Packet data detection method based on flow management

Abstract

The invention discloses a message data detection method based on stream management. The method comprises the following steps of: receiving data message data in a network, and extracting five-element array information in current message data; sequencing the five-element array information, converting the five-element array information into identification numbers through a hash algorithm, and judging whether flows with the same identification numbers as the five-element array information exist or not; if yes, judging the direction of the current message data; judging whether the current message data are the next message data of the former message data in the direction or not, and if yes, reading a detection state of the former message data in the direction from the flows and adopting an AC algorithm to detect the next message data following the detection state of the former message data; and determining whether buffered message data which are not detected exist in the direction in a flow management memory or not, if yes, repeating the AC algorithm detection flow, and finally updating the last detection state into the flow management memory.

Description

technical field [0001] The invention relates to the technical field of network information transmission security, in particular to a message data detection method based on flow management. Background technique [0002] With the development of the network and the emergence of various application layer protocols, devices based on packet data content analysis and detection (such as IPS, protocol identification, behavior audit, etc.) are correspondingly produced. The main working principle of these devices is to find some specific keywords (deep inspection / status inspection) from the application layer information of the message data, so as to achieve the purpose of identifying information such as protocols, viruses, and attacks. [0003] Because of the characteristics of the tcp protocol, the data of the communication parties is usually not sent in one message data, but is usually sent in multiple message data. For this feature, attackers often hide key information such as viru...

AI Technical Summary

Problems solved by technology

[0005] However, if the user data is reorganized and detected according to the above method, it will bring the following two problems: 1. Stream reorganization needs to cache multiple data of the same stream, and then copy the user data together after reaching a certain time , to re-test the reorganized data, which will take up a lot of device resources and greatly reduce the processing performance of the device

2. When an attack or virus is detected by reorganization, since the original user data does not contain attack and virus information, the original data has "bypassed" the attack detection device and reached the user's host, and the attack and virus have already taken effect, so when the reorganization detection When the attack and virus information is released, it is too late, and only a warning message can be issued to inform the user

Images