
CN102916967A - Method and device for protocol resolution - Google Patents


Info

Publication number
CN102916967A
Authority
CN
China
Prior art keywords
state machine
structure elucidation
agreement
segmentation
machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2012104206911A
Other languages
Chinese (zh)
Other versions
CN102916967B (en)
Inventor
耿玉磊
徐文广
吴富强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
HUNAN QIANMENG INDUSTRIAL INTELLIGENT SYSTEM CO., LTD.
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN201210420691.1A priority Critical patent/CN102916967B/en
Publication of CN102916967A publication Critical patent/CN102916967A/en
Application granted granted Critical
Publication of CN102916967B publication Critical patent/CN102916967B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Computer And Data Communications (AREA)
  • Stored Programmes (AREA)

Abstract

The invention provides a method and a device for protocol parsing (protocol resolution). The method comprises: according to the parsing requirements of a protocol, compiling the segmentation mode of the protocol into a structure segmentation state machine, compiling the identification mode of the protocol into a structure identification state machine, and compiling the parsing mode of the protocol into a structure parsing state machine; loading the structure segmentation state machine, the structure identification state machine and the structure parsing state machine; and parsing messages that use the protocol according to the three state machines. Because the messages are parsed according to the structure segmentation state machine, the structure identification state machine and the structure parsing state machine, the hardware architecture is decoupled from the specific protocol and the protocol parsing process can be configured flexibly. In addition, because the protocol parsing process is implemented by state machines, the processing driven by each state machine can be executed in parallel, which increases the protocol parsing speed.

Description

Method and device for protocol parsing
Technical field
The present invention relates to the communications field, and in particular to a method and a device for protocol parsing.
Background
Protocol parsing is the process of analyzing the content of network packets in detail. It decodes the data and the packet structure according to the regular structure specific to a network communication protocol, obtaining deeper-level data and providing accurate, detailed information for packet analysis.
With the explosive development of network services and the rapid growth of broadband services, operators face huge challenges in areas such as dynamic service awareness, policy control, quality of service (QoS) guarantees, and the security of networks and services. This has driven the rapid development of network applications such as deep packet inspection (DPI), intrusion detection systems (IDS) and network security, and protocol parsing is one of the key technologies in these services. For example, in DPI, protocol parsing makes it possible to identify the carried protocol and the specific packet content of interest more accurately and quickly; in IDS, protocol parsing can effectively identify attacks that exploit a protocol.
Existing protocol parsing methods generally comprise two processes: first, keywords in the protocol character stream are matched; then, a parse operation is performed on the keywords that matched successfully. As network speeds rise, protocol types multiply and protocols are updated quickly, the requirements on the speed and flexibility of protocol parsing keep growing. In the above method, however, different hardware circuits must be developed to implement the parsing function for different protocol parsing requirements, so flexibility is poor. In addition, the two processes of the above method can only be executed serially, which makes the parsing speed difficult to improve.
Summary of the invention
Embodiments of the present invention provide a method and a device for protocol parsing that allow the protocol parsing process to be configured flexibly and improve the speed of protocol parsing.
In a first aspect, a method for protocol parsing is provided, comprising: according to the parsing requirements of a protocol, compiling the segmentation mode of the protocol into a structure segmentation state machine, compiling the identification mode of the protocol into a structure identification state machine, and compiling the parsing mode of the protocol into a structure parsing state machine; loading the structure segmentation state machine, the structure identification state machine and the structure parsing state machine; and parsing a message that uses the protocol according to the structure segmentation state machine, the structure identification state machine and the structure parsing state machine.
With reference to the first aspect, in a first possible implementation, compiling the segmentation mode, the identification mode and the parsing mode of the protocol into the respective state machines according to the parsing requirements of the protocol comprises: according to the parsing requirements of the protocol, compiling the segmentation mode by which the protocol is divided into a plurality of protocol elements into the structure segmentation state machine, compiling the type identification mode of the plurality of protocol elements into the structure identification state machine, and compiling the parsing mode of each protocol element into the structure parsing state machine.
With reference to the first possible implementation of the first aspect, in a second possible implementation, the segmentation mode by which the protocol is divided into a plurality of protocol elements comprises: determining, according to the format of the protocol, the order of the plurality of protocol elements and the separators between the plurality of protocol elements; and dividing the protocol into the plurality of protocol elements according to that order and those separators.
With reference to the first or the second possible implementation of the first aspect, in a third possible implementation, parsing the message that uses the protocol according to the structure segmentation state machine, the structure identification state machine and the structure parsing state machine comprises: performing, in parallel, the segmentation, type identification and parsing of a plurality of functional units in the message according to the three state machines, wherein the functional units correspond one-to-one to the protocol elements.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, performing the segmentation, type identification and parsing of the plurality of functional units in the message in parallel comprises: reading the instruction information of a node of the structure segmentation state machine according to the entry address of the structure segmentation state machine, and segmenting the plurality of functional units in the message according to that instruction information; reading the instruction information of a node of the structure identification state machine according to the entry address of the structure identification state machine, and determining the type of the functional unit according to that instruction information; and reading the instruction information of a node of the structure parsing state machine according to the entry address of the structure parsing state machine, and performing, according to that instruction information, a parse operation on the functional unit whose type has been determined.
With reference to the first aspect or any of the first to fourth possible implementations of the first aspect, in a fifth possible implementation, the method further comprises: updating the structure parsing state machine according to a newly added parsing rule.
With reference to the fifth possible implementation of the first aspect, in a sixth possible implementation, updating the structure parsing state machine according to the newly added parsing rule comprises: according to the newly added parsing rule, compiling the parsing mode of the protocol element indicated by the newly added parsing rule into a newly added structure parsing state machine; determining the entry address of the newly added structure parsing state machine, and storing the newly added structure parsing state machine according to that entry address; recording the entry address of the newly added structure parsing state machine in the backup entry data; loading the entry address of the structure parsing state machine in the primary entry data into the backup entry data; and switching the backup entry data to be the new primary entry data.
In a second aspect, a device for protocol parsing is provided, comprising a parsing compiler, a table entry management module, a parallel parsing module and a parsing control module. The parsing compiler is configured to, according to the parsing requirements of a protocol, compile the segmentation mode of the protocol into a structure segmentation state machine, compile the identification mode of the protocol into a structure identification state machine, and compile the parsing mode of the protocol into a structure parsing state machine. The table entry management module is configured to load the structure segmentation state machine, the structure identification state machine and the structure parsing state machine into the parallel parsing module. The parsing control module is configured to control the parallel parsing module to parse a message that uses the protocol according to the structure segmentation state machine, the structure identification state machine and the structure parsing state machine.
With reference to the second aspect, in a first possible implementation, the parsing compiler is specifically configured to, according to the parsing requirements of the protocol, compile the segmentation mode by which the protocol is divided into a plurality of protocol elements into the structure segmentation state machine, compile the type identification mode of the plurality of protocol elements into the structure identification state machine, and compile the parsing mode of each protocol element into the structure parsing state machine.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation, the parsing control module is specifically configured to control the parallel parsing module to perform, in parallel, the segmentation, type identification and parsing of a plurality of functional units in the message according to the structure segmentation state machine, the structure identification state machine and the structure parsing state machine, wherein the functional units correspond one-to-one to the protocol elements.
With reference to the second possible implementation of the second aspect, in a third possible implementation, the parallel parsing module comprises a structure segmentation submodule, a structure identification submodule and a structure parsing submodule. The table entry management module is specifically configured to load the structure segmentation state machine into the structure segmentation submodule, the structure identification state machine into the structure identification submodule, and the structure parsing state machine into the structure parsing submodule. The parsing control module is specifically configured to control the structure segmentation submodule, the structure identification submodule and the structure parsing submodule to perform, in parallel, the segmentation, type identification and parsing of the plurality of functional units of the message.
With reference to the third possible implementation of the second aspect, in a fourth possible implementation, the device further comprises at least one parsing engine. The structure segmentation submodule is specifically configured to read the instruction information of a node of the structure segmentation state machine according to the entry address of the structure segmentation state machine, and to send that instruction information to the parsing control module; the parsing control module is specifically configured to send the instruction information of the node of the structure segmentation state machine to the at least one parsing engine; and the at least one parsing engine is configured to segment the plurality of functional units in the message according to that instruction information. The structure identification submodule is specifically configured to read the instruction information of a node of the structure identification state machine according to the entry address of the structure identification state machine, and to send that instruction information to the parsing control module; the parsing control module is specifically configured to send the instruction information of the node of the structure identification state machine to the at least one parsing engine; and the at least one parsing engine is configured to determine the type of each functional unit according to that instruction information. The structure parsing submodule is specifically configured to read the instruction information of a node of the structure parsing state machine according to the entry address of the structure parsing state machine, and to send that instruction information to the parsing control module; the parsing control module is specifically configured to send the instruction information of the node of the structure parsing state machine to the at least one parsing engine; and the at least one parsing engine is configured to perform, according to that instruction information, a parse operation on the functional unit whose type has been determined.
With reference to the second aspect or any of the first to fourth possible implementations of the second aspect, in a fifth possible implementation, the table entry management module is further configured to update the structure parsing state machine according to a newly added parsing rule.
With reference to the fifth possible implementation of the second aspect, in a sixth possible implementation, the table entry management module is specifically configured to: according to the newly added parsing rule, compile the parsing mode of the protocol element indicated by the newly added parsing rule into a newly added structure parsing state machine; determine the entry address of the newly added structure parsing state machine, and store the newly added structure parsing state machine according to that entry address; record the entry address of the newly added structure parsing state machine in the backup entry data; load the entry address of the structure parsing state machine in the primary entry data into the backup entry data; and switch the backup entry data to be the new primary entry data.
In the embodiments of the present invention, the segmentation mode of the protocol is compiled into a structure segmentation state machine, the identification mode of the protocol into a structure identification state machine, and the parsing mode of the protocol into a structure parsing state machine, according to the parsing requirements of the protocol, and a message that uses the protocol is parsed according to these three state machines. The hardware can therefore execute the protocol parsing process simply by being driven by the state machines, which decouples the hardware architecture from the specific protocol and allows the protocol parsing process to be configured flexibly. Moreover, because the protocol parsing process is implemented by state machines, the processing driven by each state machine can be executed in parallel, which improves the speed of protocol parsing.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the accompanying drawings required by the embodiments are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a method for protocol parsing according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of an example of compiling a structure segmentation state machine according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of an example of compiling a structure identification state machine according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of an example of compiling a structure parsing state machine according to an embodiment of the present invention.
Fig. 5 is a schematic flowchart of the protocol parsing process for a message according to an embodiment of the present invention.
Fig. 6 is a schematic flowchart of the process of updating the structure parsing state machine according to an embodiment of the present invention.
Fig. 7 is a schematic diagram of an example of updating the structure parsing state machine according to an embodiment of the present invention.
Fig. 8 is a schematic block diagram of a device for protocol parsing according to an embodiment of the present invention.
Fig. 9 is a schematic block diagram of a device for protocol parsing according to another embodiment of the present invention.
Fig. 10 is a schematic diagram of the process by which the device performs protocol parsing according to an embodiment of the present invention.
Fig. 11 is a schematic block diagram of an example of a device for protocol parsing according to an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flowchart of a method for protocol parsing according to an embodiment of the present invention. The method of Fig. 1 is executed by a device for protocol parsing.
110: According to the parsing requirements of a protocol, compile the segmentation mode of the protocol into a structure segmentation state machine, compile the identification mode of the protocol into a structure identification state machine, and compile the parsing mode of the protocol into a structure parsing state machine.
In the embodiments of the present invention, the protocol can be a text-based protocol, a binary-based protocol, or the like. For example, the protocol can be the Hypertext Transfer Protocol (HTTP).
120: Load the structure segmentation state machine, the structure identification state machine and the structure parsing state machine.
130: According to the structure segmentation state machine, the structure identification state machine and the structure parsing state machine, parse a message that uses the protocol.
The protocol parsing process can comprise a segmentation process, an identification process and a parsing process, so the protocol parsing mode can comprise a segmentation mode, an identification mode and a parsing mode. According to the parsing requirements of the protocol, the device for protocol parsing can compile the segmentation mode, the identification mode and the parsing mode of the protocol into a structure segmentation state machine, a structure identification state machine and a structure parsing state machine, respectively, and load these state machines into hardware; that is, the table entries of the structure segmentation state machine, the structure identification state machine and the structure parsing state machine are loaded into hardware, so that each state machine can drive the hardware to execute the protocol parsing of a message. In this way, for a different protocol, the protocol parsing process can be completed by changing the structure of the state machines, without changing the hardware architecture. The hardware architecture is thus decoupled from the specific protocol, and the protocol parsing process can be configured flexibly. In addition, because the state machines drive the hardware to execute the protocol parsing process, the processing driven by each state machine can be executed in parallel, which improves the speed of protocol parsing.
In the embodiments of the present invention, the segmentation mode of the protocol is compiled into a structure segmentation state machine, the identification mode of the protocol into a structure identification state machine, and the parsing mode of the protocol into a structure parsing state machine, according to the parsing requirements of the protocol, and a message that uses the protocol is parsed according to these three state machines. The hardware can therefore execute the protocol parsing process simply by being driven by the state machines, which decouples the hardware architecture from the specific protocol and allows the protocol parsing process to be configured flexibly. Moreover, because the protocol parsing process is implemented by state machines, the processing driven by each state machine can be executed in parallel, which improves the speed of protocol parsing.
Optionally, as an embodiment, in step 110, according to the parsing requirements of the protocol, the segmentation mode by which the protocol is divided into a plurality of protocol elements can be compiled into the structure segmentation state machine, the type identification mode of the plurality of protocol elements can be compiled into the structure identification state machine, and the parsing mode of each protocol element can be compiled into the structure parsing state machine.
After the protocol has been divided into a plurality of protocol elements, the field type of each protocol element is not yet known, so the type of each protocol element needs to be identified. Once the type of a protocol element has been identified, that protocol element can be parsed in detail. Therefore, the segmentation mode, the type identification mode and the parsing mode of the protocol elements can be compiled into the structure segmentation state machine, the structure identification state machine and the structure parsing state machine, respectively.
The type identification mode of a protocol element can be: determining the keyword in the protocol element, and determining the type of the protocol element according to that keyword. The type identification mode of a protocol element can also be another mode known from the prior art; the embodiments of the present invention do not limit this.
Optionally, as another embodiment, in step 110, the segmentation mode by which the protocol is divided into a plurality of protocol elements can be: determining, according to the format of the protocol, the order of the plurality of protocol elements and the separators between the plurality of protocol elements; and dividing the protocol into the plurality of protocol elements according to that order and those separators.
Optionally, as another embodiment, in step 130, the segmentation, type identification and parsing of a plurality of functional units in the message can be performed in parallel according to the structure segmentation state machine, the structure identification state machine and the structure parsing state machine, wherein the functional units correspond one-to-one to the protocol elements.
Optionally, as another embodiment, in step 130, the instruction information of a node of the structure segmentation state machine can be read according to the entry address of the structure segmentation state machine, and the plurality of functional units in the message can be segmented according to that instruction information; the instruction information of a node of the structure identification state machine can be read according to the entry address of the structure identification state machine, and the type of a functional unit can be determined according to that instruction information; and the instruction information of a node of the structure parsing state machine can be read according to the entry address of the structure parsing state machine, and a parse operation can be performed, according to that instruction information, on the functional unit whose type has been determined.
Each node of the structure segmentation state machine can store instruction information, which can comprise an opcode and the corresponding operation parameters. After the instruction information is read, it can be decoded, and the corresponding operation is performed according to the opcode and operation parameters it contains.
Each node of the structure identification state machine can store instruction information, which can comprise an opcode and the corresponding operation parameters. After the instruction information is read, it can be decoded, and the corresponding operation, for example a matching operation, is performed on the functional unit according to the opcode and operation parameters it contains.
Each node of the structure parsing state machine can store instruction information, which can comprise an opcode and the corresponding operation parameters. After the instruction information is read, it can be decoded, and the corresponding operation, such as a content extraction operation, a calculation operation, a decision operation, a conversion operation or a register setting operation, is performed on the functional unit whose type has been determined, according to the opcode and operation parameters it contains.
In the embodiments of the present invention, the segmentation, type identification and parsing of the plurality of functional units in the message can be performed in parallel. For example, after the structure segmentation state machine has cut out a functional unit, the structure identification state machine can identify the type of that functional unit, and after the structure identification state machine has determined its type, the structure parsing state machine can perform the parse operation on it. Meanwhile, the structure segmentation state machine can cut out the next functional unit, the structure identification state machine can identify the type of that next functional unit, and so on. The segmentation, type identification and parsing of functional units can therefore proceed in parallel, which improves the parsing speed.
Optionally, as another embodiment, the structure parsing state machine can be updated according to a newly added parsing rule.
Optionally, as another embodiment, according to the newly added parsing rule, the parsing mode of the protocol element indicated by the newly added parsing rule can be compiled into a newly added structure parsing state machine; the entry address of the newly added structure parsing state machine is determined, and the newly added structure parsing state machine is stored according to that entry address; the entry address of the newly added structure parsing state machine is recorded in the backup entry data; the entry address of the structure parsing state machine in the primary entry data is loaded into the backup entry data; and the backup entry data is switched to be the new primary entry data.
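The update sequence above amounts to a double-buffered entry table: the newly added state machine is staged in the backup entry data and becomes visible to the parsing path only when the backup is switched to primary. The following Python model is an added example, not code from the patent; the class name `EntryTableStore`, the opcode set, the address allocation and the validation step are assumptions made for illustration.

```python
"""Model of the primary/backup entry-data switch (illustrative; not from the patent)."""

# Assumed opcode set for the nodes of a structure parsing state machine.
KNOWN_OPCODES = {"EXTRACT", "TO_INT", "SET"}


class EntryTableStore:
    def __init__(self, base_addr=0x100):
        self.memory = {}        # entry address -> stored state machine (list of nodes)
        self.banks = [{}, {}]   # two copies of the entry data: element type -> entry address
        self.primary = 0        # index of the bank the parsing path reads
        self.next_addr = base_addr

    def lookup(self, element_type):
        """Parsing path: resolve a state machine through the primary entry data only."""
        addr = self.banks[self.primary].get(element_type)
        return None if addr is None else self.memory[addr]

    def add_rule(self, element_type, nodes):
        """Install a newly added parsing state machine without touching the live bank."""
        nodes = list(nodes)
        # Assumed safety check: refuse a malformed state machine before anything is
        # staged, so a bad rule can never reach the primary entry data.
        if not nodes or any(op not in KNOWN_OPCODES for op, _ in nodes):
            raise ValueError(f"rejected state machine for {element_type!r}")

        # Determine an entry address and store the new state machine there.
        # Fresh addresses are used so state machines that are still live are not overwritten.
        addr = self.next_addr
        self.next_addr += len(nodes)
        self.memory[addr] = nodes

        # Record the new entry address in the backup entry data.
        staged = {element_type: addr}

        # Load the existing entry addresses from the primary entry data into the backup.
        for etype, old_addr in self.banks[self.primary].items():
            staged.setdefault(etype, old_addr)  # assumption: the new rule wins on a clash

        # Switch the backup entry data to be the new primary entry data.
        # The old primary dict is replaced on the next update, never mutated in place.
        backup = 1 - self.primary
        self.banks[backup] = staged
        self.primary = backup
        return addr


if __name__ == "__main__":
    store = EntryTableStore()
    store.add_rule("host", [("EXTRACT", 5), ("SET", "host")])
    store.add_rule("cookie", [("EXTRACT", 7), ("SET", "cookie")])
    print(store.primary, store.banks[store.primary])
```

A reader that resolved its entry addresses before the switch keeps using the old bank unchanged, and a rejected rule leaves the primary entry data exactly as it was.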
Describe the embodiment of the invention in detail below in conjunction with concrete example.It should be noted that these examples just in order to help those skilled in the art to understand better the embodiment of the invention, and the scope of the unrestricted embodiment of the invention.
Fig. 2 is a schematic diagram of an example of compiling the structure segmentation state machine according to an embodiment of the present invention.
The device for protocol parsing may compile the segmentation mode, by which the protocol is divided into multiple protocol elements, into the structure segmentation state machine. The segmentation mode by which the protocol is divided into multiple protocol elements may comprise: determining, according to the format of the protocol, the order of the multiple protocol elements and the separators between them; and dividing the protocol into the multiple protocol elements according to that order and those separators.
In Fig. 2, HTTP is taken as the example protocol.
As shown in Fig. 2, the device for protocol parsing may, according to the order of the HTTP protocol elements and the separators between them, divide HTTP into multiple protocol elements: the method name (Method), the uniform resource identifier (Uniform Resource Identifier, URI), the HTTP version number (Version), the header fields and the entity (body). The device for protocol parsing may compile this segmentation mode of HTTP into the structure segmentation state machine.
After compiling the structure segmentation state machine, the device for protocol parsing may store the entry address (that is, the start address) of the structure segmentation state machine in the entry table. In subsequent processing, the structure segmentation state machine can then be obtained according to its entry address stored in the entry table.
Fig. 3 is a schematic diagram of an example of compiling the structure identification state machine according to an embodiment of the present invention.
The device for protocol parsing may compile the type identification mode of the multiple protocol elements into the structure identification state machine. The type identification mode of the multiple protocol elements may comprise: determining the keyword in each protocol element; and determining the type of each protocol element according to the keyword in it.
The compilation process of the structure identification state machine may be as follows:
Step 1: Determine whether all protocol elements have been compiled. If so, the compilation process ends; if not, go to Step 2.
Step 2: Determine whether this protocol element needs to be identified. If the type of this protocol element needs to be identified, go to Step 3.
If the type of this protocol element does not need to be identified, skip it and determine whether the next protocol element needs to be identified.
Step 3: Compile the character string to be identified in this protocol element into the structure identification state machine, in which each node represents the match of one character.
Step 4: Generate an ID (Identity, ID) reporting node and update the entry table. If the types of further protocol elements need to be identified, go to Step 1.
The ID reporting node can output the ID of the protocol element.
The entry table may be used to store the entry addresses of the structure identification state machine, and may store the ID of each protocol element. The ID of a protocol element corresponds to the entry address of the structure identification state machine for that protocol element.
In Fig. 3, HTTP is taken as the example protocol.
Suppose the header fields to be identified in HTTP are "host" and "date". The structure identification state machines for the header fields "host" and "date" may then be as shown in Fig. 3, in which nodes 1 to 6 are matching nodes used for string matching, and nodes 7 and 8 report the IDs of the header fields "host" and "date", respectively, after the string match succeeds.
In addition, the device for protocol parsing may store the entry addresses of the structure identification state machines in the entry table. As shown in Fig. 3, suppose the ID of the header fields "host" and "date" is "4"; the entry address of the structure identification state machine for header fields may then point to node 0. Suppose the ID of the entity (body) is "5" and the structure identification state machine for the body comprises node 9; the entry address of the structure identification state machine for the body may then point to node 9.
Fig. 4 is a schematic diagram of an example of compiling the structure parsing state machine according to an embodiment of the present invention.
The device for protocol parsing may compile the parsing mode of each protocol element into the structure parsing state machine. In Fig. 4, HTTP is taken as the example protocol.
As shown in Fig. 4, suppose the parsing mode for the HTTP header field "Transfer-Encoding" is: determine whether the character string "chunked" is present in the header field "Transfer-Encoding" and, if it is, set the value of the corresponding register. The structure parsing state machine for the header field "Transfer-Encoding" may then be as shown in Fig. 4, in which nodes 0 to 6 perform the matching of "chunked" and, after the match succeeds, node 7 sets the register.
As a further example, as shown in Fig. 4, the structure parsing state machine for the header field "host" may comprise nodes 8 to 9; the specific parsing mode can be defined according to the actual parsing requirements.
The entry table may store the ID of each protocol element and the entry addresses of the structure parsing state machines; the ID of a protocol element corresponds to the entry address of the structure parsing state machine for that protocol element. For example, as shown in Fig. 4, suppose the ID of the header field "Transfer-Encoding" is "1"; the entry address of the structure parsing state machine for the header field "Transfer-Encoding" may then point to node 0. Suppose the ID of the header field "host" is "2"; the entry address of the structure parsing state machine for the header field "host" may then point to node 8.
Fig. 5 is a schematic flowchart of the protocol parsing process for a message according to an embodiment of the present invention.
The device for protocol parsing may parse a message that uses the protocol according to the structure segmentation state machine, the structure identification state machine and the structure parsing state machine. In Fig. 5, HTTP is taken as the example protocol, so the message to be parsed is one that uses HTTP. In Fig. 5, the numerals 1 to 7 may denote the execution process of parsing this message.
(1) Structure segmentation
The hardware may be driven according to the structure segmentation state machine to segment the message that uses the protocol, dividing the message into multiple functional units. Functional units and protocol elements are in one-to-one correspondence.
The structure segmentation process may be as follows:
a: Determine whether the structure segmentation of the message is complete. If so, end this process. If not, go to b.
b: Read the command information of a node of the structure segmentation state machine, and segment the message according to the command information.
c: Store the segmentation result, that is, store each functional unit obtained by segmentation in the message unit cache, and save the ID of the corresponding functional unit in the message unit cache. Go to a.
As shown in Fig. 5, the message may be split into multiple functional units: GET, URI, Http/1.1, host, Content-type and so on. These functional units and their corresponding IDs may be stored in the message unit cache.
(2) Structure identification
The hardware may be driven according to the structure identification state machine to identify the functional units of the message and determine the type of each functional unit.
The structure identification process may be as follows:
e: Determine whether processing of the message unit cache is complete. If so, end this process. If not, go to f.
f: Read the ID of a functional unit in the message unit cache, and determine the entry address of the structure identification state machine according to the ID of the functional unit.
g: According to the entry address of the structure identification state machine, read the command information of a node of the structure identification state machine, and determine the type of the functional unit according to the command information. For example, keyword matching may be performed on the functional unit to determine its type.
h: Store the ID of the functional unit whose type has been determined in the identification domain cache. Go to e.
For example, as shown in Fig. 5, the ID of the functional unit "GET" may be read to determine the structure identification state machine for the functional unit "GET", so that the functional unit "GET" is identified, and the ID of the functional unit "GET" whose type has been determined is stored in the identification domain cache. The type of the functional unit "Host" may likewise be determined according to the structure identification state machine for the functional unit "Host", and the ID of the functional unit "Host" whose type has been determined is stored in the identification domain cache.
(3) Structure parsing
i: Determine whether processing of the data in the identification domain cache is complete. If so, end this process. If not, go to j.
j: Read the ID of a functional unit in the identification domain cache, and determine the entry address of the structure parsing state machine according to the ID of the functional unit.
k: According to the entry address of the structure parsing state machine, read the command information of a node of the structure parsing state machine, and parse the functional unit according to the command information.
l: Report the result of the parsing. Go to i.
For example, as shown in Fig. 5, the ID of the functional unit "GET" may be read to determine the entry address of the structure parsing state machine for the functional unit "GET", so that the functional unit "GET" is parsed. The functional unit "Host" may likewise be parsed according to the structure parsing state machine for the functional unit "Host".
It can thus be seen that, because each functional unit of the message is segmented, type-identified and parsed according to the structure segmentation state machine, the structure identification state machine and the structure parsing state machine, the hardware architecture can be decoupled from the specific protocol, and parsing can be configured flexibly. In addition, because each stage of the parsing is carried out by a state machine, the segmentation, type identification and parsing of the functional units can be performed in parallel, which increases the speed of protocol parsing.
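The three stages described above can be modelled in software as three table-driven steps. The following is an added example, not code from the patent: the function names, the command codes MATCH, SETREG and EXTRACT, and the sample request are assumptions, and the MATCH command condenses the per-character matching nodes of Fig. 4 into one step. The type IDs 1 and 2 follow the Fig. 4 example.

```python
"""Added example: table-driven segmentation, identification and parsing of an HTTP request."""

# Constructed sample message (not captured traffic).
SAMPLE = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: example.test\r\n"
          b"Transfer-Encoding: gzip, chunked\r\n"
          b"Content-Type: text/plain\r\n"
          b"\r\n"
          b"body-bytes")

# Segmentation table: state -> (functional unit name, separator, next state).
SEGMENT_TABLE = {
    0: ("method", b" ", 1),
    1: ("uri", b" ", 2),
    2: ("version", b"\r\n", 3),
    3: ("header", b"\r\n", 3),      # repeats until an empty line ends the headers
}

def segment(message):
    """Stage 1: split the message into (unit name, bytes) by order and separator."""
    units, pos, state = [], 0, 0
    while True:
        name, sep, nxt = SEGMENT_TABLE[state]
        end = message.find(sep, pos)
        if end < 0:
            raise ValueError(f"truncated message: no separator after {name}")
        chunk, pos = message[pos:end], end + len(sep)
        if b"\r" in chunk or b"\n" in chunk:
            # A unit that swallowed a line break means a separator was missing.
            raise ValueError(f"malformed {name}: embedded line break")
        if name == "header" and not chunk:
            units.append(("body", message[pos:]))
            return units
        units.append((name, chunk))
        state = nxt

def compile_identifier(keywords):
    """Compile {header name: type ID} into nodes that each match one character."""
    nodes, report = [{}], {}         # node 0 is the entry address
    for word, type_id in keywords.items():
        cur = 0
        for ch in word.lower().encode("ascii") + b":":
            if ch not in nodes[cur]:
                nodes.append({})
                nodes[cur][ch] = len(nodes) - 1
            cur = nodes[cur][ch]
        report[cur] = type_id        # ID reporting node
    return nodes, report

def identify(nodes, report, unit):
    """Stage 2: walk the nodes; return (type ID, field value) or (None, b"")."""
    cur = 0
    for i, ch in enumerate(unit.lower()):
        cur = nodes[cur].get(ch)
        if cur is None:
            return None, b""         # no keyword matches: unit is not parsed
        if cur in report:
            return report[cur], unit[i + 1:].strip()
    return None, b""

TRANSFER_ENCODING, HOST = 1, 2       # type IDs as in the Fig. 4 example

# Entry table for stage 3: type ID -> list of (command code, operating parameter).
PARSE_ENTRY = {
    TRANSFER_ENCODING: [("MATCH", b"chunked"), ("SETREG", ("chunked", 1))],
    HOST: [("EXTRACT", "host")],
}

def run_program(program, value, regs):
    """Stage 3: decode and execute each command on the identified unit."""
    for opcode, operand in program:
        if opcode == "MATCH":
            if operand not in value.lower():
                return               # match failed: later commands do not run
        elif opcode == "SETREG":
            regs[operand[0]] = operand[1]
        elif opcode == "EXTRACT":
            regs[operand] = value.decode("latin-1")
        else:
            raise ValueError(f"unknown command code {opcode!r}")

def parse_message(message):
    """Run all three stages and return the registers that were set."""
    nodes, report = compile_identifier(
        {"Host": HOST, "Transfer-Encoding": TRANSFER_ENCODING})
    regs = {}
    for name, chunk in segment(message):
        if name != "header":
            continue
        type_id, value = identify(nodes, report, chunk)
        if type_id is not None:
            run_program(PARSE_ENTRY[type_id], value, regs)
    return regs

if __name__ == "__main__":
    print(segment(SAMPLE))
    print(parse_message(SAMPLE))
```

Supporting another header field in this model means adding a keyword and an entry in `PARSE_ENTRY`; the three stage functions stay unchanged, which is the decoupling the text describes.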
Fig. 6 is a schematic flowchart of the process of updating the structure parsing state machine according to an embodiment of the present invention.
Because the structure parsing state machines of the protocol elements are compiled independently of one another, and the entry address of each structure parsing state machine can be determined from the entry table, the structure parsing state machines can be updated by updating the entry table.
The memory space may comprise an entry table area and a state table area. The state table area may be used to store the state tables, that is, the table entries of each state machine. The entry table area may be divided into a primary storage area and a backup area. The primary storage area may be used to store the entry table of each state machine, that is, the primary entry data. The backup area may be used to store the backup entry data.
601. Determine whether all newly added parsing rules have been processed.
If any newly added parsing rule has not yet been processed, go to step 602.
If all newly added parsing rules have been processed, go to step 606.
602. Read an unprocessed parsing rule.
603. According to the unprocessed parsing rule, compile the parsing mode of the protocol element indicated by this parsing rule into a new structure parsing state machine, and allocate an entry address for the new structure parsing state machine according to the address management table.
The new structure parsing state machine may be stored, according to the entry address, in the part of the state table area that corresponds to this entry address.
604. Update the address management table.
605. Store the entry address of the new structure parsing state machine in the backup area.
606. If all newly added parsing rules have been processed, package and output the updated primary entry data.
The primary entry data in the original primary storage area may be loaded into the backup area. The backup area then holds both the entry addresses of the new structure parsing state machines and the entry addresses of the original structure parsing state machines; that is, the data in the backup area becomes the updated primary entry data, and the updated primary entry data is output. In other words, the backup area is switched to become the new primary storage area.
607. Package and output the data of the updated state table.
This completes the update of the structure parsing state machine. During the update, only the new and old data of the entry table area need to be switched, not all the data in the memory space. The space that would be needed to back up the whole memory space is saved, so that a hot upgrade without backup space can be achieved.
Fig. 7 is a schematic diagram of an example of updating the structure parsing state machine according to an embodiment of the present invention.
As shown in Fig. 7, the primary storage area originally holds the old entry table, and the old entry table contains entry address 1, entry address 2 and entry address 3.
If there is a newly added parsing rule, then after a new structure parsing state machine has been compiled according to the newly added parsing rule, entry address 4 may be allocated to it. Entry address 4 corresponds to the NEWADD part of the state table stored in the state table area, so the new structure parsing state machine can be stored in the NEWADD part. Entry address 4 is recorded in the new entry table in the backup area, and entry addresses 1 to 3 from the old entry table are loaded into the new entry table in the backup area. The backup area is switched to become the new primary storage area, which completes the update of the structure parsing state machine.
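The update procedure of steps 601 to 607 and Fig. 7 can be modelled as an append-only state table plus an entry table held in two banks, only one of which serves lookups. The following is an added example, not code from the patent: the class and function names are assumptions, the address management table is reduced to "next free index", and letting a new rule's entry take precedence over an old one with the same ID is an assumption the page does not address.

```python
"""Added example: hot update of parsing state machines via a two-bank entry table."""

def compile_rule(keyword, register):
    """Compile one rule into per-character match nodes plus a register-setting node."""
    if not keyword:
        raise ValueError("parsing rule has an empty keyword")
    return [("MATCH", bytes([c])) for c in keyword] + [("SETREG", register)]

class ParserStore:
    def __init__(self):
        self.state_table = []    # state table area: state machines, append-only
        self.banks = [{}, {}]    # entry table area: unit ID -> entry address
        self.primary = 0         # index of the bank that serves lookups

    def lookup(self, unit_id):
        """Resolve a unit ID through the primary entry table only."""
        addr = self.banks[self.primary].get(unit_id)
        return None if addr is None else self.state_table[addr]

    def hot_update(self, new_rules):
        """Add rules {unit ID: (keyword, register)} without disturbing lookups."""
        # Compile everything first: a bad rule aborts before any table changes.
        compiled = {uid: compile_rule(kw, reg)
                    for uid, (kw, reg) in new_rules.items()}
        staged = {}
        for uid, machine in compiled.items():
            addr = len(self.state_table)       # 603: allocate an entry address
            self.state_table.append(machine)   # store at that address
            staged[uid] = addr                 # 605: record in the backup data
        merged = dict(self.banks[self.primary])  # load the old primary entries
        merged.update(staged)
        backup = 1 - self.primary
        self.banks[backup] = merged            # build the backup bank off to the side
        self.primary = backup                  # the switch is one assignment
        return staged

if __name__ == "__main__":
    store = ParserStore()
    store.hot_update({1: (b"chunked", "te_chunked")})
    print(store.hot_update({2: (b"gzip", "ce_gzip")}), store.banks[store.primary])
```

Existing state machines are never moved or rewritten, so a lookup that started before the switch still resolves to a valid address, and a rule that fails to compile leaves the primary entry table as it was.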
Fig. 8 is a schematic block diagram of the device for protocol parsing according to an embodiment of the present invention. The device 800 of Fig. 8 comprises a parsing compiler 810, a table entry management module 820, a parallel parsing module 830 and a parsing control module 840.
The parsing compiler 810 compiles, according to the parsing requirements of the protocol, the segmentation mode of the protocol into the structure segmentation state machine, the identification mode of the protocol into the structure identification state machine, and the parsing mode of the protocol into the structure parsing state machine. The table entry management module 820 loads the structure segmentation state machine, the structure identification state machine and the structure parsing state machine into the parallel parsing module 830. The parsing control module 840 controls the parallel parsing module 830 to parse a message that uses the protocol according to the structure segmentation state machine, the structure identification state machine and the structure parsing state machine.
In the embodiments of the present invention, the segmentation mode of the protocol is compiled into the structure segmentation state machine, the identification mode of the protocol into the structure identification state machine, and the parsing mode of the protocol into the structure parsing state machine, according to the parsing requirements of the protocol, and a message that uses the protocol is parsed according to these three state machines. The hardware can therefore carry out the protocol parsing process simply by being driven by the state machines, so that the hardware architecture is decoupled from the specific protocol and the protocol parsing process can be configured flexibly. Moreover, because the protocol parsing process is implemented by state machines, the processing driven by each state machine can run in parallel, which increases the speed of protocol parsing.
For other functions and operations of the device 800, reference may be made to the detailed processes of the method embodiments of Fig. 1 to Fig. 7 above; to avoid repetition, details are not repeated here.
Optionally, as an embodiment, the parsing compiler 810 may, according to the parsing requirements of the protocol, compile the segmentation mode by which the protocol is divided into multiple protocol elements into the structure segmentation state machine, compile the type identification mode of the multiple protocol elements into the structure identification state machine, and compile the parsing mode of each protocol element into the structure parsing state machine.
Optionally, as another embodiment, the parsing control module 840 may control the parallel parsing module 830 to perform, in parallel and according to the structure segmentation state machine, the structure identification state machine and the structure parsing state machine, the segmentation, type identification and parsing of the multiple functional units in the message, where functional units and protocol elements are in one-to-one correspondence.
Optionally, as another embodiment, Fig. 9 is a schematic block diagram of a device for protocol parsing according to another embodiment of the present invention. As shown in Fig. 9, the parallel parsing module 830 may comprise a structure segmentation submodule 850, a structure identification submodule 860 and a structure parsing submodule 870. The table entry management module 820 may load the structure segmentation state machine into the structure segmentation submodule 850, load the structure identification state machine into the structure identification submodule 860, and load the structure parsing state machine into the structure parsing submodule 870.
The parsing control module 840 may control the structure segmentation submodule 850, the structure identification submodule 860 and the structure parsing submodule 870 to perform the segmentation, type identification and parsing of the multiple functional units in the message in parallel.
In the embodiments of the present invention, controlling the structure segmentation submodule, the structure identification submodule and the structure parsing submodule to perform the segmentation, type identification and parsing of the multiple functional units in the message in parallel increases the speed of protocol parsing.
Optionally, as another embodiment, as shown in Fig. 9, the device 800 may further comprise at least one parsing engine 880.
The structure segmentation submodule 850 may read the command information of a node of the structure segmentation state machine according to the entry address of the structure segmentation state machine, and send the command information of that node to the parsing control module 840. The parsing control module 840 may send the command information of the node of the structure segmentation state machine to the parsing engine 880. The parsing engine 880 may segment the multiple functional units in the message according to the command information of the node of the structure segmentation state machine.
The structure identification submodule 860 may read the command information of a node of the structure identification state machine according to the entry address of the structure identification state machine, and send the command information of that node to the parsing control module 840. The parsing control module 840 may send the command information of the node of the structure identification state machine to the parsing engine 880. The parsing engine 880 may determine the type of each functional unit according to the command information of the node of the structure identification state machine.
The structure parsing submodule 870 may read the command information of a node of the structure parsing state machine according to the entry address of the structure parsing state machine, and send the command information of that node to the parsing control module 840. The parsing control module 840 may send the command information of the node of the structure parsing state machine to the parsing engine 880. The parsing engine 880 may parse the functional unit whose type has been determined according to the command information of the node of the structure parsing state machine.
It should be noted that, for ease of description, only one parsing engine is shown in Fig. 9, but in the embodiments of the present invention there may be more parsing engines. The parsing control module then schedules the multiple parsing engines, so that the multiple parsing engines can operate in parallel.
Optionally, as another embodiment, the table entry management module 820 may also update the structure parsing state machine according to newly added parsing rules.
Optionally, as another embodiment, the table entry management module 820 may, according to a newly added parsing rule, compile the parsing mode of the protocol element indicated by the newly added parsing rule into a new structure parsing state machine; determine the entry address of the new structure parsing state machine, and store the new structure parsing state machine according to that entry address; record the entry address of the new structure parsing state machine in the backup entry data; load the entry addresses of the structure parsing state machines in the primary entry data into the backup entry data; and switch the backup entry data to become the new primary entry data.
Fig. 10 is a schematic diagram of the process by which the device 800 performs protocol parsing according to an embodiment of the present invention. For the specific process in Fig. 10, reference may be made to the embodiments of Fig. 8 and Fig. 9 above and to the method embodiments of Fig. 1 to Fig. 7; to avoid repetition, details are not repeated here.
Fig. 11 is a schematic block diagram of an example of the device for protocol parsing according to an embodiment of the present invention.
As shown in Fig. 11, the device 900 may be a non-limiting embodiment of the device 800. The device 900 may be implemented with a field-programmable gate array (Field-Programmable Gate Array, FPGA).
In the device 900, the parsing compiler 810a compiles, according to the parsing requirements of the protocol, the segmentation mode of the protocol into the structure segmentation state machine, the identification mode of the protocol into the structure identification state machine, and the parsing mode of the protocol into the structure parsing state machine.
The parallel parsing module 830a may comprise a structure segmentation submodule 850a, a structure identification submodule 860a and a structure parsing submodule 870a.
The table entry manager 820a loads the structure segmentation state machine into the structure segmentation submodule 850a, loads the structure identification state machine into the structure identification submodule 860a, and loads the structure parsing state machine into the structure parsing submodule 870a.
The parsing control module 840a may manage the parsing flow, scheduling and controlling the structure segmentation submodule 850a, the structure identification submodule 860a and the structure parsing submodule 870a to parse the message. For example, the structure segmentation submodule 850a may segment the multiple functional units in the message according to the structure segmentation state machine, the structure identification submodule 860a may identify the type of the functional units according to the structure identification state machine, and the structure parsing submodule 870a may parse the functional units according to the structure parsing state machine.
The device 900 may comprise multiple parsing engines, for example parsing engines 880-1 to 880-n, where n denotes the number of parsing engines and is a positive integer. The parsing control module 840a may schedule parsing engines 880-1 to 880-n to carry out the specific operations in each of the segmentation, type identification and parsing of the multiple functional units of the message, such as matching operations, content extraction operations, calculation operations, decision operations, conversion operations or register setting operations.
In the embodiments of the present invention, the parsing compiler compiles, according to the parsing requirements of the protocol, the segmentation mode of the protocol into the structure segmentation state machine, the identification mode of the protocol into the structure identification state machine, and the parsing mode of the protocol into the structure parsing state machine, and the parsing control module controls the parallel parsing module to parse a message that uses the protocol according to these three state machines. The hardware can therefore carry out the protocol parsing process simply by being driven by the state machines, so that the hardware architecture is decoupled from the specific protocol and the protocol parsing process can be configured flexibly. Moreover, because the protocol parsing process is implemented by state machines, the processing driven by each state machine can run in parallel, which increases the speed of protocol parsing.
Those of ordinary skill in the art will recognize that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such implementations should not be considered to go beyond the scope of the present invention.
Those skilled in the art will clearly understand that, for convenience and brevity of description, for the specific working processes of the systems, devices and units described above, reference may be made to the corresponding processes in the foregoing method embodiments; details are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods can be implemented in other ways. For example, the device embodiments described above are only illustrative. The division into units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling or communication connection shown or discussed between components may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place, or may be distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and comprises a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited to them. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. The protection scope of the present invention shall therefore be subject to the protection scope of the claims.

Claims (14)

1. A method for protocol resolution, characterized by comprising:
compiling, according to a resolution demand of a protocol, a dividing mode of the protocol into a structure dividing state machine, an identification mode of the protocol into a structure identification state machine, and a resolution mode of the protocol into a structure resolution state machine;
loading the structure dividing state machine, the structure identification state machine and the structure resolution state machine; and
performing resolution processing on a message that uses the protocol according to the structure dividing state machine, the structure identification state machine and the structure resolution state machine.
2. The method according to claim 1, characterized in that compiling, according to the resolution demand of the protocol, the dividing mode of the protocol into the structure dividing state machine, the identification mode of the protocol into the structure identification state machine, and the resolution mode of the protocol into the structure resolution state machine comprises:
compiling, according to the resolution demand of the protocol, a dividing mode that divides the protocol into a plurality of protocol elements into the structure dividing state machine, compiling a type identification mode of the plurality of protocol elements into the structure identification state machine, and compiling a resolution mode of each protocol element into the structure resolution state machine.
3. The method according to claim 2, characterized in that the dividing mode that divides the protocol into a plurality of protocol elements comprises:
determining, according to the format of the protocol, the order of the plurality of protocol elements and the separators between the plurality of protocol elements; and
dividing the protocol into the plurality of protocol elements according to the order of the plurality of protocol elements and the separators between the plurality of protocol elements.
4. The method according to claim 2 or 3, characterized in that performing resolution processing on the message that uses the protocol according to the structure dividing state machine, the structure identification state machine and the structure resolution state machine comprises:
performing in parallel, according to the structure dividing state machine, the structure identification state machine and the structure resolution state machine, the dividing, type identification and resolution of a plurality of functional units in the message, wherein the functional units correspond one-to-one to the protocol elements.
5. The method according to claim 4, characterized in that performing in parallel, according to the structure dividing state machine, the structure identification state machine and the structure resolution state machine, the dividing, type identification and resolution of the plurality of functional units in the message comprises:
reading command information of a node of the structure dividing state machine according to the entry address of the configuration state machine, and dividing the plurality of functional units in the message according to the command information of the node of the structure dividing state machine; and
reading command information of a node of the structure identification state machine according to the entry address of the structure identification state machine, and determining the type of the functional units according to the command information of the node of the structure identification state machine; and
reading command information of a node of the structure resolution state machine according to the entry address of the structure resolution state machine, and performing, according to the command information of the node of the structure resolution state machine, a resolution operation on the functional units whose type has been determined.
6. The method according to any one of claims 1 to 5, characterized by further comprising:
updating the structure resolution state machine according to a newly added resolution rule.
7. The method according to claim 6, characterized in that updating the structure resolution state machine according to the newly added resolution demand comprises:
compiling, according to the newly added resolution rule, the resolution mode of the protocol element indicated by the newly added resolution rule into a newly added structure resolution state machine;
determining the entry address of the newly added structure resolution state machine, and storing the newly added structure resolution state machine according to its entry address;
recording the entry address of the newly added structure resolution state machine in entry backup data;
loading the entry address of the structure resolution state machine in entry master data into the entry backup data; and
switching the entry backup data to be the new entry master data.
8. A device for protocol resolution, characterized by comprising:
a resolution compiler, an entry management module, a parallel resolution module and a resolution control module, wherein
the resolution compiler is configured to compile, according to a resolution demand of a protocol, a dividing mode of the protocol into a structure dividing state machine, an identification mode of the protocol into a structure identification state machine, and a resolution mode of the protocol into a structure resolution state machine;
the entry management module is configured to load the structure dividing state machine, the structure identification state machine and the structure resolution state machine into the parallel resolution module; and
the resolution control module is configured to control the parallel resolution module to perform resolution processing on a message that uses the protocol according to the structure dividing state machine, the structure identification state machine and the structure resolution state machine.
9. The device according to claim 8, characterized in that the resolution compiler is specifically configured to compile, according to the resolution demand of the protocol, a dividing mode that divides the protocol into a plurality of protocol elements into the structure dividing state machine, to compile a type identification mode of the plurality of protocol elements into the structure identification state machine, and to compile a resolution mode of each protocol element into the structure resolution state machine.
10. The device according to claim 8 or 9, characterized in that the resolution control module is specifically configured to control the parallel resolution module to perform in parallel, according to the structure dividing state machine, the structure identification state machine and the structure resolution state machine, the dividing, type identification and resolution of a plurality of functional units in the message, wherein the functional units correspond one-to-one to the protocol elements.
11. The device according to claim 10, characterized in that the parallel resolution module comprises a structure dividing submodule, a structure identification submodule and a structure resolution submodule;
the entry management module is specifically configured to load the structure dividing state machine into the structure dividing submodule, to load the structure identification state machine into the structure identification submodule, and to load the structure resolution state machine into the structure resolution submodule; and
the resolution control module is specifically configured to control the structure dividing submodule, the structure identification submodule and the structure resolution submodule to perform in parallel the dividing, type identification and resolution of the plurality of functional units of the message.
12. The device according to claim 11, characterized by further comprising at least one resolution engine, wherein
the structure dividing submodule is specifically configured to read command information of a node of the structure dividing state machine according to the entry address of the configuration state machine, and to send the command information of the node of the structure dividing state machine to the resolution control module; the resolution control module is specifically configured to send the command information of the node of the structure dividing state machine to the at least one resolution engine; and the at least one resolution engine is configured to divide the plurality of functional units in the message according to the command information of the node of the structure dividing state machine;
the structure identification submodule is specifically configured to read command information of a node of the structure identification state machine according to the entry address of the structure identification state machine, and to send the command information of the node of the structure identification state machine to the resolution control module; the resolution control module is specifically configured to send the command information of the node of the structure identification state machine to the at least one resolution engine; and the at least one resolution engine is configured to determine the type of each functional unit according to the command information of the node of the structure identification state machine;
the structure resolution submodule is specifically configured to read command information of a node of the structure resolution state machine according to the entry address of the structure resolution state machine, and to send the command information of the node of the structure resolution state machine to the resolution control module; the resolution control module is specifically configured to send the command information of the node of the structure resolution state machine to the at least one resolution engine; and the at least one resolution engine is configured to perform, according to the command information of the node of the structure resolution state machine, a resolution operation on the functional units whose type has been determined.
13. The device according to any one of claims 8 to 12, characterized in that the entry management module is further configured to update the structure resolution state machine according to a newly added resolution rule.
14. The device according to claim 13, characterized in that the entry management module is specifically configured to: compile, according to the newly added resolution rule, the resolution mode of the protocol element indicated by the newly added resolution rule into a newly added structure resolution state machine; determine the entry address of the newly added structure resolution state machine, and store the newly added structure resolution state machine according to its entry address; record the entry address of the newly added structure resolution state machine in entry backup data; load the entry address of the structure resolution state machine in entry master data into the entry backup data; and switch the entry backup data to be the new entry master data.
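
The dividing, identification and resolution stages of claims 1 to 5 and the master/backup entry update of claims 7 and 14, as an added Python example that is not part of the patent and not the patentee's implementation. The HTTP-like sample message and all table, class and function names are assumptions; each state machine is reduced to a small table or function, and the stages run sequentially rather than in parallel. The update keeps the newly recorded entry when master entries are loaded into the backup, which is one reading of the claimed order of steps.

```python
# Added illustration, not the patent's implementation: each "state machine" is
# reduced to a small table or function, and every name here is an assumption.
SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 12\r\n\r\n")  # constructed HTTP-like message

# Dividing table: state -> (separator that ends the unit, next state).
DIVIDE = {"start": (b"\r\n", "header"), "header": (b"\r\n", "header")}

def divide(msg):
    """Stage 1: cut the message into units by order and separator."""
    units, state, pos = [], "start", 0
    while pos < len(msg):
        sep, nxt = DIVIDE[state]
        end = msg.find(sep, pos)
        if end == -1:
            raise ValueError("unit not terminated by its separator")
        if end == pos:            # empty line: end of the header section
            break
        units.append((state, msg[pos:end]))
        pos, state = end + len(sep), nxt
    return units

def identify(state, raw):
    """Stage 2: decide the type of one unit."""
    if state == "start":
        return "request-line"
    name, colon, _ = raw.partition(b":")
    if not colon:
        raise ValueError("header without a colon")
    return name.strip().lower().decode("ascii")

def parse_request_line(raw):
    method, target, version = (p.decode("ascii") for p in raw.split(b" "))
    return {"method": method, "target": target, "version": version}

def parse_content_length(raw):
    value = raw.partition(b":")[2].strip()
    if not value.isdigit():       # rejects signs, blanks and empty values
        raise ValueError("Content-Length is not a decimal number")
    return int(value)

class EntryTables:
    """Resolution machines by entry address, plus master/backup entry data."""
    def __init__(self):
        self.store, self.master, self.backup, self.next_addr = {}, {}, {}, 0

    def update(self, unit_type, machine):
        addr, self.next_addr = self.next_addr, self.next_addr + 1
        self.store[addr] = machine             # store at its entry address
        self.backup = {unit_type: addr}        # record new entry in backup
        for kind, old in self.master.items():  # load master entries into backup
            self.backup.setdefault(kind, old)
        self.master, self.backup = self.backup, self.master  # switch
        return addr

def parse(msg, tables):
    """Stage 3: run the resolution machine registered for each unit type."""
    entries = tables.master   # one consistent entry table per message
    result = {}
    for state, raw in divide(msg):
        kind = identify(state, raw)
        if kind in entries:   # units with no resolution rule are skipped
            result[kind] = tables.store[entries[kind]](raw)
    return result
```

Registering `parse_request_line` and then `parse_content_length` through `EntryTables.update`, with a `parse(SAMPLE, tables)` call after each, shows the second rule taking effect without the first entry table being modified in place.
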
CN201210420691.1A 2012-10-29 2012-10-29 The method and apparatus of protocol analysis Expired - Fee Related CN102916967B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210420691.1A CN102916967B (en) 2012-10-29 2012-10-29 The method and apparatus of protocol analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210420691.1A CN102916967B (en) 2012-10-29 2012-10-29 The method and apparatus of protocol analysis

Publications (2)

Publication Number Publication Date
CN102916967A true CN102916967A (en) 2013-02-06
CN102916967B CN102916967B (en) 2015-11-25

Family

ID=47615201

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210420691.1A Expired - Fee Related CN102916967B (en) 2012-10-29 2012-10-29 The method and apparatus of protocol analysis

Country Status (1)

Country Link
CN (1) CN102916967B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101635711A (en) * 2009-08-14 2010-01-27 广东省环境监测中心 Programmable character communication method
CN101933314A (en) * 2008-02-01 2010-12-29 三菱电机株式会社 Communication analysis device and communication analysis method
CN102098331A (en) * 2010-12-29 2011-06-15 北京锐安科技有限公司 Method and system for reducing WEB type application contents
CN102413141A (en) * 2011-11-30 2012-04-11 华为技术有限公司 Network message parsing method and communication equipment
CN102647414A (en) * 2012-03-30 2012-08-22 华为技术有限公司 Protocol analysis method, protocol analysis device and protocol analysis system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘艳敏: "基于嵌套FSM的URL解析方法", 《中国科技论文在线》 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017156795A1 (en) * 2016-03-12 2017-09-21 武汉芯泰科技有限公司 Programmable and reconfigurable frame processor
US10785057B2 (en) 2016-03-12 2020-09-22 Wuhan Syntek Ltd. Programmable and reconfigurable frame processor
CN106817372A (en) * 2017-01-21 2017-06-09 厦门天锐科技股份有限公司 A kind of protocol analysis system and method based on multimode machine supervising
CN108920186A (en) * 2018-06-25 2018-11-30 杭州电子科技大学 A kind of movement instruction analysis method and device
CN113691486A (en) * 2020-05-19 2021-11-23 中移(成都)信息通信科技有限公司 Message modification method, device, equipment and storage medium
CN113691486B (en) * 2020-05-19 2023-09-19 中移(成都)信息通信科技有限公司 Method, device, equipment and storage medium for modifying message
CN111817888A (en) * 2020-06-29 2020-10-23 中孚安全技术有限公司 Weblog analysis method based on single state machine

Also Published As

Publication number Publication date
CN102916967B (en) 2015-11-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20170509

Address after: 510640 Guangdong City, Tianhe District Province, No. five, road, public education building, unit 371-1, unit 2401

Patentee after: Guangdong Gaohang Intellectual Property Operation Co., Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: Huawei Technologies Co., Ltd.

CB03 Change of inventor or designer information

Inventor after: Chen Yong

Inventor after: Peng Yi

Inventor after: Lu Chenghua

Inventor after: Li Qingyuan

Inventor after: Wu Ji

Inventor before: Geng Yulei

Inventor before: Xu Wenguang

Inventor before: Wu Fuqiang

TR01 Transfer of patent right

Effective date of registration: 20170525

Address after: 414000 Hunan Province, Yueyang City Economic Development Zone Industrial Park qikang Montevideo Road No. 28

Patentee after: HUNAN QIANMENG INDUSTRIAL INTELLIGENT SYSTEM CO., LTD.

Address before: 510640 Guangdong City, Tianhe District Province, No. five, road, public education building, unit 371-1, unit 2401

Patentee before: Guangdong Gaohang Intellectual Property Operation Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20151125

Termination date: 20191029
