CN113098895A - DPDK-based network traffic isolation system - Google Patents

DPDK-based network traffic isolation system

Info

Publication number
CN113098895A
Authority
CN
China
Prior art keywords
module
filtering
dpdk
network
filtering rule
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110452447.2A
Other languages
Chinese (zh)
Inventor
王洁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Zhongxing Electric Technology Co ltd
Original Assignee
Chengdu Zhongxing Electric Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

A DPDK-based network traffic isolation system comprises a network under test, a twin network, a gateway, a DPDK module, a detection and filtering module, a filtering rule submission module and a filtering rule distribution module. The DPDK module, deployed on the gateway, inspects and modifies the packets received and sent by the network card according to the filtering rules; the detection module, deployed in the network under test, parses, inspects and filters traffic packets; the filtering rule submission module receives the filtering rules sent by the filtering rule distribution module and passes them to the driver module; the filtering rule distribution module distributes filtering rules imported from elsewhere and sends them to the driver module. With the invention, isolation policies for traffic can be configured flexibly and quickly, malicious traffic is detected in real time, the isolation policy is modified dynamically, traffic can be diverted quickly at the gateway, and malicious traffic can be isolated quickly.

Description

DPDK-based network traffic isolation system
Technical Field
The invention relates to the technical field of traffic isolation, and in particular to a DPDK-based network traffic isolation system.
Background
With the continuous development of Internet technology, the traffic volume of data center networks and national backbone networks keeps growing, and traditional network traffic isolation methods cannot keep up with today's high-speed network environment. Although hardware performance keeps improving, large-scale traffic and useless malicious traffic weigh heavily on traffic isolation on multi-core processors, and processing large volumes of packets in a Linux system carries considerable overhead, including copying data between the application layer and the system layer, interrupt handling and context switching. Traffic isolation on multi-core processors is therefore an urgent problem. The GAP technology of the prior art achieves secure data transfer and resource sharing between two or more networks that are not connected to each other by means of dedicated hardware: its unique hardware design keeps the link layer between the networks disconnected at all times and blocks TCP/IP and other network protocols, which markedly raises the security strength of the internal user network.
Disclosure of Invention
(I) Objects of the invention
To solve the technical problems described in the background, the invention provides a DPDK-based network traffic isolation system. It is developed on top of DPDK and adds traffic parsing and identification, so that common protocols can be identified and located and traffic packets can be forwarded quickly; it also adds traffic detection that checks for the distinct characteristics of common malicious traffic, and can currently detect malicious traffic such as password brute-forcing, DDoS and SQL injection. The system can configure isolation policies for traffic effectively, flexibly and quickly, detect malicious traffic in real time, modify the isolation policy dynamically, divert traffic quickly at the gateway and isolate malicious traffic quickly.
(II) Technical scheme
The invention provides a DPDK-based network traffic isolation system comprising a network under test, a twin network, a gateway, a DPDK module, a detection filtering module, a filtering rule submission module and a filtering rule distribution module;
the filtering rule submission module is communicatively connected to the filtering rule distribution module and, through a named pipe, to the driver module; the filtering rule distribution module is connected to the driver module over the network;
the DPDK module is deployed on the gateway and inspects and modifies the packets received and sent by the network card according to the filtering rules;
the detection module is deployed in the network under test and parses, inspects and filters traffic packets;
the filtering rule submission module receives the filtering rules sent by the filtering rule distribution module and sends them to the driver module;
the filtering rule distribution module distributes filtering rules imported from elsewhere and sends them to the driver module.
Preferably, the driver module is the KNI module of DPDK.
Preferably, the detection filtering module parses the traffic packet with DPDK's own packet parsing library to obtain the network-layer protocol; the packet is first filtered with the cached filtering rules, then malicious traffic is filtered out with the filtering rules, and the header of each malicious packet, including its IP destination address and checksum, is rewritten so that the packet is led into a preset twin network; the header of each packet sent back from the twin network is likewise rewritten, including its IP source address and checksum.
Preferably, the filtering rule distribution module supports two import modes: local import and import after traffic analysis.
The technical scheme of the invention has the following beneficial technical effects. The system is developed on top of DPDK and adds traffic parsing and identification, so that common protocols can be identified and located and traffic packets can be forwarded quickly; it adds traffic detection that checks for the distinct characteristics of common malicious traffic, and can currently detect malicious traffic such as password brute-forcing, DDoS (distributed denial of service) and SQL (structured query language) injection. The system can configure isolation policies for traffic effectively, flexibly and quickly, detect malicious traffic in real time, modify the isolation policy dynamically, divert traffic quickly at the gateway and isolate malicious traffic quickly.
Drawings
Fig. 1 is a schematic structural diagram of a DPDK-based network traffic isolation system according to the present invention.
Fig. 2 is a schematic structural diagram of the KNI module in the DPDK-based network traffic isolation system according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings in conjunction with the following detailed description. It should be understood that the description is intended to be exemplary only, and is not intended to limit the scope of the present invention. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present invention.
As shown in Figs. 1 and 2, the DPDK-based network traffic isolation system provided by the invention comprises a network under test, a twin network, a gateway, a DPDK module, a detection filtering module, a filtering rule submission module and a filtering rule distribution module;
the filtering rule submission module is communicatively connected to the filtering rule distribution module and, through a named pipe, to the driver module; the filtering rule distribution module is connected to the driver module over the network;
the DPDK module is deployed on the gateway and inspects and modifies the packets received and sent by the network card according to the filtering rules;
the detection module is deployed in the network under test and parses, inspects and filters traffic packets;
the filtering rule submission module receives the filtering rules sent by the filtering rule distribution module and sends them to the driver module. For rule submission, a separate filtering rule acquisition process is started on the machine; it communicates with the DPDK module over a named pipe and sends the filtering rules to it. The DPDK module starts a separate polling thread to communicate with that process, obtains the filtering rules in real time and caches them in its own memory for malicious traffic detection. The filtering rule submission module thus communicates with the DPDK module and also with the external filtering rule distribution module, from which it receives filtering rules; every rule is base64-encoded and output in a standardized form;
the filtering rule distribution module distributes filtering rules imported from elsewhere and sends them to the driver module.
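The rule submission path described above, as an added example that is not the patent's code: the DPDK side decodes one base64 line per rule read from the named pipe, validates it and appends it to an in-memory cache that the datapath consults for each packet. The plaintext rule syntax, the action names and the sample rule are assumptions, since the patent says only that rules are base64-encoded and output in a standardized form.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define MAX_RULES 256

/* Assumed plaintext rule (the patent fixes no syntax), base64-encoded by the
 * rule-fetching process before it is written to the pipe, one rule per line:
 *     "<ip-proto-number|0 for any> <src-ip|any> <dst-ip|any> <pass|twin|drop>"   */
enum action { ACT_PASS = 0, ACT_TWIN, ACT_DROP };
struct rule { uint8_t proto; int any_src, any_dst; uint32_t src, dst; enum action act; };

static struct rule cache[MAX_RULES];   /* in-memory rule cache read by the datapath */
static size_t n_rules;

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode base64 into a NUL-terminated buffer; -1 on a bad symbol or overflow. */
int b64_decode(const char *in, char *out, size_t cap)
{
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        int v = b64val(*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) { bits -= 8; if (n + 1 >= cap) return -1; out[n++] = (char)(acc >> bits); }
    }
    out[n] = '\0'; return (int)n;
}

static int parse_addr(const char *s, uint32_t *a, int *any)
{
    *any = strcmp(s, "any") == 0; *a = 0;
    return (*any || inet_pton(AF_INET, s, a) == 1) ? 0 : -1;
}

/* Decode one pipe line and append it; a malformed line is rejected whole (-1) so a
 * corrupt or truncated rule never reaches the datapath. */
int rule_cache_ingest(const char *b64_line)
{
    static const char *names[] = { "pass", "twin", "drop" };
    char buf[128], src[16], dst[16], act[8];
    unsigned proto;
    struct rule r;
    if (b64_decode(b64_line, buf, sizeof buf) < 0) return -1;
    if (sscanf(buf, "%u %15s %15s %7s", &proto, src, dst, act) != 4 || proto > 255) return -1;
    if (parse_addr(src, &r.src, &r.any_src) || parse_addr(dst, &r.dst, &r.any_dst)) return -1;
    for (r.act = ACT_PASS; r.act <= ACT_DROP && strcmp(act, names[r.act]); r.act++) ;
    if (r.act > ACT_DROP || n_rules >= MAX_RULES) return -1;
    r.proto = (uint8_t)proto;
    cache[n_rules++] = r;
    return 0;
}

/* First-match lookup on the datapath; addresses in network byte order. */
enum action rule_cache_match(uint8_t proto, uint32_t src_be, uint32_t dst_be)
{
    for (size_t i = 0; i < n_rules; i++) {
        const struct rule *r = &cache[i];
        if ((r->proto == 0 || r->proto == proto) && (r->any_src || r->src == src_be) &&
            (r->any_dst || r->dst == dst_be)) return r->act;
    }
    return ACT_PASS;                      /* no rule matched: forward normally */
}

/* Constructed sample line: base64 of "6 any 10.0.0.7 twin". Returns the rule count. */
int ingest_sample(void)
{
    n_rules = 0;
    return rule_cache_ingest("NiBhbnkgMTAuMC4wLjcgdHdpbg==") == 0 ? (int)n_rules : -1;
}
```

In the DPDK module the polling thread would fopen() the FIFO and hand each line to rule_cache_ingest(); because datapath lcores read the cache while that thread writes it, a real deployment needs a lock or an RCU-style swap of the rule array.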
In the invention, traffic parsing and identification are added on top of DPDK, so that common protocols can be identified and located and traffic packets forwarded quickly; traffic detection is added, checking for the distinct characteristics of common malicious traffic, and malicious traffic such as password brute-forcing, DDoS and SQL injection can currently be detected. The system can configure isolation policies for traffic effectively, flexibly and quickly, detect malicious traffic in real time, modify the isolation policy dynamically, divert traffic quickly at the gateway and isolate malicious traffic quickly.
In an alternative embodiment, the driver module is the KNI module of DPDK. KNI (Kernel NIC Interface) is a DPDK module that lets user-plane application packets reach the kernel protocol stack interface library. In the KNI module an mbuf is converted into an skb with a single memory copy; the mbuf itself is handed from user space to kernel space without any copy, and no system call or copy_to_user()/copy_from_user() operation is involved. It lets the user inspect DPDK's packets with the standard Linux networking tools, and the packets enter the normal kernel protocol stack. Using the KNI module, the packets received and sent by the network card can be inspected and modified at the gateway, which achieves the goal of detecting and diverting malicious traffic.
In an optional embodiment, the detection filtering module parses the traffic packet with DPDK's own packet parsing library to obtain the network-layer protocol; the packet is first filtered with the cached filtering rules, then malicious traffic is filtered out with the filtering rules, and the header of each malicious packet, including its IP destination address and checksum, is rewritten so that the packet is led into a preset twin network; the header of each packet sent back from the twin network is likewise rewritten, including its IP source address and checksum, so that the attacker mistakes it for a packet returned by the real network, which achieves the purpose of deceiving the attacker.
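The header rewrite of this embodiment, as an added example that is not the patent's own code: a flagged IPv4 packet has its destination swapped for the twin host with the header checksum adjusted incrementally (RFC 1624), and the twin's reply has its source restored. Plain C with no DPDK dependency; the addresses and the sample header are constructed values, and in a DPDK pipeline the header pointer would come from rte_pktmbuf_mtod().

```c
#include <stddef.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Minimal IPv4 header without options; every field stays in network byte order. */
struct ipv4_hdr {
    uint8_t version_ihl, tos;   uint16_t total_length, packet_id, fragment_offset;
    uint8_t ttl, proto;         uint16_t hdr_checksum;  uint32_t src_addr, dst_addr;
} __attribute__((packed));

/* RFC 1071 sum over the header bytes: the value to store when the checksum field
 * is zeroed, and 0 when computed over a complete, consistent header. */
uint16_t ipv4_cksum(const void *hdr, size_t len)
{
    const uint8_t *p = hdr; uint32_t sum = 0;
    while (len > 1) { sum += (uint32_t)(p[0] << 8 | p[1]); p += 2; len -= 2; }
    if (len) sum += (uint32_t)(p[0] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* RFC 1624 eq. 3: adjust a checksum for one 32-bit field changing old_val -> new_val,
 * so the gateway need not re-sum the whole header for every diverted packet. */
uint16_t cksum_update32(uint16_t old_cksum, uint32_t old_val, uint32_t new_val)
{
    uint32_t o = ntohl(old_val), n = ntohl(new_val), sum = (uint16_t)~ntohs(old_cksum);
    sum += (uint16_t)~(o >> 16) + (uint16_t)~(o & 0xffff);
    sum += (n >> 16) + (n & 0xffff);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return htons((uint16_t)~sum);
}

/* Refuse to touch anything that is not plain IPv4 with a consistent checksum. */
int hdr_ok(const struct ipv4_hdr *h)
{
    return h->version_ihl == 0x45 && ipv4_cksum(h, sizeof *h) == 0;
}

/* Forward path: steer a packet the detection filter flagged to the twin host. */
int redirect_to_twin(struct ipv4_hdr *h, uint32_t twin_addr_be)
{
    if (!hdr_ok(h)) return -1;
    h->hdr_checksum = cksum_update32(h->hdr_checksum, h->dst_addr, twin_addr_be);
    h->dst_addr = twin_addr_be;
    return 0;
}

/* Reply path: make the twin's answer carry the real host's address as its source. */
int restore_from_twin(struct ipv4_hdr *h, uint32_t real_addr_be)
{
    if (!hdr_ok(h)) return -1;
    h->hdr_checksum = cksum_update32(h->hdr_checksum, h->src_addr, real_addr_be);
    h->src_addr = real_addr_be;
    return 0;
}

/* Constructed sample: 192.168.0.1 -> 192.168.0.199, UDP, 115 bytes, DF set. */
struct ipv4_hdr make_sample_hdr(void)
{
    struct ipv4_hdr h = {0};
    h.version_ihl = 0x45; h.total_length = htons(0x73);
    h.fragment_offset = htons(0x4000); h.ttl = 0x40; h.proto = 0x11;
    h.src_addr = htonl(0xc0a80001); h.dst_addr = htonl(0xc0a800c7);
    h.hdr_checksum = htons(ipv4_cksum(&h, sizeof h));
    return h;
}

/* Whole round trip on the sample; returns 0 when every step verifies. */
int twin_roundtrip(void)
{
    const uint32_t real = htonl(0xc0a800c7), twin = htonl(0x0a0a0a05);
    struct ipv4_hdr h = make_sample_hdr();
    if (redirect_to_twin(&h, twin) || h.dst_addr != twin || !hdr_ok(&h)) return 1;
    h.src_addr = twin; h.dst_addr = htonl(0xc0a80001);            /* the twin answers */
    h.hdr_checksum = 0; h.hdr_checksum = htons(ipv4_cksum(&h, sizeof h));
    if (restore_from_twin(&h, real) || h.src_addr != real || !hdr_ok(&h)) return 2;
    h.version_ihl = 0x46; return redirect_to_twin(&h, twin) == -1 ? 0 : 3; /* options: refuse */
}
```

The IP header checksum is the only one the patent mentions; a TCP or UDP checksum also covers both addresses through the pseudo-header and needs the same incremental fix, or the twin and the sender will discard the rewritten segments.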
In an optional embodiment, the filtering rule distribution module supports two import modes, namely local import and import after traffic analysis, which makes dynamic modification of the filtering rules easy.
It is to be understood that the above-described embodiments of the present invention are merely illustrative of or explaining the principles of the invention and are not to be construed as limiting the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.

Claims (4)

1. A DPDK-based network traffic isolation system, characterized in that it comprises a network under test, a twin network, a gateway, a DPDK module, a detection filtering module, a filtering rule submission module and a filtering rule distribution module;
the filtering rule submission module is communicatively connected to the filtering rule distribution module and, through a named pipe, to the driver module; the filtering rule distribution module is connected to the driver module over the network;
the DPDK module is deployed on the gateway and inspects and modifies the packets received and sent by the network card according to the filtering rules;
the detection module is deployed in the network under test and parses, inspects and filters traffic packets;
the filtering rule submission module receives the filtering rules sent by the filtering rule distribution module and sends them to the driver module;
the filtering rule distribution module distributes filtering rules imported from elsewhere and sends them to the driver module.
2. The DPDK-based network traffic isolation system of claim 1, wherein the driver module is the KNI module of DPDK.
3. The DPDK-based network traffic isolation system of claim 1, wherein the detection filtering module parses the traffic packet with DPDK's own packet parsing library down to the network-layer protocol, filters the packet with the cached filtering rules, then filters out malicious traffic with the filtering rules and rewrites the header of each malicious packet, including its IP destination address and checksum, so that it is led into a preset twin network, and likewise rewrites the header of each packet sent back from the twin network, including its IP source address and checksum.
4. The DPDK-based network traffic isolation system of claim 1, wherein the filtering rule distribution module supports two import modes, namely local import and import after traffic analysis.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110452447.2A CN113098895A (en) 2021-04-26 2021-04-26 DPDK-based network traffic isolation system


Publications (1)

Publication Number Publication Date
CN113098895A true CN113098895A (en) 2021-07-09

Family

ID=76679887


Country Status (1)

Country Link
CN (1) CN113098895A (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150188772A1 (en) * 2013-12-27 2015-07-02 Iosif Gasparakis Hybrid sdn controller
CN106790309A (en) * 2017-03-31 2017-05-31 山东超越数控电子有限公司 A kind of filtering module for being applied to multi-protocols security gateway system and its application
CN110290098A (en) * 2018-03-19 2019-09-27 华为技术有限公司 A kind of method and device of defending against network attacks
CN110417675A (en) * 2019-07-29 2019-11-05 广州竞远安全技术股份有限公司 The network shunt method, apparatus and system of high-performance probe under a kind of SOC
US20200028791A1 (en) * 2019-09-27 2020-01-23 Intel Corporation Changing a time sensitive networking schedule implemented by a softswitch
CN110753064A (en) * 2019-10-28 2020-02-04 中国科学技术大学 Machine learning and rule matching fused security detection system
CN110808971A (en) * 2019-10-30 2020-02-18 中国科学院信息工程研究所 Deep embedding-based unknown malicious traffic active detection system and method
CN111294319A (en) * 2018-12-07 2020-06-16 网宿科技股份有限公司 Method and device for realizing OpenVPN network isolation under DPDK framework
CN111756712A (en) * 2020-06-12 2020-10-09 广州锦行网络科技有限公司 Method for forging IP address and preventing attack based on virtual network equipment
CN112381121A (en) * 2020-10-28 2021-02-19 中国科学院信息工程研究所 Unknown class network flow detection and identification method based on twin network
CN112422481A (en) * 2019-08-22 2021-02-26 华为技术有限公司 Trapping method, system and forwarding equipment for network threats
CN112491901A (en) * 2020-11-30 2021-03-12 北京锐驰信安技术有限公司 Network flow fine screening device and method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CSDN blog, 庞叶蒙: "DPDK - Kernel NIC Interface (KNI)", https://blog.csdn.net/pangyemeng/article/details/77718217 *
肖中奇: "Design and implementation of a DPDK-based traffic identification system", China Master's Theses Full-text Database, Information Science and Technology *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114124503A (en) * 2021-11-15 2022-03-01 北京邮电大学 Intelligent network sensing method for optimizing efficiency of progressive concurrent cache
CN114124503B (en) * 2021-11-15 2022-09-27 北京邮电大学 Intelligent network sensing method for optimizing efficiency of progressive concurrent cache
CN115102777A (en) * 2022-07-11 2022-09-23 上海磐御网络科技有限公司 Isolation guiding method and system for network flow
CN115412289A (en) * 2022-07-19 2022-11-29 中国人民解放军军事科学院系统工程研究院 Network isolation safety system, method and medium based on edge cloud intelligent twin
CN115412289B (en) * 2022-07-19 2023-04-07 中国人民解放军军事科学院系统工程研究院 Network isolation safety system, method and medium based on edge cloud intelligent twin
WO2024058735A1 (en) * 2022-09-15 2024-03-21 Bts Kurumsal Bi̇li̇şi̇m Teknoloji̇leri̇ Anoni̇m Şi̇rketi̇ Digital twin-enabled ddos attack detection system and method for autonomous core networks


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210709