CN116366318A - Network security engine acceleration method, device, equipment and storage medium - Google Patents


Info

Publication number
CN116366318A
Authority
CN
China
Prior art keywords
data
queue
data packet
decryption
decrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310274778.0A
Other languages
Chinese (zh)
Inventor
陈绪锋
王欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN202310274778.0A
Publication of CN116366318A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a network security engine acceleration method, a device, equipment and a storage medium, which relate to the field of network security and comprise the following steps: extracting data packets from Rx queues of the multi-queue network card, determining a session related to the data packets according to meta information extracted from the data packets, and determining whether to block the data packets according to session information; if not, the key information and the ciphertext data are extracted from the data packet and written into the decryption device; and reading decrypted data obtained by decrypting the ciphertext data by the decryption device through the key information from the decryption device in a polling mode, carrying out HTTP analysis on the decrypted data, sending the analyzed data to a security engine for threat detection, and determining whether to block the data packet based on a detection result. According to the method and the device, the preprocessing flow in the security engine is realized in the VPP protocol stack, the decryption of the HTTPS is unloaded to the decryption equipment, the resource cost of the CPU can be reduced, the processing performance of the security engine is improved, and the acceleration of the network security engine is realized.

Description

Network security engine acceleration method, device, equipment and storage medium
Technical Field
The present invention relates to the field of network security, and in particular, to a method, an apparatus, a device, and a storage medium for accelerating a network security engine.
Background
With the development of the internet, network traffic has grown explosively. For example, the share of traffic carried over SSL (Secure Socket Layer, secure socket layer protocol) grows year by year, processing encrypted traffic is costly for a security engine, and traffic of 50 Gbps or 100 Gbps is now common. Conventional network security engines such as Snort (an intrusion defense system), Suricata (a network threat detection engine) and ModSecurity (a Web application firewall) have serious performance problems: the overall performance of the system is severely limited by decryption performance and cannot handle large-scale network traffic. A conventional network security engine usually receives data packets in the kernel and then maps them to user space for analysis, but this way of exchanging data is very inefficient in a high-traffic scenario, and packet handling becomes the performance bottleneck. Although such an engine can offload part of its functions to kernel-mode processing, the offloaded functionality is very limited and the system easily becomes unstable. Some network security engines instead send and receive data packets from user mode, which solves the packet-reception bottleneck, but HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer, hypertext transfer protocol over secure socket layer) decryption still has to be implemented on the CPU (Central Processing Unit), where it is inefficient, and the packet-processing protocol stack and the network security engine must be deeply bound together, so that in complex logic processing it is difficult to balance the performance and the detection capability of the security engine, and there is no room for expansion. Meanwhile, the attack modes of hackers are increasingly complex and their attack methods diverse, so hidden dangers to data security remain.
Disclosure of Invention
Accordingly, the present invention is directed to a method, apparatus, device and storage medium for accelerating a network security engine, which can reduce the resource overhead of a CPU, greatly improve the processing performance of the security engine, and reduce the processing pressure of the network security engine, thereby realizing acceleration of the network security engine. The specific scheme is as follows:
in a first aspect, the present application discloses a network security engine acceleration method applied to a VPP worker thread, including:
extracting a data packet from an Rx queue of a preconfigured multi-queue network card, and extracting meta information in the data packet;
determining a session related to the data packet according to the meta information, and determining whether to block the data packet according to session information of the session;
if the data packet is not blocked, extracting key information and ciphertext data from the data packet, and writing the key information and the ciphertext data into decryption equipment;
reading decrypted data obtained by decrypting the ciphertext data by the decryption device through the key information from the decryption device in a polling mode, and carrying out HTTP analysis on the decrypted data to obtain analyzed data;
and sending the analyzed data to a security engine to perform threat detection to obtain a corresponding detection result, and determining whether to block the data packet based on the detection result.
Optionally, before extracting the data packet from the Rx queue of the preconfigured multi-queue network card, the method further includes:
checking, in a polling mode, whether a data packet has been written into memory for the Rx queue of the preconfigured multi-queue network card; the Rx queue records the address of the data packet in the memory;
correspondingly, the extracting the data packet from the Rx queue of the preconfigured multi-queue network card includes:
if the polling check finds a data packet written into memory for the Rx queue, extracting the data packet from the Rx queue of the preconfigured multi-queue network card.
Optionally, after checking in the polling mode whether a data packet has been written into memory for the Rx queue of the preconfigured multi-queue network card, the method further includes:
if the polling check finds no data packet written into memory for the Rx queue, continuing to poll and check whether a data packet written into memory is present in the Rx queue.
Optionally, the extracting meta information in the data packet includes:
and extracting the IP address, the port and the protocol type in the data packet.
Optionally, the determining whether to block the data packet based on the detection result includes:
if the detection result shows that the threat is detected, blocking the data packet, and re-executing the step of reading decrypted data obtained by decrypting the ciphertext data by using the key information from the decryption device in a polling mode and the subsequent steps thereof;
allowing the data packet to pass if the detection result indicates that the threat is not detected;
correspondingly, if no threat is detected, after allowing the data packet to pass, the method further comprises:
writing the released data packet into a Tx queue of the multi-queue network card, informing the multi-queue network card so that the multi-queue network card can acquire data from the Tx queue, and sending the data to a service end for processing.
Optionally, the extracting the key information and the ciphertext data from the data packet includes:
and carrying out HTTPS analysis on the data packet to obtain the key information and ciphertext data of SSL/TLS.
Optionally, the writing the key information and the ciphertext data into the decryption device includes:
the key information is sent to decryption equipment, and the ciphertext data is written into a queue to be decrypted;
correspondingly, the reading the decrypted data obtained by the decrypting device decrypting the ciphertext data by using the key information from the decrypting device in a polling mode comprises the following steps:
monitoring whether the queue to be decrypted is empty or not through the decryption equipment;
when the decryption equipment monitors that the queue to be decrypted is not empty, obtaining data to be decrypted from the queue to be decrypted through the decryption equipment, and decrypting the data to be decrypted by utilizing the key information corresponding to the data to be decrypted to obtain decrypted data;
polling the decryption completion queue to monitor whether the decryption completion queue is empty; the decryption completion queue is a queue for storing the decrypted data written by the decryption device;
and when the decryption completion queue is monitored to be not empty, acquiring the decrypted data from the decryption completion queue.
In a second aspect, the present application discloses a network security engine acceleration device, applied to a VPP worker thread, comprising:
the first extraction module is used for extracting data packets from an Rx queue of a preconfigured multi-queue network card;
the meta information extraction module is used for extracting meta information in the data packet;
a session determining module, configured to determine a session related to the data packet according to the meta information;
the first blocking module is used for determining whether to block the data packet according to the session information of the session;
the second extraction module is used for extracting key information and ciphertext data from the data packet if the data packet is not blocked, and writing the key information and the ciphertext data into the decryption device;
the data reading module is used for reading decrypted data obtained by the decryption device decrypting the ciphertext data by utilizing the key information from the decryption device in a polling mode;
the data decryption module is used for carrying out HTTP analysis on the decrypted data to obtain analyzed data;
the data sending module is used for sending the analyzed data to the security engine to perform threat detection to obtain a corresponding detection result;
and the second blocking module is used for determining whether to block the data packet based on the detection result.
In a third aspect, the present application discloses an electronic device comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the network security engine acceleration method disclosed above.
In a fourth aspect, the present application discloses a computer-readable storage medium for storing a computer program; wherein the computer program when executed by a processor implements the steps of the previously disclosed network security engine acceleration method.
It can be seen that the present application provides a network security engine acceleration method applied to a VPP worker thread, including: extracting a data packet from an Rx queue of a preconfigured multi-queue network card, and extracting meta information in the data packet; determining a session related to the data packet according to the meta information, and determining whether to block the data packet according to session information of the session; if the data packet is not blocked, extracting key information and ciphertext data from the data packet, and writing the key information and the ciphertext data into decryption equipment; reading decrypted data obtained by decrypting the ciphertext data by the decryption device through the key information from the decryption device in a polling mode, and carrying out HTTP analysis on the decrypted data to obtain analyzed data; and sending the analyzed data to a security engine to perform threat detection to obtain a corresponding detection result, and determining whether to block the data packet based on the detection result. Therefore, the VPP-based security engine architecture realizes the preprocessing flow in the security engine in the VPP protocol stack and unloads the decryption of HTTPS to the decryption device, so that the resource cost of a CPU can be reduced, the processing performance of the security engine is greatly improved, the processing pressure of the network security engine is reduced, and the acceleration of the network security engine is realized.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a network security engine acceleration method disclosed in the present application;
FIG. 2 is a flowchart of a particular network security engine acceleration method disclosed herein;
FIG. 3 is a schematic diagram of a network security engine acceleration framework disclosed herein;
FIG. 4 is a schematic diagram of a network security engine accelerator disclosed in the present application;
fig. 5 is a block diagram of an electronic device disclosed in the present application.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Currently, because the conventional network security engine has serious performance problems, the overall performance of the system is severely limited by decryption performance, the attack mode of a hacker is increasingly complex, the attack method is various, and hidden danger of data security still exists. Therefore, the application provides a new network security engine acceleration scheme, which can reduce the resource expense of a CPU, greatly improve the processing performance of the security engine and reduce the processing pressure of the network security engine, thereby realizing the acceleration of the network security engine.
The embodiment of the invention discloses a network security engine acceleration method which is applied to a VPP working thread, and is shown in FIG. 1, and the method comprises the following steps:
step S11: and extracting the data packet from the Rx queue of the preconfigured multi-queue network card, and extracting meta information in the data packet.
It can be understood that after the multi-queue network card is preconfigured, when a user accesses a background service, the multi-queue network card receives the data packets and distributes them to different Rx queues through a preset distribution algorithm; therefore, once the VPP working thread starts, it can extract data packets from the Rx queues of the preconfigured multi-queue network card and then extract their meta information, specifically the IP address, the port and the protocol type in the data packet.
It is noted that VPP (Vector Packet Processing) is an extensible open-source framework that provides the functionality of a network switch or router. Vector processing means processing multiple data packets at once, with low latency. The preset distribution algorithm is a hash algorithm, which ensures that data packets of the same session are distributed to the same Rx queue; each working thread is bound to one Rx queue, so the whole life cycle of a data packet is handled by only one working thread, that is, one CPU core. Keeping the life cycle of a data packet on the same CPU is cache-friendly and allows performance optimization techniques such as NUMA awareness, data prefetching, CPU instruction optimization and vector processing to be applied, so that the CPU performs well. A session here means that data packets sharing the same meta information are grouped into the same processing context, the session, which records the processing state; that is, data packets in the same session have the same IP address, the same port and the same protocol type.
In this embodiment, before extracting the data packet from the Rx queue of the preconfigured multi-queue network card, the method further includes: checking, in a polling mode, whether a data packet has been written into memory for the Rx queue of the preconfigured multi-queue network card; the Rx queue records the address of the data packet in the memory. It can be understood that if the polling check finds no data packet written into memory for the Rx queue, polling continues until one is found. Once the polling check finds a data packet written into memory, the steps of extracting the data packet from the Rx queue of the preconfigured multi-queue network card and extracting meta information from the data packet are performed.
Step S12: and determining a session related to the data packet according to the meta information, and determining whether to block the data packet according to session information of the session.
In this embodiment, meta information of the data packet is extracted, that is, an IP address, a port and a protocol type of the data packet are determined, and then a session related to the data packet may be determined according to the meta information, and whether to block the data packet may be determined according to session information of the session. If the session information does not meet the corresponding condition, blocking the data packet, i.e. not allowing the current session to pass.
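The dispatch and session logic of steps S11 and S12, as an added example in C that is not part of the patent and not the applicant's code: it parses the IP addresses, ports and protocol type out of a constructed IPv4/TCP header, hashes the tuple symmetrically so that both directions of one connection land on the same Rx queue and the same session entry, and keeps a per-session block flag that the verdict of step S15 can set. The FNV-1a hash standing in for the network card's distribution algorithm, the table size, the sample packet bytes and all function names are assumptions for illustration.

```c
/* Added example, not the patent's code: meta extraction, symmetric 5-tuple
 * hashing for Rx-queue dispatch, and a session table with a block flag.
 * IPv4/TCP only; hash, table size and sample packets are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; } meta_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Step S11: IP addresses, ports and protocol type of an IPv4 packet.
 * Returns 0 on success, -1 if the packet is truncated or not IPv4. */
int extract_meta(const uint8_t *pkt, size_t len, meta_t *m) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 4) return -1;
    memset(m, 0, sizeof *m);
    m->proto = pkt[9]; m->src_ip = rd32(pkt + 12); m->dst_ip = rd32(pkt + 16);
    if (m->proto == 6 || m->proto == 17) {          /* TCP / UDP carry ports */
        m->src_port = rd16(pkt + ihl); m->dst_port = rd16(pkt + ihl + 2);
    }
    return 0;
}

/* Order the endpoints so both directions of a flow give the same key:
 * this is what keeps one session on one Rx queue and one worker. */
static meta_t canonical(const meta_t *m) {
    meta_t c = *m;
    if (c.src_ip > c.dst_ip || (c.src_ip == c.dst_ip && c.src_port > c.dst_port)) {
        c.src_ip = m->dst_ip; c.dst_ip = m->src_ip; c.src_port = m->dst_port; c.dst_port = m->src_port;
    }
    return c;
}

/* FNV-1a over the canonical tuple, standing in for the network card's hash. */
uint32_t session_hash(const meta_t *m) {
    meta_t c = canonical(m);
    uint8_t key[13];
    wr32(key, c.src_ip); wr32(key + 4, c.dst_ip);
    wr16(key + 8, c.src_port); wr16(key + 10, c.dst_port); key[12] = c.proto;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof key; i++) { h ^= key[i]; h *= 16777619u; }
    return h;
}
/* Rx queue the preset distribution algorithm picks among nqueues queues. */
uint32_t rx_queue_for(const meta_t *m, uint32_t nqueues) { return session_hash(m) % nqueues; }

#define MAX_SESSIONS 64
typedef struct { meta_t key; int used, blocked; uint32_t pkts; } session_t;
typedef struct { session_t slots[MAX_SESSIONS]; } session_table_t;

static int meta_eq(const meta_t *a, const meta_t *b) {
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip && a->proto == b->proto &&
           a->src_port == b->src_port && a->dst_port == b->dst_port;
}

/* Step S12: the session for this meta information, created on first sight
 * (fig. 2). Open addressing with linear probing; NULL when the table is full. */
session_t *session_lookup_or_create(session_table_t *t, const meta_t *m) {
    meta_t k = canonical(m);
    uint32_t h = session_hash(m) % MAX_SESSIONS;
    for (uint32_t i = 0; i < MAX_SESSIONS; i++) {
        session_t *s = &t->slots[(h + i) % MAX_SESSIONS];
        if (!s->used) { s->used = 1; s->key = k; return s; }
        if (meta_eq(&s->key, &k)) return s;
    }
    return NULL;
}

/* 1 = continue to HTTPS parsing, 0 = session is blocked, -1 = malformed or table full. */
int admit_packet(session_table_t *t, const uint8_t *pkt, size_t len) {
    meta_t m;
    if (extract_meta(pkt, len, &m) != 0) return -1;
    session_t *s = session_lookup_or_create(t, &m);
    if (!s) return -1;
    s->pkts++;
    return s->blocked ? 0 : 1;
}

/* Constructed sample: minimal IPv4 + TCP headers, 40 bytes, no payload. */
void build_ipv4_tcp(uint8_t out[40], uint32_t sip, uint32_t dip, uint16_t sport, uint16_t dport) {
    memset(out, 0, 40);
    out[0] = 0x45; out[9] = 6;                      /* IPv4, IHL 5 words; TCP */
    wr32(out + 12, sip); wr32(out + 16, dip); wr16(out + 20, sport); wr16(out + 22, dport);
}

/* Both directions of one connection hit the same queue and session, and a
 * block set on the session (step S15 verdict) stops the reply. Returns 1. */
int demo_session_affinity(void) {
    session_table_t t; memset(&t, 0, sizeof t);
    uint8_t a[40], b[40]; meta_t ma, mb;
    build_ipv4_tcp(a, 0x0A000001, 0xC0A80002, 51000, 443);   /* client -> server */
    build_ipv4_tcp(b, 0xC0A80002, 0x0A000001, 443, 51000);   /* server -> client */
    if (extract_meta(a, 40, &ma) || extract_meta(b, 40, &mb)) return 0;
    if (rx_queue_for(&ma, 8) != rx_queue_for(&mb, 8)) return 0;
    if (admit_packet(&t, a, 40) != 1) return 0;
    session_t *s = session_lookup_or_create(&t, &mb);
    if (!s || s->pkts != 1) return 0;               /* reply found the existing session */
    s->blocked = 1;
    return admit_packet(&t, b, 40) == 0;
}

int demo_rejects_truncated(void) { uint8_t buf[10] = {0x45}; meta_t m; return extract_meta(buf, 10, &m); }
```

The symmetric ordering in `canonical` is the detail that makes the "same session, same Rx queue, same worker" property of the description hold for replies as well as requests; a hash over the raw, unordered tuple would send the two directions of one connection to different queues and the session state set by a verdict would not be seen on the return path.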
Step S13: and if the data packet is not blocked, extracting key information and ciphertext data from the data packet, and writing the key information and the ciphertext data into decryption equipment.
If the session information meets the corresponding conditions, the data packet is not blocked, namely the current session is released, then the key information and the ciphertext data are extracted from the data packet, the key information and the ciphertext data are written into the decryption device, specifically, the data packet is subjected to HTTPS analysis to obtain the key information and the ciphertext data of SSL/TLS (Transport Layer Security, secure transmission layer), the key information is sent to the decryption device, and the ciphertext data are written into a queue to be decrypted. It can be understood that in this embodiment, the decryption task of HTTPS is offloaded to the decryption device, so that the processing burden of the CPU is greatly reduced, and the processing performance of the security engine is greatly improved.
Step S14: and reading decrypted data obtained by decrypting the ciphertext data by the decryption device through the key information from the decryption device in a polling mode, and carrying out HTTP analysis on the decrypted data to obtain analyzed data.
In this embodiment, the decryption device completes decryption of ciphertext data, and the VPP worker thread reads decrypted data obtained by decrypting the ciphertext data by the decryption device using the key information from the decryption device in a polling manner, and performs HTTP analysis on the decrypted data to obtain analyzed data. Specifically, monitoring whether the queue to be decrypted is empty or not through the decryption device; when the decryption equipment monitors that the queue to be decrypted is not empty, obtaining data to be decrypted from the queue to be decrypted through the decryption equipment, and decrypting the data to be decrypted by utilizing the key information corresponding to the data to be decrypted to obtain decrypted data; then polling the decryption completion queue to monitor whether the decryption completion queue is empty; the decryption completion queue is a queue for storing the decrypted data written by the decryption device; and when the decryption completion queue is monitored to be not empty, acquiring the decrypted data from the decryption completion queue, and finally carrying out HTTP analysis on the decrypted data to obtain analyzed data.
Step S15: and sending the analyzed data to a security engine to perform threat detection to obtain a corresponding detection result, and determining whether to block the data packet based on the detection result.
It should be noted that a network security engine here denotes a class of traffic engines that identify hacker-initiated actions according to traffic characteristics, block attacks and release normal traffic, such as a WAF (Web Application Firewall), an IDS (Intrusion Detection System), an IPS (Intrusion Prevention System) and the like.
In this embodiment, after performing HTTP analysis on the decrypted data to obtain parsed data, the parsed data is sent to a security engine to perform threat detection to obtain a corresponding detection result, and whether to block the data packet is determined based on the detection result. It can be understood that if the detection result indicates that a threat is detected, the data packet is blocked, and the step of reading decrypted data obtained by decrypting the ciphertext data using the key information from the decryption device by polling and the subsequent steps thereof are re-performed; and if the detection result shows that the threat is not detected, allowing the data packet to pass through, writing the released data packet into a Tx queue of the multi-queue network card, informing the multi-queue network card so that the multi-queue network card can acquire data from the Tx queue, and sending the data to a service end for processing. And when a threat is detected, session information may also be updated and the step of determining whether to block the data packet based on the session information may be skipped.
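The hand-off between the worker thread and the decryption device in steps S13 to S15, as an added example in C that is not part of the patent and not the applicant's code: a queue to be decrypted, a decryption completion queue and a Tx queue are modelled as single-producer, single-consumer rings, the simulated device drains its input when polled, and the worker polls the completion queue, runs a minimal HTTP request-line check and a constructed detection rule, and releases only clean records to the Tx queue. The repeating-key XOR standing in for SSL/TLS record decryption, the ring size, the job layout, the `<script>` rule and all names are assumptions for illustration.

```c
/* Added example, not the patent's code: the worker / decryption-device hand-off
 * of steps S13-S15 over single-producer single-consumer rings. The device is
 * simulated; a repeating-key XOR stands in for TLS record decryption, and the
 * ring size, job layout and "<script>" rule are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RING_SIZE 8                 /* power of two */
#define KEY_LEN   16
#define MAX_DATA  63

typedef struct {
    uint32_t session_id;
    uint8_t  key[KEY_LEN];          /* key information from HTTPS parsing */
    size_t   len;
    uint8_t  data[MAX_DATA + 1];    /* ciphertext in, NUL-terminated plaintext out */
} job_t;

/* SPSC ring: only the producer advances tail, only the consumer advances head. */
typedef struct { uint32_t head, tail; job_t slots[RING_SIZE]; } ring_t;

int ring_count(const ring_t *r) { return (int)(r->tail - r->head); }
int ring_push(ring_t *r, const job_t *j) {
    if (ring_count(r) == RING_SIZE) return 0;       /* full: caller must back off */
    r->slots[r->tail % RING_SIZE] = *j; r->tail++;
    return 1;
}
int ring_pop(ring_t *r, job_t *j) {
    if (ring_count(r) == 0) return 0;
    *j = r->slots[r->head % RING_SIZE]; r->head++;
    return 1;
}

/* Stand-in cipher (symmetric, so it also builds the sample ciphertext). */
static void xor_bytes(uint8_t *buf, size_t len, const uint8_t *key) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key[i % KEY_LEN];
}

/* Step S13, worker side: key + ciphertext into the queue to be decrypted. */
int worker_submit(ring_t *to_decrypt, uint32_t sid, const uint8_t *key, const uint8_t *ct, size_t len) {
    if (len > MAX_DATA) return 0;
    job_t j = { .session_id = sid, .len = len };
    memcpy(j.key, key, KEY_LEN); memcpy(j.data, ct, len);
    return ring_push(to_decrypt, &j);
}

/* Decryption device: drain its input queue into the completion queue.
 * Stops early rather than dropping a job when the completion queue is full. */
int device_poll(ring_t *to_decrypt, ring_t *done) {
    job_t j; int n = 0;
    while (ring_count(to_decrypt) > 0 && ring_count(done) < RING_SIZE) {
        ring_pop(to_decrypt, &j);
        xor_bytes(j.data, j.len, j.key); j.data[j.len] = 0;
        ring_push(done, &j); n++;
    }
    return n;
}

typedef struct { uint32_t session_id; int threat; } verdict_t;

/* Steps S14/S15 on one plaintext record:
 * 1 = threat detected, 0 = clean, -1 = not an HTTP request line. */
int inspect_plaintext(const char *pt) {
    if (!strchr(pt, ' ') || !strstr(pt, " HTTP/")) return -1;
    return strstr(pt, "<script>") != NULL;          /* constructed detection rule */
}

/* Worker side of step S14: poll the completion queue; clean records go to the
 * network card's Tx queue (step S15), anything else stays blocked. Returns records seen. */
int worker_poll_completions(ring_t *done, ring_t *tx, verdict_t *out, int max) {
    job_t j; int n = 0;
    while (n < max && ring_pop(done, &j)) {
        int r = inspect_plaintext((const char *)j.data);
        out[n].session_id = j.session_id; out[n].threat = (r != 0);
        if (r == 0) ring_push(tx, &j);
        n++;
    }
    return n;
}

/* Two constructed records through the whole path. Returns a bitmask:
 * bit 0 = first record clean and on the Tx queue, bit 1 = second record flagged. */
int demo_offload_pipeline(void) {
    ring_t to_decrypt, done, tx; verdict_t v[2];
    memset(&to_decrypt, 0, sizeof to_decrypt); memset(&done, 0, sizeof done); memset(&tx, 0, sizeof tx);
    uint8_t key[KEY_LEN]; memcpy(key, "0123456789abcdef", KEY_LEN);
    const char *p1 = "GET /index.html HTTP/1.1\r\n", *p2 = "GET /?q=<script> HTTP/1.1\r\n";
    uint8_t c1[MAX_DATA], c2[MAX_DATA];
    memcpy(c1, p1, strlen(p1)); xor_bytes(c1, strlen(p1), key);   /* "encrypt" the samples */
    memcpy(c2, p2, strlen(p2)); xor_bytes(c2, strlen(p2), key);
    if (!worker_submit(&to_decrypt, 1, key, c1, strlen(p1))) return 0;
    if (!worker_submit(&to_decrypt, 2, key, c2, strlen(p2))) return 0;
    if (device_poll(&to_decrypt, &done) != 2) return 0;
    if (worker_poll_completions(&done, &tx, v, 2) != 2) return 0;
    return (!v[0].threat && ring_count(&tx) == 1 ? 1 : 0) | (v[1].threat ? 2 : 0);
}

/* A full queue to be decrypted refuses new jobs instead of overwriting. Returns 1. */
int demo_backpressure(void) {
    ring_t r; job_t j; memset(&r, 0, sizeof r); memset(&j, 0, sizeof j);
    for (int i = 0; i < RING_SIZE; i++) if (!ring_push(&r, &j)) return 0;
    if (ring_push(&r, &j)) return 0;
    return ring_pop(&r, &j) && ring_push(&r, &j);
}
```

The description's polling loops only say what happens when a queue is non-empty; the two ring checks here cover the other edge, a full queue. `worker_submit` reports the failure so the worker can retry the packet later, and `device_poll` stops before popping a job it could not hand back, so nothing decrypted is silently lost between the device and the worker.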
Therefore, in the embodiment of the application, the security engine architecture based on the VPP realizes the preprocessing flow in the security engine in the VPP protocol stack and unloads the decryption of the HTTPS to the decryption device, so that the resource cost of the CPU can be reduced, the processing performance of the security engine is greatly improved, the processing pressure of the network security engine is reduced, and the acceleration of the network security engine is realized.
For example, referring to fig. 2, an input data packet is acquired in a polling mode and its meta information is extracted; whether a corresponding session exists is determined according to the meta information, and if not, a session is created; if the session exists, whether the data packet is blocked is determined according to the session information of that session. If the data packet is not blocked, HTTPS analysis is performed on it to obtain the key information and ciphertext data of SSL/TLS, and the key information and ciphertext data corresponding to the current data packet are written into the decryption device, that is, the HTTPS decryption task is offloaded to the decryption device. Once the key information has been associated with the ciphertext data, polling continues to obtain a new data packet; after the decryption device finishes decrypting, it writes the plaintext data into the decryption completion queue. The VPP Worker polls the decryption completion queue, and when it is found to be non-empty, reads the decrypted data from it, performs HTTP analysis on the decrypted data and sends the parsed data to the security engine for threat detection. If a threat is detected, the data packet is blocked and the session information is updated; if no threat is detected, the data packet is released and sent on through the network card.
For another example, referring to fig. 3, when the client accesses the background service, the multi-queue network card receives the data packets and distributes them to different Rx queues, each working thread being bound to one Rx queue. The working thread checks in a polling mode whether a data packet has been written into memory; if so, it takes the data packet out of the Rx queue and extracts its meta information, namely the IP address, port, protocol type and so on, associates the data packet with a session according to that meta information (that is, determines the session related to the data packet), and then determines from the session content whether the data packet is blocked. If it is not blocked, HTTPS analysis is performed on the data packet to obtain the key information and ciphertext data of SSL/TLS; the key information is sent to the decryption device and the ciphertext data is written into the queue to be decrypted. When the decryption device finds that the queue to be decrypted is not empty, it takes the data to be decrypted from that queue, and after finishing decryption writes the result into the decryption completion queue. When the decryption completion queue is not empty, the working thread takes the data out of it, performs HTTP analysis, and sends the parsed data to the security engine for threat detection. If no threat is detected, the data packet is written directly into the Tx queue of the network card and the network card is notified to fetch the data from the Tx queue and send it to the service end; if a threat is detected, the data packet is blocked and the session information is updated. Therefore, the VPP captures data packets in a polling mode and the preprocessing flow of the security engine is implemented in the VPP protocol stack, which reduces the overhead of the preprocessing stage for each data packet; in addition, the decryption task is offloaded to dedicated hardware decryption equipment, which greatly reduces the processing burden of the CPU and improves the processing performance of the security engine.
Correspondingly, the embodiment of the application also discloses a network security engine accelerating device, which is applied to the VPP working thread, and is shown in FIG. 4, and the device comprises:
a first extraction module 11, configured to extract a data packet from an Rx queue of a preconfigured multi-queue network card;
a meta information extraction module 12, configured to extract meta information in the data packet;
a session determining module 13, configured to determine a session related to the data packet according to the meta information;
a first blocking module 14, configured to determine whether to block the data packet according to session information of the session;
a second extraction module 15, configured to extract key information and ciphertext data from the data packet if the data packet is not blocked, and write the key information and ciphertext data into a decryption device;
a data reading module 16, configured to read, by means of polling, decrypted data obtained by the decryption device decrypting the ciphertext data using the key information from the decryption device;
the data decryption module 17 is configured to perform HTTP analysis on the decrypted data to obtain parsed data;
the data sending module 18 is configured to send the parsed data to the security engine for threat detection to obtain a corresponding detection result;
a second blocking module 19, configured to determine whether to block the data packet based on the detection result.
From the above, in the VPP-based security engine architecture in this embodiment, the preprocessing flow in the security engine is implemented in the VPP protocol stack, and the decryption of HTTPS is offloaded to the decryption device, so that the resource overhead of the CPU can be reduced, the processing performance of the security engine is greatly improved, and the processing pressure of the network security engine is reduced, thereby implementing acceleration of the network security engine.
In some specific embodiments, the network security engine acceleration device may specifically include:
the data packet checking module is used for checking, in polling mode, whether the Rx queue of the preconfigured multi-queue network card has a data packet written into the memory; the Rx queue records the address of the data packet in the memory;
in some specific embodiments, the first extraction module 11 may specifically include:
and the first extraction unit is used for extracting the data packet from the Rx queue of the preconfigured multi-queue network card if it is found by polling that the Rx queue has a data packet written into the memory.
In some specific embodiments, the data packet checking module may specifically include:
and the polling checking unit is used for continuing to poll and check whether the Rx queue has a data packet written into the memory if it is found by polling that the Rx queue has no data packet written into the memory.
In some specific embodiments, the meta information extraction module 12 may specifically include:
and a unit configured to extract the IP address, the port and the protocol type from the data packet.
In some specific embodiments, the second blocking module 19 may specifically include:
a blocking unit, configured to block the data packet and re-execute the step of reading, from the decryption device, decrypted data obtained by decrypting the ciphertext data using the key information and subsequent steps thereof, if the detection result indicates that a threat is detected;
in some specific embodiments, the second blocking module 19 may specifically include:
a releasing unit, configured to allow the data packet to pass if the detection result indicates that no threat is detected;
In some specific embodiments, for the case where the data packet is allowed to pass because the detection result indicates that no threat is detected, the device may further include:
and the data processing unit is used for writing the released data packet into a Tx queue of the multi-queue network card, notifying the multi-queue network card so that the multi-queue network card can acquire data from the Tx queue, and sending the data to a service end for processing.
In some specific embodiments, the second extraction module 15 may specifically include:
and the extraction unit is used for carrying out HTTPS analysis on the data packet to obtain the key information and ciphertext data of SSL/TLS.
In some specific embodiments, the second extraction module 15 may specifically include:
a key transmission unit configured to transmit the key information to a decryption device;
the ciphertext writing unit is used for writing the ciphertext data into a queue to be decrypted;
in some specific embodiments, the data reading module 16 may specifically include:
the monitoring unit is used for monitoring whether the queue to be decrypted is empty or not through the decryption equipment;
the first data acquisition unit is used for acquiring data to be decrypted from the queue to be decrypted through the decryption equipment when the decryption equipment monitors that the queue to be decrypted is not empty, and decrypting the data to be decrypted by utilizing the key information corresponding to the data to be decrypted to obtain decrypted data;
the polling monitoring unit is used for polling the decryption completion queue to monitor whether the decryption completion queue is empty; the decryption completion queue is a queue for storing the decrypted data written by the decryption device;
and the second data acquisition unit is used for acquiring the decrypted data from the decryption completion queue when the decryption completion queue is not empty.
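The worker-thread flow of fig. 3 and the device modules above, modelled as an added example that is not part of this patent or of VPP: a worker takes a batch from its Rx queue, applies the session decision on the meta information, hands key and ciphertext to a mock decryption device through a queue to be decrypted, polls a decryption completion queue, and then either blocks the packet or releases it to the Tx queue. The XOR "cipher", the TCP/443-only session policy and the "../" detection rule are constructed stand-ins for SSL/TLS, the session table and the security engine.

```c
#include <string.h>
#include <stdint.h>
#define QCAP 16      /* ring capacity; each ring holds at most QCAP-1 packets */
#define PAYLOAD 64
/* A packet as the worker thread sees it. The "ciphertext" is a constructed
 * stand-in (XOR with a one-byte key), not a real SSL/TLS record. */
typedef struct {
    uint32_t src_ip; uint16_t port; uint8_t proto;  /* meta information */
    uint8_t key;                                     /* key information handed to the device */
    char data[PAYLOAD]; size_t len;                  /* ciphertext in, plaintext out */
    int blocked;
} pkt_t;
/* Single-producer/single-consumer ring, used alike for the queue to be
 * decrypted, the decryption completion queue and the Tx queue. */
typedef struct { pkt_t *slot[QCAP]; int head, tail; } ring_t;
static int ring_empty(const ring_t *r) { return r->head == r->tail; }
static int ring_push(ring_t *r, pkt_t *p) {
    int next = (r->tail + 1) % QCAP;
    if (next == r->head) return 0;                   /* full: caller must drain first */
    r->slot[r->tail] = p; r->tail = next; return 1;
}
static pkt_t *ring_pop(ring_t *r) {
    pkt_t *p = r->slot[r->head]; r->head = (r->head + 1) % QCAP; return p;
}
/* Stage 1: session check on meta information. Constructed policy: only TCP/443 continues. */
static int session_blocks(const pkt_t *p) { return !(p->port == 443 && p->proto == 6); }
/* Mock decryption device: runs when the queue to be decrypted is not empty,
 * decrypts with the key it was handed and writes to the completion queue. */
static void device_poll(ring_t *todo, ring_t *done) {
    while (!ring_empty(todo)) {
        pkt_t *p = ring_pop(todo);
        for (size_t i = 0; i < p->len; i++) p->data[i] ^= p->key;
        ring_push(done, p);
    }
}
/* Stage 2: HTTP analysis and threat detection on plaintext. Constructed rule:
 * a request line containing "../" is reported as a path-traversal attempt. */
static int engine_detects_threat(const pkt_t *p) { return strstr(p->data, "../") != NULL; }
typedef struct { int session_blocked, engine_blocked, released; } stats_t;
/* Worker side: poll the completion queue, analyse, then block or release to Tx. */
static void drain_done(ring_t *done, ring_t *tx, stats_t *s) {
    while (!ring_empty(done)) {
        pkt_t *p = ring_pop(done);
        if (engine_detects_threat(p)) { p->blocked = 1; s->engine_blocked++; continue; }
        if (ring_push(tx, p)) s->released++;         /* NIC is then notified; a full Tx ring drops */
    }
}
/* One worker-thread pass over a batch taken from its Rx queue. */
stats_t worker_run(pkt_t *batch, int n, ring_t *todo, ring_t *done, ring_t *tx) {
    stats_t s = {0, 0, 0};
    for (int i = 0; i < n; i++) {
        pkt_t *p = &batch[i];
        if (session_blocks(p)) { p->blocked = 1; s.session_blocked++; continue; }
        if (!ring_push(todo, p)) {                   /* backpressure: let the device catch up */
            device_poll(todo, done); drain_done(done, tx, &s); ring_push(todo, p);
        }
    }
    device_poll(todo, done);                         /* a real device runs concurrently */
    drain_done(done, tx, &s);
    return s;
}
/* Build a constructed packet whose payload is "encrypted" under key. */
pkt_t make_pkt(uint32_t ip, uint16_t port, uint8_t proto, uint8_t key, const char *plain) {
    pkt_t p; memset(&p, 0, sizeof p);
    p.src_ip = ip; p.port = port; p.proto = proto; p.key = key;
    p.len = strlen(plain); if (p.len > PAYLOAD - 1) p.len = PAYLOAD - 1;
    for (size_t i = 0; i < p.len; i++) p.data[i] = (char)(plain[i] ^ key);
    return p;
}
```

Running a batch of three constructed packets through `worker_run` shows the two blocking points: the plain-HTTP packet never reaches the device, the traversal probe is blocked after decryption, and only the clean request lands in the Tx ring.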
Further, the embodiment of the application also provides electronic equipment. Fig. 5 is a block diagram of an electronic device 20, according to an exemplary embodiment, and the contents of the diagram should not be construed as limiting the scope of use of the present application in any way.
Fig. 5 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. Wherein the memory 22 is configured to store a computer program that is loaded and executed by the processor 21 to implement relevant steps in the network security engine acceleration method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 23 is configured to provide an operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein; the input/output interface 25 is used for acquiring external input data or outputting external output data, and the specific interface type thereof may be selected according to the specific application requirement, which is not limited herein.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon may include an operating system 221, a computer program 222, and the like, and the storage may be temporary storage or permanent storage.
The operating system 221 is used for managing and controlling the various hardware devices on the electronic device 20 and the computer programs 222, and may be Windows Server, NetWare, Unix, Linux, etc. Besides the computer program that performs the network security engine acceleration method disclosed in any of the previous embodiments, the computer programs 222 may further include computer programs for other specific tasks.
Further, the embodiment of the application also discloses a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and when the computer program is loaded and executed by a processor, the steps of the network security engine acceleration method disclosed in any of the previous embodiments are realized.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description of the network security engine acceleration method, device, equipment and storage medium provided by the present invention applies specific examples to illustrate the principles and embodiments of the present invention, and the above examples are only used to help understand the method and core ideas of the present invention; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present invention, the present description should not be construed as limiting the present invention in view of the above.

Claims (10)

1. A network security engine acceleration method, applied to a VPP worker thread, comprising:
extracting a data packet from an Rx queue of a preconfigured multi-queue network card, and extracting meta information in the data packet;
determining a session related to the data packet according to the meta information, and determining whether to block the data packet according to session information of the session;
if the data packet is not blocked, extracting key information and ciphertext data from the data packet, and writing the key information and the ciphertext data into decryption equipment;
reading decrypted data obtained by decrypting the ciphertext data by the decryption device through the key information from the decryption device in a polling mode, and carrying out HTTP analysis on the decrypted data to obtain analyzed data;
and sending the analyzed data to a security engine to perform threat detection to obtain a corresponding detection result, and determining whether to block the data packet based on the detection result.
2. The network security engine acceleration method of claim 1, further comprising, prior to extracting the data packet from the Rx queue of the preconfigured multi-queue network card:
checking, in a polling mode, whether an Rx queue of a preconfigured multi-queue network card has a data packet written into a memory; the Rx queue records the address of the data packet in the memory;
correspondingly, the extracting the data packet from the Rx queue of the preconfigured multi-queue network card includes:
and if it is found by polling that the Rx queue has a data packet written into the memory, extracting the data packet from the Rx queue of the preconfigured multi-queue network card.
3. The acceleration method of claim 2, wherein the checking whether the Rx queue of the preconfigured multi-queue network card has a packet written into the memory by polling further comprises:
if it is found by polling that the Rx queue has no data packet written into the memory, continuing to poll and check whether the Rx queue has a data packet written into the memory.
4. The network security engine acceleration method of claim 1, wherein the extracting meta information in the data packet comprises:
and extracting the IP address, the port and the protocol type in the data packet.
5. The network security engine acceleration method of claim 1, wherein the determining whether to block the data packet based on the detection result comprises:
if the detection result shows that the threat is detected, blocking the data packet, and re-executing the step of reading decrypted data obtained by decrypting the ciphertext data by using the key information from the decryption device in a polling mode and the subsequent steps thereof;
allowing the data packet to pass if the detection result indicates that the threat is not detected;
correspondingly, if no threat is detected, after allowing the data packet to pass, the method further comprises:
writing the released data packet into a Tx queue of the multi-queue network card, informing the multi-queue network card so that the multi-queue network card can acquire data from the Tx queue, and sending the data to a service end for processing.
6. The network security engine acceleration method of claim 1, wherein the extracting key information and ciphertext data from the data packet comprises:
and carrying out HTTPS analysis on the data packet to obtain the key information and ciphertext data of SSL/TLS.
7. The network security engine acceleration method of any one of claims 1-6, wherein the writing of the key information and the ciphertext data into a decryption device comprises:
the key information is sent to decryption equipment, and the ciphertext data is written into a queue to be decrypted;
correspondingly, the reading the decrypted data obtained by the decrypting device decrypting the ciphertext data by using the key information from the decrypting device in a polling mode comprises the following steps:
monitoring whether the queue to be decrypted is empty or not through the decryption equipment;
when the decryption equipment monitors that the queue to be decrypted is not empty, obtaining data to be decrypted from the queue to be decrypted through the decryption equipment, and decrypting the data to be decrypted by utilizing the key information corresponding to the data to be decrypted to obtain decrypted data;
polling the decryption completion queue to monitor whether the decryption completion queue is empty; the decryption completion queue is a queue for storing the decrypted data written by the decryption device;
and when the decryption completion queue is monitored to be not empty, acquiring the decrypted data from the decryption completion queue.
8. A network security engine acceleration device, for use with a VPP worker thread, comprising:
the first extraction module is used for extracting data packets from an Rx queue of a preconfigured multi-queue network card;
the meta information extraction module is used for extracting meta information in the data packet;
a session determining module, configured to determine a session related to the data packet according to the meta information;
the first blocking module is used for determining whether to block the data packet according to the session information of the session;
the second extraction module is used for extracting key information and ciphertext data from the data packet if the data packet is not blocked, and writing the key information and the ciphertext data into the decryption device;
the data reading module is used for reading decrypted data obtained by the decryption device decrypting the ciphertext data by utilizing the key information from the decryption device in a polling mode;
the data decryption module is used for carrying out HTTP analysis on the decrypted data to obtain analyzed data;
the data sending module is used for sending the analyzed data to the security engine to perform threat detection to obtain a corresponding detection result;
and the second blocking module is used for determining whether to block the data packet based on the detection result.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the network security engine acceleration method of any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program; wherein the computer program when executed by a processor implements the steps of the network security engine acceleration method of any of claims 1 to 7.
CN202310274778.0A 2023-03-15 2023-03-15 Network security engine acceleration method, device, equipment and storage medium Pending CN116366318A (en)


Publications (1)

Publication Number Publication Date
CN116366318A true CN116366318A (en) 2023-06-30

Family

ID=86913296



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination