CN113765877A - Session identification method and device, electronic equipment and computer readable medium - Google Patents

Session identification method and device, electronic equipment and computer readable medium Download PDF

Info

Publication number
CN113765877A
CN113765877A CN202110180504.6A CN202110180504A CN113765877A CN 113765877 A CN113765877 A CN 113765877A CN 202110180504 A CN202110180504 A CN 202110180504A CN 113765877 A CN113765877 A CN 113765877A
Authority
CN
China
Prior art keywords
message
identifier
state
session
session structure
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110180504.6A
Other languages
Chinese (zh)
Inventor
刘遇哲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jingdong Century Trading Co Ltd, Beijing Wodong Tianjun Information Technology Co Ltd filed Critical Beijing Jingdong Century Trading Co Ltd
Priority to CN202110180504.6A priority Critical patent/CN113765877A/en
Publication of CN113765877A publication Critical patent/CN113765877A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/166IP fragmentation; TCP segmentation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22Parsing or analysis of headers

Abstract

The embodiment of the disclosure discloses a session identification method, a session identification device, an electronic device and a computer readable medium. One embodiment of the method comprises: extracting information of the message in the cache to obtain quintuple information, wherein the quintuple information comprises a session structure body identifier; matching a target session structure matched with the session structure identifier included in the quintuple information from a preset session structure library; in response to the successful matching, carrying out message state identification on the message to obtain a message state identifier; and updating the target session structure body based on the message state identification and a preset message state matching tree. This embodiment may improve the security of the network.

Description

Session identification method and device, electronic equipment and computer readable medium
Technical Field
Embodiments of the present disclosure relate to the field of computer technologies, and in particular, to a session identification method, an apparatus, an electronic device, and a computer-readable medium.
Background
The conversation identification method is a technology for identifying the conversation in the network flow. At present, a common session identification method is to perform character string identification on a session in traffic by using a character string identification engine in a mainstream detection system to obtain an identification result.
However, when the above method is adopted for session identification, the following technical problems often exist:
when one message in the session is divided into multiple segments for transmission, the string recognition engine is not easy to accurately recognize the session, so that the network risk in the session cannot be recognized, and the network security is reduced.
Disclosure of Invention
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
Some embodiments of the present disclosure propose a session identification method, apparatus, electronic device and computer readable medium to solve one or more of the technical problems mentioned in the background section above.
In a first aspect, some embodiments of the present disclosure provide a session identification method, including: extracting information of the message in the cache to obtain quintuple information, wherein the quintuple information comprises a session structure body identifier; matching a target session structure matched with the session structure identifier included in the quintuple information from a preset session structure library; in response to the successful matching, carrying out message state identification on the message to obtain a message state identifier; and updating the target session structure body based on the message state identification and a preset message state matching tree.
Optionally, the method further includes: in response to a failure to match, creating an initial session structure; and adding the message state identifier of the message to the initial session structure.
Optionally, the performing packet state identification on the packet to obtain a packet state identifier includes: and performing state recognition on the target character string included in the message to generate a state identifier as a message state recognition identifier.
Optionally, the target session structure includes a state tree; and updating the target session structure based on the message state identifier and a preset message state matching tree, including: in response to determining that a next hop node identifier exists in a preset next hop node identifier list and is matched with the message state identifier, determining a message transmission direction from the message state identifier to the matched next hop node identifier; in response to determining that the message transmission direction is the same as the transmission direction corresponding to the message state identifier, adding the message transmission direction as state information of a child node to the state tree, wherein the state tree is used for recording a jump relationship of the message from the message state identifier to the message matching identifier; and adding the quintuple information into the target session structure body to update the target session structure body.
Optionally, the updating the target session structure based on the message state identifier and a preset message state matching tree further includes: and taking the child node of the next hop node matched with the message state identifier in the message state matching tree as the next hop node to be matched to obtain a list of the next hop node identifiers to be matched, wherein the list of the next hop node identifiers to be matched is used for identifying the message corresponding to the message in the cache.
Optionally, the updating the target session structure based on the message state identifier and a preset message state matching tree further includes: and storing the depth value of the next hop node matched with the message state identifier in the message state matching tree to the node of the state tree corresponding to the message.
Optionally, the message further includes application information; and the above method further comprises: and in response to determining that the next hop node matched with the message state identifier is a leaf node of the message state matching tree, storing application information included in the message into the leaf node of the state tree to determine that the target session structure is updated, wherein the updated target session structure is used for representing a recognition result of a session corresponding to the message.
In a second aspect, some embodiments of the present disclosure provide a session identification apparatus, comprising: the message extraction unit is configured to extract the message in the cache to obtain quintuple information, wherein the quintuple information comprises a session structure body identifier; a selecting unit configured to match a target session structure matched with the session structure identifier included in the quintuple information from a preset session structure library; the message state identification unit is configured to respond to successful matching and carry out message state identification on the message to obtain a message state identifier; and the updating unit is configured to update the target session structure body based on the message state identifier and a preset message state matching tree.
Optionally, the session identification apparatus further includes: an initial session structure body creation unit configured to create an initial session structure body in response to a matching failure; and the initial session structure adding unit is configured to add the message state identifier of the message into the initial session structure.
Optionally, the message status identification unit is further configured to: and performing state recognition on the target character string included in the message to generate a state identifier as a message state recognition identifier.
Optionally, the target session structure includes a state tree; and the update unit is further configured to: in response to determining that a next hop node identifier exists in a preset next hop node identifier list and is matched with the message state identifier, determining a message transmission direction from the message state identifier to the matched next hop node identifier; in response to determining that the message transmission direction is the same as the transmission direction corresponding to the message state identifier, adding the message transmission direction as state information of a child node to the state tree, wherein the state tree is used for recording a jump relationship of the message from the message state identifier to the message matching identifier; and adding the quintuple information into the target session structure body to update the target session structure body.
Optionally, the update unit is further configured to: and taking the child node of the next hop node matched with the message state identifier in the message state matching tree as the next hop node to be matched to obtain a list of the next hop node identifiers to be matched, wherein the list of the next hop node identifiers to be matched is used for identifying the message corresponding to the message in the cache.
Optionally, the update unit is further configured to: and storing the depth value of the next hop node matched with the message state identifier in the message state matching tree to the node of the state tree corresponding to the message.
Optionally, the message further includes application information; and the update unit further includes: and the storage subunit is configured to, in response to determining that the next hop node matching the packet state identifier is a leaf node of the packet state matching tree, store application information included in the packet into the leaf node of the state tree to determine that the target session structure is updated, where the updated target session structure is used to represent a recognition result of a session corresponding to the packet.
In a third aspect, some embodiments of the present disclosure provide an electronic device, comprising: one or more processors; a storage device having one or more programs stored thereon, which when executed by one or more processors, cause the one or more processors to implement the method described in any of the implementations of the first aspect.
In a fourth aspect, some embodiments of the present disclosure provide a computer readable medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method described in any of the implementations of the first aspect.
The above embodiments of the present disclosure have the following advantages: by the session identification method of some embodiments of the disclosure, the security of the network can be improved. Specifically, the reason why the network security is not high is that: when one message in the session is divided into multiple segments for transmission, the string recognition engine cannot recognize the session, so that the network risk existing in the session cannot be recognized. Based on this, in the session identification method of some embodiments of the present disclosure, first, a session structure is introduced, which may be used to store the identification result of the packet corresponding to the same session. Therefore, when one message in a session is divided into a plurality of segments for transmission, the recognition results of the plurality of segments can be recorded in one session structure. Therefore, the introduced conversation structure body is used as the identification result for representing the conversation, and the identification of the conversation of the transmission of the message divided into a plurality of segments can be completed. Therefore, the situation that when one message in the session is divided into a plurality of segments for transmission, the session cannot be identified can be avoided. Thereby, it is made possible to identify the cyber risk existing in such a session to some extent. Furthermore, the security of the network is improved.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that elements and elements are not necessarily drawn to scale.
