CN114189368B - Multi-inference engine compatible real-time flow detection system and method - Google Patents
- Publication number: CN114189368B (application CN202111441567.9A)
- Authority: CN (China)
- Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N5/00—Computing arrangements using knowledge-based models
- G06N5/04—Inference or reasoning models
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/16—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using machine learning or artificial intelligence
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention discloses a real-time traffic detection system and method compatible with multiple inference engines, in the technical field of communication and information security. The system comprises: a receiving module for receiving packets from the network card; a distribution module that uses the five-tuple of each packet as a hash key and classifies packets into flows with an asymmetric hash algorithm or into sessions with a symmetric hash algorithm; a submission module that converts each flow or session into tensor-format data and submits it; a detection module that feeds the tensor-format data into a trained offline model for traffic detection through the compatible API (application programming interface) provided by an inference engine adapter, so as to obtain a calculation result; and an output module that parses the calculation result and writes a detection log. By introducing high-performance packet processing techniques, horizontal scaling and similar measures, the invention improves the packet receive/transmit performance and the throughput of the system; at the same time, the inference engine adapter makes the system compatible with several different inference engines.
Description
Technical Field
The invention belongs to the technical field of communication and information security, and particularly relates to a real-time traffic detection system and method compatible with multiple inference engines.
Background
In recent years, detecting network traffic with machine learning methods has become a research focus. The strong feature-expression capability of deep learning plays an important role as malicious traffic features become increasingly hard to extract: an end-to-end model omits the step of manually designing features, which speeds up detection coverage of novel attack techniques or commands. Most studies, however, emphasize detection accuracy, so they typically adopt complex models and data preprocessing methods, resulting in low computational efficiency. Yet to minimize damage, an intrusion detection system needs to detect attacks in real time.
Currently, the widely deployed network-traffic-based intrusion detection systems are Snort, Suricata and Zeek. Snort and Suricata are rule-based and detect by matching against a rule database; Zeek supports both rules and functional extension through custom scripts. None of these intrusion detection systems currently provides machine learning support in its rule database or scripts. Some research has built real-time machine-learning-based intrusion detection systems, which achieve good results on low-load networks. However, network card performance keeps growing along with the demand for traffic processing, and the packet receive/transmit rate of an ordinary commercial network card now exceeds 10 Gbit/s; these systems did not consider the high-traffic scenario in their design, their processing performance is low, and they cannot adapt to the current network environment.
A machine-learning-oriented traffic detection system is similar to an ordinary traffic detection system, but differs in that its detection program is more complex and requires a machine learning model. The amount of computation required by the machine learning model is larger than that of traditional detection methods, so computational efficiency is low and real-time processing of traffic is difficult to achieve. If traffic cannot be processed in real time, malicious attacks cannot be responded to in time, and information security suffers.
The performance of existing systems that use machine learning for real-time traffic detection is generally low, and especially so for systems that detect with a deep learning model. In addition, the existence of several mutually incompatible inference engines increases the difficulty of deploying models in practice and reduces the universality of a traffic detection system.
Disclosure of Invention
In view of the above defects or improvement needs of the prior art, the invention provides a real-time traffic detection system and method compatible with multiple inference engines. It aims to improve the packet receive/transmit performance and throughput of the system by introducing high-performance packet processing techniques, horizontal scaling and similar measures, and at the same time to make the system compatible with several different inference engines through an inference engine adapter, thereby solving the technical problems of low real-time traffic detection rate and poor compatibility.
To achieve the above object, according to one aspect of the present invention, there is provided a multi-inference engine compatible real-time traffic detection system, comprising:
a receiving module for receiving packets from a network card, where the network card supports DPDK together with the poll mode driver, receive-side scaling (RSS) and lock-free queues provided by DPDK;
a distribution module, connected to the receiving module, which uses the five-tuple of each packet as a hash key and classifies packets into flows with an asymmetric hash algorithm or into sessions with a symmetric hash algorithm;
a submission module, connected to the distribution module, which converts the flows or sessions produced by the distribution module into tensor-format data and submits them;
a detection module, connected to the submission module and loaded with a trained offline model, which feeds the tensor-format data into the trained offline model for traffic detection through the compatible API (application programming interface) provided by an inference engine adapter, so as to obtain a calculation result;
and an output module, connected to the detection module, which parses the calculation result and writes a detection log.
In one embodiment, the receiving module, the distribution module, the submission module, the detection module and the output module each comprise one or more threads, and the threads communicate with each other through lock-free queues.
In one embodiment, the receiving module comprises a plurality of threads, each thread corresponds to one network card queue, and the network card queue stores the packets received by the network card;
the distribution module comprises a plurality of threads, each thread corresponds to one distribution queue, and the distribution queue stores the packets dispatched to the distribution module by the receiving module;
the submission module comprises a plurality of threads and corresponds to one submission queue, which stores the flows or sessions processed by the distribution module;
the detection module comprises a plurality of threads and corresponds to one detection queue, which stores the tensor-format data;
the output module comprises a plurality of threads but only one output queue, which stores the calculation results.
In one embodiment, the real-time traffic detection system compatible with multiple inference engines further comprises:
a relay module arranged on the communication link between the receiving module and the distribution module, the communication link between the distribution module and the submission module, and the communication link between the submission module and the detection module. When the receiving module, the distribution module or the submission module sends packets to the next-stage processing node and the corresponding queue is full, the packets are placed into a relay queue, and the relay module sends them from the relay queue to the corresponding processing node, so as to avoid packet loss.
In one embodiment, the throughput of the relay module is the same as the throughput of the receiving module.
In one embodiment, the inference engine adapter is configured to enumerate the APIs that each trained offline model must use during detection, abstract the common features of those APIs into an interface, and design a compatibility layer that shields the differences, thereby achieving compatibility with multiple inference engines.
According to another aspect of the present invention, there is provided a real-time traffic detection method compatible with multiple inference engines, applied to the real-time traffic detection system described above, comprising:
S1: receiving packets from a network card, where the network card supports DPDK together with the poll mode driver, receive-side scaling (RSS) and lock-free queues provided by DPDK;
S2: using the five-tuple of each packet as a hash key, classifying packets into flows with an asymmetric hash algorithm or into sessions with a symmetric hash algorithm;
S3: converting the flows or sessions produced by the distribution module into tensor-format data;
S4: feeding the tensor-format data into the trained offline model for traffic detection through the compatible API (application programming interface) provided by the inference engine adapter, so as to obtain a calculation result;
S5: parsing the calculation result and writing a detection log.
According to another aspect of the invention, an electronic device is provided, comprising a memory storing a computer program and a processor that implements the steps of the method described above when executing the program.
In general, compared with the prior art, the above technical solution contemplated by the present invention can achieve the following beneficial effects:
the invention provides a real-time traffic detection system compatible with multiple inference engines. Introducing high-performance packet processing techniques improves the packet receive/transmit performance of the system and adapts it to high-speed traffic; GPU acceleration improves the execution efficiency of the machine learning model and thereby the throughput of the system; horizontal scaling and similar measures raise the throughput further, so that the system can adapt to a 10 Gbit/s high-speed network environment; in addition, feeding the tensor-format data into the trained offline model through the compatible API (application programming interface) provided by the inference engine adapter yields the calculation result and makes the system compatible with several different inference engines.
Drawings
FIG. 1 is a schematic diagram of a multi-inference engine compatible real-time traffic detection system provided in an embodiment of the present invention;
FIG. 2 is an architecture diagram of a multi-inference engine compatible real-time traffic detection system provided in an embodiment of the present invention;
FIG. 3 is a pipeline diagram of a multi-inference engine compatible real-time traffic detection system provided in an embodiment of the invention;
FIG. 4 is a flowchart of a multi-inference engine compatible real-time traffic detection method provided in an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention. In addition, the technical features involved in the respective embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
As shown in FIG. 1, the present invention provides a real-time traffic detection system compatible with multiple inference engines, comprising:
a receiving module for receiving packets from a network card, where the network card supports DPDK together with the poll mode driver, receive-side scaling (RSS) and lock-free queues provided by DPDK;
a distribution module, connected to the receiving module, which uses the five-tuple of each packet as a hash key and classifies packets into flows with an asymmetric hash algorithm or into sessions with a symmetric hash algorithm;
a submission module, connected to the distribution module, which converts the flows or sessions produced by the distribution module into tensor-format data and submits them;
a detection module, connected to the submission module and loaded with the trained offline model, which feeds the tensor-format data into the trained offline model for traffic detection through the compatible API (application programming interface) provided by the inference engine adapter, so as to obtain a calculation result;
and an output module, connected to the detection module, which parses the calculation result and writes the detection log.
Specifically, the invention aims to realize a real-time traffic detection system compatible with multiple inference engines. Functionally it is divided into two main parts, a data plane and a service plane; architecturally it is divided into three main layers, a hardware layer, a runtime layer and an application layer.
As shown in fig. 2, the specific implementation details of each layer are as follows:
1. Data plane
The application layer of the data plane comprises modules for packet receiving, packet distribution, traffic submission and packet relaying; the runtime library layer is the DPDK runtime, comprising core libraries such as EAL, UIO, ring, mempool, mbuf and ethdev as well as the high-performance hash table provided by DPDK; the hardware layer is a network card that supports DPDK.
(1) Receiving module
The receiving module receives packets from the network card and is responsible for the real-time requirement of the traffic detection system. The module relies on several of the DPDK runtime libraries listed above: UIO and ethdev let the module run in user mode with zero interrupts; the EAL lets the module run multiple DPDK threads, each of which can be pinned to a CPU core; mempool lets the module avoid frequently requesting and releasing memory from the operating system. These factors enable the module to meet the real-time requirement of the traffic detection system.
Packets are received with a high-performance packet processing method and dispatched to several processing queues for further processing through receive-side scaling. This component relies on the poll mode driver, receive-side scaling and lock-free queue functionality provided by the DPDK runtime.
The network card driver provided by DPDK works in polling mode and runs in user mode, which avoids the overhead of interrupts and system calls and improves packet-receiving performance. Receive-side scaling computes a hash value for each packet; packets are dispatched to several queues for further processing according to that hash value, and the number of processing queues can be adjusted as needed to achieve multithreaded horizontal scaling. If a symmetric hash key is configured, all packets of the same session are guaranteed to have the same hash value and are therefore dispatched to the same processing queue, which prevents the packets of one session from being spread over different processing queues and avoids failed or duplicated distribution. The lock-free queue provided by DPDK is used to dispatch packets efficiently to the processing queues for further processing. A lock-free queue can enqueue and dequeue without locking, which avoids the performance loss of locking and the thread sleeps it causes. In addition, the DPDK lock-free queue supports batch enqueue and dequeue, which reduces the number of atomic operations and the overhead of cache synchronization between cores.
(2) Distribution module
The function of the distribution module is to divide received packets efficiently into flows or sessions, addressing the performance problem of traffic preprocessing. The module relies on the high-performance hash table and hash algorithms provided by DPDK. With the five-tuple of each packet as the hash key, packets can be classified into flows with an asymmetric hash algorithm or into sessions with a symmetric hash algorithm. However, the symmetric hash algorithm provided by DPDK performs much worse than the asymmetric one, so when distributing by session the performance drops sharply.
A neat way to obtain a more efficient symmetric hash algorithm is as follows. The IP addresses in the five-tuple (source IP address, source port, destination IP address, destination port and transport-layer protocol) are normally stored in the computer as 32-bit unsigned integers and the port numbers as 16-bit unsigned integers; both types can be compared as larger or smaller and can therefore be sorted. If the two IP addresses of the five-tuple are sorted in ascending order, they have a unique size relationship whether the five-tuple belongs to the upstream or the downstream direction, and both directions yield the same sorted pair of IP addresses. Packets are classified and aggregated into flows using the high-performance hash table: with the five-tuple as the hash key, an ordinary (asymmetric) hash algorithm classifies packets into flows and a symmetric hash algorithm classifies them into sessions. The component relies on the high-performance hash table provided by the DPDK runtime, on lock-free queues, and on the open-source high-performance hash algorithm library xxHash, which uses the Intel AVX512 instruction set. The hash table is the basis of the distribution algorithm; the xxHash library further improves the performance of the hash table; lock-free queues are used to dequeue in batches from the distribution queue and enqueue in batches into the submission queue; and a lock-free queue also serves as a simple object pool, eliminating dynamic memory allocation and improving the performance of the distribution module.
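The endpoint-sorting trick above, written out in C as an added illustration that is not the patent's code. FNV-1a stands in for the DPDK/xxHash hash (an assumption; any hash over the serialized key behaves the same), and two details the description leaves implicit are made explicit: each port has to be swapped together with its own IP address, and equal addresses (loopback traffic) are ordered by port so the key stays unique.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Five-tuple as the distribution module stores it: IPv4 addresses as 32-bit
 * and ports as 16-bit unsigned integers, plus the transport-layer protocol. */
struct five_tuple {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
};

/* Build a host-order IPv4 address from its dotted-quad bytes. */
static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* 32-bit FNV-1a over a byte string (stand-in for the DPDK/xxHash hash). */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Serialize the tuple field by field (no struct padding) and hash it. */
static uint32_t hash_tuple(const struct five_tuple *t) {
    uint8_t buf[13];
    memcpy(buf,      &t->src_ip,   4);
    memcpy(buf + 4,  &t->dst_ip,   4);
    memcpy(buf + 8,  &t->src_port, 2);
    memcpy(buf + 10, &t->dst_port, 2);
    buf[12] = t->proto;
    return fnv1a(buf, sizeof buf);
}

/* Asymmetric key: the tuple is hashed as-is, so the two directions of one
 * connection land in different flows. */
uint32_t flow_hash(const struct five_tuple *t) { return hash_tuple(t); }

/* Canonical session key: order the two endpoints so the lower IP address
 * comes first. Each port travels with its own address, and equal addresses
 * are ordered by port so that the key is still unique. */
struct five_tuple session_key(const struct five_tuple *t) {
    struct five_tuple k = *t;
    int swap = t->src_ip > t->dst_ip ||
               (t->src_ip == t->dst_ip && t->src_port > t->dst_port);
    if (swap) {
        k.src_ip = t->dst_ip;     k.dst_ip = t->src_ip;
        k.src_port = t->dst_port; k.dst_port = t->src_port;
    }
    return k;
}

/* Symmetric key: hash the canonical tuple, so both directions collide on
 * purpose and are dispatched to the same distribution queue. */
uint32_t session_hash(const struct five_tuple *t) {
    struct five_tuple k = session_key(t);
    return hash_tuple(&k);
}

/* 1 if two packets belong to the same session, 0 otherwise. */
int same_session(const struct five_tuple *a, const struct five_tuple *b) {
    struct five_tuple ka = session_key(a), kb = session_key(b);
    return ka.src_ip == kb.src_ip && ka.dst_ip == kb.dst_ip &&
           ka.src_port == kb.src_port && ka.dst_port == kb.dst_port &&
           ka.proto == kb.proto;
}

int main(void) {
    /* Constructed sample: a client request and the server's reply (TCP = 6). */
    struct five_tuple up   = { ip4(10, 0, 0, 5), ip4(198, 51, 100, 7), 51234, 443, 6 };
    struct five_tuple down = { ip4(198, 51, 100, 7), ip4(10, 0, 0, 5), 443, 51234, 6 };
    printf("flow    up=%08x down=%08x\n", flow_hash(&up), flow_hash(&down));
    printf("session up=%08x down=%08x same=%d\n",
           session_hash(&up), session_hash(&down), same_session(&up, &down));
    return 0;
}
```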
(3) Submission module
The submission module submits the flows or sessions produced by the distribution module to the detection module for further processing. It calls the data input API provided by the detection module to submit the traffic, which inevitably involves a large amount of data copying, so it becomes a performance hotspot. Without the buffer of the submission module, data would be submitted directly from the distribution module, which would give the distribution module an uncontrollable delay, cause its processing capacity to jitter, and lead to packet loss. The purpose of this module is therefore to keep the jitter produced while delivering data to the detection module from affecting the other modules.
(4) Relay module
The relay module sends the packets in the relay queue to other processing nodes and is responsible for building a system cluster to solve the throughput problem of the model. Like the receiving module, it relies on a number of runtime libraries provided by DPDK, of which the mbuf library is used to modify packets. If the current computing node cannot complete detection of all the traffic, part of the traffic has to be forwarded to other nodes for further processing. If one node is to be added, the module connects to the other computing node through a network card and forwards the packets that need relaying directly to it. If several nodes are to be added, the module connects to a switch through a network card, rewrites the destination MAC address of each packet, and distributes the packets to the several nodes through the packet switching function of the switch.
2. Service plane
The application layer of the service plane comprises modules for traffic input, model detection and result output; the runtime library layer consists of the inference engine adapter proposed herein and the inference engine's own runtime library; the underlying hardware relied on is the GPU.
(1) Traffic input module
The traffic input module is called by the submission module. Its function is to take in a flow or session and convert it into tensor format, and it is responsible for solving the blocking problem of the inference engine. Relying on a lock-free queue, the module provides a non-blocking external call interface for the detection module, so that a blocked DPDK thread cannot cause packet loss by leaving the packets in the network card queue unconsumed. The parameter of the interface is a complete flow or session, and the required part of every packet in that flow or session has to be copied into a buffer to construct the tensor. The execution of the module therefore involves a large amount of memory copying, which is one of the important causes of system performance jitter.
(2) Detection module
The function of the detection module is to load the trained offline model, take tensors out of the detection queue, run the computation and obtain the detection result. The module relies on the inference engine adapter, which is needed to load a model in a specific format, perform the computation and read back its result. The module uses several threads to compute in parallel, so that the computing power of the GPU is fully utilized and the throughput of the model is improved.
(3) Inference engine adapter
The inference engine adapter belongs to the service plane and solves the compatibility problem of inference engines. If models of different formats are converted into an intermediate format such as ONNX for execution, problems of incomplete compatibility arise, and they arise very frequently: the various machine learning frameworks support custom operators for implementing model algorithms, and such custom operators have no corresponding implementation in ONNX Runtime, so getting ONNX Runtime to support them requires implementing the operators against the API that ONNX Runtime provides. That means the source code of the system has to be modified for the detection module to support the model, and if the source code has to be modified every time the model changes, the system is hard to use and has no extensibility. To avoid modifying source code whenever a model is replaced, the APIs needed during model detection are enumerated, their common features are abstracted into an interface, a compatibility layer is designed on top to shield the differences, and compatibility with different inference engines is finally achieved.
(4) Output module
The function of the output module is to parse the model's detection result and write a detection log. The module has to read the system time, concatenate strings and write files. Since a file is a slow I/O device, the overhead of writing it is not negligible. If this work were done in the detection module, its threads would fall into more unnecessary blocking, the computing power of the GPU could not be fully utilized, and system throughput would drop. The module therefore uses a separate thread for result output, so that this overhead does not affect the detection module and throughput is not reduced.
In one embodiment, the receiving module, the distribution module, the submission module, the detection module and the output module each comprise one or more threads, and the threads communicate with each other through lock-free queues.
In one embodiment, the receiving module comprises a plurality of threads, each thread corresponds to one network card queue, and the network card queue stores the packets received by the network card;
the distribution module comprises a plurality of threads, each thread corresponds to one distribution queue, and the distribution queue stores the packets dispatched to the distribution module by the receiving module;
the submission module comprises a plurality of threads and corresponds to one submission queue, which stores the flows or sessions processed by the distribution module;
the detection module comprises a plurality of threads and corresponds to one detection queue, which stores the tensor-format data;
the output module comprises a plurality of threads but only one output queue, which stores the calculation results.
As shown in FIG. 3, each type of module in the overall system pipeline contains one or more threads, and the threads communicate with each other using lock-free queues, wherein the functions of the various queues are as follows.
(1) Network card queue
Packets received by the network card are stored in the network card queue. The receiving module dispatches the packets received from the network card queue by means of a hash algorithm: an asymmetric hash algorithm may be used for flow-based distribution, whereas a symmetric hash algorithm has to be used for session-based distribution. The receiving module comprises several threads, each assigned one network card queue, so the number of network card queues equals the number of receiving threads.
(2) Distribution queue
Packets dispatched by the receiving module to the distribution module are stored in the distribution queue. The distribution module divides and aggregates the packets it receives from the distribution queue into flows or sessions, then hands the flows or sessions to the submission module for processing. The distribution module also comprises several threads, each corresponding to one distribution queue, so the number of distribution queues equals the number of distribution threads. A packet is added to the distribution queue of whichever distribution thread is to process it.
(3) Submission queue
The submission queue stores the flows or sessions produced by the shunting module. The submitting module takes a flow or session from the submission queue and submits it to the business plane through the API of the input module. The submitting module contains multiple threads but only one submission queue.
(4) Detection queue
The tensors obtained when the input module converts an incoming flow or session are stored in the detection queue. The detection module takes tensors from the detection queue, runs the model on them, and passes the calculation results to the output module. The detection module contains multiple threads but only one detection queue.
(5) Output queue
The output queue stores the results calculated by the detection module. The output module takes a result from the output queue, parses it and writes it to a file in a fixed format. The output module contains multiple threads but only one output queue.
(6) Relay queue
Packets that are to be sent to other computing nodes are stored in the relay queue. When the receiving module, the shunting module or the submitting module hands a packet to the next stage of the pipeline, it may find that the next stage's queue is full; in that case the packet is handed to the relay module, which forwards it to another computing node rather than dropping it. A module relays a packet by placing it into the relay queue. The relay module is designed to have throughput comparable to that of the receiving module, so that even when every other queue is full it can consume all packets received by all receiving threads and no packet is lost.
In one embodiment, the real-time traffic detection system compatible with multiple inference engines further comprises:
the relay module is arranged on the communication link between the receiving module and the shunting module, on the link between the shunting module and the submitting module, and on the link between the submitting module and the detection module; when the receiving module, the shunting module or the submitting module sends a data packet to the next-stage processing node and the corresponding queue is full, the relay module places the packet into the relay queue and sends it through the relay queue to the corresponding processing node, so as to avoid packet loss.
In one embodiment, the throughput of the relay module is the same as the throughput of the receiving module.
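The hand-off rule described for the relay queue, as an added example that is not the patent's code: each stage owns a bounded queue standing in for a DPDK ring, a producer that finds the next stage's queue full diverts the packet to the relay queue, and a relay worker drains that queue towards another computing node. The per-tick rates and queue capacities are constructed; they are chosen so one run shows the no-loss case when relay throughput matches the receive rate, and a second run shows the caveat that the relay queue is itself bounded, so drops resume if the relay worker is slower than the overflow.

```python
"""Hand-off between pipeline stages with the relay queue as overflow path.

Added example; it is not the patent's code. Each stage owns a bounded queue
standing in for a DPDK ring. A producer that finds the next stage's queue
full redirects the packet to the relay queue instead of dropping it, and the
relay worker forwards relayed packets to another computing node. All rates
and capacities below are constructed so the simulation runs offline.
"""
from collections import deque
from dataclasses import dataclass


class BoundedQueue:
    """Ring stand-in: push fails (returns False) when the queue is full."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.items = deque()

    def try_push(self, item) -> bool:
        if len(self.items) >= self.capacity:
            return False
        self.items.append(item)
        return True

    def pop(self):
        return self.items.popleft() if self.items else None

    def __len__(self) -> int:
        return len(self.items)


@dataclass
class Stats:
    queued: int = 0    # accepted by the next stage
    relayed: int = 0   # diverted to another node through the relay queue
    dropped: int = 0   # the relay queue was full as well


def hand_off(pkt, next_queue: BoundedQueue, relay_queue: BoundedQueue,
             stats: Stats) -> str:
    """What a receiving, shunting or submitting thread does with one packet."""
    if next_queue.try_push(pkt):
        stats.queued += 1
        return "queued"
    if relay_queue.try_push(pkt):
        stats.relayed += 1
        return "relayed"
    stats.dropped += 1
    return "dropped"


def simulate(ticks: int, rx_rate: int, next_rate: int, next_cap: int,
             relay_rate: int, relay_cap: int) -> Stats:
    """Per tick: the producer hands off rx_rate packets, the next stage
    drains next_rate of them, and the relay worker forwards relay_rate."""
    next_q = BoundedQueue(next_cap)
    relay_q = BoundedQueue(relay_cap)
    stats = Stats()
    for tick in range(ticks):
        for n in range(rx_rate):
            hand_off((tick, n), next_q, relay_q, stats)
        for _ in range(next_rate):
            next_q.pop()
        for _ in range(relay_rate):
            relay_q.pop()
    return stats


if __name__ == "__main__":
    # Next stage drains 6 of every 10 received packets; capacity 16.
    print("relay matches rx rate :", simulate(100, 10, 6, 16, relay_rate=10, relay_cap=64))
    print("no relay path         :", simulate(100, 10, 6, 16, relay_rate=0, relay_cap=0))
    print("relay slower than gap :", simulate(100, 10, 6, 16, relay_rate=2, relay_cap=64))
```

The third run is the case to monitor in production: the patent sizes the relay module's throughput to match the receiving module, and as long as that holds `dropped` stays at zero, but a relay worker that falls behind turns the relay queue into one more place where packets are lost, so its occupancy and drop counter should be exported alongside the NIC's own drop statistics.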
In one embodiment, the inference engine adapter enumerates the APIs that each trained offline model must call during detection, abstracts the features common to those APIs into interfaces, and provides a compatibility layer that hides the engine-specific differences, so that multiple inference engines are supported behind one API.
As shown in FIG. 4, the present invention further provides a real-time traffic detection method compatible with multiple inference engines, applied to the real-time traffic detection system described above. The method comprises:
s1: receiving data packets from a network card, the network card supporting DPDK together with the poll-mode driver, receive-side scaling (RSS) and lock-free queues that DPDK provides;
s2: using the five-tuple of each data packet as the hash key, classifying the packets by flow with an asymmetric hash algorithm or by session with a symmetric hash algorithm;
s3: converting each flow or session produced by the shunting module into data in tensor format;
s4: feeding the tensor-format data into the trained offline model for traffic detection through the compatible API that the inference engine adapter provides for the corresponding inference engine, so as to obtain a calculation result;
s5: parsing the calculation result and outputting a detection log.
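Steps s3 to s5, together with the adapter of the preceding embodiment, worked end to end as an added example that is not the patent's implementation. Packets are aggregated into sessions on a direction-independent five-tuple, each session becomes a fixed-shape tensor (s3), the tensor is scored through an adapter interface that hides two backends with different native calling conventions (s4), and the verdict is written as a JSON log line (s5). The feature layout, the two toy backends, the logistic-regression weights and the sample packets are all constructed for the example.

```python
"""Steps s3 to s5 worked end to end on constructed packets.

Added example; not the patent's implementation. The feature layout, the two
toy backends, the model weights and the traffic are all constructed.
"""
import json
import math
from dataclasses import dataclass
from typing import Protocol

WINDOW = 8     # packets per session tensor; shorter sessions are zero-padded
MTU = 1500.0


@dataclass(frozen=True)
class Packet:
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    proto: int
    length: int


def session_key(p: Packet) -> tuple:
    """Direction-independent key: both directions of a connection map to it."""
    a, b = (p.src_ip, p.sport), (p.dst_ip, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def aggregate_sessions(packets) -> dict:
    sessions = {}
    for p in packets:
        sessions.setdefault(session_key(p), []).append(p)
    return sessions


def session_to_tensor(packets) -> list:
    """s3: [WINDOW x 2] tensor of (direction, length/MTU) per packet; direction
    is +1 from the initiator (source of the first packet) and -1 back."""
    initiator = (packets[0].src_ip, packets[0].sport)
    rows = [[1.0 if (p.src_ip, p.sport) == initiator else -1.0, p.length / MTU]
            for p in packets[:WINDOW]]
    rows += [[0.0, 0.0]] * (WINDOW - len(rows))
    return rows


# Constructed logistic-regression weights over the flattened tensor: many
# initiator-to-server packets push the score up, large payloads push it down.
WEIGHTS = [1.0, -2.0] * WINDOW
BIAS = -1.0


class EngineA:
    """Toy backend 1: batch API over flat rows, returns probabilities."""
    def __init__(self, weights, bias):
        self.w, self.b = weights, bias

    def predict_batch(self, rows) -> list:
        return [1.0 / (1.0 + math.exp(-(sum(w * x for w, x in zip(self.w, row)) + self.b)))
                for row in rows]


class EngineB:
    """Toy backend 2: named-feed API over [batch, WINDOW, 2], returns logits."""
    def __init__(self, weights, bias):
        self.w, self.b = weights, bias

    def run(self, feeds) -> dict:
        logits = []
        for sample in feeds["input"]:
            flat = [v for row in sample for v in row]
            logits.append(sum(w * x for w, x in zip(self.w, flat)) + self.b)
        return {"logit": logits}


class InferenceAdapter(Protocol):
    """The compatible API the detection module is written against."""
    def infer(self, tensor) -> float: ...


class EngineAAdapter:
    def __init__(self, engine: EngineA):
        self.engine = engine

    def infer(self, tensor) -> float:       # flatten, batch of one, probability
        return self.engine.predict_batch([[v for row in tensor for v in row]])[0]


class EngineBAdapter:
    def __init__(self, engine: EngineB):
        self.engine = engine

    def infer(self, tensor) -> float:       # named feed, logit -> probability
        logit = self.engine.run({"input": [tensor]})["logit"][0]
        return 1.0 / (1.0 + math.exp(-logit))


def detect_sessions(adapter, packets, threshold: float = 0.5) -> list:
    """s3+s4+s5: one log record per session, in order of first packet seen."""
    records = []
    for key, pkts in aggregate_sessions(packets).items():
        score = adapter.infer(session_to_tensor(pkts))
        records.append({"session": f"{key[1]}:{key[2]}<->{key[3]}:{key[4]}/proto{key[0]}",
                        "packets": len(pkts), "score": round(score, 6),
                        "verdict": "alert" if score >= threshold else "normal"})
    return records


def format_log(record) -> str:
    return json.dumps(record, sort_keys=True)


# Constructed traffic: a beacon-like run of small one-way packets, then a
# balanced bulk transfer.
SAMPLE_PACKETS = (
    [Packet("10.0.0.5", 49152, "203.0.113.9", 443, 6, 60) for _ in range(8)]
    + [Packet("10.0.0.7", 40000, "198.51.100.20", 443, 6, 1400),
       Packet("198.51.100.20", 443, "10.0.0.7", 40000, 6, 1400)] * 4
)

if __name__ == "__main__":
    for adapter in (EngineAAdapter(EngineA(WEIGHTS, BIAS)),
                    EngineBAdapter(EngineB(WEIGHTS, BIAS))):
        for rec in detect_sessions(adapter, SAMPLE_PACKETS):
            print(format_log(rec))
```

The detection module only ever calls `infer(tensor)`; swapping `EngineAAdapter` for `EngineBAdapter` changes nothing downstream even though one backend wants flat rows and returns probabilities while the other wants named feeds and returns logits. That is the whole job of the compatibility layer, and it is also where a real deployment should pin the model's expected input shape and dtype, since a silent shape mismatch at this boundary is a common way for a detector to degrade without an error.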
According to another aspect of the present invention, there is provided an electronic device comprising a memory and a processor, the memory storing a computer program, the processor implementing the steps of the method described above when executing the computer program.
It will be understood by those skilled in the art that the foregoing is only an exemplary embodiment of the present invention, and is not intended to limit the invention to the particular forms disclosed, since various modifications, substitutions and improvements within the spirit and scope of the invention are possible and within the scope of the appended claims.
Claims (8)
1. A multi-inference engine compatible real-time traffic detection system, comprising:
a receiving module configured to receive data packets from a network card, the network card supporting DPDK together with the poll-mode driver, receive-side scaling (RSS) and lock-free queues that DPDK provides; the receive-side scaling function computes a hash value for each data packet, the data packets are distributed by their hash values to a plurality of lock-free queues for further processing, and the number of lock-free queues can be adjusted as required to achieve multithreaded horizontal scaling;
a shunting (flow distribution) module connected to the receiving module and configured to use the five-tuple of each data packet as the hash key and to classify the data packets by flow with an asymmetric hash algorithm or by session with a symmetric hash algorithm;
a submitting module connected to the shunting module and configured to convert the flows or sessions produced by the shunting module into data in tensor format and to submit that data;
a detection module connected to the submitting module, loaded with a trained offline model, and configured to feed the tensor-format data into the trained offline model for traffic detection through the compatible API that an inference engine adapter provides for the corresponding inference engine, so as to obtain a calculation result;
and an output module connected to the detection module and configured to parse the calculation result and output a detection log.
2. The multi-inference engine compatible real-time traffic detection system of claim 1, wherein the receiving module, the shunting module, the submitting module, the detection module and the output module each comprise one or more threads, and the threads communicate with one another through lock-free queues.
3. The multi-inference engine compatible real-time traffic detection system of claim 2, wherein the receiving module comprises a plurality of threads, each thread corresponding to one network card queue, the network card queue storing data packets received by the network card;
the shunting module comprises a plurality of threads, each thread corresponding to one shunting queue, the shunting queue storing the data packets that the receiving module distributes to the shunting module;
the submitting module comprises a plurality of threads that share a single submission queue, the submission queue storing the flows or sessions produced by the shunting module;
the detection module comprises a plurality of threads that share a single detection queue, the detection queue storing the data in tensor format;
the output module comprises a plurality of threads but only one output queue, the output queue storing the calculation results.
4. The multi-inference engine compatible real-time traffic detection system of claim 1, further comprising:
a relay module arranged on the communication link between the receiving module and the shunting module, on the communication link between the shunting module and the submitting module, and on the communication link between the submitting module and the detection module; the relay module being configured, when the receiving module, the shunting module or the submitting module sends a data packet to the next-stage processing node and the corresponding queue is full, to place the data packet into a relay queue and to send it through the relay queue to the corresponding processing node, so as to avoid packet loss.
5. The multi-inference engine compatible real-time traffic detection system of claim 4, wherein the throughput of the relay module is the same as the throughput of the receiving module.
6. The multi-inference engine compatible real-time traffic detection system of any one of claims 1 to 5, wherein the inference engine adapter is configured to enumerate the APIs that each trained offline model must call during detection, to abstract the features common to those APIs into interfaces, and to provide a compatibility layer that hides the engine-specific differences, thereby achieving compatibility with multiple inference engines.
7. A multi-inference engine compatible real-time traffic detection method, applied to the multi-inference engine compatible real-time traffic detection system of any one of claims 1 to 6, the method comprising:
s1: receiving data packets from a network card, the network card supporting DPDK together with the poll-mode driver, receive-side scaling (RSS) and lock-free queues that DPDK provides; the receive-side scaling function computes a hash value for each data packet, the data packets are distributed by their hash values to a plurality of lock-free queues for further processing, and the number of lock-free queues can be adjusted as required to achieve multithreaded horizontal scaling;
s2: using the five-tuple of each data packet as the hash key, classifying the data packets by flow with an asymmetric hash algorithm or by session with a symmetric hash algorithm;
s3: converting each flow or session produced by the shunting module into data in tensor format;
s4: feeding the tensor-format data into the trained offline model for traffic detection through the compatible API that the inference engine adapter provides for the corresponding inference engine, so as to obtain a calculation result;
s5: parsing the calculation result and outputting a detection log.
8. An electronic device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of claim 7 when executing the computer program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111441567.9A CN114189368B (en) | 2021-11-30 | 2021-11-30 | Multi-inference engine compatible real-time flow detection system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114189368A CN114189368A (en) | 2022-03-15 |
CN114189368B true CN114189368B (en) | 2023-02-14 |
Family
ID=80603054
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111441567.9A Active CN114189368B (en) | 2021-11-30 | 2021-11-30 | Multi-inference engine compatible real-time flow detection system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114189368B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117081865B (en) * | 2023-10-17 | 2023-12-29 | 北京启天安信科技有限公司 | Network security defense system based on malicious domain name detection method |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2010111748A1 (en) * | 2009-04-01 | 2010-10-07 | Curtin University Of Technology | Systems and methods for detecting anomalies from data |
CN102122374A (en) * | 2011-03-03 | 2011-07-13 | 江苏方天电力技术有限公司 | Intelligent analysis system for flow abnormity of power automation system |
CN107181738A (en) * | 2017-04-25 | 2017-09-19 | 中国科学院信息工程研究所 | A kind of software implementation intruding detection system and method |
CN110995678A (en) * | 2019-11-22 | 2020-04-10 | 北京航空航天大学 | Industrial control network-oriented efficient intrusion detection system |
CN113259332A (en) * | 2021-04-29 | 2021-08-13 | 上海电力大学 | Multi-type network flow abnormity detection method and system based on end-to-end |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110753064B (en) * | 2019-10-28 | 2021-05-07 | 中国科学技术大学 | Machine learning and rule matching fused security detection system |
US20200374310A1 (en) * | 2020-08-11 | 2020-11-26 | Intel Corporation | Protection from network initiated attacks |
CN113472809B (en) * | 2021-07-19 | 2022-06-07 | 华中科技大学 | Encrypted malicious traffic detection method and system and computer equipment |
Non-Patent Citations (2)
Title |
---|
Design and Implementation of a DPDK-Based Traffic Identification System (基于DPDK的流量识别系统的设计与实现); Xiao Zhongqi; China Master's Theses Full-text Database (electronic journal); 2020-03-15; full text * |
Research on Network Traffic Anomaly Detection Based on Unsupervised Learning (基于无监督学习的网络流量异常检测研究); Tang Can; China Master's Theses Full-text Database (electronic journal); 2021-08-15; full text * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||