Matching rule engine supporting combined expression of multivariate protocol variables

Abstract

The invention discloses a matching rule engine supporting a combined expression of multivariate protocol variables, and relates to the technical field of information. The matching rule engine is composed of a rule definition device, a lexical parser, a grammar parser, a compiler and a binary code generator. The rule definition device is composed of a rule input device, a rule detection engine anda rule output device. According to the matching rule engine, an extended Berkeley packet filtering technology is improved, so that rule grammar of the matching rule engine can be customized, and function nesting calling, function variable reference, cache range offset and nesting expression evaluation are supported. According to the matching rule engine, the JIT technology is adopted, dynamic compilation is carried out into machine code operation, the execution efficiency can be comparable to that of a C program, and good system portability is achieved.

Description

technical field [0001] The present invention relates to the field of information technology, especially the field of information security technology. Background technique [0002] With the rapid development of network communication technology and information technology, the Internet has penetrated into all areas of people's work, study and life. While the Internet is profoundly changing people's real life, it also brings unprecedented problems of network security and information security. At present, the global network security situation is extremely severe. Network threats such as network attacks, infiltration and privilege escalation, viruses, Trojan horses, extortion and extortion are increasingly rampant, and network attacks represented by APT are increasing; personal information and commercial data are subject to large-scale leakage and violations. Taking advantage of the frequent occurrence of malicious website attacks targeting critical information infrastructure, th...

AI Technical Summary

Problems solved by technology

When multiple protocol variables need to be combined for detection, because each protocol variable is not in the same continuous address space, the extended Berkeley packet filtering technology program cannot be executed correctly

[0012] In the existing technology, the extended Berkeley packet filtering technology program cannot determine which address the constant string will be loaded into the memory in the future when compiling, so it is stipulated that the constant data string cannot be directly embedded in the source code of the ebpf program, including: character strings, regular expressions and binary strings and mixed character and binary strings

However, it is often necessary to input a keyword string or a regular expression string or a binary string to be matched in a security matching rule, which results in the prior art's extended Berkeley packet filtering technology mechanism being unable to meet the rule matching requirements of multiple protocol variable combinations

Images