FIG. 1 is a schematic diagram of one application scenario of a session identification method according to some embodiments of the present disclosure;
fig. 2 is a flow diagram of some embodiments of a session identification method according to the present disclosure;
FIG. 3 is a schematic diagram of a message state matching tree in a session identification method according to some embodiments of the present disclosure;
FIG. 4 is a flow diagram of still further embodiments of a session identification method according to the present disclosure;
FIG. 5 is a schematic block diagram of some embodiments of a session identification apparatus according to the present disclosure;
FIG. 6 is a schematic structural diagram of an electronic device suitable for use in implementing some embodiments of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings. The embodiments and features of the embodiments in the present disclosure may be combined with each other without conflict.
It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.
It is noted that references to "a", "an", and "the" modifications in this disclosure are intended to be illustrative rather than limiting, and that those skilled in the art will recognize that "one or more" may be used unless the context clearly dictates otherwise.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Fig. 1 is a schematic diagram of an application scenario of a session identification method of some embodiments of the present disclosure.
In the application scenario of fig. 1, first, the computing device 101 may extract information of the packet 102 in the cache to obtain five-tuple information 103, where the five-tuple information 103 includes a session structure identifier 1031. As an example, the above-mentioned five tuple information 103 may be [ message source IP (internet protocol address): 192. 1.1, message source port 2020, message destination IP: 192. 2.2, message destination port number 2021, session fabric identifier 10. Then, the computing device 101 may match out the target session structure 105 matching the session structure identifier 1031 included in the above five tuple information from the preset session structure library 104. Then, in response to a successful match, the computing device 101 may perform message state recognition on the message 102 to obtain the message state identifier 106. As an example, the packet status identifier 106 may be: and (II) performing secondary filtration. Finally, the computing device 101 may update the target session structure 105 based on the message state identifier 106 and a predetermined message state matching tree 107.
The computing device 101 may be hardware or software. When the computing device is hardware, it may be implemented as a distributed cluster composed of multiple servers or terminal devices, or may be implemented as a single server or a single terminal device. When the computing device is embodied as software, it may be installed in the hardware devices enumerated above. It may be implemented, for example, as multiple software or software modules to provide distributed services, or as a single software or software module. And is not particularly limited herein.
It should be understood that the number of computing devices in FIG. 1 is merely illustrative. There may be any number of computing devices, as implementation needs dictate.
With continued reference to fig. 2, a flow diagram 200 of some embodiments of a session identification method according to the present disclosure is shown. The conversation identification method comprises the following steps:
step 201, extracting information of the message in the cache to obtain five-tuple information.
In some embodiments, an execution body (e.g., the computing device 101 shown in fig. 1) of the session identification method may extract information of the packet in the cache, so as to obtain five-tuple information. The quintuple information may include a session structure identifier. The information extraction may be to select required information from the message as quintuple information. For example, the source IP, the source port number, the destination IP, the destination port number, and the session structure id of the packet may be selected from the above-mentioned packets. The session structure identifier may be a unique identifier of the session structure, and the session structure may be used to store an identification result of a packet corresponding to the same session.
As an example, the above five tuple information may be: [ message source IP: 192. 1.1, message source port 2020, message destination IP: 192. 2.2, message destination port number 2021, session fabric identifier 10.
Step 202, matching a target session structure matched with the session structure identifier included in the quintuple information from a preset session structure library.
In some embodiments, the execution subject may match a target session structure matching the session structure id included in the quintuple information from a preset session structure library. The session structure library may be composed of session structures corresponding to different identified sessions. The session structure may be a string. There is a unique identification key (i.e., session structure identification) for each session structure. Since each session will hold a key uniquely identified by the session structure. Therefore, each conversation structure can have a one-to-one correspondence with the conversation through the key. The matching may be that the session structure id is the same as the unique id key of one session structure in the session structure library.
And 203, responding to the successful matching, and performing message state identification on the message to obtain a message state identifier.
In some embodiments, the executing agent may perform packet status recognition on the packet in response to a successful matching, so as to obtain a packet status identifier. In response to the successful matching, it may be determined that the target session structure is successfully selected, and it may be characterized that at least one other packet in the session to which the packet belongs is identified. The message state recognition can be carried out in the following way: the message state recognition may be performed by a recognition algorithm (e.g., a Hyperscan flow pattern recognition method). The message state identifier may be a serial number used for uniquely identifying a character string in the message. For example, the message status identifier: and (II) performing secondary filtration.
And step 204, updating the target session structure based on the message state identifier and a preset message state matching tree.
In some embodiments, the executing agent may update the target session structure based on the packet status identifier and a preset packet status matching tree. The message state matching tree can represent a set of message migration conditions in a network and is used for detecting whether the transmission direction of the message is correct or not. As shown in fig. 3, the root node of the packet state matching tree may be labeled 0. Child nodes (e.g., (r), (g), etc.) may include unique identification sequence numbers for message strings. The leaf nodes (e.g., + r, ninc, r, etc.) may include: and the unique identification serial number sequence is formed by the unique identification serial numbers corresponding to the root node to the current leaf node. Specifically, the message state identifier and a corresponding child node in the message state matching tree may be determined, and the unique identifier serial number of the child node is added to the target session structure, so as to update the target session structure. In addition, because the message state identifier and the node in the message state matching tree are both serial numbers used for uniquely identifying the character string in the message, the child node of the message state identifier in the message state matching tree can be determined. Actually, each message in the cache is identified, and the identification result is added to the target session structural body corresponding to the message. When the message corresponding to a session is identified, it may indicate that the session is identified.
Optionally, the executing body may further include the following steps:
in a first step, an initial session structure is created in response to a failure to match. The matching failure may be a failure in determining that the target session structure is selected, and may represent that the packet is the first identified packet in the session to which the packet belongs. The initial session structure may be created by: and determining the session structure body identification different from the session structure body identification of each session structure body in the session structure body library as the unique identification of the created initial session structure body. For example, the session structure identifier of each session structure in the session structure library may be: [10001, 10002, 10003]. Then, the session structure identifier of the created initial session structure may be: "10004". Thereafter, the above five tuple information may be added to the created initial session structure body. The created initial session structure body may include a message state identifier field for storing a state identifier of the message.
As an example, the initial session structure created above may be "10004": "[ message source IP: 192. 1.1, message source port 2020, message destination IP: 192. 2.2, message destination port number 2021, session structure identifier 10004, message state identifier: [0]]".
And secondly, adding the message state identifier of the message into the initial session structure body. Specifically, the message state identifier of the message may be added to the message state identification field in the initial session structure, and a message state identifier transition symbol "→" may be added.
As an example, the message state identifier of the message may be: 1. then, the added initial session structure may be "10004": "[ message source IP: 192. 1.1, message source port 2020, message destination IP: 192. 2.2, message destination port number 2021, session structure identifier 10004, message state identifier: [0 → r ] ] ".
The above embodiments of the present disclosure have the following advantages: by the session identification method of some embodiments of the disclosure, the security of the network can be improved. Specifically, the reason why the network security is not high is that: when one message in the session is divided into multiple segments for transmission, the string recognition engine cannot recognize the session, so that the network risk existing in the session cannot be recognized. Based on this, in the session identification method of some embodiments of the present disclosure, first, a session structure is introduced, which may be used to store the identification result of the packet corresponding to the same session. Therefore, when one message in a session is divided into a plurality of segments for transmission, the recognition results of the plurality of segments can be recorded in one session structure. Therefore, the introduced conversation structure body is used as the identification result for representing the conversation, and the identification of the conversation of the transmission of the message divided into a plurality of segments can be completed. Therefore, the situation that when one message in the session is divided into a plurality of segments for transmission, the session cannot be identified can be avoided. Thereby, it is made possible to identify the cyber risk existing in such a session to some extent. Furthermore, the security of the network is improved.
With continued reference to fig. 4, fig. 4 illustrates a flow 400 of some embodiments of a session identification method according to the present disclosure. The conversation identification method comprises the following steps:
step 401, extracting information from the message in the cache to obtain five-tuple information.
Step 402, matching a target session structure matched with the session structure identifier included in the quintuple information from a preset session structure library.
In some embodiments, the specific implementation manner and technical effects of steps 401 and 402 can refer to steps 201 and 202 in the embodiments corresponding to fig. 2, which are not described herein again.
And 403, in response to the successful matching, performing message state identification on the message to obtain a message state identifier.
In some embodiments, the performing, by the executing agent, a message state identification of the message to obtain a message state identifier may include the following steps:
and performing message state identification on the target character string included in the message to generate a state identifier as a message state identification identifier. The message state recognition can be performed through an improved character string recognition algorithm (for example, a Hyperscan block pattern recognition method). The improved character string recognition algorithm can introduce a state tree, and the recognition result of the character string recognition algorithm can be used as a node of the state tree. The state tree may form a corresponding relationship with the session, and each node corresponds to an identification result of one packet in the session, and is used to characterize a state migration process of the packet in the session.
Step 404, in response to determining that the next hop node identifier in the preset list of next hop node identifiers matches the message state identifier, determining a message transmission direction from the message state identifier to the matched next hop node identifier.
In some embodiments, the executing body may determine a message transmission direction from the message status identifier to the matched next hop node identifier in response to determining that the next hop node identifier in the preset next hop node identifier list matches the message status identifier. The next hop node identifier list may be used to identify the packet corresponding to the packet in the cache. The message corresponding to the above message may be: and the session including the message belongs to. The matching may be that a next hop node identifier in the next hop node identifier list is the same as the message status identifier. The message transmission direction (e.g., response direction or request direction) from the determined message status identifier to the matched next hop node identifier may be: and acquiring the message transmission direction stored in the node corresponding to the matched next hop node representation identifier.
Step 405, in response to determining that the transmission direction of the packet is the same as the transmission direction corresponding to the packet status identifier, adding the packet transmission direction as the status information of the child node to the status tree.
In some embodiments, the executing agent may add the message transmission direction as state information of a child node to the state tree in response to determining that the message transmission direction is the same as the transmission direction corresponding to the message state identifier, where the target session structure may include a state tree. The state tree may be a string. The root node of the state tree may be 0, and each child node corresponds to each packet in the session to which the packet belongs, and is configured to store a packet transmission direction of the packet to represent a skip relationship between packet state identifiers. Therefore, the state tree may be used to record a skip relationship of the packet from the packet state identifier to the packet matching identifier. The determination that the transmission direction of the message is the same as the transmission direction corresponding to the message state identifier can represent that the transmission direction of the message is correct. Adding the message transmission direction as the state information of the child node to the state tree may be: the message transmission direction (e.g., the direction of the request) is added to the state tree as state information of the child node.
As an example, the state tree may be: [ root node: "0" → child node 1: "request direction" ].
And 406, adding the quintuple information to the target session structure body to update the target session structure body.
In some embodiments, the execution body may add the quintuple information to the target session structure to update the target session structure.
As an example, the above five tuple information may be: [ message source IP: 192. 1.1, message source port 2020, message destination IP: 192. 2.2, message destination port number 2021, session fabric identifier 10. The updated target session structure may be: "[ message source IP: 192. 1.1, message source port 2020, message destination IP: 192. 2.2, message destination port number 2021, session fabric identifier 10004, state tree: [ root node: "0" → child node 1: "request direction" ] ".
In some optional implementation manners of some embodiments, the execution main body may further take a child node of the next hop node matched with the packet state identifier in the packet state matching tree as a next hop node to be matched, so as to obtain a list of identifiers of the next hop node to be matched. The list of the next hop node identifiers to be matched is used for identifying the messages corresponding to the messages in the cache.
In some optional implementation manners of some embodiments, the execution main body may further store a depth value of the next-hop node matched with the packet state identifier in the packet state matching tree to a node of the state tree corresponding to the packet. Specifically, as shown in fig. 3, the next hop node matched with the message state identifier (r) may be (c). Then, the depth value of the matching tree in the above message state may be 3.
In some optional implementation manners of some embodiments, the message may further include application information, and the executing body may further store, in response to determining that the next-hop node matching the message state identifier is a leaf node of the message state matching tree, the application information included in the message into the leaf node of the state tree to determine that the target session structure update is completed. And the updated target session structure is used for representing the identification result of the session corresponding to the message. Specifically, it is determined that the next hop node matched with the packet status identifier is a leaf node of the packet status matching tree, which may indicate that the packet is the last packet identified in the session to which the packet belongs. It can also characterize that the session to which the message belongs is identified and completed.
As can be seen from fig. 4, compared with the description of some embodiments corresponding to fig. 2, the flow 400 of the session identification method of some embodiments corresponding to fig. 4 embodies a step of expanding the update of the target session structure. Whether the recognition result of the message state identification is accurate can be determined according to a preset message state matching tree. A state tree is introduced to record the message transmission direction and related information (e.g., depth value and application information, etc.) of the message. The method is used for representing the jumping states of different messages in the same session. Therefore, for the condition that one message is divided into a plurality of segments for transmission, the skip state of the plurality of segments of messages can be recorded to represent the recognition result of the message. Thus, the recognition capability of the session is further improved. Further, the security of the network is improved.
With further reference to fig. 5, as an implementation of the methods shown in the above figures, the present disclosure provides some embodiments of a session identification apparatus, which correspond to those shown in fig. 2, and which may be applied in various electronic devices.
As shown in fig. 5, the session identification apparatus 500 of some embodiments includes: an information extraction unit 501, a selection unit 502, a message state identification unit 503, and an update unit 504. The message extraction unit is configured to extract information of the message in the cache to obtain quintuple information, wherein the quintuple information comprises a session structure identifier; a selecting unit configured to match a target session structure matched with the session structure identifier included in the quintuple information from a preset session structure library; the message state identification unit is configured to respond to successful matching and carry out message state identification on the message to obtain a message state identifier; and the updating unit is configured to update the target session structure body based on the message state identifier and a preset message state matching tree.
In some optional implementations of some embodiments, the above-mentioned display data sending apparatus 500 further includes: an initial session structure body creation unit (not shown in the figure) configured to create an initial session structure body in response to a matching failure; and the initial session structure adding unit is configured to add the message state identifier of the message into the initial session structure.
In some optional implementations of some embodiments, the message state identification unit 503 is further configured to: and performing state recognition on the target character string included in the message to generate a state identifier as a message state recognition identifier.
In some optional implementations of some embodiments, the target session structure includes a state tree; and the update unit 504 is further configured to: in response to determining that a next hop node identifier exists in a preset next hop node identifier list and is matched with the message state identifier, determining a message transmission direction from the message state identifier to the matched next hop node identifier; in response to determining that the message transmission direction is the same as the transmission direction corresponding to the message state identifier, adding the message transmission direction as state information of a child node to the state tree, wherein the state tree is used for recording a jump relationship of the message from the message state identifier to the message matching identifier; and adding the quintuple information into the target session structure body to update the target session structure body.
In some optional implementations of some embodiments, the updating unit 504 is further configured to: and taking the child node of the next hop node matched with the message state identifier in the message state matching tree as the next hop node to be matched to obtain a list of the next hop node identifiers to be matched, wherein the list of the next hop node identifiers to be matched is used for identifying the message corresponding to the message in the cache.
In some optional implementations of some embodiments, the updating unit 504 is further configured to: and storing the depth value of the next hop node matched with the message state identifier in the message state matching tree to the node of the state tree corresponding to the message.
In some optional implementation manners of some embodiments, the message further includes application information; and the updating unit 504 further includes: and a storage subunit (not shown in the figure), configured to, in response to determining that the next hop node matching the packet state identifier is a leaf node of the packet state matching tree, store application information included in the packet into the leaf node of the state tree to determine that the target session structure is updated, where the updated target session structure is used to represent a recognition result of a session corresponding to the packet.
It will be understood that the elements described in the apparatus 500 correspond to various steps in the method described with reference to fig. 2. Thus, the operations, features and resulting advantages described above with respect to the method are also applicable to the apparatus 500 and the units included therein, and are not described herein again.
As shown in fig. 6, electronic device 600 may include a processing means (e.g., central processing unit, graphics processor, etc.) 601 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage means 608 into a Random Access Memory (RAM) 603. In the RAM603, various programs and data necessary for the operation of the electronic apparatus 600 are also stored. The processing device 601, the ROM 602, and the RAM603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
Generally, the following devices may be connected to the I/O interface 605: input devices 606 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 607 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 608 including, for example, tape, hard disk, etc.; and a communication device 609. The communication means 609 may allow the electronic device 600 to communicate with other devices wirelessly or by wire to exchange data. While fig. 6 illustrates an electronic device 600 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided. Each block shown in fig. 6 may represent one device or may represent multiple devices as desired.
In particular, according to some embodiments of the present disclosure, the processes described above with reference to the flow diagrams may be implemented as computer software programs. For example, some embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In some such embodiments, the computer program may be downloaded and installed from a network through the communication device 609, or installed from the storage device 608, or installed from the ROM 602. The computer program, when executed by the processing device 601, performs the above-described functions defined in the methods of some embodiments of the present disclosure.
It should be noted that the computer readable medium described above in some embodiments of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In some embodiments of the disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In some embodiments of the present disclosure, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, the clients, servers may communicate using any currently known or future developed network Protocol, such as HTTP (HyperText Transfer Protocol), and may interconnect with any form or medium of digital data communication (e.g., a communications network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), the Internet (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed network.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: extracting information of the message in the cache to obtain quintuple information, wherein the quintuple information comprises a session structure body identifier; matching a target session structure matched with the session structure identifier included in the quintuple information from a preset session structure library; in response to the successful matching, carrying out message state identification on the message to obtain a message state identifier; and updating the target session structure body based on the message state identification and a preset message state matching tree.
Computer program code for carrying out operations for embodiments of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C + +, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in some embodiments of the present disclosure may be implemented by software, and may also be implemented by hardware. The described units may also be provided in a processor, and may be described as: a processor includes an information extraction unit, a selection unit, a message state identification unit, and an update unit. The names of these units do not form a limitation on the unit itself in some cases, and for example, the updating unit may also be described as "a unit that updates the target session structure based on the message state identifier and a preset message state matching tree".
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention in the embodiments of the present disclosure is not limited to the specific combination of the above-mentioned features, but also encompasses other embodiments in which any combination of the above-mentioned features or their equivalents is made without departing from the inventive concept as defined above. For example, the above features and (but not limited to) technical features with similar functions disclosed in the embodiments of the present disclosure are mutually replaced to form the technical solution.

Claims (10)

1. A session identification method, comprising:
extracting information of the message in the cache to obtain quintuple information, wherein the quintuple information comprises a session structure body identifier;
matching a target session structure matched with the session structure identifier included in the quintuple information from a preset session structure library;
in response to the successful matching, carrying out message state identification on the message to obtain a message state identifier;
and updating the target session structural body based on the message state identification and a preset message state matching tree.
2. The method of claim 1, wherein the method further comprises:
in response to a failure to match, creating an initial session structure;
and adding the message state identifier of the message to the initial session structure body.
3. The method according to claim 1, wherein the performing packet state identification on the packet to obtain a packet state identifier comprises:
and performing state recognition on the target character string included in the message to generate a state identifier as a message state recognition identifier.
4. The method of claim 1, wherein the target session structure comprises a state tree; and
the updating the target session structure based on the message state identifier and a preset message state matching tree includes:
responding to the fact that the next hop node identification exists in a preset next hop node identification list and is matched with the message state identification, and determining the message transmission direction from the message state identification to the matched next hop node identification;
in response to determining that the message transmission direction is the same as the transmission direction corresponding to the message state identifier, adding the message transmission direction as state information of a child node to the state tree, wherein the state tree is used for recording a skip relation of the message from the message state identifier to the message matching identifier;
and adding the quintuple information into the target session structure body to update the target session structure body.
5. The method according to claim 4, wherein the updating the target session structure based on the packet status identifier and a preset packet status matching tree further comprises:
and taking the child node of the next hop node matched with the message state identifier in the message state matching tree as the next hop node to be matched to obtain a list of the next hop node identifiers to be matched, wherein the list of the next hop node identifiers to be matched is used for identifying the message corresponding to the message in the cache.
6. The method according to claim 5, wherein the updating the target session structure based on the packet status identifier and a preset packet status matching tree further comprises:
and storing the depth value of the next hop node matched with the message state identifier in the message state matching tree to the node of the state tree corresponding to the message.
7. The method of claim 5, wherein the message further comprises application information; and
the method further comprises the following steps:
and in response to determining that the next hop node matched with the message state identifier is a leaf node of the message state matching tree, storing application information included in the message into the leaf node of the state tree to determine that the target session structure is updated, wherein the updated target session structure is used for representing the recognition result of the session corresponding to the message.
8. A session identification apparatus comprising:
the message extraction unit is configured to extract information of the message in the cache to obtain quintuple information, wherein the quintuple information comprises a session structure body identifier;
a selecting unit configured to match a target session structure matched with the session structure identifier included in the quintuple information from a preset session structure library;
the message state identification unit is configured to respond to successful matching and carry out message state identification on the message to obtain a message state identifier;
and the updating unit is configured to update the target session structural body based on the message state identifier and a preset message state matching tree.
9. An electronic device, comprising:
one or more processors;
a storage device having one or more programs stored thereon,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-7.
10. A computer-readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the method of any one of claims 1-7.
CN202110180504.6A 2021-02-08 2021-02-08 Session identification method and device, electronic equipment and computer readable medium Pending CN113765877A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110180504.6A CN113765877A (en) 2021-02-08 2021-02-08 Session identification method and device, electronic equipment and computer readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110180504.6A CN113765877A (en) 2021-02-08 2021-02-08 Session identification method and device, electronic equipment and computer readable medium

Publications (1)

Publication Number Publication Date
CN113765877A true CN113765877A (en) 2021-12-07

Family

ID=78786617

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110180504.6A Pending CN113765877A (en) 2021-02-08 2021-02-08 Session identification method and device, electronic equipment and computer readable medium

Country Status (1)

Country Link
CN (1) CN113765877A (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007081933A (en) * 2005-09-15 2007-03-29 Hitachi Ltd Relay system and call admission method
CN101009660A (en) * 2007-01-19 2007-08-01 杭州华为三康技术有限公司 Universal method and device for processing the match of the segmented message mode
CN101562604A (en) * 2008-04-17 2009-10-21 北京启明星辰信息技术股份有限公司 Non-cache model matching method based on message flow data
US20100161795A1 (en) * 2008-12-22 2010-06-24 Kindsight Apparatus and method for multi-user nat session identification and tracking
CN102546363A (en) * 2010-12-21 2012-07-04 深圳市恒扬科技有限公司 Message processing method, device and equipment
US20120278480A1 (en) * 2011-04-28 2012-11-01 Paul Ionescu System and method for identifying session identification information
CN106161479A (en) * 2016-09-21 2016-11-23 杭州迪普科技有限公司 A kind of supported feature is across the coding attack detection method wrapped and device
CN107800626A (en) * 2016-08-31 2018-03-13 阿里巴巴集团控股有限公司 Processing method, device and the equipment of data message
CN109672589A (en) * 2018-12-29 2019-04-23 江苏博智软件科技股份有限公司 A kind of implementation method of the data message depth recognition based on DPI
CN110224935A (en) * 2018-03-02 2019-09-10 华为技术有限公司 A kind of method and device handling multicast data message
CN110445874A (en) * 2019-08-14 2019-11-12 京东数字科技控股有限公司 A kind of conversation processing method, device, equipment and storage medium
CN111464525A (en) * 2020-03-30 2020-07-28 绿盟科技集团股份有限公司 Session identification method, session identification device, session identification control equipment and storage medium
CN112019516A (en) * 2020-08-03 2020-12-01 杭州迪普科技股份有限公司 Access control method, device, equipment and storage medium for shared file

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007081933A (en) * 2005-09-15 2007-03-29 Hitachi Ltd Relay system and call admission method
CN101009660A (en) * 2007-01-19 2007-08-01 杭州华为三康技术有限公司 Universal method and device for processing the match of the segmented message mode
CN101562604A (en) * 2008-04-17 2009-10-21 北京启明星辰信息技术股份有限公司 Non-cache model matching method based on message flow data
US20100161795A1 (en) * 2008-12-22 2010-06-24 Kindsight Apparatus and method for multi-user nat session identification and tracking
CN102546363A (en) * 2010-12-21 2012-07-04 深圳市恒扬科技有限公司 Message processing method, device and equipment
US20120278480A1 (en) * 2011-04-28 2012-11-01 Paul Ionescu System and method for identifying session identification information
CN107800626A (en) * 2016-08-31 2018-03-13 阿里巴巴集团控股有限公司 Processing method, device and the equipment of data message
CN106161479A (en) * 2016-09-21 2016-11-23 杭州迪普科技有限公司 A kind of supported feature is across the coding attack detection method wrapped and device
CN110224935A (en) * 2018-03-02 2019-09-10 华为技术有限公司 A kind of method and device handling multicast data message
CN109672589A (en) * 2018-12-29 2019-04-23 江苏博智软件科技股份有限公司 A kind of implementation method of the data message depth recognition based on DPI
CN110445874A (en) * 2019-08-14 2019-11-12 京东数字科技控股有限公司 A kind of conversation processing method, device, equipment and storage medium
CN111464525A (en) * 2020-03-30 2020-07-28 绿盟科技集团股份有限公司 Session identification method, session identification device, session identification control equipment and storage medium
CN112019516A (en) * 2020-08-03 2020-12-01 杭州迪普科技股份有限公司 Access control method, device, equipment and storage medium for shared file

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
毕夏安;张大方;谢鲲;牟晓玲;: "基于H.323协议的VoIP语音流量识别", 计算机应用, no. 09, 1 September 2008 (2008-09-01) *

Similar Documents

Publication Publication Date Title
CN113259394B (en) Cross-domain user authentication method, system and equipment based on routing computation
CN111930709B (en) Data storage method, apparatus, electronic device, and computer readable medium
WO2023202276A1 (en) Domain name resolution request processing method and apparatus, and device, medium and program product
CN111158637A (en) Block chain-based random number generation method, equipment and storage medium
CN112416632A (en) Event communication method and device, electronic equipment and computer readable medium
US11368297B2 (en) Method and apparatus for updating digital certificate
CN113760536A (en) Data caching method and device, electronic equipment and computer readable medium
CN114500633B (en) Data forwarding method, related device, program product and data transmission system
CN114461247A (en) Hot update method, device, electronic equipment and computer readable medium
US11411862B2 (en) Method, electronic device and computer-readable medium for processing data generated by service
CN113765877A (en) Session identification method and device, electronic equipment and computer readable medium
CN111614660B (en) Method and device for detecting safety verification defects and electronic equipment
CN113553206A (en) Data event execution method and device, electronic equipment and computer readable medium
CN114115941A (en) Resource sending method, page rendering method, device, electronic equipment and medium
CN113381938A (en) Data packet sending method and device, storage medium and electronic equipment
CN113283891A (en) Information processing method and device and electronic equipment
CN115297046B (en) Gateway information sending method, device, electronic equipment, medium and product
CN114039770B (en) Access control method, device, storage medium and electronic equipment
CN114828140B (en) Service flow message forwarding method and device, storage medium and electronic equipment
CN117424764B (en) System resource access request information processing method and device, electronic equipment and medium
US9363226B2 (en) Method for double IP address recovery
CN111314457B (en) Method and device for setting virtual private cloud
CN112887213B (en) Message cleaning method and device
CN114430364A (en) Information display method and device, electronic equipment and computer readable medium
CN114124533A (en) Data interception method and device, electronic equipment and computer readable medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination