CN101488946A - Packet detection method and system - Google Patents

Info

Publication number: CN101488946A
Authority: CN (China)
Application number: CNA2008100562658A
Other languages: Chinese (zh)
Inventors: 杨佩林, 邹嵘
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd
Priority to: CNA2008100562658A; PCT/CN2008/072525 (WO2009089701A1)
Publication: CN101488946A
Legal status: Pending
Prior art keywords: data message, message, strategy, detection, described data

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/026 Capturing of monitoring data using flow identification

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a packet detection method and system. One method comprises: detecting a received packet according to a detection policy; when the packet satisfies the detection policy, forwarding the packet; determining according to a configuration policy whether to copy the packet, and if so, copying the packet and detecting the copied packet according to a deep detection policy. The other method comprises: detecting a received packet according to a detection policy; when the packet satisfies the detection policy, copying the packet and detecting the copied packet according to a deep detection policy; determining according to a configuration policy whether to forward the packet, and if so, forwarding the packet. The invention satisfies the demands of real-time services, prevents the DPI/DFI detection device from becoming a packet forwarding bottleneck, and gives the network operator awareness and control of services.

Description

Packet detection method and system
Technical field
The embodiments of the invention relate to network security technology, and in particular to a packet detection method and system.
Background technology
With the continuous development of IP technology, IP broadband services have become a highlight. IP networks are gradually transitioning from carrying a single Internet service to carrying multiple carrier-grade services such as data, voice, video, enterprise leased lines, 3G, Next Generation Network (hereinafter NGN), IP Multimedia Subsystem (hereinafter IMS) and Internet Protocol Television (hereinafter IPTV). In this transition, IP networks will undergo fundamental changes in security, reliability and QoS.
With the continuous development of network technology, new applications keep emerging. Peer-to-peer networks (hereinafter P2P), online games, web TV and other emerging services consume most of the bandwidth on the Internet. According to current domestic statistics, cross-domain P2P traffic occupies 80% of the bandwidth on backbone links. Under China's unlimited-time monthly broadband tariff model, most of the network's bandwidth is taken by a small number of users who do not pay a correspondingly higher fee, yet degrade the network quality of most other users, causing congestion of varying degrees and greatly reducing the user experience of other applications. At the same time, computer networks suffer increasingly severe attacks and intrusions, causing very large losses to users and operators and correspondingly reducing profitability. Although firewalls have partly alleviated attacks, an ordinary firewall is powerless against the propagation and attacks of viruses that hide themselves in the IP packet payload. In recent years the trend of network attacks has shifted gradually towards higher-layer applications; according to analysis, more than 70% of network attacks currently concentrate on the application layer, and this figure is rising. For this reason, content security is becoming the most critical problem in information security today.
The main cause of the above phenomena is that operators lack effective means of controlling and differentiating users. The operator neither knows what users are doing on the network nor has any way to guarantee different service quality and service grades to different users; it cannot perform packet detection and traffic identification, which increases the operator's operating costs and reduces customer satisfaction. Therefore, achieving packet detection and traffic identification, sensing network applications, providing means of network control and management, and building a harmonious network that can be operated and managed is very important.
A new class of technical means, deep packet inspection (hereinafter DPI) and deep/dynamic flow inspection (hereinafter DFI), can sense network applications and provide the operator with means of network control and management. The "depth" is relative to the detection level of ordinary packet inspection: ordinary packet inspection only examines the content of the IP packet below layer 4, namely source address, destination address, source port, destination port and service type, whereas DPI/DFI, besides inspecting those layers, adds application-layer detection and can identify the various applications and their content, and control and manage them.
Two DPI/DFI packet detection schemes have been proposed in the prior art:
Figure 1 is a schematic diagram of a prior-art system performing DPI in series. In this network the DPI/DFI detection device sits between the convergence layer and the access layer, or may be deployed between the convergence layer and the IP/Multiprotocol Label Switching (hereinafter MPLS) backbone network. All packets entering the access network or sent from the access network must pass through the DPI/DFI detection device, and only packets that conform to the detection policy are allowed to enter the network or be sent from it.
Figure 2 is a schematic diagram of a prior-art system performing DPI in parallel. In this network the DPI/DFI detection device hangs beside the Network Access Server (hereinafter NAS), or, depending on actual network conditions, beside another network device. All packets entering or leaving the access network pass through the NAS, which copies them to the DPI/DFI detection device for inspection. While the DPI/DFI detection device inspects, the packets continue to enter or leave the access network unaffected; once the device identifies illegal traffic, the NAS discards the packets of that illegal traffic entering or leaving the access network.
In implementing the embodiments of the invention, the inventors found that the above two schemes have at least the following problems. In the series scheme, because all packets pass through the DPI/DFI detection device, the device becomes a bottleneck for packet forwarding and introduces forwarding delay, which particularly affects real-time services; at the same time the detection policy is inflexible and cannot be configured according to network conditions and dynamic requirements. In the parallel scheme, because the DPI/DFI detection device hangs beside the network, real-time control over services is weak, which reduces the control effect; again the detection policy is inflexible and cannot be configured according to network conditions and dynamic requirements.
Summary of the invention
The embodiments of the invention provide a packet detection method and system that detect packets in tiers, so as to satisfy the demands of real-time services and prevent the DPI/DFI detection device from becoming a packet forwarding bottleneck.
An embodiment of the invention provides a packet detection method, comprising:
detecting a received packet according to a detection policy;
when the packet satisfies the detection policy, forwarding the packet;
determining according to a configuration policy whether to copy the packet, and if so, copying the packet and detecting the copied packet according to a deep detection policy.
An embodiment of the invention also provides a packet detection method, comprising:
detecting a received packet according to a detection policy;
when the packet satisfies the detection policy, copying the packet and detecting the copied packet according to a deep detection policy;
determining according to a configuration policy whether to forward the packet, and if so, forwarding the packet.
An embodiment of the invention provides a packet detection system, comprising:
a detection module for detecting a received packet according to a detection policy;
a forwarding module for forwarding the packet when the packet satisfies the detection policy;
a determination module for determining according to a configuration policy whether to copy the packet;
a replication module for copying the packet when it is determined that the packet is to be copied;
a deep detection module for detecting the copied packet according to a deep detection policy.
An embodiment of the invention also provides a packet detection system, comprising:
a detection module for detecting a received packet according to a detection policy;
a replication module for copying the packet when the packet satisfies the detection policy;
a deep detection module for detecting the copied packet according to a deep detection policy;
a determination module for determining according to a configuration policy whether to forward the packet;
a forwarding module for forwarding the packet when it is determined that the packet is to be forwarded.
The packet detection method and system of the embodiments first detect a packet according to the detection policy and then further detect it according to the deep policy, so that packets are detected in tiers. This resolves the balance between packet detection and high-speed packet forwarding performance, satisfies the demands of real-time services, prevents the DPI/DFI detection device from becoming a packet forwarding bottleneck, and gives the network operator awareness and control of services.
Description of drawings
Fig. 1 is a schematic diagram of a prior-art system performing DPI in series;
Fig. 2 is a schematic diagram of a prior-art system performing DPI in parallel;
Fig. 3 is a schematic diagram of the network architecture of an embodiment of the invention;
Fig. 4 is a flow chart of the packet detection method of embodiment one;
Fig. 5 is a flow chart of the packet detection method of embodiment two;
Fig. 6 is a schematic diagram of the packet detection system of embodiment one;
Fig. 7 is a schematic diagram of the NGN network architecture of an embodiment of the invention based on packet detection;
Fig. 8 is a schematic diagram of the packet detection system of embodiment two.
Embodiments
The technical solutions of the embodiments of the invention are described in further detail below with reference to the drawings and examples.
Figure 3 is a schematic diagram of the network architecture of an embodiment of the invention. The network comprises user terminals, an access network, a NAS, a content detection and control module and an IP/MPLS backbone network. The NAS contains a stream detection module for detecting packets according to a detection policy; the content detection and control module detects packets according to a deep detection policy.
Figure 4 is a flow chart of the packet detection method of embodiment one. Before the steps of this embodiment are executed, the content detection and control module pre-configures the detection policy and the deep detection policy: specifically, it configures the deep detection policy internally according to operational needs, and configures the detection policy on the NAS. Taking voice service as an example, the detection policy may be a five-tuple (source address, destination address, source port, destination port and protocol type) together with a traffic feature model (such as packet length, connection rate, bytes transmitted, inter-packet gap, etc.); taking an IPTV service stream as an example, the detection policy may be a five-tuple together with a service protocol feature word policy.
This embodiment specifically comprises the following steps:
Step 101: the NAS receives a packet;
Step 102: the stream detection module detects the packet according to the detection policy; if the packet does not satisfy the detection policy, step 106 is executed; otherwise, step 103 is executed;
Step 103: the packet is forwarded along the normal path, and whether to copy the packet is determined according to the configuration policy; if so, step 104 is executed;
The configuration policy may be a policy configured by the operator according to network operating conditions; when a packet satisfies the detection policy, this pre-configuration decides whether further deep detection is needed.
Step 104: the packet is copied, and the content detection and control module detects the copied packet according to the deep detection policy; if the packet satisfies the deep detection policy, step 105 is executed; otherwise, step 106 is executed;
Step 105: the next packet is processed, and the procedure ends;
Step 106: an alarm notification is sent and the packet is discarded.
A packet fails the detection policy when, for example, the stream detection module detects a packet that is not forwarded on a normal five-tuple; or, when the user is using voice service, the stream detection module detects that the packet length exceeds 400 bytes (the packet length of a voice service packet is usually about 150 bytes) and the duration is very long, indicating that the packet is not a voice service packet; or, when the user is watching an IPTV service stream, the stream detection module detects not the Real-time Transport Protocol (hereinafter RTP) service protocol feature word required by IPTV but the feature word of another service. The stream detection module may then write the packet into a blacklist; further, the stream detection module may send an alarm notification to the NAS, which directly discards the packet; or the stream detection module lowers the priority of the packet, so that during packet processing packets of higher priority are handled first.
When a packet does not satisfy the deep detection policy, the content detection and control module sends an alarm notification to the NAS, and the NAS discards the packet according to the alarm notification. For example, when the user is watching an IPTV service stream and the content detection and control module detects that the IPTV stream to which the packet belongs has no copyright, or is an illegal service stream, it notifies the NAS to discard the packets sent from that five-tuple.
Further, the content detection and control module may classify packets according to the result of detection under the deep detection policy and apply traffic management to them; this traffic management may comprise the management and scheduling of packet queues, and the policing and shaping of packet flows.
This embodiment distributes packet detection and the corresponding policies across different functional entities and detects packets in tiers. It resolves the balance between packet detection and high-speed packet forwarding performance: it satisfies the demands of real-time services and prevents the DPI/DFI detection device from becoming a packet forwarding bottleneck, while still controlling and managing service streams, giving the network operator awareness and control of services.
Figure 5 is a flow chart of the packet detection method of embodiment two. Before the steps of this embodiment are executed, the detection policy and the deep detection policy must be configured: specifically, the content detection and control module configures the deep detection policy internally according to operational needs, and configures the detection policy on the NAS. Taking voice service as an example, the detection policy may be a five-tuple (source address, destination address, source port, destination port and protocol type) together with a traffic feature model (such as packet length, connection rate, bytes transmitted, inter-packet gap, etc.); taking an IPTV service stream as an example, the detection policy may be a five-tuple together with a service protocol feature word policy.
This embodiment specifically comprises the following steps:
Step 201: the NAS receives a packet;
Step 202: the stream detection module detects the packet according to the detection policy; if the packet does not satisfy the detection policy, step 206 is executed; otherwise, step 203 is executed;
Step 203: the packet is copied, and the content detection and control module detects the copied packet according to the deep detection policy; if the packet satisfies the deep detection policy, step 204 is executed; otherwise, step 206 is executed;
Step 204: whether to forward the packet is determined according to the configuration policy; if so, step 205 is executed;
The configuration policy may be a policy configured by the operator according to network operating conditions, the pre-configuration deciding whether to forward a packet that satisfies the detection policy. The configuration policy may also be determined by the result of detection under the deep detection policy; for example, it may be set so that when the packet satisfies the deep detection policy, the packet is forwarded.
Step 205: the packet is forwarded, and the procedure ends;
Step 206: an alarm notification is sent, the packet is discarded, and the procedure ends.
A packet fails the detection policy when, for example, the stream detection module detects a packet that is not forwarded on a normal five-tuple; or, when the user is using voice service, the stream detection module detects that the packet length exceeds 400 bytes (the packet length of a voice service packet is usually about 150 bytes) and the duration is very long, indicating that the packet is not a voice service packet; or, when the user is watching an IPTV service stream, the stream detection module detects not the RTP service protocol feature word required by IPTV but the feature word of another service. The stream detection module may then write the packet into a blacklist; further, the stream detection module may send an alarm notification to the NAS, which directly discards the packet; or the stream detection module lowers the priority of the packet, so that during packet processing packets of higher priority are handled first.
When a packet does not satisfy the deep detection policy, the content detection and control module sends an alarm notification to the NAS, and the NAS discards the packet according to the alarm notification. For example, when the user is watching an IPTV service stream and the content detection and control module detects that the IPTV stream to which the packet belongs has no copyright, or is an illegal service stream, it notifies the NAS to discard the packets sent from that five-tuple.
Further, the content detection and control module may classify packets according to the result of detection under the deep detection policy and apply traffic management to them; this traffic management may comprise the management and scheduling of packet queues, and the policing and shaping of packet flows.
This embodiment distributes packet detection and the corresponding policies across different functional entities and detects packets in tiers. It resolves the balance between packet detection and high-speed packet forwarding performance: it satisfies the demands of real-time services and prevents the DPI/DFI detection device from becoming a packet forwarding bottleneck, while still controlling and managing service streams, giving the network operator awareness and control of services.
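The two procedures above (steps 101 to 106 of embodiment one and steps 201 to 206 of embodiment two), as an added Python example that is not part of the patent or of Huawei's implementation. The flow policy models only the five-tuple and the packet-length feature from the voice example; the deep policy with its `RTP:` payload marker, the blacklist check folded into step 102/202, the always-true configuration policy and the sample packets are constructed assumptions. Running both modes on the same packets shows the difference the ordering makes: embodiment one has already forwarded a packet when deep detection rejects it and can only stop later packets of that five-tuple, while embodiment two holds the packet until the copy passes.

```python
"""Two-tier packet detection in the style of the patent's two embodiments.

Added example, not code from the patent or from Huawei. All names, the
payload marker used by the deep policy and the sample packets are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

FiveTuple = Tuple[str, str, int, int, str]  # src, dst, sport, dport, proto


@dataclass
class Packet:
    five_tuple: FiveTuple
    length: int      # bytes on the wire
    payload: bytes


@dataclass
class FlowPolicy:
    """Detection policy pushed to the NAS: five-tuple plus a traffic-feature
    model. Only packet length is modelled here (the page's voice example:
    a voice packet is about 150 bytes, more than 400 bytes is suspect)."""
    allowed: Set[FiveTuple]
    max_len: int = 400

    def satisfied(self, pkt: Packet) -> bool:
        return pkt.five_tuple in self.allowed and pkt.length <= self.max_len


@dataclass
class DeepPolicy:
    """Deep detection policy held by the content detection and control
    module. Constructed stand-in: the copied payload must begin with a
    service marker (the patent only speaks of a 'protocol feature word')."""
    marker: bytes = b"RTP:"

    def satisfied(self, pkt: Packet) -> bool:
        return pkt.payload.startswith(self.marker)


@dataclass
class NAS:
    flow: FlowPolicy
    deep: DeepPolicy
    # operator configuration policy: whether to copy (embodiment one) or to
    # forward (embodiment two) a packet that passed the flow check
    config: Callable[[Packet], bool]
    mode: str = "forward_then_copy"     # or "copy_then_forward"
    forwarded: List[Packet] = field(default_factory=list)
    blacklist: Set[FiveTuple] = field(default_factory=set)
    alarms: List[str] = field(default_factory=list)

    def _alarm_and_drop(self, pkt: Packet, tier: str) -> str:
        # Step 106 / 206: send an alarm, blacklist the five-tuple, discard.
        self.alarms.append(f"{tier}: {pkt.five_tuple}")
        self.blacklist.add(pkt.five_tuple)
        return "dropped"

    def receive(self, pkt: Packet) -> str:
        # Step 101 / 201: the NAS receives the packet.
        # Step 102 / 202: the stream detection module applies the flow policy.
        # Assumption: a blacklisted five-tuple fails the flow check outright.
        if pkt.five_tuple in self.blacklist or not self.flow.satisfied(pkt):
            return self._alarm_and_drop(pkt, "flow")
        if self.mode == "forward_then_copy":
            self.forwarded.append(pkt)              # Step 103: forward now
            if self.config(pkt):                    # Step 103: copy it?
                copy = Packet(pkt.five_tuple, pkt.length, bytes(pkt.payload))
                if not self.deep.satisfied(copy):   # Step 104
                    # The original has already left; later packets of this
                    # five-tuple are discarded (cf. claim 11).
                    self._alarm_and_drop(pkt, "deep")
                    return "forwarded_then_alarm"
            return "forwarded"                      # Step 105
        # Embodiment two: Step 203, copy and inspect before any forwarding.
        copy = Packet(pkt.five_tuple, pkt.length, bytes(pkt.payload))
        if not self.deep.satisfied(copy):
            return self._alarm_and_drop(pkt, "deep")   # Step 206
        if self.config(pkt):                        # Step 204
            self.forwarded.append(pkt)              # Step 205
            return "forwarded"
        return "held"


def demo(mode: str) -> Tuple[List[str], int]:
    """Run four constructed packets through one embodiment; return the
    per-packet outcome and how many packets actually reached the network."""
    voice = ("10.0.0.1", "10.0.0.2", 4000, 4000, "udp")
    video = ("10.0.0.3", "10.0.0.4", 5004, 5004, "udp")
    nas = NAS(FlowPolicy({voice, video}), DeepPolicy(),
              config=lambda p: True, mode=mode)
    pkts = [
        Packet(voice, 150, b"RTP:voice"),   # passes both tiers
        Packet(voice, 150, b"XYZ:other"),   # passes flow, fails deep
        Packet(voice, 150, b"RTP:voice"),   # five-tuple is now blacklisted
        Packet(video, 1400, b"RTP:video"),  # exceeds the flow model's length
    ]
    return [nas.receive(p) for p in pkts], len(nas.forwarded)


if __name__ == "__main__":
    for m in ("forward_then_copy", "copy_then_forward"):
        print(m, demo(m))
```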
Figure 6 is a schematic diagram of the packet detection system of embodiment one, which specifically comprises: a detection module 11 for detecting a received packet according to a detection policy; a forwarding module 12 for forwarding the packet when it satisfies the detection policy; a determination module 13 for determining according to a configuration policy whether to copy the packet; a replication module 14 for copying the packet when it is determined that the packet is to be copied; and a deep detection module 15 for detecting the copied packet according to a deep detection policy.
This embodiment may further comprise: a configuration module 16 for configuring the detection policy and the deep detection policy; an alarm module 17 for sending an alarm notification when the packet does not satisfy the detection policy, or when the copied packet does not satisfy the deep detection policy; and a processing module 18 for writing the packet into a blacklist when the packet does not satisfy the detection policy.
The processing module may comprise a discard module for discarding the packets in the blacklist according to the alarm notification, and may also comprise a priority module for lowering the priority of the packets in the blacklist.
Figure 7 is a schematic diagram of the NGN network architecture of an embodiment of the invention based on packet detection. The detection module is located in the transport network layer, in the devices of the access network and the IP/MPLS backbone network, under the control of the deep detection module; it mainly performs basic identification of packets and reports the various flow information to the deep detection module. The deep detection module is located in the network control layer above the transport network layer; further, it may be part of the network attachment control system and/or the resource and admission control system, or it may stand alone in the network control layer as a content detection and control system independent of the current network attachment control system and resource and admission control system. The deep detection module is mainly used to perform deep detection and content recognition on packets; to configure the detection policy on the detection module in the NAS; it may provide a control function over the detection module; and it may also provide traffic management control, optimising the packet forwarding path according to network needs so as to guarantee the service quality of packets.
This embodiment resolves the balance between packet detection and high-speed forwarding performance: it satisfies the demands of real-time services and prevents the DPI/DFI detection device from becoming a packet forwarding bottleneck, while still controlling and managing service streams, giving the network operator awareness and control of services.
Figure 8 is a schematic diagram of the packet detection system of embodiment two, which specifically comprises: a detection module 21 for detecting a received packet according to a detection policy; a replication module 22 for copying the packet when it satisfies the detection policy; a deep detection module 23 for detecting the copied packet according to a deep detection policy; a determination module 24 for determining according to a configuration policy whether to forward the packet; and a forwarding module 25 for forwarding the packet when it is determined that the packet is to be forwarded.
This embodiment may further comprise: a configuration module 26 for configuring the detection policy and the deep detection policy; an alarm module 27 for sending an alarm notification when the packet does not satisfy the detection policy, or when the copied packet does not satisfy the deep detection policy; and a processing module 28 for writing the packet into a blacklist when the packet does not satisfy the detection policy.
The processing module may comprise a discard module for discarding the packets in the blacklist according to the alarm notification, and may also comprise a priority module for lowering the priority of the packets in the blacklist.
In this embodiment the detection module 21 may be located in the transport network layer and the deep detection module 23 in the network control layer, as described for the packet detection system of embodiment one.
This embodiment resolves the balance between packet detection and high-speed forwarding performance: it satisfies the demands of real-time services and prevents the DPI/DFI detection device from becoming a packet forwarding bottleneck, while still controlling and managing service streams, giving the network operator awareness and control of services.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the embodiments of the invention, not to limit them. Although the embodiments of the invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that modifications may still be made to the technical solutions recorded in the foregoing embodiments, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (38)

1, a kind of message detecting method is characterized in that comprising:
Detect the data message that receives according to detecting strategy;
when the data packet satisfies the detection policy, forwarding the data packet;
determining, according to a configuration policy, whether to copy the data packet, and if so, copying the data packet and inspecting the copied data packet according to a deep inspection policy.
2. The packet detection method according to claim 1, characterized in that, before inspecting the received data packet according to the detection policy, the method further comprises: configuring the detection policy and the deep inspection policy.
3. The packet detection method according to claim 1, characterized in that the method further comprises: when the data packet does not satisfy the detection policy, writing the data packet into a blacklist.
4. The packet detection method according to claim 3, characterized in that, after writing the data packet into the blacklist, the method further comprises: sending an alarm notification, and discarding the data packets in the blacklist.
5. The packet detection method according to claim 3, characterized in that, after writing the data packet into the blacklist, the method further comprises: lowering the priority of the data packets in the blacklist.
6. The packet detection method according to claim 1, characterized in that, after inspecting the copied data packet according to the deep inspection policy, the method further comprises: when the copied data packet does not satisfy the deep inspection policy, sending an alarm notification.
7. The packet detection method according to any one of claims 1 to 6, characterized in that, after inspecting the copied data packet according to the deep inspection policy, the method further comprises: classifying the data packet according to the result of the deep inspection, and performing traffic management on the data packet.
8. The packet detection method according to claim 7, characterized in that the traffic management comprises management and scheduling of data packet queues, and policing and shaping of data packet flows.
9. The packet detection method according to claim 6, characterized in that, after sending the alarm notification, the method further comprises: discarding the data packet according to the alarm notification.
10. The packet detection method according to claim 9, characterized in that inspecting the received data packet according to the detection policy specifically comprises: inspecting the received data packet according to a five-tuple and traffic characteristic model policy, or according to a five-tuple and service protocol feature keyword policy.
11. The packet detection method according to claim 10, characterized in that discarding the data packet specifically comprises: discarding the data packets sent from the five-tuple.
12. A packet detection method, characterized by comprising:
inspecting a received data packet according to a detection policy;
when the data packet satisfies the detection policy, copying the data packet and inspecting the copied data packet according to a deep inspection policy;
determining, according to a configuration policy, whether to forward the data packet, and if so, forwarding the data packet.
13. The packet detection method according to claim 12, characterized in that, before inspecting the received data packet according to the detection policy, the method further comprises: configuring the detection policy and the deep inspection policy.
14. The packet detection method according to claim 12, characterized in that the method further comprises: when the data packet does not satisfy the detection policy, writing the data packet into a blacklist.
15. The packet detection method according to claim 14, characterized in that, after writing the data packet into the blacklist, the method further comprises: sending an alarm notification, and discarding the data packets in the blacklist.
16. The packet detection method according to claim 14, characterized in that, after writing the data packet into the blacklist, the method further comprises: lowering the priority of the data packets in the blacklist.
17. The packet detection method according to claim 12, characterized in that, after inspecting the copied data packet according to the deep inspection policy, the method further comprises: when the copied data packet does not satisfy the deep inspection policy, sending an alarm notification.
18. The packet detection method according to any one of claims 12 to 17, characterized in that, after inspecting the copied data packet according to the deep inspection policy, the method further comprises: classifying the data packet according to the result of the deep inspection, and performing traffic management on the data packet.
19. The packet detection method according to claim 18, characterized in that the traffic management comprises management and scheduling of data packet queues, and policing and shaping of data packet flows.
20. The packet detection method according to claim 17, characterized in that, after sending the alarm notification, the method further comprises: discarding the data packet according to the alarm notification.
21. The packet detection method according to claim 20, characterized in that inspecting the received data packet according to the detection policy specifically comprises: inspecting the received data packet according to a five-tuple and traffic characteristic model policy, or according to a five-tuple and service protocol feature keyword policy.
22. The packet detection method according to claim 21, characterized in that discarding the data packet specifically comprises: discarding the data packets sent from the five-tuple.
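The two method claim families above differ only in ordering: claims 1 to 11 forward a packet that passes the detection policy and then, if the configuration policy says so, copy it for deep inspection; claims 12 to 22 copy and deep-inspect first and let the configuration policy decide whether to forward. The following Python is an added worked example for this page, not code from the patent or its assignee. It reduces the detection policy to a permitted-port table, a flow-rate ceiling standing in for the traffic characteristic model, and per-port protocol keywords; the deep inspection policy is a set of payload signatures; the packet fields, policy contents, class names and sample traffic are all constructed.

```python
"""Two-stage inspection as claimed above: a five-tuple, rate and keyword detection policy on the
data path, a copy of matching packets handed to a deep inspection policy, and a shared blacklist.
Added example; policy contents, field names and sample traffic are constructed, not from the patent."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    five_tuple: tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)
    payload: bytes
    pkts_per_sec: int  # flow rate from an assumed upstream flow-statistics stage

@dataclass
class DetectionPolicy:
    allowed_dst_ports: dict[str, set[int]]  # proto -> permitted destination ports
    max_pkts_per_sec: int                   # traffic characteristic model reduced to a rate ceiling
    protocol_keywords: dict[int, bytes]     # dst port -> protocol keyword the payload must start with

    def matches(self, pkt: Packet) -> bool:
        _, _, _, dport, proto = pkt.five_tuple
        keyword = self.protocol_keywords.get(dport)
        return (dport in self.allowed_dst_ports.get(proto, set())
                and pkt.pkts_per_sec <= self.max_pkts_per_sec
                and (keyword is None or pkt.payload.startswith(keyword)))

@dataclass
class DeepInspectionPolicy:
    signatures: dict[str, re.Pattern[bytes]]  # content signatures run over the copied payload

    def classify(self, payload: bytes) -> str:
        return next((name for name, pat in self.signatures.items() if pat.search(payload)), "clean")

@dataclass
class Inspector:
    detect: DetectionPolicy
    deep: DeepInspectionPolicy
    copy_to_dpi: bool = True        # configuration policy of claim 1: copy matches to deep inspection?
    forward_after_dpi: bool = True  # configuration policy of claim 12: forward after deep inspection?
    blacklist: set[tuple] = field(default_factory=set)
    alarms: list[str] = field(default_factory=list)
    forwarded: list[Packet] = field(default_factory=list)

    def _fast_path(self, pkt: Packet) -> bool:
        # Blacklist lookup, then the detection policy; a miss blacklists the five-tuple and alarms.
        if pkt.five_tuple in self.blacklist:
            return False
        if not self.detect.matches(pkt):
            self.blacklist.add(pkt.five_tuple)
            self.alarms.append(f"detection policy miss: {pkt.five_tuple}")
            return False
        return True

    def _deep_inspect(self, pkt: Packet) -> str:
        # Inspect a copy of the payload; a hit alarms and blacklists the five-tuple for later packets.
        verdict = self.deep.classify(bytes(pkt.payload))
        if verdict != "clean":
            self.alarms.append(f"deep inspection {verdict}: {pkt.five_tuple}")
            self.blacklist.add(pkt.five_tuple)
        return verdict

    def process_forward_first(self, pkt: Packet) -> tuple[bool, str]:
        """Claim 1 ordering: forward on a fast-path match, then copy to deep inspection."""
        if not self._fast_path(pkt):
            return (False, "blacklisted")
        self.forwarded.append(pkt)
        return (True, self._deep_inspect(pkt) if self.copy_to_dpi else "not copied")

    def process_inspect_first(self, pkt: Packet) -> tuple[bool, str]:
        """Claim 12 ordering: copy and deep-inspect first; forward only if configured and clean."""
        if not self._fast_path(pkt):
            return (False, "blacklisted")
        verdict = self._deep_inspect(pkt)
        if verdict == "clean" and self.forward_after_dpi:
            self.forwarded.append(pkt)
            return (True, verdict)
        return (False, verdict)

POLICY = DetectionPolicy(
    allowed_dst_ports={"tcp": {80, 443}, "udp": {53}},
    max_pkts_per_sec=1000,
    protocol_keywords={80: b"GET ", 443: b"\x16\x03"},  # HTTP request line, TLS record header
)
DEEP = DeepInspectionPolicy({"path-traversal": re.compile(rb"\.\./"),
                             "sqli": re.compile(rb"(?i)union\s+select")})
WEB = ("192.0.2.10", 80, "tcp")
SAMPLE = [  # constructed traffic; the last packet repeats the five-tuple of the traversal attempt
    Packet(("10.0.0.5", 40000, *WEB), b"GET /index.html HTTP/1.1\r\n", 20),
    Packet(("10.0.0.6", 40001, *WEB), b"GET /../../etc/passwd HTTP/1.1\r\n", 20),
    Packet(("10.0.0.7", 40002, "192.0.2.10", 23, "tcp"), b"login: ", 5),  # port not permitted
    Packet(("10.0.0.8", 40003, *WEB), b"GET / HTTP/1.1\r\n", 50_000),       # flow rate too high
    Packet(("10.0.0.6", 40001, *WEB), b"GET /index.html HTTP/1.1\r\n", 20),
]

def run(mode: str) -> tuple[list[tuple[bool, str]], Inspector]:
    # Push the sample through one ordering; returns (forwarded?, verdict) per packet plus the inspector.
    insp = Inspector(POLICY, DEEP)
    step = insp.process_forward_first if mode == "forward-first" else insp.process_inspect_first
    return [step(p) for p in SAMPLE], insp
```

Calling `run("forward-first")` and `run("inspect-first")` on the same sample shows the operational difference: in the claim 1 ordering the traversal request has already been forwarded when deep inspection flags it, and the alarm only protects against later packets of that five-tuple (the fifth packet is dropped); in the claim 12 ordering the flagged packet itself is withheld, at the cost of putting deep inspection on the forwarding path. Blacklisting by five-tuple, as claims 11 and 22 do, also drops legitimate traffic from a NATed source that shares the tuple and is evaded by a sender that changes its source port, so a deployed blacklist entry needs an expiry and the alarm needs the full verdict, not just the tuple.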
23. A packet detection system, characterized by comprising:
a detection module, configured to inspect a received data packet according to a detection policy;
a forwarding module, configured to forward the data packet when the data packet satisfies the detection policy;
a determination module, configured to determine, according to a configuration policy, whether to copy the data packet;
a replication module, configured to copy the data packet when it is determined that the data packet is to be copied;
a deep inspection module, configured to inspect the copied data packet according to a deep inspection policy.
24. The packet detection system according to claim 23, characterized in that the system further comprises: a configuration module, configured to configure the detection policy and the deep inspection policy.
25. The packet detection system according to claim 24, characterized in that the system further comprises: an alarm module, configured to send an alarm notification when the data packet does not satisfy the detection policy, or when the copied data packet does not satisfy the deep inspection policy.
26. The packet detection system according to claim 25, characterized in that the system further comprises: a processing module, configured to write the data packet into a blacklist when the data packet does not satisfy the detection policy.
27. The packet detection system according to claim 26, characterized in that the processing module comprises a discard module, configured to discard the data packets in the blacklist according to the alarm notification.
28. The packet detection system according to claim 26, characterized in that the processing module comprises a priority module, configured to lower the priority of the data packets in the blacklist.
29. The packet detection system according to any one of claims 23 to 28, characterized in that the detection module is located at the transport network layer.
30. The packet detection system according to claim 29, characterized in that the deep inspection module is located at the network control layer.
31. A packet detection system, characterized by comprising:
a detection module, configured to inspect a received data packet according to a detection policy;
a replication module, configured to copy the data packet when the data packet satisfies the detection policy;
a deep inspection module, configured to inspect the copied data packet according to a deep inspection policy;
a determination module, configured to determine, according to a configuration policy, whether to forward the data packet;
a forwarding module, configured to forward the data packet when it is determined that the data packet is to be forwarded.
32. The packet detection system according to claim 31, characterized in that the system further comprises: a configuration module, configured to configure the detection policy and the deep inspection policy.
33. The packet detection system according to claim 32, characterized in that the system further comprises: an alarm module, configured to send an alarm notification when the data packet does not satisfy the detection policy, or when the copied data packet does not satisfy the deep inspection policy.
34. The packet detection system according to claim 33, characterized in that the system further comprises: a processing module, configured to write the data packet into a blacklist when the data packet does not satisfy the detection policy.
35. The packet detection system according to claim 34, characterized in that the processing module comprises a discard module, configured to discard the data packets in the blacklist according to the alarm notification.
36. The packet detection system according to claim 34, characterized in that the processing module comprises a priority module, configured to lower the priority of the data packets in the blacklist.
37. The packet detection system according to any one of claims 31 to 36, characterized in that the detection module is located at the transport network layer.
38. The packet detection system according to claim 37, characterized in that the deep inspection module is located at the network control layer.
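Claims 7, 8, 18 and 19 classify the packet on the deep inspection result and then manage traffic by queue management and scheduling and by flow policing and shaping; claims 5, 16, 28 and 36 lower the priority of blacklisted packets instead of dropping them. The Python below is an added example for this page, not the patent's or its assignee's code, showing one way those pieces fit together: a token-bucket policer per class, a strict-priority queue keyed by the class, and demotion of blacklisted five-tuples below every normal class. The class names, rates, bucket depths and arrival trace are constructed.

```python
"""Classification-driven traffic management for the claims above: per-class token-bucket
policing, priority demotion of blacklisted five-tuples, and strict-priority scheduling.
Added example; class names, rates and the arrival trace are constructed, not from the patent."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field

@dataclass
class TokenBucket:
    """Policer: refills `rate` bytes per second up to `burst` bytes; non-conforming packets drop."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # start full so an initial burst up to `burst` conforms

    def conform(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

@dataclass
class TrafficManager:
    class_priority: dict[str, int]     # deep inspection class -> queue priority (0 is served first)
    policers: dict[str, TokenBucket]   # one policer per class
    blacklist: set[tuple]              # five-tuples whose priority is lowered (claims 5 and 16)
    queues: dict[int, deque] = field(default_factory=dict)
    dropped: list[tuple] = field(default_factory=list)

    def enqueue(self, five_tuple: tuple, cls: str, size: int, now: float) -> int | None:
        """Police by class, then queue at the class priority; blacklisted flows sit below every class."""
        if not self.policers[cls].conform(size, now):
            self.dropped.append((five_tuple, cls))
            return None
        prio = self.class_priority[cls]
        if five_tuple in self.blacklist:
            prio = max(self.class_priority.values()) + 1
        self.queues.setdefault(prio, deque()).append((five_tuple, cls, size))
        return prio

    def drain(self) -> list[tuple]:
        """Strict-priority service order; a shaper would pace this loop at the link rate."""
        served = []
        for prio in sorted(self.queues):
            while self.queues[prio]:
                served.append(self.queues[prio].popleft())
        return served

BULK = ("10.0.0.3", 40001, "192.0.2.12", 21, "tcp")
DEMOTED = ("10.0.0.9", 5000, "192.0.2.20", 80, "tcp")
ARRIVALS = [  # constructed trace: (five_tuple, deep inspection class, size in bytes, arrival time in s)
    (("10.0.0.1", 40000, "192.0.2.10", 80, "tcp"), "web", 1500, 0.000),
    (("10.0.0.2", 5060, "192.0.2.11", 5060, "udp"), "voip", 200, 0.001),
    (BULK, "bulk", 1500, 0.002),
    (BULK, "bulk", 1500, 0.003),
    (BULK, "bulk", 1500, 0.004),   # third bulk frame within 2 ms exceeds the 3000-byte bulk burst
    (DEMOTED, "web", 600, 0.005),  # blacklisted five-tuple: queued below every normal class
]

def run() -> tuple[list[int | None], list[tuple], list[tuple]]:
    tm = TrafficManager(
        class_priority={"voip": 0, "web": 1, "bulk": 2},
        policers={"voip": TokenBucket(64_000, 2_000), "web": TokenBucket(1_000_000, 15_000),
                  "bulk": TokenBucket(100_000, 3_000)},
        blacklist={DEMOTED},
    )
    prios = [tm.enqueue(ft, cls, size, t) for ft, cls, size, t in ARRIVALS]
    return prios, tm.drain(), tm.dropped
```

The policer spends a byte budget, so the third bulk frame two milliseconds after the first is dropped even though the long-run rate is low; that is policing as opposed to shaping, which would hold the frame until tokens accrue. Demoting rather than dropping blacklisted flows, as claims 5 and 16 allow, means a false positive in the detection policy degrades the flow instead of cutting it, which matters when that policy is only a five-tuple plus a rate model.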
CNA2008100562658A 2008-01-16 2008-01-16 Packet detection method and system Pending CN101488946A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNA2008100562658A CN101488946A (en) 2008-01-16 2008-01-16 Packet detection method and system
PCT/CN2008/072525 WO2009089701A1 (en) 2008-01-16 2008-09-25 Method and system for packet inspection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008100562658A CN101488946A (en) 2008-01-16 2008-01-16 Packet detection method and system

Publications (1)

Publication Number Publication Date
CN101488946A true CN101488946A (en) 2009-07-22

Family

ID=40885062

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008100562658A Pending CN101488946A (en) 2008-01-16 2008-01-16 Packet detection method and system

Country Status (2)

Country Link
CN (1) CN101488946A (en)
WO (1) WO2009089701A1 (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011022992A1 (en) * 2009-08-28 2011-03-03 中兴通讯股份有限公司 Control element, forwarding element and routing method for internet protocol network
CN101986609A (en) * 2009-07-29 2011-03-16 中兴通讯股份有限公司 Method and system for realizing network flow cleaning
CN101741744B (en) * 2009-12-17 2011-12-14 东南大学 Network flow identification method
CN101764754B (en) * 2009-12-28 2012-07-25 东南大学 Sample acquisition method for a service identification system based on DPI and DFI
CN103096166A (en) * 2011-10-18 2013-05-08 南京中新赛克科技有限责任公司 Internet protocol television (IPTV) front-end monitoring system and method
CN103237039A (en) * 2013-05-10 2013-08-07 汉柏科技有限公司 Message forwarding method and message forwarding device
CN103607354A (en) * 2013-11-26 2014-02-26 中国联合网络通信集团有限公司 Flow control method, DPI equipment and system
CN103618641A (en) * 2013-11-25 2014-03-05 北京邮电大学 Rapidly deployable data packet inspection and monitoring system based on a multi-core network processor
CN103888307A (en) * 2012-12-20 2014-06-25 中国电信股份有限公司 Method, user side board card and broadband access gateway for optimizing deep packet inspection
WO2016033986A1 (en) * 2014-09-01 2016-03-10 中兴通讯股份有限公司 Method and apparatus for implementing deep packet inspection
CN106507414A (en) * 2016-10-12 2017-03-15 杭州迪普科技股份有限公司 Message forwarding method and device
CN107172107A (en) * 2017-07-24 2017-09-15 中国人民解放军信息工程大学 Transparent management and control method and device for early backhaul of differentiated service flows
CN111817917A (en) * 2020-07-03 2020-10-23 中移(杭州)信息技术有限公司 A method, device, server and storage medium for deep packet inspection

Families Citing this family (7)

Publication number Priority date Publication date Assignee Title
CA2712542C (en) 2010-08-25 2012-09-11 Ibm Canada Limited - Ibm Canada Limitee Two-tier deep analysis of HTML traffic
CN102025623B (en) * 2010-12-07 2013-03-20 苏州迈科网络安全技术股份有限公司 Intelligent network flow control method
CN103152277A (en) * 2011-12-07 2013-06-12 北京网康科技有限公司 Method for improving network flow control performance and device thereof
CN102868638A (en) * 2012-08-16 2013-01-09 苏州迈科网络安全技术股份有限公司 Method and system for dynamically regulating bandwidth
CN104468253B (en) 2013-09-23 2019-07-12 中兴通讯股份有限公司 Deep packet inspection control method and device
CN105743681B (en) * 2014-12-12 2019-04-05 国家电网公司 Delay visualization and analysis method and system for a process-level communication network
CN109275045B (en) * 2018-09-06 2020-12-25 东南大学 DFI-based mobile terminal encrypted video advertisement traffic identification method

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
US8396927B2 (en) * 2004-12-21 2013-03-12 Alcatel Lucent Detection of unwanted messages (spam)
US7719966B2 (en) * 2005-04-13 2010-05-18 Zeugma Systems Inc. Network element architecture for deep packet inspection
CN1937623A (en) * 2006-10-18 2007-03-28 华为技术有限公司 Method and system for controlling network services
CN100440811C (en) * 2006-12-25 2008-12-03 杭州华三通信技术有限公司 Network attack detection method and device
CN100474819C (en) * 2007-05-17 2009-04-01 华为技术有限公司 Deep packet inspection method, network device and system

Cited By (20)

Publication number Priority date Publication date Assignee Title
CN101986609A (en) * 2009-07-29 2011-03-16 中兴通讯股份有限公司 Method and system for realizing network flow cleaning
WO2011022992A1 (en) * 2009-08-28 2011-03-03 中兴通讯股份有限公司 Control element, forwarding element and routing method for internet protocol network
CN101997826A (en) * 2009-08-28 2011-03-30 中兴通讯股份有限公司 Routing methods of control net element, forwarding net element and internet protocol network
CN101741744B (en) * 2009-12-17 2011-12-14 东南大学 Network flow identification method
CN101764754B (en) * 2009-12-28 2012-07-25 东南大学 Sample acquisition method for a service identification system based on DPI and DFI
CN103096166B (en) * 2011-10-18 2017-07-11 南京中新赛克科技有限责任公司 IPTV front-end monitoring system and method
CN103096166A (en) * 2011-10-18 2013-05-08 南京中新赛克科技有限责任公司 Internet protocol television (IPTV) front-end monitoring system and method
CN103888307A (en) * 2012-12-20 2014-06-25 中国电信股份有限公司 Method, user side board card and broadband access gateway for optimizing deep packet inspection
CN103237039A (en) * 2013-05-10 2013-08-07 汉柏科技有限公司 Message forwarding method and message forwarding device
CN103618641A (en) * 2013-11-25 2014-03-05 北京邮电大学 Rapidly deployable data packet inspection and monitoring system based on a multi-core network processor
CN103618641B (en) * 2013-11-25 2017-01-11 北京邮电大学 Rapidly deployable data packet inspection and monitoring system based on a multi-core network processor
CN103607354B (en) * 2013-11-26 2016-09-07 中国联合网络通信集团有限公司 Traffic control method, DPI device and system
CN103607354A (en) * 2013-11-26 2014-02-26 中国联合网络通信集团有限公司 Flow control method, DPI equipment and system
WO2016033986A1 (en) * 2014-09-01 2016-03-10 中兴通讯股份有限公司 Method and apparatus for implementing deep packet inspection
CN105406977A (en) * 2014-09-01 2016-03-16 中兴通讯股份有限公司 Deep packet inspection implementation method and device
CN106507414A (en) * 2016-10-12 2017-03-15 杭州迪普科技股份有限公司 Message forwarding method and device
CN106507414B (en) * 2016-10-12 2020-02-11 杭州迪普科技股份有限公司 Message forwarding method and device
CN107172107A (en) * 2017-07-24 2017-09-15 中国人民解放军信息工程大学 Transparent management and control method and device for early backhaul of differentiated service flows
CN107172107B (en) * 2017-07-24 2019-08-13 中国人民解放军信息工程大学 Transparent management and control method and device for early backhaul of differentiated service flows
CN111817917A (en) * 2020-07-03 2020-10-23 中移(杭州)信息技术有限公司 A method, device, server and storage medium for deep packet inspection

Also Published As

Publication number Publication date
WO2009089701A1 (en) 2009-07-23

Similar Documents

Publication Publication Date Title
CN101488946A (en) Packet detection method and system
CN100474819C (en) Deep packet inspection method, network device and system
US7710869B1 (en) Packet routing to reduce susceptibility to disturbances
US7281058B1 (en) Delivering and receiving multicast content across a unicast network
US8077607B2 (en) Dynamic response to traffic bursts in a computer network
CN103718507A (en) Method and apparatus for rapid switchover from primary to standby multicast trees
CN109565501A (en) Techniques for selecting a content delivery network entity
US8817792B2 (en) Data forwarding method, data processing method, system and relevant devices
WO2006111635A1 (en) Method and system for transmitting a multicast stream in data exchange network
CN102165740A (en) Congestion control method and device
WO2011022992A1 (en) Control element, forwarding element and routing method for internet protocol network
KR101280132B1 (en) Device and method for estimating the filling rate of the input buffers of clients of a real-time content distribution
KR101688682B1 (en) Fast LSP alert mechanism
CN109561072B (en) Link detection method and system
KR20080086473A (en) Systems and / or Methods for Downstream Bidding
CN101425868A (en) Method and system for media transmission quality monitoring and controlling
CN1897567A (en) Method for improving transmission reliability in virtual exchange system
CN106254267A (en) Data forwarding path adjustment method and gateway device
EP1825621B1 (en) System and method for improving the quality of real time multimedia sessions
JP2009053969A (en) Service providing system, filtering device, filtering method and message confirmation method
CN102480471A (en) Method for realizing QoS (quality of service) processing in monitoring RRPP (rapid ring protection protocol) ring and network node
CN101299716A (en) Method, apparatus and system for transmitting service data
JP2005102104A (en) IP multicast distribution system, rate control method thereof, program thereof, and recording medium
WO2006076850A1 (en) A process method for dealing with device overload in the communication network
CN106550222B (en) A video stream sending method and network camera

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20090722