CN1282333C - Multiline program loading equialization method of invading detection - Google Patents
Multiline program loading equialization method of invading detection Download PDFInfo
- Publication number
- CN1282333C CN1282333C CN 200410005921 CN200410005921A CN1282333C CN 1282333 C CN1282333 C CN 1282333C CN 200410005921 CN200410005921 CN 200410005921 CN 200410005921 A CN200410005921 A CN 200410005921A CN 1282333 C CN1282333 C CN 1282333C
- Authority
- CN
- China
- Prior art keywords
- thread
- data packets
- intrusion detection
- load balancing
- alarm
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 70
- 238000000034 method Methods 0.000 title claims abstract description 42
- 239000000523 sample Substances 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 238000004458 analytical method Methods 0.000 description 2
- 238000007405 data analysis Methods 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 238000003672 processing method Methods 0.000 description 1
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
本发明涉及网络安全技术领域的一种入侵检测的多线程负载均衡方法。通过采用流水线式的多线程并发处理,网络入侵检测的主要步骤:S1,抓包线程循环从网络中捕获数据包;S2,各个检测线程循环读取相应队列中的数据包,进行规则匹配,并将匹配的数据包放入告警队列;S3,告警线程循环读取告警队列中的数据包,并告警输出。以多个线程代替多个探测器,大大提高了系统资源的利用率,从而使采用这种方法的系统在检测性能上有了很大的提高。同时若将这种模式与传统的两种负载均衡方法相结合,则能更有效地分担整个系统的负载,减少可能出现的系统瓶颈,提高系统整体效率,使其更能适应高速网络环境下的入侵检测需要。
The invention relates to a multi-thread load balancing method for intrusion detection in the technical field of network security. By adopting pipelined multi-thread concurrent processing, the main steps of network intrusion detection: S1, the packet capture thread cyclically captures data packets from the network; S2, each detection thread cyclically reads the data packets in the corresponding queue, performs rule matching, and Put the matching data packets into the alarm queue; S3, the alarm thread reads the data packets in the alarm queue cyclically, and outputs an alarm. Replacing multiple detectors with multiple threads greatly improves the utilization rate of system resources, so that the detection performance of the system adopting this method is greatly improved. At the same time, if this mode is combined with the traditional two load balancing methods, it can more effectively share the load of the entire system, reduce possible system bottlenecks, improve the overall efficiency of the system, and make it more adaptable to high-speed network environments. Intrusion detection required.
Description
技术领域technical field
本发明涉及网络安全技术领域,特别是一种入侵检测的多线程负载均衡方法。尤其是一种针对基于特征分析的网络入侵检测的多线程负载均衡方法。The invention relates to the technical field of network security, in particular to a multi-thread load balancing method for intrusion detection. In particular, a multithreaded load balancing method for network intrusion detection based on signature analysis.
背景技术Background technique
自从Denning在1987年提出第一个入侵检测系统模型以来,入侵检测技术得到了快速的发展。随着近几年网络的普及,网络入侵检测已逐渐取代基于主机的检测而成为入侵检测研究的主流。网络入侵检测系统(NIDS)通过分析网络流量来实现对攻击的检测。由于网络技术和网络应用的迅速发展使得网络上的数据流量不断加大,网络带宽飞速提高,传统的10Mbps网络已迅速被100Mbps、1000Mbps网络所取代,在如此高速的环境下,要将网络中全部数据包都截获下来,并做复杂的入侵检测分析,传统的入侵检测技术已显得越来越力不从心。Since Denning proposed the first intrusion detection system model in 1987, intrusion detection technology has developed rapidly. With the popularization of network in recent years, network intrusion detection has gradually replaced host-based detection and has become the mainstream of intrusion detection research. A network intrusion detection system (NIDS) detects attacks by analyzing network traffic. Due to the rapid development of network technology and network applications, the data traffic on the network is continuously increasing, and the network bandwidth is rapidly increasing. The traditional 10Mbps network has been quickly replaced by 100Mbps and 1000Mbps networks. The data packets are all intercepted, and complex intrusion detection and analysis are performed. The traditional intrusion detection technology has become more and more powerless.
为了实现对高速网络特别是1000Mbps网络环境下的实时入侵检测,大量的网络数据分析是不可避免的。当待分析数据的产生速度超过处理能力时,必然导致数据来不及分析就丢弃。由此引出NIDS中的负载问题,它成为制约NIDS性能的瓶颈之一。因此,对网络入侵检测系统实现负载均衡,已成为网络入侵检测系统适应高速网络的一个主要研究方向。In order to realize real-time intrusion detection on high-speed network, especially in 1000Mbps network environment, a large amount of network data analysis is inevitable. When the generation speed of the data to be analyzed exceeds the processing capacity, the data will inevitably be discarded before it can be analyzed in time. This leads to the load problem in NIDS, which becomes one of the bottlenecks restricting the performance of NIDS. Therefore, to achieve load balance for network intrusion detection system has become a main research direction for network intrusion detection system to adapt to high-speed network.
单位时间内需要处理的数据包的数量、规则库的规模是影响入侵检测系统性能的两大主要因素。现有针对入侵检测的负载均衡方法主要围绕这两个因素进行研究。它的主要思路如图1所示:控制中心(center)根据网络数据流量、各探测器实际处理能力等因素,将待完成负载量按一定方案分担给各探测器(sensor),由各探测器实施对网络数据的入侵检测。这里的负载量可以是检测规则库中的规则或者网络中的数据包。根据所分担负载量的种类不同,目前的负载均衡方法分为以下两种:The number of data packets to be processed per unit time and the size of the rule base are two main factors affecting the performance of an intrusion detection system. The existing load balancing methods for intrusion detection mainly focus on these two factors. Its main idea is shown in Figure 1: the control center (center) distributes the load to be completed to each sensor (sensor) according to a certain plan according to factors such as network data flow and the actual processing capacity of each sensor. Implement intrusion detection on network data. The payload here may be a rule in the detection rule base or a data packet in the network. According to the different types of load sharing, the current load balancing methods are divided into the following two types:
·基于规则的多探测器负载均衡法。在该方法中,控制中心分担给各探测器的负载量就是入侵检测规则,每个探测器负责一部分检测规则。当出现某些探测器来不及处理数据时,可以通过增加探测器的数量或者由控制中心动态地调整各探测器的检测规则数以实现负载均衡。· Rule-based multi-probe load balancing method. In this method, the load shared by the control center to each detector is the intrusion detection rule, and each detector is responsible for a part of the detection rule. When some detectors are too late to process data, load balancing can be achieved by increasing the number of detectors or dynamically adjusting the number of detection rules of each detector by the control center.
·基于应用的多探测器负载均衡法。在该方法中,控制中心将不同种类(http包、telnet包、ftp包、udp包等)的数据包作为负载量,分担给各探测器。每个探测器只负责某一类(或几类)具体应用网络流量的检测,它们维护的检测规则也仅仅针对某些具体应用。当出现某些探测器来不及处理数据时,可通过增加探测器的数量,达到负载均衡目的。· Application-based multi-probe load balancing method. In this method, the control center distributes data packets of different types (http packets, telnet packets, ftp packets, udp packets, etc.) as loads to each detector. Each detector is only responsible for the detection of a certain type (or several types) of specific application network traffic, and the detection rules they maintain are only for certain specific applications. When some probes are too late to process data, you can increase the number of probes to achieve load balancing.
以上两种方法通过增加探测器来分担负载量,在一定程度上达到负载均衡,以适应高速网络。但是,它们基本上只是通过简单的增加硬件资源来完成所有的检测工作,而没从入侵检测系统本身的优化入手。每个探测器上检测原理基本相同,因此检测系统原有的瓶颈在这里依然存在。每个探测器上进行入侵检测的流程如图2所示:由图中可以看出,系统对截获的每一个数据包都要经过解析→规则匹配→告警输出这个过程,然后系统才会去截获下一个数据包。然而,这三个步骤都有可能成为系统的瓶颈。当系统因为在任何一步的处理出现瓶颈后,都将导致系统不能截获后面的数据包,出现严重的丢包现象,导致系统出现极高的漏报率。The above two methods share the load by adding detectors, and achieve load balancing to a certain extent to adapt to high-speed networks. However, they basically complete all the detection work by simply increasing hardware resources, without starting from the optimization of the intrusion detection system itself. The detection principle on each detector is basically the same, so the original bottleneck of the detection system still exists here. The flow of intrusion detection on each detector is shown in Figure 2: As can be seen from the figure, the system will go through the process of parsing → rule matching → alarm output for each intercepted data packet, and then the system will intercept next packet. However, all three steps may become the bottleneck of the system. When the system has a bottleneck in any step of processing, the system will not be able to intercept the subsequent data packets, and serious packet loss will occur, resulting in a very high false negative rate in the system.
发明内容Contents of the invention
本发明的目的在于提供一种入侵检测的多线程负载均衡方法。The purpose of the present invention is to provide a multi-thread load balancing method for intrusion detection.
本发明的主要目的就是打破传统的串行检测模式,采用流水线式的多线程并发处理,同时结合入侵检测的负载均衡方法,实现入侵检测的多线程负载均衡。The main purpose of the present invention is to break the traditional serial detection mode, adopt pipelined multi-thread concurrent processing, and combine the load balancing method of intrusion detection to realize the multi-thread load balance of intrusion detection.
传统入侵检测模式为串行检测模式,本发明改串行为并发。将基本入侵检测流程中的三个步骤:抓包、检测、告警分别由三类线程并发执行,各线程只完成各自功能,线程间通过相应队列实现通信。从而大大提高了抓包、检测、告警速度,消除了这三个过程给系统造成的瓶颈。The traditional intrusion detection mode is a serial detection mode, and the present invention changes the serial behavior to be concurrent. The three steps in the basic intrusion detection process: packet capture, detection, and alarm are executed concurrently by three types of threads. Each thread only completes its own function, and the threads communicate through corresponding queues. Thus, the speed of packet capture, detection, and alarm is greatly improved, and the bottleneck caused by these three processes to the system is eliminated.
本发明结合传统负载均衡方法,将检测类线程按数据包种类进行分类,每个线程只负责维护一类检测规则,检测一类数据包。从而使多个线程可同时处理不同类的数据包,有效地分担了整个系统的负载,提高了系统的整体效率。The invention combines the traditional load balancing method to classify the detection threads according to the types of data packets, and each thread is only responsible for maintaining one type of detection rules and detecting one type of data packets. Therefore, multiple threads can process different types of data packets at the same time, effectively sharing the load of the entire system, and improving the overall efficiency of the system.
发明技术方案invention technical solution
本发明采用流水线式的多线程并发处理并结合负载均衡的方式实现网络入侵检测。The invention realizes network intrusion detection by means of pipelined multi-thread concurrent processing combined with load balancing.
将基本入侵检测流程中的三个步骤即抓包S1、规则匹配S2、告警输出S3分别由三类线程并发执行,各线程只完成各自功能,线程间通过相应队列实现通信。The three steps in the basic intrusion detection process, that is, packet capture S1, rule matching S2, and alarm output S3, are executed concurrently by three types of threads. Each thread only completes its own function, and the threads communicate through corresponding queues.
把传统负载均衡方法与多线程结合,传统负载均衡方法中的探测器由线程代替,各线程维护自己的规则,并行的进行相互独立的入侵检测。Combining the traditional load balancing method with multi-threading, the detectors in the traditional load balancing method are replaced by threads, each thread maintains its own rules, and performs independent intrusion detection in parallel.
附图说明Description of drawings
图1是网络入侵检测系统的负载均衡法示意图。Fig. 1 is a schematic diagram of a load balancing method of a network intrusion detection system.
图2是入侵检测系统流程图。Figure 2 is a flow chart of the intrusion detection system.
图3是本发明的基于多线程的负载均衡法实现框图。Fig. 3 is a block diagram of the implementation of the load balancing method based on multithreading in the present invention.
图4是本发明的基于多线程负载均衡法的入侵检测流程图。Fig. 4 is a flow chart of the intrusion detection based on the multi-thread load balancing method of the present invention.
具体实施方式Detailed ways
本发明通过多线程并发执行来实现网络入侵检测系统的负载均衡。具体实现框图如图3所示。The invention realizes the load balance of the network intrusion detection system through multi-thread concurrent execution. The specific implementation block diagram is shown in Figure 3.
本发明实现的主要步骤如下:The main steps that the present invention realizes are as follows:
线程1:抓包线程,相当于控制中心。从网络中截获数据包,根据数据包的种类(HTTP、TELNET、ICMP等)放入相应的队列1、2…n-2;Thread 1: Packet capture thread, which is equivalent to the control center. Intercept data packets from the network and put them into corresponding queues 1, 2...n-2 according to the type of data packets (HTTP, TELNET, ICMP, etc.);
线程2、3…n-1:检测线程,相当于各个探测器。读取各自维护的规则文件,建立相应的规则链表,然后从各自队列中读取数据包进行解析、规则匹配,最后将需要告警的数据包放入队列n-1;Threads 2, 3...n-1: detection threads, equivalent to each detector. Read the rule files maintained by each, establish the corresponding rule list, then read the data packets from the respective queues for parsing and rule matching, and finally put the data packets that need to be alarmed into the queue n-1;
线程n:告警线程。读取队列n-1中的数据包,告警输出。Thread n: Alarm thread. Read the data packets in the queue n-1, and output the alarm.
三类线程的整体实现流程图见图4。其中步骤S1,抓包线程:由抓包线程循环从网络中捕获数据包,抓包线程采用旁路监听的方式使用常用的抓包库实现网络抓包,并根据数据包种类,把捕获的数据包分类放入对应的检测队列。该线程将循环实现抓包、分类两个操作;步骤S2,检测线程:由各个检测线程循环读取各自检测队列中的数据包,采用常用的模式匹配算法与预先设定的规则进行匹配,并将匹配成功的数据包放入告警队列。该线程将循环实现读取数据包、匹配、存储数据包三个操作;步骤S3,告警线程:由告警线程循环告警线程读取告警队列中的数据包,并将数据包的主要信息通过存入数据库方式告警输出。该线程将循环实现读取数据包、告警输出两个操作。通过这种方式,就将串行的抓包、检测、告警三步骤变成了并发执行,从而大大提高了抓包、检测、告警速度,消除了这三个步骤给系统造成的瓶颈。The overall implementation flow chart of the three types of threads is shown in Figure 4. Among them, step S1, packet capture thread: the packet capture thread loops to capture data packets from the network. Packets are classified into corresponding detection queues. This thread will loop to realize the two operations of packet capture and classification; step S2, detection thread: the data packets in the respective detection queues are cyclically read by each detection thread, and the commonly used pattern matching algorithm is used to match with the preset rules, and Put the successfully matched data packets into the alarm queue. This thread will loop to realize the three operations of reading data packets, matching, and storing data packets; step S3, alarm thread: read the data packets in the alarm queue by the alarm thread loop alarm thread, and store the main information of the data packets through the Alarm output in database mode. This thread will loop to realize two operations of reading data packets and alarm output. In this way, the serial three steps of packet capture, detection, and alarm are turned into concurrent execution, thereby greatly improving the speed of packet capture, detection, and alarm, and eliminating the bottleneck caused by these three steps to the system.
我们提出的基于多线程的负载均衡技术打破了传统的抓包→解包→规则匹配→告警输出→抓下一个包→……的串行处理方式,采用流水线式的并发处理,各个线程只完成各自的功能,同时结合现有负载均衡方法,多线程对应多探测器,大大提高了系统资源的利用率,从而使采用这种方式的系统在检测性能上有了很大的提高。同时若将这种模式与前两种负载均衡方法相结合,则能更有效地分担整个系统的负载,消除可能出现的系统瓶颈,提高了系统整体效率,使其更能适应高速网络发展的需要。The multi-thread-based load balancing technology we proposed breaks the traditional serial processing method of capturing packets→unpacking→rule matching→alarm output→grabbing the next packet→…, adopts pipelined concurrent processing, and each thread only completes Each function, combined with the existing load balancing method, multi-thread corresponds to multi-detector, greatly improves the utilization rate of system resources, so that the detection performance of the system adopting this method has been greatly improved. At the same time, if this mode is combined with the first two load balancing methods, it can more effectively share the load of the entire system, eliminate possible system bottlenecks, improve the overall efficiency of the system, and make it more adaptable to the needs of high-speed network development. .
本发明的方法以多线程并发的方式实现,并结合传统网络入侵检测的负载均衡方法,以多个线程代替多个探测器,大大提高了系统资源的利用率,从而使采用这种方法的系统在检测性能上有了很大的提高。同时若将这种模式与传统的两种负载均衡方法相结合,则能更有效地分担整个系统的负载,减少可能出现的系统瓶颈,提高系统整体效率,使其更能适应高速网络环境下的入侵检测需要。The method of the present invention is implemented in a multi-thread concurrent manner, combined with the load balancing method of traditional network intrusion detection, and replaces multiple detectors with multiple threads, which greatly improves the utilization rate of system resources, so that the system using this method The detection performance has been greatly improved. At the same time, if this mode is combined with the traditional two load balancing methods, it can more effectively share the load of the entire system, reduce possible system bottlenecks, improve the overall efficiency of the system, and make it more adaptable to high-speed network environments. Intrusion detection required.
Claims (3)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200410005921 CN1282333C (en) | 2004-02-24 | 2004-02-24 | Multiline program loading equialization method of invading detection |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200410005921 CN1282333C (en) | 2004-02-24 | 2004-02-24 | Multiline program loading equialization method of invading detection |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1561032A CN1561032A (en) | 2005-01-05 |
| CN1282333C true CN1282333C (en) | 2006-10-25 |
Family
ID=34439696
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 200410005921 Expired - Fee Related CN1282333C (en) | 2004-02-24 | 2004-02-24 | Multiline program loading equialization method of invading detection |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1282333C (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101060411B (en) * | 2007-05-23 | 2013-04-03 | 西安交大捷普网络科技有限公司 | A multi-mode matching method for improving the detection rate and efficiency of intrusion detection system |
| US7895425B2 (en) * | 2007-08-03 | 2011-02-22 | Cisco Technology, Inc. | Operation, administration and maintenance (OAM) in a service insertion architecture (SIA) |
| CN101299758B (en) * | 2008-05-21 | 2011-05-11 | 网御神州科技(北京)有限公司 | Well-regulated group system for cosmically processing event as well as processing method |
| CN101729573B (en) * | 2009-12-18 | 2012-05-30 | 四川长虹电器股份有限公司 | A Dynamic Load Balancing Method for Network Intrusion Detection |
| CN106792856B (en) * | 2016-12-27 | 2020-04-10 | 武汉虹信通信技术有限责任公司 | Wireless network element management system alarm processing method based on equipment level parallelism |
| CN113626198B (en) * | 2021-08-19 | 2024-03-26 | 上海观安信息技术股份有限公司 | Database flow load balancing system and method |
-
2004
- 2004-02-24 CN CN 200410005921 patent/CN1282333C/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| CN1561032A (en) | 2005-01-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Paxson et al. | An architecture for exploiting multi-core processors to parallelize network intrusion prevention | |
| Antonello et al. | Deep packet inspection tools and techniques in commodity platforms: Challenges and trends | |
| US8756337B1 (en) | Network packet inspection flow management | |
| CN110995678B (en) | An efficient intrusion detection system for industrial control network | |
| Jiang et al. | Scalable high-performance parallel design for network intrusion detection systems on many-core processors | |
| CN1881950A (en) | Packet classification acceleration using spectral analysis | |
| CN103475653A (en) | Method for detecting network data package | |
| Zheng et al. | Algorithms to speedup pattern matching for network intrusion detection systems | |
| CN100345132C (en) | Parallel processing method and system | |
| CN1282333C (en) | Multiline program loading equialization method of invading detection | |
| CN114189368B (en) | Multi-inference engine compatible real-time flow detection system and method | |
| Hsieh et al. | A high-throughput DPI engine on GPU via algorithm/implementation co-optimization | |
| Shuai et al. | Performance optimization of Snort based on DPDK and Hyperscan | |
| Sommer et al. | An architecture for exploiting multi‐core processors to parallelize network intrusion prevention | |
| CN101699788A (en) | Modularized network intrusion detection system | |
| Hung et al. | Efficient GPGPU-based parallel packet classification | |
| Mughaid et al. | Detection of trojan horse in the internet of things: Comparative evaluation of machine learning approaches | |
| CN104618392B (en) | Intelligent matching method for NGINX-MODSECURITY security rules | |
| Al-Dalky et al. | Accelerating snort NIDS using NetFPGA-based Bloom filter | |
| CN102780616A (en) | Network equipment and method and device for message processing based on multi-core processor | |
| Xinidis et al. | Design and implementation of a high-performance network intrusion prevention system | |
| Schuff et al. | Design alternatives for a high-performance self-securing ethernet network interface | |
| Xiang et al. | Using multi-core processors to support network security applications | |
| Shenoy et al. | Improving the performance efficiency of an ids by exploiting temporal locality in network traffic | |
| Hung et al. | Fast parallel network packet filter system based on CUDA |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| ASS | Succession or assignment of patent right |
Owner name: SHANGHAI INFOT MICROELECTRONICS CO., LTD. Free format text: FORMER OWNER: INST. OF COMPUTING TECHNOLOGY, CHINESE ACADEMY OF SCIENCES Effective date: 20110919 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 100080 HAIDIAN, BEIJING TO: 201203 PUDONG NEW AREA, SHANGHAI |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20110919 Address after: 201203, 11, Lane 572, Lane 115, blue wave road, Zhangjiang hi tech park, Shanghai Patentee after: Shanghai InfoTM Microelectronics Co., Ltd. Address before: 100080 No. 6 South Road, Zhongguancun Academy of Sciences, Beijing Patentee before: Institute of Computing Technology, Chinese Academy of Sciences |
|
| C56 | Change in the name or address of the patentee |
Owner name: SHANGHAI INFOTM MICROELECTRONICS CO., LTD. Free format text: FORMER NAME: SHANGHAI INFOT MICROELECTRONICS CO., LTD. |
|
| CP01 | Change in the name or title of a patent holder |
Address after: 201203, 11, Lane 572, Lane 115, blue wave road, Zhangjiang hi tech park, Shanghai Patentee after: Shanghai InfoTM Microelectronics Co., Ltd. Address before: 201203, 11, Lane 572, Lane 115, blue wave road, Zhangjiang hi tech park, Shanghai Patentee before: Shanghai InfoTM Microelectronics Co., Ltd. |
|
| DD01 | Delivery of document by public notice |
Addressee: Shanghai InfoTM Microelectronics Co., Ltd. Document name: Notification to Pay the Fees |
|
| DD01 | Delivery of document by public notice |
Addressee: Shanghai InfoTM Microelectronics Co., Ltd. Document name: Notification to Pay the Fees |
|
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20061025 Termination date: 20170224 |