CN107181738A - A kind of software implementation intruding detection system and method - Google Patents


Info

Publication number: CN107181738A
Authority: CN (China)
Prior art keywords: core, detection, packet, message, output
Legal status: Granted (Google notes that the legal status is an assumption, not a legal conclusion)
Application number: CN201710279176.9A
Other languages: Chinese (zh)
Other versions: CN107181738B (en)
Inventors: 杨慧然, 刘超玲, 张棪, 于光喜, 韩言妮, 陈鑫, 崔华俊
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
Application filed by: Institute of Information Engineering of CAS
Priority to: CN201710279176.9A
Publication of CN107181738A; application granted and published as CN107181738B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements


Abstract

The present invention provides a software-implemented intrusion detection system and method. The system comprises three layers: a control core, a detection core and an output core. The control core interacts with an upper-layer controller and manages the information produced by the detection core and the output core. The detection core captures and parses packets on the basis of DPDK and traverses a rule base to perform detection matching on the parsed packets. The output core periodically records the detection matching results obtained by the detection core to the system log, and encapsulates the illegal-packet information identified from those results and reports it to the control core. The system and method provided by the present invention are flexible to deploy and scale well; they reduce packet copying, keep packets on the core that received them (core affinity), and markedly improve packet processing capacity; they expose a control interface to the upper layer, which provides controllability, and they are well compatible with virtualization and cloud computing platforms.

Description

A kind of software implementation intruding detection system and method
Technical field
The present invention relates to the technical field of security monitoring, and in particular to a software-implemented intrusion detection system and method.
Background technology
An intrusion detection system (IDS) is a software application or hardware device for monitoring malicious events in a network or computer. It continuously monitors network traffic, discovers abnormal behaviour in system activity that violates the security policy together with signs of attack, and generates a system log for the administrative unit, so that intrusions or attacks can be responded to and handled in a timely manner.
Traditional intrusion detection systems include hardware intrusion detection systems and software-implemented intrusion detection systems. A hardware intrusion detection system is generally built from hardware, manufactured and developed by a specialist equipment vendor, and relies on the cooperative operation of several devices and software. Hardware IDS products are at present divided into two broad classes by the source of their input data: host-based IDS (HIDS) and network-based IDS (NIDS).
A host-based intrusion detection system mainly performs intelligent analysis and judgement of the host's real-time network connections and audit logs; major products include ISS RealSecure OS Sensor and EMERALD eXpert-BSM. A network-based intrusion detection system is deployed on important network segments and performs feature analysis on every packet or on suspicious packets; major products include ISS RealSecure Network Sensor, Cisco Secure IDS, China United Green League's "Ice Eye" intrusion detection system, Kingnet Security KIDS, Hisense's "Cobra" intrusion detection system and Netpower's "Sky Eye" network intrusion detection system.
Besides hardware intrusion detection systems, there is also much intrusion detection software. Common intrusion detection software includes iptables, Snort, Suricata and pfSense. Among them, Snort is the most widely used open-source intrusion detection system. Snort is a packet sniffer based on libpcap and is also a lightweight network intrusion detection system (NIDS). It performs content pattern matching on the basis of rules and logging, detecting various attacks and probes such as buffer overflows, stealth port scans, CGI attacks and SMB probes.
The prior art has the following problems. A traditional hardware intrusion detection system is generally developed by a specialist company, requires dedicated hardware, and needs different hardware and software to cooperate in processing, so its extensibility is poor. In addition, the equipment is expensive, deployment is inflexible, and considerable manpower and material resources are required. Common open-source intrusion detection software overcomes the defects of traditional hardware intrusion detection systems but has a prominent performance problem. Taking Snort NIDS as an example, it captures packets through libpcap, whose processing efficiency is low and cannot meet the high-throughput network demands of existing cloud computing platforms. In addition, Snort NIDS uses a single thread for packet detection and processing, which also severely affects and limits its performance. Moreover, traditional intrusion detection systems are insufficiently controllable. Taking Snort NIDS as an example again, packets are detected and protected by configuring a static rule file; suspicious traffic cannot be monitored in real time, nor can the rule file be modified in real time. Existing intrusion detection systems have not adapted to the development of switching technology and high-speed networks, and under heavy traffic conditions the intrusion detection system drops packets severely or even becomes paralysed.
Summary of the invention
The present invention provides a software-implemented intrusion detection system and method that can solve the problems of existing intrusion detection systems: poor extensibility, inflexible deployment, poor performance and poor controllability, and inability to adapt to the development of switching technology and high-speed networks.
Several terms are explained first:
DPDK: Data Plane Development Kit;
RSS: Receive-Side Scaling.
According to one aspect of the present invention, a software-implemented intrusion detection system is provided, comprising three layers: a control core, a detection core and an output core, wherein
the control core is configured to interact with an upper-layer controller and to manage the information produced by the detection core and the output core;
the detection core is configured to capture and parse packets on the basis of DPDK, and to traverse a rule base to perform detection matching on the parsed packets;
the output core is configured to periodically record the detection matching results obtained by the detection core to the system log, and to encapsulate the illegal-packet information identified from the detection matching results and report it to the control core.
The detection core further comprises a data acquisition module and a detection matching module, wherein
the data acquisition module is configured to use the DPDK zero-copy packet receiving mechanism to bind multiple network cards and multiple queues that cooperatively capture packets, and to parse the packets;
the detection matching module is configured to traverse the preprocessing plug-ins to preprocess the parsed packets and, on the basis of the DPDK multi-core mechanism, to traverse the rule base to scan and match the preprocessed packets and obtain the detection matching result of each packet; the detection matching result is packed into a message in a fixed format and stored in a to-be-processed buffer for processing by the output core; the detection matching result includes packet information, match information, alert information and action information.
The output core further comprises a logging module and a match information reporting module, wherein
the logging module is configured to periodically traverse the to-be-processed buffer and record the detection matching results of the packets stored in it to the system log;
the match information reporting module is configured to encapsulate, according to the OpenSecurity protocol, the message information and action information of the illegal packets identified from the detection matching results, and to pass the encapsulated illegal packets to the control core;
wherein the content recorded to the system log includes a timestamp, message information, match information and processing action.
The control core further comprises an Agent module, a detection core management module, a rule base management module, a log management module and an output core management module, wherein
the Agent module is configured to interact with the controller through a socket and an agreed messaging protocol, the interaction including registration information, receiving rules and uploading suspicious information;
the detection core management module is configured to initialize and manage the detection core;
the rule base management module is configured to receive the rules issued by the Agent module, manage the rule base, and cooperate with the detection matching module of the detection core;
the log management module is configured to manage the log information produced by the logging module of the output core;
the output core management module is configured to initialize and manage the output core.
According to another aspect of the present invention, a software-implemented intrusion detection method based on the above software-implemented intrusion detection system is provided, comprising the following steps:
S1: initializing the control core, the detection core and the output core respectively;
S2: the detection core capturing and parsing packets on the basis of DPDK, and traversing the rule base to perform detection matching on the parsed packets;
S3: the output core periodically recording the detection matching results obtained by the detection core to the system log, and encapsulating the illegal-packet information identified from the detection matching results and reporting it to the control core.
Initializing the control core in step S1 further comprises:
S111: parsing the command-line parameters and the DPDK configuration file;
S112: initializing the Agent module;
S113: encapsulating the number of detection cores, the number of output cores, the number of network cards, the number of to-be-processed buffers and the data-plane IP information, and initiating a registration request to the controller;
S114: receiving and parsing the rule configuration file issued by the controller;
S115: initializing the DPDK environment abstraction layer;
S116: initializing the ring buffers, which include an instruction buffer, a statistics buffer and a to-be-processed buffer;
S117: configuring RSS (Receive-Side Scaling) so that different packets belonging to the same flow are delivered to the same core;
S118: configuring the transmit and receive queues, with one transmit queue per network card and a number of receive queues equal to the number of cores;
S119: registering a first timer, used by the control core to periodically check the statistics buffer and determine whether the statistics in it need to be updated.
Initializing the detection core in step S1 further comprises:
S121: copying the rule base, and registering, loading and configuring the preprocessing plug-ins;
S122: registering a second timer, used by the detection core to periodically check the instruction buffer and determine whether an instruction sent by the controller has been received.
Initializing the output core in step S1 further comprises:
S131: initializing the output plug-ins;
S132: registering a third timer, used by the output core to periodically check the instruction buffer and determine whether an instruction sent by the controller has been received.
Step S2 further comprises performing the following steps in a loop:
S21: if a signal to synchronize statistics is received, synchronizing the statistics;
S22: if the second timer has expired, extracting the instruction sent by the controller from the instruction buffer, parsing the instruction and executing the corresponding handler;
S23: traversing the bound receive queues, extracting the packets in each receive queue, and performing the following operations on every packet:
S231: decoding and analysing the packet;
S232: traversing the preprocessing plug-ins to preprocess the decoded packet;
S233: traversing the rule base to perform detection matching on the preprocessed packet and obtain its detection matching result;
S234: packing the detection matching result into a message in a fixed format and storing it in the to-be-processed buffer for processing by the output core; the detection matching result includes packet information, match information, alert information and action information.
Step S3 further comprises performing the following steps in each iteration of a while loop:
S31: if the third timer has expired, extracting the instruction from the instruction buffer, parsing it and executing the corresponding handler;
S32: traversing every message in the to-be-processed buffer and performing the following operations on each message:
S321: parsing the message and passing its content to the log management module, which periodically records it to the system log; the recorded content includes a timestamp, message information, match information and processing action;
S322: if the detection matching result shows that the packet is an illegal packet, encapsulating the message information and action information of the illegal packet according to the OpenSecurity protocol, passing the encapsulated illegal packet to the output core management module, and then passing it to the controller through the Agent module.
Compared with the prior art, the software-implemented intrusion detection system and method proposed by the present invention have the following beneficial effects: they are lightweight and purely software, can be deployed flexibly and extend well; the DPDK zero-copy packet receiving mechanism, with multiple network cards and multiple queues cooperatively receiving network packets, effectively improves the packet capture rate; decoding, classifying and pattern-matching the collected data streams with the DPDK multi-core mechanism effectively improves intrusion detection efficiency and adapts better to high-throughput network environments; and the control interface exposed to the upper layer provides controllability and better compatibility with virtualization and cloud computing platforms.
Brief description of the drawings
Fig. 1 is an architecture diagram of a software-implemented intrusion detection system provided according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a software-implemented intrusion detection method provided according to another embodiment of the present invention;
Fig. 3 is a schematic diagram of the initialization process of a software-implemented intrusion detection system provided according to another embodiment of the present invention;
Fig. 4 is a schematic diagram of the packet processing flow of a software-implemented intrusion detection method provided according to another embodiment of the present invention.
Embodiments
The embodiments of the present invention are described in further detail below with reference to the drawings and examples. The following embodiments are used to illustrate the present invention but do not limit its scope.
As shown in Fig. 1, the architecture of a software-implemented intrusion detection system provided by an embodiment of the present invention comprises a control core 1, a detection core 2 and an output core 3, wherein
the control core 1 is configured to interact with an upper-layer controller and to manage the information produced by the detection core 2 and the output core 3;
the detection core 2 is configured to capture and parse packets on the basis of DPDK, and to traverse the rule base to perform detection matching on the parsed packets;
the output core 3 is configured to periodically record the detection matching results obtained by the detection core 2 to the system log, and to encapsulate the illegal-packet information identified from the detection matching results and report it to the control core 1.
The software-implemented intrusion detection system provided by the embodiment of the present invention takes the Snort NIDS intrusion detection system as its reference and redesigns and re-implements it on the basis of DPDK. DPDK is an open-source data plane development kit provided by Intel, which supplies library functions and driver support for efficient user-space packet processing on IA processor architectures. Specifically, the software-implemented intrusion detection system provided by the embodiment comprises three layers:
The control core 1 is responsible for interacting with the upper-layer controller and for managing the detection core 2 and the output core 3. The interaction with the controller includes receiving user configuration and sending the configuration parameters to the detection core 2 and the output core 3, reporting suspicious information to the controller, and uploading registration information to the controller. Managing the information produced by the detection core 2 and the output core 3 includes managing the initialization of the detection core 2 and the output core 3, configuring the rule base in the detection core 2, and recording the information output by the output core 3 into the system log or saving it to a database.
The detection core 2 uses the DPDK zero-copy packet receiving mechanism, binds multiple network cards and multiple queues to capture network packets, and decodes and analyses the received packets with the packet decoder; it then traverses the preprocessing plug-ins to preprocess the decoded packets; on the basis of the DPDK multi-core mechanism, the features present in a preprocessed packet are analysed and the features obtained are matched one by one against the rules in the rule base; when a feature matches a rule in the rule base, the packet is known to contain intrusion behaviour and is illegal. The rule base is a set of detection rules written according to the Snort rule format specification. The detection core 2 packs the detection matching results of all packets into messages in a fixed format and stores them in a cache for the output core 3 to process. The detection matching result indicates whether a matching rule entry exists when the rule base is traversed: if a matching rule entry exists, the packet is illegal, and the matched rule entry, the action information and alert information contained in it, and the message information of the packet itself are packed and stored in the cache; if no rule entry matches, the flag in the match information can be set to 0, and the alert information and action information fields are left empty.
The output core 3 periodically records the detection matching results of the packets obtained by the detection core 2 to the system log, and reports the illegal packets identified from the detection matching results to the control core 1 after encapsulation; the control core 1 in turn passes the encapsulated illegal packets on to the controller. The output core 3 records the detection matching results of all captured packets to the system log; the recorded content is determined by the detection matching result and includes a timestamp, message information, match information and processing action. The illegal packets identified by detection matching are encapsulated by the output core 3 and uploaded to the control core 1.
The software-implemented intrusion detection system provided by the embodiment of the present invention is flexible to deploy and scales well; with reduced packet copying and core affinity it provides high-performance packet capture and detection capability, and it exposes a control interface to the upper layer, which provides controllability and compatibility with virtualization and cloud computing platforms.
In another embodiment of the present invention, on the basis of the above embodiment, the detection core 2 comprises a data acquisition module 21 and a detection matching module 22, wherein
the data acquisition module 21 is configured to use the DPDK zero-copy packet receiving mechanism to bind multiple network cards and multiple queues that cooperatively capture packets, and to parse the packets;
the detection matching module 22 is configured to traverse the preprocessing plug-ins to preprocess the parsed packets and, on the basis of the DPDK multi-core mechanism, to traverse the rule base to scan and match the preprocessed packets and obtain their detection matching results; the detection matching results are packed into messages in a fixed format and stored in the to-be-processed buffer for the output core 3 to process;
wherein the detection matching result includes packet information, match information, alert information and action information.
Specifically, Snort NIDS filters, buffers and copies packets through the libpcap sniffer and delivers them to each application buffer. In this process a packet travels from the network to kernel space and from kernel space to user space, so it is copied twice. In the embodiment of the present invention, zero-copy of packets is achieved through the DPDK zero-copy packet receiving mechanism, which means: the DPDK environment abstraction layer shields the operating system kernel and the underlying network card I/O operations, that is, I/O bypasses the kernel and the protocol stack, packets are stored directly from the network into the cache, and the decoding and analysis of packets is carried out in kernel mode, which avoids frequent context switching and effectively avoids the performance problems caused by frequent copying of packets in memory. Binding multiple network cards and multiple queues to cooperatively capture packets means binding each queue of multiple network cards to a different processor core so that the cores cooperatively capture packets; each core independently processes the packets that arrive on its queue, which reduces the overhead of transferring packets between cores, and the processing capacity can be expanded flexibly by changing the number of cores, meeting packet capture demands under heavy traffic. The network card driver assigns a corresponding interrupt number to each receive queue, and by balancing the interrupts or setting interrupt affinity, the queues are bound to different cores. Parsing the packet means decoding and analysing it, that is, decoding the packet into the message structure defined by Snort for subsequent analysis.
Specifically, traversing the preprocessing plug-ins to preprocess the parsed packets means checking the parsed packets with the preprocessing plug-ins to find suspicious "behaviour" in them; the preprocessed packets then undergo rule-matching detection. The functions implemented by the preprocessing plug-ins mainly include: plug-ins that simulate TCP/IP stack functions, such as the IP fragment reassembly and TCP stream reassembly plug-ins; decoding plug-ins, such as the http, unicode, rpc and telnet decoding plug-ins; and plug-ins used for attack detection that rule matching cannot perform, such as the port scan plug-in, the Spade anomaly intrusion detection plug-in, the bo detection plug-in and the arp spoofing detection plug-in. The preprocessing plug-ins can be configured flexibly according to actual needs.
Traversing the rule base on the basis of the DPDK multi-core mechanism to scan and match the preprocessed packets means that each core independently processes the packets that arrive at it, analyses the features present in the preprocessed packet, traverses the rule base, and matches the features obtained one by one against the rules in the rule base; when a feature matches a rule in the rule base, the packet is judged to contain intrusion behaviour, that is, the packet is illegal.
The rules in the rule base conform to the Snort rule format specification. A Snort rule is divided into two logical parts: the rule header and the rule options. The rule header contains the rule action, the protocol, the source and destination IP addresses with their netmasks, the source and destination port information, and the direction operator; the rule options contain the alert message content and the specific parts of the packet to be inspected, and consist of option keywords and their parameters.
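The rule layout just described, as an added example (not code from the patent or from Snort): a small C parser for the header and for the msg and content options of one rule, and a first-match traversal of a rule base that yields the detection matching result the patent describes (match flag, action, alert message), with the flag left at 0 and the other fields empty when no rule matches. The simplified address, port and option handling is an assumption.

```c
/* Added example, not code from the patent: a minimal parser for the Snort-style rule
 * layout the patent describes (header: action, protocol, source/destination address and
 * netmask, ports, direction operator; options: keyword:parameter) and a first-match
 * detector that returns the patent's "detection matching result". Assumptions: only the
 * msg and content options are read; addresses are "any" or IPv4 with optional /prefix. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char action[8], proto[8];                      /* e.g. "alert", "tcp" */
    uint32_t src_ip, src_mask, dst_ip, dst_mask;   /* mask 0 encodes "any" */
    int src_port, dst_port;                        /* -1 encodes "any" */
    int bidir;                                     /* direction operator "<>" */
    char msg[64], content[64];                     /* alert text, payload substring */
} rule_t;

typedef struct {                                   /* decoded packet fields for matching */
    const char *proto, *payload;
    uint32_t src_ip, dst_ip;
    int src_port, dst_port;
} packet_t;

typedef struct {                                   /* matched == 0: alert/action stay empty */
    int matched;
    char action[8], msg[64];
} match_result_t;
/* "any" -> mask 0; "10.0.0.0/8" -> network and mask; "1.2.3.4" -> /32 */
static int parse_addr(const char *s, uint32_t *ip, uint32_t *mask) {
    unsigned a, b, c, d, prefix = 32;
    if (strcmp(s, "any") == 0) { *ip = 0; *mask = 0; return 0; }
    if (sscanf(s, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &prefix) < 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255 || prefix > 32) return -1;
    *ip = (a << 24) | (b << 16) | (c << 8) | d;
    *mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    return 0;
}

static int parse_port(const char *s) { return strcmp(s, "any") == 0 ? -1 : atoi(s); }
/* Copy the quoted value of key:"..." from the option section into out ("" if absent). */
static void parse_option(const char *opts, const char *key, char out[64]) {
    char pat[32];
    const char *p;
    out[0] = '\0';
    snprintf(pat, sizeof pat, "%s:\"", key);
    if ((p = strstr(opts, pat)) != NULL) (void)sscanf(p + strlen(pat), "%63[^\"]", out);
}

/* Parse one rule line into r; 0 on success, -1 on a malformed header. */
int parse_rule(const char *line, rule_t *r) {
    char src[32], sport[16], dir[4], dst[32], dport[16];
    const char *opts = strchr(line, '(');
    memset(r, 0, sizeof *r);
    if (sscanf(line, "%7s %7s %31s %15s %3s %31s %15s",
               r->action, r->proto, src, sport, dir, dst, dport) != 7) return -1;
    if (strcmp(dir, "->") != 0 && strcmp(dir, "<>") != 0) return -1;
    r->bidir = strcmp(dir, "<>") == 0;
    if (parse_addr(src, &r->src_ip, &r->src_mask) || parse_addr(dst, &r->dst_ip, &r->dst_mask))
        return -1;
    r->src_port = parse_port(sport);
    r->dst_port = parse_port(dport);
    if (opts) {
        parse_option(opts, "msg", r->msg);
        parse_option(opts, "content", r->content);
    }
    return 0;
}

static int endpoints_match(const rule_t *r, uint32_t sip, int sp, uint32_t dip, int dp) {
    return (sip & r->src_mask) == (r->src_ip & r->src_mask) &&
           (dip & r->dst_mask) == (r->dst_ip & r->dst_mask) &&
           (r->src_port < 0 || r->src_port == sp) && (r->dst_port < 0 || r->dst_port == dp);
}

/* 1 if the header (either direction for "<>") and the content option both match. */
int match_rule(const rule_t *r, const packet_t *p) {
    int hit;
    if (strcmp(r->proto, "ip") != 0 && strcmp(r->proto, p->proto) != 0) return 0;
    hit = endpoints_match(r, p->src_ip, p->src_port, p->dst_ip, p->dst_port);
    if (!hit && r->bidir) hit = endpoints_match(r, p->dst_ip, p->dst_port, p->src_ip, p->src_port);
    if (!hit) return 0;
    return !r->content[0] || (p->payload && strstr(p->payload, r->content) != NULL);
}

/* Traverse the rule base; the first matching rule supplies the action and alert text. */
match_result_t detect(const rule_t *rules, size_t n, const packet_t *p) {
    match_result_t res;
    memset(&res, 0, sizeof res);
    for (size_t i = 0; i < n; i++) {
        if (!match_rule(&rules[i], p)) continue;
        res.matched = 1;
        memcpy(res.action, rules[i].action, sizeof res.action);
        memcpy(res.msg, rules[i].msg, sizeof res.msg);
        break;
    }
    return res;
}
```

The real Snort parser also handles port ranges, address lists, negation and many more options; the sample rules below are constructed for the example.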
The detection matching result is packed into a message in a fixed format and stored in the to-be-processed buffer (ToBeProcessed_RingBuffer). ToBeProcessed_RingBuffer is a ring buffer used to store the detection matching results of all packets, including the packet's message information, the matched rule information, the alert information and the processing action of the rule. Storing messages in a ring buffer avoids frequent memory allocation, and since access to a ring buffer is very fast, it provides high-performance data access.
The software-implemented intrusion detection system provided by the embodiment of the present invention, with the DPDK zero-copy packet receiving mechanism and multiple network cards and multiple queues cooperatively receiving network packets, can effectively improve the packet capture rate; by decoding, classifying and pattern-matching the collected data streams with the DPDK multi-core mechanism, it can effectively improve intrusion detection efficiency and adapt better to high-throughput network environments.
In another embodiment of the present invention, on the basis of the above embodiment, the output core 3 comprises a logging module 31 and a match information reporting module 32, wherein
the logging module 31 is configured to periodically traverse the to-be-processed buffer and record the detection matching results of the packets stored in it to the system log;
the match information reporting module 32 is configured to encapsulate, according to the Open Security protocol, the message information and action information of the illegal packets identified from the detection matching results, and to pass the encapsulated illegal packets to the control core;
wherein the content recorded to the system log includes a timestamp, message information, match information and processing action.
Specifically, to make it easy for the system administrator to review and analyse traffic, fully understand the historical network environment, and adjust and update the rule base in time, the intrusion detection system must preserve the detection information of all packets that pass through the system; these data are usually stored in a log file specified by the user or in a specific database.
The logging module 31 periodically traverses the to-be-processed buffer ToBeProcessed_RingBuffer, reads every message in ToBeProcessed_RingBuffer, parses the message and records the detection matching result of the packet it describes into the system log; the recorded content includes a timestamp, message information, match information and processing action. The processing action is the action to be performed on the packet after a rule has matched, and is one of alert, log, pass, activate and dynamic.
If the detection matching result shows that a packet is an illegal packet, the match information reporting module 32 encapsulates the message information and action information of the illegal packet according to the Open Security protocol, passes the encapsulated illegal packet to the output core management module, and then reports it to the controller through the Agent module.
The software-implemented intrusion detection system provided by the embodiment of the present invention uses ring buffers to receive and send intrusion-detection-related information, and can provide high-performance output of intrusion detection alert information.
Another embodiment of the present invention, on the basis of above-described embodiment, control core 1 includes:Agent modules 11, detection core Management module 12, regular database management module 13, log management module 14 and output core management module 15;Wherein,
The Agent modules 11 are used to be responsible for carrying out with controller by socket sockets and the messaging protocol appointed Interaction, wherein, the content interacted includes:Log-on message, reception rule and upload suspicious information;
Specifically, Agent be the software architecture with autonomy, can be added independently of system or from system collect deletion without Whole system is influenceed, the function of Agent entities is more complete, and the scalability of system is better, is opened by Agent to upper strata Interface, improves the controllability of system.
The detection core management module 12 is used to detection core is initialized and managed;
The regular database management module 13 is used to receive the rule that Agent modules 11 are issued, and rule base is managed, and With detecting that the detection matching module 22 of core 2 is cooperateed with;
Specifically, regular database management module 13 can be continuously updated rule base, increase or deletion rule.
The log management module 14 is used to manage the log information produced by the logger module 31 of output core 3 Reason;
The output core management module 15 is used to output core 3 is initialized and managed.
Specifically, message transmission that core management module 15 reports match information reporting module is exported to Agent modules 11.
A kind of software implementation intruding detection system provided in an embodiment of the present invention, is developed to upper strata by Agent modules and connect Mouthful, it is easy to regulation rule storehouse as needed, improves the controllability of system, and the pipe to lower floor is realized by multiple management modules Reason.
Another embodiment of the present invention provides a kind of software implementation intrusion detection method, based on soft described in each embodiment as described above Part intruding detection system, as shown in Fig. 2 comprising the following steps:
S1, is initialized respectively to control core, detection core and output core;
S2, detection core is based on DPDK, and packet is acquired and parsed, and by traversal rule storehouse to after parsing The packet carry out detection matching;
S3, will detect that the detection matching result that core is obtained is recorded to system journal when output is appraised and decided, and will be according to described The invalid data package informatin that detection matching result is known reports control core after being packaged.
Specifically, it is necessary first to which control core, detection core and output core are initialized respectively, as shown in figure 3, being this hair A kind of schematic diagram of the initialization procedure for software implementation intruding detection system that bright embodiment is provided.Wherein, core initialization package is controlled Include:The parsing of parameter configuration and DPDK configuration files is completed, the communication connection set up between Agent modules and controller is received The rule that controller is issued, initializes to DPDK environment abstraction layer, buffer circle is initialized, configuration data Bag reception and transmit queue and registration timer etc.;Detection core initialization is included:Configuration pretreatment plug-in unit, copy controller The rule issued, registration timer, so that detection verification packet is monitored matching;Output core initialization is included:Initially Change routing table, initialize output inserter, registration timer, so that output core sends testing result.
Specifically, packet receiving mechanism of the step S2 based on DPDK zero-copy, binds many network interface cards, many queues collaboration capture data Bag, and the packet is parsed;Then, traversal pretreatment plug-in unit, is located in advance to the packet by parsing Reason;And based on DPDK multinuclear mechanism, traversal rule storehouse is scanned and matched to the packet by pretreatment, obtains The detection matching result of the packet;The detection matching result is packaged into message according to certain form, is stored in and waits to locate Buffering area ToBeProcessed_RingBuffer is managed, for output core processing.
Step S3 timing traversal ToBeProcessed_RingBuffer first, by the detection matching result of all packets Record to system journal;Then, if knowing that packet is invalid data bag according to the detection matching result, according to Open Security agreements carry out the encapsulation of message information and action message to the invalid data bag, and will be described illegal after encapsulation Packet is uploaded to control core, then the suspicious message after encapsulation is reported into controller by control core.
A kind of software implementation intrusion detection method provided in an embodiment of the present invention, zero-copy handbag mechanism based on DPDK and many Core mechanism, with message copy and nucleophilicity feature is reduced, can provide high performance packet capture and detection, can be preferable Compatible virtualization and the security protection of cloud computing platform.
In another embodiment of the present invention, on the basis of the above embodiment, initializing the control core further includes:
S111, parse the command line parameters and the DPDK configuration file;
S112, initialize the Agent module;
S113, encapsulate the number of detection cores, the number of output cores, the number of NICs, the number of pending buffers and the data plane IP information, and initiate a registration request to the controller;
S114, receive and parse the rule configuration file issued by the controller;
S115, initialize the DPDK environment abstraction layer;
S116, initialize the ring buffers, wherein the ring buffers include: an instruction buffer, a statistics buffer and a pending buffer;
S117, configure RSS (receive side scaling) to ensure that different packets belonging to the same data flow are sent to the same core;
S118, configure the transmit queues and receive queues, wherein each NIC is configured with one transmit queue and the number of receive queues equals the number of cores;
S119, register a first timer, used by the control core to periodically check the statistics buffer and confirm whether the statistics in the statistics buffer need to be updated.
Specifically, in S111 the command line parameters are parsed into the parameters required to start Snort, and the DPDK configuration file specifies the numbers of detection cores, output cores and pending buffers, the CPU mask, the data plane IP, and the IP and port of the controller.
In S112 the Agent module is initialized: it establishes communication with the controller by creating a socket, receives and parses the instructions sent by the controller, collects local statistics, and encapsulates the local statistics and sends them to the controller.
S113 encapsulates information such as the number of detection cores, the number of output cores, the number of NICs, the number of pending buffers (gBuffer) and the data plane IP information, and initiates a registration request to the controller; after receiving the registration request, the controller records this information and responds to it. At the same time, the controller sends a unified rule configuration file to the protected node. The data plane IP information includes the data plane IP type and the data plane IP address.
Receiving and parsing the rule configuration file issued by the controller in S114 means: the controller issues a Snort rule configuration file; at system initialization, the Snort rule configuration file is parsed, each rule is read and parsed in turn, represented in the corresponding rule syntax, and organized in memory to build a rule syntax tree; packets are matched against the rule syntax tree, and if some rule matches a packet, an attack is considered detected.
In S115 the DPDK environment abstraction layer is initialized; DPDK provides its own API, and this step initializes that API.
In S116 the ring buffers (Ring Buffer) are initialized, wherein the ring buffers include: the instruction buffer (Policy_RingBuffer), the statistics buffer (Info_RingBuffer) and the pending buffer (ToBeProcessed_RingBuffer); the instruction buffer stores the controller's instructions, the statistics buffer stores statistics, and the pending buffer stores the detection information of illegal packets.
In S117, RSS is used for load balancing, forwarding packets to multiple cores; RSS distributes packets to different queues and ensures that different packets belonging to the same data flow are sent to the same core.
In S118 the transmit queues and receive queues are configured: each NIC is configured with one transmit queue, and the number of receive queues equals the number of cores;
In S119 a first timer is registered, used by the control core to periodically check whether the statistics in the statistics buffer need to be updated; if they do, the control core sends a signal to each detection core and output core.
The software intrusion detection method provided in this embodiment of the present invention bypasses the kernel protocol stack through the environment abstraction layer, optimizes memory, buffer and queue management, and provides a load-balancing technique based on NIC multi-queue and flow identification, so that the method can achieve high-performance packet acquisition and detection.
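The flow-to-core property that S117 relies on can be shown with a small worked example. The code below is an added illustration, not the patent's code: it computes the Toeplitz hash that RSS-capable NICs use to pick a receive queue (one queue per core, as in S118) over the IPv4 address and port fields, and uses a symmetric key so that both directions of a flow map to the same queue. The key, the queue count and the sample flows are constructed for this example; DPDK itself accepts such a key in its RSS configuration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RSS_KEY_LEN 40   /* the usual RSS key length in bytes */

/* Symmetric key: 0x6d5a repeated. Its 16-bit period makes the hash invariant
 * when the two 32-bit addresses or the two 16-bit ports are swapped, so a
 * request and its reply land on the same receive queue and the same core. */
static const uint8_t rss_sym_key[RSS_KEY_LEN] = {
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
    0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
};

/* Flow identity hashed by RSS (constructed layout for this example). */
struct flow_key {
    uint8_t  src_ip[4];
    uint8_t  dst_ip[4];
    uint16_t src_port;   /* host byte order; serialised big-endian below */
    uint16_t dst_port;
};

/* Bit j of the key, most significant bit of each byte first; 0 past the end. */
static uint32_t key_bit(const uint8_t *key, size_t keylen, size_t j)
{
    if (j >= keylen * 8)
        return 0;
    return (key[j / 8] >> (7 - (j % 8))) & 1u;
}

/* Toeplitz hash: for every set input bit i, XOR in the 32-bit window of the
 * key that starts at key bit i. The window is kept as a sliding register. */
uint32_t toeplitz_hash(const uint8_t *key, size_t keylen,
                       const uint8_t *data, size_t datalen)
{
    uint32_t hash = 0;
    uint32_t window = 0;
    size_t i;

    for (i = 0; i < 32; i++)                      /* key bits 0..31 */
        window = (window << 1) | key_bit(key, keylen, i);

    for (i = 0; i < datalen * 8; i++) {
        if ((data[i / 8] >> (7 - (i % 8))) & 1u)
            hash ^= window;                       /* window = key bits i..i+31 */
        window = (window << 1) | key_bit(key, keylen, i + 32);
    }
    return hash;
}

/* Serialise the fields in the order RSS hashes them and return the hash. */
uint32_t flow_rss_hash(const struct flow_key *f)
{
    uint8_t buf[12];
    memcpy(buf, f->src_ip, 4);
    memcpy(buf + 4, f->dst_ip, 4);
    buf[8]  = (uint8_t)(f->src_port >> 8);
    buf[9]  = (uint8_t)(f->src_port & 0xff);
    buf[10] = (uint8_t)(f->dst_port >> 8);
    buf[11] = (uint8_t)(f->dst_port & 0xff);
    return toeplitz_hash(rss_sym_key, RSS_KEY_LEN, buf, sizeof buf);
}

/* Receive queue, and therefore detection core, chosen for a flow. */
unsigned flow_rss_queue(const struct flow_key *f, unsigned nqueues)
{
    return flow_rss_hash(f) % nqueues;
}

/* The reverse direction of a flow, to check that replies stay on the same core. */
struct flow_key flow_reverse(const struct flow_key *f)
{
    struct flow_key r;
    memcpy(r.src_ip, f->dst_ip, 4);
    memcpy(r.dst_ip, f->src_ip, 4);
    r.src_port = f->dst_port;
    r.dst_port = f->src_port;
    return r;
}
```

With a non-symmetric key the two directions of a connection generally hash to different queues, which is why the stream and session preprocessors named later on the page would otherwise see only half of each flow on a given core.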
In another embodiment of the present invention, on the basis of the above embodiment, initializing the detection core further includes:
S121, copy the rule base, and register, load and configure the preprocessing plugins;
S122, register a second timer, used by the detection core to periodically check the instruction buffer to determine whether an instruction sent by the controller has been received.
Specifically, copying the rule base in step S121 means that the control core has already parsed the rule configuration file and obtained a Snort_Config structure; when the detection core is started, a pointer to this structure is passed in as a parameter, and the detection core copies the Snort_Config structure as a local variable. The preprocessing plugins are registered, loaded and configured; the preprocessing plugins include: ARPspoof, Normalizer, SessionManager, Stream6, RpcDecode, Bo, HttpInspect, PerfMonitor and SfPortScan, etc.
Step S122 registers a second timer, which is used by the detection core to periodically check the instruction buffer to determine whether an instruction sent by the controller has been received.
The software intrusion detection method provided in this embodiment of the present invention, by copying the rules issued by the controller when initializing the detection core, allows the rules to be modified dynamically and thereby realizes real-time monitoring of suspicious data.
In another embodiment of the present invention, on the basis of the above embodiment, initializing the output core further includes:
S131, initialize the output plugins;
S132, register a third timer, used by the output core to periodically check the instruction buffer to determine whether an instruction sent by the controller has been received.
Specifically, step S131 initializes the output plugins, including SYN Cookie and SYN Proxy; through the output plugins, the relevant information of illegal packets is recorded to the system log or uploaded to the controller.
Step S132 registers a third timer, which is used by the output core to periodically check the instruction buffer to determine whether an instruction sent by the controller has been received.
The software intrusion detection method provided in this embodiment of the present invention, by initializing the output core, outputs the relevant information of intrusion detection in plugin form, making it easy for the system administrator to trace back and analyze data traffic.
In another embodiment of the present invention, on the basis of the above embodiment, step S2 further includes:
The following steps are executed in a loop:
S21, if a signal to synchronize statistics is received, synchronize the statistics;
S22, if the second timer has expired, extract the instruction sent by the controller from the instruction buffer, parse the instruction and execute the corresponding handler;
S23, traverse the bound receive queues; for each receive queue, extract the packets in the queue and perform the following operations on each packet:
S231, decode and analyze the packet;
S232, traverse the preprocessing plugins to preprocess the decoded packet;
S233, traverse the rule base to perform detection matching on the preprocessed packet, obtaining the detection matching result of the packet;
S234, package the detection matching result into a message in a fixed format and store it in the pending buffer for processing by the output core, wherein the detection matching result includes: packet information, match information, alert information and action information.
Specifically, with reference to the schematic diagram of the packet processing procedure of the software intrusion detection method provided in another embodiment of the present invention, step S2, in which the detection core collects and parses packets based on DPDK and traverses the rule base to perform detection matching on the parsed packets, further includes:
The following steps are executed in a loop:
If the detection core receives a signal to synchronize statistics, it synchronizes the statistics; if the second timer has expired, it extracts the instruction issued by the controller from the instruction buffer of the ring buffers and begins capturing and detecting packets. The detection core traverses the bound receive queues; for each receive queue it extracts the packets in the queue and performs the following operations on each packet: the data acquisition module decodes and analyzes the packet; the detection matching module traverses the preprocessing plugins to preprocess the decoded packet, then traverses the rule base to perform detection matching on the preprocessed packet and obtain its detection matching result; the detection matching result is packaged into a message in a fixed format and stored in the pending buffer ToBeProcessed_RingBuffer for processing by the output core.
In the software intrusion detection method provided in this embodiment of the present invention, the DPDK zero-copy packet-receiving mechanism, with multiple NICs and multiple queues cooperating to receive network packets, effectively raises the packet capture rate; using the DPDK multi-core mechanism to decode and pattern-match the collected packets effectively raises intrusion detection efficiency and better suits high-throughput network environments.
In another embodiment of the present invention, on the basis of the above embodiment, step S3 further includes:
The following operations are performed in each iteration of a while loop:
S31, if the third timer has expired, extract the instruction from the instruction buffer, parse it and execute the corresponding handler;
S32, traverse every message in ToBeProcessed_RingBuffer and perform the following operations on each message:
S321, parse the message, pass the content of the message to the log management module, and have the log management module periodically record it to the system log, wherein the recorded content includes: timestamp, message information, match information and processing action;
S322, if the packet is identified as an illegal packet according to the detection matching result, encapsulate the message information and action information of the illegal packet according to the OpenSecurity protocol, pass the encapsulated illegal packet to the output core management module, and then pass it to the controller through the Agent module.
Specifically, with reference to Fig. 4, step S3, in which the output core periodically records the detection matching results of the packets obtained by the detection core to the system log and encapsulates and reports the illegal packets, further includes:
The following operations are performed in each iteration of a while loop:
If the third timer has expired, the output core extracts the instruction issued by the controller from the instruction buffer of the ring buffers and begins outputting the intrusion detection results obtained by the detection core. The output core traverses every message in the pending buffer and performs the following operations on each message:
The logger module of the output core parses the message, obtains the detection matching result of the packet, and passes the detection matching result of the packet to the log management module of the control core, which periodically records it to the system log, wherein the recorded content includes: timestamp, message information, match information and processing action.
When the match information reporting module of the output core identifies a packet as an illegal packet according to the detection matching result, it encapsulates the message information and action information of the illegal packet according to the OpenSecurity protocol and passes the encapsulated illegal packet to the output core management module of the control core, which passes it to the controller through the Agent module; the controller then saves the encapsulated illegal packet to the user database.
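The hand-off between the detection core (S234) and the output core (S321 and S322) can be made concrete with a small worked example. The code below is an added illustration and not the patent's code: a fixed-capacity single-producer, single-consumer ring in the role of ToBeProcessed_RingBuffer, and one timer-driven traversal by the output core that formats every message as a log record and counts the illegal packets that would be encapsulated for the control core. The message layout, the capacity, the record format and the assumption that a matched rule with the alert action marks a packet illegal are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Processing actions named on the page. */
enum rule_action { ACT_ALERT, ACT_LOG, ACT_PASS, ACT_ACTIVATE, ACT_DYNAMIC };

static const char *const action_names[] = {
    "alert", "log", "pass", "activate", "dynamic"
};

/* One detection matching result as stored in the pending buffer
 * (field layout is an assumption for this example). */
struct detect_msg {
    uint64_t         timestamp;     /* when the packet was matched */
    char             pkt_info[48];  /* packet information, e.g. a 5-tuple */
    uint32_t         rule_id;       /* match information: matched rule id */
    char             alert_msg[48]; /* alert information from the rule */
    enum rule_action action;        /* processing action of the rule */
};

#define RING_CAP 8  /* power of two: indices wrap with a mask, not a modulo */

struct msg_ring {
    struct detect_msg slots[RING_CAP];
    volatile uint32_t head;   /* written only by the producer */
    volatile uint32_t tail;   /* written only by the consumer */
};

void ring_init(struct msg_ring *r) { memset(r, 0, sizeof *r); }

/* Producer side (detection core). Slots are reused, so there is no allocation
 * per message. Returns -1 when full; the caller decides whether to drop. */
int ring_push(struct msg_ring *r, const struct detect_msg *m)
{
    if (r->head - r->tail == RING_CAP)
        return -1;
    r->slots[r->head & (RING_CAP - 1)] = *m;
    __sync_synchronize();   /* publish the slot contents before the new head */
    r->head++;
    return 0;
}

/* Consumer side (output core). Returns -1 when the ring is empty. */
int ring_pop(struct msg_ring *r, struct detect_msg *out)
{
    if (r->head == r->tail)
        return -1;
    *out = r->slots[r->tail & (RING_CAP - 1)];
    __sync_synchronize();   /* finish reading before releasing the slot */
    r->tail++;
    return 0;
}

/* Format one log record: timestamp, message information, match information,
 * processing action. Returns the number of characters written. */
int format_log_record(const struct detect_msg *m, char *buf, size_t n)
{
    return snprintf(buf, n, "%llu %s rule=%u msg=\"%s\" action=%s",
                    (unsigned long long)m->timestamp, m->pkt_info,
                    m->rule_id, m->alert_msg, action_names[m->action]);
}

/* Assumed classification: a packet is illegal when its rule asks for an alert. */
int is_illegal(const struct detect_msg *m) { return m->action == ACT_ALERT; }

/* One timer-driven traversal by the output core: drain the ring, write each
 * record to `log` (may be NULL), store the record count in *logged, and
 * return how many illegal packets would be encapsulated for the control core. */
int output_core_traverse(struct msg_ring *r, FILE *log, int *logged)
{
    struct detect_msg m;
    char line[192];
    int illegal = 0;

    *logged = 0;
    while (ring_pop(r, &m) == 0) {
        format_log_record(&m, line, sizeof line);
        if (log)
            fprintf(log, "%s\n", line);
        (*logged)++;
        if (is_illegal(&m))
            illegal++;
    }
    return illegal;
}
```

Because ring_push refuses to overwrite unread slots, a detection core that outpaces the output core's timer sees the -1 return and can count dropped results instead of silently losing alerts.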
The software intrusion detection system provided in this embodiment of the present invention uses ring buffers to receive and transmit intrusion detection information, and can provide high-performance output of intrusion detection alert information.
The software intrusion detection system and method proposed in the above embodiments of the present invention are lightweight, pure software, flexibly deployable and highly scalable; the DPDK zero-copy packet-receiving mechanism, with multiple NICs and multiple queues cooperating to receive network packets, effectively raises the packet capture rate; the DPDK multi-core mechanism, decoding, classifying and pattern-matching the collected data flow, effectively raises intrusion detection efficiency and better suits high-throughput network environments; and the control interface opened to the upper layer provides controllability and better compatibility with virtualization and cloud computing platforms.
Finally, the methods of the present application are only preferred embodiments and are not intended to limit the scope of the present invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A software intrusion detection system, characterised in that it comprises three levels, a control core, a detection core and an output core, wherein:
the control core is used to interact with the upper-layer controller and to manage the information produced by the detection core and the output core;
the detection core is used to collect and parse packets based on DPDK and to perform detection matching on the parsed packets by traversing the rule base;
the output core is used to periodically record the detection matching results obtained by the detection core to the system log, and to encapsulate the illegal packet information identified from the detection matching results and report it to the control core.
2. The system according to claim 1, characterised in that the detection core further comprises: a data acquisition module and a detection matching module, wherein:
the data acquisition module is used, based on the DPDK zero-copy packet-receiving mechanism, to bind multiple NICs, capture packets with multiple queues cooperating, and parse the packets;
the detection matching module is used to traverse the preprocessing plugins to preprocess the parsed packets; and, based on the DPDK multi-core mechanism, to traverse the rule base to scan and match the preprocessed packets, obtaining the detection matching results of the packets; the detection matching results are packaged into messages in a fixed format and stored in the pending buffer for processing by the output core;
wherein the detection matching result includes: packet information, match information, alert information and action information.
3. The system according to claim 1, characterised in that the output core further comprises: a logger module and a match information reporting module, wherein:
the logger module is used to periodically traverse the pending buffer and record the detection matching results of the packets stored in the pending buffer to the system log;
the match information reporting module is used to encapsulate, according to the OpenSecurity protocol, the message information and action information of the illegal packets identified from the detection matching results, and to transmit the encapsulated illegal packets to the control core;
wherein the content recorded to the system log includes: timestamp, message information, match information and processing action.
4. The system according to claim 1, characterised in that the control core further comprises: an Agent (agency) module, a detection core management module, a rule base management module, a log management module and an output core management module, wherein:
the Agent module is used to interact with the controller through sockets and an agreed messaging protocol, wherein the interacted content includes: registration information, received rules and uploaded suspicious information;
the detection core management module is used to initialize and manage the detection core;
the rule base management module is used to receive the rules issued by the Agent module, manage the rule base, and cooperate with the detection matching module of the detection core;
the log management module is used to manage the log information produced by the logger module of the output core;
the output core management module is used to initialize and manage the output core.
5. A software intrusion detection method based on the system of any one of claims 1 to 4, characterised in that it comprises the following steps:
S1, initialize the control core, the detection core and the output core respectively;
S2, the detection core collects and parses packets based on DPDK, and performs detection matching on the parsed packets by traversing the rule base;
S3, the output core periodically records the detection matching results obtained by the detection core to the system log, and encapsulates the illegal packet information identified from the detection matching results and reports it to the control core.
6. The method according to claim 5, characterised in that initializing the control core in step S1 further comprises:
S111, parse the command line parameters and the DPDK configuration file;
S112, initialize the Agent module;
S113, encapsulate the number of detection cores, the number of output cores, the number of NICs, the number of pending buffers and the data plane IP information, and initiate a registration request to the controller;
S114, receive and parse the rule configuration file issued by the controller;
S115, initialize the DPDK environment abstraction layer;
S116, initialize the ring buffers, wherein the ring buffers include: an instruction buffer, a statistics buffer and a pending buffer;
S117, configure RSS (receive side scaling) to ensure that different packets belonging to the same data flow are sent to the same core;
S118, configure the transmit queues and receive queues, wherein each NIC is configured with one transmit queue and the number of receive queues equals the number of cores;
S119, register a first timer, used by the control core to periodically check the statistics buffer and confirm whether the statistics in the statistics buffer need to be updated.
7. The method according to claim 5, characterised in that initializing the detection core in step S1 further comprises:
S121, copy the rule base, and register, load and configure the preprocessing plugins;
S122, register a second timer, used by the detection core to periodically check the instruction buffer to determine whether an instruction sent by the controller has been received.
8. The method according to claim 5, characterised in that initializing the output core in step S1 further comprises:
S131, initialize the output plugins;
S132, register a third timer, used by the output core to periodically check the instruction buffer to determine whether an instruction sent by the controller has been received.
9. The method according to claim 5, characterised in that step S2 further comprises:
The following steps are executed in a loop:
S21, if a signal to synchronize statistics is received, synchronize the statistics;
S22, if the second timer has expired, extract the instruction sent by the controller from the instruction buffer, parse the instruction and execute the corresponding handler;
S23, traverse the bound receive queues; for each receive queue, extract the packets in the queue and perform the following operations on each packet:
S231, decode and analyze the packet;
S232, traverse the preprocessing plugins to preprocess the decoded packet;
S233, traverse the rule base to perform detection matching on the preprocessed packet, obtaining the detection matching result of the packet;
S234, package the detection matching result into a message in a fixed format and store it in the pending buffer for processing by the output core; wherein the detection matching result includes: packet information, match information, alert information and action information.
10. The method according to claim 5, characterised in that step S3 further comprises:
The following steps are executed in each iteration of a while loop:
S31, if the third timer has expired, extract the instruction from the instruction buffer, parse it and execute the corresponding handler;
S32, traverse every message in the pending buffer and perform the following operations on each message:
S321, parse the message, pass the content of the message to the log management module, and have the log management module periodically record it to the system log, wherein the recorded content includes: timestamp, message information, match information and processing action;
S322, if the packet is identified as an illegal packet according to the detection matching result, encapsulate the message information and action information of the illegal packet according to the OpenSecurity protocol, pass the encapsulated illegal packet to the output core management module, and then pass it to the controller through the Agent module.
CN201710279176.9A 2017-04-25 2017-04-25 Software intrusion detection system and method Active CN107181738B (en)

Publications (2)

Publication Number Publication Date
CN107181738A true CN107181738A (en) 2017-09-19
CN107181738B CN107181738B (en) 2020-09-11

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1668015A (en) * 2004-12-20 2005-09-14 华中科技大学 Cooperative intrusion detection based large-scale network security defense system
US20100146623A1 (en) * 2008-10-31 2010-06-10 Namjoshi Kedar S Method and apparatus for pattern matching for intrusion detection/prevention systems
CN101409623A (en) * 2008-11-26 2009-04-15 湖南大学 Mode matching method facing to high speed network
CN101841470A (en) * 2010-03-29 2010-09-22 东南大学 High-speed capturing method of bottom-layer data packet based on Linux
CN105516091A (en) * 2015-11-27 2016-04-20 武汉邮电科学研究院 Secure flow filter and filtering method based on software defined network (SDN) controller
CN105577567A (en) * 2016-01-29 2016-05-11 国家电网公司 Network data packet parallel processing method based on Intel DPDK

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
HONEYICS: CSDN, https://blog.csdn.net/youjianzhou/article/details/52411881, 2 September 2016 *
刘峰飞: "Research on a Snort Intrusion Detection System Based on Data Mining", China Master's Theses Full-text Database, Information Science and Technology Series, 2008, No. 06 *

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107911237B (en) * 2017-11-10 2021-05-04 南京邮电大学 DPDK-based rapid detection method for data packets in user space
CN107911237A (en) * 2017-11-10 2018-04-13 南京邮电大学 DPDK-based rapid detection method for data packets in user space
US11526602B2 (en) * 2017-12-05 2022-12-13 Audi Ag Data-processing device, complete entity, and method for operating a data-processing device or complete entity
CN108632110A (en) * 2018-03-23 2018-10-09 广州网测科技有限公司 Equipment performance test method, system, computer equipment and storage medium
CN108632110B (en) * 2018-03-23 2020-06-19 北京网测科技有限公司 Device performance testing method, system, computer device and storage medium
CN110798366A (en) * 2018-08-01 2020-02-14 阿里巴巴集团控股有限公司 Task logic processing method, device and equipment
CN110798366B (en) * 2018-08-01 2023-02-24 阿里巴巴集团控股有限公司 Task logic processing method, device and equipment
CN109451045A (en) * 2018-12-12 2019-03-08 成都九洲电子信息系统股份有限公司 High-speed message acquisition network card control method with configurable custom Ethernet headers
CN109495504A (en) * 2018-12-21 2019-03-19 东软集团股份有限公司 Firewall device and its message processing method and medium
CN110138797B (en) * 2019-05-27 2021-12-14 北京知道创宇信息技术股份有限公司 Message processing method and device
CN110138797A (en) * 2019-05-27 2019-08-16 北京知道创宇信息技术股份有限公司 Message processing method and device
CN110995678B (en) * 2019-11-22 2021-07-23 北京航空航天大学 Industrial control network-oriented efficient intrusion detection system
CN110995678A (en) * 2019-11-22 2020-04-10 北京航空航天大学 Industrial control network-oriented efficient intrusion detection system
CN113132349A (en) * 2021-03-12 2021-07-16 中国科学院信息工程研究所 Agent-free cloud platform virtual flow intrusion detection method and device
CN113157447A (en) * 2021-04-13 2021-07-23 中南大学 RPC load balancing method based on intelligent network card
CN113157447B (en) * 2021-04-13 2023-08-29 中南大学 RPC load balancing method based on intelligent network card
CN113765785A (en) * 2021-08-19 2021-12-07 东北大学 DPDK-based novel multi-path transmission scheme
CN113765785B (en) * 2021-08-19 2022-07-05 东北大学 DPDK-based multipath transmission method
CN114189368A (en) * 2021-11-30 2022-03-15 华中科技大学 Multi-inference engine compatible real-time flow detection system and method
CN114189368B (en) * 2021-11-30 2023-02-14 华中科技大学 Multi-inference engine compatible real-time flow detection system and method
CN114900347A (en) * 2022-04-28 2022-08-12 重庆长安汽车股份有限公司 Ethernet-based intrusion detection method and data packet distribution method
CN114900347B (en) * 2022-04-28 2023-04-14 重庆长安汽车股份有限公司 Ethernet-based intrusion detection method and data packet distribution method
CN114866332A (en) * 2022-06-08 2022-08-05 上海百功半导体有限公司 Lightweight intrusion detection system and method for optical communication equipment

Also Published As

Publication number Publication date
CN107181738B (en) 2020-09-11

Similar Documents

Publication Publication Date Title
CN107181738A (en) Software-implemented intrusion detection system and method
US11750653B2 (en) Network intrusion counter-intelligence
Jamshed et al. mOS: A Reusable Networking Stack for Flow Monitoring Middleboxes
US7415723B2 (en) Distributed network security system and a hardware processor therefor
US7685254B2 (en) Runtime adaptable search processor
CN102739473B (en) Network detecting method using intelligent network card
CN107682312A (en) Security protection system and method
US20120117610A1 (en) Runtime adaptable security processor
EP3465987B1 (en) Logging of traffic in a computer network
KR20210087399A (en) Security for container networks
Bos et al. Towards software-based signature detection for intrusion prevention on the network card
Wang et al. Design and implementation of an intrusion detection system by using extended BPF in the Linux kernel
De Bruijn et al. Safecard: a gigabit ips on the network card
CN115086021A (en) Campus network intrusion detection method, device, equipment and storage medium
Peng Research of network intrusion detection system based on snort and NTOP
Schuff et al. Design alternatives for a high-performance self-securing ethernet network interface
CN116458120A (en) Protecting network resources from known threats
Chen et al. Evolving switch architecture toward accommodating in-network intelligence
CN112637244A (en) Threat detection method for common and industrial control protocols and ports
Dhaka et al. Application layer proxy detection, prevention with predicted load optimization
Watanabe et al. Performance of network intrusion detection cluster system
Goodgion Active Response Using Host-Based Intrusion Detection System and Software-Defined Networking
Bonafiglia Improving the performance of Virtualized Network Services based on NFV and SDN.
Gogunska Study of the cost of measuring virtualized networks
Ognibene Toward efficient DDoS detection with eBPF

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant