
CN118337480A - Multi-mode character string matching method for disordered data packet based on P4 - Google Patents


Info

Publication number: CN118337480A
Authority: CN (China)
Prior art keywords: data packet, data, order, packet, data packets
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202410543581.7A
Other languages: Chinese (zh)
Inventors: 刘亚萍, 高士杰, 张硕, 陈世越, 王子齐, 吴子杰
Current assignee: Guangzhou University (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Guangzhou University
Application filed by Guangzhou University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/22 Matching criteria, e.g. proximity measures

Abstract

The invention provides a P4-based multi-pattern string matching method for out-of-order data packets. The system comprises an issuing module, a P4 network device, an out-of-order packet processing module, a rule extraction module, a data processing module and a database module. The P4 network device judges whether a parsed packet is a fragmented or segmented packet; the out-of-order packet processing module puts out-of-order fragments or segments in order and then sends the ordered fragments or segments to the data processing module to run the matching algorithm; the ordered packets are then input to the rule extraction module, and the database stores the logs output by the rule extraction module. With this multi-pattern matching method for out-of-order packets, the detection efficiency and accuracy for out-of-order packets are improved, out-of-order packets are ordered simply and quickly, and the accuracy of reading the data is improved.

Description

A Multi-Pattern String Matching Method for Out-of-Order Data Packets Based on P4

Technical Field

The invention belongs to the field of out-of-order data packet processing, and in particular relates to a P4-based multi-pattern string matching method for out-of-order data packets.

Background

Multi-pattern string matching is a core technique in network security, widely used in intrusion detection systems (IDS), content-aware firewalls and network monitoring systems. In these applications, packets traversing the network must be inspected quickly and accurately to identify malware, virus signatures, spam or other predefined string patterns. As network bandwidth grows and traffic volumes expand rapidly, traditional multi-pattern string matching methods are increasingly becoming a bottleneck.

In recent years, the emergence of programmable data planes, in particular programmable switches based on P4 (Programming Protocol-Independent Packet Processors), has opened new opportunities for solving the string matching problem in high-speed networks. P4 lets researchers and engineers write code that directly controls how packets are processed inside network devices, so that customized packet-processing logic can be designed to meet specific network function requirements. Many studies have attempted to deploy multi-pattern string matching on P4 to exploit the speed and flexibility of its hardware processing; for example, some work offloads string matching algorithms such as AC from the CPU to dedicated ASICs to improve performance, with PPS and BOLT as typical methods. These achieve throughput above Tbps and, while meeting the needs of high-bandwidth networks, provide a new class of solution for intrusion detection systems.

However, although this approach meets the performance requirements, it has a major deficiency in deployment. In real networks, fragmented and segmented packets may arrive out of order in transit because of load balancing and similar causes, and the most advanced P4-based multi-pattern string matching algorithms, PPS and BOLT, cannot handle this case. When PPS or BOLT encounter out-of-order fragments or segments, lacking any mechanism for them, they simply treat each one as an independent packet. Since many attack rules contain several pattern strings (for example, most Snort3 rules contain two or more), when the pattern strings are spread across different fragments or segments belonging to the same complete packet, PPS and BOLT fail to detect them and detection accuracy is lost.

In addition, because of memory and compute limitations, the traditional buffer-and-reassemble approach cannot be used to deploy multi-pattern string matching algorithms on P4 switches, which poses many challenges for our implementation.

To avoid this loss of detection accuracy and correctly match out-of-order fragments and segments, developing a P4-based multi-pattern string matching method for out-of-order packets is particularly important. Such a method must, while maintaining high throughput and low latency, precisely distinguish whether a packet is out of order and act on it correctly.

Summary of the Invention

In view of the above defects of the prior art, the object of the present invention is to provide a P4-based multi-pattern string matching method for out-of-order data packets.

The above technical objective of the present invention is achieved by the following solution:

A P4-based multi-pattern string matching method for out-of-order data packets, comprising the following steps:

S1: initialize, determining the NFA root state and the state transition flow table entries;

S2: obtain the packet to be parsed and parse it into a parsed packet; determine the packet features from the packet header information and protocol and generate an index; judge whether the parsed packet and the packet to be parsed are segmented or fragmented packets; if so, execute S4, otherwise execute S3;

S3: perform NFA state transitions over the payload of the parsed packet, reading the NFA state corresponding to the parsed packet (extracting it if one exists, otherwise assigning the root state); send the result to the rule extraction module and end;

S4: judge whether the index value of the fragment or segment is contiguous with the corresponding index value of an already cached packet; if so, execute S5;

if not, cache it temporarily;

S5: apply the preset rule string offset according to the state transition flow table, assign the corresponding NFA state from the state transition flow table to the packet, and judge whether this fragment or segment is the last one;

if not, perform the NFA state update described above, run the multi-pattern matching algorithm and release the current cache;

if so, run the multi-pattern matching algorithm, update the NFA state, and submit the processed packet to the rule extraction module;

S6: receive the information output by the rule extraction module, check whether rule information is present in the packet header, and if so generate a log and send it to the database for storage.

Further, in S2 the packet to be parsed is parsed to obtain its header data and payload.

Further, in S2 the packet to be parsed is a mirror packet: when the P4 network device receives a packet on its receiving port, it generates a mirror copy and sends the packet body on to the forwarding port.

Further, in S2 the index is formed either from the source address, destination address, protocol field and identification field of the packet's IP header, or from the source IP, destination IP, source port, destination port and transport-layer protocol type.

Further, judging the state of the packet comprises:

judging from the packet header information whether it is a fragmented or segmented packet; if so, performing the out-of-order judgment, otherwise executing S3;

the out-of-order judgment comprises: judging from the packet header information whether it is an out-of-order fragmented or segmented packet; if so, executing S4, otherwise executing S3.

Further, in S4 the locally cached information is sent back to the P4 register after a preset time, and execution jumps to S4.

Further, an out-of-order packet processing system comprises:

an issuing module, which issues the NFA root state, the state transition flow table entries and the pattern string mapping rule flow table entries to the P4 network device;

a P4 network device, which obtains the initial packet from the receiving port, mirrors it into a mirror packet and forwards it to the forwarding port while running the pattern matching algorithm on the mirror packet; it is also used to perform the data processing of the method according to any one of claims 1 to 6;

an out-of-order packet processing module, which receives the out-of-order packets among those that have passed through the multi-pattern matching algorithm;

a rule extraction module, which receives the non-fragmented packets, non-segmented packets, rule packets and fully processed out-of-order packets that have passed through the multi-pattern matching algorithm;

a data processing module, which runs the multi-pattern matching algorithm on packets;

a database module, which stores the logs output by the rule extraction module.

Compared with the prior art, the present invention has the following advantages:

(1) For the complex case of out-of-order fragmented packets in complex network scenarios, the method designs a programmable-switch-based multi-pattern matching method for out-of-order packets. It improves the detection efficiency and accuracy for out-of-order packets, orders them simply and quickly, and improves the accuracy of reading the data. Compared with traditional multi-pattern matching algorithms, it offloads multi-pattern string matching onto the programmable switch, thereby reducing computing resource overhead.

(2) The method integrates several modules, including the issuing module, the P4 network device, the rule extraction module and the out-of-order packet processing module. This composite module design separates the data plane, control plane and computing plane; each module performs its own duty, which improves the efficiency and maintainability of the system.

Brief Description of the Drawings

Figure 1 is a system structure diagram of a preferred embodiment of the present invention;

Figure 2 is a schematic diagram of the P4 network device registers in a preferred embodiment of the present invention;

Figure 3 is a flow chart of the P4 network device processing a packet in a preferred embodiment of the present invention;

Figure 4 is a flow chart of the out-of-order packet processing module in a preferred embodiment of the present invention;

Figure 5 is a schematic diagram of the issued flow table entries in a preferred embodiment of the present invention.

Detailed Description of the Embodiments

The embodiments of the present invention are described in detail below. The following embodiments are implemented on the premise of the technical solution of the present invention, and detailed implementations and specific operating procedures are given, but the scope of protection of the present invention is not limited to these embodiments.

A P4-based multi-pattern string matching method for out-of-order data packets, whose flow is shown in Figures 3 and 4, comprises:

S1: initialize, determining the NFA root state, the state transition flow table entries and the pattern string mapping rule flow table entries;

S2: obtain the packet to be parsed and parse it into a parsed packet; determine the packet features from the packet header information and protocol and generate an index; judge whether the parsed packet and the packet to be parsed are segmented or fragmented packets; if so, execute S4, otherwise execute S3;

S3: perform NFA state transitions over the payload of the parsed packet, reading the NFA state corresponding to the parsed packet (extracting it if one exists, otherwise assigning the root state); send the result to the rule extraction module and end;

S4: judge whether the index value of the fragment or segment is contiguous with the corresponding index value of an already cached packet; if so, execute S5;

if not, cache it temporarily;

S5: apply the preset rule string offset according to the state transition flow table, assign the corresponding NFA state from the state transition flow table to the packet, and judge whether this fragment or segment is the last one;

if not, perform the NFA state update described above, run the multi-pattern matching algorithm and release the current cache;

if so, run the multi-pattern matching algorithm, update the NFA state, and submit the processed packet to the rule extraction module;

S6: receive the information output by the rule extraction module, check whether rule information is present in the packet header, and if so generate a log and send it to the database for storage.

In step S1 of this embodiment, initialization means that the issuing module issues the NFA root state, the state transition flow table entries and the pattern string mapping rule flow table entries to the P4 network device, and the P4 network device runs the multi-pattern string matching algorithm based on the configuration from the issuing module, as shown in Figure 1.

In step S2 of this embodiment, the P4 network device parses the packet to be parsed to obtain its header data and payload. The packet to be parsed is a mirror packet: when the P4 network device receives a packet on its receiving port, it generates a mirror copy and sends the packet body on to the forwarding port. The subsequent multi-pattern matching algorithm runs on the mirror packet, which is destroyed once matching completes and is never cached.

In step S2 of this embodiment, the index is formed either from the source address, destination address, protocol field and identification field of the packet's IP header, or from the source IP, destination IP, source port, destination port and transport-layer protocol type. That is, for IP fragmentation a "five-tuple" consisting of the source address, destination address, protocol field and identification field of the fragment's IP header is designed as the unique feature identifying the fragments of one packet; for TCP segmentation another five-tuple, consisting of the source IP, destination IP, source port, destination port and transport-layer protocol type, is designed as the feature uniquely identifying the segments of one stream.

In step S2 of this embodiment, the register information is read using the hash of the five-tuple to judge whether the packet is a fragmented or segmented packet.

The specific NFA state transition in step S3 of this embodiment is as follows: using the NFA state information held in the register, the NFA state transition algorithm is run over the packet payload according to the NFA state transition entries, as shown in Figure 5. The initial state is s0; when the next characters of the payload match "ro", the state moves to s2 and the payload pointer advances by two characters. After the final state transition completes, the detection result is sent to the rule extraction module; as shown in Figure 5, when the string pattern information 1010 is matched, rule 1 has been matched.

In this embodiment, judging the state of the packet comprises:

judging from the packet header information whether it is a fragmented or segmented packet; if so, performing the out-of-order judgment, otherwise executing S3;

the out-of-order judgment comprises: judging from the packet header information whether it is an out-of-order fragmented or segmented packet; if so, executing S4, otherwise executing S3.

That is, to judge whether a packet is an out-of-order IP fragment, the IP fragment field of the current packet is compared with the IP fragment information of the previous fragment recorded in the register:

if the absolute value of the difference equals the MTU (maximum transmission unit) size of the current packet, the packet is not an out-of-order IP fragment;

otherwise the packet is an out-of-order IP fragment, and it is sent to the out-of-order packet processing module together with the information on the corresponding packet recorded in the current register.

Whether a packet is an out-of-order TCP segment is judged by comparing the TCP segment field of the current packet with the TCP segment field of the previous segment recorded in the register.

In step S4 of this embodiment, when the out-of-order packet processing module receives an out-of-order fragment or segment carrying register information, it caches the current out-of-order packet together with the register information it carries and waits for subsequent out-of-order packets to arrive. When a new out-of-order packet arrives without register information, the module reads the cached register information using the five-tuple hash index value and judges whether the index value of the out-of-order fragment or segment is contiguous with a corresponding cached index value:

if so, execute S5;

if not, cache it temporarily; information cached locally is sent back to the P4 register after a preset time, and execution jumps back to S4.

In step S5 of this embodiment, the NFA state transition applies the preset rule string offset starting from the already matched NFA state held in the register information recorded by the P4 network device, and finally judges whether the fragment or segment is the last one from the MF field of the network-layer header or the FIN field of the transport-layer header:

if MF=1 or FIN=0, it is not the last, meaning that further fragments or segments have yet to arrive; the NFA state update described above is performed, the multi-pattern matching algorithm is run, and the currently cached packet is released;

if MF=0 or FIN=1, it is the last; the multi-pattern matching algorithm is run, the NFA state is updated, and the processed packet is submitted to the rule extraction module.
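As an added illustration (not code from the patent or its inventors), the following Python model simulates steps S2 to S5 for IP fragments: an Aho-Corasick automaton stands in for the NFA and its state transition table, a per-flow register keyed by the (source, destination, protocol, identification) tuple carries the NFA state and the next expected offset across fragments, out-of-order fragments wait in the S4 cache until a contiguous one arrives, and MF=0 marks the last fragment. Contiguity is checked as "offset equals bytes consumed so far", which generalises the fixed-MTU difference check of the embodiment; the `Fragment` class, the rule patterns, the addresses and the payloads are constructed sample data.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Fragment:  # constructed model of the IP-fragment fields the method relies on
    src: str
    dst: str
    proto: int
    ident: int
    offset: int    # byte offset of this fragment's payload within the datagram
    mf: int        # More Fragments flag: 1 = more to come, 0 = this is the last
    payload: bytes

    def key(self):
        # The patent's fragment index: IP source, destination, protocol, identification
        return (self.src, self.dst, self.proto, self.ident)


class AhoCorasick:
    """Multi-pattern automaton standing in for the patent's NFA; state 0 is the
    root and out[s] holds the rule ids completed on reaching state s."""

    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for rid, pat in enumerate(patterns):
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(rid)
        queue = deque(self.goto[0].values())   # breadth-first: failure links, outputs
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                nxt = self.goto[f].get(b, 0)
                self.fail[s] = 0 if nxt == s else nxt
                self.out[s] |= self.out[self.fail[s]]

    def step(self, state, data):
        """Run over `data` from `state`; return (final state, rule ids matched)."""
        hits = set()
        for b in data:
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits |= self.out[state]
        return state, hits


class OutOfOrderMatcher:
    """Steps S2-S5: a per-flow register (NFA state, next expected offset) plus a
    temporary cache for fragments not yet contiguous with that register."""

    def __init__(self, patterns):
        self.nfa = AhoCorasick(patterns)
        self.register = {}   # key -> [nfa_state, next_expected_offset]
        self.cache = {}      # key -> {offset: Fragment}  (the S4 temporary cache)

    def process(self, frag):
        """Handle one arriving fragment; return the rule ids it completes,
        including patterns that straddle fragment boundaries."""
        key = frag.key()
        reg = self.register.setdefault(key, [0, 0])   # root state, offset 0
        pending = self.cache.setdefault(key, {})
        pending[frag.offset] = frag
        hits = set()
        # S4: a cached fragment is contiguous with the register -> S5: consume it,
        # carrying the NFA state across the boundary instead of restarting at root.
        while reg[1] in pending:
            f = pending.pop(reg[1])
            reg[0], h = self.nfa.step(reg[0], f.payload)
            hits |= h
            reg[1] += len(f.payload)
            if f.mf == 0:   # last fragment: flow complete, release register and cache
                del self.register[key], self.cache[key]
                break
        return hits


RULES = [b"attack", b"payload"]   # constructed rule patterns, rule ids 0 and 1


def demo():
    """Constructed datagram split into three fragments, delivered as C, B, A.
    Returns (hits on each arrival, hits of a stateless per-fragment baseline, matcher)."""
    flow = ("10.0.0.1", "10.0.0.2", 6, 4321)
    a = Fragment(*flow, offset=0, mf=1, payload=b"GET /x?q=att")
    b = Fragment(*flow, offset=12, mf=1, payload=b"ack_pay")
    c = Fragment(*flow, offset=19, mf=0, payload=b"load HTTP/1.1")
    m = OutOfOrderMatcher(RULES)
    per_arrival = [m.process(c), m.process(b), m.process(a)]
    baseline = set().union(*(m.nfa.step(0, f.payload)[1] for f in (a, b, c)))
    return per_arrival, baseline, m
```

Both patterns straddle a fragment boundary, so the stateless baseline (each fragment matched from the root, as the background section describes for PPS and BOLT) finds nothing, while the stateful matcher reports both rules once the first fragment arrives and releases its register and cache on MF=0.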

This embodiment also includes the system structure shown in Figure 1, comprising an issuing module, a P4 network device, an out-of-order packet processing module, a rule extraction module, a data processing module and a database module.

The issuing module issues the NFA root state, the state transition flow table entries and the pattern string mapping rule flow table entries to the P4 network device.

The P4 network device forwards packets entering on the ingress port normally to the egress port and mirrors a copy of each packet; it also processes the packet, parsing its contents, completing the string matching and updating the rule information mapped to the packet; it is further used to perform the data processing of any of the methods described in this embodiment. The P4 network device registers are shown in Figure 2.

The out-of-order packet processing module receives the out-of-order packets among those that have passed through the multi-pattern matching algorithm.

The rule extraction module receives the non-fragmented packets, non-segmented packets, rule packets and fully processed out-of-order packets that have passed through the multi-pattern matching algorithm.

The data processing module runs the multi-pattern matching algorithm on packets.

The database module stores the logs output by the rule extraction module, holding the data extracted by the rule extraction module in tabular form for later query and retrieval.

In summary, for the complex case of out-of-order fragmented packets in complex network scenarios, this multi-pattern string matching technique for out-of-order packets designs a programmable-switch-based multi-pattern matching method for out-of-order packets. The method improves the computing speed of the system and improves accuracy; compared with traditional multi-pattern matching algorithms, it offloads multi-pattern string matching onto the programmable switch, thereby reducing computing resource overhead.

The preferred specific embodiments of the present invention are described in detail above. It should be understood that a person of ordinary skill in the art can make many modifications and variations based on the concept of the present invention without creative effort. Therefore, all technical solutions that a person skilled in the art can obtain on the basis of the prior art through logical analysis, reasoning or limited experimentation according to the concept of the present invention shall fall within the scope of protection determined by the claims.

Claims (7)

1. A P4-based multi-pattern string matching method for out-of-order data packets, characterized in that it comprises the following steps:
S1: initialize and determine the NFA root state and the state-transition flow table entries;
S2: acquire the packet to be analyzed and parse it into a parsed packet; determine the packet characteristics from the packet header information and the protocol to generate an index; judge whether the parsed packet and the packet to be analyzed are segmented packets or fragmented packets; if so, execute S4, and if not, execute S3;
S3: perform the NFA state transition over the payload of the parsed packet, and read the NFA state corresponding to the parsed packet, extracting it if it exists and assigning the root state if it does not; send the result to the rule extraction module and end;
S4: judge whether the index value of the fragmented or segmented packet is contiguous with the index value of a cached packet; if so, execute S5;
if not, cache the packet temporarily;
S5: apply the preset rule-string offset according to the state-transition flow table, assign the packet the NFA state that corresponds to it in the state-transition flow table, and judge whether the fragment or segment is the last one;
if not, perform the NFA state update, run the multi-pattern matching algorithm and release the current cache;
if so, run the multi-pattern matching algorithm, update the NFA state and submit the processed packet to the rule extraction module;
S6: receive the information output by the rule extraction module, check whether rule information is present in the packet header, and if so, generate a log and send it to the database for storage.
2. The P4-based multi-pattern string matching method for out-of-order data packets according to claim 1, wherein parsing the packet to be analyzed in S2 obtains the header data and the payload.
3. The P4-based multi-pattern string matching method for out-of-order data packets according to claim 1, wherein the packet to be analyzed in S2 is a mirror packet generated when the P4 network device receives the packet on a receiving port and sends the packet body to a forwarding port.
4. The P4-based multi-pattern string matching method for out-of-order data packets according to claim 1, wherein the index in S2 is the source address, destination address, protocol field and identification field of the IP header of the packet, or the source IP, destination IP, source port, destination port and transport-layer protocol type.
5. The P4-based multi-pattern string matching method for out-of-order data packets according to claim 1, wherein judging the state of the packet comprises:
judging from the packet header information whether the packet is a fragmented packet or a segmented packet; if so, performing the out-of-order judgment, and if not, executing S3;
the out-of-order judgment comprises: judging from the packet header information whether the packet is an out-of-order fragmented packet or an out-of-order segmented packet; if so, executing S4, and if not, executing S3.
6. The P4-based multi-pattern string matching method for out-of-order data packets according to claim 1, wherein the information cached in S4 is written back to the P4 register after a preset time has elapsed, and step S4 is then executed in skip mode.
7. An out-of-order packet processing system, the system comprising:
an issuing module, used to issue the NFA root state, the state-transition flow table entries and the pattern-string mapping rule flow table entries to the P4 network device;
a P4 network device, which acquires an initial packet from a receiving port, mirrors it into a mirror packet, forwards the mirror packet to a forwarding port and at the same time executes the pattern matching algorithm on the mirror packet; the device also performs the data processing of the method of any one of claims 1 to 6;
an out-of-order packet processing module, used to receive the out-of-order packets after the multi-pattern matching algorithm has been applied;
a rule extraction module, used to receive the non-fragmented packets, the non-segmented packets, the rule packets and the processed out-of-order packets after the multi-pattern matching algorithm has been applied;
a data processing module, used to execute the multi-pattern matching algorithm on the packets;
and a database module, used to store the log output by the rule extraction module.
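The following is an added example, not code from the patent or from Guangzhou University: a host-side Python model of the control flow in claims 1, 4 and 5 (index the packet by flow, cache fragments whose offset is not contiguous with what has been scanned, carry the automaton state across fragment boundaries, release the cache when the last fragment is consumed). The P4 pipeline and registers are replaced by plain Python objects, the NFA of claim 1 by an Aho-Corasick automaton (one concrete multi-pattern state machine with a root state and a transition table), and the index of claim 4 by a constructed (src, dst, proto, ip_id) tuple. The byte offsets, the "last fragment" flag, the per-flow cache cap and the overlap-drop policy are assumptions of this model, as is the sample datagram.

```python
# Added example: host-side model of out-of-order fragment multi-pattern matching.
# Not the patent's code; the P4 pipeline is replaced by Python, the NFA by an
# Aho-Corasick automaton, and the flow index by a constructed tuple.
from collections import deque
from dataclasses import dataclass, field

MAX_PENDING = 64  # assumed cap on cached out-of-order fragments per flow


class AhoCorasick:
    """Multi-pattern automaton over bytes; state 0 is the root state."""

    def __init__(self, patterns):
        self.goto = [{}]   # state -> {byte: next state}
        self.fail = [0]    # state -> fallback state on mismatch
        self.out = [[]]    # state -> patterns that end in this state
        for pat in patterns:
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(pat)
        queue = deque(self.goto[0].values())      # depth-1 states keep fail = 0
        while queue:                              # BFS: shallower states first
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]
                queue.append(s)

    def scan(self, state, data, base_offset):
        """Advance from `state` over `data`; return (new state, [(pattern, start)])."""
        found = []
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for pat in self.out[state]:
                found.append((pat, base_offset + i + 1 - len(pat)))
        return state, found


@dataclass
class Fragment:
    index: tuple     # claim 4 index, constructed here as (src, dst, proto, ip_id)
    offset: int      # byte offset of this payload within the reassembled datagram
    payload: bytes
    last: bool       # final fragment (IP "more fragments" bit clear)


@dataclass
class FlowState:
    state: int = 0                               # automaton state carried across fragments
    next_offset: int = 0                         # offset the next in-order fragment must have
    pending: dict = field(default_factory=dict)  # S4 cache: offset -> Fragment
    matches: list = field(default_factory=list)


class OutOfOrderMatcher:
    def __init__(self, patterns):
        self.ac = AhoCorasick(patterns)
        self.flows = {}

    def process(self, frag):
        """S2-S5 for one fragment: returns the match list once the last fragment
        of the datagram has been scanned, otherwise None."""
        fs = self.flows.setdefault(frag.index, FlowState())
        if frag.offset < fs.next_offset:
            return None                            # overlaps scanned data: dropped (assumed policy)
        if frag.offset != fs.next_offset:
            if len(fs.pending) >= MAX_PENDING:     # bound cache use per flow
                del self.flows[frag.index]
                return None
            fs.pending[frag.offset] = frag         # S4: not contiguous, cache it
            return None
        cur = frag                                 # S5: contiguous; scan it and every
        while cur is not None:                     # cached fragment it unblocks
            fs.state, found = self.ac.scan(fs.state, cur.payload, cur.offset)
            fs.matches.extend(found)
            fs.next_offset = cur.offset + len(cur.payload)
            if cur.last:
                return self.flows.pop(frag.index).matches   # release the cache
            cur = fs.pending.pop(fs.next_offset, None)
        return None


def match_datagram(patterns, fragments):
    """Feed fragments in the given arrival order; return matches as (pattern, start)."""
    m = OutOfOrderMatcher(patterns)
    for frag in fragments:
        result = m.process(frag)
        if result is not None:
            return result
    return None


# Constructed sample: one datagram in three fragments whose payloads together
# read b"GET /attack?q=evil HTTP"; "attack" straddles fragments 0 and 1.
KEY = ("10.0.0.1", "10.0.0.2", 6, 0x1234)
FRAGS = [Fragment(KEY, 0, b"GET /att", False),
         Fragment(KEY, 8, b"ack?q=ev", False),
         Fragment(KEY, 16, b"il HTTP", True)]
PATTERNS = [b"attack", b"evil"]

if __name__ == "__main__":
    print(match_datagram(PATTERNS, FRAGS))                           # in order
    print(match_datagram(PATTERNS, [FRAGS[2], FRAGS[0], FRAGS[1]]))  # last fragment first
```

Both calls report `attack` at offset 5 and `evil` at offset 14 even though no single fragment contains either string: the automaton state stored in `FlowState` at the end of one fragment is the state the next contiguous fragment starts from, which is the point of keeping the NFA state per flow in claim 1 rather than restarting at the root for each packet. The `pending` dictionary is where the timeout of claim 6 would apply; without a cap or timeout, a sender that never delivers the missing fragment pins memory indefinitely. A fragment that overlaps already-scanned bytes is dropped here; a production reassembler has to follow the same overlap policy as the protected host, otherwise overlapping fragments can hide a pattern from the matcher.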
Priority Applications (1)

Application Number  Priority Date  Filing Date  Title                                                                              Status
CN202410543581.7A   2024-04-30     2024-04-30   Multi-mode character string matching method for disordered data packet based on P4  Pending

Publications (1)

Publication Number  Publication Date
CN118337480A        2024-07-12

Family

ID=91764186

Country Status (1)

Country  Link
CN       CN118337480A (en)


Legal Events

Code  Title
PB01  Publication
SE01  Entry into force of request for substantive examination