Technical Field
The present application relates to the field of industrial control security and, in particular, to an industrial control firewall whitelist rule matching method, apparatus, electronic device and computer-readable storage medium.
Background Art
At present, whitelist technology has become a foundational technique for industrial control security. In an industrial control network, once the process flow and business data are fixed, the whitelist is essentially stable. Firewall-based deep packet inspection can build whitelists at the industrial protocol level for MODBUS, OPC and other protocols used on the plant floor, check the traffic in the system environment against the whitelist, and block protocol messages that are not permitted. Whitelist matching is therefore a typical protective action of an industrial control firewall, and its efficiency directly affects system performance such as the throughput and business latency of the whole device. How to better implement whitelist rule matching has thus become an urgent problem to be solved.
Summary of the Invention
The present invention aims to solve, at least to some extent, one of the technical problems in the related art.
To this end, the first object of the present invention is to propose an industrial control firewall whitelist rule matching method. The method uses the gradient of the whitelist rules to match more efficiently, improving matching efficiency and avoiding the linear decline in matching performance that otherwise follows from expanding the whitelist rule set.
The second object of the present application is to propose an industrial control firewall whitelist rule matching apparatus.
The third object of the present application is to propose an electronic device.
The fourth object of the present application is to propose a computer-readable storage medium.
To achieve the above objects, an embodiment of the first aspect of the present application proposes an industrial control firewall whitelist rule matching method, comprising: obtaining whitelist rules, sorting the fields of the whitelist rules and obtaining a gradient value for each field; setting a first-gradient field filtering rule and non-first-gradient field filtering rules according to the gradient values of the fields; obtaining a message to be matched, performing primary filtering on the message to be matched with the first-gradient field filtering rule to obtain a filtered whitelist rule list, and performing secondary filtering on the filtered whitelist rule list with the non-first-gradient field filtering rules to obtain a target whitelist rule list; and making a rule determination on the number of rule items remaining in the target whitelist rule list.
According to the industrial control firewall whitelist rule matching method of the embodiment of the present application, whitelist rules are obtained, the fields of the whitelist rules are sorted and a gradient value is obtained for each field; a first-gradient field filtering rule and non-first-gradient field filtering rules are then set according to the gradient values of the fields; a message to be matched is obtained, primary filtering is performed on it with the first-gradient field filtering rule to obtain a filtered whitelist rule list, and secondary filtering is performed on that list with the non-first-gradient field filtering rules to obtain a target whitelist rule list; finally, a rule determination is made on the number of rule items remaining in the target whitelist rule list. The method uses the gradient of the whitelist rules to match more efficiently, improving matching efficiency and avoiding the linear decline in matching performance that otherwise follows from expanding the whitelist rule set.
According to one embodiment of the present application, sorting the fields of the whitelist rules and obtaining the gradient values of the fields comprises: sorting the fields of the whitelist rules to obtain a sorted field list; and calculating, from the sorted field list, the gradient value of each field in it.
According to one embodiment of the present application, the method further comprises: forming a gradient value array from the gradient values of the fields; obtaining the field with the largest gradient value in the gradient value array, taking that field as the first-gradient field used for the primary filtering, and taking the other fields as the non-first-gradient fields used for the secondary filtering.
According to one embodiment of the present application, forming the gradient value array from the gradient values of the fields comprises: obtaining the values of a field at positions n and n+1 of its sorted list and determining whether they are equal; if not, incrementing the gradient value of the field by 1 to update it, and pushing the updated gradient value of the field into the gradient value array.
According to one embodiment of the present application, obtaining the message to be matched and performing primary filtering on it with the first-gradient field filtering rule comprises: parsing the message to be matched to obtain the value of its first-gradient field; performing a binary search in the sorted field list to find the whitelist rules whose first-gradient field equals that value; and taking the list of those rules as the filtered whitelist rule list.
According to one embodiment of the present application, performing secondary filtering on the filtered whitelist rule list with the non-first-gradient field filtering rules to obtain the target whitelist rule list comprises: parsing the message to be matched to obtain the value of a field of the message; obtaining the rules in the filtered whitelist rule list whose value for that field is the same as the message's field value; updating the filtered whitelist rule list to those rules; and taking the updated filtered whitelist rule list as the target whitelist rule list.
According to one embodiment of the present application, making a rule determination on the number of rule items remaining in the target whitelist rule list comprises: determining whether the target whitelist rule list is empty, that is, whether the number of remaining rule items is zero; if it is not, the whitelist rule match succeeds.
To achieve the above objects, an embodiment of the second aspect of the present application proposes an industrial control firewall whitelist rule matching apparatus, comprising: an acquisition module, configured to obtain whitelist rules, sort the fields of the whitelist rules and obtain the gradient values of the fields; a setting module, configured to set a first-gradient field filtering rule and non-first-gradient field filtering rules according to the gradient values of the fields; a filtering module, configured to obtain a message to be matched, perform primary filtering on the message to be matched with the first-gradient field filtering rule to obtain a filtered whitelist rule list, and perform secondary filtering on the filtered whitelist rule list with the non-first-gradient field filtering rules to obtain a target whitelist rule list; and a determination module, configured to make a rule determination on the number of rule items remaining in the target whitelist rule list.
According to the industrial control firewall whitelist rule matching apparatus of the embodiment of the present application, whitelist rules are obtained, the fields of the whitelist rules are sorted and a gradient value is obtained for each field; a first-gradient field filtering rule and non-first-gradient field filtering rules are then set according to the gradient values of the fields; a message to be matched is obtained, primary filtering is performed on it with the first-gradient field filtering rule to obtain a filtered whitelist rule list, and secondary filtering is performed on that list with the non-first-gradient field filtering rules to obtain a target whitelist rule list; finally, a rule determination is made on the number of rule items remaining in the target whitelist rule list. The gradient of the whitelist rules is thereby used to match more efficiently, improving matching efficiency and avoiding the linear decline in matching performance that otherwise follows from expanding the whitelist rule set.
To achieve the above objects, an embodiment of the third aspect of the present application proposes an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the computer program, the industrial control firewall whitelist rule matching method of the embodiment of the first aspect of the present application is implemented.
To achieve the above objects, an embodiment of the fourth aspect of the present application proposes a computer-readable storage medium having a computer program stored thereon; when the computer program is executed by a processor, the industrial control firewall whitelist rule matching method of the embodiment of the first aspect of the present application is implemented.
Additional aspects and advantages of the present application will be set forth in part in the description that follows, and in part will become apparent from that description or be learned by practice of the present application.
BRIEF DESCRIPTION OF THE DRAWINGS
The above and/or additional aspects and advantages of the present application will become apparent and readily understood from the following description of the embodiments taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a flow chart of an industrial control firewall whitelist rule matching method according to an embodiment of the present application;
FIG. 2 is a flow chart of an industrial control firewall whitelist rule matching method according to a specific embodiment of the present application;
FIG. 3 is a schematic structural diagram of an industrial control firewall whitelist rule matching apparatus according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
DETAILED DESCRIPTION
Embodiments of the present invention are described in detail below, examples of which are shown in the accompanying drawings, where the same or similar reference numerals throughout denote the same or similar elements, or elements having the same or similar functions. The embodiments described below with reference to the accompanying drawings are exemplary, are intended to explain the present invention, and are not to be construed as limiting it.
At present, whitelist technology has become a foundational technique for industrial control security. In an industrial control network, once the process flow and business data are fixed, the whitelist is essentially stable. Firewall-based deep packet inspection can build whitelists at the industrial protocol level for MODBUS, OPC and other protocols used on the plant floor, check the traffic in the system environment against the whitelist, and block protocol messages that are not permitted. Whitelist matching is therefore a typical protective action of an industrial control firewall, and its efficiency directly affects system performance such as the throughput and business latency of the whole device. How to better implement whitelist rule matching has thus become an urgent problem to be solved.
To this end, the present application proposes an industrial control firewall whitelist rule matching method, apparatus, electronic device and computer-readable storage medium.
FIG. 1 is a flow chart of an industrial control firewall whitelist rule matching method according to an embodiment of the present application. It should be noted that the method of the embodiments of the present application can be applied to the industrial control firewall whitelist rule matching apparatus of the embodiments of the present application, and that apparatus can be deployed on an electronic device. In embodiments of the present invention, the electronic device may be a PC or a mobile terminal (for example a mobile phone, tablet computer, PAD, personal digital assistant or other hardware device running any of various operating systems).
As shown in FIG. 1, the industrial control firewall whitelist rule matching method comprises:
S110: obtaining whitelist rules, sorting the fields of the whitelist rules and obtaining the gradient values of the fields.
In the embodiment of the present application, the electronic device can obtain the whitelist rules, sort the fields of the whitelist rules and obtain the gradient values of the fields.
In the embodiment of the present application, the fields of the whitelist rules can be sorted to obtain a sorted field list, and the gradient value of each field in the sorted field list is then calculated from that list, which yields the gradient values of the fields. The specific implementation is described in the subsequent embodiments.
S120: setting a first-gradient field filtering rule and non-first-gradient field filtering rules according to the gradient values of the fields.
In the embodiment of the present application, a gradient value array can be formed from the gradient values of the fields; the field with the largest gradient value in the array is then obtained and taken as the first-gradient field used for primary filtering, and the other fields are taken as the non-first-gradient fields used for secondary filtering. The specific implementation is described in the subsequent embodiments.
S130: obtaining a message to be matched, performing primary filtering on the message to be matched with the first-gradient field filtering rule to obtain a filtered whitelist rule list, and performing secondary filtering on the filtered whitelist rule list with the non-first-gradient field filtering rules to obtain a target whitelist rule list.
That is, after the first-gradient field filtering rule and the non-first-gradient field filtering rules have been set, a message to be matched is obtained, primary filtering is performed on it with the first-gradient field filtering rule to obtain a filtered whitelist rule list, and secondary filtering is performed on that list with the non-first-gradient field filtering rules to obtain a target whitelist rule list.
S140: making a rule determination on the number of rule items remaining in the target whitelist rule list.
In one embodiment of the present application, it is determined whether the target whitelist rule list is empty; if it is not, the message to be matched has been matched successfully.
According to the industrial control firewall whitelist rule matching method of the embodiment of the present application, whitelist rules are obtained, the fields of the whitelist rules are sorted and a gradient value is obtained for each field; a first-gradient field filtering rule and non-first-gradient field filtering rules are then set according to the gradient values of the fields; a message to be matched is obtained, primary filtering is performed on it with the first-gradient field filtering rule to obtain a filtered whitelist rule list, and secondary filtering is performed on that list with the non-first-gradient field filtering rules to obtain a target whitelist rule list; finally, a rule determination is made on the number of rule items remaining in the target whitelist rule list. The method uses the gradient of the whitelist rules to match more efficiently, improving matching efficiency and avoiding the linear decline in matching performance that otherwise follows from expanding the whitelist rule set.
To make the present application easier for those skilled in the art to understand, FIG. 2 is a flow chart of an industrial control firewall whitelist rule matching method according to a specific embodiment of the present invention. As shown in FIG. 2, the industrial control firewall whitelist rule matching method may comprise:
S210: obtaining whitelist rules and sorting the fields of the whitelist rules to obtain a sorted field list.
In the embodiment of the present application, the electronic device can obtain the whitelist rules and sort the fields of the whitelist rules to obtain a sorted field list.
For example, each of the i fields of the whitelist rules is sorted, giving a sorted list orderList_i[] for field i.
S220: calculating, from the sorted field list, the gradient value of each field in it.
That is, once the sorted field list has been obtained, the gradient value of each field in it can be calculated.
For example, the gradient value of each field can be calculated by traversing its sorted list in order.
For example, the values of each field across the rules can be sorted into an ordered linked list, and the gradient value of that field is then calculated from its list. Taking the list for the field sip (source IP address) as an example: walk the list comparing the values of adjacent nodes; whenever the value changes, add 1 to the gradient value, otherwise leave it unchanged, until the tail of the list is reached, which yields the final gradient value of the field. The gradient value is thus the number of value changes along the sorted list, one less than the number of distinct values the field takes across the rules, so the field with the largest gradient is the one that splits the rule set into the most groups.
S230: setting a first-gradient field filtering rule and non-first-gradient field filtering rules according to the gradient values of the fields.
In the embodiment of the present application, a gradient value array is formed from the gradient values of the fields; the field with the largest gradient value in the array is then obtained and taken as the first-gradient field used for primary filtering, and the other fields are taken as the non-first-gradient fields used for secondary filtering.
The gradient value array can be formed from the gradient values of the fields as follows: obtain the values of a field at positions n and n+1 of its sorted list and determine whether they are equal; if not, increment the gradient value of the field by 1 to update it, and push the updated gradient value of the field into the gradient value array.
It should be noted that comparing the values at positions n and n+1 determines whether the field's value changes at that point; when it does, the gradient value of the field is incremented by 1.
For example, the gradient values of the i fields in the sorted lists orderList_i[] are calculated to form the gradient value array grade[]. Specifically, each sorted list orderList_i[] is traversed in turn, the gradient value of the field is calculated by adding 1 whenever the value of field i changes between adjacent entries, and the gradient value of each of the i fields is then pushed into the gradient value array grade[].
S240: obtaining a message to be matched and performing primary filtering on it with the first-gradient field filtering rule to obtain a filtered whitelist rule list.
In the embodiment of the present application, a message to be matched can be obtained and parsed to obtain the value of its first-gradient field; a binary search is then performed in the sorted field list to find the whitelist rules whose first-gradient field equals that value, and the list of those rules is taken as the filtered whitelist rule list.
For example, the message to be matched is parsed to obtain the value x of its first-gradient field; a binary search is then performed in the sorted list orderList_i[] of the first-gradient field to find all whitelist rules whose first-gradient field equals x, giving the list hit_list[], which is taken as the filtered whitelist rule list. Because the list is sorted, the rules equal to x form one contiguous run, so the binary search costs O(log N) in the number of rules rather than a linear scan.
For example, the message parsing can proceed as follows: assume each whitelist rule has n fields; each field corresponds to a specific position in the application layer of the message. Message parsing means extracting the field value at that application-layer position, and rule matching means comparing the extracted field value with the value in the whitelist rule.
S250: performing secondary filtering on the filtered whitelist rule list with the non-first-gradient field filtering rules to obtain a target whitelist rule list.
In the embodiment of the present application, the message to be matched can be parsed to obtain the value of a field of the message; the rules in the filtered whitelist rule list whose value for that field is the same as the message's field value are then obtained, the filtered whitelist rule list is updated to those rules, and the updated filtered whitelist rule list is taken as the target whitelist rule list.
It should be noted that after the first-level gradient field filtering, several rules may still remain; to determine which one is hit, the rules must be matched and filtered field by field. Correspondingly, the message to be matched is parsed to obtain the value of the field currently being matched. For example, if the field currently being matched is sip, the field value is the source IP address taken from the message; if it is sport, the field value is the source port taken from the message.
For example, the message to be matched is parsed to obtain the value pkt_field_i of its field i, and the non-first-gradient field filtering rule for field i is applied to the filtered whitelist rule list: the rules in hit_list[] whose field i equals pkt_field_i are selected, hit_list[] is updated to those rules, and the updated filtered whitelist rule list is taken as the target whitelist rule list.
S260: determining whether the target whitelist rule list is empty.
For example, the non-first-gradient field filtering rules are applied repeatedly, one field at a time, until the target whitelist rule list is empty or only the last rule remains.
S270: if not, the whitelist rule match succeeds.
For example, if the last rule remains in the target whitelist rule list, the current message to be matched hits that rule and the whitelist rule match succeeds.
S280: if so, the whitelist rule match fails.
For example, if the target whitelist rule list is empty, the current message to be matched has hit no whitelist rule, that is, the whitelist rule match fails.
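The following is an added, self-contained example and not code from the patent application; it implements steps S210 to S280 (and the same procedure as summarised in the first aspect above) on a constructed rule set. Everything beyond the patent's description is an assumption made here: the rule field names sip, dip, dport, unit_id and func; the constructed five-rule whitelist and sample packets; and the use of the Modbus/TCP MBAP header layout (transaction id, protocol id, length, unit id, then function code) as the "specific application-layer position" from which unit_id and func are parsed.

```python
import bisect
import struct

# Rule fields, in the order used to break gradient ties (assumed names, not from the source).
FIELDS = ("sip", "dip", "dport", "unit_id", "func")

# Constructed sample whitelist: five exact-match rules for a small Modbus/TCP cell.
WHITELIST = [
    {"sip": "10.0.0.11", "dip": "10.0.1.5", "dport": 502, "unit_id": 1, "func": 3},
    {"sip": "10.0.0.11", "dip": "10.0.1.5", "dport": 502, "unit_id": 1, "func": 16},
    {"sip": "10.0.0.12", "dip": "10.0.1.5", "dport": 502, "unit_id": 1, "func": 3},
    {"sip": "10.0.0.12", "dip": "10.0.1.6", "dport": 502, "unit_id": 2, "func": 4},
    {"sip": "10.0.0.13", "dip": "10.0.1.6", "dport": 502, "unit_id": 2, "func": 6},
]


def gradient(rules, field):
    """S220: sort the field's values across all rules and count the changes
    between adjacent entries (one less than the number of distinct values)."""
    ordered = sorted(r[field] for r in rules)
    return sum(1 for a, b in zip(ordered, ordered[1:]) if a != b)


def build_index(rules):
    """S210-S230: compute grade[] for every field, take the field with the largest
    gradient as the first-gradient field, and sort the rules by that field so the
    primary filter can use a binary search."""
    grade = {f: gradient(rules, f) for f in FIELDS}
    first = max(FIELDS, key=lambda f: grade[f])
    ordered_rules = sorted(rules, key=lambda r: r[first])
    return {
        "grade": grade,
        "first": first,
        "keys": [r[first] for r in ordered_rules],  # orderList for the first-gradient field
        "rules": ordered_rules,
    }


def modbus_request(txn_id, unit_id, func, address, count):
    """Build a constructed Modbus/TCP request ADU: MBAP header (transaction id,
    protocol id 0, length, unit id) followed by function code and two 16-bit words."""
    pdu = struct.pack("!BHH", func, address, count)
    return struct.pack("!HHHB", txn_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_packet(sip, dip, dport, payload):
    """S240/S250 message parsing: read each rule field from its fixed position.
    Transport fields come from the flow; unit id and function code sit at fixed
    offsets of the application layer. Malformed frames raise ValueError."""
    if len(payload) < 8:
        raise ValueError("truncated Modbus/TCP ADU")
    _txn, proto, length, unit_id, func = struct.unpack("!HHHBB", payload[:8])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("malformed MBAP header")
    return {"sip": sip, "dip": dip, "dport": dport, "unit_id": unit_id, "func": func}


def match(index, pkt):
    """S240-S260: binary-search the first-gradient field for the run of rules equal
    to the packet's value (hit_list), then narrow hit_list one field at a time
    until it is empty or every field has been checked."""
    first, keys, rules = index["first"], index["keys"], index["rules"]
    lo = bisect.bisect_left(keys, pkt[first])
    hi = bisect.bisect_right(keys, pkt[first])
    hit_list = rules[lo:hi]
    for field in FIELDS:
        if field == first or not hit_list:
            continue
        hit_list = [r for r in hit_list if r[field] == pkt[field]]
    return hit_list


def decide(index, sip, dip, dport, payload):
    """S270/S280: a non-empty target list means the packet hit a whitelist rule;
    an empty list, or a frame that does not parse, is dropped (default deny)."""
    try:
        pkt = parse_packet(sip, dip, dport, payload)
    except ValueError:
        return "drop"
    return "allow" if match(index, pkt) else "drop"


if __name__ == "__main__":
    idx = build_index(WHITELIST)
    print("grade:", idx["grade"], "first-gradient field:", idx["first"])
    read_regs = modbus_request(1, 1, 3, 0, 10)   # unit 1, Read Holding Registers
    write_reg = modbus_request(2, 1, 6, 0, 1)    # unit 1, Write Single Register
    print(decide(idx, "10.0.0.11", "10.0.1.5", 502, read_regs))  # allow
    print(decide(idx, "10.0.0.11", "10.0.1.5", 502, write_reg))  # drop
```

On this constructed rule set the function code has the largest gradient (3) and so becomes the first-gradient field, not the source address, which illustrates that the choice depends on the rule distribution and must be recomputed whenever rules are added or removed. Two caveats a deployment would need that the patent text does not address: the method as described is equality-only, so a rule with a wildcard or range on the first-gradient field cannot be located by the binary search and needs a separate path; and a frame that fails to parse must be treated as a match failure and dropped, as decide() does, otherwise malformed traffic bypasses the whitelist.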
根据本申请实施例的工控防火墙白名单规则匹配方法,通过获取白名单规则,并对白名单规则中的字段排序,得到字段排序列表,根据字段排序列表,计算字段排序列表中字段的梯度值,根据字段的梯度值,设置第一梯度字段过滤规则和非第一梯度字段过滤规则,获取待匹配报文,采用第一梯度字段过滤规则对待匹配报文进行初级过滤,得到过滤后的白名单规则列表,采用非第一梯度字段过滤规则对过滤后的白名单规则列表进行二级过滤,得到目标白名单规则列表,判断目标白名单规则列表中剩余的规则项数是否为空,若否,则白名单规则匹配成功,若是,则白名单规则匹配失败。该方法通过利用白名单规则的梯度实现更高效率的匹配,白名单规则梯度越高,匹配效率越高,提高了匹配效率,提升工控设备整机吞吐性能,降低业务延迟,规避因白名单规则扩充而导致匹配性能线性下降的问题。According to the industrial control firewall whitelist rule matching method of the embodiment of the present application, by obtaining the whitelist rule and sorting the fields in the whitelist rule, a field sorting list is obtained, and according to the field sorting list, the gradient value of the field in the field sorting list is calculated, and according to the gradient value of the field, the first gradient field filtering rule and the non-first gradient field filtering rule are set, and the to-be-matched message is obtained, and the first gradient field filtering rule is used to perform primary filtering on the to-be-matched message to obtain the filtered whitelist rule list, and the non-first gradient field filtering rule is used to perform secondary filtering on the filtered whitelist rule list to obtain the target whitelist rule list, and it is determined whether the number of remaining rule items in the target whitelist rule list is empty, if not, the whitelist rule matching is successful, and if so, the whitelist rule matching fails. This method achieves more efficient matching by utilizing the gradient of the whitelist rule. The higher the gradient of the whitelist rule, the higher the matching efficiency, which improves the matching efficiency, improves the throughput performance of the entire industrial control equipment, reduces service delays, and avoids the problem of linear decline in matching performance due to the expansion of the whitelist rule.
Corresponding to the industrial control firewall whitelist rule matching method of the above embodiments, an embodiment of the present application further provides an industrial control firewall whitelist rule matching device. Since the device provided by this embodiment corresponds to the method provided by the above embodiments, the embodiments of the method also apply to the device of this embodiment and are not described again in detail here. FIG. 3 is a schematic structural diagram of an industrial control firewall whitelist rule matching device according to an embodiment of the present application.
As shown in FIG. 3, the industrial control firewall whitelist rule matching device 300 may include an acquisition module 310, a setting module 320, a filtering module 330 and a determination module 340.
Specifically, the acquisition module 310 is configured to obtain whitelist rules, sort the fields in the whitelist rules and obtain the gradient values of the fields;
the setting module 320 is configured to set a first gradient field filtering rule and a non-first gradient field filtering rule according to the gradient values of the fields;
the filtering module 330 is configured to obtain a packet to be matched, perform primary filtering on the packet using the first gradient field filtering rule to obtain a filtered whitelist rule list, and perform secondary filtering on the filtered whitelist rule list using the non-first gradient field filtering rule to obtain a target whitelist rule list;
the determination module 340 is configured to make a rule determination according to the number of rule items remaining in the target whitelist rule list.
With the industrial control firewall whitelist rule matching device of this embodiment, the whitelist rules are obtained, the fields in the whitelist rules are sorted and the gradient values of the fields are obtained; the first gradient field filtering rule and the non-first gradient field filtering rule are then set according to the gradient values of the fields; a packet to be matched is obtained, primary filtering is performed on it with the first gradient field filtering rule to obtain a filtered whitelist rule list, and secondary filtering is performed on that list with the non-first gradient field filtering rule to obtain a target whitelist rule list; finally a rule determination is made according to the number of rule items remaining in the target whitelist rule list. The gradient of the whitelist rules is thus used to match more efficiently, which improves matching efficiency and avoids the linear decline in matching performance that otherwise follows from expanding the whitelist rule set.
In one embodiment of the present application, the acquisition module 310 includes: a first acquisition unit, configured to sort the fields in the whitelist rules to obtain the field sorting list; and a calculation unit, configured to calculate the gradient value of each field in the field sorting list according to the field sorting list.
In one embodiment of the present application, the device further includes: a second acquisition unit, configured to assemble the gradient values of the fields into a gradient value array; and a third acquisition unit, configured to obtain the field with the largest gradient value in the gradient value array, take that field as the first gradient field used for the primary filtering, and take the other fields as the non-first gradient fields used for the secondary filtering.
In one embodiment of the present application, the second acquisition unit is specifically configured to: obtain the values of the field at positions n and n+1 of the field sorting list and determine whether they are equal; if not, increase the gradient value of the field by 1 to update it, and push the updated gradient value of the field into the gradient value array. The gradient of a field is therefore the number of value changes along its sorted list, which is one less than the number of distinct values the field takes across the whitelist.
In one embodiment of the present application, the filtering module 330 is specifically configured to: parse the packet to be matched to obtain the value of its first gradient field; perform a binary search in the field sorting list to find the whitelist rules whose first gradient field equals that value; and take those rules as the filtered whitelist rule list.
In one embodiment of the present application, the filtering module 330 is further specifically configured to: parse the packet to be matched to obtain the values of its remaining fields; find, in the filtered whitelist rule list, the rules whose field values equal the packet's field values; update the filtered whitelist rule list to those rules; and take the updated filtered whitelist rule list as the target whitelist rule list.
In one embodiment of the present application, the determination module 340 is specifically configured to determine whether the number of rule items remaining in the target whitelist rule list is zero; if not, whitelist rule matching succeeds.
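The following is an added illustration of the matching procedure summarised above and detailed by the acquisition, setting, filtering and determination modules; it is example code written for this page, not the applicant's implementation. It assumes that a whitelist rule is a set of exact-match fields, that the field names (src_ip, dst_ip, protocol, function_code, register) and the sample Modbus/OPC rules and packets are constructed for the demonstration, and that a field's gradient is the number of positions n at which the n-th and (n+1)-th values of that field, in sorted order, differ.

```python
"""Gradient-based whitelist rule matching (added example, not the patent's code).

Assumptions not stated by the patent text:
  * a rule is a dict of exact-match fields; FIELDS and the sample rules below
    are invented for a Modbus/OPC-style whitelist;
  * a field's gradient is the number of positions n at which value[n] and
    value[n+1] of that field, in sorted order, differ;
  * values are compared as strings so that mixed int/str fields sort.
"""
from bisect import bisect_left, bisect_right
from typing import Dict, List, Optional, Sequence

Rule = Dict[str, object]

FIELDS = ("src_ip", "dst_ip", "protocol", "function_code", "register")


def field_gradient(rules: Sequence[Rule], field: str) -> int:
    """Walk the field's values in sorted order; each time value[n] differs from
    value[n+1] the gradient grows by one (= number of distinct values - 1).
    A field that splits the rule set finely is the best primary-filter key."""
    values = sorted(str(r[field]) for r in rules)
    gradient = 0
    for n in range(len(values) - 1):
        if values[n] != values[n + 1]:
            gradient += 1
    return gradient


class GradientWhitelist:
    """Builds the field sorting list once per rule set; matching a packet then
    costs one binary search plus equality checks on the few rules that share
    the packet's first-gradient-field value."""

    def __init__(self, rules: Sequence[Rule], fields: Sequence[str] = FIELDS) -> None:
        if not rules:
            raise ValueError("whitelist must contain at least one rule")
        self.fields = tuple(fields)
        # gradient value array, one entry per field
        self.gradients = {f: field_gradient(rules, f) for f in self.fields}
        # first gradient field: largest gradient (ties resolved by field order)
        self.first_field = max(self.fields, key=lambda f: self.gradients[f])
        self.other_fields = tuple(f for f in self.fields if f != self.first_field)
        # field sorting list: rules ordered on the first gradient field, with a
        # parallel key list so bisect can locate the run of equal keys
        self.sorted_rules: List[Rule] = sorted(rules, key=lambda r: str(r[self.first_field]))
        self.sorted_keys = [str(r[self.first_field]) for r in self.sorted_rules]

    def primary_filter(self, packet: Rule) -> List[Rule]:
        """Primary filtering: binary search for the rules whose first gradient
        field equals the packet's value, O(log n) in the rule count."""
        key = str(packet[self.first_field])
        lo = bisect_left(self.sorted_keys, key)
        hi = bisect_right(self.sorted_keys, key)
        return self.sorted_rules[lo:hi]

    def secondary_filter(self, candidates: Sequence[Rule], packet: Rule) -> List[Rule]:
        """Secondary filtering: keep only candidates whose remaining fields all
        equal the packet's; stop as soon as the list becomes empty."""
        target = list(candidates)
        for f in self.other_fields:
            value = str(packet[f])
            target = [r for r in target if str(r[f]) == value]
            if not target:
                break
        return target

    def match(self, packet: Rule) -> Optional[Rule]:
        """The matching rule, or None when the target list is empty (the packet
        hit no whitelist rule and the firewall should drop it)."""
        target = self.secondary_filter(self.primary_filter(packet), packet)
        return target[0] if target else None


# Constructed sample whitelist: three HMIs read one PLC, one write path, one OPC path.
SAMPLE_RULES: List[Rule] = [
    {"src_ip": "10.0.1.10", "dst_ip": "10.0.2.20", "protocol": "modbus", "function_code": 3, "register": 40001},
    {"src_ip": "10.0.1.11", "dst_ip": "10.0.2.20", "protocol": "modbus", "function_code": 3, "register": 40001},
    {"src_ip": "10.0.1.12", "dst_ip": "10.0.2.20", "protocol": "modbus", "function_code": 3, "register": 40001},
    {"src_ip": "10.0.1.13", "dst_ip": "10.0.2.21", "protocol": "modbus", "function_code": 16, "register": 40020},
    {"src_ip": "10.0.1.10", "dst_ip": "10.0.2.21", "protocol": "opc", "function_code": 0, "register": 0},
]

# Constructed packets, already decoded into fields by the protocol parser.
ALLOWED_READ = {"src_ip": "10.0.1.10", "dst_ip": "10.0.2.20", "protocol": "modbus", "function_code": 3, "register": 40001}
UNEXPECTED_WRITE = {"src_ip": "10.0.1.10", "dst_ip": "10.0.2.20", "protocol": "modbus", "function_code": 6, "register": 40001}
UNKNOWN_SOURCE = {"src_ip": "10.0.1.99", "dst_ip": "10.0.2.20", "protocol": "modbus", "function_code": 3, "register": 40001}


if __name__ == "__main__":
    wl = GradientWhitelist(SAMPLE_RULES)
    print("gradients:", wl.gradients, "-> first gradient field:", wl.first_field)
    for name, pkt in (("allowed read", ALLOWED_READ),
                      ("unexpected write", UNEXPECTED_WRITE),
                      ("unknown source", UNKNOWN_SOURCE)):
        print(f"{name}: {'PASS' if wl.match(pkt) else 'DROP'}")
```

On the sample set src_ip has the highest gradient, so it becomes the first gradient field; a packet from 10.0.1.10 is narrowed to two candidate rules by one binary search and the remaining fields are compared only against those two, which is the escape from linear growth the description claims. Two practical caveats: the binary search only works for a field that is matched by exact equality, so a whitelist whose highest-gradient field holds subnets or register ranges must pick the highest-gradient exact-match field instead; and because the gradient array is computed from the rule set, it has to be recomputed whenever rules are added, otherwise a field that has stopped being selective keeps driving the primary filter.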
Reference is now made to FIG. 4, which shows a schematic structural diagram of an electronic device 400 (for example, the terminal device or server in FIG. 1) suitable for implementing the embodiments of the present application. The terminal device in the embodiments of the present application may include, but is not limited to, mobile terminals such as mobile phones, laptops, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players) and in-vehicle terminals (for example in-vehicle navigation terminals), and fixed terminals such as digital TVs and desktop computers. The electronic device shown in FIG. 4 is only an example and should not limit the functions or scope of use of the embodiments of the present application.
As shown in FIG. 4, the electronic device 400 may include a processing device (for example a central processing unit or a graphics processing unit) 401, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 402 or a program loaded from a storage device 408 into a random access memory (RAM) 403. The RAM 403 also stores the various programs and data required for the operation of the electronic device 400. The processing device 401, the ROM 402 and the RAM 403 are connected to one another via a bus 404. An input/output (I/O) interface 405 is also connected to the bus 404.
Typically, the following devices may be connected to the I/O interface 405: input devices 406 including, for example, a touch screen, touchpad, keyboard, mouse, camera, microphone, accelerometer or gyroscope; output devices 407 including, for example, a liquid crystal display (LCD), speaker or vibrator; storage devices 408 including, for example, magnetic tape or a hard disk; and communication devices 409. The communication device 409 may allow the electronic device 400 to communicate wirelessly or over a wire with other devices to exchange data. Although FIG. 4 shows an electronic device 400 with various devices, it should be understood that not all of the devices shown need to be implemented or provided; more or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present application, the process described above with reference to the flowchart may be implemented as a computer software program. For example, an embodiment of the present application includes a computer program product comprising a computer program carried on a non-transitory computer-readable medium, the computer program containing program code for executing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication device 409, installed from the storage device 408, or installed from the ROM 402. When the computer program is executed by the processing device 401, the above functions defined in the method of the embodiments of the present application are performed.
It should be noted that the computer-readable medium referred to above may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. A computer-readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of these. More specific examples of a computer-readable storage medium include, but are not limited to: an electrical connection with one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present application, a computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in conjunction with an instruction execution system, apparatus or device. In the present application, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave and carrying computer-readable program code. Such a propagated data signal may take a variety of forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of these. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transmit a program for use by or in conjunction with an instruction execution system, apparatus or device. The program code contained on the computer-readable medium may be transmitted using any suitable medium, including but not limited to wires, optical cables, RF (radio frequency), or any suitable combination of these.
In some embodiments, the client and the server may communicate using any currently known or future developed network protocol such as HTTP (HyperText Transfer Protocol), and may be interconnected by any form or medium of digital data communication (for example, a communication network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (for example, the Internet) and a peer-to-peer network (for example, an ad hoc peer-to-peer network), as well as any currently known or future developed network.
The computer-readable medium may be included in the electronic device, or may exist separately without being assembled into the electronic device.
The computer-readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to perform the whitelist rule matching method described above: obtain whitelist rules, sort the fields in the whitelist rules and obtain the gradient values of the fields; set the first gradient field filtering rule and the non-first gradient field filtering rule according to the gradient values of the fields; obtain a packet to be matched, perform primary filtering on it with the first gradient field filtering rule to obtain a filtered whitelist rule list, and perform secondary filtering on that list with the non-first gradient field filtering rule to obtain a target whitelist rule list; and make a rule determination according to the number of rule items remaining in the target whitelist rule list.
Computer program code for performing the operations of the present application may be written in one or more programming languages or a combination thereof, including but not limited to object-oriented programming languages such as Java, Smalltalk and C++, and conventional procedural programming languages such as the "C" language or similar. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. Where a remote computer is involved, it may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functions and operations that may be implemented by systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in a flowchart or block diagram may represent a module, program segment or portion of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions noted in the blocks may occur in an order different from that noted in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, may be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units described in the embodiments of the present application may be implemented in software or in hardware. The name of a unit does not, in some cases, limit the unit itself; for example, the first acquisition unit may also be described as "a unit for sorting the fields in the whitelist rules to obtain the field sorting list".
The functions described above may be performed at least in part by one or more hardware logic components. For example, and without limitation, exemplary types of hardware logic components that may be used include field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), application specific standard products (ASSPs), systems on chip (SOCs), complex programmable logic devices (CPLDs), and so on.
In the context of the present application, a machine-readable medium may be a tangible medium that may contain or store a program for use by or in conjunction with an instruction execution system, apparatus or device. A machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium include an electrical connection based on one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The above description is only of preferred embodiments of the present application and an explanation of the technical principles employed. Those skilled in the art should understand that the scope of the disclosure in the present application is not limited to technical solutions formed by the specific combination of the above technical features, but also covers other technical solutions formed by any combination of the above technical features or their equivalents without departing from the disclosed concept, for example technical solutions formed by substituting the above features with technical features of similar function disclosed in (but not limited to) the present application.
Furthermore, although the operations are depicted in a particular order, this should not be understood as requiring that they be performed in the particular order shown or in sequential order. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, although several specific implementation details are included in the above discussion, these should not be construed as limiting the scope of the present application. Certain features described in the context of separate embodiments may also be implemented in combination in a single embodiment; conversely, various features described in the context of a single embodiment may also be implemented in multiple embodiments separately or in any suitable sub-combination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it should be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are merely example forms of implementing the claims.
| Application Number | Priority Date | Filing Date | Title | Status |
|---|---|---|---|---|
| CN202210231645.0A | 2022-03-09 | 2022-03-09 | Industrial control firewall white list rule matching method and device and related equipment | Active (granted as CN114598530B) |

| Publication Number | Publication Date |
|---|---|
| CN114598530A | 2022-06-07 |
| CN114598530B | 2024-10-22 |

| Country | Link |
|---|---|
| CN (1) | CN114598530B |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116208373A* | 2022-12-30 | 2023-06-02 | 北京天融信网络安全技术有限公司 | Message filtering configuration method, device, electronic equipment and medium |
| CN116450581B* | 2023-04-10 | 2024-02-13 | 中国人民解放军61660部队 | Local quick matching method and system for white list and electronic equipment |

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106790068A* | 2016-12-21 | 2017-05-31 | 西安兖矿科技研发设计有限公司 | A kind of method for accelerating industry control firewall rule to match |
| CN109672669A* | 2018-12-03 | 2019-04-23 | 国家计算机网络与信息安全管理中心 | The filter method and device of traffic messages |

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9237128B2* | 2013-03-15 | 2016-01-12 | International Business Machines Corporation | Firewall packet filtering |
| US10628702B1* | 2017-09-27 | 2020-04-21 | Government of the United States as represented by Director, National Security Agency | Method of matching a query image to a template image and extracting information from the query image |
| CN110460623A* | 2019-09-27 | 2019-11-15 | 杭州九略智能科技有限公司 | A kind of processing system, method and terminal for Industry Control puppy parc |
| CN111966682B* | 2020-08-14 | 2022-06-14 | 苏州浪潮智能科技有限公司 | White list protection matching method, system, terminal and storage medium |

* Cited by examiner.
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | CB02 | Change of applicant information | Address after: 200241 room a501, building 3, No. 1588, Zixing Road, Minhang District, Shanghai. Applicants after: China Guanghe Digital Technology Co.,Ltd.; CHINA TECHENERGY Co.,Ltd. Address before: 200241 room a501, building 3, No. 1588, Zixing Road, Minhang District, Shanghai. Applicants before: SHANGHAI CHINA NUCLEAR POWER ENGINEERING TECHNOLOGY CO.,LTD.; CHINA TECHENERGY Co.,Ltd. |
| | GR01 | Patent grant | |