bits to 0. Source IP 3.3.3.3 corresponds to global rule 1, so in its rule index bitmap bit 1 is set to 1 and the rest to 0. Source IP 5.5.5.5 corresponds to global rule 2, so in its rule index bitmap bit 2 is set to 1 and the rest to 0.
The matching mode of the destination port is "not equal to", that is, a rule matches when the destination port in the packet differs from the destination port in the rule. Following this "not equal to" principle, the destination ports 1521, 1433, 3306 and 1522 are preprocessed into the rule index of Fig. 3 (b).
As shown in Fig. 3 (b), the rules whose destination port is not 1521 are global rules 1, 2 and 3, so in the stored rule index bitmap bits 1, 2 and 3 are 1 and bit 0 is 0. The rules whose destination port is not 1433 are global rules 0, 2 and 3, so bits 0, 2 and 3 are 1 and bit 1 is 0. The rules whose destination port is not 3306 are global rules 0, 1 and 3, so bits 0, 1 and 3 are 1 and bit 2 is 0. The rules whose destination port is not 1522 are global rules 0, 1 and 2, so bits 0, 1 and 2 are 1 and bit 3 is 0.
The matching mode of the application name is "contains", that is, a rule matches when the application name of the current packet contains the application name defined in the rule. Following this "contains" principle, the application names oracle, SQL Server, mysql and Java oracle are preprocessed into the rule index of Fig. 3 (c).
As shown in Fig. 3 (c), the rules containing the application name oracle are global rules 0 and 3, so in the stored rule index bitmap bits 0 and 3 are 1 and bits 1 and 2 are 0. The rule containing the application name SQL Server is global rule 1, so bit 1 is 1 and the rest 0. The rule containing the application name mysql is global rule 2, so bit 2 is 1 and the rest 0. The rule containing the application name Java oracle is global rule 3, so bit 3 is 1 and the rest 0.
The matching mode of the database name is "does not contain", that is, a rule matches when the database name accessed in the current packet does not contain the database name defined in the rule. Following this "does not contain" principle, the database names a, ab, abc and d are preprocessed into the rule index of Fig. 3 (d).
As shown in Fig. 3 (d), the rule not containing database name a is global rule 3, so in the stored rule index bitmap bit 3 is 1 and the rest 0. The rules not containing database name ab are global rules 0 and 3, so bits 0 and 3 are 1 and the rest 0. The rules not containing database name abc are global rules 0, 1 and 3, so bits 0, 1 and 3 are 1 and bit 2 is 0. The rules not containing database name d are global rules 0, 1 and 2, so bits 0, 1 and 2 are 1 and bit 3 is 0.
The above is the preprocessing of each dimension of the rules. Next, with reference to Fig. 4, the policy-rule matching process provided by this embodiment, which mixes relational operations and set operations, is described.
Step 1: initialize the rule matching result r to all ones, 0xf, that is, set every rule's matching bit to 1 so that by default all rules match;
Step 2: check whether every dimension has been matched; if not, go to step 3, otherwise go to step 7;
Step 3: take the value d of the current dimension from the packet;
Step 4: match the value d of the packet's current dimension against the preprocessed result p of that dimension, obtaining the rule matching result di of the current dimension;
Step 5: AND the previous rule matching result r with the current dimension's rule matching result di, that is r = r & di, obtaining the new rule matching result r;
Step 6: check whether the rule matching result r equals 0; if it does, go to step 7, which means the current packet matches no rule; if r is not 0, go to step 2;
Step 7: obtain the rule matching result set r of the current packet, in which bit n being 1 indicates that global rule n has matched.
The policy-rule matching process mixing relational and set operations provided by this embodiment is illustrated below with two examples:
First example: the packet currently passing through the security product has source IP 1.1.1.1, destination port 1521, application name oracle and database name abc.
Step one, match the source IP. The packet's source IP 1.1.1.1 is matched against the preprocessed source IP result of Fig. 3 (a). The source IP matching mode is "equal to"; after matching, the rules equal to source IP 1.1.1.1 are shown as the source IP dimension matching result in Fig. 5 (a). Obviously, the rules equal to source IP 1.1.1.1 are global rules 0 and 3. ANDing the source IP dimension matching result with the initial rule matching result, all ones 0xf, gives the matching result 0 and 3;
Step two, match the destination port. The packet's destination port 1521 is matched against the preprocessed destination port result of Fig. 3 (b). The destination port matching mode is "not equal to"; after matching, the rule matching result for ports not equal to 1521 is shown as the destination port dimension matching result in Fig. 5 (a). The rules not equal to destination port 1521 are global rules 1, 2 and 3.
Then the source IP dimension and destination port dimension matching results are ANDed (&) rule bit by rule bit, with the result shown in Fig. 5 (a). From it we can see that the rule matching both the source IP dimension and the destination port dimension is global rule 3 (the first rule matching result);
Step three, match the application name. The packet's application name oracle is matched against the preprocessed application name result of Fig. 3 (c). The application name matching mode is "contains"; after matching, the global rule matching result for application name oracle is shown as the application name dimension matching result in Fig. 5 (b), namely the rules containing application name oracle are global rule 1 and global rule 3.
Then the rule matching result of the previous steps is ANDed rule bit by rule bit with this step's application name dimension matching result, with the result shown in Fig. 5 (b). From it we can see that the rule matching the source IP, destination port and application name dimensions simultaneously is global rule 3 (the second rule matching result);
Step four, match the database name. The packet's database name abc is matched against the preprocessed database name result of Fig. 3 (d). The database name matching mode is "does not contain"; after matching, the global rule matching result for database name abc is shown as the database name dimension matching result in Fig. 5 (c), namely the rules not containing database name abc are global rules 0, 1 and 3.
Then the rule matching result of the previous steps is ANDed bit by bit with this step's database name dimension matching result, with the result shown in Fig. 5 (c). From it we can see that the rule matching the source IP, destination port, application name and database name dimensions simultaneously is global rule 3 (the third rule matching result).
Second example: the packet currently passing through the security product has source IP 2.2.2.2, destination port 1522, application name mysql and database name a.
Step one, match the source IP. The packet's source IP 2.2.2.2 is matched against the preprocessed source IP result of Fig. 3 (a). Since source IP 2.2.2.2 is not in the preprocessed source IP list, the matching result is all zeros, meaning the current packet matches no global rule, and the whole matching process terminates early.
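To make the bitmap construction and the Fig. 4 loop concrete, the following Python is an added example (not code from the patent or from the applicant): it builds the Fig. 3 rule-index bitmaps from the Table 1 rules, runs both worked examples above, and also covers the incremental parameter-set update and the priority tie-break described in Embodiment two. Dimension names, rule names and priorities are assumptions, and the tables are keyed by the known parameter values with "contains" and "does not contain" evaluated as rule value against key, because that is what reproduces the page's Fig. 3 bitmaps.

```python
"""Per-dimension rule-index bitmaps (Fig. 3) and the AND-based matching loop (Fig. 4),
driven by the Table 1 rules. Added example, not the patent's own code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Match mode per dimension, evaluated as rel(rule_value, key): a packet whose value in
# the dimension is `key` hits every rule whose configured value satisfies rel. Keying
# the tables this way reproduces the page's bitmaps, e.g. "oracle" -> rules 0 and 3.
MATCH_MODES: Dict[str, Callable[[str, str], bool]] = {
    "equal": lambda rule_value, key: rule_value == key,
    "not_equal": lambda rule_value, key: rule_value != key,
    "contains": lambda rule_value, key: key in rule_value,
    "not_contains": lambda rule_value, key: key not in rule_value,
}


@dataclass
class GlobalRule:
    name: str
    values: Dict[str, str]  # dimension -> specific match parameter
    action: str             # "audit" or "do not audit"
    priority: int = 0       # tie-break when several rules match (Embodiment two)


@dataclass
class RuleIndex:
    dimensions: Dict[str, str]  # dimension -> match mode name, in matching order
    rules: List[GlobalRule] = field(default_factory=list)
    # dimension -> parameter set: {specific match parameter -> bitmap of global rules}
    tables: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def add_rule(self, rule: GlobalRule) -> None:
        """Register global rule n and update every dimension's parameter set: existing
        parameters only gain a membership bit for rule n, a parameter not seen before
        is added to the set and its bitmap is built against all rules."""
        n = len(self.rules)
        self.rules.append(rule)
        for dim, mode in self.dimensions.items():
            rel = MATCH_MODES[mode]
            table = self.tables.setdefault(dim, {})
            new_value = rule.values[dim]
            for key, bits in list(table.items()):
                if rel(new_value, key):
                    table[key] = bits | (1 << n)
            if new_value not in table:
                table[new_value] = sum(
                    1 << i for i, r in enumerate(self.rules) if rel(r.values[dim], new_value))

    def match(self, packet: Dict[str, str]) -> Tuple[int, List[Tuple[str, int, int]]]:
        """Fig. 4 loop. Returns the final bitmap (bit n set = global rule n matched) and a
        trace of (dimension, dimension bitmap di, running result r) per step taken."""
        r = (1 << len(self.rules)) - 1  # step 1: all ones, 0xf for four rules
        trace = []
        for dim in self.dimensions:      # step 2: one pass per dimension
            d = packet[dim]              # step 3: the packet's value in this dimension
            di = self.tables.get(dim, {}).get(d, 0)  # step 4: unseen value hits no rule
            r &= di                      # step 5: r = r & di
            trace.append((dim, di, r))
            if r == 0:                   # step 6: nothing can match any more, stop early
                break
        return r, trace                  # step 7

    def decide(self, packet: Dict[str, str]) -> Optional[GlobalRule]:
        """Resolve the bitmap to one target rule; highest priority wins ties."""
        r, _ = self.match(packet)
        hits = [i for i in range(len(self.rules)) if r >> i & 1]
        if not hits:
            return None
        return self.rules[max(hits, key=lambda i: self.rules[i].priority)]


DIMS = {"source_ip": "equal", "dst_port": "not_equal",
        "app_name": "contains", "db_name": "not_contains"}


def build_table1_index() -> RuleIndex:
    """Table 1 as described on the page (policy A rule = global rule 0, policy B rules =
    global rules 1-3). Rule 3's database name is taken as "d", the value Fig. 3 (d)
    preprocesses (an assumption; the prose prints it as "abcd"). Priorities are assumed."""
    idx = RuleIndex(DIMS)
    for name, vals, action, prio in [
        ("A-1", ("1.1.1.1", "1521", "oracle", "a"), "do not audit", 0),
        ("B-1", ("3.3.3.3", "1433", "SQL Server", "ab"), "audit", 1),
        ("B-2", ("5.5.5.5", "3306", "mysql", "abc"), "audit", 1),
        ("B-3", ("1.1.1.1", "1522", "Java oracle", "d"), "audit", 1),
    ]:
        idx.add_rule(GlobalRule(name, dict(zip(DIMS, vals)), action, prio))
    return idx


if __name__ == "__main__":
    idx = build_table1_index()
    for vals in (("1.1.1.1", "1521", "oracle", "abc"),   # first example on the page
                 ("2.2.2.2", "1522", "mysql", "a")):     # second example on the page
        pkt = dict(zip(DIMS, vals))
        r, trace = idx.match(pkt)
        print(vals, "->", f"r={r:04b}", [f"{d}: {di:04b} -> {rr:04b}" for d, di, rr in trace])
        rule = idx.decide(pkt)
        print("   target rule:", (rule.name, rule.action) if rule else "none matched")
```

The first packet narrows 0b1111 to 0b1000 (global rule 3, action audit) exactly as Fig. 5 shows, while the second stops after the source IP step with an all-zero result.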
Referring now to Fig. 6, which is a structural block diagram of a packet auditing system based on global rules provided by an embodiment of the present application, the system may include:
a complete packet splitting unit 100, configured to split the packet to be audited by each matching dimension contained in the matching dimension set, obtaining single-dimension packets equal in number to the matching dimensions; wherein each matching dimension corresponds, according to its distinct features, to its own data splitting mode, and each matching dimension also corresponds to a parameter set storing its specific match parameters;
a parameter matching unit 200, configured to perform parameter matching on each single-dimension packet using the parameter set of the corresponding matching dimension, obtaining the matching result for each specific match parameter;
a global rule determination unit 300, configured to determine the target global rule matched by the packet to be audited according to the matching results and the global rules to which each specific match parameter belongs, and to execute the audit action corresponding to the target global rule.
Further, the system may also include:
a parameter set updating unit, configured to update, when a new global rule is added, the new specific match parameters contained in the new global rule into the parameter set of the corresponding matching dimension.
Wherein the global rule determination unit 300 may include:
a target specific match parameter determination subunit, configured to determine, according to the matching results, the target specific match parameters matched by the packet to be audited;
a candidate rule set establishing subunit, configured to determine the global rules to which each target specific match parameter belongs, obtaining the candidate rule sets;
an AND operation subunit, configured to perform an AND operation on the candidate rule sets, obtaining an AND result;
a non-empty determination subunit, configured to determine, when the AND result is non-empty, that the packet to be audited matches the global rules contained in the AND result;
an empty set determination subunit, configured to determine, when the AND result is the empty set, that the packet to be audited matches none of the currently existing global rules.
Further, the system may also include:
a priority setting unit, configured to set different priorities for different global rules;
a unique target global rule determination unit, configured to determine the unique target global rule according to the priorities when more than one target global rule matches the packet to be audited.
Based on the above embodiments, the present application also provides a packet auditing device, which may include a memory and a processor, where a computer program is stored in the memory and the processor, when calling the computer program in the memory, can implement the steps provided by the above embodiments. Of course, the device may also include various necessary network interfaces, a power supply and other components.
The present application also provides a computer-readable storage medium on which a computer program is stored; when executed by an execution terminal or a processor, the computer program can implement the steps provided by the above embodiments. The storage medium may include a USB flash drive, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk or an optical disc, or any other medium capable of storing program code.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant details can be found in the description of the method.
Specific examples have been used herein to illustrate the principles and implementation of the present application; the above description of the embodiments is only intended to help understand the method of the present application and its core idea. A person skilled in the art may also make improvements and modifications to the present application without departing from its principles, and these improvements and modifications also fall within the scope of protection of the claims of the present application.
It should be noted that in this specification relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.

Claims (10)

1. A packet auditing method based on global rules, characterized by comprising:
splitting a packet to be audited by each matching dimension contained in a matching dimension set, respectively, to obtain single-dimension packets equal in number to the matching dimensions; wherein each matching dimension corresponds, according to its distinct features, to its own data splitting mode, and a parameter set storing specific match parameters also corresponds to each matching dimension;
performing parameter matching on each single-dimension packet using the parameter set of the corresponding matching dimension, to obtain a matching result for each specific match parameter;
determining, according to the matching results and the global rules to which each specific match parameter belongs, a target global rule matched by the packet to be audited, and executing the audit action corresponding to the target global rule.
2. The method according to claim 1, characterized in that it further comprises:
when a new global rule is added, updating the new specific match parameters contained in the new global rule into the parameter set of the corresponding matching dimension.
3. The method according to claim 1, characterized in that determining the target global rule matched by the packet to be audited according to the matching results and the global rules to which each specific match parameter belongs comprises:
determining, according to the matching results, the target specific match parameters matched by the packet to be audited;
determining the global rules to which each target specific match parameter belongs, to obtain candidate rule sets;
performing an AND operation on the candidate rule sets, to obtain an AND result;
when the AND result is non-empty, determining that the packet to be audited matches the global rules contained in the AND result;
when the AND result is the empty set, determining that the packet to be audited matches none of the currently existing global rules.
4. The method according to any one of claims 1 to 3, characterized in that it further comprises:
setting different priorities for different global rules;
when more than one target global rule matches the packet to be audited, determining the unique target global rule according to the priorities.
5. A packet auditing system based on global rules, characterized by comprising:
a complete packet splitting unit, configured to split the packet to be audited by each matching dimension contained in the matching dimension set, respectively, to obtain single-dimension packets equal in number to the matching dimensions; wherein each matching dimension corresponds, according to its distinct features, to its own data splitting mode, and a parameter set storing specific match parameters also corresponds to each matching dimension;
a parameter matching unit, configured to perform parameter matching on each single-dimension packet using the parameter set of the corresponding matching dimension, to obtain a matching result for each specific match parameter;
a global rule determination unit, configured to determine, according to the matching results and the global rules to which each specific match parameter belongs, the target global rule matched by the packet to be audited, and to execute the audit action corresponding to the target global rule.
6. The system according to claim 5, characterized in that it further comprises:
a parameter set updating unit, configured to update, when a new global rule is added, the new specific match parameters contained in the new global rule into the parameter set of the corresponding matching dimension.
7. The system according to claim 5, characterized in that the global rule determination unit comprises:
a target specific match parameter determination subunit, configured to determine, according to the matching results, the target specific match parameters matched by the packet to be audited;
a candidate rule set establishing subunit, configured to determine the global rules to which each target specific match parameter belongs, to obtain candidate rule sets;
an AND operation subunit, configured to perform an AND operation on the candidate rule sets, to obtain an AND result;
a non-empty determination subunit, configured to determine, when the AND result is non-empty, that the packet to be audited matches the global rules contained in the AND result;
an empty set determination subunit, configured to determine, when the AND result is the empty set, that the packet to be audited matches none of the currently existing global rules.
8. The system according to any one of claims 5 to 7, characterized in that it further comprises:
a priority setting unit, configured to set different priorities for different global rules;
a unique target global rule determination unit, configured to determine the unique target global rule according to the priorities when more than one target global rule matches the packet to be audited.
9. A packet auditing device, characterized by comprising:
a memory, configured to store a computer program;
a processor, configured to implement, when executing the computer program, the steps of the packet auditing method based on global rules according to any one of claims 1 to 4.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the packet auditing method based on global rules according to any one of claims 1 to 4 are implemented.
CN201811141058.2A 2018-09-28 2018-09-28 Data packet auditing method, system, device and storage medium based on global rule Active CN109376546B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811141058.2A CN109376546B (en) 2018-09-28 2018-09-28 Data packet auditing method, system, device and storage medium based on global rule

Publications (2)

Publication Number Publication Date
CN109376546A true CN109376546A (en) 2019-02-22
CN109376546B CN109376546B (en) 2022-04-29

Family

ID=65402914

Country Status (1)

Country Link
CN (1) CN109376546B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112685611A (en) * 2020-12-31 2021-04-20 恒安嘉新(北京)科技股份公司 Data filtering method and device, storage medium and electronic equipment
CN113139797A (en) * 2020-02-18 2021-07-20 国网河北省电力有限公司 High-efficiency power auditing method based on satellite map technology
CN113395213A (en) * 2021-06-10 2021-09-14 哲库科技(北京)有限公司 Configuration method of routing table item, storage medium, electronic equipment and mobile terminal

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101753542A (en) * 2008-12-03 2010-06-23 北京天融信网络安全技术有限公司 Method and device for speeding up matching of filter rules of firewalls
US20120102543A1 (en) * 2010-10-26 2012-04-26 360 GRC, Inc. Audit Management System
CN103188042A (en) * 2011-12-31 2013-07-03 重庆重邮信科通信技术有限公司 Matching method and matching accelerator of Internet protocol (IP) data package
CN108462717A (en) * 2018-03-21 2018-08-28 北京理工大学 The firewall rule sets under discrimination optimization method of rule-based match hit rate and distribution variance

Also Published As

Publication number Publication date
CN109376546B (en) 2022-04-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant