CN101815015B - Network flow quick security check engine facing content - Google Patents


Publication number
CN101815015B
Authority
CN
China
Prior art keywords
content
flow
characteristic
detection
network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN2010101116454A
Other languages
Chinese (zh)
Other versions
CN101815015A (en
Inventor
苗再良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Communication Information System Co Ltd
Original Assignee
Inspur Communication Information System Co Ltd
Application filed by Inspur Communication Information System Co Ltd
Priority to CN2010101116454A
Publication of CN101815015A
Application granted
Publication of CN101815015B

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a content-oriented network flow quick security check engine. The system is composed of four subsystems: network flow feature detection; pipelined deep detection and processing of network content; statistical analysis of harmful-content flow traces; and a flow feature and content feature repository (feature control registers). It works as follows: the external features of a flow are detected, the flow is classified and handled according to policy, and a pipelined detection and processing stage quickly detects and identifies passing traffic on the basis of the preset feature repository. The pipeline is divided by function: the stages process efficiently on their own and also have a related combined function. A specially designed flow trace analyzer lets the system keep accumulating qualitative feature information, giving it a self-learning function so that performance improves continuously. The invention has wide application prospects and good practical value.

Description

Content-oriented network flow quick security check engine
Technical field
The present invention relates to a content-aware network traffic detection technique, and specifically to a content-oriented network flow quick security check engine.
Background
Network security has long been the biggest obstacle to network and information applications. The industry has continually developed security tools such as firewalls, intrusion detection, IPS, anti-virus, anti-Trojan and anti-phishing, and these have achieved fairly good results; but for every advance in defense the threat advances further: harmful software is constantly updated, mutated and evolved, and the problem keeps getting worse. Meanwhile, as network bandwidth keeps increasing and network size and user base keep expanding, network traffic is growing explosively, so existing security tools fall short on performance and struggle to cope.
More seriously, compared with traditional network attacks such as hacking, viruses and Trojans, insecure content is more destructive to people and to society. Pornographic information, pornographic audio and video, pornographic games, material promoting sex and violence, online fraud, online gambling, harmful propaganda and the like seriously affect social security, national security, family safety and personal health. Unfortunately, tools for controlling and handling such harmful network content are very limited; current practical products are still at a very early stage of development, with fairly simple functionality and very low performance.
To solve the functional and performance bottlenecks of network security tools, besides developing stronger and more efficient algorithms, the main approach is to apply artificial intelligence and to implement software systems in hardware. The present invention is research and practice in this direction: it classifies traffic by policy-based feature recognition and, on that basis, applies pipelined recognition of multimedia semantic features, achieving fast detection of network traffic and deep identification of its content.
Summary of the invention
The purpose of the present invention is to provide a content-oriented network flow quick security check engine.
The purpose is achieved as follows. The engine consists of four major subsystems: network flow feature detection; pipelined deep detection and processing of network content; statistical analysis of harmful-content flow traces; and the flow feature and content feature repository (feature control registers).
The main working steps are as follows:
Network traffic is input to the buffer of the flow/packet detection subsystem. The detector matches flows and packets against the various feature segments in the feature register simultaneously (it mainly checks format and type attributes and does not inspect payload content) and divides what it detects into three classes: safe and trusted, abnormal and harmful, and uncertain. Then, according to the processing policy in the policy controller, abnormal and harmful flows/packets are discarded into the dustbin, safe and trusted ones are sent directly to the green direct channel, and uncertain ones are sent to the deep content detection and processing subsystem.
(1) The content detection and processing subsystem first stores uncertain content in the detection input buffer; the content is examined and identified by the text detector, voice detector, image detector and correlation detector, and is then transferred to the information filtering buffer.
(2) In the information filtering buffer, the text filter, sound filter and image filter filter the flows/packets according to the identification information sent by the preceding detectors: harmful content is dropped into the dustbin and good content is sent to the flow synthesizer.
(3) The flow synthesizer merges the information on the green channel with the good information that has passed filtering into a "safe and trusted" green flow and delivers it to the downstream network.
(4) The content feature control register stores the semantic feature control segments of various kinds of harmful content (there are many such feature segments); the detectors and filters on the content detection and filtering pipeline use them as the basis for processing network flows.
(5) The flow feature control register stores a series of pattern information (feature segments) and policy control information about the security features of all kinds of websites, flows and packets, and delivers them to the feature register and the policy controller of the flow/packet detection subsystem to control the processing of network traffic.
(6) The anomaly trace statistical analysis subsystem receives the security identification information for the various flows sent by each content detector, for example the health grade of content in traffic from a certain website or URL (message address). After statistical analysis over a period of time it judges the safety or health index of each class of flow; when a preset threshold is exceeded it sends a corresponding report. The report receiver can be a back-end administrator, or the feature control registers and the policy controller, and the receiver corrects its control information accordingly.
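The working steps above (three-way triage on header attributes, deep inspection of the uncertain class only, and threshold-driven feedback into the flow feature register) as a minimal software model. This is an added illustration, not code from the patent: the class and field names, the sample feature segments, the 0.5 threshold and the three-sample minimum are assumptions, only a text detector is modelled, and the traffic is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

TRUSTED, HARMFUL, UNCERTAIN = "trusted", "harmful", "uncertain"

@dataclass
class Packet:
    src: str      # website / URL the flow comes from
    ctype: str    # declared content type (a format/type attribute)
    payload: str  # body; only the deep-inspection stage reads it

class Engine:
    def __init__(self, threshold=0.5, min_samples=3):
        # Flow feature control register: header-level patterns only (assumed values).
        self.flow_features = {"trusted_src": {"intranet.example"},
                              "harmful_src": set(),
                              "harmful_ctype": {"application/x-msdownload"}}
        # Content feature control register: semantic feature segments (assumed values).
        self.content_features = {"casino bonus", "wire the fee"}
        self.threshold, self.min_samples = threshold, min_samples
        self.stats = defaultdict(lambda: [0, 0])  # src -> [harmful, total]
        self.bin, self.green, self.reports = [], [], []
        self.deep_inspected = 0

    def classify_flow(self, p):
        """Stage 1: match format/type attributes; the payload is not read."""
        f = self.flow_features
        if p.src in f["harmful_src"] or p.ctype in f["harmful_ctype"]:
            return HARMFUL
        if p.src in f["trusted_src"]:
            return TRUSTED
        return UNCERTAIN

    def detect_content(self, p):
        """Stage 2 detector (text only here): True if a feature segment matches."""
        self.deep_inspected += 1
        return any(seg in p.payload.lower() for seg in self.content_features)

    def record_trace(self, src, harmful):
        """Trace analyzer: per-source harmful ratio with threshold feedback."""
        s = self.stats[src]
        s[0], s[1] = s[0] + harmful, s[1] + 1
        if s[1] >= self.min_samples and s[0] / s[1] > self.threshold:
            self.flow_features["harmful_src"].add(src)  # correct the register
            self.reports.append(src)                    # report to the administrator

    def process(self, p):
        verdict = self.classify_flow(p)
        if verdict == UNCERTAIN:  # only this class pays for deep inspection
            harmful = self.detect_content(p)
            self.record_trace(p.src, harmful)
            verdict = HARMFUL if harmful else TRUSTED
        (self.bin if verdict == HARMFUL else self.green).append(p)
        return verdict

def run_demo():
    # Constructed sample traffic; all hosts and payloads are made up.
    eng = Engine()
    traffic = [
        Packet("intranet.example", "text/html", "quarterly report"),
        Packet("files.example", "application/x-msdownload", "MZ..."),
        Packet("spam.example", "text/html", "Claim your CASINO BONUS now"),
        Packet("spam.example", "text/html", "Please wire the fee today"),
        Packet("spam.example", "text/html", "casino bonus inside"),
        Packet("spam.example", "text/html", "harmless-looking text"),
        Packet("news.example", "text/html", "weather update"),
    ]
    return eng, [eng.process(p) for p in traffic]
```

In `run_demo()` the sixth packet is dropped at stage 1 without its payload being read, because the analyzer has already added its source to the flow feature register; the same feedback is where a badly chosen threshold would turn into over-blocking.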
The beneficial effects of the present invention are as follows:
(1) Flow security detection and content detection and filtering are integrated into one architecture, which improves cooperation between the two, removes many coupling steps between them, and effectively raises processing speed and lowers implementation cost;
(2) By applying policy-based classification to traffic, the flow/packet detector greatly reduces the volume that subsequent content detection must handle, substantially raising content processing speed;
(3) The content detection and processing structure, based on feed-forward pipelining, makes the operation of each media-dimension detector fast and simple, and particularly suited to large-scale parallel vector or matrix operations; detection results are delivered to the content filter ahead of the inspected packets, which effectively speeds up packet processing;
(4) The feature control registers make control structurally independent of operation, so the system can continuously evolve, expand and upgrade, and be flexibly configured;
(5) The anomaly trace analysis function gives the engine a continuous self-learning capability, which helps keep improving the effect and efficiency of detection and identification.
Description of drawings
Figure 1 is a structural diagram of the content-oriented network flow quick security check engine.
Detailed description of the embodiments
The content-oriented network flow quick security check engine of the present invention is described in detail below with reference to the accompanying drawing.
A network traffic detection and processing system based on the present invention can implement the network flow monitoring function and the harmful-content detection and filtering function efficiently in a unified way, and can multiply processing efficiency at relatively low cost. In particular, as research on network traffic content identification deepens and better algorithms are proposed, the system can be upgraded and extended continuously, so that flow detection and content filtering can be kept at the desired level of effectiveness. Such a system is particularly suitable for large and medium-sized communication networks, large and medium-sized enterprise and institutional networks, large and medium-sized Internet nodes, large network security detection centers, large Internet cafes, and places with high performance requirements that are sensitive to harmful content; the invention therefore has wide application prospects and good practical value.
Embodiment
A network traffic detection and content filtering engine or system based on the present invention can be implemented in host-based software, or in hardware using very-large-scale integrated circuits (such as ASIC or FPGA). The latter is the main direction of development; the method and points to note for a concrete implementation are as follows:
(1) The subsystems are preferably implemented on the same chip; in particular the flow detector, content detection and filtering, and the feature control registers should be placed as close together on the same chip as possible to guarantee high-speed operation;
(2) The feature control register stores flow/packet feature control fields, and the number of these fields may be very large. If it is too large (for example more than several tens of thousands), the feature control register can be split into two parts: one on the chip where the detectors/filters are located and the other on a separate chip (particularly for relatively rarely used feature segments and those with relatively loose processing-time requirements);
(3) The anomaly trace analysis subsystem should also be placed on the same chip where possible, because this module has many input and output signal lines and placing it off-chip is inconvenient;
(4) The dustbin is generally placed off-chip. Once the system has matured and traffic detection and processing have become very accurate, the dustbin can be removed;
(5) The flow synthesizer is fairly simple and occupies few on-chip resources, so it should be placed on-chip where possible;
(6) Other parts of the system, such as power supply, network interfaces, debug/monitoring interfaces and management software, can follow the practice of mature network equipment.

Claims (1)

1. A content-oriented network flow quick security check system, characterized in that it comprises four major subsystems: flow/packet detection; pipelined deep detection and processing of network content; anomaly trace statistical analysis; and the flow feature and content feature control registers, wherein:
The flow/packet detection subsystem comprises an input buffer, a policy controller and a feature register. It matches flows and packets against the various feature segments in the feature register simultaneously and divides what it detects into three classes: safe and trusted, abnormal and harmful, and uncertain. Then, according to the processing policy in the policy controller, abnormal and harmful flows/packets are discarded into the dustbin, safe and trusted ones are sent directly to the green direct channel, and uncertain ones are sent to the pipelined deep detection and processing subsystem for network content;
The pipelined deep detection and processing subsystem for network content first stores uncertain content in the detection input buffer; the content is examined and identified by the text detector, voice detector, image detector and correlation detector, and is then transferred to the information filtering buffer. In the information filtering buffer, the text filter, sound filter and image filter filter the flows/packets according to the identification information sent by the preceding detectors: harmful content is dropped into the dustbin and good content is sent to the flow synthesizer. The flow synthesizer merges the information on the green channel with the good information that has passed filtering into a "safe and trusted" green flow and delivers it to the downstream network;
The flow feature and content feature control register subsystem comprises a content feature control register and a flow feature control register. The content feature control register stores the semantic feature control segments of various kinds of harmful content, which each detector or filter on the content detection and filtering pipeline uses as the basis for processing network flows. The flow feature control register stores a series of pattern information and policy control information about the security features of all kinds of websites, flows and packets, and delivers them to the feature register and the policy controller of the flow/packet detection subsystem to control the processing of network traffic;
The anomaly trace statistical analysis subsystem receives the security identification information for the various flows sent by each content detector, including the health grade of content in traffic from a certain website or URL. After statistical analysis over a period of time it judges the safety or health index of each class of flow; when a preset threshold is exceeded it sends a corresponding report. The report receiver is a back-end administrator, or the feature control registers and the policy controller, and the receiver corrects its control information accordingly.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101116454A CN101815015B (en) 2010-02-22 2010-02-22 Network flow quick security check engine facing content

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010101116454A CN101815015B (en) 2010-02-22 2010-02-22 Network flow quick security check engine facing content

Publications (2)

Publication Number Publication Date
CN101815015A CN101815015A (en) 2010-08-25
CN101815015B true CN101815015B (en) 2012-04-25

Family

ID=42622138

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010101116454A Active CN101815015B (en) 2010-02-22 2010-02-22 Network flow quick security check engine facing content

Country Status (1)

Country Link
CN (1) CN101815015B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102164129A (en) * 2011-03-19 2011-08-24 东北电力大学 Linkage method for firewall and intrusion-detection system
CN102594819B (en) * 2012-02-16 2016-04-06 深信服网络科技(深圳)有限公司 The method and apparatus of scanning is resolved based on single
CN103580950A (en) * 2012-12-27 2014-02-12 哈尔滨安天科技股份有限公司 Detection method and system combining real-time detection and asynchronous detection
CN111651658A (en) * 2020-06-05 2020-09-11 杭州安恒信息技术股份有限公司 Method and computer equipment for automatically identifying website based on deep learning
CN114584516A (en) * 2022-01-26 2022-06-03 国网思极紫光(青岛)微电子科技有限公司 Ethernet MAC controller and method for receiving data thereof

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101350781A (en) * 2008-07-31 2009-01-21 成都市华为赛门铁克科技有限公司 Method, equipment and system for monitoring flux

Also Published As

Publication number Publication date
CN101815015A (en) 2010-08-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 250100 Ji'nan high tech Zone, Shandong, No. 1036 wave road

Patentee after: Tianyuan Communication Information System Co., Ltd.

Address before: 250014 Shandong Province, Lixia District of Ji'nan City Kiln Road No. 224

Patentee before: Langchao Communication Information System Co., Ltd.

CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 250100 S06 tower, 1036, Chao Lu Road, hi tech Zone, Ji'nan, Shandong.

Patentee after: INSPUR COMMUNICATION AND INFORMATION SYSTEM Co.,Ltd.

Address before: No. 1036, Shandong high tech Zone wave road, Ji'nan, Shandong

Patentee before: INSPUR TIANYUAN COMMUNICATION INFORMATION SYSTEM Co.,Ltd.