CN107682312A - A kind of security protection system and method - Google Patents


Info

Publication number: CN107682312A
Authority: CN (China)
Prior art keywords: subsystem, rule, fire, idses, sub
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201710743670.6A
Other languages: Chinese (zh)
Inventors: 杨慧然, 刘超玲, 张棪, 于光喜, 韩言妮, 崔华俊, 安伟
Current assignee: Institute of Information Engineering of CAS (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS; priority to CN201710743670.6A; publication of CN107682312A; legal status: pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The present invention provides a security protection system and method. The system comprises an intrusion detection subsystem, a firewall subsystem and a controller subsystem, wherein: the controller subsystem is configured to update the intrusion detection subsystem rules and the firewall subsystem rules and to deliver the updated intrusion detection subsystem rules and firewall subsystem rules to the intrusion detection subsystem and the firewall subsystem respectively; the intrusion detection subsystem is configured to capture and inspect any packet based on DPDK and to report the invalid data in the detection result to the controller subsystem; and the firewall subsystem is configured to filter any packet based on DPDK. The security protection system and method provided by the invention are flexible to deploy and scale well, so they adapt well to virtualization and cloud computing platforms; they reduce packet copying and use core affinity, so they can cope with high-throughput network environments; and they expose control interfaces to the upper layer, which gives good controllability and eases operation and maintenance (O&M) and management.

Description

A kind of security protection system and method
Technical field
The present invention relates to the field of computer technology, and more particularly to a security protection system and method.
Background technology
A security protection system comprises two major functional systems: the intrusion detection system (IDS) and the firewall system.
Traditional intrusion detection systems are generally built from hardware, manufactured and developed by specialised equipment vendors, and need several kinds of equipment and software to operate together. Current IDS products basically fall into two classes by the source of their input data: host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS).
Besides hardware intrusion detection systems, there is now also a good deal of intrusion detection software. Common intrusion detection software includes Snort, Suricata, pfSense and so on.
Among these, Snort is the most widely used open-source intrusion detection system. Snort is a libpcap-based packet sniffer and a lightweight network intrusion detection system (NIDS). It logs and performs content pattern matching based on rules, and detects various attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and so on.
Traditional firewall systems are generally formed by a combination of computer hardware and software. By principle, firewalls can be divided into four types: specially designed hardware firewalls, packet-filtering firewalls, circuit-level gateways and application-level gateways. A firewall system with high security performance combines several types of firewall to protect packets.
iptables is a common firewall tool on the Linux operating system. It works in user space, assembles rules into a list, and lets netfilter (the network filter) read them to inspect inbound and outbound IP packets and data and implement access control.
The existing security protection systems described above are seen to share the following problems:
Traditional security protection systems (including intrusion detection systems and firewall systems) are generally developed by specialised companies, require dedicated hardware, and need different hardware and software to cooperate, so they do not scale well. In addition, equipment costs are high, deployment is inflexible, and considerable manpower and material investment is needed.
Common open-source intrusion detection software and firewall software solve the deployment difficulty and high cost of traditional security protection systems, but have prominent performance problems. Taking Snort NIDS as an example, it captures packets based on libpcap, its processing efficiency is low, and it cannot meet the demands of high-throughput networks. In addition, Snort NIDS inspects and processes packets in a single thread, which also severely affects and limits its performance. Firewall software such as iptables reads rules and controls traffic inefficiently, depends heavily on the configuration of the rule list, and improper configuration can even cause traffic bottlenecks.
Traditional security protection systems lack controllability: they have no unified, real-time, automated rule management or upload and delivery control. Taking Snort NIDS as an example, it inspects and protects packets by means of a statically configured rule file, and cannot monitor suspicious packets and modify the rule file in real time. Firewall software such as iptables relies on manual configuration by network administrators, its rules are complex and cumbersome, and it cannot process packet filtering rules in real time.
Summary of the invention
To solve the problems of poor scalability, inflexible deployment, poor performance and insufficient controllability of security protection systems in the prior art, the present invention provides a security protection system and method.
In one aspect, the present invention provides a security protection system comprising an intrusion detection subsystem, a firewall subsystem and a controller subsystem, wherein:
the controller subsystem is configured to update the intrusion detection subsystem rules and the firewall subsystem rules according to the invalid data in the detection result reported by the intrusion detection subsystem, and to deliver the updated intrusion detection subsystem rules and firewall subsystem rules to the intrusion detection subsystem and the firewall subsystem respectively;
the intrusion detection subsystem is configured to capture and inspect any packet based on the DPDK (Data Plane Development Kit) using the intrusion detection subsystem rules delivered by the controller subsystem, and to report the invalid data in the detection result to the controller subsystem;
the firewall subsystem is configured to filter any packet based on DPDK using the firewall subsystem rules delivered by the controller subsystem.
Preferably, the security protection system further comprises a graphical user interface connected to the controller subsystem, for the user to select updates to the intrusion detection subsystem rules and/or the firewall subsystem rules.
Preferably, the controller subsystem further comprises an intrusion detection subsystem management module and a firewall subsystem management module, wherein:
the intrusion detection subsystem management module is configured to obtain the invalid data in the detection result, update the intrusion detection subsystem rules based on that invalid data, and deliver the updated intrusion detection subsystem rules to the intrusion detection subsystem;
the firewall subsystem management module is configured to update the firewall subsystem rules based on the invalid data in the detection result and deliver the updated firewall subsystem rules to the firewall subsystem.
Preferably, the intrusion detection subsystem further comprises a first control module, a first detection module and an output module, wherein:
the first control module is connected to the controller subsystem, the first detection module and the output module respectively, and is configured to send the intrusion detection subsystem rules delivered by the controller subsystem to the first detection module and to encapsulate the invalid data in the detection result and report it to the controller subsystem; the first control module further comprises an intrusion detection subsystem rule management unit for storing the intrusion detection subsystem rules;
the first detection module is connected to the first control module and the output module respectively, and is configured to receive any packet through the DPDK zero-copy packet receive mechanism and parse it; based on the DPDK multi-core mechanism, it looks up in the intrusion detection subsystem rule management unit the intrusion detection subsystem rule corresponding to the parsed packet, and inspects the parsed packet with that rule to obtain the detection result for the packet;
the output module is connected to the first control module and the first detection module, and is configured to traverse the detection results periodically, encapsulate the invalid data identified from the detection results and pass it to the first control module.
Preferably, the firewall subsystem further comprises a second control module and a second detection module, wherein:
the second control module is connected to the controller subsystem and the second detection module, and is configured to send the firewall subsystem rules delivered by the controller subsystem to the second detection module; the second control module further comprises a firewall subsystem rule management unit for storing the firewall subsystem rules;
the second detection module is connected to the second control module, and is configured to receive any packet through the DPDK zero-copy packet receive mechanism and parse it; based on the DPDK multi-core mechanism, it looks up in the firewall subsystem rule management unit the firewall subsystem rule corresponding to the parsed packet, and filters the packet with that rule.
In another aspect, the present invention provides a security protection method, comprising:
S1: the controller subsystem updates the intrusion detection subsystem rules and the firewall subsystem rules according to the invalid data in the detection result reported by the intrusion detection subsystem, and delivers the updated intrusion detection subsystem rules and firewall subsystem rules to the intrusion detection subsystem and the firewall subsystem respectively;
S2: the intrusion detection subsystem captures and inspects any packet based on DPDK using the intrusion detection subsystem rules delivered by the controller subsystem, and reports the invalid data in the detection result to the controller subsystem;
S3: the firewall subsystem filters any packet based on DPDK using the firewall subsystem rules delivered by the controller subsystem.
Preferably, step S1 is preceded by: S0, initialising the controller subsystem, the intrusion detection subsystem and the firewall subsystem respectively.
Preferably, step S1 further comprises:
S11: the intrusion detection subsystem management module obtains the invalid data in the detection result;
S12: the intrusion detection subsystem management module and the firewall subsystem management module update the intrusion detection subsystem rules and the firewall subsystem rules respectively, based on the invalid data in the detection result;
S13: the intrusion detection subsystem management module and the firewall subsystem management module deliver the updated intrusion detection subsystem rules and firewall subsystem rules to the intrusion detection subsystem and the firewall subsystem respectively.
Preferably, step S2 further comprises:
S21: the first control module sends the intrusion detection subsystem rules delivered by the controller subsystem to the first detection module;
S22: the first detection module receives any packet through the DPDK zero-copy packet receive mechanism and parses it; based on the DPDK multi-core mechanism, it looks up in the intrusion detection subsystem rule management unit the intrusion detection subsystem rule corresponding to the parsed packet, inspects the parsed packet with that rule, and obtains the detection result for the packet;
S23: the output module traverses the detection results periodically, encapsulates the invalid data identified from the detection results and passes it to the first control module.
Preferably, step S3 further comprises:
S31: the second control module sends the firewall subsystem rules delivered by the controller subsystem to the second detection module;
S32: the second detection module receives any packet through the DPDK zero-copy packet receive mechanism and parses it; based on the DPDK multi-core mechanism, it looks up in the firewall subsystem rule management unit the firewall subsystem rule corresponding to the parsed packet, and filters the packet with that rule.
The security protection system and method provided by the invention design and implement the intrusion detection subsystem and the firewall subsystem on DPDK, and both subsystems expose control interfaces to the upper layer. Deployment is flexible and scalability is good, so the system adapts well to virtualization and cloud computing platforms; with reduced packet copying and core affinity it provides high-performance packet capture and detection and copes with high-throughput network environments; and the control interfaces exposed to the upper layer give good controllability and ease O&M and management.
Brief description of the drawings
Fig. 1 is a schematic diagram of the overall structure of a security protection system according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the controller subsystem in a security protection system according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the intrusion detection subsystem in a security protection system according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the firewall subsystem in a security protection system according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the overall flow of a security protection method according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of the workflow of the controller subsystem in a security protection method according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of the workflow of the intrusion detection subsystem in a security protection method according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of the workflow of the firewall subsystem in a security protection method according to an embodiment of the present invention.
Detailed description of the embodiments
The embodiments of the present invention are described in further detail below with reference to the accompanying drawings and examples. The following embodiments serve to illustrate the present invention but do not limit its scope.
Fig. 1 is a schematic diagram of the overall structure of a security protection system according to an embodiment of the present invention. As shown in Fig. 1, this embodiment provides a security protection system comprising a controller subsystem 1, an intrusion detection subsystem 2 and a firewall subsystem 3, wherein:
the controller subsystem 1 is configured to update the intrusion detection subsystem rules and the firewall subsystem rules according to the invalid data in the detection result reported by the intrusion detection subsystem 2, and to deliver the updated intrusion detection subsystem rules and firewall subsystem rules to the intrusion detection subsystem 2 and the firewall subsystem 3 respectively;
the intrusion detection subsystem 2 is configured to capture and inspect any packet based on the DPDK (Data Plane Development Kit) using the intrusion detection subsystem rules delivered by the controller subsystem 1, and to report the invalid data in the detection result to the controller subsystem 1;
the firewall subsystem 3 is configured to filter any packet based on DPDK using the firewall subsystem rules delivered by the controller subsystem 1.
Specifically, the security protection system provided by this embodiment designs and implements the intrusion detection system and the firewall system on DPDK, and both expose control interfaces to the upper layer. DPDK is an open-source data plane development kit provided by Intel. It provides library functions and driver support for efficient packet processing in user space on IA processor architectures. Unlike a Linux system, whose goal is general-purpose use, it concentrates on high-performance processing of packets for network applications: a DPDK application runs in user space and uses the data plane libraries DPDK provides to send and receive packets, bypassing the Linux kernel protocol stack for packet processing.
Further, the security protection system provided by this embodiment comprises three subsystems:
The controller subsystem 1 is connected to the intrusion detection subsystem 2 and the firewall subsystem 3 and manages them. This mainly comprises: receiving and responding to the registration requests of the intrusion detection subsystem 2 and the firewall subsystem 3, managing their initialisation, and sending a unified configuration rule file to each of them. In addition, when invalid data appears in the detection result of the intrusion detection subsystem 2, the intrusion detection subsystem 2 reports that invalid data to the controller subsystem 1; the controller subsystem 1 receives the invalid data in the detection result reported by the intrusion detection subsystem 2, updates the intrusion detection subsystem rules and the firewall subsystem rules according to it, and finally delivers the updated intrusion detection subsystem rules and firewall subsystem rules to the intrusion detection subsystem 2 and the firewall subsystem 3 respectively.
The intrusion detection subsystem 2 is connected to the controller subsystem 1 and, modelled on Snort, implements packet capture and detection on the DPDK library. Specifically, the intrusion detection subsystem 2 first captures any packet based on DPDK; the content of the packet includes the content of the network traffic, the state of the user's connection activity and behaviour, and so on. It then inspects the captured packet based on DPDK, obtains the detection result and stores it. The detection result is obtained by traversing the intrusion detection subsystem rule base for a matching rule term: if a matching rule term exists, the packet is invalid, and the matching rule term, the action information and warning information contained in that rule term, and the message information of the packet itself are packaged and placed in the cache. If no rule term matches, the match information flag is set to 0 and the warning information and action information fields are both empty. Finally the invalid data in the detection result is obtained and reported to the controller subsystem 1.
The firewall subsystem 3 is connected to the controller subsystem 1. It uses the DPDK zero-copy packet receive mechanism to receive packets cooperatively across multiple network cards, then uses the DPDK-ACL algorithm to match packets against the rules accurately and at high speed, obtains the detection result and stores it, and finally reports the invalid data in the detection result to the controller subsystem 1.
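A worked model of the S1-S3 loop between the three subsystems, added here as an example and not code from the patent: the intrusion detection subsystem's invalid-data report, the controller subsystem's rule update and delivery, and the firewall subsystem's filtering against the delivered table. The rule layout, the function names and the assumption that the reported action becomes the firewall action for the reporting packet's source and destination port are mine, not the patent's.

```c
/* Added example, not the patent's code: models the S1-S3 loop above. The IDS
 * reports invalid data, the controller subsystem derives a firewall rule from
 * it and pushes the updated table, and the firewall subsystem filters later
 * packets with that table. All names, the rule layout and the sample
 * report are assumed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_RULES 64

enum fw_action { FW_PASS = 0, FW_DROP = 1 };

/* header fields the detection modules parse out of a packet (host order) */
struct five_tuple { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };

/* one firewall subsystem rule entry; 0 in dst_port or proto means "any" */
struct fw_rule { uint32_t src_ip, src_mask; uint16_t dst_port; uint8_t proto; enum fw_action action; };

/* rule table kept by the controller's rule management unit 122 and, after a
 * push, by the firewall's rule management unit 313 */
struct fw_rule_table { struct fw_rule rules[MAX_RULES]; int count; unsigned version; };

/* invalid-data report from the IDS: packet info plus the matched rule's
 * warning and action, the fields the output module encapsulates */
struct ids_report { struct five_tuple pkt; char warning[64]; enum fw_action action; };

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static int rule_matches(const struct fw_rule *r, const struct five_tuple *p) {
    if ((p->src_ip & r->src_mask) != (r->src_ip & r->src_mask)) return 0;
    if (r->dst_port && r->dst_port != p->dst_port) return 0;
    if (r->proto && r->proto != p->proto) return 0;
    return 1;
}

static int rule_equal(const struct fw_rule *a, const struct fw_rule *b) {
    return a->src_ip == b->src_ip && a->src_mask == b->src_mask &&
           a->dst_port == b->dst_port && a->proto == b->proto && a->action == b->action;
}

/* second detection module 32: first matching rule decides; uncovered packets pass */
enum fw_action fw_filter(const struct fw_rule_table *t, const struct five_tuple *p) {
    for (int i = 0; i < t->count; i++)
        if (rule_matches(&t->rules[i], p)) return t->rules[i].action;
    return FW_PASS;
}

/* firewall subsystem management module 12: derive a /32 rule for the reported
 * source and insert it at the front so it takes precedence over older rules.
 * Returns 1 if the table changed, 0 if the rule already existed, -1 if full. */
int controller_update(struct fw_rule_table *t, const struct ids_report *r) {
    struct fw_rule nr = { r->pkt.src_ip, 0xffffffffu, r->pkt.dst_port, r->pkt.proto, r->action };
    for (int i = 0; i < t->count; i++)
        if (rule_equal(&t->rules[i], &nr)) return 0;
    if (t->count >= MAX_RULES) return -1;
    memmove(&t->rules[1], &t->rules[0], (size_t)t->count * sizeof nr);
    t->rules[0] = nr;
    t->count++;
    t->version++;
    return 1;
}

/* delivery of the updated table to the firewall subsystem (steps S13 and S31) */
void push_rules(const struct fw_rule_table *from, struct fw_rule_table *to) { *to = *from; }

int main(void) {
    struct fw_rule_table ctrl = {0}, fw = {0};
    /* constructed report: a telnet connection attempt the IDS judged invalid */
    struct ids_report rep = { { ip4(10,0,0,5), ip4(192,168,1,10), 40000, 23, 6 },
                              "telnet attempt (constructed)", FW_DROP };
    printf("before update: %s\n", fw_filter(&fw, &rep.pkt) == FW_DROP ? "drop" : "pass");
    controller_update(&ctrl, &rep);
    push_rules(&ctrl, &fw);
    printf("after update v%u: %s\n", fw.version, fw_filter(&fw, &rep.pkt) == FW_DROP ? "drop" : "pass");
    return 0;
}
```

Until `push_rules` runs, the firewall still filters with its old table, which is the gap between steps S12 and S13 that a real deployment has to keep short.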
The security protection system provided by this embodiment of the invention designs and implements the intrusion detection subsystem and the firewall subsystem on DPDK, and both subsystems expose control interfaces to the upper layer. Deployment is flexible and scalability is good, so the system adapts well to virtualization and cloud computing platforms; with reduced packet copying and core affinity it provides high-performance packet capture and detection and copes with high-throughput network environments; and the control interfaces exposed to the upper layer give good controllability and ease O&M and management.
Based on the above embodiment, a security protection system provided by another embodiment of the present invention further comprises a graphical user interface connected to the controller subsystem, for the user to select updates to the intrusion detection subsystem rules and/or the firewall subsystem rules.
Specifically, the controller subsystem exposes a graphical user interface to the upper layer. When the controller subsystem receives invalid data reported by the intrusion detection subsystem, it passes that invalid data to the graphical user interface, which displays the invalid data as warning information, and the user selects whether to update the intrusion detection subsystem rules and/or the firewall subsystem rules. In addition, the user can view detection statistics, existing rules and so on through the graphical user interface and configure them according to actual needs, which is not specifically limited here.
In the security protection system provided by this embodiment of the invention, the controller subsystem exposes a graphical interface to the user, so that the user can select updates to the intrusion detection subsystem rules and/or the firewall subsystem rules through the graphical user interface; this allows good interaction between the user and the security protection system and improves the user experience.
Fig. 2 is a schematic structural diagram of the controller subsystem in a security protection system according to an embodiment of the present invention. As shown in Fig. 2, based on any of the above embodiments, in this embodiment the controller subsystem 1 further comprises an intrusion detection subsystem management module 11 and a firewall subsystem management module 12, wherein:
the intrusion detection subsystem management module 11 is configured to obtain the invalid data in the detection result, update the intrusion detection subsystem rules based on that invalid data, and deliver the updated intrusion detection subsystem rules to the intrusion detection subsystem 2;
the firewall subsystem management module 12 is configured to update the firewall subsystem rules based on the invalid data in the detection result and deliver the updated firewall subsystem rules to the firewall subsystem 3.
Specifically, as shown in Fig. 2, the intrusion detection subsystem management module 11 further comprises a registration management unit 111, a statistics management unit 112 and a rule management unit 113, wherein:
the registration management unit 111 registers the intrusion detection subsystem 2 and stores its registration information; the statistics management unit 112 periodically obtains detection statistics from the intrusion detection subsystem 2 and stores them, the statistics including how many packets of which kinds were detected within a given period, and so on; the rule management unit 113 updates and delivers the intrusion detection subsystem rules.
The firewall subsystem management module 12 further comprises a registration management unit 121 and a rule management unit 122, wherein: the registration management unit 121 registers the firewall subsystem 3 and stores its registration information; the rule management unit 122 updates and delivers the firewall subsystem rules.
Further, in this embodiment the controller subsystem 1 also comprises an Agent module 13 for interacting with the upper-layer graphical user interface, so that the user can select updates to the intrusion detection subsystem rules and/or the firewall subsystem rules through the graphical user interface; the user can also view detection statistics, existing rules and so on through the graphical user interface and configure them according to actual needs, which is not specifically limited here.
By providing an intrusion detection subsystem management module and a firewall subsystem management module in the controller subsystem, the security protection system of this embodiment of the invention manages the intrusion detection subsystem and the firewall subsystem effectively, so that the security protection system has good controllability and is easy to operate, maintain and manage.
Fig. 3 be the embodiment of the present invention a kind of security protection system in sub-idses structural representation, such as Fig. 3 Shown, based on any of the above-described embodiment, in the present embodiment, the sub-idses 2 further comprise the first control module 21st, first detection module 22 and output module 23, wherein:
First control module 21 respectively with the control device subsystem 1, first detection module 22 and output module 23 Connection, the sub-idses rule for the control device subsystem 1 to be issued are sent to the first detection module 22, Invalid data in the testing result is wrapped and reaches the control device subsystem 1;First control module 21 also includes One sub-idses regulation management unit 215, for storing the sub-idses rule;
The first detection module 22 is connected with first control module 21 and output module 23 respectively, for based on The packet receiving mechanism of DPDK zero-copy receives any data bag, parses any data bag;Based on DPDK multinuclear mechanism, from described The intrusion detection subsystem corresponding to any data bag after parsing is found in sub-idses regulation management unit 215 System rule, using with corresponding to any data bag after parsing sub-idses rule, described in after parsing Packet is detected, and obtains the testing result of any data bag;
The output module 23 is connected with first control module 21 and first detection module 22, for regularly traveling through institute State testing result;The invalid data known based on the testing result is wrapped and is transmitted to first control module 21.
Specifically, as shown in figure 3, first control module 21 respectively with control device subsystem 1, first detection module 22 Connected with output module 23, it further comprises that Agent units 211, detection module administrative unit 212, output module management are single Member 213, log management unit 214, regulation management unit 215.Wherein:
Agent units 211 are used to interact with control device subsystem 1, and interaction content includes:Log-on message, receive rule Then list item, upload suspicious information etc., are communicated by socket sockets and the messaging protocol appointed.Specifically, Agent For the software architecture with autonomy, system can be added independently of or collect deletion without influenceing whole system from system, Agent is real The function of body is more complete, and the scalability of system is better, and interface has been opened to upper strata by Agent, and improve system can Control property.
Detection module administrative unit 212 is responsible for the initialization and management of first detection module 22.
Output module administrative unit 213 is responsible for the initialization and management of output module 23.
Log management unit 214 is responsible for log information caused by the logger module 231 of processing output module 23.
Regulation management unit 215 is used to receive the rule that Agent units 211 issue, to sub-idses rule base It is managed, and is cooperateed with the detection matching unit 222 of first detection module 22.Specifically, regulation management unit 215 can not Rule base, increase or deletion rule are updated disconnectedly.
The first detection module 22 is connected with the first control module 21 and output module 23 respectively, and it further comprises counting According to collecting unit 221 and detection matching unit 222.Wherein:
Packet receiving mechanism of the data acquisition unit 221 based on DPDK zero-copy, bind more network interface cards, more queues collaboration capture data Bag, and packet is parsed.
Detect matching unit 222 to be used to travel through pretreatment plug-in unit, the packet by parsing is pre-processed;And it is based on DPDK multinuclear mechanism, traversal rule storehouse, the packet by pretreatment is scanned and matched, obtains the detection knot of packet Fruit;Testing result is packaged into message, the pending buffering area of deposit according to certain form, so that output module 23 is handled.Its In, the testing result includes:Packet information, match information, warning message and action message.
Specifically, Snort NIDS are filtered to packet, buffered and copied by Libpcap sniffers, by data Bag is delivered to each application buffer.In this process, packet experienced from network to kernel spacing, be empty from kernel Between to user's space twice packet copy.And in embodiments of the present invention, number is realized by the packet receiving mechanism of DPDK zero-copy According to bag zero-copy, in particular to:DPDK environment abstraction layer is realized to operating system nucleus and bottom network interface card I/O operation Shielding, i.e. I/O have bypassed kernel and protocol stack, and packet is directly stored in cache from network, and logarithm is realized in kernel state According to the Decoding Analysis of bag, so as to avoid frequent switching context, and packet is effectively prevented from the numerous copy band of internal memory intermediate frequency The performance issue come.Bind more network interface cards, more queues collaboration capture packet is then to be tied to each queue on multiple network interface cards Collaboration captures to packet on different processor cores, and each equal independent process of core reaches the packet of the queue, reduces Packet can meet under heavy traffic condition in internuclear transmission expense with the flexible number expanding treatment ability of core Packet capture.NIC driver is that each receiving queue sets corresponding interrupt number, by the equilibrium treatment of interruption, or Person sets the compatibility interrupted, so as to realize that queue is tied to different core.Parsing is carried out to the packet to refer to data Bag carries out Decoding Analysis, the message structure that decoded packet data is defined into Snort, for subsequent analysis.
The output module 23 is connected with the first control module 21 and the first detection module 22, and further comprises a logging unit 231 and a match information reporting unit 232. Wherein:
The logging unit 231 periodically traverses the to-be-processed buffer and records the detection results of the packets stored in it to the system log. The recorded information includes the timestamp, message information, match information, processing action, etc.
The match information reporting unit 232, according to the OpenSecurity protocol, encapsulates the message information and action information of the illegal packets identified from the detection results, and forwards the encapsulated illegal packets to the first control module 21.
In the security protection system provided by the embodiment of the present invention, the intrusion detection subsystem is designed and implemented based on DPDK and opens a control interface to the upper layer; deployment is flexible and scalability is good, so it adapts well to virtualization and cloud computing platforms; with features such as reduced message copying and core affinity, it can provide high-performance packet acquisition and detection capability and adapt to high-throughput network environments; and, by opening a control interface to the upper layer, it has good controllability and is easy to operate and manage.
Fig. 4 is a structural diagram of the firewall subsystem in a security protection system according to an embodiment of the present invention. As shown in Fig. 4, based on any of the above embodiments, in this embodiment the firewall subsystem 3 further comprises a second control module 31 and a second detection module 32, wherein:
The second control module 31 is connected with the controller subsystem 1 and the second detection module 32, and is used to send the firewall subsystem rules issued by the controller subsystem 1 to the second detection module 32; the second control module 31 also includes a firewall subsystem rule management unit 313 for storing the firewall subsystem rules;
The second detection module 32 is connected with the second control module 31, and is used to receive any packet based on the DPDK zero-copy packet receiving mechanism and parse it; based on the DPDK multi-core mechanism, it looks up in the firewall subsystem rule management unit 313 the firewall subsystem rule corresponding to the parsed packet, and filters the packet using that rule.
Specifically, as shown in Fig. 4, the second control module 31 is connected with the controller subsystem 1 and the second detection module 32, and further comprises an Agent unit 311, an environment configuration unit 312, a rule management unit 313 and a log management unit 314. Wherein:
The Agent unit 311 interacts with the controller subsystem 1; the interaction covers registration information, receiving rule entries, etc., and is carried out over sockets with an agreed messaging protocol. Specifically, the Agent has an autonomous software architecture and can be added to or deleted from the system independently without affecting the whole system; the more complete the functions of the Agent entity, the better the scalability of the system. Through the Agent an interface is opened to the upper layer, which improves the controllability of the system.
The environment configuration unit 312 is used for unified configuration of the running environment of the system.
The rule management unit 313 receives the rules issued by the Agent unit, manages the rule base, and cooperates with the rule matching unit of the second detection module 32. Specifically, the rule management unit 313 can continuously update the rule base by adding or deleting rules.
The log management unit 314 processes the log information generated by the logging unit 324 of the second detection module 32.
The second detection module 32 includes a packet receiving unit 321, a rule matching unit 322, a packet processing unit 323 and a logging unit 324. Wherein:
The packet receiving unit 321 receives packets on multiple NICs and multiple queues based on the DPDK zero-copy packet receiving mechanism, and stores them in the to-be-processed buffer.
The rule matching unit 322, based on the DPDK multi-core mechanism, traverses the rule base and scans and matches the packets in the buffer pool one by one; if a packet matches a certain rule, it is delivered to the packet processing unit 323.
The packet processing unit 323 performs processing such as pass, drop, forward and NAT on the packet according to the rule.
The logging unit 324 records the processing information of the packet to the system log; the content recorded includes: timestamp, message information, match information and processing action.
In the security protection system provided by the embodiment of the present invention, the firewall subsystem is designed and implemented based on DPDK, which improves the packet processing speed of the firewall subsystem, and the firewall subsystem opens a control interface to the upper layer, ensuring that the firewall subsystem rules can be updated in time so that the firewall subsystem can filter packets more efficiently.
Fig. 5 is an overall flow diagram of a security protection method according to an embodiment of the present invention. As shown in Fig. 5, based on any of the above embodiments, this embodiment provides a security protection method comprising: S1, the controller subsystem updates the intrusion detection subsystem rules and the firewall subsystem rules according to the illegal data in the detection results reported by the intrusion detection subsystem, and issues the updated intrusion detection subsystem rules and firewall subsystem rules to the intrusion detection subsystem and the firewall subsystem respectively; S2, the intrusion detection subsystem, based on DPDK, acquires and detects any packet using the intrusion detection subsystem rules issued by the controller subsystem, and reports the illegal data in the detection results to the controller subsystem; S3, the firewall subsystem, based on DPDK, filters any packet using the firewall subsystem rules issued by the controller subsystem.
Specifically, in this embodiment the controller subsystem has first received the illegal data in the previous detection results reported by the intrusion detection subsystem and has displayed it through the graphical user interface, so that the user updates the intrusion detection subsystem rules and the firewall subsystem rules. On this basis, the controller subsystem issues the updated intrusion detection subsystem rules and firewall subsystem rules to the intrusion detection subsystem and the firewall subsystem respectively; thereafter, the controller subsystem periodically sends a request for detection result statistics to the intrusion detection subsystem; on receiving the request, the intrusion detection subsystem acquires and detects any packet based on DPDK using the updated intrusion detection subsystem rules issued by the controller subsystem, obtains and stores the detection results, and at the same time traverses the detection results, finds the illegal data in them and reports the illegal data to the controller subsystem; the controller subsystem receives the illegal data in the detection results reported by the intrusion detection subsystem and displays it through the graphical user interface so that the user updates the intrusion detection subsystem rules and the firewall subsystem rules again, and finally the controller subsystem issues the second-updated intrusion detection subsystem rules and firewall subsystem rules to the intrusion detection subsystem and the firewall subsystem respectively; afterwards, the firewall subsystem receives the second-updated firewall subsystem rules issued by the controller subsystem and filters any packet based on DPDK using those rules.
In the security protection method provided by the embodiment of the present invention, the intrusion detection subsystem and the firewall subsystem are designed and implemented based on DPDK and open a control interface to the upper layer; deployment is flexible and scalability is good, so they adapt well to virtualization and cloud computing platforms; with features such as reduced message copying and core affinity, they can provide high-performance packet acquisition and detection capability and adapt to high-throughput network environments; and, by opening a control interface to the upper layer, they have good controllability and are easy to operate and manage.
Based on any of the above embodiments, in this embodiment step S1 is preceded by: S0, initializing the controller subsystem, the intrusion detection subsystem and the firewall subsystem respectively.
Specifically, the security protection method of this embodiment is essentially the same as the security protection method shown in Fig. 5, and the common parts are not repeated here. The difference is that the security protection method of this embodiment must first initialize the controller subsystem, the intrusion detection subsystem and the firewall subsystem respectively. Wherein:
The initialization of the controller subsystem includes: starting socket listening and waiting for the protection nodes (including the intrusion detection subsystem and the firewall subsystem) to connect, the controller subsystem communicating with the protection nodes in a custom protocol format; connecting to the database; and registering a timer for obtaining detection result statistics from the intrusion detection subsystem.
The initialization of the intrusion detection subsystem includes the initialization of the first control module, the initialization of the first detection module and the initialization of the output module. Wherein:
The initialization of the first control module includes:
Command-line parameter parsing and DPDK configuration file parsing; specifically, the command-line parameters are the parameters given when snort is started, and the DPDK configuration file specifies the first detection modules, the output modules, the number of to-be-processed buffers, the data plane IP, and the IP and port of the controller subsystem;
Agent initialization, specifically: creating a socket, receiving and parsing the instructions sent by the controller subsystem, collecting local statistics and sending them to the controller subsystem after encapsulation;
Initiating a registration request to the controller subsystem, specifically: packaging the number of first detection modules, the number of output modules, the number of NICs, the number of to-be-processed buffers, the data plane IP type and the data plane IP information, and sending a registration request to the controller subsystem;
Receiving and parsing the rule configuration file issued by the controller subsystem;
Initialization of the DPDK environment abstraction layer; specifically, DPDK provides its own API, and this step initializes those APIs;
Initializing the ring buffers, where the ring buffers include: the instruction buffer, the statistics buffer and the to-be-processed buffer;
Configuring RSS (receive side scaling) to ensure that different packets belonging to the same flow are sent to the same module;
Configuring the receive queues, where the number of receive queues configured on each NIC equals the number of modules;
Registering a first timer, so that the first control module periodically checks the statistics buffer and confirms whether the statistics in the statistics buffer need to be updated.
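The RSS step above and the per-core receive queues described for the first detection module both rely on the NIC hashing each packet's flow tuple to a queue. As an added example (not code from the patent), the following C re-implements the Toeplitz hash NICs compute for RSS, so it runs without DPDK (DPDK wraps the same algorithm in its rte_thash library), and shows that one flow always lands on one queue, and, with the constructed symmetric key used here, both directions of a connection land on the same queue. The function names, the key and the identity redirection table assumed in rss_queue are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the patent's code: the Toeplitz hash that NICs compute
 * for RSS, re-implemented so it runs without DPDK (DPDK wraps the same
 * algorithm in its rte_thash library). It shows why configuring RSS keeps
 * every packet of one flow on one queue, and therefore on one core/module. */
#define RSS_KEY_LEN 40
static uint8_t rss_key[RSS_KEY_LEN];

/* Constructed symmetric key (0x6d5a repeated): because the key bits repeat
 * with period 16, the hash is the same for both directions of a connection. */
static void rss_key_init(void)
{
    for (size_t i = 0; i < RSS_KEY_LEN; i++)
        rss_key[i] = (i % 2 == 0) ? 0x6d : 0x5a;
}

/* Toeplitz: for every set input bit (MSB first), XOR into the result the
 * 32-bit window of the key that starts at that bit position. */
uint32_t toeplitz_hash(const uint8_t *key, size_t keylen,
                       const uint8_t *data, size_t len)
{
    uint32_t window = ((uint32_t)key[0] << 24) | ((uint32_t)key[1] << 16) |
                      ((uint32_t)key[2] << 8) | key[3];
    uint32_t result = 0;
    size_t kidx = 4;                        /* next key byte to slide in */
    for (size_t i = 0; i < len; i++, kidx++) {
        uint8_t next = (kidx < keylen) ? key[kidx] : 0;
        for (int b = 7; b >= 0; b--) {
            if (data[i] & (1u << b))
                result ^= window;
            window = (window << 1) | ((uint32_t)(next >> b) & 1u);
        }
    }
    return result;
}

/* IPv4/TCP 4-tuple in host byte order. */
struct flow4 { uint32_t sip, dip; uint16_t sport, dport; };

/* Hash input is the big-endian concatenation sip | dip | sport | dport,
 * the field order used for the IPv4/TCP RSS hash type. */
uint32_t rss_hash_ipv4_tcp(const struct flow4 *f)
{
    uint8_t in[12] = {
        f->sip >> 24, f->sip >> 16, f->sip >> 8, f->sip,
        f->dip >> 24, f->dip >> 16, f->dip >> 8, f->dip,
        f->sport >> 8, f->sport, f->dport >> 8, f->dport };
    rss_key_init();
    return toeplitz_hash(rss_key, RSS_KEY_LEN, in, sizeof in);
}

/* Queue choice: low hash bits index the redirection table; with an identity
 * table and a power-of-two queue count (assumed here) that is a simple mask. */
unsigned rss_queue(const struct flow4 *f, unsigned nqueues)
{
    return rss_hash_ipv4_tcp(f) & (nqueues - 1);
}

int main(void)
{
    struct flow4 fwd = { 0x0a000005u, 0xc0a80114u, 40000, 80 };   /* 10.0.0.5:40000 -> 192.168.1.20:80 */
    struct flow4 rev = { 0xc0a80114u, 0x0a000005u, 80, 40000 };   /* the reply direction */
    printf("forward queue %u, reverse queue %u\n", rss_queue(&fwd, 4), rss_queue(&rev, 4));
    return 0;
}
```

With a non-symmetric key the two directions of one connection can land on different cores, which is why a detection module that reassembles TCP streams needs either a symmetric key or a redirection step between cores.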
The initialization of the first detection module includes:
Copying the matching rules; specifically, the first control module has parsed the configuration file and obtained the Snort_Config structure; when the first detection module is started, a pointer to this structure is passed in as a parameter, and the first detection module copies the Snort_Config structure as a local variable;
Registering the preprocessing plug-ins, including: ARPspoof, Normalizer, SessionManager, Stream6, RpcDecode, Bo, HttpInspect, PerfMonitor, SfPortScan, Register Rule Option and dynamic plug-in loading, and configuring the preprocessing plug-ins;
Checking whether the NICs and queues are working normally; if not, the system exits abnormally;
Registering a second timer, so that the first detection module periodically checks the instruction buffer to determine whether an instruction sent by the first control module has been received;
Starting the NICs.
The initialization of the output module includes: initializing the output plug-ins; registering a third timer for periodically checking whether the instruction buffer has received an instruction sent by the first control module.
The initialization of the firewall subsystem includes the initialization of the second control module and the initialization of the second detection module. Wherein:
The initialization of the second control module is essentially the same as the initialization of the first control module in the intrusion detection subsystem described above; refer to the initialization of the first control module above, which is not repeated here.
The initialization of the second detection module includes:
Copying the matching rules; specifically, the second control module has parsed the configuration file and obtained the rte_acl_field structure array; when the second detection module is started, a pointer to this structure is passed in as a parameter, the DPDK-ACL interface is called, and the rule array is converted into an rte_acl_ctx structure for fast processing of subsequent packets;
Registering a second timer for periodically updating the rule tree;
Checking whether the NICs and queues are working normally; if not, the system exits abnormally;
Starting the NICs.
In the security protection method provided by the embodiment of the present invention, the controller subsystem, the intrusion detection subsystem and the firewall subsystem are initialized respectively, so that the functions of each subsystem are configured and the subsystems cooperatively achieve the security protection of the whole system.
Fig. 6 is a workflow diagram of the controller subsystem in a security protection method according to an embodiment of the present invention. As shown in Fig. 6, based on any of the above embodiments, in this embodiment step S1 further comprises: S11, the intrusion detection subsystem management module obtains the illegal data in the detection results; S12, the intrusion detection subsystem management module and the firewall subsystem management module update the intrusion detection subsystem rules and the firewall subsystem rules respectively based on the illegal data in the detection results; S13, the intrusion detection subsystem management module and the firewall subsystem management module issue the updated intrusion detection subsystem rules and firewall subsystem rules to the intrusion detection subsystem and the firewall subsystem respectively.
Specifically, when an intrusion detection subsystem and a firewall subsystem connect, the controller subsystem first receives their registration requests, responds to them, records the registration information in the database and displays the intrusion detection subsystem and firewall subsystem information on the graphical user interface. At the same time the controller subsystem sends a unified configuration rule file to the intrusion detection subsystem and firewall subsystem nodes. Then the intrusion detection subsystem management module periodically sends a request to the intrusion detection subsystem to obtain statistics, receives the statistics of the intrusion detection subsystem's detection results, stores them in the database and displays the detection statistics on the graphical user interface. If detection information about illegal packets is received, the illegal packet information is stored in the database and the graphical user interface displays the illegal packet alert information; the user selects to update the intrusion detection subsystem rules and the firewall subsystem rules, and the intrusion detection subsystem management module and the firewall subsystem management module, based on the user's selection, update the intrusion detection subsystem rules and the firewall subsystem rules and issue the updated rules to the intrusion detection subsystem and the firewall subsystem respectively.
In the security protection method provided by the embodiment of the present invention, through the cooperative work of the intrusion detection subsystem management module and the firewall subsystem management module in the controller subsystem, effective management of the intrusion detection subsystem and the firewall subsystem is achieved, so that the security protection system has good controllability and is easy to operate and manage.
Fig. 7 is a workflow diagram of the intrusion detection subsystem in a security protection method according to an embodiment of the present invention. As shown in Fig. 7, based on any of the above embodiments, in this embodiment step S2 further comprises: S21, the first control module sends the intrusion detection subsystem rules issued by the controller subsystem to the first detection module; S22, the first detection module receives any packet based on the DPDK zero-copy packet receiving mechanism and parses it; based on the DPDK multi-core mechanism, it looks up in the intrusion detection subsystem rule management unit the intrusion detection subsystem rule corresponding to the parsed packet, detects the parsed packet using that rule, and obtains the detection result of the packet; S23, the output module periodically traverses the detection results and forwards the illegal packets identified from the detection results to the first control module.
Specifically, in step S21 the first control module cyclically performs the following operations: waiting for instructions sent by the controller subsystem; receiving the rules issued by the controller subsystem, parsing them and updating the rule structure; and sending the intrusion detection subsystem rules issued by the controller subsystem to the first detection module.
In step S22 the first detection module cyclically performs the following operations: if the timer has expired, extracting the instruction sent by the controller subsystem from the instruction buffer, parsing it and executing the corresponding handler; traversing the bound receive queues, obtaining the packets of each queue and performing decoding analysis on each packet; traversing the preprocessing plug-ins to preprocess the decoded packets; traversing the rule base to detect and match the preprocessed packets and obtain the detection result of each packet; packaging the detection result into a message in a fixed format and storing it in the to-be-processed buffer for the output module to handle. The detection result includes: packet information, match information, alert information, action information, etc.
Specifically, traversing the preprocessing plug-ins and preprocessing the parsed packets means: checking the parsed packets by traversing the preprocessing plug-ins in order to find suspicious "behaviour" in them; after preprocessing, the packets go on to rule matching detection. The functions implemented by the preprocessing plug-ins mainly include: plug-ins that simulate TCP/IP stack functions, such as the IP fragment reassembly and TCP stream reassembly plug-ins; decoding plug-ins, such as the http, unicode, rpc and telnet decoding plug-ins; and plug-ins used where rule matching cannot perform attack detection, such as the port scan plug-in, the Spade anomaly intrusion detection plug-in, the bo detection plug-in and the arp spoofing detection plug-in. The preprocessing plug-ins can be configured flexibly according to actual needs.
Scanning and matching the preprocessed packets by traversing the rule base based on the DPDK multi-core mechanism means: each core independently processes the packets that reach it, analyses the features present in the preprocessed packets, traverses the rule base and matches the analysed features one by one against the rules in the rule base; when a feature matches a certain rule in the rule base, the packet is judged to contain intrusion behaviour, i.e. the packet is illegal.
The rules in the rule base conform to the Snort rule format specification. A Snort rule is divided into two logical parts: the rule header and the rule options. The rule header includes the rule action, the protocol, the source and destination IP addresses with their netmasks, the source and destination port information, and the direction operator; the rule options part contains the alert message content and the specific parts of the packet to be checked, and is made up of option keywords and their parameters.
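As an added example (not code from the patent or from Snort), the following C parses the two logical parts of a rule described above and performs the per-packet match step of a detection core: header fields are checked against a decoded packet, then the content option is searched in the payload. It covers "any", CIDR netmasks, single ports and port ranges, the "->" and "<>" operators, and the msg and content options; variables such as $HOME_NET and the other option keywords are outside its scope, and all type and function names are this example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Added example, not the patent's code: a minimal parser for the two logical
 * parts of a Snort rule (header: action, protocol, source/destination address
 * with netmask, ports, direction operator; options: "msg" and a plain
 * "content") and the per-packet match a detection core then performs.
 * $HOME_NET-style variables and other option keywords are not handled. */
enum rule_action { ACT_ALERT, ACT_LOG, ACT_PASS, ACT_DROP };
static const char *ACTION_NAMES[] = { "alert", "log", "pass", "drop" };
static const char *PROTO_NAMES[]  = { "ip", "tcp", "udp", "icmp" };
static const int   PROTO_NUMS[]   = { 0, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP };
struct ipmask   { uint32_t addr, mask; int any; };   /* host byte order */
struct portspec { uint16_t lo, hi; int any; };
struct snort_rule {
    enum rule_action action; int proto;   /* proto 0 = any IP protocol */
    struct ipmask src, dst; struct portspec sport, dport;
    int bidir;                            /* 1 for "<>", 0 for "->" */
    char msg[64], content[64];
};
/* Decoded packet as the detection core sees it (constructed shape). */
struct pkt { int proto; uint32_t sip, dip; uint16_t sport, dport;
             const char *payload; size_t len; };

static int lookup(const char *s, const char **names, int n)
{
    for (int i = 0; i < n; i++) if (strcmp(s, names[i]) == 0) return i;
    return -1;
}
/* "any", "10.0.0.1" or "192.168.1.0/24" -> address and netmask. */
static int parse_ipmask(const char *s, struct ipmask *m)
{
    char buf[32], *slash; struct in_addr a; int bits = 32;
    memset(m, 0, sizeof *m);
    if (strcmp(s, "any") == 0) { m->any = 1; return 0; }
    if (strlen(s) >= sizeof buf) return -1;
    strcpy(buf, s);
    if ((slash = strchr(buf, '/')) != NULL) { *slash = 0; bits = atoi(slash + 1); }
    if (bits < 0 || bits > 32 || inet_pton(AF_INET, buf, &a) != 1) return -1;
    m->mask = bits ? 0xffffffffu << (32 - bits) : 0;
    m->addr = ntohl(a.s_addr) & m->mask;
    return 0;
}
/* "any", "80" or a range "1:1024". */
static int parse_port(const char *s, struct portspec *p)
{
    const char *colon = strchr(s, ':');
    memset(p, 0, sizeof *p);
    if (strcmp(s, "any") == 0) { p->any = 1; return 0; }
    p->lo = (uint16_t)atoi(s);
    p->hi = colon ? (uint16_t)atoi(colon + 1) : p->lo;
    return p->lo <= p->hi ? 0 : -1;
}
/* Find `key` in the option text and copy its quoted value into dst. */
static void take_quoted(const char *opts, const char *key, char *dst, size_t cap)
{
    const char *s = strstr(opts, key), *e; dst[0] = 0;
    if (!s || !(s = strchr(s + strlen(key), '"')) || !(e = strchr(++s, '"'))) return;
    size_t n = (size_t)(e - s); if (n >= cap) n = cap - 1;
    memcpy(dst, s, n); dst[n] = 0;
}
/* Parse "action proto src sport dir dst dport (key:value; ...)"; 0 = ok, -1 = bad. */
int parse_rule(const char *text, struct snort_rule *r)
{
    char buf[512], *opts, *tok; const char *f[7]; int n = 0, a, p;
    memset(r, 0, sizeof *r);
    if (strlen(text) >= sizeof buf || !(opts = strchr(text, '('))) return -1;
    strcpy(buf, text);
    opts = buf + (opts - text); *opts++ = 0;      /* split header | options */
    for (tok = strtok(buf, " \t"); tok && n < 7; tok = strtok(NULL, " \t")) f[n++] = tok;
    if (n != 7 || (a = lookup(f[0], ACTION_NAMES, 4)) < 0 ||
        (p = lookup(f[1], PROTO_NAMES, 4)) < 0) return -1;
    r->action = (enum rule_action)a; r->proto = PROTO_NUMS[p];
    if (parse_ipmask(f[2], &r->src) || parse_port(f[3], &r->sport) ||
        parse_ipmask(f[5], &r->dst) || parse_port(f[6], &r->dport)) return -1;
    if (strcmp(f[4], "<>") == 0) r->bidir = 1;
    else if (strcmp(f[4], "->") != 0) return -1;
    take_quoted(opts, "msg:", r->msg, sizeof r->msg);
    take_quoted(opts, "content:", r->content, sizeof r->content);
    return 0;
}

static int ip_ok(const struct ipmask *m, uint32_t a) { return m->any || (a & m->mask) == m->addr; }
static int port_ok(const struct portspec *p, uint16_t v) { return p->any || (v >= p->lo && v <= p->hi); }
static int endpoints_ok(const struct snort_rule *r, const struct pkt *p, int rev)
{
    uint32_t s = rev ? p->dip : p->sip, d = rev ? p->sip : p->dip;
    uint16_t sp = rev ? p->dport : p->sport, dp = rev ? p->sport : p->dport;
    return ip_ok(&r->src, s) && port_ok(&r->sport, sp) && ip_ok(&r->dst, d) && port_ok(&r->dport, dp);
}
/* 1 if the packet matches the header and the content option (an "illegal" packet). */
int rule_matches(const struct snort_rule *r, const struct pkt *p)
{
    size_t clen = strlen(r->content);
    if (r->proto && r->proto != p->proto) return 0;
    if (!endpoints_ok(r, p, 0) && !(r->bidir && endpoints_ok(r, p, 1))) return 0;
    for (size_t i = 0; clen && i + clen <= p->len; i++)
        if (memcmp(p->payload + i, r->content, clen) == 0) return 1;
    return clen == 0;
}
```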
The detection result is packaged into a message in a fixed format and stored in the to-be-processed buffer (ToBeProcessed_RingBuffer), where ToBeProcessed_RingBuffer is a ring buffer used to store the detection results of all packets, including the packet's message information, the matched rule information, the alert information and the rule's processing action. Storing the messages in a ring buffer avoids frequent memory allocation, and the ring buffer can be accessed quickly, providing high-performance data access.
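As an added example that is not the patent's own code, the following C implements a ring of fixed-size detection-result records in the role of ToBeProcessed_RingBuffer: the detection core is the single producer, the output module's periodic pass is the single consumer, no memory is allocated on either path, and a consumer that falls behind causes counted drops rather than unbounded growth. The record layout, function names and the demo values are this example's own.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the patent's code: a fixed-size single-producer /
 * single-consumer ring standing in for ToBeProcessed_RingBuffer. The detection
 * core pushes one record per detected packet, the output module drains the ring
 * when its timer fires. Neither path allocates memory, and when the consumer
 * lags the producer counts drops instead of letting the queue grow. */
#define RING_SLOTS 8u                   /* power of two; tiny for the demo */

struct det_result {                     /* the fields listed for the message */
    uint64_t ts_ns;                     /* timestamp */
    uint32_t sip, dip;                  /* message information: endpoints */
    uint16_t sport, dport;
    uint32_t rule_id;                   /* match information: rule that hit */
    char alert[48];                     /* alert information */
    uint8_t action;                     /* the rule's processing action */
};

struct det_ring {
    struct det_result slot[RING_SLOTS];
    _Atomic uint32_t head;              /* advanced by the producer only */
    _Atomic uint32_t tail;              /* advanced by the consumer only */
    uint32_t dropped;                   /* producer-side count of lost records */
};

void ring_init(struct det_ring *r)
{
    atomic_store(&r->head, 0);
    atomic_store(&r->tail, 0);
    r->dropped = 0;
}

/* Producer side: 0 on success, -1 (and a counted drop) when the ring is full. */
int ring_push(struct det_ring *r, const struct det_result *d)
{
    uint32_t h = atomic_load_explicit(&r->head, memory_order_relaxed);
    uint32_t t = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (h - t == RING_SLOTS) { r->dropped++; return -1; }
    r->slot[h & (RING_SLOTS - 1)] = *d;
    atomic_store_explicit(&r->head, h + 1, memory_order_release);
    return 0;
}

/* Consumer side: 0 and *out filled, or -1 when the ring is empty. */
int ring_pop(struct det_ring *r, struct det_result *out)
{
    uint32_t t = atomic_load_explicit(&r->tail, memory_order_relaxed);
    uint32_t h = atomic_load_explicit(&r->head, memory_order_acquire);
    if (h == t) return -1;
    *out = r->slot[t & (RING_SLOTS - 1)];
    atomic_store_explicit(&r->tail, t + 1, memory_order_release);
    return 0;
}

/* One output-module pass: write each queued record as a log line (log may be
 * NULL to skip writing); returns the number of records drained. */
unsigned ring_drain_to_log(struct det_ring *r, FILE *log)
{
    struct det_result d; unsigned n = 0;
    while (ring_pop(r, &d) == 0) {
        if (log)
            fprintf(log, "ts=%llu src=%u.%u.%u.%u:%u dst=%u.%u.%u.%u:%u rule=%u action=%u msg=\"%s\"\n",
                    (unsigned long long)d.ts_ns,
                    d.sip >> 24, (d.sip >> 16) & 255u, (d.sip >> 8) & 255u, d.sip & 255u, (unsigned)d.sport,
                    d.dip >> 24, (d.dip >> 16) & 255u, (d.dip >> 8) & 255u, d.dip & 255u, (unsigned)d.dport,
                    d.rule_id, (unsigned)d.action, d.alert);
        n++;
    }
    return n;
}

/* Demo: the detection core emits `burst` constructed results before the output
 * module's timer fires once. Returns the records logged; *dropped receives the loss. */
unsigned demo_burst(unsigned burst, uint32_t *dropped, FILE *log)
{
    static struct det_ring ring;
    struct det_result d = { 0, 0x0a000005u, 0xc0a80114u, 40000, 80, 1001, "constructed alert", 0 };
    ring_init(&ring);
    for (unsigned i = 0; i < burst; i++) { d.ts_ns = i; ring_push(&ring, &d); }
    unsigned logged = ring_drain_to_log(&ring, log);
    *dropped = ring.dropped;
    return logged;
}

int main(void)
{
    uint32_t lost;
    unsigned n = demo_burst(12, &lost, stdout);   /* 12 results into 8 slots */
    printf("logged %u, dropped %u\n", n, lost);   /* logged 8, dropped 4 */
    return 0;
}
```

The dropped counter is the figure an operator needs to watch: a non-zero value means alerts were lost because the output module's timer interval was too long for the detection rate.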
In step S23 the output module cyclically performs the following operations: if the timer has expired, extracting the instruction from the instruction buffer, parsing it and executing the corresponding handler; traversing the to-be-processed buffer, parsing the messages and passing their content to the log management unit, which records it to the system log in time, where the recorded content includes the timestamp, message information, match information, processing action, etc.; updating the global statistics, including the number of packets processed, the counts per protocol, etc., so that the controller subsystem can obtain them periodically through the Agent unit. If a packet is identified as illegal according to the detection result, the message information and action information of the illegal packet are encapsulated according to the OpenSecurity protocol, and the encapsulated illegal packet is passed to the output module management unit and then to the controller subsystem through the Agent unit.
In the security protection method provided by the embodiment of the present invention, the intrusion detection subsystem is designed and implemented based on DPDK and opens a control interface to the upper layer; deployment is flexible and scalability is good, so it adapts well to virtualization and cloud computing platforms; with features such as reduced message copying and core affinity, it can provide high-performance packet acquisition and detection capability and adapt to high-throughput network environments; and, by opening a control interface to the upper layer, it has good controllability and is easy to operate and manage.
Fig. 8 is a workflow diagram of the firewall subsystem in a security protection method according to an embodiment of the present invention. As shown in Fig. 8, based on any of the above embodiments, in this embodiment step S3 further comprises: S31, the second control module sends the firewall subsystem rules issued by the controller subsystem to the second detection module; S32, the second detection module receives any packet based on the DPDK zero-copy packet receiving mechanism and parses it; based on the DPDK multi-core mechanism, it looks up in the firewall subsystem rule management unit the firewall subsystem rule corresponding to the parsed packet and filters the packet using that rule.
Specifically, in step S31 the second control module cyclically performs the following operations: waiting for instructions sent by the controller subsystem; receiving the rules issued by the controller subsystem, parsing them and updating the rte_acl_field structure array; and finally sending the firewall subsystem rules issued by the controller subsystem to the second detection module.
In step S32 the second detection module cyclically performs the following operations: traversing the bound receive queues, obtaining the packets of each receive queue and performing decoding analysis on them; traversing the rte_acl_ctx rule tree to detect and match the packets; and processing the packets according to the detection result, where the processing modes include: drop, forward and NAT. For a packet to be dropped, the packet buffer is freed directly; for a packet to be forwarded, the packet is sent out on the forwarding port specified in the matched rule; for a packet that needs NAT, address translation is performed according to the address specified in the matched rule and the packet is sent out on the specified port.
In the security protection method provided by the embodiment of the present invention, the firewall subsystem is designed and implemented based on DPDK, which improves the packet processing speed of the firewall subsystem, and the firewall subsystem opens a control interface to the upper layer, ensuring that the firewall subsystem rules can be updated in time so that the firewall subsystem can filter packets more efficiently.
In summary, in the security protection system and method provided by the present invention, the intrusion detection subsystem and the firewall subsystem are designed and implemented based on DPDK and open a control interface to the upper layer; deployment is flexible and scalability is good, so they adapt well to virtualization and cloud computing platforms; with features such as reduced message copying and core affinity, they can provide high-performance packet acquisition and detection capability and adapt to high-throughput network environments; and, by opening a control interface to the upper layer, they have good controllability and are easy to operate and manage.
Finally, the methods of the present application are only preferred embodiments and are not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.

Claims (10)

1. A security protection system, characterised in that it comprises an intrusion detection subsystem, a firewall subsystem and a controller subsystem, wherein:
the controller subsystem is used to update the intrusion detection subsystem rules and the firewall subsystem rules according to the illegal data in the detection results reported by the intrusion detection subsystem, and to issue the updated intrusion detection subsystem rules and firewall subsystem rules to the intrusion detection subsystem and the firewall subsystem respectively;
the intrusion detection subsystem is used to acquire and detect any packet, based on the DPDK data plane development kit, using the intrusion detection subsystem rules issued by the controller subsystem, and to report the illegal data in the detection results to the controller subsystem;
the firewall subsystem is used to filter any packet, based on DPDK, using the firewall subsystem rules issued by the controller subsystem.
2. The system according to claim 1, characterised in that it further comprises a graphical user interface connected with the controller subsystem, for the user to select to update the intrusion detection subsystem rules and/or the firewall subsystem rules.
3. The system according to claim 1, characterised in that the controller subsystem further comprises an intrusion detection subsystem management module and a firewall subsystem management module, wherein:
the intrusion detection subsystem management module is used to obtain the illegal data in the detection results, update the intrusion detection subsystem rules based on the illegal data in the detection results, and issue the updated intrusion detection subsystem rules to the intrusion detection subsystem;
the firewall subsystem management module is used to update the firewall subsystem rules based on the illegal data in the detection results, and to issue the updated firewall subsystem rules to the firewall subsystem.
4. The system according to claim 1, characterised in that the intrusion detection subsystem further comprises a first control module, a first detection module and an output module, wherein:
the first control module is connected with the controller subsystem, the first detection module and the output module respectively, and is used to send the intrusion detection subsystem rules issued by the controller subsystem to the first detection module and to forward the illegal packets in the detection results to the controller subsystem; the first control module further comprises an intrusion detection subsystem rule management unit for storing the intrusion detection subsystem rules;
the first detection module is connected with the first control module and the output module respectively, and is used to receive any packet based on the DPDK zero-copy packet receiving mechanism and parse it; based on the DPDK multi-core mechanism, to look up in the intrusion detection subsystem rule management unit the intrusion detection subsystem rule corresponding to the parsed packet, and to detect the parsed packet using that rule and obtain the detection result of the packet;
the output module is connected with the first control module and the first detection module, and is used to periodically traverse the detection results and to forward the illegal packets identified from the detection results to the first control module.
5. The system according to claim 1, characterised in that the firewall subsystem further comprises a second control module and a second detection module, wherein:
the second control module is connected with the controller subsystem and the second detection module, and is used to send the firewall subsystem rules issued by the controller subsystem to the second detection module; the second control module further comprises a firewall subsystem rule management unit for storing the firewall subsystem rules;
the second detection module is connected with the second control module, and is used to receive any packet based on the DPDK zero-copy packet receiving mechanism and parse it; based on the DPDK multi-core mechanism, to look up in the firewall subsystem rule management unit the firewall subsystem rule corresponding to the parsed packet, and to filter the packet using that rule.
6. A security protection method based on the system according to any one of claims 1 to 5, characterised in that it comprises:
S1, the controller subsystem updates the intrusion detection subsystem rules and the firewall subsystem rules according to the illegal data in the detection results reported by the intrusion detection subsystem, and issues the updated intrusion detection subsystem rules and firewall subsystem rules to the intrusion detection subsystem and the firewall subsystem respectively;
S2, the intrusion detection subsystem, based on DPDK, acquires and detects any packet using the intrusion detection subsystem rules issued by the controller subsystem, and reports the illegal data in the detection results to the controller subsystem;
S3, the firewall subsystem, based on DPDK, filters any packet using the firewall subsystem rules issued by the controller subsystem.
7. according to the method for claim 6, it is characterised in that also include before step S1:S0, to the controller subsystem System, sub-idses and fire wall subsystem are initialized respectively.
8. according to the method for claim 6, it is characterised in that step S1 further comprises:
S11, the sub-idses management module obtain the invalid data in the testing result;
S12, the sub-idses management module and fire wall subsystem management module are based in the testing result Invalid data updates sub-idses rule and fire wall subsystem rule respectively;
S13, the sub-idses management module and fire wall subsystem management module respectively examine the invasion after renewal Survey subsystem rule and fire wall subsystem rule is issued to sub-idses and fire wall subsystem.
9. according to the method for claim 6, it is characterised in that step S2 further comprises:
S21, the sub-idses rule that first control module issues the control device subsystem are sent to described First detection module;
S22, packet receiving mechanism of the first detection module based on DPDK zero-copy receive any data bag, parse any data Bag;Based on DPDK multinuclear mechanism, appoint described in after finding and parsing from the sub-idses regulation management unit Sub-idses rule corresponding to one packet, is examined using with the invasion corresponding to any data bag after parsing Subsystem rule is surveyed, the packet after parsing is detected, obtains the testing result of any data bag;
S23, the output module timing travel through the testing result;The invalid data known based on the testing result is wrapped It is transmitted to first control module.
10. according to the method for claim 6, it is characterised in that step S3 further comprises:
S31, the fire wall subsystem rule that second control module issues the control device subsystem are sent to described the Two detection modules;
S32, packet receiving mechanism of second detection module based on DPDK zero-copy receive any data bag, parse any number According to bag;Based on DPDK multinuclear mechanism, appoint described in after finding and parsing from the fire wall subsystem regulation management unit Corresponding to one packet fire wall subsystem rule, using with corresponding to any data bag after parsing fire wall System convention, filtration treatment is carried out to any data bag.
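The control loop of claims 4 through 10 (the IDS detects, the output module periodically sweeps its results and reports invalid data, the controller updates both rule sets and re-issues them, the firewall filters with the new rules), simulated in Python as an added illustration; this is not code from the patent or its applicant. DPDK zero-copy receive and multicore rule lookup are replaced by an in-memory packet list and a dictionary keyed by protocol and destination port. The packet wire format, the rule formats, every class and function name, and the policy that one reported invalid packet yields a firewall rule dropping its source on that service are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class IdsRule:          # assumed "intrusion detection subsystem rule" format
    proto: str
    dport: int
    pattern: bytes      # byte pattern whose presence marks the packet as invalid data
    name: str


@dataclass(frozen=True)
class FwRule:           # assumed "firewall subsystem rule" format
    proto: str
    dport: int
    src: str            # source address to drop on this proto/port


def parse(raw: bytes) -> Packet:
    """Stand-in for header parsing. Constructed wire format: b'src>dst proto/dport|payload'."""
    hdr, payload = raw.split(b"|", 1)
    ends, svc = hdr.decode().split(" ")
    src, dst = ends.split(">")
    proto, dport = svc.split("/")
    return Packet(src, dst, proto, int(dport), payload)


class IdsSubsystem:
    """First control module, rule management unit, first detection module and output module."""

    def __init__(self, controller):
        self.controller = controller
        self.rules = defaultdict(list)   # rule management unit: (proto, dport) -> [IdsRule]
        self.results = []                # detection results waiting for the output module

    def install(self, rules):            # first control module: accept rules issued by the controller
        self.rules.clear()
        for r in rules:
            self.rules[(r.proto, r.dport)].append(r)

    def detect(self, raw):               # first detection module: parse, look up the matching rule, detect
        pkt = parse(raw)
        hit = next((r for r in self.rules[(pkt.proto, pkt.dport)] if r.pattern in pkt.payload), None)
        self.results.append((pkt, hit))
        return hit

    def sweep(self):                     # output module: periodic traversal, report invalid data upward
        invalid = [(p, r) for p, r in self.results if r is not None]
        self.results.clear()
        if invalid:
            self.controller.report(invalid)
        return len(invalid)


class FirewallSubsystem:
    """Second control module, rule management unit and second detection module."""

    def __init__(self):
        self.rules = defaultdict(set)    # rule management unit: (proto, dport) -> blocked sources

    def install(self, rules):            # second control module
        self.rules.clear()
        for r in rules:
            self.rules[(r.proto, r.dport)].add(r.src)

    def filter(self, raw) -> bool:       # second detection module: True = forwarded, False = dropped
        pkt = parse(raw)
        return pkt.src not in self.rules[(pkt.proto, pkt.dport)]


class Controller:
    """Controller subsystem: owns both rule sets, updates them from reported invalid data (S1)."""

    def __init__(self, ids_rules, fw_rules):
        self.ids_rules, self.fw_rules = list(ids_rules), list(fw_rules)
        self.ids = IdsSubsystem(self)
        self.fw = FirewallSubsystem()
        self.issue()                     # S0: initial rule distribution

    def issue(self):                     # S13: push both rule sets to their subsystems
        self.ids.install(self.ids_rules)
        self.fw.install(self.fw_rules)

    def report(self, invalid):           # S11/S12: assumed policy, block the reporting packet's source
        for pkt, _rule in invalid:
            new = FwRule(pkt.proto, pkt.dport, pkt.src)
            if new not in self.fw_rules:
                self.fw_rules.append(new)
        self.issue()


def run_simulation():
    ctl = Controller(ids_rules=[IdsRule("tcp", 80, b"/etc/passwd", "path-traversal-probe")], fw_rules=[])
    traffic = [                           # constructed sample packets
        b"10.0.0.5>192.168.1.10 tcp/80|GET /index.html",
        b"10.0.0.7>192.168.1.10 tcp/80|GET /../../etc/passwd",
        b"10.0.0.9>192.168.1.10 udp/53|example.com A?",
    ]
    before = [ctl.fw.filter(p) for p in traffic]               # S3 with the initial (empty) rules
    hits = [ctl.ids.detect(p) is not None for p in traffic]    # S2 / S22
    reported = ctl.ids.sweep()                                  # S23, which triggers S1
    after = [ctl.fw.filter(p) for p in traffic]                # S3 with the re-issued rules
    return {"before": before, "hits": hits, "reported": reported,
            "after": after, "fw_rules": len(ctl.fw_rules)}
```

Calling `run_simulation()` shows the loop end to end: all three packets pass the firewall while it holds no rules, the IDS flags only the packet carrying the pattern, the sweep reports it, and the firewall drops that source on the next pass. A second `sweep()` returns 0 because the output module clears the results it has traversed, which is the behaviour the periodic traversal in S23 relies on to avoid re-reporting.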
CN201710743670.6A 2017-08-25 2017-08-25 A kind of security protection system and method Pending CN107682312A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710743670.6A CN107682312A (en) 2017-08-25 2017-08-25 A kind of security protection system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710743670.6A CN107682312A (en) 2017-08-25 2017-08-25 A kind of security protection system and method

Publications (1)

Publication Number Publication Date
CN107682312A true CN107682312A (en) 2018-02-09

Family

ID=61134772

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710743670.6A Pending CN107682312A (en) 2017-08-25 2017-08-25 A kind of security protection system and method

Country Status (1)

Country Link
CN (1) CN107682312A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108566382A (en) * 2018-03-21 2018-09-21 北京理工大学 The fire wall adaptive ability method for improving of rule-based life cycle detection
CN108736571A (en) * 2018-05-31 2018-11-02 国网河南省电力公司检修公司 Protective relaying device intelligent management system
CN109495504A (en) * 2018-12-21 2019-03-19 东软集团股份有限公司 A kind of firewall box and its message processing method and medium
CN110505189A (en) * 2018-05-18 2019-11-26 深信服科技股份有限公司 Recognition methods, identification equipment and the storage medium that terminal security agency breaks through
CN110636084A (en) * 2019-11-08 2019-12-31 北京天地和兴科技有限公司 Method for filtering access interface of user-mode firewall

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1668015A (en) * 2004-12-20 2005-09-14 华中科技大学 Cooperative intrusion detection based large-scale network security defense system
CN105516091A (en) * 2015-11-27 2016-04-20 武汉邮电科学研究院 Secure flow filter and filtering method based on software defined network (SDN) controller
CN105577567A (en) * 2016-01-29 2016-05-11 国家电网公司 Network data packet parallel processing method based on Intel DPDK
US20160197946A1 (en) * 2015-01-07 2016-07-07 CounterTack, Inc. System and Method for Monitoring a Computer System Using Machine Interpretable Code
CN106161398A (en) * 2015-04-21 2016-11-23 北京信威通信技术股份有限公司 Packet snapping method and device
US20170160954A1 (en) * 2015-12-02 2017-06-08 Macau University Of Science And Technology High-Efficient Packet I/O Engine for Commodity PC

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1668015A (en) * 2004-12-20 2005-09-14 华中科技大学 Cooperative intrusion detection based large-scale network security defense system
US20160197946A1 (en) * 2015-01-07 2016-07-07 CounterTack, Inc. System and Method for Monitoring a Computer System Using Machine Interpretable Code
CN106161398A (en) * 2015-04-21 2016-11-23 北京信威通信技术股份有限公司 Packet snapping method and device
CN105516091A (en) * 2015-11-27 2016-04-20 武汉邮电科学研究院 Secure flow filter and filtering method based on software defined network (SDN) controller
US20170160954A1 (en) * 2015-12-02 2017-06-08 Macau University Of Science And Technology High-Efficient Packet I/O Engine for Commodity PC
CN105577567A (en) * 2016-01-29 2016-05-11 国家电网公司 Network data packet parallel processing method based on Intel DPDK

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
凌质亿: "Research and Implementation of a Real-time Intrusion Detection System for High-speed Network Environments", China Dissertations Full-text Database *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108566382A (en) * 2018-03-21 2018-09-21 北京理工大学 The fire wall adaptive ability method for improving of rule-based life cycle detection
CN108566382B (en) * 2018-03-21 2020-12-08 北京理工大学 Firewall self-adaption capability improving method based on rule life cycle detection
CN110505189A (en) * 2018-05-18 2019-11-26 深信服科技股份有限公司 Recognition methods, identification equipment and the storage medium that terminal security agency breaks through
CN108736571A (en) * 2018-05-31 2018-11-02 国网河南省电力公司检修公司 Protective relaying device intelligent management system
CN109495504A (en) * 2018-12-21 2019-03-19 东软集团股份有限公司 A kind of firewall box and its message processing method and medium
CN110636084A (en) * 2019-11-08 2019-12-31 北京天地和兴科技有限公司 Method for filtering access interface of user-mode firewall

Similar Documents

Publication Publication Date Title
CN107682312A (en) A kind of security protection system and method
CN107181738B (en) Software intrusion detection system and method
US20160171102A1 (en) Runtime adaptable search processor
CN104715201A (en) Method and system for detecting malicious acts of virtual machine
CN103312689A (en) Network hiding method for computer and network hiding system based on method
CN106452925A (en) Method, apparatus and system for detecting faults in NFV system
US20200287932A1 (en) Agentless security of virtual machines for outbound transmissions using a network interface controller
Bos et al. Towards software-based signature detection for intrusion prevention on the network card
CN102035847A (en) User access behavior processing method and system and client
Chi Intrusion detection system based on snort
US10873534B1 (en) Data plane with flow learning circuit
CN109189652A (en) A kind of acquisition method and system of close network terminal behavior data
CN106936805B (en) A kind of defence method and system of network attack
KR101454838B1 (en) Cloud enterprise security management system for interworking of Hypervisor-based virtual network and host intrusion prevention system
CN105871643B (en) Network operation emulation mode based on Routing Protocol
Duan et al. NetStar: A future/promise framework for asynchronous network functions
De Sensi et al. Dpi over commodity hardware: implementation of a scalable framework using fastflow
Branco et al. Architecture for automation of malware analysis
Peng Research of network intrusion detection system based on snort and NTOP
US10038649B2 (en) Packet generation and injection
CN107835268A (en) A kind of domain name data acquisition method, system and device
FI127335B (en) Logging of data traffic in a computer network
CN112688932A (en) Honeypot generation method, honeypot generation device, honeypot generation equipment and computer readable storage medium
CN110198300A (en) A kind of honey jar operation system fingerprint concealment method and device
CN109413001A (en) The method and device of safeguard protection is carried out to the interaction data in cloud computing system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20180209)