CN118540107A - P4-based session data packet multimode character string matching method and system

Info

Publication number
CN118540107A
Authority
CN
China
Prior art keywords
session
data packet
packet
rule
string matching
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410543583.6A
Other languages
Chinese (zh)
Inventor
刘亚萍
何德凯
张硕
陈世越
王子齐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou University
Original Assignee
Guangzhou University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou University
Priority to CN202410543583.6A
Publication of CN118540107A
Legal status: Pending

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/22: Matching criteria, e.g. proximity measures
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • Theoretical Computer Science (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Evolutionary Computation (AREA)
  • Evolutionary Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a P4-based session data packet multi-pattern string matching method and system, belonging to the technical field of network security. The method uses P4 to execute the deep packet inspection algorithm: an NFA state transition algorithm converts the payload into bitmap form, which is recorded in a local register. When the P4 network device receives a response packet, a hash result is calculated based on the 32-bit MD5 of the five-tuple that uniquely determines the data packet type in order to find the corresponding request packet, and the session rule is detected based on the NFA state of the request packet. By implementing the invention, the computational cost of multi-pattern string matching can be effectively reduced, and the efficiency with which the system extracts session rules can be significantly improved without caching the session request data packets.

Description

P4-based session data packet multimode character string matching method and system
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a P4-based session data packet multi-pattern string matching method and system.
Background
Sessions are an important concept in the field of network security; a session commonly consists of a set of request and response packets. Session rules are multi-pattern string matching rules under which the payloads of the request packets and response packets of a session carry pattern information from a specified database. As network attack techniques become increasingly complex and stealthy, session-level attacks such as man-in-the-middle attacks, phishing attacks and session hijacking attacks are becoming a more serious network security problem. These attacks are typically not carried out through a single packet, but through a series of ordered and related packets within a session. They may involve multiple stages, including reconnaissance, exploitation, command and control communications, and data theft or service destruction. Rule matching at the session level can track and analyze the data packets across the whole session, thereby revealing the attacker's behavior pattern and the attack chain. By comprehensively analyzing all the data packets in the session, attacks that are not obvious when a single data packet is analyzed can be identified. This reduces the probability of false alarms and missed alarms, thereby improving detection accuracy. In this context, multi-pattern matching of session-level packets is particularly important.
Multi-pattern matching is a key technology in the field of network security. It involves identifying and matching specific pattern sets in network traffic in real time, in order to detect malicious software, prevent network intrusion, implement data loss prevention, and so on. However, as demands on network bandwidth and processing power increase, conventional multi-pattern matching methods find it increasingly difficult to meet them.
With the advent of programmable networks, P4 (Programming Protocol-independent Packet Processors) programmable switches provide a new way to address multi-pattern matching of session-level packets. A P4 switch allows a developer to write code that defines how data packets are processed, so that specific network functions can be implemented. Systems such as PPS and BOLT can perform multi-pattern matching in simple scenarios in today's high-bandwidth network environments. However, for session packet flows, PPS and BOLT cannot inspect packets at the session level and lack a comprehensive analysis of the session flow, which may cost detection accuracy.
Disclosure of Invention
In order to solve the above problems, the invention provides a P4-based session data packet multi-pattern string matching method and system.
In a first aspect, an embodiment of the present invention provides a P4-based session data packet multi-pattern string matching method, which includes the following steps:
S1: the P4 network device acquires NFA state transition entries and session rule entries from an entry input port;
S2: the P4 network device receives a data packet from a receiving port and parses the data packet header;
S3: the P4 network device mirror-copies the data packet, inputs the mirrored data packet into a recirculation port, and forwards the data packet from a forwarding port;
S4: whether the mirrored data packet is a session data packet is determined based on the data packet header information; if the mirrored data packet is not a session data packet, the whole flow ends, and if it is a session data packet, step S5 is executed;
S5: NFA state transition processing is performed on the payload of the mirrored data packet according to the NFA state transition entries; when the P4 network device pipeline has completed the state transitions for all of the payload, a pattern bitmap is returned and the flow proceeds to step S6; otherwise the mirrored data packet is forwarded to the recirculation port;
S6: the P4 network device maps the pattern bitmap to a unidirectional flow rule and temporarily stores the unidirectional flow rule in memory;
S7: the P4 network device calculates the five-tuple hash of the mirrored data packet and determines whether the mirrored data packet is a request packet or a response packet; if it is a request packet in a session, the P4 network device reads a register based on the five-tuple hash index value; if it is a response packet in the session, the P4 network device reads the request packet's unidirectional flow rule number from the register based on the hash index value of the reversed five-tuple, and proceeds to step S8;
S8: the unidirectional flow rule number of the request packet held in the register is combined with the unidirectional flow rule number of the mirrored data packet, and it is determined whether a session rule number from the input session rule entries is hit; a hit indicates that the session to which the mirrored data packet belongs may contain an attack, and the session rule number is uploaded to a server; on a miss, the whole flow ends.
In some possible implementations, the NFA state transition entry contains logic of an NFA state transition, and the P4 network device may parse the packet payload based on the NFA state transition entry; each NFA state transition entry contains the following components: current state, input symbol, transition type.
In some possible embodiments, the session rule entry is used for rule matching of the session flow, and specifically includes: pattern, pattern bits, unidirectional flow bitmap (unidirectional flow bitmaps), unidirectional flow rule number (unidirectional rule id), session rule number (session rule id).
In some possible implementations, the session rule entries are designed by the Snort3 intrusion detection system.
In some possible embodiments, parsing the data packet header includes: the P4 network device extracts each field in the packet header step by step in a predefined order and parses recursively; the source port number, the destination port number and the IP number obtained from the data packet are stored in the memory of the P4 network device.
In some possible embodiments, determining whether the mirrored data packet is a session data packet based on the packet header information includes: determining whether the data packet is a session data packet by analyzing the session identifier and the protocol interaction characteristics in the data packet.
In some possible implementations, the pattern bitmap in step S5 maps a pattern set that the payloads of the mirror packets match in all pipelines of the P4 network device.
In some possible implementations, if the mirrored data packet is a request packet in a session, the P4 network device reading a register based on the five-tuple hash index value includes: if the hash value does not collide, writing the five-tuple information, the pattern bitmap and the unidirectional flow rule number of the mirrored data packet to the register offset corresponding to the hash value; if a hash collision occurs, using linear probing (an open addressing method) to probe step by step for an empty hash bucket, and writing the five-tuple information, the pattern bitmap and the unidirectional flow rule number of the mirrored data packet into that hash bucket.
In some possible embodiments, the P4 network device calculates the five-tuple hash of the mirror packet using an MD5 algorithm in step S7.
In a second aspect, the present application further provides a P4-based session data packet multi-pattern string matching system, which specifically includes:
an issuing module, used for inputting the NFA state transition entries and the session rule entries into an entry input port of the P4 network device;
a P4 network device module, which comprises a P4 network device and is configured to execute any one of the P4-based session data packet multi-pattern string matching methods described in the first aspect;
and a server module, which comprises a server and is used for receiving the session rule number from the P4 network device, extracting the corresponding session rule information according to the session rule number, and updating a database log based on the session rule information.
By implementing the invention, the following beneficial technical effects are achieved, but not limited to:
(1) Compared with traditional multi-pattern matching algorithms, the method of the invention offloads multi-pattern string matching to the programmable switch, which reduces the cost in computing resources.
(2) The invention provides a deep packet inspection (DPI) method without buffering, which can efficiently extract session rules without buffering the session request data packets.
(3) The invention uses P4 to execute the deep packet inspection algorithm. Instead of buffering the data packet, it directly extracts the payload from the data packet and uses an NFA state transition algorithm to convert the payload into bitmap form, recorded in a local register, thereby avoiding the memory overhead of buffering data packets.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application.
Fig. 1 is a schematic flow chart of a P4-based session packet multi-mode string matching method according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a P4-based session packet multimode string matching system according to an embodiment of the present application;
Fig. 3 shows the operating state of a P4 network device register in an application scenario provided in accordance with an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, are intended to fall within the scope of the present invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. Although any methods similar or equivalent to those described herein can also be used in the practice or testing of the present disclosure, only exemplary methods are now described.
It should be understood that the terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
Referring to Figs. 1-2, Fig. 1 shows a P4-based session data packet multi-pattern string matching method according to an embodiment of the present application, including the following steps:
S1: the P4 network device obtains NFA state transition entries and session rule entries from the entry input port.
Specifically, the NFA state transition entry contains logic content of NFA state transition, and the P4 network device may parse the packet payload based on the NFA state transition entry. For example, each NFA state transition entry may contain the following components: current state, input symbols, transition type, etc.
The session rule entry is used for rule matching of session flows. In some possible implementations, the session rule entry may include: pattern, pattern bits, unidirectional flow bitmap (unidirectional flow bitmaps), unidirectional flow rule number (unidirectional rule id), session rule number (session rule id).
Preferably, the session rule entry may be designed by Snort3 intrusion detection system.
S2: the P4 network device receives the data packet from the receiving port and parses the data packet header.
Specifically, the parsing the header of the data packet includes parsing a source port number, a destination port number, and an IP number of the data packet, and storing the source port number, the destination port number, and the IP number in a memory of the P4 network device. The process of parsing the header of the packet occurs in a "parsing stage" (Parser) where the P4 network device extracts the fields in the header gradually in a predefined order and recursively parses it to handle some multi-layer encapsulated protocols, such as IP-in-IP, GRE, VXLAN. The P4 network device parser may define a plurality of parse states, each state being responsible for parsing a particular header or performing a particular action, such as jumping to a next state, extracting a field value, discarding a header, etc.
S3: the P4 network device mirror-copies the data packet, inputs the mirrored data packet into a recirculation port, and forwards the data packet from a forwarding port.
S4: judging whether the mirror image data packet is a session data packet or not based on the data packet head information; and if the mirror data packet is not the session data packet, ending the whole flow, and if the mirror data packet is the session data packet, executing step S5.
Specifically, whether the data packet is a session data packet may be determined by analyzing a session identifier (such as a quintuple, etc.) or a protocol interaction characteristic (such as a protocol handshake and termination procedure, a request and response mode, etc.) in the data packet, or whether the data packet belongs to a known session may be queried through a network device session table maintained by the P4 network device. For example, if the source port number or the destination port number of the mirror packet obtained by parsing is 80, the packet may be determined to be an HTTP session packet.
S5: NFA state transition processing is performed on the payload of the mirrored data packet according to the NFA state transition entries; when the P4 network device pipeline has completed the state transitions for all of the payload, a pattern bitmap is returned and the flow proceeds to step S6; otherwise the mirrored data packet is forwarded to the recirculation port.
Specifically, the pattern bitmap maps a pattern set that the payloads of the mirrored packets match in all pipelines of the P4 network device.
S6: the P4 network device maps the pattern bitmap to a unidirectional flow rule and temporarily stores the unidirectional flow rule in memory. The unidirectional flow rule takes the form of a compressed bitmap, which records the rule number matched by the pattern bitmap of the current packet.
S7: the P4 network device calculates the five-tuple hash of the mirrored data packet and determines whether the mirrored data packet is a request packet or a response packet; if it is a request packet in a session, the P4 network device reads a register based on the five-tuple hash index value; if it is a response packet in the session, the P4 network device reads the request packet's unidirectional flow rule number from the register based on the hash index value of the reversed five-tuple, and proceeds to step S8. Fig. 3 shows the operating state of the P4 network device register in this embodiment.
Specifically, the five-tuple consists of the source IP, destination IP, source port, destination port, and transport layer protocol type. Whether the mirrored data packet is a request packet or a response packet is determined after locating the response characteristic of the data packet according to the data packet header information and the five-tuple hash. If the mirrored data packet is a request packet in a session, the P4 network device reading a register based on the five-tuple hash index value includes: if the hash value does not collide, writing the five-tuple information, the pattern bitmap and the unidirectional flow rule number of the mirrored data packet to the register offset corresponding to the hash value; if a hash collision occurs, using linear probing (an open addressing method) to probe step by step for an empty hash bucket, and writing the five-tuple information, the pattern bitmap and the unidirectional flow rule number of the mirrored data packet into that hash bucket.
Preferably, the P4 network device may calculate the five-tuple hash of the mirrored data packet using an MD5 algorithm as the hash function.
S8: the unidirectional flow rule number of the request packet held in the register is combined with the unidirectional flow rule number of the mirrored data packet, and it is determined whether a session rule number from the input session rule entries is hit; a hit indicates that the session to which the mirrored data packet belongs may contain an attack, and the session rule number is uploaded to a server; on a miss, the whole flow ends.
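The S1 to S8 flow and the linear-probing register write described above, modelled in Python as an added example; it is not code from the patent and not P4. The patterns, rule numbers, port set, per-pass byte count and the five-tuple serialization fed to MD5 are constructed assumptions.

```python
import hashlib
from collections import namedtuple

FiveTuple = namedtuple("FiveTuple", "src_ip dst_ip src_port dst_port proto")

# Constructed sample entries (assumptions, not taken from the patent).
PATTERNS = [b"/etc/passwd", b"cmd.exe", b"root:x:0:0"]   # pattern i sets bit i
UNI_RULES = {1: 0b001, 2: 0b010, 3: 0b100}   # unidirectional rule id -> required bits
SESSION_RULES = {(1, 3): 100}                # (request rule, response rule) -> session rule id
SESSION_PORTS = {80}                         # S4: port 80 marks an HTTP session packet
BYTES_PER_PASS = 8                           # assumed payload bytes handled per pipeline pass


def build_nfa(patterns):
    """S1: build transition entries {(state, symbol): next_state} and accept bits."""
    trans, accept, next_state = {}, {}, 1
    for bit, pat in enumerate(patterns):
        state = 0
        for sym in pat:
            if (state, sym) not in trans:
                trans[(state, sym)] = next_state
                next_state += 1
            state = trans[(state, sym)]
        accept[state] = accept.get(state, 0) | (1 << bit)
    return trans, accept


def nfa_scan(trans, accept, payload):
    """S5: run the NFA in fixed-size passes, carrying the active state set between
    passes the way a recirculated packet carries its state; no payload is buffered."""
    active, bitmap, passes = {0}, 0, 0
    for off in range(0, len(payload), BYTES_PER_PASS):
        passes += 1
        for sym in payload[off:off + BYTES_PER_PASS]:
            nxt = {0}                        # start state stays active: match anywhere
            for state in active:
                target = trans.get((state, sym))
                if target is not None:
                    nxt.add(target)
                    bitmap |= accept.get(target, 0)
            active = nxt
    return bitmap, passes


def map_unidirectional(bitmap):
    """S6: map the pattern bitmap to a unidirectional flow rule number (0 = none)."""
    for rule_id, need in sorted(UNI_RULES.items()):
        if (bitmap & need) == need:
            return rule_id
    return 0


def bucket(ft, size):
    """S7: first 32 bits of the MD5 of the five-tuple, reduced to a register index."""
    raw = "|".join(str(field) for field in ft).encode()
    return int.from_bytes(hashlib.md5(raw).digest()[:4], "big") % size


class SessionMatcher:
    def __init__(self, table_size=64):
        self.trans, self.accept = build_nfa(PATTERNS)
        self.regs = [None] * table_size      # slot: (five-tuple, bitmap, rule id)

    def probe(self, ft):
        """Linear probing: slot already holding ft, else first empty slot, else -1."""
        start = bucket(ft, len(self.regs))
        for step in range(len(self.regs)):
            slot = (start + step) % len(self.regs)
            if self.regs[slot] is None or self.regs[slot][0] == ft:
                return slot
        return -1                            # table full: request state is not recorded

    def process(self, ft, payload):
        """S4 to S8 for one mirrored packet; returns a session rule id or None."""
        is_request = ft.dst_port in SESSION_PORTS
        if not (is_request or ft.src_port in SESSION_PORTS):
            return None                      # S4: not a session packet
        bitmap, _ = nfa_scan(self.trans, self.accept, payload)
        rule_id = map_unidirectional(bitmap)
        if is_request:
            slot = self.probe(ft)
            if slot >= 0:
                self.regs[slot] = (ft, bitmap, rule_id)
            return None
        reverse = FiveTuple(ft.dst_ip, ft.src_ip, ft.dst_port, ft.src_port, ft.proto)
        slot = self.probe(reverse)           # compares the stored five-tuple, not just the index
        entry = self.regs[slot] if slot >= 0 else None
        return SESSION_RULES.get((entry[2], rule_id)) if entry else None   # S8


def demo():
    # Constructed HTTP exchange: the request matches pattern 0, the response pattern 2.
    m = SessionMatcher()
    req = FiveTuple("10.0.0.5", "192.0.2.10", 40000, 80, 6)
    resp = FiveTuple("192.0.2.10", "10.0.0.5", 80, 40000, 6)
    m.process(req, b"GET /download?file=../../etc/passwd HTTP/1.1\r\n\r\n")
    return m.process(resp, b"HTTP/1.1 200 OK\r\n\r\nroot:x:0:0:root:/root:/bin/bash\n")
```

Only the request's bitmap and rule number are kept between the two directions, so neither packet alone raises the session rule; the model never evicts register entries, which a real deployment would have to handle.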
In a second aspect, an embodiment of the present invention further provides a P4-based session data packet multi-pattern string matching system, which includes the following modules:
An issuing module, used for inputting the NFA state transition entries and the session rule entries into an entry input port of the P4 network device.
A P4 network device module, which includes a P4 network device and is configured to execute the P4-based session data packet multi-pattern string matching method according to the embodiment of the first aspect.
A server module, which comprises a server and is used for receiving the session rule number from the P4 network device, extracting the corresponding session rule information according to the session rule number, and updating a database log based on the session rule information.
In the embodiments provided herein, it should be understood that the disclosed systems and methods may be implemented in other ways. For example, the system embodiments described above are merely illustrative. For example, the division into modules is only a division by logical function, and other divisions are possible in an actual implementation. In addition, the steps in the method of the embodiment of the invention can be reordered, combined and deleted according to actual needs.
The foregoing describes in detail preferred embodiments of the present invention. It should be understood that numerous modifications and variations can be made in accordance with the concepts of the invention without requiring creative effort by one of ordinary skill in the art. Therefore, all technical solutions which can be obtained by logic analysis, reasoning or limited experiments based on the prior art by a person skilled in the art according to the inventive concept shall be within the scope of protection defined by the claims.

Claims (10)

1. A P4-based session data packet multi-pattern string matching method, characterized by comprising the following steps:
S1: the P4 network device acquires NFA state transition entries and session rule entries from an entry input port;
S2: the P4 network device receives a data packet from a receiving port and parses the data packet header;
S3: the P4 network device mirror-copies the data packet, inputs the mirrored data packet into a recirculation port, and forwards the data packet from a forwarding port;
S4: whether the mirrored data packet is a session data packet is determined based on the data packet header information; if the mirrored data packet is not a session data packet, the whole flow ends, and if it is a session data packet, step S5 is executed;
S5: NFA state transition processing is performed on the payload of the mirrored data packet according to the NFA state transition entries; when the P4 network device pipeline has completed the state transitions for all of the payload, a pattern bitmap is returned and the flow proceeds to step S6; otherwise the mirrored data packet is forwarded to the recirculation port;
S6: the P4 network device maps the pattern bitmap to a unidirectional flow rule and temporarily stores the unidirectional flow rule in memory;
S7: the P4 network device calculates the five-tuple hash of the mirrored data packet and determines whether the mirrored data packet is a request packet or a response packet; if it is a request packet in a session, the P4 network device reads a register based on the five-tuple hash index value; if it is a response packet in the session, the P4 network device reads the request packet's unidirectional flow rule number from the register based on the hash index value of the reversed five-tuple, and proceeds to step S8;
S8: the unidirectional flow rule number of the request packet held in the register is combined with the unidirectional flow rule number of the mirrored data packet, and it is determined whether a session rule number from the input session rule entries is hit; a hit indicates that the session to which the mirrored data packet belongs may contain an attack, and the session rule number is uploaded to a server; on a miss, the whole flow ends.
2. The P4-based session data packet multi-pattern string matching method of claim 1, wherein the NFA state transition entry contains the logic content of the NFA state transition, and the P4 network device can parse the data packet payload based on the NFA state transition entry; each NFA state transition entry contains the following components: current state, input symbol, transition type.
3. The P4-based session data packet multi-pattern string matching method of claim 1, wherein the session rule entry is used for rule matching of the session flow, and specifically comprises: pattern, pattern bits, unidirectional flow bitmap (unidirectional flow bitmaps), unidirectional flow rule number (unidirectional rule id), session rule number (session rule id).
4. The P4-based session data packet multi-pattern string matching method of claim 1, wherein the session rule entry is designed through a Snort3 intrusion detection system.
5. The P4-based session data packet multi-pattern string matching method of claim 1, wherein said parsing the data packet header comprises:
the P4 network device extracts each field in the packet header step by step in a predefined order and parses recursively; the source port number, the destination port number and the IP number obtained from the data packet are stored in the memory of the P4 network device.
6. The P4-based session data packet multi-pattern string matching method of claim 1, wherein said determining whether said mirrored data packet is a session data packet based on the data packet header information comprises:
determining whether the data packet is a session data packet by analyzing the session identifier and the protocol interaction characteristics in the data packet.
7. The P4-based session data packet multi-pattern string matching method of claim 1, wherein the pattern bitmap in step S5 maps the pattern set that the payload of the mirrored data packet matches across all pipelines of the P4 network device.
8. The P4-based session data packet multi-pattern string matching method of claim 1, wherein the P4 network device reading the register based on the five-tuple hash index value if the mirrored data packet is a request packet in a session comprises:
if the hash value does not collide, writing the five-tuple information, the pattern bitmap and the unidirectional flow rule number of the mirrored data packet to the register offset corresponding to the hash value;
if a hash collision occurs, using linear probing (an open addressing method) to probe step by step for an empty hash bucket, and writing the five-tuple information, the pattern bitmap and the unidirectional flow rule number of the mirrored data packet into that hash bucket.
9. The P4-based session data packet multi-pattern string matching method of claim 1, wherein in step S7 the P4 network device calculates the five-tuple hash of the mirrored data packet using an MD5 algorithm.
10. A P4-based session data packet multi-pattern string matching system, comprising:
an issuing module, used for inputting the NFA state transition entries and the session rule entries into an entry input port of the P4 network device;
a P4 network device module, comprising a P4 network device, configured to perform the P4-based session data packet multi-pattern string matching method as claimed in any one of claims 1-9;
and a server module, which comprises a server and is used for receiving the session rule number from the P4 network device, extracting the corresponding session rule information according to the session rule number, and updating a database log based on the session rule information.
CN202410543583.6A 2024-04-30 2024-04-30 P4-based session data packet multimode character string matching method and system Pending CN118540107A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410543583.6A CN118540107A (en) 2024-04-30 2024-04-30 P4-based session data packet multimode character string matching method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410543583.6A CN118540107A (en) 2024-04-30 2024-04-30 P4-based session data packet multimode character string matching method and system

Publications (1)

Publication Number Publication Date
CN118540107A true CN118540107A (en) 2024-08-23

Family

ID=92380103

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410543583.6A Pending CN118540107A (en) 2024-04-30 2024-04-30 P4-based session data packet multimode character string matching method and system

Country Status (1)

Country Link
CN (1) CN118540107A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination