Rule matching method and device

A rule matching method and device, applied in the field of network security, that addresses problems such as large memory usage, a skyrocketing number of state machines, and slow matching speed.

Active Publication Date: 2021-06-18
NSFOCUS INFORMATION TECHNOLOGY CO LTD +1

AI Technical Summary

Problems solved by technology

The AC engine is suitable for small-scale rule matching systems. If the rule set contains many identification features, the number of generated state machines skyrockets, resulting in large memory usage. The regular-expression engine generally works in two stages: a compilation stage and a rule matching stage, where the compilation stage compiles the rule set into a state machine. When the rule set contains many identification features, the compilation stage generates a large number of state machines, which eventually leads to large memory usage. slow down

Examples

Embodiment 1

[0085] The rule system can be divided into two parts: the rule set and the rule engine. The rule set contains multiple rules, each rule contains multiple identification features, and one or more logical constraint relationships are allowed between the identification features in each rule. For character string features in particular, the multiple character strings in a rule can be in a logical AND relationship, meaning that all of the strings must match successfully; in a logical OR relationship, meaning that a match on any one string is sufficient; or in a mixed relationship of logical AND and logical OR. From the perspective of character matching, a character string feature may also be called a pattern string.
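The rule model in [0085], as an added example that is not code from the patent: every pattern string in the rule set is compiled into a single Aho-Corasick state machine, each rule's AND/OR logic is evaluated over the strings that hit, and the state count is returned because it is the quantity that drives memory use as identification features accumulate. The rule names, the pattern strings and the OR-of-AND-groups encoding are assumptions made for illustration.

```python
from collections import deque

# Constructed sample rule set (assumption). A rule is an OR of AND-groups:
# [[a, b]] = a AND b; [[a], [b]] = a OR b; [[a, b], [c]] = mixed.
RULES = {
    "sqli-union": [[b"union", b"select"]],
    "scanner-ua": [[b"sqlmap"], [b"nikto"]],
    "webshell": [[b"eval(", b"base64_decode"], [b"cmd.exe"]],
}

def build_automaton(patterns):
    """Compile pattern strings into one Aho-Corasick state machine."""
    goto, fail, out = [{}], [0], [set()]
    for pat in patterns:
        s = 0
        for byte in pat:
            if byte not in goto[s]:
                goto.append({})
                fail.append(0)
                out.append(set())
                goto[s][byte] = len(goto) - 1
            s = goto[s][byte]
        out[s].add(pat)
    queue = deque(goto[0].values())
    while queue:  # breadth-first pass that fills in the failure links
        s = queue.popleft()
        for byte, nxt in goto[s].items():
            queue.append(nxt)
            f = fail[s]
            while f and byte not in goto[f]:
                f = fail[f]
            fail[nxt] = goto[f].get(byte, 0)
            out[nxt] |= out[fail[nxt]]
    return goto, fail, out

def scan(automaton, data):
    """Return the set of pattern strings that occur anywhere in data."""
    goto, fail, out = automaton
    s, hits = 0, set()
    for byte in data:
        while s and byte not in goto[s]:
            s = fail[s]
        s = goto[s].get(byte, 0)
        hits |= out[s]
    return hits

def match_rules(rules, data):
    """Return (sorted names of matching rules, number of automaton states)."""
    patterns = {p for groups in rules.values() for g in groups for p in g}
    automaton = build_automaton(patterns)
    hits = scan(automaton, data.lower())
    matched = sorted(name for name, groups in rules.items()
                     if any(all(p in hits for p in g) for g in groups))
    return matched, len(automaton[0])
```

Every pattern string added to the rule set adds states to this one machine, whether or not the rule it belongs to can ever fire on a given flow.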

[0086] The current mainstream rule system is to use all pattern strings according to the flow direction defined by the matching rules (including but not limited to: message request direction re...

Embodiment 2

[0263] Based on the same inventive concept, the embodiment of the present invention also provides a device for rule matching. Since this device is the device used by the method in the embodiment of the present invention, and its problem-solving principle is similar to that of the method, the implementation of the device may refer to the implementation of the method, and repeated descriptions are omitted.

[0264] As shown in Figure 10, the device includes a processor 1000 and a memory 1001. The memory is used to store a program executable by the processor, and the processor is used to read the program in the memory and perform the following steps:

[0265] Determine the pattern string contained in at least one rule in the rule set;

[0266] Splitting the set of rules into a plurality of subsets, wherein at least one subset includes a first rule, and the first rule is a rule including at least one non-logical AND pattern string; any subset includes a secon...

Embodiment 3

[0285] Based on the same inventive concept, the embodiment of the present invention also provides a device for rule matching. Since this device is the device used by the method in the embodiment of the present invention, and its problem-solving principle is similar to that of the method, the implementation of the device may refer to the implementation of the method, and repeated descriptions are omitted.

[0286] As shown in Figure 11, the device includes:

[0287] A determining unit 1100, configured to determine a pattern string contained in at least one rule in the rule set;

[0288] A splitting unit 1101, configured to split the set of rules into multiple subsets, wherein at least one of the subsets includes a first rule, and the first rule is a rule including at least one non-logical AND pattern string; any subset includes a second rule, the second rule being a rule comprising a pattern string of at least one logical AND relat...

Abstract

The invention discloses a rule matching method and device, which split rule sets according to a logical relationship so as to reduce the scale of the state machine generated by a single rule set, reduce memory occupation, and improve rule matching performance and matching speed. The method comprises the following steps: determining a pattern string contained in at least one rule in a rule set; splitting the rule set into a plurality of subsets, wherein at least one subset comprises a first rule, the first rule being a rule comprising at least one pattern string in a non-logical-AND relationship, and any subset comprises a second rule, the second rule being a rule comprising at least one pattern string in a logical AND relationship; and performing rule matching on the acquired flow data according to the rules contained in the subsets.

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a rule matching method and device.

Background

[0002] The rule system is widely used in security devices and provides functions such as threat identification, application identification, AV (anti-virus) detection, and URL (uniform resource locator) identification. The rule system can be divided into two parts: the rule set and the rule engine.

[0003] The rule set is used to determine the characteristics of the target to be identified (that is, network traffic). The rule set contains multiple rules, and each rule contains multiple identification features, which can be port features, length constraints, offset constraints, string features, etc. One or more logical constraint relationships exist among the identification features in each rule.

[0004] The rule engine is used to realize the s...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L12/24, H04L29/06
CPC: H04L41/083, H04L63/1416
Inventor: 赵洪亮, 谢正明, 叶建伟, 黄俊
Owner NSFOCUS INFORMATION TECHNOLOGY CO LTD