Method and system for detecting white list of data stream based on regular expression

A regular-expression and data-flow technology, applied in digital transmission systems, other database retrieval, transmission systems, etc., that can solve problems such as network server intrusion, penetration attacks, and loss of sensitive server data.

Active Publication Date: 2020-01-07
SHENZHEN Y& D ELECTRONICS CO LTD

AI Technical Summary

Problems solved by technology

Penetration attacks aimed at political and economic interests are still on the rise. Security incidents such as hacking, virus outbreaks, network paralysis, and homepage tampering occur frequently and are becoming more serious, leading to intrusion into network servers, loss of sensitive server data, network system crashes, and server downtime, so that normal business cannot be carried out.
[0003] The biggest disadvantage of blacklist detection based on virus detection, IDS/IPS protection, WAF (web application firewall), etc. Overdetection
The existing whitelist detection technology is mainly based on access control at the link layer, network layer, transport layer, and some application layers. Attackers can bypass the protection by disguising the source address, or initiate penetration attacks against application service flaws in the existing business service system.


Examples


Embodiment Construction

[0043] It should be noted that, in the case of no conflict, the embodiments in the present application and the features in the embodiments can be combined with each other.

[0044] See Figure 1, a flow chart of a method for detecting a network data flow whitelist according to an embodiment of the present invention. As shown in Figure 1, the steps of this method are as follows:

[0045] Step S1: Obtain network data flow;

[0046] Step S2: Service protocol detection: perform service protocol detection on the network data flow, and judge whether the service data flow conforms to the service protocol;

[0047] If the judgment result for the business data flow is no, it is discarded;

[0048] If the judgment result for the business data flow is yes, execute the next step;

[0049] Step S3: Restoring the session message to obtain a complete message;

[0050] Step S4: Perform message analysis on the complete message to obtain parameter values, i...


Abstract

The invention discloses a method for detecting a white list of a data stream based on a regular expression. The method comprises the following steps: S1, acquiring a network data stream; S2, detecting a service protocol: carrying out service protocol detection on the network data flow, and judging whether the network data flow conforms to a service protocol; if the judgment result is no, discarding the network data flow; if the judgment result is yes, identifying the network data flow as a service data flow, and executing the next step; S3, restoring the session message to obtain a complete message; S4, performing message analysis on the complete message to obtain message data, wherein the message data comprises a parameter value, an instruction and an instruction parameter; and S5, executing white list learning processing or white list detection processing on the message data according to the current mode. The invention further discloses a system for detecting a white list of a data stream based on a regular expression. Recognizable, valid service data streams are released, and data from various new and old attack behaviors is marked as abnormal service stream data and intercepted, so as to provide accurate detection and protection for the system.
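The S1 to S5 pipeline described in the abstract, sketched as an added example (not code from the patent). It assumes the service protocol is a single HTTP/1.1 request line and that learning generalizes each observed parameter value into bounded character-class runs; `WhitelistEngine`, `generalize`, `char_class` and the sample requests are hypothetical.

```python
import re
from itertools import groupby
from urllib.parse import urlsplit, parse_qsl

# Assumption: the "service protocol" is a single HTTP/1.1 request line.
REQUEST_LINE = re.compile(r"^(GET|POST) (/\S*) HTTP/1\.1$")

def char_class(ch):
    if ch.isascii() and ch.isdigit():
        return "[0-9]"
    return "[A-Za-z]" if ch.isascii() and ch.isalpha() else re.escape(ch)

def generalize(value):
    # Assumed learning rule: each run of one character class becomes a bounded repeat.
    return "".join(f"{c}{{1,{len(list(g))}}}" for c, g in groupby(map(char_class, value)))

class WhitelistEngine:
    def __init__(self):
        self.mode = "learn"   # set to "detect" once training traffic has been seen
        self.rules = {}       # (method, path) -> {parameter name: set of regexes}

    def process(self, segments):
        # S2: protocol check on the first segment; non-conforming flows are discarded
        if not segments or not segments[0].startswith((b"GET ", b"POST ")):
            return "discard"
        # S3: restore the complete message from its segments
        m = REQUEST_LINE.match(b"".join(segments).decode("ascii", "replace").strip())
        if not m:
            return "discard"
        # S4: instruction = method + path; instruction parameters = decoded query pairs
        url = urlsplit(m.group(2))
        key, params = (m.group(1), url.path), parse_qsl(url.query, keep_blank_values=True)
        # S5: learn or detect according to the current mode
        if self.mode == "learn":
            slot = self.rules.setdefault(key, {})
            for name, value in params:
                slot.setdefault(name, set()).add(generalize(value))
            return "learned"
        slot = self.rules.get(key)
        ok = slot is not None and all(
            any(re.fullmatch(p, v) for p in slot.get(n, ())) for n, v in params)
        return "pass" if ok else "abnormal"

def demo():
    # Constructed flows: one split training request, then a normal and an injected probe.
    eng = WhitelistEngine()
    eng.process([b"GET /user?id=42", b" HTTP/1.1\r\n"])
    eng.mode = "detect"
    return (eng.process([b"GET /user?id=7 HTTP/1.1\r\n"]),
            eng.process([b"GET /user?id=1%20OR%201%3D1 HTTP/1.1\r\n"]))
```

Because each learned pattern bounds run lengths to what was observed, an instruction or parameter shape absent from the training traffic is reported as abnormal, so the learning phase must cover the full range of legitimate values.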

Description

Technical field

[0001] The invention relates to the field of system detection, in particular to a method and a system for detecting data stream whitelists based on regular expressions.

Background technique

[0002] With the rapid development of network information technology, network attacks emerge in an endless stream, and network security problems are becoming more and more serious. However, traditional blacklist-based detection technology is becoming more and more difficult to block various new attacks. Penetration attacks aimed at political and economic interests are still on the rise, such as hacking, virus ravages, network paralysis, homepage tampering and other security incidents occur frequently and become increasingly severe, leading to network server intrusion and loss of sensitive data on the server, network system crashes and server downtime, etc., normal business cannot be carried out.

[0003] The biggest disadvantage of blacklist detection based on virus det...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L12/26, H04L29/06, H04L29/08, G06F16/903
CPC: H04L43/18, H04L67/02, H04L63/1466, H04L69/22, G06F16/90344
Inventor 戚建淮杨旭东郑伟范宋晶刘建辉
Owner SHENZHEN Y& D ELECTRONICS CO LTD