Method for inspecting deep packets based on suffix automaton regular engine structure

A deep packet inspection and automaton technique, applied in the field of network security, that solves the problems of DFA engine space explosion and NFA engine performance degradation, shortening response time, eliminating wasted space, and enabling efficient intrusion detection.

Inactive Publication Date: 2013-08-21
NORTHEASTERN UNIV

AI Technical Summary

Problems solved by technology

[0013] The purpose of the present invention is to provide a deep packet detection method based on the suffix automaton regular engine structure, which can effectively solve the problems in the prior art...

Examples


Embodiment 1

[0084] Embodiment 1: A deep packet inspection method based on the suffix automaton regular engine construction, as shown in Figure 1, including the following steps:

[0085] S1, the intrusion detection system extracts attack features to construct regular expressions;

[0086] S2, constructing a suffix NFA engine and using it for multi-pattern matching;

[0087] S3, obtaining the application layer protocol data packet and the log file of the Web server from the Web server;

[0088] S4, performing deep packet inspection on the above-mentioned protocol data packets and log files and sending the inspection results to the firewall;

[0089] S5, IP source tracing is carried out, and after the attack source is traced, the IP address of the attack source is sent to the firewall for packet filtering.

[0090] The specific method of constructing the suffix NFA engine described in step S2 includes:

[0091] a. Group regular expressions;

[0092] b. Integrate multiple reg...

Embodiment 2

[0117] Embodiment 2: A deep packet inspection method based on the suffix automaton regular engine construction, comprising the following steps:

[0118] S1, the intrusion detection system extracts attack features to construct regular expressions;

[0119] S2, constructing a suffix NFA engine and using it for multi-pattern matching;

[0120] S3, obtaining the application layer protocol data packet and the log file of the Web server from the Web server;

[0121] S4, performing deep packet inspection on the above-mentioned protocol data packets and log files, and sending the inspection results to the firewall.

[0122] The specific method of constructing the suffix NFA engine described in step S2 includes:

[0123] a. Group regular expressions;

[0124] b. Integrate multiple regular expressions in each group into one regular expression by OR operation;

[0125] c. Rewrite the integrated regular expression into a reverse Polish form to obtain a suffix regular expression;

...
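Steps a to c above (grouping, OR-integration, reverse Polish rewriting), as an added Python example that is not taken from the patent. The toy regex syntax (literals, `|`, `*`, parentheses), the grouping by label, the sample signatures and the request lines in the usage are constructed assumptions, and `search` evaluates the postfix form over sets of input positions as a stand-in for the suffix NFA, whose construction is not shown on this page.

```python
PREC = {'*': 3, '.': 2, '|': 1}   # '.' = explicit concatenation, so not usable as a literal

def merge(group):
    """Step b: OR the expressions of one group into a single expression."""
    return '|'.join('(%s)' % rx for rx in group)

def to_postfix(rx):
    """Step c: shunting-yard rewrite into reverse Polish (postfix) form."""
    out, ops = [], []
    for i, c in enumerate(rx):
        if i and rx[i - 1] not in '(|' and c not in ')|*':
            c = '.' + c                      # insert the implicit concatenation
        for t in c:
            if t == '(':
                ops.append(t)
            elif t == ')':
                while ops[-1] != '(':
                    out.append(ops.pop())
                ops.pop()
            elif t in PREC:
                while ops and ops[-1] != '(' and PREC[ops[-1]] >= PREC[t]:
                    out.append(ops.pop())
                ops.append(t)
            else:
                out.append(t)
    return ''.join(out + ops[::-1])

def star(f, pos):   # positions reachable by applying f zero or more times
    seen = set(pos)
    while pos:
        pos = f(pos) - seen
        seen |= pos
    return seen

def search(postfix, data):
    """Evaluate the postfix form over sets of positions; True on any match."""
    st = []
    for c in postfix:
        if c in '.|':
            g, f = st.pop(), st.pop()
            st.append((lambda p, f=f, g=g: g(f(p))) if c == '.'
                      else (lambda p, f=f, g=g: f(p) | g(p)))
        elif c == '*':
            st.append(lambda p, f=st.pop(): star(f, p))
        else:
            st.append(lambda p, c=c: {i + 1 for i in p if data[i:i + 1] == c})
    return bool(st.pop()(set(range(len(data) + 1))))

# Step a: constructed groups keyed by an assumed label; one postfix engine per group.
GROUPS = {'sqli': ['union(%20)*select', 'or(%20)*1=1'], 'lfi': ['etc/passwd']}
ENGINES = {name: to_postfix(merge(g)) for name, g in GROUPS.items()}
```

For instance, `search(ENGINES['sqli'], 'GET /item?id=1%20union%20%20select%20pw HTTP/1.1')` returns `True`, while the `lfi` engine returns `False` for the same constructed request line.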

Experiment example

[0150] The number of regular expressions supported by a hardware regular engine is extremely limited, which makes it unsuitable for current network information systems, especially for deep packet inspection in cloud computing systems. In current software engine systems such as Snort, a single DFA matching multiple regular expressions suffers from space explosion, and the traditional NFA engine suffers from a sharp decline in parallel matching performance. Moreover, there are currently only four theories or methods for constructing regular engines, and practical systems are basically implemented based on Thompson automata. The NFA engine obtained by the existing automaton construction theory is not the smallest; a classic example is used for comparison and illustration as follows:

[0151] The present invention and various existing NFA construction methods are used to construct the NFA for the same regular expression r, wherein,

[0152...


Abstract

The invention discloses a method for inspecting deep packets based on a suffix automaton regular engine structure. The method comprises the following steps: S1, an intrusion detection system extracts attack features and constructs regular expressions; S2, a suffix nondeterministic finite automaton (NFA) engine is constructed and used for multi-pattern matching; S3, application layer protocol data packets and Web server log files are obtained from a Web server; S4, deep packet inspection is performed on the protocol data packets and the log files, and the inspection results are sent to a firewall. With this method, the multiple-regular-expression matching of a deterministic finite automaton (DFA) can be achieved by a single automaton in NFA mode. This solves the problems that the NFA cannot match multiple regular expressions and that space explosion occurs when the DFA matches multiple regular expressions, and it effectively reduces the space size of the NFA. It also solves the problems that the traditional NFA engine construction method wastes space and that invalid traversal occurs during pattern matching, effectively shortens the response time of deep packet inspection, and improves the overall performance and efficiency of the system.

Description

Technical field

[0001] The invention relates to a deep packet detection method based on a suffix automaton regular engine structure, belonging to the technical field of network security.

Background technique

[0002] In recent years, attack techniques and attack tools specifically targeting the application layer have gradually been replacing earlier attacks targeting the network layer and transport layer. Among them, denial of service attacks implemented at the application layer, such as XML-based denial of service attacks (eXtensible Markup Language-based Denial of Service: X-DoS) and HTTP-based denial of service attacks (Hypertext Transfer Protocol-based Denial of Service: H-DoS), have become the most serious security threat faced by Web technology and cloud computing. On the one hand, this is because this type of attack is very simple to implement, and on the other hand, because these attack data packets are transmitted on the network with normal protocol data packets, which ...


Application Information

IPC(8): H04L29/06, H04L12/26
Inventor: 敬茂华
Owner: NORTHEASTERN UNIV