CN115695257A

CN115695257A - Message identification rule base processing method and device and network equipment

Info

Publication number: CN115695257A
Application number: CN202211272549.7A
Authority: CN
Inventors: 柴银萍; 季超; 张思杰; 蔡莎; 陈康; 张添; 雷彦章; 方子明
Original assignee: Dawning Network Technology Co ltd
Current assignee: Dawning Network Technology Co ltd
Priority date: 2022-10-18
Filing date: 2022-10-18
Publication date: 2023-02-03

Abstract

The application relates to a message identification rule base processing method, a message identification rule base processing device, network equipment, a storage medium and a computer program product. The method comprises the following steps: detecting an abnormal message identification rule in a message identification rule base by using a preset abnormal detection strategy, determining an abnormal message detection strategy hit by the abnormal message identification rule, acquiring a target abnormal processing strategy corresponding to the abnormal message identification rule according to the corresponding relation between the abnormal detection strategy and the abnormal processing strategy, and processing the abnormal message identification rule according to the target abnormal processing strategy. After the message identification rule base is processed by the method, the optimization efficiency is high and the optimization degree is high.

Description

Message identification rule base processing method and device and network equipment

Technical Field

The present application relates to the field of deep packet inspection technologies, and in particular, to a method, an apparatus, a network device, a storage medium, and a computer program product for processing a packet identification rule base.

Background

Deep Packet Inspection (DPI) is to perform Deep Inspection on different network application layer loads (such as HTTP, HTTPs, TCP/UDP, DNS, etc.), and determine the validity of a Packet by inspecting the payload of the Packet. When the DPI is adopted to identify the packet, a packet identification rule base needs to be configured and maintained in advance, and the packet identification rule base is generated by adopting a predefined format and is used for identifying the packets corresponding to different applications or protocols.

Internet application is changing day by day, application or protocol is updated quickly, and in order to meet the identification requirement of new application or protocol, the number of rules of the message identification rule base is continuously accumulated, so that the DPI performance based on the message identification rule base is continuously reduced, and technical personnel are required to continuously maintain the message identification rule base to ensure the quality of the message identification rule base.

The above-mentioned way that technical staff maintained the message recognition rule base, efficiency is slow and the degree of optimization is low.

Disclosure of Invention

In view of the foregoing, it is necessary to provide a method, an apparatus, a computer device, a computer readable storage medium, and a computer program product for processing a packet recognition rule base, which can improve the efficiency of optimizing the packet recognition rule base.

In a first aspect, the present application provides a method for processing a message identification rule base. The method comprises the following steps:

detecting an abnormal message identification rule in a message identification rule base by using a preset abnormal detection strategy;

determining an abnormal detection strategy hit by the abnormal message identification rule, and acquiring a target abnormal processing strategy corresponding to the abnormal message identification rule according to the corresponding relation between the abnormal detection strategy and the abnormal processing strategy;

and processing the abnormal message identification rule according to the target abnormal processing strategy.

In one embodiment, the detecting an abnormal packet identification rule in the packet identification rule base by using a preset abnormal detection policy includes:

aiming at each message identification rule in a message identification rule base, obtaining a message sample set corresponding to the message identification rule;

matching each message in the message sample set by using the message identification rule, and determining the matching duration of the message identification rule matching each message in the message sample set;

determining the average matching duration of each matching duration;

and determining the message identification rule as an abnormal message identification rule under the condition that the average matching time length is higher than the matching time length upper limit corresponding to the message identification rule.

And screening out the message identification rules with abnormal performance in the message identification rule base by comparing the average matching duration of each message identification rule with the upper limit of the corresponding matching duration.

In one embodiment, the method further comprises:

determining a target rule type of the message identification rule;

and inquiring the corresponding relation between the rule type and the upper limit of the matching duration, and determining the upper limit of the matching duration matched with the target rule type as the upper limit of the matching duration corresponding to the message identification rule.

The rule types are divided for the message identification rules, different matching time length upper limits are set for different rule types, and performance loss standards are set for different message identification rules according to the difference of the rule types, so that the message identification rules with abnormal performance can be identified more accurately.

In one embodiment, the method further comprises:

determining a plurality of message identification rules of which the rule types are the target rule types in the message identification rule base;

matching each message in the message sample complete set by using the plurality of message identification rules, and acquiring the target matching duration of each message identification rule in the plurality of message identification rules matched with each message in the message sample complete set;

determining a target average matching duration of each target matching duration;

and taking the target average matching time length as the upper limit of the matching time length corresponding to the target rule type and storing the upper limit.

And aiming at the upper limit of the matching time length corresponding to each rule type, taking the target average matching time length of the message identification rule of the rule type in the message identification rule base as the upper limit of the matching time length of the rule type, wherein the upper limit of the matching time length corresponding to each rule type can evaluate whether the performance loss of the network equipment is higher than the average level when the network equipment utilizes the message identification rule to match with the message.

unpacking abnormal messages corresponding to abnormal applications or abnormal protocols with abnormal recognition results and identifying deep messages, and determining target applications or target protocols corresponding to the abnormal messages;

and under the condition that the target application corresponding to the abnormal message is determined to be inconsistent with the abnormal application or the target protocol corresponding to the abnormal message is determined to be inconsistent with the abnormal protocol, determining the message identification rule hit by the abnormal message in the identification log data corresponding to the abnormal application or the abnormal protocol as an abnormal message identification rule.

And analyzing the abnormal message corresponding to the application or protocol with the abnormal identification result to determine whether the message identification rule corresponding to the application or protocol with the abnormal identification result is accurately identified, so as to obtain the abnormal message identification rule for identifying the abnormality in the message identification rule base.

searching candidate abnormal message identification rules which accord with preset abnormal rule characteristics in the message identification rule base;

matching each message in the message sample complete set corresponding to a plurality of applications or protocols by using the candidate message identification rule;

and under the condition that the candidate message identification rule is matched with the messages corresponding to a plurality of applications or protocols, determining the candidate message identification rule as an abnormal message identification rule.

Candidate abnormal message identification rules in the message identification rule base can be screened out through abnormal rule characteristics, then the candidate abnormal message identification rules are further matched with all messages in a message sample complete set corresponding to multiple applications or protocols, and abnormal message identification rules can be screened out.

counting the total hit count value corresponding to each message identification rule in the message identification rule base according to a hit count file for recording the corresponding relation between the message identification rule and the hit count value;

and determining the message identification rule with the total hit count value smaller than the lower limit value of the hit count as an abnormal message identification rule.

And determining the message identification rule corresponding to the application or protocol which is not used in the Internet in the message identification rule base by reading the hit count file, and screening the old and abnormal message identification rule in the message identification rule base.

analyzing a webpage corresponding to each application download website, determining an application identifier of each application in the application download website, and obtaining an application identifier list;

matching the application identification list with application identifications corresponding to the message identification rules in the message identification rule base;

and determining the message identification rule of which the corresponding application identifier is not matched with the application identifier list as an abnormal message identification rule.

The method comprises the steps of firstly obtaining applications still existing in the current Internet, obtaining an application identification list, then determining whether the applications to which each message identification rule in a message identification rule base belongs are still active, and screening out message identification rules corresponding to the applications which cannot appear in the current Internet, namely screening out old and abnormal message identification rules.

In one embodiment, the processing the exception packet identification rule according to the target exception handling policy includes:

deleting the abnormal message identification rule in the message identification rule base under the condition that the abnormal type of the abnormal message identification rule is a non-optimized type;

and under the condition that the abnormal type of the abnormal message identification rule is an optimizable type, optimizing the abnormal message identification rule and then adding the optimized abnormal message identification rule into the message identification rule base.

The message identification rules of different abnormal types are processed differently, so that the message identification rule base is optimized more comprehensively.

In a second aspect, the present application further provides a device for processing a packet identification rule base. The device comprises:

the detection module is used for detecting an abnormal message identification rule in the message identification rule base by using a preset abnormal detection strategy;

the determining module is used for determining an abnormal detection strategy hit by the abnormal message identification rule and acquiring a target abnormal processing strategy corresponding to the abnormal message identification rule according to the corresponding relation between the abnormal detection strategy and the abnormal processing strategy;

and the processing module is used for processing the abnormal message identification rule according to the target abnormal processing strategy.

In a third aspect, the present application further provides a network device. The computer device comprises a memory storing a computer program and a processor implementing the following steps when executing the computer program:

In a fourth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:

In a fifth aspect, the present application further provides a computer program product. The computer program product comprising a computer program which when executed by a processor performs the steps of:

According to the message identification rule base processing method, the message identification rule base processing device, the computer equipment, the storage medium and the computer program product, the abnormal message identification rule in the message identification rule base is automatically detected, the abnormal message identification rule is processed, the abnormal message identification rule is optimized, the message identification rule base is optimized, the optimization efficiency is high, and the optimization degree is high.

Drawings

FIG. 1 is a flow diagram illustrating a method for processing a rule base for message identification in one embodiment;

FIG. 2 is a flowchart illustrating the detailed implementation of step 201 in one embodiment;

FIG. 3 is a schematic flow chart diagram illustrating a method for processing a rule base for message identification in one embodiment;

FIG. 4 is a block diagram of an embodiment of a message recognition rule base processing apparatus;

fig. 5 is an internal structural diagram of a network device in one embodiment.

Detailed Description

In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.

The message identification rule base is an important dependence of the deep message identification technology, and the quality of the message identification rule base can directly influence the efficiency of the deep message identification technology. However, the application layer in the internet is endless, the application version is updated, the deep packet identification meets the identification requirement of new application, the number of rules in the packet identification rule base is continuously accumulated, and the performance pressure on the deep packet identification is increased. The message identification rules in the message identification rule base are generally manually maintained by a plurality of technicians, so that the quality of each message identification rule in the message identification rule base is uneven. For example, the format of a certain message identification rule is problematic. Or the message identification rule A is completely the same as the message identification rule B, or the message identification rule C and the message identification rule D belong to the same applied message identification rule, but the message identification rule C contains all the characteristics of the message identification rule D. Or the feature of the message identification rule E is very weak, which easily causes misidentification, or the writing of the message identification rule F is unreasonable, which causes great performance loss to the deep message identification engine, or the application corresponding to the message identification rule G is stopped (updating and operation is stopped), there is almost no message corresponding to the application in the internet, or the message identification rule H is a message identification rule written before a long time, but the message identification rule H will not be hit by any message in the current internet as the version of the application corresponding to the message identification rule H is upgraded.

In the related art, the packet identification rule base is generally manually maintained by a technician, and specifically, the technician periodically checks each packet identification rule in the packet identification rule base by experience to determine whether each packet identification rule affects the quality of the packet identification rule base, thereby affecting the performance of deep packet inspection. The method for manually maintaining the quality of the message identification rule base by technicians has low efficiency and low optimization degree.

Based on the above, the present application provides a method for processing a message identification rule base, which detects an abnormal message identification rule in the message identification rule base by using a preset abnormal detection strategy, determines an abnormal message detection strategy hit by the abnormal message identification rule, obtains a target abnormal processing strategy corresponding to the abnormal message identification rule according to a corresponding relationship between the abnormal detection strategy and the abnormal processing strategy, and processes the abnormal message identification rule according to the target abnormal processing strategy.

By the message identification rule base processing method, abnormal message identification rules in the message identification rule base are automatically detected, the abnormal message identification rules are processed, the abnormal message identification rules are optimized, the message identification rule base is optimized, and the optimization efficiency is high and the optimization degree is high.

The message identification rule base processing method provided by the embodiment of the application can be applied to the fields of service data flow identification and service data flow control, works from a transmission layer of an open system interconnection communication reference model to an application layer, has high data processing capacity, can identify and manage the flow of the service carried by a network, and can be deployed in network backbone layers, metropolitan area networks and network equipment in enterprises, wherein the network equipment comprises but is not limited to router equipment, firewall equipment, gateway equipment, flow cleaning equipment and the like.

In one embodiment, as shown in fig. 1, a method for identifying rules of a packet is provided, which includes the following steps:

step 101, detecting an abnormal message identification rule in a message identification rule base by using a preset abnormal detection strategy.

The abnormal recognition message rule refers to a message recognition rule which influences the quality of the message recognition rule base in the message recognition rule base. And the preset abnormal detection strategy is used for detecting the abnormal message identification rule in the message identification rule base.

Each message identification rule in the message identification rule base has a fixed format and includes a plurality of fields, for example, a message identification rule may include six fields, each field is separated by a comma, a first field represents a rule id value, a second field represents a characteristic value of the rule, a third field represents an english name of an application, a fourth field represents an id value of the application, the field is a unique identifier of the application, a fifth field is a protocol type value, and a sixth field is a rule priority value, which are shown below for the message identification rule according to an embodiment of the present application:

['0005137','pkt.payload～"com\.tencent\.meeting','tengxunhuiyi','27577','tcp','154']

the id of the message identification rule is 0005137, and the characteristic values of the rule are as follows: payload to com \ tenc ent \ meeting, the message identifies the English name of the application corresponding to the rule: and the tengxunhuiyi, the application id of the application corresponding to the message identification rule is as follows: 27577, the protocol of the message identification rule is as follows: tcp, the rule priority value of the message identification rule is: 154.

specifically, the network device may store a plurality of preset anomaly detection policies, select one of the preset anomaly detection policies, and detect an abnormal packet identification rule in the packet identification rule base. For example, the network device may detect the message identification rules in the message identification rule base one by one, determine whether the message identification rules meet the abnormal condition, and if the message identification rules meet the abnormal condition, determine that the message identification rules are the abnormal message identification rules. For another example, the network device performs an identification result of deep packet identification through the current packet identification rule base, determines an application or protocol with an abnormal identification result, and then determines a corresponding abnormal packet identification rule according to the application or protocol with the abnormal identification result and an abnormal packet corresponding to the application or protocol with the abnormal identification result. For another example, the network device screens out candidate abnormal message identification rules from the message identification rule base according to preset abnormal rule characteristics, then matches a pre-prepared message set with each candidate abnormal message identification rule, and finds out the abnormal message identification rules for hitting the messages corresponding to multiple applications or protocols.

Step 103, determining an anomaly detection strategy hit by the anomaly packet identification rule, and obtaining a target anomaly handling strategy corresponding to the anomaly packet identification rule according to the corresponding relation between the anomaly detection strategy and the anomaly handling strategy.

For example, when the network device detects that the abnormal type of the abnormal packet identification rule a is a performance abnormality in the packet identification rule base by using the abnormal packet detection policy a, that is, when the network device matches with another packet by using the abnormal packet identification rule a, the matching time is long, and at this time, the network device can send the abnormal packet identification rule a to the device where the technician is located, so that the technician rewrites and optimizes the abnormal packet rule. For another example, the network device detects, by using the abnormal packet detection policy B, that the abnormal type of the abnormal packet identification rule B is a repeated abnormality or contains an abnormality in the packet identification rule base, that is, the packet identification rule identical to the abnormal packet identification rule B exists in the packet identification rule base, or the packet identification rule containing all contents of the abnormal packet identification rule B exists in the packet identification rule base, and at this time, the network device may directly delete the packet identification rule B in the packet identification rule base. For another example, the network device detects the abnormal type of the abnormal packet identification rule C as an identification abnormality in the packet identification rule base by using the abnormal packet detection policy C, that is, the packet corresponding to a plurality of applications or protocols can hit the packet identification rule C, and at this time, the network device can perform feature extraction again on the application or protocol corresponding to the packet identification rule C to obtain the packet identification rule C with obvious application features, and add the packet identification rule C into the packet identification rule base. For another example, the network device detects that the abnormal type of the abnormal packet identification rule D is a format abnormality in the packet identification rule base by using the abnormal packet detection policy D, that is, the rule format of the packet identification rule D does not conform to the preset rule format, and at this time, the network device may change the rule format of the packet identification rule D to obtain the packet identification rule D with the correct format and add the packet identification rule D to the packet identification rule base.

Specifically, the network device may store correspondence between different anomaly detection policies and an anomaly handling policy, and determine the anomaly detection policy in which the anomaly packet identification rule is detected, that is, the anomaly detection policy hit by the anomaly packet identification rule, after detecting the anomaly packet identification rule in the packet identification rule base by using a preset anomaly detection policy. And the network equipment determines a target exception handling strategy for handling the exception message identification rule according to the corresponding relation between the stored exception detection strategy and the exception handling strategy.

For example, the network device stores preset anomaly detection policies a, B, and C and preset anomaly handling policies 1, 2, and 3, and also stores a correspondence relationship between the anomaly detection policies and the anomaly handling policies, as shown in table 1 below:

TABLE 1 correspondence between anomaly detection policies and anomaly handling policies

Anomaly detection strategy	Exception handling policy
		Anomaly detection strategy A	Exception handling policy 1
Anomaly detection strategy B	Exception handling policy 2
		Anomaly detection strategy C	Exception handling policy 3

After the network device detects the abnormal message identification rule X in the message identification rule base by using the preset abnormal detection strategy B, the abnormal detection strategy hit by the abnormal message identification rule X is determined to be an abnormal detection strategy B, and according to the corresponding relation between the abnormal detection strategy and the abnormal meeting processing strategy, the abnormal processing strategy corresponding to the abnormal detection strategy B hit by the abnormal message identification rule X is determined to be an abnormal processing strategy 2, namely the target abnormal processing strategy corresponding to the abnormal message identification rule X is determined to be an abnormal processing strategy 2.

And 105, processing the abnormal message identification rule according to the target abnormal processing strategy.

Specifically, after the network device obtains the target exception handling policy corresponding to the exception packet identification rule, the network device completes the processing of the exception packet identification rule according to the target exception handling policy, and the exception packet identification rule is optimized.

In this embodiment, the network device automatically completes optimization of the message identification rule base, and based on a mode of manually optimizing the message identification rule base compared with the related art, the optimization efficiency is high.

In an embodiment, as shown in fig. 2, the step 101 specifically includes:

step A1, aiming at each message identification rule in a message identification rule base, obtaining a message sample set corresponding to the message identification rule.

Wherein, the message sample set comprises a plurality of messages. The messages included in the message sample set corresponding to the message identification rule may be history messages corresponding to the application to which the message identification rule belongs, that is, history messages generated by interaction between the client and the application server to which the message identification rule belongs, or history messages corresponding to multiple applications, that is, history messages generated by interaction between the client and the application servers of the multiple applications.

Specifically, when the network device determines to use a performance anomaly detection policy of a plurality of preset anomaly detection policies, the network device may traverse each packet identification rule in the packet identification rule base, and obtain, for each packet identification rule in the packet identification rule base, a packet sample set corresponding to the packet identification rule.

And A3, matching each message in the message sample set by using the message identification rule, and determining the matching duration of the message identification rule matching each message in the message sample set.

Specifically, the network device traverses each message in the message sample set, sequentially matches the messages in the message sample set with the message identification rule according to the traversal order, starts timing when the matching starts, and ends the technology after the matching ends, so as to obtain the matching duration of the messages in the message sample set and the message identification rule.

And A5, determining the average matching time length of each matching time length.

Specifically, after the network device obtains the matching time length of each message in the message identification rule matching message sample set, the network device adds the matching time lengths and divides the sum by the number of the messages in the message sample set to obtain the average matching time length of each matching time length, namely, the average matching time length = the sum of the matching time lengths and/or the number of the messages in the message sample set.

And A7, determining the message identification rule as an abnormal message identification rule under the condition that the average matching time length is higher than the upper limit of the matching time length corresponding to the message identification rule.

The upper limit of the matching duration corresponding to the message identification rule is used for evaluating a performance loss measurement standard when the network equipment matches the message by using the message identification rule, if the average matching duration of the message identification rule is longer than the matching duration corresponding to the message identification rule, the matching duration of the message identification rule is over long, the performance loss when the network equipment matches the message by using the message identification rule is high, if the average matching duration of the message identification rule is shorter than the matching duration corresponding to the message identification rule, the matching duration of the message identification rule is proper, and the performance loss when the network equipment matches the message by using the message identification rule is in a reasonable range.

In this embodiment, the message identification rules with abnormal performance in the message identification rule base are screened out by comparing the average matching duration of each message identification rule with the upper limit of the corresponding matching duration.

In one embodiment, the method for processing a message identification rule further includes:

and A9, determining the target rule type of the message identification rule.

When the message identification rules are matched, the matching process is different, for example, a part of the message identification rules are field matched at a fixed offset bit of the message, which may be referred to as fixed offset bit matching, and a rule type of the corresponding message identification rule may be referred to as a fixed offset bit matching type. The partial message identification rule is to jump a plurality of fixed offset bits for field matching, and may be referred to as a jump matching, and the rule type of the corresponding message identification rule may be referred to as a jump matching type. The partial message identification rules are matched from the initial position of the message until the matching is successful or the matching is failed to the end position of the message, and the partial message identification rules can be called full packet matching, and the rule types of the corresponding message identification rules can be called full packet matching types.

In general, the matching rules of the packet identification rules may be embodied in different characteristics, for example, the packet identification rule a is:

['0005137','pkt.payload～"com\.tencent\.meeting"','tengxunhuiyi','27577','tcp','154']

the message identification rule B is as follows:

['0002030','pkt.payload～".{99}weibo"','sina_weibo','327','http','160']

the message identification rule C is as follows:

['0002142','pkt.payload～"^\x00\x01.{1}\x00.{5}\x64\x64\x64.{2}\x88\x13"','dazhihui','312','tcp','154']

the content of the message identification rule a without the fixed offset bit is the above full packet matching. The content of message identification rule B with a fixed offset bit, i.e., "{99}", is offset to a specified position for dematching, which is the fixed offset bit matching described above. The message recognition rule C has a plurality of fixed offset bits, i.e., "{1}, {5}, and {2}" which are used for de-matching at a plurality of fixed positions, which is the aforementioned skip matching.

Specifically, the network device reads and analyzes the rule content of the message identification rule, matches the message identification rule with the characteristics of the matching process corresponding to each rule type, such as the above-mentioned rule type including one fixed offset bit, or including multiple fixed offset bits, or not including a fixed offset bit, and determines the rule type that the message identification rule conforms to, so as to obtain the target rule type of the message identification rule.

Step A11, inquiring the corresponding relation between the rule type and the matching time length upper limit, and determining the matching time length upper limit matched with the target rule type as the matching time length upper limit corresponding to the message identification rule.

Because the matching processes of the message identification rules of different rule types are different, the performance loss of the network device when the message identification rules of different rule types are matched with the message is different, and therefore, the upper limit of the matching time length of the performance loss standard when the network device is evaluated to be matched with the message by using the message identification rules is different.

Specifically, the network device stores a corresponding relation between a rule type and a matching time length upper limit, after the network device determines a target rule type of the message identification rule, the network device queries the corresponding relation between the rule type and the matching time length upper limit by taking the target rule type as a matching item, and determines the matching time length upper limit matched with the target rule type as the matching time length upper limit corresponding to the message identification rule.

In this embodiment, rule types are divided for the packet identification rules, different matching time length upper limits are set for different rule types, and according to the difference of the rule types, performance loss standards are set for different packet identification rules, so that packet identification rules with abnormal performance are identified more accurately.

In one embodiment, the message identification rule base processing method further includes:

step A13, determining a plurality of message identification rules with the rule types as target rule types in a message identification rule base.

Specifically, after determining the target rule type of the message identification rule, the network device traverses the rule content of each message identification rule in the message identification rule base, determines the rule type of each message identification rule in the message identification rule base, and obtains a plurality of message identification rules of which the rule type in the message identification rule base is the target rule type.

Step A15, matching each message in the message sample complete set by using the plurality of message identification rules, and obtaining the target matching duration of each message in the plurality of message identification rules matched with each message in the message sample complete set.

Specifically, for each message identification rule in the plurality of message identification rules, the network device traverses each message in the message sample set, sequentially matches the messages in the message sample set with the message identification rule according to the traversal order, starts timing when the matching starts, and ends the timing after the matching ends to obtain the target matching duration of the messages in the message sample set and the message identification rule.

And A17, determining the target average matching time length of each target matching time length.

Specifically, after obtaining the target matching duration of each message in the plurality of message identification rule matching message sample sets, the network device adds up the target matching durations and then divides the sum by the product of the number of messages in the message sample set and the number of rules of the plurality of message identification rules to obtain the target average matching duration of each target matching duration, that is, the target average matching duration = the sum of each target matching duration ÷ (the number of messages in the message sample set × the number of rules of the plurality of message identification rules).

And A19, taking the target average matching time length as the upper limit of the matching time length corresponding to the target rule type and storing the target average matching time length.

Specifically, the network device stores the corresponding relationship between the rule type and the upper limit of the matching duration, and modifies the upper limit of the matching duration corresponding to the rule type as the target rule type into the calculated target average matching duration.

In this embodiment, for the upper limit of the matching duration corresponding to each rule type, the target average matching duration of the packet identification rule of the rule type in the packet identification rule base is used as the upper limit of the matching duration of the rule type, and the upper limit of the matching duration corresponding to each rule type at this time is used to evaluate whether the performance loss when the network device matches the packet with the packet using the packet identification rule is higher than the average level.

In an embodiment, the step 101 specifically includes:

and B1, unpacking and deep message identification are carried out on the abnormal application with the abnormal identification result or the abnormal message corresponding to the abnormal protocol, and the target application or the target protocol corresponding to the normal message is determined.

The abnormal identification result means that the difference between the message quantity value of a certain application or protocol passing through the network equipment and the message count value of the application or protocol hit recorded by the network equipment is too large. Specifically, the quantity value of the messages of a certain application or protocol passing through the network device is much smaller than the message count value of the application or protocol hit recorded by the network device, or the quantity of the messages of a certain application or protocol passing through the network device is much higher than the message count value of the application or protocol hit recorded by the network device. Generally, the difference between the value of the number of messages passing through the network device by an application or protocol and the value of the message count hit by the application or protocol recorded by the network device is higher than 100, and the application or protocol is considered as an application or protocol with an abnormal identification result.

For example, in a message flow passing through the network device, a message corresponding to a certain application or a certain protocol is not included, but a hit count value corresponding to the application or the protocol in the log data is not 0, or in a message flow passing through the network device, the number of messages corresponding to a certain application or a certain protocol is very small, for example, only ten or several messages are included, but a hit count value corresponding to the application or the protocol in the log data is several hundreds. For example, a message stream passing through the network device includes a plurality of messages corresponding to a certain application or a certain protocol, but the hit count value corresponding to the application or the protocol in the log data is 0, or the number of messages corresponding to a certain application or a certain protocol in a message stream passing through the network device is very large, if there are hundreds of messages, but the hit count value corresponding to the application or the protocol in the log data is dozens of messages.

Specifically, after determining an abnormal application or an abnormal protocol with an abnormal identification result, the network device obtains an abnormal message of which the application or the protocol is identified as the abnormal application or the abnormal protocol, unpacks the abnormal message, deletes a protocol header of the abnormal message to obtain a load of the abnormal message, identifies the load of the abnormal message, determines whether the abnormal message carries a key character of an application according to the content of the load of the abnormal message, and further determines a target application or a target protocol to which the abnormal message belongs, namely a target application or a target protocol corresponding to the abnormal message.

And step B3, under the condition that the target application corresponding to the abnormal message is determined to be inconsistent with the abnormal application or the target protocol corresponding to the abnormal message is determined to be inconsistent with the abnormal protocol, determining the message identification rule hit by the abnormal message in the identification log data corresponding to the abnormal application or the abnormal protocol as the abnormal message identification rule.

Specifically, if the network device determines that the target application corresponding to the abnormal packet is inconsistent with the abnormal application or the target protocol corresponding to the abnormal packet is inconsistent with the abnormal protocol, it indicates that the application to which the abnormal packet belongs is determined to be incorrect by the network device, and determines a packet identification rule hit by the abnormal packet by reading identification log data corresponding to the abnormal application or the abnormal protocol, and identifies the packet as the abnormal packet identification rule. If the network device determines that the target application corresponding to the abnormal message is consistent with the abnormal application, or the target protocol corresponding to the abnormal message is consistent with the abnormal protocol, it indicates that the network device determines that the application to which the abnormal message belongs is correct, and the message identification rule hit by the abnormal message is also correct.

In this embodiment, whether the message identification rule corresponding to the application or protocol with the abnormal identification result is accurately identified is determined by analyzing the abnormal message corresponding to the application or protocol with the abnormal identification result, so as to obtain the abnormal message identification rule for identifying the abnormality in the message identification rule base.

In one embodiment, the step 101 specifically includes:

and C1, searching candidate abnormal message identification rules according with the preset abnormal rule characteristics in a message identification rule base.

For example, for a message identification rule with a protocol of tcp or udp, if the number of the features of the hexadecimal byte not 0 is less than four, the feature of the message identification rule is relatively weak, and the message identification rule is easy to hit other applied messages. For the message identification rule with the protocol being http or https, the character string features are very short, and the error hit is easy to occur. The preset abnormal rule features may be written by a technician and input to the network device, or may be obtained by the network device performing feature extraction on the determined abnormal recognition features.

Specifically, the network device traverses the message identification rule in the message identification rule base, matches the message identification rule with the abnormal rule feature, and determines the message identification rule as a candidate abnormal message identification rule if the message identification rule is matched with the abnormal rule feature, that is, the rule content of the message identification rule contains the abnormal rule feature and conforms to the preset abnormal rule feature. If the network equipment determines that the message identification rule is not matched with the abnormal rule characteristic, namely, the rule content of the message identification rule does not contain the abnormal rule characteristic and does not accord with the preset abnormal rule characteristic, traversing the next message identification rule and determining whether the next message identification rule accords with the preset abnormal rule characteristic or not.

And step C3, matching each message in the message sample complete set corresponding to a plurality of applications or protocols by using the candidate message identification rule.

The message sample complete set comprises a plurality of messages, the messages in the message sample complete set are messages corresponding to a plurality of applications or protocols, and the application or protocol to which each message in the message sample complete set belongs is definite, namely, each message in the message sample complete set marks the application or protocol to which the message belongs. Typically, the plurality of messages contained in the message sample corpus are historical messages passing through the network device.

Specifically, for each candidate message identification rule, the network device matches the candidate message identification rule with each message in the message sample complete set one by one, determines whether each message in the message sample complete set meets the rule content of the candidate message identification rule, determines that the message is matched with the candidate abnormal message identification rule if a certain message meets the rule content of the candidate message identification rule, and determines that the message is not matched with the candidate abnormal message identification rule if the certain message does not meet the rule content of the candidate message identification rule.

And step C5, determining the candidate message identification rule as an abnormal message identification rule under the condition that the candidate message identification rule is matched with the messages corresponding to the plurality of applications or protocols.

Specifically, after matching each message in a message sample complete set corresponding to a plurality of applications or protocols by using a candidate message identification rule, the network device obtains a plurality of messages in the message sample complete set matched with the candidate message identification rule, wherein each message in the message sample complete set is marked with an application to which the message belongs, determines the application or protocol to which the plurality of messages matched with the candidate message identification rule belong, and determines that the candidate message identification rule is matched with the messages corresponding to the plurality of applications or protocols if the plurality of messages matched with the candidate message identification rule do not belong to the same application or protocol, and determines the candidate message identification rule as an abnormal message identification rule. If the network equipment determines that a plurality of messages matched with the candidate message identification rule belong to the same application or protocol, the candidate message identification rule is determined to be matched with a message corresponding to only one application or protocol, and the candidate abnormal message identification rule is not an abnormal message identification rule.

In this embodiment, candidate abnormal packet identification rules in the packet identification rule base can be screened out through the abnormal rule features, and then the candidate abnormal packet identification rules are further matched with each packet in the packet sample complete set corresponding to a plurality of applications or protocols, so that the abnormal packet identification rules can be screened out.

In an embodiment, the step 101 specifically includes:

and D1, counting the total hit count value corresponding to each message identification rule in the message identification rule base according to a hit count file for recording the corresponding relation between the message identification rule and the hit count value.

The hit count file is used by the network device to record a hit count value of each message identification rule hit by a message passing through the network device, that is, a corresponding relationship between the message identification rule and the hit count value, and generally records the message identification rule and the hit count value within a period of time, for example, the statistical duration is one month, the hit count file is the message identification rule and the hit count value within one month, or the statistical duration is 10 days, and the hit count file is the message identification rule and the hit count value within ten days. Specifically, when the network device performs deep message detection by using the message identification rule base, for each message passing through the network device, the network device will determine the application or protocol to which the message belongs as the application to which the message identification rule that the message finally hits belongs, and correspondingly will add 1 to the hit count value corresponding to the message identification rule that the message hits.

Specifically, the network device obtains a stored hit count file for recording the corresponding relationship between the message identification rule and the hit count value, reads the content of the hit count file, and counts the total hit count value corresponding to the message identification rule in the message identification rule base. Or the network equipment acquires a plurality of hit count files for storing and recording the corresponding relation between the message identification rules and the hit count values, reads the content of the hit count files, and counts the total hit count value corresponding to the message identification rules in the message identification rule base.

And D3, determining the message identification rule with the total hit count value smaller than the lower limit value of the hit count as an abnormal message identification rule.

The lower limit value of the hit count is generally related to the statistical duration of the hit count file, and the lower limit value of the hit count is generally in positive correlation with the statistical duration of the hit count file, for example, if the statistical duration of the hit count file is 1 month, the lower limit value of the hit count may be 10 or 5, or if the statistical duration of the hit count file is 10 days, the lower limit value of the hit count may be 2 or 0, and if the statistical duration of the hit count file is 1 year, the lower limit value of the hit count may be 50 or 25.

Specifically, after determining the total hit count value of each message identification rule in the message rule base, the network device compares the total hit count value of each message identification rule with the lower count limit value, and then determines the message identification rule with the total hit count value smaller than the lower hit count limit value as the abnormal message identification rule.

In this embodiment, the hit count file is read, and the message identification rule corresponding to the application or protocol that is no longer used in the internet is determined in the message identification rule base, so as to screen out the old and abnormal message identification rule in the message identification rule base.

In an embodiment, the step 101 specifically includes:

and E1, analyzing the webpage corresponding to each application downloading website, determining the application identifier of each application in the application downloading website, and obtaining an application identifier list.

The application downloading website can be a website corresponding to a microsoft application store, an apple application store, a Huacheng application market and a millet application store, and application detailed information of a plurality of applications is recorded on a webpage. The application identifier is used for uniquely identifying one application, and for the same application, the application identifier recorded in the message identification rule is the same as the application identifier recorded in the application download website.

Specifically, the network device may use a crawler technology or the like to parse a webpage corresponding to each application download website, to obtain an application identifier of each application in the application download website, and after summarizing, to obtain an application identifier list.

And E3, matching the application identification list with the application identifications corresponding to the message identification rules in the message identification rule base.

Specifically, for each message identification rule in the message identification rule base, the network device matches the application identifier of the application to which the message identification rule belongs with each application identifier in the application identifier list, and if the application identifier of the application to which the message identification rule belongs is the same as one application identifier in the application identifier list, it is determined that the application identifier corresponding to the message identification rule is matched with the application identifier list; and if the application identifier of the application to which the message identification rule belongs is different from any application identifier in the application identifier list, determining that the application identifier corresponding to the message identification rule is not matched with the application identifier list.

And E5, determining the message identification rule of which the corresponding application identifier is not matched with the application identifier list as an abnormal message identification rule.

Specifically, after each application identifier in the network device application identifier list is matched with each message identification rule in the message identification rule base, a message identification rule of which the corresponding application identifier is not matched with the application identifier list is obtained, and the message identification rule of which the corresponding application identifier is not matched with the application identifier list is determined as an abnormal message identification rule.

In this embodiment, applications still existing in the current internet are obtained to obtain an application identifier list, then whether applications to which each message identification rule in the message identification rule base belongs are still active is determined, and message identification rules corresponding to applications that do not exist in the current internet are screened out, that is, old and abnormal message identification rules are screened out.

In an embodiment, the step 101 specifically includes:

and F1, traversing each message identification rule in the message identification rule base, and identifying the domain name contained in the message identification rule.

Specifically, some packet identification rules may include a domain name, and the network device matches the packet identification rule with a domain name feature to obtain the domain name of the packet identification rule, where, for example, the packet identification rule is: [ '0005137', 'pkt. Payload- "com \ remaining \ meeting'", 'tenxunhuiyi', '27577', 'tcp', '154' ], then the domain name field can be determined to be "remaining.

And F2, simulating to access a server corresponding to the domain name.

Specifically, after the network device identifies a domain name included in the message identification rule, the simulation browser initiates an http or https request, accesses a server corresponding to the domain name, and after the processes of domain name resolution and the like, if a network resource is acquired, it is determined that the access is successful, and the application corresponding to the domain name is valid; if the network resource is successfully acquired, if the response result is 404NOT FOUND, it is determined that the access fails, and the application corresponding to the domain name is invalid.

And F3, determining the message identification rule containing the domain name with access failure as an abnormal message identification rule.

Specifically, after screening out the domain name with failed access, the network device determines the packet identification rule containing the domain name with failed access, and determines the packet identification rule containing the domain name with failed access as the abnormal packet identification rule.

In this embodiment, the old and abnormal message identification rule is screened out by simulating the domain name included in the access message identification rule.

In an embodiment, the step 105 specifically includes:

and 105a, deleting the abnormal message identification rule in the message identification rule base under the condition that the abnormal type of the abnormal message identification rule is a non-optimized type.

The exception type is a non-optimized type, which means that the performance of the network device when using the message identification rule to match the message cannot be improved by optimizing the message identification rule, such as the old exception, or repeated exception, or exception.

Specifically, the network device can record the abnormal type corresponding to each abnormal detection strategy and the corresponding relation between the abnormal type and the non-optimized type, the network device determines the abnormal type of the abnormal message identification rule according to the abnormal detection strategy hit by the abnormal message identification rule, determines whether the abnormal type of the abnormal message identification rule belongs to the non-optimized type according to the corresponding relation between the abnormal type and the non-optimized type, and deletes the abnormal message identification rule in the message identification rule base if the network device determines that the abnormal type of the abnormal message identification rule belongs to the non-optimized type.

And 105b, under the condition that the abnormal type of the abnormal message identification rule is an optimizable type, optimizing the abnormal message identification rule and adding the optimized abnormal message identification rule into a message identification rule base.

The abnormal type is an optimizable type, which means that performance of the network device when using the message identification rule to match the message is improved by optimizing the message identification rule, such as the above performance abnormality or identification abnormality.

Specifically, the network device may record an abnormal type corresponding to each abnormal detection policy and a corresponding relationship between the abnormal type and an optimizable type, determine the abnormal type of the abnormal message identification rule according to the abnormal detection policy hit by the abnormal message identification rule, determine whether the abnormal type of the abnormal message identification rule belongs to the optimizable type according to the corresponding relationship between the abnormal type and the optimizable type, and if the network device determines that the abnormal type of the abnormal message identification rule belongs to the optimizable type, optimize the abnormal message identification rule and add the optimized abnormal message identification rule to the message identification rule base.

When the network equipment optimizes the abnormal message identification rule, the application or protocol to which the abnormal message identification rule belongs can be determined, then messages corresponding to the applications or protocols to which the abnormal message identification rules belong are obtained, feature extraction is carried out again according to the messages to obtain a new message identification rule, and the optimization of the abnormal message equipment rule is completed. The network equipment can also send the abnormal message identification rule to equipment where a technician is located so that the technician can optimize the abnormal message identification rule, the technician can return to the network equipment after optimizing the abnormal message identification rule, and the network equipment can add the optimized abnormal message identification rule into a message identification rule base.

In this embodiment, the message identification rules of different exception types are processed differently, so that the message identification rule base is optimized more comprehensively.

Fig. 3 is a schematic flow chart of a message identification rule base processing method according to an embodiment of the present application.

After the network equipment starts to detect the abnormal message identification rule in the message identification rule base:

step 401a, detecting a message identification rule with repeated exception in a message identification rule base by using a repeated exception detection strategy.

And step 401b, deleting the message identification rule with repeated abnormity in the message identification rule base. And after deleting all the message identification rules with repeated exception, ending the repeated exception processing flow.

Step 402a, detecting the message identification rule with repeated abnormity in the message identification rule base by using an abnormity detection strategy.

And 402b, deleting the contained message identification rule with the contained exception in the message identification rule base. And after deleting all the message identification rules containing the exceptions, ending the flow containing the exceptions.

Step 403a, using the format anomaly detection strategy to detect the message identification rule with the format anomaly in the message identification rule base.

And step 403b, modifying the format of the message identification rule with abnormal format in the message identification rule base. And after all the message identification rules with format exception are subjected to format modification, ending the format exception processing flow.

Step 404a, using the performance anomaly detection strategy to detect the message identification rule with the performance anomaly in the message identification rule base.

And step 404b, performing performance optimization on the message identification rule with performance abnormality in the message identification rule base. And after the performance of all the message identification rules with the performance abnormity is optimized, ending the performance abnormity processing flow.

Step 405a, detecting the message identification rule with the old exception in the message identification rule base by using the old exception detection strategy.

And step 405b, deleting the message identification rules with the old exception in the message identification rule base. And after all the message identification rules with the old exception are deleted, ending the old exception processing flow.

Step 406a, detecting the message identification rule with identification abnormality in the message identification rule base by using the identification abnormality detection strategy.

And step 406b, performing feature re-extraction on the message identification rule with abnormal identification in the message identification rule base to obtain the optimized message identification rule. And after the characteristics of all the message identification rules with identification abnormality are re-extracted, ending the identification abnormality processing flow.

And after the network equipment completes all the abnormal detection strategies, finishing the detection process and completing the optimization of the message identification rule base.

It should be noted that the execution sequence of the anomaly detection policy shown in fig. 3 is only one execution sequence schematically given, and in an exemplary application, the execution sequence of each anomaly detection policy may be adjusted at will, and the network device may execute each anomaly detection policy completely.

It should be understood that, although the steps in the flowcharts related to the embodiments as described above are sequentially displayed as indicated by arrows, the steps are not necessarily performed sequentially as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a part of the steps in the flowcharts related to the embodiments described above may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the execution order of the steps or stages is not necessarily sequential, but may be rotated or alternated with other steps or at least a part of the steps or stages in other steps.

Based on the same inventive concept, the embodiment of the application also provides a device for processing the message identification rule base, which is used for realizing the method for processing the message identification rule base. The implementation scheme for solving the problem provided by the device is similar to the implementation scheme recorded in the method, so that specific limitations in one or more embodiments of the device for processing the message identification rule base provided below can be referred to the limitations on the method for processing the message identification rule base, and are not described herein again.

In one embodiment, as shown in fig. 4, there is provided a message recognition rule base processing apparatus, including:

a detection module 401, configured to detect an abnormal packet identification rule in a packet identification rule base by using a preset abnormal detection policy;

a determining module 403, configured to determine an exception detection policy hit by the exception packet identification rule, and obtain a target exception handling policy corresponding to the exception packet identification rule according to a correspondence between the exception detection policy and the exception handling policy;

and the processing module 405 is configured to process the exception packet identification rule according to the target exception handling policy.

In one embodiment, the detecting module 401 includes an obtaining unit A1 (not shown), a first matching unit A2 (not shown), a first time length determining unit A3 (not shown), and a first abnormality determining unit A4 (not shown), wherein:

the obtaining unit A1 is configured to obtain, for each packet identification rule in the packet identification rule base, a packet sample set corresponding to the packet identification rule;

the first matching unit A2 is configured to match each packet in the packet sample set by using the packet identification rule, and determine a matching duration for the packet identification rule to match each packet in the packet sample set;

the first time length determining unit A3 is configured to determine an average matching time length of each matching time length;

the first anomaly determination unit A4 is configured to determine the packet identification rule as an abnormal packet identification rule when the average matching duration is longer than the upper limit of the matching duration corresponding to the packet identification rule.

In one embodiment, the apparatus further comprises:

a type determining unit A5 (not shown in the figure) configured to determine a target rule type of the packet identification rule;

and an inquiring unit A6 (not shown in the figure) configured to inquire a corresponding relationship between a rule type and a matching duration upper limit, and determine the matching duration upper limit matched with the target rule type as the matching duration upper limit corresponding to the message identification rule.

In one embodiment, the apparatus further comprises:

a first searching unit A7 (not shown in the figure), configured to determine, in the packet identification rule base, a plurality of packet identification rules with rule types of the target rule type;

a second matching unit A8 (not shown in the figure), configured to match each packet in the packet sample complete set by using the multiple packet identification rules, and obtain a target matching duration for each packet identification rule in the multiple packet identification rules to match each packet in the packet sample complete set;

a second period determining unit A9 (not shown in the figure) for determining a target average matching period for each of the target matching periods;

a saving unit a10 (not shown in the figure) configured to take and save the target average matching duration as an upper limit of the matching duration corresponding to the target rule type.

In one embodiment, the detecting module 401 includes an unpacking unit B1 (not shown in the figure) and a second abnormality determining unit B2 (not shown in the figure), wherein:

the unpacking unit B1 is used for unpacking an abnormal application with an abnormal recognition result or an abnormal message corresponding to an abnormal protocol and identifying a deep message, and determining a target application or a target protocol corresponding to the abnormal message;

the second exception determining unit B2 is configured to determine, when it is determined that the target application corresponding to the exception packet is inconsistent with the exception application or the target protocol corresponding to the exception packet is inconsistent with the exception protocol, a packet identification rule hit by the exception packet in the identification log data corresponding to the exception application or the exception protocol as an exception packet identification rule.

In one embodiment, the detecting module 401 includes a second searching unit C1 (not shown), a third matching unit C2 (not shown), and a second abnormality determining unit C3 (not shown), wherein:

the second searching unit C1 is configured to search, in the packet identification rule base, a candidate abnormal packet identification rule that meets a preset abnormal rule characteristic;

the third matching unit C2 is configured to match each packet in the packet sample complete set corresponding to multiple applications or protocols by using the candidate packet identification rule;

the second anomaly determination unit C3 is configured to determine that the candidate packet identification rule is an abnormal packet identification rule when it is determined that the candidate packet identification rule matches with packets corresponding to multiple applications or protocols.

In one embodiment, the detecting module 201 includes a statistical unit D1 (not shown in the figure), and a third anomaly determining unit D2 (not shown in the figure), wherein:

the statistical unit D1 is used for counting the total hit count value corresponding to each message identification rule in the message identification rule base according to a hit count file for recording the corresponding relation between the message identification rule and the hit count value;

and the third anomaly determination unit D2 is configured to determine the packet identification rule in which the total hit count value is smaller than the lower hit count limit value as the abnormal packet identification rule.

In one embodiment, the detecting module 401 includes an analyzing unit E1 (not shown), a fourth matching unit E2 (not shown), and a fourth abnormality determining unit E3 (not shown), wherein:

the analysis unit E1 is configured to analyze a webpage corresponding to each application download website, determine an application identifier of each application in the application download website, and obtain an application identifier list;

the fourth matching unit E2 is configured to match the application identifier list with the application identifiers corresponding to the message identification rules in the message identification rule base;

the fourth anomaly determination unit E3 is configured to determine, as an abnormal packet identification rule, a packet identification rule for which the corresponding application identifier does not match the application identifier list.

In one embodiment, the processing module 405 includes a deleting unit 405A (not shown in the figure), and an optimizing unit 405B (not shown in the figure), wherein:

the deleting unit 405A is configured to delete the abnormal packet identification rule from the packet identification rule base when the abnormal type of the abnormal packet identification rule is a non-optimized type;

the optimizing unit 405B is configured to, when the exception type of the exception packet identification rule is an optimizable type, optimize the exception packet identification rule and add the optimized exception packet identification rule to the packet identification rule base.

All or part of each module in the message identification rule base processing device can be realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent of the network equipment

In one embodiment, a network device is provided, the internal structure of which may be as shown in fig. 5. The network device includes a processor, a memory, and a communication interface connected by a system bus. Wherein the processor of the network device is configured to provide computing and control capabilities. The memory of the network device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operating system and the computer program to run on the non-volatile storage medium. The communication interface of the network device is used for carrying out wired or wireless communication with an external terminal, and the wireless communication can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a message recognition rule base processing method.

Those skilled in the art will appreciate that the architecture shown in fig. 5 is a block diagram of only a portion of the architecture associated with the subject application, and does not constitute a limitation on the network devices to which the subject application applies, as a particular network device may include more or less components than those shown, or combine certain components, or have a different arrangement of components.

In an embodiment, a network device is further provided, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps in the foregoing message identification rule base processing method embodiments when executing the computer program.

In one embodiment, a computer readable storage medium is provided, having stored thereon a computer program that, when executed by a processor, performs the steps in each of the message identification rule base processing method embodiments described above.

In one embodiment, a computer program product is provided, comprising a computer program that when executed by a processor performs the steps of the message identification rule base processing method embodiments described above.

It should be noted that, the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.

It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include a Read-Only Memory (ROM), a magnetic tape, a floppy disk, a flash Memory, an optical Memory, a high-density embedded nonvolatile Memory, a resistive Random Access Memory (ReRAM), a Magnetic Random Access Memory (MRAM), a Ferroelectric Random Access Memory (FRAM), a Phase Change Memory (PCM), a graphene Memory, and the like. Volatile Memory can include Random Access Memory (RAM), external cache Memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others. The databases referred to in various embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a block chain based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum computing based data processing logic devices, etc., without limitation.

The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.

The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims

1. A message recognition rule base processing method is characterized by comprising the following steps:

2. The method according to claim 1, wherein the detecting abnormal packet identification rules in the packet identification rule base by using the preset abnormal detection policy comprises:

determining the average matching duration of each matching duration;

3. The method of claim 2, further comprising:

determining a target rule type of the message identification rule;

4. The method of claim 3, further comprising:

and taking the target average matching time length as the upper limit of the matching time length corresponding to the target rule type and storing the upper limit of the matching time length.

5. The method according to claim 1, wherein the detecting abnormal packet identification rules in the packet identification rule base by using the preset abnormal detection policy comprises:

6. The method according to claim 1, wherein the detecting abnormal packet identification rules in the packet identification rule base by using the preset abnormal detection policy comprises:

and under the condition that the candidate message identification rule is matched with the messages corresponding to a plurality of applications or protocols, determining that the candidate message identification rule is an abnormal message identification rule.

7. The method according to claim 1, wherein the detecting abnormal packet identification rules in the packet identification rule base by using the preset abnormal detection policy comprises:

8. The method according to claim 1, wherein the detecting abnormal packet identification rules in the packet identification rule base by using the preset abnormal detection policy comprises:

9. The method according to any one of claims 1 to 8, wherein the processing the exception packet identification rule according to the target exception handling policy includes:

10. A message recognition rule base processing apparatus, the apparatus comprising:

11. A network device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor realizes the steps of the method of any of claims 1 to 9 when executing the computer program.

12. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 9.

13. A computer program product comprising a computer program, characterized in that the computer program realizes the steps of the method of any one of claims 1 to 9 when executed by a processor.