
CN111817960B - Message forwarding method and device of flow control equipment - Google Patents


Info

Publication number: CN111817960B
Application number: CN202010719584.3A
Authority: CN (China)
Prior art keywords: rule, message, matching result, matching, hit
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN111817960A
Inventor: 葛安康
Current assignee: Hangzhou DPtech Information Technology Co Ltd (as listed by Google Patents)
Original assignee: Hangzhou DPtech Information Technology Co Ltd
Events: application filed by Hangzhou DPtech Information Technology Co Ltd; priority to CN202010719584.3A; publication of CN111817960A; application granted; publication of CN111817960B; legal status Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L45/00 Routing or path finding of packets in data switching networks > H04L45/14 Routing performance; Theoretical aspects
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L47/00 Traffic control in data switching networks > H04L47/50 Queue scheduling > H04L47/62 Queue scheduling characterised by scheduling criteria > H04L47/625 Queue scheduling characterised by scheduling criteria for service slots or service orders > H04L47/6275 Queue scheduling characterised by scheduling criteria for service slots or service orders based on priority
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic


Abstract

The disclosure relates to a message forwarding method and apparatus for a flow control device, an electronic device and a computer-readable medium. The method comprises the following steps: parsing a message acquired from the network to generate five-tuple information; matching the five-tuple information against preset rules to generate a matching result, where the matching result comprises a subsequent-user flag, a hit flag and a highest priority; when the hit flag is valid, determining a target server based on the highest priority; and encapsulating the matching result together with the message and sending them to the target server. The message forwarding method and apparatus, electronic device and computer-readable medium of the flow control device can send a suspicious message to every target server that needs to analyse it, and can reduce both the number of rule lookups and the rule-lookup load.

Description

Message forwarding method and device of flow control equipment
Technical Field
The present disclosure relates to the field of computer information processing, and in particular to a message (packet) forwarding method and apparatus for a flow control device, an electronic device, and a computer-readable medium.
Background
To avoid network attacks and guarantee the security of network communication, some intervention in the network environment is usually required, and inserting a flow control device into the network is one way to do it. In the flow control device, the traffic corresponding to messages in the network is screened as appropriate: traffic from known dangerous IP addresses is limited, and suspicious traffic is analysed. A suspicious message is sent from the flow control device to a server, and the server makes the judgement that finally decides whether that traffic is limited or passed. In actual use there are situations in which several servers need to analyse the message; after the first server has made its judgement and returned the message to the flow control device, the traffic must be sent on to the next server, so the traffic has to be forwarded several times according to the priorities of the servers.
When traffic hits several rules, it is always directed to the highest-priority user, and the remaining users cannot see it. Since in actual use several users may need to analyse the same traffic, a priority forwarding method was derived. That priority forwarding method cannot ensure that every server whose rule was hit gets to analyse the message, and it also causes redundant rule lookups.
Therefore a new message forwarding method and apparatus for a flow control device, an electronic device and a computer-readable medium are needed.
The above information disclosed in this background section is only for enhancement of understanding of the background of the disclosure and therefore it may contain information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the present disclosure provides a message forwarding method and apparatus for a flow control device, an electronic device, and a computer readable medium, which can send suspicious messages to all target servers that need to analyze the suspicious messages, and can reduce the number of rule lookups and reduce the rule lookup pressure.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to one aspect of the present disclosure, a message forwarding method for a flow control device is provided. The method includes: parsing a message acquired from the network to generate five-tuple information; matching the five-tuple information against preset rules to generate a matching result, where the matching result comprises a subsequent-user flag, a hit flag and a highest priority; when the hit flag is valid, determining a target server based on the highest priority; and encapsulating the matching result together with the message and sending them to the target server.
In an exemplary embodiment of the present disclosure, before the five-tuple information is matched against the preset rules to generate the matching result, the method further includes: marking the subsequent-user flag, the hit flag and the highest priority as invalid.
In an exemplary embodiment of the present disclosure, the method further includes: obtaining return data from the target server, where the return data comprises the subsequent-user flag, the hit flag, the highest priority and the message; updating the preset rules when the subsequent-user flag is valid; matching the five-tuple information of the message against the updated preset rules to generate a secondary matching result; when the hit flag in the secondary matching result is valid, determining a target server based on the highest priority; and encapsulating the matching result together with the message and sending them to the target server.
In an exemplary embodiment of the present disclosure, the method further includes: when the subsequent-user flag is invalid, sending the message back to the network.
In an exemplary embodiment of the present disclosure, updating the preset rules includes: setting the subsequent-user flag to invalid, setting the hit flag to valid, and assigning the highest priority to the previous-user priority of the preset rules.
In an exemplary embodiment of the present disclosure, matching the five-tuple information against the preset rules to generate a matching result includes: matching the five-tuple information against the preset rules; in the matching result, when the number of hit rules equals 1, setting the subsequent-user flag to invalid; and when the number of hit rules is greater than 1, setting the subsequent-user flag to valid.
In an exemplary embodiment of the present disclosure, the matching result further includes a forwarding flag bit, and matching the five-tuple information against the preset rules to generate a matching result includes: matching the five-tuple information against each preset rule in turn, based on the forwarding flag bit; and generating the matching result after all preset rules have been traversed.
In an exemplary embodiment of the present disclosure, the forwarding flag bit is implemented by a random access memory, and the flag bits of the random access memory correspond to the forwarding flag bits of the respective servers.
In an exemplary embodiment of the present disclosure, matching the five-tuple information against each preset rule in turn based on the forwarding flag bit includes: when the priority value of the currently hit rule is smaller than the stored highest priority (that is, it ranks higher), taking the priority of the currently hit rule as the current highest priority; comparing subsequently hit rules with the current highest priority; and determining the state of the subsequent-user flag from the comparison result and the forwarding flag bit.
According to one aspect of the present disclosure, a message forwarding apparatus for a flow control device is provided. The apparatus includes: a parsing module for parsing a message acquired from the network to generate five-tuple information; a matching module for matching the five-tuple information against preset rules to generate a matching result, the matching result comprising a subsequent-user flag, a hit flag and a highest priority; a target module for determining a target server based on the highest priority when the hit flag is valid; and a sending module for encapsulating the matching result together with the message and sending them to the target server.
In an exemplary embodiment of the present disclosure, the apparatus further includes: a return module for obtaining return data from the target server, the return data comprising the subsequent-user flag, the hit flag, the highest priority and the message; an updating module for updating the preset rules when the subsequent-user flag is valid; and a second matching module for matching the five-tuple information of the message against the updated preset rules to generate a second matching result, determining the target server based on the highest priority when the hit flag in the second matching result is valid, and encapsulating the matching result together with the message and sending them to the target server.
According to one aspect of the present disclosure, an electronic device is provided, the electronic device including: one or more processors; and storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.
According to one aspect of the disclosure, a computer-readable medium is proposed, on which a computer program is stored that, when executed by a processor, carries out the method described above.
According to the message forwarding method and apparatus, electronic device and computer-readable medium of the flow control device, a message acquired from the network is parsed to generate five-tuple information; the five-tuple information is matched against preset rules to generate a matching result comprising a subsequent-user flag, a hit flag and a highest priority; when the hit flag is valid, a target server is determined based on the highest priority; and the matching result and the message are encapsulated and sent to the target server. As a result the suspicious message can be sent to every target server that needs to analyse it, the number of rule lookups is reduced, and the rule-lookup load is reduced.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are merely some embodiments of the present disclosure, and other drawings may be derived from those drawings by those of ordinary skill in the art without inventive effort.
Fig. 1 is a schematic diagram of a packet forwarding method of a flow control device in the prior art.
Fig. 2 is a schematic diagram of a packet forwarding method of a flow control device in the prior art.
Fig. 3 is a flowchart illustrating a message forwarding method of a flow control device according to an exemplary embodiment.
Fig. 4 is a flowchart illustrating a message forwarding method of a flow control device according to another exemplary embodiment.
Fig. 5 is a flowchart illustrating a message forwarding method of a flow control device according to another exemplary embodiment.
Fig. 6 is a flowchart illustrating a message forwarding method of a flow control device according to another exemplary embodiment.
Fig. 7 is a block diagram illustrating a packet forwarding apparatus of a flow control device according to an exemplary embodiment.
Fig. 8 is a block diagram illustrating a packet forwarding apparatus of a flow control device according to another exemplary embodiment.
Fig. 9 is a block diagram illustrating an electronic device according to an exemplary embodiment.
Fig. 10 is a block diagram illustrating a computer-readable medium according to an exemplary embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, and thus, a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in the form of software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another. Thus, a first component discussed below may be termed a second component without departing from the teachings of the disclosed concept. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
It is to be understood by those skilled in the art that the drawings are merely schematic representations of exemplary embodiments, and that the blocks or processes shown in the drawings are not necessarily required to practice the present disclosure and are, therefore, not intended to limit the scope of the present disclosure.
As shown in Fig. 1, a flow control device is inserted into the network. After message traffic enters the device, the message is first parsed to obtain the five-tuple information of the flow, namely sip, dip, sport, dport and protocol. The acquired five-tuple information is matched against the rules, the user with the highest priority among the hit rules is taken, and the message is encapsulated and sent to that highest-priority user. If the traffic hits no rule, it is not processed and is passed straight through. After the highest-priority user has analysed and processed the traffic, it is sent back to the device. The traffic that missed the rules and the traffic sent back by the server are merged and returned to the normal network.
A rule is a section of data stored in DDR memory; it comprises five-tuple information, five-tuple care bits, a user priority and so on, and the lookup is split into a next-rule step and a rule-check step. The five-tuple care bits indicate which parts of the five-tuple matter: 5 bits correspond to sip, dip, sport, dport and protocol respectively, where 1 means the field is compared and 0 means it is ignored. The user priority ranges from 1 to 255, 1 being the highest and 255 the lowest. For example, suppose there are currently 3 users: user 1 wants to see TCP messages from 1.1.1.1, user 2 wants to see messages addressed to 2.2.2.2, and user 3 wants to see both messages from 1.1.1.1 and messages addressed to 2.2.2.2. The information stored in the rule DDR is then as shown in Table 1.
TABLE 1  Data stored in DDR
Rule  sip      dip      sport  dport  protocol  Five-tuple care bits  User priority
1     1.1.1.1  0        0      0      6         10001                 1
2     0        2.2.2.2  0      0      0         01000                 2
3     1.1.1.1  0        0      0      0         10000                 3
4     0        2.2.2.2  0      0      0         01000                 3
When a TCP flow from 1.1.1.1 to 2.2.2.3 passes through the device, the flow control device does the following:
(1) queries rule 1: hit; user priority 1 is stored;
(2) queries rule 2: miss;
(3) queries rule 3: hit; the user priorities are compared, and since this hit has the lower priority, user priority 1 remains the one stored;
(4) queries rule 4: miss.
Finally the flow control device forwards the traffic to the server corresponding to that user.
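The care-bit matching and the single prior-art lookup of Fig. 1 can be reproduced in a few lines. The following Python is an added illustration, not code from the patent or from the assignee: the rule layout (a dataclass with the care bits as a 5-character string, 0 standing for "don't care" as in Table 1), the packet's port numbers and the function names are all assumptions made for the example; Table 1 is entered as constructed data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Five-tuple fields in the order the care bits are written: sip, dip, sport, dport, protocol
FIELDS = ("sip", "dip", "sport", "dport", "protocol")


@dataclass(frozen=True)
class FiveTuple:
    sip: str
    dip: str
    sport: int
    dport: int
    protocol: int  # IP protocol number: 6 = TCP, 17 = UDP


@dataclass(frozen=True)
class Rule:
    rid: int
    sip: str
    dip: str
    sport: int
    dport: int
    protocol: int
    care: str      # five care bits, one per field; "1" = compare, "0" = ignore
    priority: int  # user priority: 1 is the highest, 255 the lowest


def rule_hits(rule: Rule, pkt: FiveTuple) -> bool:
    """A rule hits when every field whose care bit is 1 equals the packet's field.
    Fields with care bit 0 are wildcards, so the 0 stored for them in Table 1 is never compared."""
    return all(
        bit == "0" or getattr(rule, field) == getattr(pkt, field)
        for bit, field in zip(rule.care, FIELDS)
    )


# Table 1 from the description, entered here as constructed data (0 = don't care)
TABLE_1: List[Rule] = [
    Rule(1, "1.1.1.1", "0", 0, 0, 6, "10001", 1),  # user 1: TCP from 1.1.1.1
    Rule(2, "0", "2.2.2.2", 0, 0, 0, "01000", 2),  # user 2: anything to 2.2.2.2
    Rule(3, "1.1.1.1", "0", 0, 0, 0, "10000", 3),  # user 3: anything from 1.1.1.1
    Rule(4, "0", "2.2.2.2", 0, 0, 0, "01000", 3),  # user 3: anything to 2.2.2.2
]


def single_lookup(rules: List[Rule], pkt: FiveTuple) -> Tuple[List[int], Optional[int]]:
    """The prior-art lookup of Fig. 1: walk every rule in order, remember which ones hit,
    and keep only the best (numerically smallest) user priority among the hits.
    Returns (ids of the rules that hit, priority of the user the flow is sent to, or None)."""
    hit_ids: List[int] = []
    best: Optional[int] = None
    for rule in rules:
        if not rule_hits(rule, pkt):
            continue
        hit_ids.append(rule.rid)
        if best is None or rule.priority < best:
            best = rule.priority
    return hit_ids, best


if __name__ == "__main__":
    # The walk-through in the description: a TCP flow from 1.1.1.1 to 2.2.2.3
    flow = FiveTuple("1.1.1.1", "2.2.2.3", 40000, 80, 6)
    print(single_lookup(TABLE_1, flow))  # ([1, 3], 1): rules 1 and 3 hit, user 1 gets the flow
```

Running it reproduces the four-step walk-through: rules 1 and 3 hit, the stored priority stays 1, and user 3 never sees the flow even though its rule matched, which is exactly the shortcoming the rest of the description addresses.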
When traffic hits several rules, it is always directed to the highest-priority user, and the remaining users cannot see it. Since in actual use several users may need to analyse the same traffic, a priority forwarding method was derived: when the traffic is sent back from the server to the flow control device, the device decides whether it needs to be forwarded to another user, as shown in Fig. 2.
In the prior art a maximum number of matches is configured, and when that count has been decremented to 0 the multi-pass forwarding process terminates:
(1) the traffic enters the device and the maximum number of matches N is configured;
(2) the five-tuple is parsed and the rules are matched;
(3) if a rule is hit, the message, the user priority and the maximum number of matches N are encapsulated and sent to the server; if no rule is hit, the traffic returns to the normal network;
(4) when the server returns the traffic to the device, the device checks whether the maximum number of matches is 0. If it is 0, the traffic returns to the normal network; if not, the maximum number of matches is decremented by 1 and the process returns to (2).
The inventors of the present disclosure found that the prior-art solution has the following disadvantages:
(1) When there are many matching rules, it is still not guaranteed that every user whose rule was hit gets to analyse the traffic: when the traffic hits the rules of more than N users, the users beyond N cannot obtain the traffic for analysis.
(2) When there are few matching rules, one rule lookup is redundant. The last time the traffic returns from the server, the device looks up the rules again; when nothing is hit the traffic returns to the normal network, so that lookup was unnecessary.
(3) User priority is not reflected. In the prior art the N users are treated as parallel users, and the traffic is forwarded to subsequent users unconditionally. In actual use, however, users have priorities: for some users, once a higher-priority user has analysed the traffic, the lower-priority user no longer needs to analyse it.
In view of these defects in the prior art, the inventors of the present disclosure provide a message forwarding method for a flow control device which can send message traffic to all user servers whose rules were hit, eliminates the redundant final rule lookup, and can decide, according to the administrator's configuration, whether a given message flow needs to be forwarded again. The present disclosure is described in detail below with reference to specific examples.
Fig. 3 is a flowchart illustrating a message forwarding method of a flow control device according to an exemplary embodiment. The message forwarding method 30 of the flow control device includes at least steps S302 to S308.
As shown in Fig. 3, in S302 the message acquired from the network is parsed to generate five-tuple information. The five-tuple information consists of sip, dip, sport, dport and protocol; more specifically, the five-tuple care bits indicate which parts of the five-tuple matter, 5 bits corresponding to sip, dip, sport, dport and protocol respectively, where 1 means the field is compared and 0 means it is ignored. The user priority ranges from 1 to 255, 1 being the highest and 255 the lowest.
In S304, the five-tuple information is matched against the preset rules to generate a matching result, where the matching result includes a subsequent-user flag, a hit flag and a highest priority.
Before the five-tuple information is matched against the preset rules to generate the matching result, the method further includes marking the subsequent-user flag, the hit flag and the highest priority as invalid.
More specifically, for example, the five-tuple information may be matched against the preset rules, and in the matching result the subsequent-user flag is set to invalid when the number of hit rules equals 1 and to valid when the number of hit rules is greater than 1. When the traffic enters the device, the subsequent-user flag, the hit flag and the highest priority are cleared. The five-tuple is parsed and the rules are looked up with it; if no rule is hit, the traffic goes straight back to the normal network. If only one user's rule is hit, the subsequent-user flag is set to 0; if the rules of more than one user are hit, the subsequent-user flag is set to 1. The original message, the subsequent-user flag, the highest priority and so on are encapsulated and uploaded to the server.
In S306, when the hit flag is valid, the target server is determined based on the highest priority: when a rule is hit, the target server is that of the highest-priority user whose rule was hit.
In S308, the matching result and the message are encapsulated and sent to the target server.
According to the message forwarding method of the flow control device, the message acquired from the network is parsed to generate five-tuple information; the five-tuple information is matched against preset rules to generate a matching result comprising a subsequent-user flag, a hit flag and a highest priority; when the hit flag is valid, a target server is determined based on the highest priority; and the matching result and the message are encapsulated and sent to the target server. As a result the suspicious message can be sent to every target server that needs to analyse it, the number of rule lookups is reduced, and the rule-lookup load is reduced.
It is clearly understood that this disclosure describes how to make and use specific examples, but the principles of this disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
Fig. 4 is a flowchart illustrating a message forwarding method of a flow control device according to another exemplary embodiment. The flow 40 shown in Fig. 4 describes in detail how the data returned by the server is processed.
As shown in Fig. 4, in S402 the return data is obtained from the target server, where the return data includes the subsequent-user flag, the hit flag, the highest priority and the message. Because all rules are traversed when the traffic first enters the device, the traversal reveals which users' rules were hit, so a flag can be carried along when the message is sent to the server to indicate whether there are subsequent lower-priority users. When the traffic returns from the server to the device the flag is preserved, and the device uses it to decide whether another rule match is needed.
In S404, when the subsequent-user flag is valid, the preset rules are updated. Updating the preset rules includes: setting the subsequent-user flag to invalid, setting the hit flag to valid, and assigning the highest priority to the previous-user priority of the preset rules.
The method further includes: when the subsequent-user flag is invalid, sending the message back to the network. After the traffic returns from the server to the device, the subsequent-user flag is examined: if it is 0, the traffic returns to the normal network and no rule lookup is performed; if it is 1, the traffic is returned to the parsing module for processing. Once the traffic is back in parsing, the subsequent-user flag is reset, the hit flag is set to 1, and the highest priority is assigned to the previous-user priority used by the rule lookup. During the rule lookup, users with a priority higher than the previous user are treated as misses, and the highest-priority user is sought among the users with a priority lower than the previous user. The subsequent operations are the same as for the first lookup.
In S406, the five-tuple information of the message is matched against the updated preset rules to generate a secondary matching result.
In S408, when the hit flag in the secondary matching result is valid, the target server is determined based on the highest priority.
In S410, the matching result and the message are encapsulated and sent to the target server.
Fig. 5 is a flowchart illustrating a message forwarding method of a flow control device according to another exemplary embodiment. The flow 50 shown in Fig. 5 describes the overall process of the flow control device in detail.
As shown in Fig. 5, in S502 a message is received from the network.
In S504, the subsequent-user flag is cleared and the previous-user priority is assigned.
In S506, the five-tuple information is parsed and the rules are looked up.
In S507, a rule is hit.
In S510, the subsequent-user flag and the highest priority are updated according to the hit.
In S512, the message is sent to the current highest-priority user.
In S514, the data returned by the server is received.
In S516, the subsequent-user flag is checked.
Because all rules are traversed when the traffic first enters the device, the traversal reveals which users' rules were hit, so a flag can be carried along when the message is sent to the server to indicate whether there are subsequent lower-priority users. When the traffic returns from the server to the device the flag is preserved, and the device uses it to decide whether another rule match is needed.
As shown in Fig. 5, when the traffic enters the device, the subsequent-user flag, the hit flag and the highest priority are all cleared. The five-tuple is parsed and the rules are looked up with it; if no rule is hit, the traffic goes straight back to the normal network. If only one user's rule is hit, the subsequent-user flag is set to 0; if the rules of more than one user are hit, the subsequent-user flag is set to 1. The original message, the subsequent-user flag, the highest priority and so on are encapsulated and uploaded to the server.
After the traffic returns from the server to the device, the subsequent-user flag is examined: if it is 0, the traffic returns to the normal network and no rule lookup is performed; if it is 1, the traffic is returned to the parsing module for processing. Once the traffic is back in parsing, the subsequent-user flag is reset, the hit flag is set to 1, and the highest priority is assigned to the previous-user priority used by the rule lookup. During the rule lookup, users with a priority higher than the previous user are treated as misses, and the highest-priority user is sought among the users with a priority lower than the previous user. The subsequent operations are the same as for the first lookup.
According to the message forwarding method of the flow control device, the message traffic carries the subsequent-user flag; if the flag is 1, a further user needs to analyse the traffic, so suspicious traffic can be sent to every user that needs to analyse it. When the traffic returns to the device for the last time, the carried subsequent-user flag is 0, the rules are not looked up again, and the rule-lookup load is reduced.
fig. 6 is a flowchart illustrating a message forwarding method of a flow control device according to another exemplary embodiment. The flow 60 shown in fig. 6 is a further description of "when the matching result includes the forwarding flag, the matching result is generated by performing rule matching on the five-tuple information and the preset rule". The forwarding flag bit is implemented by a random access memory, and a plurality of flag bits of the random access memory correspond to the forwarding flag bits of a plurality of servers.
As shown in fig. 6, in S602, the next rule is queried.
In S604, it is checked whether the rule hits.
In S606, it is checked whether the priority is lower than that of the previous user.
In S608, it is checked whether a rule has already hit before.
In S610, the priorities are compared.
In S612, the state of the forwarding flag bit of the lower-priority user is looked up.
In S614, it is checked whether the forwarding flag bit is valid.
In S616, the subsequent user flag is set to 1.
In S618, the highest priority is updated.
In S620, it is checked whether all rules have been traversed.
A forwarding flag bit is added to the rule search. It can be understood as a forwarding switch that satisfies the requirement that a low-priority user no longer analyzes a message once a high-priority user has analyzed it. The forwarding flag bit can be implemented with a 256x1 RAM corresponding to user priorities 1-255, where the single bit for each priority indicates valid or invalid. The forwarding flag bit can be configured by an administrator; only the value in the RAM needs to be modified, and the rules do not have to be reset.
The rule matching process is shown in fig. 6. The five-tuple information obtained by the parsing module is combined with the subsequent user flag (0), the hit flag, the previous user priority and similar fields, and enters the rule matching module. If a rule is not hit, the next rule is searched directly. If the priority of the currently hit rule is higher than or equal to the priority of the previous user, that user has already analyzed the message, so the next rule can be searched without analyzing again. Among the rules whose priority is lower than the previous user's, the first rule that hits is taken directly as the current highest priority. Each subsequently hit rule is compared with the current highest priority, and the highest priority is updated with the result of the comparison. At the same time, comparing the priorities of the two hit rules also yields the lower priority, which is used as an address into the RAM to read the forwarding flag bit. When the forwarding flag bit is valid, it indicates that, apart from the current highest-priority user, other users still need to analyze the message, and the subsequent user flag is set to 1; otherwise the subsequent user flag is left unchanged. The rules are judged one by one until all rules have been traversed, and the result is taken out of the rule matching module.
With this message forwarding method of the flow control device, an administrator can configure for each user whether forwarding is required. For some parallel users the forwarding-required switch can be set to 1, so the traffic is always sent to that user once, regardless of whether other users analyze it; for some low-priority users the forwarding-required switch can be set to 0, so that as long as a higher-priority user analyzes the traffic, no copy needs to be sent to that user.
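As an added worked example (not the patent's own code), the Fig. 5 device-side loop and the Fig. 6 rule-matching module above, in Python. The five-tuple wildcard matching, the convention that a larger priority value is a higher priority, the FIRST_PASS sentinel and the sample rules and forwarding bits are assumptions; it also generalizes Fig. 5's simpler rule, since with every forwarding bit valid it reduces to "more than one hit sets the subsequent user flag".

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Five-tuple as (src_ip, dst_ip, src_port, dst_port, proto); in a rule, None is a wildcard.
FiveTuple = Tuple[str, str, int, int, str]
RulePattern = Tuple[Optional[str], Optional[str], Optional[int], Optional[int], Optional[str]]

# Assumption: user priorities are 1-255 and a larger number means a higher priority.
FIRST_PASS = 256  # sentinel "previous user" that sits above every real priority


@dataclass(frozen=True)
class Rule:
    user_priority: int     # priority of the analysis user (server) that owns this rule
    pattern: RulePattern

    def hits(self, five_tuple: FiveTuple) -> bool:
        return all(p is None or p == f for p, f in zip(self.pattern, five_tuple))


@dataclass
class MatchResult:
    subsequent_user_flag: int = 0   # 1: at least one more user still needs a copy
    hit_flag: int = 0               # 1: some rule below the previous user hit
    highest_priority: int = 0       # user the message goes to next (0: none)


def match_rules(five_tuple: FiveTuple, rules: List[Rule], forwarding_ram: List[int],
                previous_user_priority: int = FIRST_PASS) -> MatchResult:
    """Fig. 6 rule-matching module. forwarding_ram models the 256x1 RAM: index = priority,
    value 1 = forwarding flag bit valid. Rules whose user priority is at or above
    previous_user_priority were already served by an earlier pass and count as misses."""
    result = MatchResult()
    for rule in rules:
        if not rule.hits(five_tuple) or rule.user_priority >= previous_user_priority:
            continue  # miss, or a user that already analysed this message
        if result.hit_flag == 0:
            # first hit among the lower-priority rules becomes the current highest
            result.hit_flag, result.highest_priority = 1, rule.user_priority
            continue
        higher = max(result.highest_priority, rule.user_priority)
        lower = min(result.highest_priority, rule.user_priority)
        result.highest_priority = higher
        if forwarding_ram[lower]:
            # the lower-priority user insists on its own copy, so another pass is needed
            result.subsequent_user_flag = 1
    return result


def forward_message(five_tuple: FiveTuple, rules: List[Rule], forwarding_ram: List[int],
                    upload: Callable[[int, FiveTuple], None]) -> List[int]:
    """Fig. 5 device-side loop. upload(priority, message) stands in for encapsulating the
    message and sending it to the target server; returns the priorities served, in order."""
    served: List[int] = []
    previous = FIRST_PASS   # flags and highest priority start cleared
    while True:
        result = match_rules(five_tuple, rules, forwarding_ram, previous)
        if result.hit_flag == 0:
            return served   # no rule hit: straight back to the normal network
        upload(result.highest_priority, five_tuple)
        served.append(result.highest_priority)
        if result.subsequent_user_flag == 0:
            return served   # returned with flag 0: no further rule lookup
        # flag 1: back to parsing; hit flag set, highest priority becomes the previous user
        previous = result.highest_priority


# Constructed sample configuration (not from the patent): three analysis users.
RULES = [
    Rule(200, (None, None, None, 443, "tcp")),       # TLS to anywhere
    Rule(100, (None, None, None, None, "tcp")),      # all TCP
    Rule(50, ("10.0.0.5", None, None, None, None)),  # one monitored host
]
FORWARDING_RAM = [0] * 256
FORWARDING_RAM[100] = 1   # user 100 always wants its own copy
FORWARDING_RAM[50] = 0    # user 50 defers to any higher-priority user
SUSPICIOUS = ("10.0.0.5", "198.51.100.7", 51515, 443, "tcp")  # hits all three rules

if __name__ == "__main__":
    print(forward_message(SUSPICIOUS, RULES, FORWARDING_RAM, lambda p, m: print("->", p, m)))
```

Running the script shows the message delivered to user 200 and then user 100 only; flipping FORWARDING_RAM[50] to 1 adds a third pass to user 50.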
Those skilled in the art will appreciate that all or part of the steps implementing the above embodiments may be implemented as computer programs executed by a CPU. When executed by the CPU, the program performs the functions defined by the above-described methods provided by the present disclosure. The program may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic or optical disk, or the like.
Furthermore, it should be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
The following are embodiments of the disclosed apparatus that may be used to perform embodiments of the disclosed methods. For details not disclosed in the embodiments of the apparatus of the present disclosure, refer to the embodiments of the method of the present disclosure.
Fig. 7 is a block diagram illustrating a packet forwarding apparatus of a flow control device according to an exemplary embodiment. As shown in fig. 7, the message forwarding apparatus 70 of the flow control device includes: parsing module 702, matching module 704, target module 706, and sending module 708.
The parsing module 702 is configured to parse a packet acquired from a network to generate quintuple information;
the matching module 704 is configured to perform rule matching on the quintuple information and a preset rule to generate a matching result, where the matching result includes a subsequent user tag, a hit tag, and a highest priority;
the target module 706 is configured to determine a target server based on the highest priority when the hit flag is valid;
the sending module 708 is configured to encapsulate the matching result and the packet, and send the encapsulated matching result and the packet to the target server.
Fig. 8 is a block diagram illustrating a packet forwarding apparatus of a flow control device according to another exemplary embodiment. As shown in fig. 8, the message forwarding apparatus 80 of the flow control device includes: a return module 802, an update module 804, and a secondary matching module 806.
The return module 802 is configured to obtain return data from the target server, where the return data includes a subsequent user tag, a hit tag, a highest priority, and a packet;
the updating module 804 is configured to update the preset rule when the subsequent user flag is valid;
the secondary matching module 806 is configured to perform rule matching on the quintuple information of the packet and the updated preset rule to generate a secondary matching result, and determine a target server based on the highest priority when a hit mark in the secondary matching result is valid; and packaging the matching result and the message, and sending the result to the target server.
According to the message forwarding device of the flow control equipment, the message acquired from the network is analyzed to generate quintuple information; carrying out rule matching on the quintuple information and a preset rule to generate a matching result, wherein the matching result comprises a subsequent user mark, a hit mark and the highest priority; determining a target server based on the highest priority when the hit flag is valid; and the matching result and the message are packaged and sent to the target server, so that the suspicious message can be sent to all target servers needing to be analyzed, the rule searching times can be reduced, and the rule searching pressure can be reduced.
FIG. 9 is a block diagram illustrating an electronic device in accordance with an example embodiment.
An electronic device 900 according to this embodiment of the disclosure is described below with reference to fig. 9. The electronic device 900 shown in fig. 9 is only an example and should not bring any limitations to the functionality or scope of use of the embodiments of the present disclosure.
As shown in fig. 9, the electronic device 900 is embodied in the form of a general purpose computing device. Components of electronic device 900 may include, but are not limited to: at least one processing unit 910, at least one storage unit 920, a bus 930 connecting different system components (including the storage unit 920 and the processing unit 910), a display unit 940, and the like.
The storage unit stores program code which can be executed by the processing unit 910, so that the processing unit 910 performs the steps according to the various exemplary embodiments of the present disclosure described in the method section of this specification above. For example, the processing unit 910 may perform the steps shown in fig. 2, 3, 4 and 5.
The storage unit 920 may include a readable medium in the form of a volatile storage unit, such as a random access memory unit (RAM)9201 and/or a cache memory unit 9202, and may further include a read only memory unit (ROM) 9203.
The memory unit 920 may also include a program/utility 9204 having a set (at least one) of program modules 9205, such program modules 9205 including but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 930 can be any of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 900 may also communicate with one or more external devices 900' (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 900, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 900 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interface 950. Also, the electronic device 900 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet) via the network adapter 960. The network adapter 960 may communicate with other modules of the electronic device 900 via the bus 930. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 900, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, as shown in fig. 10, the technical solution according to the embodiment of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, or a network device, etc.) to execute the above method according to the embodiment of the present disclosure.
The software product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable storage medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform the following functions: parsing the message acquired from the network to generate quintuple information; performing rule matching on the quintuple information and a preset rule to generate a matching result, wherein the matching result comprises a subsequent user mark, a hit mark and the highest priority; determining a target server based on the highest priority when the hit flag is valid; and packaging the matching result and the message, and sending the result to the target server. The computer readable medium may also implement the following functions: obtaining return data from the target server, wherein the return data comprises a subsequent user mark, a hit mark, a highest priority and a message; updating the preset rule when the subsequent user mark is valid; performing rule matching on the quintuple information of the message and the updated preset rule to generate a secondary matching result; when the hit mark in the secondary matching result is valid, determining a target server based on the highest priority; and packaging the matching result and the message, and sending the result to the target server.
Those skilled in the art will appreciate that the modules described above may be distributed in the apparatus according to the description of the embodiments, or may be modified accordingly in one or more apparatuses different from those of the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that the present disclosure is not limited to the precise arrangements or instrumentalities described herein; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (8)

1. A message forwarding method of a flow control device comprises the following steps:
analyzing the message acquired from the network to generate quintuple information;
carrying out rule matching on the quintuple information and a preset rule to generate a matching result, wherein the matching result comprises a subsequent user mark, a hit mark and the highest priority;
determining a target server based on the highest priority when the hit flag is valid;
packaging the matching result and the message, and sending the matching result and the message to the target server;
obtaining return data from the target server, wherein the return data comprises a subsequent user mark, a hit mark, a highest priority and a message;
updating the preset rule when the subsequent user mark is valid;
carrying out rule matching on the quintuple information of the message and the updated preset rule to generate a secondary matching result;
when the hit mark in the secondary matching result is valid, determining a target server based on the highest priority;
packaging the matching result and the message, and sending the matching result and the message to the target server;
and when the subsequent user mark is invalid, sending the message back to the network.
2. The method of claim 1, wherein before the matching the five-tuple information with a preset rule to generate a matching result, the method further comprises:
setting the subsequent user mark, the hit mark and the highest priority to invalid.
3. The method of claim 1, wherein updating the preset rules comprises:
and setting the subsequent user mark as invalid, setting the hit mark as valid, and assigning the highest priority to the priority of the previous user of the preset rule.
4. The method of claim 1, wherein the rule matching the quintuple information with a preset rule to generate a matching result comprises:
carrying out rule matching on the quintuple information and a preset rule;
in the rule matching result, when the number of hit rules is equal to 1, setting the subsequent user mark as invalid;
and in the rule matching result, when the number of the hit rules is more than 1, setting the subsequent user mark to be effective.
5. The method of claim 1, wherein the matching result further comprises: forwarding the flag bit;
and matching the quintuple information with a preset rule to generate a matching result, wherein the matching result comprises the following steps:
matching the quintuple information with each rule in preset rules in sequence based on the forwarding flag bit;
and generating a matching result after traversing the preset rule.
6. The method of claim 5, wherein the forwarding flag is implemented by a random access memory having a plurality of flag bits corresponding to forwarding flag bits of a plurality of servers.
7. The method of claim 5, wherein rule matching the quintuple information with each of preset rules in turn based on the forwarding flag bit comprises:
when the priority of the current hit rule is smaller than the highest priority, taking the current hit rule as the current highest priority;
comparing the rules of subsequent hits to the current highest priority;
and determining the state of the subsequent user mark according to the comparison result and the forwarding flag bit.
8. A message forwarding device of a flow control device comprises:
the analysis module is used for analyzing the message acquired from the network to generate quintuple information;
the matching module is used for carrying out rule matching on the quintuple information and a preset rule to generate a matching result, and the matching result comprises a subsequent user mark, a hit mark and the highest priority;
a target module to determine a target server based on the highest priority when the hit flag is valid;
the sending module is used for packaging the matching result and the message and sending the matching result and the message to the target server;
the return module is used for acquiring return data from the target server, wherein the return data comprises a subsequent user mark, a hit mark, a highest priority and a message;
the updating module is used for updating the preset rule when the subsequent user mark is valid;
the second matching module is used for carrying out rule matching on the quintuple information of the message and the updated preset rule to generate a second matching result, and when a hit mark in the second matching result is valid, the target server is determined based on the highest priority; packaging the matching result and the message, and sending the matching result and the message to the target server; and sending the message back to the network when the subsequent user is marked as invalid.
CN202010719584.3A 2020-07-23 2020-07-23 Message forwarding method and device of flow control equipment Active CN111817960B (en)
Publications (2)

Publication Number Publication Date
CN111817960A CN111817960A (en) 2020-10-23
CN111817960B true CN111817960B (en) 2022-02-01