CN108768984B - Intrusion detection device and method based on field programmable gate array - Google Patents


Info

Publication number
CN108768984B
Authority
CN
China
Prior art keywords
data
attack information
attack
module
bloom filter
Prior art date
Legal status
Active
Application number
CN201810474570.2A
Other languages
Chinese (zh)
Other versions
CN108768984A (en)
Inventor
史江义
张育智
孟坤
潘伟涛
马佩军
张华春
缪磊
Current Assignee
Xidian University
Original Assignee
Xidian University
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A device and a method for detecting intrusion based on a field programmable gate array mainly solve the problems that the existing hardware intrusion detection method is slow in detection speed, unstable in detection speed and dependent on attack characteristics. The device comprises a bloom filter module, a first-in first-out (FIFO) module, a bit vector generation module, a control module and an accurate matching module. The method comprises the steps of grouping known attack information, and generating a bloom filter array through hash operation; dividing attack information packets into subfields; encoding each subfield by a bit vector method to generate a bit vector, and storing the bit vector in a corresponding memory; filtering the data to be detected through a bloom filter array to find suspected attack data; carrying out accurate matching on suspected attack data; and when the matching results are consistent, outputting attack data. The invention has the advantages of high and stable intrusion detection speed, less occupied storage resources and the like.

Description

Intrusion detection device and method based on field programmable gate array
Technical Field
The invention belongs to the technical field of communication, and further relates to an intrusion detection device and method based on a field programmable gate array in the technical field of network communication. The invention can be used for quickly and accurately detecting the malicious attack information contained in the data packet received from the network user.
Background
Intrusion detection examines network data against a library of known attack information, and its difficulty grows as the number of attacks in the library increases rapidly. The core technology of an intrusion detection device is a multi-pattern matching algorithm: the data received from a user is matched against the known attack library, and a consistent match yields the malicious attack information. Early intrusion detection devices were mainly implemented in software; as network speeds kept increasing, the serial software implementation could no longer meet the requirements of high-speed networks, while the parallelism of a hardware method can be fully exploited to overcome the bottleneck of the software approach. Existing hardware intrusion detection devices are mainly based on state machines, and these methods suffer from low detection speed, unstable detection speed and dependence on attack characteristics.
Zhao hai and bin proposed an intrusion detection apparatus and method in the master's thesis "fast multi-pattern matching algorithm and hardware implementation research" (hangzhou electronic university paper 2012.12). The device comprises a data splitting module, a filtering module, an arbitration module, an address mapping module, a matching control module and a storage module. The data splitting module splits the data according to different offsets; the filtering module rapidly filters the data and outputs suspected attack data; the arbitration module outputs the suspected attack data sequentially in order; the address mapping module accesses the storage module with the data information to obtain the state to jump to; the matching control module judges whether matching information exists in the current state; and the storage module stores the information for jumping to the next state. The device has the following defect: the storage module is located outside the device main body, so the delay of the address mapping module accessing data in the storage module is long and the intrusion detection speed is slow. The method comprises the following implementation steps: first, split the data according to an offset and filter out most of the safe data through a Bloom filter to obtain suspected attack data; second, perform state jumps with the AC (Aho-Corasick) algorithm to match the suspected attack data against the information in the attack library, and when the match is consistent the attack information is obtained.
The method has the disadvantage that the state jump table and the state information table constructed by the AC algorithm grow sharply with the scale of the attack set, occupying more storage resources; and while the AC algorithm is exactly matching the suspected attack data, the bloom filter must stop working and wait for the AC matching result, which reduces the matching speed.
The patent document "high-speed pattern matching algorithm based on field programmable gate array" (application date: 2008.12.30, application number: 200810241135.1, notice number: 1691581B) filed by beijing chang communication science and technology ltd discloses a high-speed pattern matching method that realizes data security detection with hardware technology. The method is mainly used for detecting network intrusion and comprises the following implementation steps: first, construct a state jump table and a state information table from the attack information and its prefix characteristics according to the AC (Aho-Corasick) algorithm; the state jump table stores the number of the next state to jump to, and the state information table stores the information related to the current state. Second, read the state jump table with each byte of the data to be detected and complete the detection through state jumps. The method has the following defect: when the prefix characteristics of the attack information differ, the detection speed differs greatly, so the detection speed is unstable.
Disclosure of the invention
The invention aims to provide an intrusion detection device and method based on a field programmable gate array (FPGA) that overcomes the defects of the prior art and solves the problems that the constructed state jump table and state information table occupy many resources, that the filtering accuracy is low, and that the detection speed is slow and unstable.
The intrusion detection device comprises five modules, namely a bloom filter module, a first-in first-out (FIFO) module, a control module, a bit vector generation module and an accurate matching module;
the bloom filter module is used for dividing known attack information with the same byte number into a group, wherein each group of attack information corresponds to a bloom filter array, performing hash operation on each piece of attack information in each group, setting data with address numbers as hash values in the corresponding bloom filter arrays to be 1, and keeping the data of the rest address numbers unchanged; respectively intercepting a data segment to be detected with the same byte number from the initial bit of the data to be detected in the filtering window for each kind of attack information byte number, performing hash operation on each intercepted data segment to be detected by adopting the same hash function used for generating the bloom filter array to obtain a hash value, reading the data with the address number of the corresponding bloom filter array as the hash value, judging whether the read data is all 1, if so, taking the byte number of the attack information corresponding to the data to be detected and the bloom filter as suspected attack data, and storing the suspected attack information byte number to a first-in first-out (FIFO) module according to a fixed format;
the first-in first-out FIFO module is used for caching the suspected attack data generated by the filtering module and transmitting the suspected attack data to the control module;
the control module is used for analyzing suspected attack data cached by the first-in first-out FIFO module into data to be detected and the number of bytes of attack information required by the precise matching module according to a fixed format and transmitting the data to the precise matching module;
the bit vector generating module is used for dividing attack information with the same byte number in the known attack information into a group, dividing the attack information into a plurality of subfields, respectively encoding each subfield by adopting a bit vector method to generate a corresponding bit vector and storing the bit vector into a corresponding memory of the precise matching module;
the accurate matching module is used for reading the corresponding bit vectors according to the suspected attack data and performing a bitwise AND operation on all read bit vectors to obtain a result vector; and judging whether 1 exists in the result vector, if so, indicating that the data to be detected matches the attack information, and outputting the byte number of the matched attack information and the attack information number.
The intrusion detection method comprises the following steps:
(1) generating a bloom filter array:
(1a) serially inputting known attack information into a bloom filter module, and dividing the attack information with the same byte number in the read attack information into a group, wherein each group of attack information corresponds to a bloom filter array respectively;
(1b) adopting k different hash functions, carrying out hash operation for k times aiming at each attack information in each group, setting data with address numbers as hash values in the corresponding bloom filter array as 1, and keeping the data of the rest address numbers unchanged, wherein k represents any integer larger than 2;
(2) segmentation attack information into subfields:
(2a) grouping known attack information, and dividing the attack information with the same byte number into a group;
(2b) dividing each group of attack information uniformly by byte into L_i/s subfields, wherein L_i indicates the number of bytes of the attack information in the group, s indicates the number of bytes of each subfield, and s may be any positive integer that divides L_i exactly;
(3) encoding by adopting a bit vector method to generate a bit vector:
(3a) respectively allocating a corresponding memory for each subfield, wherein the bit width of the attack information bytes in the subfield is equal to the bit width of the address sequence number of a storage unit in the memory;
(3b) the address sequence number of a first storage unit in a memory is fetched;
(3c) sequentially judging whether the data of each attack information byte in the subfield is equal to the address serial number of the storage unit, if so, setting the bit value of the position corresponding to the address serial number of the storage unit in the generated bit vector to be 1, otherwise, setting the bit value of the position corresponding to the address serial number of the storage unit in the generated bit vector to be 0;
(3d) judging whether the address sequence number of the storage unit is all ones (i.e. the last address), if so, finishing the bit vector encoding and executing step (3e), otherwise adding 1 to the address sequence number of the storage unit and executing step (3c);
(3e) storing the bit vector generated by each subfield in a corresponding memory;
(4) filtering data to be detected:
(4a) setting a filter window of a bloom filter module, wherein the length of the filter window is equal to the total number of bytes of the longest attack information;
(4b) moving a filter window of the bloom filter module to the start bit of the data to be detected;
(4c) respectively intercepting a data segment to be detected with the same byte number from the initial bit of the data to be detected in the filtering window for each kind of attack information byte number, performing hash operation for k times on each intercepted data segment to be detected by adopting the same hash function used for generating the bloom filter array to obtain k hash values, and reading the data with the address number as the hash value in the bloom filter array corresponding to the attack information byte number;
(4d) judging whether the data read from each bloom filter array are not all 1, if so, executing the step (4e), otherwise, executing the step (4 f);
(4e) moving the filtering window backward by one byte, judging whether the filtering window has data to be detected, if so, executing the step (4c), otherwise, terminating the filtering, and executing the step (4 f);
(4f) taking the data to be detected in the filtering window and the number of bytes of attack information corresponding to the bloom filter as suspected attack data, and storing the suspected attack data in a first-in first-out (FIFO) module according to a fixed format;
(5) analyzing suspected attack data:
the suspected attack data is read from the first-in first-out FIFO module, the data information is analyzed according to a fixed format, and the data to be detected and the number of bytes of the corresponding attack information are output to the precise matching module;
(6) matching suspected attack data:
(6a) determining an attack information packet to which the suspected attack data belongs according to the number of bytes of the attack information;
(6b) according to the subfield division method of that attack information packet, dividing the suspected attack data into L_i/s subfields, taking the data of each divided subfield as an address sequence number, and reading the bit vectors from the corresponding memories of the attack information group in the order of subfield division;
(6c) performing a bitwise AND operation on all bit vectors read from the memories to obtain a result vector;
(6d) judging whether 1 exists in the result vector, if so, indicating that the data to be detected is matched with the known attack information, and executing the step (7), otherwise, indicating that the data to be detected is safe data, and executing the step (6 a);
(7) outputting attack information:
and outputting the number of bits of the '1' in the result vector and the number of bytes of the attack information.
Compared with the prior art, the invention has the following advantages:
first, because the bloom filter module in the intrusion detection device of the present invention uses the RAM of the field programmable gate array to store the bloom filter array, the problems of long data reading delay and slow intrusion detection speed caused by the storage module being located outside the device main body in the prior art are overcome, so that the present invention has the advantage of high detection speed.
Secondly, because the precise matching module in the intrusion detection device also adopts the RAM in the programmable gate array as a memory for storing the bit vector, the problems of long data reading delay and slow intrusion detection speed caused by the fact that the memory module is positioned outside the device main body in the prior art are solved, and the intrusion detection device has the advantage of high detection speed.
Thirdly, because the intrusion detection method of the invention generates the bit vector by the bit vector method, only the generated bit vector needs to be stored as the attack information characteristic, and the problem that the storage resource occupied by constructing the jump state jump table and the state information table by adopting the AC algorithm in the prior art is large is solved, so that the invention has the advantage of less occupied storage resource.
Fourthly, because the intrusion detection method can simultaneously carry out the filtration of the data to be detected and the matching of the suspected attack data, and the filtration of the data to be detected does not need to wait for the result of the matching of the suspected attack data, the problem of low detection speed caused by the fact that the bloom filter needs to stop working when the suspected attack data are matched in the prior art is solved, and the intrusion detection method has the characteristic of high detection speed.
Fifthly, since the intrusion detection method of the invention converts the attack information into the bloom filter array and the bit vector by generating the bloom filter array and encoding the bit vector by adopting the bit vector method, the prefix of the attack information is not required to be utilized, and the problem of unstable detection speed caused by constructing a state machine by utilizing the prefix of the attack information in the prior art is solved, so that the intrusion detection method has the advantages of stable detection speed and independence on the characteristics of the attack information.
Description of the drawings:
FIG. 1 is a block diagram of the apparatus of the present invention;
FIG. 2 is a flow chart of the method of the present invention;
FIG. 3 is a schematic diagram of the bit vector generated by the bit vector encoding method according to the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
The structure of the apparatus of the present invention will be further described with reference to fig. 1.
The device comprises a bloom filter module, a first-in first-out (FIFO) module, a control module, a bit vector generation module and an accurate matching module, wherein the bloom filter module, the first-in first-out (FIFO) module, the control module, the bit vector generation module and the accurate matching module are connected through a bus, the output end of the bloom filter module is connected with the input end of the first-in first-out (FIFO) module, the output end of the first-in first-out (FIFO) module is connected with the input end of the control module, and the output end.
The bloom filter module is used for dividing known attack information with the same byte number into a group, wherein each group of attack information corresponds to a bloom filter array, carrying out hash operation on each piece of attack information in each group, setting data with the address number as a hash value in the corresponding bloom filter array as 1, and keeping the data of the rest address numbers unchanged; respectively intercepting a data segment to be detected with the same byte number from the initial bit of the data to be detected in the filtering window for each kind of attack information byte number, carrying out hash operation on each intercepted data segment to be detected by adopting the same hash function used for generating the bloom filter array to obtain a hash value, reading the data with the address number of the corresponding bloom filter array as the hash value, judging whether the read data is all 1, if so, taking the byte number of the attack information corresponding to the data to be detected and the bloom filter as suspected attack data, and storing the suspected attack information byte number to the first-in first-out (FIFO) module according to a fixed format. And a bloom filter array in the bloom filter module is stored by adopting an RAM in a programmable gate array.
And the first-in first-out FIFO module is used for caching the suspected attack data generated by the filtering module and transmitting the suspected attack data to the control module.
And the control module is used for analyzing the suspected attack data cached by the first-in first-out FIFO module into the data to be detected and the number of bytes of attack information required by the precise matching module according to a fixed format and transmitting the data to the precise matching module.
And the bit vector generating module is used for dividing the attack information with the same byte number in the known attack information into a group, dividing the attack information into a plurality of sub-fields, respectively encoding each sub-field by adopting a bit vector method to generate a corresponding bit vector and storing the bit vector into a corresponding memory of the precise matching module.
The accurate matching module is used for reading the corresponding bit vectors according to the suspected attack data and performing a bitwise AND operation on all read bit vectors to obtain a result vector; and judging whether 1 exists in the result vector, if so, indicating that the data to be detected matches the attack information, and outputting the byte number of the matched attack information and the attack information number. The accurate matching module uses the RAM in the programmable gate array as the memory for storing the bit vectors.
Referring to FIG. 2: the intrusion detection method based on the field programmable gate array of the invention is further described.
Step 1, generating a bloom filter array.
Known attack information is serially input into the bloom filter module, the attack information with the same byte number in the read attack information is divided into a group, and each group of attack information corresponds to a bloom filter array respectively.
And performing hash operation on each attack information in each group for k times by adopting k different hash functions, setting the data with the address number as the hash value in the corresponding bloom filter array as 1, and keeping the data of the rest address numbers unchanged, wherein k represents any integer larger than 2.
Step 2, segmenting the attack information into subfields.
Grouping the known attack information, and grouping the attack information with the same byte number into a group.
Each group of attack information is divided uniformly by byte into L_i/s subfields, wherein L_i indicates the number of bytes of the attack information in the group, s indicates the number of bytes of each subfield, and s may be any positive integer that divides L_i exactly.
Step 3, coding by adopting a bit vector method to generate a bit vector.
A corresponding memory is allocated to each subfield, wherein the bit width of the attack information bytes in the subfield is equal to the bit width of the address sequence number of a storage unit in the memory.
And the address sequence number of the first storage unit in the memory is fetched.
And sequentially judging whether the data of each attack information byte in the subfield is equal to the address sequence number of the storage unit, if so, setting the bit value of the position corresponding to the address sequence number of the storage unit in the generated bit vector to be 1, and otherwise, setting the bit value of the position corresponding to the address sequence number of the storage unit in the generated bit vector to be 0.
Whether the address sequence number of the storage unit is all ones (the last address) is judged; if so, the bit vector encoding is finished and the bit vector generated for each subfield is stored in the corresponding memory; otherwise, 1 is added to the address sequence number of the storage unit and the comparison of each attack information byte in the subfield with the address sequence number is repeated.
Step 3 is further described with reference to fig. 3, which is a schematic diagram of the present invention for encoding and generating a bit vector by using a bit vector method.
In the embodiment of the invention, a group of attack information contains 3 pieces of attack information, and each subfield after division is 2 bits wide. The attack information values in a certain subfield are 00, 11 and 01, and the bit width of the memory cell address corresponding to the subfield is 2 bits. Starting from the memory cell address "00", the subfield values 00, 11, 01 of the three pieces of attack information are compared with "00" in order. Only the 1st piece of attack information equals the address "00", so the 1st bit of the bit vector stored at address "00" is set to 1 and the remaining bits are set to 0. The memory cell address is then incremented by 1 and the above operation repeated until the memory cell address reaches "11"; at that point the attack information in the subfield has been converted into bit vectors stored in the corresponding memory cells.
Step 4, filtering the data to be detected.
And setting a filter window of the bloom filter module, wherein the length of the filter window is equal to the total number of bytes of the longest attack information.
And moving the filtering window of the bloom filter module to the start bit of the data to be detected.
Respectively intercepting a data segment to be detected with the same byte number from the initial bit of the data to be detected in the filtering window for each kind of attack information byte number, carrying out hash operation for k times by adopting the same hash function used for generating the bloom filter array for each kind of intercepted data segment to be detected to obtain k hash values, and reading the data with the address number as the hash value in the bloom filter array corresponding to the attack information byte number.
And judging whether the data read from each bloom filter array is not all 1, if so, moving the filter window backwards by one byte to continue filtering the data to be detected, otherwise, taking the data to be detected in the filter window and the number of bytes of attack information corresponding to the bloom filter as suspected attack data, and storing the suspected attack data in a first-in first-out (FIFO) module according to a fixed format.
Step 5, analyzing suspected attack data.
And reading suspected attack data from the first-in first-out FIFO module, analyzing data information according to a fixed format, and outputting the data to be detected and the number of bytes of corresponding attack information to the accurate matching module.
Step 6, matching suspected attack data.
And determining the attack information packet to which the suspected attack data belongs according to the number of bytes of the attack information.
According to the subfield division method of that attack information packet, the suspected attack data is divided into L_i/s subfields, the data of each divided subfield is taken as an address sequence number, and the bit vectors in the corresponding memories of the attack information packet are read in the order of subfield division.
A bitwise AND operation is performed on all bit vectors read from the memories to obtain a result vector.
Whether the result vector contains a 1 is judged; if so, the data to be detected matches the known attack information and step 7 is executed; otherwise, the data to be detected is safe data and matching continues with the next suspected attack data.
Step 7, outputting attack information.
And outputting the number of bits of the '1' in the result vector and the number of bytes of the attack information. The bit number of "1" in the result vector represents the matched attack number, for example, if the jth bit of the result vector is 1, it indicates that the jth attack information in the corresponding attack information byte packet matches with the data to be detected, and outputs the detected attack number and the number of bytes of the attack information.
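The following is a software model of the pipeline in steps (1) to (7) of the method and Steps 1 to 7 above (bloom filter per length group, FIFO of suspects, bit-vector exact match), added here as an illustration; it is not code from the patent and the FPGA design has no software. It assumes k = 3 hash functions built from SHA-256 with a prepended seed byte, 1024-bit bloom arrays, s = 1 byte per subfield (so each subfield memory has 256 entries), and constructed sample patterns and data; `encode_subfield` also reproduces the 2-bit FIG. 3 example when called with 2-bit values.

```python
"""Software model of the FPGA intrusion-detection method (illustration only)."""
import hashlib
from collections import defaultdict, deque

K_HASHES = 3          # k > 2 hash functions, as in step (1b) (assumed value)
BLOOM_BITS = 1024     # m bits per bloom filter array (assumed size)
SUBFIELD_BYTES = 1    # s bytes per subfield; must divide every L_i (assumed)


def bloom_hashes(segment, k=K_HASHES, m=BLOOM_BITS):
    """k hash values in [0, m); the seed byte i models k different functions."""
    return [int.from_bytes(hashlib.sha256(bytes([i]) + segment).digest()[:4], "big") % m
            for i in range(k)]


def build_bloom_arrays(patterns):
    """Step (1): one bloom filter array per attack-information length L_i."""
    arrays = defaultdict(lambda: [0] * BLOOM_BITS)
    for p in patterns:
        for h in bloom_hashes(p):
            arrays[len(p)][h] = 1          # set address h to 1, leave the rest
    return dict(arrays)


def encode_subfield(values, addr_bits):
    """Step (3): bit-vector memory for one subfield position.
    values[j] is pattern j's value in this subfield; memory[addr] has bit j set
    iff values[j] == addr. Walks every address 0 .. 2**addr_bits - 1 (3b-3d)."""
    memory = {}
    for addr in range(1 << addr_bits):
        vec = 0
        for j, v in enumerate(values):
            if v == addr:
                vec |= 1 << j
        memory[addr] = vec
    return memory


def build_bitvector_memories(patterns, s=SUBFIELD_BYTES):
    """Steps (2)-(3): group by length, split into L_i/s subfields, encode each."""
    groups = defaultdict(list)
    for p in patterns:
        groups[len(p)].append(p)        # index within the group = attack number j
    memories = {}
    for length, group in groups.items():
        assert length % s == 0, "s must divide L_i exactly"
        mems = []
        for f in range(length // s):
            vals = [int.from_bytes(p[f * s:(f + 1) * s], "big") for p in group]
            mems.append(encode_subfield(vals, 8 * s))
        memories[length] = (group, mems)
    return memories


def bloom_filter_stage(data, arrays):
    """Step (4): slide the window one byte at a time; for each length group hash
    the first L_i bytes and push (segment, L_i) to the FIFO when all k bits are 1."""
    fifo = deque()
    for start in range(len(data)):
        for length, arr in arrays.items():
            seg = data[start:start + length]
            if len(seg) < length:
                continue
            if all(arr[h] for h in bloom_hashes(seg)):
                fifo.append((seg, length))     # fixed format: (data, byte count)
    return fifo


def exact_match(seg, length, memories, s=SUBFIELD_BYTES):
    """Step (6): address each subfield memory with the candidate's subfield value
    and AND the bit vectors; a set bit j means attack j matched."""
    group, mems = memories[length]
    result = (1 << len(group)) - 1
    for f, mem in enumerate(mems):
        result &= mem[int.from_bytes(seg[f * s:(f + 1) * s], "big")]
    return result


def detect(data, patterns):
    """Full pipeline; returns (attack number j, L_i, matched bytes) per step (7).
    Bloom false positives reach the FIFO but yield a zero result vector here."""
    arrays = build_bloom_arrays(patterns)
    memories = build_bitvector_memories(patterns)
    hits = []
    for seg, length in bloom_filter_stage(data, arrays):
        result = exact_match(seg, length, memories)
        for j in range(result.bit_length()):
            if (result >> j) & 1:
                hits.append((j, length, seg))
    return hits


# Constructed sample attack library and traffic (not from the patent).
SAMPLE_PATTERNS = [b"evil", b"rootkit", b"bad!"]   # groups: L=4 {evil, bad!}, L=7
SAMPLE_DATA = b"xx evil yy rootkit bad!"

if __name__ == "__main__":
    print(encode_subfield([0b00, 0b11, 0b01], 2))   # FIG. 3 case
    print(detect(SAMPLE_DATA, SAMPLE_PATTERNS))
```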

Claims (4)

1. An intrusion detection device based on a field programmable gate array, comprising a bloom filter module, a first-in first-out (FIFO) module and a control module, characterized in that it further comprises a bit vector generation module and an exact matching module, wherein:
the bloom filter module is used for dividing the known attack information into groups, each group containing the attack information with the same byte count and each group corresponding to one bloom filter array; performing a hash operation on each piece of attack information in each group, setting the data at the address numbered by the hash value in the corresponding bloom filter array to 1 and leaving the data at the remaining addresses unchanged; for each attack-information byte count, intercepting from the start of the data to be detected in the filtering window a data segment of that byte count, hashing each intercepted segment with the same hash functions used to generate the bloom filter array to obtain the hash values, reading the data at the addresses numbered by those hash values in the corresponding bloom filter array, and judging whether the data read are all 1; if so, taking the data to be detected together with the attack-information byte count corresponding to that bloom filter as suspected attack data and storing it in the FIFO module in a fixed format;
the FIFO module is used for buffering the suspected attack data generated by the bloom filter module and passing it to the control module;
the control module is used for parsing the suspected attack data buffered in the FIFO module, according to the fixed format, into the data to be detected and the attack-information byte count required by the exact matching module, and passing both to the exact matching module;
the bit vector generation module is used for dividing the known attack information into groups with the same byte count, dividing the attack information of each group into a plurality of subfields, encoding each subfield by the bit vector method to generate the corresponding bit vector, and storing the bit vector in the corresponding memory of the exact matching module;
the exact matching module is used for reading the corresponding bit vectors according to the suspected attack data, performing a bitwise AND over all bit vectors read to obtain a result vector, and judging whether a 1 exists in the result vector; if so, the data to be detected matches the attack information, and the byte count of the matched attack information and the attack number are output.
2. The device of claim 1, wherein the bloom filter arrays of the bloom filter module are stored in RAM of the field programmable gate array.
3. The device of claim 1, wherein the exact matching module uses RAM of the field programmable gate array as the memory for storing the bit vectors.
4. An intrusion detection method based on a field programmable gate array, characterized in that bit vectors are generated by encoding with the bit vector method and suspected attack data is matched against them; the method comprises the following steps:
(1) generating the bloom filter arrays:
(1a) serially inputting the known attack information into the bloom filter module and dividing the attack information read in into groups with the same byte count, each group corresponding to one bloom filter array;
(1b) using k different hash functions, performing k hash operations on each piece of attack information in each group, setting the data at the addresses numbered by the hash values in the corresponding bloom filter array to 1 and leaving the data at the remaining addresses unchanged, where k is any integer greater than 2;
(2) dividing the attack information into subfields:
(2a) grouping the known attack information so that attack information with the same byte count forms one group;
(2b) dividing the attack information of each group uniformly by bytes into L/s subfields, where L is the byte count of the attack information in the group, s is the byte count of each subfield, and s is any positive integer that divides L;
(3) encoding with the bit vector method to generate the bit vectors:
(3a) allocating one memory for each subfield, the width of the storage-unit address in that memory being equal to the width of the attack-information bytes in the subfield;
(3b) starting from the address of the first storage unit in the memory;
(3c) for each piece of attack information in the group, judging in turn whether the data of its subfield is equal to the address of the storage unit; if so, setting the bit at the position corresponding to that attack information in the bit vector generated for this storage unit to 1, otherwise setting it to 0;
(3d) judging whether the address of the storage unit has all bits equal to 1; if so, the bit vector encoding is finished and step (3e) is executed, otherwise the address of the storage unit is incremented by 1 and step (3c) is executed;
(3e) storing the bit vector generated for each storage unit of each subfield in the corresponding memory;
(4) filtering the data to be detected:
(4a) setting the filtering window of the bloom filter module, the length of the filtering window being equal to the total byte count of the longest attack information;
(4b) moving the filtering window of the bloom filter module to the start of the data to be detected;
(4c) for each attack-information byte count, intercepting from the start of the data to be detected in the filtering window a data segment of that byte count, performing k hash operations on each intercepted segment with the same hash functions used to generate the bloom filter arrays to obtain k hash values, and reading the data at the addresses numbered by those hash values in the bloom filter array corresponding to that attack-information byte count;
(4d) judging whether, for every bloom filter array, the data read are not all 1; if so, executing step (4e), otherwise executing step (4f);
(4e) moving the filtering window backward by one byte and judging whether data to be detected remains in the filtering window; if so, executing step (4c), otherwise terminating the filtering and executing step (4f);
(4f) taking the data to be detected in the filtering window together with the attack-information byte count corresponding to the bloom filter as suspected attack data and storing it in the FIFO module in a fixed format;
(5) parsing the suspected attack data:
reading the suspected attack data from the FIFO module, parsing it according to the fixed format, and outputting the data to be detected and the corresponding attack-information byte count to the exact matching module;
(6) matching the suspected attack data:
(6a) determining, from the attack-information byte count, the attack-information group to which the suspected attack data belongs;
(6b) dividing the suspected attack data uniformly into L/s subfields in the same way the attack-information group was divided, using the data of each subfield as an address, and reading the bit vectors from the memories corresponding to the attack-information group in the order of the subfields;
(6c) performing a bitwise AND over all bit vectors read from the memories to obtain the result vector;
(6d) judging whether a 1 exists in the result vector; if so, the data to be detected matches the known attack information and step (7) is executed, otherwise the data to be detected is safe data and step (6a) is executed;
(7) outputting the attack information:
outputting the positions of the 1 bits in the result vector and the byte count of the attack information.
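A software model of the two-stage pipeline in claim 4 (and of the output step 7 of the description above), added here as an illustration; it is not the patent's design or any hardware of the assignee. It groups patterns by length, builds one Bloom filter array per group with k hash functions, slides a window over the traffic one byte at a time, and resolves every Bloom hit with the per-subfield bit-vector AND of step (6), so Bloom false positives are discarded and only exact matches reach the output. The salted SHA-256 hashes, the array size, the subfield width s = 1, the list standing in for the FIFO, and the sample patterns and traffic are all assumptions made for the example.

```python
"""Software model of the claimed matcher: Bloom pre-filter per pattern
length, then bit-vector exact match over fixed-size subfields.
Added illustration; hash functions, sizes and sample data are assumed."""
import hashlib
from collections import defaultdict

BLOOM_BITS = 1024      # assumed size of each Bloom filter array
K_HASHES = 3           # k of step (1b); the claim requires an integer > 2
SUBFIELD_BYTES = 1     # s of step (2b); one byte gives a 256-entry memory


def _hashes(segment: bytes, k: int = K_HASHES, m: int = BLOOM_BITS):
    """k hash values for one segment (assumed: SHA-256 with a salt byte)."""
    return [int.from_bytes(hashlib.sha256(bytes([i]) + segment).digest()[:4], "big") % m
            for i in range(k)]


class FpgaStyleMatcher:
    def __init__(self, attacks):
        # Steps (1a)/(2a): group known attack information by byte count L.
        self.groups = defaultdict(list)
        for a in attacks:
            if len(a) % SUBFIELD_BYTES:
                raise ValueError("s must divide the attack length L")
            self.groups[len(a)].append(a)
        self.bloom = {}   # step (1b): one Bloom array per length group
        self.mem = {}     # step (3): per group, one memory per subfield;
                          # mem[f][addr] has bit j set iff attack j's
                          # subfield f equals addr
        for length, group in self.groups.items():
            arr = bytearray(BLOOM_BITS)
            for a in group:
                for h in _hashes(a):
                    arr[h] = 1
            self.bloom[length] = arr
            n_sub = length // SUBFIELD_BYTES
            mems = [[0] * (1 << (8 * SUBFIELD_BYTES)) for _ in range(n_sub)]
            for j, a in enumerate(group):
                for f in range(n_sub):
                    addr = int.from_bytes(a[f * SUBFIELD_BYTES:(f + 1) * SUBFIELD_BYTES], "big")
                    mems[f][addr] |= 1 << j
            self.mem[length] = mems
        self.window = max(self.groups)   # step (4a): longest pattern length

    def prefilter(self, data: bytes):
        """Step (4): slide the window one byte at a time; for every length L
        hash the L-byte prefix and emit (offset, L) when all k bits are set.
        The FIFO of the claim is modelled as a plain list of fixed-format pairs."""
        fifo = []
        for off in range(len(data)):
            window = data[off:off + self.window]
            for length, arr in self.bloom.items():
                seg = window[:length]
                if len(seg) < length:
                    continue            # tail shorter than this pattern length
                if all(arr[h] for h in _hashes(seg)):
                    fifo.append((off, length))
        return fifo

    def exact_match(self, data: bytes, off: int, length: int) -> int:
        """Step (6): AND the bit vectors addressed by each subfield; bit j of
        the result is set only if attack j of the L-group matches exactly."""
        seg = data[off:off + length]
        result = (1 << len(self.groups[length])) - 1
        for f, mem in enumerate(self.mem[length]):
            addr = int.from_bytes(seg[f * SUBFIELD_BYTES:(f + 1) * SUBFIELD_BYTES], "big")
            result &= mem[addr]
        return result

    def detect(self, data: bytes):
        """Whole pipeline; step (7) output as (offset, L, attack index)."""
        hits = []
        for off, length in self.prefilter(data):
            result = self.exact_match(data, off, length)
            for j in range(len(self.groups[length])):   # zero result: Bloom false positive
                if result >> j & 1:
                    hits.append((off, length, j))
        return hits


# Constructed sample patterns and traffic for the demonstration.
KNOWN_ATTACKS = [b"/etc/passwd", b"cmd.exe", b"<script>", b"/bin/sh"]
SAMPLE_TRAFFIC = b"AAA/bin/shBBB<script>C"


def run_demo():
    return FpgaStyleMatcher(KNOWN_ATTACKS).detect(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    print(run_demo())   # expected: [(3, 7, 1), (13, 8, 0)]
```

The attack index j is relative to the length group, exactly as in step (7): `/bin/sh` is the second 7-byte pattern, so it is reported as (offset 3, L = 7, j = 1). Because `exact_match` is exact, the output does not depend on the hash choice; only the number of candidates pulled from the FIFO does, which is the parameter a hardware implementation tunes with the array size and k.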
CN201810474570.2A 2018-05-17 2018-05-17 Intrusion detection device and method based on field programmable gate array Active CN108768984B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810474570.2A CN108768984B (en) 2018-05-17 2018-05-17 Intrusion detection device and method based on field programmable gate array

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810474570.2A CN108768984B (en) 2018-05-17 2018-05-17 Intrusion detection device and method based on field programmable gate array

Publications (2)

Publication Number Publication Date
CN108768984A CN108768984A (en) 2018-11-06
CN108768984B (en) 2020-02-21

Family

ID=64006906

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810474570.2A Active CN108768984B (en) 2018-05-17 2018-05-17 Intrusion detection device and method based on field programmable gate array

Country Status (1)

Country Link
CN (1) CN108768984B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101848222A (en) * 2010-05-28 2010-09-29 武汉烽火网络有限责任公司 Inspection method and device of Internet deep packet
CN101958883A (en) * 2010-03-26 2011-01-26 湘潭大学 Bloom Filter and open-source kernel-based method for defensing SYN Flood attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9584533B2 (en) * 2014-11-07 2017-02-28 Arbor Networks, Inc. Performance enhancements for finding top traffic patterns

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101958883A (en) * 2010-03-26 2011-01-26 湘潭大学 Bloom Filter and open-source kernel-based method for defensing SYN Flood attack
CN101848222A (en) * 2010-05-28 2010-09-29 武汉烽火网络有限责任公司 Inspection method and device of Internet deep packet

Also Published As

Publication number Publication date
CN108768984A (en) 2018-11-06

Similar Documents

Publication Publication Date Title
US11706020B2 (en) Circuit and method for overcoming memory bottleneck of ASIC-resistant cryptographic algorithms
CN109145158B (en) Processing method of data in bloom filter and bloom filter
CN101848222B (en) Inspection method and device of Internet deep packet
CN110109926B (en) Ordering device and ordering method for Equihash algorithm data
CN110858823B (en) Data packet classification method and device and computer readable storage medium
JP2005524149A5 (en)
CN105739971B (en) Verify generation, application method and the device of file
WO2014067063A1 (en) Duplicate data retrieval method and device
CN105573711B (en) A kind of data cache method and device
CN106789733B (en) Device and method for improving large-scale network flow table searching efficiency
CN103412858A (en) Method for large-scale feature matching of text content or network content analyses
CN109977031B (en) Solid state disk garbage recycling method and solid state disk
CN108768984B (en) Intrusion detection device and method based on field programmable gate array
CN111541617A (en) Data flow table processing method and device for high-speed large-scale concurrent data flow
CN102546293A (en) High speed network flow network address measuring method based on Hash bit string multiplexing
US7661138B1 (en) Finite state automaton compression
CN102316173A (en) Method and device for aggregating network address
CN114943021B (en) TB-level incremental data screening method and device
US20080022403A1 (en) Method and apparatus for a pattern matcher using a multiple skip structure
CN110990897A (en) File fingerprint generation method and device
CN111653318A (en) Acceleration method and device for gene comparison, storage medium and server
US10795580B2 (en) Content addressable memory system
US20170010814A1 (en) Memory with compressed key
US20160105363A1 (en) Memory system for multiple clients
CN114490861A (en) Telemetry data analysis method, device, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant