CN112769785B - Network integrated depth detection device and method based on rack switch equipment - Google Patents
- Publication number: CN112769785B (application CN202011604231.5A)
- Authority: CN (China)
- Prior art keywords: service, detection, forwarding, data, service data
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
          - H04L63/0227—Filtering policies
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
          - H04L63/101—Access control lists [ACL]
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention discloses a network integrated depth detection device and method based on rack switch equipment. It replaces the conventional overlay deployment, in which dedicated data security detection equipment is placed at key points of the network and all service traffic is handed to it for inspection (an inefficient arrangement), with a new design in which security protection is embedded in the network communication equipment itself. Security detection and data forwarding requirements are considered together: the security protection module and the data switching equipment are designed as one unit, the protection system is built into the device, the high-speed backplane channels of the existing rack equipment are reused, and a high-performance multi-core parallel deep detection engine is carried, so that data packets receive fast deep security detection and forwarding.
Description
Technical Field
The invention relates to the technical field of network protection, in particular to a network integrated depth detection device and method based on rack switch equipment.
Background
As communication networks keep growing, intrusions against networks and computer systems are steadily increasing. Security monitoring and early warning are an important part of network protection: if a threat is discovered promptly and an alarm raised in advance, the damage it causes can be reduced substantially and it may even be stopped at its earliest stage, so cyberspace security early warning has attracted wide attention. Traditional switch equipment, including rack-mounted switches, mostly protects network traffic with conventional operation and maintenance means such as SNMP, CLI, SYSLOG and third-party packet capture tools; switches with somewhat richer features inspect traffic by filtering and screening packets on fixed L2-L4 fields. With the growing diversity, complexity and variability of communication patterns, these traditional security filtering techniques have struggled in some complex, high-end networks, which poses a greater challenge to securing the network further, and specialised security detection and filtering devices have emerged. In the usual network architecture, such a device is deployed in overlay fashion at a key point of the network and performs finer and deeper analysis and filtering of the data, so as to secure the network in a complex environment.
With the existing technical scheme, traditional operation and maintenance means such as SNMP, CLI, SYSLOG and third-party packet capture analysis cannot track network state in real time: the network state is not collected quickly and traffic is not optimised promptly for the corresponding scenario. This is a passive network protection mode that cannot respond quickly to network intrusions and attacks.
Moreover, the ACL access control policy that filters and screens packets on fixed L2-L4 fields offers a single, relatively coarse-grained form of protection; it cannot resist new network threats and cannot meet the demands for fine-grained, intelligent detection in some complex network environments.
Although a separate protection system can be added to the general network architecture to filter and detect data independently and in depth, under the traditional architecture the switching equipment and the security detection and filtering equipment are separate, overlaid devices: security policy configuration and traffic switching and scheduling are independent of each other and cannot be linked effectively, all network traffic has to be delivered to the security detection and filtering equipment for aggregation and analysis, and performance and effectiveness cannot be guaranteed, which hinders any improvement in dynamic defense efficiency.
Disclosure of Invention
To address these shortcomings of the prior art, the invention provides a network integrated depth detection device and method based on rack switch equipment.
In order to achieve the aim of the invention, the invention adopts the following technical scheme:
In a first aspect, the invention provides a network integrated depth detection device based on rack switch equipment, comprising a main control board, a switch board, a data service board, a security protection board and a backplane interconnecting these four boards for data communication;
the main control board runs all control-plane protocols and issues control instructions to the other boards;
the switch board schedules and forwards service data and security monitoring data between the data service board and the security protection board;
the data service board switches service data and performs first-level security screening, detection, filtering and forwarding on it;
the security protection board performs deep detection and security protection on the service data.
Further, the switch board uses a switching unit to forward service data. The switching unit contains a switch matrix module; it forwards service data packets to the security protection board when second-level defense detection is required, and otherwise parses the packet header, looks up the corresponding routing table entry and distributes the packet to the corresponding data service board for cross-board forwarding.
Further, the data service board uses a service forwarding unit that obtains the external user service data received by the line card, performs first-level defense detection on it and forwards the data that passes to the switching unit of the switch board; at the same time it receives service data packets forwarded by the switching unit, looks up the corresponding forwarding table entry and sends each packet out of the corresponding physical port.
Further, the service forwarding unit encapsulates, in hardware, the service data packets to be forwarded into the packet format recognised by the switching unit for exchange, and performs coarse-grained traffic cleaning and forwarding on the service data.
Further, the first switching chip of the service forwarding unit performs traffic cleaning on the L2-L4 fields, comprising active attack defense, security access control and depth-detection pre-judgment;
the active attack defense counts the data streams of each suspected-attack message type during a configured statistics period and compares the count with a configured threshold when the period ends; if the threshold is exceeded, the type is judged to be an attack message and service data packets of that type are discarded during the following interval period; otherwise the type is judged safe and the packets are forwarded to the switching unit for table lookup and forwarding;
the security access control filters message streams against configurable KEY values to enforce ACL access control;
the depth-detection pre-judgment screens data flows in advance against a configured security policy filtering list and sends the selected data directly to the security protection board for protection detection.
Further, the security protection board uses a security protection unit to perform second-level defense detection; the security protection unit comprises several groups of processing chips and one group of second switching chips;
the processing chips perform deep protection detection of the various service data packets in parallel;
the second switching chip encapsulates and decapsulates, in hardware, the service data packets exchanged between the processing chips and the switching unit into the packet formats each side recognises.
Further, the security protection unit contains a deep packet inspection module that uses behaviour analysis, legitimate traffic identification, signature identification and filtering, abnormal traffic baseline learning, dynamic fingerprint identification and reverse detection to perform deep security detection on attack messages in any L2-L7 field: illegal intrusions, malformed packet attacks, scanning and snooping attacks, and flooding or volumetric attacks.
In a second aspect, the invention further provides a method for applying the depth detection device, comprising the following steps:
S1, obtain the external user service data received by the corresponding line card using the service forwarding unit of the data service board;
S2, parse the data packet using the service forwarding unit, perform first-level defense detection by querying the local access control list, and forward the data that passes to the switching unit of the switch board;
S3, forward the service data packet according to the user configuration using the switching unit: if second-level defense detection is required, forward the packet to the security protection board and proceed to step S4; otherwise parse the packet header, look up the corresponding routing table entry, distribute the packet to the corresponding service forwarding unit and proceed to step S6;
S4, receive the packet forwarded by the switching unit using the security protection unit of the security protection board, perform second-level defense detection on it, and forward the data that passes back to the switching unit of the switch board;
S5, receive the packet forwarded by the security protection unit using the switching unit and forward it to the service forwarding unit;
S6, receive the packet forwarded by the switching unit using the service forwarding unit, look up the corresponding forwarding table entry, and send the packet out of the corresponding physical port.
The invention has the following beneficial effects:
(1) Unlike the passive protection mode of traditional network operation and maintenance means, the invention adopts an optimised active detection mode and can respond to network intrusions and attacks quickly and promptly;
(2) The invention integrates a security protection module into the traditional rack switch architecture; the endogenous security protection system uses an architecture of one-pass parsing and multi-service parallel processing, achieving fast, deep and fine-grained security inspection and forwarding of core network packets and deep detection of service packets from L2 to L7;
(3) Optimising the traditional network architecture, the invention replaces the inefficient practice of detecting and processing network services on security detection equipment deployed as an overlay at a key point of the network with a new design that integrates security protection into the network communication equipment. It considers security detection and data forwarding requirements together, designs the security protection module and the data switching equipment as one unit, couples the endogenous security protection system to the high-speed backplane channels of the existing rack equipment, and carries a high-performance multi-core parallel deep detection engine, so that data packets receive fast deep security detection and forwarding.
Drawings
FIG. 1 is a schematic diagram of a network integrated depth detection device based on a rack switch device according to the present invention;
FIG. 2 is a schematic diagram of the data interaction of a network integrated depth detection device based on a rack switch device according to the present invention;
FIG. 3 is a diagram illustrating message statistics according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of a network integrated depth detection method based on a rack switch device according to the present invention;
FIG. 5 is a diagram of a conventional defense detection process according to an embodiment of the present invention;
FIG. 6 is a diagram of the defense detection process in an embodiment of the invention.
Detailed Description
The following description of the embodiments is provided to help those skilled in the art understand the present invention, but it should be understood that the invention is not limited to the scope of these embodiments, and all inventions that make use of the inventive concept fall within the spirit and scope of the invention as defined in the appended claims.
Example 1
As shown in FIG. 1, an embodiment of the present invention provides a network integrated depth detection device based on a rack switch device, comprising a main control board, a switch board, a data service board, a security protection board, and a backplane interconnecting the main control board, the switch board, the data service board and the security protection board.
The main control board is the central nervous system of the rack-mounted equipment and is responsible for managing the whole system and issuing instructions; it runs all control-plane protocols and issues control instructions to the other boards.
The switch board is responsible for scheduling and forwarding the service data and security monitoring data of the whole system and is the hub that guarantees data communication between the interconnected data service board and security protection board; it schedules and forwards service data and security monitoring data between the data service board and the security protection board.
The data service board is responsible for the first-level screening, reception and transmission of the user data flowing through the system; it switches service data and at the same time performs first-level security screening, detection, filtering and forwarding on it.
The security protection board applies deep packet inspection and is responsible for deep analysis, fine-grained access control and intelligent defense of the service data of the whole system; it performs deep detection and security protection on the service data.
The backplane provides the communication channels connecting the main control board, the switch board, the data service board and the security protection board.
The invention adopts a distributed architecture that integrates rack-type switching equipment with security protection equipment. Using an architecture of one-pass parsing and multi-service parallel processing, the endogenous security protection system achieves fast, deep and fine-grained security inspection and forwarding of core network packets. Specifically, within the existing rack switch architecture the function of the service line card is upgraded, and an embedded security protection unit is dedicated to deep security protection of a fine-grained network, so that the traditional equipment and the security protection equipment act in unison and deep, fine-grained protection is carried out.
Under the traditional network architecture, dedicated data security detection and filtering equipment is deployed at a key point of the network as a physical overlay, and the data are analysed and filtered there. Deployment and later maintenance costs are relatively high. Security policy configuration and traffic switching and scheduling are independent of each other and cannot be linked effectively. Moreover, the communication equipment across the whole network often shares one security detection and filtering device, so traffic has to be diverted to a remote device for security checking. On the one hand this complicates the network topology; on the other, many devices sharing one filtering device means performance and effectiveness cannot be guaranteed, data processing capacity falls sharply, and forwarding efficiency suffers.
The invention relies on the design concept of embedding integrated security protection in the network equipment: it takes into account the architectural requirements of both security protection and data switching, designs the two as one integrated whole, and generates the security protection system inside the device. In this way various security monitoring modules are combined with the network equipment to face the diversifying trend of network intrusions and attacks, and the strengths of each piece of equipment are exploited fully to detect attacks in real time and efficiently. At the same time, to raise the processing performance of the embedded security protection module, the module uses techniques such as parallel deep detection on high-performance multi-core engines: several security engines are stacked in parallel within the framework, and each security engine uses DPDK (Data Plane Development Kit) parallel processing, so that the parallel processing capability of the multi-core processor is exploited fully and packets receive fast deep security inspection and forwarding.
Optimising the traditional network architecture, the invention replaces the inefficient practice of detecting and processing network services on security detection and filtering equipment deployed as an overlay at a key point of the network with a new design that integrates security protection into the network communication equipment; the security protection module and the data switching equipment are designed as one unit, coupled to the high-speed backplane channels of the existing rack equipment, and a high-performance multi-core parallel deep detection engine is carried, so that data packets receive fast deep security detection and forwarding.
In this embodiment, as shown in FIG. 2, the main control board uses a main control unit to control the whole system and issue instructions to it. The main control unit is the control plane of the whole system; all control-plane protocols run in it, so that the control plane is managed centrally.
In this embodiment, as shown in FIG. 2, the switch board uses a switching unit that receives cross-board service data packets from each line card and forwards service data. The switching unit embeds a switch matrix module; it forwards the service data packet to the security protection board when second-level defense detection is required, and otherwise parses the packet header, looks up the corresponding routing table entry and distributes the packet to the corresponding data service board for cross-board forwarding.
In this embodiment, as shown in FIG. 2, the data service board uses a service forwarding unit that obtains the external user service data received by the line card, performs first-level defense detection on it and forwards the data that passes to the switching unit of the switch board; at the same time it receives service data packets forwarded by the switching unit, looks up the local forwarding table entry and sends each packet out of the corresponding physical port.
The service forwarding unit comprises a first switching chip, which encapsulates, in hardware, the service data packets to be forwarded into the packet format recognised by the switching unit for data exchange, and performs coarse-grained traffic cleaning and forwarding on the service data.
The service forwarding unit cleans traffic on the L2-L4 fields; this comprises active attack defense, security access control and depth-detection pre-judgment, as follows.
The active attack defense counts the data streams of each suspected-attack message type during a configured statistics period and compares the count with a configured threshold when the period ends; if the threshold is exceeded, the type is judged to be an attack message and service data packets of that type are discarded during the following interval period; otherwise the type is judged safe and the packets are forwarded to the switching unit for table lookup and forwarding.
Unlike the passive protection mode of traditional network operation and maintenance means, the invention adopts an optimised active detection mode and can respond to network intrusions and attacks quickly and promptly.
As shown in FIG. 3, the invention divides the time axis into an interval period and a statistics period. A counter and a threshold are set for each suspected-attack message type. The number of messages of a given suspected type is counted during the statistics period; when the statistics period ends the count is compared with the configured threshold, and if it exceeds the threshold the type is treated as an attack message and messages of that type are discarded during the interval period. Otherwise they are not discarded. The next statistics period and interval period repeat these actions.
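The statistics/interval cycle described above, written out as an added example (not code from the patent or its assignee). It assumes that messages arriving during the statistics period are forwarded while being counted, that "exceeds" means strictly greater than the threshold, and that the threshold comparison is made at the first event after the statistics period ends; the trace, thresholds and period lengths are constructed.

```python
from dataclasses import dataclass


@dataclass
class TypeState:
    threshold: int          # counts strictly above this mark the type as an attack
    count: int = 0          # messages of this type seen in the current statistics period
    blocked: bool = False   # discard this type for the rest of the current interval period


class ActiveAttackDefense:
    """Per-type threshold detector over alternating statistics / interval periods.

    The time axis is a repeating cycle [statistics period][interval period]. During
    the statistics period each suspected-attack type is counted (and, as assumed here,
    still forwarded). When the statistics period ends, each count is compared with the
    type's threshold; types over threshold are discarded for the whole interval period,
    the others keep flowing. The next cycle starts again from zero.
    """

    def __init__(self, stats_period, interval_period, thresholds):
        self.stats_period = float(stats_period)
        self.interval_period = float(interval_period)
        self.types = {name: TypeState(th) for name, th in thresholds.items()}
        self.cycle_start = 0.0
        self.evaluated = False   # threshold comparison already done for this cycle
        self.last_seen = 0.0

    def _start_new_cycle(self):
        for state in self.types.values():
            state.count = 0
            state.blocked = False
        self.evaluated = False

    def _end_of_statistics(self):
        for state in self.types.values():
            state.blocked = state.count > state.threshold
        self.evaluated = True

    def _phase(self, now):
        """Advance the clock to `now` and return 'stats' or 'interval'."""
        if now < self.last_seen:
            raise ValueError("timestamps must be non-decreasing")
        self.last_seen = now
        cycle = self.stats_period + self.interval_period
        while now >= self.cycle_start + cycle:     # roll over any completed cycles
            self.cycle_start += cycle
            self._start_new_cycle()
        if now - self.cycle_start < self.stats_period:
            return "stats"
        if not self.evaluated:                     # first event after the statistics period
            self._end_of_statistics()
        return "interval"

    def handle(self, now, msg_type):
        """Return 'forward' or 'discard' for one message of `msg_type` arriving at `now`."""
        phase = self._phase(now)
        state = self.types.get(msg_type)
        if state is None:                          # not a suspected-attack type: no counter kept
            return "forward"
        if phase == "stats":
            state.count += 1
            return "forward"
        return "discard" if state.blocked else "forward"

    def blocked_types(self):
        return sorted(name for name, state in self.types.items() if state.blocked)


# Constructed sample trace: (timestamp in seconds, suspected message type).
SAMPLE_EVENTS = [
    (0.1, "syn"), (0.2, "syn"), (0.3, "syn"), (0.4, "syn"),   # 4 SYN in statistics period 0
    (1.2, "syn"),                                             # interval period 0: SYN over threshold
    (1.5, "icmp"), (1.5, "http"),                             # icmp under threshold; http untracked
    (1.9, "syn"),                                             # still interval period 0
    (2.1, "syn"), (2.5, "syn"), (2.6, "syn"),                 # statistics period 1: exactly 3 SYN
    (3.2, "syn"),                                             # interval period 1: 3 is not > 3
    (4.05, "syn"),                                            # statistics period 2
]


def simulate(events=SAMPLE_EVENTS, stats_period=1.0, interval_period=1.0, thresholds=None):
    """Run the detector over a trace and return one verdict per event."""
    thresholds = thresholds if thresholds is not None else {"syn": 3, "icmp": 10}
    defense = ActiveAttackDefense(stats_period, interval_period, thresholds)
    return [defense.handle(t, m) for t, m in events]


if __name__ == "__main__":
    for (t, m), verdict in zip(SAMPLE_EVENTS, simulate()):
        print(f"{t:5.2f} {m:5} -> {verdict}")
```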
The security access control filters the message flow against configurable KEY values to enforce ACL access control and executes the corresponding ACTION; it is mainly applied to policy routing, with the following applications:
1) discarding messages that pose a potential threat to network security;
2) routing L3 messages;
3) forwarding control messages, such as OAM messages, to the CPU;
4) assigning a new priority, VLAN ID or VRF to a selected message flow;
5) counting or metering a given message flow across multiple ports;
6) redirecting a message flow to a new egress port or port group;
7) redirecting a message stream by modifying its egress or mirroring it.
The depth-detection pre-judgment integrates a security policy filtering list into the service forwarding module; the list comprises a trusted list and a suspicious list, and the user configures the suspicious list according to the needs of the actual environment. When service traffic passes through the device, the traffic is screened; if suspicious service data is found it is sent to the security protection unit for deep detection and analysis.
In this embodiment, as shown in FIG. 2, the security protection board uses a security protection unit to perform second-level defense detection; the security protection unit comprises several groups of processing chips and one group of second switching chips, as follows.
The processing chips perform deep protection detection of the various service data packets in parallel; each group of CPUs is connected to several high-speed communication channels, so that the concurrent service data flows do not congest one another at peak times and service forwarding performance is improved.
The second switching chip encapsulates and decapsulates, in hardware, the service data packets exchanged between the processing chips and the switching unit into the packet formats each side recognises, completing the efficient transfer of packets.
The security protection unit contains a deep packet inspection module that uses techniques such as behaviour analysis, legitimate traffic identification, signature identification and filtering, abnormal traffic baseline learning, dynamic fingerprint identification and reverse detection. It detects illegal intrusions (such as web attacks, virus intrusions and masquerading), malformed packet attacks (such as WinNuke and Teardrop), scanning and snooping attacks (such as host scanning, port scanning and route option probing), and flooding or volumetric attacks (such as the various Flood attacks and CC attacks), covering intrusion and attack protection across the whole L2-L7 range and so achieving fine-grained deep security detection of network traffic.
The invention integrates the security protection module into the traditional rack switch architecture and, with an architecture of one-pass parsing and multi-service parallel processing and an endogenous security protection system, achieves fast, deep and fine-grained security inspection and forwarding of core network packets and deep detection of service packets from L2 to L7.
Although the access control policy used by traditional service traffic filtering and detection can meet most general requirements, it identifies messages mainly by traditional IP packet inspection: the inspected fields are relatively fixed and the detection depth is limited, so an attacker can easily exploit these limitations to disguise traffic as legitimate messages and deceive the communication, stealing important user information.
The technology of the invention uses an intelligent analysis method built on deep packet inspection to perform application recognition. With deep packet inspection at its core, it combines message-content (application fingerprint) recognition and behavioural characteristics to recognise and intelligently classify the applications in the network automatically, using several recognition techniques based on protocol identification, content identification and behaviour identification. The detection process uses an architecture of one-pass parsing and multi-service parallel processing: the core application parsing and feature matching are handled at high speed by a hardware acceleration module, each security service tracks the processing result in parallel and updates its state, and when all the conditions of a threat signature are met the response action is triggered immediately according to the security policy; when they are not met the tracking state is adjusted automatically, so that traffic found to be safe is forwarded at high speed. By applying this high-performance deep packet inspection protection, with signature identification covering L2-L7, through the first-level security protection of the service module and the second-level security protection of the security protection module, the strength and granularity of security protection in the communication network are greatly enhanced and the communication network environment becomes highly robust, stable and reliable.
Example 2
Based on the network integrated depth detection device described in embodiment 1, the embodiment of the invention also provides a network integrated depth detection method applying the device, as shown in fig. 4, comprising the following steps:
S1, acquiring the external user service data received by the corresponding line card using the service forwarding unit of the data service board;
S2, parsing the data message with the service forwarding unit, carrying out first-level defense detection by querying the local access control list, and forwarding the service data judged safe by the first-level detection to the switching unit of the switching board;
S3, forwarding the service data message with the switching unit according to the user configuration: if second-level defense detection is required, forwarding the message to the safety protection board and proceeding to step S4; if it is not required, looking up the corresponding routing table entry from the parsed message header, distributing the message to the corresponding service forwarding unit and proceeding to step S6;
S4, receiving the service data message forwarded by the switching unit using the safety protection unit of the safety protection board, carrying out second-level defense detection on it, and forwarding the service data judged safe by the second-level detection to the switching unit of the switching board;
S5, receiving the service data message forwarded by the safety protection unit using the switching unit, and forwarding it to the service forwarding unit;
S6, receiving the service data message forwarded by the switching unit using the service forwarding unit, looking up the corresponding forwarding table entry, and sending the message out of the corresponding physical port.
The technical effects of the network integrated depth detection device and method of the invention are compared and analyzed with the prior art.
Traditional network operation and maintenance means such as SNMP, CLI, SYSLOG and third-party packet capture tools usually begin analysis and deploy protective actions only after an attack or intrusion has already taken place, often after it has already achieved some of its goals, and the analysis itself consumes a great deal of time. As a result, network state cannot be tracked in real time or collected quickly, traffic cannot be optimized in time for the corresponding scenario, and a large amount of manpower and resources must be invested; security, fault handling and response timeliness cannot be guaranteed. The first-level and second-level protection techniques of the invention are both active defenses. Using real-time security detection triggered by the traffic state, the state and characteristics of service messages are actively matched to identify illegal messages, which greatly improves network security and protection efficiency: attacks and intrusions are detected promptly and efficiently, protective actions are taken immediately, and attacks, intrusions and viruses are blocked outside the network at the earliest moment.
As the graph in fig. 5 shows, a conventional defense starts detection at time t0 but cannot identify the attack until time t1; after some protective measure has been taken against it, the defense only takes effect and stabilizes at time t2. Because the attack is not defended against in time, the intrusion may already have achieved some of its goals during this interval. Moreover, because traditional defense relies on a single protective measure, it only reduces the probability of intrusion, lowering the volume of intrusion from P1 to P2, and cannot truly and completely isolate all attack behavior.
With the technology of the invention, as shown in the graph of fig. 6, the system's own security protection module detects attacks actively and intelligently, without depending on passive methods such as log review or third-party analysis tools. As soon as detection starts, an attack can be detected immediately and defended against from multiple angles and at multiple layers; detection and defense take effect essentially at once after defense detection starts at time t0, and most or even all intrusions and attacks are isolated, so that normal secure communication on the network is comprehensively protected.
Although the access control strategy technology adopted by the traditional service flow filtering and detecting technology can meet most general requirements, the access control strategy technology is mainly used for carrying out message identification based on the traditional IP data packet detecting technology, the detected message field is relatively fixed, the detection depth is limited, and an attacker can easily disguise as legal messages to carry out communication deception by utilizing the limitations of the traditional technology, so that important information of a user is stolen.
The invention adopts an intelligent analysis method based on a deep packet inspection technology to complete an application recognition function, mainly takes the deep packet inspection technology as a core, and combines the technologies based on message content (application fingerprint) recognition and behavior characteristics to realize automatic recognition and intelligent classification of the application in the network. The automatic identification and intelligent classification of the applications in the network are realized by adopting a plurality of identification technologies based on protocol identification, content + behavior identification and the like, as shown in table 1.
TABLE 1 comparison of conventional detection techniques and depth detection techniques
During detection, a framework of one-pass analysis with multi-service parallel processing is adopted: the core application analysis and feature matching is carried out at high speed by a hardware acceleration module, while each security service tracks the processing result in parallel and updates its own state. When all conditions of a threat feature are met, the response action is triggered immediately according to the security policy; when they are not, the tracking state is adjusted automatically, so that traffic that has passed detection is still forwarded at high speed. By applying this high-performance deep packet inspection protection, feature recognition covers L2-L7 through the first-stage protection of the service module and the second-stage protection of the security protection module, which greatly increases the strength and granularity of security protection in the communication network and makes the network environment robust, stable and reliable.
Under the traditional network architecture, dedicated security detection and filtering equipment is deployed at key positions in the network by physically adding it, and the data is analyzed and filtered by that equipment specifically. Deployment and later maintenance costs are therefore relatively high. Security policy configuration and network traffic switching and scheduling are independent of each other and cannot be effectively coordinated. Furthermore, the communication equipment of the whole network often shares one security detection and filtering device, so data traffic must be additionally diverted to a remote device for security checking. On the one hand this complicates the network topology; on the other hand, because many devices share one filtering device, performance and effectiveness cannot be guaranteed, data processing capacity is greatly reduced, and network forwarding efficiency suffers.
The invention is based on the design concept of embedding security protection into the network equipment. It considers the architectural requirements of both security protection and data switching, designs the two as an integrated whole, and builds the security protection system into the equipment itself, so that, in response to the diversifying trend of network intrusion and attack, the various security monitoring modules are combined with the network equipment and the advantages of each are fully exploited to detect attacks in real time and efficiently. At the same time, to improve the processing performance of the embedded security protection module, the module uses techniques such as parallel depth detection on high-performance multi-core engines: it is built from several security engines stacked in parallel, each of which uses DPDK (Data Plane Development Kit) parallel processing, so that the parallel processing capability of the multi-core processor is fully exploited and fast deep security inspection and forwarding of data packets are achieved. Specific examples are shown in Table 2:
table 2 comparison of traditional protection architecture and Integrated core network device architecture
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principles and embodiments of the present invention have been described in detail with reference to specific examples, which are provided to facilitate understanding of the method and core ideas of the present invention; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present invention, the present description should not be construed as limiting the present invention in view of the above.
Those of ordinary skill in the art will recognize that the embodiments described herein are for the purpose of aiding the reader in understanding the principles of the present invention and should be understood that the scope of the invention is not limited to such specific statements and embodiments. Those of ordinary skill in the art can make various other specific modifications and combinations from the teachings of the present disclosure without departing from the spirit thereof, and such modifications and combinations remain within the scope of the present disclosure.
Claims (5)
1. The network integrated depth detection device based on the rack switch equipment is characterized by comprising a main control board, a switch board, a data service board, a safety protection board and a backboard for interconnecting the data communication among the main control board, the switch board, the data service board and the safety protection board;
the main control board is used for running all control plane protocols and issuing control instructions to other boards;
the exchange board is used for dispatching and forwarding the service data and the safety monitoring data between the data service board and the safety protection board;
the data service board is used for exchanging service data and carrying out primary security screening, detection, filtering and forwarding on the service data;
the data service board specifically adopts a service forwarding unit to acquire external user service data received by a line card, performs primary defense detection on the service data, forwards the detected safety data to a switching unit of the switching board, and simultaneously receives a service data message forwarded by the switching unit and forwards the service data message from a corresponding physical port by searching a corresponding forwarding table item;
the service forwarding unit is used for hardware packaging the service data message to be forwarded into a message format identified by the switching unit for data exchange, and performing coarse-grained flow cleaning and forwarding on the service data;
the service forwarding unit specifically performs flow cleaning on the L2-L4 layer field, including active attack defense, security access control and depth detection pre-judgment;
the active attack defense specifically counts the number of the data streams of the suspected attack message in a set counting period, and compares the counted data streams with a set threshold value when the counting period is over; if the set threshold value is exceeded, judging that the attack message is generated, and discarding the service data message of the type in an interval period; otherwise, judging the message as a safety message, and forwarding the service data message to the exchange unit for corresponding table lookup forwarding;
the security access control specifically comprises the steps of filtering a message stream according to a configurable KEY value to perform ACL control access;
the depth detection pre-judgment specifically comprises the steps of pre-judging and screening the data flow in a pre-stage manner according to a configured security policy filtering list, and sending the data directly to the safety protection board for protection detection;
the safety protection board is used for carrying out deep detection and security protection on the service data.
2. The network integrated depth detection device based on rack switch equipment according to claim 1, wherein the switch board specifically adopts a switching unit to forward service data, a switch matrix module is built into the switching unit, service data messages are forwarded to the safety protection board when secondary defense detection is needed, and when secondary defense detection is not needed the corresponding routing table entry is looked up from the parsed message header of the service data message and the service data is distributed to the corresponding data service board for cross-board forwarding.
3. The network integrated depth detection device based on the rack switch equipment according to claim 1, wherein the safety protection board specifically adopts a safety protection unit to perform secondary defense detection, and the safety protection unit comprises a plurality of groups of processing chips and a group of second switching chips;
the processing chip is used for parallel processing of deep protection detection of various service data messages;
the second switching chip is used for hardware packaging and decapsulating the service data message which needs to be forwarded between the processing chip and the switching unit into a message format recognized by the processing chip and the switching unit.
4. The network integrated depth detection device based on rack switch equipment according to claim 3, wherein the security protection unit is provided with a built-in depth packet detection module, and adopts a behavior analysis, legal traffic identification, feature identification and filtration, abnormal traffic baseline learning, dynamic fingerprint identification and reverse detection method to carry out depth security detection on attack messages of all fields of L2-L7 layers of illegal invasion, malformed message attack, scanning snoop attack, flooding or traffic attack.
5. A method of using the depth detection apparatus of any one of claims 1 to 4, comprising the steps of:
S1, acquiring the external user service data received by the corresponding line card using the service forwarding unit of the data service board;
S2, parsing the data message with the service forwarding unit, carrying out first-level defense detection by querying the local access control list, and forwarding the service data judged safe by the first-level detection to the switching unit of the switching board;
S3, forwarding the service data message with the switching unit according to the user configuration: if second-level defense detection is required, forwarding the message to the safety protection board and proceeding to step S4; if it is not required, looking up the corresponding routing table entry from the parsed message header, distributing the message to the corresponding service forwarding unit and proceeding to step S6;
S4, receiving the service data message forwarded by the switching unit using the safety protection unit of the safety protection board, carrying out second-level defense detection on it, and forwarding the service data judged safe by the second-level detection to the switching unit of the switching board;
S5, receiving the service data message forwarded by the safety protection unit using the switching unit, and forwarding it to the service forwarding unit;
S6, receiving the service data message forwarded by the switching unit using the service forwarding unit, looking up the corresponding forwarding table entry, and sending the message out of the corresponding physical port.
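The six-step method of claim 5 and the counting-window active attack defense of claim 1, as an added Python simulation that is not the patent's code: the board and unit names follow the page, while the ACL entries, threshold, period lengths, application fingerprints, feature signature and addresses are constructed assumptions.

```python
# Constructed simulation of S1-S6 plus the counting-window "active attack defense"
# of claim 1; not the patent's code, and every value below is made up.
from collections import Counter
from dataclasses import dataclass

@dataclass
class Packet:
    dst: str
    dport: int
    kind: str = "data"          # message type counted by the first level
    suspect: bool = False       # true for a suspected attack message type
    payload: bytes = b""

class ServiceForwardingUnit:
    """Data service board: L2-L4 first-level defense (S2) and egress (S6)."""
    def __init__(self, acl_deny, threshold, period, interval, fwd_table):
        self.acl_deny = acl_deny      # destination ports denied by the local ACL
        self.threshold = threshold    # suspected streams tolerated per period
        self.period = period          # counting period length (ticks)
        self.interval = interval      # discard interval after a detection (ticks)
        self.fwd_table = fwd_table    # dst -> physical port
        self.counts, self.blocked_until, self.period_start = Counter(), {}, 0

    def first_level(self, pkt, now):
        """S2: ACL lookup, then the counting-window active attack defense."""
        if pkt.dport in self.acl_deny or now < self.blocked_until.get(pkt.kind, -1):
            return "drop"             # denied by ACL, or type still in its discard interval
        if pkt.suspect:
            self.counts[pkt.kind] += 1
        if now - self.period_start >= self.period:   # period over: compare with threshold
            self.blocked_until.update({k: now + self.interval
                                       for k, n in self.counts.items() if n > self.threshold})
            self.counts, self.period_start = Counter(), now
        return "pass"

    def egress(self, pkt):            # S6: forwarding-table lookup
        return self.fwd_table.get(pkt.dst, "drop")

class SecurityProtectionUnit:
    """Safety protection board, second-level DPI defense (S4): recognise the application
    by payload fingerprint, check it against the port and match feature signatures."""
    FINGERPRINTS = {b"GET ": "http", b"POST ": "http", b"SSH-": "ssh"}

    def __init__(self, port_apps, signatures):
        self.port_apps, self.signatures = port_apps, signatures   # both constructed

    def second_level(self, pkt):
        app = next((a for p, a in self.FINGERPRINTS.items()
                    if pkt.payload.startswith(p)), "unknown")
        expected = self.port_apps.get(pkt.dport)
        if expected and app != expected:
            return "drop"             # disguised or unknown application on the port
        if any(sig in pkt.payload for sig in self.signatures):
            return "drop"             # all conditions of a threat feature are met
        return "pass"

class SwitchingUnit:
    """Switch board (S3, S5): routes messages between the boards."""
    def __init__(self, dpi_ports, security, service_units):
        self.dpi_ports = dpi_ports    # user config: dports that need the second level
        self.security, self.service_units = security, service_units

    def forward(self, pkt):
        """S3/S5: via the safety protection board if configured, then to the unit."""
        if pkt.dport in self.dpi_ports and self.security.second_level(pkt) == "drop":
            return "drop"
        unit = self.service_units.get(pkt.dst)
        return unit.egress(pkt) if unit else "drop"

def process(ingress, switch, pkt, now):   # full S1-S6 path: 'drop' or egress port
    return "drop" if ingress.first_level(pkt, now) == "drop" else switch.forward(pkt)

def run_scenario():
    """Constructed traffic: ACL denies 23, 3 suspected SYN streams per 10 ticks tolerated."""
    svc = ServiceForwardingUnit({23}, 3, 10, 50, {"10.0.0.5": 7})
    sec = SecurityProtectionUnit({80: "http"}, [b"../../"])
    switch = SwitchingUnit({80}, sec, {"10.0.0.5": svc})
    verdicts = [process(svc, switch, Packet("10.0.0.5", 23), 0),                    # ACL: drop
                process(svc, switch, Packet("10.0.0.5", 80, payload=b"GET / HTTP/1.1\r\n"), 1),  # 7
                process(svc, switch, Packet("10.0.0.5", 80, payload=b"SSH-2.0-x\r\n"), 2)]       # drop
    # six suspected SYN streams in one period: period closes at tick 10, the type is
    # then discarded until tick 60, so the message at tick 11 is dropped
    for t in (3, 4, 5, 6, 7, 10, 11):
        verdicts.append(process(svc, switch, Packet("10.0.0.5", 443, "tcp-syn", True), t))
    return verdicts
```

Port 443 traffic bypasses the safety protection board because only port 80 is configured for second-level detection, which is the S3 branch to step S6.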
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011604231.5A CN112769785B (en) | 2020-12-29 | 2020-12-29 | Network integrated depth detection device and method based on rack switch equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112769785A CN112769785A (en) | 2021-05-07 |
CN112769785B true CN112769785B (en) | 2023-06-27 |