WO2012083748A1 - Method and device for cross-packet inspection of protocol based on deep packet inspection - Google Patents


Publication number
WO2012083748A1
Authority
WO
WIPO (PCT)
Prior art keywords
rule
protocol
hits
hit
certain
Prior art date
Application number
PCT/CN2011/080798
Other languages
French (fr)
Chinese (zh)
Inventor
付饶
徐敏锋
时立峰
程贵锋
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2012083748A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H04L69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols

Definitions

  • DPI protocol cross-packet detection method and device BACKGROUND OF THE INVENTION
  • Protocol-based detection is one of the application technologies that currently needs to be solved. For example, services such as users' peer-to-peer downloads, instant video and instant chat need fine-grained management.
  • Some protocols on the network are completed through message identification between communication devices (for example, handshake packets), so protocol identification unavoidably has to identify a protocol that corresponds to multiple handshake packets. In other scenarios, protocol identification has to identify a protocol that is present across multiple fragments.
  • Traditional hardware DPI lookup is a lookup technique based on a deterministic finite automaton (DFA) or a non-deterministic finite automaton (NFA).
  • The protocol to be searched is split into different rules, and the rules are compiled into a DFA or NFA.
  • The hardware matches each packet to be matched against the compiled DFA or NFA. If the corresponding rule is matched, a certain protocol is considered to be matched; otherwise the match is considered to have failed.
  • The embodiments of the invention provide a protocol cross-packet detection method and device based on deep packet inspection, which perform cross-packet detection of protocols and can be applied to multi-packet, multi-rule application scenarios.
  • An embodiment of the present invention provides a protocol cross-packet detection method based on deep packet inspection, where the method includes: acquiring multiple packets with different features in the same stream; determining whether each packet hits a certain rule; and, if a packet hits a certain rule, determining, according to the hit rule and the order of the packets, whether the stream hits a certain protocol.
  • An embodiment of the present invention provides a protocol cross-packet detection apparatus based on deep packet inspection, where the apparatus includes: an acquiring unit, configured to acquire multiple packets with different features in the same stream; and a first determining unit, configured to determine whether each packet hits a certain rule.
  • The second determining unit is configured to determine, if a packet hits a certain rule, whether the stream hits a certain protocol according to the hit rule and the order of the packets.
  • The foregoing technical solution has the following beneficial effects: because each of the multiple packets with different features in the same stream is checked for a rule hit, and the hit rules and the order of the packets are then used to determine whether the stream hits a certain protocol, cross-packet detection of protocols can be performed, and the solution is applicable to multi-packet, multi-rule application scenarios with good scalability and flexibility.
  • FIG. 1 is a flowchart of a protocol cross-packet detection method based on deep packet inspection according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of character splitting of a multi-step algorithm according to an embodiment of the present invention
  • FIG. 3 is a schematic structural diagram of a tree branch after multi-step algorithm character decomposition according to an embodiment of the present invention
  • FIG. 4 is a flowchart of a cross-packet detection method based on deep packet inspection according to an application example of the present invention
  • FIG. 5 is a schematic structural diagram of a protocol cross-packet detection apparatus based on deep packet inspection according to an embodiment of the present invention.
  • As shown in FIG. 1, which is a flowchart of a cross-packet detection method based on deep packet inspection according to an embodiment of the present invention, the method includes:
  • The same flow, that is, the same service, can be distinguished by a flow field, which can be one or more of a MAC (Media Access Control) address, an IP address, or a port number. In most cases, the packets with different features are distinguished by the packet payload at layer 3 and above, and may be further distinguished by information such as the layer 1 MAC address or the layer 3 IP address.
  • MAC: Media Access Control
  • Determining whether each packet hits a certain rule can use a conventional rule matching engine for the lookup, such as a deterministic finite automaton (DFA) or a non-deterministic finite automaton (NFA).
  • DFA: deterministic finite automaton
  • NFA: non-deterministic finite automaton
  • Multiple packets can enter multiple rule matching engines for parallel lookup and matching to improve matching efficiency.
  • The flow table may first be searched using the identification information of the flow, such as an identifier (ID) or the flow field, to determine whether the flow has already hit a certain protocol in the flow table. If no protocol has been hit in the flow table, it is then determined whether each packet hits a certain rule; if the flow has already hit a certain protocol in the flow table, the subsequent service processing (for example, fine-grained management operations such as statistics and traffic management) is performed directly.
  • The time the rule matching engines take to search and match each packet differs.
  • The order in which the matching results are output may not be exactly the same as the order in which the packets entered the rule matching engines.
  • The hit rules may be sorted according to the packet order to determine whether the stream hits a certain protocol.
  • The sorted rules may be compared directly with the preset rule sequences of multiple protocols. If the sorted rules completely match the rule sequence corresponding to one of the protocols, it is determined that the flow matches the protocol corresponding to that rule sequence.
  • A state jump table may be established for the preset rule sequences of multiple protocols, and the rule sequence matching the sorted rules may be determined according to the state jump table. The state jump table may also be implemented by a conventional rule matching engine, such as a DFA or NFA.
  • A multi-step algorithm can also be used to establish the state jump table to determine whether the stream hits a certain protocol.
  • The hit protocol type is output.
  • A flow table may be saved; the flow table stores whether each flow is known to correspond to a certain protocol, and which protocol it corresponds to.
  • The corresponding flag of the flow in the flow table can be set to valid, and the hit protocol type can be recorded.
  • The protocol cross-packet detection can be omitted, and the subsequent service processing is performed directly.
  • The embodiment of the present invention may use a multi-step algorithm lookup to determine whether the stream hits a certain protocol, which can improve lookup efficiency.
  • The multi-step algorithm is a multi-pattern exact matching algorithm. The basic idea is to divide the feature string into several substrings according to a certain step size, and to determine the final output state according to the jump states of the substrings; that is, the rule sequence is divided into several substrings to generate a state jump table.
  • Multi-step algorithm example: FIG. 2 is a schematic diagram of character splitting of a multi-step algorithm according to an embodiment of the present invention, and FIG. 3 is a schematic diagram of the tree structure after multi-step algorithm character decomposition according to an embodiment of the present invention. The starting states are unified to q. When different characters are input, the intermediate state jumps to a different state, where S1 - S6 are output states, that is, the final matching states.
  • the embodiment of the present invention can maintain three tables, and the specific contents of the table are as follows:
  • The Valid field and the protocol field may be omitted when the flow table is not used to determine whether the flow has already hit a certain protocol in the flow table.
  • The packet sequence number may not be allocated, in which case the Sn field may be omitted.
  • The sequence number of the packet can be obtained by the rule matching engine.
  • The original Sn in the flow table can be set to 0.
  • Sn is incremented by 1 and provided to the rule matching engine as the sequence number of the packet; as subsequent packets with different features enter,
  • Sn is incremented by 1 each time, and each incremented value of Sn is used in turn as the sequence number of the corresponding subsequent packet.
  • Each flow has its corresponding flow table, and there may be multiple ways to indicate the correspondence between each flow and its flow table.
  • The correspondence between the address of the flow table in memory and the flow field may be established; after a packet is received, the address of the corresponding flow table in memory is obtained according to the flow field.
  • The result of matching a packet is the rule number and the sequence number of the packet.
  • When packets are not matched by multiple parallel rule matching engines, the output order of the matching results is the same as the order in which the packets entered the rule matching engine. In that case the packet sequence number need not be allocated, the hit rules need not be sorted by packet order, the flow intermediate state table need not be maintained, and whether the stream hits a certain protocol is determined directly from the matching results output by the rule matching engine.
  • The time the rule matching engines take to search and match each packet differs.
  • The order in which the matching results are output may not be exactly the same as the order in which the packets entered the rule matching engines.
  • In this case, a flow intermediate state table can be maintained. The sequence number of each packet and its matching result, that is, the rule number, can be saved in the flow intermediate state table.
  • The hit rules can be sorted according to the packet sequence number; each packet that hits a rule corresponds to a rule number, and the packet sequence number is given by the rule matching engine.
  • The Valid field can be set in the entries of the flow intermediate state table, or a separate sorting flag can be set for the flow intermediate state table.
  • Each entry in the flow intermediate state table includes only the correspondence between the packet sequence number and the rule number.
  • Valid can be set to 0.
  • Valid can be set to 1 for sorting.
  • After the hit rules are sorted according to the packet sequence number, it can be determined whether the stream hits a certain protocol.
  • Valid: a flag indicating whether the entry is valid, that is, whether the entry has been initialized.
  • The content after this flag is meaningful only when the entry is valid; otherwise it is meaningless.
  • This flag protects the contents of the rest of the entry and prevents lookup errors when the entry has not been initialized. This flag can be omitted.
  • Curr_ruleid: the current rule number, used for comparison with the current rule number of the state machine.
  • Next_addr: when the Curr_ruleid or Curr_state match is unsuccessful, that is, Curr_ruleid does not match the current rule number of the state machine, or Curr_state does not match the current state of the state machine, the next entry is looked up according to Next_addr; if there is no next entry, the value is a specific value, such as 0, indicating that the lookup failed.
  • Protocol: the protocol number. If a protocol is hit, it is the corresponding protocol number. If it is the default value, for example 0, no protocol is hit.
  • Curr_state: the current state, used for comparison with the current state of the state machine.
  • Next_state: the next jump state.
  • If the protocol number is the default value (a non-default value indicates that a protocol has been hit and the table lookup can stop), the next state is taken out as the current state of the state machine; the state machine moves to Next_state and performs the next lookup, until a protocol is hit.
  • The number of combinations of rule number and current state is usually much larger than the number of protocols; for example, the rule number is 16 bits long and the current state is 8 bits long, 24 bits in total, while the number of protocols is usually about one thousand, so a simple linear search is inefficient.
  • When searching the state jump table, hash the current rule number and current state of the state machine, and find the entry whose storage address is the result of the hash.
  • The protocol number is output or the state transition is performed. If the Curr_ruleid or Curr_state match is unsuccessful, the other hash-conflict entries are searched according to Next_addr. If all hash-conflict entries have been searched without a match, the search fails.
  • a flow chart of a cross-packet detection method based on deep packet inspection is provided in the application example of the present invention, and the method includes:
  • the multi-step algorithm finds a miss
  • the multi-step algorithm finds a miss
  • Sorting the messages (sorted based on the service, the ranked results are 1, 3, 4, 6, and the corresponding rules are 1, 2, 3, 4);
  • the multi-step algorithm finds a hit, outputs the hit protocol 1, and writes back to the flow table, setting the Valid bit of the flow table to valid;
  • once the flow table is valid, subsequent packets skip the rule lookup, the sorting and the multi-step algorithm lookup, and the related service processing is performed directly;
  • The embodiment of the present invention optimizes the traditional DPI lookup technology and, by means of the flow intermediate state table, solves cross-packet detection of protocols, which the traditional DPI lookup technology cannot do.
  • A multi-step algorithm can be used to improve protocol lookup efficiency.
  • The embodiment of the present invention can also add a flow table lookup of the protocol matched by a flow. For a flow whose protocol has already been hit, the DPI lookup does not need to be performed again, and only the corresponding flag needs to be set in the flow table, which greatly improves overall lookup performance.
  • FIG. 5 is a schematic structural diagram of a protocol cross-packet detection apparatus based on deep packet detection according to an embodiment of the present invention, where the apparatus includes:
  • the obtaining unit 51 is configured to acquire a packet of multiple different features in the same stream.
  • the first determining unit 52 is configured to determine whether each message hits a certain rule
  • the second judging unit 53 is configured to judge whether the stream hits a certain protocol according to the hitting rule and the order of the packet if the packet hits a certain rule.
  • the same flow obtained by the obtaining unit 51 may be distinguished by a flow field, which may be one or more of a MAC address, an IP address, or a port number.
  • In most cases, the above packets with different features are distinguished by the packet payload at layer 3 and above, and may be further distinguished by information such as the layer 1 MAC address or the layer 3 IP address.
  • To determine whether each packet hits a certain rule, the first determining unit 52 can perform the lookup with a conventional rule matching engine, for example a deterministic finite automaton (DFA) or a non-deterministic finite automaton (NFA). Multiple packets can enter multiple rule matching engines for parallel lookup and matching to improve matching efficiency.
  • The device may further include a third determining unit 54, configured to: before the first determining unit determines whether each packet hits a certain rule, search the flow table using the identification information of the stream, and determine whether the flow has already hit a certain protocol in the flow table. If no protocol has been hit in the flow table, the first determining unit determines whether each packet hits a certain rule.
  • The second determining unit 53 is specifically configured to sort the hit rules according to the packet order to determine whether the stream hits a certain protocol.
  • When multiple parallel rule matching engines are used to match the packets, the time the rule matching engines take to search and match each packet differs, and the order in which the matching results are output may not be exactly the same as the order in which the packets entered the rule matching engines. In this case, the second determining unit 53 may sort the hit rules according to the packet order to determine whether the stream hits a certain protocol.
  • There are multiple ways for the second determining unit 53 to determine which protocol the rules, sorted by packet order, correspond to. For example, the sorted rules may be compared directly with the preset rule sequences of multiple protocols. If the sorted rules completely match the rule sequence corresponding to one of the protocols, it is determined that the flow matches the protocol corresponding to that rule sequence. As another example, a state jump table may be established for the preset rule sequences of multiple protocols, and the rule sequence matching the sorted rules may be determined according to the state jump table. The state jump table may also be implemented by a conventional rule matching engine, such as a DFA or NFA.
  • The device may also include a search unit 55, configured to use a multi-step algorithm to determine whether the stream hits a certain protocol; the multi-step algorithm may be used to establish a state jump table to determine whether the stream hits a certain protocol. If the stream hits a certain protocol, the hit protocol type is output.
  • A flow table may be saved; the flow table stores whether each flow is known to correspond to a certain protocol, and which protocol it corresponds to.
  • The device may further include a marking unit 56, configured to: if the stream hits a certain protocol, after the hit protocol type is output, set the corresponding flag of the stream in the flow table to valid and record the hit protocol type. When packets of the stream are subsequently received, the protocol cross-packet detection can be omitted and the subsequent service processing can be performed directly.
  • the searching unit 55 of the embodiment of the present invention may use a multi-step algorithm to search to determine whether the stream corresponds to a certain protocol, which may improve the searching efficiency.
  • the searching unit 55 of the embodiment of the present invention can maintain three tables. For details of the table, see Table 1, Table 2, and Table 3 above:
  • The sequence number of the packet in Table 1 can be obtained by the rule matching engine.
  • The original Sn in the flow table can be set to 0.
  • Sn is incremented by 1
  • and provided to the rule matching engine as the sequence number of the packet; as subsequent packets with different features enter,
  • Sn is incremented by 1 each time, and each incremented value of Sn is used in turn as the sequence number of the corresponding subsequent packet.
  • Each flow has its corresponding flow table, and there may be multiple ways to indicate the correspondence between each flow and its flow table. For example, the correspondence between the address of the flow table in memory and the flow field may be established; after a packet is received, the address of the corresponding flow table in memory is obtained according to the flow field.
  • Table 2 shows the flow intermediate state table.
  • The result of matching a packet is the rule number and the sequence number of the packet.
  • The output order of the matching results is the same as the order in which the packets entered the rule matching engine.
  • The packet sequence number need not be allocated, the hit rules need not be sorted by packet order, and the flow intermediate state table need not be maintained; whether the flow hits a certain protocol is determined directly from the matching result output by the rule matching engine.
  • When multiple parallel rule matching engines are used to match packets, the time the rule matching engines take to search and match each packet differs.
  • The order in which the matching results are output may not be exactly the same as the order in which the packets entered the rule matching engines.
  • The flow intermediate state table can be maintained, and the sequence number of each packet and its matching result, that is, the rule number, can be saved in the flow intermediate state table.
  • The hit rules can be sorted according to the packet sequence number; each packet that hits a rule corresponds to a rule number, and the packet sequence number is given by the rule matching engine.
  • The Valid field can be set in the entries of the flow intermediate state table, or a separate sorting flag can be set for the flow intermediate state table.
  • Each entry in the flow intermediate state table includes only the correspondence between the packet sequence number and the rule number.
  • Valid can be set to 0.
  • Valid can be set to 1 for sorting.
  • Table 3 shows the state jump table used for protocol rule matching. It can be used to look up whether the rules, sorted by packet sequence number as described above, match a certain protocol. When another method is used to find which protocol the rules sorted by packet order correspond to, for example when the sorted rules are compared directly with the preset rule sequences of multiple protocols, the state jump table is not required. Because the number of combinations of rule number and current state is usually much larger than the number of protocols (for example, the rule number is 16 bits long and the current state is 8 bits long, 24 bits in total, while the number of protocols is usually about one thousand), a simple linear search is inefficient. In this case, a hash algorithm can be used to search the state jump table.
  • The embodiment of the present invention optimizes the traditional DPI lookup technology and, by means of the flow intermediate state table, solves cross-packet detection of protocols, which the traditional DPI lookup technology cannot do.
  • a matching rule sequence is used to find a matching protocol
  • A multi-step algorithm can be used to improve protocol lookup efficiency.
  • A flow table lookup of the protocol matched by a flow can be added.
  • The DPI lookup is then not required, and only the corresponding flag needs to be set in the flow table, which greatly improves overall lookup performance.
  • The DPI lookup technology of the prior art is relatively simple: it cannot provide cross-packet detection of protocols and can only handle the single-packet, single-rule application scenario.
  • The embodiment of the present invention can perform cross-packet detection of protocols and is applicable to multi-packet, multi-rule application scenarios, with good extensibility and flexibility.
  • the storage medium includes all or part of the above steps, such as: ROM/RAM, magnetic disk, optical disk, and the like.
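
The flow table, flow intermediate state table and hashed state jump table described above, as an added Python example that is not part of the patent text. It replays the application example (packets with sequence numbers 1, 3, 4, 6 hit rules 1, 2, 3, 4 and yield protocol 1); the arrival order, the second protocol, the bucket count, the hash function, the one-rule-per-lookup step and the choice to classify only the gap-free prefix of sequence numbers are assumptions.

```python
from dataclasses import dataclass, field

NO_PROTOCOL = 0   # default protocol number: no protocol hit
START_STATE = 0   # assumed initial state of the state machine
NO_ENTRY = 0      # Next_addr value meaning "no further entry"

@dataclass
class JumpEntry:                      # one entry of the state jump table
    curr_ruleid: int
    curr_state: int
    next_state: int
    protocol: int = NO_PROTOCOL
    next_addr: int = NO_ENTRY         # next entry with the same hash

class StateJumpTable:
    def __init__(self, buckets=4):    # tiny on purpose, to force collisions
        self.buckets = buckets
        self.mem = {}                 # storage address -> JumpEntry
        self.free_addr = buckets + 1  # overflow area for colliding entries
        self.last_state = START_STATE

    def _hash(self, rule_id, state):
        key = ((rule_id & 0xFFFF) << 8) | (state & 0xFF)   # 16 + 8 = 24 bits
        return 1 + key % self.buckets                      # address 0 = NO_ENTRY

    def lookup(self, rule_id, state):
        addr = self._hash(rule_id, state)
        while addr != NO_ENTRY and addr in self.mem:
            entry = self.mem[addr]
            if (entry.curr_ruleid, entry.curr_state) == (rule_id, state):
                return entry
            addr = entry.next_addr    # follow the hash-conflict chain
        return None                   # chain exhausted: the search fails

    def _insert(self, entry):
        addr = self._hash(entry.curr_ruleid, entry.curr_state)
        if addr not in self.mem:
            self.mem[addr] = entry
            return
        while self.mem[addr].next_addr != NO_ENTRY:
            addr = self.mem[addr].next_addr
        self.mem[addr].next_addr = self.free_addr
        self.mem[self.free_addr] = entry
        self.free_addr += 1

    def add_protocol(self, rule_sequence, protocol):
        state = START_STATE
        for i, rule_id in enumerate(rule_sequence):
            entry = self.lookup(rule_id, state)
            if entry is None:         # new branch: allocate the next state
                self.last_state += 1
                entry = JumpEntry(rule_id, state, self.last_state)
                self._insert(entry)
            if i == len(rule_sequence) - 1:
                entry.protocol = protocol
            state = entry.next_state

    def classify(self, ordered_rules):
        state = START_STATE           # rules must already be sorted by Sn
        for rule_id in ordered_rules:
            entry = self.lookup(rule_id, state)
            if entry is None:
                return NO_PROTOCOL
            if entry.protocol != NO_PROTOCOL:
                return entry.protocol          # hit: stop the table lookup
            state = entry.next_state
        return NO_PROTOCOL                     # still in an intermediate state

@dataclass
class Flow:                           # flow table entry + intermediate state table
    sn: int = 0                       # Sn: last sequence number handed out
    valid: bool = False               # Valid: a protocol is already recorded
    protocol: int = NO_PROTOCOL
    results: dict = field(default_factory=dict)   # Sn -> rule number (None: no hit)

def on_engine_result(flow, table, sn, rule_id):
    # Handle one (possibly out-of-order) result from a rule matching engine.
    if flow.valid:                    # flow already identified: skip detection
        return flow.protocol
    flow.results[sn] = rule_id
    ordered, expected = [], 1
    while expected in flow.results:   # assumption: stop at the first missing Sn
        if flow.results[expected] is not None:
            ordered.append(flow.results[expected])
        expected += 1
    protocol = table.classify(ordered)
    if protocol != NO_PROTOCOL:       # write the result back to the flow table
        flow.valid, flow.protocol = True, protocol
    return protocol

def demo():
    table = StateJumpTable()
    table.add_protocol([1, 2, 3, 4], protocol=1)   # from the application example
    table.add_protocol([1, 2, 5], protocol=2)      # constructed second protocol
    flow = Flow(sn=6)                              # six packets numbered 1..6
    arrivals = [(3, 2), (1, 1), (2, None), (6, 4), (4, 3), (5, None)]  # constructed
    return [on_engine_result(flow, table, sn, r) for sn, r in arrivals], flow
```

Classifying only the gap-free prefix of sequence numbers means a result that arrives late from a slower engine is never skipped when the rule order is evaluated.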

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Data Exchanges In Wide-Area Networks

Abstract

Embodiments of the present invention provide a method and device for cross-packet inspection of a protocol based on deep packet inspection. The method for cross-packet inspection of a protocol based on deep packet inspection comprises: acquiring packets having different features in the same stream (101); determining whether each packet hits a certain rule (102); if the packet hits a certain rule, determining, according to the hit rule and the sequence of the packet, whether the stream hits a certain protocol (103). The embodiments of the present invention may perform cross-packet inspection of the protocol, be applicable to a multi-packet multi-rule application scenario, and have desired extensibility and flexibility.

Description

一种基于深度包检测的协议跨包检测方法和装置 本申请要求于 2010年 12月 22日提交中国专利局、 申请号为 201010601625. 5、 发 明名称为"一种基于深度包检测的协议跨包检测方法和装置"的中国专利申请的优先权, 其全部内容通过引用结合在本申请中。 技术领域 本发明涉及深度包检测 (DPI, Deep Packet Inspection) 技术, 尤其涉及一种基于 Method and device for detecting cross-package detection based on deep packet inspection This application claims to be submitted to the Chinese Patent Office on December 22, 2010, and the application number is 201010601625. 5, the invention name is "a protocol based on deep packet inspection. The priority of the Chinese Patent Application, the entire disclosure of which is incorporated herein by reference. TECHNICAL FIELD The present invention relates to Deep Packet Inspection (DPI) technology, and in particular to a method based on
DPI的协议跨包检测方法和装置。 背景技术 对通信设备来说, 利用 DPI开展基于业务控制为基础的精细化管理, 是后续网络发 展的必然选择, 而基于协议的检测技术是当前需要解决的应用技术之一。 例如, 需要对 用户的点对点下载、 即时视频、 即时聊天等业务进行精细化管理。 网络上的协议有些是 靠通信设备之间的报文识别 (例如握手报文)完成的, 这样就不可避免在协议识别的时 候需要将多个握手报文对应的某一个协议识别出来。或者有些场景下在协议识别的时候 需要将存在于多个分片中的某一个协议识别出来。 DPI protocol cross-packet detection method and device. BACKGROUND OF THE INVENTION For communication equipment, the use of DPI to carry out refined management based on service control is an inevitable choice for subsequent network development, and protocol-based detection technology is one of the application technologies currently needed to be solved. For example, it is necessary to fine-tune the user's peer-to-peer download, instant video, live chat and other services. Some protocols on the network are completed by message identification (such as handshake packets) between communication devices. Therefore, it is inevitable to identify a certain protocol corresponding to multiple handshake messages when the protocol is identified. Or in some scenarios, it is necessary to identify one of the multiple fragments in the protocol identification.
传统的硬件 DPI查找是基于 DFA (Deterministic Finite Automaton, 确定性有限自动 机)或非确定性有限自动机(Nondeterministic Finite Automaton, FA)的一种查找技术。 将需要查找的协议拆分为不同的规则, 将这些规则编译为 DFA或 NFA, 硬件用编译好 的 DFA或 FA对待匹配的每个报文进行匹配, 如果匹配中对应的规则, 则认为匹配到 某种协议, 否则认为匹配失败。  The traditional hardware DPI lookup is based on a DFA (Deterministic Finite Automaton) or a non-deterministic Finite Automaton (FA). The protocol to be searched is split into different rules, and the rules are compiled into DFA or NFA. The hardware matches each message to be matched by the compiled DFA or FA. If the corresponding rule is matched, the match is considered to be matched. Some kind of agreement, otherwise the match is considered to have failed.
在实现本发明过程中, 发明人发现现有技术中至少存在如下问题: 现有的 DPI无法 解决协议的跨包检测功能。 发明内容  In the process of implementing the present invention, the inventors have found that at least the following problems exist in the prior art: The existing DPI cannot solve the cross-packet detection function of the protocol. Summary of the invention
本发明实施例提供一种基于深度包检测的协议跨包检测方法和装置, 以进行协议的 跨包检测, 可以适用于多包多规则的应用场景。  The embodiment of the invention provides a cross-packet detection method and a device for detecting a cross-packet based on deep packet inspection, which can be applied to a multi-package and multi-rule application scenario.
一方面, 本发明实施例提供了一种基于深度包检测的协议跨包检测方法, 所述方 法包括: 获取同一流中多个不同特征的报文; 判断每个报文是否命中某一规则; 如果报 文命中某一规则, 则根据命中的规则以及所述报文的顺序判断所述流是否命中某一种协 议。 In one aspect, the embodiment of the present invention provides a protocol cross-packet detection method based on deep packet detection, where the method includes: acquiring packets of different characteristics in the same stream; determining whether each packet hits a certain rule; If newspaper If a certain rule is hit, it is determined according to the rule of the hit and the order of the message whether the stream hits a certain protocol.
另一方面, 本发明实施例提供了一种基于深度包检测的协议跨包检测装置, 所述 装置包括: 获取单元, 用于获取同一流中多个不同特征的报文; 第一判断单元, 用于判 断每个报文是否命中某一规则; 第二判断单元, 用于如果报文命中某一规则, 则根据命 中的规则以及所述报文的顺序判断所述流是否命中某一种协议。  On the other hand, an embodiment of the present invention provides a protocol cross-packet detection apparatus based on deep packet detection, where the apparatus includes: an acquiring unit, configured to acquire a packet of a plurality of different features in the same stream; It is used to determine whether each message hits a certain rule. The second determining unit is configured to determine, if the packet hits a certain rule, whether the stream hits a certain protocol according to the hitting rule and the order of the packet. .
上述技术方案具有如下有益效果: 因为对同一流中多个不同特征的报文分别判断是 否命中规则, 再根据命中的规则以及所述报文的顺序判断所述流是否命中某一种协议, 所以可以进行协议的跨包检测,并适用于多包多规则的应用场景,可扩展性和灵活性好。 附图说明 为了更清楚地说明本发明实施例或现有技术中的技术方案, 下面将对实施例或现有 技术描述中所需要使用的附图作简单地介绍, 显而易见地, 下面描述中的附图仅仅是本 发明的一些实施例, 对于本领域普通技术人员来讲, 在不付出创造性劳动性的前提下, 还可以根据这些附图获得其他的附图。  The foregoing technical solution has the following beneficial effects: because the packets of a plurality of different features in the same stream are respectively determined to be hit rules, and then according to the rules of hitting and the order of the messages, it is determined whether the stream hits a certain protocol, so It can perform cross-packet detection of protocols and is applicable to multi-package and multi-rule application scenarios with good scalability and flexibility. BRIEF DESCRIPTION OF THE DRAWINGS In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings to be used in the embodiments or the description of the prior art will be briefly described below, and obviously, in the following description The drawings are only some of the embodiments of the present invention, and other drawings may be obtained from those skilled in the art without departing from the drawings.
Figure 1 is a flowchart of a cross-packet protocol detection method based on deep packet inspection according to an embodiment of the present invention;
Figure 2 is a schematic diagram of character splitting in the multi-step algorithm according to an embodiment of the present invention;
Figure 3 is a schematic diagram of the tree structure after character decomposition in the multi-step algorithm according to an embodiment of the present invention;
Figure 4 is a flowchart of a cross-packet protocol detection method based on deep packet inspection according to an application example of the present invention;
Figure 5 is a schematic structural diagram of a cross-packet protocol detection apparatus based on deep packet inspection according to an embodiment of the present invention.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on these embodiments without creative effort fall within the protection scope of the present invention.
Figure 1 is a flowchart of a cross-packet protocol detection method based on deep packet inspection according to an embodiment of the present invention. The method includes:
101. Obtain multiple packets with different features in the same flow.
The same flow means the same service and can be identified by flow fields. The flow fields may be one or more of a MAC (Media Access Control) address, an IP address, or a port number. In most cases the packets with different features are distinguished by the packet payload at layer 3 and above; they may additionally be distinguished by information such as the layer 1 MAC address or the layer 3 IP address.
102. Determine whether each packet hits a rule.
Whether a packet hits a rule can be determined by lookup in a conventional rule matching engine, for example a deterministic finite automaton (DFA) or a nondeterministic finite automaton (NFA). Multiple packets can be fed to multiple rule matching engines for parallel lookup to improve matching efficiency.
Optionally, the flow table may be looked up using the flow's identification information (for example an identifier ID or the flow fields) to determine whether the flow has already hit a protocol in the flow table. If the flow table records no hit protocol, each packet is then checked against the rules. If the flow has already hit a protocol in the flow table, the corresponding subsequent service processing is performed directly (for example statistics, traffic management, and other fine-grained network management operations).
103. If a packet hits a rule, determine whether the flow hits a protocol according to the rules that were hit and the order of the packets.
When multiple parallel rule matching engines are used, the engines take different amounts of time to look up each packet, so the order in which match results are output may differ from the order in which the packets entered the engines. In that case the hit rules can be sorted according to the packet order before determining whether the flow hits a protocol.
There are several ways to determine which protocol the rules, sorted by packet order, correspond to. For example, the sorted rules can be compared one by one with the preset rule sequences of multiple protocols; if the sorted rules exactly match the rule sequence of one protocol, the flow that produced the sorted rules is determined to match that protocol. As another example, a state jump table can be built from the preset rule sequences of multiple protocols and used to find the rule sequence that matches the sorted rules; this state jump table can also be implemented by a conventional rule matching engine such as a DFA or NFA. In addition, a multi-step algorithm can be used to build the state jump table for determining whether the flow hits a protocol. If the flow hits a protocol, the hit protocol type is output. Optionally, a flow table can be kept that records, for each flow, whether it is known to correspond to a protocol and which one. After the hit protocol type is output, the flow's flag in the flow table can be set to valid and the hit protocol type recorded; packets of that flow received later can then skip cross-packet protocol detection and go directly to the corresponding subsequent service processing.
Optionally, an embodiment of the present invention may use a multi-step algorithm lookup to determine whether the flow hits a protocol, which improves lookup efficiency. The multi-step algorithm is a multi-pattern exact matching algorithm. Its basic idea is to split the feature string into several substrings by a given step size and to determine the final output state from the transition states of the substrings; that is, the rule sequence is split into several substrings to generate the state jump table. As an example of the multi-step algorithm, Figure 2 is a schematic diagram of character splitting in the multi-step algorithm according to an embodiment of the present invention, and Figure 3 is a schematic diagram of the tree structure after character decomposition. The start state is always q0; as different characters are input, the machine passes through intermediate states and jumps to different states, where S1 to S6 are output states, that is, the final matching states.
Optionally, an embodiment of the present invention may maintain three tables, whose contents are as follows:
1) The flow table, which maintains the protocol hit flag of a flow together with the packet sequence number and the protocol type; see Table 1 below.
When the flow table is not used to determine whether the flow has already hit a protocol, the Valid field and the protocol field may be omitted. When multiple parallel rule matching engines are not used, packet sequence numbers need not be assigned and the Sn field may be omitted.
The packet sequence number is made available to the rule matching engine. For example, the initial Sn in the flow table may be set to 0. When the first packet arrives, Sn is incremented by 1 and the value 1 is given to the rule matching engine as that packet's sequence number. As further packets with different features arrive in turn, Sn is incremented by 1 each time, and each incremented value is used as the sequence number of the corresponding packet.
Each flow has its own flow table, and the correspondence between flows and flow tables can be expressed in several ways. For example, a mapping can be established between the flow fields and the address of the flow table in memory, so that when a packet is received the address of its flow table is obtained from the flow fields. Alternatively, each flow can be assigned an identifier (ID) that is recorded in the corresponding flow table; when a packet is received, the identifier is obtained from the flow fields and the flow table is looked up by that identifier. The flow fields can also be recorded in the flow table itself, so that the flow table is looked up directly by the flow fields of a received packet.
2) The flow intermediate state table, which maintains the correspondence between each packet and the rule it hit; see Table 2 below.
Table 2 Flow intermediate state table
After the rule matching engine has matched a packet, it outputs the match result, that is, the rule number, together with the packet's sequence number. When multiple parallel rule matching engines are not used, match results are output in the same order in which the packets entered the engine. In that case no packet sequence numbers need to be assigned, the hit rules need not be sorted by packet order, no flow intermediate state table needs to be maintained, and whether the flow hits a protocol is determined directly from the match results output by the engine.
When multiple parallel rule matching engines are used, the engines take different amounts of time to look up each packet, so the order in which match results are output may differ from the order in which the packets entered the engines. In that case the flow intermediate state table can be maintained, storing each packet's sequence number and its match result, that is, the rule number. Using this table, the hit rules can be sorted by packet sequence number; each packet that hits a rule corresponds to a different rule number, and the packet sequence number is given by the rule matching engine. The Valid field may be part of each entry of the flow intermediate state table, or a single separate sorting flag may be set for the table, in which case each entry contains only the correspondence between packet sequence number and rule number. While the rule matching engines still have packets whose lookup has not finished, Valid can be set to 0; once all packets of the flow have finished lookup, Valid can be set to 1 so that sorting takes place. After the hit rules have been sorted by packet sequence number, it can be determined whether the flow hits a protocol.
3) The state jump table used for protocol rule matching. After the hit rules have been sorted by packet sequence number as described above, this table is searched to find whether they match a protocol; see Table 3 below, the state jump table.
Table 3 State jump table
When another method is used to determine which protocol the sorted rules correspond to, for example comparing the sorted rules one by one with the preset rule sequences of multiple protocols, the state jump table is not needed.
Notes on Table 3:
Valid: entry-valid flag, indicating whether the entry has been initialized. The rest of the entry is meaningful only when the entry is valid. The flag protects the entry contents and prevents abnormal lookups on entries that have not been initialized; it may be omitted.
Curr_ruleid: current rule number, compared with the state machine's current rule number.
Next_addr: when the Curr_ruleid or Curr_state match fails, that is, Curr_ruleid does not match the state machine's current rule number or Curr_state does not match the state machine's current state, the next entry is looked up according to Next_addr. If there is no next entry, the field holds a specific value, for example 0, indicating that the lookup failed.
Protocol: protocol number. If a protocol is hit, this is the corresponding protocol number; a default value, for example 0, means that no protocol is hit.
Curr_state: current state, compared with the state machine's current state.
Next_state: next state to jump to. When Curr_ruleid and Curr_state both match and the protocol number is the default value (a non-default value means a protocol has already been hit and the table lookup can stop), the next state stored here is taken as the state machine's current state, that is, the state machine moves to Next_state and the next lookup is performed, until a protocol is hit.
The number of rule number and current state combinations is usually far larger than the number of protocols: for example, a 16-bit rule number and an 8-bit current state give 24 bits in total, while there are usually about a thousand protocols. A simple linear search is therefore inefficient, and a hash algorithm can be used to search the state jump table instead. For example, when the state jump table is set up, Curr_ruleid and Curr_state of each entry are hashed and the hash result is used as the storage address of that entry; when hashes collide, Next_addr gives the storage address of another entry that collides with this one. When the state jump table is searched, the state machine's current rule number and current state are hashed and the entry stored at the resulting address is read. If Curr_ruleid and Curr_state match, the protocol number is output or the state transition is performed. If Curr_ruleid or Curr_state does not match, the other colliding entries are searched by following Next_addr. If all colliding entries have been searched without finding a match, the lookup fails.
This example covers the whole processing flow:
A specific example is described below, for one and the same flow:
Figure 4 is a flowchart of a cross-packet protocol detection method based on deep packet inspection according to an application example of the present invention. The method includes:
401. Obtain packet 1 to be inspected;
402. Look up the flow table (the flow table entry is invalid at this point; no protocol has been hit yet);
403. Flow table miss;
404. Perform rule lookup;
405. Rule 1 is hit;
406. Sort the packets (sorting is per service; at this point there is only packet 1);
407. The multi-step algorithm lookup misses;
408. Perform subsequent processing;
409. Obtain packet 2 to be inspected;
410. Look up the flow table (the flow table entry is invalid at this point; no protocol has been hit yet);
411. Flow table miss;
412. Perform rule lookup;
413. No rule is hit;
414. Perform subsequent processing;
415. Obtain packet 3 to be inspected;
416. Look up the flow table (the flow table entry is invalid at this point; no protocol has been hit yet);
417. Flow table miss;
418. Perform rule lookup;
419. Rule 2 is hit;
420. Sort the packets (sorting is per service; the sorted packets are 1, 3 and the corresponding rules are 1, 2);
421. The multi-step algorithm lookup misses;
422. Perform subsequent processing;
423. Obtain packet 4 to be inspected;
424. Look up the flow table (the flow table entry is invalid at this point; no protocol has been hit yet);
425. Flow table miss;
426. Perform rule lookup;
427. Rule 3 is hit;
428. Sort the packets (sorting is per service; the sorted packets are 1, 3, 4 and the corresponding rules are 1, 2, 3);
429. The multi-step algorithm lookup misses;
430. Perform subsequent processing;
431. Obtain packet 5 to be inspected;
432. Look up the flow table (the flow table entry is invalid at this point; no protocol has been hit yet);
433. Flow table miss;
434. Perform rule lookup;
435. No rule is hit;
436. Perform subsequent processing;
437. Obtain packet 6 to be inspected;
438. Look up the flow table (the flow table entry is invalid at this point; no protocol has been hit yet);
439. Flow table miss;
440. Perform rule lookup;
441. Rule 4 is hit;
442. Sort the packets (sorting is per service; the sorted packets are 1, 3, 4, 6 and the corresponding rules are 1, 2, 3, 4);
443. The multi-step algorithm lookup hits; output the hit protocol 1 and write back the flow table, changing its invalid flag to valid;
444. Perform subsequent processing;
445. Obtain the subsequent packets to be inspected;
446. Look up the flow table (the flow table entry is valid at this point; a protocol has been hit);
447. The flow table entry is valid; subsequent packets skip rule lookup, sorting, and the multi-step algorithm lookup, and go directly to the related service processing;
448. Perform subsequent processing.
In the above, it must be determined for one service (that is, one flow) whether a protocol is hit. Six packets with different features are extracted from the flow, and each of the six is checked against the rules: for example, packet 1 hits rule 1, packet 3 hits rule 2, packet 4 hits rule 3, and packet 6 hits rule 4. The hit rules are then sorted according to packet order, for example into rule 1, rule 2, rule 3, rule 4, and this ordered sequence is matched against the protocols to determine whether the flow hits a protocol. For example, when the detected sequence rule 1, rule 2, rule 3, rule 4 hits protocol 1, the service is considered to hit protocol 1.
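The flow of Figure 4, with match results returned out of order by parallel engines, can be traced in code. The following Python sketch is an added example, not code from the patent: it combines the flow table (Valid, Protocol, Sn), the flow intermediate state table (Sn to rule number), and a hashed state jump table with Next_addr collision chaining. The hash function, the table size of 4, start state 0, the second rule sequence (1, 2, 4) for protocol 2, and the pending-set bookkeeping are assumptions made for illustration.

```python
from dataclasses import dataclass, field

NO_PROTOCOL = 0   # default Protocol value: no protocol hit
NO_NEXT = 0       # Next_addr value meaning "no further colliding entry"
START_STATE = 0   # assumed initial state of the state machine

@dataclass
class JumpEntry:              # one row of the state jump table (Table 3 fields)
    valid: bool = False
    curr_ruleid: int = 0
    curr_state: int = 0
    next_state: int = 0
    protocol: int = NO_PROTOCOL
    next_addr: int = NO_NEXT

class StateJumpTable:
    def __init__(self, size=4):           # tiny on purpose so entries collide
        self.size = size
        # address 0 is never used, so Next_addr == 0 can mean "end of chain"
        self.entries = [JumpEntry() for _ in range(size + 1)]
        self.states = START_STATE

    def addr(self, ruleid, state):
        # assumed hash: 16-bit rule number and 8-bit state folded into 1..size
        return 1 + (((ruleid << 8) | state) % self.size)

    def lookup(self, ruleid, state):
        addr = self.addr(ruleid, state)
        while True:
            e = self.entries[addr]
            if not e.valid:
                return None
            if e.curr_ruleid == ruleid and e.curr_state == state:
                return e
            if e.next_addr == NO_NEXT:     # chain exhausted: lookup fails
                return None
            addr = e.next_addr

    def _insert(self, entry):
        addr = self.addr(entry.curr_ruleid, entry.curr_state)
        if not self.entries[addr].valid:
            self.entries[addr] = entry
            return entry
        while self.entries[addr].next_addr != NO_NEXT:
            addr = self.entries[addr].next_addr
        self.entries.append(entry)         # overflow slot for the collision
        self.entries[addr].next_addr = len(self.entries) - 1
        return entry

    def add_sequence(self, rules, protocol):
        state = START_STATE
        for i, ruleid in enumerate(rules):
            last = i == len(rules) - 1
            e = self.lookup(ruleid, state)
            if e is None:
                if not last:
                    self.states += 1
                e = self._insert(JumpEntry(True, ruleid, state,
                                           0 if last else self.states,
                                           protocol if last else NO_PROTOCOL))
            elif last or e.protocol != NO_PROTOCOL:
                raise ValueError("one rule sequence is a prefix of another")
            state = e.next_state

    def classify(self, ordered_rules):
        state = START_STATE
        for ruleid in ordered_rules:
            e = self.lookup(ruleid, state)
            if e is None:
                return NO_PROTOCOL
            if e.protocol != NO_PROTOCOL:  # protocol hit: stop the table walk
                return e.protocol
            state = e.next_state
        return NO_PROTOCOL

@dataclass
class Flow:
    valid: bool = False                          # flow table: protocol already hit
    protocol: int = NO_PROTOCOL
    sn: int = 0                                  # last assigned sequence number
    hits: dict = field(default_factory=dict)     # intermediate table: Sn -> rule
    pending: set = field(default_factory=set)    # Sn still inside an engine

def dispatch(flow):
    flow.sn += 1
    flow.pending.add(flow.sn)
    return flow.sn

def report(flow, table, sn, ruleid):
    if flow.valid:                     # later packets skip detection entirely
        return flow.protocol
    flow.pending.discard(sn)
    if ruleid is not None:
        flow.hits[sn] = ruleid
    if flow.pending:                   # sort only once every result is back
        return NO_PROTOCOL
    proto = table.classify([flow.hits[s] for s in sorted(flow.hits)])
    if proto != NO_PROTOCOL:
        flow.valid, flow.protocol = True, proto   # write back the flow table
    return proto

def demo():
    table = StateJumpTable()
    table.add_sequence([1, 2, 3, 4], protocol=1)
    table.add_sequence([1, 2, 4], protocol=2)     # constructed second protocol
    flow = Flow()
    # constructed results: packets 1, 3, 4, 6 hit rules 1, 2, 3, 4
    result = {1: 1, 2: None, 3: 2, 4: 3, 5: None, 6: 4}
    for _ in range(6):
        dispatch(flow)
    out = [report(flow, table, sn, result[sn]) for sn in (6, 3, 1, 2, 5, 4)]
    return table, flow, out

if __name__ == "__main__":
    print(demo()[2])
```

Without the pending check, evaluating after packet 1's result arrives would sort the partial hits into rules 1, 2, 4 and report the constructed protocol 2 instead of protocol 1.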
The embodiments of the present invention optimize conventional DPI lookup: on top of conventional DPI lookup, the rules corresponding to the packets are sorted according to the flow intermediate state table, which solves cross-packet detection of protocols. In addition, when the sorted rule sequence is used to find a matching protocol, a multi-step algorithm can be used to improve protocol lookup efficiency. The embodiments can also add a flow table that records the matched protocol of a flow; for a flow that has already hit a protocol, subsequent packets need no DPI lookup and the flow table only needs to be marked with the corresponding label, which greatly improves overall lookup performance. Prior-art DPI lookup is relatively limited: it cannot perform cross-packet detection of protocols and can only handle the simple single-packet, single-rule scenario. The embodiments of the present invention can perform cross-packet detection of protocols, apply to multi-packet, multi-rule scenarios, and offer good scalability and flexibility.
Corresponding to the above method embodiment, Figure 5 is a schematic structural diagram of a cross-packet protocol detection apparatus based on deep packet inspection according to an embodiment of the present invention. The apparatus includes:
an obtaining unit 51, configured to obtain multiple packets with different features in the same flow;
a first determining unit 52, configured to determine whether each packet hits a rule;
a second determining unit 53, configured to determine, if a packet hits a rule, whether the flow hits a protocol according to the rules that were hit and the order of the packets.
The same flow obtained by the obtaining unit 51 means the same service and can be identified by flow fields. The flow fields may be one or more of a MAC address, an IP address, or a port number. In most cases the packets with different features are distinguished by the packet payload at layer 3 and above; they may additionally be distinguished by information such as the layer 1 MAC address or the layer 3 IP address.
The first determining unit 52 can determine whether each packet hits a rule by lookup in a conventional rule matching engine, for example a deterministic finite automaton (DFA) or a nondeterministic finite automaton (NFA). Multiple packets can be fed to multiple rule matching engines for parallel lookup to improve matching efficiency.
Optionally, the apparatus may further include a third determining unit 54, configured to look up the flow table using the flow's identification information before the first determining unit determines whether each packet hits a rule, and to determine whether the flow has already hit a protocol in the flow table; if the flow table records no hit protocol, the first determining unit then determines whether each packet hits a rule.
Optionally, the second determining unit 53 is specifically configured to sort the hit rules according to the packet order in order to determine whether the flow hits a protocol.
When the second determining unit 53 uses multiple parallel rule matching engines to match packets, the engines take different amounts of time to look up each packet, so the order in which match results are output may differ from the order in which the packets entered the engines. In that case the second determining unit 53 can sort the hit rules according to the packet order before determining whether the flow hits a protocol.
The second determining unit 53 can determine in several ways which protocol the rules, sorted by packet order, correspond to. For example, the sorted rules can be compared one by one with the preset rule sequences of multiple protocols; if the sorted rules exactly match the rule sequence of one protocol, the flow that produced the sorted rules is determined to match that protocol. As another example, a state jump table can be built from the preset rule sequences of multiple protocols and used to find the rule sequence that matches the sorted rules; this state jump table can also be implemented by a conventional rule matching engine such as a DFA or NFA. In addition, optionally, the apparatus may further include a lookup unit 55, configured to use a multi-step algorithm lookup to determine whether the flow hits a protocol; a multi-step algorithm can be used to build the state jump table for this purpose. If the flow hits a protocol, the hit protocol type is output. Optionally, a flow table can be kept that records, for each flow, whether it is known to correspond to a protocol and which one. Optionally, the apparatus may further include a marking unit 56, configured to, if the flow hits a protocol, set the flow's flag in the flow table to valid after the hit protocol type is output and record the hit protocol type; packets of that flow received later can then skip cross-packet protocol detection and go directly to the corresponding subsequent service processing.
可选的, 本发明实施例查找单元 55可以利用多步长算法查找以判断所述流是否对 应命中某一种协议可以提高查找效率。 可选的, 本发明实施例查找单元 55 可以维护 3 个表, 表的具体内容见上述表 1、 表 2和表 3 :  Optionally, the searching unit 55 of the embodiment of the present invention may use a multi-step algorithm to search to determine whether the stream corresponds to a certain protocol, which may improve the searching efficiency. Optionally, the searching unit 55 of the embodiment of the present invention can maintain three tables. For details of the table, see Table 1, Table 2, and Table 3 above:
表 1中的报文的序列号可以供规则匹配引擎获取。 例如, 可以将流表中原始 Sn置 为 0, 当进来第一个报文时, 将 Sn加 1, 即将 1作为该报文的报文序列号提供给规则匹 配引擎, 后续再依次进来不同特征的报文, 则 Sn再依次加 1, 并将加 1后的 Sn值依次 作为后续不同特征报文的报文序列号。 每个流有其对应的流表, 可以有多种方式表明各 个流与流表的对应关系, 例如, 可以建立流表在存储器中的地址与流字段的对应关系, 当接收到报文后根据流字段得到对应的流表在存储器中的地址。也可以为每个流分配相 应的标识 ID, 并在对应的流表中记录该标识, 当接收到报文后根据流字段得到对应的标 识, 根据该标识查找相应的流表。 还可以在流表中记录对应流的流字段, 当接收到报文 后根据流字段查找相应的流表。  The sequence number of the message in Table 1 can be obtained by the rule matching engine. For example, the original Sn in the flow table can be set to 0. When the first packet is received, Sn is incremented by 1, and the sequence number of the message as the message is provided to the rule matching engine, and subsequent features are successively entered. For the message, Sn is added 1 in turn, and the value of Sn after adding 1 is sequentially used as the sequence number of the message of the subsequent different feature messages. Each flow has its corresponding flow table, and there may be multiple ways to indicate the corresponding relationship between each flow and the flow table. For example, the correspondence between the address of the flow table in the memory and the flow field may be established, and after receiving the message, according to The stream field gets the address of the corresponding stream table in memory. You can also assign a corresponding ID to each stream, and record the identifier in the corresponding flow table. After receiving the packet, the corresponding identifier is obtained according to the flow field, and the corresponding flow table is searched according to the identifier. The flow field of the corresponding stream may also be recorded in the flow table, and after receiving the message, the corresponding flow table is searched according to the flow field.
Table 2 is the flow intermediate state table. After the rule matching engine has matched a packet, it outputs the match result, that is, the rule number, together with the packet's sequence number. When packets are not matched by multiple parallel rule matching engines, match results are output in the same order in which the packets entered the engine. In that case no packet sequence numbers need to be assigned, the hit rules do not have to be sorted by packet order, and no flow intermediate state table has to be maintained; whether the flow hits a certain protocol is determined directly from the match results output by the engine. When multiple parallel rule matching engines are used, the time spent on lookup and matching differs from packet to packet, so match results may be output in an order that is not exactly the order in which the packets entered the engines. In that case a flow intermediate state table can be maintained, and the sequence number of each packet and its match result (the rule number) are stored in it. Using this table, the rules hit by the packets can be sorted by packet sequence number. Each packet that hits a rule corresponds to a different rule number, and the packet sequence number is given by the rule matching engine. The Valid field can be part of each entry of the flow intermediate state table, or a single sorting flag can be set for the table as a whole, in which case each entry contains only the correspondence between packet sequence number and rule number. While the rule matching engine still has packets whose lookup and matching are not finished, Valid can be set to 0; once lookup and matching have finished for all packets of the flow, Valid can be set to 1 so that sorting can proceed. After the hit rules have been sorted by packet sequence number, it can be determined whether the flow hits a certain protocol.
Table 3 is the state jump table used for protocol rule matching. After the hit rules have been sorted by packet sequence number as described above, this table is used to look up whether a certain protocol is matched. When another method is used to determine which protocol the sorted rules correspond to, for example comparing the sorted rules one by one against the preset rule sequences of multiple protocols, the state jump table is not needed. The number of rule numbers and current states is usually far larger than the number of protocols: for example, the rule number is 16 bits long and the current state 8 bits long, 24 bits in total, while the number of protocols is usually around one thousand, so a simple linear search is inefficient. A hash algorithm can therefore be used to look up the state jump table. For example, when the state jump table is set up, the Curr_rule id and Curr_state of each entry are hashed and the hash result is used as the storage address of that entry; when a hash collision occurs, Next_addr indicates the storage address of another entry that collides with this entry. When the state jump table is looked up, the state machine's current rule number and current state are hashed and the entry stored at the resulting address is fetched. If Curr_rule id and Curr_state both match, the protocol number is output or a state transition is performed. If Curr_rule id or Curr_state does not match, the other colliding entries are searched by following Next_addr. If all colliding entries have been searched and no matching entry has been found, the lookup fails.
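The reordering step of Table 2 and the hashed, chained lookup of Table 3 can be seen working together in the following added example, which is not code from the patent. The hash function, the table size, the initial state 0, the `NO_PROTOCOL` sentinel and all rule and protocol numbers are assumptions chosen so that collisions occur.

```python
from dataclasses import dataclass
from typing import Optional

TABLE_SIZE = 7     # assumed; tiny on purpose so that hash collisions occur
NO_PROTOCOL = 0    # assumed sentinel: entry is a transition, not a final match

@dataclass
class Entry:
    curr_rule_id: int                 # 16-bit rule number
    curr_state: int                   # 8-bit current state
    next_state: int
    protocol: int                     # protocol number or NO_PROTOCOL
    next_addr: Optional[int] = None   # address of the next colliding entry

def slot(rule_id: int, state: int) -> int:
    """Hash the 24-bit (rule id, state) key to a storage address (assumed hash)."""
    return ((rule_id << 8) | state) % TABLE_SIZE

def build_table(transitions):
    mem = [None] * TABLE_SIZE         # hash-addressed slots; overflow is appended
    for rule_id, state, next_state, protocol in transitions:
        entry, addr = Entry(rule_id, state, next_state, protocol), slot(rule_id, state)
        if mem[addr] is None:
            mem[addr] = entry
            continue
        while mem[addr].next_addr is not None:   # walk to the end of the chain
            addr = mem[addr].next_addr
        mem.append(entry)
        mem[addr].next_addr = len(mem) - 1
    return mem

def lookup(mem, rule_id, state):
    addr = slot(rule_id, state)
    while addr is not None and mem[addr] is not None:
        entry = mem[addr]
        if (entry.curr_rule_id, entry.curr_state) == (rule_id, state):
            return entry
        addr = entry.next_addr        # follow Next_addr to the colliding entry
    return None                       # chain exhausted: lookup fails

def classify(mem, results, reorder=True):
    """results: (packet sequence number, rule number) in engine output order."""
    state = 0
    for _sn, rule_id in (sorted(results) if reorder else results):
        entry = lookup(mem, rule_id, state)
        if entry is None:
            return None
        if entry.protocol != NO_PROTOCOL:
            return entry.protocol
        state = entry.next_state
    return None

# Constructed sample: protocol 7 = rules 0x0101,0x0202,0x0303; protocol 9 = 0x0202,0x0101
TABLE = build_table([(0x0101, 0, 1, 0), (0x0202, 1, 2, 0), (0x0303, 2, 0, 7),
                     (0x0202, 0, 3, 0), (0x0101, 3, 0, 9)])
ENGINE_OUTPUT = [(2, 0x0202), (1, 0x0101), (3, 0x0303)]   # packet 2 finished first
```

With `reorder=False` the same engine output walks the table in arrival order and is classified as protocol 9 instead of 7, which is the misidentification the sequence-number sort prevents.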
This embodiment of the present invention optimizes conventional DPI lookup: on top of conventional DPI lookup, the rules hit by the packets are sorted according to the flow intermediate state table, which provides cross-packet detection of protocols. In addition, when the sorted rule sequence is used to look up the matching protocol, a multi-step algorithm can be used to improve protocol lookup efficiency. The embodiment can also add a flow table lookup for the protocol matched by a flow: once a flow has hit a protocol, subsequent packets of that flow need no DPI lookup, and only the corresponding label has to be set in the flow table, which greatly improves overall lookup performance. Prior-art DPI lookup is relatively limited: it cannot perform cross-packet detection of protocols and handles only the single-packet, single-rule scenario. This embodiment can perform cross-packet detection of protocols, is suitable for multi-packet, multi-rule scenarios, and offers good scalability and flexibility.
A person of ordinary skill in the art can understand that all or some of the steps of the methods in the above embodiments can be carried out by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, performs all or some of the above steps. The storage medium is, for example, ROM/RAM, a magnetic disk or an optical disc.
The specific embodiments described above further explain the objectives, technical solutions and beneficial effects of the present invention in detail. It should be understood that the foregoing is merely specific embodiments of the present invention and is not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. A method for cross-packet detection of a protocol based on deep packet inspection, wherein the method comprises: acquiring multiple packets with different features in the same flow;
determining whether each packet hits a certain rule;
if a packet hits a certain rule, determining, according to the hit rules and the order of the packets, whether the flow hits a certain protocol.
2. The method according to claim 1, wherein determining, according to the hit rules and the order of the packets, whether the flow hits a certain protocol comprises sorting the hit rules according to the packet order, so as to determine whether the flow hits a certain protocol.
3. The method according to claim 1, wherein before determining whether each packet hits a certain rule, the method further comprises:
looking up the flow table by using the identification information of the flow, and determining whether the flow has already hit a certain protocol in the flow table; if there is no hit protocol in the flow table, then determining whether each packet hits a certain rule.
4. The method according to claim 1, wherein determining whether the flow hits a certain protocol comprises:
searching by using a multi-step algorithm to determine whether the flow hits a certain protocol.
5. The method according to claim 2, wherein after determining whether the flow hits a certain protocol, the method further comprises: if the flow hits a certain protocol, outputting the hit protocol type, setting the corresponding flag of the flow in the flow table to valid, and recording the hit protocol type.
6. An apparatus for cross-packet detection of a protocol based on deep packet inspection, wherein the apparatus comprises: an acquiring unit, configured to acquire multiple packets with different features in the same flow;
a first determining unit, configured to determine whether each packet hits a certain rule;
a second determining unit, configured to, if a packet hits a certain rule, determine, according to the hit rules and the order of the packets, whether the flow hits a certain protocol.
7. The apparatus according to claim 6, wherein
the second determining unit is specifically configured to sort the hit rules according to the packet order, so as to determine whether the flow hits a certain protocol.
8. The apparatus according to claim 6, wherein the apparatus further comprises:
a third determining unit, configured to, before the first determining unit determines whether each packet hits a certain rule, look up the flow table by using the identification information of the flow and determine whether the flow has already hit a certain protocol in the flow table; if there is no hit protocol in the flow table, the first determining unit then determines whether each packet hits a certain rule.
9. The apparatus according to claim 6, wherein the apparatus further comprises:
a searching unit, configured to search by using a multi-step algorithm to determine whether the flow hits a certain protocol.
10. The apparatus according to claim 6, wherein the apparatus further comprises:
a marking unit, configured to, if the flow hits a certain protocol, output the hit protocol type, set the corresponding flag of the flow in the flow table to valid, and record the hit protocol type.
PCT/CN2011/080798 2010-12-22 2011-10-14 Method and device for cross-packet inspection of protocol based on deep packet inspection WO2012083748A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010601625.5A CN102143151B (en) 2010-12-22 2010-12-22 Deep packet inspection based protocol packet spanning inspection method and deep packet inspection based protocol packet spanning inspection device
CN201010601625.5 2010-12-22

Publications (1)

Publication Number Publication Date
WO2012083748A1 true WO2012083748A1 (en) 2012-06-28

Family

ID=44410376

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/080798 WO2012083748A1 (en) 2010-12-22 2011-10-14 Method and device for cross-packet inspection of protocol based on deep packet inspection

Country Status (2)

Country Link
CN (1) CN102143151B (en)
WO (1) WO2012083748A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143151B (en) * 2010-12-22 2014-01-08 华为技术有限公司 Deep packet inspection based protocol packet spanning inspection method and deep packet inspection based protocol packet spanning inspection device
CN103236940A (en) * 2013-03-29 2013-08-07 北京星网锐捷网络技术有限公司 Method and device for content processing and network equipment
CN106161479B (en) * 2016-09-21 2019-06-07 杭州迪普科技股份有限公司 A kind of coding attack detection method and device of the supported feature across packet
CN113905411B (en) * 2021-10-28 2023-05-02 中国联合网络通信集团有限公司 Detection method, device, equipment and storage medium for deep packet inspection identification rule
CN115278684B (en) * 2022-07-26 2024-02-13 上海欣诺通信技术股份有限公司 5G signaling attack monitoring method and device based on DPI technology

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1980240A (en) * 2006-12-08 2007-06-13 杭州华为三康技术有限公司 Data-flow mode matching method and apparatus
CN101252444A (en) * 2008-04-03 2008-08-27 华为技术有限公司 Method and apparatus for checking message characteristic
CN102143151A (en) * 2010-12-22 2011-08-03 华为技术有限公司 Deep packet inspection based protocol packet spanning inspection method and deep packet inspection based protocol packet spanning inspection device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101035131A (en) * 2007-02-16 2007-09-12 杭州华为三康技术有限公司 Protocol recognition method and device
CN102082762A (en) * 2009-11-30 2011-06-01 华为技术有限公司 Protocol identification method and device and system for same

Also Published As

Publication number Publication date
CN102143151A (en) 2011-08-03
CN102143151B (en) 2014-01-08

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11851325

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11851325

Country of ref document: EP

Kind code of ref document: A1