CN114285634A - Deep detection method, device, medium and monitoring system for data message - Google Patents


Info

Publication number: CN114285634A
Authority: CN (China)
Prior art keywords: message, detection, detection result, protocol stack, FPGA
Legal status: Granted (Active)
Application number: CN202111587759.0A
Other languages: Chinese (zh)
Other versions: CN114285634B (en)
Inventor: 范维庭
Current Assignee: Beijing Armyfly Technology Co Ltd
Original Assignee: Beijing Armyfly Technology Co Ltd
Application filed by: Beijing Armyfly Technology Co Ltd
Priority: CN202111587759.0A
Granted publication: CN114285634B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a method, a device, a medium and a monitoring system for deep detection of data messages. The method is executed by a CPU in a data message monitoring system, and comprises the following steps: storing the received message to be subjected to depth detection in a target memory area of a kernel space, and notifying a target storage address of the target memory area to a user protocol stack in the CPU; and performing depth detection on the message to be subjected to depth detection in a target storage area matched with the target storage address through the user protocol stack to obtain a detection result message. The technical scheme of the embodiment of the invention improves the deep detection capability of the CPU on the data message and improves the performance of the network security monitoring system.

Description

Deep detection method, device, medium and monitoring system for data message
Technical Field
The embodiment of the invention relates to computer technology, in particular to a method, a device, a medium and a monitoring system for deep detection of data messages.
Background
In existing network security devices, an FPGA generally performs ordinary packet inspection, analyzing the contents of an IP packet at layer 4 and below, including the source address, destination address, source port, destination port, and protocol type, while a CPU performs Deep Packet Inspection (DPI), which adds application layer analysis to identify the various applications and their content.
At present, when a CPU in a network security device performs deep packet inspection, deep inspection of a data packet is mainly realized through cooperation of a kernel protocol stack and a user protocol stack.
In the course of implementing the invention, the inventor found that the prior art has the following main defects: in a traditional kernel protocol stack, the processing of network data messages has many performance bottlenecks, such as the performance cost of locality failures, interrupt processing, kernel copying and system calls. These seriously affect the receiving and sending of data messages, and therefore the ability of the CPU to assist the FPGA in deep detection of data messages and the performance of the network security monitoring system.
Disclosure of Invention
The embodiment of the invention provides a method, a device, a medium and a monitoring system for deep detection of data messages, which improve the deep detection capability of the CPU on data messages and the performance of the network security monitoring system.
In a first aspect, an embodiment of the present invention provides a method for deep inspection of a data packet, where the method is executed by a CPU in a data packet monitoring system, and the method includes:
storing the received message to be subjected to depth detection in a target memory area of a kernel space, and notifying a target storage address of the target memory area to a user protocol stack in the CPU;
and performing depth detection on the message to be subjected to depth detection in a target storage area matched with the target storage address through the user protocol stack to obtain a detection result message.
Further, a deep detection program is registered in advance in the user protocol stack of the CPU, and the deep detection program is used for message detection above the transport layer protocol;
performing depth detection on the message to be subjected to depth detection in a target storage area matched with the target storage address through the user protocol stack, wherein the depth detection includes:
and executing the depth detection program through the user protocol stack, and performing depth detection on the message to be subjected to depth detection in a target storage area matched with the target storage address.
Further, before storing the received packet to be depth detected in the target memory area of the kernel space, the method further includes:
receiving a message to be subjected to depth detection sent by an FPGA (field programmable gate array) in the data message monitoring system, wherein the message to be subjected to depth detection is obtained after the FPGA performs detection under a message transport layer protocol on an original message received by a switching module;
after the deep detection is performed on the message to be subjected to the deep detection in the target storage area matched with the target storage address through the user protocol stack to obtain a detection result message, the method further comprises the following steps:
through the user protocol stack, when the detection result message is determined to meet the forwarding condition, rewriting the detection result message into the target memory area;
and acquiring the detection result message from the target memory area, and sending the detection result message to the FPGA so as to send the detection result message to the switching module for forwarding through the FPGA.
Further, after performing deep detection on the packet to be subjected to deep detection in the target storage area matched with the target storage address through the user protocol stack to obtain a detection result packet, the method further includes:
and clearing the target memory area when the detection result message is determined not to meet the forwarding condition through the user protocol stack.
Further, storing the received message to be depth detected in a target memory area of a kernel space, and notifying a target storage address of the target memory area to a user protocol stack in the CPU, including:
storing the received message to be subjected to depth detection in a target memory area of a kernel space through a driving unit, and notifying a target storage address of the target memory area to a user protocol stack in the CPU;
acquiring the detection result message from the target memory area, and sending the detection result message to the FPGA, including:
and acquiring the detection result message from the target memory area through the driving unit, and sending the detection result message to the FPGA.
Further, the method further comprises:
acquiring an access control list rule through the user protocol stack, and issuing the access control list rule to the FPGA;
the access control list rule is a rule used by the FPGA for detection under a message transport layer protocol.
In a second aspect, an embodiment of the present invention further provides a depth detection apparatus for data packets, which is executed by a CPU in a data packet monitoring system, and the apparatus includes:
the message storage module is used for storing the received message to be subjected to depth detection in a target memory area of a kernel space and notifying a target storage address of the target memory area to a user protocol stack in the CPU;
and the message depth detection module is used for carrying out depth detection on the message to be subjected to depth detection in a target storage area matched with the target storage address through the user protocol stack to obtain a detection result message.
In a third aspect, an embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored thereon, where the computer program, when executed by a processor, implements the method for deep inspection of a data packet according to any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a network data packet monitoring system, where the system includes: the system comprises a switching module, an FPGA and a CPU;
the switching module is used for receiving an original message and sending the original message to the FPGA; or receiving a detection result message sent by the FPGA, and forwarding the detection result message;
the FPGA is used for receiving an original message sent by a switching module and an access control list rule issued by a user protocol stack, detecting the original message under a message transport layer protocol according to the access control list rule to obtain a message to be detected deeply, and sending the message to be detected deeply to a CPU; or, receiving a detection result message sent by the CPU, and sending the detection result message to the switching module;
the CPU is configured to implement the method for deep inspection of a data packet according to any embodiment of the present invention.
Further, the switching module includes: a first port and a second port;
the first port is used for receiving an original message and sending the original message to the FPGA;
and the second port is used for receiving a detection result message sent by the FPGA and forwarding the detection result message.
In the embodiment of the invention, a CPU in a data message monitoring system stores a received message to be subjected to deep detection in a target memory area of a kernel space and notifies a user protocol stack in the CPU of the target storage address of that area; the user protocol stack then performs deep detection on the message in the target storage area matched with the target storage address to obtain a detection result message. This solves the prior-art problem that, when the CPU receives a data message and performs deep detection through both the kernel protocol stack and the user protocol stack, the performance of the network security monitoring system is wasted by possible locality failures, interrupt processing, kernel copying, system calls and the like. The deep detection capability of the CPU on data messages is improved, and so is the performance of the network security monitoring system.
Drawings
Fig. 1A is a flowchart of a deep inspection method for a data packet according to an embodiment of the present invention;
fig. 1B is a diagram of a specific application scenario of detection under a message transport layer protocol according to an embodiment of the present invention;
fig. 1C is a specific application scenario diagram of deep packet inspection according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a depth detection apparatus for data packets according to a second embodiment of the present invention;
fig. 3 is a schematic structural diagram of a network data packet monitoring system according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1A is a flowchart of a deep detection method for a data message according to an embodiment of the present invention. This embodiment is applicable to deep detection of network data messages. The method may be executed by a CPU in a data message monitoring system, specifically by a deep detection device for data messages, which may be implemented in software and/or hardware and is generally integrated in a data message monitoring system. The method specifically includes the following steps:
S110, storing the received message to be subjected to deep detection in a target memory area of a kernel space, and notifying a target storage address of the target memory area to a user protocol stack in the CPU.
The message to be subjected to deep detection may be a message for which, in addition to checking the source address, destination address, source port, destination port, and protocol type, the application layer must be analyzed to identify the application and its content. The target memory area may be the area in the CPU where the message to be subjected to deep detection is stored. The target storage address may refer to the storage address corresponding to the target memory area, and may be a storage directory address, for example.
Specifically, the message to be subjected to depth detection may be received and stored in a target memory area of the CPU kernel space, and a user protocol stack in the CPU is notified of a target storage address corresponding to the target memory area.
Before storing the received message to be deeply detected in the target memory area of the kernel space, the method may further include: and receiving a message to be subjected to depth detection sent by the FPGA in the data message monitoring system.
The message to be subjected to deep detection can be obtained by the FPGA performing detection below the message transport layer protocol on the original message received by the switching module. The original message may refer to a message received by a receiving port of the switching module in network communication, without any processing.
Optionally, the FPGA of the data message monitoring system performs detection below the message transport layer protocol on the original message received by the switching module and filters it, obtaining the message to be subjected to deep detection, which may then be sent to the CPU for deep detection.
Fig. 1B is a diagram of a specific application scenario of detection below the message transport layer protocol according to an embodiment of the present invention. A security filter program is programmed into the FPGA in advance, and adapted system software is installed in the FPGA; the basic IP filtering function of the designated switching ports is configured on the FPGA through the system software. The corresponding protocol messages and other messages are fed into one switching port at line rate (that is, the original messages are received on that switching port). At the other switching port, the normal messages that remain after the disallowed IP messages have been filtered out are checked (that is, the other switching port forwards the normal messages that have passed detection below the message transport layer protocol by the security filter program).
The security filter program is used to perform detection below the message transport layer protocol on the original message. The original messages in this application scenario do not need deep detection.
Specifically, a switching port of the switching module receives an original message. Using the access control list rules issued to the FPGA by the CPU, with the access control list searched quickly through a Ternary Content Addressable Memory (TCAM), the FPGA performs preliminary message detection and filters out IP messages containing sensitive information, obtaining normal messages; these are then forwarded normally through another switching port of the switching module.
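The ternary lookup that the passage above assigns to the FPGA's TCAM can be modelled in software. The following C model is an added example, not code from the patent: the rule layout, the three actions (drop, forward, hand to the CPU for deep detection), the default action and all addresses and ports are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Build a host-order IPv4 address from dotted-quad parts. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* The fields inspected at layer 4 and below. */
struct five_tuple {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
};

/* Hypothetical actions: the page only distinguishes filtered messages,
 * normal messages, and messages that go to the CPU for deep detection. */
enum acl_action { ACL_DROP, ACL_FORWARD, ACL_TO_CPU };

/* One ternary entry: a key bit is compared only where the mask bit is 1,
 * a 0 mask bit means "don't care", as in a TCAM. */
struct acl_rule {
    struct five_tuple value;
    struct five_tuple mask;
    enum acl_action   action;
};

static int rule_matches(const struct acl_rule *r, const struct five_tuple *k)
{
    return ((k->src_ip   ^ r->value.src_ip)   & r->mask.src_ip)   == 0 &&
           ((k->dst_ip   ^ r->value.dst_ip)   & r->mask.dst_ip)   == 0 &&
           ((k->src_port ^ r->value.src_port) & r->mask.src_port) == 0 &&
           ((k->dst_port ^ r->value.dst_port) & r->mask.dst_port) == 0 &&
           ((k->proto    ^ r->value.proto)    & r->mask.proto)    == 0;
}

/* First matching entry wins, which is how a TCAM priority encoder behaves.
 * A hardware TCAM compares all entries in parallel; this loop is the
 * sequential equivalent. dflt applies when no entry matches. */
enum acl_action acl_lookup(const struct acl_rule *table, size_t n,
                           const struct five_tuple *key, enum acl_action dflt)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&table[i], key))
            return table[i].action;
    return dflt;
}

/* Constructed sample rules (documentation address ranges), highest priority first. */
static const struct acl_rule sample_acl[] = {
    /* Anything from 203.0.113.0/24 is filtered out. */
    { .value = { .src_ip = IP4(203, 0, 113, 0) },
      .mask  = { .src_ip = 0xFFFFFF00u },
      .action = ACL_DROP },
    /* TCP to port 80 needs application-layer analysis: send to the CPU. */
    { .value = { .dst_port = 80, .proto = 6 },
      .mask  = { .dst_port = 0xFFFF, .proto = 0xFF },
      .action = ACL_TO_CPU },
    /* UDP to port 53 is forwarded without deep detection. */
    { .value = { .dst_port = 53, .proto = 17 },
      .mask  = { .dst_port = 0xFFFF, .proto = 0xFF },
      .action = ACL_FORWARD },
};

/* Classify one packet against the sample table; unmatched traffic is dropped
 * (default-deny is an assumption of this example). */
enum acl_action classify_sample(uint32_t src, uint32_t dst,
                                uint16_t sport, uint16_t dport, uint8_t proto)
{
    struct five_tuple k = { src, dst, sport, dport, proto };
    return acl_lookup(sample_acl, sizeof sample_acl / sizeof sample_acl[0],
                      &k, ACL_DROP);
}

int main(void)
{
    static const char *names[] = { "drop", "forward", "to-cpu" };
    printf("%s\n", names[classify_sample(IP4(203, 0, 113, 7), IP4(192, 0, 2, 10), 40000, 80, 6)]);
    printf("%s\n", names[classify_sample(IP4(198, 51, 100, 5), IP4(192, 0, 2, 10), 40000, 80, 6)]);
    return 0;
}
```

Rule order matters: the first sample packet matches both the /24 drop rule and the port-80 rule, and the earlier entry decides.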
And S120, performing deep detection on the message to be subjected to deep detection in a target storage area matched with the target storage address through the user protocol stack to obtain a detection result message.
The target storage area may be the storage area corresponding to the target storage address. The detection result message may be the message that remains after deep detection of the application and content of the message to be subjected to deep detection has screened out unsafe messages.
Specifically, after receiving the storage notification for the message to be subjected to deep detection, the user protocol stack may perform application-layer deep detection on the currently processed message directly in the target storage area matched with its target storage address, so as to obtain a detection result message.
Optionally, a deep detection program is registered in advance in the user protocol stack of the CPU, where the deep detection program is used for message detection above the transport layer protocol; based on this, in an optional implementation manner of this embodiment, performing, by the user protocol stack, deep detection on the message to be subjected to deep detection in the target storage area matched with the target storage address may include: executing the deep detection program through the user protocol stack, and performing deep detection on the message to be subjected to deep detection in the target storage area matched with the target storage address.
The depth detection program may be a pre-written program, and is pre-registered in a user protocol stack of the CPU.
Specifically, in the target storage area matched with the target storage address of the message to be subjected to deep detection, deep detection can be performed directly on the currently processed message by executing the deep detection program registered in advance in the user protocol stack. It should be noted that when a CPU traditionally assists the FPGA in deep detection of data messages, the kernel protocol stack performs part of the detection and the user protocol stack performs another part, whereas the embodiment of the present invention integrates the complete deep detection function into the deep detection program, which performs all of it.
Optionally, after performing deep detection on the packet to be subjected to deep detection in the target storage area matched with the target storage address through the user protocol stack to obtain a detection result packet, the method may further include: through the user protocol stack, when the detection result message is determined to meet the forwarding condition, rewriting the detection result message into the target memory area; acquiring the detection result message from the target memory area, and sending the detection result message to the FPGA so as to send the detection result message to the switching module for forwarding through the FPGA;
The forwarding condition may be that the content of the currently obtained detection result message contains nothing that violates rules or law.
Specifically, after the detection result message is obtained, whether the detection result message can be forwarded or not can be judged, and if yes, the detection result message can be directly rewritten into the target memory area through the user protocol stack; further, the detection result message is obtained from the target memory area and is sent to the FPGA; and the detection result message is sent to the switching module through the FPGA for normal forwarding. Correspondingly, through the user protocol stack, when it is determined that the detection result message does not satisfy the forwarding condition, the target memory area is emptied, which can be understood as removing the detection result message that does not satisfy the forwarding condition from the target memory area.
In another case, for a detection result packet satisfying the forwarding condition, if there is a modification request for the forwarding destination address of the detection result packet, the packet header of the detection result packet may be modified by a depth detection program registered in advance in the user protocol stack, so as to implement the modified forwarding logic.
In an optional implementation manner of this embodiment, based on the above operations, storing the received packet to be depth-detected in a target memory area of a kernel space, and notifying a target storage address of the target memory area to a user protocol stack in the CPU may include:
storing the received message to be subjected to depth detection in a target memory area of a kernel space through a driving unit, and notifying a target storage address of the target memory area to a user protocol stack in the CPU; acquiring the detection result message from the target memory area, and sending the detection result message to the FPGA, including: and acquiring the detection result message from the target memory area through the driving unit, and sending the detection result message to the FPGA.
Wherein the driving unit may include: a DPDK drive unit or a Netmap drive unit.
Specifically, the received message to be subjected to deep detection may be stored in a target memory area of the kernel space through a driving unit of the CPU, and the target storage address of the target memory area is notified to the user protocol stack. After the user protocol stack performs deep detection on the message to be subjected to deep detection to obtain a detection result message, and stores the detection result message meeting the forwarding condition in the target memory area, the detection result message can be taken out of the target memory area through the driving unit and sent to the FPGA.
Fig. 1C is a diagram of a specific application scenario of deep message detection according to an embodiment of the present invention. A security filter program is programmed into the FPGA in advance, and adapted system software is installed in the FPGA; the deep filtering function of the designated switching port is configured on the FPGA through the system software (in this application scenario the deep filtering function is completed with the assistance of the CPU); the corresponding protocol messages and other messages are fed into the switching port at line rate. At the other switching port, the normal messages that remain after the disallowed IP messages have been filtered out are checked (that is, after detection below the message transport layer protocol by the security filter program, the messages that need deep detection are deep-detected with the assistance of the CPU, and the other switching port forwards the resulting normal messages).
Specifically, a switching port of the switching module receives an original message. Using the access control list rules issued to the FPGA by the user protocol stack, with the access control list searched quickly through a TCAM, the FPGA performs preliminary message detection and filters out messages containing sensitive information, obtaining the message to be subjected to deep detection. That message is stored in a memory area of the CPU kernel space by the Netmap driver. The user protocol stack then performs deep detection with the pre-registered deep detection program and obtains a detection result message. The user protocol stack rewrites a detection result message that meets the forwarding condition into the memory area; it is sent to the FPGA through the Netmap driver and forwarded normally through the switching module.
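The store, notify, inspect-in-place, then rewrite-or-clear flow described above can be followed in a small user-space model. This C code is an added example, not code from the patent and not the DPDK or Netmap API: the slot ring standing in for the target memory area, the slot index standing in for the target storage address, the function names and the "BLOCKED-MARKER" content rule are all assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NSLOTS   4
#define SLOT_CAP 256

enum slot_state { SLOT_FREE, SLOT_RX, SLOT_TX };
enum verdict    { VERDICT_DROP = 0, VERDICT_FORWARD = 1 };

/* One packet buffer in the target memory area (hypothetical layout). */
struct slot {
    enum slot_state state;
    uint16_t len;
    uint8_t  data[SLOT_CAP];
};
struct ring { struct slot slots[NSLOTS]; };

/* Signature of the deep detection program registered with the user stack. */
typedef enum verdict (*dpi_fn)(const uint8_t *data, uint16_t len);

/* Driver side: place a message from the FPGA in a free slot and return the
 * slot index, which is what the user stack is notified of. -1 on refusal. */
int driver_rx(struct ring *r, const uint8_t *pkt, uint16_t len)
{
    if (len == 0 || len > SLOT_CAP)          /* never overrun a slot */
        return -1;
    for (int i = 0; i < NSLOTS; i++) {
        struct slot *s = &r->slots[i];
        if (s->state != SLOT_FREE)
            continue;
        memcpy(s->data, pkt, len);           /* stands in for the write into the area */
        s->len = len;
        s->state = SLOT_RX;
        return i;
    }
    return -1;                               /* ring full */
}

/* User stack side: inspect the message where it lies, with no second copy.
 * Forwardable messages stay in the slot, marked for transmit; rejected ones
 * are wiped so their content does not linger in the shared area. */
int stack_process(struct ring *r, int idx, dpi_fn dpi)
{
    if (idx < 0 || idx >= NSLOTS || dpi == NULL)
        return -1;                           /* reject a bad notification */
    struct slot *s = &r->slots[idx];
    if (s->state != SLOT_RX)
        return -1;
    if (dpi(s->data, s->len) == VERDICT_FORWARD) {
        s->state = SLOT_TX;
        return VERDICT_FORWARD;
    }
    memset(s->data, 0, sizeof s->data);
    s->len = 0;
    s->state = SLOT_FREE;
    return VERDICT_DROP;
}

/* Driver side: take a detection result message out of the area (towards the
 * FPGA) and release the slot. Returns the number of bytes, -1 on error. */
int driver_tx(struct ring *r, int idx, uint8_t *out, size_t cap)
{
    if (idx < 0 || idx >= NSLOTS)
        return -1;
    struct slot *s = &r->slots[idx];
    if (s->state != SLOT_TX || s->len > cap)
        return -1;
    int n = s->len;
    memcpy(out, s->data, s->len);
    s->state = SLOT_FREE;
    return n;
}

/* Constructed deep detection program: the forwarding condition here is that
 * the application payload does not contain a marker string. */
enum verdict dpi_marker_check(const uint8_t *data, uint16_t len)
{
    static const char marker[] = "BLOCKED-MARKER";
    size_t m = sizeof marker - 1;
    for (size_t i = 0; i + m <= len; i++)
        if (memcmp(data + i, marker, m) == 0)
            return VERDICT_DROP;
    return VERDICT_FORWARD;
}

static struct ring g_ring;                   /* zero-initialised: every slot free */

/* Run one constructed payload through rx -> inspect -> tx. Returns the bytes
 * handed back for forwarding, 0 if dropped, -1 if the driver refused it. */
int demo(struct ring *r, const char *payload)
{
    uint8_t wire[SLOT_CAP];
    size_t n = strlen(payload);
    if (n > SLOT_CAP)
        return -1;
    int idx = driver_rx(r, (const uint8_t *)payload, (uint16_t)n);
    if (idx < 0)
        return -1;
    if (stack_process(r, idx, dpi_marker_check) != VERDICT_FORWARD)
        return 0;
    return driver_tx(r, idx, wire, sizeof wire);
}

int main(void)
{
    printf("%d\n", demo(&g_ring, "GET / HTTP/1.1\r\n\r\n"));
    printf("%d\n", demo(&g_ring, "POST /u HTTP/1.1\r\n\r\nBLOCKED-MARKER"));
    return 0;
}
```

The length check in `driver_rx` and the index and state checks in `stack_process` are the points where a shared-buffer design like this has to distrust what the other side hands it.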
According to the technical scheme of the embodiment of the invention, a CPU in a data message monitoring system stores a received message to be subjected to deep detection in a target memory area of a kernel space and notifies a user protocol stack in the CPU of the target storage address of that area; the user protocol stack then performs deep detection on the message in the target storage area matched with the target storage address to obtain a detection result message. This solves the prior-art problem that, when the CPU receives a data message and performs deep detection through both the kernel protocol stack and the user protocol stack, the performance of the network security monitoring system is wasted by locality failures, interrupt processing, kernel copying, system calls and the like. The deep detection capability of the CPU on data messages is improved, and so is the performance of the network security monitoring system.
On the basis of the above technical solution, the method for deep detecting a data packet may further include: acquiring an access control list rule through the user protocol stack, and issuing the access control list rule to the FPGA;
The access control list rule is the rule the FPGA uses for detection below the message transport layer protocol.
Specifically, the access control list rule can be issued to the FPGA by the deep detection program registered in advance in the user protocol stack, and the FPGA uses the access control list rule to implement detection below the message transport layer protocol.
Example two
Fig. 2 is a schematic structural diagram of a deep inspection device for data packets according to a second embodiment of the present invention. The device can execute the depth detection method of the data message provided by any embodiment of the invention, and the device is executed by a CPU in a data message monitoring system. Referring to fig. 2, the apparatus includes: a message storage module 210 and a message depth detection module 220. Wherein:
a message storage module 210, configured to store a received message to be depth-detected in a target memory area of a kernel space, and notify a user protocol stack in the CPU of a target storage address of the target memory area;
the message depth detection module 220 is configured to perform depth detection on the message to be depth-detected in the target storage area matched with the target storage address through the user protocol stack, so as to obtain a detection result message.
According to the technical scheme of the embodiment of the invention, a CPU in a data message monitoring system stores a received message to be subjected to deep detection in a target memory area of a kernel space and notifies a user protocol stack in the CPU of the target storage address of that area; the user protocol stack then performs deep detection on the message in the target storage area matched with the target storage address to obtain a detection result message. This solves the prior-art problem that, when the CPU receives a data message and performs deep detection through both the kernel protocol stack and the user protocol stack, the performance of the network security monitoring system is wasted by locality failures, interrupt processing, kernel copying, system calls and the like. The deep detection capability of the CPU on data messages is improved, and so is the performance of the network security monitoring system.
In the above apparatus, optionally, a deep detection program is registered in advance in the user protocol stack of the CPU, where the deep detection program is used for message detection above the transport layer protocol;
the packet depth detection module 220 may be specifically configured to:
and executing the depth detection program through the user protocol stack, and performing depth detection on the message to be subjected to depth detection in a target storage area matched with the target storage address.
Optionally, in the above apparatus, the apparatus further includes a to-be-deep-detected packet receiving module, specifically configured to, before storing the received to-be-deep-detected packet in a target memory area of the kernel space:
receiving a message to be subjected to depth detection sent by an FPGA (field programmable gate array) in the data message monitoring system, wherein the message to be subjected to depth detection is obtained after the FPGA performs detection under a message transport layer protocol on an original message received by a switching module;
the apparatus further includes a detection result message forwarding module which, for use after deep detection is performed on the message to be subjected to deep detection in the target storage area matched with the target storage address through the user protocol stack to obtain a detection result message, includes:
a detection result message rewriting subunit, configured to rewrite, by the user protocol stack, the detection result message into the target memory area when it is determined that the detection result message satisfies a forwarding condition;
and the detection result message sending subunit is configured to obtain the detection result message from the target memory area, send the detection result message to the FPGA, and send the detection result message to the switching module for forwarding through the FPGA.
In the foregoing apparatus, optionally, the apparatus further includes a target memory area clearing module, which is specifically configured to, after performing, by the user protocol stack, deep detection on the packet to be deep-detected in a target memory area matched with the target memory address to obtain a detection result packet:
and clearing the target memory area when the detection result message is determined not to meet the forwarding condition through the user protocol stack.
In the above apparatus, optionally, the message storage module 210 may be specifically configured to:
storing the received message to be subjected to depth detection in a target memory area of a kernel space through a driving unit, and notifying a target storage address of the target memory area to a user protocol stack in the CPU;
the detection result message sending subunit may be further configured to:
and acquiring the detection result message from the target memory area through the driving unit, and sending the detection result message to the FPGA.
In the above apparatus, optionally, the driving unit may include: a DPDK drive unit or a Netmap drive unit.
In the above apparatus, optionally, the deep detection apparatus for data messages further includes an access control list rule issuing module, which may be specifically configured to:
acquiring an access control list rule through the user protocol stack, and issuing the access control list rule to the FPGA;
the access control list rule is a rule used by the FPGA for detection under a message transport layer protocol.
The depth detection device for the data message provided by the embodiment of the invention can execute the depth detection method for the data message provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example three
A third embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored. When executed by a processor, the computer program carries out a method for deep detection of a data message; the method is executed by a CPU in a data message monitoring system and includes:
storing the received message to be subjected to depth detection in a target memory area of a kernel space, and notifying a target storage address of the target memory area to a user protocol stack in the CPU;
and performing depth detection on the message to be subjected to depth detection in a target storage area matched with the target storage address through the user protocol stack to obtain a detection result message.
Of course, the computer program stored on the computer-readable storage medium provided in the embodiments of the present invention is not limited to the method operations described above, and may also perform related operations in the deep detection method for data messages provided in any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the depth detection apparatus for data packets, each unit and each module included in the embodiment are only divided according to functional logic, but are not limited to the above division, as long as corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
Example four
Fig. 3 is a schematic structural diagram of a network data message monitoring system according to a fourth embodiment of the present invention. As shown in Fig. 3, the system includes: a switching module 310, an FPGA 320, and a CPU 330;
the switching module 310 is configured to receive an original message and send the original message to the FPGA; or to receive a detection result message sent by the FPGA and forward the detection result message;
the FPGA 320 is configured to receive an original message sent by the switching module and an access control list rule issued by the user protocol stack, perform detection under the message transport layer protocol on the original message according to the access control list rule to obtain a message to be subjected to deep detection, and send that message to the CPU; or to receive a detection result message sent by the CPU and send the detection result message to the switching module;
the CPU 330 is configured to implement the method for deep detection of a data message according to any embodiment of the present invention, where the method is executed by the CPU in the data message monitoring system and includes:
storing the received message to be subjected to depth detection in a target memory area of a kernel space, and notifying a target storage address of the target memory area to a user protocol stack in the CPU;
and performing depth detection on the message to be subjected to depth detection in a target storage area matched with the target storage address through the user protocol stack to obtain a detection result message.
In the above system, optionally, the switching module 310 includes: a first port and a second port;
the first port is used for receiving an original message and sending the original message to the FPGA;
and the second port is used for receiving a detection result message sent by the FPGA and forwarding the detection result message.
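The data path described in this embodiment (pre-filtering in the FPGA by access control list rule, a single store into the target memory area, in-place deep detection by the user protocol stack addressed only by the target storage address, then rewrite or clear) can be modelled in C as below. This is an added illustration, not code from the patent; the slot pool, the function names, the protocol/port rule fields and the byte-pattern forwarding condition are all assumptions.

```c
/* Added illustration, not code from the patent; all names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLOT_SIZE 256
#define NSLOTS 4
enum slot_state { SLOT_FREE = 0, SLOT_RX, SLOT_TX };

/* Stand-in for the target memory area shared by driver and user stack. */
struct slot { enum slot_state state; uint16_t len; uint8_t data[SLOT_SIZE]; };
static struct slot pool[NSLOTS];

/* ACL rule issued to the FPGA stage (fields are an assumption). */
struct acl_rule { uint8_t proto; uint16_t dport; };

/* FPGA stage: 1 if the packet matches a rule and must go to the CPU. */
int fpga_acl_match(const struct acl_rule *r, size_t n, uint8_t proto, uint16_t dport) {
    for (size_t i = 0; i < n; i++)
        if (r[i].proto == proto && r[i].dport == dport) return 1;
    return 0;
}

/* Driver unit: store the packet once and return the target storage address. */
struct slot *driver_store(const uint8_t *pkt, size_t len) {
    if (len > SLOT_SIZE) return NULL;          /* refuse oversize, never truncate */
    for (int i = 0; i < NSLOTS; i++) {
        if (pool[i].state != SLOT_FREE) continue;
        memcpy(pool[i].data, pkt, len);
        pool[i].len = (uint16_t)len;
        pool[i].state = SLOT_RX;
        return &pool[i];
    }
    return NULL;                               /* pool exhausted: caller drops */
}

/* User protocol stack: deep detection in place, addressed by pointer only.
 * Forwarding condition (assumed): payload does not contain `blocked`. */
int user_stack_inspect(struct slot *s, const char *blocked) {
    size_t blen = strlen(blocked);
    if (s == NULL || s->state != SLOT_RX) return -1;
    for (size_t i = 0; blen && i + blen <= s->len; i++) {
        if (memcmp(s->data + i, blocked, blen) == 0) {
            memset(s, 0, sizeof *s);           /* clear area; state becomes FREE */
            return 0;
        }
    }
    s->state = SLOT_TX;                        /* result stays in the same area */
    return 1;
}

/* Driver unit: fetch the result for the FPGA, then release the slot. */
int driver_fetch(struct slot *s, uint8_t *out, size_t cap) {
    if (s == NULL || s->state != SLOT_TX || s->len > cap) return -1;
    int n = s->len;
    memcpy(out, s->data, (size_t)n);
    memset(s, 0, sizeof *s);                   /* no stale payload left behind */
    return n;
}
```

The state checks are the part worth carrying into a real design: a slot that was cleared or never inspected cannot be fetched for forwarding, and zeroing on both the drop and release paths keeps one packet's payload from leaking into the next use of the same area.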
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A method for deep inspection of data packets, characterized in that the method is executed by a CPU in a data packet monitoring system and includes:
storing the received message to be subjected to depth detection in a target memory area of a kernel space, and notifying a target storage address of the target memory area to a user protocol stack in the CPU;
and performing depth detection on the message to be subjected to depth detection in a target storage area matched with the target storage address through the user protocol stack to obtain a detection result message.
2. The method according to claim 1, wherein a deep inspection program is registered in advance in a user protocol stack of the CPU, and the deep inspection program is used for performing packet inspection above a transport layer protocol;
performing depth detection on the message to be subjected to depth detection in a target storage area matched with the target storage address through the user protocol stack, wherein the depth detection includes:
and executing the depth detection program through the user protocol stack, and performing depth detection on the message to be subjected to depth detection in a target storage area matched with the target storage address.
3. The method according to claim 1, further comprising, before storing the received packet to be deep-detected in a target memory area of kernel space:
receiving a message to be subjected to depth detection sent by an FPGA (field programmable gate array) in the data message monitoring system, wherein the message to be subjected to depth detection is obtained after the FPGA performs detection under a message transport layer protocol on an original message received by a switching module;
after the deep detection is performed on the message to be subjected to the deep detection in the target storage area matched with the target storage address through the user protocol stack to obtain a detection result message, the method further comprises the following steps:
through the user protocol stack, when the detection result message is determined to meet the forwarding condition, rewriting the detection result message into the target memory area;
and acquiring the detection result message from the target memory area, and sending the detection result message to the FPGA so as to send the detection result message to the switching module for forwarding through the FPGA.
4. The method according to claim 3, wherein after performing deep inspection on the packet to be deep inspected in the target storage area matched with the target storage address through the user protocol stack to obtain an inspection result packet, the method further comprises:
and clearing the target memory area when the detection result message is determined not to meet the forwarding condition through the user protocol stack.
5. The method according to claim 3, wherein storing the received packet to be depth-detected in a target memory area of a kernel space, and notifying a target storage address of the target memory area to a user protocol stack in the CPU, comprises:
storing the received message to be subjected to depth detection in a target memory area of a kernel space through a driving unit, and notifying a target storage address of the target memory area to a user protocol stack in the CPU;
acquiring the detection result message from the target memory area, and sending the detection result message to the FPGA, including:
and acquiring the detection result message from the target memory area through the driving unit, and sending the detection result message to the FPGA.
6. The method according to any one of claims 3-5, further comprising:
acquiring an access control list rule through the user protocol stack, and issuing the access control list rule to the FPGA;
the access control list rule is a rule used by the FPGA for detection under a message transport layer protocol.
7. A device for deep inspection of data packets, the device being implemented by a CPU in a data packet monitoring system, the device comprising:
the message storage module is used for storing the received message to be subjected to depth detection in a target memory area of a kernel space and notifying a target storage address of the target memory area to a user protocol stack in the CPU;
and the message depth detection module is used for carrying out depth detection on the message to be subjected to depth detection in a target storage area matched with the target storage address through the user protocol stack to obtain a detection result message.
8. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out a method for deep inspection of a data packet according to any one of claims 1 to 6.
9. A network data message monitoring system, comprising: a switching module, an FPGA and a CPU;
the switching module is used for receiving an original message and sending the original message to the FPGA; or receiving a detection result message sent by the FPGA, and forwarding the detection result message;
the FPGA is used for receiving an original message sent by the switching module and an access control list rule issued by a user protocol stack, detecting the original message under a message transport layer protocol according to the access control list rule to obtain a message to be subjected to deep detection, and sending the message to be subjected to deep detection to the CPU; or, receiving a detection result message sent by the CPU, and sending the detection result message to the switching module;
the CPU is configured to implement the deep inspection method for the data packet according to any one of claims 1 to 6.
10. The system of claim 9, wherein the switching module comprises: a first port and a second port;
the first port is used for receiving an original message and sending the original message to the FPGA;
and the second port is used for receiving a detection result message sent by the FPGA and forwarding the detection result message.
CN202111587759.0A 2021-12-23 Depth detection method, device, medium and monitoring system for data message Active CN114285634B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111587759.0A CN114285634B (en) 2021-12-23 Depth detection method, device, medium and monitoring system for data message

Publications (2)

Publication Number Publication Date
CN114285634A (en) 2022-04-05
CN114285634B (en) 2024-06-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant