CN110908798B - Multi-process cooperative network traffic analysis method and device - Google Patents


Info

Publication number: CN110908798B
Application number: CN201911089657.9A
Authority: CN (China)
Other versions: CN110908798A (en)
Other languages: Chinese (zh)
Prior art keywords: taa, sub, flow, main, processes
Inventors: 丁剑明, 刘鹏
Current assignee / original assignee: Individual
Legal status: Active

Classifications

    • G06F9/5027 Allocation of resources, e.g. of the central processing unit [CPU], to service a request, the resource being a machine, e.g. CPUs, servers, terminals (under G06F9/46 Multiprogramming arrangements)
    • G06F9/546 Message passing systems or structures, e.g. queues (under G06F9/54 Interprogram communication)
    • H04L69/08 Protocols for interworking; protocol conversion (under H04L69/00 Network arrangements, protocols or services independent of the application payload)
    • H04L69/22 Parsing or analysis of headers (under H04L69/00)
    • G06F2209/548 Queue (indexing scheme relating to G06F9/54)

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a multi-process cooperative network traffic analysis method comprising the following steps: the main traffic auditing engine process, i.e. the main TAA process, creates a specified number of sub-TAA processes for processing network traffic; an inter-process communication link is set up between each sub-TAA process and the main TAA process, and each sub-TAA process shares a global structure with the main TAA process whose members include a queue holding the traffic files distributed to that sub-TAA process and a count identifier, which for the current traffic file is incremented by one each time a message of that file is parsed; and the main TAA process distributes the traffic files saved by the acquisition process to the sub-TAA processes in turn, each distributed file being appended in order to the queue of the sub-TAA process it was assigned to. The invention also relates to a multi-process cooperative network traffic analysis device. With the method and device, the data parsing rate is effectively increased and the packet loss rate is reduced.

Description

Multi-process cooperative network traffic analysis method and device
Technical Field
The present invention relates to the field of network traffic analysis, and in particular to a multi-process cooperative method and apparatus for network traffic analysis.
Background
Network traffic analysis is the operation of capturing network traffic and then parsing and auditing it: the traffic is captured by the network card, passed up to the application layer for parsing, and the application-layer data is finally obtained. For example, the parsing flow of Wireshark for Modbus is as follows:
1. the network card captures the traffic (messages, i.e. the original traffic messages);
2. the message's frame data, Ethernet data, IP data, TCP data, Modbus data and so on are parsed in turn from the lowest OSI layer upwards;
3. the obtained result is output.
In this operation the capture is performed by one process on its own, and the parsing (including output) is the responsibility of another process; this is also the mode commonly adopted across industry and academia at present. The method is simple and easy to understand and uses a one-to-one producer-consumer model.
However, it is found that the above method works well for moderate network traffic, but under the impact of heavy traffic it can cause serious packet loss, with the packet loss rate positively correlated with the traffic volume. Once the traffic reaches a certain level the message processing capacity saturates, and almost all of the additional load from further increases in traffic is simply discarded. Observing the CPU usage at that point, the usage of a single CPU core reaches about 100% while the overall CPU capacity remains fairly abundant. The system environment used was: Intel(R) Core(TM) i7-3555LE CPU @ 2.50GHz, 16 GB memory, with the traffic analysis platform using the traffic auditing engine TAA. Analysis shows that during message processing one core is overloaded while the other cores stand by idle. When the network traffic decreases, the usage of that system CPU core drops back from 100% and the packet loss rate falls. Therefore, single-core CPU performance is the most direct factor affecting message parsing.
Disclosure of Invention
To solve the above problems, the present invention provides a multi-process cooperative network traffic analysis method and apparatus. When network traffic is heavy, multiple messages are cached and written to a file in batches, which reduces the frequency of system IO operations and, to a certain extent, the system CPU usage; more importantly, a number of processes equal to the number of system CPUs is created to process the network traffic cooperatively and concurrently, which improves message parsing performance and avoids serious packet loss under the impact of heavy traffic.
According to one aspect of the present invention, a multi-process cooperative network traffic analysis method is provided, the method including:
a main traffic auditing engine process, i.e. a main TAA process, creates a specified number of sub-TAA processes for processing network traffic;
an inter-process communication link is set up between each sub-TAA process and the main TAA process; each sub-TAA process shares a global structure with the main TAA process, whose members include a queue holding the traffic files distributed to that sub-TAA process and a count identifier, which for the current traffic file is incremented by one each time a message of that file is parsed;
the main TAA process distributes the traffic files saved by the acquisition process to the sub-TAA processes in turn; for each sub-TAA process the distributed traffic files are appended in order to that process's traffic file queue, and the position of the file at the head of the queue is given to the sub-TAA process as the position from which it starts reading traffic files;
after a sub-TAA process has finished parsing a traffic file, that file is removed from the process's queue and the count identifier is reset to zero at the same time;
where the main TAA process creating a specified number of sub-TAA processes for processing network traffic includes: if the number of sub-TAA processes is not specified, the main TAA process automatically detects the number of system CPU cores and uses that number as the specified number.
According to another aspect of the present invention, a multi-process cooperative network traffic analysis apparatus is provided for a main traffic auditing engine process, i.e. a main TAA process, the apparatus including:
a first creation module for creating a specified number of sub-TAA processes for processing network traffic;
a link setting module configured to set up an inter-process communication link between each sub-TAA process and the main TAA process, where each sub-TAA process shares a global structure with the main TAA process, whose members include a queue holding the traffic files distributed to that sub-TAA process and a count identifier, which for the current traffic file is incremented by one each time a message is parsed;
a file distribution module for distributing the traffic files saved by the acquisition process to the sub-TAA processes in turn, appending the distributed traffic files in order to the traffic file queue of each sub-TAA process, and giving the position of the file at the head of the queue to the sub-TAA process as the position from which it starts reading traffic files;
after a sub-TAA process has finished parsing a traffic file, that file is removed from the process's queue and the count identifier is reset to zero at the same time;
where creating a specified number of sub-TAA processes for processing network traffic includes: if the number of sub-TAA processes is not specified, automatically detecting the number of system CPU cores and using that number as the specified number.
In addition, a message is the data unit exchanged and transmitted over the network, that is, the block of data a station sends at one time.
A message contains the complete data to be sent; messages vary greatly in length, are not limited in length, and are variable. A message is also a unit of network transmission and can be successively encapsulated into packets and frames for transmission; encapsulation adds information sections, namely a message header of data organized in a certain format. For example, the message type, message version, message length, message body and so on are contained in the message.
Messages are mostly used when several systems need to communicate, such as a bank's ESB system, a gateway system and the UnionPay system. The intermediate messages take on the job of carrying and transporting the data; the message formats in the three systems may differ from one another, but the data they carry is the same. Message authentication methods include authentication by conventional encryption, message authentication codes using a secret key, authentication using a one-way hash function, and digital-signature authentication. When a station wants to send a message it attaches a destination address to it; each network node forwards the message to the next node according to that destination address, and so the message is passed on node by node to the destination node. After a node has received the whole message and checked it, it stores the message temporarily, looks up the address of the next node from its routing information, and then transmits the whole message to that next node.
Using messages for network data transmission has the following advantages:
(1) High circuit utilization: because many messages can share the channel between two nodes in a time-shared manner, the same volume of communication places lower demands on the transmission capacity of the circuit;
(2) On a circuit-switched network, new calls cannot be accepted once the traffic becomes heavy; on a message-switched network, messages can still be accepted under heavy traffic, although the transmission delay increases;
(3) A message switch can send a message to multiple destinations, which is difficult on a circuit-switched network;
(4) A message-switched network can perform speed and code conversion.
It can be seen that the present invention has at least two important aspects:
(1) For the parsing process that handles the network traffic, multi-core resources are fully utilized: a number of processes equal to the number of system CPU cores is created to process the network traffic cooperatively and in parallel, the situation in which one core is overloaded while the others stand idle during message processing is avoided, and the message processing capacity is raised to a multiple of the original;
(2) When network traffic is heavy, multiple messages are cached and written to the file in batches, which reduces the frequency of system IO operations and the number of system calls; when network traffic is relatively light, the file is written in real time, which preserves the real-time behaviour of message processing.
Drawings
Embodiments of the invention will now be described with reference to the accompanying drawings, in which:
Fig. 1 is a flowchart illustrating a multi-process cooperative network traffic parsing method according to an embodiment of the present invention.
Fig. 2 is a flowchart illustrating another step of a multi-process collaborative network traffic parsing method according to an embodiment of the present invention.
Fig. 3 is a flowchart illustrating another step of a multi-process collaborative network traffic parsing method according to an embodiment of the present invention.
Fig. 4 is a block diagram illustrating an architecture of a multi-process cooperative network traffic analyzing apparatus according to an embodiment of the present invention.
Fig. 5 is a block diagram illustrating another structure of a multi-process cooperative network traffic analyzing apparatus according to an embodiment of the present invention.
Fig. 6 is a block diagram illustrating another structure of a multi-process cooperative network traffic analyzing apparatus according to an embodiment of the present invention.
Detailed Description
Embodiments of a method and an apparatus for multi-process collaborative network traffic analysis according to the present invention will be described in detail below with reference to the accompanying drawings.
In the prior art, when network traffic analysis is performed, an acquisition process, a parsing process and a message playback process are created in the system to complete the capture of network data and the message parsing operations in sequence.
A system performing network traffic analysis generally runs on a multi-core, i.e. multi-CPU, hardware environment;
in actual operation, a comparison table of experimental data for the acquisition process is obtained as shown in Table 1.
[Table 1: experimental data for the acquisition process; present only as an image on the original page, contents not recoverable here]
TABLE 1
As can be seen from Table 1, the acquisition process copes easily even with an impact exceeding 40 MB/s. For industrial applications, the capacity of one CPU core basically meets the needs of most scenarios.
In actual operation, a table of experimental data showing how parsing performs is shown in Table 2.
Player pps (frames)   Traffic (MB/s)   Single CPU occupancy (%)   Total CPU idle (%)   Actual processing pps (frames)
2000                  1.84             61.8-73.1                  55.0                 ~2000
4000                  3.60             97.3-100.0                 49.0                 ~3030
8000                  7.13             99.7-101.0                 48.7                 ~3030
15000                 13.37            100.0-100.7                48.0                 ~3030
TABLE 2
As can be seen from Table 2, once pps reaches a certain level, further increases in pps do not increase the pps actually processed: the single-core CPU utilization reaches its limit while the total idle CPU utilization stays basically unchanged. This shows that once the single core's performance is exhausted its processing capacity cannot be raised by adding more traffic; moreover, for a real-time system, any traffic that cannot be processed in real time is discarded, which inevitably puts severe pressure on the packet processing rate, i.e. the packet loss rate. At the same time, the total idle CPU utilization is still considerable, so it is reasonable to expect that if every CPU core could be fully used, the parsing rate would rise to a better level and packet loss would fall.
Based on the above analysis, there are two ways to increase the message parsing rate. The first is to improve the single-core performance of the CPU, but given the development trend of modern CPUs, including the fact that both Intel and AMD are moving towards stacking more cores to raise overall CPU performance, the outlook for single-core improvement is not optimistic. The second is to make full use of the multi-core advantage by distributing the most CPU-intensive parsing steps across multiple CPU cores, while reducing CPU usage by other means, such as reducing the frequency of I/O operations. The first way is therefore hard to carry out, and the technical problem of packet loss during parsing can only be solved by the second way; however, the prior art provides no concrete solution along the second way.
To overcome these shortcomings, the invention builds a multi-process cooperative network traffic analysis method and a multi-process cooperative network traffic analysis apparatus, which effectively solve the corresponding technical problems.
Fig. 1 is a flowchart illustrating a multi-process cooperative network traffic parsing method according to an embodiment of the present invention, the method including:
a main traffic auditing engine process, i.e. a main TAA process, creates a specified number of sub-TAA processes for processing network traffic;
an inter-process communication link is set up between each sub-TAA process and the main TAA process; each sub-TAA process shares a global structure with the main TAA process, whose members include a queue holding the traffic files distributed to that sub-TAA process and a count identifier, which for the current traffic file is incremented by one each time a message of that file is parsed;
the main TAA process distributes the traffic files saved by the acquisition process to the sub-TAA processes in turn; for each sub-TAA process the distributed traffic files are appended in order to that process's traffic file queue, and the position of the file at the head of the queue is given to the sub-TAA process as the position from which it starts reading traffic files;
after a sub-TAA process has finished parsing a traffic file, that file is removed from the process's queue and the count identifier is reset to zero at the same time;
where the main TAA process creating a specified number of sub-TAA processes for processing network traffic includes: if the number of sub-TAA processes is not specified, the main TAA process automatically detects the number of system CPU cores and uses that number as the specified number.
Next, the specific steps of the multi-process cooperative network traffic analysis method of the present invention are described further.
Fig. 2 is a flowchart illustrating another step of a multi-process cooperative network traffic parsing method according to an embodiment of the present invention.
As shown in Fig. 2, after the main TAA process has distributed the traffic files saved by the acquisition process to the sub-TAA processes in turn, the multi-process cooperative network traffic analysis method may further include:
the main TAA process monitors the running state of the sub-TAA processes at all times; when a sub-TAA process crashes, the main TAA process either hands the remaining unparsed traffic files in the crashed process's queue over to the other sub-TAA processes in turn, which continue parsing messages from the position recorded by the count identifier, or restarts a new sub-TAA process, hands the remaining unparsed traffic files in the crashed process's queue over to the newly started process, and continues parsing messages from the position recorded by the count identifier;
when the main TAA process finds that the traffic is below the preset rate threshold and the number of traffic files in the queues of the sub-TAA processes is uneven, some of the traffic files of the sub-TAA processes with more files are evenly redistributed to the sub-TAA processes with fewer files to balance the load.
Fig. 3 is a flowchart illustrating another step of a multi-process collaborative network traffic parsing method according to an embodiment of the present invention.
As shown in Fig. 3, before the main traffic auditing engine process, i.e. the main TAA process, creates the specified number of sub-TAA processes for processing network traffic, the multi-process cooperative network traffic parsing method may further include:
the main TAA process creates a traffic acquisition process.
In the multi-process cooperative network traffic parsing method:
the traffic acquisition process caches all captured messages and writes them to a traffic file in batches when it detects that the traffic capture rate is greater than or equal to the preset rate threshold;
and the traffic acquisition process writes captured messages to a traffic file in real time when it detects that the traffic capture rate is below the preset rate threshold.
Fig. 4 is a block diagram illustrating the structure of a multi-process cooperative network traffic analysis apparatus according to an embodiment of the present invention; the apparatus is used for a main traffic auditing engine process, i.e. a main TAA process, and includes:
a first creation module for creating a specified number of sub-TAA processes for processing network traffic;
a link setting module configured to set up an inter-process communication link between each sub-TAA process and the main TAA process, where each sub-TAA process shares a global structure with the main TAA process, whose members include a queue holding the traffic files distributed to that sub-TAA process and a count identifier, which for the current traffic file is incremented by one each time a message of that file is parsed;
a file distribution module for distributing the traffic files saved by the acquisition process to the sub-TAA processes in turn, appending the distributed traffic files in order to the traffic file queue of each sub-TAA process, and giving the position of the file at the head of the queue to the sub-TAA process as the position from which it starts reading traffic files;
after a sub-TAA process has finished parsing a traffic file, that file is removed from the process's queue and the count identifier is reset to zero at the same time;
where creating a specified number of sub-TAA processes for processing network traffic includes: if the number of sub-TAA processes is not specified, automatically detecting the number of system CPU cores and using that number as the specified number.
Next, the specific configuration of the multi-process cooperative network traffic analysis apparatus of the present invention is described further.
Fig. 5 is a block diagram illustrating another structure of a multi-process cooperative network traffic analyzing apparatus according to an embodiment of the present invention.
As shown in Fig. 5, the multi-process cooperative network traffic analysis apparatus may further include:
an operation monitoring module for monitoring the running state of the sub-TAA processes at all times and, when a sub-TAA process crashes, either handing the remaining unparsed traffic files in the crashed process's queue over to the other sub-TAA processes in turn, which continue parsing messages from the position recorded by the count identifier, or restarting a new sub-TAA process, handing the remaining unparsed traffic files in the crashed process's queue over to the newly started process, and continuing to parse messages from the position recorded by the count identifier;
and a load balancing module for evenly redistributing some of the traffic files of the sub-TAA processes with more files to the sub-TAA processes with fewer files, to balance the load, when the traffic is below the preset rate threshold and the number of traffic files in the queues of the sub-TAA processes is uneven.
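As an added illustration of the main-TAA scheduling described above (the method of Figs. 1 and 2 and the creation, link setting, file distribution, operation monitoring and load balancing modules of Figs. 4 and 5), the following Python model is not the patent's code or the TAA engine's. Sub-TAA processes are modelled as plain objects so the scheduling logic runs deterministically in a single process; a real implementation would fork the workers and place the shared structure in shared memory. `TrafficFile`, `Assignment`, `WorkerState`, `MainTAA`, the 10 MB/s rate threshold and the `cap-NNNN.pcap` file names are all assumptions of the example.

```python
"""Model of the main-TAA scheduler: round-robin file distribution, per-worker queue and
count identifier, crash hand-over resuming at the counter, and quiet-period rebalancing.
Added example (not the patent's code); workers are modelled in-process."""
from collections import deque
from dataclasses import dataclass, field
import os


@dataclass(frozen=True)
class TrafficFile:
    name: str        # constructed sample name such as "cap-0001.pcap"
    n_packets: int   # number of messages the file holds


@dataclass
class Assignment:
    file: TrafficFile
    resume_at: int = 0   # message index to start from; non-zero only after a hand-over


@dataclass
class WorkerState:
    """The 'global structure' shared between the main process and one sub-TAA process."""
    queue: deque = field(default_factory=deque)  # Assignments; the head is the file being parsed
    count: int = 0       # messages of the head file parsed so far (the count identifier)
    alive: bool = True
    done: list = field(default_factory=list)     # names of fully parsed files, for inspection


class MainTAA:
    """Main TAA process: creates workers, distributes files, recovers crashes, balances load."""

    def __init__(self, n_workers=None, rate_threshold_mbps=10.0):
        # Unspecified worker count -> number of CPU cores, the patent's default.
        self.n_workers = n_workers or os.cpu_count() or 1
        self.workers = [WorkerState() for _ in range(self.n_workers)]
        self.rate_threshold = rate_threshold_mbps
        self._rr = 0  # round-robin cursor

    def live(self):
        return [i for i, w in enumerate(self.workers) if w.alive]

    def _next_live(self):
        live = self.live()
        if not live:
            raise RuntimeError("no live sub-TAA process available")
        target = live[self._rr % len(live)]
        self._rr += 1
        return target

    def distribute(self, files):
        """Append each file from the acquisition process to the next live worker's queue in turn."""
        for f in files:
            self.workers[self._next_live()].queue.append(Assignment(f))

    def parse_one(self, idx):
        """One sub-TAA process parses one message of its head file; count identifier += 1.
        Returns the name of a file completed by this step, else None."""
        w = self.workers[idx]
        if not w.alive or not w.queue:
            return None
        head = w.queue[0]
        if w.count == 0 and head.resume_at:
            w.count = head.resume_at      # continue where the crashed worker stopped
        w.count += 1
        if w.count >= head.file.n_packets:
            w.queue.popleft()             # file fully parsed: remove it and reset the counter
            w.count = 0
            w.done.append(head.file.name)
            return head.file.name
        return None

    def handle_crash(self, idx, restart):
        """Recover a crashed worker's remaining files, resuming the head file at its counter.
        restart=True: a fresh worker in the same slot takes the whole queue.
        restart=False: the files are handed to the other live workers in turn.
        Returns the list of worker indices that received the files."""
        dead = self.workers[idx]
        dead.alive = False
        remaining = list(dead.queue)
        if remaining:
            remaining[0] = Assignment(remaining[0].file, dead.count or remaining[0].resume_at)
        dead.queue.clear()
        dead.count = 0
        if restart:
            self.workers[idx] = WorkerState(queue=deque(remaining))
            return [idx] * len(remaining)
        targets = []
        for a in remaining:
            target = self._next_live()
            self.workers[target].queue.append(a)
            targets.append(target)
        return targets

    def rebalance(self, current_rate_mbps):
        """Below the rate threshold, move files from the tail of the longest queue (never the
        head file being parsed) to the shortest queue until no two queues differ by more than
        one file. Returns the number of files moved."""
        if current_rate_mbps >= self.rate_threshold:
            return 0
        moved = 0
        while True:
            live = self.live()
            longest = max(live, key=lambda i: len(self.workers[i].queue))
            shortest = min(live, key=lambda i: len(self.workers[i].queue))
            if len(self.workers[longest].queue) - len(self.workers[shortest].queue) <= 1:
                return moved
            self.workers[shortest].queue.append(self.workers[longest].queue.pop())
            moved += 1


def demo():
    """Constructed walk-through: 3 workers, 7 files of 4 messages each, one crash, one rebalance."""
    main = MainTAA(n_workers=3, rate_threshold_mbps=10.0)
    main.distribute([TrafficFile(f"cap-{i:04d}.pcap", 4) for i in range(7)])
    # queues now: worker0 = [0, 3, 6], worker1 = [1, 4], worker2 = [2, 5]
    for _ in range(3):
        main.parse_one(1)                               # worker 1 parses 3 of 4 messages of cap-0001
    targets = main.handle_crash(1, restart=False)       # worker 1 dies; its files go to 2 and 0
    for _ in range(8):
        main.parse_one(2)                               # worker 2 finishes cap-0002 and cap-0005
    moved = main.rebalance(current_rate_mbps=2.0)       # quiet period: even out the queues
    resumed = main.parse_one(2)                         # cap-0001 needs only its 4th message
    return {
        "crash_targets": targets,
        "moved": moved,
        "resumed_file": resumed,
        "queues": {i: [a.file.name for a in w.queue] for i, w in enumerate(main.workers) if w.alive},
        "worker2_done": list(main.workers[2].done),
    }


if __name__ == "__main__":
    print(demo())
```

Round-robin distribution keeps the queues even under load; `handle_crash` carries the crashed worker's count identifier along with the head file as `resume_at`, so the file is not parsed from the beginning again; `rebalance` only moves files from the tail of a queue, never the head file that is being parsed, and only when the traffic rate is below the threshold, matching the quiet-period condition in the description.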
Fig. 6 is a block diagram illustrating another structure of a multi-process cooperative network traffic analyzing apparatus according to an embodiment of the present invention.
As shown in Fig. 6, the multi-process cooperative network traffic analysis apparatus may further include:
a second creation module for creating a traffic acquisition process.
In the multi-process cooperative network traffic analysis apparatus:
the traffic acquisition process caches all captured messages and writes them to a traffic file in batches when it detects that the traffic capture rate is greater than or equal to the preset rate threshold;
and the traffic acquisition process writes captured messages to a traffic file in real time when it detects that the traffic capture rate is below the preset rate threshold.
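To show the acquisition process's two write modes concretely (the traffic acquisition process of Figs. 3 and 6: cache and batch-write when the capture rate reaches the preset threshold, write through in real time below it), here is an added Python model; it is not the patent's or the TAA engine's code. The capture rate is estimated over a one-second sliding window, records are written in the standard libpcap file format, and `CountingSink`, `CaptureWriter`, the 100 kB/s threshold, the batch size of 64 and the constructed packet stream in `demo()` are all assumptions of the example.

```python
"""Model of the traffic acquisition process's write policy: batch writes above the preset
rate threshold, write-through below it. Added example, not the patent's code."""
import struct
from collections import deque
from io import BytesIO

# libpcap global header, little-endian: magic, version 2.4, zone, sigfigs, snaplen, Ethernet.
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def pcap_record(ts, payload):
    """One pcap packet record: ts_sec, ts_usec, captured length, original length, then bytes."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload


class CountingSink:
    """In-memory stand-in for the traffic file; counts write() calls as a proxy for IO operations."""

    def __init__(self):
        self.buf = BytesIO()
        self.writes = 0

    def write(self, data):
        self.writes += 1
        self.buf.write(data)


class CaptureWriter:
    """Acquisition process model: cache and batch-write when the capture rate is at or above
    the threshold, write every message through immediately when it is below."""

    def __init__(self, sink, rate_threshold_bps, batch_size=64, window_s=1.0):
        self.sink = sink
        self.threshold = rate_threshold_bps   # preset rate threshold, bytes per second
        self.batch_size = batch_size          # records cached before one batch write
        self.window = window_s                # sliding window used to estimate the capture rate
        self.recent = deque()                 # (timestamp, nbytes) of messages inside the window
        self.window_bytes = 0
        self.pending = []                     # records cached while in batch mode
        self.sink.write(PCAP_GLOBAL_HEADER)

    def capture_rate(self, now):
        """Bytes per second seen over the last window, dropping entries that have aged out."""
        while self.recent and now - self.recent[0][0] > self.window:
            _, n = self.recent.popleft()
            self.window_bytes -= n
        return self.window_bytes / self.window

    def capture(self, ts, payload):
        """Handle one captured message; returns the mode used for it ('batch' or 'realtime')."""
        self.recent.append((ts, len(payload)))
        self.window_bytes += len(payload)
        record = pcap_record(ts, payload)
        if self.capture_rate(ts) >= self.threshold:
            # Heavy traffic: cache the message; the cache reaches the file in one IO operation.
            self.pending.append(record)
            if len(self.pending) >= self.batch_size:
                self.flush()
            return "batch"
        # Light traffic: drain anything still cached (keeps file order), then write through.
        self.flush()
        self.sink.write(record)
        return "realtime"

    def flush(self):
        """Write all cached records with a single write() call."""
        if self.pending:
            self.sink.write(b"".join(self.pending))
            self.pending.clear()

    def close(self):
        self.flush()


def count_pcap_records(data):
    """Walk a pcap byte string and count its packet records, checking the batched file parses."""
    if data[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("not a little-endian pcap file")
    offset, count = 24, 0
    while offset < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        offset += 16 + incl_len
        count += 1
    return count


def demo():
    """Constructed stream: a quiet period (200-byte messages every 0.5 s) followed by a burst
    (1000 messages of 1000 bytes within 0.1 s), against a 100 kB/s threshold."""
    sink = CountingSink()
    writer = CaptureWriter(sink, rate_threshold_bps=100_000, batch_size=64)
    modes = [writer.capture(i * 0.5, b"\x00" * 200) for i in range(20)]
    modes += [writer.capture(10.0 + i * 1e-4, b"\xff" * 1000) for i in range(1000)]
    writer.close()
    data = sink.buf.getvalue()
    return {
        "packets": len(modes),
        "realtime": modes.count("realtime"),
        "batch": modes.count("batch"),
        "writes": sink.writes,
        "records_in_file": count_pcap_records(data),
        "bytes": len(data),
    }


if __name__ == "__main__":
    print(demo())
```

In `demo()` the quiet period and the first part of the burst go through write-through; once the window rate crosses the threshold the remaining 901 messages are cached and reach the file in 15 write() calls instead of 901, and `count_pcap_records` confirms that the batched file still parses record by record. A real acquisition process would also flush the cache on a timer, so that a burst that stops abruptly does not leave cached messages unwritten.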
In actual operation, a comparison table of experimental data using multiple sub-TAA parsing processes is obtained as shown in Table 3:
[Table 3: experimental data with multiple sub-TAA parsing processes; present only as an image on the original page, contents not recoverable here]
TABLE 3
Comparing the data in Table 3 with Table 2 shows that, under the same traffic impact, the number of frames actually processed in the parsing mode with multiple sub-TAA parsing processes is far greater than with a single parsing process, i.e. the packet loss rate with multiple sub-TAA parsing processes is far lower than with a single parsing process; and while CPU resources are not exhausted, the packet processing rate rises linearly in proportion to the number of processes.
In summary, the multi-process cooperative network traffic analysis method and apparatus of the present invention reduce CPU usage by certain technical means on the one hand and, on the other hand, raise the message parsing rate for network data under heavy traffic by creating multiple processes that fully use multi-core resources, reducing the packet loss rate while improving message parsing performance and also reducing CPU usage.
Finally, it should be noted that each functional device in the embodiments of the present invention may be integrated into one processing device, or each device may exist alone physically, or two or more devices may be integrated into one device.
The functions, if implemented in the form of software-enabled devices and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (2)

1. A multi-process collaborative network traffic parsing method, the method comprising:
a main traffic auditing engine process, namely a main TAA process, creating a specified number of sub TAA processes for processing network traffic;
setting an inter-process communication link between each sub TAA process and the main TAA process, where each sub TAA process shares a global structure with the main TAA process, the members of the global structure comprising a queue storing the traffic files distributed to that sub TAA process and a count identifier, and for each traffic file the count identifier being incremented by one each time a message of that traffic file is parsed;
the main TAA process distributing the traffic files saved by the acquisition process to the sub TAA processes in sequence, and for each sub TAA process, inserting the distributed traffic files in sequence into the queue of traffic files of that sub TAA process, and giving the position of the queue's starting file as the position from which the sub TAA process starts reading traffic files;
after a sub TAA process has parsed a traffic file, removing that traffic file from the queue of the sub TAA process and at the same time resetting the count identifier to zero;
wherein the main TAA process creating the specified number of sub TAA processes for processing network traffic comprises: if the number of sub TAA processes is not specified, the main TAA process automatically detects the number of system CPU cores and takes that number as the specified number;
the main TAA process creating a traffic acquisition process; the traffic acquisition process being used to cache all the acquired messages and write them into a traffic file in batch when the traffic acquisition rate is detected to be greater than or equal to a preset rate threshold;
the traffic acquisition process being further used to write the acquired messages into a traffic file in real time when the traffic acquisition rate is detected to be smaller than the preset rate threshold;
the main TAA process monitoring the running state of the sub TAA processes at all times; when a sub TAA process crashes, the main TAA process either hands the remaining unparsed traffic files in the queue of the crashed sub TAA process over to other sub TAA processes in sequence and continues parsing messages from the position recorded by the count identifier, or restarts a new sub TAA process, hands the remaining unparsed traffic files in the queue of the crashed sub TAA process over to the restarted sub TAA process, and continues parsing messages from the position recorded by the count identifier;
when the main TAA process finds that the traffic is below the preset rate threshold and the numbers of traffic files in the queues of the sub TAA processes are uneven, evenly redistributing part of the traffic files of the sub TAA processes with more traffic files to the sub TAA processes with fewer traffic files to balance the load.
2. A multi-process cooperative network traffic parsing device, used for a main traffic auditing engine process (main TAA process), characterized by comprising: a first creation module for creating a specified number of sub TAA processes for processing network traffic; a link setting module for setting an inter-process communication link between each sub TAA process and the main TAA process, where each sub TAA process shares a global structure with the main TAA process, the members of the global structure comprising a queue storing the traffic files distributed to that sub TAA process and a count identifier, and for each traffic file the count identifier being incremented by one each time a message of that traffic file is parsed; a file distribution module for distributing the traffic files saved by the acquisition process to the sub TAA processes in sequence, and for each sub TAA process, inserting the distributed traffic files in sequence into the queue of traffic files of that sub TAA process, and giving the position of the queue's starting file as the position from which the sub TAA process starts reading traffic files; after a sub TAA process has parsed a traffic file, removing that traffic file from the queue of the sub TAA process and at the same time resetting the count identifier to zero; wherein creating the specified number of sub TAA processes for processing network traffic comprises: if the number of sub TAA processes is not specified, automatically detecting the number of system CPU cores and taking that number as the specified number;
a running-state monitoring module for monitoring the running state of the sub TAA processes at all times; when a sub TAA process crashes, either handing the remaining unparsed traffic files in the queue of the crashed sub TAA process over to other sub TAA processes in sequence and continuing to parse messages from the position recorded by the count identifier, or restarting a new sub TAA process, handing the remaining unparsed traffic files in the queue of the crashed sub TAA process over to the restarted sub TAA process, and continuing to parse messages from the position recorded by the count identifier; a load balancing module for evenly redistributing part of the traffic files of the sub TAA processes with more traffic files to the sub TAA processes with fewer traffic files to balance the load when the traffic is below a preset rate threshold and the numbers of traffic files in the queues of the sub TAA processes are uneven;
a second creation module for creating a traffic acquisition process; the traffic acquisition process being used to cache all the acquired messages and write them into a traffic file in batch when the traffic acquisition rate is detected to be greater than or equal to the preset rate threshold; and the traffic acquisition process being further used to write the acquired messages into a traffic file in real time when the traffic acquisition rate is detected to be smaller than the preset rate threshold.
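The scheme the two claims describe, as an added in-memory model that is not code from the patent: each sub TAA process has a queue of traffic files plus a count identifier, the main TAA process distributes files round-robin, a crashed sub's head file resumes from the count position in whichever sub takes it over (surviving subs, or a restarted one), and queues are levelled only when the rate is below the threshold. The class names (TrafficFile, SubTaa, MainTaa), the deque standing in for the shared global structure, and the message budget passed to parse are assumptions; real processes and the IPC link are not modelled.

```python
import os
from collections import deque
from dataclasses import dataclass, field

@dataclass
class TrafficFile:   # assumed stand-in for a saved traffic file
    name: str
    n_msgs: int      # messages in the file
    offset: int = 0  # messages parsed before a handover (resume position)

@dataclass
class SubTaa:        # the per-sub-process part of the shared global structure
    pid: int
    queue: deque = field(default_factory=deque)  # traffic files assigned to this sub
    count: int = 0   # count identifier: messages parsed so far in the head file

class MainTaa:
    def __init__(self, n_sub=None):
        n = n_sub or os.cpu_count() or 1  # unspecified: use the CPU core count
        self.subs, self._rr = [SubTaa(i) for i in range(n)], 0
    def distribute(self, files):  # round-robin append at each sub's queue tail
        for f in files:
            self.subs[self._rr % len(self.subs)].queue.append(f)
            self._rr += 1
    def parse(self, sub, budget):  # sub parses up to `budget` messages of its head file
        for parsed in range(budget):
            if not sub.queue: return parsed
            head = sub.queue[0]
            sub.count += 1  # one more message of the head file parsed
            if head.offset + sub.count >= head.n_msgs:
                sub.queue.popleft(); sub.count = 0  # file done: drop it, reset counter
        return budget
    def on_crash(self, pid, restart=False):  # assumes at least one sub survives
        idx = next(i for i, s in enumerate(self.subs) if s.pid == pid)
        dead = self.subs.pop(idx)
        if dead.queue:  # carry the resume position along with the head file
            dead.queue[0].offset += dead.count
        if restart:  # a fresh sub takes over the crashed sub's whole queue
            self.subs.insert(idx, SubTaa(pid, dead.queue))
        else:  # otherwise hand the unparsed files to the surviving subs in turn
            for i, f in enumerate(dead.queue):
                self.subs[i % len(self.subs)].queue.append(f)
    def rebalance(self, rate, threshold):  # below the threshold, level uneven queues
        moved = 0
        while rate < threshold:
            hi = max(self.subs, key=lambda s: len(s.queue))
            lo = min(self.subs, key=lambda s: len(s.queue))
            if len(hi.queue) - len(lo.queue) <= 1: break
            lo.queue.append(hi.queue.pop()); moved += 1
        return moved
```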
CN201911089657.9A 2019-11-08 2019-11-08 Multi-process cooperative network traffic analysis method and device Active CN110908798B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911089657.9A CN110908798B (en) 2019-11-08 2019-11-08 Multi-process cooperative network traffic analysis method and device

Publications (2)

Publication Number Publication Date
CN110908798A CN110908798A (en) 2020-03-24
CN110908798B true CN110908798B (en) 2022-11-25

Family

ID=69817137

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911089657.9A Active CN110908798B (en) 2019-11-08 2019-11-08 Multi-process cooperative network traffic analysis method and device

Country Status (1)

Country Link
CN (1) CN110908798B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111694783B (en) * 2020-06-11 2021-06-25 福建宏创科技信息有限公司 Parallel data analysis method and device applied to DPI equipment

Citations (2)

Publication number Priority date Publication date Assignee Title
CN1578272A (en) * 2003-07-11 2005-02-09 株式会社日立制作所 Packet forwarding device equipped with statistics collection device and statistics collection method
CN109936551A (en) * 2017-12-19 2019-06-25 中国电信股份有限公司 Domain name system attack defence method, defence device and controller

Family Cites Families (17)

Publication number Priority date Publication date Assignee Title
CN1536497A (en) * 2003-04-04 2004-10-13 上海广电应确信有限公司 Firewall for implementing packet filtering and its method for implementing packet filtering
JP6015342B2 (en) * 2012-10-24 2016-10-26 富士通株式会社 Information processing method, program, information processing apparatus, and information processing system
CN103281213B (en) * 2013-04-18 2016-04-06 西安交通大学 A network traffic content extraction and analysis search method
JP6421753B2 (en) * 2013-08-22 2018-11-14 日本電気株式会社 System, service platform, application server, and method
CN104821924B (en) * 2014-01-30 2018-11-27 西门子公司 A network data packet processing method, device and network processing device
JP2015176401A (en) * 2014-03-17 2015-10-05 株式会社リコー information processing system, information processing method, and program
CN104978321B (en) * 2014-04-02 2018-12-04 阿里巴巴集团控股有限公司 Method and apparatus for constructing a data queue, and method for inserting objects into it and consuming objects from it
CN104158757B (en) * 2014-08-21 2017-07-07 福建星海通信科技有限公司 A GPS data warehousing processing method and system
CN104503909A (en) * 2014-12-18 2015-04-08 浪潮(北京)电子信息产业有限公司 Method and device for testing IO (input/output) performance of magnetic disk
CN104468629B (en) * 2014-12-30 2018-10-09 北京奇虎科技有限公司 A method and apparatus for batch sending of messages
US10853277B2 (en) * 2015-06-24 2020-12-01 Intel Corporation Systems and methods for isolating input/output computing resources
CN105138410A (en) * 2015-08-31 2015-12-09 北京锐安科技有限公司 Message queue achievement method and device based on disk buffer
CN105549952A (en) * 2015-12-03 2016-05-04 上海高性能集成电路设计中心 Two-stage buffer issue regulation and control device based on scoreboard principle
CN108306832B (en) * 2018-01-29 2021-07-27 北京启明星辰信息安全技术有限公司 Network traffic shunting method and device
CN108809748A (en) * 2018-03-26 2018-11-13 北京天融信网络安全技术有限公司 Network audit collecting method and related device, equipment and storage medium
CN110222503A (en) * 2019-04-26 2019-09-10 西安交大捷普网络科技有限公司 Database audit method, system and equipment under high traffic load
CN110417675B (en) * 2019-07-29 2020-12-01 广州竞远安全技术股份有限公司 Network traffic shunting method, device and system for a high-performance probe under SoC (System on Chip)

Non-Patent Citations (2)

Title
Dynamic Feature Analysis and Measurement for Large-Scale Network Traffic Monitoring; Xiaohong Guan et al.; IEEE Transactions on Information Forensics and Security; 2010-08-12; pp. 905-919 *
Research and Implementation of a High-Performance Network Server Framework; 郭庆涛 et al.; 《计算机工程》 (Computer Engineering); 2013-12-15; pp. 70-74 *

Also Published As

Publication number Publication date
CN110908798A (en) 2020-03-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant