
CN117294516A - Message security policy matching method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN117294516A
Authority: CN (China)
Prior art keywords: index, security policy, target, sub, tuple
Legal status: Pending (status as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN202311356164.3A
Other languages: Chinese (zh)
Inventor
王江涛
樊荣
万立
王庆年
黄哲
赵大胜
王啸原
李杨
李�瑞
周浩宇
李剑
黄秀
汪沛然
肖威
高子轩
田宵
罗章琪
王隽
李晨琪
高照
Current assignee: Wuhan Ship Communication Research Institute 722 Research Institute Of China Shipbuilding Corp (assignee list as given by Google Patents; not legally verified)
Original assignee: Wuhan Ship Communication Research Institute 722 Research Institute Of China Shipbuilding Corp
Application filed by Wuhan Ship Communication Research Institute 722 Research Institute Of China Shipbuilding Corp
Priority to CN202311356164.3A
Publication of CN117294516A
Legal status: pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a message security policy matching method, a device, electronic equipment and a storage medium, belonging to the technical field of computers. The method comprises the following steps: extracting a target five-tuple from the target message; for each target element in the target five-tuple, determining the coincidence item corresponding to the target element through binary search, based on the target element and a local tuple ordering table; determining first index information corresponding to each target element based on a security policy address index table and the coincidence item corresponding to each target element, wherein the first index information represents the address range of the security policies matched with the target element; and matching the security policy of the target five-tuple based on the first index information corresponding to each target element. By adopting binary search, the method avoids item-by-item analysis of each entry in the local lookup table and reduces the range matching period of the five-tuple from the number of entries Num to log2(Num), improving matching efficiency.

Description

Message security policy matching method and device, electronic equipment and storage medium
Technical Field
The invention belongs to the technical field of computers, and in particular relates to a message security policy matching method, a device, electronic equipment and a storage medium.
Background
With the rapid popularity of the internet and the increasing demand for multimedia services, the link rate of networks has evolved to 10Gb/s or even higher. In order to design routers that meet network requirements, it is important to study high-speed route lookup algorithms.
In the related art, the security policy of a message is generally matched by five-tuple range matching that analyses every entry of the local lookup table item by item. As the number of entries in the lookup table grows, the lookup time grows with it: doubling the number of entries doubles the matching time, so the matching efficiency of the message security policy is low.
Disclosure of Invention
Aiming at the problems existing in the prior art, the embodiment of the invention provides a message security policy matching method, a device, electronic equipment and a storage medium.
In a first aspect, the present invention provides a method for matching a security policy of a message, including:
extracting a target five-tuple based on the target message;
for each target element in the target five-tuple, determining a coincidence item corresponding to the target element through binary search based on the target element and a local tuple ordering table, wherein the local tuple ordering table is determined by ordering the elements of the local tuples according to element category and element value, and the coincidence item is, among the elements of the same category in the local tuple ordering table that conform to the target element, the element whose value differs least from the value of the target element;
Determining first index information corresponding to each target element based on a security policy address index table and a coincidence item corresponding to each target element, wherein the security policy address index table is used for representing a corresponding relation between each element of a local tuple and a storage address of a security policy, and the first index information is used for representing an address range of the security policy matched with the target element;
and matching the security policy of the target five-tuple based on the first index information corresponding to each target element.
Optionally, according to the method for matching the message security policy provided by the present invention, the local tuple ordering table includes a local maximum value element ordering sub-table of each element category and a local minimum value element ordering sub-table of each element category, the local maximum value element ordering sub-table is determined by ordering maximum value elements belonging to the same category in a big-to-small ordering manner, the maximum value elements are used for indicating a value upper limit, the local minimum value element ordering sub-table is determined by ordering minimum value elements belonging to the same category in a small-to-big ordering manner, the minimum value elements are used for indicating a value lower limit, and the coincidence items corresponding to the target elements include a maximum value coincidence item and a minimum value coincidence item;
The determining, based on the target element and the local tuple ordering table, the coincidence item corresponding to the target element through binary search includes:
determining a maximum value coincidence item corresponding to the target element through binary search based on the target element and a local maximum value tuple element sorting sub-table corresponding to the element category to which the target element belongs;
and determining a minimum value coincidence item corresponding to the target element through binary search based on the target element and a local minimum value element sorting sub-table corresponding to the element category to which the target element belongs.
Optionally, according to the method for matching the security policy of the message provided by the present invention, the security policy address index table includes: an index sub-table corresponding to each sorting sub-table in the local tuple sorting table, wherein one element in the sub-table of the local tuple sorting table corresponds to one index item in the index sub-table, the sub-table of the local tuple sorting table and the corresponding index sub-table adopt the same sorting mode, and the index sub-table is used for storing all index items in the table in groups based on the number of index items in a preset group and the corresponding sorting mode;
For the index groups in the index sub-table, the first J bit values of all index items in the (n+1) th index group are determined based on the number of index items in the preset group and the security policy address range defined by the (N) th index group, the first J bit values of all index items in the 1 st index group are 0, the last I bit values of all index items in the index group are determined based on the storage addresses of the corresponding security policies of corresponding elements in the sub-table of the local tuple ordering table, N is a positive integer, and the bit number of one index item is J+I;
the determining the first index information corresponding to each target element based on the security policy address index table and the coincidence item corresponding to each target element includes:
determining a first index group corresponding to the maximum value coincidence item and a second index group corresponding to the minimum value coincidence item based on a maximum value coincidence item and a minimum value coincidence item corresponding to the target element and an index sub-table corresponding to an element category to which the target element belongs;
splicing the first J bit values of each index item in the first index group, determining a first security policy address range, and splicing the first J bit values of each index item in the second index group, determining a second security policy address range;
Determining a third security policy address range based on the last I bit values of each index item in the first index group, and determining a fourth security policy address range based on the last I bit values of each index item in the second index group;
determining a fifth security policy address range adapted to the maximum conforming item based on the first security policy address range and the third security policy address range, and determining a sixth security policy address range adapted to the minimum conforming item based on the second security policy address range and the fourth security policy address range;
and performing a union operation based on the fifth security policy address range and the sixth security policy address range, and determining first index information corresponding to the target element.
Optionally, according to the method for matching a security policy of a message provided by the present invention, the matching a security policy of the target five-tuple based on the first index information corresponding to each target element includes:
performing parallel operation based on the first index information corresponding to each target element, and determining second index information;
determining one or more security policies that match the target five-tuple based on the second index information;
And screening the security policies matched with the target five-tuple based on preset priority configuration, and determining the security policies of the target five-tuple.
Optionally, according to the method for matching a message security policy provided by the present invention, the local tuple ordering table includes a local maximum value element ordering sub-table of each element category and a local minimum value element ordering sub-table of each element category, and the local tuple ordering table is obtained by:
based on a pre-configured lookup table, sorting maximum value elements belonging to the same class according to a sorting mode from large to small, and determining a local maximum value element sorting sub-table of each element class, wherein the maximum value elements are used for indicating a value upper limit;
based on a pre-configured lookup table, sorting the minimum value elements belonging to the same class according to a small-to-large sorting mode, and determining a local minimum value element sorting sub-table of each element class, wherein the minimum value elements are used for indicating a value lower limit;
the lookup table comprises a plurality of table entries, wherein any one of the table entries comprises an element for representing the upper limit of the five-tuple value, an element for representing the lower limit of the five-tuple value and a security policy address corresponding to the table entry.
Optionally, according to the method for matching the message security policy provided by the present invention, the security policy address index table is obtained by:
determining an index sub-table corresponding to each sort sub-table in the local tuple sort table based on the storage addresses of the corresponding security policies of each sort sub-table and each element in the sort sub-table in the local tuple sort table;
determining the security policy address index table based on each index sub-table;
wherein, an element in a sub-table of the local tuple ordering table corresponds to an index item in the index sub-table, and the sub-table of the local tuple ordering table and the corresponding index sub-table adopt the same ordering mode.
Optionally, according to the method for matching a security policy of a message provided by the present invention, the determining an index sub-table corresponding to each of the sorting sub-tables in the local tuple sorting table based on the storage addresses of each of the sorting sub-tables in the local tuple sorting table and the corresponding security policy of each of the elements in the sorting sub-tables includes:
for any one target sorting sub-table, grouping elements in the target sorting sub-table in sequence based on the number of index items in a preset group, and determining a plurality of element groups;
Based on the storage addresses of the corresponding security policies of the elements in the 1 st element group, determining the last I bit values of the index items in the 1 st index group, and determining the security policy address range defined by the 1 st index group, wherein the first J bit values of the index items in the 1 st index group are 0;
determining the first J bit values of all the index items in the (N+1) th index group based on the number of the index items in the preset group and the security policy address range defined by the (N) th index group, determining the last I bit values of all the index items in the (N+1) th index group based on the storage addresses of the corresponding security policies of all the elements in the (N+1) th element group, and determining the security policy address range defined by the (N+1) th index group;
determining a target index sub-table corresponding to the target rank sub-table based on the index groups corresponding to the element groups;
N is a positive integer, the bit number of one index item is J+I, the value of J is determined by the configured number of entries of the lookup table and the number of index items in the preset group, and the value of I is determined by the bit number of the storage address of the security policy.
In a second aspect, the present invention further provides a device for matching a security policy of a message, including:
The extraction module is used for extracting the target five-tuple based on the target message;
the binary search module is used for determining a coincidence item corresponding to each target element in the target five-tuple through binary search based on the target element and a local tuple ordering table;
the index information determining module is used for determining first index information corresponding to each target element based on a security policy address index table and the coincidence item corresponding to each target element;
and the security policy matching module is used for matching the security policy of the target five-tuple based on the first index information corresponding to each target element.
In a third aspect, the present invention also provides an electronic device, including: at least one memory for storing a program; at least one processor for executing a memory-stored program, which when executed is adapted to carry out the method described in the first aspect or any one of the possible implementations of the first aspect.
In a fourth aspect, the invention also provides a computer readable storage medium storing a computer program which, when run on a processor, causes the processor to perform the method described in the first aspect or any one of the possible implementations of the first aspect.
It will be appreciated that the advantages of the second to fourth aspects may be found in the relevant description of the first aspect and are not repeated here.
In general, the above technical solutions conceived by the present invention have the following beneficial effects compared with the prior art:
by configuring the local tuple ordering table and the security policy address index table, a binary search can be performed on the local tuple ordering table for each target element in the target five-tuple to determine the coincidence item corresponding to each target element; the address range of the security policies matched with each target element is then obtained through the security policy address index table to determine the first index information corresponding to each target element, and the security policy of the message is matched based on the first index information corresponding to each target element. Because binary search is adopted, the method avoids item-by-item analysis of each entry in the local lookup table, reduces the range matching period of the five-tuple from the number of entries Num to log2(Num), reduces the clock cycles spent matching, and improves the matching efficiency of the message security policy.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a data structure of a lookup table provided in the related art;
FIG. 2 is a flow chart of a message security policy matching method provided by the invention;
FIG. 3 is a schematic diagram of a data structure of a local tuple ordering table according to the present invention;
FIG. 4 is a schematic diagram of a data structure of a security policy address index table according to the present invention;
FIG. 5 is a second diagram illustrating a data structure of a security policy address index table according to the present invention;
FIG. 6 is a third diagram illustrating a data structure of a security policy address index table according to the present invention;
fig. 7 is a schematic structural diagram of a packet security policy matching device provided by the present invention.
Detailed Description
In order to facilitate a clearer understanding of various embodiments of the present invention, some relevant background knowledge is first presented as follows.
Fig. 1 is a schematic diagram of a data structure of a lookup table provided in the related art. As shown in fig. 1, the lookup table may be a data table configured locally in advance, and any entry in the lookup table may include a local maximum tuple (e.g., max_tune in fig. 1) and a local minimum tuple (e.g., min_tune in fig. 1), where the local maximum tuple contains the elements (maximum elements) representing the upper limits of the five-tuple values and the local minimum tuple contains the elements (minimum elements) representing the lower limits of the five-tuple values. One entry in the lookup table corresponds to the storage address of one security policy; for example, as shown in fig. 1, entry 0 corresponds to storage address Add0 of security policy number sa_id0, entry 1 corresponds to storage address Add1 of security policy number sa_id1, and so on. Given the security policy number sa_id, the corresponding security policy can be obtained by address lookup.
In the related art, the security policy of a message is generally matched by five-tuple range matching that analyses every entry of the local lookup table item by item. For example, for the source IP address, each entry in the lookup table holds an upper limit (maximum source IP address) and a lower limit (minimum source IP address), and during range matching, if the IP address to be matched (the source IP address of the target five-tuple, i.e. one target element of the target five-tuple) falls within the range of a certain entry, the security policy index corresponding to that entry is valid. For example, as shown in fig. 1, if the target five-tuple satisfies the ranges of entry 0 and entry 1, the corresponding Add0 and Add1 (Add in fig. 1 denotes the storage address of a security policy) are valid indexes; the sa_id stored at Add0 and Add1 is extracted, the corresponding policy is fetched according to the sa_id, and the processing of the target packet is thereby determined. It can be seen that as the number of entries in the lookup table grows, the lookup time grows with it: doubling the number of entries doubles the matching time, so the matching efficiency of the message security policy is low.
In order to overcome the defects, the invention provides a message security policy matching method, a device, electronic equipment and a storage medium, and the matching efficiency of the message security policy can be improved by adopting binary search.
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The term "and/or" herein describes an association relationship between associated objects and covers three cases; for example, "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. The symbol "/" herein indicates an "or" relationship between the associated objects; for example, "A/B" means A or B.
The terms "first" and "second" and the like in the description and in the claims are used for distinguishing between different objects and not for describing a particular sequential order of objects. For example, the first response message and the second response message, etc. are used to distinguish between different response messages, and are not used to describe a particular order of response messages.
In embodiments of the invention, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g." in an embodiment should not be taken as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
In the description of the embodiments of the present invention, unless otherwise specified, the meaning of "plurality" means two or more, for example, the meaning of a plurality of processing units means two or more, or the like; the plurality of elements means two or more elements and the like.
Next, the technical scheme provided in the embodiment of the present invention is described.
Fig. 2 is a schematic flow chart of the message security policy matching method provided by the present invention. As shown in fig. 2, the execution body of the method may be an electronic device, for example a field-programmable gate array (FPGA). The method comprises the following steps:
step S101, extracting target five-tuple based on the target message.
It is understood that the elements of the five-tuple include a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol number.
Step S102, for each target element in the target five-tuple, determining the coincidence item corresponding to the target element through binary search based on the target element and a local tuple ordering table, wherein the local tuple ordering table is determined by ordering the elements of the local tuples according to element category and element value, and the coincidence item is, among the elements of the same category in the local tuple ordering table that conform to the target element, the element whose value differs least from the value of the target element.
Binary search, also known as half-interval search or bisection search, is an algorithm that locates a particular element in a sorted array or table by repeatedly halving the search interval.
The local tuple may be a tuple in an entry of a lookup table. The local tuple may be a local maximum tuple or a local minimum tuple.
Step S103, determining first index information corresponding to each target element based on a security policy address index table and coincidence items corresponding to each target element, wherein the security policy address index table is used for representing the corresponding relation between each element of the local tuple and the storage address of the security policy, and the first index information is used for representing the address range of the security policy matched with the target element.
Alternatively, in the case where the execution body is an FPGA, the local tuple ordering table and the security policy address index table may be stored in the block RAM (BRAM) of the FPGA.
Step S104, based on the first index information corresponding to each target element, the security policy of the target five-tuple is matched.
It will be appreciated that by configuring the local tuple ordering table and the security policy address index table, a binary search can be performed on the local tuple ordering table for each target element in the target five-tuple to determine the coincidence item corresponding to each target element; the address range of the security policies matched with each target element can then be obtained through the security policy address index table to determine the first index information corresponding to each target element, and the security policy of the message can be matched based on the first index information corresponding to each target element. Because binary search is adopted, the method avoids item-by-item analysis of each entry in the local lookup table, reduces the range matching period of the five-tuple from the number of entries Num to log2(Num), reduces the clock cycles spent matching, and improves the matching efficiency of the message security policy.
Optionally, according to the method for matching the message security policy provided by the present invention, the local tuple ordering table includes a local maximum element ordering sub-table of each element class and a local minimum element ordering sub-table of each element class, the local maximum element ordering sub-table is determined by ordering maximum elements belonging to the same class in a big-to-small ordering manner, the maximum elements are used for indicating a value upper limit, the local minimum element ordering sub-table is determined by ordering minimum elements belonging to the same class in a small-to-big ordering manner, the minimum elements are used for indicating a value lower limit, and the coincidence items corresponding to the target elements include a maximum coincidence item and a minimum coincidence item;
Based on the target element and the local tuple ordering table, determining the coincidence item corresponding to the target element through binary search, including:
determining a maximum value coincidence item corresponding to the target element through binary search based on the target element and a local maximum value tuple element ranking sub-table corresponding to the element category to which the target element belongs;
and determining a minimum value coincidence item corresponding to the target element through binary search based on the target element and a local minimum value element ranking sub-table corresponding to the element category to which the target element belongs.
Specifically, the local tuple ordering table may include a local maximum element ordering sub-table of each element class and a local minimum element ordering sub-table of each element class, where the local maximum element ordering sub-table is determined by ordering maximum elements belonging to the same class in a big-to-small ordering manner, the maximum elements are used to indicate an upper value limit, the local minimum element ordering sub-table is determined by ordering minimum elements belonging to the same class in a small-to-big ordering manner, the minimum elements are used to indicate a lower value limit, and the coincidence items corresponding to the target elements include a maximum coincidence item and a minimum coincidence item.
It may be understood that, for the maximum value coincidence item corresponding to a target element, the maximum value coincidence item and the target element belong to the same element category (for example, both are source IP addresses), the maximum value coincidence item conforms to the target element (its value is greater than or equal to the value of the target element, which is what conformity means for an upper limit), and among the conforming elements of that category in the local maximum value element ranking sub-table it is the one whose value differs least from the target element, i.e. the smallest upper limit that is still not below the target element.
It may be understood that, for the minimum value coincidence item corresponding to a target element, the minimum value coincidence item and the target element belong to the same element category (for example, both are source IP addresses), the minimum value coincidence item conforms to the target element (its value is less than or equal to the value of the target element, which is what conformity means for a lower limit), and among the conforming elements of that category in the local minimum value element ranking sub-table it is the one whose value differs least from the target element, i.e. the largest lower limit that is still not above the target element.
Optionally, fig. 3 is a schematic data structure of the local tuple ordering table provided by the present invention, as shown in fig. 3, for local maximum value elements, the maximum value elements belonging to the same class may be ordered in a big-to-small ordering manner, so as to determine a local maximum value element ordering sub-table, max_src0 is the maximum value in the ordering sub-table, and max_srcn is the minimum value in the ordering sub-table.
Optionally, fig. 4 is one of the data structures of the security policy address index table provided by the present invention, as shown in fig. 4, one element in the sub-table of the local tuple ordering table corresponds to one index entry in the index sub-table, for example, the corresponding element of the first index entry (whose value is 0X … 00000020) in fig. 4 is max_src0, the corresponding element of the second index entry (whose value is 0X … 00000120) is max_src1, and so on.
As shown in fig. 4, the index entry of the local maximum index sub-table may represent a security policy address range in the case of taking the value of the corresponding element as the upper limit of the value. In the case that the number of entries in the lookup table is 256, as shown in fig. 4, one index entry may be represented by 256 bits, where one bit in the index entry corresponds to one security policy address, for example, the lowest bit in the index entry corresponds to security policy address Add0, the highest bit in the index entry corresponds to security policy address Add255, and so on, the correspondence between each bit in the index entry and the security policy address may be obtained. Further, if the lowest bit value of the index item is 1, the security policy address range indicating the index item includes the security policy address Add0, if the lowest bit value of the index item is 0, the security policy address range indicating the index item does not include the security policy address Add0, and so on, by judging the value of each bit of the index item, the security policy address range of the index item can be determined.
For example, as shown in fig. 4, after the binary search is performed for the source IP address in the target five-tuple, the position of the corresponding value lies between max_src2 and max_src3, so max_src2 is the coincidence item of the source IP address in the target five-tuple, which indicates that Add5, Add8 and Add13 satisfy the condition. The value 0x … 00002120 corresponding to max_src2 in the security policy address index table may then be fetched (one BRAM read when the execution body is an FPGA), and the value 0x … 00002120 is used as the first index information corresponding to the source IP address in the target five-tuple.
Optionally, taking the local maximum value element sorting sub-table of a certain element class (for example, the source IP address, source port, destination IP address, destination port or transport layer protocol number) as an example, where the sub-table is determined by sorting the maximum value elements belonging to that class from large to small: first, the target element in the tuple to be matched (the target five-tuple) is compared numerically with the element at address 128 of the local maximum value element sorting sub-table (assuming 256 items in the sub-table). If the former is greater than the latter, the elements at addresses 128 and above are all smaller than the target element, so the next comparison is with the element at address 64; if the value of the target element is smaller than the element at address 64, the elements between address 64 and address 128 may contain the coincidence item, so the next comparison is with the element at the intermediate address 96. Binary comparison continues in this way until the address of the maximum value coincidence item in the local maximum value element sorting sub-table is located: in the maximum value element sorting sub-table, the value of the maximum value coincidence item is greater than or equal to the value of the target element, the values of the elements ranked before it are greater than the value of the target element, and the values of the elements ranked after it are smaller than the value of the target element; that is, the elements ranked before the maximum value coincidence item in the local maximum value element sorting coincide with the target element. Accordingly, the security policy corresponding to the element ranked before the maximum coincidence item in the local maximum element ranking is eligible.
Alternatively, taking the local minimum value element sorting sub-table of a certain element class (such as the source IP address, source port, destination IP address, destination port or transport layer protocol number) as an example, where the sub-table is determined by sorting the minimum value elements belonging to that class from small to large: first, the target element in the tuple to be matched (the target five-tuple) is compared numerically with the element at address 128 of the local minimum value element sorting sub-table (assuming 256 items in the sub-table). If the former is smaller than the latter, the elements at addresses 128 and above are all greater than the target element, so the next comparison is with the element at address 64; if the value of the target element is greater than the element at address 64, the elements between address 64 and address 128 may contain the coincidence item, so the next comparison is with the element at the intermediate address 96. Binary comparison continues in this way until the address of the minimum value coincidence item in the local minimum value element sorting sub-table is located: in the minimum value element sorting sub-table, the value of the minimum value coincidence item is smaller than or equal to the value of the target element, the values of the elements ranked before it are smaller than the value of the target element, and the values of the elements ranked after it are greater than the value of the target element; that is, the elements ranked before the minimum value coincidence item in the local minimum value element sorting coincide with the target element. Accordingly, the security policy corresponding to the element ranked before the minimum coincidence item in the local minimum element ranking is eligible.
Optionally, according to the method for matching the message security policy provided by the present invention, the security policy address index table includes: the index sub-tables corresponding to all the sorting sub-tables in the local tuple sorting table, one element in the sub-tables of the local tuple sorting table corresponds to one index item in the index sub-table, the sub-tables of the local tuple sorting table and the corresponding index sub-tables adopt the same sorting mode, and the index sub-tables are used for storing all the index items in the table in groups based on the number of index items in a preset group and the corresponding sorting mode;
for an index group in an index sub-table, the first J bit values of each index item in the (N+1)th index group are determined based on the number of index items in a preset group and the security policy address range defined by the Nth index group, the first J bit values of each index item in the 1st index group are 0, the last I bit values of each index item in an index group are determined based on the storage addresses of the security policies corresponding to the corresponding elements in the sub-table of the local tuple ordering table, N is a positive integer, and the bit number of one index item is J+I;
determining first index information corresponding to each target element based on the security policy address index table and the coincidence item corresponding to each target element, including:
Determining a first index group corresponding to the maximum value coincidence item and a second index group corresponding to the minimum value coincidence item based on the maximum value coincidence item and the minimum value coincidence item corresponding to the target element and an index sub-table corresponding to the element category to which the target element belongs;
splicing the first J bit values of each index item in the first index group, determining a first security policy address range, and splicing the first J bit values of each index item in the second index group, determining a second security policy address range;
determining a third security policy address range based on the last I bit values of each index item in the first index group, and determining a fourth security policy address range based on the last I bit values of each index item in the second index group;
determining a fifth security policy address range adapted to the maximum conforming item based on the first security policy address range and the third security policy address range, and determining a sixth security policy address range adapted to the minimum conforming item based on the second security policy address range and the fourth security policy address range;
and carrying out a union operation based on the fifth security policy address range and the sixth security policy address range, and determining first index information corresponding to the target element.
It will be appreciated that if the local tuple ordering table includes a local maximum element ordering sub-table and a local minimum element ordering sub-table of a certain element class (for example, the element class of the source IP address), the security policy address index table includes an index sub-table corresponding to the local maximum element ordering sub-table of the corresponding element class and an index sub-table corresponding to the local minimum element ordering sub-table of the corresponding element class.
Optionally, in the case that the number of entries of the lookup table is 256, the number of entries of the local maximum element ranking sub-table, the number of entries of the local minimum element ranking sub-table, and the number of entries of the security policy address index table are also 256.
Optionally, fig. 5 is a second schematic diagram of a data structure of the security policy address index table provided by the present invention, as shown in fig. 5, in the case that the number of entries of the lookup table is 256, the value of I may be 8, that is, the index entry indicates, by 8 bits, the storage address of the corresponding security policy of the corresponding element. In this case, the number of index items in the preset group may be 4, and correspondingly, the value of J may be 64 (256/4). In this case, the bit number of the index entry is 72 (64+8).
Optionally, as shown in fig. 5, the first J bit values of each index item in the 2 nd index group (e.g., group 2 in fig. 5) are determined based on the number of index items in the preset group and the security policy address range defined by the 1 st index group (e.g., group 1 in fig. 5), the first J bit values of each index item in the 1 st index group are 0, and the last I bit values of each index item in the index group are determined based on the storage addresses of the corresponding security policies of the corresponding elements in the sub-table of the local tuple ordering table.
Optionally, as shown in fig. 5, in the case that the number of entries in the lookup table is 256 and the number of index items in the preset group is 4, the storage address of the maximum value coincidence item in the local maximum value element sorting sub-table may be determined from the maximum value coincidence item corresponding to the target element; after an AND operation of that storage address with 0b11111100 to mask the lower two bits, the index group number corresponding to the maximum value coincidence item is obtained, and based on the index sub-table corresponding to the element category to which the target element belongs and that index group number, the first index group corresponding to the maximum value coincidence item may be determined.
Optionally, in the case that the number of entries in the lookup table is 256 and the number of index items in the preset group is 4, the storage address of the minimum value coincidence item in the local minimum value element sorting sub-table may be determined from the minimum value coincidence item corresponding to the target element; after an AND operation of that storage address with 0b11111100 to mask the lower two bits, the index group number corresponding to the minimum value coincidence item is obtained, and based on the index sub-table corresponding to the element category to which the target element belongs and that index group number, the second index group corresponding to the minimum value coincidence item may be determined.
Optionally, in the case that the number of entries in the lookup table is 256 and the number of index items in the preset group is 4, after the first index group corresponding to the maximum value coincidence item has been determined, the first J bit values of each index item in the first index group may be spliced to determine the first security policy address range (the security policy address range defined by the index groups arranged before the first index group), where the bit number of the first security policy address range is 256 (64×4). Based on the index item corresponding to the maximum value coincidence item (which is one index item in the first index group) and the last I bit values of each index item in the first index group, the last I bits of the index items in the first index group that are arranged before the index item corresponding to the maximum value coincidence item may be decoded, converting each address represented by I bits into an address represented by 256 bits, so as to obtain one or more decoding results (each of 256 bits); all the decoding results are subjected to an OR operation, so that the third security policy address range (the security policy address range defined by the index items in the first index group that are arranged before the index item corresponding to the maximum value coincidence item) may be determined. Then, the fifth security policy address range adapted to the maximum value coincidence item may be determined by performing an OR operation on the first security policy address range and the third security policy address range.
For example, as shown in fig. 5, when the maximum value coincidence item is max_src5, the first index group is group 2, and the first index item (whose last 8 bits store Add7) and the second index item (whose last 8 bits store Add9) in group 2 are the index items arranged before the index item corresponding to max_src5. The Add7 address represented by 8 bits may then be converted into the Add7 address represented by 256 bits, and the Add9 address represented by 8 bits into the Add9 address represented by 256 bits, so that two decoding results (each of 256 bits) are obtained; all the decoding results are subjected to an OR operation, so that the third security policy address range may be determined.
The fifth security policy address range includes: the security policy address range defined by the index group arranged before the first index group, and the security policy address range defined by the index item arranged before the index item corresponding to the maximum coincidence item in the first index group.
Thus, by address resolution of each index entry in the first index set, a fifth security policy address range may be determined.
Optionally, in the case that the number of entries in the lookup table is 256 and the number of index items in the preset group is 4, after the second index group corresponding to the minimum value coincidence item has been determined, the first J bit values of each index item in the second index group may be spliced to determine the second security policy address range (the security policy address range defined by the index groups arranged before the second index group), where the bit number of the second security policy address range is 256 (64×4). Based on the index item corresponding to the minimum value coincidence item (which is one index item in the second index group) and the last I bit values of each index item in the second index group, the last I bits of the index items in the second index group that are arranged before the index item corresponding to the minimum value coincidence item may be decoded, converting each address represented by I bits into an address represented by 256 bits, so as to obtain one or more decoding results (each of 256 bits); all the decoding results are subjected to an OR operation, so that the fourth security policy address range (the security policy address range defined by the index items in the second index group that are arranged before the index item corresponding to the minimum value coincidence item) may be determined. Then, an OR operation may be performed on the second security policy address range and the fourth security policy address range to determine the sixth security policy address range adapted to the minimum value coincidence item.
The sixth security policy address range includes: the security policy address range defined by the index group arranged before the second index group, and the security policy address range defined by the index item arranged before the index item corresponding to the minimum conforming item in the second index group.
Thus, by address resolution of the index entries in the second index set, a sixth security policy address range may be determined.
It will be appreciated that in the case of an FPGA as the execution subject, one clock cycle is required to decode one index entry. Similarly, in the case where the number of index items in the preset group is 4, four clock cycles are required to decode the 4 index items in one index group.
In the case of an FPGA as the execution subject, one clock cycle is required to perform an OR operation on the first and third security policy address ranges (to determine the fifth security policy address range adapted to the maximum value coincidence item). Similarly, performing an OR operation on the second security policy address range and the fourth security policy address range (to determine the sixth security policy address range adapted to the minimum value coincidence item) requires one clock cycle.
Optionally, fig. 6 is a third schematic diagram of a data structure of the security policy address index table provided by the present invention, as shown in fig. 6, and the first index information corresponding to the target element may be determined based on the fifth security policy address range (e.g., the full policy address range of the maximum value coincidence item in fig. 6) and the sixth security policy address range (e.g., the full policy address range of the minimum value coincidence item in fig. 6) by performing a union operation.
It will be appreciated that assuming that the number of entries in the lookup table is 256, in the case of using the data structure shown in fig. 4, the number of bits occupied by one index entry in the index sub-table is 256, and in the case of using the data structure shown in fig. 5 (the index sub-table is used for storing the index entries in the table in groups based on the number of index entries in the preset group and the corresponding ordering manner), the number of bits occupied by one index entry in the index sub-table is 72, and it is seen that the storage space can be saved by storing the index entries in groups.
Optionally, according to the method for matching the security policy of the message provided by the present invention, based on the first index information corresponding to each target element, the security policy of the target five-tuple is matched, including:
Performing parallel operation based on the first index information corresponding to each target element, and determining second index information;
determining one or more security policies that match the target five-tuple based on the second index information;
and screening the security policies matched with the target five-tuple based on the preset priority configuration, and determining the security policies of the target five-tuple.
Specifically, the elements of the five-tuple comprise a source IP address, a source port, a destination IP address, a destination port and a transport layer protocol number, and correspondingly, the first index information corresponding to each target element comprises first index information corresponding to the source IP address of the target five-tuple, first index information corresponding to the source port of the target five-tuple, first index information corresponding to the destination IP address of the target five-tuple, first index information corresponding to the destination port of the target five-tuple and first index information corresponding to the transport layer protocol number of the target five-tuple.
By combining the first index information corresponding to each target element, the address range of the security policy matched with all target elements, namely the address range represented by the second index information, can be determined, and then one or more security policies matched with the target five-tuple can be determined.
The preset priority configuration is used for indicating priorities among different security policies, and based on the preset priority configuration, security policies matched with the target five-tuple can be screened to determine the target security policy of the target five-tuple.
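The matching flow described above (sorted max/min sub-tables, binary search for the two coincidence items, fig. 4 style 256-bit index entries, the combination across the five elements and the priority screening) as one added Python example; it is not the patent's own code, and the lookup table, policy addresses and priority order below are constructed. The two per-element index entries are combined here with a bitwise AND, since a policy's range contains the target value only when both its upper-limit and lower-limit conditions hold.

```python
"""Five-tuple range matching with a local tuple ordering table, binary search
for coincidence items and fig.4-style 256-bit index entries.
Added example; the lookup table and priority list are constructed."""
import ipaddress

FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "proto")
TABLE_ENTRIES = 256  # lookup-table size assumed in the text; one bit per policy address


def ip(text):
    return int(ipaddress.IPv4Address(text))


# Constructed lookup table: policy address Add_a -> {element category: (lower, upper)}
LOOKUP = {
    5: {"src_ip": (ip("10.0.0.0"), ip("10.0.255.255")), "src_port": (0, 65535),
        "dst_ip": (ip("192.168.1.10"), ip("192.168.1.10")), "dst_port": (443, 443), "proto": (6, 6)},
    8: {"src_ip": (ip("10.0.0.0"), ip("10.255.255.255")), "src_port": (1024, 65535),
        "dst_ip": (ip("192.168.1.0"), ip("192.168.1.255")), "dst_port": (0, 65535), "proto": (6, 6)},
    4: {"src_ip": (ip("10.0.1.0"), ip("10.0.1.255")), "src_port": (0, 65535),
        "dst_ip": (ip("192.168.1.10"), ip("192.168.1.10")), "dst_port": (22, 22), "proto": (6, 6)},
    13: {"src_ip": (0, ip("255.255.255.255")), "src_port": (0, 65535),
         "dst_ip": (0, ip("255.255.255.255")), "dst_port": (0, 65535), "proto": (0, 255)},
}
PRIORITY = [4, 5, 8, 13]  # constructed preset priority configuration: earlier wins


def cumulative_bitmaps(addresses):
    """Index sub-table of fig. 4: entry k is a 256-bit bitmap of the policy
    addresses of elements ranked 0..k (all coincide when k is the coincidence item)."""
    entries, acc = [], 0
    for a in addresses:
        acc |= 1 << a  # bit a of an index entry <-> security policy address Add_a
        entries.append(acc)
    return entries


def build_tables(lookup):
    """Local maximum sub-tables (big-to-small), local minimum sub-tables
    (small-to-big) and their index sub-tables, one set per element category."""
    max_tab, min_tab, max_idx, min_idx = {}, {}, {}, {}
    for f in FIELDS:
        maxes = sorted(((r[f][1], a) for a, r in lookup.items()), reverse=True)
        mins = sorted((r[f][0], a) for a, r in lookup.items())
        max_tab[f], min_tab[f] = [v for v, _ in maxes], [v for v, _ in mins]
        max_idx[f] = cumulative_bitmaps([a for _, a in maxes])
        min_idx[f] = cumulative_bitmaps([a for _, a in mins])
    return max_tab, min_tab, max_idx, min_idx


def max_coincidence(sub_desc, target):
    """Position of the maximum value coincidence item: last element of a big-to-small
    sub-table with value >= target (probe 128, then 64 or 192, ... for 256 entries).
    None when no upper limit reaches the target."""
    lo, hi = 0, len(sub_desc)  # invariant: sub_desc[:lo] >= target > sub_desc[hi:]
    while lo < hi:
        mid = (lo + hi) // 2
        if sub_desc[mid] >= target:
            lo = mid + 1
        else:
            hi = mid
    return lo - 1 if lo else None


def min_coincidence(sub_asc, target):
    """Position of the minimum value coincidence item: last element of a
    small-to-big sub-table with value <= target."""
    lo, hi = 0, len(sub_asc)  # invariant: sub_asc[:lo] <= target < sub_asc[hi:]
    while lo < hi:
        mid = (lo + hi) // 2
        if sub_asc[mid] <= target:
            lo = mid + 1
        else:
            hi = mid
    return lo - 1 if lo else None


def first_index_info(field, value, tables):
    """Bitmap of policies whose range for this element category contains value:
    upper-limit set AND lower-limit set, since both conditions must hold."""
    max_tab, min_tab, max_idx, min_idx = tables
    kmax = max_coincidence(max_tab[field], value)
    kmin = min_coincidence(min_tab[field], value)
    if kmax is None or kmin is None:
        return 0
    return max_idx[field][kmax] & min_idx[field][kmin]


def matched_addresses(five_tuple, tables):
    """Second index information: AND of the five first-index bitmaps (computed in
    parallel on an FPGA), returned as a sorted list of policy addresses."""
    second = (1 << TABLE_ENTRIES) - 1
    for f in FIELDS:
        second &= first_index_info(f, five_tuple[f], tables)
    return [a for a in range(TABLE_ENTRIES) if second >> a & 1]


def select_policy(five_tuple, tables, priority=PRIORITY):
    """Screen the matched policies with the preset priority configuration."""
    matched = matched_addresses(five_tuple, tables)
    return min(matched, key=priority.index) if matched else None
```

For a TCP packet 10.0.1.7:40000 to 192.168.1.10:443 the matched addresses are [5, 8, 13] and the selected policy is Add5.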
Optionally, according to the method for matching a message security policy provided by the present invention, the local tuple ordering table includes a local maximum value element ordering sub-table of each element category and a local minimum value element ordering sub-table of each element category, and the local tuple ordering table is obtained by:
based on a pre-configured lookup table, sorting maximum value elements belonging to the same class according to a sorting mode from large to small, and determining a local maximum value element sorting sub-table of each element class, wherein the maximum value elements are used for indicating a value upper limit;
based on a pre-configured lookup table, sorting the minimum value elements belonging to the same class according to a small-to-large sorting mode, and determining a local minimum value element sorting sub-table of each element class, wherein the minimum value elements are used for indicating a value lower limit;
the lookup table comprises a plurality of table entries, wherein any one table entry comprises an element for representing the upper limit of the five-tuple value, an element for representing the lower limit of the five-tuple value and a security policy address corresponding to the table entry.
Optionally, according to the method for matching the message security policy provided by the invention, the security policy address index table is obtained through the following steps:
determining an index sub-table corresponding to each sort sub-table in the local tuple sort table based on the storage addresses of the corresponding security policies of each sort sub-table and each element in the sort sub-table in the local tuple sort table;
determining a security policy address index table based on each index sub-table;
wherein, an element in the sub-table of the local tuple ordering table corresponds to an index item in the index sub-table, and the sub-table of the local tuple ordering table and the corresponding index sub-table adopt the same ordering mode.
Specifically, the local maximum index sub-table of each element class may be determined based on the local maximum element ranking sub-table of each element class and the storage address of the corresponding security policy of each element in the local maximum element ranking sub-table.
The local minimum index sub-table for each element class may be determined based on the local minimum element rank sub-table for each element class and the storage address of the corresponding security policy for each element in the local minimum element rank sub-table.
It will be appreciated that the memory addresses of the corresponding security policies of the elements in the ranking sub-table may be obtained by looking up the table. For example, for the sorted sub-table in fig. 4, it may be determined by the lookup table that the storage address of the corresponding security policy of the element max_src0 is Add5, the storage address of the corresponding security policy of the element max_src1 is Add8, the storage address of the corresponding security policy of the element max_src2 is Add13, the storage address of the corresponding security policy of the element max_src3 is Add4, and the storage address of the corresponding security policy of the element max_srcn is Add77.
The correspondence between index entries and elements, and the value of an index entry are illustrated below, for example, as shown in fig. 4, an index entry of the local maximum index table may represent a security policy address range in a case where a value of a corresponding element (for example, a corresponding element of the first index entry in fig. 4 is max_src0, a corresponding element of the second index entry is max_src1, and the like) is taken as an upper value limit. In the case that the number of entries in the lookup table is 256, as shown in fig. 4, one index entry may be represented by 256 bits, where one bit in the index entry corresponds to one security policy address, for example, the lowest bit in the index entry corresponds to security policy address Add0, the highest bit in the index entry corresponds to security policy address Add255, and so on, the correspondence between each bit in the index entry and the security policy address may be obtained. Further, if the lowest bit value of the index item is 1, the security policy address range indicating the index item includes the security policy address Add0, if the lowest bit value of the index item is 0, the security policy address range indicating the index item does not include the security policy address Add0, and so on, by judging the value of each bit of the index item, the security policy address range of the index item can be determined.
For example, as shown in fig. 4, the corresponding element of the first index entry is max_src0, and the first index entry represents the security policy address range in the case of taking the value of max_src0 as the upper limit of the value; it may be determined that the security policy address range of the first index entry in fig. 4 includes Add5, and accordingly that the value of the first index entry is 0X … 00000020 (256 bits in total). As shown in fig. 4, the corresponding element of the second index entry is max_src1, and the second index entry represents the security policy address range with the value of max_src1 as the upper limit of the value; it may be determined that the security policy address range of the second index entry in fig. 4 includes Add5 and Add8, and accordingly that the value of the second index entry is 0X … 00000120 (256 bits in total). Similarly, the values of the other index entries in the index sub-table can be determined.
Optionally, according to the method for matching the message security policy provided by the present invention, determining an index sub-table corresponding to each of the sorting sub-tables in the local tuple sorting table based on the storage addresses of each of the sorting sub-tables in the local tuple sorting table and the corresponding security policy of each of the elements in the sorting sub-tables, including:
For any one target sorting sub-table, grouping elements in the target sorting sub-table according to the sequence based on the number of index items in a preset group, and determining a plurality of element groups;
based on the storage addresses of the corresponding security policies of the elements in the 1 st element group, determining the last I bit values of the index items in the 1 st index group, and determining the security policy address range defined by the 1 st index group, wherein the first J bit values of the index items in the 1 st index group are 0;
determining the first J bit values of all the index items in the (N+1) th index group based on the number of the index items in the preset group and the security policy address range defined by the (N) th index group, determining the last I bit values of all the index items in the (N+1) th index group based on the storage addresses of the corresponding security policies of all the elements in the (N+1) th element group, and determining the security policy address range defined by the (N+1) th index group;
determining a target index sub-table corresponding to the target sorting sub-table based on the index groups corresponding to the element groups;
N is a positive integer, the bit number of one index item is J+I, the value of J is determined based on the configured number of entries of the lookup table and the number of index items in the preset group, and the value of I is determined based on the bit number of the storage address of a security policy.
For example, as shown in fig. 5, based on the storage address of the corresponding security policy of each element in the 1 st element group (e.g., group 1 in fig. 5), the last I (where the value of I in fig. 5 is 8) bit value of each index item in the 1 st index group is determined, and the security policy address range defined by the 1 st index group is determined, where the previous J (where the value of J in fig. 5 is 64) bit value of each index item in the 1 st index group is 0.
For example, as shown in fig. 5, the first J bit values of each index item in the 2 nd index group (e.g., group 2 in fig. 5) are determined based on the number of index items in the preset group (the number of index items in the preset group is 4) and the security policy address range defined by the 1 st index group, and the last I bit values of each index item in the 2 nd index group are determined based on the storage addresses of the corresponding security policies of each element in the 2 nd element group (e.g., the storage address of the corresponding security policy of the element max_src4 is Add7, the storage address of the corresponding security policy of the element max_src5 is Add9, the storage address of the corresponding security policy of the element max_src6 is Add25, the storage address of the corresponding security policy of the element max_src7 is Add 33), and the security policy address range defined by the 2 nd index group is determined.
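The grouped index sub-table of fig. 5 and its address resolution (splicing the J prefixes, decoding the I-bit addresses, OR-ing the results) as an added Python example; it is not the patent's code. The ranked address list is constructed after the figures (group 1: Add5, Add8, Add13, Add4; group 2: Add7, Add9, Add25, Add33), the assignment of 64-bit slices to the four entries of a group is an assumption, and the decode step includes the coincidence item's own entry, which matches the fig. 4 entries (the entry for max_src0 already contains Add5).

```python
"""Grouped security policy address index (fig. 5): each index entry is J + I bits,
the I low bits hold one policy's storage address and the J high bits hold one slice
of the address range defined by the preceding groups.  Added example, not the
patent's code; the element-to-address list below is constructed after figs. 4/5."""
TABLE_ENTRIES = 256          # lookup-table size assumed in the text
GROUP = 4                    # index items per preset group
I = 8                        # bits of one security policy storage address (256 policies)
J = TABLE_ENTRIES // GROUP   # 64: each entry of a group stores one 64-bit slice
ADDR_MASK = (1 << I) - 1

# Constructed ranked sub-table (max_src0, max_src1, ...) given as policy addresses:
# group 1 = Add5, Add8, Add13, Add4 and group 2 = Add7, Add9, Add25, Add33.
RANKED_ADDRESSES = [5, 8, 13, 4, 7, 9, 25, 33]


def build_grouped_index(addresses):
    """Index sub-table stored in groups.  Group 1 entries have a zero prefix; entry n
    of group N+1 carries bits [n*J, n*J+J) of the range defined by group N, which is
    the set of all policy addresses ranked in groups 1..N (assumed slice layout)."""
    assert len(addresses) % GROUP == 0, "example assumes full groups"
    groups, covered = [], 0  # covered: 256-bit range defined by the groups built so far
    for start in range(0, len(addresses), GROUP):
        chunk = addresses[start:start + GROUP]
        entries = []
        for n, addr in enumerate(chunk):
            prefix = (covered >> (n * J)) & ((1 << J) - 1)
            entries.append((prefix << I) | addr)  # J+I = 72 bits per index entry
        groups.append(entries)
        for addr in chunk:
            covered |= 1 << addr
    return groups


def grouped_address_range(groups, k):
    """Policy address range adapted to the coincidence item at rank k (the
    'fifth'/'sixth' range of the text): splice the J prefixes of its group, decode
    the I-bit addresses of the entries ranked at or before k, OR both."""
    group_no = k & ~(GROUP - 1)   # for GROUP=4 this is the page's AND with 0b11111100
    entries = groups[group_no // GROUP]
    spliced = 0
    for n, entry in enumerate(entries):           # 4 x 64 bits -> 256-bit range
        spliced |= (entry >> I) << (n * J)
    decoded = 0
    for entry in entries[:(k % GROUP) + 1]:       # one decode per clock cycle on an FPGA
        decoded |= 1 << (entry & ADDR_MASK)       # 8-bit address -> 256-bit one-hot
    return spliced | decoded                      # final OR: one more clock cycle


def flat_address_range(addresses, k):
    """Fig. 4 reference: one cumulative 256-bit entry per element."""
    rng = 0
    for addr in addresses[:k + 1]:
        rng |= 1 << addr
    return rng


def storage_bits(num_elements):
    """Index sub-table size for both layouts (256 vs 72 bits per entry)."""
    return {"fig4": num_elements * TABLE_ENTRIES, "fig5": num_elements * (J + I)}
```

For max_src5 (rank 5) the grouped resolution yields the same range as the flat fig. 4 entry, {Add4, Add5, Add7, Add8, Add9, Add13}, while a 256-element sub-table needs 18432 instead of 65536 bits.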
The message security policy matching device provided by the invention is described below; the device described below and the message security policy matching method described above may be referred to in correspondence with each other.
Fig. 7 is a schematic structural diagram of a message security policy matching device provided by the present invention. As shown in fig. 7, the device includes an extraction module 10, a binary search module 20, an index information determination module 30 and a security policy matching module 40, wherein:
an extracting module 10, configured to extract a target five-tuple based on the target packet;
the binary search module 20 is configured to determine, for each target element in the target five-tuple, a coincidence item corresponding to the target element by binary search based on the target element and the local tuple ordering table, where the local tuple ordering table is determined by ordering each element of the local tuple according to element category and element value, and the coincidence item is the element, among the elements of the same class in the local tuple ordering table, whose value differs least from that of the target element;
the index information determining module 30 is configured to determine first index information corresponding to each target element based on a security policy address index table and a coincidence item corresponding to each target element, where the security policy address index table is used to represent a correspondence between each element of the local tuple and a storage address of the security policy, and the first index information is used to represent an address range of the security policy matched with the target element;
The security policy matching module 40 is configured to match the security policy of the target five-tuple based on the first index information corresponding to each target element.
Specifically, the binary search module performs a binary search for each target element in the target five-tuple based on the target element and the local tuple ordering table, so that the table entries of the local lookup table need not be examined one by one: the matching period for the five-tuple ranges is reduced from the number of table entries Num to log2(Num) clock cycles, which shortens the matching time and improves the efficiency of message security policy matching.
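As an added illustration, not code from the patent, the following Python sketch realizes the pipeline of the four modules above: per-field tables of lower bounds sorted ascending and upper bounds sorted descending, a binary search per target element for the coincidence item, a prefix index in place of the J+I bit index items, combination of the five field results and selection by priority. The sample policy table, the set-based index and the use of set intersection to combine results are assumptions made for this example.

```python
import bisect
import ipaddress
from dataclasses import dataclass

def ip(s):
    """IPv4 dotted quad to int so addresses sort like the port and protocol fields."""
    return int(ipaddress.IPv4Address(s))
ANY_IP, ANY_PORT, ANY_PROTO = (0, 2**32 - 1), (0, 65535), (0, 255)

@dataclass(frozen=True)
class Policy:
    addr: int        # storage address of the security policy
    ranges: tuple    # five (lower, upper) bounds: src, dst, sport, dport, proto
    priority: int    # smaller value wins when several policies match
    action: str
class FiveTupleMatcher:
    """Per-field sorted bound tables plus a prefix index, queried by binary search."""

    def __init__(self, policies):
        self.policies = {p.addr: p for p in policies}
        self.min_keys, self.min_index = [], []   # lower bounds, ascending
        self.max_keys, self.max_index = [], []   # upper bounds, descending (kept negated)
        for i in range(5):
            mins = sorted((p.ranges[i][0], p.addr) for p in policies)
            maxs = sorted((-p.ranges[i][1], p.addr) for p in policies)
            self.min_keys.append([k for k, _ in mins])
            self.max_keys.append([k for k, _ in maxs])
            self.min_index.append(self._prefix_sets(mins))
            self.max_index.append(self._prefix_sets(maxs))

    @staticmethod
    def _prefix_sets(table):
        # sets[k] = policy addresses of the first k entries of the sorted table.
        # Assumption: a frozenset stands in for the patent's grouped J+I bit index items.
        sets, acc = [frozenset()], set()
        for _, addr in table:
            acc.add(addr)
            sets.append(frozenset(acc))
        return sets

    def field_candidates(self, i, value):
        # Binary search for the coincidence items: how many lower bounds are <= value
        # and how many upper bounds are >= value; policies admitted by both match field i.
        k_min = bisect.bisect_right(self.min_keys[i], value)
        k_max = bisect.bisect_right(self.max_keys[i], -value)
        return self.min_index[i][k_min] & self.max_index[i][k_max]

    def match(self, five_tuple):
        # Combine the five per-field results, then select by preset priority.
        candidates = None
        for i, value in enumerate(five_tuple):
            found = self.field_candidates(i, value)
            candidates = found if candidates is None else candidates & found
            if not candidates:
                return None
        return min((self.policies[a] for a in candidates), key=lambda p: p.priority)

# Constructed sample policy table for the example (not taken from the patent).
POLICIES = [
    Policy(0, ((ip("10.0.0.0"), ip("10.0.0.255")), ANY_IP, ANY_PORT, (22, 22), (6, 6)), 1, "permit"),
    Policy(1, (ANY_IP, ANY_IP, ANY_PORT, (0, 1023), (6, 6)), 2, "deny"),
    Policy(2, (ANY_IP, ANY_IP, ANY_PORT, ANY_PORT, ANY_PROTO), 9, "deny"),
]
MATCHER = FiveTupleMatcher(POLICIES)

def lookup(src, dst, sport, dport, proto):
    """Return (policy address, action) for a packet's five-tuple, or None."""
    p = MATCHER.match((ip(src), ip(dst), sport, dport, proto))
    return None if p is None else (p.addr, p.action)

if __name__ == "__main__":
    print(lookup("10.0.0.5", "192.168.1.1", 40000, 22, 6))      # (0, 'permit')
    print(lookup("10.0.1.5", "192.168.1.1", 40000, 22, 6))      # (1, 'deny')
    print(lookup("10.0.0.5", "192.168.1.1", 40000, 8080, 17))   # (2, 'deny')
```

Each field costs two binary searches regardless of the number of policies, which is the log2(Num) behaviour the paragraph above describes.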
It should be understood that, the foregoing apparatus is used to perform the method in the foregoing embodiment, and corresponding program modules in the apparatus implement principles and technical effects similar to those described in the foregoing method, and reference may be made to corresponding processes in the foregoing method for the working process of the apparatus, which are not repeated herein.
Based on the method in the above embodiment, an embodiment of the invention provides an electronic device. The device may include at least one memory for storing programs and at least one processor for executing the programs stored in the memory, where the processor is adapted to perform the method described in the above embodiments when the program stored in the memory is executed.
Based on the method in the above embodiment, the embodiment of the present invention provides a computer-readable storage medium storing a computer program, which when executed on a processor, causes the processor to perform the method in the above embodiment.
Based on the method in the above embodiments, an embodiment of the present invention provides a computer program product, which when run on a processor causes the processor to perform the method in the above embodiments.
It is to be appreciated that the processor in embodiments of the invention may be a central processing unit (CPU), other general purpose processor, digital signal processor (DSP), application specific integrated circuit (ASIC), field programmable gate array (FPGA) or other programmable logic device, transistor logic device, hardware component, or any combination thereof. The general purpose processor may be a microprocessor, but in the alternative, it may be any conventional processor.
The steps of the method in the embodiment of the present invention may be implemented by hardware, or by a processor executing software instructions. The software instructions may consist of corresponding software modules that may be stored in random access memory (RAM), flash memory, read-only memory (ROM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, a flow or function in accordance with embodiments of the present invention is produced, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in or transmitted across a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that contains an integration of one or more available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), a semiconductor medium (e.g., a solid state disk (SSD)), or the like.
It will be appreciated that the various numerical numbers referred to in the embodiments of the present invention are merely for ease of description and are not intended to limit the scope of the embodiments of the present invention.
It will be readily appreciated by those skilled in the art that the foregoing description is merely a preferred embodiment of the invention and is not intended to limit the invention, but any modifications, equivalents, improvements or alternatives falling within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (10)

1. The message security policy matching method is characterized by comprising the following steps:
extracting a target five-tuple based on the target message;
for each target element in the target five-tuple, determining a coincidence item corresponding to the target element through binary search based on the target element and a local tuple ordering table, wherein the local tuple ordering table is determined by ordering each element of a local tuple according to element type and element numerical value, and the coincidence item is the element, among the elements of the same type in the local tuple ordering table, whose numerical value differs least from that of the target element;
determining first index information corresponding to each target element based on a security policy address index table and a coincidence item corresponding to each target element, wherein the security policy address index table is used for representing a corresponding relation between each element of a local tuple and a storage address of a security policy, and the first index information is used for representing an address range of the security policy matched with the target element;
And matching the security policy of the target five-tuple based on the first index information corresponding to each target element.
2. The method for matching message security policies according to claim 1, wherein the local tuple ordering table comprises a local maximum value element ordering sub-table of each element category and a local minimum value element ordering sub-table of each element category, the local maximum value element ordering sub-table is determined by ordering maximum value elements belonging to the same category in descending order, the maximum value elements are used for indicating a value upper limit, the local minimum value element ordering sub-table is determined by ordering minimum value elements belonging to the same category in ascending order, the minimum value elements are used for indicating a value lower limit, and the coincidence items corresponding to the target element comprise a maximum value coincidence item and a minimum value coincidence item;
the determining, based on the target element and the local tuple ordering table, the coincidence item corresponding to the target element through binary search includes:
determining a maximum value coincidence item corresponding to the target element through binary search based on the target element and a local maximum value element sorting sub-table corresponding to the element category to which the target element belongs;
And determining a minimum value coincidence item corresponding to the target element through binary search based on the target element and a local minimum value element sorting sub-table corresponding to the element category to which the target element belongs.
3. The method for matching a security policy according to claim 2, wherein the security policy address index table comprises: an index sub-table corresponding to each sorting sub-table in the local tuple sorting table, wherein one element in the sub-table of the local tuple sorting table corresponds to one index item in the index sub-table, the sub-table of the local tuple sorting table and the corresponding index sub-table adopt the same sorting mode, and the index sub-table is used for storing all index items in the table in groups based on the number of index items in a preset group and the corresponding sorting mode;
for the index groups in the index sub-table, the first J bit values of all index items in the (N+1)th index group are determined based on the number of index items in the preset group and the security policy address range defined by the Nth index group, the first J bit values of all index items in the 1st index group are 0, the last I bit values of all index items in an index group are determined based on the storage addresses of the security policies corresponding to the corresponding elements in the sub-table of the local tuple ordering table, N is a positive integer, and the bit number of one index item is J+I;
The determining the first index information corresponding to each target element based on the security policy address index table and the coincidence item corresponding to each target element includes:
determining a first index group corresponding to the maximum value coincidence item and a second index group corresponding to the minimum value coincidence item based on a maximum value coincidence item and a minimum value coincidence item corresponding to the target element and an index sub-table corresponding to an element category to which the target element belongs;
splicing the first J bit values of each index item in the first index group, determining a first security policy address range, and splicing the first J bit values of each index item in the second index group, determining a second security policy address range;
determining a third security policy address range based on the last I bit values of each index item in the first index group, and determining a fourth security policy address range based on the last I bit values of each index item in the second index group;
determining a fifth security policy address range adapted to the maximum value coincidence item based on the first security policy address range and the third security policy address range, and determining a sixth security policy address range adapted to the minimum value coincidence item based on the second security policy address range and the fourth security policy address range;
And performing a union operation based on the fifth security policy address range and the sixth security policy address range, and determining first index information corresponding to the target element.
4. The method for matching the security policy of the message according to claim 1, wherein the matching the security policy of the target five-tuple based on the first index information corresponding to each target element includes:
performing parallel operation based on the first index information corresponding to each target element, and determining second index information;
determining one or more security policies that match the target five-tuple based on the second index information;
and screening the security policies matched with the target five-tuple based on preset priority configuration, and determining the security policies of the target five-tuple.
5. The method for matching a security policy of any of claims 1-4, wherein said local tuple ordering table comprises a local maximum element ordering sub-table for each element class and a local minimum element ordering sub-table for each element class, said local tuple ordering table being obtained by:
based on a pre-configured lookup table, sorting maximum value elements belonging to the same class in descending order, and determining a local maximum value element sorting sub-table of each element class, wherein the maximum value elements are used for indicating a value upper limit;
based on the pre-configured lookup table, sorting minimum value elements belonging to the same class in ascending order, and determining a local minimum value element sorting sub-table of each element class, wherein the minimum value elements are used for indicating a value lower limit;
the lookup table comprises a plurality of table entries, wherein any one of the table entries comprises an element for representing the upper limit of the five-tuple value, an element for representing the lower limit of the five-tuple value and a security policy address corresponding to the table entry.
6. The method for matching security policies of claim 5, wherein the security policy address index table is obtained by:
determining an index sub-table corresponding to each sort sub-table in the local tuple sort table based on the storage addresses of the corresponding security policies of each sort sub-table and each element in the sort sub-table in the local tuple sort table;
determining the security policy address index table based on each index sub-table;
wherein, an element in a sub-table of the local tuple ordering table corresponds to an index item in the index sub-table, and the sub-table of the local tuple ordering table and the corresponding index sub-table adopt the same ordering mode.
7. The method according to claim 6, wherein determining an index sub-table corresponding to each sorting sub-table in the local tuple ordering table based on each sorting sub-table in the local tuple ordering table and the storage addresses of the security policies corresponding to the elements in the sorting sub-table comprises:
for any one target sorting sub-table, grouping elements in the target sorting sub-table in sequence based on the number of index items in a preset group, and determining a plurality of element groups;
based on the storage addresses of the corresponding security policies of the elements in the 1 st element group, determining the last I bit values of the index items in the 1 st index group, and determining the security policy address range defined by the 1 st index group, wherein the first J bit values of the index items in the 1 st index group are 0;
determining the first J bit values of all the index items in the (N+1) th index group based on the number of the index items in the preset group and the security policy address range defined by the (N) th index group, determining the last I bit values of all the index items in the (N+1) th index group based on the storage addresses of the corresponding security policies of all the elements in the (N+1) th element group, and determining the security policy address range defined by the (N+1) th index group;
determining a target index sub-table corresponding to the target sorting sub-table based on the index groups corresponding to the element groups;
N is a positive integer, the bit number of one index item is J+I, the value of J is determined based on the table entry number configuration of the lookup table and the number of index items in the preset group, and the value of I is determined based on the storage address bit number of the security policy.
8. A message security policy matching device, comprising:
the extraction module is used for extracting the target five-tuple based on the target message;
the binary search module is used for determining a coincidence item corresponding to each target element in the target five-tuple through binary search based on the target element and a local tuple ordering table;
the index information determining module is used for determining first index information corresponding to each target element based on a security policy address index table and the coincidence item corresponding to each target element;
and the security policy matching module is used for matching the security policy of the target five-tuple based on the first index information corresponding to each target element.
9. An electronic device, comprising:
At least one memory for storing a program;
at least one processor for executing the memory-stored program, which processor is adapted to perform the method according to any of claims 1-7, when the memory-stored program is executed.
10. A non-transitory computer readable storage medium storing a computer program, characterized in that the computer program, when run on a processor, causes the processor to perform the method of any of claims 1-7.
CN202311356164.3A 2023-10-18 2023-10-18 Message security policy matching method and device, electronic equipment and storage medium Pending CN117294516A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311356164.3A CN117294516A (en) 2023-10-18 2023-10-18 Message security policy matching method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117294516A true CN117294516A (en) 2023-12-26

Family

ID=89253394

Country Status (1)

Country Link
CN (1) CN117294516A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119788431A (en) * 2025-03-11 2025-04-08 山东华翼微电子技术股份有限公司 FPGA-based gigabit IPSec large-scale security policy query method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination