CN113079172B - Audit strategy matching method and device - Google Patents


Info

Publication number
CN113079172B
Authority
CN
China
Prior art keywords
node
condition
identifier
global
traffic information
Legal status
Active
Application number
CN202110394387.3A
Other languages
Chinese (zh)
Other versions
CN113079172A (en)
Inventor
郑晓凤
唐涛
乐翔
楚兵
黄晓波
Current Assignee
Ningbo Helishi Information Security Research Institute Co ltd
Original Assignee
Ningbo Helishi Information Security Research Institute Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application provides an audit policy matching method and device. A state machine with a multi-branch tree structure stores the condition information included in the audit policies, which reduces conflicts between pieces of condition information, shortens the search time when an audit policy is looked up in the state machine, and improves the matching efficiency of audit policies. Representing the condition information by a condition global identifier also reduces the storage space of the state machine and saves memory.

Description

Audit strategy matching method and device
Technical Field
The application relates to the technical field of network security audit, in particular to a matching method and device of an audit strategy.
Background
The network security audit system generally monitors the state of the network in real time, detects intrusion behavior in the network, tracks network security events and retains network data based on a network audit strategy.
Matching the network audit policy is critical for the network security audit system, but how to match the network audit policy quickly has become a problem.
Disclosure of Invention
In order to solve the above technical problem, embodiments of the present application provide a matching method and apparatus for an audit policy, so as to achieve the purpose of matching the audit policy, and the technical scheme is as follows:
a matching method of an audit strategy comprises the following steps:
analyzing the network traffic to be processed to obtain at least one piece of traffic information;
selecting one of the at least one piece of flow information as to-be-used flow information, inputting the to-be-used flow information into a matching engine, and obtaining a conditional global identification corresponding to the to-be-used flow information;
acquiring an identifier of a non-leaf node in a pre-constructed state machine, and obtaining a sub-node identifier based on the identifier of the non-leaf node and the conditional global identifier, wherein the state machine is a state machine which distributes the conditional global identifier corresponding to conditional information included in an auditing strategy according to a multi-branch tree structure, and a path from a root node to a leaf node in the state machine corresponds to a complete auditing strategy;
judging whether the state machine can jump from the non-leaf node to a child node corresponding to the child node identifier or not;
if yes, judging whether the child node corresponding to the child node identification is a leaf node;
if the node is a leaf node, outputting the information of the auditing strategy corresponding to the path from the root node to the child node corresponding to the child node identifier;
and if not, returning to the step of selecting one of the at least one piece of traffic information as the traffic information to be used.
Optionally, the inputting the traffic information to be used to a matching engine to obtain a conditional global identifier corresponding to the traffic information to be used includes:
inputting the traffic information to be used into a matching engine, searching a hash value corresponding to the traffic information to be used in a pre-constructed first hash table by the matching engine, and if the hash value is found, taking the found hash value as a conditional global identifier corresponding to the traffic information to be used;
the first hash table includes mapping relationships between a plurality of pieces of condition information and their corresponding hash values, and the hash values corresponding to the pieces of condition information differ from each other.
Optionally, the inputting the traffic information to be used to a matching engine to obtain a conditional global identifier corresponding to the traffic information to be used includes:
inputting the traffic information to be used into a matching engine, calculating a hash value of the traffic information to be used by the matching engine, and using the hash value as a conditional global identifier of the traffic information to be used.
Optionally, the determining whether the state machine can jump from the non-leaf node to the child node corresponding to the child node identifier includes:
and judging whether the sub-node identification exists in the hash table of the non-leaf node in the state machine.
Optionally, the process of constructing the state machine includes:
acquiring a condition global identifier of a plurality of condition information of at least one to-be-installed auditing strategy, setting an identifier of a root node of a state machine as a set value, and taking the root node as a father node;
selecting one condition global identification from the condition global identifications of the plurality of condition information of the audit strategy to be installed as a condition global identification to be installed;
acquiring the global identifier of the condition to be installed, acquiring a hash value based on the global identifier of the condition to be installed and the identifier of the father node, and judging whether the hash value exists in a hash table of the father node or not;
if the hash value exists, returning to execute the step of selecting one condition global identifier from the condition global identifiers of the plurality of condition information of the audit strategy to be installed as a condition global identifier to be installed;
if the hash value does not exist, inserting the hash value into a hash table of the father node, taking a node corresponding to the global identifier of the condition to be installed as a child node of the father node, and inserting the child node into the state machine;
judging whether the audit strategy condition information corresponding to the global identifier of the condition to be installed is the last condition information of the audit strategy to be installed;
if not, taking the node corresponding to the condition global identifier to be installed as the parent node, and returning to the step of selecting one condition global identifier from the condition global identifiers of the plurality of pieces of condition information of the audit policy to be installed as the condition global identifier to be installed;
and if the condition information is the last condition information, mounting the index information of the audit strategy to be installed on the node corresponding to the global identification of the condition to be installed.
An apparatus for matching an audit policy, comprising:
the first obtaining module is used for analyzing the network traffic to be processed to obtain at least one piece of traffic information;
the first determining module is used for selecting one from at least one piece of flow information as the flow information to be used;
the second obtaining module is used for inputting the traffic information to be used into a matching engine and obtaining a conditional global identifier corresponding to the traffic information to be used;
a second determining module, configured to obtain an identifier of a non-leaf node in a pre-constructed state machine, and obtain a child node identifier based on the identifier of the non-leaf node and the conditional global identifier, where the state machine is a state machine that distributes conditional global identifiers corresponding to conditional information included in an audit policy according to a multi-way tree structure, and a path from a root node to a leaf node in the state machine corresponds to a complete audit policy;
a first judging module, configured to judge whether the state machine can jump from the non-leaf node to the child node corresponding to the child node identifier;
and a second judging module, configured to, when the state machine can jump from the non-leaf node to the child node corresponding to the child node identifier, judge whether that child node is a leaf node; if it is a leaf node, the output module outputs the information of the audit policy corresponding to the path from the root node to that child node, and if it is not a leaf node, the first determining module is executed again to select one of the at least one piece of traffic information as the traffic information to be used.
Optionally, the second determining module is specifically configured to:
inputting the traffic information to be used into a matching engine, searching a hash value corresponding to the traffic information to be used in a pre-constructed first hash table by the matching engine, and if the hash value is found, taking the found hash value as a conditional global identifier corresponding to the traffic information to be used;
the first hash table includes mapping relationships between a plurality of pieces of condition information and their corresponding hash values, and the hash values corresponding to the pieces of condition information differ from each other.
Optionally, the second determining module is specifically configured to:
inputting the traffic information to be used into a matching engine, calculating a hash value of the traffic information to be used by the matching engine, and using the hash value as a conditional global identifier of the traffic information to be used.
Optionally, the first determining module is specifically configured to:
and judging whether the sub-node identification exists in the hash table of the non-leaf node in the state machine.
Optionally, the apparatus further comprises: a build module to:
acquiring a condition global identifier of a plurality of condition information of at least one to-be-installed auditing strategy, setting an identifier of a root node of a state machine as a set value, and taking the root node as a father node;
selecting one condition global identification from the condition global identifications of the plurality of pieces of condition information of the audit strategy to be installed as a condition global identification to be installed;
acquiring the global identifier of the condition to be installed, obtaining a hash value based on the global identifier of the condition to be installed and the identifier of the father node, and judging whether the hash value exists in a hash table of the father node or not;
if the hash value exists, returning to execute the step of selecting one condition global identifier from the condition global identifiers of the plurality of condition information of the audit strategy to be installed as a condition global identifier to be installed;
if the hash value does not exist, inserting the hash value into a hash table of the father node, and taking the node corresponding to the global identifier of the condition to be installed as a child node of the father node and inserting the child node into the state machine;
judging whether the audit strategy condition information corresponding to the global identifier of the condition to be installed is the last condition information of the audit strategy to be installed;
if not, taking the node corresponding to the condition global identifier to be installed as the parent node, and returning to the step of selecting one condition global identifier from the condition global identifiers of the plurality of pieces of condition information of the audit policy to be installed as the condition global identifier to be installed;
and if the condition information is the last condition information, mounting the index information of the audit strategy to be installed on the node corresponding to the global identifier of the condition to be installed.
Compared with the prior art, the beneficial effect of this application is:
in the application, the condition information included by the audit strategy is stored by adopting the state machine with the multi-branch tree structure, so that the conflict between the condition information can be reduced, the searching time can be shortened when the audit strategy is searched in the state machine, and the efficiency of audit strategy matching is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive labor.
Fig. 1 is a schematic flowchart of embodiment 1 of a matching method for an audit policy provided in the present application;
FIG. 2 is a flow chart of a method for constructing a state machine provided by the present application;
FIG. 3 is a flow chart of embodiment 2 of an auditing strategy matching method provided by the present application;
FIG. 4 is a flow chart of embodiment 3 of the matching method of the audit policy provided by the present application;
fig. 5 is a schematic logical structure diagram of a matching device for an audit policy provided in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Next, a method for matching an audit policy disclosed in an embodiment of the present application is introduced, and as shown in fig. 1, a flowchart of embodiment 1 of the method for matching an audit policy provided by the present application may include the following steps:
and step S11, analyzing the network traffic to be processed to obtain at least one piece of traffic information.
The traffic information may be, but is not limited to, IP address, port, protocol, or traffic content information.
Step S12, selecting one from at least one of the traffic information as traffic information to be used.
And step S13, inputting the traffic information to be used into a matching engine, and obtaining a conditional global identifier corresponding to the traffic information to be used.
And step S14, acquiring the identification of the non-leaf node in a pre-constructed state machine, and acquiring the sub-node identification based on the identification of the non-leaf node and the conditional global identification.
The state machine is used for distributing condition global identification corresponding to condition information included in the auditing strategy according to a multi-branch tree structure, and a path from a root node to a leaf node in the state machine corresponds to a complete auditing strategy.
It will be appreciated that a complete audit policy consists of a plurality of condition information.
It should be noted that the identity of each node in the state machine is different.
In this embodiment, referring to fig. 2, a process for building the state machine may include, but is not limited to, the following steps as shown in fig. 2:
step S141, obtaining a condition global identification of a plurality of condition information of at least one to-be-installed auditing strategy, setting an identification of a root node of a state machine as a set value, and taking the root node as a father node.
The condition global identifications of all condition information of the audit strategy to be installed are different. The determination process of the conditional global identity of each condition information may be, but is not limited to: and calculating the hash value of each piece of condition information by using a set hash algorithm, and taking the calculated hash value as the condition global identification of the condition information.
And step S142, selecting one condition global identification from the condition global identifications of the plurality of condition information of the audit strategies to be installed as the condition global identification to be installed.
Step S143, obtaining the condition global identifier to be installed, and obtaining a hash value based on the condition global identifier to be installed and the identifier of the parent node.
Step S144, determining whether the hash value exists in the hash table of the parent node.
If the hash value exists, returning to execute the step S142; if the hash value does not exist, step S145 is executed.
And S145, inserting the hash value into a hash table of the father node, taking the node corresponding to the global identifier of the condition to be installed as a child node of the father node, and inserting the child node into the state machine.
Step S146, judging whether the audit strategy condition information corresponding to the global identifier of the condition to be installed is the last condition information of the audit strategy to be installed;
if not, go to step S147; if yes, go to step S148.
And step S147, taking the node corresponding to the global identifier of the condition to be installed as a father node, and returning to execute the step S142.
And S148, mounting the index information of the audit strategy to be installed on the node corresponding to the global identifier of the condition to be installed.
The index information may be, but is not limited to: the memory address in the memory.
And step S15, judging whether the state machine can jump from the non-leaf node to the child node corresponding to the child node identification.
If yes, go to step S16.
In this embodiment, the step of determining whether the state machine can jump from the non-leaf node to the child node corresponding to the child node identifier may include:
and judging whether the sub-node identification exists in the hash table of the non-leaf node in the state machine.
And step S16, judging whether the child node corresponding to the child node identification is a leaf node.
If yes, go to step S17; if not, the process returns to step S12.
And step S17, outputting the information of the auditing strategy corresponding to the path from the root node to the child node corresponding to the child node identifier.
In this embodiment, when step S16 determines that the child node corresponding to the child node identifier is a leaf node, the information of the audit policy corresponding to the path from the root node to that child node, which is mounted on the leaf node, is obtained from the leaf node and then output.
In the method, the condition information included by the audit strategy is stored by adopting the state machine with the multi-branch tree structure, so that the conflict between the condition information can be reduced, the searching time can be shortened when the audit strategy is searched in the state machine, and the efficiency of audit strategy matching is improved.
And the condition global identification represents the condition information, so that the storage space of the state machine can be reduced, and the memory space is saved.
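The construction procedure of steps S141 to S148 and the matching procedure of steps S11 to S17, carried through as an added Python example; this is not code from the patent or its assignee. It assumes "key=value" strings as the textual form of both condition information and traffic information, truncated SHA-256 as the set hash algorithm for condition global identifiers and for child node identifiers, and an in-memory policy index as the mounted index information; it also generalises the text in two labelled ways: a child already present in the parent's hash table is descended into so policies sharing a prefix share nodes, and when the state machine cannot jump the next piece of traffic information is tried, so every matchable order is explored.

```python
import hashlib
from dataclasses import dataclass, field


def condition_gid(condition: str) -> str:
    """Condition global identifier: hash of one piece of condition information
    under the set hash algorithm (assumption: SHA-256 truncated to 64 bits)."""
    return hashlib.sha256(condition.encode("utf-8")).hexdigest()[:16]


def child_node_id(parent_id: str, gid: str) -> str:
    """Child node identifier derived from the parent identifier and the condition
    global identifier, so every node in the state machine has a distinct identity."""
    return hashlib.sha256(f"{parent_id}/{gid}".encode("utf-8")).hexdigest()[:16]


@dataclass
class Node:
    node_id: str
    # hash table of the node: child node identifier -> child node
    table: dict = field(default_factory=dict)
    # index information of the audit policies mounted on this node (end of a path)
    policies: list = field(default_factory=list)


ROOT_ID = "root"  # the "set value" used as the root node identifier


class PolicyStateMachine:
    """Multi-branch tree state machine; each root-to-leaf path is one audit policy."""

    def __init__(self) -> None:
        self.root = Node(ROOT_ID)
        # first hash table (embodiment 2): condition information -> condition gid
        self.first_hash_table: dict = {}

    def install(self, policy_index: int, conditions: list) -> None:
        """Steps S141-S148: thread the policy's condition gids into the tree."""
        parent = self.root
        for position, condition in enumerate(conditions):
            gid = condition_gid(condition)
            self.first_hash_table[condition] = gid
            cid = child_node_id(parent.node_id, gid)  # S143
            child = parent.table.get(cid)  # S144: is the hash in the parent's table?
            if child is None:
                child = parent.table[cid] = Node(cid)  # S145: insert the child
            # assumption: an existing child is shared with policies of the same prefix
            if position == len(conditions) - 1:
                child.policies.append(policy_index)  # S148: mount index information
            parent = child  # S147: the child becomes the parent for the next gid

    def match(self, traffic_infos: list) -> list:
        """Steps S12-S17; returns the index information of every matched policy."""
        matched = set()

        def walk(node: Node, remaining: list) -> None:
            if node.policies:  # S17: a complete policy path ends here
                matched.update(node.policies)
            for i, info in enumerate(remaining):  # S12: pick traffic information
                gid = self.first_hash_table.get(info)  # S13 via the first hash table
                if gid is None:
                    continue  # no installed policy mentions this traffic information
                cid = child_node_id(node.node_id, gid)  # S14
                child = node.table.get(cid)  # S15: can the machine jump?
                if child is None:
                    continue  # assumption: try the next piece of traffic information
                walk(child, remaining[:i] + remaining[i + 1:])  # S16 -> S12

        walk(self.root, list(traffic_infos))
        return sorted(matched)


def parse_traffic(flow: dict) -> list:
    """Step S11: turn parsed flow fields (IP, port, protocol, ...) into 'key=value'
    traffic information, the same textual form the policy conditions use."""
    return [f"{k}={v}" for k, v in flow.items()]


def build_demo_machine() -> PolicyStateMachine:
    """Constructed sample policies (not taken from the patent)."""
    machine = PolicyStateMachine()
    policies = [
        ["proto=tcp", "dst_port=22"],                     # 0: SSH
        ["proto=tcp", "dst_port=3389"],                   # 1: RDP, shares the proto node with 0
        ["src_ip=10.0.0.5", "proto=tcp", "dst_port=22"],  # 2: SSH from one host
        ["proto=udp", "dst_port=53"],                     # 3: DNS
    ]
    for index, conditions in enumerate(policies):
        machine.install(index, conditions)
    return machine


if __name__ == "__main__":
    m = build_demo_machine()
    flow = {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "proto": "tcp", "dst_port": "22"}
    print(m.match(parse_traffic(flow)))  # [0, 2]
```

Computing `condition_gid(info)` directly instead of looking it up in `first_hash_table` is the embodiment 3 variant and yields the same identifier; the lookup additionally tells the engine which traffic information no policy refers to.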
As another optional embodiment of the present application, referring to fig. 3, a schematic flow chart of embodiment 2 of a matching method of an audit policy provided by the present application is provided, where this embodiment mainly relates to a refinement scheme of the matching method of the audit policy described in the above embodiment 1, as shown in fig. 3, the method may include, but is not limited to, the following steps:
and step S21, analyzing the network traffic to be processed to obtain at least one piece of traffic information.
Step S22, selecting one from at least one of the traffic information as traffic information to be used.
The detailed procedures of steps S21-S22 can be found in the related descriptions of steps S11-S12 in embodiment 1, and are not repeated herein.
Step S23, inputting the traffic information to be used to a matching engine, searching, by the matching engine, a hash value corresponding to the traffic information to be used in a first hash table that is pre-constructed, and if the hash value is found, using the found hash value as a conditional global identifier corresponding to the traffic information to be used.
The first hash table includes mapping relationships between a plurality of pieces of condition information and their corresponding hash values, and the hash values corresponding to the pieces of condition information differ from each other.
The building process of the first hash table may include:
and calculating hash values of each condition information included in the plurality of to-be-installed auditing strategies by using a set hash algorithm, and forming a first hash table by mapping relations between the hash values and the condition information.
Step S23 is a specific implementation manner of step S13 in example 1.
And step S24, acquiring the identification of the non-leaf node in a pre-constructed state machine, and acquiring the sub-node identification based on the identification of the non-leaf node and the conditional global identification.
The state machine is used for distributing condition global identification corresponding to condition information included in the auditing strategy according to a multi-branch tree structure, and a path from a root node to a leaf node in the state machine corresponds to a complete auditing strategy.
Step S25, judging whether the state machine can jump from the non-leaf node to the child node corresponding to the child node identification;
if yes, go to step S26.
Step S26, judging whether the child node corresponding to the child node identification is a leaf node;
if yes, go to step S27; if not, the process returns to step S22.
And step S27, outputting the information of the auditing strategy corresponding to the path from the root node to the child node corresponding to the child node identification.
The detailed procedures of steps S24-S27 can be found in the related descriptions of steps S14-S17 in embodiment 1, and are not repeated herein.
In this embodiment, the traffic information to be used is input to the matching engine, and the matching engine looks up the hash value corresponding to the traffic information to be used in the pre-constructed first hash table, so that the search time can be shortened and the efficiency of matching the audit policy is further improved.
As another optional embodiment of the present application, referring to fig. 4, a schematic flow chart of embodiment 3 of a matching method of an audit policy provided by the present application is provided, where this embodiment mainly relates to a refinement scheme of the matching method of the audit policy described in the above embodiment 1, as shown in fig. 4, the method may include, but is not limited to, the following steps:
and step S31, analyzing the network traffic to be processed to obtain at least one piece of traffic information.
Step S32, selecting one from at least one of the traffic information as traffic information to be used.
The detailed procedures of steps S31-S32 can be found in the related descriptions of steps S11-S12 in embodiment 1, and are not repeated herein.
Step S33, inputting the traffic information to be used into a matching engine, calculating a hash value of the traffic information to be used by the matching engine, and using the hash value as a conditional global identifier of the traffic information to be used.
The matching engine may calculate the hash value of the traffic information to be used by using a set hash algorithm.
Step S33 is a specific implementation manner of step S13 in example 1.
And step S34, acquiring the identification of the non-leaf node in a pre-constructed state machine, and acquiring the sub-node identification based on the identification of the non-leaf node and the conditional global identification.
The state machine is used for distributing condition global identification corresponding to condition information included in the auditing strategy according to a multi-branch tree structure, and a path from a root node to a leaf node in the state machine corresponds to a complete auditing strategy.
Step S35, judging whether the state machine can jump from the non-leaf node to the child node corresponding to the child node identification;
if yes, go to step S36.
Step S36, judging whether the child node corresponding to the child node identification is a leaf node;
if yes, go to step S37; if not, the process returns to step S32.
And step S37, outputting the information of the auditing strategy corresponding to the path from the root node to the child node corresponding to the child node identification.
The detailed procedures of steps S34-S37 can be found in the related descriptions of steps S14-S17 in embodiment 1, and are not repeated herein.
Next, a matching device of the audit policy provided by the present application is introduced, and the matching device of the audit policy described below and the matching method of the audit policy described above may be referred to correspondingly.
Referring to fig. 5, the matching device of the audit policy includes: the device comprises a first obtaining module 100, a first determining module 200, a second obtaining module 300, a second determining module 400, a first judging module 500, a second judging module 600 and an output module 700.
The first obtaining module 100 is configured to analyze network traffic to be processed to obtain at least one piece of traffic information.
A first determining module 200, configured to select one of the at least one piece of traffic information as the to-be-used traffic information.
A second obtaining module 300, configured to input the traffic information to be used to a matching engine, and obtain a conditional global identifier corresponding to the traffic information to be used.
A second determining module 400, configured to obtain an identifier of a non-leaf node in a pre-constructed state machine, and obtain a sub-node identifier based on the identifier of the non-leaf node and the conditional global identifier, where the state machine is a state machine that distributes conditional global identifiers corresponding to condition information included in an auditing policy according to a multi-way tree structure, and a path from a root node to a leaf node in the state machine corresponds to a complete auditing policy.
A first judging module 500, configured to judge whether the state machine can jump from the non-leaf node to the child node corresponding to the child node identifier.
A second judging module 600, configured to, when the state machine jumps from the non-leaf node to the child node corresponding to the child node identifier, judge whether that child node is a leaf node; if it is a leaf node, execute the output module 700 to output the information of the audit policy corresponding to the path from the root node to that child node, and if it is not a leaf node, execute the first determining module 200 to select one of the at least one piece of traffic information as the traffic information to be used.
In this embodiment, the second determining module 400 may be specifically configured to:
inputting the traffic information to be used into a matching engine, searching a hash value corresponding to the traffic information to be used in a pre-constructed first hash table by the matching engine, and if the hash value is found, taking the found hash value as a conditional global identifier corresponding to the traffic information to be used;
the first hash table includes mapping relationships between a plurality of pieces of condition information and their corresponding hash values, and the hash values corresponding to the pieces of condition information differ from each other.
In this embodiment, the second determining module 400 may be specifically configured to:
inputting the traffic information to be used into a matching engine, calculating a hash value of the traffic information to be used by the matching engine, and using the hash value as a conditional global identifier of the traffic information to be used.
In this embodiment, the first determining module 500 may be specifically configured to:
judging whether the child node identifier exists in the hash table of the non-leaf node in the state machine.
In this embodiment, the apparatus may further include: a build module to:
acquiring the conditional global identifiers of the plurality of pieces of condition information of at least one audit policy to be installed, setting the identifier of the root node of the state machine to a set value, and taking the root node as the parent node;
selecting one conditional global identifier from the conditional global identifiers of the plurality of pieces of condition information of the audit policy to be installed as the conditional global identifier to be installed;
acquiring the conditional global identifier to be installed, obtaining a hash value based on the conditional global identifier to be installed and the identifier of the parent node, and judging whether the hash value exists in the hash table of the parent node;
if the hash value exists, returning to the step of selecting one conditional global identifier from the conditional global identifiers of the plurality of pieces of condition information of the audit policy to be installed as the conditional global identifier to be installed;
if the hash value does not exist, inserting the hash value into the hash table of the parent node, taking the node corresponding to the conditional global identifier to be installed as a child node of the parent node, and inserting the child node into the state machine;
judging whether the condition information of the audit policy corresponding to the conditional global identifier to be installed is the last condition information of the audit policy to be installed;
if not, taking the node corresponding to the conditional global identifier to be installed as the parent node, and returning to the step of selecting one conditional global identifier from the conditional global identifiers of the plurality of pieces of condition information of the audit policy to be installed as the conditional global identifier to be installed;
and if it is the last condition information, mounting the index information of the audit policy to be installed on the node corresponding to the conditional global identifier to be installed.
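The matching flow of modules 400 to 700 and the build procedure of the build module above (restated in claims 1 and 5), as an added Python example that is not the patent's own code. Assumptions not taken from the page: the conditional global identifier is the SHA-256 digest of a condition string registered in a claim-2-style first hash table, the child node identifier is the SHA-256 digest of the parent identifier joined with the conditional global identifier, the root's set value is the string "root", a node carrying mounted policy index information is treated as the leaf of its policy path, and at each node the matcher tries each not-yet-used piece of traffic information until one leads to an existing child.

```python
import hashlib

ROOT_ID = "root"  # assumed "set value" for the root node identifier


class MatchingEngine:
    """Claim-2 style engine: a pre-built first hash table mapping each piece of
    condition information to a pairwise distinct conditional global identifier."""

    def __init__(self):
        self.first_hash_table = {}

    def register(self, cond):
        # Assumed hash: full SHA-256 of the condition text, so distinct
        # conditions get distinct identifiers with negligible collision risk.
        return self.first_hash_table.setdefault(
            cond, hashlib.sha256(cond.encode()).hexdigest())

    def lookup(self, traffic_info):
        # None means this traffic info equals no installed policy condition.
        return self.first_hash_table.get(traffic_info)


def child_identifier(parent_id, cond_gid):
    # Child node identifier derived from the parent identifier and the
    # conditional global identifier (assumed construction: SHA-256 of both).
    return hashlib.sha256(f"{parent_id}/{cond_gid}".encode()).hexdigest()


class Node:
    def __init__(self, ident):
        self.ident = ident
        self.table = {}            # this node's hash table: child id -> Node
        self.policy_index = None   # index info mounted at the end of a policy


class StateMachine:
    def __init__(self, engine):
        self.engine = engine
        self.root = Node(ROOT_ID)

    def install(self, policy_index, conditions):
        """Build step: one tree level per condition, in policy order."""
        parent = self.root
        for cond in conditions:
            h = child_identifier(parent.ident, self.engine.register(cond))
            if h not in parent.table:      # hash absent: insert a new child
                parent.table[h] = Node(h)
            parent = parent.table[h]       # (existing or new) child becomes parent
        parent.policy_index = policy_index  # last condition: mount index info

    def match(self, traffic_infos):
        """Match step: walk from the root; returns the policy index or None."""
        node = self.root
        pending = list(traffic_infos)
        while pending:
            for info in pending:           # select a piece of traffic info to use
                gid = self.engine.lookup(info)
                if gid is None:
                    continue               # no policy condition matches this info
                h = child_identifier(node.ident, gid)
                if h in node.table:        # the state machine can jump to the child
                    node = node.table[h]
                    pending.remove(info)
                    break
            else:
                return None                # no remaining info allows a jump
            if node.policy_index is not None:   # treated as the leaf of a policy path
                return node.policy_index
        return None
```

Install each policy with `install(index, [conditions])` and call `match(traffic_infos)` with the pieces parsed from one flow; conditions and traffic pieces are plain strings here (for instance a constructed `"proto=modbus"`), and a flow whose pieces never reach a mounted node yields `None`.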
It should be noted that each embodiment is described mainly in terms of its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other. Since the apparatus embodiment is basically similar to the method embodiment, its description is brief, and for the relevant points reference may be made to the corresponding part of the description of the method embodiment.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present application may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments of the present application.
The audit policy matching method and device provided by the application have been introduced in detail above; a specific example is used in the description to explain the principle and implementation of the application, and the description of the above embodiments is intended only to help in understanding the method and core ideas of the application. At the same time, a person skilled in the art may, according to the idea of the present application, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as a limitation of the present application.

Claims (10)

1. A matching method for an audit policy, characterized by comprising the following steps:
analyzing the network traffic to be processed to obtain at least one piece of traffic information;
selecting one piece of the at least one piece of traffic information as traffic information to be used, inputting the traffic information to be used into a matching engine, and obtaining a conditional global identifier corresponding to the traffic information to be used;
acquiring an identifier of a non-leaf node in a pre-constructed state machine, and obtaining a child node identifier based on the identifier of the non-leaf node and the conditional global identifier, wherein the state machine distributes the conditional global identifiers corresponding to the traffic information included in an audit policy according to a multi-way tree structure, and a path from the root node to a leaf node in the state machine corresponds to one complete audit policy;
judging whether the state machine can jump from the non-leaf node to the child node corresponding to the child node identifier;
if yes, judging whether the child node corresponding to the child node identifier is a leaf node;
if it is a leaf node, outputting the information of the audit policy corresponding to the path from the root node to the child node corresponding to the child node identifier;
and if it is not a leaf node, returning to the step of selecting one piece of the at least one piece of traffic information as the traffic information to be used.
2. The method according to claim 1, wherein the inputting the traffic information to be used to a matching engine to obtain a conditional global identifier corresponding to the traffic information to be used comprises:
inputting the traffic information to be used into a matching engine, searching a hash value corresponding to the traffic information to be used in a pre-constructed first hash table by the matching engine, and if the hash value is found, taking the found hash value as a conditional global identifier corresponding to the traffic information to be used;
the first hash table includes a mapping relationship between a plurality of pieces of traffic information and hash values corresponding thereto, and the hash values corresponding to each piece of traffic information are different from each other.
3. The method according to claim 1, wherein the inputting the traffic information to be used to a matching engine to obtain a conditional global identifier corresponding to the traffic information to be used comprises:
inputting the traffic information to be used into a matching engine, calculating a hash value of the traffic information to be used by the matching engine, and using the hash value as a conditional global identifier of the traffic information to be used.
4. The method according to claim 1, wherein said judging whether the state machine can jump from the non-leaf node to the child node corresponding to the child node identifier comprises:
judging whether the child node identifier exists in the hash table of the non-leaf node in the state machine.
5. The method of claim 1, wherein the building process of the state machine comprises:
acquiring the conditional global identifiers of a plurality of pieces of traffic information of at least one audit policy to be installed, setting the identifier of the root node of the state machine to a set value, and taking the root node as the parent node;
selecting one of the conditional global identifiers of the plurality of pieces of traffic information of the audit policy to be installed as the conditional global identifier to be installed;
acquiring the conditional global identifier to be installed, obtaining a hash value based on the conditional global identifier to be installed and the identifier of the parent node, and judging whether the hash value exists in the hash table of the parent node;
if the hash value exists, returning to the step of selecting one conditional global identifier from the conditional global identifiers of the plurality of pieces of traffic information of the audit policy to be installed as the conditional global identifier to be installed;
if the hash value does not exist, inserting the hash value into the hash table of the parent node, taking the node corresponding to the conditional global identifier to be installed as a child node of the parent node, and inserting the child node into the state machine;
judging whether the traffic information of the audit policy corresponding to the conditional global identifier to be installed is the last traffic information of the audit policy to be installed;
if not, taking the node corresponding to the conditional global identifier to be installed as the parent node, and returning to the step of selecting one of the conditional global identifiers of the plurality of pieces of traffic information of the audit policy to be installed as the conditional global identifier to be installed;
and if it is the last traffic information, mounting the index information of the audit policy to be installed on the node corresponding to the conditional global identifier to be installed.
6. An apparatus for matching an audit policy, comprising:
a first obtaining module, configured to analyze the network traffic to be processed to obtain at least one piece of traffic information;
a first determining module, configured to select one piece of the at least one piece of traffic information as the traffic information to be used;
a second obtaining module, configured to input the traffic information to be used into a matching engine and obtain a conditional global identifier corresponding to the traffic information to be used;
a second determining module, configured to obtain an identifier of a non-leaf node in a pre-constructed state machine, and obtain a child node identifier based on the identifier of the non-leaf node and the conditional global identifier, wherein the state machine distributes the conditional global identifiers corresponding to the traffic information included in an audit policy according to a multi-way tree structure, and a path from the root node to a leaf node in the state machine corresponds to one complete audit policy;
a first judging module, configured to judge whether the state machine can jump from the non-leaf node to the child node corresponding to the child node identifier;
and a second judging module, configured to jump from the non-leaf node to the child node corresponding to the child node identifier in the state machine and judge whether that child node is a leaf node; if it is a leaf node, an output module is executed to output the information of the audit policy corresponding to the path from the root node to that child node, and if it is not a leaf node, the first determining module is executed to select one piece of the at least one piece of traffic information as the traffic information to be used.
7. The apparatus of claim 6, wherein the second determining module is specifically configured to:
inputting the traffic information to be used into a matching engine, searching a hash value corresponding to the traffic information to be used in a pre-constructed first hash table by the matching engine, and if the hash value is found, taking the found hash value as a conditional global identifier corresponding to the traffic information to be used;
the first hash table includes a mapping relationship between a plurality of pieces of traffic information and hash values corresponding thereto, and the hash values corresponding to each piece of traffic information are different from each other.
8. The apparatus of claim 6, wherein the second determining module is specifically configured to:
inputting the traffic information to be used into a matching engine, calculating a hash value of the traffic information to be used by the matching engine, and using the hash value as a conditional global identifier of the traffic information to be used.
9. The apparatus of claim 6, wherein the first determining module is specifically configured to:
judging whether the child node identifier exists in the hash table of the non-leaf node in the state machine.
10. The apparatus of claim 6, further comprising: a build module to:
acquiring the conditional global identifiers of a plurality of pieces of traffic information of at least one audit policy to be installed, setting the identifier of the root node of the state machine to a set value, and taking the root node as the parent node;
selecting one of the conditional global identifiers of the plurality of pieces of traffic information of the audit policy to be installed as the conditional global identifier to be installed;
acquiring the conditional global identifier to be installed, obtaining a hash value based on the conditional global identifier to be installed and the identifier of the parent node, and judging whether the hash value exists in the hash table of the parent node;
if the hash value exists, returning to the step of selecting one conditional global identifier from the conditional global identifiers of the plurality of pieces of traffic information of the audit policy to be installed as the conditional global identifier to be installed;
if the hash value does not exist, inserting the hash value into the hash table of the parent node, taking the node corresponding to the conditional global identifier to be installed as a child node of the parent node, and inserting the child node into the state machine;
judging whether the traffic information of the audit policy corresponding to the conditional global identifier to be installed is the last traffic information of the audit policy to be installed;
if not, taking the node corresponding to the conditional global identifier to be installed as the parent node, and returning to the step of selecting one of the conditional global identifiers of the plurality of pieces of traffic information of the audit policy to be installed as the conditional global identifier to be installed;
and if it is the last traffic information, mounting the index information of the audit policy to be installed on the node corresponding to the conditional global identifier to be installed.
CN202110394387.3A 2021-04-13 2021-04-13 Audit strategy matching method and device Active CN113079172B (en)

Publications (2)

Publication Number Publication Date
CN113079172A CN113079172A (en) 2021-07-06
CN113079172B true CN113079172B (en) 2022-08-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant