CN101729573B - Dynamic load balancing method of network intrusion detection - Google Patents


Info

Publication number: CN101729573B
Application number: CN2009103117726A
Authority: CN (China)
Other versions: CN101729573A
Other languages: Chinese (zh)
Inventors: 于洪伟, 刘贤洪
Current and original assignee: Sichuan Changhong Electric Co Ltd
Prior art keywords: execution, engine, packet, load, load balancing
Legal status: Active (application granted)
Landscapes: Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the field of network security and discloses a multi-detection-engine load balancing method for a network intrusion prevention system. A multi-core network service processor is used as the hardware basis, several of its processing cores serve as detection engines, and a flow-based dynamic load balancing method balances load among the cores while maintaining detection accuracy and the processing demands of gigabit line rate. The method comprises the following steps: updating and maintaining a real-time detection-engine load table, dispatching packets, updating and maintaining a packet forwarding table, and load balancing. Carrying out these steps preserves flow integrity, so that subsequent detection or other processing is more accurate; the dynamic load balancing at the same time keeps the load of each processing engine evenly distributed and quick to respond. The invention is particularly suited to intrusion detection in gigabit network environments.

Description

Dynamic load balancing method of network intrusion detection
Technical field
The present invention relates to the field of network security, and in particular to intrusion detection using a multi-core processor, in which several cores run intrusion detection engines in parallel and a dynamic load balancing method adjusts the load of each detection core.
Background art
Faced with increasingly serious network intrusion attacks, Internet security experts have proposed many solutions. The intrusion detection system (IDS) model proposed by Denning in 1987 was widely used for a long time. However, the weak defensive capability of intrusion detection is its fatal flaw: many intrusions are very fast, and untimely prevention causes heavy losses. In a 2003 research report the well-known analyst firm Gartner declared intrusion detection systems "dead". Gartner held that IDS brings no additional security to the network and instead adds to the administrator's confusion, and recommended that users replace IDS with intrusion prevention systems (IPS, Intrusion Prevention System). Gartner also held that only inline or host-based real-time blocking of attacks makes an effective intrusion prevention system. Because the rapid development of network technology and network applications keeps increasing the data traffic on the network, network bandwidth is rising quickly, and traditional 10 Mbps networks are rapidly being replaced by 100 Mbps and 1000 Mbps networks. In such a high-speed environment, capturing every packet on the network and performing intrusion inspection, analysis or other processing is beyond traditional technical architectures, and dedicated network service processing chips must be used.
Traditional network intrusion detection and intrusion prevention products mostly use high-clock-rate single-core x86 IA architecture server PCs, but the bottlenecks of the x86 architecture keep it from reaching gigabit processing capability: I/O, system bus and memory speed, and protocol overhead are all bottlenecks, and the x86 architecture has no advantage in network processing. Dedicated network service processors were later developed, but a single CPU struggles to meet the demand of gigabit wire-speed processing. With the multi-core processors released one after another by Intel and AMD in 2006, CPUs entered the multi-core era, and dedicated multi-core network service processors satisfied the hardware requirement of gigabit wire-speed processing for network security inspection: although the clock rate of a single core of a multi-core processor is not high, several cores working in parallel easily meet this requirement. To achieve real-time online intrusion detection in high-speed networks, and especially in gigabit network environments, data analysis must be carried out at the node where intrusion prevention is deployed. When the rate at which data to be analyzed is generated exceeds the processing capability, network service quality suffers. Even in a network using a dedicated network server, several detection engines must be used. Therefore an inline system performing intrusion detection on network packets must balance load, and the quality of the load balancing system affects detection accuracy and detection speed. Load balancing methods divide into two kinds by the way load is distributed: static load distribution and dynamic load distribution. A method that uses only the average load information of the system and ignores its current load state is called static load distribution. A method that adjusts the division of work according to the current load state of the system is called dynamic load distribution. Compared with static load distribution, even a simple dynamic adjustment strategy significantly improves load balance, with performance approaching that of complex dynamic adjustment strategies. Dynamic load distribution, however, usually does not guarantee packet order, so packet load distribution should use a dynamic method as far as possible while adopting a suitable policy to keep packets in order, striking a balance between evenness of load and the out-of-order rate.
Summary of the invention
The technical problem solved by the invention is to propose a multi-detection-engine load balancing method for a network intrusion prevention system: a multi-core network service processor is used as the hardware basis, several of its processing cores act as detection engines and form a distributed processing cluster, and a flow-based dynamic load balancing method balances load among the cores while guaranteeing detection accuracy and gigabit line-rate processing.
The technical solution adopted by the invention is a dynamic load balancing method for network intrusion detection comprising a step of updating and maintaining the real-time detection-engine load table, a packet dispatch step, a step of updating and maintaining the packet forwarding table, and a load balancing step, characterized in that:
The real-time detection-engine load table is updated and maintained by the following steps:
a1. When the timer fires, call the information collection function to collect, for every detection engine, its session count Si(t), the number of pending packets Pi(t) in its pending queue, its memory usage Mi(t) and its core utilization Ci(t);
a2. Compute the load Li(t) of each detection engine: $L_i(t) = a_1 S_i(t)/S + a_2 M_i(t) + a_3 P_i(t)/P + a_4 C_i(t), \quad i = 1, 2, \dots, N$;
where N is the number of detection engines; a1, a2, a3, a4 are the influence coefficients of session count, memory usage, pending packet count and core utilization on the load, and their sum satisfies the constraint shown in Figure GDA0000133720510000031 (equation image not reproduced on this page); constant S is the maximum number of sessions a detection engine can tolerate, and constant P is the maximum acceptable number of pending packets of a detection engine;
a3. Call the load judgment function to decide whether load balancing is needed; if so, go to step a4, otherwise go to step a5;
a4. Execute the load balancing function; continue with step a5;
a5. Update the load table;
a6. End of the load table update and maintenance step;
Packet dispatch comprises the following steps:
b1. Take from the input queue the five-tuple hash value of the packet currently waiting to be dispatched;
b2. Use the lookup algorithm to search the packet forwarding table for the hash value of the current packet; on a hit, go to step b3; on a miss, go to step b6;
b3. Check the TCP flags of the packet; if FIN or RST is set, the packet terminates a session, so go to step b4, otherwise go to step b5;
b4. Delete the forwarding table entry corresponding to the current hash value; the session has ended;
b5. Dispatch the packet to the queue of the engine number recorded in the hit entry; return to step b1;
b6. A miss means a new session has arrived; find in the engine load table the engine number with the lowest load, and dispatch the current packet to the corresponding queue to be detected;
b7. Generate a new forwarding table entry from the hash value of the new session, the assigned detection engine number and the current time, and update the forwarding table;
b8. Return to step b1;
The packet forwarding table is updated and maintained by the following steps:
c1. Determine from the parameter passed by the caller which event caused the update; if the update was triggered by the timer, go to step c2, otherwise go to step c6;
c2. Obtain the current pointer into the forwarding table (the head pointer if the traversal has just started) and read the next entry; check whether the entry belongs to a TCP connection; if not, go to step c3; if so, go to step c5;
c3. Determine whether the difference between the entry's update time and the current time exceeds the update threshold Th; if so, go to step c4, otherwise go to step c5;
c4. Remove the entry; continue with step c5;
c5. Determine whether the tail node of the linked list has been reached; if not, return to step c2, otherwise go to step c9;
c6. Determine whether a new connection has arrived; if so, go to step c7, otherwise go to step c8;
c7. Add a new entry; go to step c9;
c8. Remove the entry; continue with step c9;
c9. End of the packet forwarding table update and maintenance step;
Load balancing comprises the following steps:
d1. After the load table update has completed, read the entries of the load table;
d2. Determine whether the load of the current engine exceeds the prescribed threshold; if so, go to step d3, otherwise go to step d4;
d3. Add the current entry to the overload list; continue with step d4;
d4. Read the next entry and determine whether it is empty; if so, go to step d5, otherwise return to step d2;
d5. Determine whether the overload list is empty; if so, go to step d8, otherwise go to step d6;
d6. If the list contains only one entry, only one engine is overloaded: call the load balancing function to assign some of its connections to a lightly loaded engine, then continue with step d8; otherwise go to step d7;
d7. If several detection engines are overloaded, call the exception handling function;
d8. End.
The beneficial effects of the invention are as follows. Parallel detection is achieved with a multi-core network service processor, and the system can be scaled and virtualized to suit the application environment (one intrusion prevention system is virtualized into several detection engines, saving cost). To address the fact that load balancing algorithms do not preserve order, a flow-based load balancing method is proposed that guarantees that the traffic of one communication is assigned to the same detection engine, improving detection accuracy. From an engineering and practical standpoint, a simple dynamic load balancing method is adopted, which solves the problem that the load imbalance of static load balancing algorithms is amplified in high-speed network environments, while avoiding the complexity of elaborate load balancing algorithms.
The main application environments of the invention:
Backbone network nodes in gigabit network environments, which may be computer communication networks or environments such as broadcast and television networks that have been upgraded to bidirectional networks.
The system can be virtualized for different environments; the hardware is based on a multi-core network service processor.
The invention is described in further detail below with reference to an embodiment.
Embodiment
In the invention, several processing cores of a multi-core network service processor form a distributed processing cluster, and a dynamic load balancing algorithm well suited to practical use is adopted. To overcome the fact that load balancing does not preserve order, a method for protecting data-flow integrity is combined with the load balancing algorithm, giving a load balancing solution for network-based real-time online data processing equipment that is strongly practical.
Data-flow integrity and the quality of the load balancing algorithm are the two main factors affecting the performance of an intrusion detection system. Data-flow integrity affects detection accuracy: the packets of one session must be assigned to the same detection engine. The quality of the load balancing algorithm affects detection speed: each detection engine should, as far as possible, not be working at full load.
As application software keeps multiplying, traditional per-packet intrusion detection at or below the transport layer can no longer accurately detect current intrusions; deep protocol analysis is required. For ease of scaling, every detection engine preferably performs the same functions. At the same time, virtual detection engines can be implemented, saving deployment cost.
Packets must be reassembled before they are load balanced: in a typical TCP/IP environment this mainly means IP fragment reassembly and TCP session reassembly, and deep protocol analysis can also be performed. Many dedicated network service processors implement packet capture, reassembly and similar functions in hardware; the invention performs multi-engine load balancing after that work is done.
A session can be uniquely identified by the hash value of the packet five-tuple (protocol, source port, source IP address, destination port, destination IP address); a typical dedicated network service processor generates this value automatically, and it can also be computed in software.
The invention uses several cores to realize parallel processing by multiple detection engines, so the following problems must be handled well:
The load balancing problem. The rate at which each detection engine processes packets may differ and depends on the content of the packets, so the load in the pending queue of each detection engine will vary; without balancing, one detection engine may be idle while others are extremely busy, which hurts the efficiency of the system. Load balancing among the detection engines must therefore be addressed.
Data integrity is another problem to consider, since it affects the accuracy of detection or the validity of processing, which are important performance indicators of a system. Traffic cannot be split arbitrarily: if session integrity is not guaranteed and only balanced load is ensured, the data of an intrusion attack from a given IP address may, once split into packets, be assigned to different detection engines; no detection engine then sees the complete data, and detections are missed. The load balancing strategy must therefore guarantee that all packets of the same connection are sent to the same detector.
The load balancing policy problem. Current load balancing policies mainly take the following forms. Policy 1, one detection engine per protocol: each detection engine detects packets of a specific protocol (such as HTTP, FTP or Telnet); the drawback is that the number of packets of each protocol on the target network may differ and changes over time, so balanced load is hard to achieve. Policy 2, one detection engine per protected target: a specific detection engine is responsible for the hosts with specific IP addresses in the protected network; the drawback is that at any moment the traffic of the protected targets is uneven, and the traffic of a protected target also keeps changing through the day, so the policy is not general. Policy 3, a general policy for every detection engine: a general engine can perform intrusion detection and analysis on every network data flow (flows of all application protocols and of all destination hosts). Under this policy the load balancer is not constrained by the application protocol or destination host address of the packet and distributes the network data flows to the subsequent engines purely according to the load balancing algorithm.
Reducing overhead. Keep little state. Storing the state of current flows requires ample resources, so as little state as possible should be kept, keeping the algorithm simple and the overhead small in order to meet the line-rate processing requirement.
For generality, the invention adopts the third load balancing policy, a general policy for each detection engine. The general policy also has the advantages of easy expansion (adding detection engines) and of allowing detection equipment to be virtualized. Taking data integrity and low overhead into account, a flow-based dynamic load balancing algorithm is adopted.
The invention uses a flow-based dynamic load balancing algorithm. First the main indicators reflecting the load of a detection engine are considered: the session count Si(t) of the detection engine, the number of pending packets Pi(t) in its pending queue, its memory usage Mi(t) and its core utilization Ci(t). These indicators give the load Li(t) of the detection engine at time t:
$L_i(t) = a_1 S_i(t)/S + a_2 M_i(t) + a_3 P_i(t)/P + a_4 C_i(t), \quad i = 1, 2, \dots, N \quad (1)$
where N is the number of detection engines; a1, a2, a3, a4 are the influence coefficients of session count, memory usage, pending packet count and core utilization on the load, and their sum satisfies the constraint shown in Figure GDA0000133720510000081 (equation image not reproduced on this page); constant S is the maximum number of sessions a detection engine can tolerate, and constant P is the maximum acceptable number of pending packets of a detection engine.
Different sessions are distinguished mainly by the five-tuple <protocol number, source IP, source port, destination IP, destination port>. For connectionless protocols (such as UDP and ICMP), all packets carrying the same five-tuple within a very short time T are defined to be one session. The network processor of the invention can generate the five-tuple hash of a new packet automatically.
Load balancing mainly comprises the following parts:
One: updating and maintaining the real-time detection-engine load table. The load table contains: detection engine number, number of sessions to be detected, packet backlog, detection core utilization, memory usage and current detection engine load. The table is stored as a sequential list and is updated after a given, very short time interval. Information can be collected by a dedicated thread or by the management control core. The structure of the real-time detection-engine load table is as follows:
[Figure GDA0000133720510000091: structure of the real-time detection-engine load table; image not reproduced on this page]
The real-time detection-engine load table is updated and maintained by the following steps:
Step 1: when the timer fires, call the information collection function to collect, for every detection engine, its session count Si(t), the number of pending packets Pi(t) in its pending queue, its memory usage Mi(t) and its core utilization Ci(t).
Step 2: compute the load Li(t) of each detection engine according to formula (1).
Step 3: call the load judgment function to decide whether load balancing is needed; if so, go to step 4, otherwise go to step 5.
Step 4: execute the load balancing function.
Step 5: update the load table. The load table is very small, but it must not be updated too frequently, otherwise system performance suffers.
Step 6: end of the load table update and maintenance step.
Two: packet dispatch. This procedure operates on the packet forwarding table and the engine load table. When a new session arrives, an engine is selected by the lowest-current-load rule, a dispatch record for the session is added to the forwarding table, and all subsequent packets of the same session are dispatched to that engine. Whenever the five-tuple hash of a received packet has no record in the forwarding table, the packet is taken as the start of a new session. When a session ends, its record is deleted from the forwarding table. For TCP packets, the FIN and RST flags end a session. For packets of connectionless protocols (UDP, ICMP, etc.) and for incomplete TCP connections, the "update time" field of the record is used to remove timed-out session records periodically. The data structure of a forwarding table entry is as follows:
[Figure GDA0000133720510000101: structure of a forwarding table entry; image not reproduced on this page]
Packet dispatch is implemented by the following steps:
Step 1: take from the input queue the five-tuple hash value of the packet currently waiting to be dispatched.
Step 2: use the lookup algorithm to search the packet forwarding table for the hash value of the current packet. On a hit, go to step 3; on a miss, go to step 6.
Step 3: check the TCP flags of the packet; if FIN or RST is set, the packet terminates a session: go to step 4, otherwise go to step 5.
Step 4: delete the forwarding table entry corresponding to the current hash value; the session has ended.
Step 5: dispatch the packet to the queue of the engine number recorded in the hit entry. Return to step 1.
Step 6: a miss means a new session has arrived; find in the engine load table the engine number with the lowest load and dispatch the current packet to the corresponding queue to be detected.
Step 7: generate a new forwarding table entry from the hash value of the new session, the assigned detection engine number and the current time, and update the forwarding table. When the forwarding table is updated, entries are kept sorted by hash value.
Step 8: return to step 1.
Three: updating and maintaining the packet forwarding table. Since in a high-speed network a session cannot be fully reassembled before detection (the amount of data to buffer would be very large), a forwarding table is needed. The forwarding table contains: engine number, update time, and the five-tuple <protocol number, source IP, source port, destination IP, destination port>. It is updated when a session ends, when a new session arrives, or when the timer fires; connectionless traffic is handled by the periodic update.
The packet forwarding table is updated and maintained by the following steps:
Step 1: determine from the parameter passed by the caller which event caused the update. If the update was triggered by the timer, go to the next step; otherwise go to step 6.
Step 2: obtain the current pointer into the forwarding table (the head pointer if the traversal has just started) and read the next entry; check whether the entry belongs to a TCP connection. If not, go to the next step; if so, go to step 5.
Step 3: determine whether the difference between the entry's update time and the current time exceeds the update threshold Th (the system can set Th itself according to the volume of network traffic and the capability of the network service processor). If so, go to the next step; otherwise go to step 5.
Step 4: remove the entry.
Step 5: determine whether the tail node of the linked list has been reached; if not, return to step 2, otherwise go to step 9.
Step 6: determine whether a new connection has arrived; if so, go to the next step, otherwise go to step 8.
Step 7: add a new entry; go to step 9.
Step 8: remove the entry.
Step 9: end.
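The dispatch loop of part two and the forwarding table maintenance of part three, as an added example in Python (not code from the patent or its assignee). The software five-tuple hash, the injected clock, the packet dictionary layout and the traffic in run_demo are constructed for this example; a dict stands in for the hash-sorted linked list, and refreshing an entry's update time on every hit is an addition so that an active UDP flow is not aged out mid-stream.

```python
import hashlib

FIN = 0x01   # TCP flag bits checked in step b3
RST = 0x04


def five_tuple_hash(five_tuple):
    """Software stand-in (constructed for this example) for the hardware
    five-tuple hash the network processor generates."""
    return hashlib.blake2b(repr(five_tuple).encode(), digest_size=8).hexdigest()


class FlowDispatcher:
    """Flow-pinned dispatcher: every packet of a session goes to the engine
    recorded in the forwarding table; a new session goes to the least-loaded
    engine according to the load table."""

    def __init__(self, n_engines, th, clock):
        self.n_engines = n_engines
        self.th = th                     # Th: idle time after which non-TCP entries expire
        self.clock = clock               # time source, injected to keep the example deterministic
        self.forward = {}                # hash -> [engine, update_time, five_tuple]
        self.queues = [[] for _ in range(n_engines)]
        self.loads = [0.0] * n_engines   # L_i(t) per engine, refreshed by the load-table step

    def min_load_engine(self):
        return min(range(self.n_engines), key=self.loads.__getitem__)

    def dispatch(self, pkt):
        """Steps b1-b8; returns the engine index the packet was queued to."""
        ft = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        h = five_tuple_hash(ft)                             # b1
        entry = self.forward.get(h)                         # b2: table lookup
        if entry is not None:                               # hit
            engine = entry[0]
            self.queues[engine].append(pkt)                 # b5: deliver to the pinned engine
            if ft[0] == "tcp" and pkt.get("flags", 0) & (FIN | RST):
                self.update_table("end", h)                 # b3/b4: FIN or RST ends the session
            else:
                entry[1] = self.clock()                     # added: keep active flows from ageing out
            return engine
        engine = self.min_load_engine()                     # b6: new session -> least-loaded engine
        self.queues[engine].append(pkt)
        self.update_table("new", h, engine, ft)             # b7: record the pinning
        return engine                                       # b8: caller loops for the next packet

    def update_table(self, reason, h=None, engine=None, ft=None):
        """Steps c1-c9. reason is 'timer', 'new' or 'end'; returns the hashes removed."""
        if reason == "timer":                               # c1 -> walk the table (c2-c5)
            now = self.clock()
            removed = []
            for key, (_, t_upd, tup) in list(self.forward.items()):
                if tup[0] == "tcp":                         # c2: TCP entries are closed by FIN/RST
                    continue
                if now - t_upd > self.th:                   # c3/c4: stale connectionless session
                    del self.forward[key]
                    removed.append(key)
            return removed
        if reason == "new":                                 # c6/c7: new connection
            self.forward[h] = [engine, self.clock(), ft]
            return []
        return [h] if self.forward.pop(h, None) is not None else []   # c8: session ended


def run_demo():
    """Constructed traffic: one TCP session that survives a load change and
    ends with FIN, then a UDP flow that is aged out by the timer."""
    now = [100.0]
    d = FlowDispatcher(3, th=30.0, clock=lambda: now[0])
    d.loads = [0.5, 0.2, 0.9]
    syn = {"proto": "tcp", "src": "192.0.2.10", "sport": 40000,
           "dst": "192.0.2.80", "dport": 80, "flags": 0x02}
    data = dict(syn, flags=0x18)
    fin = dict(syn, flags=FIN | 0x10)
    udp = {"proto": "udp", "src": "192.0.2.10", "sport": 5000,
           "dst": "192.0.2.53", "dport": 53}
    first = d.dispatch(syn)             # new session -> engine 1 (least loaded)
    d.loads = [0.1, 0.9, 0.9]           # loads change, but the session stays pinned
    pinned = d.dispatch(data)
    d.dispatch(fin)                     # delivered to engine 1, then the entry is removed
    tcp_left = len(d.forward)
    udp_engine = d.dispatch(udp)        # new session -> engine 0
    now[0] += 31.0                      # idle longer than Th
    expired = len(d.update_table("timer"))
    return first, pinned, tcp_left, udp_engine, expired, len(d.forward)
```

Taken literally from steps c2 to c4, TCP entries are never aged out, so a connection whose FIN or RST is lost, or a half-open connection, stays in the table indefinitely; part three says such incomplete TCP connections are also expired by update time, which a production table must do to bound memory.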
Four: load balancing. When the load of a detection engine exceeds a threshold LTh (which may take the maximum load as its reference point), the packets that would be assigned to this engine are load balanced, that is, assigned to other detection engines. This situation may occur when all sessions of a detection engine are high-volume sessions. When it occurs on several engines at once, an alarm is raised and the exception handling function is called. The load balancing function is only called after the load table has been updated, and is called by the load update function.
Load balancing comprises the following steps:
Step 1: after the load table update has completed, read the entries of the sequentially stored load table.
Step 2: determine whether the load of the current engine exceeds the prescribed threshold LTh; if so, go to the next step, otherwise go to step 4.
Step 3: add the current entry to the overload list.
Step 4: read the next entry and determine whether it is empty; if so, go to step 5, otherwise return to step 2.
Step 5: determine whether the overload list is empty; if so, go to step 8, otherwise go to the next step.
Step 6: if the list contains only one entry, only one engine is overloaded: call the load balancing function to assign some of its connections to a lightly loaded engine. Otherwise go to the next step.
Step 7: several detection engines are overloaded: call the exception handling function, which may consider whether an anomaly such as a denial-of-service attack is occurring; this is not the focus of the invention.
Step 8: end.
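Formula (1) of part one together with the overload handling of part four, as an added example in Python (not the patent's own code). The coefficient values, the limits S and P, the threshold LTh and the metric samples are constructed; the page does not say how many connections the balancing function moves, so the count derived from the a1*S_i/S term is an assumption, as is the check that the coefficients sum to 1.

```python
import math


class EngineLoadTable:
    """Real-time detection-engine load table (part one) with the overload
    check of part four. a1..a4, S, P and LTh are the page's symbols."""

    def __init__(self, a, S, P, LTh):
        self.a1, self.a2, self.a3, self.a4 = a
        # Assumed here (the page shows the constraint only as an image): the
        # coefficients sum to 1, so L_i(t) stays within [0, 1] while every
        # metric is inside its limit.
        if abs(sum(a) - 1.0) > 1e-9:
            raise ValueError("coefficients a1..a4 must sum to 1")
        self.S, self.P, self.LTh = S, P, LTh
        self.table = {}   # engine number -> metrics plus the computed load L_i(t)

    def load(self, S_i, M_i, P_i, C_i):
        """Formula (1): L_i(t) = a1*S_i/S + a2*M_i + a3*P_i/P + a4*C_i."""
        return (self.a1 * S_i / self.S + self.a2 * M_i
                + self.a3 * P_i / self.P + self.a4 * C_i)

    def update(self, samples):
        """Steps 1-6 of part one. samples is the timer-driven collection
        {engine: (S_i, M_i, P_i, C_i)}; returns the balancing decision."""
        for eng, (S_i, M_i, P_i, C_i) in samples.items():          # steps 1-2
            self.table[eng] = {"S": S_i, "M": M_i, "P": P_i, "C": C_i,
                               "L": self.load(S_i, M_i, P_i, C_i)}
        return self.balance()                                         # steps 3-5

    def balance(self):
        """Steps d1-d8 of part four."""
        overloaded = [e for e, row in self.table.items()
                      if row["L"] > self.LTh]                         # d1-d4
        if not overloaded:                                            # d5
            return {"action": "none"}
        if len(overloaded) > 1:                                       # d7: alarm
            return {"action": "alarm", "engines": sorted(overloaded)}
        src = overloaded[0]                                           # d6
        dst = min(self.table, key=lambda e: self.table[e]["L"])
        # The page does not say how many connections to move. Assumption: move
        # enough sessions, valued through the a1*S_i/S term, to bring the
        # overloaded engine back to LTh, but never more than it has.
        excess = self.table[src]["L"] - self.LTh
        per_session = self.a1 / self.S
        n = math.ceil(round(excess / per_session, 6)) if per_session > 0 else 0
        n = min(n, self.table[src]["S"])
        return {"action": "migrate", "from": src, "to": dst, "sessions": n}


def run_demo():
    """Constructed samples for three engines: first only engine 0 is saturated
    by a few high-volume sessions, then engine 2 overloads as well."""
    lt = EngineLoadTable(a=(0.3, 0.2, 0.3, 0.2), S=1000, P=500, LTh=0.8)
    single = lt.update({0: (900, 0.90, 450, 0.95),    # L_0 = 0.91
                        1: (100, 0.30, 50, 0.20),     # L_1 = 0.16
                        2: (300, 0.40, 100, 0.30)})   # L_2 = 0.29
    multi = lt.update({0: (900, 0.90, 450, 0.95),
                       1: (100, 0.30, 50, 0.20),
                       2: (950, 0.80, 480, 0.90)})    # L_2 = 0.913
    return single, multi
```

Any sessions moved this way must also have their forwarding table entries rewritten to the new engine before their next packet is dispatched; otherwise the session is split across engines and the missed detections the embodiment warns about follow.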
The invention guarantees flow integrity, making subsequent detection or other processing more accurate. Using dynamic load balancing at the same time keeps the load of each processing engine evenly distributed and quick to respond. The multi-engine architecture ensures that network-based applications in gigabit network environments need not become a network bottleneck.

Claims (2)

1. A dynamic load balancing method for network intrusion detection, comprising a step of updating and maintaining a real-time detection-engine load table, a packet dispatch step, a step of updating and maintaining a packet forwarding table, and a load balancing step, characterized in that:
The real-time detection-engine load table is updated and maintained by the following steps:
a1. When the timer fires, call the information collection function to collect, for every detection engine, its session count Si(t), the number of pending packets Pi(t) in its pending queue, its memory usage Mi(t) and its core utilization Ci(t);
a2. Compute the load Li(t) of each detection engine:
$L_i(t) = a_1 S_i(t)/S + a_2 M_i(t) + a_3 P_i(t)/P + a_4 C_i(t), \quad i = 1, 2, \dots, N$;
where N is the number of detection engines; a1, a2, a3, a4 are the influence coefficients of session count, memory usage, pending packet count and core utilization on the load, and their sum satisfies the constraint shown in Figure FDA0000133720500000011 (equation image not reproduced on this page); constant S is the maximum number of sessions a detection engine can tolerate, and constant P is the maximum acceptable number of pending packets of a detection engine;
a3. Call the load judgment function to decide whether load balancing is needed; if so, go to step a4, otherwise go to step a5;
a4. Execute the load balancing function; continue with step a5;
a5. Update the load table;
a6. End of the load table update and maintenance step;
the packet dispatch step comprises the following steps:
b1. take the five-tuple hash value of the packet currently waiting to be dispatched from the input queue;
b2. use the lookup algorithm to search the packet forwarding table for the hash value of the current packet; on a hit, execute step b3; on a miss, execute step b6;
b3. check the TCP flag bits of the packet; if FIN or RST is set, the packet terminates a session: execute step b4; otherwise execute step b5;
b4. delete the forwarding table entry corresponding to the current hash value; the session has ended;
b5. dispatch the packet to the queue of the engine number recorded in the matching forwarding table entry; return to step b1;
b6. a miss indicates that a new session has arrived; find the engine number with the lowest load in the engine load table and dispatch the current packet to that engine's detection queue;
b7. generate a new forwarding table entry from the hash value of the new session, the assigned detection engine number and the current time, and update the forwarding table;
b8. return to step b1;
the packet forwarding table update and maintenance step comprises the following steps:
c1. determine from the parameter passed to the function which event caused the update; if the update was triggered by the timer, execute step c2; otherwise execute step c6;
c2. obtain the current pointer of the forwarding table (the head pointer if the traversal has just begun) and read the next entry; check whether the entry belongs to a TCP connection; if not, execute step c3; if so, execute step c5;
c3. determine whether the difference between the entry's update time and the current time exceeds the update threshold Th; if so, execute step c4; otherwise execute step c5;
c4. delete the entry; continue with step c5;
c5. determine whether the tail node of the linked list has been reached; if not, return to step c2; otherwise execute step c9;
c6. determine whether a new connection has arrived; if so, execute step c7; otherwise execute step c8;
c7. add a new entry; execute step c9;
c8. delete the entry; continue with step c9;
c9. end the packet forwarding table update and maintenance step;
the load balancing step comprises the following steps:
d1. after the load table update has completed, read the entries of the load table;
d2. determine whether the load of the current engine exceeds the specified threshold; if so, execute step d3; otherwise execute step d4;
d3. add the current entry to the overload linked list; continue with step d4;
d4. read the next entry and determine whether it is empty; if so, execute step d5; otherwise return to step d2;
d5. determine whether the overload linked list is empty; if so, execute step d8; otherwise execute step d6;
d6. if the linked list contains only one entry, only one engine is overloaded: call the load balancing function to reassign part of its connections to an engine with lower load, then continue with step d8; otherwise execute step d7;
d7. if several detection engines are overloaded, call the exception handling function;
d8. end.
2. The dynamic load balancing method for network intrusion detection according to claim 1, characterized in that, in step b7, when the forwarding table is updated, its entries are sorted by the five-tuple hash value of the packet.
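As an added example (not the patent's own code), the following Python model implements the packet dispatch of claim 1 (steps b1 to b8), the timer-driven expiry of idle non-TCP forwarding entries (steps c2 to c5), the load score of step a2 and the overload check of steps d2 and d3. It assumes the five-tuple itself as the table key, equal coefficients a1..a4, and that a FIN/RST packet is still queued on the engine that handled its session, since the claim only states that the entry is deleted.

```python
from dataclasses import dataclass
FIN, RST = 0x01, 0x04          # TCP flag bits (standard values)

@dataclass
class Engine:
    sessions: int = 0          # S_i(t): active sessions
    mem: float = 0.0           # M_i(t): memory usage, 0..1
    pending: int = 0           # P_i(t): packets in the pending queue
    cpu: float = 0.0           # C_i(t): core utilisation, 0..1

def load(e, S, P, a=(0.25, 0.25, 0.25, 0.25)):
    """L_i(t) = a1*S_i/S + a2*M_i + a3*P_i/P + a4*C_i (step a2); equal a_k assumed."""
    return a[0]*e.sessions/S + a[1]*e.mem + a[2]*e.pending/P + a[3]*e.cpu

class Dispatcher:
    def __init__(self, engines, S, P):
        self.engines, self.S, self.P = engines, S, P
        self.table = {}        # five-tuple -> [engine index, last update time]

    def dispatch(self, five_tuple, tcp_flags, now):
        """Steps b1-b8. five_tuple = (src_ip, src_port, dst_ip, dst_port, proto);
        the tuple itself stands in for the hash value. Returns the engine index."""
        entry = self.table.get(five_tuple)
        if entry is not None:                          # b2: hit
            idx = entry[0]
            if five_tuple[4] == "tcp" and tcp_flags & (FIN | RST):
                del self.table[five_tuple]             # b4: session ended
                self.engines[idx].sessions -= 1
            else:
                entry[1] = now                         # refresh timestamp (assumed)
        else:                                          # b6: miss, new session
            idx = min(range(len(self.engines)),
                      key=lambda i: load(self.engines[i], self.S, self.P))
            self.table[five_tuple] = [idx, now]        # b7: new entry
            self.engines[idx].sessions += 1
        self.engines[idx].pending += 1                 # b5: queue on engine idx
        return idx

    def expire(self, now, th):
        """Timer sweep (c2-c5): drop non-TCP entries idle longer than th."""
        stale = [k for k, (_, t) in self.table.items()
                 if k[4] != "tcp" and now - t > th]
        for k in stale:
            self.engines[self.table.pop(k)[0]].sessions -= 1
        return len(stale)

    def overloaded(self, threshold):
        """Steps d2-d3: indices of engines whose load exceeds threshold."""
        return [i for i, e in enumerate(self.engines)
                if load(e, self.S, self.P) > threshold]
```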
CN2009103117726A 2009-12-18 2009-12-18 Dynamic load balancing method of network intrusion detection Active CN101729573B (en)

Publications (2)

Publication Number Publication Date
CN101729573A CN101729573A (en) 2010-06-09
CN101729573B true CN101729573B (en) 2012-05-30

Family

ID=42449771

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant