CN103746919A - Method for quickly classifying network packets through combining multi-way decision tree and Hash tables - Google Patents
Method for quickly classifying network packets through combining multi-way decision tree and Hash tables Download PDFInfo
- Publication number
- CN103746919A CN103746919A CN201410015602.4A CN201410015602A CN103746919A CN 103746919 A CN103746919 A CN 103746919A CN 201410015602 A CN201410015602 A CN 201410015602A CN 103746919 A CN103746919 A CN 103746919A
- Authority
- CN
- China
- Prior art keywords
- tree
- splay
- hash table
- network
- hash
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The invention relates to the technical field of network packet classification and particularly relates to a method for quickly classifying network packets through combining a multi-way decision tree and Hash tables. According to the method for quickly classifying the network packets through combining the multi-way decision tree and the Hash tables, provided by the invention, rules of the network packets are rapidly positioned by adopting a Splay multi-way decision tree and Hash table combined method; according to the network packet classifying method, the network packets are subjected to protocol judgment firstly, Hash tables for protocols, such as a TCP (Transmission Control Protocol), a UDP (User Datagram Protocol) and an ICMP (Internet Control Message Protocol), are established respectively and are calculated according to the address and port of an IP (Internet Protocol), corresponding Splay stretch-tree nodes are traversed after corresponding Hash table values are found, agreeable rules are searched for, and Splay stretch trees have the characteristic that recently-accessed nodes are Root nodes, so that the packet classifying speed can be better increased.
Description
Technical field
The present invention relates to classifying network packet technical field, particularly a kind of combination multichannel decision tree and Hash table carry out the method for network packet Fast Classification.
Background technology
In today of network application fast development, the application such as data center, P2P, Video Applications and ecommerce is universal gradually.Network adapter speed improves constantly, and 100,000,000, the network interface card speed of gigabit has higher requirement to network security product.Network security product comprises as performance measurement indexs such as gateways: the resource cost rate of throughput and message repeating rate, concurrent connection number, system etc.The efficiency of packet classification algorithm directly determines the size of throughput.
Existing classifying network packet algorithm, comprises two points of Trie trees, the binary search algorithm based on prefix, RFC algorithm and Hash (HASH) table algorithms etc., at time complexity and space complexity, cuts both ways.The packet classification that can be used for IPv4 and IPv6 dual stack has RFC algorithm and HASH algorithm etc.IPv6 address has been increased to 128, and rule searching algorithm is needed to time and the Geng Duo memory spaces searched more.RFC algorithm classification speed is fast, memory space is relevant to dimension.EMS memory occupation amount is many, parallel computation.IPv6 packet classification has the IPv6 packet classification of stream label.Based on Trie algorithm, at IPv6 environment, take too much internal memory, inapplicable.Network data wraps under multi-core environment, follows the principles as follows: the queue of a bag is just accessed by a core; A bag can only be by a core processing.
The evaluation index of algorithm has the renewal speed of a point speed packet, the memory space needing and rule etc.Also have extended capability whether to support IPv6 etc.Hash calculates and need to obtain network address classification according to former positions, IP address, according to the classification extraction network address, address part.Then at corresponding Hash table, search.
Summary of the invention
In order to solve the problem of prior art, the invention provides a kind of method that combination multichannel decision tree and Hash table carry out network packet Fast Classification, network packet adopts the quick locating rule of method of Splay multichannel decision tree and Hash table combination, the speed of raising bag classification that can be more.
The technical solution adopted in the present invention is as follows:
Combination multichannel decision tree and Hash table carry out a method for network packet Fast Classification, comprise the following steps:
First A, classifying network packet method do agreement judgement to packet, for different agreement, set up respectively Hash table;
B, Hash table calculate according to the address of IP agreement and port, then find corresponding Hash tabular value;
C, travel through corresponding Splay and stretch tree node, search the rule meeting, it is Root node that Splay stretches the node that tree has recent visit.
Network data packetization technique, refers under high speed network environment, sorting algorithm when network safety system is done high-rate fitration to packet, the technology of consideration Time & Space Complexity to better balance point.
Multichannel decision-making refers to the judgement of network data packet protocol, according to works such as conventional protocol type TCP, UDP and ICMP, classifies.Build respectively regular Splay tree structure.
Splay stretches tree: be self-adjusting binary search tree.In order to reduce inquiry practice, looked into the node that frequency is high nearest from Root (tree root).Splay rule tree has been added to the restriction of regular priority, the high rule of priority is near tree root.
Hash table, does Hash function according to IP address and port etc. and calculates.Require the packet Hash that same TCP, UDP connect to arrive same address.
According to the feature of procotol flow, be divided into TCP, UDP and ICMP agreement, to each agreement, under the prerequisite of inquiry Hash table, the Splay that builds multichannel decision-making stretches tree.Because Splay tree has the node of recent visit from the nearest feature of root node of tree, can find the earliest matched rule.
Under high speed network environment, the network data subpackage of communication is had to following operation and feature:
A, according to the networking rule four-tuple of local IP/ remote I P, local port/remote port, calculate create-rule Hash table;
B, network packet are classified for the first time and are adopted agreement to split, and are divided into TCP, UDP and ICMP agreement;
C, the Splay that adopts Splay to stretch under tree algorithm generation different agreement stretch tree.
The network node of recent visit stretches the root of tree near Splay, according to the feature to access to netwoks, the packet that IP repeats address to send has accounted for majority.After agreement is split, network service contrast Hash table.Navigate to after cryptographic Hash, then Splay is stretched to tree and search.Therefore algorithm can be tackled network package in earliest time, avoids recurring rule comparison.Improved the efficiency of package access.
IPv6 agreement stretches the foundation of tree to Hash lookup and Splay, in accordance with following steps:
A, 16,32,48,64 the most frequently used prefixes of employing IPv6 are set up Hash table;
B, utilize dichotomy to search Hash table;
C, under different hash tables, set up Splay stretch tree structure;
D, the earliest legal packet is tackled.
First the present invention makes protocol type to network packet and splits, and it is binary sort tree that Splay stretches tree.In O (logn), complete insertion, search and deletion action.For reducing query time, the high node of enquiry frequency is in the most close tree root position.According to the feature of network service, identical communication connection data can repeat transmitting-receiving.Adopt Splay to stretch data tree structure, can meet refusal rule the earliest.Splay stretches tree search operation best-case time complexity O (1), the moment the earliest at network security module to communication data packet rule match, judge the rule meeting, and packet is tackled.After the foundation of Hash table adopts IP address prefix and port hybrid to calculate, the value obtaining and prime number delivery obtain cryptographic Hash.The data packet head domain of dependence is done after Hash calculation, obtained cryptographic Hash.Under this cryptographic Hash, set up regular Splay and stretch tree.
Splay stretches the foundation of tree and calculates corresponding value according to IP address prefix, deposits corresponding Splay in and stretches tree node.For IPv6 address, be the feature of 4 times of IPv4 addresses, at Splay, stretch on the node of tree, can the segmentation of IPv6 address calculate Splay stretching, extension tree or preserve corresponding data structure at node.
Packet fast classification algorithm is according to following regular:
A. according to transport layer protocol, be categorized as TCP, UDP and ICMP etc.;
B. regular key is extracted to the calculating of doing Hash function.According to Hash table size, choose suitable prime number value and do mod computing, obtain Hash table nodal value;
C. under corresponding Hash table node, set up conflict Splay tree structure;
The value KEY that d.Splay stretches tree is calculated by IP address and port;
E. for IPv6 address, can choose prefix and do the calculating of Splay stretching, extension tree KEY value.Remaining figure place is made value of data structure of Splay stretching, extension tree node, while clashing, adopts linear linked list to solve Hash conflict.
Splay stretch tree structure according to the following rules:
A. according to IP address computation respective value, can be converted into decimal number 74 and leave Splay in and stretch tree as node KEY value as 01001010;
B. rule is made to processed, if the address that does not contain asterisk wildcard is high priority.The address that comprises asterisk wildcard is low priority, more close Leaf node;
C.Splay stretches the recent visit node of tree near Root node.While doing net mate, be compared at first;
D., more than asterisk wildcard network security rule is likely mated once, the rule that regular priority is high is selected;
E. for IPv6 address, owing to being 128.Can select prefix addresses as Splay, to stretch the calculated value of tree, the IPv6 interface ID of respective nodes etc. deposits in data structure in analog value.
If f. there is conflict for the interface ID such as IPv6 etc., adopt linear list to solve Hash conflict.
The beneficial effect that the technical scheme that the embodiment of the present invention provides is brought is:
The method that this patent proposes can exact matching protocol domain, the prefix territory of IP address and the commensurate in scope of port.Hash table searched to employing binary search.This method more has competitiveness searching aspect consuming time and extensibility.The today of constantly weeding out the old and bring forth the new at network device hardware and software, to express network is data packet matched a kind of new method proposed.
Network packet adopts the quick locating rule of method of Splay multichannel decision tree and Hash table combination, first classifying network packet method does agreement judgement to packet, the agreements such as TCP, UDP and ICMP are set up respectively to Hash table, Hash table calculates according to the address of IP agreement and port, find again after corresponding Hash tabular value, travel through corresponding Splay and stretch tree node, search the rule meeting, the node that Splay stretching, extension tree has recent visit is the feature of Root node, therefore the speed of raising bag that can be more classification.
Accompanying drawing explanation
Fig. 1 is that Splay of the present invention stretches tree structure schematic diagram;
Fig. 2 is packet fast classification algorithm schematic diagram of the present invention.
Embodiment
For making the object, technical solutions and advantages of the present invention clearer, below in conjunction with accompanying drawing, embodiment of the present invention is described further in detail.
Embodiment mono-
The present invention is that a kind of network packet adopts Splay to stretch the Fast Packet Classification method of tree and Hash calculating.In network application, be tending towards high speed and complicated today, Packetization and technology that network safety system adopts, require at memory space, and the aspects such as the speed of service and update complexity reach a higher requirement.This patent adopts Splay to stretch tree and builds regular node, to the rule of different agreement, adopts Hash to calculate location fast.Meet the feature of network service, the IP address of recent visit etc. can repeated accesses.At Splay, stretch the calculating of coupling the earliest of tree and can find the rule meeting.In efficiency, most data packets often can find corresponding rule through comparison for several times.For network security packet classification has proposed a new method.
The bag sorting technique of network safety system, the throughput on network and network speed etc. have very important impact.Network service is made to high speed filtering packets, need an optimal balance point of a Time & Space Complexity.Communication flows at a high speed, to the equipment of the deployment secure systems such as server, is proposing severe threat aspect concurrent connection and network security defence.According to the feature of network service, there is the node of recent visit to stretch from the Splay of the nearest feature of root the data structure that tree is deposited and mates as rule.Auxiliary with hash table algorithm, can reach than similar Hash table coupling and the more excellent result that obtains of tree finding algorithm.
Operation principle of the present invention:
1, in the practice of network data package rapid classification method, concrete implementation step is:
A. pretreatment stage, presses protocol classification to rule.Be divided into TCP, UDP etc., make Hash table and build and calculate;
B.Hash value adopts IP address and port to do to calculate rear and prime number delivery, and the value obtaining joins regular Hash table;
C. the method that adopts 16 segmentations to calculate to IP address, the method that adopts parallel computation to mate;
The node KEY value of d.Splay tree obtains according to the conversion values of 16 segmentations in IP address;
E. rule arranges priority, avoids recurring rule coupling.First search the rule that priority is high, priority is low takes second place;
F. at memory space and inquiry velocity, reach good performance balance;
H. for the processing of 128 of IPv6 addresses, can first to prefix, be Splay and stretch the calculating of setting;
The data structure of g.Splay node, can deposit the attributes such as the interface ID of IPv6;
I. find the Splay of IPv6 to stretch after tree node, then docking port ID compare.
This packet classification method has improved subpackage efficiency.
2,, in the time of under network high-speed communication environment, the access to netwoks flow process of applying the network safety system of this Packetization is:
A. adopt NDIS bottom layer driving to package interception and monitoring, obtain transport layer protocol value;
B. according to IP packet header thresholding, communication data packet is judged to IPv4 or IPv6;
C. resolve IP packet header and obtain transport layer protocol TCP, UDP and ICMP etc.;
D. the data packet head of different agreement is extracted to crucial thresholding (IP address, port) and do HASH calculating;
E. in Hash table, use the identical hash value of binary chop;
F. find hash value to do coupling below.Otherwise press system default processing;
G. calculate Splay corresponding to IP address and stretch tree KEY value, at Splay, stretch tree and search this KEY value;
If h. find KEY value, as be IPv4, according to the rule action operation in data structure.Next step processing is done in IPv6 address;
128 of i.IPv6 addresses, do next step judgement comparison to the interface ID of IPv6 address;
J. interface ID value is kept at linear linked list, by binary chop, searches;
K. find by rule process, otherwise press system default operation;
L. for the comparison of asterisk wildcard rule, the rule that priority is high first compares, and is then the low rule of priority.
The foregoing is only preferred embodiment of the present invention, in order to limit the present invention, within the spirit and principles in the present invention not all, any modification of doing, be equal to replacement, improvement etc., within all should being included in protection scope of the present invention.
Claims (5)
1. a method of carrying out network packet Fast Classification in conjunction with multichannel decision tree and Hash table, comprises the following steps:
First A, classifying network packet method do agreement judgement to packet, for different agreement, set up respectively Hash table;
B, Hash table calculate according to the address of IP agreement and port, then find corresponding Hash tabular value;
C, travel through corresponding Splay and stretch tree node, search the rule meeting, it is Root node that Splay stretches the node that tree has recent visit.
2. a kind of combination multichannel decision tree according to claim 1 and Hash table carry out the method for network packet Fast Classification, it is characterized in that, according to the feature of procotol flow, be divided into TCP, UDP and ICMP agreement, to each agreement, under the prerequisite of inquiry Hash table, the Splay that builds multichannel decision-making stretches tree.
3. a kind of combination multichannel decision tree according to claim 1 and Hash table carry out the method for network packet Fast Classification, it is characterized in that, under high speed network environment, the network data subpackage of communication are had to following operation and feature:
A, according to the networking rule four-tuple of local IP/ remote I P, local port/remote port, calculate create-rule Hash table;
B, network packet are classified for the first time and are adopted agreement to split, and are divided into TCP, UDP and ICMP agreement;
C, the Splay that adopts Splay to stretch under tree algorithm generation different agreement stretch tree.
4. a kind of combination multichannel decision tree according to claim 1 and Hash table carry out the method for network packet Fast Classification, it is characterized in that, the network node of recent visit stretches the root of tree near Splay, according to the feature to access to netwoks, the packet that IP repeats address to send has accounted for majority, after agreement is split, and network service contrast Hash table, navigate to after cryptographic Hash, then Splay is stretched to tree and search.
5. a kind of combination multichannel decision tree according to claim 1 and Hash table carry out the method for network packet Fast Classification, it is characterized in that, IPv6 agreement stretches the foundation of tree to Hash lookup and Splay, in accordance with following steps:
A, 16,32,48,64 the most frequently used prefixes of employing IPv6 are set up Hash table;
B, utilize dichotomy to search Hash table;
C, under different hash tables, set up Splay stretch tree structure;
D, the earliest legal packet is tackled.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410015602.4A CN103746919A (en) | 2014-01-14 | 2014-01-14 | Method for quickly classifying network packets through combining multi-way decision tree and Hash tables |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410015602.4A CN103746919A (en) | 2014-01-14 | 2014-01-14 | Method for quickly classifying network packets through combining multi-way decision tree and Hash tables |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN103746919A true CN103746919A (en) | 2014-04-23 |
Family
ID=50503910
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410015602.4A Pending CN103746919A (en) | 2014-01-14 | 2014-01-14 | Method for quickly classifying network packets through combining multi-way decision tree and Hash tables |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103746919A (en) |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104539538A (en) * | 2014-12-26 | 2015-04-22 | 成都致云科技有限公司 | IP address matching method and data package forwarding method of router |
| CN105187436A (en) * | 2015-09-25 | 2015-12-23 | 中国航天科工集团第二研究院七〇六所 | Packet filtering host network control method based on hash table |
| CN106656816A (en) * | 2016-09-18 | 2017-05-10 | 首都师范大学 | Distributed ipv6 routing lookup method and distributed ipv6 routing lookup system |
| CN107483343A (en) * | 2017-09-29 | 2017-12-15 | 湖南恒茂高科股份有限公司 | Address table storage lookup method, device, computer equipment and readable storage medium storing program for executing |
| CN109754021A (en) * | 2019-01-11 | 2019-05-14 | 湖南大学 | Online packet classification method based on range member group searching |
| CN110377977A (en) * | 2019-06-28 | 2019-10-25 | 南方电网科学研究院有限责任公司 | Detection method, device and the storage medium of sensitive information leakage |
| CN112055015A (en) * | 2020-09-02 | 2020-12-08 | 许继集团有限公司 | Station control layer network data processing method of power protection device |
| CN113132261A (en) * | 2019-12-31 | 2021-07-16 | 北京金山云网络技术有限公司 | Traffic data packet classification method and device and electronic equipment |
| CN113507395A (en) * | 2021-06-21 | 2021-10-15 | 华东师范大学 | State tracking device for network data flow |
| CN114884877A (en) * | 2022-06-14 | 2022-08-09 | 电子科技大学 | IPv6 route searching method combining hash table and HOT |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1633111A (en) * | 2005-01-14 | 2005-06-29 | 中国科学院计算技术研究所 | High-speed network traffic flow classification method |
| CN101035131A (en) * | 2007-02-16 | 2007-09-12 | 杭州华为三康技术有限公司 | Protocol recognition method and device |
| WO2012163091A1 (en) * | 2011-06-02 | 2012-12-06 | 中兴通讯股份有限公司 | Data location, reorganization method and device |
-
2014
- 2014-01-14 CN CN201410015602.4A patent/CN103746919A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1633111A (en) * | 2005-01-14 | 2005-06-29 | 中国科学院计算技术研究所 | High-speed network traffic flow classification method |
| CN101035131A (en) * | 2007-02-16 | 2007-09-12 | 杭州华为三康技术有限公司 | Protocol recognition method and device |
| WO2012163091A1 (en) * | 2011-06-02 | 2012-12-06 | 中兴通讯股份有限公司 | Data location, reorganization method and device |
Non-Patent Citations (1)
| Title |
|---|
| 罗青林: "适合应用层协议分类的多正则表达式匹配方法研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》 * |
Cited By (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104539538B (en) * | 2014-12-26 | 2017-11-28 | 成都致云科技有限公司 | The IP address matching process of router and the data packet forwarding method of router |
| CN104539538A (en) * | 2014-12-26 | 2015-04-22 | 成都致云科技有限公司 | IP address matching method and data package forwarding method of router |
| CN105187436A (en) * | 2015-09-25 | 2015-12-23 | 中国航天科工集团第二研究院七〇六所 | Packet filtering host network control method based on hash table |
| CN105187436B (en) * | 2015-09-25 | 2019-03-08 | 中国航天科工集团第二研究院七〇六所 | A kind of packet filtering mainframe network control method based on hash table |
| CN106656816B (en) * | 2016-09-18 | 2019-09-24 | 首都师范大学 | Distributed ipv6 method for searching route and system |
| CN106656816A (en) * | 2016-09-18 | 2017-05-10 | 首都师范大学 | Distributed ipv6 routing lookup method and distributed ipv6 routing lookup system |
| CN107483343A (en) * | 2017-09-29 | 2017-12-15 | 湖南恒茂高科股份有限公司 | Address table storage lookup method, device, computer equipment and readable storage medium storing program for executing |
| CN109754021B (en) * | 2019-01-11 | 2022-03-18 | 湖南大学 | Online packet classification method based on range tuple search |
| CN109754021A (en) * | 2019-01-11 | 2019-05-14 | 湖南大学 | Online packet classification method based on range member group searching |
| CN110377977A (en) * | 2019-06-28 | 2019-10-25 | 南方电网科学研究院有限责任公司 | Detection method, device and the storage medium of sensitive information leakage |
| CN113132261A (en) * | 2019-12-31 | 2021-07-16 | 北京金山云网络技术有限公司 | Traffic data packet classification method and device and electronic equipment |
| CN112055015A (en) * | 2020-09-02 | 2020-12-08 | 许继集团有限公司 | Station control layer network data processing method of power protection device |
| CN112055015B (en) * | 2020-09-02 | 2023-06-06 | 许继集团有限公司 | Power protection device station control layer network data processing method |
| CN113507395A (en) * | 2021-06-21 | 2021-10-15 | 华东师范大学 | State tracking device for network data flow |
| CN113507395B (en) * | 2021-06-21 | 2023-02-03 | 华东师范大学 | State tracking device for network data flow |
| CN114884877A (en) * | 2022-06-14 | 2022-08-09 | 电子科技大学 | IPv6 route searching method combining hash table and HOT |
| CN114884877B (en) * | 2022-06-14 | 2023-02-03 | 电子科技大学 | IPv6 route searching method combining hash table and HOT |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103746919A (en) | Method for quickly classifying network packets through combining multi-way decision tree and Hash tables | |
| US6691168B1 (en) | Method and apparatus for high-speed network rule processing | |
| Bremler-Barr et al. | Space-efficient TCAM-based classification using gray coding | |
| CN104348716B (en) | A kind of message processing method and equipment | |
| KR101409563B1 (en) | Method and apparatus for identifying application protocol | |
| Ganegedara et al. | StrideBV: Single chip 400G+ packet classification | |
| US9191468B2 (en) | Traffic classification | |
| US8139586B2 (en) | Enhanced packet classification | |
| US7136926B1 (en) | Method and apparatus for high-speed network rule processing | |
| CN108965248B (en) | P2P botnet detection system and method based on traffic analysis | |
| Shelly et al. | Flow caching for high entropy packet fields | |
| CN111953552B (en) | Data flow classification method and message forwarding equipment | |
| Sun et al. | Tree-based minimization of TCAM entries for packet classification | |
| Garsva et al. | Packet size distribution tendencies in computer network flows | |
| Kekely et al. | Packet classification with limited memory resources | |
| CN114710378B (en) | Parallel message classification searching method and system based on decision tree | |
| CN105207904B (en) | Processing method, device and the router of message | |
| WO2017065627A1 (en) | Early classification of network flows | |
| Chang et al. | A high-speed and memory efficient pipeline architecture for packet classification | |
| Lee et al. | Hybrid memory-efficient multimatch packet classification for NIDS | |
| Dener et al. | Rfse-gru: Data balanced classification model for mobile encrypted traffic in big data environment | |
| Hurley et al. | Classifying network protocols: a ‘two-way’flow approach | |
| Avudaiammal et al. | Network processor based high speed packet classifier for multimedia applications | |
| Zarei et al. | Automated dataset generation for training peer-to-peer machine learning classifiers | |
| CN104348729B (en) | A kind of Internet streaming sorting technique of software and hardware combining |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20140423 |
|
| WD01 | Invention patent application deemed withdrawn after publication |