CN107181738A - Software-based intrusion detection system and method - Google Patents
Software-based intrusion detection system and method
- Publication number: CN107181738A (application CN201710279176.9A)
- Authority: CN (China)
- Prior art keywords: core, detection, packet, message, output
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
- G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/55 Detecting local intrusion or implementing counter-measures)
- H04L63/1425: Traffic logging, e.g. anomaly detection (under H04L63/1408)
Abstract
The present invention provides a software-based intrusion detection system and method. The system comprises three tiers: a control core, a detection core and an output core. The control core interacts with the upper-level controller and manages the information produced by the detection core and the output core. The detection core captures and parses packets on top of DPDK and traverses the rule base to match the parsed packets against the detection rules. The output core periodically records the detection results obtained by the detection core to the system log, and packages the information on the illegal packets identified from those results before reporting it to the control core. The system is flexible to deploy and scales well; it reduces packet copies and keeps each packet on one core (core affinity), which markedly raises packet-processing capacity; and it opens a control interface to the upper layer, so it is controllable and compatible with virtualization and cloud-computing platforms.
Description
Technical field
The present invention relates to the field of security monitoring technology, and in particular to a software-based intrusion detection system and method.
Background art
An intrusion detection system (IDS) is a software application or hardware device that monitors a network or computer for malicious events. It continuously monitors network traffic, looks in system activity for abnormal behaviour that violates the security policy and for signs of attack, and generates system logs for the management unit, so that intrusions or attacks can be responded to and handled in time.
Traditional intrusion detection systems comprise hardware IDS and software IDS. A hardware IDS is generally built from dedicated hardware, manufactured and developed by a specialised equipment vendor, and relies on several devices and software working together. Current IDS hardware products fall into two broad classes by the source of their input data: host-based IDS (HIDS) and network-based IDS (NIDS).
A host-based IDS mainly performs intelligent analysis and judgement, in real time, on the network connections and audit logs of a host; major products include ISS RealSecure OS Sensor and EMERALD eXpert-BSM. A network-based IDS is deployed on an important network segment and performs feature analysis on every packet, or on suspicious packets; major products include ISS RealSecure Network Sensor, Cisco Secure IDS, the NSFOCUS "Ice Eye" IDS, Kingnet Security KIDS, the Hisense "Cobra" IDS and the Netpower "Sky Eye" network IDS.
Besides hardware IDS, there is now a great deal of intrusion detection software; common examples are iptables, Snort, Suricata and pfSense. Snort is the most widely used open-source IDS. It is a libpcap-based packet sniffer and a lightweight network intrusion detection system (NIDS). Driven by its rule language, it performs logging and content pattern matching to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks and SMB probes.
The prior art has the following problems. A traditional hardware IDS is generally developed by a specialised company, requires dedicated hardware, and needs different hardware and software to cooperate, so it scales poorly; in addition the equipment is costly, deployment is inflexible, and a large investment in manpower and material is required. Common open-source intrusion detection software overcomes these defects of hardware IDS but has a prominent performance problem. Taking Snort NIDS as an example, its packet capture is based on libpcap, which is inefficient and cannot meet the high-throughput demands of current cloud-computing platforms. Moreover, Snort NIDS (the 2.x series current at the time of this application) uses a single thread for packet detection and processing, which severely limits its performance. Traditional IDS are also insufficiently controllable: again taking Snort NIDS as an example, detection and protection are driven by a static rule file, so suspicious traffic cannot be monitored in real time and the rule file cannot be modified in real time. Existing IDS have not kept pace with the development of switching technology and high-speed networks, and under heavy traffic they can drop packets severely or even collapse.
Summary of the invention
The present invention provides a software-based intrusion detection system and method that address the poor scalability, inflexible deployment, poor performance and poor controllability of existing intrusion detection systems, and their inability to keep pace with switching technology and high-speed networks.
Two terms are explained first:
DPDK: Data Plane Development Kit;
RSS: Receive-Side Scaling.
According to one aspect of the present invention, a software-based intrusion detection system is provided, comprising three tiers, a control core, a detection core and an output core, wherein:
the control core interacts with the upper-level controller and manages the information produced by the detection core and the output core;
the detection core captures and parses packets on top of DPDK and traverses the rule base to match the parsed packets against the detection rules;
the output core periodically records the detection results obtained by the detection core to the system log, and packages the information on the illegal packets identified from those results before reporting it to the control core.
The detection core further comprises a data acquisition module and a detection matching module, wherein:
the data acquisition module, using the DPDK zero-copy receive mechanism, binds multiple NICs and multiple queues that cooperatively capture packets, and parses the packets;
the detection matching module traverses the preprocessor plugins to preprocess the parsed packets, then, using the DPDK multi-core mechanism, traverses the rule base to scan and match the preprocessed packets and obtain a detection result for each packet; the detection result is packaged into a message of a fixed format and placed in the to-be-processed buffer for the output core; wherein the detection result comprises packet information, match information, alert information and action information.
The output core further comprises a logging module and a match-information reporting module, wherein:
the logging module periodically traverses the to-be-processed buffer and records the detection results of the packets stored in it to the system log;
the match-information reporting module, following the OpenSecurity protocol, encapsulates the message information and action information of the illegal packets identified from the detection results, and forwards the encapsulated illegal packets to the control core;
wherein the content recorded to the system log comprises a timestamp, message information, match information and the processing action.
The control core further comprises an Agent module, a detection-core management module, a rule-base management module, a log management module and an output-core management module, wherein:
the Agent module interacts with the controller over a socket using an agreed messaging protocol; the interaction comprises registration information, receiving rules and uploading suspicious information;
the detection-core management module initialises and manages the detection core;
the rule-base management module receives the rules delivered by the Agent module, manages the rule base, and cooperates with the detection matching module of the detection core;
the log management module manages the log information produced by the logging module of the output core;
the output-core management module initialises and manages the output core.
According to another aspect of the present invention, a software-based intrusion detection method based on the above system is provided, comprising the following steps:
S1, initialise the control core, the detection core and the output core respectively;
S2, the detection core captures and parses packets on top of DPDK and traverses the rule base to match the parsed packets against the detection rules;
S3, the output core periodically records the detection results obtained by the detection core to the system log, and packages the information on the illegal packets identified from those results before reporting it to the control core.
In step S1, initialising the control core further comprises:
S111, parse the command-line parameters and the DPDK configuration file;
S112, initialise the Agent module;
S113, package the number of detection cores, the number of output cores, the number of NICs, the number of to-be-processed buffers and the data-plane IP information, and send a registration request to the controller;
S114, receive and parse the rule configuration file delivered by the controller;
S115, initialise the DPDK environment abstraction layer (EAL);
S116, initialise the ring buffers, comprising an instruction buffer, a statistics buffer and a to-be-processed buffer;
S117, configure RSS so that the different packets belonging to one flow are delivered to the same core;
S118, configure the transmit and receive queues, with one transmit queue per NIC and a number of receive queues equal to the number of cores;
S119, register a first timer, with which the control core periodically checks the statistics buffer and determines whether the statistics in it need to be updated.
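Step S117 decides whether the detection core can run stateful preprocessors such as TCP stream reassembly: the NIC hashes each packet's IPv4 4-tuple with the Toeplitz hash that RSS specifies and uses the result to pick a receive queue, so both directions of a connection must hash alike. The patent does not give the hash or the key, so the following is an added example, not the patent's code: it implements the RSS Toeplitz hash over the 4-tuple and shows that a symmetric key (the 16-bit pattern 0x6d5a repeated, as commonly used for bidirectional flow affinity) sends client-to-server and server-to-client packets to the same queue, whereas Microsoft's published default key, which is not periodic, generally does not. The queue count of 8 and the round-robin redirection table (DPDK's default fill) are assumptions; the sample flow 66.9.149.187:2794 -> 161.142.100.80:1766 is the first entry of Microsoft's RSS verification table.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toeplitz hash as specified for RSS: walk the input MSB-first; for every set
 * input bit i, XOR in the 32-bit window of the key that begins at key bit i. */
static uint32_t toeplitz_hash(const uint8_t *key, size_t key_len,
                              const uint8_t *in, size_t in_len)
{
    uint32_t result = 0;
    for (size_t i = 0; i < in_len * 8; i++) {
        if (!(in[i / 8] & (0x80u >> (i % 8))))
            continue;
        uint32_t window = 0;
        for (size_t b = i; b < i + 32; b++) {
            unsigned bit = (b / 8 < key_len) ? (key[b / 8] >> (7 - b % 8)) & 1u : 0u;
            window = (window << 1) | bit;
        }
        result ^= window;
    }
    return result;
}

/* IPv4 4-tuple in host byte order. */
struct flow4 { uint32_t sip, dip; uint16_t sport, dport; };

/* Lay the tuple out as the NIC hashes it: src IP, dst IP, src port, dst port,
 * big-endian, i.e. in packet order. with_ports=0 gives the L3-only hash. */
static size_t flow4_bytes(const struct flow4 *f, uint8_t out[12], int with_ports)
{
    uint32_t ip[2] = { f->sip, f->dip };
    for (int k = 0; k < 2; k++) {
        out[4*k]   = (uint8_t)(ip[k] >> 24); out[4*k+1] = (uint8_t)(ip[k] >> 16);
        out[4*k+2] = (uint8_t)(ip[k] >> 8);  out[4*k+3] = (uint8_t)ip[k];
    }
    if (!with_ports) return 8;
    out[8]  = (uint8_t)(f->sport >> 8); out[9]  = (uint8_t)f->sport;
    out[10] = (uint8_t)(f->dport >> 8); out[11] = (uint8_t)f->dport;
    return 12;
}

uint32_t rss_hash4(const uint8_t key[40], const struct flow4 *f, int with_ports)
{
    uint8_t buf[12];
    size_t n = flow4_bytes(f, buf, with_ports);
    return toeplitz_hash(key, 40, buf, n);
}

/* Queue choice. Assumption: the redirection table was filled round-robin
 * (DPDK's default), so the hash modulo the queue count selects the queue. */
unsigned rss_queue4(const uint8_t key[40], const struct flow4 *f, unsigned nqueues)
{
    return rss_hash4(key, f, 1) % nqueues;
}

struct flow4 flow4_reverse(struct flow4 f)
{
    struct flow4 r = { f.dip, f.sip, f.dport, f.sport };
    return r;
}

/* 1 if both directions of the connection land on the same queue. */
int rss_same_queue_both_ways(const uint8_t key[40], const struct flow4 *f, unsigned nqueues)
{
    struct flow4 r = flow4_reverse(*f);
    return rss_queue4(key, f, nqueues) == rss_queue4(key, &r, nqueues);
}

/* Microsoft's published default RSS key: not periodic, so the two directions of
 * a connection usually hash differently. */
const uint8_t RSS_KEY_DEFAULT[40] = {
    0x6d,0x5a,0x56,0xda,0x25,0x5b,0x0e,0xc2,0x41,0x67,0x25,0x3d,0x43,0xa3,0x8f,0xb0,
    0xd0,0xca,0x2b,0xcb,0xae,0x7b,0x30,0xb4,0x77,0xcb,0x2d,0xa3,0x80,0x30,0xf2,0x0c,
    0x6a,0x42,0xb7,0x3b,0xbe,0xac,0x01,0xfa };
/* Symmetric key: 0x6d5a repeated. With a 16-bit period, the key window for a bit of
 * the source field equals the window for the same bit of the destination field
 * (offset 32 bits for IPs, 16 for ports), so swapping them cannot change the hash. */
const uint8_t RSS_KEY_SYMMETRIC[40] = {
    0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,
    0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,
    0x6d,0x5a,0x6d,0x5a,0x6d,0x5a,0x6d,0x5a };

#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

int main(void)
{
    /* Flow from Microsoft's RSS verification table. */
    struct flow4 f = { IP4(66,9,149,187), IP4(161,142,100,80), 2794, 1766 };
    printf("default key:   same queue both ways = %d\n", rss_same_queue_both_ways(RSS_KEY_DEFAULT, &f, 8));
    printf("symmetric key: same queue both ways = %d\n", rss_same_queue_both_ways(RSS_KEY_SYMMETRIC, &f, 8));
    return 0;
}
```

The price of the symmetric key is weaker spreading (its short period gives fewer distinct windows), so it is normally used only when, as here, one core must see both directions of a flow; a stream reassembly preprocessor fed by an asymmetric key would see only half of every connection.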
In step S1, initialising the detection core further comprises:
S121, copy the rule base, and register, load and configure the preprocessor plugins;
S122, register a second timer, with which the detection core periodically checks the instruction buffer to determine whether an instruction has been received from the controller.
In step S1, initialising the output core further comprises:
S131, initialise the output plugins;
S132, register a third timer, with which the output core periodically checks the instruction buffer to determine whether an instruction has been received from the controller.
Step S2 further comprises performing the following steps in a loop:
S21, if a signal to synchronise statistics is received, synchronise the statistics;
S22, if the second timer has expired, take the controller's instruction from the instruction buffer, parse it and run the corresponding handler;
S23, traverse the bound receive queues; for each receive queue, take the packets from the queue and perform the following on each packet:
S231, decode and analyse the packet;
S232, traverse the preprocessor plugins to preprocess the decoded packet;
S233, traverse the rule base to match the preprocessed packet against the detection rules, obtaining the packet's detection result;
S234, package the detection result into a message of a fixed format and place it in the to-be-processed buffer for the output core; wherein the detection result comprises packet information, match information, alert information and action information.
Step S3 further comprises performing the following steps on each iteration of a while loop:
S31, if the third timer has expired, take the instruction from the instruction buffer, parse it and run the corresponding handler;
S32, traverse every message in the to-be-processed buffer and perform the following on each message:
S321, parse the message and pass its content to the log management module, which periodically records it to the system log; the recorded content comprises a timestamp, message information, match information and the processing action;
S322, if the detection result identifies the packet as illegal, encapsulate the packet's message information and action information according to the OpenSecurity protocol, pass the encapsulated illegal packet to the output-core management module, and from there to the controller via the Agent module.
Compared with the prior art, the software-based intrusion detection system and method proposed by the present invention have the following beneficial effects: the system is lightweight and pure software, can be deployed flexibly and scales well; the DPDK zero-copy receive mechanism, with multiple NICs and multiple queues cooperatively receiving packets, effectively raises the packet capture rate; using the DPDK multi-core mechanism to decode, classify and pattern-match the captured data streams effectively raises detection efficiency and suits high-throughput network environments; and the control interface opened to the upper layer makes the system controllable and compatible with virtualization and cloud-computing platforms.
Brief description of the drawings
Fig. 1 is an architecture diagram of a software-based intrusion detection system according to one embodiment of the present invention;
Fig. 2 is a flow chart of a software-based intrusion detection method according to another embodiment of the present invention;
Fig. 3 is a schematic diagram of the initialisation process of a software-based intrusion detection system according to another embodiment of the present invention;
Fig. 4 is a schematic diagram of the packet-processing flow of a software-based intrusion detection method according to another embodiment of the present invention.
Detailed description
The embodiments of the present invention are described in further detail below with reference to the drawings and examples. The following examples illustrate the present invention but do not limit its scope.
As shown in Fig. 1, the software-based intrusion detection system of one embodiment of the present invention comprises a control core 1, a detection core 2 and an output core 3, wherein:
the control core 1 interacts with the upper-level controller and manages the information produced by the detection core 2 and the output core 3;
the detection core 2 captures and parses packets on top of DPDK and traverses the rule base to match the parsed packets against the detection rules;
the output core 3 periodically records the detection results obtained by the detection core 2 to the system log, and packages the information on the illegal packets identified from those results before reporting it to the control core 1.
The software-based intrusion detection system of this embodiment takes Snort NIDS as its starting point and redesigns and reimplements it on top of DPDK. DPDK is an open-source data-plane development toolkit provided by Intel; it supplies library functions and drivers for efficient user-space packet processing on IA (Intel Architecture) processors. Specifically, the system comprises three tiers:
The control core 1 interacts with the upper-level controller and manages the detection core 2 and the output core 3. Its interaction with the controller comprises receiving the user configuration and delivering the configuration parameters to the detection core 2 and the output core 3, reporting suspicious information to the controller, and uploading registration information to the controller. Managing the information produced by the detection core 2 and the output core 3 comprises managing their initialisation, configuring the rule base in the detection core 2, and recording the information output by the output core 3 to the system log or saving it to a database.
The detection core 2 uses the DPDK zero-copy receive mechanism, binding multiple NICs and multiple queues to capture network packets, and decodes the received packets with a packet decoder. It then traverses the preprocessor plugins to preprocess the decoded packets. Using the DPDK multi-core mechanism, it analyses the features present in the preprocessed packet and matches them one by one against the rules in the rule base; when a feature matches a rule in the rule base, the packet is known to contain intrusion behaviour and is illegal. The rule base is a set of detection rules written according to the Snort rule syntax. The detection core 2 packages the detection result of every packet into a message of a fixed format and places it in a buffer for the output core 3 to process. A detection result records whether traversing the rule base found a matching rule entry: if a matching rule exists, the packet is illegal, and the matching rule, the action information and alert information contained in that rule, and the message information of the packet itself are packaged and placed in the buffer. If no rule matches, the match-information flag can be set to 0 and the alert-information and action-information fields are left empty.
The output core 3 periodically records the detection results of the packets obtained by the detection core 2 to the system log and, after packaging the illegal packets identified from those results, reports them to the control core 1; the control core 1 in turn forwards the encapsulated illegal packets to the controller. The output core 3 records the detection results of all captured packets to the system log; the content recorded is determined by the detection result and comprises a timestamp, message information, match information and the processing action. The output core 3 also packages the illegal packets identified by detection matching and uploads them to the control core 1.
The software-based intrusion detection system of this embodiment is flexible to deploy and scales well; by reducing packet copies and keeping each packet on one core (core affinity) it provides high-performance packet capture and detection; and by opening a control interface to the upper layer it is controllable and compatible with virtualization and cloud-computing platforms.
In another embodiment of the present invention, building on the embodiment above, the detection core 2 comprises a data acquisition module 21 and a detection matching module 22, wherein:
the data acquisition module 21, using the DPDK zero-copy receive mechanism, binds multiple NICs and multiple queues that cooperatively capture packets, and parses the packets;
the detection matching module 22 traverses the preprocessor plugins to preprocess the parsed packets, then, using the DPDK multi-core mechanism, traverses the rule base to scan and match the preprocessed packets and obtain a detection result for each packet; the detection result is packaged into a message of a fixed format and placed in the to-be-processed buffer for the output core 3 to process;
wherein the detection result comprises packet information, match information, alert information and action information.
Specifically, Snort NIDS filters, buffers and copies packets through libpcap and delivers them to each application buffer. In this process a packet travels from the network into kernel space and from kernel space into user space, so it is copied twice. In this embodiment, by contrast, the DPDK zero-copy receive mechanism achieves zero-copy packet reception: the DPDK environment abstraction layer shields the application from the operating-system kernel and the NIC's low-level I/O, that is, I/O bypasses the kernel and its protocol stack, the NIC places packets directly into user-space memory buffers, and packet decoding is performed in user space, so that frequent context switches and the performance cost of repeatedly copying packets in memory are avoided. Binding multiple NICs and multiple queues to capture packets cooperatively means binding each queue of the multiple NICs to a different processor core, so that each core independently processes the packets arriving on its queue; this removes the cost of moving packets between cores and lets processing capacity scale with the number of cores, satisfying packet capture under heavy traffic. The NIC driver assigns an interrupt number to each receive queue, and by balancing the interrupts or setting interrupt affinity the queues are bound to different cores (with DPDK's poll-mode drivers the same binding is obtained without interrupts, by dedicating one polling lcore to each receive queue). Parsing a packet means decoding it into the packet structure defined by Snort for subsequent analysis.
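The decoder is the first code in the detection core to touch attacker-controlled bytes, so its own bounds handling matters as much as what it extracts. As an added example (not the patent's or Snort's code), the following decodes an Ethernet/IPv4/TCP frame into the kind of structure the preprocessors and rule matcher consume, checking every length-bearing header field (IHL, IP total length, TCP data offset) against the bytes actually present before using it, so a truncated capture or a packet that lies about its length yields an error code instead of an over-read. The sample frame, addresses and HTTP request are constructed; VLAN tags, IPv6 and UDP are not handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { DECODE_OK = 0, DECODE_TRUNCATED = -1, DECODE_NOT_IPV4 = -2,
       DECODE_BAD_IPHDR = -3, DECODE_NOT_TCP = -4, DECODE_BAD_TCPHDR = -5 };

/* What the decoder hands to the preprocessors and the rule matcher. */
struct decoded_pkt {
    uint32_t sip, dip;
    uint16_t sport, dport;
    uint8_t  proto, tcp_flags;
    const uint8_t *payload;   /* points into the frame; valid while the frame is */
    size_t payload_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode Ethernet/IPv4/TCP. Each header field that drives an offset is checked
 * against the bytes present before it is used. */
int decode_frame(const uint8_t *frame, size_t len, struct decoded_pkt *out)
{
    memset(out, 0, sizeof *out);
    if (len < 14) return DECODE_TRUNCATED;
    if (be16(frame + 12) != 0x0800) return DECODE_NOT_IPV4;
    const uint8_t *ip = frame + 14;
    size_t rem = len - 14;
    if (rem < 20) return DECODE_TRUNCATED;
    if ((ip[0] >> 4) != 4) return DECODE_BAD_IPHDR;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t tot = be16(ip + 2);
    if (ihl < 20 || tot < ihl) return DECODE_BAD_IPHDR;
    if (tot > rem) return DECODE_TRUNCATED;          /* IP claims more than arrived */
    out->sip = be32(ip + 12);
    out->dip = be32(ip + 16);
    out->proto = ip[9];
    if (be16(ip + 6) & 0x1fff) {                     /* non-first fragment: no L4 header */
        out->payload = ip + ihl; out->payload_len = tot - ihl;
        return DECODE_OK;
    }
    if (out->proto != 6) return DECODE_NOT_TCP;
    const uint8_t *tcp = ip + ihl;
    size_t l4 = tot - ihl;
    if (l4 < 20) return DECODE_TRUNCATED;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > l4) return DECODE_BAD_TCPHDR;
    out->sport = be16(tcp);
    out->dport = be16(tcp + 2);
    out->tcp_flags = tcp[13];
    out->payload = tcp + doff;
    out->payload_len = l4 - doff;
    return DECODE_OK;
}

/* Constructed sample frame: Ethernet + IPv4 + TCP carrying an HTTP request. */
size_t sample_frame(uint8_t *buf, size_t cap)
{
    static const uint8_t hdr[54] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,  /* Ethernet, IPv4 */
        0x45,0x00,0x00,0x43, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,           /* IHL 5, len 67, TTL 64, TCP */
        10,0,0,5, 192,168,1,10,                                                    /* 10.0.0.5 -> 192.168.1.10 */
        0xc3,0x50, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x18, 0x20,0x00, 0,0, 0,0 };  /* 50000 -> 80, PSH|ACK */
    static const char payload[] = "GET /cgi-bin/phf HTTP/1.0\r\n";
    size_t n = sizeof hdr + sizeof payload - 1;
    if (cap < n) return 0;
    memcpy(buf, hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, payload, sizeof payload - 1);
    return n;
}

/* Decode the sample, optionally cut to truncate_to bytes to simulate a short capture. */
int decode_sample(struct decoded_pkt *out, size_t truncate_to)
{
    static uint8_t buf[128];   /* static: out->payload points into it */
    size_t n = sample_frame(buf, sizeof buf);
    if (truncate_to && truncate_to < n) n = truncate_to;
    return decode_frame(buf, n, out);
}

int sample_decodes_to(uint32_t sip, uint32_t dip, uint16_t sport, uint16_t dport, const char *prefix)
{
    struct decoded_pkt p;
    if (decode_sample(&p, 0) != DECODE_OK) return 0;
    size_t m = strlen(prefix);
    return p.sip == sip && p.dip == dip && p.sport == sport && p.dport == dport
        && p.payload_len >= m && memcmp(p.payload, prefix, m) == 0;
}

size_t sample_payload_len(void)
{
    struct decoded_pkt p;
    return decode_sample(&p, 0) == DECODE_OK ? p.payload_len : 0;
}

int main(void)
{
    struct decoded_pkt p;
    int rc = decode_sample(&p, 0);
    printf("full frame: rc=%d sport=%u dport=%u payload_len=%zu\n", rc, (unsigned)p.sport, (unsigned)p.dport, p.payload_len);
    printf("cut to 40 bytes: rc=%d\n", decode_sample(&p, 40));
    return 0;
}
```

Note the check `tot > rem`: an IP total length larger than the captured bytes is rejected rather than trusted, while a smaller one simply shortens the payload, which is how padding on short Ethernet frames is handled without reading past the datagram.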
Specifically, traversing the preprocessor plugins to preprocess the parsed packets means using the preprocessor plugins to inspect the parsed packets and find suspicious "behaviour" in them; the preprocessed packets are then passed to rule-match detection. The functions implemented by the preprocessor plugins mainly comprise: plugins that emulate TCP/IP stack functions, such as IP fragment reassembly and TCP stream reassembly; decoding plugins, such as the HTTP, Unicode, RPC and Telnet decoders; and plugins for attacks that rule matching alone cannot detect, such as the port-scan plugin, the SPADE anomaly-detection plugin, the Back Orifice (bo) detection plugin and the ARP-spoofing detection plugin. The preprocessor plugins can be configured flexibly according to actual need.
Using the DPDK multi-core mechanism to traverse the rule base and scan and match the preprocessed packets means that each core independently processes the packets that arrive at it: it analyses the features present in the preprocessed packet, traverses the rule base, and matches the extracted features one by one against the rules; when a feature matches a rule in the rule base, the packet is judged to contain intrusion behaviour, that is, the packet is illegal.
The rules in the rule base follow the Snort rule syntax. A Snort rule has two logical parts: the rule header and the rule options. The rule header contains the rule action, the protocol, the source and destination IP addresses with netmasks, the source and destination ports, and the direction operator; the rule options contain the alert message text and the specific parts of the packet to inspect, and consist of option keywords with their parameters.
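To make the header/options split concrete, the following is an added example (not the patent's or Snort's code) that parses the subset of the syntax the paragraph describes and matches a parsed rule against a decoded packet: action, protocol, source and destination as "any" or dotted quad with a prefix length, ports as "any" or a number, the "->" direction, and the options msg, content and sid. Negation, address and port lists, variables such as $HOME_NET, port ranges, "<>" and quoted ';' inside option values are outside the subset. The rule text (SID 1000001 in the local range) and the packet view the matcher consumes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed rule, subset of Snort syntax (see lead-in). */
struct rule {
    char action[8], proto[8], msg[64], content[64];
    uint32_t src_net, src_mask, dst_net, dst_mask;   /* mask 0 means "any" */
    int sport, dport;                                 /* -1 means "any" */
    uint32_t sid;
};

/* Decoded packet view the matcher consumes (shape of a decoder's output). */
struct pkt_view {
    uint32_t sip, dip;
    uint16_t sport, dport;
    uint8_t proto;
    const uint8_t *payload;
    size_t payload_len;
};

static int parse_net(const char *s, uint32_t *net, uint32_t *mask)
{
    unsigned a, b, c, d, bits = 32;
    if (strcmp(s, "any") == 0) { *net = 0; *mask = 0; return 0; }
    if (sscanf(s, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &bits) < 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255 || bits > 32) return -1;
    *mask = bits ? 0xffffffffu << (32 - bits) : 0;
    *net = ((a << 24) | (b << 16) | (c << 8) | d) & *mask;
    return 0;
}

static int parse_port(const char *s, int *port)
{
    if (strcmp(s, "any") == 0) { *port = -1; return 0; }
    char *end;
    long v = strtol(s, &end, 10);
    if (end == s || *end || v < 0 || v > 65535) return -1;
    *port = (int)v;
    return 0;
}

/* Copy an option value into dst, dropping surrounding double quotes. */
static void copy_value(char *dst, size_t cap, const char *v, size_t len)
{
    if (len >= 2 && v[0] == '"' && v[len - 1] == '"') { v++; len -= 2; }
    if (len >= cap) len = cap - 1;
    memcpy(dst, v, len);
    dst[len] = '\0';
}

int parse_rule(const char *text, struct rule *r)
{
    char src[64], sport[16], dir[4], dst[64], dport[16];
    int off = 0;
    memset(r, 0, sizeof *r);
    if (sscanf(text, "%7s %7s %63s %15s %3s %63s %15s (%n",
               r->action, r->proto, src, sport, dir, dst, dport, &off) < 7 || off == 0)
        return -1;                                     /* header or "(" missing */
    if (strcmp(dir, "->") != 0) return -1;
    if (parse_net(src, &r->src_net, &r->src_mask) || parse_net(dst, &r->dst_net, &r->dst_mask)) return -1;
    if (parse_port(sport, &r->sport) || parse_port(dport, &r->dport)) return -1;
    const char *p = text + off;
    for (;;) {                                         /* options: key:value; ... ) */
        while (*p == ' ') p++;
        if (*p == ')') return 0;
        if (*p == '\0') return -1;                     /* missing ")" */
        const char *semi = strchr(p, ';');
        if (!semi) return -1;                          /* unterminated option */
        const char *colon = memchr(p, ':', (size_t)(semi - p));
        size_t klen = (size_t)((colon ? colon : semi) - p);
        const char *v = colon ? colon + 1 : semi;
        size_t vlen = (size_t)(semi - v);
        if (klen == 3 && !memcmp(p, "msg", 3))          copy_value(r->msg, sizeof r->msg, v, vlen);
        else if (klen == 7 && !memcmp(p, "content", 7)) copy_value(r->content, sizeof r->content, v, vlen);
        else if (klen == 3 && !memcmp(p, "sid", 3))     r->sid = (uint32_t)strtoul(v, NULL, 10);
        p = semi + 1;                                  /* other keywords are ignored in this subset */
    }
}

static int proto_number(const char *name)
{
    if (!strcmp(name, "tcp")) return 6;
    if (!strcmp(name, "udp")) return 17;
    if (!strcmp(name, "icmp")) return 1;
    return 0;                                          /* "ip": any protocol */
}

static int has_content(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

int rule_matches(const struct rule *r, const struct pkt_view *p)
{
    int pn = proto_number(r->proto);
    if (pn && p->proto != pn) return 0;
    if ((p->sip & r->src_mask) != r->src_net || (p->dip & r->dst_mask) != r->dst_net) return 0;
    if (r->sport >= 0 && p->sport != r->sport) return 0;
    if (r->dport >= 0 && p->dport != r->dport) return 0;
    return has_content(p->payload, p->payload_len, r->content);
}

/* Constructed rule in the local SID range. */
const char SAMPLE_RULE[] =
    "alert tcp any any -> 192.168.1.0/24 80 (msg:\"WEB-CGI phf access\"; content:\"/cgi-bin/phf\"; sid:1000001;)";

/* Parse rule_text and run it against a constructed TCP packet: 1 = match, 0 = no match, -1 = bad rule. */
int rule_hits(const char *rule_text, uint32_t sip, uint32_t dip, uint16_t sport, uint16_t dport, const char *payload)
{
    struct rule r;
    if (parse_rule(rule_text, &r)) return -1;
    struct pkt_view p = { sip, dip, sport, dport, 6, (const uint8_t *)payload, strlen(payload) };
    return rule_matches(&r, &p);
}

uint32_t rule_sid(const char *rule_text)
{
    struct rule r;
    return parse_rule(rule_text, &r) ? 0 : r.sid;
}

int main(void)
{
    printf("phf request to 192.168.1.10:80 -> %d\n",
           rule_hits(SAMPLE_RULE, 0x0a000005u, 0xc0a8010au, 50000, 80, "GET /cgi-bin/phf HTTP/1.0\r\n"));
    printf("same request to 10.1.1.1:80    -> %d\n",
           rule_hits(SAMPLE_RULE, 0x0a000005u, 0x0a010101u, 50000, 80, "GET /cgi-bin/phf HTTP/1.0\r\n"));
    return 0;
}
```

The header checks are cheap integer comparisons and run before the payload scan, which is the order a real engine keeps: in Snort the header fields select a rule group and only then is content matching run, here shown as a single linear search per rule.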
The detection result is packaged into a message of a fixed format and placed in the to-be-processed buffer (ToBeProcessed_RingBuffer). ToBeProcessed_RingBuffer is a ring buffer that stores the detection results of all packets, including the packet's message information, the matched rule information, the alert information and the rule's processing action. Storing messages in a ring buffer avoids frequent memory allocation, and ring-buffer access is fast, so it provides high-performance data access.
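ToBeProcessed_RingBuffer is the hand-off between the detection core, which writes, and the output core, which reads. The patent does not show its implementation (a DPDK build would normally use rte_ring), so the following is an added example, not the patent's code: a single-producer/single-consumer ring of fixed-size result messages using C11 atomics, where the producer owns the head index and the consumer the tail, so no lock is needed. It also shows the policy a practitioner has to decide and the text leaves open: when the ring is full, the detection core drops the result and counts it rather than blocking on a slow logger. The consumer side formats the log record with the four fields the text lists (timestamp, message information, match information, processing action). Field layout, ring size and the sample results are assumptions.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SIZE 8   /* power of two; RING_SIZE - 1 entries are usable */

/* One detection result as the detection core packages it for the output core. */
struct detect_result {
    uint64_t ts_us;          /* timestamp */
    uint32_t sip, dip;       /* message (packet) information */
    uint16_t sport, dport;
    uint8_t  proto;
    uint8_t  matched;        /* match information: 0 means no rule matched */
    uint32_t sid;
    char     action[8];      /* processing action: alert, log, pass, ... */
    char     msg[48];        /* alert information from the matched rule */
};

/* SPSC ring: only the detection core writes head, only the output core writes tail. */
struct result_ring {
    struct detect_result slots[RING_SIZE];
    _Atomic size_t head;      /* next slot the producer writes */
    _Atomic size_t tail;      /* next slot the consumer reads */
    _Atomic uint64_t dropped; /* results discarded because the ring was full */
};

void ring_init(struct result_ring *r)
{
    atomic_init(&r->head, 0);
    atomic_init(&r->tail, 0);
    atomic_init(&r->dropped, 0);
}

/* Producer side. Returns 1 if queued, 0 if dropped: a full ring drops and counts
 * instead of blocking, so a slow logger never stalls packet processing. */
int ring_push(struct result_ring *r, const struct detect_result *res)
{
    size_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    size_t next = (head + 1) & (RING_SIZE - 1);
    if (next == atomic_load_explicit(&r->tail, memory_order_acquire)) {
        atomic_fetch_add_explicit(&r->dropped, 1, memory_order_relaxed);
        return 0;
    }
    r->slots[head] = *res;
    atomic_store_explicit(&r->head, next, memory_order_release); /* publish after the copy */
    return 1;
}

/* Consumer side. Returns 1 if a result was taken, 0 if the ring is empty. */
int ring_pop(struct result_ring *r, struct detect_result *out)
{
    size_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    if (tail == atomic_load_explicit(&r->head, memory_order_acquire))
        return 0;
    *out = r->slots[tail];
    atomic_store_explicit(&r->tail, (tail + 1) & (RING_SIZE - 1), memory_order_release);
    return 1;
}

#define IPF(x) (unsigned)((x) >> 24), (unsigned)(((x) >> 16) & 255), (unsigned)(((x) >> 8) & 255), (unsigned)((x) & 255)

/* Output-core log record: timestamp, message information, match information, action. */
int format_log_line(const struct detect_result *d, char *buf, size_t cap)
{
    return snprintf(buf, cap, "%llu.%06llu %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u proto=%u sid=%u action=%s msg=\"%s\"",
                    (unsigned long long)(d->ts_us / 1000000), (unsigned long long)(d->ts_us % 1000000),
                    IPF(d->sip), (unsigned)d->sport, IPF(d->dip), (unsigned)d->dport, (unsigned)d->proto,
                    d->matched ? (unsigned)d->sid : 0u, d->matched ? d->action : "-", d->matched ? d->msg : "-");
}

/* Round trip the way the two cores use the ring: push n_push synthetic results,
 * then drain them. Returns the number received, or -1 if order was broken. */
int ring_roundtrip(size_t n_push, uint64_t *dropped)
{
    static struct result_ring ring;
    ring_init(&ring);
    for (size_t i = 0; i < n_push; i++) {
        struct detect_result d = { .ts_us = 1700000000000000ull + i, .sip = 0x0a000005u, .dip = 0xc0a8010au,
                                   .sport = 50000, .dport = 80, .proto = 6, .matched = (i % 2 == 0),
                                   .sid = (i % 2 == 0) ? 1000001u : 0u, .action = "alert", .msg = "WEB-CGI phf access" };
        ring_push(&ring, &d);
    }
    int received = 0;
    struct detect_result out;
    uint64_t expect = 1700000000000000ull;
    while (ring_pop(&ring, &out)) {
        if (out.ts_us != expect++) return -1;
        received++;
    }
    if (dropped) *dropped = atomic_load(&ring.dropped);
    return received;
}

uint64_t ring_roundtrip_dropped(size_t n_push) { uint64_t d = 0; ring_roundtrip(n_push, &d); return d; }

/* One formatted record for a matched packet (static buffer). */
const char *sample_log_line(void)
{
    static char line[192];
    struct detect_result d = { .ts_us = 1700000000000000ull, .sip = 0x0a000005u, .dip = 0xc0a8010au, .sport = 50000,
                               .dport = 80, .proto = 6, .matched = 1, .sid = 1000001u, .action = "alert", .msg = "WEB-CGI phf access" };
    format_log_line(&d, line, sizeof line);
    return line;
}

int main(void)
{
    uint64_t dropped = 0;
    int got = ring_roundtrip(RING_SIZE + 3, &dropped);
    printf("%s\n", sample_log_line());
    printf("pushed %d, received %d, dropped %llu\n", RING_SIZE + 3, got, (unsigned long long)dropped);
    return 0;
}
```

The dropped counter is what the control core's statistics buffer should carry upward: a rising value means the output core cannot keep up and alerts are being lost silently, which an operator needs to see as clearly as the alerts themselves.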
In the software-based intrusion detection system of this embodiment, the DPDK zero-copy receive mechanism, with multiple NICs and multiple queues cooperatively receiving packets, effectively raises the packet capture rate; and using the DPDK multi-core mechanism to decode, classify and pattern-match the captured data streams effectively raises detection efficiency and suits high-throughput network environments.
In another embodiment of the present invention, building on the embodiment above, the output core 3 comprises a logging module 31 and a match-information reporting module 32, wherein:
the logging module 31 periodically traverses the to-be-processed buffer and records the detection results of the packets stored in it to the system log;
the match-information reporting module 32, following the OpenSecurity protocol, encapsulates the message information and action information of the illegal packets identified from the detection results, and forwards the encapsulated illegal packets to the control core;
wherein the content recorded to the system log comprises a timestamp, message information, match information and the processing action.
Specifically, so that the system administrator can trace back and analyse traffic, fully understand the historical network environment, and adjust and update the rule base in time, the intrusion detection system must preserve the detection information of every packet that passes through it; this data is usually stored in a log file specified by the user or in a specific database.
The logging module 31 periodically traverses the to-be-processed buffer ToBeProcessed_RingBuffer, reads each message in it, parses the message and records the detection result of the packet it describes to the system log; the content recorded comprises a timestamp, message information, match information and the processing action. The processing action is the action to be taken on the packet once a rule matches, one of alert, log, pass, activate and dynamic.
If the detection result identifies a packet as illegal, the match-information reporting module 32 encapsulates the illegal packet's message information and action information according to the OpenSecurity protocol and passes the encapsulated illegal packet to the output-core management module, which reports it to the controller via the Agent module.
A kind of software implementation intruding detection system provided in an embodiment of the present invention, is realized to intrusion detection using buffer circle
The reception and transmission of relevant information, using the teaching of the invention it is possible to provide high-performance intrusion detection warning message output.
In another embodiment of the present invention, building on the embodiment above, control core 1 includes: Agent module 11, detection core management module 12, rule database management module 13, log management module 14 and output core management module 15; wherein,
the Agent module 11 is responsible for interacting with the controller over a socket using an agreed messaging protocol, the exchanged content including: registration information, received rules and uploaded suspicious information;
specifically, an Agent is an autonomous software component that can be added to, or removed from, the system independently without affecting the system as a whole; the more complete the functions of the Agent entity, the better the scalability of the system, and opening an interface to the upper layer through the Agent improves the controllability of the system.
The detection core management module 12 initializes and manages the detection cores;
the rule database management module 13 receives the rules delivered by Agent module 11, manages the rule base, and cooperates with the detection matching module 22 of detection core 2;
specifically, rule database management module 13 can continuously update the rule base by adding or deleting rules.
The log management module 14 manages the log information produced by logger module 31 of output core 3;
the output core management module 15 initializes and manages output core 3.
Specifically, output core management module 15 transmits the messages reported by the match information reporting module to Agent module 11.
The software intrusion detection system provided in this embodiment of the present invention opens an interface to the upper layer through the Agent module, which makes it easy to adjust the rule base as needed and improves the controllability of the system, and implements management of the lower layer through the several management modules.
Another embodiment of the present invention provides a software intrusion detection method based on the software intrusion detection system of the embodiments above; as shown in Fig. 2, it comprises the following steps:
S1, initializing the control core, the detection cores and the output core respectively;
S2, the detection core acquiring and parsing packets based on DPDK, and performing detection matching on the parsed packets by traversing the rule base;
S3, the output core periodically recording the detection match results obtained by the detection core to the system log, and encapsulating the illegal packet information identified from the detection match results and reporting it to the control core.
Specifically, the control core, the detection cores and the output core must first be initialized respectively; Fig. 3 is a schematic diagram of the initialization procedure of a software intrusion detection system provided by an embodiment of the present invention. Control core initialization includes: parsing the parameter configuration and the DPDK configuration file, establishing the communication connection between the Agent module and the controller, receiving the rules delivered by the controller, initializing the DPDK environment abstraction layer, initializing the ring buffers, configuring the packet receive and transmit queues, and registering a timer. Detection core initialization includes: configuring the preprocessor plugins, copying the rules delivered by the controller, and registering a timer, so that the detection core can monitor and match packets. Output core initialization includes: initializing the routing table, initializing the output plugins and registering a timer, so that the output core can send detection results.
Specifically, in step S2, based on the DPDK zero-copy packet receiving mechanism, multiple network cards are bound and multiple queues cooperate to capture packets, which are then parsed; the preprocessor plugins are then traversed to preprocess the parsed packets; then, based on the DPDK multi-core mechanism, the rule base is traversed to scan and match the preprocessed packets, yielding the detection match result of each packet; the detection match result is packed into a message in a fixed format and stored in the to-be-processed buffer ToBeProcessed_RingBuffer for the output core to process.
Step S3 first periodically traverses ToBeProcessed_RingBuffer and records the detection match results of all packets to the system log; then, if a packet is identified as illegal from its detection match result, the message information and action information of that illegal packet are encapsulated according to the OpenSecurity protocol, the encapsulated illegal packet is uploaded to the control core, and the control core reports the encapsulated suspicious message to the controller.
The software intrusion detection method provided in this embodiment of the present invention, based on the DPDK zero-copy packet receiving mechanism and multi-core mechanism, reduces message copying and exploits core affinity; it can provide high-performance packet capture and detection and is well suited to the security protection of virtualization and cloud computing platforms.
In another embodiment of the present invention, building on the embodiment above, initializing the control core further comprises:
S111, parsing the command line parameters and the DPDK configuration file;
S112, initializing the Agent module;
S113, encapsulating the number of detection cores, the number of output cores, the number of network cards, the number of to-be-processed buffers and the data plane IP information, and initiating a registration request to the controller;
S114, receiving and parsing the rule configuration file delivered by the controller;
S115, initializing the DPDK environment abstraction layer;
S116, initializing the ring buffers, wherein the ring buffers include: an instruction buffer, a statistics buffer and a to-be-processed buffer;
S117, configuring RSS (Receive Side Scaling) to ensure that different packets belonging to the same flow are sent to the same core;
S118, configuring the transmit queues and receive queues, wherein one transmit queue is configured per network card and the number of receive queues equals the number of cores;
S119, registering a first timer, used by the control core to periodically check the statistics buffer and determine whether the statistics in it need to be updated.
Specifically, in S111 the command line parameters are parsed into the parameters required to start Snort, and the DPDK configuration file specifies the detection cores, the output cores, the number of to-be-processed buffers, the CPU mask, the data plane IP, and the IP and port of the controller.
In S112 the Agent module is initialized: it establishes communication with the controller by creating a socket, receives and parses the instructions sent by the controller, collects local statistics, and sends the encapsulated local statistics to the controller.
In S113 the number of detection cores, the number of output cores, the number of network cards, the number of to-be-processed buffers gBuffer, the data plane IP information and similar information are encapsulated, and a registration request is initiated to the controller; on receiving the registration request the controller records this information and responds to the request. At the same time, the controller sends a unified rule configuration file to the protection node. The data plane IP information includes the data plane IP type and the data plane IP address.
Receiving and parsing the rule configuration file delivered by the controller in S114 means that the controller delivers a Snort rule configuration file; at system initialization this Snort rule configuration file is parsed, each rule is read in turn, parsed and represented in the corresponding rule syntax, the rules are organized in memory into a rule syntax tree, and packets are matched against that rule syntax tree: if some rule matches a packet, an attack has been detected.
In S115 the DPDK environment abstraction layer is initialized; DPDK provides its own APIs, and this step initializes them.
In S116 the ring buffers (Ring Buffer) are initialized, wherein the ring buffers include: the instruction buffer (Policy_RingBuffer), the statistics buffer (Info_RingBuffer) and the to-be-processed buffer (ToBeProcessed_RingBuffer); the instruction buffer stores the instructions of the controller, the statistics buffer stores statistics, and the to-be-processed buffer stores the detection information of illegal packets.
In S117, RSS is used to load-balance packets and forward them to multiple cores: RSS distributes packets into different queues while ensuring that different packets belonging to the same flow are sent to the same core.
In S118 the transmit queues and receive queues are configured; one transmit queue is configured per network card, and the number of receive queues equals the number of cores.
In S119 a first timer is registered, used by the control core to periodically check whether the statistics in the statistics buffer need to be updated; if they do, the control core sends a signal to every detection core and output core.
The software intrusion detection method provided in this embodiment of the present invention bypasses the kernel protocol stack through the environment abstraction layer, optimizes memory, buffer and queue management, and provides load balancing based on multiple network card queues and flow identification, enabling the method to achieve high-performance packet acquisition and detection.
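The queue-selection property of S117 (all packets of one flow on one core) matters for an IDS because stream reassembly and the stateful preprocessors named later (Stream6, SessionManager) must see both directions of a session on the same core. The following C program is an added example, not code from the patent or from DPDK: it implements in software the property the NIC's RSS is expected to provide, by hashing a direction-independent form of the 5-tuple so that both halves of a session select the same receive queue. The flow_key_t, canonical_key, same_flow and select_queue names, the FNV-1a hash and the sample addresses are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 5-tuple identifying a flow; values are constructed and held in host byte order. */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
} flow_key_t;

/* Direction-independent form: the numerically smaller endpoint goes first, so the
 * client->server and server->client halves of one TCP session yield the same key. */
static flow_key_t canonical_key(flow_key_t k) {
    bool swap = k.src_ip > k.dst_ip ||
                (k.src_ip == k.dst_ip && k.src_port > k.dst_port);
    if (swap) {
        uint32_t ip = k.src_ip;   k.src_ip = k.dst_ip;     k.dst_ip = ip;
        uint16_t pt = k.src_port; k.src_port = k.dst_port; k.dst_port = pt;
    }
    return k;
}

/* Two packets belong to the same flow iff their canonical keys are equal. */
static bool same_flow(flow_key_t a, flow_key_t b) {
    a = canonical_key(a); b = canonical_key(b);
    return a.src_ip == b.src_ip && a.dst_ip == b.dst_ip && a.src_port == b.src_port &&
           a.dst_port == b.dst_port && a.proto == b.proto;
}

/* FNV-1a over explicit fields (never over the struct bytes, which include padding). */
static uint32_t fnv1a(uint32_t h, const void *data, size_t n) {
    const uint8_t *p = data;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Software stand-in for the NIC's RSS hash: symmetric because it hashes the canonical key. */
static uint32_t flow_hash(flow_key_t k) {
    k = canonical_key(k);
    uint32_t h = 2166136261u;
    h = fnv1a(h, &k.src_ip, sizeof k.src_ip);
    h = fnv1a(h, &k.dst_ip, sizeof k.dst_ip);
    h = fnv1a(h, &k.src_port, sizeof k.src_port);
    h = fnv1a(h, &k.dst_port, sizeof k.dst_port);
    h = fnv1a(h, &k.proto, sizeof k.proto);
    return h;
}

/* Pick one of n_queues receive queues; with one receive queue per detection core
 * (S118) the queue index is the detection core that will see the packet. */
static unsigned select_queue(flow_key_t k, unsigned n_queues) {
    return flow_hash(k) % n_queues;
}

int main(void) {
    /* Constructed session 10.0.0.5:50000 <-> 10.0.0.80:80 seen in both directions. */
    flow_key_t fwd = { 0x0a000005, 0x0a000050, 50000, 80, 6 };
    flow_key_t rev = { 0x0a000050, 0x0a000005, 80, 50000, 6 };
    printf("fwd -> queue %u, rev -> queue %u, same flow: %d\n",
           select_queue(fwd, 4), select_queue(rev, 4), same_flow(fwd, rev));
    return 0;
}
```

Whether hardware RSS actually has this property depends on the hash key programmed into the NIC: the Toeplitz hash with a default key is not symmetric, so IDS deployments that rely on RSS typically program a symmetric key (commonly the 40-byte repetition of 0x6d5a) and verify with traffic in both directions that the two halves of a session land on the same queue.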
In another embodiment of the present invention, building on the embodiment above, initializing a detection core further comprises:
S121, copying the rule base, and registering, loading and configuring the preprocessor plugins;
S122, registering a second timer, used by the detection core to periodically check the instruction buffer and determine whether an instruction has been received from the controller.
Specifically, copying the rule base in step S121 means that the rule configuration file has already been parsed in the control core, yielding a Snort_Config structure; when a detection core is started, a pointer to this structure is passed in as a parameter and the detection core copies the Snort_Config structure as a local variable. The preprocessor plugins are registered, loaded and configured; they include: ARPspoof, Normalizer, SessionManager, Stream6, RpcDecode, Bo, HttpInspect, PerfMonitor, SfPortScan and others.
Step S122 registers the second timer, which the detection core uses to periodically check the instruction buffer and determine whether an instruction has been received from the controller.
The software intrusion detection method provided in this embodiment of the present invention copies the rules delivered by the controller when initializing the detection core, so that rules can be modified dynamically and suspicious data can be monitored in real time.
In another embodiment of the present invention, building on the embodiment above, initializing the output core further comprises:
S131, initializing the output plugins;
S132, registering a third timer, used by the output core to periodically check the instruction buffer and determine whether an instruction has been received from the controller.
Specifically, step S131 initializes the output plugins, including SYN Cookie and SYN Proxy; through the output plugins, the information about illegal packets is recorded to the system log or uploaded to the controller.
Step S132 registers the third timer, which the output core uses to periodically check the instruction buffer and determine whether an instruction has been received from the controller.
The software intrusion detection method provided in this embodiment of the present invention, by initializing the output core, outputs intrusion detection information in plugin form, making it easy for the system administrator to trace back and analyze data traffic.
In another embodiment of the present invention, building on the embodiment above, step S2 further comprises performing the following steps in a loop:
S21, if a signal to synchronize statistics is received, synchronizing the statistics;
S22, if the second timer has expired, extracting the instruction sent by the controller from the instruction buffer, parsing the instruction and executing the corresponding handler;
S23, traversing the bound receive queues and, for each receive queue, extracting the packets in that queue and performing the following operations on every packet:
S231, decoding and analyzing the packet;
S232, traversing the preprocessor plugins to preprocess the decoded packet;
S233, traversing the rule base to perform detection matching on the preprocessed packet, obtaining the detection match result of the packet;
S234, packing the detection match result into a message in a fixed format and storing it in the to-be-processed buffer for the output core to process, wherein the detection match result includes: packet information, match information, alert information and action information.
Specifically, referring to the schematic diagram of the packet processing procedure of the software intrusion detection method provided by another embodiment of the present invention, the detection core in step S2 acquires and parses packets based on DPDK and traverses the rule base to perform detection matching on the parsed packets, which further comprises performing the following steps in a loop:
if the detection core receives a signal to synchronize statistics, it synchronizes the statistics; if the second timer has expired, it extracts the instruction delivered by the controller from the instruction ring buffer and begins capturing and detecting packets. The detection core traverses the bound receive queues and, for each receive queue, extracts the packets in that queue and performs the following operations on every packet: the data acquisition module decodes and analyzes the packet; the detection matching module traverses the preprocessor plugins to preprocess the decoded packet; the rule base is traversed to perform detection matching on the preprocessed packet, yielding the detection match result of the packet; and the detection match result is packed into a message in a fixed format and stored in the to-be-processed buffer ToBeProcessed_RingBuffer for the output core to process.
The software intrusion detection method provided in this embodiment of the present invention, based on the DPDK zero-copy packet receiving mechanism, receives network packets cooperatively over multiple network cards and multiple queues, which effectively raises the packet capture rate; using the DPDK multi-core mechanism, the captured packets are decoded and pattern-matched, which effectively raises the efficiency of intrusion detection and adapts well to high-throughput network environments.
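Steps S231 to S233 as an added example in C, not code from the patent, from Snort or from DPDK: a minimal Ethernet/IPv4/TCP decoder, a parser for Snort-style rules of the form S114 describes (header plus msg and content options), and a rule-base traversal that returns the first matching rule. The frame built by build_frame, the two rules in RULE_BASE and all names in the block are constructed for this example; only the protocol, port and content fields of a rule are honoured, and the source and destination address fields are parsed but treated as any. The decoder rejects malformed or truncated frames instead of matching on them, which is what a detection core needs so that a bad header length cannot cause an out-of-bounds read during matching.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decoded fields the matcher needs (S231). Only Ethernet/IPv4/TCP is handled here. */
typedef struct {
    uint8_t proto; uint32_t src_ip, dst_ip; uint16_t sport, dport;
    const uint8_t *payload; size_t plen;
} pkt_t;

/* Decode a raw frame; returns 0 for anything malformed or unsupported so the caller drops it. */
static int decode(const uint8_t *f, size_t n, pkt_t *p) {
    if (n < 34 || (f[12] << 8 | f[13]) != 0x0800) return 0;     /* EtherType must be IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl + 20 > n) return 0;
    memset(p, 0, sizeof *p);
    p->proto = ip[9];
    memcpy(&p->src_ip, ip + 12, 4); memcpy(&p->dst_ip, ip + 16, 4);  /* kept in network order */
    if (p->proto != 6) return 0;                                      /* TCP only in this example */
    const uint8_t *tcp = ip + ihl; size_t rem = n - 14 - ihl;
    size_t doff = (tcp[12] >> 4) * 4;
    if (doff < 20 || doff > rem) return 0;                            /* bad data offset */
    p->sport = (uint16_t)(tcp[0] << 8 | tcp[1]); p->dport = (uint16_t)(tcp[2] << 8 | tcp[3]);
    p->payload = tcp + doff; p->plen = rem - doff;
    return 1;
}

/* One parsed rule. Addresses are accepted but only "any" is honoured, to keep the example short. */
typedef struct { char action[16], proto[8], msg[64], content[64]; int sport, dport; /* -1 = any */ } rule_t;

static int parse_port(const char *s) { return strcmp(s, "any") == 0 ? -1 : atoi(s); }

/* Parse: action proto src_ip sport -> dst_ip dport (msg:"..."; content:"...";)   (S114) */
static int parse_rule(const char *line, rule_t *r) {
    char src[32], dst[32], sp[16], dp[16], opts[256];
    memset(r, 0, sizeof *r);
    if (sscanf(line, "%15s %7s %31s %15s -> %31s %15s (%255[^)])",
               r->action, r->proto, src, sp, dst, dp, opts) != 7) return 0;
    r->sport = parse_port(sp); r->dport = parse_port(dp);
    const char *m = strstr(opts, "msg:\""), *c = strstr(opts, "content:\"");
    if (m) sscanf(m + 5, "%63[^\"]", r->msg);
    if (c) sscanf(c + 9, "%63[^\"]", r->content);
    return 1;
}

/* Header fields first, then a plain substring search for the content option. */
static int rule_matches(const rule_t *r, const pkt_t *p) {
    if (strcmp(r->proto, "tcp") == 0 && p->proto != 6) return 0;
    if (r->sport != -1 && r->sport != p->sport) return 0;
    if (r->dport != -1 && r->dport != p->dport) return 0;
    size_t cl = strlen(r->content);
    if (cl == 0) return 1;
    for (size_t i = 0; i + cl <= p->plen; i++)
        if (memcmp(p->payload + i, r->content, cl) == 0) return 1;
    return 0;
}

/* Traverse the rule base (S233): index of the first matching rule, or -1. */
static int detect(const rule_t *rules, int n, const pkt_t *p) {
    for (int i = 0; i < n; i++) if (rule_matches(&rules[i], p)) return i;
    return -1;
}

/* Constructed frame: 10.0.0.5:50000 -> 10.0.0.80:dport over TCP, carrying `payload`. */
static size_t build_frame(uint8_t *buf, uint16_t dport, const char *payload) {
    size_t plen = strlen(payload), ip_len = 40 + plen;
    memset(buf, 0, 14 + ip_len);
    buf[12] = 0x08; buf[13] = 0x00;
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[2] = (uint8_t)(ip_len >> 8); ip[3] = (uint8_t)ip_len; ip[8] = 64; ip[9] = 6;
    const uint8_t src[4] = {10, 0, 0, 5}, dst[4] = {10, 0, 0, 80};
    memcpy(ip + 12, src, 4); memcpy(ip + 16, dst, 4);
    uint8_t *tcp = ip + 20;
    tcp[0] = 0xc3; tcp[1] = 0x50; tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50;                                   /* data offset 5 words, no options */
    memcpy(tcp + 20, payload, plen);
    return 14 + ip_len;
}

/* Constructed rule base in Snort-like syntax (not taken from the patent). */
static const char *RULE_BASE[] = {
    "alert tcp any any -> any 80 (msg:\"path traversal probe\"; content:\"/etc/passwd\";)",
    "log tcp any any -> any 22 (msg:\"ssh session\";)",
};
#define N_RULES 2

/* Whole S2 path for one frame: decode, traverse rules, return the matched rule index,
 * -1 for no match, -2 for a rule syntax error, -3 for a frame the decoder rejects. */
int demo_match(uint16_t dport, const char *payload) {
    rule_t rules[N_RULES];
    for (int i = 0; i < N_RULES; i++)
        if (!parse_rule(RULE_BASE[i], &rules[i])) return -2;
    uint8_t frame[1500];
    pkt_t p;
    size_t n = build_frame(frame, dport, payload);
    if (!decode(frame, n, &p)) return -3;
    return detect(rules, N_RULES, &p);
}

int main(void) {
    printf("%d\n", demo_match(80, "GET /../../etc/passwd HTTP/1.0\r\n"));  /* 0 */
    printf("%d\n", demo_match(80, "GET /index.html HTTP/1.0\r\n"));        /* -1 */
    return 0;
}
```

The rule's action string (alert or log here) is carried in rule_t and, together with the rule index and msg, is what S234 packs into the detection match result for the output core; the patent's preprocessing step S232 sits between decode and detect and is omitted here.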
In another embodiment of the present invention, building on the embodiment above, step S3 further comprises performing the following operations in each iteration of a while loop:
S31, if the third timer has expired, extracting an instruction from the instruction buffer, parsing it and executing the corresponding handler;
S32, traversing every message in ToBeProcessed_RingBuffer and performing the following operations on each message:
S321, parsing the message, passing its content to the log management module, and having the log management module periodically record it to the system log, wherein the recorded content includes: timestamp, message information, match information and processing action;
S322, if the packet is identified as illegal from the detection match result, encapsulating the message information and action information of the illegal packet according to the OpenSecurity protocol, passing the encapsulated illegal packet to the output core management module, and then passing it to the controller through the Agent module.
Specifically, with reference to Fig. 4, the output core in step S3 periodically recording the detection match results of the packets obtained by the detection core to the system log and reporting the illegal packets after encapsulation further comprises performing the following operations in each iteration of a while loop:
if the third timer has expired, the output core extracts the instruction delivered by the controller from the instruction ring buffer and begins outputting the intrusion detection results obtained by the detection core. The output core traverses every message in the to-be-processed buffer and performs the following operations on each message:
the logger module of the output core parses the message, obtains the detection match result of the packet, passes it to the log management module of the control core, and the log management module periodically records it to the system log, wherein the recorded content includes: timestamp, message information, match information and processing action.
When the match information reporting module of the output core identifies a packet as illegal from the detection match result, it encapsulates the message information and action information of the illegal packet according to the OpenSecurity protocol and passes the encapsulated illegal packet to the output core management module of the control core, which passes it to the controller through the Agent module; the controller then saves the encapsulated illegal packet to the user database.
The software intrusion detection system provided in this embodiment of the present invention uses ring buffers to receive and transmit intrusion detection information, and can therefore provide high-performance output of intrusion detection alert messages.
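The S234/S32 hand-off between a detection core and the output core, as an added C example that is not code from the patent or from DPDK: a fixed-size ring of detection-result messages carrying the four fields the text lists for the log (timestamp, message information, match information, processing action), the detection-side enqueue, and one output-core pass that logs every message and sets the illegal ones aside for the control core. The message layout, the ring (a single-threaded stand-in for DPDK's rte_ring), the rule that "illegal" means a matched rule whose action is alert, and the three sample results in run_demo are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Processing actions a matched rule can request (the five named in the text). */
typedef enum { ACT_ALERT, ACT_LOG, ACT_PASS, ACT_ACTIVATE, ACT_DYNAMIC } action_t;
static const char *ACTION_NAMES[] = { "alert", "log", "pass", "activate", "dynamic" };

/* One detection-result message as the detection core stores it in ToBeProcessed_RingBuffer. */
typedef struct {
    uint64_t ts_us;         /* timestamp (microseconds, constructed) */
    char     pkt_info[48];  /* packet information: 5-tuple as text */
    int      rule_id;       /* match information: index of the matching rule, -1 if none */
    char     match_msg[64]; /* match information: the rule's message */
    action_t action;        /* processing action */
} det_msg_t;

/* Fixed-capacity ring with a power-of-two size; head/tail are free-running counters.
 * Single-threaded stand-in: a producer and consumer on different cores would need the
 * memory barriers that DPDK's rte_ring supplies. */
#define RING_CAP 8
typedef struct { det_msg_t slot[RING_CAP]; unsigned head, tail; } ring_t;

static bool ring_push(ring_t *r, const det_msg_t *m) {
    if (r->tail - r->head == RING_CAP) return false;   /* full: producer must count the drop */
    r->slot[r->tail & (RING_CAP - 1)] = *m;
    r->tail++;
    return true;
}
static bool ring_pop(ring_t *r, det_msg_t *out) {
    if (r->tail == r->head) return false;              /* empty */
    *out = r->slot[r->head & (RING_CAP - 1)];
    r->head++;
    return true;
}

/* Detection-core side (S234): pack a result into a message and enqueue it. */
static bool enqueue_result(ring_t *r, uint64_t ts, const char *pkt, int rule_id,
                           const char *msg, action_t act) {
    det_msg_t m; memset(&m, 0, sizeof m);
    m.ts_us = ts; m.rule_id = rule_id; m.action = act;
    snprintf(m.pkt_info, sizeof m.pkt_info, "%s", pkt);
    snprintf(m.match_msg, sizeof m.match_msg, "%s", msg);
    return ring_push(r, &m);
}

/* Output-core side (S321): one system-log line with timestamp, packet, match and action. */
static int format_log_line(const det_msg_t *m, char *out, size_t n) {
    return snprintf(out, n, "%llu %s rule=%d msg=\"%s\" action=%s",
                    (unsigned long long)m->ts_us, m->pkt_info, m->rule_id,
                    m->match_msg, ACTION_NAMES[m->action]);
}

/* Assumption of this example: a packet is "illegal" when a rule matched it and
 * that rule's action is alert. */
static bool is_illegal(const det_msg_t *m) { return m->rule_id >= 0 && m->action == ACT_ALERT; }

#define MAX_OUT 16
typedef struct {
    char      log[MAX_OUT][160]; int n_log;      /* lines written to the system log */
    det_msg_t report[MAX_OUT];   int n_report;   /* messages handed to the control core (S322) */
} output_pass_t;

/* One timer tick of the output core (S32): drain the ring, log everything, report illegal packets. */
static void output_core_pass(ring_t *r, output_pass_t *o) {
    det_msg_t m;
    while (ring_pop(r, &m)) {
        if (o->n_log < MAX_OUT)
            format_log_line(&m, o->log[o->n_log++], sizeof o->log[0]);
        if (is_illegal(&m) && o->n_report < MAX_OUT)
            o->report[o->n_report++] = m;   /* message information + action information for the Agent */
    }
}

/* Constructed scenario: three detection results for three packets, then one output-core tick. */
void run_demo(output_pass_t *o) {
    ring_t ring; memset(&ring, 0, sizeof ring);
    memset(o, 0, sizeof *o);
    enqueue_result(&ring, 1000, "10.0.0.5:50000->10.0.0.80:80 tcp", 0, "path traversal probe", ACT_ALERT);
    enqueue_result(&ring, 1001, "10.0.0.7:40000->10.0.0.22:22 tcp", 1, "ssh session", ACT_LOG);
    enqueue_result(&ring, 1002, "10.0.0.9:33000->10.0.0.80:80 tcp", -1, "", ACT_PASS);
    output_core_pass(&ring, o);
}

int main(void) {
    output_pass_t o;
    run_demo(&o);
    for (int i = 0; i < o.n_log; i++) puts(o.log[i]);
    printf("%d message(s) reported to the control core\n", o.n_report);   /* 1 */
    return 0;
}
```

Two points the fixed ring makes visible: ring_push returns false when the output core falls behind, and a detection core must count those drops rather than block, or the output timer's period becomes the capture bottleneck; and the log line is formatted on the output core, so the per-packet cost on the detection core is one struct copy.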
The software intrusion detection system and method proposed in the embodiments of the present invention described above are lightweight and purely software-based, can be deployed flexibly and scale well; the DPDK zero-copy packet receiving mechanism, with multiple network cards and multiple queues cooperating to receive network packets, effectively raises the packet capture rate; the DPDK multi-core mechanism, with the captured data streams decoded, classified and pattern-matched, effectively raises the efficiency of intrusion detection and adapts well to high-throughput network environments; and the control interface opened to the upper layer provides controllability and good compatibility with virtualization and cloud computing platforms.
Finally, the methods of the present application are only preferred embodiments and are not intended to limit the scope of the present invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (10)
1. A software intrusion detection system, characterized by comprising three levels: a control core, detection cores and an output core, wherein
the control core interacts with an upper-layer controller and manages the information produced by the detection cores and the output core;
the detection core acquires and parses packets based on DPDK, and performs detection matching on the parsed packets by traversing a rule base;
the output core periodically records the detection match results obtained by the detection core to a system log, and encapsulates the illegal packet information identified from the detection match results and reports it to the control core.
2. The system according to claim 1, characterized in that the detection core further comprises: a data acquisition module and a detection matching module; wherein
the data acquisition module, based on the DPDK zero-copy packet receiving mechanism, binds multiple network cards and multiple queues that cooperate to capture packets, and parses the packets;
the detection matching module traverses the preprocessor plugins to preprocess the parsed packets; and, based on the DPDK multi-core mechanism, traverses the rule base to scan and match the preprocessed packets, obtaining the detection match result of each packet; the detection match result is packed into a message in a fixed format and stored in a to-be-processed buffer for the output core to process;
wherein the detection match result includes: packet information, match information, alert information and action information.
3. The system according to claim 1, characterized in that the output core further comprises: a logger module and a match information reporting module; wherein
the logger module periodically traverses the to-be-processed buffer and records the detection match results of the packets stored in it to the system log;
the match information reporting module encapsulates, according to the OpenSecurity protocol, the message information and action information of the illegal packets identified from the detection match results, and transmits the encapsulated illegal packets to the control core;
wherein the content recorded to the system log includes: timestamp, message information, match information and processing action.
4. The system according to claim 1, characterized in that the control core further comprises: an Agent module, a detection core management module, a rule database management module, a log management module and an output core management module; wherein
the Agent module interacts with the controller over a socket using an agreed messaging protocol, the exchanged content including: registration information, received rules and uploaded suspicious information;
the detection core management module initializes and manages the detection cores;
the rule database management module receives the rules delivered by the Agent module, manages the rule base, and cooperates with the detection matching module of the detection core;
the log management module manages the log information produced by the logger module of the output core;
the output core management module initializes and manages the output core.
5. A software intrusion detection method based on the system of any one of claims 1-4, characterized by comprising the following steps:
S1, initializing the control core, the detection cores and the output core respectively;
S2, the detection core acquiring and parsing packets based on DPDK, and performing detection matching on the parsed packets by traversing the rule base;
S3, the output core periodically recording the detection match results obtained by the detection core to the system log, and encapsulating the illegal packet information identified from the detection match results and reporting it to the control core.
6. The method according to claim 5, characterized in that initializing the control core in step S1 further comprises:
S111, parsing the command line parameters and the DPDK configuration file;
S112, initializing the Agent module;
S113, encapsulating the number of detection cores, the number of output cores, the number of network cards, the number of to-be-processed buffers and the data plane IP information, and initiating a registration request to the controller;
S114, receiving and parsing the rule configuration file delivered by the controller;
S115, initializing the DPDK environment abstraction layer;
S116, initializing the ring buffers, wherein the ring buffers include: an instruction buffer, a statistics buffer and a to-be-processed buffer;
S117, configuring RSS (Receive Side Scaling) to ensure that different packets belonging to the same flow are sent to the same core;
S118, configuring the transmit queues and receive queues, wherein one transmit queue is configured per network card and the number of receive queues equals the number of cores;
S119, registering a first timer, used by the control core to periodically check the statistics buffer and determine whether the statistics in it need to be updated.
7. The method according to claim 5, characterized in that initializing the detection core in step S1 further comprises:
S121, copying the rule base, and registering, loading and configuring the preprocessor plugins;
S122, registering a second timer, used by the detection core to periodically check the instruction buffer and determine whether an instruction has been received from the controller.
8. The method according to claim 5, characterized in that initializing the output core in step S1 further comprises:
S131, initializing the output plugins;
S132, registering a third timer, used by the output core to periodically check the instruction buffer and determine whether an instruction has been received from the controller.
9. The method according to claim 5, characterized in that step S2 further comprises performing the following steps in a loop:
S21, if a signal to synchronize statistics is received, synchronizing the statistics;
S22, if the second timer has expired, extracting the instruction sent by the controller from the instruction buffer, parsing the instruction and executing the corresponding handler;
S23, traversing the bound receive queues and, for each receive queue, extracting the packets in that queue and performing the following operations on every packet:
S231, decoding and analyzing the packet;
S232, traversing the preprocessor plugins to preprocess the decoded packet;
S233, traversing the rule base to perform detection matching on the preprocessed packet, obtaining the detection match result of the packet;
S234, packing the detection match result into a message in a fixed format and storing it in the to-be-processed buffer for the output core to process; wherein the detection match result includes: packet information, match information, alert information and action information.
10. The method according to claim 5, characterized in that step S3 further comprises performing the following steps in each iteration of a while loop:
S31, if the third timer has expired, extracting an instruction from the instruction buffer, parsing it and executing the corresponding handler;
S32, traversing every message in the to-be-processed buffer and performing the following operations on each message:
S321, parsing the message, passing its content to the log management module, and having the log management module periodically record it to the system log, wherein the recorded content includes: timestamp, message information, match information and processing action;
S322, if the packet is identified as illegal from the detection match result, encapsulating the message information and action information of the illegal packet according to the OpenSecurity protocol, passing the encapsulated illegal packet to the output core management module, and then passing it to the controller through the Agent module.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710279176.9A CN107181738B (en) | 2017-04-25 | 2017-04-25 | Software intrusion detection system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107181738A true CN107181738A (en) | 2017-09-19 |
CN107181738B CN107181738B (en) | 2020-09-11 |
Family
ID=59830905
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710279176.9A Active CN107181738B (en) | 2017-04-25 | 2017-04-25 | Software intrusion detection system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107181738B (en) |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107911237A (en) * | 2017-11-10 | 2018-04-13 | 南京邮电大学 | Data packet quick determination method in a kind of user's space based on DPDK |
CN108632110A (en) * | 2018-03-23 | 2018-10-09 | 广州网测科技有限公司 | Equipment performance test method, system, computer equipment and storage medium |
CN109451045A (en) * | 2018-12-12 | 2019-03-08 | 成都九洲电子信息系统股份有限公司 | A kind of high-speed message acquisition network card control method can configure customized Ethernet header |
CN109495504A (en) * | 2018-12-21 | 2019-03-19 | 东软集团股份有限公司 | A kind of firewall box and its message processing method and medium |
CN110138797A (en) * | 2019-05-27 | 2019-08-16 | 北京知道创宇信息技术股份有限公司 | A kind of message processing method and device |
CN110798366A (en) * | 2018-08-01 | 2020-02-14 | 阿里巴巴集团控股有限公司 | Task logic processing method, device and equipment |
CN110995678A (en) * | 2019-11-22 | 2020-04-10 | 北京航空航天大学 | Industrial control network-oriented efficient intrusion detection system |
CN113132349A (en) * | 2021-03-12 | 2021-07-16 | 中国科学院信息工程研究所 | Agent-free cloud platform virtual flow intrusion detection method and device |
CN113157447A (en) * | 2021-04-13 | 2021-07-23 | 中南大学 | RPC load balancing method based on intelligent network card |
CN113765785A (en) * | 2021-08-19 | 2021-12-07 | 东北大学 | DPDK-based novel multi-path transmission scheme |
CN114189368A (en) * | 2021-11-30 | 2022-03-15 | 华中科技大学 | Multi-inference engine compatible real-time flow detection system and method |
CN114866332A (en) * | 2022-06-08 | 2022-08-05 | 上海百功半导体有限公司 | Lightweight intrusion detection system and method for optical communication equipment |
CN114900347A (en) * | 2022-04-28 | 2022-08-12 | 重庆长安汽车股份有限公司 | Ethernet-based intrusion detection method and data packet distribution method |
US11526602B2 (en) * | 2017-12-05 | 2022-12-13 | Audi Ag | Data-processing device, complete entity, and method for operating a data-processing device or complete entity |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1668015A (en) * | 2004-12-20 | 2005-09-14 | 华中科技大学 | Cooperative intrusion detection based large-scale network security defense system |
CN101409623A (en) * | 2008-11-26 | 2009-04-15 | 湖南大学 | Mode matching method facing to high speed network |
US20100146623A1 (en) * | 2008-10-31 | 2010-06-10 | Namjoshi Kedar S | Method and apparatus for pattern matching for intrusion detection/prevention systems |
CN101841470A (en) * | 2010-03-29 | 2010-09-22 | 东南大学 | High-speed capturing method of bottom-layer data packet based on Linux |
CN105516091A (en) * | 2015-11-27 | 2016-04-20 | 武汉邮电科学研究院 | Secure flow filter and filtering method based on software defined network (SDN) controller |
CN105577567A (en) * | 2016-01-29 | 2016-05-11 | 国家电网公司 | Network data packet parallel processing method based on Intel DPDK |
2017
- 2017-04-25 CN CN201710279176.9A patent/CN107181738B/en active Active
Non-Patent Citations (2)
Title |
---|
HONEYICS: CSDN, https://blog.csdn.net/youjianzhou/article/details/52411881, 2 September 2016 * |
刘峰飞: "Research on a Snort Intrusion Detection System Based on Data Mining", China Master's Theses Full-text Database, Information Science and Technology, 2008, No. 06 * |
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107911237B (en) * | 2017-11-10 | 2021-05-04 | 南京邮电大学 | DPDK-based rapid detection method for data packets in user space |
CN107911237A (en) * | 2017-11-10 | 2018-04-13 | 南京邮电大学 | Data packet quick determination method in a kind of user's space based on DPDK |
US11526602B2 (en) * | 2017-12-05 | 2022-12-13 | Audi Ag | Data-processing device, complete entity, and method for operating a data-processing device or complete entity |
CN108632110A (en) * | 2018-03-23 | 2018-10-09 | 广州网测科技有限公司 | Equipment performance test method, system, computer equipment and storage medium |
CN108632110B (en) * | 2018-03-23 | 2020-06-19 | 北京网测科技有限公司 | Device performance testing method, system, computer device and storage medium |
CN110798366A (en) * | 2018-08-01 | 2020-02-14 | 阿里巴巴集团控股有限公司 | Task logic processing method, device and equipment |
CN110798366B (en) * | 2018-08-01 | 2023-02-24 | 阿里巴巴集团控股有限公司 | Task logic processing method, device and equipment |
CN109451045A (en) * | 2018-12-12 | 2019-03-08 | 成都九洲电子信息系统股份有限公司 | A kind of high-speed message acquisition network card control method can configure customized Ethernet header |
CN109495504A (en) * | 2018-12-21 | 2019-03-19 | 东软集团股份有限公司 | A kind of firewall box and its message processing method and medium |
CN110138797B (en) * | 2019-05-27 | 2021-12-14 | 北京知道创宇信息技术股份有限公司 | Message processing method and device |
CN110138797A (en) * | 2019-05-27 | 2019-08-16 | 北京知道创宇信息技术股份有限公司 | A kind of message processing method and device |
CN110995678B (en) * | 2019-11-22 | 2021-07-23 | 北京航空航天大学 | Industrial control network-oriented efficient intrusion detection system |
CN110995678A (en) * | 2019-11-22 | 2020-04-10 | 北京航空航天大学 | Industrial control network-oriented efficient intrusion detection system |
CN113132349A (en) * | 2021-03-12 | 2021-07-16 | 中国科学院信息工程研究所 | Agent-free cloud platform virtual flow intrusion detection method and device |
CN113157447A (en) * | 2021-04-13 | 2021-07-23 | 中南大学 | RPC load balancing method based on intelligent network card |
CN113157447B (en) * | 2021-04-13 | 2023-08-29 | 中南大学 | RPC load balancing method based on intelligent network card |
CN113765785A (en) * | 2021-08-19 | 2021-12-07 | 东北大学 | DPDK-based novel multi-path transmission scheme |
CN113765785B (en) * | 2021-08-19 | 2022-07-05 | 东北大学 | DPDK-based multipath transmission method |
CN114189368A (en) * | 2021-11-30 | 2022-03-15 | 华中科技大学 | Multi-inference engine compatible real-time flow detection system and method |
CN114189368B (en) * | 2021-11-30 | 2023-02-14 | 华中科技大学 | Multi-inference engine compatible real-time flow detection system and method |
CN114900347A (en) * | 2022-04-28 | 2022-08-12 | 重庆长安汽车股份有限公司 | Ethernet-based intrusion detection method and data packet distribution method |
CN114900347B (en) * | 2022-04-28 | 2023-04-14 | 重庆长安汽车股份有限公司 | Ethernet-based intrusion detection method and data packet distribution method |
CN114866332A (en) * | 2022-06-08 | 2022-08-05 | 上海百功半导体有限公司 | Lightweight intrusion detection system and method for optical communication equipment |
Also Published As
Publication number | Publication date |
---|---|
CN107181738B (en) | 2020-09-11 |
Similar Documents
Publication | Title |
---|---|
CN107181738A (en) | A kind of software implementation intruding detection system and method |
US11750653B2 (en) | Network intrusion counter-intelligence |
Jamshed et al. | mOS: A Reusable Networking Stack for Flow Monitoring Middleboxes |
US7415723B2 (en) | Distributed network security system and a hardware processor therefor |
US7685254B2 (en) | Runtime adaptable search processor |
CN102739473B (en) | Network detecting method using intelligent network card |
CN107682312A (en) | A kind of security protection system and method |
US20120117610A1 (en) | Runtime adaptable security processor |
EP3465987B1 (en) | Logging of traffic in a computer network |
KR20210087399A (en) | Security for container networks |
Bos et al. | Towards software-based signature detection for intrusion prevention on the network card |
Wang et al. | Design and implementation of an intrusion detection system by using extended BPF in the Linux kernel |
De Bruijn et al. | Safecard: a gigabit ips on the network card |
CN115086021A (en) | Campus network intrusion detection method, device, equipment and storage medium |
Peng | Research of network intrusion detection system based on snort and NTOP |
Schuff et al. | Design alternatives for a high-performance self-securing ethernet network interface |
CN116458120A (en) | Protecting network resources from known threats |
Chen et al. | Evolving switch architecture toward accommodating in-network intelligence |
CN112637244A (en) | Threat detection method for common and industrial control protocols and ports |
Dhaka et al. | Application layer proxy detection, prevention with predicted load optimization |
Watanabe et al. | Performance of network intrusion detection cluster system |
Goodgion | Active Response Using Host-Based Intrusion Detection System and Software-Defined Networking |
Bonafiglia | Improving the performance of Virtualized Network Services based on NFV and SDN. |
Gogunska | Study of the cost of measuring virtualized networks |
Ognibene | Toward efficient DDoS detection with eBPF |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |