CN112769785B - Network integrated depth detection device and method based on rack switch equipment - Google Patents

Network integrated depth detection device and method based on rack switch equipment

Publication number: CN112769785B
Authority: CN (China)
Application number: CN202011604231.5A
Other versions: CN112769785A (application publication)
Original language: Chinese (zh)
Inventors: 詹晋川, 杨鑫
Applicant and current assignee: Shenzhen Forward Industrial Co Ltd
Legal status: Active (application granted; granted publication CN112769785B)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/0227 Filtering policies
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection


Abstract

The invention discloses a network-integrated deep detection device and method based on rack-mounted switch equipment. Instead of the conventional, low-efficiency overlay deployment, in which a separate data security detection appliance is placed at a key point in the network and network traffic is diverted to it for inspection, the invention embeds security protection into the network communication equipment itself. It considers both the security detection and the data forwarding requirements, integrates the security protection module with the data switching equipment, and builds the security protection system into the device. Using the high-speed backplane channel of the existing rack equipment together with parallel deep inspection on a high-performance multi-core engine, it achieves fast deep security inspection and forwarding of data packets.

Description

Network integrated depth detection device and method based on rack switch equipment
Technical Field
The invention relates to the field of network protection, and in particular to a network-integrated deep detection device and method based on rack-mounted switch equipment.
Background
As communication networks continue to grow in scale, intrusions against networks and computer systems are increasing. Security monitoring and early warning is an important part of network protection: if a threat can be found in time and an alarm raised early, its harm can be reduced and the threat may even be stopped at the outset, so early warning in cyberspace security receives much attention. Conventional switch equipment, including rack-mounted switches, mostly relies on traditional operation and maintenance means such as SNMP, the CLI, syslog and third-party packet capture tools to protect network traffic; switches with slightly richer features add filtering of packets on fixed L2-L4 header fields. As communication patterns have become more diverse, complex and variable, these traditional filtering techniques struggle in some complex, high-end networks, which poses a greater challenge to network security, and dedicated security detection and filtering appliances have emerged. In the usual network architecture such an appliance is deployed at a key point in the network as an overlay, and the data is analysed and filtered more finely and deeply to secure the network in a complex environment.
In the current approach, traditional operation and maintenance means such as SNMP, the CLI, syslog and third-party packet capture tools cannot track network state in real time; the network state is not collected quickly and traffic optimisation for the corresponding scenario is not applied in time. This is a passive protection mode that cannot respond quickly to intrusions and attacks.
Moreover, ACL-based access control that filters packets on fixed L2-L4 fields offers a single protection mode with coarse granularity; it cannot withstand new network threats and cannot meet the requirements for fine-grained, intelligent detection of data in some complex network environments.
Although, with these security considerations in mind, a new protection system can be added to the general network architecture to filter and inspect data independently and in depth, under the traditional architecture the switching equipment and the security detection and filtering appliance are separate, overlaid devices: security policy configuration and traffic switching and scheduling are independent of each other and cannot be linked effectively, all traffic must be delivered to the security appliance for aggregation and analysis, and neither performance nor effectiveness can be guaranteed, which hinders improvement of dynamic defence efficiency.
Disclosure of Invention
In view of the defects of the prior art, the invention provides a network-integrated deep detection device and method based on rack-mounted switch equipment.
To achieve this aim, the invention adopts the following technical scheme:
in a first aspect, the invention provides a network-integrated deep detection device based on rack-mounted switch equipment, comprising a main control board, a switch board, a data service board, a security protection board and a backplane interconnecting the main control board, the switch board, the data service board and the security protection board for data communication;
the main control board runs all control-plane protocols and issues control instructions to the other boards;
the switch board schedules and forwards service data and security monitoring data between the data service board and the security protection board;
the data service board switches service data and performs first-level security screening, detection, filtering and forwarding on it;
the security protection board performs deep detection and security protection on the service data.
Further, the switch board uses a switching unit to forward service data. The switching unit contains a switching matrix module: when second-level defence detection is needed, service data packets are forwarded to the security protection board; when it is not needed, the packet header is parsed to look up the corresponding routing entry and the service data is distributed to the corresponding data service board for cross-board forwarding.
Further, the data service board uses a service forwarding unit to obtain the external user service data received by the line card, performs first-level defence detection on it and forwards the data that passes detection to the switching unit of the switch board; at the same time it receives service data packets forwarded by the switching unit and sends them out of the corresponding physical port by looking up the corresponding forwarding entry.
Further, the service forwarding unit encapsulates, in hardware, the service data packets to be forwarded into the packet format recognised by the switching unit for exchange, and performs coarse-grained traffic cleaning and forwarding on the service data.
Further, the first switching chip of the service forwarding unit performs traffic cleaning on the L2-L4 fields, comprising active attack defence, security access control and deep detection pre-judgement;
the active attack defence counts, within a configured statistics period, the number of data flows of a suspected attack packet type and, when the period ends, compares the count with a configured threshold; if the threshold is exceeded the packets are judged to be attack packets and service data packets of that type are discarded during the following interval period; otherwise they are judged to be safe and forwarded to the switching unit for the corresponding table lookup and forwarding;
the security access control filters packet flows by a configurable KEY value to perform ACL access control;
the deep detection pre-judgement screens data flows in advance against a configured security policy filter list and sends the selected data directly to the security protection board for protection detection.
Further, the security protection board uses a security protection unit to perform second-level defence detection; the security protection unit comprises several groups of processing chips and a group of second switching chips;
the processing chips perform deep protection detection on the various service data packets in parallel;
the second switching chip encapsulates and decapsulates, in hardware, the service data packets forwarded between the processing chips and the switching unit into the packet formats recognised by each.
Further, the security protection unit contains a deep packet inspection module that uses behaviour analysis, legitimate traffic identification, signature identification and filtering, abnormal traffic baseline learning, dynamic fingerprint identification and reverse detection to perform deep security detection on attack packets across all fields of layers L2-L7, covering illegal intrusion, malformed packet attacks, scanning and probing attacks, and flooding or volumetric attacks.
In a second aspect, the invention further provides a method applying the deep detection device, comprising the following steps:
S1, using the service forwarding unit of a data service board, acquire the external user service data received by the corresponding line card;
S2, using the service forwarding unit, parse the data packet, perform first-level defence detection by querying the local access control list, and forward the data that passes first-level detection to the switching unit of the switch board;
S3, using the switching unit, forward the service data packet according to the user configuration: if second-level defence detection is needed, forward the packet to the security protection board and go to step S4; if not, parse the packet header to look up the corresponding routing entry, distribute the packet to the corresponding service forwarding unit and go to step S6;
S4, using the security protection unit of the security protection board, receive the packet forwarded by the switching unit, perform second-level defence detection on it, and forward the data that passes second-level detection to the switching unit of the switch board;
S5, using the switching unit, receive the packet forwarded by the security protection unit and forward it to the service forwarding unit;
S6, using the service forwarding unit, receive the packet forwarded by the switching unit, look up the corresponding forwarding entry and send the packet out of the corresponding physical port.
The invention has the following beneficial effects:
(1) Unlike the passive protection mode of traditional operation and maintenance means, the invention adopts an optimised active detection mode and can respond quickly to network intrusions and attacks;
(2) The invention integrates a security protection module into the traditional rack-mounted switch architecture; the built-in security protection system uses an architecture of one-time parsing and multi-service parallel processing, achieves fast, deep and fine-grained security inspection and forwarding of core network packets, and performs deep detection of service packets from L2 to L7;
(3) While optimising the traditional network structure, the invention replaces the low-efficiency overlay deployment of security detection equipment at key points in the network with a new design that integrates security protection into the network communication equipment itself. It considers both the security detection and the data forwarding requirements, designs the security protection module and the data switching equipment as one unit, matches the built-in security protection system to the high-speed backplane channel of the existing rack equipment, and carries parallel deep inspection on a high-performance multi-core engine, thereby achieving fast deep security detection and forwarding of data packets.
Drawings
FIG. 1 is a schematic diagram of the network-integrated deep detection device based on rack-mounted switch equipment according to the invention;
FIG. 2 is a schematic diagram of the data interaction of the network-integrated deep detection device based on rack-mounted switch equipment according to the invention;
FIG. 3 is a diagram illustrating the packet statistics according to an embodiment of the invention;
FIG. 4 is a schematic flow chart of the network-integrated deep detection method based on rack-mounted switch equipment according to the invention;
FIG. 5 is a diagram of a conventional defence detection process according to an embodiment of the invention;
FIG. 6 is a graph of the defence detection process in an embodiment of the invention.
Detailed Description
The following description of embodiments is provided to help those skilled in the art understand the invention, but it should be understood that the invention is not limited to the scope of these embodiments; all inventions that make use of the inventive concept fall within the spirit and scope of the invention as defined in the appended claims.
Embodiment 1
As shown in FIG. 1, an embodiment of the invention provides a network-integrated deep detection device based on rack-mounted switch equipment, comprising a main control board, a switch board, a data service board, a security protection board, and a backplane interconnecting the main control board, the switch board, the data service board and the security protection board.
The main control board is the central nervous system of the rack-mounted equipment, responsible for managing the whole system and issuing instructions; it runs all control-plane protocols and issues control instructions to the other boards.
The switch board is responsible for scheduling and forwarding the service data and security monitoring data of the whole system and is the hub that guarantees data communication between the interconnected data service board and security protection board; it schedules and forwards service data and security monitoring data between the two.
The data service board is responsible for first-level screening and for receiving and transmitting the user data that flows through the system; it switches service data while performing first-level security screening, detection, filtering and forwarding on it.
The security protection board applies deep packet inspection and is responsible for deep analysis, fine-grained access control and intelligent defence of the system's service data; it performs deep detection and security protection on the service data.
The backplane provides the communication channels between the main control board, the switch board, the service board and the security board.
The invention adopts a flat distributed architecture that integrates rack-mounted switching equipment with security protection equipment, uses one-time parsing with multi-service parallel processing, and achieves fast, deep and fine-grained security inspection and forwarding of core network packets through a built-in security protection system. Specifically, within the current rack-mounted switch architecture the function of the service line card is upgraded, and the embedded security protection unit is dedicated to deep, fine-grained security protection of the network, so that the traditional equipment and the security protection equipment are linked as one and deep, fine-grained protection is performed.
Under the traditional network architecture, a dedicated data security detection and filtering appliance is deployed as a physical overlay at a key point in the network and analyses and filters the data separately. Deployment and later maintenance costs are relatively high. Security policy configuration and traffic switching and scheduling are independent of each other and cannot be linked effectively. Moreover, the communication equipment across the whole network often shares one security appliance, so traffic must be diverted to a remote appliance for security checking. This complicates the network topology on the one hand; on the other hand, because many devices share one appliance, performance and effectiveness cannot be guaranteed, data processing capacity drops sharply and forwarding efficiency suffers.
The invention relies on the design concept of embedding integrated security protection into the network equipment. It considers the architectural requirements of both security protection and data switching, designs them as one integrated unit and builds the security protection system into the device, so that, against the diversifying trend of network intrusion and attack, the various security monitoring modules are combined with the network equipment and the strengths of each are fully used to detect attacks in real time and efficiently. To improve the processing performance of the embedded security protection module, the module uses techniques such as parallel deep inspection on high-performance multi-core engines: it is built by stacking several security engines in parallel, and each security engine uses DPDK (Data Plane Development Kit) parallel processing to exploit the parallelism of the multi-core processor, achieving fast deep security inspection and forwarding of data packets.
Thus, while optimising the traditional network architecture, the invention replaces the low-efficiency overlay deployment of security detection and filtering equipment at key points with a new design that integrates security protection into the network communication equipment: the security protection module and the data switching equipment are designed as one unit, matched to the high-speed backplane channel of the existing rack equipment and carrying parallel deep inspection on a high-performance multi-core engine, so that fast deep security detection and forwarding of data packets is achieved.
In this embodiment, as shown in FIG. 2, the main control board uses a main control unit to control the whole system and issue instructions. The main control unit is the control plane of the whole system; all control-plane protocols run in it, which centralises control-plane management.
In this embodiment, as shown in FIG. 2, the switch board uses a switching unit that receives cross-board service data packets from each line card and forwards them. The switching unit embeds a switching matrix module: when second-level defence detection is required it forwards the packet to the security protection board; when it is not required it parses the packet header, looks up the corresponding routing entry and distributes the packet to the corresponding data service board for cross-board forwarding.
In this embodiment, as shown in FIG. 2, the data service board uses a service forwarding unit to obtain the external user service data received by the line card, performs first-level defence detection on it and forwards the data that passes to the switching unit of the switch board; at the same time it receives service data packets forwarded by the switching unit and sends them out of the corresponding physical port by looking up a local forwarding entry.
The service forwarding unit comprises a first switching chip, which encapsulates, in hardware, the service data packets to be forwarded into the packet format recognised by the switching unit for exchange, and performs coarse-grained traffic cleaning and forwarding on the service data.
The service forwarding unit cleans traffic on the L2-L4 fields, comprising active attack defence, security access control and deep detection pre-judgement, as follows.
The active attack defence counts, within a configured statistics period, the number of data flows of a suspected attack packet type and, when the period ends, compares the count with a configured threshold; if the threshold is exceeded the packets are judged to be attack packets and service data packets of that type are discarded during the following interval period; otherwise they are judged to be safe and forwarded to the switching unit for the corresponding table lookup and forwarding.
Unlike the passive protection mode of traditional operation and maintenance means, the invention adopts an optimised active detection mode and can respond quickly to network intrusions and attacks.
As shown in FIG. 3, the invention divides the time axis into alternating statistics periods and interval periods. A counter and a threshold are configured for each type of suspected attack packet. Within the statistics period the number of packets of a given suspected type is counted; when the statistics period ends the count is compared with the configured threshold, and if it exceeds the threshold the packets are treated as an attack and packets of that type are discarded during the interval period. Otherwise they are not discarded. The next statistics period and interval period repeat the above actions.
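The statistics-period/interval-period counter just described, as an added worked example that is not code from the patent or from the assignee. The class name, the per-type thresholds, the period lengths and the sample trace are all constructed; the only behaviour taken from the text is the cycle of counting, comparing at the end of the statistics period, and dropping that packet type for the following interval period. Note one property the text leaves implicit: nothing is dropped while counting, so a burst is only suppressed from the interval period onwards, and a new statistics period starts with a clean slate.

```python
"""Active attack defence counter from the first-level (L2-L4) stage: the time
axis alternates between a statistics period and an interval period; packets of
each suspected type are counted during the statistics period, compared with a
per-type threshold when it ends, and dropped for the following interval period
if the threshold was exceeded.  Added example: class names, thresholds and the
sample trace are constructed, not taken from the patent."""
from collections import defaultdict


class PeriodicThresholdGuard:
    def __init__(self, stat_period, interval_period, thresholds):
        self.stat_period = float(stat_period)          # seconds spent counting
        self.interval_period = float(interval_period)  # seconds a verdict is enforced
        self.thresholds = dict(thresholds)             # suspected type -> max count
        self._counts = defaultdict(int)
        self._blocked = set()          # types judged as attack in the current cycle
        self._state = (0, "stat")      # (cycle index, phase) last seen
        self._last_now = 0.0
        self.verdicts = []             # (cycle, type, count) for every attack verdict

    def _phase(self, now):
        """Map a timestamp onto (cycle index, 'stat' | 'interval')."""
        cycle, offset = divmod(now, self.stat_period + self.interval_period)
        return int(cycle), "stat" if offset < self.stat_period else "interval"

    def _advance(self, cycle, phase):
        """Close the statistics period we were counting in, if one has ended."""
        prev_cycle, prev_phase = self._state
        if prev_phase == "stat":
            # End of a statistics period: compare each counter with its threshold.
            self._blocked = {t for t, n in self._counts.items()
                             if n > self.thresholds[t]}
            self.verdicts.extend((prev_cycle, t, self._counts[t])
                                 for t in sorted(self._blocked))
            self._counts = defaultdict(int)
        if cycle > prev_cycle:
            # A new cycle has begun, so any earlier interval period is over.
            self._blocked = set()
        self._state = (cycle, phase)

    def observe(self, now, msg_type):
        """Return 'forward' or 'drop' for one packet of `msg_type` seen at `now`."""
        if now < self._last_now:
            raise ValueError("timestamps must be non-decreasing")
        self._last_now = now
        cycle, phase = self._phase(now)
        if (cycle, phase) != self._state:
            self._advance(cycle, phase)
        if phase == "stat":
            if msg_type in self.thresholds:
                self._counts[msg_type] += 1
            return "forward"            # counting only; no drops while counting
        return "drop" if msg_type in self._blocked else "forward"


def run_trace(guard, trace):
    """Apply the guard to a (timestamp, type) trace; return one verdict per packet."""
    return [guard.observe(t, kind) for t, kind in trace]


# Constructed sample: a SYN burst in the first second, then sparse traffic.
SAMPLE_TRACE = [(0.1 * i, "tcp_syn") for i in range(8)] + [
    (1.2, "tcp_syn"), (1.3, "icmp_echo"), (2.1, "tcp_syn")]

if __name__ == "__main__":
    g = PeriodicThresholdGuard(stat_period=1.0, interval_period=1.0,
                               thresholds={"tcp_syn": 5, "icmp_echo": 50})
    for (t, kind), verdict in zip(SAMPLE_TRACE, run_trace(g, SAMPLE_TRACE)):
        print(f"t={t:4.1f} {kind:10s} {verdict}")
    print("attack verdicts:", g.verdicts)
```

With a one-second statistics period and threshold of 5, the eight SYNs in the first second are all forwarded (they are being counted), the SYN at 1.2 s falls in the interval period and is dropped, the unrelated ICMP packet is not, and the SYN at 2.1 s opens a new cycle and is counted afresh.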
The security access control filters packet flows according to a configurable KEY value to perform ACL access control and executes the corresponding ACTION; it is mainly applied to policy routing, for example:
1) discarding packets that pose a potential threat to network security;
2) routing L3 packets;
3) forwarding control packets, such as OAM packets, to the CPU;
4) assigning a new priority, VLAN ID or VRF to a selected packet flow;
5) counting or metering a given packet flow across multiple ports;
6) redirecting a packet flow to a new egress port or port group;
7) redirecting a packet flow based on egress modification, or mirroring it.
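A KEY/ACTION matcher covering the seven actions listed above, as an added example that is not code from the patent or the assignee. The field set, the rule names, the action vocabulary and the sample packets are constructed, and one design choice is an assumption the text does not make: count, remark and mirror are treated as non-terminal actions (they take effect and evaluation continues), while drop, to-CPU, route and redirect end evaluation at the first match.

```python
"""Security access control stage: packet flows are matched on a configurable
KEY (a set of header fields, IP fields given as CIDR) and the matching rule's
ACTION is executed.  Added example; rule names, the field set, the action
vocabulary and the sample packets are constructed.  Assumption not stated in
the patent: 'count', 'remark' and 'mirror' are non-terminal and evaluation
continues, while 'drop', 'to_cpu', 'route' and 'redirect' end it."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # 'tcp' | 'udp' | 'icmp' | 'oam' ...
    dport: int
    vlan: int
    in_port: int
    priority: int = 0
    vrf: str = "default"


@dataclass
class AclRule:
    name: str
    key: dict                       # field -> exact value, or CIDR for src/dst
    action: str                     # drop | to_cpu | route | redirect | remark | count | mirror
    params: dict = field(default_factory=dict)
    hits: int = 0

    def matches(self, pkt):
        """Every KEY field must match; IP fields match by prefix."""
        for fld, want in self.key.items():
            have = getattr(pkt, fld)
            if fld in ("src", "dst"):
                if ip_address(have) not in ip_network(want, strict=False):
                    return False
            elif have != want:
                return False
        return True


class AclEngine:
    def __init__(self, rules):
        self.rules = list(rules)

    def apply(self, pkt):
        """Evaluate rules in order and return the decision dict for `pkt`.

        If no terminal rule matches, the default is normal forwarding with
        egress=None, meaning 'consult the forwarding table'."""
        decision = {"verdict": "forward", "egress": None, "mirror": [], "rules": []}
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            rule.hits += 1                      # per-rule counter (action 5)
            decision["rules"].append(rule.name)
            if rule.action == "count":
                continue
            if rule.action == "remark":         # action 4: priority / VLAN / VRF
                pkt.priority = rule.params.get("priority", pkt.priority)
                pkt.vlan = rule.params.get("vlan", pkt.vlan)
                pkt.vrf = rule.params.get("vrf", pkt.vrf)
                continue
            if rule.action == "mirror":         # action 7: copy to a mirror port
                decision["mirror"].append(rule.params["port"])
                continue
            if rule.action == "redirect":       # action 6: new egress port
                decision["egress"] = rule.params["port"]
                decision["verdict"] = "forward"
            else:                               # drop / to_cpu / route (actions 1-3)
                decision["verdict"] = rule.action
            return decision
        return decision


def sample_engine():
    """Constructed policy in the order a first-level filter might hold it."""
    return AclEngine([
        AclRule("deny-bogon-src", {"src": "0.0.0.0/8"}, "drop"),
        AclRule("oam-to-cpu", {"proto": "oam"}, "to_cpu"),
        AclRule("count-dns", {"proto": "udp", "dport": 53}, "count"),
        AclRule("voice-priority", {"vlan": 100}, "remark", {"priority": 5}),
        AclRule("mirror-mgmt-ssh", {"dst": "10.0.0.0/24", "dport": 22}, "mirror", {"port": 47}),
        AclRule("redirect-web", {"proto": "tcp", "dport": 80}, "redirect", {"port": 12}),
        AclRule("route-all", {"dst": "0.0.0.0/0"}, "route"),
    ])


if __name__ == "__main__":
    engine = sample_engine()
    for p in (Packet("0.1.2.3", "10.1.1.1", "tcp", 443, 1, 3),
              Packet("192.168.1.10", "10.0.0.5", "tcp", 22, 1, 3),
              Packet("192.168.1.10", "8.8.8.8", "udp", 53, 100, 3)):
        print(p.src, "->", p.dst, engine.apply(p))
```

Rule order matters: because the engine stops at the first terminal action, a catch-all route rule belongs last, and the non-terminal count, remark and mirror rules that should also apply to routed traffic must sit above it.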
For deep detection pre-judgement, a security policy filter list is integrated into the service forwarding module. The list comprises a trusted list and a suspicious list, and the user configures the suspicious list according to the requirements of the actual environment. When service traffic flows through the device it is screened, and if suspicious service data is found it is sent to the security protection unit for deep detection and analysis.
In this embodiment, as shown in FIG. 2, the security protection board uses a security protection unit for second-level defence detection; the unit comprises several groups of processing chips and a group of second switching chips, as follows.
The processing chips perform deep protection detection on the various service data packets in parallel; each group of CPUs is connected to multiple high-speed communication channels, so that concurrent service flows do not congest one another at peak times and forwarding performance is improved.
The second switching chip encapsulates and decapsulates, in hardware, the service data packets forwarded between the processing chips and the switching unit into the packet formats recognised by each, completing the efficient transfer of packets.
The security protection unit contains a deep packet inspection module that uses behaviour analysis, legitimate traffic identification, signature identification and filtering, abnormal traffic baseline learning, dynamic fingerprint identification, reverse detection and similar techniques to detect illegal intrusion (such as web attacks, viruses and spoofing), malformed packet attacks (such as WinNuke and Teardrop), scanning and probing attacks (such as host scans, port scans and route option probing), and flooding or volumetric attacks (such as the various flood attacks and CC attacks). It covers intrusion and attack protection across the whole L2-L7 range and so achieves fine-grained deep security detection of network traffic.
The invention integrates the security protection module into the traditional rack-mounted switch architecture and, with an architecture of one-time parsing and multi-service parallel processing and a built-in security protection system, achieves fast, deep and fine-grained security inspection and forwarding of core network packets and deep detection of service packets from L2 to L7.
Although the access control policy technology used in traditional service traffic filtering and detection meets most general requirements, it identifies packets mainly by traditional IP packet inspection: the inspected fields are relatively fixed and the inspection depth is limited. An attacker can exploit these limitations to disguise traffic as legitimate packets and deceive the communication, stealing important user information.
The invention uses an intelligent analysis method based on deep packet inspection to perform application recognition. With deep packet inspection at its core, it combines recognition based on packet content (application fingerprints) with behaviour characteristics, so that applications in the network are recognised automatically and classified intelligently using several techniques, including protocol identification and content and behaviour identification. The detection process uses an architecture of one-time parsing and multi-service parallel processing: the core application parsing and signature matching is processed at high speed by a hardware acceleration module, and each security service tracks the processing result in parallel and updates its state; when all the conditions of a threat signature are met the response action is triggered immediately according to the security policy, and when they are not met the tracking state is adjusted automatically, so that traffic that has passed detection is forwarded at high speed. By applying this high-performance deep packet inspection protection, with the first-level security protection of the service module, the second-level security protection of the security protection module and signature coverage from L2 to L7, the strength and granularity of security protection in the communication network are greatly enhanced, giving a powerful, stable and reliable network environment.
Example 2
Based on the network integrated depth detection device described in Embodiment 1, this embodiment of the invention also provides a network integrated depth detection method using that device which, as shown in fig. 4, comprises the following steps:
S1. Using the service forwarding unit of a data service board, acquire the external user service data received by the corresponding line card;
S2. Using the service forwarding unit, parse the data packet, perform primary defence detection by querying the local access control list, and forward the data that passes primary detection to the switching unit of the switching board;
S3. Using the switching unit, forward the service data packet according to the user configuration: if secondary defence detection is required, forward the packet to the security protection board and proceed to step S4; if it is not required, look up the corresponding routing table entry from the parsed packet header, distribute the packet to the corresponding service forwarding unit and proceed to step S6;
S4. Using the security protection unit of the security protection board, receive the service data packet forwarded by the switching unit, perform secondary defence detection on it, and forward the data that passes secondary detection to the switching unit of the switching board;
S5. Using the switching unit, receive the service data packet forwarded by the security protection unit and forward it to the service forwarding unit;
S6. Using the service forwarding unit, receive the service data packet forwarded by the switching unit, look up the corresponding forwarding table entry, and forward the packet out of the corresponding physical port.
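The following is an added example, not code from the patent or from the applicant: a software model of the two-stage pipeline in steps S1 to S6 together with the single-parse, per-service state tracking described for the security board. Stage 1 is an L3/L4 access control list on the line card (first match wins, implicit deny); the switching unit then decides from a configured policy which flows go to the security board; stage 2 parses the payload once and lets each threat signature keep per-flow state, firing only when all of its conditions have been seen on that flow, possibly across several packets; surviving packets are forwarded by longest-prefix lookup. The ACL rule shape, the signature conditions, the port-based deep-inspection policy, the forwarding table and the sample packets are all assumptions constructed for the example; the patent does not specify any of them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""

    def flow_key(self):
        return (self.src_ip, self.dst_ip, self.proto, self.dst_port)


# Stage 1 (service forwarding unit): L3/L4 ACL. Hypothetical rule shape:
# (action, source network, protocol, destination port); first match wins, implicit deny.
ACL = [
    ("deny",   "203.0.113.0/24", "tcp", 23),
    ("permit", "0.0.0.0/0",      "tcp", 80),
    ("permit", "0.0.0.0/0",      "tcp", 443),
    ("permit", "0.0.0.0/0",      "udp", 53),
]


def acl_check(pkt: Packet) -> str:
    src = ipaddress.ip_address(pkt.src_ip)
    for action, net, proto, port in ACL:
        if src in ipaddress.ip_network(net) and pkt.proto == proto and pkt.dst_port == port:
            return action
    return "deny"


# Switching unit: user-configured policy selecting which flows get secondary (deep) inspection.
DEEP_INSPECT_PORTS = {80, 443}


def needs_deep_inspection(pkt: Packet) -> bool:
    return pkt.dst_port in DEEP_INSPECT_PORTS


# Stage 2 (security protection unit): the payload is parsed once; each signature "service"
# keeps per-flow state and fires only when all of its conditions have been observed.
THREAT_SIGNATURES = {
    "path_traversal": (b"../", b"/etc/passwd"),
    "sqli_probe":     (b"' or ", b"--"),
}


class DeepInspector:
    def __init__(self):
        self.state = {}   # (flow_key, signature name) -> set of matched conditions

    def inspect(self, pkt: Packet) -> Optional[str]:
        payload = pkt.payload.lower()                 # single parse shared by all services
        for name, conditions in THREAT_SIGNATURES.items():
            key = (pkt.flow_key(), name)
            matched = self.state.setdefault(key, set())
            matched.update(c for c in conditions if c in payload)
            if len(matched) == len(conditions):
                self.state.pop(key)                   # threat confirmed: reset tracking for this flow
                return name
        return None


# Stage 3 (service forwarding unit): forwarding table with longest-prefix match.
FORWARDING_TABLE = {
    "198.51.100.0/24": "ge-1/0/1",
    "192.0.2.0/24":    "ge-1/0/2",
}


def lookup_egress(dst_ip: str) -> Optional[str]:
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, port in FORWARDING_TABLE.items():
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, port)
    return best[1] if best else None


class Pipeline:
    def __init__(self):
        self.dpi = DeepInspector()

    def process(self, pkt: Packet) -> dict:
        if acl_check(pkt) != "permit":
            return {"action": "drop", "stage": 1, "reason": "acl"}
        if needs_deep_inspection(pkt):
            hit = self.dpi.inspect(pkt)
            if hit:
                return {"action": "drop", "stage": 2, "reason": hit}
        port = lookup_egress(pkt.dst_ip)
        if port is None:
            return {"action": "drop", "stage": 3, "reason": "no route"}
        return {"action": "forward", "stage": 3, "port": port}


# Constructed sample traffic (not captured from any real network).
SAMPLE = [
    Packet("203.0.113.7", "198.51.100.10", "tcp", 23, b"login:"),
    Packet("198.51.100.5", "192.0.2.20", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.5", "192.0.2.20", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    p = Pipeline()
    for pkt in SAMPLE:
        print(pkt.dst_port, p.process(pkt))
```

The per-flow state in DeepInspector is the part worth noticing: a traversal whose two indicators arrive in separate packets is still caught, which a stateless per-packet match would miss, and the state for a flow is discarded as soon as its signature fires so that the next packet starts clean.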
The technical effects of the network integrated depth detection device and method of the invention are compared and analysed against the prior art below.
Conventional network operation and maintenance means such as SNMP, CLI, SYSLOG and third-party packet-capture analysis usually begin analysis and deploy protective actions only after an attack or intrusion has occurred, often after it has already achieved some of its aims, and the analysis itself consumes considerable time. Network state cannot be tracked in real time or collected quickly, traffic cannot be optimised promptly for the scenario at hand, and a large amount of manpower and resources must be invested; security, fault handling and response timeliness cannot be guaranteed. The primary and secondary protection of the invention are both active defences: a real-time security detection technique triggered by the flow state actively matches the state and characteristics of service packets to identify illegal packets. This greatly improves network security and protection efficiency: attacks and intrusions are detected promptly and efficiently, protective action is taken immediately, and attack and intrusion traffic is blocked outside the network at the first opportunity.
As the graph of fig. 5 shows, with conventional defence detection, detection starts at time t0, the attack is not identified until time t1, and the protective measure taken against it only takes effect and stabilises at time t2; the attack is not defended against in time, so the intrusion may already have achieved some of its aims in the interval. Moreover, because conventional defence relies on a single protective measure, it only lowers the probability of intrusion, reducing the intrusion volume from P1 to P2, and cannot truly isolate all attack behaviour.
With the technology of the invention, as the graph of fig. 6 shows, once detection starts the attack is detected immediately and defended against from multiple angles and at multiple layers by the system's own security protection module performing active, intelligent detection, without relying on passive methods such as examining logs or third-party analysis tools. Detection and defence are effective essentially from the moment defensive detection starts at time t0, and most or even all intrusion and attack behaviour is isolated, so normal secure communication on the network is fully protected.
The invention uses an intelligent analysis method based on deep packet inspection for application recognition: DPI is the core, combined with packet-content (application fingerprint) recognition and behavioural characteristics, so that applications on the network are recognised and classified automatically using several recognition techniques (protocol recognition, content plus behaviour recognition, and so on), as compared in Table 1.
TABLE 1 Comparison of conventional detection techniques and depth detection techniques (the table body is an image in the original and is not reproduced here)
Under a conventional network architecture, dedicated security detection and filtering equipment is deployed by physically overlaying it at key positions in the network to analyse and filter data; deployment and later maintenance costs are relatively high. Security policy configuration and network traffic switching and scheduling are independent of each other and cannot be effectively linked. Moreover, the communication equipment of the whole network usually shares one security detection and filtering device, so data traffic has to be diverted to a remote device for security checking. On one hand this complicates the network topology; on the other, with many devices sharing one filtering device, performance and effectiveness cannot be guaranteed, data processing capacity drops greatly and forwarding efficiency suffers.
The invention relies on the design concept of embedding integrated security protection into the network equipment: it takes into account the architectural requirements of both security protection and data switching, designs the two as an integrated whole and builds the security protection system into the device. Various security monitoring modules are thus combined with the network equipment to address the increasingly diverse forms of network intrusion and attack, making full use of each component's strengths to detect attacks in real time and efficiently. To improve the processing performance of the embedded security protection module, it uses techniques such as parallel deep detection on high-performance multi-core engines: the architecture stacks several security engines in parallel, and each engine uses DPDK (Data Plane Development Kit) parallel processing, fully exploiting the parallel capability of the multi-core processor to achieve fast deep security inspection and forwarding of data packets. A specific comparison is given in Table 2:
TABLE 2 Comparison of the traditional protection architecture and the integrated core network device architecture (the table body is an image in the original and is not reproduced here)
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principles and embodiments of the present invention have been described in detail with reference to specific examples, which are provided to facilitate understanding of the method and core ideas of the present invention; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present invention, the present description should not be construed as limiting the present invention in view of the above.
Those of ordinary skill in the art will recognize that the embodiments described herein are for the purpose of aiding the reader in understanding the principles of the present invention and should be understood that the scope of the invention is not limited to such specific statements and embodiments. Those of ordinary skill in the art can make various other specific modifications and combinations from the teachings of the present disclosure without departing from the spirit thereof, and such modifications and combinations remain within the scope of the present disclosure.

Claims (5)

1. A network integrated depth detection device based on rack switch equipment, characterised by comprising a main control board, a switching board, a data service board, a security protection board, and a backplane that interconnects data communication among the main control board, the switching board, the data service board and the security protection board;
the main control board is used to run all control-plane protocols and to issue control instructions to the other boards;
the switching board is used to schedule and forward service data and security monitoring data between the data service board and the security protection board;
the data service board is used to exchange service data and to perform primary security screening, detection, filtering and forwarding of the service data;
specifically, the data service board uses a service forwarding unit to acquire the external user service data received by a line card, performs primary defence detection on the service data and forwards the data that passes detection to a switching unit of the switching board; it also receives service data packets forwarded by the switching unit and forwards them out of the corresponding physical port by looking up the corresponding forwarding table entry;
the service forwarding unit is used to encapsulate, in hardware, the service data packets to be forwarded into the packet format recognised by the switching unit for data exchange, and to perform coarse-grained traffic cleaning and forwarding of the service data;
specifically, the service forwarding unit performs traffic cleaning on the L2 to L4 fields, comprising active attack defence, security access control and deep-detection pre-judgement;
the active attack defence specifically counts, within a set counting period, the number of data flows of suspected attack packets and, when the counting period ends, compares the count with a set threshold; if the threshold is exceeded, it judges that an attack is taking place and discards service data packets of that type for an interval period; otherwise it judges the packets to be safe and forwards them to the switching unit for the corresponding table lookup and forwarding;
the security access control specifically filters the packet stream according to a configurable KEY value to perform ACL-based access control;
the deep-detection pre-judgement specifically pre-screens the data flow at the front stage according to a configured security policy filtering list and sends the data directly to the security protection board for protective detection;
the security protection board is used to perform deep detection and security protection on the service data.
2. The network integrated depth detection device based on rack switch equipment according to claim 1, wherein the switching board specifically uses a switching unit to forward the service data, the switching unit having a built-in switch matrix module; when secondary defence detection is required, service data packets are forwarded to the security protection board; when it is not required, the corresponding routing table entry is looked up from the parsed packet header and the service data is distributed to the corresponding data service board for cross-board forwarding.
3. The network integrated depth detection device based on rack switch equipment according to claim 1, wherein the security protection board specifically uses a security protection unit to perform secondary defence detection, the security protection unit comprising several groups of processing chips and one group of second switching chips;
the processing chips are used for parallel processing of deep protective detection of the various service data packets;
the second switching chips are used to encapsulate and decapsulate, in hardware, the service data packets to be forwarded between the processing chips and the switching unit into the packet format recognised by the processing chips and the switching unit.
4. The network integrated depth detection device based on rack switch equipment according to claim 3, wherein the security protection unit has a built-in deep packet inspection module and uses behaviour analysis, legitimate-traffic identification, feature identification and filtering, abnormal-traffic baseline learning, dynamic fingerprint identification and reverse detection to perform deep security detection, over all fields of layers L2 to L7, of attack packets for illegal intrusion, malformed-packet attacks, scanning and probing attacks, and flooding or traffic attacks.
5. A method of using the depth detection device of any one of claims 1 to 4, comprising the following steps:
S1. Using the service forwarding unit of a data service board, acquire the external user service data received by the corresponding line card;
S2. Using the service forwarding unit, parse the data packet, perform primary defence detection by querying the local access control list, and forward the data that passes primary detection to the switching unit of the switching board;
S3. Using the switching unit, forward the service data packet according to the user configuration: if secondary defence detection is required, forward the packet to the security protection board and proceed to step S4; if it is not required, look up the corresponding routing table entry from the parsed packet header, distribute the packet to the corresponding service forwarding unit and proceed to step S6;
S4. Using the security protection unit of the security protection board, receive the service data packet forwarded by the switching unit, perform secondary defence detection on it, and forward the data that passes secondary detection to the switching unit of the switching board;
S5. Using the switching unit, receive the service data packet forwarded by the security protection unit and forward it to the service forwarding unit;
S6. Using the service forwarding unit, receive the service data packet forwarded by the switching unit, look up the corresponding forwarding table entry, and forward the packet out of the corresponding physical port.
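The "active attack defence" of claim 1 is a rate-threshold mechanism: suspected attack packets are counted per type during a fixed counting period, the count is compared with a threshold when the period ends, and a type that exceeded the threshold is dropped for the following interval period. The block below is an added example written for this page, not the applicant's code, that implements that logic deterministically with explicit timestamps. Which packets count as "suspected attack" is not stated in the claims, so the classifier here (TCP SYN and ICMP echo as flood indicators), the period and threshold values, and the sample burst are assumptions constructed for the example.

```python
from collections import Counter
from typing import Optional


# Hypothetical classifier for "suspected attack packets": the patent does not say which
# packets the line card counts, so this maps two common flood indicators to a type.
def classify_suspect(pkt: dict) -> Optional[str]:
    if pkt.get("proto") == "tcp" and pkt.get("flags") == "S":
        return "syn_flood"
    if pkt.get("proto") == "icmp":
        return "icmp_flood"
    return None


class AttackRateGuard:
    """Per-type counter over a fixed counting period with a block interval.

    Packets of each suspected type are counted during a counting period. When the period
    ends, any type whose count exceeded the threshold is dropped for the following
    interval period; other types are judged safe and forwarded. Timestamps are passed in
    explicitly so that the behaviour is deterministic and testable."""

    def __init__(self, count_period: float, threshold: int, block_interval: float):
        self.count_period = count_period
        self.threshold = threshold
        self.block_interval = block_interval
        self.period_start = 0.0
        self.counts: Counter = Counter()
        self.blocked_until: dict = {}   # type -> time until which that type is dropped

    def _roll_periods(self, now: float) -> None:
        # Close every counting period that ended before `now`, evaluating the threshold
        # at each period boundary, as the line card would at the end of each period.
        while now >= self.period_start + self.count_period:
            period_end = self.period_start + self.count_period
            for kind, n in self.counts.items():
                if n > self.threshold:
                    self.blocked_until[kind] = period_end + self.block_interval
            self.counts.clear()
            self.period_start = period_end

    def handle_packet(self, pkt: dict, now: float) -> str:
        kind = classify_suspect(pkt)
        if kind is None:
            return "forward"                # not a suspected attack packet: not counted
        self._roll_periods(now)
        self.counts[kind] += 1              # dropped packets are counted too, so a sustained flood renews the block
        if now < self.blocked_until.get(kind, 0.0):
            return "drop"
        return "forward"


def simulate(guard: AttackRateGuard, events) -> list:
    """Run a list of (timestamp, packet) pairs through the guard and return the actions."""
    return [guard.handle_packet(pkt, t) for t, pkt in events]


# Constructed traffic: a burst of 30 TCP SYNs inside the first one-second period,
# then a SYN and an ACK during the block interval, and a SYN after it has expired.
SYN = {"proto": "tcp", "flags": "S"}
ACK = {"proto": "tcp", "flags": "A"}
SAMPLE_EVENTS = [(i * 0.03, SYN) for i in range(30)] + [(1.2, SYN), (1.3, ACK), (6.5, SYN)]

if __name__ == "__main__":
    g = AttackRateGuard(count_period=1.0, threshold=20, block_interval=5.0)
    for (t, pkt), action in zip(SAMPLE_EVENTS, simulate(g, SAMPLE_EVENTS)):
        print(f"t={t:.2f} {pkt} -> {action}")
```

Two properties of the claimed mechanism are visible in the run: the burst itself is forwarded, because the verdict is only reached when the counting period closes, and the block applies only to the offending type (the ACK at t=1.3 still passes). Both are the expected trade-off of a period-based counter rather than a per-packet rate limiter; the period length bounds how long a flood is admitted before the drop starts.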
CN202011604231.5A 2020-12-29 2020-12-29 Network integrated depth detection device and method based on rack switch equipment Active CN112769785B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011604231.5A CN112769785B (en) 2020-12-29 2020-12-29 Network integrated depth detection device and method based on rack switch equipment

Publications (2)

Publication Number Publication Date
CN112769785A CN112769785A (en) 2021-05-07
CN112769785B true CN112769785B (en) 2023-06-27

Family

ID=75697344

Country Status (1)

Country Link
CN (1) CN112769785B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113301053B (en) * 2021-05-31 2023-04-07 深圳市风云实业有限公司 High-performance network boundary protection detection system and method based on expandability
CN114201427B (en) * 2022-02-18 2022-05-17 之江实验室 Parallel deterministic data processing device and method
CN114553546B (en) * 2022-02-24 2023-07-04 杭州迪普科技股份有限公司 Message grabbing method and device based on network application
CN117439765A (en) * 2023-09-08 2024-01-23 重庆数智融合创新科技有限公司 Data storage forwarding method and system based on application awareness

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101483649A (en) * 2009-02-10 2009-07-15 浪潮电子信息产业股份有限公司 Network safe content processing card based on FPGA
CN102571738A (en) * 2010-12-08 2012-07-11 中国电信股份有限公司 Intrusion prevention system (IPS) based on virtual local area network (VLAN) exchange and system thereof
CN103888307A (en) * 2012-12-20 2014-06-25 中国电信股份有限公司 Method, user side board card and broadband access gateway used for optimizing deep packet detection
CN104811400A (en) * 2014-01-26 2015-07-29 杭州迪普科技有限公司 Distributed network apparatus
CN107769992A (en) * 2017-09-15 2018-03-06 通鼎互联信息股份有限公司 A kind of packet parsing shunt method and device
CN108471389A (en) * 2018-03-12 2018-08-31 电子科技大学 A kind of switch system based on service function chain
CN208623847U (en) * 2018-07-06 2019-03-19 中国联合网络通信集团有限公司 A kind of card insert type electronic equipment
CN111478863A (en) * 2020-04-14 2020-07-31 深圳市风云实业有限公司 Switch system and network port time synchronization method thereof

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant