CN109743260A - A kind of device and method that network flow is filtered based on improved ACBM algorithm - Google Patents
- Publication number: CN109743260A
- Application number: CN201811588423.4A
- Authority: CN (China)
- Prior art keywords: rule, module, algorithm, acbm, network flow
- Legal status: Pending
- Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a device and method for filtering network traffic based on an improved ACBM algorithm. The device comprises a data receiving and sending module, a switching module, a packet parsing module and a control module. The method comprises the following steps: the data receiving and sending module accesses the split-off (tapped) network traffic through the interfaces it provides; the switching module forwards the packets received by the data receiving module up to the Cavium chip; the control module is responsible for switching port types and for distributing rules; the improved ACBM algorithm is responsible for creating and updating the rule tree; the packet parsing module parses packets on the Cavium processor and extracts packet information; rule matching compares the packet information extracted by the Cavium processor against the rules previously written into the rule table and obtains the matching result. The invention improves the performance of the device and reduces costs.
Description
Technical field
The present invention relates to the field of network security and data center technology, and in particular to a device and method for filtering network traffic based on an improved ACBM algorithm.
Background technique
Current mainstream network traffic filtering systems consist mainly of a data acquisition device, traffic filtering servers and a rule server, and the traffic filtering algorithm is implemented with the traditional ACBM algorithm. The data acquisition device is responsible for receiving the split-off network traffic and distributing it, with load balancing, to the traffic filtering servers. A traffic filtering server is responsible for analysing the traffic collected by the acquisition device and judging whether there is network traffic that needs to be filtered: traffic that matches a filtering rule is discarded, and traffic that matches no rule is sent to the back-end analysis server.
The rule server is responsible for storing and distributing rules. The data-plane process is as follows: after network traffic passes through the central switch or router it is split; one copy continues on to the corresponding internet server, and the other copy is fed into the data acquisition device. After receiving the traffic, the data acquisition device load-balances it and distributes it to the traffic filtering servers. The traffic filtering server analyses the traffic and judges whether there is network traffic to be filtered; traffic matching a filtering rule is discarded, and traffic matching no rule is sent to the back-end analysis server.
Because the ACBM algorithm must tear down and rebuild the string tree whenever the tree is updated, it has a large time overhead, and this overhead grows very large as the number of rules increases. As a result, current network traffic filtering devices support relatively few rules: with many rules the string tree takes too long to rebuild to satisfy real-time filtering scenarios. In addition, because traditional network traffic filtering devices analyse traffic on servers, their packet processing capability is weak and their performance is low.
Summary of the invention
The technical problem to be solved by the present invention is to provide a device and method for filtering network traffic based on an improved ACBM algorithm that can improve the performance of the device and reduce costs.
To solve the above technical problem, the present invention provides a device for filtering network traffic based on an improved ACBM algorithm, comprising: a data receiving and sending module, a switching module, a packet parsing module and a control module. The data receiving and sending module accesses the split-off network traffic through the interfaces it provides; the switching module forwards the packets received by the data receiving module up to the Cavium chip; the control module is responsible for switching port types and for distributing rules; the packet parsing module parses packets on the Cavium processor and extracts packet information.
Preferably, the interface types supported are 32XGE, 32GE, 8XGE+16GE and 8XGEW+16XGE.
Correspondingly, a method for filtering network traffic based on an improved ACBM algorithm comprises the following steps:
(1) the data receiving and sending module accesses the split-off network traffic through the interfaces it provides;
(2) the switching module forwards the packets received by the data receiving module up to the Cavium chip;
(3) the control module is responsible for switching port types and for distributing rules;
(4) the improved ACBM algorithm is responsible for creating and updating the rule tree, where ACBM is a multi-pattern string matching algorithm;
(5) the packet parsing module parses packets on the Cavium processor and extracts packet information;
(6) rule matching compares the packet information extracted by the Cavium processor against the rules previously written into the rule table and obtains the matching result, where the rule table holds the matching rules delivered by the control module to the chip.
Preferably, in step (1) the port types supported are 32XGE, 32GE, 8XGE+16GE and 8XGEW+16XGE.
Preferably, in step (5) the Cavium processor is a high-performance, low-latency, low-power network processor with a 64-core MIPS architecture provided by Cavium, with 80Gbps processing performance and a packet processing delay of 10 microseconds.
The invention has the following beneficial effects. The present invention improves the ACBM algorithm so that, when rules are added or deleted, the rule update is carried out by dynamically updating the string tree; this reduces the time overhead and greatly increases the rule capacity of the network traffic filtering device. Furthermore, by combining a high-performance, low-cost Cavium processor, a network traffic filtering device is designed that integrates data acquisition, data analysis and traffic filtering in one unit, which improves the performance of the device and reduces costs.
Detailed description of the invention
Fig. 1 is a structural schematic diagram of the device of the invention.
Fig. 2 is a schematic diagram of the data-plane forwarding process of the invention.
Fig. 3 is a schematic flow diagram of the method of the invention.
Specific embodiment
As shown in Fig. 1 and Fig. 2, a device for filtering network traffic based on an improved ACBM algorithm comprises a data receiving and sending module, a switching module, a packet parsing module and a control module. It is characterised in that the data receiving and sending module can provide a rich set of high-density interface types, such as 32XGE, 32GE or 8XGE+16GE interfaces; the packet parsing module has a processing performance of 160Gbps, a forwarding delay below 10 microseconds and low power consumption; the ACBM algorithm is a multi-pattern string matching algorithm; the Cavium processor is a high-performance, low-latency, low-power network processor; and the improvement to the ACBM algorithm is that the string tree is updated dynamically, which shortens the time for rules to take effect. With the above configuration and rule distribution, real-time filtering of network traffic is realised by the improved ACBM algorithm in combination with the high-performance Cavium processor.
Specifically, the improved ACBM algorithm in this embodiment comprises the updating of the string tree and the matching of strings; a rule update means an update of the string tree. The jump algorithm is used to find the specific position of a matched character in the string; the character position information array stores the number of times each character occurs at each position; and the child-node linked list is used to speed up string matching. By improving the update method of the string tree, the tree is updated by inserting and deleting nodes in the original string tree instead of tearing it down and rebuilding it, so that rules are updated in real time.
As shown in Fig. 3, a method for filtering network traffic based on an improved ACBM algorithm comprises the following steps:
S1. The data receiving and sending module accesses the split-off network traffic through the interfaces it provides; the port types supported are 32XGE, 32GE, 8XGE+16GE and 8XGEW+16XGE.
S2. The switching module forwards the packets received by the data receiving module up to the Cavium chip.
S3. The control module is responsible for switching port types and for distributing rules.
S4. The improved ACBM algorithm is responsible for creating and updating the rule tree; ACBM is a multi-pattern string matching algorithm.
S5. The packet parsing module parses packets on the Cavium processor and extracts packet information; the Cavium processor is a high-performance, low-latency, low-power network processor with a 64-core MIPS architecture provided by Cavium, with 80Gbps processing performance and a packet processing delay of 10 microseconds.
S6. Rule matching compares the packet information extracted by the Cavium processor against the rules previously written into the rule table and obtains the matching result.
Here the rule table holds the matching rules delivered by the control module to the chip. The jump algorithm is used to find the specific position of a matched character in the string. The character position information array stores the number of times each character occurs at each position; with this information the minimum position at which each character occurs is known without traversing all the features in the whole rule set. The child-node linked list is split into several segments; during matching, given the child node being looked up, the segment that node belongs to is determined, and the child node can then be found from that segment's list pointer in at most 16 lookups, which speeds up matching.
Rules are added and deleted by dynamically creating the string tree, which greatly shortens the time for rules to take effect: it is improved from the original second level to the millisecond level. Dynamic creation means that the original string tree is not torn down. The rule length information array makes it possible, when a rule is added or deleted, to obtain the new minimum rule length without traversing all the rules again.
The control-plane process is as follows.
The corresponding filtering rules are distributed and the string tree is created dynamically; the process after a distributed rule is received is described as follows. Suppose the first rule is abcd; a corresponding string tree is created. Now a new rule dcf arrives. Checking the existing string tree finds that d already exists in the root node, so it does not need to be created; at the second level there is no node corresponding to the character c, so a node is created; the character f is a child node of c, so a child node is also created. The dynamic update of the string tree is thus completed without tearing down and rebuilding the original string tree.
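The in-place rule-tree update described here and in the embodiment above (insert or delete nodes in the existing tree rather than rebuilding it, and keep a rule-length array so that the minimum rule length is known without traversing every rule) is illustrated by the following added C example. It is not the patent's code: it uses a standard byte-indexed prefix trie with per-node reference counts, in which the rules abcd and dcf share no prefix, so the constructed rule abef is added to show node sharing. The names ruleset, rule_add, rule_del, min_rule_len and payload_match are assumptions for the example; the segmented child-node linked list, the jump algorithm and the Cavium-specific parts are not modelled.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_RULE_LEN 64
#define ALPHABET 256

/* Constructed example, not the patent's implementation: a byte-indexed prefix
 * trie ("rule tree") that is updated in place instead of being rebuilt. */
typedef struct node {
    struct node *child[ALPHABET];
    int refcount;   /* rules whose path passes through this node */
    int terminal;   /* rules that end exactly at this node */
} node;

typedef struct {
    node *root;
    int len_count[MAX_RULE_LEN + 1]; /* histogram of rule lengths */
    int rule_count;
} ruleset;

static node *node_new(void) { return calloc(1, sizeof(node)); }

ruleset *ruleset_new(void) {
    ruleset *rs = calloc(1, sizeof(ruleset));
    rs->root = node_new();
    return rs;
}

/* Add a rule by walking the existing tree and creating only the nodes that
 * are missing. Returns the number of nodes created, or -1 on a bad length. */
int rule_add(ruleset *rs, const char *rule) {
    size_t len = strlen(rule);
    if (len == 0 || len > MAX_RULE_LEN) return -1;
    node *n = rs->root;
    int created = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)rule[i];
        if (!n->child[c]) { n->child[c] = node_new(); created++; }
        n = n->child[c];
        n->refcount++;
    }
    n->terminal++;
    rs->len_count[len]++;
    rs->rule_count++;
    return created;
}

/* Delete a rule: walk its path, drop the reference counts and free the nodes
 * no remaining rule uses (leaf first). Returns 0, or -1 if the rule is absent. */
int rule_del(ruleset *rs, const char *rule) {
    size_t len = strlen(rule);
    if (len == 0 || len > MAX_RULE_LEN) return -1;
    node *path[MAX_RULE_LEN];
    node *n = rs->root;
    for (size_t i = 0; i < len; i++) {
        n = n->child[(unsigned char)rule[i]];
        if (!n) return -1;
        path[i] = n;
    }
    if (n->terminal == 0) return -1;
    n->terminal--;
    for (size_t i = len; i-- > 0;) {
        path[i]->refcount--;
        if (path[i]->refcount == 0) {
            node *parent = (i == 0) ? rs->root : path[i - 1];
            parent->child[(unsigned char)rule[i]] = NULL;
            free(path[i]);
        }
    }
    rs->len_count[len]--;
    rs->rule_count--;
    return 0;
}

/* Shortest rule currently loaded, read from the length histogram rather than
 * by traversing every rule; 0 when the set is empty. */
int min_rule_len(const ruleset *rs) {
    for (int l = 1; l <= MAX_RULE_LEN; l++)
        if (rs->len_count[l] > 0) return l;
    return 0;
}

/* Scan a payload: from every offset, walk the tree as far as the bytes allow
 * and report the first offset at which some rule ends. Offsets too close to
 * the end to hold the shortest rule are skipped. Returns the offset or -1. */
int payload_match(const ruleset *rs, const unsigned char *buf, size_t n) {
    int minlen = min_rule_len(rs);
    if (minlen == 0) return -1;
    for (size_t start = 0; start + (size_t)minlen <= n; start++) {
        const node *cur = rs->root;
        for (size_t i = start; i < n; i++) {
            cur = cur->child[buf[i]];
            if (!cur) break;
            if (cur->terminal) return (int)start;
        }
    }
    return -1;
}
```

Adding abcd creates four nodes and adding abef then creates only two, because the prefix ab is reused; deleting abef later frees only the e and f nodes, and the length histogram yields the new minimum rule length immediately after a deletion. On a device that swaps rules while traffic is flowing, the reference counts are what make the deletion safe: a node is freed only when no loaded rule still passes through it.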
After a packet is received, rule matching must be performed; the process is described as follows. Suppose "search" is to be looked up in "substring searching algorithm". At the start the substring and the text are aligned at the left, and a mismatch is found at the second character, so the substring is moved to the right. The method of moving it is to look at the character immediately after the current substring (in the first comparison, 'i'). Clearly, no matter how far the substring is moved, this character will take part in the next comparison; that is, if the next comparison is to match, this character must be in the substring. So the substring can be moved so that the rightmost occurrence of this character in the substring is aligned with it. The current substring 'search' contains no 'i', which means a large chunk can be skipped directly: the next comparison is made starting from the character after 'i'. In that comparison the first character already mismatches, so the character after the substring is examined; it is 'r', which appears third from the end of the substring, so the substring is moved three positions to the right to align the two 'r's, and the current comparison is found to match.
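The skip rule walked through above (look at the byte just after the window; if it does not occur in the pattern, move past it; otherwise align its rightmost occurrence in the pattern with it) is the quick-search variant of Boyer-Moore. The following added C example, not the patent's code, implements it for a single pattern and counts the window positions examined, so the three comparisons of the walkthrough (offsets 0, 7 and 10 in "substring searching algorithm") can be checked. The names skip_pattern, skip_compile and skip_search are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define ALPHABET 256

/* Constructed example of the quick-search (Sunday) shift rule. The table says,
 * for the byte just past the current window, how far the window may advance:
 * a byte absent from the pattern lets the whole window plus one be skipped. */
typedef struct {
    const unsigned char *pat;
    size_t m;
    size_t shift[ALPHABET];
} skip_pattern;

void skip_compile(skip_pattern *sp, const char *pattern) {
    sp->pat = (const unsigned char *)pattern;
    sp->m = strlen(pattern);
    for (int c = 0; c < ALPHABET; c++) sp->shift[c] = sp->m + 1;
    /* later occurrences overwrite earlier ones, so each entry ends up holding
     * the rightmost position of that byte, i.e. the smallest safe shift */
    for (size_t i = 0; i < sp->m; i++) sp->shift[sp->pat[i]] = sp->m - i;
}

/* Returns the offset of the first match or -1. *alignments receives the number
 * of window positions examined, which shows how much text the rule jumped. */
long skip_search(const skip_pattern *sp, const char *text, size_t n, int *alignments) {
    size_t pos = 0;
    int tried = 0;
    if (sp->m == 0 || n < sp->m) { if (alignments) *alignments = 0; return -1; }
    while (pos + sp->m <= n) {
        tried++;
        if (memcmp(text + pos, sp->pat, sp->m) == 0) {
            if (alignments) *alignments = tried;
            return (long)pos;
        }
        if (pos + sp->m == n) break;  /* no byte after the window to look at */
        pos += sp->shift[(unsigned char)text[pos + sp->m]];
    }
    if (alignments) *alignments = tried;
    return -1;
}
```

For "search" the table gives shift['i'] = 7 (absent from the pattern) and shift['r'] = 3 (third from the end), which reproduces the two jumps in the walkthrough. In the multi-pattern setting of the page, the same idea is applied with the shortest rule length as the window size, which is why the minimum rule length must be cheap to obtain after every rule update.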
The data-plane forwarding process is as follows.
The split-off traffic accessed through the device interfaces is sent by the switching module to the Cavium processor for processing.
The Cavium processor parses the packets and matches them against the rules: packets matching no rule are discarded directly, and packets matching a rule are sent to the back-end server.
Claims (5)
1. A device for filtering network traffic based on an improved ACBM algorithm, characterised in that it comprises: a data receiving and sending module, a switching module, a packet parsing module and a control module; the data receiving and sending module accesses the split-off network traffic through the interfaces it provides; the switching module forwards the packets received by the data receiving module up to the Cavium chip; the control module is responsible for switching port types and for distributing rules; the packet parsing module parses packets on the Cavium processor and extracts packet information.
2. The device for filtering network traffic based on an improved ACBM algorithm according to claim 1, characterised in that the interface types supported are 32XGE, 32GE, 8XGE+16GE and 8XGEW+16XGE.
3. A method for filtering network traffic based on an improved ACBM algorithm, characterised in that it comprises the following steps:
(1) the data receiving and sending module accesses the split-off network traffic through the interfaces it provides;
(2) the switching module forwards the packets received by the data receiving module up to the Cavium chip;
(3) the control module is responsible for switching port types and for distributing rules;
(4) the improved ACBM algorithm is responsible for creating and updating the rule tree, where ACBM is a multi-pattern string matching algorithm;
(5) the packet parsing module parses packets on the Cavium processor and extracts packet information;
(6) rule matching compares the packet information extracted by the Cavium processor against the rules previously written into the rule table and obtains the matching result, where the rule table holds the matching rules delivered by the control module to the chip.
4. The method for filtering network traffic based on an improved ACBM algorithm according to claim 3, characterised in that in step (1) the port types supported are 32XGE, 32GE, 8XGE+16GE and 8XGEW+16XGE.
5. The method for filtering network traffic based on an improved ACBM algorithm according to claim 3, characterised in that in step (5) the Cavium processor is a high-performance, low-latency, low-power network processor with a 64-core MIPS architecture provided by Cavium, with 80Gbps processing performance and a packet processing delay of 10 microseconds.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811588423.4A CN109743260A (en) | 2018-12-25 | 2018-12-25 | A kind of device and method that network flow is filtered based on improved ACBM algorithm |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109743260A true CN109743260A (en) | 2019-05-10 |
Family
ID=66359745
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811588423.4A Pending CN109743260A (en) | 2018-12-25 | 2018-12-25 | A kind of device and method that network flow is filtered based on improved ACBM algorithm |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109743260A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1870498A (en) * | 2006-06-26 | 2006-11-29 | 北京启明星辰信息技术有限公司 | Adaptive multi-model matching method and system |
CN103475653A (en) * | 2013-09-05 | 2013-12-25 | 北京科能腾达信息技术股份有限公司 | Method for detecting network data package |
Non-Patent Citations (1)
Title |
---|
于洪伟: "基于多核处理器高效入侵检测技术研究与实现", 《中国优秀硕士学位论文全文数据库》 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110336798A (en) * | 2019-06-19 | 2019-10-15 | 南京中新赛克科技有限责任公司 | Message matching filtering method and device based on DPI |
CN115225327A (en) * | 2022-06-17 | 2022-10-21 | 北京启明星辰信息安全技术有限公司 | Intrusion detection method with pre-matching rules based on FPGA network card |
CN115225327B (en) * | 2022-06-17 | 2023-10-27 | 北京启明星辰信息安全技术有限公司 | Intrusion detection method with pre-matching rule based on FPGA network card |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20190510 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |