CN1282333C - Multiline program loading equialization method of invading detection - Google Patents

Multiline program loading equialization method of invading detection

Info

Publication number
CN1282333C
Authority
CN
China
Prior art keywords
packet
thread
load
network
intrusion detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN 200410005921
Other languages
Chinese (zh)
Other versions
CN1561032A (en)
Inventor
田野
张玉军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai InfoTM Microelectronics Co., Ltd.
Original Assignee
Institute of Computing Technology of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Computing Technology of CAS
Priority to CN 200410005921
Publication of CN1561032A
Application granted
Publication of CN1282333C
Anticipated expiration
Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a multithreaded load-balancing method for intrusion detection, in the field of network security technology. Network intrusion detection is carried out by pipelined multithreaded concurrent processing and consists mainly of the following steps: in step one, a packet capturing thread captures packets from the network in a loop; in step two, each detection thread reads the packets in its corresponding queue in a loop and performs rule matching, and packets that match are put into an alarm queue; in step three, an alarm thread reads the packets in the alarm queue in a loop and outputs them as alarms. The present invention uses multiple threads in place of multiple detectors, which greatly improves system resource utilisation, so that the detection performance of a system adopting this method is greatly improved. At the same time, if the method is combined with the two traditional load-balancing methods, the load of the whole system can be shared effectively, the occurrence of system bottlenecks can be reduced, and the overall efficiency of the system can be improved, so that the system can meet the intrusion detection needs of a high-speed network environment.

Description

A multithreaded load-balancing method for intrusion detection
Technical field
The present invention relates to the field of network security technology, in particular to a multithreaded load-balancing method for intrusion detection, and especially to a multithreaded load-balancing method for network intrusion detection based on signature analysis.
Background technology
Since Denning proposed the first intrusion detection system model in 1987, intrusion detection technology has developed rapidly. With the spread of networks in recent years, network intrusion detection has gradually replaced host-based detection as the mainstream of intrusion detection research. A network intrusion detection system (NIDS) detects attacks by analysing network traffic. Because the rapid development of network technology and network applications keeps increasing the data traffic on networks, network bandwidth is improving rapidly: traditional 10Mbps networks are quickly being replaced by 100Mbps and 1000Mbps networks. In such a high-speed environment, intercepting every packet on the network and performing complex intrusion detection analysis on it is increasingly beyond what traditional intrusion detection technology can do.
To analyse large amounts of network data in real time on a high-speed network, in particular a 1000Mbps network, intrusion detection must keep up with the traffic. When the rate at which data to be analysed is generated exceeds the processing capacity, data will inevitably be discarded before it can be analysed. This gives rise to the load problem in NIDS, which has become one of the bottlenecks limiting NIDS performance. Realising load balancing in a network intrusion detection system has therefore become the main research direction for adapting NIDS to high-speed networks.
The number of packets to be processed per unit time and the size of the rule base are the two main factors that influence the performance of an intrusion detection system. Existing intrusion detection load-balancing methods are mainly studied around these two factors. Their main idea is shown in Figure 1: a control centre (center) distributes the load to be handled among the detectors (sensors) according to a certain scheme, based on factors such as the network data traffic and the actual processing capacity of each detector, and each detector then performs intrusion detection on the network data. The load here may be either the detection rules in the rule base or the packets on the network. Depending on the kind of load that is shared, current load-balancing methods fall into the following two types:
Rule-based multi-detector load balancing. In this method, the load that the control centre distributes to the detectors is the intrusion detection rules, and each detector is responsible for a part of the detection rules. When some detector cannot keep up with the data, load balancing is achieved by increasing the number of detectors or by having the control centre dynamically adjust the number of detection rules on each detector.
Application-based multi-detector load balancing. In this method, the control centre distributes packets of different kinds (http packets, telnet packets, ftp packets, udp packets, etc.) to the detectors as the load. Each detector is responsible only for detecting a certain class (or a few classes) of application traffic, and the detection rules it maintains target only those specific applications. When some detector cannot keep up with the data, load balancing is achieved by increasing the number of detectors.
Both methods share the load by adding detectors and achieve load balancing to a certain extent, so as to adapt to high-speed networks. But they essentially complete all the detection work simply by adding hardware resources, and do not start from optimising the intrusion detection system itself. The detection principle on each detector is basically the same, so the original bottleneck of the detection system still exists. The flow of intrusion detection on each detector is shown in Figure 2: as can be seen from the figure, the system must take every intercepted packet through the process parse → rule match → alarm output before it can intercept the next packet. Yet any of these three steps may become the bottleneck of the system, because once a bottleneck appears in any step, the system can no longer intercept the following packets, serious packet loss occurs, and the system suffers a high rate of missed detections.
Summary of the invention
The object of the present invention is to provide a multithreaded load-balancing method for intrusion detection.
The main purpose of the present invention is to break with the traditional serial detection pattern, adopt pipelined multithreaded concurrent processing, and at the same time combine it with the load-balancing methods for intrusion detection, thereby realising multithreaded load balancing for intrusion detection.
The traditional intrusion detection pattern is a serial detection pattern; the present invention turns serial into concurrent. The three steps of the basic intrusion detection flow, packet capture, detection and alarm, are executed concurrently by three classes of threads; each thread completes only its own function, and the threads communicate through corresponding queues. This greatly improves the speed of packet capture, detection and alarm, and eliminates the bottlenecks that these three processes impose on the system.
In combination with the traditional load-balancing methods, the present invention classifies the detection threads by packet kind: each thread is responsible only for maintaining one class of detection rules and detecting one class of packets. Multiple threads can thus process packets of different classes at the same time, effectively sharing the load of the whole system and improving its overall efficiency.
Technical scheme of the invention
The present invention realises network intrusion detection by pipelined multithreaded concurrent processing combined with load balancing.
The three steps of the basic intrusion detection flow, namely packet capture S1, rule matching S2 and alarm output S3, are executed concurrently by three classes of threads; each thread completes only its own function, and the threads communicate through corresponding queues.
The traditional load-balancing methods are combined with multithreading: the detectors in the traditional load-balancing methods are replaced by threads, and each thread maintains its own rules and performs independent intrusion detection in parallel.
Description of drawings
Fig. 1 is a schematic diagram of the load-balancing method of a network intrusion detection system.
Fig. 2 is the flow chart of an intrusion detection system.
Fig. 3 is the implementation block diagram of the multithreading-based load-balancing method of the present invention.
Fig. 4 is the intrusion detection flow chart based on the multithreaded load-balancing method of the present invention.
Embodiment
The present invention realises load balancing of a network intrusion detection system through multithreaded concurrency. The specific implementation block diagram is shown in Figure 3.
The main steps of the present invention are as follows:
First, perform initialisation: open the network interface and prepare to intercept network packets.
Then, create the corresponding threads. The function completed by each thread is as follows:
Thread 1: the packet capturing thread, equivalent to the control centre. It intercepts packets from the network and puts them into the corresponding queue 1, 2, ... n-2 according to the kind of packet (HTTP, TELNET, ICMP, etc.);
Threads 2, 3, ... n-1: the detection threads, equivalent to the detectors. Each reads the rule file it maintains, builds the corresponding rule chain, then reads packets from its own queue, parses them and performs rule matching, and finally puts the packets that need an alarm into queue n-1;
Thread n: the alarm thread. It reads the packets in queue n-1 and outputs alarms.
The overall implementation flow of the three classes of threads is shown in Fig. 4.
Step S1, the packet capturing thread: the packet capturing thread captures packets from the network in a loop. It implements packet capture in bypass monitoring mode using a commonly used packet capture library, classifies the captured packets by kind and puts them into the corresponding detection queue. This thread loops over two operations: packet capture and classification.
Step S2, the detection threads: each detection thread reads packets from its own detection queue in a loop, matches them against the preset rules using a commonly used pattern matching algorithm, and puts the packets that match successfully into the alarm queue. This thread loops over three operations: reading packets, matching, and storing packets.
Step S3, the alarm thread: the alarm thread reads packets from the alarm queue in a loop and outputs the main information of each packet as an alarm by storing it in a database. This thread loops over two operations: reading packets and alarm output.
In this way the serial steps of packet capture, detection and alarm become concurrent, which greatly improves the speed of packet capture, detection and alarm and eliminates the bottlenecks that these three steps impose on the system.
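To make the thread and queue layout of steps S1 to S3 concrete, here is an added example written for this page (not code from the patent or its authors): a three-stage pipeline using Python's standard `threading` and `queue` modules, with one capture thread, one detection thread per packet class holding only its own rules, and one alarm thread. Real packet capture is replaced by a constructed packet list, the signatures are hypothetical, and alarm output goes to a list instead of a database.

```python
import queue
import re
import threading

# Constructed sample traffic, (kind, payload): the kind stands in for the
# protocol classification (HTTP, TELNET, ICMP ...) done by the capture thread.
SAMPLE_PACKETS = [
    ("HTTP", "GET /index.html HTTP/1.1"),
    ("HTTP", "GET /cgi-bin/../../etc/passwd HTTP/1.1"),
    ("TELNET", "login: operator"),
    ("TELNET", "su root"),
    ("ICMP", "echo request"),
    ("FTP", "USER anonymous"),  # no FTP detection thread exists: dropped
]
# Constructed per-class rule sets (hypothetical signatures, not the patent's);
# each detection thread maintains only the rules of its own packet class.
RULES = {
    "HTTP": {"http-dir-traversal": re.compile(r"\.\./")},
    "TELNET": {"telnet-su-root": re.compile(r"\bsu\s+root\b")},
    "ICMP": {},
}
STOP = object()  # sentinel: tells a consumer its producer has finished

def capture_thread(packets, detect_queues):
    """Step S1: capture packets (here: walk the constructed list) and put each
    into the detection queue of its kind; kinds without a queue are dropped."""
    for kind, payload in packets:
        q = detect_queues.get(kind)
        if q is not None:
            q.put(payload)
    for q in detect_queues.values():  # signal every detector that capture is over
        q.put(STOP)

def detect_thread(kind, rules, in_queue, alarm_queue):
    """Step S2: read packets of one class, match them against this thread's own
    rules, forward hits to the alarm queue (queue n-1 in the patent's numbering)."""
    while (payload := in_queue.get()) is not STOP:
        for rule_name, pattern in rules.items():
            if pattern.search(payload):
                alarm_queue.put((kind, rule_name, payload))
    alarm_queue.put(STOP)  # one STOP per detection thread

def alarm_thread(alarm_queue, n_detectors, alarms):
    """Step S3: drain the alarm queue and output each alarm (appended to a list
    here; the patent stores it in a database)."""
    remaining = n_detectors
    while remaining:
        item = alarm_queue.get()
        if item is STOP:
            remaining -= 1
        else:
            alarms.append(item)

def run_pipeline(packets, rules):
    """Wire capture -> per-class detection -> alarm threads through queues.
    Alarms are sorted because detection threads finish in no fixed order."""
    detect_queues = {kind: queue.Queue() for kind in rules}
    alarm_queue, alarms = queue.Queue(), []
    workers = [threading.Thread(target=capture_thread, args=(packets, detect_queues))]
    for kind, ruleset in rules.items():
        workers.append(threading.Thread(
            target=detect_thread, args=(kind, ruleset, detect_queues[kind], alarm_queue)))
    workers.append(threading.Thread(target=alarm_thread, args=(alarm_queue, len(rules), alarms)))
    for t in workers:
        t.start()
    for t in workers:
        t.join()
    return sorted(alarms)
```

Calling `run_pipeline(SAMPLE_PACKETS, RULES)` yields one alarm from the HTTP thread and one from the TELNET thread; the unmatched and unclassified packets produce nothing.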
The multithreading-based load-balancing technique we propose breaks the traditional serial processing mode of packet capture → unpacking → rule matching → alarm output → capture next packet → ..., and adopts pipelined concurrent processing in which each thread completes only its own function. Combined with existing load-balancing methods, with multiple threads corresponding to multiple detectors, it greatly improves system resource utilisation, so that a system adopting this mode is greatly improved in detection performance. If this pattern is combined with the two load-balancing methods described above, the load of the whole system can be shared more effectively, system bottlenecks that might occur are eliminated, and overall system efficiency is improved, making it better able to meet the needs of high-speed network development.
The method of the present invention is realised by multithreaded concurrency and, combined with the traditional network intrusion detection load-balancing methods, replaces multiple detectors with multiple threads, greatly improving system resource utilisation, so that a system adopting this method is greatly improved in detection performance. If this pattern is combined with the two traditional load-balancing methods, the load of the whole system can be shared more effectively, system bottlenecks that might occur are reduced, and overall system efficiency is improved, making it better able to meet the intrusion detection needs of a high-speed network environment.

Claims (3)

1. A multithreaded load-balancing method for intrusion detection, characterised in that pipelined multithreaded concurrent processing is combined with load balancing to realise network intrusion detection in the following steps: the three steps of the basic intrusion detection flow, namely packet capture S1, rule matching S2 and alarm output S3, are executed concurrently by three classes of threads, each thread completes only its own function, and the threads communicate through corresponding queues.
2. The multithreaded load-balancing method for intrusion detection according to claim 1, characterised in that the traditional load-balancing methods are combined with multithreading, the detectors in the traditional load-balancing methods are replaced by threads, and each thread maintains its own rules and performs independent intrusion detection in parallel.
3. The multithreaded load-balancing method for intrusion detection according to claim 1, characterised in that it comprises the following concrete steps:
Step S1: a packet capturing thread captures packets from the network in a loop, and puts the captured packets, classified by kind, into the corresponding detection queue;
Step S2: each detection thread reads the packets in its corresponding queue in a loop, matches them against the preset rules, and puts the packets that match successfully into the alarm queue;
Step S3: an alarm thread reads the packets in the alarm queue in a loop, and outputs the main information of each packet as an alarm by storing it in a database.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200410005921 CN1282333C (en) 2004-02-24 2004-02-24 Multiline program loading equialization method of invading detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200410005921 CN1282333C (en) 2004-02-24 2004-02-24 Multiline program loading equialization method of invading detection

Publications (2)

Publication Number Publication Date
CN1561032A CN1561032A (en) 2005-01-05
CN1282333C true CN1282333C (en) 2006-10-25

Family

ID=34439696

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200410005921 Expired - Fee Related CN1282333C (en) 2004-02-24 2004-02-24 Multiline program loading equialization method of invading detection

Country Status (1)

Country Link
CN (1) CN1282333C (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101060411B (en) * 2007-05-23 2013-04-03 西安交大捷普网络科技有限公司 A multi-mode matching method for improving the detection rate and efficiency of intrusion detection system
US7895425B2 (en) * 2007-08-03 2011-02-22 Cisco Technology, Inc. Operation, administration and maintenance (OAM) in a service insertion architecture (SIA)
CN101299758B (en) * 2008-05-21 2011-05-11 网御神州科技(北京)有限公司 Well-regulated group system for cosmically processing event as well as processing method
CN101729573B (en) * 2009-12-18 2012-05-30 四川长虹电器股份有限公司 Dynamic load balancing method of network intrusion detection
CN106792856B (en) * 2016-12-27 2020-04-10 武汉虹信通信技术有限责任公司 Wireless network element management system alarm processing method based on equipment level parallelism
CN113626198B (en) * 2021-08-19 2024-03-26 上海观安信息技术股份有限公司 Database flow load balancing system and method

Also Published As

Publication number Publication date
CN1561032A (en) 2005-01-05

Similar Documents

Publication Publication Date Title
CN111614627B (en) SDN-oriented cross-plane cooperation DDOS detection and defense method and system
US10523692B2 (en) Load balancing method and apparatus in intrusion detection system
US8095973B2 (en) Apparatus and method for detecting network attack
US9584533B2 (en) Performance enhancements for finding top traffic patterns
CN103475653A (en) Method for detecting network data package
US20090092057A1 (en) Network Monitoring System with Enhanced Performance
CN107181612A (en) A kind of visual network method for safety monitoring based on big data
US20120039336A1 (en) High Performance, High Bandwidth Network Operating System
Jiang et al. Scalable high-performance parallel design for network intrusion detection systems on many-core processors
CN110222503A (en) Database audit method, system and equipment under a kind of load of high amount of traffic
Zheng et al. Algorithms to speedup pattern matching for network intrusion detection systems
CN1282333C (en) Multiline program loading equialization method of invading detection
CN101729573A (en) Dynamic load balancing method of network intrusion detection
TW201349797A (en) A network flow abnormality detection system and a method of the same
Haagdorens et al. Improving the performance of signature-based network intrusion detection sensors by multi-threading
CN1968180A (en) Multilevel aggregation-based abnormal flow control method and system
Shuai et al. Performance optimization of Snort based on DPDK and Hyperscan
Wang et al. Practice of parallelizing network applications on multi-core architectures
CN1881938A (en) Method and system for preventing and detecting proxy
CN112468509A (en) Deep learning technology-based automatic flow data detection method and device
Jiang et al. Load balancing by ruleset partition for parallel IDS on multi-core processors
Chen et al. Para-snort: A multi-thread snort on multi-core ia platform
CN1317855C (en) Invasion detecting system and its invasion detecting method
Li et al. A parallel packet processing method on multi-core systems
Xiang et al. Using multi-core processors to support network security applications

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: SHANGHAI INFOT MICROELECTRONICS CO., LTD.

Free format text: FORMER OWNER: INST. OF COMPUTING TECHNOLOGY, CHINESE ACADEMY OF SCIENCES

Effective date: 20110919

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100080 HAIDIAN, BEIJING TO: 201203 PUDONG NEW AREA, SHANGHAI

TR01 Transfer of patent right

Effective date of registration: 20110919

Address after: 201203, 11, Lane 572, Lane 115, blue wave road, Zhangjiang hi tech park, Shanghai

Patentee after: Shanghai InfoTM Microelectronics Co., Ltd.

Address before: 100080 No. 6 South Road, Zhongguancun Academy of Sciences, Beijing

Patentee before: Institute of Computing Technology, Chinese Academy of Sciences

C56 Change in the name or address of the patentee

Owner name: SHANGHAI INFOTM MICROELECTRONICS CO., LTD.

Free format text: FORMER NAME: SHANGHAI INFOT MICROELECTRONICS CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 201203, 11, Lane 572, Lane 115, blue wave road, Zhangjiang hi tech park, Shanghai

Patentee after: Shanghai InfoTM Microelectronics Co., Ltd.

Address before: 201203, 11, Lane 572, Lane 115, blue wave road, Zhangjiang hi tech park, Shanghai

Patentee before: Shanghai InfoTM Microelectronics Co., Ltd.

DD01 Delivery of document by public notice

Addressee: Shanghai InfoTM Microelectronics Co., Ltd.

Document name: Notification to Pay the Fees

DD01 Delivery of document by public notice

Addressee: Shanghai InfoTM Microelectronics Co., Ltd.

Document name: Notification to Pay the Fees

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20061025

Termination date: 20170224