CN114666109A - Novel general hardware platform for information security - Google Patents

Novel general hardware platform for information security

Info

Publication number
CN114666109A
Authority
CN
China
Prior art keywords
module
interface
layer
information security
hardware platform
Legal status (assumed by Google Patents, not a legal conclusion)
Pending
Application number
CN202210243619.XA
Other languages
Chinese (zh)
Inventor
王斌
Current Assignee
Shenzhen Longxin Information Technology Co ltd
Original Assignee
Shenzhen Longxin Information Technology Co ltd
Application filed by Shenzhen Longxin Information Technology Co ltd
Priority to CN202210243619.XA
Publication of CN114666109A
Legal status: Pending

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                        • H04L63/1441 Countermeasures against malicious traffic
                            • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
                            • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
                • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
                    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F18/00 Pattern recognition
                    • G06F18/20 Analysing
                        • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
                            • G06F18/213 Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods
                        • G06F18/23 Clustering techniques
                        • G06F18/24 Classification techniques

Abstract

In the novel general information security hardware platform provided by the invention, the data acquisition module captures Ethernet packets from each layer of the network model; the data storage module stores the packets captured by the data acquisition module; the information security module identifies and controls the protocols of the Ethernet packets at each layer of the network model; the function expansion card is connected to the function modules and uses them to perform deep protocol processing on the Ethernet packets at each layer of the network model; and the CPU management platform manages the information security module and the function expansion card. The platform overcomes the defects of the prior art, whose performance is limited entirely by the number and frequency of CPUs (central processing units), whose processing speed is very low and whose stability is poor.

Description

Novel general hardware platform for information security
Technical Field
The invention belongs to the technical field of communication and information security, and particularly relates to a novel information security universal hardware platform.
Background
Existing domestic network security products are all based on an industrial-PC-plus-software architecture using X86, so the technical barrier to developing and designing them is low and they are easy to implement. They can basically meet the needs of small enterprises and of industries with low bandwidth and security requirements. However, because of the software-processing limitations of the X86 architecture, their performance is limited entirely by the number and frequency of CPUs, their processing speed is slow and their stability is poor. In today's era of high-speed networks, network security products are required to have ever higher processing capacity, which is the current technical trend, and current network security products cannot meet these requirements.
At present China's information security industry has no truly independently designed high-performance information security chip and lacks the capability to design one, and the industry as a whole has no hardware platform based on such a chip. Comparable foreign products are expensive, which is not good for national security.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a novel general information security hardware platform that resolves the defects of the prior art, whose performance is limited entirely by the number and frequency of CPUs (central processing units), whose processing speed is very low and whose stability is poor.
A novel information security universal hardware platform,
the system comprises an information security module 1, a function expansion card 2, a CPU management platform 3, a data acquisition module 4 and a data storage module 5; the function expansion card 2, the CPU management platform 3, the data acquisition module 4 and the data storage module 5 are all connected to the information security module 1;
the data acquisition module 4 is used for acquiring Ethernet data packets of each layer in the network model and transmitting the Ethernet data packets to the data storage module 5, the information security module 1 and the function expansion card 2;
the data storage module 5 is used for storing the Ethernet data packet acquired by the data acquisition module 4;
the information security module 1 is used for carrying out protocol identification and control on Ethernet data packets of each layer in a network model from the data acquisition module;
the function expansion card 2 is connected with the function module and is used for carrying out deep protocol processing on the Ethernet data packets of each layer in the network model by utilizing the function module;
the CPU management platform 3 is used for managing the information security module 1 and the function expansion card 2.
Preferably, the information security module comprises FPGA hardware.
Preferably, the functional modules include at least one of:
the system comprises a virus protection module 201, a content filtering module 202, a deep protocol packet auditing module 203, a customized VPN module 204 and a customized protocol processing module 205.
Preferably, the information security module comprises at least one of the following:
an Ethernet protocol analysis module, an Ethernet deep analysis module, a traffic classification module, a feature-word search module, a network switching module, an intelligent security management module, a network security module, an address translation module, a security policy module, a stateful firewall module, a network behaviour analysis and management module, a policy and routing management module, an audit traffic interception and collection module, a traffic management and control module, a quality-of-service control module, an aging and management module, a fragmentation/reassembly processing module, an encryption and decryption engine module, a host management module, a cache management module, a device support module, a CPU channel module, a data channel management module and an expansion function module.
Preferably, the information security module 1 is specifically configured to perform protocol analysis and forwarding processing on Ethernet packets at layers two to five of the network model, and protocol identification and acceleration processing on Ethernet packets at layers five to seven of the network model, including but not limited to switching, routing and address translation.
Preferably, the novel information security universal hardware platform further comprises a plurality of PHY modules respectively connected to the information security module 1.
Preferably, the information security module 1 is provided with at least one gigabit ethernet interface, at least one DRAM interface, at least one SRAM interface, at least one PCIE and/or PCI interface.
Preferably, the CPU management platform 3 is provided with at least one SATA interface, at least one CF card, at least one FLASH interface, at least one USB interface, at least one UART interface, at least one ethernet interface, and at least one GPIO interface.
Preferably, the CPU management platform 3 is provided with an embedded operating system layer, a BSP layer, an OSAL/HEL layer, an LSCP software and hardware communication protocol layer, and an OAM layer from bottom to top.
Preferably, the novel information security universal hardware platform comprises at least two RGMII/MII interfaces, at least one XAUI interface, at least one PCIE interface and/or PCI interface, at least one DDR/RLDRAM interface, at least one SRAM interface, at least one UART interface, at least one SATA storage interface, at least one FLASH interface, and at least one USB mobile storage interface.
According to the technical scheme, the novel information security universal hardware platform provided by the invention has the following advantages:
1. Strong universality: information security processing is implemented in FPGA, suits scenarios with a wide range of security requirements and can be customized to user needs.
2. High performance: supports bidirectional processing capacity of 80G and above.
3. High security and reliability: the information security module completes the network-layer processing, giving higher security and reliability and none of the security loopholes and hidden dangers of most platforms that rely on a multi-core processor for network processing.
4. Low power consumption: more environmentally friendly and energy-saving.
5. Strong adaptability: the flexible, upgradable information security module means the product does not have to be replaced as protocols and user applications change, and flexible memory configuration and hardware adaptation give the product long-term availability.
6. The design threshold for high-performance products is lowered: hardware acceleration removes 80-95% of the CPU load, solving the difficulty of producing high-end information security products domestically.
7. Good flexibility and scalability: deep-processing function modules can be customized to user needs.
8. Multiple processor platforms are supported, so multiple operating systems are supported.
9. Excellent cost performance: lower cost for the same forwarding performance.
Drawings
In order to more clearly illustrate the detailed description of the invention or the technical solutions in the prior art, the drawings used in the detailed description or the prior art description will be briefly described below. Throughout the drawings, like elements or portions are generally identified by like reference numerals. In the drawings, elements or portions are not necessarily drawn to scale.
Fig. 1 is a block diagram of a novel information security general hardware platform according to an embodiment of the present invention.
Fig. 2 is a block diagram of a novel information security general hardware platform according to an embodiment of the present invention.
Fig. 3 is a functional block diagram of a novel information security general hardware platform according to an embodiment of the present invention.
Fig. 4 is a functional block diagram of a CPU management platform according to an embodiment of the present invention.
Fig. 5 is a block diagram of the information security module acquiring data, mapping it to security problems and building the corresponding machine learning model according to an embodiment of the present invention.
Fig. 6 is a flowchart of the K-nearest-neighbour and linear regression check on suspicious traffic and requests after the information security module is provided with the honeypot system according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and therefore are only examples, and the protection scope of the present invention is not limited thereby. It is to be noted that, unless otherwise specified, technical or scientific terms used herein shall have the ordinary meaning as understood by those skilled in the art to which the invention pertains.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the specification of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
As used in this specification and the appended claims, the term "if" may be interpreted contextually as "when", "upon" or "in response to a determination" or "in response to a detection". Similarly, the phrase "if it is determined" or "if a [ described condition or event ] is detected" may be interpreted contextually to mean "upon determining" or "in response to determining" or "upon detecting [ described condition or event ]" or "in response to detecting [ described condition or event ]".
Example (b):
a novel information security universal hardware platform, see figure 1,
the system comprises an information security module 1, a function expansion card 2, a CPU management platform 3, a data acquisition module 4 and a data storage module 5; the function expansion card 2, the CPU management platform 3, the data acquisition module 4 and the data storage module 5 are all connected to the information security module 1;
the data acquisition module 4 is used for acquiring Ethernet data packets of each layer in the network model and transmitting the Ethernet data packets to the data storage module 5, the information security module 1 and the function expansion card 2;
the data storage module 5 is used for storing the Ethernet data packet acquired by the data acquisition module 4;
the information security module 1 is used for carrying out protocol identification and control on Ethernet data packets of each layer in a network model from the data acquisition module;
the function expansion card 2 is connected with the function module and is used for carrying out deep protocol processing on the Ethernet data packets of each layer in the network model by utilizing the function module;
the CPU management platform 3 is used for managing the information security module 1 and the function expansion card 2.
Specifically, the information security module is implemented in high-capacity FPGA hardware. The CPU management platform 3 may be configured to perform built-in management of the information security module 1 and centralized management of the function expansion card 2. The data acquisition module captures Ethernet packets and transmits them to the data storage module for backup, so that when later data are found to be in error the original data can be retrieved from the data storage module for auditing.
The information security module performs the following processing on Ethernet packets:
• protocol analysis: parsing and identifying the MAC header, IP header, IP options, L4 protocol, TCP options and packet payload of Ethernet messages, with thousands of protocols supported;
• feature-word search: regular-expression search over message content, with user-defined rules;
• traffic classification: after protocol identification each message is tagged with a protocol label for processing by subsequent modules;
• network attack protection (intelligent security processing and a stateful firewall): identification and blocking of L2-L5 attack messages such as ARP attacks, DoS attacks and flood attacks;
• security policy: source/destination selection and control based on physical port, IP address, IP protocol, L4 port number, VLAN, MAC address, security zone and so on, with up to 250,000 policies;
• policy and source routing: route selection based on IP address, security zone, VLAN and so on;
• L2-L3 switching and routing forwarding;
• network traffic management: bidirectional source/destination control based on MAC, IP, user, physical port, security zone, policy, application-layer protocol and so on;
• network address translation: one-to-one, one-to-many, many-to-one, double NAT and other modes;
• network behaviour analysis and management: identifying the application layer and applying the user-configured action to each packet (discard, sample, mirror, forward, QoS, bandwidth control and so on);
• quality of service control: QoS management of packets based on IP, user, policy, DSCP/TOS, application-layer settings and so on;
• encryption and decryption: hardware IPsec encryption and decryption with support for multiple algorithms;
• fragmentation/reassembly: packet reassembly and reordering, and packet fragmentation;
• host table management: host tables of up to 250,000 entries;
• aging: session-level control of messages with timeouts; the session state is switched according to the messages sent and received, an aging time is set according to the state, and timed-out sessions are aged out;
• input/output cache channel management: scheduling and control of message input and output;
• cache management: messages are stored in external DDR/RLDRAM and scheduled out to the target channel according to the security chip's processing result.
After protocol identification the information security module can also redirect traffic according to user settings: traffic that needs deep protocol processing is copied and sent to the function expansion card for deeper packet processing (antivirus, content filtering, auditing, encryption/decryption, customized protocol processing and so on), thereby realizing analysis and control of network traffic data.
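The protocol analysis and aging processing described above are the two pieces a stateful packet pipeline needs first: header parsing that yields the fields later stages are labelled with (MAC, VLAN, 5-tuple, TCP flags) and a session table whose aging time depends on the session state. The following is an added example written for this page, not code from the patent or its assignee, and it is a plain software model of what the patent says is done in FPGA. The frame layout is standard Ethernet/802.1Q/IPv4/TCP; the per-state timeouts, the three-state model (NEW, ESTABLISHED, CLOSING) and the `build_tcp_frame` helper that constructs sample frames are assumptions for the example.

```python
import socket
import struct

ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag
ETH_P_IP = 0x0800      # IPv4
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10

# Aging time per session state in seconds. These values are constructed for the
# example; the patent only states that the aging time is set according to the state.
AGING_SECONDS = {"NEW": 30.0, "ESTABLISHED": 3600.0, "CLOSING": 10.0}


def parse_frame(frame: bytes) -> dict:
    """Parse Ethernet -> optional 802.1Q -> IPv4 -> TCP and return the fields the
    platform labels packets with: MAC addresses, VLAN id, 5-tuple, flags, payload."""
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    off, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlan, off = tci & 0x0FFF, off + 4
    if ethertype != ETH_P_IP:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    (ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack_from("!BBHHHBBH4s4s", frame, off)
    ihl = (ver_ihl & 0x0F) * 4                 # IP options, if present, live inside IHL
    if ver_ihl >> 4 != 4 or ihl < 20 or off + total_len > len(frame):
        raise ValueError("malformed IPv4 header")
    if proto != IPPROTO_TCP:
        raise ValueError("unsupported L4 protocol %d" % proto)
    toff = off + ihl
    sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", frame, toff)
    tcp_hlen = (off_flags >> 12) * 4           # TCP options live between byte 20 and tcp_hlen
    return {
        "src_mac": src_mac.hex(), "dst_mac": dst_mac.hex(), "vlan": vlan,
        "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip),
        "proto": proto, "sport": sport, "dport": dport, "flags": off_flags & 0x3F,
        "payload": frame[toff + tcp_hlen: off + total_len],
    }


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, vlan=None, payload=b"") -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame (sample input for this example)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst, src MAC (constructed)
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan)
    return eth + struct.pack("!H", ETH_P_IP) + ip + tcp


class SessionTable:
    """Session-level state tracking with state-dependent aging."""

    def __init__(self):
        self.sessions = {}   # key -> {"state": ..., "last": timestamp of last packet}

    @staticmethod
    def key(pkt):
        a = (pkt["src_ip"], pkt["sport"])
        b = (pkt["dst_ip"], pkt["dport"])
        return (min(a, b), max(a, b), pkt["proto"])   # same key in both directions

    def update(self, pkt, now):
        """Advance the session state from the packet's flags and return the new state,
        or "drop" when a packet arrives without a session and does not open one."""
        k, f = self.key(pkt), pkt["flags"]
        s = self.sessions.get(k)
        if s is None:
            if f & TCP_SYN and not f & TCP_ACK:
                s = self.sessions[k] = {"state": "NEW", "last": now}
            else:
                return "drop"
        if f & (TCP_FIN | TCP_RST):
            s["state"] = "CLOSING"
        elif s["state"] == "NEW" and f & TCP_ACK:
            s["state"] = "ESTABLISHED"
        s["last"] = now
        return s["state"]

    def age(self, now):
        """Remove sessions idle longer than the timeout of their state; return the count."""
        expired = [k for k, s in self.sessions.items()
                   if now - s["last"] > AGING_SECONDS[s["state"]]]
        for k in expired:
            del self.sessions[k]
        return len(expired)
```

The key is direction-independent so that a SYN-ACK from the server updates the session the client's SYN created; a packet with no session that is not a handshake start is reported as "drop", which is the stateful-firewall behaviour the text attributes to the aging and state-switching stage. The half-open (NEW) and closing timeouts are deliberately much shorter than the established one, since those are the states a flood of unanswered handshakes would otherwise fill the table with.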
Specifically, the information security module collects data from the system layer, the network layer and the application layer. System-layer data serves system security; it mainly comprises chip information, device information, system log information and real-time running-state information, and is used for chip security, device security and system-software security (for example, base-station position information and SMS logs are collected for pseudo-base-station detection). Network-layer data is data closely tied to specific network activity, currently most often network packet data or network flow data, and is mainly used for detecting botnets, network intrusions and the like (for example, a large volume of real TCP flow data is collected on an enterprise internal network for protocol classification and abnormal-protocol detection). Application-layer data is data generated and stored by application software in cyberspace, such as mail text, web logs, social-network text and personal user information, and is mainly used for application-software security detection, public-opinion analysis and the like (for example, a large volume of URL data is collected for malicious-webpage identification). After data collection, the information security module abstracts and maps network security problems onto classification, clustering, dimensionality reduction or other problems that a machine learning model can solve. As shown in Fig. 5, detection of inferior chips or hardware trojans, detection of pseudo base stations, virtualization security, credit-card fraud and the like can be abstracted as classification problems; device identity authentication, abnormal social-network account detection, network intrusion detection and the like can be abstracted as clustering problems; and user identity authentication, malicious/abnormal/intrusion detection, forensic analysis, online public opinion and the like can be abstracted as either classification or clustering problems. When the data is high-dimensional it can be abstracted as a dimensionality-reduction problem; for example, in device identity authentication and malicious-webpage identification the data dimension is too high, so Principal Component Analysis (PCA), Singular Value Decomposition (SVD) or similar algorithms can be used to reduce it. As cyberspace security problems grow more complex, data dimensionality keeps increasing and places new demands on cyberspace security; building machine learning models makes it possible to address security problems that traditional methods find hard to model.
Preferably, as shown in Fig. 6, the information security module may also be provided with a honeypot system: a honeypot file is generated in the operating-system environment and suspicious traffic or access requests are induced to operate on or access it; the data features of the suspicious traffic or access request are then matched and detected with a machine learning model (for example a K-nearest-neighbour plus logistic regression algorithm), and once the detection result is obtained normal traffic and requests are released while malicious traffic and requests are blocked and traced to their source.
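The honeypot step above is a feature generator: whether a request touched the decoy file is one more input to the classifier that decides release or block. The following added example (written for this page, not the patent's or the assignee's code) shows the K-nearest-neighbour half of that decision in plain Python. The three features per request, the training samples and their labels, the rate threshold for the fast path and the class names are all constructed assumptions; the logistic-regression stage the text also mentions is not implemented here.

```python
import math
from collections import Counter

# Constructed training data for the example. Each request is summarised by three
# features: (requests per minute, distinct paths touched, honeypot-file accesses).
# Label 1 = malicious, 0 = normal. These samples and labels are assumptions.
TRAINING = [
    ((5, 3, 0), 0), ((12, 6, 0), 0), ((8, 4, 0), 0), ((20, 9, 0), 0),
    ((90, 40, 3), 1), ((150, 70, 5), 1), ((60, 35, 2), 1), ((200, 80, 8), 1),
]


class KnnDetector:
    """K-nearest-neighbour classifier over min-max scaled request features."""

    def __init__(self, rows, k=3):
        self.k = k
        cols = list(zip(*[x for x, _ in rows]))
        self.lo = [min(c) for c in cols]
        self.hi = [max(c) for c in cols]
        self.rows = [(self.scale(x), y) for x, y in rows]

    def scale(self, x):
        # Scale every feature to [0, 1] so the request count does not dominate the distance.
        return tuple((v - lo) / (hi - lo) if hi > lo else 0.0
                     for v, lo, hi in zip(x, self.lo, self.hi))

    def predict(self, x):
        """Majority label among the k training points closest to x (k is odd, so no ties)."""
        sx = self.scale(x)
        nearest = sorted(self.rows, key=lambda row: math.dist(sx, row[0]))[:self.k]
        return Counter(y for _, y in nearest).most_common(1)[0][0]


class HoneypotGate:
    """Honeypot-first check: a request that never touched the decoy file and stays
    under a rate threshold is released on the fast path; anything else is scored
    by the detector, then released or blocked, with blocked sources recorded so
    that the source can be traced afterwards."""

    def __init__(self, detector, suspicion_rpm=50):
        self.detector = detector
        self.suspicion_rpm = suspicion_rpm      # constructed threshold
        self.blocked = Counter()                # source -> number of blocked requests

    def check(self, src, features):
        rpm, _paths, honeypot_hits = features
        if honeypot_hits == 0 and rpm < self.suspicion_rpm:
            return "release"
        if self.detector.predict(features) == 1:
            self.blocked[src] += 1
            return "block"
        return "release"
```

Min-max scaling matters here: without it the requests-per-minute axis, which spans hundreds, would swamp the honeypot-hit axis, which spans single digits, and the decoy signal the whole scheme depends on would barely affect the distance. In a deployment the `TRAINING` rows would come from labelled captures rather than literals, and the `blocked` counter is where the "trace the source" part of the text would hook in.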
The function expansion card can be a hardware module implemented in FPGA; the platform hands the Ethernet packets of each network-model layer that need deep protocol processing to the function expansion card, which greatly reduces the CPU load and improves packet processing speed and efficiency.
On the basis of this general information security hardware platform, the system can be extended to identify, analyse, control and manage the behaviour and application traffic of Internet users; it can also provide traffic management, traffic statistics, data auditing, report analysis and similar functions that help users understand the overall use of network bandwidth resources, optimize network configuration and keep key network service applications running normally and stably; or it can perform authentication management, authorization and accounting for users and devices and realize policy-based core functions such as networking, traffic management, stateful firewall, address translation, attack detection and defence, and policy management.
The novel general information security hardware platform adopts a unique duplex working mode, which further improves its stability and reliability. It is designed for concurrent multi-service processing: the information security module contains multiple parallel hardware processing units, so enabling several integrated service functions at once has almost no effect on performance, whereas a platform product based on a single-core or multi-core CPU (central processing unit) suffers a 50-95% performance reduction. The information security module integrates a rich set of functions in a high-performance FPGA and has lower power consumption and lower hardware cost than the hardware of comparable products. At the same time, the platform uses hardware acceleration to move the network processing originally performed by the processor into the information security module, which resolves the defects of the prior art, whose performance is limited entirely by the number and frequency of CPUs (central processing units), whose processing speed is very low and whose stability is poor. The platform is decoupled from service processing, adopts a dual-system working and protection mechanism, and is secure, reliable and stable.
To sum up, the novel information security universal hardware platform has the following advantages:
1. Strong universality: information security processing is implemented in FPGA, suits scenarios with a wide range of security requirements and can be customized to user needs.
2. High performance: supports bidirectional processing capacity of 80G and above.
3. High security and reliability: the information security module completes the network-layer processing, giving higher security and reliability and none of the security loopholes and hidden dangers of most platforms that rely on a multi-core processor for network processing.
4. Low power consumption: more environmentally friendly and energy-saving.
5. Strong adaptability: the flexible, upgradable information security module means the product does not have to be replaced as protocols and user applications change, and flexible memory configuration and hardware adaptation give the product long-term availability.
6. The design threshold for high-performance products is lowered: hardware acceleration removes 80-95% of the CPU load, solving the difficulty of producing high-end information security products domestically.
7. Good flexibility and scalability: deep-processing function modules can be customized to user needs.
8. Multiple processor platforms are supported, so multiple operating systems are supported.
9. Excellent cost performance: lower cost for the same forwarding performance.
Preferably, the functional modules include at least one of:
the system comprises a virus protection module 201, a content filtering module 202, a deep protocol packet auditing module 203, a customized VPN module 204 and a customized protocol processing module 205.
Specifically, after the data acquisition module captures the Ethernet big data, it can be transmitted to the function expansion card, which, through the virus protection module, the content filtering module and the deep protocol packet auditing module, customizes functions such as VPN encryption and decryption for information transmission in network security, so that the data captured by the data acquisition module is processed securely.
Referring to fig. 2, the information security module includes at least one of the following modules:
an Ethernet protocol analysis module, an Ethernet deep analysis module, a traffic classification module, a feature-word search module, a network switching module, an intelligent security management module, a network security module, an address translation module, a security policy module, a stateful firewall module, a network behaviour analysis and management module, a policy and routing management module, an audit traffic interception and collection module, a traffic management and control module, a quality-of-service control module, an aging and management module, a fragmentation/reassembly processing module, an encryption and decryption engine module, a host management module, a cache management module, a device support module, a CPU channel module, a data channel management module and an expansion function module.
Preferably, the information security module 1 is specifically configured to perform protocol analysis and forwarding processing on Ethernet packets at layers two to five of the network model, and protocol identification and acceleration processing on Ethernet packets at layers five to seven of the network model, including but not limited to switching, routing and address translation.
Preferably, the novel general information security hardware platform further includes a plurality of PHY (physical-layer) modules, each connected to the information security module 1.
Specifically, for example, the information security module 1 is connected to three PHY modules: PHY1, PHY2 and PHY3. A PHY module is the physical-layer interface in the network model; it mainly processes digital signals, and the platform needs a PHY module for the gigabit Ethernet interface.
Referring to fig. 3, the information security module 1 is provided with at least one gigabit Ethernet interface, at least one DRAM interface (DDR or RLDRAM), at least one SRAM interface, and at least one PCIE and/or PCI interface.
Specifically, for example, the information security module is provided with a plurality of gigabit Ethernet interfaces, a plurality of RLDRAM (low-latency DRAM)/DDR (double data rate synchronous DRAM) cache interfaces, a plurality of SRAM (static RAM) high-speed interfaces, a plurality of PCIE (PCI Express, the high-speed serial computer expansion bus standard) interfaces, and one PCI (peripheral component interconnect) management interface.
The platform provides a plurality of gigabit and a plurality of ten-gigabit Ethernet interfaces and is responsible for receiving and transmitting network packets. The chip parses the packet's network protocols, performs deep analysis of the packet payload, distinguishes user-defined network data streams, and carries out processing such as network switching, security intelligent management and network security according to the security policy control rules defined by the user.
Preferably, the CPU management platform 3 is provided with at least one SATA interface, at least one CF card, at least one FLASH interface, at least one USB interface, at least one UART interface, at least one ethernet interface, and at least one GPIO interface.
Specifically, for example, the CPU management platform is provided with a plurality of SATA (serial ATA hard disk) interfaces, a plurality of CF (CompactFlash) cards, a plurality of FLASH storage interfaces, a plurality of built-in USB interfaces, a plurality of USB expansion interfaces, a plurality of UART interfaces, a plurality of gigabit service management interfaces, and a plurality of GPIO (general-purpose input/output) expansion interfaces.
The SATA interface is used to hold the boot system and as disk storage; the CF card is used to hold the boot system. The USB interface can be connected to a USB flash drive for system boot, can be connected to USB storage devices for data exchange with the system, and can store data on an external USB flash drive. The SATA interface has the same function as the CF card, and together they can implement dual-system booting. The UART interface (serial port) is a universal asynchronous receiver/transmitter; a device can be connected to it over the serial port for command and data interaction, and it can also be used for low-level processing and problem diagnosis on the system. The gigabit Ethernet interface is used for network data transmission and remote management: web management and command-line management of the platform product can be performed by remote network access, as can remote data exchange such as upgrades and file transfer. The GPIO is a general-purpose input/output interface used for system function expansion, giving hardware control over the platform and extending functions such as sound, indicator lights, hardware reset and protocol customization.
Referring to fig. 4, the CPU management platform 3 is provided, from bottom to top, with an embedded operating system layer, a BSP (board support package) layer, an OSAL (operating system abstraction layer)/HEL (hardware emulation layer) layer, an LSCP (exception detection algorithm) software and hardware communication protocol layer, and an OAM (operation, maintenance and management) layer.
Specifically, the CPU management platform is provided with these layers from bottom to top: the embedded operating system layer, the BSP, the OSAL/HEL, the LSCP software and hardware communication protocol layer and the OAM. An embedded Linux operating system is adopted, and the BSP is modified as necessary for the hardware platform. The operating system abstraction layer OSAL is added so that the software can be ported easily between other embedded operating systems and so that a uniform hardware read/write interface is offered to the upper-layer software; the hardware encapsulation layer HEL is provided by the bottom-layer software for the hardware resources.
Preferably, the novel information security universal hardware platform comprises at least two RGMII/MII interfaces (gigabit/100-megabit Ethernet interfaces), at least one XAUI interface (gigabit Ethernet), at least one PCIE and/or PCI interface, at least one DDR/RLDRAM interface, at least one SRAM interface, at least one UART interface, at least one SATA storage interface, at least one FLASH interface, and at least one USB removable storage interface.
Specifically, for example, the platform is provided with a plurality of RGMII/MII data interfaces, a plurality of XAUI data interfaces, a plurality of PCI Express communication interfaces, a plurality of PCI communication interfaces and a plurality of DDR/RLDRAM external bus interfaces. These are used to receive and transmit network packets at line rate; the chip parses the packet's network protocols, performs deep analysis of the packet payload, distinguishes the different user-defined network data streams, applies the security policy control rules defined by the user, and carries out processing such as network switching, security intelligent management and network security.
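To make the packet handling described in the two passages above concrete (layer 2 to 5 protocol analysis, layer 5 to 7 identification, distinguishing user-defined data streams and applying user-defined security policy rules), here is an added Python example. It is not the patent's code and the platform itself does this work in FPGA hardware; it parses a constructed Ethernet/IPv4/TCP-or-UDP frame, classifies it into a five-tuple flow, performs a light application identification on the first payload bytes, and evaluates a first-match rule list with an explicit default deny. The rule set, the sample frames, the `Rule` fields and the identification heuristics are all constructed for this example.

```python
"""Added example: L2-L4 parsing, five-tuple flow classification and
first-match security-policy evaluation. Sample frames and rules are
constructed inline; nothing here is captured traffic or the patent's code."""
from __future__ import annotations
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_IP = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def parse_packet(frame: bytes) -> Optional[tuple[Flow, bytes]]:
    """Parse Ethernet II / IPv4 / TCP|UDP and return (flow, L7 payload).
    Returns None for non-IPv4, non-TCP/UDP or truncated frames instead of raising,
    so a malformed packet can never crash the classifier."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes; honours IP options
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < total_len or total_len < ihl:
        return None
    l4 = ip[ihl:total_len]
    min_l4 = 20 if proto == PROTO_TCP else 8
    if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < min_l4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == PROTO_TCP:
        data_off = (l4[12] >> 4) * 4      # TCP data offset, in bytes
        if data_off < 20 or data_off > len(l4):
            return None
        payload = l4[data_off:]
    else:
        payload = l4[8:]
    return Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, sport, dport), payload


def identify_app(flow: Flow, payload: bytes) -> str:
    """Cheap layer 5-7 identification from the first payload bytes (constructed heuristics)."""
    if flow.proto == PROTO_TCP and payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http"
    if flow.proto == PROTO_TCP and len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                      # TLS record type handshake, version 3.x
    if flow.proto == PROTO_UDP and 53 in (flow.sport, flow.dport):
        return "dns"
    return "unknown"


@dataclass(frozen=True)
class Rule:
    """One user-defined policy rule; a None field matches anything (hypothetical format)."""
    action: str                           # "allow", "deny" or "audit"
    proto: Optional[int] = None
    dport: Optional[int] = None
    app: Optional[str] = None
    src_prefix: Optional[str] = None      # dotted-prefix match, e.g. "10.0."

    def matches(self, flow: Flow, app: str) -> bool:
        return ((self.proto is None or self.proto == flow.proto)
                and (self.dport is None or self.dport == flow.dport)
                and (self.app is None or self.app == app)
                and (self.src_prefix is None or flow.src.startswith(self.src_prefix)))


def evaluate(frame: bytes, rules: list[Rule]) -> tuple[str, str, Optional[Flow]]:
    """Return (action, app, flow). First matching rule wins; unparseable or
    unmatched traffic falls through to a default deny."""
    parsed = parse_packet(frame)
    if parsed is None:
        return "deny", "unparsed", None
    flow, payload = parsed
    app = identify_app(flow, payload)
    for rule in rules:
        if rule.matches(flow, app):
            return rule.action, app, flow
    return "deny", app, flow


def build_frame(src, dst, proto, sport, dport, payload, ip_options=b""):
    """Build a constructed test frame (checksums left zero; this is sample input only)."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + ip_options + l4
    return b"\x00" * 12 + struct.pack("!H", ETH_P_IP) + ip


SAMPLE_RULES = [                          # constructed policy, evaluated top to bottom
    Rule("deny", proto=PROTO_TCP, dport=23),
    Rule("audit", app="http", src_prefix="10.0."),
    Rule("allow", app="dns"),
    Rule("allow", app="tls", dport=443),
]
SAMPLE_FRAMES = {                         # constructed sample traffic
    "http_get": build_frame("10.0.0.5", "203.0.113.10", PROTO_TCP, 40000, 80,
                            b"GET / HTTP/1.1\r\n", ip_options=b"\x01\x01\x01\x01"),
    "dns": build_frame("10.0.0.5", "10.0.0.1", PROTO_UDP, 5353, 53, b"\x12\x34\x01\x00"),
    "telnet": build_frame("10.0.0.7", "10.0.0.9", PROTO_TCP, 41000, 23, b""),
    "tls": build_frame("10.0.0.5", "203.0.113.10", PROTO_TCP, 40001, 443, b"\x16\x03\x01\x00\x05"),
    "arp": b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28,
    "truncated": build_frame("10.0.0.5", "10.0.0.1", PROTO_TCP, 1, 2, b"")[:30],
}


def run_samples(rules=SAMPLE_RULES, frames=SAMPLE_FRAMES) -> dict[str, str]:
    return {name: evaluate(frame, rules)[0] for name, frame in frames.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:10s} -> {action}")
```

The order of the rule list is the policy: the telnet deny sits first so it cannot be shadowed by a later allow, and anything the parser rejects (the ARP frame, the truncated TCP frame) is denied rather than silently forwarded, which is the behaviour a practitioner would expect from a default-deny data path.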
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present invention, and they should be construed as being included in the following claims and description.

Claims (10)

1. A novel information security universal hardware platform is characterized in that,
the system comprises an information security module (1), a function expansion card (2), a CPU management platform (3), a data acquisition module (4) and a data storage module (5); the function expansion card (2), the CPU management platform (3), the data acquisition module (4) and the data storage module (5) are all connected to the information security module (1);
the data acquisition module (4) is used for acquiring Ethernet data packets of each layer in the network model and transmitting the Ethernet data packets to the data storage module (5), the information security module (1) and the function expansion card (2);
the data storage module (5) is used for storing the Ethernet data packet acquired by the data acquisition module (4);
the information security module (1) is used for carrying out protocol identification and control on Ethernet data packets of each layer in the network model from the data acquisition module;
the function expansion card (2) is connected with the function module and is used for carrying out deep protocol processing on the Ethernet data packets of each layer in the network model by utilizing the function module;
and the CPU management platform (3) is used for managing the information security module (1) and the function expansion card (2).
2. The novel information security universal hardware platform according to claim 1,
the information security module comprises FPGA hardware.
3. The novel information security universal hardware platform of claim 1,
the functional module comprises at least one of the following modules:
the system comprises a virus protection module (201), a content filtering module (202), a deep protocol packet auditing module (203), a customized VPN module (204) and a customized protocol processing module (205).
4. The novel information security universal hardware platform of claim 1,
the information security module comprises at least one of the following modules:
the system comprises an Ethernet protocol analysis module, an Ethernet deep layer analysis module, a flow classification module, a characteristic word search module, a network exchange module, a safety intelligent management module, a network safety module, an address conversion function module, a safety strategy module, a state firewall module, a network behavior analysis and management module, a strategy and routing management module, an audit flow interception and collection module, a flow management and control module, a service quality control module, an aging and management module, a fragmentation/recombination processing module, an encryption and decryption engine module, a host management module, a cache management module, an equipment support module, a CPU channel module, a data channel management module and an expansion function module.
5. The novel information security universal hardware platform of claim 1,
the information security module (1) is specifically used for carrying out protocol analysis and forwarding processing on Ethernet data packets from the second layer to the fifth layer in the network model, and carrying out protocol identification and acceleration processing on Ethernet data packets from the fifth layer to the seventh layer in the network model; including but not limited to switching, routing, and address translation.
6. The novel information security universal hardware platform of claim 1,
the novel information security universal hardware platform further comprises a plurality of PHY modules respectively connected to the information security module (1).
7. The novel information security universal hardware platform of claim 1,
the information security module (1) is provided with at least one gigabit Ethernet interface, at least one DRAM interface, at least one SRAM interface, at least one PCIE and/or PCI interface.
8. The novel information security universal hardware platform of claim 1,
the CPU management platform (3) is provided with at least one SATA interface, at least one CF card, at least one FLASH interface, at least one USB interface, at least one UART interface, at least one Ethernet interface and at least one GPIO interface.
9. The novel information security universal hardware platform of claim 1,
the CPU management platform (3) is provided with an embedded operating system layer, a BSP layer, an OSAL/HEL layer, an LSCP software and hardware communication protocol layer and an OAM layer from bottom to top.
10. The novel information security universal hardware platform of claim 1,
the novel information security universal hardware platform comprises at least two RGMII/MII interfaces, at least one XAUI interface, at least one PCIE interface and/or PCI interface, at least one DDR/RLDRAM interface, at least one SRAM interface, at least one UART interface, at least one SATA storage interface, at least one FLASH interface and at least one USB mobile storage interface.
CN202210243619.XA 2022-03-12 2022-03-12 Novel general hardware platform for information security Pending CN114666109A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210243619.XA CN114666109A (en) 2022-03-12 2022-03-12 Novel general hardware platform for information security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210243619.XA CN114666109A (en) 2022-03-12 2022-03-12 Novel general hardware platform for information security

Publications (1)

Publication Number Publication Date
CN114666109A true CN114666109A (en) 2022-06-24

Family

ID=82028571

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210243619.XA Pending CN114666109A (en) 2022-03-12 2022-03-12 Novel general hardware platform for information security

Country Status (1)

Country Link
CN (1) CN114666109A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN204392296U (en) * 2015-02-10 2015-06-10 杭州优稳自动化系统有限公司 Secure isolation gateway in a kind of industrial control network
CN106161330A (en) * 2015-03-16 2016-11-23 机械工业仪器仪表综合技术经济研究所 A kind of security isolation system being applied to PROFINET EPA
CN109474607A (en) * 2018-12-06 2019-03-15 连云港杰瑞深软科技有限公司 A kind of industrial control network safeguard protection monitoring system
CN111245866A (en) * 2020-03-04 2020-06-05 深圳市龙信信息技术有限公司 Ethernet application layer protocol control system and method based on hardware acceleration
US20200358525A1 (en) * 2017-11-22 2020-11-12 Sino-Telecom Technology Co., Inc. Hardware-based protection group switching method and optical communication equipment

Similar Documents

Publication Publication Date Title
CN111371779B (en) Firewall based on DPDK virtualization management system and implementation method thereof
US8724633B2 (en) Internet real-time deep packet inspection and control device and method
CN110168499B (en) Executing context-rich attribute-based services on a host
WO2023087938A1 (en) Data processing method, programmable network card device, physical server, and storage medium
US9755947B2 (en) Hierarchical self-organizing classification processing in a network switch
JP4126707B2 (en) Technology for analyzing the state of information systems
US7515596B2 (en) Full data link bypass
US6131163A (en) Network gateway mechanism having a protocol stack proxy
CN100358280C (en) A network security appliance and realizing method thereof
US9813283B2 (en) Efficient data transfer between servers and remote peripherals
US9356844B2 (en) Efficient application recognition in network traffic
CN114145004B (en) System and method for using DNS messages to selectively collect computer forensic data
US20090092057A1 (en) Network Monitoring System with Enhanced Performance
US20130294231A1 (en) Method of high-speed switching for network virtualization and high-speed virtual switch architecture
CN113794605A (en) Method, system and device for detecting kernel packet loss based on eBPF
JP2010148090A (en) Packet processing method and toe apparatus employing the same
CN111600852A (en) Firewall design method based on programmable data plane
KR20120121668A (en) High Performance System and Method for Blocking Harmful Sites Access on the basis of Network
US20060272012A1 (en) Multifunction server system
CN116743883B (en) Intelligent network card, data processing system and working method thereof
CN113132349A (en) Agent-free cloud platform virtual flow intrusion detection method and device
CN114666109A (en) Novel general hardware platform for information security
US9667540B2 (en) Fiber channel over ethernet (FCoE) frame forwarding system
CN115208690A (en) Screening processing system based on data classification and classification
CN101364895B (en) High performance wideband Internet behavior real-time analysis and management system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination