
CN107547511B - Message processing method and device - Google Patents


Info

Publication number: CN107547511B
Authority: CN (China)
Prior art keywords: application, message, session, syn, belongs
Legal status: Active
Application number: CN201710559801.5A
Other languages: Chinese (zh)
Other versions: CN107547511A (en)
Inventors: 毛中浩, 谷叶飞
Current Assignee: New H3C Security Technologies Co Ltd
Original Assignee: New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd
Priority to CN201710559801.5A
Publication of CN107547511A
Application granted
Publication of CN107547511B

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The embodiment of the invention provides a message processing method and a device, which are applied to deep packet inspection equipment, and the method comprises the following steps: receiving a SYN message; identifying a first application to which the SYN message belongs by using a PBAR; recording the first application as the application corresponding to the session established by using the SYN message, and marking the first application as invalid; receiving a service message; if the application mark corresponding to the session to which the service message belongs is invalid, identifying a second application to which the service message belongs by using NBAR; and when the second application is a preset specified application, performing data filtering on the service message sent based on the session to which the service message belongs. By applying the embodiment of the invention, the safety of message interaction between devices can be improved.

Description

Message processing method and device
Technical Field
The present invention relates to the field of packet detection technologies, and in particular, to a packet processing method and apparatus.
Background
Deep Packet Inspection (DPI) is an application-layer traffic inspection and control technology. It inspects the application-layer payload carried by different network protocols, such as the Hypertext Transfer Protocol (HTTP) and the Domain Name System (DNS), and determines the validity of a packet by examining its payload. Deep packet inspection is an important technology in applications such as intrusion detection systems (IDS) and intrusion prevention systems (IPS), application identification, network monitoring, and content auditing.
Existing DPI equipment has two methods for identifying applications. One is port-based application recognition (PBAR), which identifies the application to which a message belongs according to a mapping relationship between ports and applications. The PBAR may include a predefined PBAR and/or a custom PBAR: the predefined PBAR identifies the application to which the message belongs according to the mapping between predefined ports and applications, and the custom PBAR identifies it according to the mapping between user-defined ports and applications. The other is content-based application recognition (NBAR), which extracts message features from a message and identifies the application to which the message belongs by matching the extracted features against the feature items in a feature library.
PBAR is typically used to identify the application to which a message of the TCP/IP three-way handshake (e.g., a SYN message) belongs. NBAR is generally used to identify the application to which a service message sent over a session belongs, after the session has been successfully established through the three-way handshake. The specific process by which a DPI device identifies an application is as follows:
when the DPI device identifies the application to which the SYN message belongs by using the PBAR, two situations can be distinguished:
in case one, if the identified application is identified by the predefined PBAR, the identified application is not added to the session information corresponding to the session established based on the SYN message. After the session is successfully established, when a service message sent based on the session is received, the NBAR is used for identifying the application to which the service message belongs, and then the application identified by the NBAR is recorded in the session information corresponding to the session;
and in case two, if the application is identified by the user-defined PBAR, the identified application is added to the session information corresponding to the session established based on the SYN message. Therefore, after the session is successfully established, when the service message sent based on the session is received, the NBAR is not utilized to perform application identification on the service message. This is because, in general, the customized PBAR has a higher priority than the NBAR, and therefore, if the application to which the SYN message belongs is identified by using the customized PBAR, the application to which the service message sent based on the session belongs is not identified by using the NBAR.
However, the DPI device only performs data filtering on the service packet identified by the NBAR, that is, the DPI device cannot perform data filtering on the service packet sent based on the session established in the second case.
Disclosure of Invention
The embodiment of the invention aims to provide a message processing method and a message processing device so as to improve the safety of message interaction between devices. The specific technical scheme is as follows:
in a first aspect, an embodiment of the present invention provides a packet processing method, which is applied to a deep packet inspection device, and the method includes:
receiving a SYN message;
identifying a first application to which the SYN message belongs by using the PBAR;
recording the first application as an application corresponding to the session established by using the SYN message, and marking the first application as invalid;
receiving a service message;
if the application mark corresponding to the session to which the service message belongs is invalid, identifying a second application to which the service message belongs by using an NBAR;
and when the second application is a preset specified application, performing data filtering on the service message sent based on the session to which the service message belongs.
In a second aspect, an embodiment of the present invention further provides a packet processing apparatus, which is applied to a deep packet inspection device, and the apparatus includes:
a first receiving unit, configured to receive a SYN packet;
a first identification unit, configured to identify, by using a PBAR, a first application to which the SYN packet belongs;
a first recording unit, configured to record the first application as an application corresponding to a session established using the SYN packet, and mark the first application as invalid;
a second receiving unit, configured to receive a service packet;
a second identification unit, configured to identify, if an application flag corresponding to a session to which the service packet belongs is invalid, a second application to which the service packet belongs by using NBAR;
and the filtering unit is used for performing data filtering on the service message sent based on the session to which the service message belongs when the second application is a preset specified application.
In the scheme, when the PBAR identifies the first application to which the SYN packet belongs, the deep packet inspection device may record the first application as the application corresponding to the session established using the SYN packet, and mark the application as invalid, so that when receiving the service packet, the deep packet inspection device may identify the service packet using NBAR because the application mark corresponding to the session to which the service packet belongs is invalid, and further, may implement data filtering on the service packet. Therefore, the embodiment of the invention can realize data filtering on the received service message, thereby improving the safety of message interaction between devices.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a message processing method according to an embodiment of the present invention;
fig. 2 is another flowchart of a message processing method according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a message processing apparatus according to an embodiment of the present invention;
fig. 4 is another schematic structural diagram of a message processing apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict. The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
In order to improve the security of message interaction between a message sending device and a message receiving device, embodiments of the present invention provide a message processing method and apparatus.
First, a method for processing a message according to an embodiment of the present invention is described below.
The message processing method provided by the embodiment of the invention is applied to a message processing device. Specifically, an execution main body of the message processing method provided by the embodiment of the present invention may be a DPI device, where the DPI device is connected between a message sending device and a message receiving device, and the DPI device may implement detection and control on a network application layer message, so as to ensure security of message data content.
As shown in fig. 1, the message processing method provided in the embodiment of the present invention may include the following steps:
s101, receiving a SYN message.
The SYN message is the first message in the three-way handshake of the TCP/IP protocol, and the DPI device may first receive the SYN message sent by the message sending device.
And S102, identifying the first application to which the SYN message belongs by using the PBAR.
It should be noted that the DPI device is configured with a PBAR, which can include a predefined PBAR and/or a custom PBAR. When only the predefined PBAR is configured, the DPI device identifies the first application to which a received SYN message belongs by using the predefined PBAR. When both the predefined PBAR and the custom PBAR are configured, the DPI device first identifies the first application according to the custom PBAR, because the custom PBAR has a higher priority than the predefined PBAR. Specifically, identifying the first application to which the SYN message belongs by using the PBAR may include the following. When the DPI device is not configured with a custom PBAR, on receiving the SYN message it obtains the port in the SYN message and identifies the first application according to the port-to-application mapping in the predefined PBAR. When the DPI device is configured with a custom PBAR, it obtains the port in the received SYN message and identifies the first application according to the port-to-application mapping in the custom PBAR. For example, when receiving a SYN message sent by a terminal to a server, the DPI device may obtain port 23456 from the SYN message, and if a mapping between port 23456 and the application WXYZ exists in the custom PBAR, it may identify the first application to which the SYN message belongs as WXYZ.
S103, recording the first application as an application corresponding to the session established by the SYN message, and marking the first application as invalid.
In the embodiment of the present invention, when it is determined that the message sending device and the message receiving device have successfully established a session through the three-way handshake, the DPI device may record the first application identified in step S102 as the application corresponding to the session established using the SYN message, and mark the first application as invalid. If the DPI device is configured with a custom PBAR, the first application identified by the custom PBAR is added to the application field in the session information corresponding to the session established based on the SYN message; because the first application is marked as invalid, it is added to the session information but does not take effect. If the DPI device is not configured with a custom PBAR, the first application identified by the predefined PBAR is not added to the application field in the session information, so whether the first application is marked valid or invalid does not affect the step of identifying the application to which the service message belongs by using NBAR.
Specifically, in the DPI device, different applications correspond to different ID values. For convenience of description, in the embodiment of the present invention, after the first application is recorded as the application corresponding to the session established using the SYN message, the ID value corresponding to the first application is referred to as the first ID value.
For example, if the ID value corresponding to the first application WXYZ is "10", the first ID value may be "10".
In an implementation manner of the embodiment of the present invention, the DPI device may write the first ID value into the five-layer protocol ID value, and add a flag bit to the five-layer protocol ID value, where different sessions correspond to different five-layer protocol ID values. Further, the flag bit may be set to an invalid state, which here corresponds to marking the first application as invalid.
The first ID value and the five-layer protocol ID value are both binary numbers, and different five-layer protocol ID values can be obtained by different first ID values. Wherein the step of writing the first ID value to the five-layer protocol ID value can be performed using prior art techniques.
In the embodiment of the present invention, the flag bit added to the five-layer protocol ID value may be set at the highest bit of the five-layer protocol ID value, wherein the valid flag bit is at least one bit. For example, if the five-layer protocol ID value is "1100", the highest bit of the five-layer protocol ID value is "1", and a bit is added to the left of the highest bit "1", the five-layer protocol is changed to "01100", where "0" of the highest bit of "01100" is an added flag bit, and the "0" of the highest bit may indicate that the five-layer protocol ID value is in an invalid state, i.e., mark the first application as invalid.
In this embodiment, the specific position and the number of bits of the flag bit are not limited: it is reasonable for the flag bit to be placed to the left of the highest bit and to be one bit, as in the above example, or to be placed to the right of the lowest bit, or to be two or more bits.
S104, receiving the service message.
In the embodiment of the present invention, after the first application is marked as invalid, further, the service packet sent by the packet sending device may be received.
S105, if the application mark corresponding to the session to which the service message belongs is invalid, identifying a second application to which the service message belongs by using NBAR.
In the embodiment of the present invention, if the SYN message is identified by using the custom PBAR to obtain the first application to which the SYN message belongs, the first application may be added to the session information corresponding to the session established based on the SYN message. Since the application corresponding to that session, that is, the first application, is marked invalid, the DPI device may identify the second application to which the service message belongs by using NBAR after receiving a service message belonging to the session established using the SYN message.
Specifically, the process of identifying the second application to which the service packet belongs by using the NBAR may be: and identifying the characteristics of the received service message, and identifying the second application to which the service message belongs according to the characteristics.
And S106, when the second application is a preset specified application, performing data filtering on the service message sent based on the session to which the service message belongs.
After the NBAR is used to identify the second application to which the service packet belongs, it may be determined whether the second application is a preset specific application, and if the second application is the preset specific application, data filtering may be performed on the received service packet.
The preset specific application may include: HTTP, SMTP, and FTP.
In an implementation manner of the embodiment of the present invention, after identifying the second application to which the service message belongs, the ID value corresponding to the second application may be determined according to a preset mapping relationship between applications and ID values, and the ID value corresponding to the second application is used as the second ID value. For example, if the second application is HTTP, and the preset mapping relationship between applications and ID values includes the correspondence between the application "HTTP" and the ID value "20", then the ID value "20" is determined as the ID value corresponding to the second application, and further, the ID value "20" may be used as the second ID value.
Further, the second ID value may be written to a six-layer protocol ID value, where different sessions correspond to different six-layer protocol ID values; the six-layer protocol ID value thus corresponds to the second application. After determining the six-layer protocol ID value corresponding to the second application to which the service message belongs, the DPI device judges whether the six-layer protocol ID value meets a preset condition, that is, whether the second application is a preset specified application, and determines whether to perform data filtering on the messages sent based on the session according to the judgment result. Judging whether the six-layer protocol ID value meets the preset condition comprises: searching a pre-stored ID table for an ID value equal to the six-layer protocol ID value; if one exists, the preset condition is met, otherwise it is not met.
In the embodiment of the present invention, when the deep packet inspection device identifies the first application to which the SYN packet belongs by using the PBAR, the deep packet inspection device may record the first application as the application corresponding to the session established by using the SYN packet, and mark the application as invalid, so that when receiving the service packet, the deep packet inspection device may identify the service packet by using the NBAR because the application mark corresponding to the session to which the service packet belongs is invalid, and further, may implement data filtering on the service packet. Therefore, the embodiment of the invention can realize data filtering on the received service message, thereby improving the safety of message interaction between devices.
On the basis of the embodiment shown in fig. 1, the method further comprises: recording the second application in the application field in the session information of the session to which the service message belongs.
Specifically, if the DPI device determines that the packet sending device and the packet receiving device successfully establish a session through three handshakes, the DPI device may record the first application in step S102 as an application corresponding to the session established using the SYN packet, and mark that the first application is invalid. In this embodiment, regardless of whether the first application is identified according to the predefined PBAR or the customized PBAR, the first application is not recorded in the application field of the session information, but the second application is recorded in the application field of the session information after the NBAR is used to identify the second application to which the service packet belongs.
Optionally, the message processing method according to the embodiment of the present invention may further include the following steps:
and recording the first application in a first field included in an application field in session information of a session established by the SYN message.
Specifically, an application field in session information of a session established using the SYN packet is split into a first field and a second field. The first application to which the SYN message belongs may be recorded in the first field after identifying the first application with PBAR.
Optionally, the first application is recorded as an application corresponding to a session established by using the SYN packet, and the process of marking as invalid may be: and recording the first application as the application corresponding to the session established by using the SYN message, marking the first application as valid, and modifying the mark as invalid after recording the first application in the first field included in the application field of the session information of the session established by using the SYN message.
Specifically, the DPI device may establish session information of a session to which the SYN packet belongs by using the SYN packet, identify a first application to which the SYN packet belongs, and mark a record of the first application as valid, so that the DPI device may record the first application in a first field in a state where the record of the first application is marked as valid, and further mark the record of the first application as invalid after the record of the first application in the first field.
Further, the second application may be recorded in a second field included in an application field in the session information of the session to which the service packet belongs.
In this way, the user is facilitated to view the applications recorded in the first field and the second field.
A message processing method provided in the embodiment of the present invention is described below with reference to a specific application example. As shown in fig. 2, the message processing method may include:
s201, a SYN message is received.
Before the DPI device receives the service packet, it may detect that the packet sending device and the packet receiving device perform three-way handshake, that is, the DPI device may first receive the SYN packet.
S202, identifying the first application to which the SYN message belongs by using the PBAR.
In the embodiment of the present invention, after detecting that the first handshake of the three-way handshake is performed by the packet sending device and the packet receiving device, that is, at the stage of receiving the SYN packet, the DPI device may obtain the port in the received SYN packet, and identify the application corresponding to the port in the SYN packet according to the mapping relationship between the port and the application in the predefined PBAR or the custom PBAR, where the application corresponding to the port in the SYN packet is used as the first application to which the SYN packet belongs.
S203, recording the first application as an application corresponding to the session established by the SYN message, and marking the first application as valid.
After determining that the packet sending device and the packet receiving device have undergone three-way handshake and successfully establish a session, the DPI device may record the first application identified in step S202 as an application corresponding to the session established using the SYN packet, and mark that the first application is valid.
S204, recording the first application in a first field included in an application field in the session information of the session established by using the SYN message.
In this embodiment, the application field in the session information is split into the first field and the second field, so the first application can be recorded in the first field.
S205, the mark is modified to be invalid.
After the first application is recorded in the first field included in the application field in the session information of the session established using the SYN message, the state of the first application may be further modified, that is, the first application may be modified from a valid state to an invalid state.
And S206, if the application mark corresponding to the session to which the received service message belongs is invalid, identifying a second application to which the service message belongs by using the NBAR.
The processes and beneficial effects of step S206 and step S105 are the same, and are not described herein again.
S207, recording the second application in a second field included in an application field in the session information of the session to which the service packet belongs.
In the embodiment of the invention, the first application, identified from the SYN message using PBAR, is recorded in the first field, and the second application, identified from the service message using NBAR, is recorded in the second field. In this way, the user can conveniently view the applications recorded in the first field and the second field.
And S208, when the second application is a preset specified application, performing data filtering on the service message sent based on the session to which the service message belongs.
The process and beneficial effects of step S208 and step S106 are the same, and are not described herein again.
When the PBAR identifies the first application to which the SYN packet belongs, the deep packet inspection device may record the first application as an application corresponding to a session established using the SYN packet, and mark the application as invalid, so that when receiving a service packet, the deep packet inspection device may identify the service packet using NBAR because the application mark corresponding to the session to which the service packet belongs is invalid, and further may implement data filtering on the service packet. Therefore, the embodiment of the invention can realize data filtering on the received service message, thereby improving the safety of message interaction between devices.
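The full flow of steps S101-S106 and the fig. 2 variant (S201-S208), as an added simulation that is not part of the patent: the port tables, the ID table, the NBAR feature library, the session key and the 8-bit ID width are constructed assumptions, with only port 23456, the application WXYZ with ID 10, and HTTP with ID 20 taken from the text. A mark_invalid=False mode reproduces the prior-art case two, so the reader can see why a service message on a custom-PBAR session would otherwise bypass NBAR and data filtering.

```python
# Constructed simulation of the session handling in steps S101-S106 (fig. 1)
# and S201-S208 (fig. 2). All tables and signatures below are sample data,
# except port 23456 -> WXYZ, ID 10 and HTTP -> ID 20, which come from the text.
from dataclasses import dataclass
from typing import Optional

PREDEFINED_PBAR = {80: "HTTP", 25: "SMTP", 21: "FTP"}   # predefined port -> application
CUSTOM_PBAR = {23456: "WXYZ"}                            # user-defined port -> application
APP_ID = {"UNKNOWN": 0, "WXYZ": 10, "HTTP": 20, "SMTP": 21, "FTP": 22}
FILTER_ID_TABLE = {APP_ID["HTTP"], APP_ID["SMTP"], APP_ID["FTP"]}  # pre-stored ID table
NBAR_SIGNATURES = {b"GET ": "HTTP", b"POST ": "HTTP", b"EHLO ": "SMTP", b"USER ": "FTP"}

ID_WIDTH = 8  # bits of the protocol ID value; the flag bit is added to its left


def with_flag(app_id: int, valid: bool, width: int = ID_WIDTH) -> int:
    """Write app_id into a protocol ID value and prepend one flag bit
    (1 = valid, 0 = invalid), as in the text's "1100" -> "01100" example."""
    if not 0 <= app_id < (1 << width):
        raise ValueError("application ID does not fit the ID field")
    return (int(valid) << width) | app_id


def flag_is_valid(protocol_id: int, width: int = ID_WIDTH) -> bool:
    """Read the flag bit back from a protocol ID value."""
    return bool((protocol_id >> width) & 1)


@dataclass
class Session:
    five_layer_id: int = 0                # first ID value plus flag bit
    six_layer_id: Optional[int] = None    # second ID value (set by NBAR)
    first_field: Optional[str] = None     # application recorded from PBAR (S204)
    second_field: Optional[str] = None    # application recorded from NBAR (S207)


class DpiDevice:
    """mark_invalid=True is the patent's behaviour; False reproduces the
    prior-art 'case two', where a custom-PBAR hit is recorded as valid and NBAR
    is skipped, so the service message is never filtered."""

    def __init__(self, mark_invalid: bool = True):
        self.mark_invalid = mark_invalid
        self.sessions = {}

    @staticmethod
    def pbar(dst_port: int) -> str:
        # The custom PBAR has priority over the predefined PBAR.
        if dst_port in CUSTOM_PBAR:
            return CUSTOM_PBAR[dst_port]
        return PREDEFINED_PBAR.get(dst_port, "UNKNOWN")

    @staticmethod
    def nbar(payload: bytes) -> str:
        # Toy feature library: match the payload prefix against known features.
        for feature, app in NBAR_SIGNATURES.items():
            if payload.startswith(feature):
                return app
        return "UNKNOWN"

    def on_syn(self, key: tuple, dst_port: int) -> Session:
        """S101-S103 / S201-S205: identify the first application and record it."""
        first_app = self.pbar(dst_port)
        s = Session()
        # S203: record the first application as valid; S204: write the first field.
        s.five_layer_id = with_flag(APP_ID[first_app], valid=True)
        s.first_field = first_app
        # S205: modify the mark to invalid so that NBAR runs on the service message.
        # In prior-art mode a custom-PBAR result stays valid (case two in the text).
        valid = (not self.mark_invalid) and dst_port in CUSTOM_PBAR
        s.five_layer_id = with_flag(APP_ID[first_app], valid=valid)
        self.sessions[key] = s
        return s

    def on_service_packet(self, key: tuple, payload: bytes) -> bool:
        """S104-S106 / S206-S208. Returns True when the message is passed to
        data filtering, False when it is forwarded without filtering."""
        s = self.sessions[key]
        if flag_is_valid(s.five_layer_id):
            return False          # PBAR result stands; NBAR and filtering are skipped
        second_app = self.nbar(payload)
        s.second_field = second_app
        s.six_layer_id = APP_ID[second_app]
        # Preset condition: the six-layer protocol ID value is in the ID table.
        return s.six_layer_id in FILTER_ID_TABLE


if __name__ == "__main__":
    key = ("10.0.0.1", 40000, "10.0.0.2", 23456)  # constructed session key
    for mode in (True, False):
        dev = DpiDevice(mark_invalid=mode)
        dev.on_syn(key, 23456)
        filtered = dev.on_service_packet(key, b"GET / HTTP/1.1\r\n")
        print(f"mark_invalid={mode}: session={dev.sessions[key]} filtered={filtered}")
```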
With respect to the above method embodiments, the present invention further provides a corresponding apparatus embodiment, and fig. 3 is a packet processing apparatus provided in the embodiment of the present invention, which is applied to a deep packet inspection device, and the apparatus may include:
a first receiving unit 310, configured to receive a SYN packet;
a first identifying unit 320, configured to identify, by using a PBAR, a first application to which the SYN packet belongs;
a first recording unit 330, configured to record the first application as an application corresponding to a session established by using the SYN packet, and mark the first application as invalid;
a second receiving unit 340, configured to receive a service packet;
a second identifying unit 350, configured to identify, if the application flag corresponding to the session to which the service packet belongs is invalid, a second application to which the service packet belongs by using NBAR;
and a filtering unit 360, configured to perform data filtering on the service packet sent based on the session to which the service packet belongs when the second application is a preset specified application.
In the embodiment of the present invention, when the deep packet inspection device identifies the first application to which the SYN packet belongs by using the PBAR, the deep packet inspection device may record the first application as the application corresponding to the session established by using the SYN packet, and mark the application as invalid, so that when receiving the service packet, the deep packet inspection device may identify the service packet by using the NBAR because the application mark corresponding to the session to which the service packet belongs is invalid, and further, may implement data filtering on the service packet. Therefore, the embodiment of the invention can realize data filtering on the received service message, thereby improving the safety of message interaction between devices.
Optionally, as shown in fig. 4, on the basis of including the first receiving unit 310, the first identifying unit 320, the first recording unit 330, the second receiving unit 340, the second identifying unit 350, and the filtering unit 360, the apparatus further includes:
a second recording unit 370, configured to record the second application in an application field in the session information of the session to which the service packet belongs.
Optionally, the second recording unit 370 is further configured to record the first application in a first field included in an application field in session information of a session established by using the SYN packet.
Optionally, the first recording unit 330 is specifically configured to:
recording the first application as an application corresponding to the session established by using the SYN message, and marking the first application as valid;
and after the first application is recorded in the first field included in the application field of the session information of the session established by the SYN message, modifying the mark to be invalid.
Optionally, the second recording unit 370 is further configured to record the second application in a second field included in an application field in the session information of the session to which the service packet belongs.
An embodiment of the present invention further provides a deep packet inspection device, including a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the machine-executable instructions cause the processor to perform the following steps:
receiving a SYN message;
identifying a first application to which the SYN message belongs by using the PBAR;
recording the first application as an application corresponding to the session established by using the SYN message, and marking the first application as invalid;
receiving a service message;
if the application mark corresponding to the session to which the service message belongs is invalid, identifying a second application to which the service message belongs by using an NBAR;
and when the second application is a preset specified application, performing data filtering on the service message sent based on the session to which the service message belongs.
Embodiments of the present invention also provide a machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to perform the following steps:
receiving a SYN message;
identifying a first application to which the SYN message belongs by using the PBAR;
recording the first application as an application corresponding to the session established by using the SYN message, and marking the first application as invalid;
receiving a service message;
if the application mark corresponding to the session to which the service message belongs is invalid, identifying a second application to which the service message belongs by using an NBAR;
and when the second application is a preset specified application, performing data filtering on the service message sent based on the session to which the service message belongs.
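As an added illustration (not the patent's own code), the following Python sketch walks a TCP session through the flow described above: PBAR on the SYN, the application flag set invalid, NBAR on the first service packet, then filtering when the content-identified application is a specified one. The port table, payload signatures and specified-application set are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed lookup tables (illustrative only, not from the patent):
PBAR_PORTS = {80: "http", 443: "https", 22: "ssh"}        # port -> application
NBAR_SIGNATURES = {b"GET ": "http", b"POST ": "http",      # payload prefix -> application
                   b"SSH-": "ssh", b"\x16\x03": "tls"}
SPECIFIED_APPS = {"http"}   # the "preset specified applications" whose traffic is filtered

Endpoint = Tuple[str, int]   # (ip, port)

@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    syn: bool = False
    payload: bytes = b""

@dataclass
class Session:
    first_app: Optional[str] = None    # first field of the application field: PBAR result
    second_app: Optional[str] = None   # second field: NBAR result
    app_valid: bool = False            # the application flag

class Inspector:
    def __init__(self) -> None:
        self.sessions: Dict[tuple, Session] = {}

    @staticmethod
    def key(pkt: Packet) -> tuple:
        return tuple(sorted((pkt.src, pkt.dst)))   # same key for both directions

    def handle(self, pkt: Packet) -> str:
        """Process one packet; returns 'pass', 'drop' or 'ignore'."""
        if pkt.syn:
            # Record the PBAR result and mark it valid, then flip the flag to invalid
            # so that the first service packet is re-identified by NBAR.
            sess = Session(first_app=PBAR_PORTS.get(pkt.dst[1], "unknown"), app_valid=True)
            sess.app_valid = False
            self.sessions[self.key(pkt)] = sess
            return "pass"
        sess = self.sessions.get(self.key(pkt))
        if sess is None:
            return "ignore"          # no SYN seen: outside the described flow
        if not sess.app_valid:       # flag invalid: classify by payload content
            sess.second_app = next((app for sig, app in NBAR_SIGNATURES.items()
                                    if pkt.payload.startswith(sig)), None)
            sess.app_valid = sess.second_app is not None
        return "drop" if sess.second_app in SPECIFIED_APPS else "pass"
```

A SYN to port 443 is labelled "https" by the port table, but an HTTP request carried on that port is still caught because the flag forces a content check before the session's application is trusted.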
Because the apparatus, deep packet inspection device and machine-readable storage medium embodiments are essentially similar to the method embodiment, they are described only briefly; for the relevant details, refer to the corresponding parts of the method embodiment.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. A message processing method, applied to a deep packet inspection device, the method comprising the following steps:
receiving a SYN message;
identifying a first application to which the SYN message belongs by using the PBAR;
recording the first application as an application corresponding to the session established by using the SYN message, and marking the first application as invalid;
receiving a service message;
if the application mark corresponding to the session to which the service message belongs is invalid, identifying a second application to which the service message belongs by using an NBAR;
and when the second application is a preset specified application, performing data filtering on the service message sent based on the session to which the service message belongs.
2. The method of claim 1, further comprising:
and recording the second application in an application field in the session information of the session to which the service message belongs.
3. The method of claim 1, further comprising:
and recording the first application in a first field included in an application field in session information of a session established by the SYN message.
4. The method of claim 1, wherein recording the first application as an application corresponding to the session established with the SYN message and marking as invalid comprises:
recording the first application as an application corresponding to the session established by using the SYN message, and marking the first application as valid;
and after the first application is recorded in the first field included in the application field of the session information of the session established by the SYN message, modifying the mark to be invalid.
5. The method according to any one of claims 1, 3, and 4, further comprising:
and recording the second application in a second field included in an application field in the session information of the session to which the service message belongs.
6. A message processing apparatus, applied to a deep packet inspection device, the apparatus comprising:
a first receiving unit, configured to receive a SYN packet;
a first identification unit, configured to identify, by using a PBAR, a first application to which the SYN packet belongs;
a first recording unit, configured to record the first application as an application corresponding to a session established using the SYN packet, and mark the first application as invalid;
a second receiving unit, configured to receive a service packet;
a second identification unit, configured to identify, if an application flag corresponding to a session to which the service packet belongs is invalid, a second application to which the service packet belongs by using NBAR;
and the filtering unit is used for performing data filtering on the service message sent based on the session to which the service message belongs when the second application is a preset specified application.
7. The apparatus of claim 6, further comprising:
and the second recording unit is used for recording the second application in an application field in the session information of the session to which the service message belongs.
8. The apparatus of claim 6, wherein the first recording unit is further configured to:
and recording the first application in a first field included in an application field in session information of a session established by the SYN message.
9. The apparatus according to claim 6, wherein the first recording unit is specifically configured to:
recording the first application as an application corresponding to the session established by using the SYN message, and marking the first application as valid;
and after the first application is recorded in the first field included in the application field of the session information of the session established by the SYN message, modifying the mark to be invalid.
10. The apparatus according to any one of claims 6, 8 and 9, wherein the first recording unit is further configured to:
and recording the second application in a second field included in an application field in the session information of the session to which the service message belongs.
CN201710559801.5A 2017-07-11 2017-07-11 Message processing method and device Active CN107547511B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710559801.5A CN107547511B (en) 2017-07-11 2017-07-11 Message processing method and device


Publications (2)

Publication Number Publication Date
CN107547511A CN107547511A (en) 2018-01-05
CN107547511B true CN107547511B (en) 2020-10-30

Family

ID=60970656


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant