
CN100459579C - Detection method of super-long signaling message based on text coding - Google Patents


Info

Publication number: CN100459579C
Authority: CN (China)
Prior art keywords: feature, message, separator, detection, signaling
Legal status: Expired - Fee Related (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CNB2005101208915A
Other languages: Chinese (zh)
Other versions: CN1852245A
Inventors: 刘利锋, 郑志彬, 赵凯
Current assignee: Huawei Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CNB2005101208915A; publication of CN1852245A; application granted; publication of CN100459579C; anticipated expiration; current status Expired - Fee Related


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for detecting over-long signaling messages in text-encoded signaling, comprising the following steps: B1) constructing, from the text-encoded signaling protocol, an over-long message recognition function based on feature separators; B2) applying the recognition function to each received signaling message to decide whether it is an over-long message; B3) filtering the message out if it is over-long, otherwise continuing with other processing. The recognition function consists of a feature distance table, which gives the maximum distance allowed between two feature separators, and a feature separator constraint table, which gives whether two feature separators may appear consecutively. The detection method can be implemented in software or in hardware and is used to perform over-long message detection at the network entry point. The method applies to the detection of over-long messages in all text-encoded signaling; for a different text signaling protocol only the parameters of the feature distance table and the feature separator constraint table need to be replaced. It thereby effectively prevents attacks and damage by hackers and keeps network services running normally.

Description

Detection method for over-long signaling messages based on text encoding

Technical field

The invention relates to network information processing technology, and in particular to a method for detecting over-long signaling messages in text-encoded signaling.

Background

As the trend toward network convergence strengthens, next-generation network technology built around IMS (the IP Multimedia Subsystem) brings flexible and convenient network services, and at the same time the security of next-generation networks has become a focus of industry attention. The security of the network border is the foundation of the security of the whole network. A next-generation network is a converged network that supports user access at any time and from anywhere, so border security is especially important. Because next-generation networks emerged relatively recently, there is as yet no dedicated intrusion detection tool for them, and in particular none for the detection of signaling messages. In next-generation networks, signaling protocols such as the Session Initiation Protocol (hereinafter SIP), the Media Gateway Control Protocol (hereinafter MGCP) and the Session Description Protocol (hereinafter SDP) are all text-encoded and are easily attacked with malformed packets. Among malformed-packet attacks, over-long packets are the most commonly used method and the most prominent feature. An attacker sends a large number of over-long packets to the target server in order to cause a parsing error or a buffer overflow, so that the server suffers a fatal error, hangs, or suddenly restarts. An example of an over-long malformed message follows:

INVITE sip:bob@biloxi.com
SIP/2.0000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Via:SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds
Max-Forwards:70
To:Bob<sip:bob@biloxi.com>
From:Alice<sip:alice@atlanta.com>;tag=1928301774
Call-ID:a84b4c76e66710@pc33.atlanta.com
CSeq:314159 INVITE
Contact:<sip:alice@pc33.atlanta.com>
Content-Type:application/sdp
Content-Length:142

In this message the underlined part (the run of zeros in the request line) is the over-long part of the signaling. There is no doubt that signaling messages of this kind, once inside the system, can reduce network efficiency to the point where the network no longer works properly. Effective detection of incoming signaling messages is the remedy that prevents such malformed messages from intruding, but the prior art offers no technique for blocking such malicious over-long malformed messages, which leaves many hidden dangers for the border security of next-generation networks.

Summary of the invention

The technical problem addressed by the invention is to propose, against hackers' use of over-long packet attacks, a method for detecting over-long signaling messages in a network that can effectively stop malformed messages outside the network border. In other words, the object of the invention is to propose, on the basis of analysing and summarising the characteristics of over-long packets, a method for recognising and handling over-long messages among signaling messages.

The invention solves this technical problem by constructing a detection method for over-long signaling messages based on text encoding, comprising the following steps:

A. receiving a signaling message and judging whether the distance between, or the adjacency relationship of, two adjacent feature separators in the signaling message matches the corresponding parameter of an over-long message recognition function, the recognition function being generated from the feature separators and its parameters comprising the maximum distance between any two feature separators or an adjacency relationship that is not allowed;

B. if they match, judging the signaling message to be an over-long message;

C. filtering the over-long message out.

In the detection method provided by the invention, the over-long message recognition function is specifically a feature distance table that holds the maximum distance between any two feature separators, and step A is specifically: receiving a signaling message and judging whether the distance between two adjacent feature separators in the signaling message is greater than that maximum distance.

In the detection method provided by the invention, the over-long message recognition function is specifically a feature separator constraint table that holds the adjacency relationships not allowed between any two feature separators, and step A is specifically: receiving a signaling message and judging whether the adjacency relationship of two adjacent feature separators in the message is one that is not allowed.

In the detection method provided by the invention, steps A and B are specifically step B23, in which the following steps are performed for each line that ends with a carriage return and line feed:

B231) extracting the first feature separator S1 of the line and the feature separator S2 that follows it;

B232) forming, from the extracted feature separators S1 and S2, a five-tuple (S1, F1, D, S2, F2), where F1 is the first character immediately following the first feature separator S1, D is the feature distance between the two feature separators S1 and S2, and F2 is the first character immediately following the second feature separator S2;

B233) performing three checks on the five-tuple (S1, F1, D, S2, F2): if F1 is a feature separator, checking whether the adjacency of S1 and F1 is one that the feature separator constraint table does not allow; if F2 is a feature separator, checking whether the adjacency of S2 and F2 is one that the constraint table does not allow; and checking whether the feature distance D is greater than the maximum distance between S1 and S2 given in the feature distance table. If any one of the three conditions holds, confirming that the message is over-long and exiting; otherwise performing step B234);

B234) checking whether the end of the line has been reached; if not, taking the current feature separator S2 as S1, extracting the next feature separator as S2, and returning to step B232); if the end of the line has been reached, going to step B235);

B235) judging whether in-line detection has been completed for all lines; if not, selecting the next line and going to step B231); if all lines have been checked, exiting.

In the detection method provided by the invention, an inter-line detection step B22 precedes step B23, and step B22 comprises the following steps:

B221) for each line-shaped text segment of the input signaling message that ends with a carriage return and line feed, repeating the following steps B222 and B223 until the current message is determined to be over-long or the input signaling message ends;

B222) forming the five-tuple (S1, F1, D, S2, F2) of the text segment such that S1 is the first character of the message for the first line, or the carriage return and line feed ending the previous line for any other line; F1 is the first character after S1; S2 is the first carriage return and line feed after S1; F2 is the first character immediately after S2; and D is the distance between S1 and S2;

B223) checking the five-tuple: whether F1 is a feature separator and the adjacency of S1 and F1 is one the feature separator constraint table does not allow; whether F2 is a feature separator and the adjacency of S2 and F2 is one the constraint table does not allow; and whether the feature distance D is greater than the maximum distance between S1 and S2 given in the feature distance table. If any of these holds, the message is confirmed to be over-long and detection exits; otherwise the next line of text is taken and processing goes to step B222.

In the detection method provided by the invention, a step B224) lies between step B22 and step B23: if the current input signaling message has ended without being confirmed as over-long, a line distribution position table is formed that indicates the position and length of each line of the input signaling message; it consists of the first character of the message followed by a finite sequence of pairs, each made up of an offset (the distance from the previous line's carriage return and line feed) and a carriage return and line feed.

In the detection method provided by the invention, the feature separators comprise "(", ")", "<", ">", "@", ",", ";", ":", "/", "[", "]", "=", "{", "}" and SP, where SP is the space character.

The detection method for over-long signaling messages based on text encoding provided by the invention can be implemented in software or built into a dedicated hardware detection device placed at the network entry point. Using the invention to screen and filter over-long signaling messages effectively prevents hackers from attacking and damaging servers and keeps network services running normally. At the same time, the method applies to over-long detection for all text-encoded signaling: for a different text signaling protocol only the parameters of the feature distance table and the feature separator constraint table need to be replaced, which makes it highly effective for network security and especially for resisting malicious attacks characterised by over-long messages.

Brief description of the drawings

Fig. 1 is a schematic logic block diagram of an implementation of the detection method of the invention;

Fig. 2 is a schematic flow diagram of detecting over-long signaling messages with the method of the invention;

Fig. 3 is a schematic flow diagram of inter-line detection with the method of the invention;

Fig. 4 is a schematic flow diagram of in-line detection with the method of the invention.

Detailed description

As shown in Fig. 1, the detection method of the invention detects over-long malformed signaling messages in text-encoded signaling and comprises four components: a filter engine 1, a data association table 2, a feature distance table 3 and a feature separator constraint table 4. Message detection can be implemented by a program or program segment, by a hardware device, or partly in hardware and partly in program segments. It is deployed at the network border to filter the signaling messages entering the network, so that only messages meeting the requirements pass, i.e. over-long signaling messages are filtered out. The filter engine 1 receives the input signaling message 5, forms the data association table 2, compares the data association table 2 with the feature distance table 3 and the separator constraint table 4, and judges whether the message is over-long; if it is, the message is discarded, and only signaling messages 6 that no longer contain over-long messages are output.

One aspect of the invention's detection of over-long message data is detection based on feature distance, i.e. judging the length between two feature separators; this corresponds to the feature distance table 3 in Fig. 1. The other aspect is detection based on the constraint relationship that governs whether feature separators may be adjacent, i.e. judging whether two adjacent feature separators are allowed; the basis for specifying which feature separators may be adjacent is the feature separator constraint table 4 in Fig. 1.

The method of the invention applies to the detection of over-long messages in all text-encoded signaling; it is only necessary to redefine, according to the specific protocol, the length values between separators in the feature distance table 3 and the forbidden adjacencies in the feature separator constraint table 4.

More specifically, in the invention an over-long signaling message is defined with respect to text-encoded signaling messages. Each signaling message generally consists of one or more message fields, and the length of each message field has a range; a signaling message exceeding that range is called an over-long signaling message. In the invention a feature is a trace of the presence or absence of some entity or process (such as a protocol, a virus, a file or a program write), comprising certain byte streams and the logical relationships among them. Features include byte features and logical features and are the basic unit of feature matching. A feature separator is a separator used to judge the length of a message field; in over-long signaling message detection, the distance between feature separators, the feature distance, is the basis of detection. The feature separators defined here are: "(", ")", "<", ">", "@", ",", ";", ":", DQUOTE, "/", "[", "]", "=", "{", "}", SP, CR and LF. With the feature separators for recognising over-long signaling messages defined, the feature distance is defined as the distance allowed between feature separators, and it is the invention's criterion for judging whether a signaling message is over-long.

Below, the feature distance correspondence table shown in Table 1 is explained, taking the Session Initiation Protocol (SIP) as the example.

Table 1 Feature distance correspondence table for the Session Initiation Protocol

Column headers: 1, SP, :, @, /, CR, LF, ;, =, <, >, “, ”, ,, ……

Row values as recovered (empty cells were dropped in extraction, so only the order of the values within each row is known, not the column each value belongs to):

Row "1": 8, 256
Row "SP": 20, 63, 32, 11, 20, 63, 20, 20
Row ":": 63, 20, 63, 63
Row "@": 63, 63, 63, 63, 63, 63, 63
Row "/": 3, 6, 10
Row "CR": 0
Row "LF": 19, 256
Row ";": (no values)
Row "=": 40, 20, 10, 20
Row "<": 4
Row ">": (no values)
Row "“": 10, 20, 63
Row "”": (no values)
Row ",": (no values)
Row "……": (no values)

Notes on Table 1:

1) "1" in the table denotes the first character of the signaling message.

2) "……" in the table denotes feature separators not used in SIP.

3) The numbers in the table give the distance in bytes between two feature separators. Each separator is read horizontally: in the second row, space (SP), each column separator denotes the first feature separator that appears after the space, and the number is the maximum possible length in bytes between the space and that separator. Where no number appears, the two feature separators have no relationship and the cell can be treated as reserved.

4) For other text-encoded signaling such as the Media Gateway Control Protocol (MGCP) and the Session Description Protocol (SDP), the feature distances need only be adjusted according to the respective protocol.

The other aspect of the invention's detection of over-long message data is based on the feature separator constraint table, which corresponds to the feature separator constraint table 4 in Fig. 1. The detection principle is as follows. In general, a text-encoded signaling message allows only a few feature separators to appear consecutively or repeatedly (such as colon-space, semicolon-space, comma-space, space-left-angle-bracket, space-double-quote and space-space); if two or more feature separators otherwise appear consecutively in a signaling message, the message can likewise be regarded as an over-long packet. Table 2 below gives the constraint relationships between the feature separators of SIP.

Table 2 Feature separator constraint table for the Session Initiation Protocol

Column headers: 0x20, :, @, /, CR, LF, ;, =, <, >, “, ”, ,, ……

Row marks as recovered (empty cells were dropped in extraction, so only the number of marks in each row is known, not the column each mark belongs to):

Row "0x20": × × × × × ×
Row ":": × × × × × × × × × ×
Row "@": × × × × × × × × × × ×
Row "/": × × × × × ×
Row "CR": × × × × × × × × × × × ×
Row "LF": × × × × × × × × × × × ×
Row ";": × × × × × × × × ×
Row "=": × × × × × × × × × ×
Row "<": × × × × × ×
Row ">": × × × × ×
Row "“": × × × × × ×
Row "”": × × × ×
Row ",": × × × × × × × ×
Row "……": (no marks)

Notes on Table 2:

1) "……" denotes feature separators not used in SIP.

2) "×" indicates a constraint between the two feature separators: they may not appear consecutively.

3) For other text-encoded signaling datagrams such as the Media Gateway Control Protocol (MGCP) and the Session Description Protocol (SDP), the constraint relationships between feature separators need only be adjusted according to the respective protocol.

With the feature distance table and the feature separator constraint table in place, over-long message detection can be applied directly to input signaling messages. The process is briefly described as follows:

实施例1Example 1

对收到的文本中的任何一个特征分隔符,检测其直接邻接的字符是否是特征分隔符号,如果是特征分隔符,则判断两个特征分隔符是否属于特征分隔符约束关系表中不允许邻接的情况,如果是,则说明检测到当前文本为超长报文;对收到的文本中的任何一个特征分隔符,检测与其间隔最近的另一个特征分隔的距离是否超出特征间距表规定的最大间距,如果是则说明检测到当前文本为超长报文。For any feature separator in the received text, check whether the character directly adjacent to it is a feature separator, and if it is a feature separator, then judge whether the two feature separators belong to the feature separator. Adjacency is not allowed in the constraint relationship table If it is, it means that the current text is detected as an overlong message; for any feature delimiter in the received text, check whether the distance between another feature delimiter with the closest interval exceeds the maximum specified in the feature distance table If it is, it means that the current text is detected as an overlong message.

为实现对输入信令报文的快速检测,本发明的方法利用了一个作为数据关联的五元组(S1、F1、D、S2、F2),该五元组可以是图1中过滤引擎1对输入数据包5预处理的结果,是快速判断数据包是否超长的基础。对五元组中的每个元素描述如下:For realizing the rapid detection of input signaling message, the method of the present invention has utilized a quintuple (S1, F1, D, S2, F2) as data association, and this quintuple can be filter engine 1 among Fig. 1 The result of preprocessing the input data packet 5 is the basis for quickly judging whether the data packet is too long. Each element in the quintuple is described as follows:

S1:提取的第一个特征分隔符。S1: The first feature separator extracted.

F1:第一个特征分隔符紧跟的第一个字符。F1: The first character immediately following the first feature delimiter.

D:两个特征分隔符之间的长度即特征间距。D: The length between two feature separators is the feature spacing.

S2:第一个特征分隔符后紧跟的第二个特征分隔符。S2: The second character separator immediately following the first character separator.

F2:第二个特征分隔符后紧跟的第一个字符。F2: The first character immediately following the second feature separator.

结合图1,过滤引擎1是实现超长报文检测的核心,其作用包括:1)对每个进入网络的信令报文进行分析,提取其中的特征分隔符,将输入的信令报文转换成五元组集合(S1、F1、D、S2、F2);2)对五元组集合(S1、F1、D、S2、F2)检测是否属于特征间距表规定的超长文本;3)对五元组集合(S1、F1、D、S2、F2)检测是否属于特征分隔符约束关系表规定的超长报文,此时,如果S1、F1同为特征分隔符或S2、F2同为特征分隔符,且属于特征分隔符约束关系表禁止相连的情况,则当前检测到的报文属于超长报文。如果发现属于超长报文就停止检测,过滤掉此数据包。In conjunction with Fig. 1, the filtering engine 1 is the core of realizing superlong message detection, and its function includes: 1) analyzing each signaling message entering the network, extracting the characteristic delimiter therein, and filtering the input signaling message Convert to a quintuple set (S1, F1, D, S2, F2); 2) Detect whether the quintuple set (S1, F1, D, S2, F2) belongs to the super-long text specified in the feature distance table; 3) Check whether the five-tuple set (S1, F1, D, S2, F2) belongs to the super long message specified in the feature separator constraint relationship table. At this time, if S1 and F1 are both feature separators or S2 and F2 are both feature delimiter, and it belongs to the situation that the feature delimiter constraint relationship table prohibits connection, then the currently detected message is an overlong message. If it is found to be an overlong packet, the detection will be stopped and the data packet will be filtered out.

实施例2Example 2

对根据输入信令报文形成的每一个五元组(S1、F1、D、S2、F2)进行以下检测:如F1是特征分隔符且S1和F1是否满足特征分隔符约束关系表中禁止相连的情况;如F2是特征分隔符且S2和f2是否满足特征分隔符约束关系表中禁止相连的情况;特征间距D是否满足特征间距表中定义的S1和S2之间的特征间距。如有任何一点满足超长报文条件,则过滤掉此报文。Each quintuple (S1, F1, D, S2, F2) formed according to the input signaling message is detected as follows: if F1 is a feature separator and whether S1 and F1 satisfy the prohibition of connection in the feature separator constraint relationship table For example, if F2 is a feature separator and whether S2 and f2 meet the prohibition of connection in the feature separator constraint relationship table; whether the feature distance D satisfies the feature distance between S1 and S2 defined in the feature distance table. If any point satisfies the condition of an overlong message, the message is filtered out.

如上述,任何文本段的五元组(S1、F1、D1、S2、F2)有三个检测点,检测时同时检测三个点,如果有一点满足超长报文的条件,就认为该文本段含超长报文,可将其过滤掉。上述基于五元组的检测是也适用于利用本发明方法进行下文介绍的行间检测和行内检测。As mentioned above, the quintuple (S1, F1, D1, S2, F2) of any text segment has three detection points, and three points are detected at the same time during detection, if one point meets the condition of an ultra-long message, it is considered that the text segment contains an ultra-long message. Long messages can be filtered out. The above-mentioned detection based on quintuple is also applicable to the inter-row detection and intra-row detection described below by using the method of the present invention.

Embodiment 3

Detection of overlong signaling messages with the method of the present invention can combine inter-line detection with intra-line detection. As shown in Fig. 2, it is first determined whether the length of every line of the signaling message is within the normal range; if even one line is not, the message is filtered out. If every line passes, a line distribution position table is generated to guide intra-line detection, which determines whether the feature distance between the feature separators within each line meets the requirement.

Referring to Fig. 2, the complete detection process is as follows: the signaling message is input at block 201; inter-line detection starts at block 202; the inter-line result is judged at block 203, and if the message is overlong it is filtered at block 204; otherwise, at block 205, the line position distribution table is generated and intra-line detection is started; the intra-line result is judged at block 206, and if the message is overlong it is filtered at block 207; otherwise the decision to let the signaling message through is made at block 208.

To illustrate the inter-line detection of block 202, refer to Fig. 3. Inter-line detection uses the carriage return/line feed (CRLF) characters to judge whether the length of each line meets the condition. The filtering engine 1 of Fig. 1 converts the feature separators (here, the CRLF sequences) into quintuples (S1, F1, D, S2, F2) and then judges them by the three-point detection principle for quintuples given in embodiment 2: if the line is not overlong, the next line is checked; otherwise the signaling message is deemed overlong, detection stops and the message is filtered out. Fig. 3 shows the inter-line detection flow in detail: at block 301 the signaling message is input; at block 302 the first character of the message and the first CRLF after it are extracted, forming one line terminated by CRLF; at block 303 this line is mapped (or, equivalently, expressed or pre-processed) into a quintuple (S1, F1, D, S2, F2); at block 304 the three detection points of the quintuple are checked for the overlong-message condition; if any is met, detection stops at block 305 and the message is discarded; otherwise block 306 checks whether the end of the message has been reached. If it has, the line distribution position table is formed at block 307 and used to start intra-line detection; if not, at block 308 the second CRLF of the current quintuple and the next CRLF are extracted, and processing returns to block 303. Once all inter-line detection is complete, a line position distribution table such as Table 3 has been generated; it serves as the basis for intra-line detection.

Table 3: line position distribution table

First character of the message | Offset n1 | CRLF | Offset n2 | CRLF | … | CRLF

Table 3 is explained briefly as follows. Each offset is the distance from the preceding CRLF. In other words, the line position distribution table indicates the position and length of every line text segment of the input signaling message: it consists of the first character of the message followed by a finite sequence of pairs, each pair made up of the offset (the distance from the previous line's CRLF) and a CRLF. For example, if a message has 9 lines, the line position distribution table has length 19: first character, n1, CR, n2, CR, n3, …, n9, CR, where CR denotes the CRLF sequence. Building the line position distribution table is in effect a counting process.

In the embodiment of Fig. 2, block 205 performs intra-line detection, on the basis of the inter-line detection of block 202, using the line position distribution table of Table 3. The principle is the same as for inter-line detection: two adjacent feature separators are extracted and mapped into a quintuple, which is then judged by the quintuple detection principle; if it is not overlong, detection continues between the remaining feature characters of the line; otherwise the signaling message is deemed overlong, detection stops and the message is filtered out. If every intra-line check passes, the signaling message is deemed acceptable and the system lets it through. Fig. 4 gives the detailed flow of the intra-line detection corresponding to block 205 of Fig. 2. At block 401, a line is selected and extracted according to the line position distribution table; at block 402, the first feature separator S1 of the line and the feature separator S2 following it are extracted; at block 403, the corresponding data are extracted on the basis of S1 and S2 to form a quintuple (S1, F1, D, S2, F2); at block 404, the three checks are applied to the quintuple; if any of them meets the overlong-message condition, the flow proceeds to block 405, discards the message and exits detection; if all three indicate a normal message, the flow proceeds to block 406, which judges whether the end of the line has been reached. If it has, block 407 judges whether all intra-line detection is complete; if not, block 409 starts detection of the remaining lines and returns to block 402; if block 407 finds that all intra-line detection is complete, block 410 decides that the message is not overlong and lets it through normally. If block 406 finds that the end of the line has not been reached, the flow goes to block 408, where the second feature separator of the current quintuple becomes S1 and the next feature separator of the line is extracted as S2, and then returns to block 403 to continue detection.

In this embodiment, inter-line detection works on units of lines terminated by CRLF; the intra-line detection that follows it checks whether the text segment between two feature separators within a line is overlong. Together, the two passes detect every possible form of overlong text at their respective levels.
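As an added example (not the patent's own code), the following Python sketch implements the three quintuple checks of embodiment 2 together with the inter-line pass, the line distribution table and the intra-line pass of embodiment 3; the separator set follows claim 7, while the distance limits, the forbidden-adjacency pairs and the SIP-style sample messages are constructed assumptions.

```python
from typing import List, Optional

CRLF = "\r\n"
SEPARATORS = set("()<>@,;:/[]={} ")   # the feature separators listed in claim 7
# Feature distance table (constructed limits): maximum gap allowed between two
# separators; pairs not listed fall back to DEFAULT_MAX_GAP.
FEATURE_DISTANCE = {("<", ">"): 128, ("@", ">"): 64}
DEFAULT_MAX_GAP = 256
MAX_LINE_LENGTH = 512      # limit used by the inter-line pass, where S2 is CRLF
# Feature separator constraint table (constructed): pairs that may not be adjacent.
FORBIDDEN_ADJACENT = {("<", "<"), (":", ":"), ("@", "@"), ("=", "=")}

def quintuple_overlong(q: tuple) -> bool:
    """The three detection points of embodiment 2 applied to one quintuple."""
    s1, f1, d, s2, f2 = q
    if f1 in SEPARATORS and (s1, f1) in FORBIDDEN_ADJACENT:
        return True
    if f2 in SEPARATORS and (s2, f2) in FORBIDDEN_ADJACENT:
        return True
    limit = MAX_LINE_LENGTH if s2 == CRLF else FEATURE_DISTANCE.get((s1, s2), DEFAULT_MAX_GAP)
    return d > limit

def inter_line_check(msg: str) -> Optional[List]:
    """Inter-line pass (Fig. 3): one quintuple per CRLF-terminated line. Returns
    the line distribution table [first char, n1, CRLF, n2, CRLF, ...], or None
    when a line is overlong and the message must be filtered."""
    lines = msg.split(CRLF)
    if lines and lines[-1] == "":      # drop the empty piece after the final CRLF
        lines.pop()
    table: List = [msg[:1]]
    # The patent takes the message's first character as S1 of the first line; it is
    # modelled here as a zero-width marker so that D is the line length throughout.
    s1 = ""
    for i, line in enumerate(lines):
        f1 = line[:1] or CRLF
        f2 = (lines[i + 1][:1] or CRLF) if i + 1 < len(lines) else None
        if quintuple_overlong((s1, f1, len(line), CRLF, f2)):
            return None
        table += [len(line), CRLF]
        s1 = CRLF
    return table

def intra_line_check(line: str) -> bool:
    """Intra-line pass (Fig. 4): one quintuple per pair of neighbouring separators
    in the line; True if any of them is overlong."""
    seps = [(i, c) for i, c in enumerate(line) if c in SEPARATORS]
    for (i1, s1), (i2, s2) in zip(seps, seps[1:]):
        f2 = line[i2 + 1] if i2 + 1 < len(line) else None
        if quintuple_overlong((s1, line[i1 + 1], i2 - i1 - 1, s2, f2)):
            return True
    return False

def detect_overlong(msg: str) -> bool:
    """Embodiment 3: inter-line pass, then the intra-line pass driven by the offsets
    of the line distribution table. True means the message is filtered."""
    table = inter_line_check(msg)
    if table is None:
        return True
    pos = 0
    for n in table[1::2]:               # the offsets n1, n2, ... of the table
        if intra_line_check(msg[pos:pos + n]):
            return True
        pos += n + len(CRLF)
    return False

# Constructed SIP-style samples (192.0.2.1 is a documentation address).
SAMPLE_OK = ("INVITE sip:bob@example.com SIP/2.0" + CRLF
             + "Via: SIP/2.0/UDP 192.0.2.1;branch=z9hG4bK776asdhds" + CRLF
             + "To: Bob <sip:bob@example.com>" + CRLF
             + "Content-Length: 0" + CRLF + CRLF)
SAMPLE_LONG_LINE = "INVITE sip:" + "a" * 600 + "@example.com SIP/2.0" + CRLF
SAMPLE_LONG_FIELD = ("INVITE sip:bob@example.com SIP/2.0" + CRLF
                     + "To: <sip:" + "b" * 100 + "@" + "h" * 100 + ".example>" + CRLF)

if __name__ == "__main__":
    for name, m in [("ok", SAMPLE_OK), ("long line", SAMPLE_LONG_LINE), ("long field", SAMPLE_LONG_FIELD)]:
        print(name, "filtered" if detect_overlong(m) else "passed")
```

The first sample passes both passes, the second is stopped by the inter-line pass alone, and the third has every line within the line limit but is caught by the intra-line pass on the "@" to ">" gap.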

Embodiment 4

The intra-line detection of Fig. 4 can also be performed directly, without the inter-line detection of Fig. 3; in most cases this still detects overlong text in the input promptly.

Embodiment 5

This embodiment is a modular representation of an implementation of the network overlong signaling message detection method of the present invention. With reference to Fig. 1, the filtering engine unit 1 converts each line of the input signaling message, and the contents within each line, into quintuples, and stores each converted quintuple (S1, F1, D, S2, F2) in the quintuple unit 2. The filtering engine unit 1 also judges, in the inter-line and intra-line detection stages, whether a quintuple falls into the overlong-message cases defined by the feature distance table 3 and the feature separator constraint table 4 of Fig. 1; if so, the text signaling belonging to the overlong message is filtered out; if not, the text signaling is output for further processing. The feature distance table 3 stores the maximum allowed distance between any two feature separators, and the feature separator constraint table 4 stores whether any two feature separators are allowed to occur consecutively. In the quintuple unit 2, S1 is the first feature separator extracted from the text segment; F1 is the character immediately following that first feature separator; D is the feature distance between the two feature separators; S2 is the second feature separator immediately following the first; and F2 is the character immediately following the second feature separator.

For signaling protocols based on text encoding, the present invention proposes a method and an apparatus that use overlong fields to detect malicious attacks with malformed messages, applicable to a wide range of text-encoded signaling protocols. The embodiments described above are illustrative rather than restrictive. A person of ordinary skill in the art may make certain changes to the embodiments in light of the disclosure and teaching of the present invention, but such variations and changes remain within the scope of protection defined by the claims of this application.

Claims (7)

1. A method for detecting overlong signaling messages based on text encoding, characterised in that it comprises the following steps:
A. receiving a signaling message and judging whether the spacing or the adjacency relation of two adjacent feature separators in the signaling message matches the corresponding parameters of an overlong message recognition function, where the overlong message recognition function is generated on the basis of the feature separators and the parameters comprise the maximum spacing of any two feature separators or the disallowed adjacency relations of any two feature separators;
B. if it matches, judging the signaling message to be an overlong message;
C. filtering the overlong message.
2. The method of claim 1, characterised in that the overlong message recognition function is specifically a feature distance table, the feature distance table comprising the maximum spacing of any two feature separators, and step A is specifically: receiving the signaling message and judging whether the spacing of two adjacent feature separators in the signaling message is greater than the maximum spacing.
3. The method of claim 1 or 2, characterised in that the overlong message recognition function is specifically a feature separator constraint relation table, the feature separator constraint relation table comprising the disallowed adjacency relations of any two feature separators, and step A is specifically: receiving the signaling message and judging whether the adjacency relation of two adjacent feature separators in the signaling message is disallowed.
4. The method of claim 3, characterised in that steps A and B are specifically a step B23, in which the following steps are performed for each line terminated by a new-line symbol:
B231) extracting the first feature separator S1 of the line and the feature separator S2 following it;
B232) forming, on the basis of the extracted feature separators S1 and S2, a quintuple (S1, F1, D, S2, F2), where F1 is the first character immediately following the first feature separator S1, D is the feature spacing between the two feature separators S1 and S2, and F2 is the first character immediately following the second feature separator S2;
B233) performing three checks on the quintuple (S1, F1, D, S2, F2): if F1 is a feature separator, checking whether the adjacency relation of S1 and F1 is disallowed in the feature separator constraint relation table; if F2 is a feature separator, checking whether the adjacency relation of S2 and F2 is disallowed in the feature separator constraint relation table; and checking whether the feature spacing D is greater than the maximum spacing between S1 and S2 specified in the feature distance table; if any one of the three conditions is met, confirming that the message is an overlong message and exiting; otherwise, performing step B234);
B234) checking whether the end of the line has been reached; if not, taking the current feature separator S2 as S1, extracting the next feature separator as S2 and returning to step B232); if so, proceeding to step B235);
B235) judging whether intra-line detection of all lines is complete; if not, selecting the next line and going to step B231); if so, exiting intra-line detection.
5. The method of claim 4, characterised in that an inter-line detection step B22 precedes step B23, the inter-line detection step B22 comprising the following steps:
B221) for each text segment of the input signaling message forming a line terminated by a new-line symbol, performing steps B222 to B223 repeatedly until the current message is determined to be an overlong message or the end of the input signaling message is reached;
B222) forming the quintuple (S1, F1, D, S2, F2) of the text segment such that S1 is the first character of the message for the first line, or the new-line symbol of the previous line for any other line; F1 is the first character immediately following S1; S2 is the first new-line symbol after S1; F2 is the first character immediately following S2; and D is the spacing between S1 and S2;
B223) checking, for the quintuple, whether F1 is a feature separator and, if so, whether the adjacency relation of S1 and F1 belongs to the disallowed relations of the feature separator constraint relation table; checking whether F2 is a feature separator and, if so, whether the adjacency relation of S2 and F2 belongs to the disallowed relations of the feature separator constraint relation table; and checking whether the feature spacing D is greater than the maximum spacing between S1 and S2 specified in the feature distance table; if any one of these is met, confirming that the message is an overlong message and exiting; otherwise, taking the next line text segment and going to step B222.
6. The method of claim 5, characterised in that between step B22 and step B23 there is a further step B224): when the end of the input signaling message is reached without it having been confirmed as an overlong message, forming a line distribution position table that indicates the position and length of each line text segment of the input signaling message, the table comprising the first character of the message followed by a finite sequence of pairs, each pair consisting of an offset relative to the new-line symbol of the previous line and a new-line symbol.
7. The method of claim 1, characterised in that the feature separators comprise "(", ")", "<", ">", "@", ",", ";", ":", "/", "[", "]", "=", "{", "}" and SP, where SP is the space character.
CNB2005101208915A 2005-12-15 2005-12-15 Detection method of super-long signaling message based on text coding Expired - Fee Related CN100459579C (en)

Publications (2)

Publication Number Publication Date
CN1852245A CN1852245A (en) 2006-10-25
CN100459579C true CN100459579C (en) 2009-02-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090204

Termination date: 20191215