CN101800698A - Flow limit system and method thereof based on network processor - Google Patents


Info

Publication number: CN101800698A
Authority: CN (China)
Prior art keywords: current limiting, flow, strategy, micromodule, user
Legal status: Granted
Application number: CN201010104551A
Other languages: Chinese (zh)
Other versions: CN101800698B (en)
Inventors: 谢胜利, 赖粤, 赖运娥, 关广才
Current assignee: South China University of Technology SCUT
Original assignee: South China University of Technology SCUT

Legal events:
  • Application filed by South China University of Technology SCUT
  • Priority to CN2010101045514A
  • Publication of CN101800698A
  • Application granted
  • Publication of CN101800698B
  • Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a flow limiting system based on a network processor, and a corresponding method. The system comprises a network processor and a supervisory computer; the network processor is connected to a DRAM memory and an SRAM memory, and is provided with an MSF switching fabric, a flow sniffing micromodule, a traffic filtering micromodule, a learning machine and an Xscale management interface. The high-speed performance of the network processor is put to full use: the self-learning function of the learning machine formulates the relevant flow limiting policies, and different flow limiting policies are applied according to the state of the network packets stored in the DRAM memory and the policy table in the SRAM memory. Normal network traffic is kept unobstructed, while the traffic of untrusted users and blacklisted users can be limited quickly and effectively, thereby protecting the system.

Description

A flow limiting system based on a network processor, and a method thereof
Technical field
The present invention relates to the field of network information security, and in particular to a flow limiting system based on a network processor and a method thereof.
Background technology
With the rapid development of networks, network security problems are becoming increasingly serious. Analysis of most network security incidents shows that network traffic behaves abnormally when a security threat occurs, so detecting and limiting network traffic is of great value for ensuring network security. A network traffic anomaly means that the traffic in a network shows a clearly irregular variation within a certain period. In general, the causes of traffic anomalies fall into two classes: a system or network configuration error that drives traffic up to the limit the environment can bear, and a malicious attack. To date, a large number of researchers at home and abroad have studied the detection of abnormal network traffic in depth and obtained many positive results. The classic detection methods include: detection based on statistical models, detection based on a normal-threshold baseline, detection based on Markov chains, and detection based on wavelet analysis. Once these methods detect that network traffic has become abnormal, appropriate measures can be taken to limit the flow.
However, the flow limiting techniques that complement anomaly detection lag behind comparatively. At present, flow limiting is generally coupled with load balancing, so that flow limiting is applied merely to achieve load balancing across the system. Although this can guarantee system stability, it is difficult to guarantee a high level of QoS (Quality of Service). On the other hand, the TCP/IP protocol suite has its own congestion control, which is related to flow limiting; this controls normal traffic well and can guarantee the necessary QoS, but when abnormal traffic is involved it proves inadequate and cannot guarantee the necessary QoS. Moreover, most existing flow limiting methods lack adaptivity and intelligence.
According to the definition of the Network Processors Conference, a network processor is a programmable device applied specifically to the various tasks of the communications field, such as packet processing, protocol analysis, route lookup, voice/data convergence, firewalls, QoS and so on. Applying a network processor to detection in the network is therefore a very suitable scheme.
Summary of the invention
The object of the invention is to overcome the above shortcomings and deficiencies of the prior art and to provide a flow limiting system based on a network processor. The invention formulates flow limiting policies on the basis of flow state, which not only guarantees the stability of the system but also guarantees QoS well.
Another object of the invention is to provide the flow limiting method of the above flow limiting system based on a network processor.
The object of the invention is achieved through the following technical solution: a flow limiting system based on a network processor comprises a network processor and a host computer; the network processor is connected to a DRAM memory used to store raw packet information and an SRAM memory used to store flow state information and the flow limiting policy table; the network processor is provided with:
an MSF switching fabric (Media Switch Fabric) connected to the external network, used to receive network packets and deposit the raw packet information in the DRAM memory;
a flow sniffing micromodule, used to read the raw packet information in the DRAM memory and perform flow sniffing, derive the corresponding flow state information, deposit it in the SRAM memory and upload it to the learning machine;
a traffic filtering micromodule, used to execute the flow limiting policies in the flow limiting policy table of the SRAM memory;
a learning machine, used to learn in real time from the raw packet information in the DRAM memory and its corresponding flow state information in order to adjust the corresponding flow limiting policy, to update the adjusted policy into the flow limiting policy table of the SRAM memory, and to feed the information about the policy adjustment back to the host computer through the Xscale management interface;
an Xscale management interface, used to implement communication between the learning machine and the host computer.
The MSF switching fabric and the DRAM memory, the flow sniffing micromodule and the DRAM memory, the flow sniffing micromodule and the SRAM memory, the MSF switching fabric and the traffic filtering micromodule, and the Xscale management interface and the host computer are all connected via a PCI bus and communicate with each other, which effectively raises the processing speed of the network processor and the communication speed between the network processor and the host computer.
The learning machine is connected to the DRAM memory, the SRAM memory, the flow sniffing micromodule, the traffic filtering micromodule and the Xscale management interface through the learning machine's on-chip bus.
To better realize the invention, the network processor adopted is Intel's second-generation network processor IXP2850. Compared with the first generation, it takes the statistical properties of network data flows fully and comprehensively into account and adopts corresponding hardware accelerators and software techniques, which greatly improve the processing speed of network packets and considerably shorten the development cycle of network applications.
The flow limiting method of the above flow limiting system based on a network processor is as follows:
a. The host computer issues a predetermined flow limiting policy to the learning machine through the Xscale management interface, and the learning machine deposits this predetermined policy in the flow limiting policy table of the SRAM memory;
b. The MSF switching fabric receives network packets and deposits the raw packet information in the DRAM memory;
c. The flow sniffing micromodule reads the raw packet information in the DRAM memory in real time and performs flow sniffing, derives the corresponding flow state information, deposits it in the SRAM memory and uploads it to the learning machine;
d. The learning machine learns in real time from the raw packet information in the DRAM memory and its corresponding flow state information, adjusts the corresponding flow limiting policy, updates the adjusted policy into the flow limiting policy table of the SRAM memory, and feeds the information about the policy adjustment back to the host computer through the Xscale management interface; the traffic filtering micromodule executes the flow limiting policies in the flow limiting policy table of the SRAM memory.
In the above method, the host computer may be provided with a user interface. The Xscale management interface communicates with the host computer using the socket communication protocol, both to return the learning machine's policy-adjustment feedback to the host computer and to let the host computer issue the predetermined flow limiting policy to the learning machine, which is likewise done over sockets through the user interface. The sockets use the select model, which can automatically determine whether data is available on a socket or whether data can be written to a socket. The select function filters out the sockets that satisfy the request from a specified set, so the application program only needs to walk the socket list and handle them one by one. The advantage of this protocol is that it makes communication faster, and because an effective service is always present at the server side, data can be transferred in real time; in addition, since it is the select model, a connection is made only when data needs to be passed, which makes effective use of system resources.
In the above method, after the host computer in step a has issued the predetermined flow limiting policy to the learning machine through the Xscale management interface, the learning machine also places the predetermined policy in a flow limiting policy table in its own independent memory area; after the learning machine in step d has adjusted the corresponding flow limiting policy, it also updates the adjusted policy into the policy table in that independent memory area, so that the independent memory area is kept up to date and the learning machine can consult the flow limiting policy quickly.
In the above method, step d, in which the learning machine learns in real time from the raw packet information in the DRAM memory and its corresponding flow state information, adjusts the corresponding flow limiting policy, updates the adjusted policy into the flow limiting policy table of the SRAM memory and feeds the adjustment information back to the host computer through the Xscale management interface, while the traffic filtering micromodule executes the flow limiting policies in the policy table of the SRAM memory, proceeds concretely as follows:
The learning machine parses the raw packet information in the DRAM memory, first extracting the packet header information to identify the user it belongs to, and then walks the flow limiting policy table in its own independent memory area for this user. If the user is not in the policy table, it reads the flow state information for this raw packet information as passed on by the flow sniffing micromodule and performs abnormal-flow analysis on that flow state information to decide whether the flow is abnormal. If the flow is normal, it is allowed to pass normally; if it is abnormal, the user is added to the policy table and associated with a concrete flow limiting policy, the policy table in the SRAM memory is updated at the same time, and the traffic filtering micromodule executes the corresponding policy from the policy table in the SRAM memory;
If the user is already in the policy table, the traffic filtering micromodule executes the corresponding policy from the policy table in the SRAM memory;
After the flow limiting policy has been executed, the flow sniffing micromodule performs flow sniffing again and passes the post-limiting flow state to the learning machine. The learning machine judges, according to the policy that corresponds to this flow state, whether the post-limiting flow state meets the target. If it does, the corresponding policy is deleted from the policy table in the learning machine's own independent memory area and the policy table in the SRAM memory is updated; if it does not, the policy corresponding to this flow state is adjusted, the policy tables in both the independent memory area and the SRAM memory are updated, and the traffic filtering micromodule executes the adjusted policy. With this, the learning machine has completed one self-learning cycle.
In the above method, the flow limiting policies specifically comprise: a trusted user list with its corresponding state-based flow limiting policy, a list of users of unknown trust with their corresponding stateless flow limiting policies, and a blacklist with its corresponding complete filtering policy.
The traffic filtering micromodule executes the state-based flow limiting policy as follows: based on the flow state information in the SRAM memory, it protects the normal communication of trusted users, protecting their interactive communication streams.
The traffic filtering micromodule executes the stateless flow limiting policy as follows: with the protection of system security as the premise, it applies the corresponding stateless selective limiting to users of unknown trust; that is, if the communication traffic generated by a user of unknown trust is within the reasonable tolerance range of the system's storage capacity, no limiting is applied, otherwise partial or complete limiting is applied.
The traffic filtering micromodule executes the complete filtering policy as follows: as long as the communicating user belongs to the blacklist, its communication stream is limited completely, so that the security threat it poses is isolated entirely outside the system.
Corresponding to the specific content of the above flow limiting policies, the execution by the traffic filtering micromodule in step d of the policies in the flow limiting policy table of the SRAM memory proceeds concretely as follows:
For each received network packet, first extract its header information to identify the user it belongs to, then decide whether to limit it;
First judge whether the user belongs to the blacklist; if so, execute the complete filtering policy to limit it. If not, judge whether it is a user of unknown trust; if so, apply the stateless flow limiting policy to limit it. If the user belongs neither to the blacklist nor to the users of unknown trust, judge whether it is a trusted user; if so, execute the state-based flow limiting policy.
In the above method, the flow limiting policy table of the SRAM memory comprises a unary policy table and a ternary policy table; the unary policy table stores the trusted user list with the state-based policy and the blacklist with the complete filtering policy; the ternary policy table stores the list of users of unknown trust with the stateless flow limiting policies.
Compared with the prior art, the invention has the following advantages: it continually adjusts the flow limiting policy on the basis of flow state and performs flow limiting so as to arrive at a stable policy, which not only guarantees the stability of the system but also guarantees QoS, remedying the defects of the prior art well; on the other hand, it adopts the self-learning principle of the learning machine, which gives this flow limiting method adaptivity and intelligence; finally, it is developed on the high-speed network processor IXP2850, which not only shortens the development cycle but also gives full play to the high-speed performance of the network processor, so that the method can be applied in high-speed network environments.
Description of drawings
Figure 1 is the system block diagram of the flow limiting system based on a network processor of the present invention;
Figure 2 is the flow chart of the flow limiting method implemented in the system shown in Figure 1;
Figure 3 is a schematic diagram of the self-learning process of the learning machine in the system shown in Figure 1.
Embodiment
The present invention is further elaborated below in conjunction with the embodiments and the drawings, but the embodiments of the present invention are not limited to these.
As shown in Figure 1, a flow limiting system based on a network processor comprises a network processor and a host computer; the network processor is connected to a DRAM memory and an SRAM memory.
The DRAM memory is used to store raw packet information, including source address, destination address, source port number, destination port number, protocol type and packet size; the SRAM memory is used to store flow state information and the flow limiting policy table, where the flow state information includes flow size and time.
In hardware, the network processor consists of a microengine cluster, the Xscale Core and the MSF switching fabric.
In software, the network processor comprises the MSF switching fabric, the flow sniffing micromodule, the traffic filtering micromodule, the learning machine and the Xscale management interface. The flow sniffing micromodule and the traffic filtering micromodule reside in the microengine cluster, and the Xscale management interface and the learning machine reside in the Xscale Core.
The MSF switching fabric is connected to the external network and is responsible for connecting the outside network with the high-speed network processor IXP2850; network data flows into and out of the IXP2850 through the MSF switching fabric. Specifically, it is used to receive network packets and deposit the raw packet information in the DRAM memory.
The flow sniffing micromodule is the supervisor of policy execution: by sniffing the flow before and after a flow limiting policy is executed, it exposes the concrete effect of the limiting and thereby lets the learning machine decide on appropriate policy adjustments. Specifically, it reads the raw packet information in the DRAM memory, performs flow sniffing, derives the corresponding flow state information, deposits it in the SRAM memory and uploads it to the learning machine.
The traffic filtering micromodule is the executor of the flow limiting policy; it executes the policies in the flow limiting policy table of the SRAM memory and controls the MSF switching fabric to perform the limiting.
The learning machine is responsible for issuing flow limiting policies and for the feedback on policy execution. It learns in real time from the raw packet information in the DRAM memory and its corresponding flow state information in order to adjust the corresponding flow limiting policy, updates the adjusted policy into the flow limiting policy table of the SRAM memory, and feeds the information about the policy adjustment back to the host computer through the Xscale management interface.
The Xscale management interface is used to implement communication between the learning machine and the host computer.
As for the connections, the MSF switching fabric and the DRAM memory, the flow sniffing micromodule and the DRAM memory, the flow sniffing micromodule and the SRAM memory, the MSF switching fabric and the traffic filtering micromodule, and the Xscale management interface and the host computer are all connected via a PCI bus and communicate with each other, which effectively raises the processing speed of the network processor and the communication speed between the network processor and the host computer.
The learning machine is connected to the DRAM memory, the SRAM memory, the flow sniffing micromodule, the traffic filtering micromodule and the Xscale management interface through the learning machine's on-chip bus.
To better realize the invention, the network processor adopted is Intel's second-generation network processor IXP2850. Compared with the first generation, it takes the statistical properties of network data flows fully and comprehensively into account and adopts corresponding hardware accelerators and software techniques, which greatly improve the processing speed of network packets and considerably shorten the development cycle of network applications.
The host computer is provided with a user interface that offers a friendly interactive mode with the Xscale management interface. The Xscale management interface communicates with the host computer using the socket communication protocol, both to return the learning machine's policy-adjustment feedback to the host computer and to let the host computer issue the predetermined flow limiting policy to the learning machine, which is likewise done over sockets through the user interface.
As shown in Figure 2, the flow limiting method of the above flow limiting system is as follows:
a. Initialize the system: the host computer formulates the initial flow limiting policies, namely the trusted user list with its state-based flow limiting policy, the list of users of unknown trust with their stateless flow limiting policies, and the blacklist with its complete filtering policy; the host computer issues the predetermined policies to the learning machine through the Xscale management interface, and the learning machine deposits them in the flow limiting policy table of the SRAM memory. Initialization also includes the host computer loading the program code into the network processor, and connecting the network processor to an external network, such as a local area network (LAN), so that the system can obtain real-time network data.
b. The raw information of the network packets entering the system through the MSF switching fabric is deposited in the DRAM memory; the information to be stored includes source IP address, destination IP address, source port (if any), destination port (if any), protocol type and interaction state (if any). This collection is done by the MSF switching fabric.
c. The flow sniffing micromodule in the microengine reads the raw packet information in the DRAM memory in real time and performs flow sniffing, derives the corresponding flow state information, deposits it in the SRAM memory and uploads it to the learning machine. The flow state information to be obtained includes source IP address, destination IP address, destination port (if any), protocol type, flow size and time point. Because the microengine frequency of the IXP2850 network processor reaches 1400 MHz, it can satisfy the processing requirement for a 1 Gbit/s network flow.
d. The learning machine learns in real time from the raw packet information in the DRAM memory and its corresponding flow state information, adjusts the corresponding flow limiting policy, updates the adjusted policy into the flow limiting policy table of the SRAM memory, and feeds the information about the policy adjustment back to the host computer through the Xscale management interface; the traffic filtering micromodule executes the flow limiting policies in the flow limiting policy table of the SRAM memory.
After the host computer in step a has issued the predetermined flow limiting policy to the learning machine through the Xscale management interface, the learning machine also places the predetermined policy in a flow limiting policy table in its own independent memory area; after the learning machine in step d has adjusted the corresponding flow limiting policy, it also updates the adjusted policy into the policy table in that independent memory area, so that the independent memory area is kept up to date and the learning machine can consult the flow limiting policy quickly.
The traffic filtering micromodule executes the state-based flow limiting policy as follows: based on the flow state information in the SRAM memory, it protects the normal communication of trusted users, protecting their interactive communication streams.
The traffic filtering micromodule executes the stateless flow limiting policy as follows: with the protection of system security as the premise, it applies the corresponding stateless selective limiting to users of unknown trust; that is, if the communication traffic generated by a user of unknown trust is within the reasonable tolerance range of the system's storage capacity, no limiting is applied, otherwise partial or complete limiting is applied.
The traffic filtering micromodule executes the complete filtering policy as follows: as long as the communicating user belongs to the blacklist, its communication stream is limited completely, so that the security threat it poses is isolated entirely outside the system.
Corresponding to the specific content of the above flow limiting policies, the execution by the traffic filtering micromodule in step d of the policies in the flow limiting policy table of the SRAM memory proceeds concretely as follows:
For each received network packet, first extract its header information to identify the user it belongs to, then decide whether to limit it;
First judge whether the user belongs to the blacklist; if so, execute the complete filtering policy to limit it. If not, judge whether it is a user of unknown trust; if so, apply the stateless flow limiting policy, which concretely means consulting the policy table in the SRAM to see which kind of stateless selective filtering applies, such as limiting by 80%, limiting by 50%, or passing completely. If the user belongs neither to the blacklist nor to the users of unknown trust, judge whether it is a trusted user; if so, execute the state-based flow limiting policy, such as first protecting all of its ongoing interactions and then limiting by 50%, or always protecting all of its interactions without any filtering.
The flow limiting policy table of the SRAM memory comprises a unary policy table and a ternary policy table; the unary policy table stores the trusted user list with the state-based policy and the blacklist with the complete filtering policy; the ternary policy table stores the list of users of unknown trust with the stateless flow limiting policies.
As shown in Figure 3, step d, in which the learning machine learns in real time from the raw packet information in the DRAM memory and its corresponding flow state information, adjusts the corresponding flow limiting policy, updates the adjusted policy into the flow limiting policy table of the SRAM memory and feeds the adjustment information back to the host computer through the Xscale management interface, while the traffic filtering micromodule executes the flow limiting policies in the policy table of the SRAM memory, proceeds concretely as follows:
The learning machine parses the raw packet information in the DRAM memory, first extracting the packet header information to identify the user it belongs to, and then walks the flow limiting policy table in its own independent memory area for this user. If the user is not in the policy table, it reads the flow state information for this raw packet information as passed on by the flow sniffing micromodule and performs abnormal-flow analysis on that flow state information to decide whether the flow is abnormal. If the flow is normal, it is allowed to pass normally; if it is abnormal, the user is added to the policy table and associated with a concrete flow limiting policy, the policy table in the SRAM memory is updated at the same time, and the traffic filtering micromodule executes the corresponding policy from the policy table in the SRAM memory;
If the user is already in the policy table, the traffic filtering micromodule executes the corresponding policy from the policy table in the SRAM memory;
After the flow limiting policy has been executed, the flow sniffing micromodule performs flow sniffing again and passes the post-limiting flow state to the learning machine. The learning machine judges, according to the policy that corresponds to this flow state, whether the post-limiting flow state meets the target. If it does, the corresponding policy is deleted from the policy table in the learning machine's own independent memory area and the policy table in the SRAM memory is updated; if it does not, the policy corresponding to this flow state is adjusted, the policy tables in both the independent memory area and the SRAM memory are updated, and the traffic filtering micromodule executes the adjusted policy.
For example, suppose the flow limiting policy table contains a policy stating that the user with source IP address 16.6.0.8 is a user of unknown trust and that when its communication flow reaches 6M it must be limited to below 3M. According to this policy, the traffic filtering micromodule limits the communication of source IP 16.6.0.8, using the method of passing one packet and then dropping one. After a time interval T (whose length can be set according to specific requirements), its flow is sniffed and found to be still 4.5M, i.e. the target has not been reached, so the policy must be adjusted; it can be changed to pass only one of every three packets received. After another interval T, its flow is sniffed and found to have dropped to 2.5M, i.e. the target has been reached, and the feedback process is complete. The operation for the other two kinds of users is similar.
More than described particular device system and the method step realized according to principle of the present invention, but scope of the present invention is not limited only to this.All examples that drop in claims and the coordinate scope thereof are contained in the present invention.

Claims (9)

1. A flow-limiting system based on a network processor, characterized in that it comprises a network processor and a host computer; the network processor is connected to a DRAM memory used to store raw packet information and an SRAM memory used to store flow status information and a rate-limiting policy table; the network processor is provided with:
an MSF switching fabric connected to the external network, used to receive network packets and store their raw packet information in the DRAM memory;
a traffic-sniffing micromodule, used to read the raw packet information in the DRAM memory, sniff the traffic, derive the corresponding flow status information, store it in the SRAM memory and upload it to the learning machine;
a traffic-filtering micromodule, used to execute the rate-limiting policies in the rate-limiting policy table of the SRAM memory;
a learning machine, used to learn in real time the raw packet information in the DRAM memory and its corresponding flow status information in order to adjust the corresponding rate-limiting policy, to write the adjusted policy into the rate-limiting policy table of the SRAM memory, and to feed the adjustment information back to the host computer through the Xscale management interface;
an Xscale management interface, used to realize communication between the learning machine and the host computer.
2. The flow-limiting system based on a network processor according to claim 1, characterized in that: the network processor is the second-generation network processor IXP2850 of Intel Corporation; the MSF switching fabric and the DRAM memory, the traffic-sniffing micromodule and the DRAM memory, the traffic-sniffing micromodule and the SRAM memory, the MSF switching fabric and the traffic-filtering micromodule, and the Xscale management interface and the host computer are all connected by PCI bus; the learning machine is connected to the DRAM memory, the SRAM memory, the traffic-sniffing micromodule, the traffic-filtering micromodule and the Xscale management interface respectively by the chip-internal bus of the learning machine.
3. A flow-limiting method realized with the flow-limiting system based on a network processor according to claim 1, characterized by the following steps:
a. the host computer issues a predetermined rate-limiting policy to the learning machine through the Xscale management interface, and the learning machine stores this predetermined policy in the rate-limiting policy table of the SRAM memory;
b. the MSF switching fabric receives network packets and stores their raw packet information in the DRAM memory;
c. the traffic-sniffing micromodule reads the raw packet information in the DRAM memory in real time, sniffs the traffic, derives the corresponding flow status information, stores it in the SRAM memory and uploads it to the learning machine;
d. the learning machine learns in real time the raw packet information in the DRAM memory and its corresponding flow status information, adjusts the corresponding rate-limiting policy, writes the adjusted policy into the rate-limiting policy table of the SRAM memory, and feeds the adjustment information back to the host computer through the Xscale management interface; the traffic-filtering micromodule executes the rate-limiting policies in the rate-limiting policy table of the SRAM memory.
4. The flow-limiting method based on a network processor according to claim 3, characterized in that: after the host computer in step a issues the predetermined rate-limiting policy to the learning machine through the Xscale management interface, the learning machine also places the predetermined policy in the rate-limiting policy table of its own private memory area; after the learning machine in step d adjusts the corresponding rate-limiting policy, it also writes the adjusted policy into the rate-limiting policy table of its own private memory area.
5. The flow-limiting method based on a network processor according to claim 3, characterized in that: the host computer is provided with a user interface; the Xscale management interface communicates with the host computer using a socket communication protocol, over which the learning machine's feedback information on rate-limiting policy adjustments is delivered to the host computer; and the host computer likewise issues predetermined rate-limiting policies to the learning machine through the user interface using the socket communication protocol.
6. The flow-limiting method based on a network processor according to claim 3, characterized in that: in step d the learning machine learns in real time the raw packet information in the DRAM memory and its corresponding flow status information, adjusts the corresponding rate-limiting policy, writes the adjusted policy into the rate-limiting policy table of the SRAM memory, and feeds the adjustment information back to the host computer through the Xscale management interface; the traffic-filtering micromodule executes the rate-limiting policies in the rate-limiting policy table of the SRAM memory, and the concrete operations are:
the learning machine parses the raw packet information in the DRAM memory, first extracting the packet header to identify the user it belongs to, then walks the rate-limiting policy table in its own private memory area for that user; if the user is not in the policy table, it reads the flow status information for that packet delivered by the traffic-sniffing micromodule and performs anomaly analysis on it to decide whether the traffic is abnormal; normal traffic is allowed through unchanged, while for abnormal traffic the user is added to the policy table and associated with a concrete rate-limiting policy, the policy table in the SRAM memory is updated at the same time, and the traffic-filtering micromodule executes the corresponding policy from the policy table in the SRAM memory;
if the user is already in the policy table, the traffic-filtering micromodule executes the corresponding policy from the policy table in the SRAM memory;
after the rate-limiting policy has been applied, the traffic-sniffing micromodule sniffs again and passes the post-limiting flow status to the learning machine, which judges, against the policy that corresponds to that flow status, whether the post-limiting flow meets the target; if it does, the corresponding policy is deleted from the policy table in the learning machine's own memory area and the policy table in the SRAM memory is updated; if it does not, the policy for that flow status is adjusted, the learning machine's own table and the SRAM table are both updated, and the traffic-filtering micromodule executes the adjusted policy.
7. The flow-limiting method based on a network processor according to claim 3, characterized in that: the rate-limiting policies specifically comprise: the trusted-user list with its corresponding stateful rate-limiting policy, the list of users of unknown trust relationship with its corresponding stateless rate-limiting policy, and the blacklist with its corresponding complete-filtering policy.
8. The flow-limiting method based on a network processor according to claim 7, characterized in that: the traffic-filtering micromodule executes the stateful rate-limiting policy as follows: based on the flow status information in the SRAM memory it protects the legitimate communication of trusted users, protecting their interactive communication streams;
the traffic-filtering micromodule executes the stateless rate-limiting policy as follows: with protection of system security as the premise, it applies corresponding stateless selective rate limiting to users of unknown trust relationship, that is, if the communication traffic generated by a user of unknown trust relationship is within the reasonable tolerance range of the system's storage capacity, no limiting is applied, otherwise partial or complete limiting is applied;
the traffic-filtering micromodule executes the complete-filtering policy as follows: as long as the communicating user belongs to the blacklist, its communication stream is completely restricted, isolating the security threat it brings entirely outside the system.
9. The flow-limiting method based on a network processor according to claim 7, characterized in that: the traffic-filtering micromodule in step d executes the rate-limiting policies in the rate-limiting policy table of the SRAM memory, and the concrete operations of this limiting are:
for each received network packet, first extract its header information to identify the user it belongs to, then judge whether it needs to be limited;
judge whether that user belongs to the blacklist; if so, execute the complete-filtering policy to limit it; if not, judge whether it is a user of unknown trust relationship, and if so apply the stateless rate-limiting policy; if it belongs neither to the blacklist nor to the users of unknown trust relationship, judge whether it is a trusted user, and if so execute the stateful rate-limiting policy.
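The following is an added example, not code from the patent or its authors, that simulates the three-class filtering order of claims 7 to 9 together with the learning-machine feedback loop of the description's 16.6.0.8 example. It assumes equal-sized packets, a stateless limiter that forwards one packet of every N, a learning machine that tightens N by one step per interval T and deletes the entry once the sniffed rate is at or under the target, and a `tracked_flow` flag standing in for the stateful check on trusted users; the per-interval offered load is constructed so the run reproduces the 6M, 4.5M and 2.5M figures from the description.

```python
"""Simulation of the three-class rate limiter and its learning-machine feedback loop.

Added example; the class names, the pass-1-of-N limiter and the offered-load
series below are assumptions, not taken from the patent.
"""
from dataclasses import dataclass

# The three user classes of claim 7 and the policy each one carries.
BLACKLIST, UNKNOWN, TRUSTED = "blacklist", "unknown", "trusted"


@dataclass
class Policy:
    kind: str
    target_mbps: float = 0.0  # UNKNOWN only: rate the limiter must bring the user under
    pass_every: int = 1       # UNKNOWN only: forward 1 packet out of every pass_every
    seen: int = 0             # per-user packet counter kept by the filtering micromodule


def filter_packet(table, src_ip, tracked_flow=True):
    """Traffic-filtering micromodule: decide one packet in the order of claim 9.

    `tracked_flow` stands in for the stateful check on a trusted user's packet
    (assumption: the page only says established communication streams are
    protected). Returns True when the packet is forwarded, False when dropped.
    """
    pol = table.get(src_ip)
    if pol is None:
        return True                      # not in the table: forward; the learning machine decides later
    if pol.kind == BLACKLIST:
        return False                     # complete-filtering policy
    if pol.kind == TRUSTED:
        return tracked_flow              # stateful policy: protect the tracked flow
    pol.seen += 1                        # stateless policy: forward 1 of every pass_every packets
    return (pol.seen - 1) % pol.pass_every == 0


def learn(table, src_ip, sniffed_mbps, anomaly_mbps, target_mbps):
    """Learning-machine step for one user after the sniffer reports its rate (step d).

    Adds a policy for an abnormal user not yet in the table, deletes the policy
    once the limited rate meets the target, otherwise tightens it by one more
    dropped packet per forwarded packet. Returns a short label of the action.
    """
    pol = table.get(src_ip)
    if pol is None:
        if sniffed_mbps < anomaly_mbps:
            return "normal"
        table[src_ip] = Policy(UNKNOWN, target_mbps, pass_every=2)  # forward 1, drop 1
        return "added pass_every=2"
    if pol.kind != UNKNOWN:
        return "unchanged"
    if sniffed_mbps <= pol.target_mbps:
        del table[src_ip]                # up to standard: entry removed from the table
        return "deleted"
    pol.pass_every += 1                  # not up to standard: tighten the limiter
    return f"tightened pass_every={pol.pass_every}"


def run_interval(table, src_ip, offered_mbps, packet_mbit=0.1):
    """Push one interval T of traffic through the filter; return the rate that passed.

    Packets are modelled as equal 0.1 Mbit units (constructed simplification),
    so the sniffed rate is just the count of forwarded packets times their size.
    """
    n = round(offered_mbps / packet_mbit)
    forwarded = sum(filter_packet(table, src_ip) for _ in range(n))
    return round(forwarded * packet_mbit, 1)


def simulate(offered_per_interval, src_ip="16.6.0.8", anomaly_mbps=6.0, target_mbps=3.0):
    """Run filter and learning machine over successive intervals T.

    Returns a trace of (sniffed_mbps_after_this_interval, learning_action).
    """
    table = {}
    trace = []
    for offered in offered_per_interval:
        passed = run_interval(table, src_ip, offered)
        trace.append((passed, learn(table, src_ip, passed, anomaly_mbps, target_mbps)))
    return trace


if __name__ == "__main__":
    # Constructed offered load per interval, chosen so the run reproduces the
    # description: 6M seen, 4.5M after forward-1-drop-1, 2.5M after forward-1-of-3.
    for step in simulate([6.0, 9.0, 7.5]):
        print(step)
```

The trace shows the limiter converging in three intervals: the user is first seen at 6M and entered with a forward-1-drop-1 policy, the next interval still sniffs 4.5M so the policy is tightened to forward 1 of 3, and the interval after that sniffs 2.5M and the entry is deleted. Note that deletion returns the user to the unlimited path, so a source that resumes flooding is re-added on the next anomalous interval.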
CN2010101045514A 2010-01-29 2010-01-29 Flow limit system and method thereof based on network processor Expired - Fee Related CN101800698B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101045514A CN101800698B (en) 2010-01-29 2010-01-29 Flow limit system and method thereof based on network processor

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010101045514A CN101800698B (en) 2010-01-29 2010-01-29 Flow limit system and method thereof based on network processor

Publications (2)

Publication Number Publication Date
CN101800698A true CN101800698A (en) 2010-08-11
CN101800698B CN101800698B (en) 2012-02-01

Family

ID=42596200

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010101045514A Expired - Fee Related CN101800698B (en) 2010-01-29 2010-01-29 Flow limit system and method thereof based on network processor

Country Status (1)

Country Link
CN (1) CN101800698B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108306780A (en) * 2017-09-07 2018-07-20 上海金融期货信息技术有限公司 A kind of system and method for the virtual machine communication quality self-optimizing based on cloud environment
CN109413122A (en) * 2017-08-16 2019-03-01 深圳市中兴微电子技术有限公司 Data processing method, network processor and computer storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1324840C (en) * 2003-06-18 2007-07-04 中兴通讯股份有限公司 A method for performing speed limiting on data traffic by network processor
CN101193061B (en) * 2006-12-14 2011-07-13 中兴通讯股份有限公司 Multi-Qos-based traffic control method

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109413122A (en) * 2017-08-16 2019-03-01 深圳市中兴微电子技术有限公司 Data processing method, network processor and computer storage medium
CN109413122B (en) * 2017-08-16 2022-05-13 深圳市中兴微电子技术有限公司 Data processing method, network processor and computer storage medium
CN108306780A (en) * 2017-09-07 2018-07-20 上海金融期货信息技术有限公司 A kind of system and method for the virtual machine communication quality self-optimizing based on cloud environment
CN108306780B (en) * 2017-09-07 2021-07-20 上海金融期货信息技术有限公司 Cloud environment-based virtual machine communication quality self-optimization system and method

Also Published As

Publication number Publication date
CN101800698B (en) 2012-02-01

Similar Documents

Publication Publication Date Title
CN101873640B (en) Flow processing method, device and mobile terminal
CN106464577B (en) Network system, control device, communication device and communication control method
CN104079492B (en) The methods, devices and systems that flow table is configured in a kind of OpenFlow networks
CN104685507B (en) Virtual secure device architecture is provided to virtual cloud foundation structure
CN103534989B (en) Flow control based on priority in distributed frame agreement (DFP) exchange network framework
CN100559775C (en) The parallel data link layer controllers of the network switching equipment
CN101431449B (en) Network flux cleaning system
CN1875585B (en) Dynamic unknown L2 flooding control with MAC limits
CN105871811B (en) Control the method and controller of application program permission
CN105812340B (en) A kind of method and apparatus of virtual network access outer net
CN103348635B (en) Network system, control unit and optimum route control method
CN104320278B (en) Wide Area Network implementation method and equipment based on software defined network SDN
CN102474444B (en) A method of limiting the amount of network traffic reaching a local node operating according to an industrial Ethernet protocol
US20200296624A1 (en) Frame aggregation method, network setting frame sending method, and device
CN105282191B (en) SiteServer LBS, controller and method
CN105245555B (en) One kind is used for electric power serial server communication protocol security protection system
Huang et al. Software-defined QoS provisioning for fog computing advanced wireless sensor networks
CN103152282A (en) Single logical network interface for advanced load balancing and fail-over functionality
CN103763154A (en) Network flow detection method
CN102904730A (en) Intelligent acceleration network card capable of filtering and picking traffic according to protocol, port and IP address
CN102904729A (en) Intelligent boost network card supporting multiple applications according to protocol and port shunt
CN109271793A (en) Internet of Things cloud platform device class recognition methods and system
CN105991441B (en) The method and apparatus that route forwarding table is issued to BGP Route Selection
CN104410581A (en) Configuration information design and information extraction of AFDX (Avionics Full Duplex Switched Ethernet) network
CN103997439A (en) Flow monitoring method, device and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120201

Termination date: 20220129