CN116055191B - Network intrusion detection method and device, electronic equipment and storage medium - Google Patents

Network intrusion detection method and device, electronic equipment and storage medium

Info

Publication number: CN116055191B
Application number: CN202310051407.6A
Authority: CN (China)
Prior art keywords: data, current, preset, buffer, matched
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN116055191A (en)
Inventors: 周昔元, 关创创, 张�杰
Current assignee: Chengdu Zhuoxun Zhian Technology Co ltd
Original assignee: Chengdu Zhuoxun Zhian Technology Co ltd

Events: application filed by Chengdu Zhuoxun Zhian Technology Co ltd; priority to CN202310051407.6A; publication of CN116055191A; application granted; publication of CN116055191B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/70 Admission control; Resource allocation
    • H04L 47/72 Admission control; Resource allocation using reservation actions during connection setup
    • H04L 47/722 Admission control; Resource allocation using reservation actions during connection setup at the destination endpoint, e.g. reservation of terminal resources or buffer space
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a network intrusion detection method, a device, an electronic device and a storage medium, applied to the Suricata framework. The method comprises: receiving network data and parsing the GTP protocol data in it with a preset parsing algorithm to obtain parsed data; caching the network data in a key-value database keyed on the parsed data, and formatting the network data according to a preset data format to obtain formatted data; writing the formatted data into the current sub-buffer of a preset circular buffer to obtain current buffer data; processing the current buffer data according to its processing type to obtain the data to be matched; and sending the data to be matched to an FPGA, matching it against the preset rules held in the FPGA, and determining the intrusion detection result of the network data from the matching result. This improves the detection efficiency of network intrusion detection and reduces memory consumption.

Description

Network intrusion detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular to a network intrusion detection method, apparatus, electronic device and storage medium.
Background
With the rapid development of big data and artificial intelligence technology, the number of network users keeps growing, bringing more network traffic and more network security problems. Intrusion detection technology grew out of this development: by monitoring and analysing the information and behaviour of a computer network and judging whether abnormal information is present, network attacks can be detected effectively.
Unlike passive anti-virus software, intrusion detection in a network information management system matches network access information against templates preset in the system's rule base in order to detect unsafe information. Because every piece of network access information has to be checked, detection efficiency is low, memory consumption is high, and network performance may even suffer.
Therefore, how to improve the detection efficiency of network intrusion detection and reduce memory consumption is a technical problem that currently needs to be solved.
Disclosure of Invention
The embodiments of the application provide a network intrusion detection method and device, an electronic device and a storage medium, which improve the detection efficiency of network intrusion detection and reduce memory consumption.
In a first aspect, a network intrusion detection method applied to the Suricata framework is provided. The method comprises: receiving network data and parsing the GTP protocol data in it with a preset parsing algorithm to obtain parsed data; caching the network data in a key-value database based on the parsed data, and formatting the network data according to a preset data format to obtain formatted data; writing the formatted data into the current sub-buffer of a preset circular buffer to obtain current buffer data; processing the current buffer data according to its processing type to obtain the data to be matched, where the processing type is a create operation, a modify operation or a delete operation; and sending the data to be matched to an FPGA, matching it against the preset rules in the FPGA, and determining the intrusion detection result of the network data from the matching result.
In a second aspect, a network intrusion detection device applied to the Suricata framework is provided. The device comprises: a parsing module for receiving network data and parsing the GTP protocol data in it with a preset parsing algorithm to obtain parsed data; a formatting module for caching the network data in a key-value database based on the parsed data and formatting the network data according to a preset data format to obtain formatted data; a writing module for writing the formatted data into the current sub-buffer of a preset circular buffer to obtain current buffer data; a processing module for processing the current buffer data according to its processing type to obtain the data to be matched, where the processing type is a create operation, a modify operation or a delete operation; and a matching module for sending the data to be matched to the FPGA, matching it against the preset rules in the FPGA, and determining the intrusion detection result of the network data from the matching result.
In a third aspect, an electronic device is provided, comprising a processor and a memory storing instructions executable by the processor, the processor being configured to perform the network intrusion detection method of the first aspect by executing those instructions.
In a fourth aspect, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, implements the network intrusion detection method of the first aspect.
By applying this scheme, the GTP data is parsed once, the network data is cached and formatted, the formatted data passes through the circular buffer where create, modify and delete operations are resolved against the cached state, and only the resulting data to be matched is sent to the FPGA for rule matching, which improves the detection efficiency of network intrusion detection and reduces memory consumption.
Drawings
In order to illustrate the technical solutions of the embodiments more clearly, the drawings needed in the description of the embodiments are briefly introduced below; they show only some embodiments of the present application, and those skilled in the art may derive other drawings from them without inventive effort.
Fig. 1 is a schematic flow chart of a network intrusion detection method according to an embodiment of the present application;
Fig. 2 is a schematic diagram of the preset circular buffer in an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a network intrusion detection device according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The embodiment of the application provides a network intrusion detection method applied to the Suricata framework which, as shown in fig. 1, comprises the following steps:
Step S101, receiving network data and parsing the GTP protocol data in it with a preset parsing algorithm to obtain parsed data.
In this embodiment, network intrusion detection is performed on top of the Suricata framework, an open-source, signature-based intrusion detection engine that emphasises protocol identification and script-based detection. For protocol identification, Suricata lets the network administrator declare protocol types or specific ports in its configuration and provides a large number of rule keywords that match individual protocol fields, so detection no longer relies solely on matching raw patterns against port-assigned traffic; it also introduces script-based detection and purpose-built data structures to parse and record flow information.
The network data may be a network data flow obtained from a network operator which contains GTP (GPRS Tunneling Protocol) data. The GTP protocol data is parsed with the preset parsing algorithm to obtain parsed data, which comprises, for each user, network access information, identity IDs (including but not limited to IMEI, MSISDN and IMSI), location information and so on.
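The patent does not disclose its parsing algorithm, so the following is an added example, not code from the patent or from Suricata: a header parser for GTPv1 and GTPv2 that recovers the version, message type and TEID and, for a GTPv1-U G-PDU, the tunnelled packet's inner source and destination addresses (the "intranet" and "extranet" IP addresses used later as hash factors). The sample G-PDU is constructed in the block; the addresses and TEID are invented for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

GTPV1_GPDU = 255  # GTPv1-U "G-PDU": message carrying a tunnelled user-plane IP packet


@dataclass
class GtpInfo:
    version: int
    message_type: int
    teid: Optional[int]
    header_len: int                  # bytes consumed by the GTP header, i.e. where the payload starts
    inner_src: Optional[str] = None  # UE-side ("intranet") IPv4 address, G-PDU only
    inner_dst: Optional[str] = None  # Internet-side ("extranet") IPv4 address, G-PDU only


def _inner_ipv4(pkt: bytes) -> Tuple[Optional[str], Optional[str]]:
    """(src, dst) of the IPv4 packet carried inside a G-PDU, or (None, None) if it is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None, None
    return ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))


def parse_gtp(payload: bytes) -> GtpInfo:
    """Parse the GTPv1 (UDP 2152 / 2123) or GTPv2 (UDP 2123) header at the start of payload."""
    if len(payload) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type = payload[0], payload[1]
    version = flags >> 5
    if version == 1:
        body_len = struct.unpack_from("!H", payload, 2)[0]   # octets following the 8 mandatory bytes
        teid = struct.unpack_from("!I", payload, 4)[0]
        if 8 + body_len > len(payload):
            raise ValueError("GTPv1 length field exceeds packet")
        hdr = 8
        if flags & 0x07:                 # any of E, S, PN set: seq(2) + N-PDU(1) + next-ext-type(1) follow
            if body_len < 4:
                raise ValueError("truncated GTPv1 optional fields")
            hdr, next_ext = 12, payload[11]
            while flags & 0x04 and next_ext != 0:            # E flag: walk the extension header chain
                if hdr >= 8 + body_len:
                    raise ValueError("bad GTPv1 extension header")
                ext_len = payload[hdr] * 4                    # length in 4-octet units, includes itself
                if ext_len == 0 or hdr + ext_len > 8 + body_len:
                    raise ValueError("bad GTPv1 extension header")
                next_ext = payload[hdr + ext_len - 1]
                hdr += ext_len
        info = GtpInfo(1, msg_type, teid, hdr)
        if msg_type == GTPV1_GPDU:
            info.inner_src, info.inner_dst = _inner_ipv4(payload[hdr:8 + body_len])
        return info
    if version == 2:
        has_teid = bool(flags & 0x08)    # T flag; header is 12 bytes with TEID, 8 without
        hdr = 12 if has_teid else 8
        if len(payload) < hdr:
            raise ValueError("truncated GTPv2 header")
        teid = struct.unpack_from("!I", payload, 4)[0] if has_teid else None
        return GtpInfo(2, msg_type, teid, hdr)
    raise ValueError(f"unsupported GTP version {version}")


# --- constructed test traffic (not captured data) -------------------------------------
def build_ipv4(src: str, dst: str, proto: int = 17, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header (checksum left zero) for constructed test packets."""
    pack_ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       pack_ip(src), pack_ip(dst)) + payload


def build_gpdu(teid: int, inner: bytes, seq: Optional[int] = None) -> bytes:
    """Wrap an IPv4 packet in a GTPv1-U G-PDU; S flag and sequence field are added when seq is given."""
    flags = 0x30 | (0x02 if seq is not None else 0)          # version 1, PT=1 (GTP, not GTP'), S flag
    opt = struct.pack("!HBB", seq, 0, 0) if seq is not None else b""
    return struct.pack("!BBHI", flags, GTPV1_GPDU, len(opt) + len(inner), teid) + opt + inner


SAMPLE_GPDU = build_gpdu(0x1A2B3C4D, build_ipv4("10.45.0.7", "203.0.113.9", payload=b"\x00" * 8), seq=1)

if __name__ == "__main__":
    print(parse_gtp(SAMPLE_GPDU))
```

The length checks matter for a detector that sits on operator traffic: the GTPv1 length field and the extension-header chain are attacker-controlled, so the parser bounds every read against the declared body length before indexing into it rather than trusting the chain to terminate.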
Step S102, caching the network data in a key-value database based on the parsed data, and formatting the network data according to a preset data format to obtain formatted data.
In this embodiment, to ensure reliable intrusion detection the network data is first cached and formatted: a key is determined from the parsed data, the network data is cached in a key-value database under that key, and the network data is formatted according to the preset data format to obtain formatted data.
Optionally, the key-value database may be a Redis database, and the preset data format may be any one of binary, JSON and XML.
Step S103, writing the formatted data into the current sub-buffer of a preset circular buffer to obtain current buffer data.
In this embodiment, a preset circular buffer is set up to receive the formatted data so as to avoid the performance loss of repeated memory copies. The preset circular buffer is a ring queue made up of several sub-buffers; packets of formatted data are written directly into the sub-buffers in turn and processed in place. Writing the formatted data into the current sub-buffer of the preset circular buffer yields the current buffer data.
Optionally, the formatted data is sent to the current sub-buffer over a UDP (User Datagram Protocol) connection created with the socket API.
Step S104, processing the current buffer data according to its processing type to obtain the data to be matched, where the processing type is a create operation, a modify operation or a delete operation.
In this embodiment, the current buffer data is handled in one of three ways, a create operation, a modify operation or a delete operation, and is processed according to the processing type it carries to obtain the data to be matched.
In some embodiments of the present application, processing the current buffer data according to its processing type to obtain the data to be matched specifically comprises:
determining a current hash value from the hash factors of the current buffer data;
querying a preset hash table with the current hash value, and processing the current buffer data according to the processing type and the query result to obtain the data to be matched;
where the hash factors comprise the GTP protocol version, the intranet IP address and the extranet IP address.
In this embodiment, the preset hash table is built beforehand from the data already cached in the FPGA (Field Programmable Gate Array). The GTP protocol version, intranet IP address and extranet IP address in the current buffer data are taken as hash factors to compute the current hash value; the preset hash table is queried with that value to obtain a query result; and the current buffer data is then processed according to the processing type and the query result to obtain the data to be matched. The hash lookup decides whether the FPGA already holds an entry for this tunnel without consulting the FPGA itself, so the current buffer data is handled more efficiently.
Those skilled in the art can set different hash factors as required, which does not affect the scope of protection of the present application.
In some embodiments of the present application, querying the preset hash table with the current hash value and processing the current buffer data according to the processing type and the query result specifically comprises:
if the processing type is the create operation or the modify operation and the current hash value is not in the preset hash table, inserting the current hash value into the preset hash table and taking the current buffer data as the data to be matched;
if the processing type is the modify operation and the current hash value is in the preset hash table, deleting the old data corresponding to the current hash value in the FPGA and taking the current buffer data as the data to be matched.
In this embodiment, if the processing type is a create or modify operation and the current hash value is absent from the preset hash table, the FPGA holds no old data for that hash value and nothing needs modifying: the current hash value is inserted into the preset hash table, the current buffer data becomes the data to be matched, and writing it to the FPGA later completes the create or modify operation. If the processing type is a modify operation and the current hash value is present in the preset hash table, old data exists in the FPGA and must be replaced: the old data is deleted in the FPGA, the current buffer data becomes the data to be matched, and writing it to the FPGA later completes the modify operation.
When the processing type is the create or modify operation, the data to be matched is thus determined by the query result of the preset hash table, so that it is obtained more accurately.
In some embodiments of the present application, after querying the preset hash table with the current hash value, the method further comprises:
if the processing type is the create operation and the current hash value is in the preset hash table, updating the timestamp of the old data;
if the processing type is the delete operation and the current hash value is in the preset hash table, removing the current hash value from the preset hash table and deleting the old data in the FPGA;
if the processing type is the delete operation and the current hash value is not in the preset hash table, emptying the current sub-buffer.
In this embodiment, if the processing type is a create operation and the current hash value is present in the preset hash table, the FPGA already holds the old data and no new entry is needed; only the timestamp of the old data is refreshed, which completes the create operation. If the processing type is a delete operation and the current hash value is present, the old data exists in the FPGA; the current hash value is removed from the preset hash table and the old data is deleted in the FPGA, completing the delete operation. If the processing type is a delete operation and the current hash value is absent, there is no old data to delete in the FPGA; the current sub-buffer is simply emptied, completing the delete operation. This guarantees that the current buffer data is processed exactly once and correctly, improving the reliability of network intrusion detection.
In some embodiments of the present application, the preset circular buffer has a head pointer, a receiving pointer and a processing pointer: the head pointer points to the head sub-buffer of the preset circular buffer, formatted data is written into the current sub-buffer through the receiving pointer, and the current buffer data is acquired and processed through the processing pointer.
In this embodiment, receiving and processing on the preset circular buffer are driven by the head pointer, the receiving pointer and the processing pointer, so that the current buffer data is received and processed more efficiently.
In a specific application scenario, as shown in fig. 2, the preset circular buffer consists of several buf buffers (the sub-buffers). After the circular buffer is initialised, the ring_mem_poll_head pointer (head pointer), the ring_mem_poll_put pointer (receiving pointer) and the ring_mem_poll_get pointer (processing pointer) all point to the head sub-buffer. When formatted data arrives it is written into the current buf buffer (the current sub-buffer) through the ring_mem_poll_put pointer, and when the buf buffer referenced by the ring_mem_poll_get pointer is detected to be non-empty, its contents are acquired and processed as the current buffer data.
Optionally, the receiving pointer is controlled by a data receiving thread and the processing pointer by a data processing thread.
In some embodiments of the application, the method further comprises:
after the current buffer data is obtained, advancing the receiving pointer to the sub-buffer following the current sub-buffer;
after the data to be matched is obtained, emptying the current sub-buffer.
In this embodiment, once the current buffer data has been obtained the receiving pointer is advanced to the next sub-buffer, so that further formatted data can be received through the receiving pointer and written into that next sub-buffer; this reduces the time spent copying memory and improves receiving capacity. Once the data to be matched has been obtained the current sub-buffer is emptied so that new formatted data can be written into it, keeping data processing efficient.
In a specific application scenario, as shown in fig. 2, after the current buffer data is obtained the ring_mem_poll_put pointer is advanced to the sub-buffer following the current one, and after the data to be matched is obtained the current sub-buffer referenced by the ring_mem_poll_get pointer is emptied.
In some embodiments of the present application, after the parsed data is obtained the method further comprises:
caching the time data of the network data, and judging from the time data whether timed-out unprocessed data exists in the preset circular buffer or in the FPGA;
if so, deleting the timed-out unprocessed data.
In this embodiment, the time data of the network data is cached together with the network data; from this time data it is judged whether timed-out unprocessed data exists in the preset circular buffer or in the FPGA, and if so that data is deleted, which keeps stale entries from occupying buffer slots and FPGA table space and improves the reliability of network intrusion detection.
Optionally, timed-out unprocessed data is detected by a dedicated data timeout thread.
Step S105, sending the data to be matched to the FPGA, matching it against the preset rules in the FPGA, and determining the intrusion detection result of the network data from the matching result.
In this embodiment, preset rules are installed in the FPGA; the data to be matched is sent to the FPGA, matched against the preset rules, and the intrusion detection result of the network data is determined from the matching result.
Optionally, the data to be matched is sent to the FPGA in DPDK (Data Plane Development Kit) mode, which hands packets to the device from user space by polling rather than through the kernel network stack, reducing the number of interrupts and memory copies and improving transfer efficiency.
In some embodiments of the present application, matching the data to be matched against the preset rules comprises the following steps:
step 1, compute a hash value from the IP-related fields of the data to be matched;
step 2, derive a DDR query address from the hash value, issue the query command and read back the table entry;
step 3, compare the content to be matched according to the returned entry and the information type (non-GPRS traffic such as fixed-network data is excluded from the comparison);
step 4, on a match, store the matched content according to its priority, a higher-priority match overriding a lower-priority one, and inspect the linked-list pointer at the same time;
step 5, if the linked-list pointer is non-null and the pointer check reports no error, issue a linked-list query command;
step 6, when the query returns, repeat steps 1 to 5 for the returned entry;
step 7, if the linked-list pointer is null or the pointer check reports an error, the matching query for this data to be matched is complete;
step 8, output the match result;
step 9, return to the initial state.
In some embodiments of the present application, a TCAM table, a DDR mapping table and a DDR shared table are provided in the FPGA. Each preset initial table entry is reduced according to its length; the reduced entries are filled into the TCAM table in order as first-level entries, the corresponding first preset initial entry is filled into the DDR mapping table, and when more than one preset initial entry corresponds to the same reduced entry, the remaining preset initial entries are stored in order in the DDR shared table. Matching the data to be matched against the preset rules then comprises:
step a, query whether the data to be matched hits an entry in the TCAM table; if so, continue, otherwise the query ends;
step b, query whether the data to be matched matches the entry in the DDR mapping table; if so, the query ends, otherwise execute step c;
step c, query whether the data to be matched matches the entries in the DDR shared table, until all entries of the DDR shared table have been compared against the data to be matched.
In this embodiment, the data to be matched first enters the TCAM table, which matches quickly against the reduced entries and screens out the data that conforms to one of them, greatly reducing the amount of data that goes further. If the DDR mapping table needs to be consulted, it is queried to confirm whether the data matches the preset initial entry; if it does, the flow ends. If it does not, the DDR shared table is queried to confirm whether any of the other preset initial entries matches, until all preset initial entries corresponding to the reduced entry have been checked.
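The two descriptions above (the priority-ordered linked-list walk of steps 1 to 9, and the TCAM / DDR mapping / DDR shared tiering of steps a to c) are modelled together in the following added example, which is mine and not the patent's FPGA logic. The TCAM is simulated as a list of (value, mask) pairs over a reduced key made of the GTP version and the outer IP prefix, the DDR mapping table holds the first full rule of each chain, and the DDR shared table holds the rest, linked by next pointers; the walk keeps the highest-priority hit and stops on a null or out-of-range pointer. The rule set, identifiers and verdicts are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    rule_id: str
    priority: int                       # a higher-priority hit overrides a lower one in the same chain
    verdict: str                        # what the detection result becomes when this rule wins
    gtp_v: Optional[int] = None         # None means "any"
    inner_net: Optional[str] = None     # CIDR the UE-side (intranet) address must fall in, None = any
    outer_net: Optional[str] = None     # CIDR the Internet-side (extranet) address must fall in, None = any

    def matches(self, flow: dict) -> bool:
        if self.gtp_v is not None and flow["gtp_v"] != self.gtp_v:
            return False
        for net, key in ((self.inner_net, "inner_ip"), (self.outer_net, "outer_ip")):
            if net is not None and ipaddress.ip_address(flow[key]) not in ipaddress.ip_network(net):
                return False
        return True


def reduced_key(gtp_v: int, outer_ip: str) -> int:
    """40-bit TCAM search key: GTP version in the top byte, outer IPv4 address below it."""
    return (gtp_v << 32) | int(ipaddress.ip_address(outer_ip))


class FpgaMatcher:
    def __init__(self) -> None:
        self.tcam: List[Tuple[int, int]] = []         # (value, mask); lowest index wins on multiple hits
        self.ddr_map: Dict[int, Rule] = {}            # TCAM index -> first full rule of the chain
        self.ddr_shared: List[Rule] = []              # remaining rules of every chain
        self.next_ptr: Dict[str, Optional[int]] = {}  # rule_id -> index of the next rule in ddr_shared

    def install_chain(self, gtp_v: int, outer_cidr: str, chain: List[Rule]) -> None:
        """One reduced TCAM entry per chain; chain[0] to the mapping table, the rest to the shared table."""
        net = ipaddress.ip_network(outer_cidr)
        value, mask = reduced_key(gtp_v, str(net.network_address)), (0xFF << 32) | int(net.netmask)
        idx = len(self.tcam)
        self.tcam.append((value, mask))
        self.ddr_map[idx] = chain[0]
        prev = chain[0]
        for rule in chain[1:]:
            self.next_ptr[prev.rule_id] = len(self.ddr_shared)
            self.ddr_shared.append(rule)
            prev = rule
        self.next_ptr[prev.rule_id] = None

    def lookup(self, flow: dict) -> Optional[Rule]:
        if flow.get("info_type") != "gprs":          # non-GPRS (e.g. fixed-network) records are not compared
            return None
        key = reduced_key(flow["gtp_v"], flow["outer_ip"])
        hit = next((i for i, (v, m) in enumerate(self.tcam) if key & m == v), None)
        if hit is None:                              # step a: no TCAM hit, query ends
            return None
        best: Optional[Rule] = None
        rule: Optional[Rule] = self.ddr_map[hit]     # step b: first full rule from the DDR mapping table
        while rule is not None:
            if rule.matches(flow) and (best is None or rule.priority > best.priority):
                best = rule                          # higher priority overrides an earlier match
            ptr = self.next_ptr.get(rule.rule_id)
            if ptr is None or ptr >= len(self.ddr_shared):   # null pointer or failed pointer check
                break
            rule = self.ddr_shared[ptr]              # step c: continue down the DDR shared table
        return best


def build_sample_matcher() -> FpgaMatcher:
    """Constructed rule chain; rule identifiers and verdicts are hypothetical."""
    m = FpgaMatcher()
    m.install_chain(1, "203.0.113.0/24", [
        Rule("chain1-default", 10, "pass"),
        Rule("chain1-suspicious-peer", 50, "alert", inner_net="10.45.0.0/16", outer_net="203.0.113.9/32"),
        Rule("chain1-v1-any", 20, "log", gtp_v=1),
    ])
    return m


if __name__ == "__main__":
    m = build_sample_matcher()
    print(m.lookup({"gtp_v": 1, "info_type": "gprs", "inner_ip": "10.45.0.7", "outer_ip": "203.0.113.9"}))
```

Note the difference between the two descriptions in the text: steps a to c stop at the first DDR mapping hit, while steps 4 to 7 keep walking and let priority decide; the example implements the latter, which reduces to the former when each chain is stored in descending priority order.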
By applying this scheme, the GTP data in the received network data is parsed, the network data is cached and formatted, the formatted data is written into the current sub-buffer of the preset circular buffer, the current buffer data is processed according to its processing type (create, modify or delete) to obtain the data to be matched, and the data to be matched is sent to the FPGA and matched against the preset rules to determine the intrusion detection result, which improves the detection efficiency of network intrusion detection and reduces memory consumption.
To further explain the technical idea of the application, the technical scheme is described below with a specific application scenario.
The embodiment of the application provides a network intrusion detection method which is applied to a Surica framework and comprises the following steps:
step one, front-stage treatment.
Specifically, network data is received, GTP protocol data in the network data is analyzed based on a preset analysis algorithm, and the obtained networking information, identity ID (including but not limited to IMEI, MSISDN, IMSI and the like), position information and the like of each user are taken as analysis data. And then determining a key value based on the analysis data, caching the network data into a key-value database, and formatting the network data based on a preset data format to obtain formatted data. And writing the formatted data into a current sub-buffer in a preset circular buffer through UDP connection to obtain current buffer data, wherein the UDP connection is created based on a socket mode.
Step two, middle section treatment.
A data receiving thread section: receiving formatted data transmitted from a front section by adopting UDP connection, writing the formatted data into a current buf buffer area in a preset circulation buffer area through a ring_mem_poll_put pointer, and then pointing the ring_mem_poll_put pointer to a next buf buffer area to wait for continuously receiving the data;
a data processing thread section: when the data processing thread detects that the data exists in the buf buffer area corresponding to the ring_mem_poll_get pointer, the data processing is divided into three types, namely create (i.e. creating operation), modify (i.e. modifying operation) and delete (i.e. deleting operation), after the processing is completed, the data in the buf buffer area is emptied, and the receiving thread waits for receiving the data to use, and the following three types of detailed processing flows are respectively provided:
the create flow: after the data processing thread acquires data according to the ring_mem_poll_get pointer, when detecting that the processing type is create, using GTP_V (GTP protocol version), inner_ip (intranet IP address) and outer_ip (extranet IP address) as hash factors, calculating a hash value, using the hash value as a row number of a preset hash table, inquiring the preset hash table by using the acquired hash value, if the hash value does not exist in the preset hash table, issuing corresponding current buffer data as new data to the FPGA, otherwise, updating a timestamp of old data corresponding to the hash value in the FPGA;
the modify flow: after the data processing thread acquires data according to the ring_mem_poll_get pointer, when detecting that the processing type is modify, using GTP_V, inner_ip and outer_ip as hash factors, calculating a hash value, using the hash value as a row number of a preset hash table, inquiring the preset hash table by using the acquired hash value, deleting old data corresponding to the hash value in the FPGA if the hash value exists in the preset hash table, and issuing corresponding current buffer data as new data to the FPGA; if the hash value does not exist in the preset hash table, directly issuing corresponding current buffer data to the FPGA as new data;
the delete flow: after the data processing thread acquires data according to the ring_mem_poll_get pointer, when detecting that the operation type is delete, using GTP_V, inner_ip and outer_ip as hash factors, calculating a hash value, using the hash value as a row number of a preset hash table, inquiring the preset hash table by using the acquired hash value, deleting the hash value from the preset hash table if the hash value exists in the preset hash table, and deleting corresponding old data in the FPGA; if the hash value does not exist in the preset hash table, the current buf buffer area is emptied, and data processing in the next buf buffer area is carried out.
Step three, back-end processing.
Specifically, the data output by the middle section is sent to the FPGA in DPDK mode.
Step four, matching processing in the FPGA.
Specifically, the data sent by the back end is matched against preset rules, and the intrusion detection result of the network data is determined according to the matching result.
The embodiment of the application also provides a network intrusion detection device, which is applied to a Surica framework, as shown in fig. 3, and comprises:
the parsing module 301 is configured to receive network data, parse GTP protocol data in the network data based on a preset parsing algorithm, and obtain parsed data;
the formatting module 302 is configured to cache the network data to a key-value database based on the parsing data, and format the network data according to a preset data format to obtain formatted data;
a writing module 303, configured to write the formatted data into a current sub-buffer in a preset circular buffer, to obtain current buffered data;
the processing module 304 is configured to process the current buffered data according to a processing type of the current buffered data to obtain data to be matched, where the processing type includes a creating operation, a modifying operation, or a deleting operation;
and the matching module 305 is used for sending the data to be matched to the FPGA and matching with preset rules in the FPGA, and determining an intrusion detection result of the network data according to the matching result.
In a specific application scenario, the processing module 304 is specifically configured to:
determining a current hash value according to the hash factor of the current buffer data;
inquiring a preset hash table according to the current hash value, and processing the current buffer data according to the operation type and the inquiring result to obtain data to be matched;
the hash factor comprises a GTP protocol version, an intranet IP address and an extranet IP address.
In a specific application scenario, the processing module 304 is further specifically configured to:
if the processing type is the creation operation or the modification operation and the current hash value does not exist in the preset hash table, filling the current hash value into the preset hash table, and taking the current buffer data as the data to be matched;
and if the processing type is the modification operation and the current hash value exists in the preset hash table, deleting old data corresponding to the current hash value in the FPGA, and taking the current buffer data as the data to be matched.
In a specific application scenario, the processing module 304 is further specifically configured to:
if the processing type is the creation operation and the current hash value exists in the preset hash table, updating the time stamp of the old data;
if the processing type is the deleting operation and the current hash value exists in the preset hash table, deleting the current hash value from the preset hash table and deleting the old data in the FPGA;
and if the processing type is the deleting operation and the current hash value does not exist in the preset hash table, the current sub-buffer area is emptied.
In a specific application scenario, the preset circular buffer area includes a head pointer, a receiving pointer and a processing pointer, the head pointer points to a head sub-buffer area in the preset circular buffer area, the formatted data is written into the current sub-buffer area based on the receiving pointer, and the current buffer data is acquired and processed based on the processing pointer.
In a specific application scenario, the processing module 304 is further configured to:
after the current buffer data is obtained, the receiving pointer is pointed to the next sub-buffer area of the current sub-buffer area;
and after the data to be matched are obtained, the current sub-buffer is emptied.
In a specific application scenario, the device further includes a timeout processing module, configured to:
caching time data of the network data, and judging whether overtime unprocessed data exists in the preset circulating buffer zone or the FPGA according to the time data;
if yes, deleting the overtime unprocessed data.
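As an added example (not the patent's code), the following Python simulation walks through the middle-section processing described above together with the timeout module: a hash-table row derived from the three hash factors, the circular buffer with its receiving and processing pointers, the create/modify/delete branches, and an FPGA stand-in that matches issued entries against a preset rule. The hash function, the table size, the `FpgaStub` class, the sample records and the rule are all assumptions constructed for this example.

```python
from dataclasses import dataclass
import hashlib

@dataclass
class Record:  # one formatted unit of buffered data (constructed field set)
    gtp_v: int     # GTP protocol version
    inner_ip: str  # intranet IP address
    outer_ip: str  # extranet IP address
    op: str        # processing type: "create", "modify" or "delete"
    ts: float      # time data cached with the network data

def hash_row(gtp_v, inner_ip, outer_ip, rows=1 << 32):
    # Hash factors -> row of the preset hash table; blake2b and the table size are assumed.
    key = f"{gtp_v}|{inner_ip}|{outer_ip}".encode()
    return int.from_bytes(hashlib.blake2b(key, digest_size=8).digest(), "big") % rows

class RingBuffer:  # preset circular buffer with receiving (put) and processing (get) pointers
    def __init__(self, n_bufs):
        self.bufs = [None] * n_bufs
        self.put = self.get = 0  # ring_mem_poll_put / ring_mem_poll_get: receiving and processing pointers
    def put_record(self, rec):
        if self.bufs[self.put] is not None:
            return False  # slot not yet emptied by the processing thread: receiver waits
        self.bufs[self.put] = rec
        self.put = (self.put + 1) % len(self.bufs)
        return True
    def clear_current(self):  # empty the buf so the receiving thread can reuse it
        self.bufs[self.get] = None
        self.get = (self.get + 1) % len(self.bufs)

class FpgaStub:  # stand-in for the FPGA: holds issued entries, matches them against preset rules
    def __init__(self, rules):
        self.rules = rules  # list of (rule_name, predicate(Record) -> bool)
        self.entries = {}   # row -> Record currently held in the FPGA
        self.alerts = []    # (rule_name, inner_ip) for every rule hit
    def issue(self, row, rec):
        self.entries[row] = rec
        self.alerts += [(name, rec.inner_ip) for name, pred in self.rules if pred(rec)]
    def delete(self, row):
        self.entries.pop(row, None)

def process_current(ring, table, fpga):
    # Processing thread: handle the buf under the get pointer, return the action taken.
    rec = ring.bufs[ring.get]
    row = hash_row(rec.gtp_v, rec.inner_ip, rec.outer_ip)
    exists = row in table
    if rec.op == "create":
        if exists:  # old data already in the FPGA: only refresh its timestamp
            fpga.entries[row].ts = table[row] = rec.ts; action = "refresh"
        else:
            table[row] = rec.ts; fpga.issue(row, rec); action = "issue"
    elif rec.op == "modify":
        if exists:  # drop the old entry before issuing the new one
            fpga.delete(row)
        table[row] = rec.ts; fpga.issue(row, rec); action = "replace" if exists else "issue"
    elif rec.op == "delete":
        if exists:
            table.pop(row); fpga.delete(row); action = "delete"
        else: action = "skip"  # nothing to delete: just empty the buf and move on
    else:
        raise ValueError(f"unknown processing type {rec.op!r}")
    ring.clear_current()
    return action

def expire_timeouts(table, fpga, now, max_age):
    # Timeout module: drop entries whose cached time data is older than max_age.
    stale = [row for row, ts in table.items() if now - ts > max_age]
    for row in stale:
        table.pop(row); fpga.delete(row)
    return len(stale)

def run_demo():
    # Constructed feed: create, duplicate create, modify, create, delete, delete miss.
    rules = [("blocklisted_outer_ip", lambda r: r.outer_ip == "203.0.113.9")]  # constructed rule
    ring, table, fpga = RingBuffer(4), {}, FpgaStub(rules)
    feed = [Record(1, "10.0.0.5", "198.51.100.2", "create", 100.0),
            Record(1, "10.0.0.5", "198.51.100.2", "create", 105.0),
            Record(1, "10.0.0.5", "198.51.100.2", "modify", 110.0),
            Record(1, "10.0.0.7", "203.0.113.9", "create", 111.0),
            Record(1, "10.0.0.5", "198.51.100.2", "delete", 120.0),
            Record(1, "10.0.0.5", "198.51.100.2", "delete", 121.0)]
    actions = [process_current(ring, table, fpga) for rec in feed if ring.put_record(rec)]
    expired = expire_timeouts(table, fpga, now=200.0, max_age=60.0)
    return actions, fpga.alerts, expired, len(fpga.entries)
```

Note that the hash table is keyed by row number alone, as the patent describes; in a real deployment the row should also carry the full hash factors so that two flows landing in the same row are not confused.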
By applying the above technical solution, the network intrusion detection device is applied to a surica framework, and the device includes: the analysis module is used for receiving the network data, and analyzing GTP protocol data in the network data based on a preset analysis algorithm to obtain analysis data; the formatting module is used for caching the network data into a key-value database based on the analysis data, and formatting the network data according to a preset data format to obtain formatted data; the writing module is used for writing the formatted data into a current sub-buffer area in a preset circulating buffer area to obtain current buffer data; the processing module is used for processing the current buffer data according to the processing type of the current buffer data to obtain data to be matched, wherein the processing type comprises a creating operation, a modifying operation or a deleting operation; the matching module is used for sending the data to be matched to the FPGA and matching with preset rules in the FPGA, and determining an intrusion detection result of the network data according to the matching result, so that the detection efficiency of network intrusion detection is improved, and the memory consumption is reduced.
The embodiment of the application also provides an electronic device, as shown in fig. 4, which comprises a processor 401, a communication interface 402, a memory 403 and a communication bus 404, wherein the processor 401, the communication interface 402 and the memory 403 complete communication with each other through the communication bus 404,
a memory 403 for storing executable instructions of the processor;
a processor 401 configured to execute via execution of the executable instructions:
receiving network data, and analyzing GTP protocol data in the network data based on a preset analysis algorithm to obtain analysis data;
caching the network data into a key-value database based on the analysis data, and formatting the network data according to a preset data format to obtain formatted data;
writing the formatted data into a current sub-buffer area in a preset circulating buffer area to obtain current buffer data;
processing the current buffer data according to the processing type of the current buffer data to obtain data to be matched, wherein the processing type comprises a creating operation, a modifying operation or a deleting operation;
and sending the data to be matched to an FPGA, matching the data with preset rules in the FPGA, and determining an intrusion detection result of the network data according to a matching result.
The communication bus may be a PCI (peripheral component interconnect) bus, an EISA (extended industry standard architecture) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration, only one bold line is drawn in the figure, but this does not mean there is only one bus or only one type of bus.
The communication interface is used for communication between the terminal and other devices.
The memory may include RAM (random access memory) or may include nonvolatile memory, such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a CPU (central processing unit), an NP (network processor), and the like; it may also be a DSP (digital signal processor), an ASIC (application specific integrated circuit), an FPGA or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
In yet another embodiment of the present application, a computer readable storage medium is provided, in which a computer program is stored, which when executed by a processor implements the network intrusion detection method as described above.
In yet another embodiment of the present application, there is also provided a computer program product containing instructions that, when run on a computer, cause the computer to perform the network intrusion detection method as described above.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, these instructions produce, in whole or in part, the flows or functions according to the embodiments of the present application. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, fiber optic, digital subscriber line) or wireless (e.g., infrared, radio, microwave) means. The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk), etc.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, each embodiment is described in a related manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments.
The foregoing description is only of the preferred embodiments of the present application and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (8)

1. A network intrusion detection method, applied to a surica framework, the method comprising:
receiving network data, and analyzing GTP protocol data in the network data based on a preset analysis algorithm to obtain analysis data;
caching the network data into a key-value database based on the analysis data, and formatting the network data according to a preset data format to obtain formatted data;
writing the formatted data into a current sub-buffer area in a preset circulating buffer area to obtain current buffer data;
processing the current buffer data according to the processing type of the current buffer data to obtain data to be matched, wherein the processing type comprises a creating operation, a modifying operation or a deleting operation;
the data to be matched are sent to an FPGA and matched with preset rules in the FPGA, and an intrusion detection result of the network data is determined according to the matching result;
processing the current buffer data according to the operation type of the current buffer data to obtain data to be matched, wherein the data to be matched is specifically:
determining a current hash value according to the hash factor of the current buffer data;
inquiring a preset hash table according to the current hash value, and processing the current buffer data according to the operation type and the inquiring result to obtain data to be matched;
the hash factor comprises a GTP protocol version, an intranet IP address and an extranet IP address, and the preset hash table is established in advance according to cached data in the FPGA;
inquiring a preset hash table according to the current hash value, and processing the current buffer data according to the operation type and the inquiring result to obtain data to be matched, wherein the data to be matched are specifically:
if the processing type is the creation operation or the modification operation and the current hash value does not exist in the preset hash table, filling the current hash value into the preset hash table, and taking the current buffer data as the data to be matched;
and if the processing type is the modification operation and the current hash value exists in the preset hash table, deleting old data corresponding to the current hash value in the FPGA, and taking the current buffer data as the data to be matched.
2. The method of claim 1, wherein after querying a preset hash table based on the current hash value, the method further comprises:
if the processing type is the creation operation and the current hash value exists in the preset hash table, updating the time stamp of the old data;
if the processing type is the deleting operation and the current hash value exists in the preset hash table, deleting the current hash value from the preset hash table and deleting the old data in the FPGA;
and if the processing type is the deleting operation and the current hash value does not exist in the preset hash table, the current sub-buffer area is emptied.
3. The method of claim 1, wherein the pre-set circular buffer includes a head pointer, a receive pointer, and a process pointer, the head pointer pointing to a head sub-buffer in the pre-set circular buffer, the formatted data being written to the current sub-buffer based on the receive pointer, the current buffered data being retrieved and processed based on the process pointer.
4. A method as claimed in claim 3, wherein the method further comprises:
after the current buffer data is obtained, the receiving pointer is pointed to the next sub-buffer area of the current sub-buffer area;
and after the data to be matched are obtained, the current sub-buffer is emptied.
5. The method of claim 1, wherein after obtaining the parsed data, the method further comprises:
caching time data of the network data, and judging whether overtime unprocessed data exists in the preset circulating buffer zone or the FPGA according to the time data;
if yes, deleting the overtime unprocessed data.
6. A network intrusion detection device for use in a surica framework, the device comprising:
the analysis module is used for receiving the network data, and analyzing GTP protocol data in the network data based on a preset analysis algorithm to obtain analysis data;
the formatting module is used for caching the network data into a key-value database based on the analysis data, and formatting the network data according to a preset data format to obtain formatted data;
the writing module is used for writing the formatted data into a current sub-buffer area in a preset circulating buffer area to obtain current buffer data;
the processing module is used for processing the current buffer data according to the processing type of the current buffer data to obtain data to be matched, wherein the processing type comprises a creating operation, a modifying operation or a deleting operation;
the matching module is used for sending the data to be matched to the FPGA and matching with preset rules in the FPGA, and determining an intrusion detection result of the network data according to a matching result;
the processing module is specifically configured to:
determining a current hash value according to the hash factor of the current buffer data;
inquiring a preset hash table according to the current hash value, and processing the current buffer data according to the operation type and the inquiring result to obtain data to be matched;
the hash factor comprises a GTP protocol version, an intranet IP address and an extranet IP address, and the preset hash table is established in advance according to cached data in the FPGA;
the processing module is further specifically configured to:
if the processing type is the creation operation or the modification operation and the current hash value does not exist in the preset hash table, filling the current hash value into the preset hash table, and taking the current buffer data as the data to be matched;
and if the processing type is the modification operation and the current hash value exists in the preset hash table, deleting old data corresponding to the current hash value in the FPGA, and taking the current buffer data as the data to be matched.
7. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the network intrusion detection method of any one of claims 1-5 via execution of the executable instructions.
8. A computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the network intrusion detection method according to any one of claims 1 to 5.
CN202310051407.6A 2023-02-02 2023-02-02 Network intrusion detection method and device, electronic equipment and storage medium Active CN116055191B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310051407.6A CN116055191B (en) 2023-02-02 2023-02-02 Network intrusion detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116055191A CN116055191A (en) 2023-05-02
CN116055191B true CN116055191B (en) 2023-09-29

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant