CN108768984A - Intrusion detection device and method based on field programmable gate array - Google Patents

Intrusion detection device and method based on field programmable gate array

Publication number
CN108768984A
Authority
CN
China
Legal status
Granted
Application number
CN201810474570.2A
Other languages
Chinese (zh)
Other versions
CN108768984B (en)
Inventor
史江义
张育智
孟坤
潘伟涛
马佩军
张华春
缪磊
Current Assignee
Xidian University
Original Assignee
Xidian University

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1441: Countermeasures against malicious traffic

Abstract

An intrusion detection device and method based on a field programmable gate array, mainly addressing the problems that existing hardware intrusion detection methods are slow, that their detection speed is unstable, and that they depend on attack signatures. The device comprises a Bloom filter module, a first-in first-out (FIFO) module, a bit vector generation module, a control module and an exact matching module. The method steps are: generate Bloom filter arrays from the known attack information groups by hash operations; split each attack information group into subfields; encode each subfield with the bit vector method to generate bit vectors and store them in the corresponding memory; filter the data to be tested through the Bloom filter arrays to find suspected attack data; exactly match the suspected attack data; and, when the match result is consistent, output the attack data. The invention has the advantages of high and stable intrusion detection speed and low storage usage.

Description

Intrusion detection device and method based on field programmable gate array
Technical field
The invention belongs to the field of communication technology, and further relates to an intrusion detection device and method based on a field programmable gate array within the field of network communication technology. The invention can be used to quickly and accurately detect the malicious attack information contained in data packets received by a network user.
Background art
Intrusion detection inspects network data against a library of known attack information. As the number of attacks in the attack library grows sharply, intrusion detection becomes increasingly difficult. The core technology of an intrusion detection device is the multi-pattern matching algorithm: the data received by the user is matched against the known attack library, and data for which the match result is consistent is malicious attack information. Early intrusion detection devices were mainly implemented in software. With the continuous growth of network speed, serial software implementations can no longer meet the demands of high-speed networks, whereas the parallelism of hardware can be fully exploited to overcome the bottleneck that software implementations encounter. Existing hardware intrusion detection devices are mainly based on state machines; the shortcomings of such methods are that detection is slow, detection speed is unstable, and they depend on attack signatures.
In his master's thesis "Fast multi-pattern matching algorithm and research on its hardware implementation" (Hangzhou Dianzi University thesis, 2012.12), Zhao Haibin proposes an intrusion detection device and method. The device comprises a data splitting module, a filter module, an arbitration module, an address mapping module, a match control module and a memory module. The data splitting module splits the data according to different offsets; the filter module quickly filters the data and outputs suspected attack data; the arbitration module outputs the suspected attack data in order; the address mapping module uses the data information to access the memory module and obtain the state-transition status; the match control module judges whether there is match information in the current state; the memory module stores the information for jumping to the next state. The shortcoming of this device is that the memory module is located outside the device body, so the address mapping module's accesses to data in the memory module have a long latency, which makes intrusion detection slow. The method is implemented as follows: first, the data is split by offset and most of the safe data is filtered out by a Bloom filter, yielding suspected attack data; second, state transitions driven by the AC (Aho-Corasick) algorithm match the suspected attack data against the information in the attack library, and a consistent match is attack information. The shortcomings of this method are that the state transition table and status information table built with the AC algorithm grow sharply as the attack set grows, occupying a large amount of storage; and that while the AC algorithm is exactly matching suspected attack data, the Bloom filter has to stop working and wait for the AC algorithm's match result, which reduces matching speed.
The patent document "High-speed pattern matching algorithm based on field programmable gate array" filed by Beijing QQ Technology Co., Ltd. (filing date: 2008.12.30; application number: 200810241135.1; notification number: 1691581B) discloses a high-speed pattern matching method that uses hardware to implement data security inspection. The method is mainly used for network intrusion detection and is implemented as follows: first, following the AC (Aho-Corasick) algorithm, a state transition table and a status information table are built from the attack information and its prefix characteristics; the state transition table stores the number of the next state to jump to, and the status information table stores information about the current state. Second, each byte of the data to be tested is used to read the state transition table, and data inspection is completed through state transitions. The shortcoming of this method is that building the state transition table and status information table relies on the prefixes of the attack information, so detection speed differs greatly when the prefix characteristics of the rules differ, which makes detection speed unstable.
Summary of the invention
The object of the invention is to address the above shortcomings of the prior art by providing an intrusion detection device and method based on a programmable gate array, solving problems such as the large amount of resources occupied by the state transition table and status information table, low filtering accuracy, and slow and unstable detection speed.
The intrusion detection device of the invention comprises five modules: a Bloom filter module, a first-in first-out (FIFO) module, a control module, a bit vector generation module and an exact matching module;
The Bloom filter module is used to divide known attack information with the same number of bytes into one group, each group of attack information corresponding to its own Bloom filter array; to perform hash operations on each piece of attack information in each group and set to 1 the data in the corresponding Bloom filter array whose address number equals the hash value, leaving the data at the remaining address numbers unchanged; to intercept, for each attack information byte count, a segment of that many bytes starting from the start position of the data to be tested in the filter window; to hash each intercepted segment with the same hash functions used to generate the Bloom filter arrays, obtaining hash values; to read the data in the corresponding Bloom filter array whose address numbers equal the hash values and judge whether the data read are all 1; and, if so, to store the data to be tested together with the attack information byte count corresponding to the Bloom filter, as suspected attack data, in a fixed format into the FIFO module;
The FIFO module is used to buffer the suspected attack data generated by the filter module and pass the suspected attack data to the control module;
The control module is used to parse the suspected attack data buffered in the FIFO module, according to the fixed format, into the data to be tested and the attack information byte count that the exact matching module needs, and to pass them to the exact matching module;
The bit vector generation module is used to divide the known attack information with the same number of bytes into one group, split the attack information into multiple subfields, encode each subfield with the bit vector method to generate the corresponding bit vectors, and store them in the corresponding memory of the exact matching module;
The exact matching module is used to read the corresponding bit vectors according to the suspected attack data, perform a bitwise AND of all the bit vectors read to obtain a result vector, and judge whether the result vector contains a 1; if so, the data to be tested matches attack information, and the matched attack information byte count and attack information number are output.
The intrusion detection method of the invention comprises the following steps:
(1) Generate the Bloom filter arrays:
(1a) Input the known attack information serially into the Bloom filter module and divide attack information with the same number of bytes into one group, each group of attack information corresponding to its own Bloom filter array;
(1b) Using k different hash functions, perform k hash operations on each piece of attack information in each group, and set to 1 the data in the corresponding Bloom filter array whose address number equals the hash value, leaving the data at the remaining address numbers unchanged, where k denotes any integer greater than 2;
(2) Split the attack information into subfields:
(2a) Group the known attack information, dividing attack information with the same number of bytes into one group;
(2b) Divide each group of attack information evenly, by byte, into L_i/s subfields, where L_i denotes the attack information byte count of the group and s denotes the number of bytes in each subfield; s may be any positive integer that divides L_i exactly;
(3) Generate bit vectors by bit vector method encoding:
(3a) Allocate a corresponding memory to each subfield, where the attack information bytes in the subfield have the same bit width as the storage-unit address numbers in the memory;
(3b) Take the first storage-unit address number in the memory;
(3c) In turn, judge whether the data of each attack information byte in the subfield equals the storage-unit address number; if so, set to 1 the bit in the generated bit vector at the position corresponding to the storage-unit address number; otherwise, set to 0 the bit in the generated bit vector at the position corresponding to the storage-unit address number;
(3d) Judge whether the storage-unit address number is all 1s; if so, bit vector encoding is complete and step (3e) is executed; otherwise, add 1 to the storage-unit address number and execute step (3c);
(3e) Store the bit vectors generated for each subfield in the corresponding memory;
(4) Filter the data to be tested:
(4a) Set the filter window of the Bloom filter module; the length of the filter window equals the total number of bytes of the longest attack information;
(4b) Move the filter window of the Bloom filter module to the start position of the data to be tested;
(4c) For each attack information byte count, intercept a segment of that many bytes starting from the start position of the data to be tested in the filter window; hash each intercepted segment k times with the same hash functions used to generate the Bloom filter arrays, obtaining k hash values; read the data whose address numbers equal the hash values in the Bloom filter array corresponding to that attack information byte count;
(4d) Judge whether the data read from each Bloom filter array are not all 1; if so, execute step (4e); otherwise, execute step (4f);
(4e) Shift the filter window by one byte and judge whether the filter window still contains data to be tested; if so, execute step (4c); otherwise, end filtering and execute step (4f);
(4f) Store the data to be tested in the filter window together with the attack information byte count corresponding to the Bloom filter, as suspected attack data, in a fixed format into the FIFO module;
(5) Parse the suspected attack data:
Read the suspected attack data from the FIFO module, parse the data according to the fixed format, and output the data to be tested and the corresponding attack information byte count to the exact matching module;
(6) Match the suspected attack data:
(6a) Determine, from the attack information byte count, the attack information group to which the suspected attack data belongs;
(6b) Following the subfield splitting used for that attack information group, divide the suspected attack data evenly into l_i/s subfields; using the data of each subfield as an address number, read, in subfield order, the bit vectors from the memories corresponding to that attack information group;
(6c) Perform a bitwise AND of all the bit vectors read from the memories to obtain the result vector;
(6d) Judge whether the result vector contains a 1; if so, the data to be tested matches known attack information and step (7) is executed; otherwise, the data to be tested is safe data and step (6a) is executed;
(7) Output the attack information:
Output the position of the "1" bit in the result vector and the attack information byte count.
Compared with the prior art, the invention has the following advantages:
First, because the Bloom filter module in the intrusion detection device of the invention stores the Bloom filter arrays in the RAM of the field programmable gate array, it overcomes the prior-art problem that a memory module located outside the device body causes long data-read latency and slow intrusion detection, so the invention has the advantage of high detection speed.
Second, because the exact matching module in the intrusion detection device of the invention also uses the RAM in the programmable gate array as the memory that stores the bit vectors, it overcomes the prior-art problem that a memory module located outside the device body causes long data-read latency and slow intrusion detection, so the invention has the advantage of high detection speed.
Third, because the intrusion detection method of the invention generates bit vectors by the bit vector method, only the generated bit vectors need to be stored as the attack information features. This overcomes the prior-art problem that the state transition table and status information table built with the AC algorithm occupy a large amount of storage, so the invention has the advantage of low storage usage.
Fourth, because the intrusion detection method of the invention can filter the data to be tested and match the suspected attack data at the same time, filtering the data to be tested does not have to wait for the match result of the suspected attack data. This overcomes the prior-art problem of slow detection caused by the Bloom filter having to stop working while suspected attack data is being matched, so the invention has the advantage of high detection speed.
Fifth, because the intrusion detection method of the invention converts the attack information into Bloom arrays and bit vectors by generating Bloom filter arrays and by bit vector method encoding, it does not need to use the prefixes of the attack information. This overcomes the prior-art problem of unstable detection speed caused by building the state machine from attack information prefixes, so the invention has the advantage that detection speed is stable and independent of the attack information characteristics.
Description of the drawings:
Fig. 1 is a structural block diagram of the device of the invention;
Fig. 2 is a flowchart of the method of the invention;
Fig. 3 is a schematic diagram of how the invention generates bit vectors by bit vector method encoding.
Detailed description of the embodiments
The invention is further described below with reference to the drawings.
With reference to Fig. 1, the structure of the device of the invention is further described.
The device of the invention comprises a Bloom filter module, a first-in first-out (FIFO) module, a control module, a bit vector generation module and an exact matching module. The modules are connected by a bus: the output of the Bloom filter module is connected to the input of the FIFO module, the output of the FIFO module is connected to the input of the control module, and the output of the control module is connected to the input of the exact matching module.
The Bloom filter module is used to divide known attack information with the same number of bytes into one group, each group of attack information corresponding to its own Bloom filter array; to perform hash operations on each piece of attack information in each group and set to 1 the data in the corresponding Bloom filter array whose address number equals the hash value, leaving the data at the remaining address numbers unchanged; to intercept, for each attack information byte count, a segment of that many bytes starting from the start position of the data to be tested in the filter window; to hash each intercepted segment with the same hash functions used to generate the Bloom filter arrays, obtaining hash values; to read the data in the corresponding Bloom filter array whose address numbers equal the hash values and judge whether the data read are all 1; and, if so, to store the data to be tested together with the attack information byte count corresponding to the Bloom filter, as suspected attack data, in a fixed format into the FIFO module. The Bloom filter arrays in the Bloom filter module are stored in the RAM of the programmable gate array.
The FIFO module is used to buffer the suspected attack data generated by the filter module and pass the suspected attack data to the control module.
The control module is used to parse the suspected attack data buffered in the FIFO module, according to the fixed format, into the data to be tested and the attack information byte count that the exact matching module needs, and to pass them to the exact matching module.
The bit vector generation module is used to divide the known attack information with the same number of bytes into one group, split the attack information into multiple subfields, encode each subfield with the bit vector method to generate the corresponding bit vectors, and store them in the corresponding memory of the exact matching module.
The exact matching module is used to read the corresponding bit vectors according to the suspected attack data, perform a bitwise AND of all the bit vectors read to obtain a result vector, and judge whether the result vector contains a 1; if so, the data to be tested matches attack information, and the matched attack information byte count and attack information number are output. The exact matching module uses the RAM in the programmable gate array as the memory that stores the bit vectors.
With reference to Fig. 2, the intrusion detection method based on a field programmable gate array of the invention is further described.
Step 1: generate the Bloom filter arrays.
Input the known attack information serially into the Bloom filter module and divide attack information with the same number of bytes into one group, each group of attack information corresponding to its own Bloom filter array.
Using k different hash functions, perform k hash operations on each piece of attack information in each group, and set to 1 the data in the corresponding Bloom filter array whose address number equals the hash value, leaving the data at the remaining address numbers unchanged, where k denotes any integer greater than 2.
Step 2: split the attack information into subfields.
Group the known attack information, dividing attack information with the same number of bytes into one group.
Divide each group of attack information evenly, by byte, into L_i/s subfields, where L_i denotes the attack information byte count of the group and s denotes the number of bytes in each subfield; s may be any positive integer that divides L_i exactly.
Step 3: generate bit vectors by bit vector method encoding.
Allocate a corresponding memory to each subfield, where the attack information bytes in the subfield have the same bit width as the storage-unit address numbers in the memory.
Take the first storage-unit address number in the memory.
In turn, judge whether the data of each attack information byte in the subfield equals the storage-unit address number; if so, set to 1 the bit in the generated bit vector at the position corresponding to the storage-unit address number; otherwise, set to 0 the bit in the generated bit vector at the position corresponding to the storage-unit address number.
Judge whether the storage-unit address number is all 1s. If so, bit vector encoding is complete and the bit vectors generated for each subfield are stored in the corresponding memory; otherwise, add 1 to the storage-unit address number and again judge whether the data of each attack information byte in the subfield equals the storage-unit address number.
Step 3 is further explained with reference to Fig. 3, the schematic diagram of how the invention generates bit vectors by bit vector method encoding.
In the embodiment of the invention, one group of attack information contains 3 pieces of attack information in total, and each subfield after splitting is 2 bits. The attack information corresponding to a certain subfield is 00, 11, 01, and the storage-unit address width for that subfield is 2 bits. Starting from storage-unit address "00", the attack information 00, 11, 01 in the subfield is compared with "00" in turn. Only the 1st piece of attack information equals address "00", so the 1st bit of the bit vector at address "00" is set to 1 and the remaining bits are set to 0. The storage-unit address is then incremented by 1 and the above operation is repeated until the storage-unit address is "11"; at that point the attack information in the subfield has been converted into bit vectors stored in the corresponding storage units.
Step 4: filter the data to be tested.
Set the filter window of the Bloom filter module; the length of the filter window equals the total number of bytes of the longest attack information.
Move the filter window of the Bloom filter module to the start position of the data to be tested.
For each attack information byte count, intercept a segment of that many bytes starting from the start position of the data to be tested in the filter window; hash each intercepted segment k times with the same hash functions used to generate the Bloom filter arrays, obtaining k hash values; read the data whose address numbers equal the hash values in the Bloom filter array corresponding to that attack information byte count.
Judge whether the data read from each Bloom filter array are not all 1. If so, shift the filter window by one byte and continue filtering the data to be tested; otherwise, store the data to be tested in the filter window together with the attack information byte count corresponding to the Bloom filter, as suspected attack data, in a fixed format into the FIFO module.
Step 5: parse the suspected attack data.
Read the suspected attack data from the FIFO module, parse the data according to the fixed format, and output the data to be tested and the corresponding attack information byte count to the exact matching module.
Step 6: match the suspected attack data.
Determine, from the attack information byte count, the attack information group to which the suspected attack data belongs.
Following the subfield splitting used for that attack information group, divide the suspected attack data evenly into l_i/s subfields; using the data of each subfield as an address number, read, in subfield order, the bit vectors from the memories corresponding to that attack information group.
Perform a bitwise AND of all the bit vectors read from the memories to obtain the result vector.
Judge whether the result vector contains a 1. If so, the data to be tested matches known attack information and step 7 is executed; otherwise, the data to be tested is safe data and matching continues with the next suspected attack data.
Step 7: output the attack information.
Output the position of the "1" bit in the result vector and the attack information byte count. The position of the "1" in the result vector indicates the number of the matched attack; for example, if bit j of the result vector is 1, the j-th piece of attack information in the corresponding attack-information byte-count group matches the data to be tested. The detected attack number and the attack information byte count are output.
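A software reference model of steps 1 to 7, added here as an illustration and not taken from the patent: it builds one Bloom array and one set of per-subfield bit vector memories for each signature length, then filters a payload and confirms each suspect with the bitwise AND. Assumptions: all names, the array size M, salted BLAKE2b standing in for the k hash functions, 0-based bit positions, and the constructed sample signatures and payload; the FIFO, the fixed storage format and the hardware parallelism are not modelled.

```python
import hashlib

K = 3      # hash functions per Bloom array (the patent requires k > 2)
M = 4096   # bits per Bloom array (assumed size)
S = 1      # subfield width in bytes; must divide every signature length

def hashes(chunk):
    """k array addresses for chunk. Salted BLAKE2b is a stand-in hash (assumption)."""
    return [int.from_bytes(hashlib.blake2b(chunk, digest_size=4,
                                           salt=bytes([i])).digest(), "big") % M
            for i in range(K)]

def encode_subfield(values, addr_bits):
    """Step 3: walk every address 0 .. 2^addr_bits - 1 and build its bit vector.
    Bit j of the vector at address a is 1 iff entry j of the subfield equals a."""
    memory = []
    for addr in range(1 << addr_bits):
        vec = 0
        for j, v in enumerate(values):
            if v == addr:
                vec |= 1 << j
        memory.append(vec)
    return memory

def split(chunk):
    """Steps 2b / 6b: cut a chunk into len/S subfields, each read as an integer."""
    return [int.from_bytes(chunk[i:i + S], "big") for i in range(0, len(chunk), S)]

class Detector:
    def __init__(self, signatures):
        # Steps 1a / 2a: group signatures by byte count.
        self.groups = {}
        for sig in signatures:
            if len(sig) % S:
                raise ValueError("S must divide the signature length")
            self.groups.setdefault(len(sig), []).append(sig)
        self.bloom, self.mem = {}, {}
        for length, sigs in self.groups.items():
            # Step 1b: set the k hashed addresses of every signature to 1.
            bits = bytearray(M)
            for sig in sigs:
                for h in hashes(sig):
                    bits[h] = 1
            self.bloom[length] = bits
            # Step 3: one memory per subfield position, indexed by subfield value.
            columns = zip(*(split(sig) for sig in sigs))
            self.mem[length] = [encode_subfield(col, 8 * S) for col in columns]

    def suspects(self, data):
        """Step 4: slide the window one byte at a time; Bloom-filter each length."""
        for off in range(len(data)):
            for length, bits in self.bloom.items():
                chunk = data[off:off + length]
                if len(chunk) == length and all(bits[h] for h in hashes(chunk)):
                    yield off, length

    def exact(self, chunk):
        """Step 6: read one bit vector per subfield and AND them together."""
        result = (1 << len(self.groups[len(chunk)])) - 1
        for memory, addr in zip(self.mem[len(chunk)], split(chunk)):
            result &= memory[addr]
        return result

    def scan(self, data):
        """Steps 5-7: (offset, byte count, index in group) for confirmed matches."""
        hits = []
        for off, length in self.suspects(data):
            result = self.exact(data[off:off + length])
            hits += [(off, length, j) for j in range(result.bit_length())
                     if result >> j & 1]
        return hits

SIGNATURES = [b"evil", b"worm", b"badcode1"]   # constructed sample signatures
SAMPLE = b"xxevilxxxbadcode1worm"              # constructed sample payload

if __name__ == "__main__":
    print(Detector(SIGNATURES).scan(SAMPLE))
```

A Bloom array can pass a segment that is not a signature, so `suspects` may return extra candidates; the AND in `exact` is what removes them, which is why a segment mixing bytes of two signatures yields an all-zero result vector.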

Claims (4)

1. device, including Broome filtering module, first in, first out FIFO are invaded in a kind of detection based on field programmable gate array Module, control module, which is characterized in that further include bit vectors generation module, accurate matching module, wherein
The Broome filtering module, for the identical known attack information of byte number to be divided into one group, every group of attack information point Not Dui Ying Broome filter array, carry out Hash operation for each attack information in each grouping, will corresponding cloth Shandong Address number is that the data of cryptographic Hash are set as 1 in nurse filtering array, and the data of remaining address number are constant;Each attack is believed respectively The equal data to be tested section of the start bit interception byte number of byte number data to be tested from filter window is ceased, to what is intercepted Each data to be tested section uses and generates identical hash function used in Broome filtering array, carries out hashing operation, obtains To cryptographic Hash, the data that address number in corresponding Broome filtering array is cryptographic Hash are read, judge to read whether data are all 1, if so, by data to be tested attack information word joint number corresponding with Bloom Filter, as doubtful attack data, by fixation Format is stored to first in, first out fifo module;
The first in, first out fifo module, the doubtful attack data for caching filtering module generation pass doubtful attack data Pass control module;
The control module, the doubtful attack data for caching first in, first out fifo module are parsed into accurately by set form The data to be tested and attack information word joint number that matching module needs, and pass to accurate matching module;
The bit vectors generation module will for the identical attack information of byte number in known attack information to be divided into one group Attack information is divided into multiple subfields, using bit vectors method, generates corresponding ratio to each subfield coding respectively Special vector is simultaneously stored into the corresponding memory of accurate matching module;
The accurate matching module, for according to doubtful attack data, corresponding bit vectors being read, by the bit of all readings Vectorial step-by-step is mutually carried out and is operated, and obtains result vector;It whether there is 1 in judging result vector, if so, illustrating data to be tested With attack information matches, the attack information word joint number that will match to and attack information encoding output.
2. The intrusion detection device based on a field programmable gate array according to claim 1, characterized in that the Bloom filter array in the Bloom filtering module is stored in RAM in the programmable gate array.
3. The intrusion detection device based on a field programmable gate array according to claim 1, characterized in that the exact matching module uses RAM in the programmable gate array as the memory that stores the bit vectors.
4. An intrusion detection method based on a field programmable gate array, characterized in that bit vectors are generated by bit vector method encoding and suspected attack data are matched; the specific steps of the method are as follows:
(1) Generate the Bloom filter arrays:
(1a) serially input the known attack information into the Bloom filtering module, read the byte count of each attack information, and divide attack information having the same byte count into one group, each group of attack information corresponding to its own Bloom filter array;
(1b) using k different hash functions, perform k hash operations on each attack information in each group, set to 1 the data in the corresponding Bloom filter array whose address number is a hash value, and leave the data at the remaining address numbers unchanged, where k denotes an arbitrary integer greater than 2;
(2) Divide the attack information into subfields:
(2a) group the known attack information, dividing attack information having the same byte count into one group;
(2b) divide each group of attack information evenly, by byte, into L_i/s subfields, where L_i denotes the byte count of the attack information in each group, s denotes the byte count of each subfield, and the value of s is any positive integer that divides L_i exactly;
(3) Generate the bit vectors by bit vector method encoding:
(3a) allocate a corresponding memory to each subfield, wherein each attack information byte in the subfield has the same bit width as the storage unit address number in the memory;
(3b) take the first storage unit address number in the memory;
(3c) judge in turn whether the data of each attack information byte in the subfield is equal to the storage unit address number; if so, set to 1 the bit value in the generated bit vector at the position corresponding to the storage unit address number; otherwise, set to 0 the bit value in the generated bit vector at the position corresponding to the storage unit address number;
(3d) judge whether the storage unit address number is all 1s; if so, bit vector encoding is complete and step (3e) is executed; otherwise, add 1 to the storage unit address number and execute step (3c);
(3e) store the bit vectors generated for each subfield in the corresponding memory;
(4) Filter the data to be detected:
(4a) set the filter window of the Bloom filtering module, the length of the filter window being equal to the total byte count of the longest attack information;
(4b) move the filter window of the Bloom filtering module to the start position of the data to be detected;
(4c) from the start position of the data to be detected in the filter window, intercept data segments to be detected whose byte counts equal each attack information byte count, respectively; apply to each intercepted data segment the same hash functions that were used to generate the Bloom filter array, performing k hash operations to obtain k hash values; and read the data whose address numbers are the hash values in the Bloom filter array corresponding to the attack information byte count;
(4d) judge whether the data read from each Bloom filter array are not all 1; if so, execute step (4e); otherwise, execute step (4f);
(4e) advance the filter window by one byte and judge whether the filter window still contains data to be detected; if so, execute step (4c); otherwise, end filtering and execute step (4f);
(4f) store the data to be detected in the filter window and the attack information byte count corresponding to the Bloom filter, as suspected attack data, in the fixed format into the first-in first-out (FIFO) module;
(5) Parse the suspected attack data:
read the suspected attack data from the FIFO module, parse the data according to the fixed format, and output the data to be detected and the corresponding attack information byte count to the exact matching module;
(6) Match the suspected attack data:
(6a) determine, from the attack information byte count, the attack information group to which the suspected attack data belong;
(6b) following the subfield division method of that attack information group, divide the suspected attack data evenly into l_i/s subfields; using the data of each subfield after division as the address number, read, in subfield order, the bit vectors in the memories corresponding to that attack information group;
(6c) perform a bitwise AND operation on all of the bit vectors read from the memories, obtaining a result vector;
(6d) judge whether a 1 exists in the result vector; if so, the data to be detected matches known attack information, and step (7) is executed; otherwise, the data to be detected is safe data, and step (6a) is executed;
(7) Output the attack information:
output the bit position of the "1" in the result vector and the attack information byte count.
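A software model of steps (1) to (7) of claim 4, added here as an illustration; it is not code from the patent. Assumptions: the k hash functions are modelled with salted BLAKE2b, each subfield memory is a sparse dictionary rather than a full RAM, bit n of a bit vector stands for attack information number n within its group, the scan covers the whole input instead of stopping at the first hit, and the parameters and sample signatures are constructed.

```python
import hashlib

K, M, S = 3, 1024, 1  # constructed: k hashes (claim requires k > 2), Bloom array size, subfield bytes
SIGNATURES = [b"/etc/passwd", b"cmd.exe", b"<script"]  # constructed sample attack information

def hashes(seg):
    # k different hash functions, modelled by salting BLAKE2b with the function index (assumption)
    return [int.from_bytes(hashlib.blake2b(seg, digest_size=4, salt=bytes([i])).digest(),
                           "big") % M for i in range(K)]

def build(signatures):
    """Steps (1)-(3): per byte-count group, one Bloom array and one memory per subfield."""
    groups = {}
    for sig in signatures:
        groups.setdefault(len(sig), []).append(sig)
    model = {}
    for length, sigs in groups.items():
        bloom = [0] * M
        for sig in sigs:
            for h in hashes(sig):
                bloom[h] = 1
        # memory j: address = value of subfield j, stored word = bit vector over signatures
        mems = [dict() for _ in range(length // S)]
        for n, sig in enumerate(sigs):
            for j, mem in enumerate(mems):
                addr = sig[j * S:(j + 1) * S]
                mem[addr] = mem.get(addr, 0) | (1 << n)
        model[length] = (bloom, mems, sigs)
    return model

def exact_match(model, length, seg):
    """Step (6): AND the bit vectors addressed by each subfield of the suspected segment."""
    _, mems, sigs = model[length]
    result = (1 << len(sigs)) - 1
    for j, mem in enumerate(mems):
        result &= mem.get(seg[j * S:(j + 1) * S], 0)
    return [n for n in range(len(sigs)) if (result >> n) & 1]

def detect(model, data):
    """Steps (4)-(7): slide one byte at a time; only Bloom hits reach exact matching."""
    alerts = []
    for pos in range(len(data)):
        for length, (bloom, _, sigs) in model.items():
            seg = data[pos:pos + length]
            if len(seg) == length and all(bloom[h] for h in hashes(seg)):
                for n in exact_match(model, length, seg):  # suspected -> confirmed
                    alerts.append((pos, length, sigs[n]))
    return alerts
```

A Bloom hit can be a false positive, which is why the second stage exists: only segments whose AND result is nonzero are reported.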
CN201810474570.2A 2018-05-17 2018-05-17 Intrusion detection device and method based on field programmable gate array Active CN108768984B (en)


Publications (2)

Publication Number Publication Date
CN108768984A true CN108768984A (en) 2018-11-06
CN108768984B CN108768984B (en) 2020-02-21


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant