Detailed description of embodiments
Exemplary embodiments will be described in detail here, with examples illustrated in the accompanying drawings. In the following description, unless otherwise indicated, the same numerals in different drawings denote the same or similar elements. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; rather, they are merely examples of apparatus and methods consistent with some aspects of the invention as detailed in the appended claims.
The terminology used in the present invention is for the purpose of describing particular embodiments only and is not intended to limit the invention. The singular forms "a", "said" and "the" used in the present invention and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in the present invention to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the invention, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on context, the word "if" as used herein may be construed as "when", "upon" or "in response to determining".
Fig. 1 is a network architecture diagram to which the feature information extraction method provided by the present invention is applicable. As shown in Fig. 1, the network architecture includes a client 11, a security device 12, a service device 13 and a management device 14. The client 11 is installed on a personal computer (PC); it may also be installed on a terminal device such as a mobile phone, a tablet computer or a smart watch. The security device 12 is a device with a security protection function. The service device 13 is a server that provides a business service to the client 11, for example a server providing an instant messaging service. The management device 14 simulates the user behaviour produced by the client 11, extracts feature information from the service traffic, and uploads the feature information to the security device 12, so that the security device 12 can, based on the feature information, identify behaviour produced by the client 11 that carries the same feature information and then take a preset action on that behaviour, such as intercepting it or letting it pass. In another embodiment scenario, the management device 14 may also upload the extracted feature information to a web page, providing a download service for devices that need to download and configure the feature information.
Generally, the management device 14 determines one of two or more messages to be extracted as a benchmark message, where every one of the two or more messages to be extracted has the same message type; message types include Hypertext Transfer Protocol (HTTP) messages, Transmission Control Protocol (TCP) messages, User Datagram Protocol (UDP) messages and so on. The management device 14 determines the field information in a first preset field of the benchmark message as benchmark field information; the length of the first preset field is not limited here. Based on a preset matching rule, the management device 14 matches the field information in a second preset field of each message to be extracted other than the benchmark message against the benchmark field information, the second preset field having the same length as the first preset field. The preset matching rule differs for different message types. For HTTP messages, the key field information is carried in the HTTP header fields, and usually only the presence of feature information in the header fields is of concern, so the preset matching rule matches the field information in the HTTP header fields. For TCP messages and UDP messages, features must be looked up in the full content of the message, so the preset matching rule matches the whole message. When the number of successful matches is greater than or equal to a preset matching threshold, field information identical to the benchmark field information occurs frequently and the traffic is very likely traffic of the same business service, so the management device 14 determines the benchmark field information as feature information. With the embodiment of the present invention, when a large amount of feature information needs to be extracted, the time consumed by the extraction process is reduced, loss of target feature information and false extraction of non-target feature information caused by improper extraction are avoided, and the accuracy of feature information extraction is improved.
To describe the present invention further, the following examples are provided:
Fig. 2 is a flowchart of an embodiment of the feature information extraction method provided by the present invention, described by way of example with reference to Fig. 1. As shown in Fig. 2, the method comprises the following steps:
Step 201: determine one of two or more messages to be extracted as a benchmark message, the message type of each of the two or more messages to be extracted being the same.
Step 202: determine the field information in a first preset field of the benchmark message as benchmark field information.
Step 203: based on a preset matching rule, match the field information in a second preset field of each message to be extracted other than the benchmark message against the benchmark field information.
Step 204: when the number of successful matches is greater than or equal to a preset matching threshold, determine feature information based on the benchmark field information.
Optionally, step 200 (not shown in the figure) may be performed before steps 201 to 204.
Step 200: determine the two or more messages to be extracted based on a type identifier, the type identifier marking one message type.
Optionally, steps 205 and 206 (not shown in the figure) may be performed in addition to steps 201 to 204.
Step 205: determine storage location information of the feature information.
Step 206: based on a first preset display rule, display the storage location information of the feature information and the length information of the first preset field.
Optionally, step 207 (not shown in the figure) may be performed in addition to steps 201 to 204.
Step 207: based on a second preset display rule, display the feature information.
In step 201, in one embodiment, the management device 14 acquires two or more messages to be extracted, each of which has the same message type; message types include HTTP messages, TCP messages, UDP messages and so on. How the management device 14 acquires the two or more messages is described under step 200 or under the corresponding steps of Fig. 3 and is not repeated here. The management device 14 determines one of the acquired messages as the benchmark message. Those skilled in the art will appreciate that an upper limit may generally be set on the number of messages the management device 14 acquires, for example 40 HTTP messages passing through the network interface card. These 40 HTTP messages may include both transmission directions: HTTP request messages sent by the management device 14 towards the service device 13 and HTTP response messages returned by the service device 13 towards the management device 14. Because service traffic at the initial stage of an interaction carries the information the two sides negotiate with each other, choosing messages from the initial stage of the interaction makes it easier to extract feature information quickly and accurately.
In step 202, in one embodiment, the management device 14 determines the field information in the first preset field of the benchmark message as benchmark field information. Neither the length of the first preset field nor its position within the benchmark message is limited here. Specifically, taking the benchmark message to be an HTTP message as an example, the first preset field is the first 10 bytes of the HTTP message and the field information in it is, for example, "GET/1qqad"; the benchmark field information is then "GET/1qqad", where "qq" may denote service traffic produced by a certain instant messaging application.
In step 203, in one embodiment, based on the preset matching rule, the management device 14 matches the field information in the second preset field of each message to be extracted other than the benchmark message against the benchmark field information; during matching, the comparison proceeds continuously from left to right. The preset matching rule differs for different message types. For HTTP messages, the key field information is carried in the HTTP header fields and usually only the presence of feature information in the header fields is of concern, so the preset matching rule matches the field information in the HTTP header fields. For TCP messages and UDP messages, features must be looked up in the full content of the message, so the preset matching rule matches the whole message. In addition, the preset matching rule may specify which character types take part in the matching, character types including digits, letters, symbols and so on. Continuing the example of step 202, suppose there are 5 further messages to be extracted besides the benchmark message. The second preset field of each of these 5 messages is its first 10 bytes, and the field information in those 10 bytes is "GET/2qqcr", "GET/3qqwe", "GET/4qqkk", "GET/5qqaw" and "GET/6qquy" respectively. With the preset matching rule specifying that digits are ignored during matching, the management device 14 matches the letters and symbols in "GET/2qqcr", "GET/3qqwe", "GET/4qqkk", "GET/5qqaw" and "GET/6qquy" against those in the benchmark field information "GET/1qqad".
In step 204, in one embodiment, when the number of successful matches is greater than or equal to the preset matching threshold, feature information is determined based on the benchmark field information. The preset matching threshold is, for example, 5. With reference to step 203, "GET/qq" matches successfully between each of "GET/2qqcr", "GET/3qqwe", "GET/4qqkk", "GET/5qqaw", "GET/6qquy" and the benchmark field information "GET/1qqad", so the management device 14 determines "GET/qq" as the feature information based on the benchmark field information "GET/1qqad".
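The following Python script is an added example that is not part of the patent text; it implements steps 201 to 204 on the worked example above. The first message is the benchmark, the first 10 bytes of the matching region form the first preset field, the rule "ignore digits" is applied before comparison, and a candidate counts as a successful match when it shares at least `min_common` leading characters with the benchmark field (`min_common`, the HTTP header-only region selection and the constructed request messages are assumptions of this example; the field values are those given in the text). The feature returned is the prefix common to the benchmark and all successfully matched candidates, which reproduces "GET/qq".

```python
import re
from typing import List, Optional

# Constructed sample input reproducing the worked example of steps 202 to 204:
# the first message is the benchmark, the other five are the remaining messages
# to be extracted. Only the request line differs; "qq" stands for the service.
SAMPLE_MESSAGES: List[str] = [
    "GET/1qqad HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "GET/2qqcr HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "GET/3qqwe HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "GET/4qqkk HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "GET/5qqaw HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "GET/6qquy HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
]


def matching_region(message: str, message_type: str) -> str:
    """Part of the message the preset matching rule looks at: the header block
    for HTTP (the key fields live there), the whole content for TCP and UDP."""
    if message_type.upper() == "HTTP":
        return message.split("\r\n\r\n", 1)[0]
    return message


def apply_rule(field: str, ignore_digits: bool) -> str:
    """Preset matching rule of the example: drop digits so that only letters
    and symbols take part in the comparison."""
    return re.sub(r"\d", "", field) if ignore_digits else field


def common_prefix(a: str, b: str) -> str:
    """Longest run of characters that match continuously from left to right."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return a[:n]


def extract_feature(messages: List[str], message_type: str = "HTTP",
                    field_len: int = 10, threshold: int = 5,
                    ignore_digits: bool = True, min_common: int = 1) -> Optional[str]:
    """Steps 201 to 204. messages[0] is the benchmark; the first field_len bytes
    of its matching region are the benchmark field. A candidate is a successful
    match when, after the rule is applied, it shares at least min_common leading
    characters with the benchmark field (min_common is an assumption of this
    example). The feature is the prefix common to the benchmark and every
    successfully matched candidate; None is returned below the threshold."""
    if len(messages) < 2:
        raise ValueError("two or more messages to be extracted are required")
    benchmark_field = apply_rule(matching_region(messages[0], message_type)[:field_len], ignore_digits)
    feature = benchmark_field
    successes = 0
    for msg in messages[1:]:
        candidate = apply_rule(matching_region(msg, message_type)[:field_len], ignore_digits)
        shared = common_prefix(feature, candidate)
        if len(shared) >= min_common:
            successes += 1
            feature = shared
    return feature if successes >= threshold else None


if __name__ == "__main__":
    print(extract_feature(SAMPLE_MESSAGES))                       # GET/qq
    print(extract_feature(SAMPLE_MESSAGES, ignore_digits=False))  # GET/
    print(extract_feature(SAMPLE_MESSAGES, threshold=6))          # None
```

Running the same input without the digit-ignoring rule degrades the feature to "GET/", which shows why the character-type setting of the preset matching rule matters for a usable signature; raising the threshold above the number of available candidates yields no feature at all.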
Optionally, step 200 may be performed before steps 201 to 204. It should be noted that step 200 is an optional step in this embodiment, not a mandatory one.
In step 200, in one embodiment, the management device 14 determines the two or more messages to be extracted based on a type identifier, the type identifier marking one message type; message types include HTTP messages, TCP messages, UDP messages and so on. Specifically, the management device 14 may determine the two or more messages to be extracted based on the type identifier in either of the following ways. In the first, the management device 14 determines the messages from all traffic passing through the network interface card: it looks up whether messages in that traffic carry a mark identical to the type identifier, determines the messages carrying such a mark as messages to be extracted, and thus acquires the messages to be extracted in real time. In the second, the management device 14 determines the messages from cached traffic, for example traffic that another device has cached and that the management device 14 has obtained; it again determines the messages carrying a mark identical to the type identifier as messages to be extracted.
Optionally, steps 205 and 206 may be performed in addition to steps 201 to 204. It should be noted that steps 205 and 206 are optional steps in this embodiment, not mandatory ones.
In step 205, in one embodiment, the management device 14 determines storage location information of the feature information. Take as an example the message type of the messages to be extracted acquired by the management device 14 being TCP messages and the length of the first preset field being 10 bytes. The management device 14 matches the benchmark field information in the first preset field of the benchmark message against the field information in the second preset field of each message to be extracted other than the benchmark message. Here the positions of the first preset field and the second preset field are not fixed: both fields are shifted to the right byte by byte, so that the field information at every position of the messages to be extracted is matched. The management device 14 determines the positions in the benchmark message at which feature information is present as the storage location information, for example 10, 15, 18, 20, meaning that feature information is present at byte 10, byte 15, byte 18 and byte 20 of the benchmark message.
In step 206, in one embodiment, the storage location information of the feature information and the length information of the first preset field are displayed based on the first preset display rule. For example, the values 10, 15, 18, 20 and 10 bytes may be displayed through interactive software on the management device 14, which makes it easy for an administrator to set the extraction range of the feature information.
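The sliding-position variant of steps 205 and 206 for TCP messages, as an added example that is not part of the patent text: the first preset field is slid over the benchmark payload byte by byte, each candidate field is searched at every position of the other payloads, and the benchmark offsets whose field reaches the matching threshold are recorded as storage location information and rendered together with the field length. The payloads, the 4-byte field length and the display format of `render_display` are constructed for this example.

```python
from typing import List, Tuple

# Constructed TCP payloads (not from the patent): the first is the benchmark.
# The 4-byte token b"QQv1" sits at byte 4 and byte 12 of the benchmark and at
# different offsets in the other two payloads; everything else is filler.
TCP_PAYLOADS: List[bytes] = [
    b"\x01\x02\x03\x04QQv1\x00\x00\x00\x00QQv1\x00",
    b"\x05\x06QQv1\x07\x08\x09\x0a\x0b\x0c\x0dQQv1",
    b"QQv1\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
]


def occurs_anywhere(field: bytes, message: bytes) -> bool:
    """Second preset field slid right one byte at a time over the whole message
    (TCP/UDP rule: the entire content is searched)."""
    width = len(field)
    return any(message[i:i + width] == field for i in range(len(message) - width + 1))


def feature_positions(messages: List[bytes], field_len: int, threshold: int) -> List[Tuple[int, bytes]]:
    """Step 205: slide the first preset field over the benchmark (messages[0]).
    An offset is recorded as storage location information when the field found
    there is matched, at some position, by at least `threshold` other messages."""
    benchmark, others = messages[0], messages[1:]
    found: List[Tuple[int, bytes]] = []
    for offset in range(len(benchmark) - field_len + 1):
        field = benchmark[offset:offset + field_len]
        hits = sum(1 for m in others if occurs_anywhere(field, m))
        if hits >= threshold:
            found.append((offset, field))
    return found


def render_display(positions: List[Tuple[int, bytes]], field_len: int) -> str:
    """Step 206 under the first preset display rule (format assumed here): the
    storage locations and the first preset field length, for the administrator
    to set the extraction range."""
    offsets = ", ".join(str(off) for off, _ in positions)
    return f"storage locations: {offsets}; first preset field length: {field_len} bytes"


if __name__ == "__main__":
    found = feature_positions(TCP_PAYLOADS, field_len=4, threshold=2)
    print(render_display(found, 4))
```

With a threshold of 2 the two offsets holding b"QQv1" are reported; a threshold larger than the number of other payloads reports nothing, which is the expected behaviour when the threshold is misconfigured for the capture size.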
Optionally, step 207 may be performed in addition to steps 201 to 204. It should be noted that step 207 is an optional step in this embodiment, not a mandatory one.
In step 207, in one embodiment, the management device 14 displays the feature information based on the second preset display rule. The feature information may be displayed through the interactive software on the management device 14; with reference to the conditions to be matched mentioned under the steps of Fig. 3 below, the feature information may also be displayed as a condition to be matched.
Optionally, in one embodiment, the management device 14 generates a feature information list based on the feature information and uploads the feature information list. With reference to step 204, the management device 14 generates the feature information list based on the feature information "GET/qq". Optionally, information such as port, IP address and protocol number may also be recorded in the feature information list. The management device 14 may upload the feature information list to the security device 12, so that the security device 12 intercepts, based on the feature information, behaviour produced by the client 11 that carries the same feature information. In another embodiment scenario, the management device 14 may also upload the extracted feature information to a web page, providing a download service for devices that need to download and configure the feature information.
In the embodiment of the present invention, the management device determines one of two or more messages to be extracted as a benchmark message and determines the field information in a first preset field of the benchmark message as benchmark field information. Based on a preset matching rule, when the number of successful matches between the field information in a second preset field of each message to be extracted other than the benchmark message and the benchmark field information is greater than or equal to a preset matching threshold, the management device determines feature information based on the benchmark field information. This reduces the time consumed by the feature information extraction process, avoids losing target feature information or falsely extracting non-target feature information due to improper extraction, and improves the accuracy of feature information extraction.
Fig. 3 is a flowchart of another embodiment of the feature information extraction method provided by the present invention. The method by which the management device 14 acquires two or more messages to be extracted may also determine the two or more messages based on a type identifier and at least one condition to be matched, where the condition to be matched is preset for the message type marked by the type identifier. How the management device 14 determines the two or more messages to be extracted based on the type identifier and the at least one condition to be matched is described by way of example in the embodiment of the present invention with reference to Figs. 1 and 2. As shown in Fig. 3, the method comprises the following steps:
Step 301: look up whether an acquired message carries the type identifier.
Step 302: when the acquired message carries the type identifier, match the acquired message one by one against each condition to be matched among the at least one condition to be matched.
Step 303: when the acquired message matches every condition to be matched, determine the acquired message as a message to be extracted.
Step 304: when the number of messages to be extracted is two or more, determine those messages as the two or more messages to be extracted.
In step 301, the management device 14 looks up whether an acquired message carries the type identifier. The management device 14 determines the acquired message in either of two ways: it determines the acquired message from all traffic passing through the network interface card, or it determines the acquired message from cached traffic. Specifically, the management device 14 looks up whether a message in the traffic passing through the network interface card carries a mark identical to the type identifier, or looks up whether a message in the cached traffic carries a mark identical to the type identifier; the cached traffic is, for example, traffic cached by another device and obtained by the management device 14.
In step 302, when the acquired message carries the type identifier, the management device 14 matches the acquired message one by one against each condition to be matched among the at least one condition to be matched; the conditions to be matched are preset for the message type marked by the type identifier. For example, for HTTP messages the conditions to be matched may be whether the Host header field matches ".*.qq.com.cn", whether the User-Agent header field matches ".*android", and so on.
In step 303, when the acquired message matches every condition to be matched, the management device 14 determines the acquired message as a message to be extracted.
In step 304, when the number of messages to be extracted is two or more, the management device 14 determines those messages as the two or more messages to be extracted.
In the embodiment of the present invention, how the management device 14 determines the two or more messages to be extracted based on the type identifier and the at least one condition to be matched has been described by way of example: the management device 14 looks up whether an acquired message carries the type identifier; when it does, the management device 14 determines based on the at least one condition to be matched whether the acquired message is a message to be extracted; and when the number of messages to be extracted is two or more, the management device 14 determines them as the two or more messages to be extracted. The conditions to be matched further constrain the features of the messages to be extracted, improving the accuracy of the selection of messages to be extracted.
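The selection of steps 301 to 304, as an added example that is not part of the patent text: captured messages carry a mark standing in for the type identifier, HTTP messages are parsed for their header fields, each message is matched against the two conditions given in the text for step 302 (Host against ".*.qq.com.cn", User-Agent against ".*android", applied as regular expressions exactly as written, with unescaped dots), and the survivors become the messages to be extracted only when at least two remain. The captured messages, the tuple representation of the capture and case-insensitive matching are assumptions of this example.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Conditions to be matched for the HTTP message type, as given in the text for
# step 302: the Host header is checked against ".*.qq.com.cn" and the
# User-Agent header against ".*android".
HTTP_CONDITIONS: List[Tuple[str, str]] = [
    ("Host", r".*.qq.com.cn"),
    ("User-Agent", r".*android"),
]

# Constructed captures (not from the patent). Each entry carries the mark the
# capture attached to the message, standing in for the type identifier, and
# the raw message text.
CAPTURED: List[Tuple[str, str]] = [
    ("HTTP", "GET /login HTTP/1.1\r\nHost: im.qq.com.cn\r\nUser-Agent: Mozilla/5.0 (Linux; Android 9)\r\n\r\n"),
    ("HTTP", "GET /index HTTP/1.1\r\nHost: www.example.invalid\r\nUser-Agent: Mozilla/5.0 (Linux; Android 9)\r\n\r\n"),
    ("TCP", "\x00\x01\x02\x03 opaque payload whose type identifier differs"),
    ("HTTP", "POST /msg HTTP/1.1\r\nHost: api.qq.com.cn\r\nUser-Agent: okhttp/3 android\r\n\r\n"),
    ("HTTP", "GET /x HTTP/1.1\r\nHost: a.qq.com.cn\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0)\r\n\r\n"),
]


def parse_headers(raw: str) -> Dict[str, str]:
    """Header fields of an HTTP message, keyed by lower-cased field name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:   # skip the request/status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def matches_all_conditions(raw: str, conditions: Sequence[Tuple[str, str]]) -> bool:
    """Step 302: the message is matched one by one against every condition; a
    missing header or a non-matching value fails the message. Matching is
    case-insensitive here, an assumption the text does not state."""
    headers = parse_headers(raw)
    for name, pattern in conditions:
        value = headers.get(name.lower())
        if value is None or re.search(pattern, value, re.IGNORECASE) is None:
            return False
    return True


def select_messages(captured: Sequence[Tuple[str, str]], type_id: str,
                    conditions: Sequence[Tuple[str, str]]) -> List[str]:
    """Steps 301 to 304: keep messages carrying the type identifier (301) that
    satisfy every condition (302, 303); they become the two or more messages to
    be extracted only when at least two remain (304), otherwise nothing is kept."""
    selected = [raw for mark, raw in captured
                if mark == type_id and matches_all_conditions(raw, conditions)]
    return selected if len(selected) >= 2 else []


if __name__ == "__main__":
    for msg in select_messages(CAPTURED, "HTTP", HTTP_CONDITIONS):
        print(msg.split("\r\n", 1)[0])
```

Two of the five captures survive: the TCP entry fails the type identifier, one HTTP entry fails the Host condition and one fails the User-Agent condition. Adding a third condition that only one message satisfies drops the result to an empty list, because step 304 requires at least two messages before extraction can begin.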
Corresponding to the feature information extraction method described above, the present invention also proposes the hardware structure diagram of the management device shown in Fig. 4. Referring to Fig. 4, at the hardware level the management device includes a processor, an internal bus, a network interface, a memory and a non-volatile memory, and may of course also include hardware required by other services. The processor reads the corresponding computer program from the non-volatile memory into the memory and runs it, forming the feature information extraction apparatus at the logical level. Of course, besides a software implementation, the present invention does not exclude other implementations such as a logic device or a combination of software and hardware; that is to say, the executing entity of the following processing flow is not limited to the logic units and may also be hardware or a logic device.
Fig. 5 is a block diagram of an embodiment of the feature information extraction apparatus provided by the present invention. As shown in Fig. 5, the feature information extraction apparatus may include a benchmark message determining module 51, a field information determining module 52, a field information matching module 53 and a feature information determining module 54, where:
the benchmark message determining module 51 is configured to determine one of two or more messages to be extracted as a benchmark message, the message type of each of the two or more messages to be extracted being the same;
the field information determining module 52 is configured to determine the field information in a first preset field of the benchmark message determined by the benchmark message determining module 51 as benchmark field information;
the field information matching module 53 is configured to, based on a preset matching rule, match the field information in a second preset field of each message to be extracted other than the benchmark message against the benchmark field information determined by the field information determining module 52;
the feature information determining module 54 is configured to determine feature information based on the benchmark field information when the number of successful matches in the field information matching module 53 is greater than or equal to a preset matching threshold.
Fig. 6 is a block diagram of another embodiment of the feature information extraction apparatus provided by the present invention. As shown in Fig. 6, on the basis of the embodiment shown in Fig. 5, the feature information extraction apparatus further includes:
a first message determining module 55, configured to determine, based on a type identifier, the two or more messages to be extracted used by the benchmark message determining module 51, the type identifier marking one message type.
In one embodiment, the first message determining module 55 of the feature information extraction apparatus includes:
a first message determining sub-module 551, configured to determine, based on the type identifier, the two or more messages to be extracted used by the benchmark message determining module 51 from all traffic passing through the network interface card; or
a second message determining sub-module 552, configured to determine, based on the type identifier, the two or more messages to be extracted used by the benchmark message determining module 51 from cached traffic.
In one embodiment, the feature information extraction apparatus further includes:
a second message determining module 56, configured to determine, based on the type identifier and at least one condition to be matched, the two or more messages to be extracted used by the benchmark message determining module 51, the condition to be matched being preset for the message type marked by the type identifier.
In one embodiment, the second message determining module 56 of the feature information extraction apparatus includes:
a type identifier lookup sub-module 561, configured to look up whether an acquired message carries the type identifier used by the second message determining module 56;
a condition matching sub-module 562, configured to, when the type identifier lookup sub-module 561 finds that the acquired message carries the type identifier, match the acquired message one by one against each condition to be matched among the at least one condition to be matched;
a third message determining sub-module 563, configured to determine the acquired message as a message to be extracted when the condition matching sub-module 562 finds that the acquired message matches every condition to be matched;
a fourth message determining sub-module 564, configured to determine the messages to be extracted as the two or more messages to be extracted when the number of messages to be extracted in the third message determining sub-module 563 is two or more.
In one embodiment, the feature information extraction apparatus further includes:
a third message determining module 57, configured to determine the acquired message used by the type identifier lookup sub-module 561 from all traffic passing through the network interface card; or
a fourth message determining module 58, configured to determine the acquired message used by the type identifier lookup sub-module 561 from cached traffic.
In one embodiment, the feature information extraction apparatus further includes:
a storage location determining module 59, configured to determine storage location information of the feature information determined by the feature information determining module 54;
a first display module 60, configured to display, based on a first preset display rule, the storage location information of the feature information determined by the storage location determining module 59 and the length information of the first preset field.
In one embodiment, the feature information extraction apparatus further includes:
a second display module 61, configured to display, based on a second preset display rule, the feature information determined by the feature information determining module 54.
The implementation of the functions and effects of each unit in the above apparatus is described in detail under the corresponding steps of the above method and is not repeated here.
Since the apparatus embodiments essentially correspond to the method embodiments, reference may be made to the description of the method embodiments for relevant details. The apparatus embodiments described above are merely schematic; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present invention. Those of ordinary skill in the art can understand and implement it without creative effort.
As can be seen from the above embodiments, the management device determines one of two or more messages to be extracted as a benchmark message and determines the field information in a first preset field of the benchmark message as benchmark field information. Based on a preset matching rule, when the number of successful matches between the field information in a second preset field of each message to be extracted other than the benchmark message and the benchmark field information is greater than or equal to a preset matching threshold, the management device determines feature information based on the benchmark field information. This reduces the time consumed by the feature information extraction process, avoids losing target feature information or falsely extracting non-target feature information due to improper extraction, and improves the accuracy of feature information extraction.
Other embodiments of the present invention will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. The present invention is intended to cover any variations, uses or adaptations of the invention that follow its general principles and include such departures from the present disclosure as come within known or customary practice in the art. The specification and embodiments are to be regarded as exemplary only, with the true scope and spirit of the invention being indicated by the following claims.
It should also be noted that the terms "including", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the invention. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.