
CN118540107A - P4-based session data packet multimode character string matching method and system - Google Patents


Info

Publication number
CN118540107A
Authority
CN
China
Prior art keywords
data packet
session
network device
packet
rule
Prior art date
Legal status
Pending
Application number
CN202410543583.6A
Other languages
Chinese (zh)
Inventor
刘亚萍
何德凯
张硕
陈世越
王子齐
Current Assignee
Guangzhou University
Original Assignee
Guangzhou University
Priority date
Filing date
Publication date
Application filed by Guangzhou University
Priority to CN202410543583.6A
Publication of CN118540107A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/22 Matching criteria, e.g. proximity measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The present invention provides a P4-based multi-pattern string matching method and system for session data packets, belonging to the field of network security. The method uses P4 to execute a deep packet inspection algorithm and an NFA state transition algorithm to convert the payload into bitmap form, which is recorded in a local register. When the P4 network device receives a response packet, a hash is computed from the 32-bit MD5 of the five-tuple that uniquely identifies the packet type in order to find the corresponding request packet, and the session rules are checked against the NFA state of that request packet. Implementing the invention effectively reduces the computational overhead of multi-pattern string matching and significantly improves the efficiency with which the system extracts session rules, without caching session request packets.

Description

A P4-based multi-pattern string matching method and system for session data packets

Technical Field

The invention belongs to the technical field of network security, and in particular relates to a P4-based multi-pattern string matching method and system for session data packets.

Background Art

A session is an important concept in network security; it usually consists of a set of request packets and response packets. Session rules are multi-pattern string matching rules in which the payloads of the request and response packets of a session carry pattern information from a specified database. As network attack techniques become more complex and covert, session-level attacks such as man-in-the-middle attacks, phishing attacks and session hijacking attacks are an increasingly serious problem for network security. These attacks are usually not carried out in a single packet but through a series of ordered, related packets within a session, and may involve several stages, including reconnaissance, exploitation, command-and-control communication, and data theft or service disruption. Session-level rule matching can track and analyze the packets of an entire session, revealing the attacker's behaviour patterns and attack chain. Joint analysis of all packets in a session can identify attacks that are not apparent from the analysis of a single packet, which reduces the probability of false positives and false negatives and thereby improves detection accuracy. Against this background, multi-pattern matching of session-level packets is particularly important.

Multi-pattern matching is a key technique in network security: it identifies and matches a specified set of patterns in network traffic in real time in order to detect malware, prevent network intrusions and implement data loss prevention. As demands on network bandwidth and processing capacity grow, however, traditional multi-pattern matching methods are increasingly unable to keep up.

With the emergence of programmable networks, P4 (Programming Protocol-Independent Packet Processors) programmable switches offer a new way to perform multi-pattern matching on session-level packets. P4 switches allow developers to write code that customizes how packets are processed, so that specific network functions can be implemented. Systems such as PPS and BOLT, for example, can perform multi-pattern matching in the simple settings of today's high-bandwidth networks. In a session packet flow environment, however, PPS and BOLT cannot detect session-level packets; they lack a joint analysis of the session flow, which results in a loss of detection accuracy.

Summary of the Invention

To solve the above problems, the present invention provides a P4-based multi-pattern string matching method and system for session data packets.

In a first aspect, an embodiment of the present invention provides a P4-based multi-pattern string matching method for session data packets, comprising the following steps:

S1: the P4 network device obtains NFA state transition entries and session rule entries from its entry input port;

S2: the P4 network device receives a data packet from a receiving port and parses the packet header;

S3: the P4 network device makes a mirror copy of the packet, feeds the mirrored packet into the recirculation port, and forwards the original packet from the forwarding port;

S4: based on the packet header information, determine whether the mirrored packet is a session packet; if it is not a session packet, end the whole process; if it is a session packet, go to step S5;

S5: perform NFA state transition processing on the payload of the mirrored packet according to the NFA state transition entries; when the P4 network device pipeline has completed the state transitions for the whole payload, return a pattern bitmap and go to step S6; otherwise forward the mirrored packet to the recirculation port again;

S6: the P4 network device maps the pattern bitmap to a unidirectional flow rule and stores it temporarily in memory;

S7: the P4 network device computes the five-tuple hash of the mirrored packet and determines whether the packet is a request packet or a response packet; if it is a request packet in a session, the P4 network device reads the register indexed by the five-tuple hash value; if it is a response packet in a session, the P4 network device reads the unidirectional flow rule number of the request packet from the register indexed by the hash value of the reversed five-tuple, and goes to step S8;

S8: combine the unidirectional flow rule number of the request packet read from the register with the unidirectional flow rule number of the mirrored packet and determine whether the combination hits a session rule number in the session rule entries that were input; if it does, the session to which the mirrored packet belongs may contain attack behaviour, and the session rule number is uploaded to the server; if it does not, the whole process ends.

In some possible implementations, the NFA state transition entries contain the logic of the NFA state transitions, and the P4 network device can parse the packet payload based on them; each NFA state transition entry comprises the following components: current state, input symbol and transition type.

In some possible implementations, the session rule entries are used for rule matching on session flows and specifically comprise: a pattern, pattern bitmaps, unidirectional flow bitmaps, a unidirectional rule id and a session rule id.

In some possible implementations, the session rule entries are designed with the Snort3 intrusion detection system.

In some possible implementations, parsing the packet header comprises: the P4 network device extracting the fields of the packet header step by step in a predefined order and parsing recursively; the source port number, destination port number and IP address of the packet obtained by parsing are stored in the memory of the P4 network device.

In some possible implementations, determining from the packet header information whether the mirrored packet is a session packet comprises: determining whether the packet is a session packet by parsing the session identifier and protocol interaction features in the packet.

In some possible implementations, the pattern bitmap of step S5 maps the set of patterns matched by the payload of the mirrored packet across all pipelines of the P4 network device.

In some possible implementations, when the mirrored packet is a request packet in a session and the P4 network device reads the register indexed by the five-tuple hash value, this comprises: if the hash value does not collide, writing the five-tuple information, pattern bitmap and unidirectional flow rule number of the mirrored packet to the register offset corresponding to that hash value; if a hash collision occurs, using the linear probing method of open addressing to probe step by step for an empty hash bucket, and writing the five-tuple information, pattern bitmap and unidirectional flow rule number of the mirrored packet into that bucket.

In some possible implementations, in step S7 the P4 network device computes the five-tuple hash of the mirrored packet with the MD5 algorithm.

In a second aspect, the present application also proposes a P4-based multi-pattern string matching system for session data packets, the system specifically comprising:

a dispatch module, for inputting NFA state transition entries and session rule entries into the entry input port of the P4 network device;

a P4 network device module, comprising a P4 network device, for executing any of the P4-based multi-pattern string matching methods for session data packets described in the first aspect above;

a server module, comprising a server, for receiving session rule numbers from the P4 network device, extracting the corresponding session rule information according to the session rule number, and updating a database log based on that session rule information.

Implementing the present invention achieves, but is not limited to, the following beneficial technical effects:

(1) Compared with traditional multi-pattern matching algorithms, the method of the present invention offloads multi-pattern string matching to the programmable switch, reducing the computing resource overhead.

(2) The present invention proposes a deep packet inspection (DPI) method that requires no caching and can efficiently extract session rules without caching session request packets.

(3) The present invention uses P4 to execute the deep packet inspection algorithm. Instead of caching packets, it extracts the payload from each packet directly, converts the payload into bitmap form with the NFA state transition algorithm and records it in a local register, thereby avoiding the memory overhead of caching packets.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings, which form part of the present application, provide a further understanding of the application; the illustrative embodiments of the application and their descriptions serve to explain the application and do not constitute an improper limitation of it.

FIG. 1 is a flow chart of a P4-based multi-pattern string matching method for session data packets according to an embodiment of the present application;

FIG. 2 is a schematic diagram of the framework of a P4-based multi-pattern string matching system for session data packets according to an embodiment of the present application;

FIG. 3 shows the operating state of the P4 network device register in an application scenario according to an embodiment of the present application.

DETAILED DESCRIPTION

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by a person skilled in the art to which the present disclosure belongs. Although any methods similar or equivalent to those described herein can also be used in the practice or testing of the present disclosure, only exemplary methods are described here.

It should be understood that, when used in this specification and the appended claims, the terms "include" and "comprise" indicate the presence of the described features, integers, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or combinations thereof.

It should also be understood that the terms used in this specification are for the purpose of describing particular embodiments only and are not intended to limit the invention. As used in this specification and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms unless the context clearly indicates otherwise.

In the first aspect, referring to FIG. 1 and FIG. 2, FIG. 1 shows a P4-based multi-pattern string matching method for session data packets provided in an embodiment of the present application, comprising the following steps:

S1: the P4 network device obtains NFA state transition entries and session rule entries from its entry input port.

Specifically, the NFA state transition entries contain the logic of the NFA state transitions, and the P4 network device can parse the packet payload based on them. For example, each NFA state transition entry may comprise the following components: current state, input symbol, transition type, and so on.

The session rule entries are used for rule matching on session flows. In some possible implementations, a session rule entry may comprise: a pattern, pattern bitmaps, unidirectional flow bitmaps, a unidirectional rule id and a session rule id.

Preferably, the session rule entries can be designed with the Snort3 intrusion detection system.

S2: the P4 network device receives a data packet from a receiving port and parses the packet header.

Specifically, parsing the packet header includes obtaining the source port number, destination port number and IP address of the packet and storing them in the memory of the P4 network device. Header parsing takes place in the parser stage (Parser), in which the P4 network device extracts the fields of the header step by step in a predefined order and parses recursively, so that multi-layer encapsulation protocols such as IP-in-IP, GRE and VXLAN can be handled. The parser of a P4 network device can define multiple parse states, each responsible for parsing a particular header or performing a particular action, such as jumping to the next state, extracting field values or discarding a header.

S3: the P4 network device makes a mirror copy of the packet, feeds the mirrored packet into the recirculation port, and forwards the original packet from the forwarding port.

S4: based on the packet header information, determine whether the mirrored packet is a session packet; if it is not a session packet, end the whole process; if it is a session packet, go to step S5.

Specifically, whether the packet is a session packet can be determined by parsing a session identifier in the packet (such as the five-tuple) or protocol interaction features (such as the protocol handshake and termination procedure or the request-response pattern), or by querying the session table maintained by the P4 network device to see whether the packet belongs to a known session. For example, if the source or destination port number of the mirrored packet is parsed as 80, the packet can be judged to be an HTTP session packet.

S5: perform NFA state transition processing on the payload of the mirrored packet according to the NFA state transition entries; when the P4 network device pipeline has completed the state transitions for the whole payload, return a pattern bitmap and go to step S6; otherwise forward the mirrored packet to the recirculation port again.

Specifically, the pattern bitmap maps the set of patterns matched by the payload of the mirrored packet across all pipelines of the P4 network device.

S6: the P4 network device maps the pattern bitmap to a unidirectional flow rule and stores it temporarily in memory. The unidirectional flow rule exists in the form of a compressed bitmap and records the rule number matched by the pattern bitmap of the current packet.
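As an added example, not the patent's own code, the payload stage of steps S1, S5 and S6 simulated in Python: a trie-shaped NFA is built from a constructed pattern set, the payload is consumed a fixed number of bytes per pipeline pass with the set of live NFA states carried across recirculations (so a pattern spanning two passes still matches), the result is the pattern bitmap, and the bitmap is then mapped to a compressed bitmap of unidirectional rule ids. The patterns, the bytes-per-pass limit and the required-pattern table are constructed assumptions.

```python
"""Added example: the payload NFA stage (S1, S5, S6) of the patent simulated in
Python.  Not the patent's own code; patterns, pass width and rule table are
constructed here for illustration."""
from dataclasses import dataclass, field

START = 0  # NFA start state; re-entered on every byte so a match may begin anywhere


@dataclass
class NFA:
    # NFA state transition entries: (current state, input symbol) -> next state
    trans: dict = field(default_factory=dict)
    # transition type "accept": state -> bitmap of pattern indices completed there
    accept: dict = field(default_factory=dict)
    n_states: int = 1


def build_nfa(patterns):
    """Build the transition entries a control plane would push in step S1.
    Patterns are byte strings; pattern i sets bit i of the pattern bitmap."""
    nfa = NFA()
    for idx, pat in enumerate(patterns):
        state = START
        for sym in pat:
            key = (state, sym)
            if key not in nfa.trans:
                nfa.trans[key] = nfa.n_states
                nfa.n_states += 1
            state = nfa.trans[key]
        nfa.accept[state] = nfa.accept.get(state, 0) | (1 << idx)
    return nfa


def run_pass(nfa, payload, offset, active, bitmap, bytes_per_pass):
    """One traversal of the pipeline: consume at most bytes_per_pass bytes.
    `active` is the set of live NFA states as an int bitmap (the state the
    switch carries in packet metadata between recirculations).  Returns the new
    offset, active set, pattern bitmap and whether another pass is needed."""
    end = min(offset + bytes_per_pass, len(payload))
    for pos in range(offset, end):
        sym = payload[pos]
        nxt = 1 << START
        remaining = active
        while remaining:
            low = remaining & -remaining
            state = low.bit_length() - 1
            remaining ^= low
            target = nfa.trans.get((state, sym))
            if target is not None:
                nxt |= 1 << target
                bitmap |= nfa.accept.get(target, 0)
        active = nxt
    return end, active, bitmap, end < len(payload)


def match_payload(nfa, payload, bytes_per_pass=8):
    """Step S5 driver: recirculate until the whole payload has been consumed.
    Returns (pattern bitmap, number of pipeline passes)."""
    offset, active, bitmap, passes = 0, 1 << START, 0, 0
    more = True
    while more:
        passes += 1
        offset, active, bitmap, more = run_pass(
            nfa, payload, offset, active, bitmap, bytes_per_pass)
    return bitmap, passes


def unidirectional_rules(pattern_bitmap, rule_table):
    """Step S6: map a pattern bitmap to the compressed bitmap of unidirectional
    rule ids whose required patterns are all present.
    rule_table: list of (unidirectional rule id, required pattern bitmap)."""
    hits = 0
    for rule_id, required in rule_table:
        if pattern_bitmap & required == required:
            hits |= 1 << rule_id
    return hits


# Constructed sample data (not from the patent).
PATTERNS = [b"GET ", b"/admin", b"cmd=", b"passwd"]
RULE_TABLE = [
    (1, 0b0011),  # rule 1 needs "GET " and "/admin"
    (2, 0b1100),  # rule 2 needs "cmd=" and "passwd"
]
SAMPLE_PAYLOAD = b"GET /admin/login?cmd=id HTTP/1.1"

if __name__ == "__main__":
    nfa = build_nfa(PATTERNS)
    bitmap, passes = match_payload(nfa, SAMPLE_PAYLOAD, bytes_per_pass=8)
    print(f"pattern bitmap {bitmap:04b} after {passes} passes")
    print(f"unidirectional rule bitmap {unidirectional_rules(bitmap, RULE_TABLE):b}")
```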

S7: the P4 network device computes the five-tuple hash of the mirrored packet and determines whether the packet is a request packet or a response packet; if it is a request packet in a session, the P4 network device reads the register indexed by the five-tuple hash value; if it is a response packet in a session, the P4 network device reads the unidirectional flow rule number of the request packet from the register indexed by the hash value of the reversed five-tuple, and goes to step S8. One operating state of the P4 network device register in this embodiment is shown in FIG. 3.

Specifically, the five-tuple consists of the source IP, destination IP, source port, destination port and transport-layer protocol type. After the response characteristics of the packet are located from the packet header information and the five-tuple hash, it can be determined whether the mirrored packet is a request packet or a response packet. If the mirrored packet is a request packet in a session, the P4 network device reads the register indexed by the five-tuple hash value, as follows: if the hash value does not collide, the five-tuple information, pattern bitmap and unidirectional flow rule number of the mirrored packet are written to the register offset corresponding to that hash value; if a hash collision occurs, the linear probing method of open addressing is used to probe step by step for an empty hash bucket, and the five-tuple information, pattern bitmap and unidirectional flow rule number of the mirrored packet are written into that bucket.

Preferably, the P4 network device may use the MD5 hash algorithm to compute the five-tuple hash of the mirrored packet.

S8: combine the unidirectional flow rule number of the request packet read from the register with the unidirectional flow rule number of the mirrored packet and determine whether the combination hits a session rule number in the session rule entries that were input; if it does, the session to which the mirrored packet belongs may contain attack behaviour, and the session rule number is uploaded to the server; if it does not, the whole process ends.
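As an added example, not the patent's own code, the register stage of steps S7 and S8 simulated in Python: a request packet's five-tuple, pattern bitmap and unidirectional rule bitmap are written to a register bucket chosen by a 32-bit truncation of the MD5 of the five-tuple (the abstract mentions a 32-bit MD5 result), collisions are resolved by linear probing, a response packet looks up the reversed five-tuple, and the two unidirectional rule bitmaps are combined against the session rule entries. The register size, the request/response decision by server port, the five-tuple encoding fed to MD5 and the sample rules are constructed assumptions.

```python
"""Added example: the register stage (S7, S8) of the patent simulated in Python.
Not the patent's own code.  Assumptions: five-tuple hashed with MD5 truncated to
32 bits, a fixed-size register with linear probing, and a request/response
decision based on the server port."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int

    def reverse(self):
        """The reversed five-tuple used to find the request of a response packet."""
        return FiveTuple(self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)


def five_tuple_hash(ft):
    """32-bit index derived from the MD5 of the five-tuple (first four digest bytes).
    The textual encoding of the tuple is an assumption of this example."""
    raw = f"{ft.src_ip}|{ft.dst_ip}|{ft.src_port}|{ft.dst_port}|{ft.proto}".encode()
    return int.from_bytes(hashlib.md5(raw).digest()[:4], "big")


class FlowRegister:
    """Register array indexed by five-tuple hash; collisions resolved by linear probing.
    Each bucket holds (five-tuple, pattern bitmap, unidirectional rule bitmap) or None."""

    def __init__(self, size):
        self.size = size
        self.buckets = [None] * size

    def write_request(self, ft, pattern_bitmap, uni_rules):
        """Step S7 for a request packet: write into the hashed bucket, or probe
        forward for the first empty bucket when that one is held by another flow."""
        base = five_tuple_hash(ft) % self.size
        for step in range(self.size):
            idx = (base + step) % self.size
            held = self.buckets[idx]
            if held is None or held[0] == ft:
                self.buckets[idx] = (ft, pattern_bitmap, uni_rules)
                return idx
        raise MemoryError("register full: no empty bucket in the probe sequence")

    def read_request(self, ft):
        """Step S7 for a response packet: probe from the hashed bucket of the
        reversed five-tuple until the request's entry or an empty bucket is found."""
        base = five_tuple_hash(ft) % self.size
        for step in range(self.size):
            held = self.buckets[(base + step) % self.size]
            if held is None:
                return None
            if held[0] == ft:
                return held
        return None


def session_hits(request_rules, response_rules, session_rules):
    """Step S8: combine request and response unidirectional rule bitmaps and
    return the session rule ids that are hit.  session_rules maps
    (request rule id, response rule id) -> session rule id."""
    hits = []
    for (req_id, resp_id), session_id in session_rules.items():
        if request_rules >> req_id & 1 and response_rules >> resp_id & 1:
            hits.append(session_id)
    return hits


def process_packet(reg, ft, pattern_bitmap, uni_rules, session_rules, server_port=80):
    """Steps S7-S8 for one mirrored packet whose payload stage already produced
    its bitmaps.  A packet addressed to server_port is treated as a request
    (assumption); anything else is a response looked up by the reversed tuple.
    Returns the list of session rule ids to upload to the server."""
    if ft.dst_port == server_port:
        reg.write_request(ft, pattern_bitmap, uni_rules)
        return []
    request = reg.read_request(ft.reverse())
    if request is None:
        return []  # no request recorded for this session: nothing to correlate
    return session_hits(request[2], uni_rules, session_rules)


# Constructed sample data (not from the patent).
SESSION_RULES = {(1, 2): 7}  # request hit rule 1 and response hit rule 2 -> session rule 7
REQUEST = FiveTuple("10.0.0.5", "10.0.0.9", 40000, 80, 6)
RESPONSE = REQUEST.reverse()

if __name__ == "__main__":
    reg = FlowRegister(size=1024)
    print(process_packet(reg, REQUEST, 0b0111, 0b010, SESSION_RULES))   # []
    print(process_packet(reg, RESPONSE, 0b1000, 0b100, SESSION_RULES))  # [7]
```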

In a second aspect, an embodiment of the present invention further provides a P4-based multi-pattern string matching system for session data packets, comprising the following modules:

A dispatch module, for inputting NFA state transition entries and session rule entries into the entry input port of the P4 network device.

A P4 network device module, comprising a P4 network device, for executing the P4-based multi-pattern string matching method for session data packets described in the embodiments of the first aspect above.

A server module, comprising a server, for receiving session rule numbers from the P4 network device, extracting the corresponding session rule information according to the session rule number, and updating a database log based on that session rule information.

In the embodiments provided by the present invention, it should be understood that the disclosed system and method may be implemented in other ways. For example, the system embodiments described above are merely illustrative; the division into modules is only a logical functional division, and other divisions are possible in actual implementation. In addition, the steps of the method in the embodiments of the present invention may be reordered, merged or omitted according to actual needs.

The preferred specific embodiments of the present invention have been described in detail above. It should be understood that a person of ordinary skill in the art can make many modifications and variations based on the concept of the present invention without creative effort. Therefore, all technical solutions that a person skilled in the art can obtain from the concept of the present invention on the basis of the prior art through logical analysis, reasoning or limited experimentation fall within the scope of protection defined by the claims.

Claims (10)

1. A P4-based multi-pattern string matching method for session data packets, characterized in that it comprises the following steps:

S1: the P4 network device obtains NFA state transition entries and session rule entries from its entry input port;

S2: the P4 network device receives a data packet from a receiving port and parses the packet header;

S3: the P4 network device makes a mirror copy of the packet, feeds the mirrored packet into the recirculation port, and forwards the original packet from the forwarding port;

S4: based on the packet header information, determine whether the mirrored packet is a session packet; if it is not a session packet, end the whole process; if it is a session packet, go to step S5;

S5: perform NFA state transition processing on the payload of the mirrored packet according to the NFA state transition entries; when the P4 network device pipeline has completed the state transitions for the whole payload, return a pattern bitmap and go to step S6; otherwise forward the mirrored packet to the recirculation port again;

S6: the P4 network device maps the pattern bitmap to a unidirectional flow rule and stores it temporarily in memory;

S7: the P4 network device computes the five-tuple hash of the mirrored packet and determines whether the packet is a request packet or a response packet; if it is a request packet in a session, the P4 network device reads the register indexed by the five-tuple hash value; if it is a response packet in a session, the P4 network device reads the unidirectional flow rule number of the request packet from the register indexed by the hash value of the reversed five-tuple, and goes to step S8;

S8: combine the unidirectional flow rule number of the request packet read from the register with the unidirectional flow rule number of the mirrored packet and determine whether the combination hits a session rule number in the session rule entries that were input; if it does, the session to which the mirrored packet belongs may contain attack behaviour, and the session rule number is uploaded to the server; if it does not, the whole process ends.

2. The P4-based multi-pattern string matching method for session data packets according to claim 1, characterized in that the NFA state transition entries contain the logic of the NFA state transitions, and the P4 network device can parse the packet payload based on them; each NFA state transition entry comprises the following components: current state, input symbol and transition type.

3. The P4-based multi-pattern string matching method for session data packets according to claim 1, characterized in that the session rule entries are used for rule matching on session flows and specifically comprise: a pattern, pattern bitmaps, unidirectional flow bitmaps, a unidirectional rule id and a session rule id.

4. The P4-based multi-pattern string matching method for session data packets according to claim 1, characterized in that the session rule entries are designed with the Snort3 intrusion detection system.

5. The P4-based multi-pattern string matching method for session data packets according to claim 1, characterized in that parsing the packet header comprises: the P4 network device extracting the fields of the packet header step by step in a predefined order and parsing recursively; the source port number, destination port number and IP address of the packet obtained by parsing are stored in the memory of the P4 network device.

6. The P4-based multi-pattern string matching method for session data packets according to claim 1, characterized in that determining from the packet header information whether the mirrored packet is a session packet comprises: determining whether the packet is a session packet by parsing the session identifier and protocol interaction features in the packet.

7. The P4-based multi-pattern string matching method for session data packets according to claim 1, characterized in that the pattern bitmap of step S5 maps the set of patterns matched by the payload of the mirrored packet across all pipelines of the P4 network device.
The P4-based session data packet multi-mode string matching method according to claim 1 is characterized in that the mode bitmap in step S5 maps the set of patterns matched by the payload of the mirrored data packet in all pipelines of the P4 network device. 8.根据权利要求1所述的基于P4的会话数据包多模式字符串匹配方法,其特征在于,所述若所述镜像数据包是会话中的请求包,则所述P4网络设备基于五元组哈希索引值读取寄存器,包括:8. The method for multi-mode string matching of session data packets based on P4 according to claim 1, characterized in that if the mirror data packet is a request packet in a session, the P4 network device reads a register based on a five-tuple hash index value, comprising: 若哈希值没有发生冲突,则将所述镜像数据包的五元组信息、模式位图和单向流规则号更新到该哈希值对应的寄存器偏移中;If there is no conflict in the hash value, the five-tuple information, mode bitmap and unidirectional flow rule number of the mirrored data packet are updated to the register offset corresponding to the hash value; 若发生哈希冲突,则采用开放定址法中的线性探测方法,逐步探测空的哈希桶,并将所述镜像数据包的五元组信息、模式位图和单向流规则号写入所述哈希桶中。If a hash conflict occurs, a linear detection method in an open addressing method is used to gradually detect empty hash buckets, and the five-tuple information, mode bitmap and unidirectional flow rule number of the mirrored data packet are written into the hash bucket. 9.根据权利要求1所述的基于P4的会话数据包多模式字符串匹配方法,其特征在于,9. The method for multi-mode string matching of session data packets based on P4 according to claim 1, characterized in that: 步骤S7中所述P4网络设备采用MD5算法计算所述镜像数据包的五元组哈希。In step S7, the P4 network device uses the MD5 algorithm to calculate the five-tuple hash of the mirrored data packet. 10.一种基于P4的会话数据包多模式字符串匹配系统,其特征在于,包括:10. 
A multi-mode string matching system for session data packets based on P4, characterized by comprising: 下发模块,用于向P4网络设备的条目输入端口输入NFA状态转移条目和会话规则条目;A sending module, used for inputting NFA state transition entries and session rule entries into an entry input port of a P4 network device; P4网络设备模块,包含P4网络设备,用于执行权利要求1-9任一项所述一种基于P4的会话数据包多模式字符串匹配方法;A P4 network device module, comprising a P4 network device, for executing a P4-based session data packet multi-mode string matching method according to any one of claims 1 to 9; 服务器模块,包含服务器,用于接收来自所述P4网络设备的会话规则号,根据所述会话规则号提取对应的会话规则信息,并基于所述会话规则信息更新数据库日志。The server module includes a server, which is used to receive a session rule number from the P4 network device, extract corresponding session rule information according to the session rule number, and update a database log based on the session rule information.
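The following Python model is an added illustration of the claimed data path (steps S5 to S8 and claims 2, 8 and 9) and is not code from the patent or from any P4 implementation by the applicants. It simulates the NFA state transition table with (current state, input symbol) entries, the per-pass recirculation of the payload, the pattern bitmap to unidirectional flow rule mapping, the MD5-indexed session registers with linear probing, and the reverse five-tuple lookup that joins the request and response directions into a session rule hit. The pattern set, rule tables, register size, bytes per pipeline pass, the "destination port equals service port means request" direction heuristic, and the sample packets are all constructed assumptions for the demonstration.

```python
import hashlib
from dataclasses import dataclass

# --- Constructed inputs (hypothetical; not from the patent) -------------------
PATTERNS = [b"GET /admin", b"cmd.exe", b"200 OK", b"root:"]   # bit i <-> PATTERNS[i]
UNIDIR_RULES = {0b0001: 1, 0b0011: 2, 0b0100: 3, 0b1100: 4}   # pattern bitmap -> unidirectional rule no. (S6)
SESSION_RULES = {(2, 4): 100, (1, 4): 101}                    # (request rule, response rule) -> session rule no. (S8)


def build_nfa_entries(patterns):
    """Build NFA state transition entries: (current state, input symbol) -> set of next
    states, plus an accept map next state -> pattern bit (the 'transition type' of claim 2).
    State 0 is the idle state; every pattern gets its own chain of states."""
    table, accept, nxt = {}, {}, 1
    for i, p in enumerate(patterns):
        cur = 0
        for k, sym in enumerate(p):
            table.setdefault((cur, sym), set()).add(nxt)
            if k == len(p) - 1:
                accept[nxt] = i
            cur, nxt = nxt, nxt + 1
    return table, accept


def nfa_match(payload, table, accept, bytes_per_pass=8):
    """Step S5: each pipeline pass consumes bytes_per_pass bytes of payload and the packet
    is recirculated until the whole payload is consumed. Because the automaton is
    nondeterministic, a set of active states is carried across bytes and passes.
    Returns (pattern bitmap, number of pipeline passes)."""
    active, bitmap, passes = {0}, 0, 0
    for off in range(0, len(payload), bytes_per_pass):
        passes += 1                                   # one recirculation per chunk
        for sym in payload[off:off + bytes_per_pass]:
            nxt = {0}                                 # idle state stays active so a pattern may start anywhere
            for s in active:
                for ns in table.get((s, sym), ()):
                    nxt.add(ns)
                    if ns in accept:
                        bitmap |= 1 << accept[ns]
            active = nxt
    return bitmap, passes


@dataclass
class Slot:
    key: tuple = None
    bitmap: int = 0
    rule: int = 0


class SessionRegisters:
    """Register array indexed by the five-tuple hash (claim 9: MD5) with linear probing
    of open addressing on collision (claim 8)."""

    def __init__(self, size=16):
        self.slots = [Slot() for _ in range(size)]

    def index(self, five_tuple):
        digest = hashlib.md5(repr(five_tuple).encode()).digest()
        return int.from_bytes(digest[:4], "big") % len(self.slots)

    def write(self, five_tuple, bitmap, rule):
        i = self.index(five_tuple)
        for _ in range(len(self.slots)):
            slot = self.slots[i]
            if slot.key is None or slot.key == five_tuple:  # empty bucket or same session
                slot.key, slot.bitmap, slot.rule = five_tuple, bitmap, rule
                return i
            i = (i + 1) % len(self.slots)                   # probe the next bucket
        raise RuntimeError("session registers full")

    def read(self, five_tuple):
        i = self.index(five_tuple)
        for _ in range(len(self.slots)):
            slot = self.slots[i]
            if slot.key is None:
                return None                                 # probe chain ended: not stored
            if slot.key == five_tuple:
                return slot.rule
            i = (i + 1) % len(self.slots)
        return None


def reverse(five_tuple):
    """Reverse five-tuple used to find the request direction of a response packet (S7)."""
    src, sport, dst, dport, proto = five_tuple
    return dst, dport, src, sport, proto


def process_mirror(pkt, regs, table, accept, service_port=80):
    """Steps S5-S8 for one mirrored packet given as (five_tuple, payload).
    Returns the matched session rule number, or None when nothing is to be reported."""
    ft, payload = pkt
    bitmap, _ = nfa_match(payload, table, accept)            # S5
    rule = UNIDIR_RULES.get(bitmap, 0)                       # S6
    if ft[3] == service_port:                                # assumption: toward service port = request
        regs.write(ft, bitmap, rule)                         # S7, request branch
        return None
    req_rule = regs.read(reverse(ft))                        # S7, response branch
    if req_rule is None:
        return None
    return SESSION_RULES.get((req_rule, rule))               # S8: combine both directions


def demo():
    """Constructed request/response pair; returns the per-packet results [None, 100]."""
    table, accept = build_nfa_entries(PATTERNS)
    regs = SessionRegisters()
    client = ("10.0.0.5", 40000, "10.0.0.9", 80, 6)
    req = (client, b"GET /admin?x=cmd.exe HTTP/1.1\r\n")
    resp = (reverse(client), b"HTTP/1.1 200 OK\r\n\r\nroot:x:0:0\n")
    return [process_mirror(p, regs, table, accept) for p in (req, resp)]


if __name__ == "__main__":
    print(demo())
```

The request alone only records its unidirectional rule in the register; the session rule fires only when the response, looked up through the reverse five-tuple, supplies the second half of the pair, which is the point of matching per session rather than per packet. The register read on a missing key stops at the first empty bucket, so a probe chain must never be broken by deleting entries in place; a real implementation would need tombstones or periodic flushes, which the claims do not address.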
CN202410543583.6A 2024-04-30 2024-04-30 P4-based session data packet multimode character string matching method and system Pending CN118540107A (en)


Publications (1)

Publication Number Publication Date
CN118540107A true CN118540107A (en) 2024-08-23

Family

ID=92380103



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination