WO2015018188A1 - Deep packet inspection method, device and coprocessor - Google Patents

Deep packet inspection method, device and coprocessor

Info

Publication number
WO2015018188A1
Authority
WO
WIPO (PCT)
Prior art keywords
data packet
coprocessor
original data
application layer
processor core
Application number
PCT/CN2014/071025
Other languages
English (en)
French (fr)
Inventor
艾维•菲尔
丹尼尔•莫斯科维奇
郑明�
莫默
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to RU2015137525A (RU2630414C2, ru)
Priority to JP2015532299A (JP6192725B2, ja)
Priority to EP14834700.8A (EP2933955B1, en)
Priority to CA2898053A (CA2898053C, en)
Priority to KR1020157020935A (KR101662685B1, ko)
Publication of WO2015018188A1 (zh)
Priority to US14/980,719 (US20160119198A1, en)

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 12/00 Data switching networks
                • H04L 43/00 Arrangements for monitoring or testing data switching networks
                    • H04L 43/02 Capturing of monitoring data
                        • H04L 43/028 Capturing of monitoring data by filtering
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/02 Separating internal from external traffic, e.g. firewalls
                        • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
                            • H04L 63/0218 Distributed architectures, e.g. distributed firewalls
                    • H04L 63/14 Detecting or protecting against malicious traffic
                        • H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
                    • H04L 63/16 Implementing security features at a particular protocol layer
                        • H04L 63/168 Implementing security features at a particular protocol layer above the transport layer
                • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
                    • H04L 69/22 Parsing or analysis of headers
                    • H04L 69/30 Definitions, standards or architectural aspects of layered protocol stacks
                        • H04L 69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
                            • H04L 69/322 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
                                • H04L 69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]

Definitions

  • the embodiments of the present invention relate to computer technologies, and in particular, to a deep packet detection method, device, and coprocessor.
  • DPI Deep Packet Inspection
  • the DPI technology implements in-depth analysis of data packets through feature matching algorithms to obtain application information of data packets, thereby implementing services such as network optimization, application flow control, and security detection.
  • the DPI service is usually implemented by a general-purpose processor in which a matcher is integrated, and the general-purpose processor drives the matcher through software logic to implement feature matching. Since general-purpose processors are not designed specifically for DPI services, their integrated matchers, in order to meet versatility requirements, generally support only general-purpose matching algorithms such as regular expression matching, and cannot support matching algorithms designed specifically for DPI services, resulting in poor matching performance that becomes a bottleneck for service processing.
  • moreover, all DPI services are implemented on the general-purpose processor, whose limited resources limit the performance of the DPI services.
  • FIG. 1 shows another prior-art implementation of the DPI service, in which the DPI service logic is solidified (hard-wired) into hardware.
  • the hardware entity may be an FPGA (Field-Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit).
  • the DPI service logic of a device is divided into the following steps: 1. endpoint table matching; 2. IP port identification; 3. application layer text feature matching; 4. complex post-decoding recognition. The first three steps can be solidified into hardware logic.
  • the logic of step four is very complicated and cannot be implemented in hardware logic, so it is left to the general-purpose processor. It can be seen that solidifying the logic in hardware gives poor scalability:
  • if the DPI service logic changes (for example, the three hardware steps in the above example become four, or their order is adjusted), the hardware code must be rewritten, simulated and released to the network devices already deployed, so it is difficult to adapt quickly to changes in network traffic; moreover, because the steps of the DPI service logic are split between software on the general-purpose processor and logic in the hardware acceleration chip, interaction between the general-purpose processor and the hardware acceleration chip is unavoidable, and the DPI processing delay is large.
  • the embodiment of the invention provides a deep packet detection method, device and coprocessor to improve the performance and scalability of the DPI.
  • an embodiment of the present invention provides a deep packet detection method, including: a transceiver module of a coprocessor receiving an original data packet sent by a general-purpose processor, and sending the original data packet to a processor core of the coprocessor;
  • the processor core invoking at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet to obtain an application layer parsing result of the original data packet, where the application layer parsing result is used to indicate application layer information of the original data packet;
  • the processor core sending the application layer parsing result to the general-purpose processor, so that the general-purpose processor processes the original data packet according to at least the application layer parsing result.
  • before the original data packet is sent to the processor core of the coprocessor, the method further includes: performing stream processing on the original data packet; and sending the original data packet to the processor core includes: sending the stream-processed data packet to the processor core;
  • the processor core invoking at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet, to obtain the application layer parsing result of the original data packet, includes: the processor core invoking at least one sub-coprocessor of the coprocessor to perform application layer parsing on the stream-processed data packet, to obtain the application layer parsing result of the original data packet.
  • the stream processing sub-module of the transceiver module performing stream processing on the original data packet includes: the stream processing sub-module performing IP fragment reassembly and TCP out-of-order segment reordering on the original data packet.
  • at least two processor cores are disposed in the coprocessor; and sending the original data packet to a processor core of the coprocessor includes: selecting one processor core from the at least two processor cores according to the load condition of each processor core, and sending the original data packet to the selected processor core.
  • the processor core invoking at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet is specifically: the processor core invoking at least one sub-coprocessor of the coprocessor through the switch bus module of the coprocessor to perform application layer parsing on the original data packet.
  • the processor core invoking at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet, to obtain the application layer parsing result of the original data packet, includes:
  • the processor core invoking a protocol identification sub-coprocessor included in the coprocessor; the protocol identification sub-coprocessor performing an endpoint lookup on the original data packet under the call of the processor core to obtain an endpoint lookup result, and returning the endpoint lookup result to the processor core; and the processor core determining an application layer protocol type of the original data packet according to at least the endpoint lookup result, and using the obtained application layer protocol type as the application layer parsing result of the original data packet.
  • the processor core invoking at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet, to obtain the application layer parsing result of the original data packet, includes: the processor core invoking a protocol identification sub-coprocessor included in the coprocessor; the protocol identification sub-coprocessor invoking, under the call of the processor core, a string matching engine included in the coprocessor; the string matching engine performing string matching on the original data packet under the call of the protocol identification sub-coprocessor to obtain a feature matching result, and returning the feature matching result to the processor core; and the processor core determining an application layer protocol type of the original data packet according to the feature matching result, and using the application layer protocol type as the application layer parsing result of the original data packet.
  • the processor core invoking at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet, to obtain the application layer parsing result of the original data packet, includes: the processor core invoking a regular expression matching engine included in the coprocessor; the regular expression matching engine performing regular expression matching on the original data packet under the call of the processor core to obtain a feature matching result; and the processor core determining an application layer protocol type of the original data packet according to the feature matching result, and using the obtained application layer protocol type as the application layer parsing result of the original data packet.
  • the processor core invoking at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet, to obtain the application layer parsing result of the original data packet, includes: the processor core invoking a protocol identification sub-coprocessor included in the coprocessor to identify the application layer protocol of the original data packet, to obtain an application layer protocol type of the original data packet; a protocol parsing sub-coprocessor included in the coprocessor performing protocol parsing on the original data packet to obtain a parsing result; and using the parsing result together with the application layer protocol type as the application layer parsing result of the original data packet.
  • the string matching engine performing string matching on the original data packet under the call of the protocol identification sub-coprocessor to obtain a feature matching result includes: the string matching engine reading a string matching algorithm state table from a first memory under the call of the protocol identification sub-coprocessor, and performing string matching on the stream-processed data packet according to the string matching algorithm state table to obtain the feature matching result.
  • the processor core sending the application layer parsing result to the general-purpose processor includes: the processor core sending the application layer parsing result to a result reporting processing module included in the coprocessor; and the result reporting processing module encapsulating the application layer parsing result in a preset format and sending the encapsulated application layer parsing result to the general-purpose processor.
  • the embodiment of the present invention provides a deep packet detection method, including:
  • a general-purpose processor sending an original data packet to a coprocessor; the general-purpose processor receiving an application layer parsing result of the original data packet sent by the coprocessor, where the application layer parsing result is obtained by a processor core of the coprocessor invoking at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet, and the application layer parsing result is used to represent application layer information of the original data packet; and the general-purpose processor processing the original data packet according to at least the application layer parsing result.
  • the general-purpose processor processing the original data packet according to the application layer parsing result includes: determining, according to the application layer parsing result, whether the original data packet is an encrypted data packet, and if so, decrypting the original data packet.
  • the general-purpose processor processing the original data packet according to the application layer parsing result includes: the general-purpose processor determining, according to the application layer parsing result, the service type of the flow to which the original data packet belongs, and performing traffic statistics, charging, or transmission acceleration on the flow according to the service type.
  • the application layer parsing result of the original data packet includes: an application layer protocol type of the original data packet and a URL matching result, where the application layer protocol type is obtained by the processor core of the coprocessor invoking the protocol identification sub-coprocessor of the coprocessor to identify the original data packet, and the URL matching result is obtained by the processor core of the coprocessor, after determining that the application layer protocol type of the original data packet is the hypertext transfer protocol, invoking a uniform resource locator (URL) matching engine of the coprocessor to perform URL matching on the original data packet; the general-purpose processor processing the original data packet according to the application layer parsing result includes: the general-purpose processor determining, according to the application layer protocol type and the URL matching result, whether the flow to which the original data packet belongs is being used to access a restricted website, and if so, blocking the flow.
  • an embodiment of the present invention provides a coprocessor, including: a transceiver module, a sub-coprocessor, and a processor core;
  • the transceiver module is configured to receive an original data packet sent by a general-purpose processor and send the original data packet to the processor core;
  • the processor core is configured to invoke the sub-coprocessor to perform application layer parsing on the original data packet to obtain an application layer parsing result of the original data packet, where the application layer parsing result is used to represent application layer information of the original data packet, and to send the application layer parsing result to the general-purpose processor, so that the general-purpose processor processes the original data packet according to at least the application layer parsing result;
  • the sub-coprocessor is configured to perform application layer parsing on the original data packet by using the processor core to obtain application layer information of the original data packet.
  • the transceiver module includes:
  • a receiving unit configured to receive an original data packet sent by the general-purpose processor;
  • a stream processing unit configured to perform stream processing on the original data packet after the receiving unit receives it from the general-purpose processor;
  • a distribution unit configured to send the stream-processed data packet to the processor core;
  • the processor core is specifically configured to invoke the sub-coprocessor to perform application layer parsing on the stream-processed data packet.
  • the stream processing unit is specifically configured to perform IP fragment reassembly and TCP out-of-order segment reordering on the original data packet.
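As an added illustration (not code from the patent or its assignee), the following Python model shows what the stream processing named in the method above and in the stream processing unit here (IP fragment reassembly and TCP out-of-order reordering) has to handle before a matcher sees the payload: a fragment is held until the datagram is complete, and a TCP segment behind a gap is held so that a retransmitted overlap is trimmed rather than fed to the matcher twice. Class names, field names and the sample sequence numbers are constructed for the example; sequence-number wraparound is not modelled.

```python
"""Model of the stream-processing sub-module: IP fragment reassembly and TCP reordering.
Constructed example; not the patent's implementation."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, str, int, int]   # (src, dst, IP identification, IP protocol)


@dataclass
class IpFragment:
    """One IPv4 fragment as the stream-processing sub-module would see it."""
    src: str
    dst: str
    ident: int
    proto: int
    offset: int            # byte offset of this fragment's payload within the datagram
    more_fragments: bool   # MF flag; False marks the last fragment
    payload: bytes


class IpReassembler:
    """Buffers fragments per (src, dst, id, proto); emits the datagram once it is complete."""

    def __init__(self) -> None:
        self._parts: Dict[FlowKey, Dict[int, bytes]] = {}
        self._total: Dict[FlowKey, int] = {}

    def add(self, frag: IpFragment) -> Optional[bytes]:
        """Return the reassembled datagram, or None while fragments are still missing."""
        key = (frag.src, frag.dst, frag.ident, frag.proto)
        parts = self._parts.setdefault(key, {})
        parts[frag.offset] = frag.payload
        if not frag.more_fragments:
            self._total[key] = frag.offset + len(frag.payload)  # last fragment fixes the length
        total = self._total.get(key)
        if total is None:
            return None
        covered = 0                            # check that [0, total) has no holes
        for off in sorted(parts):
            if off > covered:
                return None                    # hole before this fragment: keep waiting
            covered = max(covered, off + len(parts[off]))
        if covered < total:
            return None
        datagram = bytearray(total)
        for off, chunk in parts.items():
            piece = chunk[: max(0, total - off)]  # clip anything past the declared end
            datagram[off: off + len(piece)] = piece
        del self._parts[key], self._total[key]
        return bytes(datagram)


class TcpReorderer:
    """Re-sequences one direction of a TCP stream; data behind a gap is held, not delivered.
    Sequence-number wraparound is not modelled."""

    def __init__(self, initial_seq: int) -> None:
        self.next_seq = initial_seq          # sequence number of the next byte to deliver
        self._held: Dict[int, bytes] = {}    # out-of-order segments keyed by start seq

    def push(self, seq: int, payload: bytes) -> bytes:
        """Accept one segment; return the bytes that became deliverable in order (maybe b'')."""
        if payload:
            self._held[seq] = payload
        out = bytearray()
        while True:
            # Segments covering next_seq; a retransmitted overlap is trimmed, not repeated.
            ready = [s for s, p in self._held.items() if s <= self.next_seq < s + len(p)]
            if not ready:
                break
            start = min(ready)
            fresh = self._held.pop(start)[self.next_seq - start:]
            out += fresh
            self.next_seq += len(fresh)
        # Drop pure duplicates that lie entirely behind the delivery point.
        for s in [s for s, p in self._held.items() if s + len(p) <= self.next_seq]:
            del self._held[s]
        return bytes(out)


if __name__ == "__main__":
    tcp = TcpReorderer(1000)
    print(tcp.push(1006, b"world"))      # b'' : held, there is a gap before it
    print(tcp.push(1000, b"hello "))     # b'hello world' : gap closed, both delivered
    print(tcp.push(1003, b"lo worl"))    # b'' : pure retransmission, discarded
```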
  • the number of the processor cores is at least two;
  • the distribution unit is specifically configured to determine the load condition of each of the at least two processor cores, select one processor core from the at least two according to the load condition of each processor core, and send the stream-processed data packet to the selected processor core.
  • the coprocessor further includes: a switch bus module;
  • the processor core is specifically configured to invoke the sub-coprocessor through the switch bus module of the coprocessor to perform application layer parsing on the original data packet.
  • the sub-coprocessor is specifically configured to perform an endpoint lookup on the original data packet under the call of the processor core to obtain an endpoint lookup result, and to return the endpoint lookup result to the processor core; the processor core is specifically configured to determine, according to at least the endpoint lookup result, an application layer protocol type of the original data packet, and to send the determined application layer protocol type to the general-purpose processor as the application layer parsing result of the original data packet.
  • the sub-coprocessor includes: a protocol identification sub-coprocessor and a string matching engine; the protocol identification sub-coprocessor is specifically configured to invoke the string matching engine under the call of the processor core, and the string matching engine performs string matching on the original data packet under the call of the protocol identification sub-coprocessor to obtain a feature matching result and returns the feature matching result to the processor core;
  • the processor core is specifically configured to determine an application layer protocol type of the original data packet according to at least the feature matching result, and to send the determined application layer protocol type to the general-purpose processor as the application layer parsing result of the original data packet.
  • the sub-coprocessor is specifically a regular expression matching engine; the regular expression matching engine is configured to perform regular expression matching on the original data packet under the call of the processor core to obtain a feature matching result, and to return the feature matching result to the processor core;
  • the processor core is configured to determine an application layer protocol type of the original data packet according to at least the feature matching result, and to send the determined application layer protocol type to the general-purpose processor as the application layer parsing result of the original data packet.
  • the sub-coprocessor further includes: a protocol parsing sub-coprocessor configured to perform protocol parsing on the original data packet under the call of the processor core, obtain a parsing result, and return the parsing result to the processor core; the processor core is further configured to send the parsing result to the general-purpose processor, so that the general-purpose processor processes the original data packet according to the application layer protocol type and the parsing result.
  • the string matching engine is specifically configured to read a string matching algorithm state table from a first memory under the call of the protocol identification sub-coprocessor, perform string matching on the original data packet according to the string matching algorithm state table to obtain a feature matching result, and return the feature matching result to the processor core, where the first memory is used to store the string matching algorithm state table.
  • the processor core is specifically configured to read a rule condition data structure from a second memory and determine the application layer protocol type according to the feature matching result and the rule condition data structure, where the second memory is used to store the rule condition data structure.
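The following Python model is an added example (not the patent's or its assignee's code) of the protocol identification path described in the method above and in the two memories here: the string matching algorithm state table in the first memory is modelled as an Aho-Corasick automaton built from feature patterns, the endpoint table and the rule condition data structure in the second memory as small constructed tables, and the processor core's decision as a rule evaluation over the feature matching result. All feature ids, patterns, port numbers and protocol names are constructed for the example; content features are evaluated before the endpoint lookup because a port number on its own is a weak indicator of the application.

```python
"""Model of protocol identification: state-table string matching plus rule conditions.
Constructed example; not the patent's implementation."""
from collections import deque
from typing import Dict, List, Set, Tuple


class StateTable:
    """Aho-Corasick automaton laid out as flat per-state tables, the form a
    string-matching engine would load from its state-table memory."""

    def __init__(self, patterns: Dict[str, bytes]) -> None:
        self.goto: List[Dict[int, int]] = [{}]   # state -> {byte: next state}
        self.fail: List[int] = [0]               # state -> fallback state on mismatch
        self.out: List[Set[str]] = [set()]       # state -> feature ids recognised there
        for fid, pat in patterns.items():        # build the trie
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(fid)
        queue = deque(self.goto[0].values())     # depth-1 states fail to the root
        while queue:                             # BFS fills failure links, propagates outputs
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]


def string_match(table: StateTable, payload: bytes) -> Set[str]:
    """Matching-engine step: one pass over the payload, returns the matched feature ids."""
    s, hits = 0, set()
    for b in payload:
        while s and b not in table.goto[s]:
            s = table.fail[s]
        s = table.goto[s].get(b, 0)
        hits |= table.out[s]
    return hits


# Constructed contents of the "second memory": endpoint table and rule conditions.
ENDPOINT_TABLE: Dict[int, str] = {53: "DNS", 80: "HTTP", 443: "TLS"}   # port -> protocol hint
FEATURES: Dict[str, bytes] = {            # feature id -> byte pattern compiled into the table
    "http.get": b"GET ", "http.post": b"POST ", "http.version": b" HTTP/1.",
    "tls.handshake": b"\x16\x03", "ssh.banner": b"SSH-2.0",
}
# (protocol, features that must all match, features of which at least one must match)
RULE_CONDITIONS: List[Tuple[str, Set[str], Set[str]]] = [
    ("HTTP", {"http.version"}, {"http.get", "http.post"}),
    ("TLS", {"tls.handshake"}, set()),
    ("SSH", {"ssh.banner"}, set()),
]


def identify_protocol(dst_port: int, payload: bytes, table: StateTable) -> Tuple[str, Set[str]]:
    """Processor-core logic: the feature matching result is checked against the rule
    conditions; the endpoint (port) lookup is only the fallback when no content rule fires."""
    hits = string_match(table, payload)
    for proto, all_of, any_of in RULE_CONDITIONS:
        if all_of <= hits and (not any_of or any_of & hits):
            return proto, hits
    return ENDPOINT_TABLE.get(dst_port, "UNKNOWN"), hits


if __name__ == "__main__":
    table = StateTable(FEATURES)
    # SSH traffic on port 80 is still identified by content, not by the endpoint table.
    print(identify_protocol(80, b"SSH-2.0-OpenSSH_8.9\r\n", table))   # ('SSH', {'ssh.banner'})
```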
  • an embodiment of the present invention provides a general-purpose processor, including:
  • a sending module configured to send the original data packet to the coprocessor;
  • a receiving module configured to receive an application layer parsing result of the original data packet sent by the coprocessor, where the application layer parsing result is obtained by a processor core of the coprocessor invoking at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet, and the application layer parsing result is used to represent application layer information of the original data packet;
  • a processing module configured to process the original data packet according to at least the application layer parsing result.
  • the processing module is specifically configured to: if the original data packet is identified as an encrypted data packet according to the application layer parsing result, decrypt the original data packet.
  • the application layer parsing result of the original data packet includes: an application layer protocol type of the original data packet and a URL matching result, where the URL matching result is obtained by the processor core of the coprocessor invoking the uniform resource locator (URL) matching engine of the coprocessor to perform URL matching on the original data packet;
  • the processing module is configured to determine, according to the application layer protocol type of the original data packet and the URL matching result, whether the flow to which the original data packet belongs is being used to access a restricted website, and if so, to block the flow.
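An added Python example (not from the patent) of the URL-filtering scenario above: a constructed rule set stands in for the URL matching engine, the request is normalised (host case and port, percent-encoding, absolute-form request target, dot segments) before matching so that trivial encoding variants do not slip past a rule, and the processing module's verdict combines the application layer protocol type with the URL matching result. Host names, paths and rules are constructed for the example.

```python
"""Model of URL matching and the general-purpose processor's blocking decision.
Constructed example; not the patent's implementation."""
import posixpath
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed rule memory for the URL matching engine: restricted hosts (exact match or
# any subdomain) and restricted path prefixes on otherwise allowed hosts.
RESTRICTED_HOSTS = ("blocked.example", "ads.example")
RESTRICTED_PATHS = {"intranet.example": ("/admin",)}


def parse_http_request(payload: bytes) -> Optional[Tuple[str, str]]:
    """Extract a normalised (host, path) from an HTTP/1.x request head, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")   # latin-1 never raises
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    target, host = parts[1], ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    if target.lower().startswith("http://"):          # absolute-form target carries the host
        host, _, rest = target[7:].partition("/")
        target = "/" + rest
    if host.startswith("["):                           # IPv6 literal: keep brackets, drop port
        host = host[: host.find("]") + 1]
    else:
        host = host.split(":", 1)[0]                   # drop an explicit port
    # Drop the query, decode percent-escapes, then fold "." and ".." segments.
    path = posixpath.normpath(unquote(target.split("?", 1)[0]))
    return host.lower(), path


def url_match(host: str, path: str) -> bool:
    """URL-matching-engine step: does the normalised URL hit a restricted-site rule?"""
    if any(host == h or host.endswith("." + h) for h in RESTRICTED_HOSTS):
        return True
    return any(path == p or path.startswith(p + "/") for p in RESTRICTED_PATHS.get(host, ()))


def flow_verdict(app_protocol: str, payload: bytes) -> str:
    """Processing-module decision from the coprocessor's result: 'block' or 'allow'."""
    if app_protocol != "HTTP":
        return "allow"                  # the URL rules apply only to flows identified as HTTP
    parsed = parse_http_request(payload)
    if parsed is None:
        return "allow"
    return "block" if url_match(*parsed) else "allow"


if __name__ == "__main__":
    req = b"GET /%61dmin/../admin/users HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    print(parse_http_request(req), flow_verdict("HTTP", req))   # ('intranet.example', '/admin/users') block
```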
  • the embodiment of the present invention provides a deep packet detecting device, including: a coprocessor provided by any embodiment of the present invention and a general-purpose processor provided by any embodiment of the present invention.
  • the number of the general-purpose processors is one.
  • the number of the general-purpose processors is at least two;
  • the deep packet detecting device further includes a network card and a load balancing device; the network card is configured to receive a data packet from the network and send the data packet to the load balancing device;
  • the load balancing device is configured to acquire the load condition of each of the at least two general-purpose processors, select one general-purpose processor according to the load condition of each general-purpose processor, and send the data packet to the selected general-purpose processor.
  • the deep packet detection method, device and coprocessor implement DPI using a general-purpose processor together with a coprocessor, and the sub-coprocessors in the coprocessor can be designed specifically for the DPI service;
  • the DPI function is offloaded from the general-purpose processor, reducing the occupation of general-purpose processor resources, so that the general-purpose processor can handle other value-added services;
  • a processor core is set in the coprocessor and the sub-coprocessors operate under the call of the processor core, so intermediate state information can be retained, and the interaction between the processor core and the sub-coprocessors is intra-chip interaction, avoiding frequent interaction between the coprocessor and the general-purpose processor and reducing processing latency.
  • FIG. 2 is a schematic diagram of a deep packet detection architecture according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of a deep packet detection application scenario according to an embodiment of the present invention.
  • FIG. 4 is a flowchart of a first deep packet detection method according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of a second deep packet detection method according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of a method for detecting a deep packet according to an embodiment of the present invention.
  • FIG. 7 is a flowchart of another method for detecting a deep packet according to an embodiment of the present invention.
  • FIG. 8 is a flowchart of another method for detecting a deep packet according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a first coprocessor according to an embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of a second coprocessor according to an embodiment of the present disclosure.
  • FIG. 11 is a schematic structural diagram of a general-purpose processor according to an embodiment of the present disclosure.
  • FIG. 12 is a schematic structural diagram of a first deep packet detecting device according to an embodiment of the present invention.
  • FIG. 13 is a schematic structural diagram of a second deep packet detecting device according to an embodiment of the present invention.
  • the functional modules of the DPI processing task are divided into multiple levels (typically four). The higher the level, the more complex and generic the service it processes; the lower the level, the simpler and more specialized the algorithm.
  • the DPI coprocessor is responsible for implementing the logic of the DPI service control layer, the DPI sub-service logic layer, and the algorithm engine layer.
  • the DPI coprocessor internally includes multiple sub-coprocessors, each of which completes a specific DPI sub-service.
  • the sub-coprocessors can be divided into high-level sub-coprocessors, such as sub-coprocessor A in FIG. 2, and low-level sub-coprocessors, such as sub-coprocessors C and D in FIG. 2. A low-level sub-coprocessor may specifically be a software- or hardware-implemented algorithm engine that implements a specialized function using a specific algorithm, such as a string matching engine or a regular expression matching engine; a high-level sub-coprocessor, compared with a low-level one, implements more generic DPI sub-services such as protocol identification and protocol parsing.
  • a high-level sub-coprocessor can be a logical or physical entity that integrates multiple sub-coprocessors and/or algorithm engine functions to implement more advanced, generic DPI sub-functions; a high-level sub-coprocessor can call low-level modules to implement the required functions, and sub-coprocessors of the same level can also call each other to cooperate in completing a function.
  • Level 1: operation-intensive layer.
  • tasks at this level are handled by the general-purpose processor.
  • Level 2: DPI service control layer.
  • the DPI service control logic is executed by a core placed in the DPI coprocessor, and includes the sequential execution control of the steps of the DPI engine, conditional rule matching, cross-packet processing, preservation of intermediate state, and other control logic related to the DPI service.
  • tasks at this level are performed by a processor core (core) in the DPI coprocessor.
  • Level 3: DPI sub-service logic layer. Responsible for DPI-specific sub-services that can be fixed in hardware, for example application layer protocol identification, deep protocol parsing, and packet behaviour feature analysis modules.
  • tasks at this level are performed by high-level sub-coprocessors in the DPI coprocessor, for example a protocol identification sub-coprocessor that identifies the application layer protocol type of a data packet, a protocol parsing sub-coprocessor that performs deep parsing of the protocol, and so on.
  • Level 4: algorithm engine layer. Responsible for algorithm engine tasks specifically optimized for DPI, for example general regular expression matching, floating-point arithmetic, multi-pattern string matching, single-pattern string matching, behavioural parameter operations, and so on. Tasks at this level are performed by low-level sub-coprocessors in the DPI coprocessor, such as the regular expression matching engine, the floating-point arithmetic engine, the string matching engine, and so on.
  • between level two and level four, an internal bus or switch bus module is required to handle message and data interaction between these hierarchical modules.
  • interaction between level one and the other levels, that is, the inter-chip interaction between the general-purpose processor and the DPI coprocessor, needs to go over an industry-standard bus such as PCIe (Peripheral Component Interconnect Express). Which type of bus is used is determined by the external interface provided by the general-purpose processor.
  • the embodiment of the present invention may further provide external memory for the DPI coprocessor to save the intermediate state of the DPI, achieving better scalability and performance: when a task requires state to be saved, this no longer has to be done by the general-purpose processor, and the DPI coprocessor can offload more of the general-purpose processor's resources.
  • the external memory provided can also store the various feature data structures and algorithm-specific data structures required for DPI processing. In this way, the DPI coprocessor can read this data directly and quickly, without having to fetch it over the bus via the general-purpose processor, which achieves higher processing performance.
  • external memory A holds the soft-core-specific data structures, including flow tables and rule conditions, so that the DPI coprocessor can be aware of flow state rather than processing packet by packet.
  • external memory B stores the data structures of each matching engine and sub-coprocessor, such as a DFA (Deterministic Finite Automaton) state table, auxiliary data for a single-mode matching algorithm, the algorithm data structures of the sub-coprocessors, and so on. It should be noted that external memory A and external memory B are only logical divisions, and the two can be located on the same physical memory.
  • FIG. 4 is a flowchart of a first deep packet detection method according to an embodiment of the present invention.
  • the deep packet detection method provided in this embodiment may be specifically applied to a deep packet detection DPI process of a network device, and the network device may be, for example, a router and a gateway.
  • the network device may be configured with a deep packet detecting device, and the deep packet detecting device includes a general-purpose processor and a coprocessor.
  • the deep packet detecting method provided in this embodiment is executed by a coprocessor.
  • Step A10 The transceiver module of the coprocessor receives the original data packet sent by the general processor, and sends the original data packet to the processor core of the coprocessor;
  • Step A20 The processor core invokes at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet, to obtain an application layer parsing result of the original data packet, where the application layer parsing result of the original data packet is used to indicate the application layer information of the data packet, such as the application layer protocol type, the service to which the data packet belongs, and the like, which are not enumerated here;
  • Step A30 The processor core sends an application layer parsing result of the original data packet to the general-purpose processor, so that the general-purpose processor processes the original data packet according to the application layer parsing result.
  • the network device needs to perform in-depth analysis on the data packets in the received stream to implement network optimization and application flow control; the network device sends the data packet to the general-purpose processor through the network card, and the general-purpose processor hands the DPI-related tasks over to the DPI coprocessor to complete.
  • the coprocessor can be an FPGA (Field Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit).
  • when implemented as an ASIC, one or more processor cores are deployed in the coprocessor, a transceiver module and a plurality of sub-coprocessors are also disposed in the coprocessor, and the sub-coprocessors are implemented in a hardware description language, which can be VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) or Verilog HDL.
  • the sub-coprocessor can be used for application protocol identification, protocol parsing, etc. of the data packet to improve the processing performance of the service.
  • the general-purpose processor sends the original data packet to the transceiver module of the coprocessor, the transceiver module distributes the original data packet to a processor core in the coprocessor, the processor core of the coprocessor calls the sub-coprocessors to perform application layer parsing on the original data packet to obtain the parsing result, and the processor core returns the parsing result to the general-purpose processor; the general-purpose processor then processes the original data packet according to the parsing result, for example with traffic statistics, acceleration, rate limiting, blocking, filtering, and so on.
  • the general-purpose processor can establish a flow table according to the parsing result.
  • the flow table records a plurality of flow entries and their processing instructions; the general-purpose processor matches a received data packet against the flow table entries to determine the flow to which the data packet belongs, and processes it accordingly.
  • the general processor and the coprocessor cooperate to implement DPI, and the sub-coprocessor in the coprocessor can be specifically designed for the DPI service by performing finer granular division on the coprocessor.
  • the DPI function is offloaded from the general-purpose processor, which reduces the occupation of the general-purpose processor resources, so that the general-purpose processor can process other value-added services;
  • at the same time, the coprocessor is provided with a processor core for DPI service control, and the sub-coprocessors run under the call of the processor core, which greatly improves the flexibility of service processing; the interaction between the processor core and the sub-coprocessors is intra-chip interaction, which avoids frequent interactions between the coprocessor and the general-purpose processor.
  • FIG. 5 is a flowchart of a second deep packet detection method according to an embodiment of the present invention.
  • the method for detecting a deep packet in this embodiment includes: Step A101, the transceiver module of the coprocessor receives the original data packet sent by the general processor; Step A102, stream processing the original data packet;
  • performing the stream processing on the original data packet may include: performing IP fragment reassembly and TCP out-of-order packet reordering on the original data packet. Further, the stream processing of the original data packet may also include serializing the original data packets per flow to ensure that they are processed in order.
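The two stream-processing operations named above, IP fragment reassembly and TCP out-of-order reordering, as an added software model (example code, not the patent's own design; the class names, the fragment key and the sample segments are constructed). Both structures deliver nothing until the gap is filled, trim overlapping retransmissions instead of delivering duplicate bytes, and release their state once the datagram or the delivered prefix is complete, which is the behaviour a later matching engine relies on to see each payload byte exactly once.

```python
"""Software model of the stream-processing step: IPv4 fragment reassembly and
TCP out-of-order delivery (constructed example; not the patent's own code)."""
from dataclasses import dataclass, field


@dataclass
class IpReassembler:
    """Reassembles IPv4 fragments; key is the (src, dst, id, proto) tuple."""
    pending: dict = field(default_factory=dict)

    def push(self, key, offset: int, more_fragments: bool, data: bytes):
        """offset is in bytes (the header field times 8). Returns the full
        datagram payload once every byte of it has arrived, else None."""
        entry = self.pending.setdefault(key, {"parts": {}, "total": None})
        entry["parts"][offset] = data
        if not more_fragments:               # the last fragment fixes the total length
            entry["total"] = offset + len(data)
        if entry["total"] is None:
            return None
        buf, pos = bytearray(), 0
        for off in sorted(entry["parts"]):   # walk the fragments and look for holes
            if off > pos:
                return None                  # hole: still waiting for a fragment
            part = entry["parts"][off]
            buf += part[pos - off:]          # trim any overlap with delivered bytes
            pos = max(pos, off + len(part))
        if pos < entry["total"]:
            return None
        del self.pending[key]
        return bytes(buf[:entry["total"]])


@dataclass
class TcpReorderer:
    """Delivers one direction of a TCP stream in sequence-number order."""
    next_seq: int                             # next byte the consumer expects
    held: dict = field(default_factory=dict)  # seq -> payload that arrived out of order

    def push(self, seq: int, payload: bytes) -> bytes:
        """Accept one segment; return every byte that is now deliverable in order."""
        if not payload or seq + len(payload) <= self.next_seq:
            return b""                        # empty, or data already delivered
        if len(payload) > len(self.held.get(seq, b"")):
            self.held[seq] = payload          # keep the longest segment seen at this seq
        out = bytearray()
        while self.held:
            s = min(self.held)
            if s > self.next_seq:
                break                         # gap before the earliest held segment
            chunk = self.held.pop(s)[self.next_seq - s:]   # drop the overlapping prefix
            out += chunk
            self.next_seq += len(chunk)
        return bytes(out)
```

A real implementation would also bound the held data per flow and age out incomplete datagrams, since an attacker can otherwise pin memory by never sending the missing piece.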
  • Step A103 Send the stream processed data packet to a processor core of the coprocessor
  • the number of processor cores in the coprocessor can be set according to the needs of the DPI service, that is, the number of processor cores can be one or more.
  • when the coprocessor includes a plurality of processor cores, sending the original data packet to a processor core of the coprocessor includes:
  • determining the load condition of each of the plurality of processor cores of the coprocessor, selecting a processor core from the plurality of processor cores according to a load balancing policy, and transmitting the original data packet to the selected processor core.
  • the load condition of all processor cores can be monitored, and during the distribution of data packets a processor core is selected according to the load condition of each processor core, so that the data packet is sent for processing to a processor core whose processing resources are relatively idle.
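The load balancing policy described above, as an added example (constructed code, not the patent's dispatcher). It picks the core with the fewest queued packets; the per-flow affinity table is an assumption of this example, added because the preceding stream processing only guarantees ordering if a flow's packets are not split across cores.

```python
"""Least-loaded core selection for the transceiver module (constructed example)."""


class CoreDispatcher:
    def __init__(self, n_cores: int):
        self.load = [0] * n_cores   # packets currently queued at each core
        self.affinity = {}          # flow key -> core (assumption: keeps a flow in order)

    def select(self, flow_key) -> int:
        """Return the core that should receive the next packet of this flow."""
        core = self.affinity.get(flow_key)
        if core is None:
            # least-loaded core; ties go to the lowest index so the choice is deterministic
            core = min(range(len(self.load)), key=lambda i: (self.load[i], i))
            self.affinity[flow_key] = core
        self.load[core] += 1
        return core

    def done(self, flow_key, core: int, flow_ended: bool = False):
        """Called when a core finishes a packet; forget the flow once it has ended."""
        self.load[core] -= 1
        if flow_ended:
            self.affinity.pop(flow_key, None)
```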
  • Step A104 The processor core invokes at least one sub-coprocessor of the coprocessor to perform an application layer parsing on the original data packet to obtain an application layer parsing result of the original data packet.
  • the processor core may specifically invoke the at least one sub-coprocessor to perform application layer parsing on the original data packet through the exchange bus module of the coprocessor.
  • the switch bus module may be a Switch-Arbiter switch module, and communication between the processor core and each of the sub-coprocessors included in the coprocessor is implemented by the switch bus module.
  • Step A105 The processor core sends the application layer parsing result of the original data packet to the general-purpose processor.
  • the general processor processes the original data packet according to the application layer parsing result.
  • a result reporting processing module may be further disposed in the coprocessor, and the processor core may send the application layer parsing result of the original data packet to the result reporting processing module; the result reporting processing module encapsulates the application layer parsing result according to a preset format and sends the encapsulated result to the general-purpose processor, where the preset format can be, for example, a TLV (Type Length Value) structure, a general data description format consisting of a type, a length, and a value.
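A TLV encoding of the parsing result as the result reporting module might emit it, added here as an example (not the patent's format: the type codes and the one-byte type / two-byte length layout are assumptions of this example). The decoder is strict about lengths, which is the check the general-purpose processor needs before acting on a report.

```python
"""TLV encoding of the coprocessor's application layer parsing result
(constructed example; type codes and field layout are assumptions)."""
import struct

T_PROTO_TYPE = 0x01    # application layer protocol type, UTF-8 text
T_PARSE_RESULT = 0x02  # nested TLVs produced by the protocol parsing sub-coprocessor
T_URL = 0x03           # URL matching result
T_FLOW_ID = 0x04       # 32-bit flow identifier, big-endian


def tlv_encode(items):
    """items: iterable of (type, value_bytes) -> concatenated T(1) L(2) V records."""
    out = bytearray()
    for t, v in items:
        if not 0 <= t <= 0xFF or len(v) > 0xFFFF:
            raise ValueError("type or length out of range")
        out += struct.pack("!BH", t, len(v)) + v
    return bytes(out)


def tlv_decode(buf):
    """Strict decoder: a truncated header or a length running past the buffer
    is rejected instead of being read as garbage."""
    items, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 3:
            raise ValueError("truncated TLV header")
        t, ln = struct.unpack_from("!BH", buf, pos)
        pos += 3
        if len(buf) - pos < ln:
            raise ValueError("TLV length exceeds buffer")
        items.append((t, bytes(buf[pos:pos + ln])))
        pos += ln
    return items


def encode_report(flow_id, proto, parsed=None, url=None):
    """Build the report the processor core hands to the result reporting module.
    parsed is a list of (type, bytes) from deep parsing, nested as one TLV."""
    items = [(T_FLOW_ID, struct.pack("!I", flow_id)), (T_PROTO_TYPE, proto.encode())]
    if parsed:
        items.append((T_PARSE_RESULT, tlv_encode(parsed)))
    if url is not None:
        items.append((T_URL, url.encode()))
    return tlv_encode(items)


def decode_report(buf):
    """Inverse of encode_report; returns a dict the general-purpose processor can act on."""
    rep = {}
    for t, v in tlv_decode(buf):
        if t == T_FLOW_ID:
            rep["flow_id"] = struct.unpack("!I", v)[0]
        elif t == T_PROTO_TYPE:
            rep["protocol"] = v.decode()
        elif t == T_URL:
            rep["url"] = v.decode()
        elif t == T_PARSE_RESULT:
            rep["parsed"] = tlv_decode(v)
        # unknown types are skipped, which is what lets the format grow later
    return rep
```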
  • external memory may be set for use by the coprocessor
  • the memory may include a first memory and a second memory
  • the first memory and the second memory may be two physically independent memories, or the first memory and the second memory may be logical partitions of the same physical memory.
  • the first memory is used to store the data structure required by the sub-coprocessor
  • the second memory is used to store data used by the DPI service control layer such as stream intermediate state data, endpoint table data, port feature table, and rule condition table.
  • the second in-memory rule condition table is used to record one or more rules.
  • a rule usually contains a set of features that describe the details of the packet, such as the source/destination address of the packet, the source/destination port, the type of transport protocol, special strings and data contained in the payload of the packet, whether the packet is fragmented, and so on.
  • the sub-coprocessor analyzes the data packet to obtain a feature matching result.
  • the processor core checks the features in each rule against the feature matching result. If a data packet satisfies a certain rule, the application layer protocol type corresponding to that rule is the application layer protocol type of the data packet.
  • features such as strings, regular expressions, and behavioral features. Feature matching results can be obtained in different ways for different features.
  • the sub-coprocessors included in the coprocessor can be further divided into high-level sub-coprocessors for performing general DPI sub-services (such as protocol identification) and low-level sub-coprocessors (such as the matching engines).
  • the high-level sub-coprocessor can call the low-level module to implement the required functions.
  • the sub-coprocessors of the same level can also call each other to cooperate to complete the function.
  • depending on which sub-coprocessors the processor core invokes, the specific implementation of step A104 differs:
  • the protocol identification sub-coprocessor may perform an endpoint search on the original data packet under the call of the processor core to obtain an endpoint search result, and return the endpoint search result to the processor core, where the processor core determines the application layer protocol type of the original data packet according to at least the endpoint search result, and the obtained application layer protocol type is used as the application layer parsing result of the original data packet;
  • a state machine is set in the protocol identification sub-coprocessor. If a destination IP address, a source IP address, a destination port, and a source port of a flow in which a packet is located can successfully find one or more records in the endpoint table, the application layer protocol type of the packet may be Get it directly from the endpoint table without having to take more steps.
  • an example of an endpoint table record is: Destination IP address: 103.224.1.9, Destination port: 443, Application layer protocol type: gmail_webmail. If a packet of a certain stream is sent to port 443 of that destination IP address, the DPI processing result can be determined directly, indicating that the application layer protocol type of the packets of the stream is gmail_webmail.
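The endpoint search, as an added example (constructed code, not the patent's table layout). Records may specify any subset of the four fields the text names; unspecified fields are wildcards, and the lookup tries the most specific records first, so a record for a particular client can override the general destination record. The sample record is the one from the text; the other records are constructed.

```python
"""Endpoint table lookup for the protocol identification sub-coprocessor
(constructed example; most-specific-first order is an assumption)."""


class EndpointTable:
    FIELDS = ("dst_ip", "dst_port", "src_ip", "src_port")

    def __init__(self):
        # one dictionary per wildcard mask; mask[i] is True when field i is specified
        self.by_mask = {}

    def add(self, proto: str, **fields):
        """Record a pattern such as dst_ip=..., dst_port=443 -> proto."""
        unknown = set(fields) - set(self.FIELDS)
        if unknown:
            raise ValueError(f"unknown fields: {sorted(unknown)}")
        mask = tuple(f in fields for f in self.FIELDS)
        key = tuple(fields.get(f) for f in self.FIELDS)
        self.by_mask.setdefault(mask, {})[key] = proto

    def lookup(self, dst_ip, dst_port, src_ip, src_port):
        """Return the protocol of the most specific matching record, or None."""
        pkt = (dst_ip, dst_port, src_ip, src_port)
        for mask in sorted(self.by_mask, key=lambda m: -sum(m)):
            key = tuple(v if keep else None for v, keep in zip(pkt, mask))
            proto = self.by_mask[mask].get(key)
            if proto is not None:
                return proto
        return None
```

When no record matches, the sub-coprocessor reports the search failure and the processor core falls through to the string matching engine, as the flow in FIG. 6 describes.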
  • the protocol identification sub-coprocessor can, under the call of the processor core, invoke a low-level sub-coprocessor such as a string matching engine to help perform the corresponding function. The string matching engine performs string matching on the original data packet under the call of the protocol identification sub-coprocessor to obtain a feature matching result, and returns the feature matching result to the processor core; the processor core determines the application layer protocol type of the original data packet according to at least the feature matching result, and uses the application layer protocol type as the application layer parsing result of the original data packet.
  • the string matching engine may be a single-mode string matching engine or a multi-mode string matching engine.
  • the single-mode string matching engine can adopt a single-mode string matching algorithm, and the single-mode string matching algorithm can be a BM (Boyer Moore) algorithm.
  • the multi-mode string matching engine can adopt a multi-mode string matching algorithm, and the multi-mode string matching algorithm can be an AC (Aho-Corasick) algorithm, a Wu-Manber algorithm, or an ExB algorithm.
  • the protocol identification sub-coprocessor calls the multi-mode string matching engine, and the multi-mode string matching engine scans the data packet to find one or more string features in the data packet, obtains the feature matching result, and returns the feature matching result to the processor core; the processor core determines the application layer protocol type of the original data packet according to the feature matching result.
  • the string matching engine performs string matching on the stream-processed data packet under the call of the protocol identifier sub-coprocessor, including:
  • the string matching engine reads the string matching algorithm state table from the first memory under the call of the protocol identifier sub-coprocessor, and performs string matching on the original data packet according to the string matching algorithm state table.
  • the first memory stores a string matching algorithm state table. When the string matching engine is a multi-mode string matching engine, the state table is a multi-mode string matching algorithm state table; when it is a single-mode string matching engine, the state table is a single-mode string matching algorithm state table. When the multi-mode string matching algorithm is an AC algorithm, the multi-mode string matching algorithm state table is an AC state table. The multi-mode string matching engine can then perform multi-mode string matching on the data packet according to the multi-mode string matching algorithm state table.
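The AC state table the text describes, as an added example (constructed code, not the patent's engine): the patterns are compiled into an Aho-Corasick automaton whose failure links are folded into a dense 256-entry row per state, which is the memory-resident form a hardware engine can walk with one table read per payload byte. The sample patterns are constructed.

```python
"""Aho-Corasick multi-mode string matching compiled to a dense state table
(constructed example; sample patterns are constructed)."""
from collections import deque


class AcStateTable:
    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        goto, out = [{}], [set()]                 # trie: goto[state][byte] -> state
        for idx, pat in enumerate(self.patterns):
            s = 0
            for b in pat:
                if b not in goto[s]:
                    goto.append({})
                    out.append(set())
                    goto[s][b] = len(goto) - 1
                s = goto[s][b]
            out[s].add(idx)
        fail = [0] * len(goto)
        queue = deque(goto[0].values())           # depth-1 states fail to the root
        while queue:                              # BFS: fail[r] is final before its children
            r = queue.popleft()
            for b, s in goto[r].items():
                queue.append(s)
                f = fail[r]
                while f and b not in goto[f]:
                    f = fail[f]
                fail[s] = goto[f].get(b, 0)
                out[s] |= out[fail[s]]            # a suffix that is itself a pattern
        # Dense table: 256 next-state entries per state with the fail links already
        # resolved, so the scan loop does exactly one lookup per input byte.
        self.table = []
        for s in range(len(goto)):
            row = []
            for b in range(256):
                t = s
                while t and b not in goto[t]:
                    t = fail[t]
                row.append(goto[t].get(b, 0))
            self.table.append(row)
        self.out = [frozenset(o) for o in out]

    def scan(self, data: bytes):
        """Return sorted (end_offset, pattern_index) for every occurrence, overlaps included."""
        s, hits = 0, []
        for i, b in enumerate(data):
            s = self.table[s][b]
            for idx in self.out[s]:
                hits.append((i + 1, idx))
        return sorted(hits)
```

The table costs 256 entries per state, which is why engines store it in external memory and front it with a cache, as the next paragraphs describe; the scan itself never touches the pattern list.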
  • the string matching engine does not read and write the first memory directly: the coprocessor has a cache (Cache), and the cache and the first memory exchange data by DMA (Direct Memory Access). With the cache in place, the number of accesses to the external memory is greatly reduced, most memory access requests can be completed through the cache, and the performance of the system is greatly improved.
  • if the processor core calls a low-level sub-coprocessor, such as a regular expression matching engine dedicated to regular expression matching, the regular expression matching engine performs regular matching on the original data packet under the call of the processor core to obtain a feature matching result, and returns the feature matching result to the processor core; the processor core determines the application layer protocol type of the original data packet according to at least the feature matching result, and uses the obtained application layer protocol type as the application layer parsing result of the original data packet.
  • the regular expression matching engine may adopt a regular expression matching algorithm, and the regular expression matching algorithm may be an NFA (Non-deterministic Finite Automaton) algorithm, a DFA (Deterministic Finite Automaton) algorithm, or the like.
  • the processor core can directly call the regular expression matching engine, and the regular expression matching engine searches the data packet to obtain the feature matching result, and returns the feature matching result to the processor core.
  • the processor core determines an application layer protocol type of the original data packet according to the feature matching result.
  • the regular expression matching engine performing regular matching on the original data packet under the call of the processor core includes:
  • the regular expression matching engine reads the regular expression matching algorithm state table from the first memory under the call of the processor core, and performs regular matching on the original data packet according to the regular expression matching algorithm state table.
  • the first memory stores a regular expression matching algorithm state table. When the regular expression matching algorithm is a DFA algorithm, the regular expression matching algorithm state table is a DFA state table. When the regular expression matching engine performs regular matching on the data packet, it can do so according to the regular expression matching algorithm state table.
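How a DFA state table is produced from a regular expression and then walked one byte at a time, as an added example (constructed code, not the patent's engine). The supported pattern syntax is an assumption of this example and is deliberately a small subset (literal bytes, backslash escapes, `.`, `[a-z0-9]` classes and a trailing `*`); the NFA is built Thompson-style, converted to a DFA by subset construction, and stored as a dense 256-entry row per state. Sample patterns and payloads are constructed.

```python
"""Regular expression matching by a DFA state table: pattern -> NFA -> DFA
(constructed example; the pattern syntax is a subset chosen for this example)."""


def _parse(pattern: bytes):
    """Return [(byteset, starred)] for literals, '\\x' escapes, '.', '[..]' classes, '*'."""
    atoms, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == ord("\\"):                      # escaped literal byte
            i += 1
            charset = {pattern[i]}
        elif c == ord("."):                     # any byte
            charset = set(range(256))
        elif c == ord("["):                     # class with optional a-z ranges
            j = pattern.index(b"]", i)
            body, charset, k = pattern[i + 1:j], set(), 0
            while k < len(body):
                if k + 2 < len(body) and body[k + 1] == ord("-"):
                    charset.update(range(body[k], body[k + 2] + 1))
                    k += 3
                else:
                    charset.add(body[k])
                    k += 1
            i = j
        else:
            charset = {c}
        i += 1
        starred = i < len(pattern) and pattern[i] == ord("*")
        if starred:
            i += 1
        atoms.append((frozenset(charset), starred))
    return atoms


class RegexDfa:
    def __init__(self, pattern: bytes):
        # Thompson-style NFA: trans[s][byte] -> set of states, eps[s] -> epsilon targets
        trans, eps = [{}], [set()]
        for b in range(256):                     # unanchored search: root loops on every byte
            trans[0][b] = {0}
        cur = 0
        for charset, starred in _parse(pattern):
            trans.append({})
            eps.append(set())
            nxt = len(trans) - 1
            if starred:
                eps[cur].add(nxt)                # zero occurrences allowed
                for b in charset:
                    trans[nxt][b] = {nxt}        # further occurrences loop
            else:
                for b in charset:
                    trans[cur].setdefault(b, set()).add(nxt)
            cur = nxt
        accept = cur

        def closure(states):
            stack, seen = list(states), set(states)
            while stack:
                for t in eps[stack.pop()]:
                    if t not in seen:
                        seen.add(t)
                        stack.append(t)
            return frozenset(seen)

        # Subset construction: each DFA state is a set of NFA states.
        start = closure({0})
        ids, work, rows, acc = {start: 0}, [start], {}, {}
        while work:
            dstate = work.pop()
            row = []
            for b in range(256):
                moved = set()
                for s in dstate:
                    moved |= trans[s].get(b, set())
                target = closure(moved)
                if target not in ids:
                    ids[target] = len(ids)
                    work.append(target)
                row.append(ids[target])
            rows[ids[dstate]] = row
            acc[ids[dstate]] = accept in dstate
        self.table = [rows[i] for i in range(len(ids))]        # the DFA state table
        self.accepting = [acc[i] for i in range(len(ids))]

    def search(self, data: bytes) -> int:
        """One table lookup per byte; return the end offset of the first match or -1."""
        s = 0
        for i, b in enumerate(data):
            s = self.table[s][b]
            if self.accepting[s]:
                return i + 1
        return -1
```

The state count can blow up for patterns with many unbounded repetitions, which is the classic DFA memory trade-off against the NFA algorithm the text also names; the scan loop, by contrast, has no per-byte branching beyond the table read.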
  • the processor core may further obtain the application layer protocol type of the original data packet by calling a behavior feature statistics sub-coprocessor; specifically, the behavior feature statistics sub-coprocessor performs behavior feature matching on the original data packet under the call of the processor core to obtain a feature matching result, and returns the feature matching result to the processor core, and the processor core determines the application layer protocol type according to the feature matching result.
  • the behavior feature model may be pre-established for different application protocols.
  • the behavior feature statistics sub-coprocessor matches the behavior characteristics in the data packet against these models to obtain the feature matching result, and returns the feature matching result to the processor core; the processor core determines the application layer protocol type of the original data packet according to the feature matching result.
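Behavior feature matching against pre-established models, as an added example (constructed code, not the patent's sub-coprocessor). The per-flow counters stand in for the stream intermediate state kept in the second memory; the feature set and the two model ranges are illustrative assumptions of this example, not measured protocol profiles, and the packet threshold shows why a behavior engine cannot answer on the first packet the way a string engine can.

```python
"""Behavior feature statistics and model matching (constructed example;
feature set and model thresholds are illustrative assumptions)."""
from dataclasses import dataclass, field


@dataclass
class FlowStats:
    """Per-flow counters the sub-coprocessor keeps in the stream intermediate state."""
    sizes: list = field(default_factory=list)
    upstream: int = 0

    def add(self, payload_len: int, is_upstream: bool):
        self.sizes.append(payload_len)
        self.upstream += int(is_upstream)

    def features(self) -> dict:
        n = len(self.sizes)
        return {
            "packets": n,
            "mean_len": sum(self.sizes) / n,
            "small_ratio": sum(1 for s in self.sizes if s < 100) / n,  # packets under 100 bytes
            "up_ratio": self.upstream / n,                              # share sent by the client
        }


# Hypothetical behavior models: feature -> inclusive (low, high) range.
MODELS = {
    "voip_like": {"mean_len": (20, 200), "small_ratio": (0.9, 1.0), "up_ratio": (0.4, 0.6)},
    "bulk_download_like": {"mean_len": (800, 1500), "small_ratio": (0.0, 0.2), "up_ratio": (0.0, 0.15)},
}


def match_behavior(stats: FlowStats, models=MODELS, min_packets: int = 10):
    """Return the first model whose every range the flow's features satisfy, or None.
    Below min_packets the statistics are too noisy, so the core gets no answer yet."""
    if len(stats.sizes) < min_packets:
        return None
    f = stats.features()
    for proto, ranges in models.items():
        if all(lo <= f[k] <= hi for k, (lo, hi) in ranges.items()):
            return proto
    return None
```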
  • the processor core determines an application layer protocol type of the original data packet according to the feature matching result, including:
  • the processor core reads the rule condition table from the second memory through the cache, and determines the application layer protocol type of the original data packet according to the feature matching result and the rule condition table.
  • the second memory stores a rule condition table, which records the correspondence between rules and application layer protocol types; the processor core matches the feature matching result against the features in each rule to determine whether the feature matching result conforms to the rule, and if it does, the application layer protocol type of the data packet is determined.
  • the processor core does not read and write the second memory directly: the coprocessor is provided with a cache, and data is exchanged between the cache and the second memory by DMA.
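Rule condition table evaluation by the processor core, as an added example (constructed code, not the patent's table format). A rule combines the feature kinds the text lists, transport protocol, destination port, payload strings, regular expressions and the fragmented flag, and the engines' outputs arrive as sets of matched pattern identifiers. The sample rules are constructed; the port-80 rule is the cheap header check the later text says the core can do itself without calling an engine.

```python
"""Rule condition table evaluation (constructed example; rule fields and
sample rules are assumptions)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FeatureMatch:
    """What the engines reported for one packet plus the header fields the core sees."""
    transport: str                       # "tcp" or "udp"
    dst_port: int
    strings: frozenset = frozenset()     # ids of patterns hit by the multi-mode string engine
    regexes: frozenset = frozenset()     # ids of expressions hit by the regex engine
    fragmented: bool = False


@dataclass(frozen=True)
class Rule:
    proto: str
    priority: int = 0                    # higher wins when several rules match
    transport: str = None                # None = any
    dst_ports: frozenset = None          # None = any
    strings_all: frozenset = frozenset()  # every id here must have matched
    regexes_any: frozenset = frozenset()  # at least one id here must have matched
    fragmented: bool = None              # None = don't care

    def matches(self, fm: FeatureMatch) -> bool:
        if self.transport is not None and fm.transport != self.transport:
            return False
        if self.dst_ports is not None and fm.dst_port not in self.dst_ports:
            return False
        if not self.strings_all <= fm.strings:
            return False
        if self.regexes_any and not (self.regexes_any & fm.regexes):
            return False
        if self.fragmented is not None and fm.fragmented != self.fragmented:
            return False
        return True


def identify(fm: FeatureMatch, table) -> str:
    """Walk the table by priority and return the protocol of the first matching rule."""
    for rule in sorted(table, key=lambda r: -r.priority):
        if rule.matches(fm):
            return rule.proto
    return "unknown"


# Constructed sample rules; the ids refer to patterns loaded into the engines elsewhere.
SAMPLE_RULES = [
    Rule("http", priority=10, transport="tcp", strings_all=frozenset({"s_get"})),
    Rule("http", priority=5, transport="tcp", dst_ports=frozenset({80, 8080})),
    Rule("bittorrent", priority=10, regexes_any=frozenset({"r_bt_handshake"})),
    Rule("tls", priority=8, transport="tcp", dst_ports=frozenset({443}),
         strings_all=frozenset({"s_tls_hello"})),
]
```

Giving payload-based rules a higher priority than port-only rules matters: the port rule alone would label any traffic on port 80 as HTTP, which is exactly the kind of mislabelling the payload engines exist to prevent.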
  • a protocol parsing sub-coprocessor is also disposed in the coprocessor, and a state machine can be set in the protocol parsing sub-coprocessor.
  • the processor core invokes at least one sub-coprocessor of the coprocessor to perform an application layer parsing on the original data packet, to obtain an application layer parsing result of the original data packet, which specifically includes:
  • the processor core invokes the protocol identification sub-coprocessor included in the coprocessor to identify the application layer protocol of the original data packet, and obtains the application layer protocol type of the original data packet;
  • the processor core invokes the protocol parsing sub-coprocessor included in the coprocessor to perform protocol parsing on the original data packet, obtains a parsing result, and uses the parsing result together with the application layer protocol type as the application layer parsing result of the original data packet.
  • a URL matching engine may also be set in the coprocessor: the processor core invokes the protocol identification sub-coprocessor of the coprocessor to identify the application layer protocol of the original data packet, and if the processor core determines that the identified application layer protocol type is the hypertext transfer protocol (HTTP), the uniform resource locator (URL) matching engine of the coprocessor is invoked; the URL matching engine performs URL matching on the original data packet under the call of the processor core to obtain a URL matching result, and returns the URL matching result to the processor core, where the processing result further includes the URL matching result.
  • the URL matching engine may be invoked to perform further analysis on the data packet.
  • the URL matching engine can analyze the value of the URL of the data packet to obtain a URL matching result.
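The URL value analysis the engine performs, as an added example (constructed code, not the patent's engine): the URL is rebuilt from the request line and Host header of an HTTP request, then matched against a category table by host, trying the host and each parent domain. The category table and sample request are constructed; the userinfo stripping is there because a URL of the form `user@host` would otherwise let the text before the `@` be taken for the host.

```python
"""URL extraction from an HTTP request and host-based URL matching
(constructed example; the category table is an assumption)."""


def extract_url(payload: bytes):
    """Return (method, url) for an HTTP/1.x request payload, or None if it is not one."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    method, target = parts[0], parts[1]
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip()
            break
    if target.startswith((b"http://", b"https://")):   # absolute-form request target
        url = target
    elif host and target.startswith(b"/"):              # origin-form: join with Host
        url = b"http://" + host + target
    else:
        return None
    return method.decode("ascii", "replace"), url.decode("ascii", "replace")


class UrlMatcher:
    """Looks a URL's host up in a category table, host first, then each parent domain."""

    def __init__(self, categories):
        self.categories = {h.lower(): c for h, c in categories.items()}

    @staticmethod
    def host_of(url: str) -> str:
        authority = url.split("://", 1)[1].split("/", 1)[0]
        if "@" in authority:                  # strip userinfo so it cannot pose as the host
            authority = authority.rsplit("@", 1)[1]
        return authority.split(":", 1)[0].lower().rstrip(".")

    def category(self, url: str):
        labels = self.host_of(url).split(".")
        for i in range(len(labels)):
            cat = self.categories.get(".".join(labels[i:]))
            if cat is not None:
                return cat
        return None


def url_match(payload: bytes, matcher: UrlMatcher):
    """The engine's result for one packet: method, URL and category, or None."""
    found = extract_url(payload)
    if found is None:
        return None
    method, url = found
    return {"method": method, "url": url, "category": matcher.category(url)}
```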
  • the coprocessor sends the URL matching result as a processing result to the general-purpose processor, and the general-purpose processor can perform URL-related network management work according to the URL matching result.
  • the general processor and the coprocessor of the deep packet detecting device cooperate to implement the DPI service, and the function modules in the coprocessor can be set according to the actual DPI service requirements.
  • the foregoing embodiments provide several implementation forms of the functional modules, but the invention is not limited thereto; for different DPI services, the processing flow can also differ.
  • the feature matching work can also be done through the processor core of the coprocessor, and the feature matching result is obtained, and the processor core determines the application layer protocol type according to the feature matching result. For example, one of the features of the HTTP protocol may be that the TCP port is 80. Since this port matching process does not require much computing resources, it can be done by the processor core of the coprocessor.
  • the sub-coprocessors in the coprocessor can be designed specifically for DPI services, thus offloading DPI functions from the general-purpose processor and reducing the occupation of general-purpose processor resources, so that the general-purpose processor can handle other value-added services; at the same time, the coprocessor is provided with a processor core for DPI service control, and the sub-coprocessors operate under the call of the processor core, which greatly improves the flexibility of service processing. The DPI coprocessor is equipped with external memory to preserve the DPI intermediate state for better scalability and performance, so that the DPI coprocessor can offload more of the general-purpose processor's resources.
  • the DPI coprocessor is equipped with external memory to store various feature word data structures and algorithm-specific data structures that are required for DPI processing. In this way, the DPI coprocessor can directly read the data without having to read it through the bus through the general-purpose processor, which can further improve the processing performance.
  • FIG. 6 is a flowchart of a method for detecting a deep packet according to an embodiment of the present invention.
  • the deep packet detection method provided in this embodiment is described below with reference to FIG. 6.
  • Step 1a the general-purpose processor sends the data packet to the transceiver module of the coprocessor;
  • Step 2a The transceiver module sends the data packet to the processor core
  • Step 3a The processor core invokes the protocol identification sub-coprocessor, and sends the data packet to the protocol identification sub-coprocessor through the exchange bus module, and the protocol identification sub-coprocessor performs an endpoint search on the data packet;
  • Step 4a the protocol identification sub-coprocessor determines whether the search is successful; if yes, step 5a is performed, and if not, step 6a is performed;
  • Step 5a the protocol identification sub-coprocessor sends the obtained endpoint search result to the processor core through the exchange bus module, and step 15a is performed;
  • Step 6a The protocol identification sub-coprocessor feeds back a search failure result to the processor core through the exchange bus module;
  • Step 7a The protocol identifier sub-coprocessor calls the multi-mode string matching engine, sends the data packet to the multi-mode string matching engine through the exchange bus module, and the multi-mode string matching engine performs multi-mode string matching on the data packet;
  • Step 8a the multi-mode string matching engine determines whether the matching is successful, and if so, step 9a is performed, and if not, step 10a is performed;
  • Step 9a the multi-mode string matching engine sends the obtained feature matching result to the processor core through the exchange bus module, and step 15a is performed;
  • Step 10a The multi-mode string matching engine feeds back a matching failure result to the processor core by using the exchange bus module.
  • Step 11a the processor core calls the regular expression matching engine, and sends the data packet to the regular expression matching engine through the exchange bus module; the regular expression matching engine performs regular matching on the data packet;
  • step 12a the regular expression matching engine determines whether the matching is successful, and if so, step 13a is performed, and if not, step 14a is performed;
  • Step 13a the regular expression matching engine sends the obtained feature matching result to the processor core through the exchange bus module, and step 15a is performed;
  • Step 14a the regular expression matching engine feeds back the matching failure result to the processor core through the exchange bus module, and the processor core sends the matching failure result as a processing result to the result reporting processing module, and executes step 20a;
  • Step 15a The processor core determines an application layer protocol type according to the feature matching result.
  • Step 16a the processor core determines whether the data packet needs to be deeply resolved, and if so, step 17a is performed, and if not, step 19a is performed;
  • Step 17a The processor core invokes the protocol parsing sub-coprocessor, and sends the data packet to the protocol parsing sub-coprocessor through the exchange bus module; the protocol parsing sub-coprocessor performs protocol parsing on the data packet to obtain a parsing result, and the parsing result is transmitted to the processor core through the exchange bus module;
  • Step 18a the processor core sends the application layer protocol type and the parsing result as a processing result to the result reporting processing module, and performs step 20a;
  • Step 19a The processor core sends the application layer protocol type as a processing result to the result reporting processing module.
  • Step 20a The result reporting processing module encapsulates the processing result and sends the processing result to the general-purpose processor.
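The control flow of steps 1a to 20a as executed by the processor core, as an added software model (constructed code, not the patent's implementation). The three sub-coprocessors are stood in for by deliberately simple callables, a dictionary lookup, a substring search and the `re` module, because the point here is the fallback order and the decision to deep-parse, not the engines themselves; the endpoint record is the one from the text, and the other rules, parsers and packets are constructed.

```python
"""Processor-core control flow of FIG. 6 with stand-in engines (constructed example)."""
import re


class DpiCoprocessorModel:
    def __init__(self, endpoint_table, string_rules, regex_rules, parsers):
        self.endpoint_table = endpoint_table   # (dst_ip, dst_port) -> protocol
        self.string_rules = string_rules       # [(pattern_bytes, protocol)]
        self.regex_rules = [(re.compile(p), proto) for p, proto in regex_rules]
        self.parsers = parsers                 # protocol -> callable(payload) -> dict

    # --- stand-ins for the sub-coprocessors invoked in steps 3a, 7a and 11a ---
    def endpoint_search(self, pkt):
        return self.endpoint_table.get((pkt["dst_ip"], pkt["dst_port"]))

    def multi_pattern(self, payload: bytes):
        for pat, proto in self.string_rules:
            if pat in payload:
                return proto
        return None

    def regex_match(self, payload: bytes):
        for rx, proto in self.regex_rules:
            if rx.search(payload):
                return proto
        return None

    def process(self, pkt: dict, deep_parse: bool = True) -> dict:
        """Return the processing result the core hands to the result reporting module."""
        payload = pkt["payload"]
        proto = self.endpoint_search(pkt)                        # steps 3a-6a
        if proto is None:
            proto = self.multi_pattern(payload)                  # steps 7a-10a
        if proto is None:
            proto = self.regex_match(payload)                    # steps 11a-14a
        if proto is None:
            return {"status": "match_failed"}                    # step 14a -> 20a
        result = {"status": "ok", "protocol": proto}             # step 15a
        parser = self.parsers.get(proto)
        if deep_parse and parser is not None:                    # steps 16a-18a
            result["parsed"] = parser(payload)
        return result                                            # step 19a / 20a
```

Each engine is only consulted when the cheaper one before it failed, which is what keeps the expensive regular expression engine off the common path; the endpoint hit in the first sample packet never touches the payload at all.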
  • FIG. 7 is a flowchart of another deep packet detection method according to an embodiment of the present invention.
  • the deep packet detection method provided in this embodiment is described below with reference to FIG. 7.
  • Step 1b the general-purpose processor sends the data packet to the transceiver module of the coprocessor;
  • Step 2b the transceiver module sends the data packet to the processor core
  • Step 3b The processor core calls the multi-mode string matching engine, sends the data packet to the multi-mode string matching engine through the exchange bus module, and the multi-mode string matching engine performs multi-mode string matching on the data packet;
  • Step 4b the multi-mode string matching engine determines whether the match is successful, and if so, step 5b is performed, and if not, step 6b is performed;
  • Step 5b the multi-mode string matching engine sends the obtained feature matching result to the processor core through the exchange bus module, and step 15b is performed;
  • Step 6b The multi-mode string matching engine feeds back a matching failure result to the processor core by using the exchange bus module.
  • Step 7b the processor core calls a regular expression matching engine, sends the data packet to the regular expression matching engine through the exchange bus module, and the regular expression matching engine performs regular matching on the data packet;
  • Step 8b the regular expression matching engine determines whether the match is successful; if yes, go to step 9b, and if not, go to step 10b;
  • Step 9b the regular expression matching engine sends the obtained feature matching result to the processor core through the exchange bus module, and step 15b is performed;
  • Step 10b The regular expression matching engine feeds back a matching failure result to the processor core by using the exchange bus module.
  • Step 11b the processor core invokes the behavior feature statistics sub-coprocessor, sends the data packet to the behavior feature statistics sub-coprocessor through the exchange bus module, and the behavior feature statistics sub-coprocessor performs behavior characteristic matching on the data packet;
  • Step 12b the behavior feature statistics sub-coprocessor determines whether the match is successful, and if so, step 13b is performed, and if not, step 14b is performed;
  • Step 13b the behavior feature statistics sub-coprocessor sends the obtained feature matching result to the processor core through the exchange bus module, and step 15b is performed;
  • Step 14b the behavior characteristic statistics sub-coprocessor returns the matching failure result to the processor core through the exchange bus module, the processor core sends the matching failure result as a processing result to the result reporting processing module, and performs step 20b;
  • Step 15b The processor core determines an application layer protocol type according to the feature matching result.
  • Step 16b if the application layer protocol type is HTTP, the processor core determines whether it is necessary to obtain the value of the URL of the data packet, and if so, step 17b is performed, and if not, step 19b is performed;
  • Step 17b the processor core invokes the URL matching engine, sends the data packet to the URL matching engine through the exchange bus module, and the URL matching engine analyzes the value of the URL of the data packet to obtain a URL matching result, and sends the URL matching result to the processor core through the exchange bus module;
  • Step 18b The processor core sends the application layer protocol type and the URL matching result as a processing result to the result reporting processing module.
  • Step 19b The processor core sends the application layer protocol type as a processing result to the result reporting processing module.
  • Step 20b The result reporting processing module encapsulates the processing result and sends the processing result to the general-purpose processor.
  • FIG. 8 is a flowchart of another method for detecting a deep packet according to an embodiment of the present invention.
  • the deep packet detection method provided in this embodiment may be implemented in conjunction with the method provided in the embodiment shown in FIG. 4 , and the specific implementation process is not described herein again.
  • the deep packet detection method provided in this embodiment is performed by a general-purpose processor, and the method specifically includes: Step B10: The general purpose processor sends the original data packet to the coprocessor;
  • Step B20: The general-purpose processor receives an application layer parsing result of the original data packet sent by the coprocessor; wherein, the application layer parsing result is obtained by the processor core of the coprocessor calling at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet.
  • the application layer parsing result is used to represent the application layer information of the original data packet, such as the application layer protocol type, the service to which the original data packet belongs, and the like, and is not described here;
  • Step B30 The general-purpose processor processes the original data packet according to at least the application layer parsing result.
  • the network card of the network device sends the stream to the general-purpose processor.
  • the general-purpose processor sends the original data packet to the co-processor, and the co-processor performs the application layer parsing on the original data packet to obtain the application layer parsing result, and the application layer parsing result may include the application layer protocol type, the protocol deep parsing result, the URL matching result, and the like.
  • the application layer parsing result is returned to the general-purpose processor, and the general-purpose processor processes the original data packet according to the application layer parsing result, such as traffic statistics, acceleration, current limiting, blocking, and filtering.
  • the general-purpose processor sends the original data packet to the coprocessor, receives the processing result sent by the coprocessor, and processes the original data packet according to the processing result.
  • the general-purpose processor and the coprocessor cooperate to implement DPI.
  • the sub-coprocessor in the coprocessor can be specially designed for DPI services, and the DPI function is offloaded from the general-purpose processor, which reduces the occupation of general-purpose processor resources, so that the general-purpose processor can handle other value-added services.
  • the processor core is set in the coprocessor
  • the sub-coprocessor is operated under the call of the processor core
  • the interaction between the processor core and the sub-coprocessor is also intra-chip interaction, avoiding frequent interaction between the coprocessor and the general-purpose processor, which can increase the speed of operation.
  • the general-purpose processor processes the original data packet according to the application layer parsing result, and specifically includes:
  • if the general-purpose processor determines, according to the application layer analysis result of the original data packet, that the original data packet is an encrypted data packet, the original data packet is decrypted.
  • the general purpose processor sends the original data packet to the coprocessor, and when the coprocessor recognizes that the original data packet is encrypted, returns a processing result indicating that the original data packet is an encrypted data packet to the general purpose processor.
  • the general processor can decrypt the original data packet, and then send the decrypted original data packet to the coprocessor.
  • the process of processing the original data packet by the coprocessor can refer to the description of the foregoing embodiment.
  • the general purpose processor processes the original data packet according to the application layer parsing result, which may include:
  • the general-purpose processor determines the service type of the flow to which the original data packet belongs according to the application layer analysis result of the original data packet, and performs traffic statistics, charging, or transmission acceleration on the flow according to the service type.
  • the operator wants to charge the VoIP (voice over Internet Protocol) traffic.
  • Traffic statistics can be performed on the flow to implement charging for VoIP telephony services.
  • when users want to speed up certain application traffic, such as online games, and the general-purpose processor determines, according to the application layer analysis result, that the stream to which the original data packet belongs is used for the network game service, the stream is accelerated to ensure its transmission speed.
  • if the general-purpose processor determines, according to the application layer analysis result, that the stream to which the original data packet belongs is for a specific application, the flow can be blocked.
  • the application layer parsing result of the original data packet includes: an application layer protocol type of the original data packet and a URL matching result; wherein, the application layer protocol type of the original data packet may be obtained by
  • the processor core of the coprocessor invoking the protocol identification sub-coprocessor of the coprocessor to identify the original data packet; further, when the processor core of the coprocessor determines that the application layer protocol type of the original data packet is the hypertext transfer protocol HTTP,
  • the coprocessor's uniform resource locator URL matching engine may be invoked to perform URL matching on the original data packet to obtain the URL matching result, which is sent to the general-purpose processor; accordingly, after the general-purpose processor receives the URL matching result sent by the coprocessor, it determines, according to the application layer protocol type and the URL matching result, whether the flow to which the original data packet belongs is used to access a restricted website, and if so, the flow is blocked.
  • the user wants to enable the green Internet service to prevent the minor from accessing the unhealthy website.
  • when the application layer protocol type is determined to be HTTP, and according to the URL matching result the website pointed to by the URL is determined to be restricted, the flow is blocked to prevent minors from accessing unhealthy websites.
  • FIG. 9 is a schematic structural diagram of a coprocessor according to an embodiment of the present invention.
  • the coprocessor 91 provided in this embodiment may implement various steps of the deep packet identification method applied to the coprocessor provided by any embodiment of the present invention, and the specific implementation process is not described herein.
  • the coprocessor 91 provided in this embodiment specifically includes: a transceiver module 11, a processor core 12, and a sub-coprocessor 13.
  • the transceiver module 11 is configured to receive the original data packet sent by the general-purpose processor, and send the original data packet to the processor core 12;
  • the processor core 12 is configured to call the sub-coprocessor 13 of the coprocessor 91 to identify the application protocol of the original data packet, generate a processing result, and send the processing result to the general-purpose processor;
  • the sub-coprocessor 13 is configured to identify the application protocol of the original data packet under the call of the processor core 12.
  • the coprocessor 91 can be implemented by an FPGA or an ASIC, and one or more processor cores 12 are disposed in the coprocessor 91.
  • the coprocessor 91 is further provided with a transceiver module 11 and a sub-coprocessor 13, which can be implemented in a hardware description language.
  • the hardware description language can be VHDL or Verilog HDL.
  • the sub-coprocessor 13 is specifically used for application protocol identification of data packets, which can improve the processing effect of the service.
  • the coprocessor 91 may further include a switch bus module 14. Accordingly, the processor core 12 can call the sub-coprocessor 13 through the switch bus module 14 of the coprocessor 91.
  • the function module of the coprocessor 91 can be equipped with a first memory 15 and a second memory 16; the first memory saves the soft-core-specific data structures, including the flow table and the rule conditions, so that the DPI coprocessor can perform flow-aware (stateful) processing
  • rather than processing based on individual packets.
  • the second memory stores the data structures of the matching engine and the sub-coprocessor, such as the DFA state table, the single-mode matching algorithm auxiliary data, the arithmetic data structure of the sub-coprocessor, and the like. It should be noted that the first memory and the second memory are only logical divisions, and the two may be located on the same physical memory.
  • in the coprocessor 91 provided by this embodiment, the transceiver module 11 receives the original data packet sent by the general-purpose processor and sends it to the processor core 12 of the coprocessor 91; the processor core 12 calls the sub-coprocessor 13 of the coprocessor 91 to identify the application protocol of the original data packet and generate a processing result, and the processor core 12 sends the processing result to the general-purpose processor so that the general-purpose processor processes the original data packet based on the processing result.
  • the general-purpose processor and the coprocessor 91 cooperate to implement DPI, and the sub-coprocessor 13 in the coprocessor 91 can be specifically designed for the DPI service, and the DPI function is offloaded from the general-purpose processor, thereby reducing the occupation of general-purpose processor resources so that the general-purpose processor can handle other value-added services.
  • the processor core 12 is disposed in the coprocessor 91.
  • the sub-coprocessor 13 operates under the call of the processor core 12, and the intermediate state information can be retained.
  • the interaction between the processor core 12 and the sub-coprocessor 13 is also intra-chip interaction, which avoids frequent interaction between the coprocessor 91 and the general-purpose processor and can improve the running speed.
  • FIG. 10 is a schematic structural diagram of another coprocessor 10 according to an embodiment of the present invention.
  • the transceiver module 11 may include a receiving unit 111, a stream processing unit 112, and a distribution unit 113.
  • the receiving unit 111 is configured to receive the original data packet sent by the general-purpose processor; the stream processing unit 112 is configured to perform stream processing on the original data packet; and the distributing unit 113 is configured to send the stream-processed data packet to the processor core 12.
  • specifically, the stream processing unit 112 is configured to perform IP fragment packet reassembly processing and TCP out-of-order packet reordering processing on the original data packet; when the coprocessor 10 includes multiple processor cores,
  • the distribution unit 113 is specifically configured to determine a load condition of each of the at least two processor cores, select one of the at least two processor cores according to the load condition of each processor core,
  • and send the stream-processed data packet to the selected processor core; accordingly, the selected processor core is used to invoke the sub-coprocessor 13 to perform application layer parsing, for example application layer protocol identification, on the stream-processed data packet.
  • the coprocessor 10 may further include a switch bus module 14.
  • the processor core 12 specifically calls the sub-coprocessor 13 through the switch bus module 14 of the coprocessor 10.
  • the sub-coprocessor 13 may be an endpoint lookup sub-coprocessor.
  • the sub-coprocessor 13 is specifically configured to perform an endpoint lookup on the original data packet under the call of the processor core 12 to obtain an endpoint lookup result, and return the endpoint lookup result to the processor core 12.
  • the processor core 12 is specifically configured to determine an application layer protocol type of the original data packet according to the feature matching result, and send the determined application layer protocol type as an application layer parsing result of the original data packet to the general-purpose processor.
  • the sub-coprocessor 13 includes a protocol identification sub-coprocessor 131 and a string matching engine 132.
  • the protocol identification sub-coprocessor 131 is configured to invoke the string matching engine 132 after the processor core calls the sub-coprocessor 13; the string matching engine 132 is configured to perform string matching on
  • the original data packet under the call of the protocol identification sub-coprocessor 131 to obtain a feature matching result, and return the feature matching result to the processor core;
  • the processor core 12 is specifically configured to determine an application layer protocol type of the original data packet according to the feature matching result, and send the determined application layer protocol type to the general-purpose processor as an application layer parsing result of the original data packet.
  • the sub-coprocessor 13 may also be a regular expression matching engine.
  • the regular expression matching engine is configured to perform regular matching on the original data packet under the call of the processor core 12 to obtain a feature matching result, and return the feature matching result to the processor core 12.
  • the processor core 12 is specifically configured to determine an application layer protocol type of the original data packet according to the feature matching result, and send the determined application layer protocol type to the general purpose processor as an application layer parsing result of the original data packet.
  • the sub-coprocessor 13 further includes: a behavior feature statistics sub-coprocessor 133, configured to perform behavior feature matching on the original data packet under the call of the processor core 12 to obtain a feature matching result, and return the feature matching result to the processor core 12.
  • the processor core 12 is specifically configured to determine the application layer protocol type of the original data packet according to the feature matching result, and send the determined application layer protocol type as the application layer parsing result of the original data packet to the general-purpose processor.
  • the coprocessor 10 may further include: a protocol parsing sub-coprocessor 15 configured to perform protocol parsing on the original data packet under the call of the processor core 12 to obtain a parsing result, and return the parsing result to the processor core 12; correspondingly, the processor core 12 is specifically configured to send the application layer protocol type of the original data packet and the parsing result obtained by the protocol parsing sub-coprocessor 15 to the general-purpose processor as the application layer parsing result of the original data packet.
  • the coprocessor 10 may further include: a uniform resource locator URL matching engine 16 configured to perform URL matching on the original data packet under the call of the processor core 12 to obtain a URL matching result, and return the URL matching result to the processor core 12; correspondingly, the processor core 12 is specifically configured to send the application layer protocol type of the original data packet and the URL matching result to the general-purpose processor as the application layer parsing result of the original data packet.
  • the coprocessor 10 further includes: a result reporting processing module 17.
  • the processor core 12 is specifically configured to send the application layer parsing result of the original data packet to the result reporting processing module 17;
  • the result reporting processing module 17 is configured to encapsulate the application layer parsing result according to a preset format, and send the encapsulated application layer parsing result to the general-purpose processor.
  • the general-purpose processor of the DPI device and the coprocessor 91 cooperate to implement the DPI service; the function modules in the coprocessor 91 can be set according to actual DPI service requirements, and the logic of the processor core 12 can also be programmed according to actual DPI service needs.
  • the above embodiment provides an implementation form of several functional modules, but the invention is not limited thereto.
  • the DPI device can be divided into multiple levels, for example, divided into four levels from top to bottom: computationally dense layer, DPI service control layer, DPI sub-service logic layer and algorithm engine layer.
  • the higher the level, the more complex and general the processing; the lower the level, the simpler and more specific the algorithm.
  • DPI-related tasks should be handed over to the coprocessor as much as possible. This allows a general purpose processor to perform more computationally intensive tasks.
  • the coprocessor is responsible for implementing the logic of the DPI service control layer, the DPI sub-service logic layer, and the algorithm engine layer.
  • high-level modules call low-level modules to implement the required functions.
  • modules of the same level can also call each other to coordinate the completion of functions.
  • Each level will be described in detail below.
  • Level 1 Computational intensive layer. Responsible for tasks that require a large amount of computational processing, including: complex logic processing such as encryption and decryption and codec in DPI business logic; and other non-DPI services such as value-added services, policy matching, and message action execution.
  • Level 2 DPI business control layer.
  • the DPI service control logic is executed by placing a processor core in the coprocessor, including the sequential execution control of the steps of the DPI engine, the conditional rule matching, the cross-packet processing, the preservation of the intermediate state, and the like, and the control logic related to the DPI service.
  • Level 3 DPI sub-business logic layer. Responsible for DPI-specific sub-services that can be implemented in solidified (fixed) logic. For example: protocol identification sub-coprocessor, protocol parsing sub-coprocessor and behavior characterization sub-coprocessor.
  • Level 4 Algorithm Engine Layer. Responsible for algorithmic engine tasks that are specifically optimized for DPI. For example: regular expression matching engine, floating expression engine, multi-modal string matching algorithm engine, single-mode string matching algorithm engine and behavior parameter calculation engine, and so on.
  • Between Level 2 and Level 4, the exchange bus module is responsible for message and data interaction between these hierarchical modules.
  • The interaction between Level 1 and the other levels, that is, the inter-chip interaction between the general-purpose processor and the coprocessor, can use a standardized bus such as PCIe, and the type of the bus can be set according to the external interface provided by the general-purpose processor.
  • modules for auxiliary processing are independent of each level and are implemented using solidified logic.
  • for example, the transceiver module inside the coprocessor 91, the result reporting processing module, the memory read/write module, the cache, and the like.
  • the general-purpose processor can also determine, according to the service type, whether a packet is processed by itself or by the coprocessor: if the processing algorithm corresponding to the service type is of a higher level and more complicated, it is processed by the general-purpose processor; if the service type is a DPI-related service, it is processed by the coprocessor.
  • the embodiment of the present invention also proposes to equip the coprocessor with external memory to save the DPI intermediate state to achieve better scalability and performance, such as the first memory 83 and the second memory 84 in FIG.
  • external memory can be used to save various feature word data structures and algorithm-specific data structures that are needed for DPI processing. In this way, the coprocessor can read the data directly and quickly without having to read it through the bus through the general purpose processor, which can achieve higher processing performance.
  • the string matching engine 132 is specifically configured to read a string matching algorithm state table from the first memory 83 under the call of the processor core 12, and perform string matching on the original data packet according to the string matching algorithm state table to obtain a feature matching result, wherein the first memory 83 is configured to store the string matching algorithm state table.
  • the function module of the coprocessor 10 is equipped with a first memory 83, and the first memory 83 stores a string matching algorithm state table.
  • the string matching algorithm state table is a multi-mode string matching algorithm state table.
  • the string matching algorithm state table is a single-mode string matching algorithm state table.
  • the multi-mode string matching algorithm is an AC algorithm
  • the multi-mode string matching algorithm state table is an AC state table
  • the multi-mode string matching engine can perform multi-mode string matching on the data packet according to the multi-mode string matching algorithm state table.
  • the multi-mode string matching engine does not directly read and write the first memory 83.
  • the coprocessor 10 is provided with a cache, and the first memory 83 can be accessed through the cache.
  • the regular expression matching engine is specifically configured to read a regular expression matching algorithm state table from the first memory 83 under the call of the processor core 12, and perform regular matching on the original
  • data packet according to the regular expression matching algorithm state table, wherein the first memory 83 is used to store the regular expression matching algorithm state table.
  • the first memory 83 stores a regular expression matching algorithm state table.
  • the regular expression matching algorithm state table is a DFA state table
  • when the regular expression matching engine performs regular matching on
  • a packet, it can be implemented according to the regular expression matching algorithm state table.
  • the regular expression matching engine does not directly read and write the first memory 83, and the coprocessor 10 is provided with a cache to access the first memory 83 through the cache.
  • after the string matching engine 132 performs string matching on the original data packet according to the string matching algorithm state table in the first memory 83 and obtains the feature matching result, the processor core 12 is specifically configured to read the rule condition data structure from the second memory 84, and determine the application layer protocol type of the original data packet according to the feature matching result and the rule condition data structure, wherein the second memory 84 is used to store the rule condition data structure.
  • the processor core 12 of the coprocessor 10 is provided with a second memory 84.
  • the second memory 84 stores a rule condition data structure, where the rule condition data structure is used to store the correspondence between the service rule and the application layer protocol type.
  • the processor core 12 queries the application layer protocol type of the original data packet from the rule condition data structure in the second memory 84 according to the feature matching result obtained by the string matching engine. The processor core 12 may not directly read or write the second memory 84;
  • the coprocessor 10 is provided with a cache, and the second memory 84 is accessed through the cache.
  • the first memory 83 and the second memory 84 may be in a dual slot mode.
  • the first memory 83 and the second memory 84 can be designed in a dual-slot (double bank) mode: the first slot is used to save the currently used data structure and is called the current slot, and the second slot is used to save the upgraded data structure and is called the upgrade slot.
  • the coprocessor 10 accesses the data in the current slot for business processing.
  • the upgraded data can be loaded into the upgrade slot, and the upgrade process does not affect the access of the coprocessor 10 to the current slot of the memory; when loading of the new data
  • is finished, the slots are switched.
  • the first slot is then used as the upgrade slot
  • and the second slot is used as the current slot, and so on.
  • the first slot and the second slot are used alternately to save the upgrade data, ensuring that the upgrade takes effect without interrupting
  • current business. It is worth noting that in practical applications, after the slot switch, some traffic is still being processed, and the traffic still in process cannot be forcibly switched to the new slot. In this case, new traffic is processed using the data in the new slot, and the old traffic continues to be processed using the original slot. The original slot is not taken out of service until all old traffic has been processed. This allows the system to be upgraded without disrupting current business.
  • the original identification feature of the BitTorrent protocol is "Bttorrent"
  • the new feature is "XBttorrent"
  • the knowledge base of the DPI identification needs to be updated
  • in the coprocessor 10 of the present invention, the corresponding data structure is the string feature stored in the AC state table. Therefore, the newly compiled feature data structure needs to be loaded into the upgrade slot.
  • the multi-mode string matching engine still uses the current slot during the loading process. After the loading is completed, the current slot is swapped with the upgrade slot.
  • the multi-mode string matching engine can then read the new AC state table. In actual application, the system mainly includes a compilation part and a running part.
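The AC state table read by the multi-mode string matching engine, the processor core's rule condition lookup, and the dual-slot upgrade with the "Bttorrent" to "XBttorrent" feature change, as an added Python model that is not the patent's or the applicant's code. The feature ids, the rule table, the sample payloads, and the refusal of a further upgrade while old flows still use the old slot are constructed assumptions for illustration.

```python
from collections import deque


class ACStateTable:
    """Compiled Aho-Corasick automaton, standing in for the multi-mode string
    matching algorithm state table that the background compiler would emit."""

    def __init__(self, features):
        # features: {feature_id: bytes pattern} (constructed ids, not real ones)
        self.goto = [{}]      # state -> {byte: next state}
        self.fail = [0]       # state -> failure state
        self.out = [set()]    # state -> feature ids matched on reaching it
        for fid, pat in features.items():
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(fid)
        queue = deque(self.goto[0].values())   # depth-1 states fail to root
        while queue:                           # BFS builds failure links
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]
                queue.append(s)

    def match(self, payload):
        """One pass over the payload; returns the set of feature ids hit."""
        s, hits = 0, set()
        for b in payload:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits |= self.out[s]
        return hits


def identify_protocol(table, rules, payload):
    """Processor core logic: feature matching result + rule condition data
    structure -> application layer protocol type ("unknown" = match failure).
    A rule is the set of feature ids that must all hit for its protocol."""
    hits = table.match(payload)
    for needed, proto in rules.items():
        if needed <= hits:
            return proto
    return "unknown"


class DualSlotMemory:
    """Two slots: the current slot serves lookups, the other receives the newly
    compiled knowledge base. A flow is pinned to the slot that was current when
    it started, so a slot switch never changes a flow mid-stream."""

    def __init__(self, knowledge_base):
        self.slots = [knowledge_base, None]
        self.current = 0
        self.inflight = [0, 0]      # flows still pinned to each slot

    def load_upgrade(self, knowledge_base):
        upgrade = 1 - self.current
        if self.inflight[upgrade]:  # assumption: old slot must drain first
            raise RuntimeError("upgrade slot still serving old traffic")
        self.slots[upgrade] = knowledge_base   # current slot is untouched

    def switch(self):
        if self.slots[1 - self.current] is None:
            raise RuntimeError("upgrade slot is empty")
        self.current = 1 - self.current        # the two slots swap roles

    def open_flow(self):
        self.inflight[self.current] += 1
        return self.current                    # the flow's pinned slot

    def close_flow(self, slot):
        self.inflight[slot] -= 1
        if slot != self.current and self.inflight[slot] == 0:
            self.slots[slot] = None            # old slot drained, reusable

    def knowledge_base(self, slot):
        return self.slots[slot]


def bittorrent_upgrade_scenario():
    """The feature update from the text, with one flow started before the
    upgrade and one after. Returns what each flow was identified as."""
    http = {"http_method": b"GET ", "http_version": b"HTTP/1."}
    rules = {frozenset({"bt"}): "BitTorrent",
             frozenset({"http_method", "http_version"}): "HTTP"}
    kb_v1 = (ACStateTable({"bt": b"Bttorrent", **http}), rules)
    kb_v2 = (ACStateTable({"bt": b"XBttorrent", **http}), rules)
    old_bt, new_bt = b"\x13Bttorrent protocol", b"\x13XBttorrent protocol"
    web = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"  # constructed

    mem = DualSlotMemory(kb_v1)
    old_flow = mem.open_flow()                 # pinned to slot 0
    seen = {"old_before": identify_protocol(*mem.knowledge_base(old_flow), old_bt)}
    mem.load_upgrade(kb_v2)                    # current slot keeps serving
    mem.switch()
    new_flow = mem.open_flow()                 # pinned to slot 1
    seen["old_after"] = identify_protocol(*mem.knowledge_base(old_flow), old_bt)
    seen["new_old_feature"] = identify_protocol(*mem.knowledge_base(new_flow), old_bt)
    seen["new_new_feature"] = identify_protocol(*mem.knowledge_base(new_flow), new_bt)
    seen["new_http"] = identify_protocol(*mem.knowledge_base(new_flow), web)
    try:
        mem.load_upgrade(kb_v1)                # old slot not drained yet
        seen["second_upgrade_blocked"] = False
    except RuntimeError:
        seen["second_upgrade_blocked"] = True
    mem.close_flow(old_flow)
    seen["old_slot_freed"] = mem.knowledge_base(old_flow) is None
    return seen


if __name__ == "__main__":
    for key, value in bittorrent_upgrade_scenario().items():
        print(f"{key}: {value}")
```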
  • the compilation part includes: a feature compiler, a parsing sub-coprocessor compiler, a result template compiler, and a policy compiler.
  • the compiler mainly includes:
  • a. foreground compiler: feature compiler, parsing sub-coprocessor compiler, matching rule translator, etc.
  • b. background compiler: regular expression compiler, single-mode string algorithm compiler, multi-mode string algorithm compiler, etc.
  • the main functions of the foreground compiler include: categorizing the rules of various DPI services (such as application layer protocol, IPS/IDS, URL filtering) into rules that can be used by the coprocessor of the present invention, namely expressions, strings, values, etc.; generating the data structure of the second memory, i.e. the rule condition data structure, etc.; compiling the software logic of the processor core in the coprocessor from high-level programming language code into instructions executed by the processor core of the coprocessor; and compiling the various DPI service data structures used by the general-purpose processor, namely the data structures mentioned above for supporting post-decryption identification and algorithm identification.
  • the main function of the background compiler is to compile the data structures that can be used by the lowest-level algorithm engine modules of the various coprocessors, that is, the data structures of the first memory, which are described above and not repeated here.
  • the compilation part also contains a coprocessor driver, which is responsible for loading the various compiled data structures into the coprocessor's first memory, second memory, and on-chip memory (for example, the processor core's logic instructions are stored in the processor's on-chip memory).
  • FIG. 11 is a schematic structural diagram of a general-purpose processor according to an embodiment of the present invention.
  • the general-purpose processor 82 provided in this embodiment may implement various steps of the deep packet detection method applied to the general-purpose processor provided by any embodiment of the present invention, and the specific implementation process is not described herein again.
  • the general-purpose processor provided in this embodiment includes: a sending module 21, a transceiver module 22, and a processing module 23.
  • a sending module 21 configured to send the original data packet to the coprocessor
  • the receiving module 22 is configured to receive an application layer parsing result of the original data packet sent by the coprocessor, where the application layer parsing result is obtained by a processor core of the coprocessor invoking at least one sub-coprocessor of the coprocessor
  • to perform application layer parsing on the original data packet; the application layer parsing result is used to represent the application layer information of the data packet;
  • the processing module 23 is configured to process the original data packet according to at least the application layer parsing result.
  • The general-purpose processor sends the original data packet to the coprocessor, receives the processing result sent by the coprocessor, and processes the original data packet according to the processing result.
  • The general-purpose processor and the coprocessor cooperate to implement DPI. The sub-coprocessors in the coprocessor can be designed specifically for DPI services, and the DPI function is offloaded from the general-purpose processor, which reduces the occupation of general-purpose processor resources so that the general-purpose processor can handle other value-added services.
  • A processor core is provided in the coprocessor and the sub-coprocessors run under the invocation of the processor core, so intermediate state information can be retained; the interaction between the processor core and the sub-coprocessors is intra-chip interaction, which avoids frequent interaction between the coprocessor and the general-purpose processor and can increase the running speed.
  • The processing module 23 is specifically configured to decrypt the original data packet if it is determined, according to the application-layer parsing result of the original data packet, that the original data packet is an encrypted data packet.
  • The processing module 23 is specifically configured to determine, according to the application-layer parsing result of the original data packet, the service type of the flow to which the original data packet belongs, and to perform traffic statistics, billing or transmission acceleration on that flow according to the service type.
  • The application-layer parsing result of the original data packet includes the application-layer protocol type of the original data packet and a URL matching result. The application-layer protocol type may be obtained by the processor core of the coprocessor invoking the protocol identification sub-coprocessor of the coprocessor to identify the original data packet; further, after the processor core of the coprocessor determines that the application-layer protocol type of the original data packet is the Hypertext Transfer Protocol (HTTP), it may invoke the Uniform Resource Locator (URL) matching engine of the coprocessor to perform URL matching on the original data packet, obtain the URL matching result and send it to the general-purpose processor. Accordingly, after receiving the URL matching result sent by the coprocessor, the general-purpose processor determines, according to the application-layer protocol type and the URL matching result, whether the flow to which the original data packet belongs is used to access a restricted website, and if so, blocks the flow.
  • FIG. 12 is a schematic structural diagram of a first DPI device according to an embodiment of the present invention.
  • The DPI device provided in this embodiment includes a coprocessor 81 provided by any embodiment of the present invention and a general-purpose processor 82 provided by any embodiment of the present invention.
  • The general-purpose processor 82 and the coprocessor 81 cooperate to implement DPI. The sub-coprocessors in the coprocessor 81 can be designed specifically for DPI services, and the DPI function is offloaded from the general-purpose processor 82, which reduces the occupation of the resources of the general-purpose processor 82 so that it can handle other value-added services.
  • The coprocessor 81 is provided with a processor core and the sub-coprocessors run under the invocation of the processor core, so intermediate state information can be retained; the interaction between the processor core and the sub-coprocessors is intra-chip interaction, which avoids frequent interaction between the coprocessor 81 and the general-purpose processor 82 and can increase the running speed.
  • In one embodiment the DPI device includes a single general-purpose processor. In practical applications a coprocessor can also cooperate with two or more general-purpose processors to implement DPI services: in another embodiment the DPI device includes at least two general-purpose processors, and further includes a network card and a load balancing device.
  • The network card is configured to receive data packets from the network and send them to the load balancing device.
  • The load balancing device is configured to obtain the load condition of each of the at least two general-purpose processors, select a general-purpose processor according to the load condition of each general-purpose processor, and send the data packet to the selected general-purpose processor.
  • FIG. 13 is a schematic structural diagram of a second DPI device according to an embodiment of the present invention.
  • As shown in FIG. 13, the DPI device includes two general-purpose CPUs 33 and 35. The network card 31 receives the data packets sent by other devices in the network and distributes them directly to the appropriate general-purpose CPU through the load balancing device 32, which is responsible for load sharing, rather than through DMA (Direct Memory Access). When a general-purpose CPU determines that DPI processing is required, the data packet is forwarded to the coprocessor 34; after the coprocessor 34 finishes processing, the DPI processing result is received through the PCIE interface, further processing is performed according to the DPI processing result, and the data packet to be forwarded is sent out through the network card 31.
  • The load balancing device 32 may be implemented by an FPGA. On the one hand it selects a suitable general-purpose CPU to process the data packet according to the load condition of each general-purpose CPU; on the other hand it implements the messaging logic. If the DPI device has only one general-purpose CPU, the load balancing device 32 may be omitted and the messaging logic may be implemented by another chip.
  • the general-purpose CPU in the embodiment of the present invention may specifically be a Cavium general-purpose CPU.
  • The DPI device of this embodiment implements DPI through a general-purpose processor and a coprocessor. The sub-coprocessors in the coprocessor can be designed specifically for DPI services, and the DPI function is offloaded from the general-purpose processor, which reduces the use of general-purpose processor resources so that the general-purpose processor can handle other value-added services.
  • A processor core is provided in the coprocessor and the sub-coprocessors run under the invocation of the processor core, so intermediate state information can be retained; the interaction between the processor core and the sub-coprocessors is intra-chip interaction, which avoids frequent interaction between the coprocessor and the general-purpose processor and can reduce processing latency.
  • FIG. 14 is a schematic structural diagram of a third DPI device according to an embodiment of the present invention.
  • As shown in FIG. 14, the DPI device includes two general-purpose CPUs 42 and 45; the general-purpose CPU 42 is configured with DDR3 memory 43 and the general-purpose CPU 45 with DDR3 memory 46.
  • The DPI device is further provided with a network card 41. After receiving a data packet sent by another device in the network, the network card 41 first triggers the general-purpose CPU 42 to read the data packet through the PCIE interface and save it in the DDR3 memory 43 that it uses.
  • When the general-purpose CPU 42 performs some processing and finds that DPI processing is required, the data packet is transferred to the coprocessor 44 by DMA for DPI processing. After the coprocessor 44 completes the processing, the DPI processing result is returned to the general-purpose CPU 42; after further processing, the general-purpose CPU 42 sends the data packet to be forwarded to the next network device in the network through the network card 41. It should be noted that the general-purpose CPU of this embodiment may be a Sandy Bridge general-purpose CPU.
  • The DPI device of this embodiment implements DPI through a general-purpose processor and a coprocessor. The sub-coprocessors in the coprocessor can be designed specifically for DPI services, and the DPI function is offloaded from the general-purpose processor, which reduces the occupation of general-purpose processor resources so that the general-purpose processor can handle other value-added services.
  • A processor core is provided in the coprocessor and the sub-coprocessors run under the invocation of the processor core, so intermediate state information can be retained; the interaction between the processor core and the sub-coprocessors is intra-chip interaction, which avoids frequent interaction between the coprocessor and the general-purpose processor and can reduce processing latency.
  • The deep packet inspection method and apparatus provided by the embodiments of the present invention can be applied in various scenarios, including but not limited to the following. In an enterprise network router, the DPI coprocessor is used for application protocol identification, deep protocol parsing, IDS (Intrusion Detection System) and the policy engine.
  • On a router or BRAS (Broadband Remote Access Server), the DPI coprocessor is used for application protocol identification, deep protocol parsing and the policy engine.
  • The DPI coprocessor is also used for application protocol identification, deep protocol parsing, content filtering and the policy engine.
  • In radio access network elements such as the RNC (Radio Network Controller) and the NodeB, the DPI coprocessor is used for application protocol identification, deep protocol parsing, radio resource optimization and the policy engine.
  • The foregoing program may be stored in a computer-readable storage medium; when executed, the program carries out the steps of the foregoing method embodiments. The storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk or an optical disk.


Abstract

Embodiments of the present invention provide a deep packet inspection method, device and coprocessor. The deep packet inspection method includes: a transceiver module of the coprocessor receives an original data packet sent by a general-purpose processor and sends the original data packet to a processor core of the coprocessor; the processor core invokes a sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet and obtain an application-layer parsing result; the processor core sends the parsing result to the general-purpose processor, so that the general-purpose processor processes the original data packet according to the parsing result. The deep packet inspection method and apparatus provided by the embodiments reduce the occupation of general-purpose processor resources and increase the running speed.

Description

Deep packet inspection method, device and coprocessor
Technical field
Embodiments of the present invention relate to computer technology, and in particular to a deep packet inspection method, device and coprocessor.
Background
Deep Packet Inspection (DPI), as the core technology of network intrusion detection and application-layer protocol identification, plays an increasingly important role in the field of network and information security. DPI performs in-depth analysis of data packets by feature-matching algorithms to obtain the application information of the packets, and thereby supports services such as network optimization, application traffic control and security detection. In the prior art, DPI services are usually implemented by a general-purpose processor with an integrated matcher, where software logic on the general-purpose processor drives the matcher to perform feature matching. Because a general-purpose processor is usually not designed specifically for DPI services, in order to meet the requirement of generality its integrated matcher generally supports only general-purpose matching algorithms, such as regular-expression matching, and cannot support matching algorithms designed specifically for DPI services; this leads to poor matching performance, which becomes the bottleneck of service processing. Moreover, since all DPI services are implemented in the general-purpose processor, whose resources are limited, the performance of DPI services is restricted. As shown in FIG. 1, another prior-art way of implementing DPI services is to solidify the DPI service logic into hardware; the hardware entity may be an FPGA (Field-Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit). For example, the DPI service logic of a certain device is divided into the following steps: 1. endpoint table matching; 2. IP port identification; 3. application-layer text feature matching; 4. complex post-decoding identification. The first three steps can be solidified into hardware logic, while the logic of step 4 is very complex and cannot be implemented in hardware logic, so it is left to the general-purpose processor. It can be seen that solidifying logic into hardware has poor extensibility: whenever the DPI service logic changes (for example the three steps of the above example become four, or their order is adjusted), the hardware code has to be rewritten, simulated and then released to the devices in the live network, which makes it hard to adapt quickly to changes in network traffic. Furthermore, because the several steps of the DPI service logic are implemented partly in software on the general-purpose processor and partly in the logic of the hardware acceleration chip, multiple interactions between the general-purpose processor and the hardware acceleration chip are unavoidable, resulting in a large DPI processing latency.
Summary
Embodiments of the present invention provide a deep packet inspection method, device and coprocessor, so as to improve the performance and extensibility of DPI.
In a first aspect, an embodiment of the present invention provides a deep packet inspection method, including: a transceiver module of a coprocessor receives an original data packet sent by a general-purpose processor and sends the original data packet to a processor core of the coprocessor; the processor core invokes at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet and obtain an application-layer parsing result of the original data packet, the application-layer parsing result representing the application-layer information of the original data packet; the processor core sends the application-layer parsing result to the general-purpose processor, so that the general-purpose processor processes the original data packet according to the application-layer parsing result. In a first possible implementation, after the transceiver module of the coprocessor receives the original data packet sent by the general-purpose processor and before the original data packet is sent to the processor core of the coprocessor, the method further includes performing flow processing on the original data packet; sending the original data packet to the processor core then includes sending the flow-processed data packet to the processor core; and the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet and obtain the application-layer parsing result includes: the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the flow-processed data packet and obtain the application-layer parsing result of the original data packet.
With reference to the first possible implementation of the first aspect, in a second possible implementation, the flow processing sub-module of the transceiver module performing flow processing on the original data packet includes: the flow processing sub-module performing IP fragment reassembly and TCP out-of-order packet reordering on the original data packet.
With reference to the first aspect, in a third possible implementation, at least two processor cores are provided in the coprocessor, and sending the original data packet to the processor core of the coprocessor includes: selecting one processor core from the at least two processor cores according to the load condition of each processor core, and sending the original data packet to the selected processor core.
With reference to the first aspect, in a fourth possible implementation, the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet specifically includes: the processor core invoking at least one sub-coprocessor of the coprocessor through a switch bus module of the coprocessor to perform application-layer parsing on the original data packet.
With reference to the first aspect, in a fifth possible implementation, the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet and obtain the application-layer parsing result of the original data packet includes:
the processor core invokes a protocol identification sub-coprocessor included in the coprocessor; under the invocation of the processor core, the protocol identification sub-coprocessor performs an endpoint lookup on the original data packet, obtains an endpoint lookup result and returns the endpoint lookup result to the processor core; the processor core determines the application-layer protocol type of the original data packet at least according to the endpoint lookup result, and takes the obtained application-layer protocol type as the application-layer parsing result of the original data packet.
With reference to the first aspect, in a sixth possible implementation, the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet and obtain the application-layer parsing result of the original data packet includes: the processor core invokes a protocol identification sub-coprocessor included in the coprocessor; under the invocation of the processor core, the protocol identification sub-coprocessor invokes a string matching engine included in the coprocessor; under the invocation of the protocol identification sub-coprocessor, the string matching engine performs string matching on the original data packet, obtains a feature matching result and returns the feature matching result to the processor core; the processor core determines the application-layer protocol type of the original data packet at least according to the feature matching result, and takes the application-layer protocol type as the application-layer parsing result of the original data packet.
With reference to the first aspect, in a seventh possible implementation, the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet and obtain the application-layer parsing result of the original data packet includes:
the processor core invokes a regular-expression matching engine included in the coprocessor; under the invocation of the processor core, the regular-expression matching engine performs regular-expression matching on the original data packet, obtains a feature matching result and returns the feature matching result to the processor core; the processor core determines the application-layer protocol type of the original data packet at least according to the feature matching result, and takes the obtained application-layer protocol type as the application-layer parsing result of the original data packet.
With reference to the first aspect, in an eighth possible implementation, the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet and obtain the application-layer parsing result of the original data packet includes: the processor core invokes a protocol identification sub-coprocessor included in the coprocessor to identify the application-layer protocol of the original data packet and obtain the application-layer protocol type of the original data packet; the processor core invokes a protocol parsing sub-coprocessor included in the coprocessor to perform protocol parsing on the original data packet and obtain a parsing result, and takes the parsing result and the application-layer protocol type as the application-layer parsing result of the original data packet.
With reference to the sixth possible implementation of the first aspect, in a ninth possible implementation, the string matching engine performing string matching on the original data packet under the invocation of the protocol identification sub-coprocessor and obtaining a feature matching result includes:
under the invocation of the protocol identification sub-coprocessor, the string matching engine reads a string matching algorithm state table from a first memory and performs string matching on the flow-processed data packet according to the string matching algorithm state table to obtain the feature matching result.
With reference to the first aspect or any of the first to ninth possible implementations of the first aspect, in an eleventh possible implementation, the processor core sending the application-layer parsing result to the general-purpose processor includes: the processor core sends the application-layer parsing result to a result-report processing module included in the coprocessor; the result-report processing module encapsulates the application-layer parsing result in a preset format and sends the encapsulated application-layer parsing result to the general-purpose processor.
In a second aspect, an embodiment of the present invention provides a deep packet inspection method, including:
a general-purpose processor sends an original data packet to a coprocessor; the general-purpose processor receives an application-layer parsing result of the original data packet sent by the coprocessor, where the application-layer parsing result is obtained by a processor core of the coprocessor invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet, and the application-layer parsing result represents the application-layer information of the original data packet; the general-purpose processor processes the original data packet at least according to the application-layer parsing result.
In a first possible implementation, the general-purpose processor processing the original data packet at least according to the application-layer parsing result includes: the general-purpose processor determines, according to the application-layer parsing result, whether the original data packet is an encrypted data packet, and if so, decrypts the original data packet.
In a second possible implementation, the general-purpose processor processing the original data packet at least according to the application-layer parsing result includes:
the general-purpose processor determines, according to the application-layer parsing result, the service type of the flow to which the original data packet belongs, and performs traffic statistics, billing or transmission acceleration on the flow according to the service type.
In a third possible implementation, the application-layer parsing result of the original data packet includes the application-layer protocol type of the original data packet and a URL matching result, where the application-layer protocol type of the original data packet is obtained by the processor core of the coprocessor invoking a protocol identification sub-coprocessor of the coprocessor to identify the original data packet, and the URL matching result is obtained by the processor core of the coprocessor, after determining that the application-layer protocol type of the original data packet is the Hypertext Transfer Protocol, invoking a Uniform Resource Locator (URL) matching engine of the coprocessor to perform URL matching on the original data packet; the general-purpose processor processing the original data packet at least according to the application-layer parsing result includes: the general-purpose processor determines, according to the application-layer parsing result and the URL matching result, whether the flow to which the original data packet belongs is used to access a restricted website, and if so, blocks the flow.
In a third aspect, an embodiment of the present invention provides a coprocessor, including a transceiver module, a sub-coprocessor and a processor core;
the transceiver module is configured to receive an original data packet sent by a general-purpose processor and send the original data packet to the processor core;
the processor core is configured to invoke the sub-coprocessor to perform application-layer parsing on the original data packet and obtain an application-layer parsing result of the original data packet, the application-layer parsing result representing the application-layer information of the original data packet, and to send the application-layer parsing result to the general-purpose processor, so that the general-purpose processor processes the original data packet at least according to the application-layer parsing result;
the sub-coprocessor is configured to perform application-layer parsing on the original data packet under the invocation of the processor core and obtain the application-layer information of the original data packet.
In a first possible implementation, the transceiver module includes:
a receiving unit, configured to receive the original data packet sent by the general-purpose processor;
a flow processing unit, configured to perform flow processing on the original data packet after the receiving unit receives the original data packet sent by the general-purpose processor;
a distribution unit, configured to send the flow-processed data packet to the processor core;
and the processor core is specifically configured to invoke the sub-coprocessor to perform application-layer parsing on the flow-processed data packet.
With reference to the first possible implementation of the third aspect, in a second possible implementation, the flow processing unit is specifically configured to perform IP fragment reassembly and TCP out-of-order packet reordering on the original data packet.
With reference to the first or second possible implementation of the third aspect, in a third possible implementation, the number of processor cores is at least two;
the distribution unit is specifically configured to determine the load condition of each of the at least two processor cores, select one processor core from the at least two processor cores according to the load condition of each processor core, and send the flow-processed data packet to the selected processor core. With reference to the third aspect or the first, second or third possible implementation of the third aspect, in a fourth possible implementation, the coprocessor further includes a switch bus module;
the processor core is specifically configured to invoke the sub-coprocessor through the switch bus module of the coprocessor to perform application-layer parsing on the original data packet.
With reference to the third aspect, in a fifth possible implementation, the sub-coprocessor is specifically configured to perform an endpoint lookup on the original data packet under the invocation of the processor core, obtain an endpoint lookup result and return the endpoint lookup result to the processor core; the processor core is specifically configured to determine the application-layer protocol type of the original data packet at least according to the endpoint lookup result, and send the determined application-layer protocol type to the general-purpose processor as the application-layer parsing result of the original data packet.
With reference to the third aspect, in a sixth possible implementation, the sub-coprocessor includes a protocol identification sub-coprocessor and a string matching engine; the protocol identification sub-coprocessor is specifically configured to invoke the string matching engine under the invocation of the processor core; under the invocation of the protocol identification sub-coprocessor, the string matching engine performs string matching on the original data packet, obtains a feature matching result and returns the feature matching result to the processor core; the processor core is specifically configured to determine the application-layer protocol type of the original data packet at least according to the feature matching result, and send the determined application-layer protocol type to the general-purpose processor as the application-layer parsing result of the original data packet.
With reference to the third aspect, in a seventh possible implementation, the sub-coprocessor is specifically a regular-expression matching engine; the regular-expression matching engine is configured to perform regular-expression matching on the original data packet under the invocation of the processor core, obtain a feature matching result and return the feature matching result to the processor core; the processor core is specifically configured to determine the application-layer protocol type of the original data packet at least according to the feature matching result, and send the determined application-layer protocol type to the general-purpose processor as the application-layer parsing result of the original data packet.
With reference to the sixth possible implementation of the third aspect, in an eighth possible implementation, the sub-coprocessor further includes a protocol parsing sub-coprocessor; the protocol parsing sub-coprocessor is configured to perform protocol parsing on the original data packet, obtain a parsing result and return the parsing result to the processor core; the processor core is further configured to send the parsing result to the general-purpose processor, so that the general-purpose processor processes the original data packet according to the application-layer protocol type and the parsing result.
With reference to the sixth possible implementation of the third aspect, in a ninth possible implementation, the string matching engine is specifically configured to, under the invocation of the protocol identification sub-coprocessor, read a string matching algorithm state table from a first memory, perform string matching on the original data packet according to the string matching algorithm state table, obtain a feature matching result and return the feature matching result to the processor core, where the first memory is configured to store the string matching algorithm state table.
With reference to the ninth possible implementation of the third aspect, in a tenth possible implementation, the processor core is specifically configured to read a rule-condition data structure from a second memory and determine the application-layer protocol type according to the feature matching result and the rule-condition data structure, where the second memory is configured to store the rule-condition data structure.
In a fourth aspect, an embodiment of the present invention provides a general-purpose processor, including:
a sending module, configured to send an original data packet to a coprocessor; a receiving module, configured to receive an application-layer parsing result of the original data packet sent by the coprocessor, where the application-layer parsing result is obtained by a processor core of the coprocessor invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet, and the application-layer parsing result represents the application-layer information of the original data packet; and a processing module, configured to process the original data packet at least according to the application-layer parsing result.
In a first possible implementation, the processing module is specifically configured to decrypt the original data packet if the original data packet is identified as an encrypted data packet according to the application-layer parsing result.
In a second possible implementation,
the application-layer parsing result of the original data packet includes the application-layer protocol type of the original data packet and a URL matching result, where the URL matching result is obtained by the processor core of the coprocessor, upon determining that the application-layer protocol type of the original data packet is the Hypertext Transfer Protocol, invoking a Uniform Resource Locator (URL) matching engine of the coprocessor to perform URL matching on the original data packet;
the processing module is specifically configured to determine, according to the application-layer protocol type of the original data packet and the URL matching result, whether the flow to which the original data packet belongs is used to access a restricted website, and if so, to block the flow.
In a fifth aspect, an embodiment of the present invention provides a deep packet inspection device, including the coprocessor provided by any embodiment of the present invention and the general-purpose processor provided by any embodiment of the present invention.
In a first possible implementation, the number of general-purpose processors is one.
In a second possible implementation, the number of general-purpose processors is at least two; the deep packet inspection device further includes a network card and a load balancing device; the network card is configured to receive data packets from the network and send the data packets to the load balancing device; the load balancing device is configured to obtain the load condition of each of the at least two general-purpose processors, select one general-purpose processor according to the load condition of each general-purpose processor, and send the data packet to the selected general-purpose processor.
It can be seen from the above technical solutions that the deep packet inspection method, device and coprocessor provided by the embodiments of the present invention implement DPI through the cooperation of a general-purpose processor and a coprocessor. The sub-coprocessors in the coprocessor can be designed specifically for DPI services, and the DPI function is offloaded from the general-purpose processor, which reduces the occupation of general-purpose processor resources so that the general-purpose processor can handle other value-added services. Moreover, a processor core is provided in the coprocessor and the sub-coprocessors run under the invocation of the processor core, so intermediate state information can be retained; the interaction between the processor core and the sub-coprocessors is intra-chip interaction, which avoids frequent interaction between the coprocessor and the general-purpose processor and can reduce processing latency.
Brief description of the drawings
FIG. 2 is a schematic diagram of a deep packet inspection architecture according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a deep packet inspection application scenario according to an embodiment of the present invention;
FIG. 4 is a flowchart of a first deep packet inspection method according to an embodiment of the present invention;
FIG. 5 is a flowchart of a second deep packet inspection method according to an embodiment of the present invention;
FIG. 6 is a flowchart of a deep packet inspection method according to an embodiment of the present invention;
FIG. 7 is a flowchart of another deep packet inspection method according to an embodiment of the present invention;
FIG. 8 is a flowchart of another deep packet inspection method according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a first coprocessor according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a second coprocessor according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a general-purpose processor according to an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a first deep packet inspection device according to an embodiment of the present invention;
FIG. 13 is a schematic structural diagram of a second deep packet inspection device according to an embodiment of the present invention;
FIG. 14 is a schematic structural diagram of a third deep packet inspection device according to an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
To help those skilled in the art better understand the technical solution of the present invention, the deep packet inspection (DPI) architecture of the embodiments is first introduced as a whole, as shown in FIG. 2:
The embodiments divide the functional modules of the DPI processing task into multiple levels (typically four). The higher the level, the more complex and general the service it processes; the lower the level, the simpler and more specialized the algorithm.
These levels are implemented by two chips: the general-purpose processor and the DPI coprocessor. To improve hardware acceleration performance, as many DPI-related tasks as possible may be handed to the DPI coprocessor, so that the general-purpose processor can perform more computation-intensive tasks, for which its performance is better optimized, and concentrate on the processing of value-added services. The DPI coprocessor is responsible for the logic of the DPI service control layer, the DPI sub-service logic layer and the algorithm engine layer. The DPI coprocessor internally contains multiple sub-coprocessors, each of which completes a specific DPI sub-service. According to the complexity of the DPI sub-service, sub-coprocessors can be divided into high-level sub-coprocessors (such as sub-coprocessor A in FIG. 2) and low-level sub-coprocessors (such as sub-coprocessors C and D in FIG. 2). A low-level sub-coprocessor may be an algorithm engine implemented in software or hardware that realizes one dedicated function with a specific algorithm, for example a string matching engine or a regular-expression matching engine; compared with low-level sub-coprocessors, high-level sub-coprocessors perform more general DPI sub-services such as protocol identification and parsing. For example, a high-level sub-coprocessor may be a logical or physical entity that integrates the functions of multiple sub-coprocessors and/or algorithm engines and implements higher-level, more general DPI sub-functions; a high-level sub-coprocessor can invoke lower-level modules to realize the functions it needs, and sub-coprocessors of the same level can also invoke each other to complete a function cooperatively.
Specifically, in one application scenario, as shown in FIG. 3, the tasks may be divided into the following levels. Level one: the computation-intensive layer. It is responsible for tasks that need a large amount of computation, including encryption/decryption, encoding/decoding and complex logic processing within the DPI service logic, as well as other non-DPI services such as value-added services, policy matching and packet action execution. In the embodiments of the present invention, tasks of this level are completed by the general-purpose processor.
Level two: the DPI service control layer. A core is placed in the DPI coprocessor to execute the DPI service control logic, including control of the execution order of the DPI engine steps, condition rule matching, cross-packet processing, saving of intermediate state and other DPI service-related control logic. In the embodiments of the present invention, tasks of this level are completed by the processor core in the DPI coprocessor.
Level three: the DPI sub-service logic layer. It is responsible for DPI-specific sub-services that can be solidified, for example the application-layer protocol identification, deep protocol parsing and packet behaviour feature analysis modules. In the embodiments of the present invention, tasks of this level are completed by the high-level sub-coprocessors in the DPI coprocessor, for example the protocol identification sub-coprocessor that identifies the application-layer protocol type of a packet and the protocol parsing sub-coprocessor that performs deep parsing of a protocol.
Level four: the algorithm engine layer. It is responsible for algorithm engine tasks specifically optimized for DPI, for example general regular-expression matching, floating-point computation, multi-pattern string matching, single-pattern string matching and behaviour parameter computation. Tasks of this level are completed by the low-level sub-coprocessors in the DPI coprocessor, such as the regular-expression matching engine, the floating-point computation engine and the string matching engine.
It should be noted in particular that inside the DPI coprocessor, i.e. from level two to level four, an internal bus or a switch bus module is needed to handle the message and data exchange between the modules of these levels. The interaction between level one and the other levels, i.e. between the general-purpose processor and the DPI coprocessor, is inter-chip interaction and has to use an existing standardized bus of the industry, typically the PCIE (Personal Computer Interface Express) bus. The type of bus used is determined by the external interface provided by the general-purpose processor.
More preferably, in addition to the layered design architecture, the embodiments of the present invention may further equip the DPI coprocessor with external memory to store DPI intermediate state and thereby achieve better extensibility and performance: when a task that requires its context to be saved is processed, it need not be handed to the general-purpose processor, so the DPI coprocessor can offload more of the general-purpose processor's resources. In addition, the external memory can also store the various feature-word data structures and algorithm-specific data structures needed during DPI processing, so the DPI coprocessor can read these data directly and quickly instead of reading them over the bus through the general-purpose processor, achieving higher processing performance.
For example, external memory A stores data structures dedicated to the soft core, including the flow table and rule conditions, so that the DPI coprocessor is aware of flow state rather than processing on a per-packet basis. External memory B stores the data structures of the matching engines and sub-coprocessors, such as DFA (Deterministic Finite Automaton) state tables, auxiliary data of single-pattern matching algorithms and the algorithm data structures of the sub-coprocessors. It should be noted that external memory A and external memory B are only a logical division; both may be located on the same physical memory.
Based on the DPI architecture described above, an embodiment of the present invention provides a deep packet inspection method. FIG. 4 is a flowchart of a first deep packet inspection method according to an embodiment of the present invention. As shown in FIG. 4, the deep packet inspection method of this embodiment may be applied to the deep packet inspection (DPI) process of a network device such as a router or a gateway. The network device may be provided with a deep packet inspection apparatus that includes a general-purpose processor and a coprocessor; the method of this embodiment is executed by the coprocessor.
The deep packet inspection method of this embodiment specifically includes:
Step A10: a transceiver module of the coprocessor receives an original data packet sent by the general-purpose processor and sends the original data packet to a processor core of the coprocessor;
Step A20: the processor core invokes at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet and obtain an application-layer parsing result of the original data packet, where the application-layer parsing result represents the application-layer information of the packet, such as the application-layer protocol type or the service to which the packet belongs, which are not listed one by one here;
Step A30: the processor core sends the application-layer parsing result of the original data packet to the general-purpose processor, so that the general-purpose processor processes the original data packet according to the application-layer parsing result.
Specifically, the network device needs to analyse the packets of the received flows in depth to implement network optimization and application traffic control. The network device sends the packets to the general-purpose processor through the network card, and the general-purpose processor hands the DPI-related tasks to the DPI coprocessor.
In the embodiments of the present invention, the coprocessor may be implemented by an FPGA (Field Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit). One or more processor cores are deployed in the coprocessor, and the coprocessor is further provided with a transceiver module and multiple sub-coprocessors. The sub-coprocessors are implemented in a hardware description language, which may be VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) or Verilog HDL. The sub-coprocessors may be used for application protocol identification, protocol parsing and so on of data packets, so as to improve service processing performance.
The general-purpose processor sends the original data packet to the transceiver module of the coprocessor, the transceiver module distributes the original data packet to a processor core in the coprocessor, the processor core of the coprocessor invokes sub-coprocessors to perform application-layer parsing on the original data packet and obtain a parsing result, the processor core returns the parsing result to the general-purpose processor, and the general-purpose processor processes the original data packet according to the parsing result, for example traffic statistics, acceleration, rate limiting, blocking and filtering. The general-purpose processor may build a flow table according to the parsing results; the flow table records multiple flow-table items and processing instructions, and the general-purpose processor matches received data packets against the flow-table items to determine the flow to which each packet belongs and process it accordingly.
In the deep packet inspection method of this embodiment, the general-purpose processor and the coprocessor cooperate to implement DPI. Through the finer-grained division of the coprocessor, the sub-coprocessors in the coprocessor can be designed specifically for DPI services, so the DPI function is offloaded from the general-purpose processor, which reduces the occupation of general-purpose processor resources and lets the general-purpose processor handle other value-added services. At the same time, a processor core is provided in the coprocessor for DPI service control and the sub-coprocessors run under the invocation of the processor core, which greatly improves the flexibility of service processing; moreover, the interaction between the processor core and the sub-coprocessors is intra-chip interaction, which avoids frequent interaction between the coprocessor and the general-purpose processor and can improve DPI performance.
FIG. 5 is a flowchart of a second deep packet inspection method according to an embodiment of the present invention. As shown in FIG. 5, the deep packet inspection method of this embodiment includes:
Step A101: a transceiver module of the coprocessor receives an original data packet sent by the general-purpose processor;
Step A102: flow processing is performed on the original data packet;
Specifically, performing flow processing on the original data packet may include performing IP fragment reassembly and TCP out-of-order packet reordering on the original data packet; further, performing flow processing on the original data packet may also include in-order delivery processing of the packets of a flow.
Step A103: the flow-processed data packet is sent to a processor core of the coprocessor;
In practice, the number of processor cores in the coprocessor may be set according to the needs of the DPI service, i.e. there may be one or more processor cores. When at least two processor cores are provided in the coprocessor, sending the original data packet to the processor core of the coprocessor specifically includes:
determining the load condition of each of the multiple processor cores of the coprocessor, selecting one processor core from the multiple processor cores according to a load balancing policy, and sending the original data packet to the selected processor core.
Specifically, the load condition of all processor cores may be monitored, and during packet distribution a processor core is selected according to the load condition of each core, so that the packet is handed to a processor core whose processing resources are relatively idle.
Step A104: the processor core invokes at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet and obtain the application-layer parsing result of the original data packet;
In this embodiment, the processor core may specifically invoke the at least one sub-coprocessor through a switch bus module of the coprocessor to perform application-layer parsing on the original data packet.
Specifically, the switch bus module may be a Switch-Arbiter switching module, and the communication between the processor core and each of the sub-coprocessors it includes is carried out through this switch bus module.
Step A105: the processor core sends the application-layer parsing result of the original data packet to the general-purpose processor, so that the general-purpose processor processes the original data packet according to the application-layer parsing result.
Specifically, in one embodiment the coprocessor may further be provided with a result-report processing module. The processor core may send the application-layer parsing result of the original data packet to the result-report processing module, which encapsulates the application-layer parsing result in a preset format and sends the encapsulated result to the general-purpose processor. The preset format may for example be a TLV (Type Length Value) structure; TLV is a general data description format carrying a type, a length and a value.
In this embodiment, external memory may be provided for use by the coprocessor. The memory may include a first memory and a second memory; the first memory and the second memory may be two physically independent memories, or they may be physically on the same memory and logically separated. The first memory is used to store the data structures needed by the sub-coprocessors, and the second memory is used to store the data used by the DPI service control layer, such as flow intermediate state data, endpoint table data, port feature tables and rule-condition tables.
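The flow processing of step A102 (IP fragment reassembly and TCP out-of-order reordering, before the packet reaches the processor core), shown as an added example that is not code from the patent; the fragment and segment records, the "first data wins" overlap policy and the constructed inputs are assumptions of this example.

```python
"""Step A102 flow processing, as done by the transceiver module's flow processing unit:
reassemble IP fragments into a datagram and deliver a TCP stream in sequence order.
Added example, not the patent's code; records and policies are simplified."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IpFragment:
    ident: int      # IP identification field shared by all fragments of one datagram
    offset: int     # fragment offset in bytes (the header field counts 8-byte units)
    more: bool      # MF flag: True on every fragment but the last
    payload: bytes


class IpReassembler:
    """Collects fragments per identification and returns the datagram once complete."""

    def __init__(self) -> None:
        self._parts: Dict[int, List[IpFragment]] = {}

    def add(self, frag: IpFragment) -> Optional[bytes]:
        parts = self._parts.setdefault(frag.ident, [])
        parts.append(frag)
        parts.sort(key=lambda f: f.offset)
        if parts[-1].more:            # last fragment (MF=0) not seen yet
            return None
        expected, out = 0, bytearray()
        for f in parts:
            if f.offset > expected:   # hole: keep waiting
                return None
            # Overlap policy (assumed): bytes already accepted are never overwritten.
            keep = f.payload[expected - f.offset:]
            out += keep
            expected += len(keep)
        del self._parts[frag.ident]
        return bytes(out)


class TcpReorderer:
    """Delivers one direction of a TCP stream in order; 32-bit sequence wrap is ignored."""

    def __init__(self, isn: int) -> None:
        self.next_seq = isn                      # next byte the inspection engine expects
        self._pending: Dict[int, bytes] = {}     # seq -> payload buffered out of order

    def _trim_pending(self) -> None:
        """Drop buffered data already delivered; trim segments straddling next_seq."""
        for s in sorted(self._pending):
            p = self._pending.pop(s)
            if s + len(p) <= self.next_seq:
                continue
            if s < self.next_seq:
                p, s = p[self.next_seq - s:], self.next_seq
            if len(p) > len(self._pending.get(s, b"")):
                self._pending[s] = p

    def push(self, seq: int, payload: bytes) -> bytes:
        """Accept a segment and return the contiguous bytes it unlocks (possibly none)."""
        if payload and seq + len(payload) > self.next_seq:
            if len(payload) > len(self._pending.get(seq, b"")):
                self._pending[seq] = payload     # keep the longest copy at this seq
        out = bytearray()
        self._trim_pending()
        while self.next_seq in self._pending:
            chunk = self._pending.pop(self.next_seq)
            out += chunk
            self.next_seq += len(chunk)
            self._trim_pending()
        return bytes(out)


def demo() -> bytes:
    """Constructed traffic: two fragments arriving reversed, then out-of-order TCP segments."""
    ip = IpReassembler()
    assert ip.add(IpFragment(7, 8, False, b"ex.html")) is None      # tail arrives first
    datagram = ip.add(IpFragment(7, 0, True, b"GET /ind"))
    tcp = TcpReorderer(isn=1000)
    stream = tcp.push(1006, b"wor")                 # ahead of the expected byte: buffered
    stream += tcp.push(1000, b"hello ")             # fills the gap, releases both
    stream += tcp.push(1003, b"lo worlds")          # partial retransmission with new tail
    return datagram + b"|" + stream
```
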
Rules are usually used to describe the features used to defend against network attack behaviour or the protocol features used for application protocol identification; the rule-condition table in the second memory records one or more rules. A rule usually contains a group of features that describe details of a data packet, such as the source/destination address, source/destination port, transport protocol type, particular strings contained in the packet payload, and whether the packet is fragmented. The sub-coprocessors analyse the packet to obtain a feature matching result; when determining the application-layer protocol type, the processor core maps the feature matching result onto the features of each rule, and if a packet satisfies a rule, the application-layer protocol type corresponding to that rule is the application-layer protocol type of the packet. Features can be described in several ways, for example as strings, regular expressions or behaviour features, and the feature matching result can be obtained in different ways for different features.
In this embodiment, according to the complexity of the DPI sub-service, the sub-coprocessors inside the coprocessor can be divided into high-level sub-coprocessors that perform general DPI sub-services (such as the protocol identification sub-coprocessor and the protocol parsing sub-coprocessor) and low-level sub-coprocessors that implement dedicated functions, such as algorithm engines implemented in software or hardware (string matching engine, regular-expression matching engine and so on). A high-level sub-coprocessor can invoke lower-level modules to implement the functions it needs, and sub-coprocessors of the same level can also invoke each other to complete a function cooperatively. Accordingly, the specific implementation of step A104 differs with the type of sub-coprocessor:
(1) If the processor core invokes a high-level sub-coprocessor, for example the protocol identification sub-coprocessor that identifies the application-layer protocol type of a packet, then in one possible implementation the protocol identification sub-coprocessor, under the invocation of the processor core, performs an endpoint lookup on the original data packet, obtains an endpoint lookup result and returns the endpoint lookup result to the processor core; the processor core determines the application-layer protocol type of the original data packet at least according to the endpoint lookup result and takes the obtained application-layer protocol type as the application-layer parsing result of the original data packet.
Specifically, a state machine is provided in the protocol identification sub-coprocessor. If some of the destination IP address, source IP address, destination port and source port of the flow to which a packet belongs successfully look up one or more records in the endpoint table, the application-layer protocol type of the packet can be obtained directly from the endpoint table without further steps. For example, one endpoint table record may be: destination IP address 103.224.1.9, destination port 443, application-layer protocol type gmail_webmail. If the packets of a flow are sent to port 443 of that destination IP address, the DPI processing result can be determined directly, indicating that the application-layer protocol type of the packets of this flow is gmail_webmail.
In another possible implementation, the protocol identification sub-coprocessor, under the invocation of the processor core, can invoke a lower-level sub-coprocessor such as the string matching engine to help it complete the corresponding function: under the invocation of the protocol identification sub-coprocessor, the string matching engine performs string matching on the original data packet, obtains a feature matching result and returns the feature matching result to the processor core; the processor core determines the application-layer protocol type of the original data packet at least according to the feature matching result and takes that application-layer protocol type as the application-layer parsing result of the original data packet.
Specifically, the string matching engine may be a single-pattern string matching engine or a multi-pattern string matching engine. A single-pattern string matching engine may use a single-pattern string matching algorithm, which may be the BM (Boyer-Moore) algorithm. A multi-pattern string matching engine may use a multi-pattern string matching algorithm, which may be the AC (Aho-Corasick) algorithm, the Wu-Manber algorithm or the ExB algorithm. In multi-pattern string matching, one scan of the target string finds one or more string features.
When multi-pattern string matching needs to be performed on a packet, the protocol identification sub-coprocessor invokes the multi-pattern string matching engine; the multi-pattern string matching engine scans the packet, finds one or more string features in it, obtains the feature matching result and returns the feature matching result to the processor core, which then determines the application-layer protocol type of the original data packet according to the feature matching result.
In this embodiment, the string matching engine performing string matching on the flow-processed data packet under the invocation of the protocol identification sub-coprocessor includes:
under the invocation of the protocol identification sub-coprocessor, the string matching engine reads a string matching algorithm state table from the first memory and performs string matching on the original data packet according to the string matching algorithm state table.
Specifically, the first memory stores the string matching algorithm state table. When the string matching engine is a multi-pattern string matching engine, the state table is a multi-pattern string matching algorithm state table; when it is a single-pattern string matching engine, the state table is a single-pattern string matching algorithm state table. For example, when the multi-pattern string matching algorithm is the AC algorithm, the multi-pattern string matching algorithm state table is the AC state table, and the multi-pattern string matching engine can perform multi-pattern string matching on the packet according to this state table. The string matching engine does not read or write the first memory directly: a cache is provided in the coprocessor, and data exchange between the cache and the first memory can be carried out by DMA (Direct Memory Access). With the cache, the number of accesses to external memory is greatly reduced, most memory access requests can be served from the cache, and system performance is substantially improved.
(2) If the processor core invokes a low-level sub-coprocessor, for example the regular-expression matching engine dedicated to regular-expression matching, then under the invocation of the processor core the regular-expression matching engine performs regular-expression matching on the original data packet, obtains a feature matching result and returns the feature matching result to the processor core; the processor core determines the application-layer protocol type of the original data packet at least according to the feature matching result and takes the obtained application-layer protocol type as the application-layer parsing result of the original data packet.
Specifically, the regular-expression matching engine may use a regular-expression matching algorithm, which may be an NFA (Nondeterministic Finite Automaton) algorithm or a DFA (Deterministic Finite Automaton) algorithm. In regular-expression matching, features are described by regular expressions rather than by strings.
When regular-expression matching needs to be performed on a packet, the processor core can invoke the regular-expression matching engine directly; the regular-expression matching engine searches the packet, obtains the feature matching result and returns the feature matching result to the processor core, which then determines the application-layer protocol type of the original data packet according to the feature matching result.
In this embodiment, the regular-expression matching engine performing regular-expression matching on the original data packet under the invocation of the processor core includes:
under the invocation of the processor core, the regular-expression matching engine reads a regular-expression matching algorithm state table from the first memory and performs regular-expression matching on the original data packet according to the regular-expression matching algorithm state table.
Specifically, the first memory stores the regular-expression matching algorithm state table. For example, when the regular-expression matching algorithm is the DFA algorithm, the regular-expression matching algorithm state table is the DFA state table, and the regular-expression matching engine can perform regular-expression matching on the packet according to this state table.
In another embodiment of the present invention, the processor core can also obtain the application-layer protocol type of the original data packet by invoking a behaviour feature statistics sub-coprocessor. Specifically, under the invocation of the processor core, the behaviour feature statistics sub-coprocessor performs behaviour feature matching on the original data packet, obtains a feature matching result and returns the feature matching result to the processor core, and the processor core determines the application-layer protocol type according to the feature matching result.
Specifically, behaviour feature models can be built in advance for different application protocols. When behaviour feature matching needs to be performed on a packet, the behaviour feature statistics sub-coprocessor matches the behaviour features in the packet, obtains the feature matching result and returns the feature matching result to the processor core, which then determines the application-layer protocol type of the original data packet according to the feature matching result. In this embodiment, the processor core determining the application-layer protocol type of the original data packet according to the feature matching result includes:
the processor core reads the rule-condition table from the second memory through the cache and determines the application-layer protocol type of the original data packet according to the feature matching result and the rule-condition table.
Specifically, the second memory stores the rule-condition table, which records the correspondence between rules and application-layer protocol types. The processor core maps the feature matching result onto the features of a rule to judge whether the feature matching result satisfies the rule; if it does, the application-layer protocol type of the packet can be determined. The processor core does not read or write the second memory directly: a cache is provided in the coprocessor, and data exchange between the cache and the second memory can be carried out by DMA.
In another embodiment, the coprocessor is further provided with a protocol parsing sub-coprocessor, in which a state machine may be provided. After the application protocol of a packet has been identified and the application-layer protocol type carried by the packet is known, if further information is needed to assist value-added service processing or rule matching, the packet can be parsed in depth according to the application protocol format to extract the relevant information and obtain a parsing result.
Specifically, the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet and obtain the application-layer parsing result of the original data packet specifically includes: the processor core invokes the protocol identification sub-coprocessor included in the coprocessor to identify the application-layer protocol of the original data packet and obtain the application-layer protocol type of the original data packet;
the processor core invokes the protocol parsing sub-coprocessor included in the coprocessor to perform protocol parsing on the original data packet and obtain a parsing result, and takes the parsing result and the application-layer protocol type as the application-layer parsing result of the original data packet.
In this embodiment, a URL matching engine may also be provided in the coprocessor. After the processor core invokes the protocol identification sub-coprocessor of the coprocessor to identify the application protocol of the original data packet, if the processor core determines that the application-layer protocol type is the Hypertext Transfer Protocol, it invokes the Uniform Resource Locator (URL) matching engine of the coprocessor; under the invocation of the processor core, the URL matching engine performs URL matching on the original data packet, obtains a URL matching result and returns the URL matching result to the processor core, and the processing result then also includes the URL matching result.
For example, if the processor core identifies that the application-layer protocol type of the flow to which a packet belongs is the Hypertext Transfer Protocol (HTTP), it can invoke the URL matching engine to analyse the packet further. The URL matching engine can extract the value of the packet's URL to obtain the URL matching result. The coprocessor sends the URL matching result to the general-purpose processor as a processing result, and the general-purpose processor can perform URL-related network management according to the URL matching result.
In practice, the general-purpose processor and the coprocessor of the deep packet inspection apparatus cooperate to implement DPI services, and the functional modules in the coprocessor can be set according to the actual needs of the DPI service. The above embodiments give several forms of functional module, but the present invention is not limited to them; the processing flow can also differ for different DPI services. Feature matching can also be performed by the processor core of the coprocessor itself to obtain a feature matching result, from which the processor core then determines the application-layer protocol type. For example, one feature of the HTTP protocol may be that the TCP port is 80; since matching this port does not need much computing resource, it can be done by the processor core of the coprocessor.
In the deep packet inspection method of this embodiment, the general-purpose processor and the coprocessor cooperate to implement DPI. Through the finer-grained division of the coprocessor, the sub-coprocessors in the coprocessor can be designed specifically for DPI services, so the DPI function is offloaded from the general-purpose processor, which reduces the occupation of general-purpose processor resources and lets the general-purpose processor handle other value-added services. At the same time, a processor core is provided in the coprocessor for DPI service control and the sub-coprocessors run under the invocation of the processor core, which greatly improves the flexibility of service processing. The DPI coprocessor is equipped with external memory to store DPI intermediate state and thus achieve better extensibility and performance, because a task that requires its context to be saved need not be handed to the general-purpose processor, so the DPI coprocessor can offload more of the general-purpose processor's resources. In addition, the external memory stores the various feature-word data structures and algorithm-specific data structures needed during DPI processing, so the DPI coprocessor can read these data directly and quickly instead of reading them over the bus through the general-purpose processor, which can further improve processing performance.
The specific process of deep packet inspection based on the DPI architecture of the embodiments is now explained with a concrete example. FIG. 6 is a flowchart of a deep packet inspection method according to an embodiment of the present invention; the method of this embodiment is described below with reference to FIG. 6.
Step 1a: the general-purpose processor sends a data packet to the transceiver module of the coprocessor;
Step 2a: the transceiver module sends the data packet to the processor core;
Step 3a: the processor core invokes the protocol identification sub-coprocessor and sends the data packet to it through the switch bus module; the protocol identification sub-coprocessor performs an endpoint lookup on the data packet;
Step 4a: the protocol identification sub-coprocessor judges whether the lookup succeeded; if yes, step 5a is executed, otherwise step 6a;
Step 5a: the protocol identification sub-coprocessor sends the obtained endpoint lookup result to the processor core through the switch bus module, and step 15a is executed;
Step 6a: the protocol identification sub-coprocessor feeds back a lookup-failure result to the processor core through the switch bus module;
Step 7a: the protocol identification sub-coprocessor invokes the multi-pattern string matching engine and sends the data packet to it through the switch bus module; the multi-pattern string matching engine performs multi-pattern string matching on the data packet;
Step 8a: the multi-pattern string matching engine judges whether the match succeeded; if yes, step 9a is executed, otherwise step 10a;
Step 9a: the multi-pattern string matching engine sends the obtained feature matching result to the processor core through the switch bus module, and step 15a is executed;
Step 10a: the multi-pattern string matching engine feeds back a match-failure result to the processor core through the switch bus module;
Step 11a: the processor core invokes the regular-expression matching engine and sends the data packet to it through the switch bus module; the regular-expression matching engine performs regular-expression matching on the data packet;
Step 12a: the regular-expression matching engine judges whether the match succeeded; if yes, step 13a is executed, otherwise step 14a;
Step 13a: the regular-expression matching engine sends the obtained feature matching result to the processor core through the switch bus module, and step 15a is executed;
Step 14a: the regular-expression matching engine feeds back a match-failure result to the processor core through the switch bus module; the processor core sends the match-failure result to the result-report processing module as the processing result, and step 20a is executed;
Step 15a: the processor core determines the application-layer protocol type according to the feature matching result;
Step 16a: the processor core judges whether deep parsing of the data packet is needed; if yes, step 17a is executed, otherwise step 19a;
Step 17a: the processor core invokes the protocol parsing sub-coprocessor and sends the data packet to it through the switch bus module; the protocol parsing sub-coprocessor performs protocol parsing on the data packet, obtains a parsing result and sends the parsing result to the processor core through the switch bus module;
Step 18a: the processor core sends the application-layer protocol type and the parsing result to the result-report processing module as the processing result, and step 20a is executed;
Step 19a: the processor core sends the application-layer protocol type to the result-report processing module as the processing result;
Step 20a: the result-report processing module encapsulates the processing result and sends it to the general-purpose processor.
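The identification chain of FIG. 6 (endpoint lookup, then the multi-pattern string engine driven by an AC state table, then the regular-expression engine, with the rule-condition table mapping feature hits to a protocol type and the result-report module packing the result as TLV), as an added example rather than the patent's code. The endpoint record is the one quoted in the text; the feature patterns, rule sets and TLV type codes are constructed for this example.

```python
"""Processor-core control logic for steps 3a-15a and 20a of FIG. 6.
Added example, not the patent's code; all tables below are constructed."""
import re
import struct
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Endpoint table (second memory): (dst_ip, dst_port) -> protocol; record from the text.
ENDPOINT_TABLE: Dict[Tuple[str, int], str] = {("103.224.1.9", 443): "gmail_webmail"}
# String features compiled into the multi-pattern state table (first memory).
STRING_FEATURES: Dict[bytes, str] = {
    b"GET ": "http_method", b"POST ": "http_method",
    b"HTTP/1.": "http_version", b"SSH-": "ssh_banner",
}
# Regular-expression features, consulted only after the string engine reports no match.
REGEX_FEATURES = [(re.compile(rb"^\x13BitTorrent protocol"), "bt_handshake")]
# Rule-condition table (second memory): the feature set a packet must exhibit -> protocol.
RULES: List[Tuple[Set[str], str]] = [
    ({"http_method", "http_version"}, "HTTP"),
    ({"ssh_banner"}, "SSH"),
    ({"bt_handshake"}, "BitTorrent"),
]


class AhoCorasick:
    """Multi-pattern string engine: one pass over the payload reports every pattern."""

    def __init__(self, patterns) -> None:
        self.goto: List[Dict[int, int]] = [{}]   # state -> next byte -> state
        self.fail: List[int] = [0]
        self.out: List[List[bytes]] = [[]]
        for pat in patterns:                     # build the trie
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(pat)
        queue = deque(self.goto[0].values())    # failure links, breadth first
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data: bytes) -> List[bytes]:
        s, hits = 0, []
        for b in data:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits.extend(self.out[s])
        return hits


class ProcessorCore:
    """Invokes the sub-coprocessors in the order of FIG. 6 and applies the rule table."""

    def __init__(self) -> None:
        self.string_engine = AhoCorasick(STRING_FEATURES)

    @staticmethod
    def _apply_rules(features: Set[str]) -> Optional[str]:
        for required, proto in RULES:
            if required <= features:
                return proto
        return None

    def identify(self, dst_ip: str, dst_port: int, payload: bytes) -> Tuple[str, str]:
        """Return (protocol type, stage that decided it); 'unknown' when every stage fails."""
        proto = ENDPOINT_TABLE.get((dst_ip, dst_port))                        # steps 3a-5a
        if proto:
            return proto, "endpoint"
        hits = {STRING_FEATURES[p] for p in self.string_engine.search(payload)}  # 7a-9a
        proto = self._apply_rules(hits)
        if proto:
            return proto, "string"
        hits = {fid for rx, fid in REGEX_FEATURES if rx.search(payload)}       # 11a-13a
        proto = self._apply_rules(hits)
        if proto:
            return proto, "regex"
        return "unknown", "none"                                               # step 14a


TLV_PROTOCOL, TLV_STAGE = 0x01, 0x02   # constructed type codes; the patent fixes none


def encapsulate(proto: str, stage: str) -> bytes:
    """Result-report module (step 20a): Type(1 byte)-Length(2 bytes)-Value records."""
    out = bytearray()
    for t, v in ((TLV_PROTOCOL, proto.encode()), (TLV_STAGE, stage.encode())):
        out += struct.pack("!BH", t, len(v)) + v
    return bytes(out)


def decode_tlv(buf: bytes) -> Dict[int, bytes]:
    """General-purpose processor side; a truncated trailing record is discarded."""
    fields, i = {}, 0
    while i + 3 <= len(buf):
        t, n = struct.unpack("!BH", buf[i:i + 3])
        if i + 3 + n > len(buf):
            break
        fields[t] = buf[i + 3:i + 3 + n]
        i += 3 + n
    return fields
```
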
The specific process of deep packet inspection based on the DPI architecture of the embodiments is now explained with another concrete example. FIG. 7 is a flowchart of another deep packet inspection method according to an embodiment of the present invention; the method of this embodiment is described below with reference to FIG. 7.
Step 1b: the general-purpose processor sends a data packet to the transceiver module of the coprocessor;
Step 2b: the transceiver module sends the data packet to the processor core;
Step 3b: the processor core invokes the multi-pattern string matching engine and sends the data packet to it through the switch bus module; the multi-pattern string matching engine performs multi-pattern string matching on the data packet;
Step 4b: the multi-pattern string matching engine judges whether the match succeeded; if yes, step 5b is executed, otherwise step 6b;
Step 5b: the multi-pattern string matching engine sends the obtained feature matching result to the processor core through the switch bus module, and step 15b is executed;
Step 6b: the multi-pattern string matching engine feeds back a match-failure result to the processor core through the switch bus module;
Step 7b: the processor core invokes the regular-expression matching engine and sends the data packet to it through the switch bus module; the regular-expression matching engine performs regular-expression matching on the data packet;
Step 8b: the regular-expression matching engine judges whether the match succeeded; if yes, step 9b is executed, otherwise step 10b;
Step 9b: the regular-expression matching engine sends the obtained feature matching result to the processor core through the switch bus module, and step 15b is executed;
Step 10b: the regular-expression matching engine feeds back a match-failure result to the processor core through the switch bus module;
Step 11b: the processor core invokes the behaviour feature statistics sub-coprocessor and sends the data packet to it through the switch bus module; the behaviour feature statistics sub-coprocessor performs behaviour feature matching on the data packet;
Step 12b: the behaviour feature statistics sub-coprocessor judges whether the match succeeded; if yes, step 13b is executed, otherwise step 14b;
Step 13b: the behaviour feature statistics sub-coprocessor sends the obtained feature matching result to the processor core through the switch bus module, and step 15b is executed;
Step 14b: the behaviour feature statistics sub-coprocessor feeds back a match-failure result to the processor core through the switch bus module; the processor core sends the match-failure result to the result-report processing module as the processing result, and step 20b is executed;
Step 15b: the processor core determines the application-layer protocol type according to the feature matching result;
Step 16b: if the application-layer protocol type is HTTP, the processor core judges whether the value of the packet's URL needs to be obtained; if yes, step 17b is executed, otherwise step 19b;
Step 17b: the processor core invokes the URL matching engine and sends the data packet to it through the switch bus module; the URL matching engine extracts the value of the packet's URL, obtains a URL matching result and sends the URL matching result to the processor core through the switch bus module;
Step 18b: the processor core sends the application-layer protocol type and the URL matching result to the result-report processing module as the processing result;
Step 19b: the processor core sends the application-layer protocol type to the result-report processing module as the processing result;
Step 20b: the result-report processing module encapsulates the processing result and sends it to the general-purpose processor.
FIG. 8 is a flowchart of another deep packet inspection method according to an embodiment of the present invention. As shown in FIG. 8, the deep packet inspection method of this embodiment can be implemented in cooperation with the method of the embodiment shown in FIG. 4; the specific implementation process is not described again here. The method of this embodiment is executed by the general-purpose processor and specifically includes:
Step B10: the general-purpose processor sends an original data packet to the coprocessor;
Step B20: the general-purpose processor receives the application-layer parsing result of the original data packet sent by the coprocessor, where the application-layer parsing result is obtained by the processor core of the coprocessor invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet; the application-layer parsing result represents the application-layer information of the original data packet, such as the application-layer protocol type or the service to which the original data packet belongs, which is not repeated here;
Step B30: the general-purpose processor processes the original data packet at least according to the above application-layer parsing result.
Specifically, when the network device needs to analyse the packets of the received flows in depth to implement services such as network optimization and application traffic control, the network card of the network device sends the flow to the general-purpose processor. The general-purpose processor sends the original data packet to the coprocessor; the coprocessor performs application-layer parsing on the original data packet to obtain the application-layer parsing result, which may include the application-layer protocol type, the deep protocol parsing result and the URL matching result. The application-layer parsing result is returned to the general-purpose processor, which processes the original data packet according to the application-layer parsing result, for example traffic statistics, acceleration, rate limiting, blocking and filtering.
In the deep packet inspection method of this embodiment, the general-purpose processor sends the original data packet to the coprocessor, receives the processing result sent by the coprocessor, and processes the original data packet according to the processing result. The general-purpose processor and the coprocessor cooperate to implement DPI; the sub-coprocessors in the coprocessor can be designed specifically for DPI services, and the DPI function is offloaded from the general-purpose processor, which reduces the occupation of general-purpose processor resources so that the general-purpose processor can handle other value-added services. Moreover, a processor core is provided in the coprocessor and the sub-coprocessors run under the invocation of the processor core; the interaction between the processor core and the sub-coprocessors is intra-chip interaction, which avoids frequent interaction between the coprocessor and the general-purpose processor and can increase the running speed.
In one embodiment, the general-purpose processor processing the original data packet according to the application-layer parsing result specifically includes:
if the general-purpose processor determines, according to the application-layer parsing result of the original data packet, that the original data packet is an encrypted data packet, it decrypts the original data packet.
Specifically, the general-purpose processor sends the original data packet to the coprocessor; when the coprocessor identifies that the original data packet is encrypted, it returns to the general-purpose processor a processing result indicating that the original data packet is an encrypted data packet; the general-purpose processor can then decrypt the original data packet and send the decrypted original data packet to the coprocessor, whose processing of the original data packet may refer to the description of the above embodiments.
In practice, operations such as decryption are relatively complex to implement, and tasks the coprocessor cannot perform can be handed to the general-purpose processor. Of course, if a decryption module is provided in the coprocessor, the coprocessor can decrypt the original data packet itself.
In another embodiment, the general-purpose processor processing the original data packet according to the application-layer parsing result may include:
the general-purpose processor determines, according to the application-layer parsing result of the original data packet, the service type of the flow to which the original data packet belongs, and performs traffic statistics, billing or transmission acceleration on the flow according to the service type.
Specifically, an operator may wish to bill VoIP (Voice over Internet Protocol) traffic: when the general-purpose processor determines from the application-layer parsing result of the original data packet that the flow containing the original data packet is a VoIP call using the Skype protocol, it can perform traffic statistics on the flow to bill the VoIP call service.
When a user wishes to accelerate the traffic of certain applications, for example online games, and the general-purpose processor determines from the application-layer parsing result that the flow to which the original data packet belongs is used for an online game service, the flow is accelerated to guarantee its transmission speed.
When a user wishes to block certain applications, and the general-purpose processor determines from the application-layer parsing result that the flow to which the original data packet belongs is used by a particular application program, the flow can be blocked.
Preferably, in another embodiment, the application-layer parsing result of the original data packet includes the application-layer protocol type of the original data packet and a URL matching result. The application-layer protocol type of the original data packet may be obtained by the processor core of the coprocessor invoking the protocol identification sub-coprocessor of the coprocessor to identify the original data packet; further, after determining that the application-layer protocol type of the original data packet is the Hypertext Transfer Protocol (HTTP), the processor core of the coprocessor can also invoke the Uniform Resource Locator (URL) matching engine of the coprocessor to perform URL matching on the original data packet, obtain the URL matching result and send it to the general-purpose processor. Accordingly, after receiving the URL matching result sent by the coprocessor, the general-purpose processor determines, according to the application-layer protocol type and the URL matching result, whether the flow to which the original data packet belongs is used to access a restricted website, and if so, blocks the flow.
Specifically, a user may wish to enable a safe-browsing service that prevents minors from visiting unhealthy websites: when the general-purpose processor finds that the application-layer protocol type in the processing result is HTTP and determines from the URL matching result that the website the URL points to is access-restricted, it blocks the flow, preventing minors from visiting the unhealthy website.
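The flow-table handling on the general-purpose processor described in steps B10 to B30 and the embodiments above (decrypt an encrypted packet and resubmit it, account or accelerate by service type, block a flow that accesses a restricted website), as an added example that is not the patent's code; the restricted-host list, the service names, the direction-normalized flow key and the packets are assumptions of this example.

```python
"""General-purpose processor side: turn the coprocessor's parse result into a
flow-table item with a processing instruction, then apply it to later packets of
the same flow. Added example, not the patent's code; all values are constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlsplit

FlowKey = Tuple[str, int, str, int, str]     # ip_a, port_a, ip_b, port_b, transport

RESTRICTED_HOSTS = {"unhealthy.example"}     # constructed "restricted website" list
ACCELERATED_SERVICES = {"online_game"}
BILLED_SERVICES = {"skype_voip"}


def flow_key(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
             transport: str = "tcp") -> FlowKey:
    """Both directions of one connection map to the same flow-table item."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo[0], lo[1], hi[0], hi[1], transport)


@dataclass
class FlowEntry:
    action: str          # processing instruction recorded with the flow-table item
    protocol: str
    bytes_seen: int = 0  # traffic statistics, e.g. for billing


class FlowTable:
    def __init__(self) -> None:
        self.entries: Dict[FlowKey, FlowEntry] = {}

    def learn(self, key: FlowKey, result: Dict[str, str]) -> FlowEntry:
        """Derive the instruction from the application-layer parsing result (step B30)."""
        proto = result.get("protocol", "unknown")
        host = urlsplit(result.get("url", "")).hostname if proto == "HTTP" else None
        if result.get("encrypted") == "yes":
            action = "decrypt"        # decrypt, then resubmit the packet to the coprocessor
        elif proto == "HTTP" and host in RESTRICTED_HOSTS:
            action = "block"
        elif proto in ACCELERATED_SERVICES:
            action = "accelerate"
        elif proto in BILLED_SERVICES:
            action = "account"
        else:
            action = "forward"
        entry = FlowEntry(action, proto)
        self.entries[key] = entry
        return entry

    def handle(self, key: FlowKey, payload_len: int) -> str:
        """Match a later packet against the flow table; unknown flows still need DPI."""
        entry = self.entries.get(key)
        if entry is None:
            return "send_to_coprocessor"
        entry.bytes_seen += payload_len
        return entry.action
```
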
Figure 9 is a schematic structural diagram of a coprocessor provided by an embodiment of the present invention. As shown in Figure 9, the coprocessor 91 provided by this embodiment can carry out each step of the deep packet identification method applied to a coprocessor provided by any embodiment of the present invention; the specific process is not repeated here. The coprocessor 91 provided by this embodiment specifically includes a transceiver module 11, a processor core 12 and a sub-coprocessor 13. The transceiver module 11 is configured to receive the original data packet sent by the general processor and send the original data packet to the processor core 12;
the processor core 12 is configured to invoke the sub-coprocessor 13 of the coprocessor 91 to perform application protocol identification on the original data packet, generate a processing result, and send the processing result to the general processor;
the sub-coprocessor 13 is configured to perform application protocol identification on the original data packet under the invocation of the processor core 12.
The coprocessor 91 can be implemented by an FPGA or an ASIC. One or more processor cores 12 are deployed in the coprocessor 91, which also contains the transceiver module 11 and the sub-coprocessor 13. The sub-coprocessor 13 is implemented in a hardware description language, which may be VHDL or Verilog HDL. Because the sub-coprocessor 13 is dedicated to application protocol identification of data packets, it can improve the processing effect of the service.
In this embodiment, the coprocessor 91 may further include a switching bus module 14. Correspondingly, the processor core 12 may invoke the sub-coprocessor 13 through the switching bus module 14 of the coprocessor 91.
Further, the functional modules of the coprocessor 91 may be provided with a first memory 15 and a second memory 16. The first memory holds the data structures dedicated to the soft core, including the flow table and rule conditions, so that the DPI coprocessor is aware of flow state rather than processing on a per-packet basis. The second memory holds the data structures of the matching engines and sub-coprocessors, such as DFA state tables, auxiliary data for the single-pattern matching algorithm and the algorithm data structures of the sub-coprocessors. Note that the first memory and the second memory are only a logical division; both may reside on the same physical memory.
In the coprocessor 91 provided by this embodiment, the transceiver module 11 receives the original data packet sent by the general processor and sends it to the processor core 12 of the coprocessor 91; the processor core 12 invokes the sub-coprocessor 13 of the coprocessor 91 to perform application protocol identification on the original data packet and generate a processing result, and sends the processing result to the general processor so that the general processor processes the original data packet according to it. The general processor and the coprocessor 91 cooperate to implement DPI; the sub-coprocessor 13 in the coprocessor 91 can be designed specifically for the DPI service, so the DPI function is offloaded from the general processor, reducing its resource usage and freeing it to handle other value-added services. Moreover, the coprocessor 91 is provided with the processor core 12, the sub-coprocessor 13 runs under the invocation of the processor core 12 and can retain intermediate state information, and the interaction between the processor core 12 and the sub-coprocessor 13 is entirely on-chip, which avoids frequent interaction between the coprocessor 91 and the general processor and improves running speed.
Figure 10 is a schematic structural diagram of another coprocessor 10 provided by an embodiment of the present invention. As shown in Figure 10, in this embodiment the transceiver module 11 may include a receiving unit 111, a stream processing unit 112 and a distribution unit 113. The receiving unit 111 is configured to receive the original data packet sent by the general processor; the stream processing unit 112 is configured to perform stream processing on the original data packet; the distribution unit 113 is configured to send the stream-processed data packet to the processor core 12. Specifically, the stream processing unit 112 performs IP fragment reassembly and TCP out-of-order packet reordering on the original data packet. When the coprocessor 10 contains multiple processor cores, the distribution unit 113 is specifically configured to determine the load of each of the at least two processor cores, select one processor core from them according to the load of each, and send the stream-processed data packet to the selected processor core; correspondingly, the selected processor core invokes the sub-coprocessor 13 to perform application-layer parsing, such as application-layer protocol identification, on the stream-processed data packet.
In this embodiment, the coprocessor 10 may further include a switching bus module 14. Correspondingly, the processor core 12 invokes the sub-coprocessor 13 through the switching bus module 14 of the coprocessor 10.
In one embodiment, the sub-coprocessor 13 may be an endpoint lookup sub-coprocessor. In this case the sub-coprocessor 13 performs endpoint lookup on the original data packet under the invocation of the processor core 12, obtains an endpoint lookup result and returns it to the processor core 12. The processor core 12 determines the application-layer protocol type of the original data packet according to that endpoint lookup result and sends the determined application-layer protocol type to the general processor as the application-layer parse result of the original data packet.
In another embodiment, as shown in Figure 10, the sub-coprocessor 13 includes a protocol identification sub-coprocessor 131 and a string matching engine 132. The protocol identification sub-coprocessor 131 is configured to invoke the string matching engine 132 once the processor core has invoked the sub-coprocessor 13; the string matching engine 132 performs string matching on the original data packet under the invocation of the protocol identification sub-coprocessor 131, obtains a feature match result and returns it to the processor core.
Correspondingly, the processor core 12 determines the application-layer protocol type of the original data packet at least according to that feature match result and sends the determined application-layer protocol type to the general processor as the application-layer parse result of the original data packet.
In another embodiment, the sub-coprocessor 13 may also be a regular expression matching engine. The regular expression matching engine performs regular expression matching on the original data packet under the invocation of the processor core 12, obtains a feature match result and returns it to the processor core 12. The processor core 12 determines the application-layer protocol type of the original data packet according to that feature match result and sends it to the general processor as the application-layer parse result of the original data packet.
Preferably, the sub-coprocessor 13 may further include a behaviour feature statistics sub-coprocessor 133, which performs behaviour feature matching on the original data packet under the invocation of the processor core 12, obtains a feature match result and returns it to the processor core 12. The processor core 12 determines the application-layer protocol type of the original data packet according to that feature match result and sends it to the general processor as the application-layer parse result of the original data packet.
Preferably, in this embodiment the coprocessor 10 may further include a protocol parsing sub-coprocessor 15, which performs protocol parsing on the original data packet under the invocation of the processor core 12, obtains a parse result and returns it to the processor core 12. Correspondingly, the processor core 12 sends the application-layer protocol type of the original data packet together with the parse result obtained by the protocol parsing sub-coprocessor 15 to the general processor as the application-layer parse result of the original data packet.
Preferably, in this embodiment the coprocessor 10 may further include a Uniform Resource Locator (URL) matching engine 16, which performs URL matching on the original data packet under the invocation of the processor core 12, obtains a URL match result and returns it to the processor core 12. Correspondingly, the processor core 12 sends the application-layer protocol type of the original data packet together with the URL match result to the general processor as the application-layer parse result of the original data packet.
Preferably, in this embodiment the coprocessor 10 further includes a result reporting module 17. The processor core 12 sends the application-layer parse result of the original data packet to the result reporting module 17, which encapsulates the application-layer parse result in a preset format and sends the encapsulated result to the general processor.
In practice, the general processor and the coprocessor 91 of the DPI device cooperate to implement the DPI service. The functional modules in the coprocessor 91 can be chosen according to the actual DPI service requirements, and the logic of the processor core 12 can likewise be programmed according to those requirements. The embodiments above provide several implementation forms of the functional modules, but the present invention is not limited to them.
The DPI device can be divided into multiple layers, for example, from top to bottom, four layers: the computation-intensive layer, the DPI service control layer, the DPI sub-service logic layer and the algorithm engine layer. The higher the layer, the more complex and general the services it processes; the lower the layer, the simpler and more specialized its algorithms. To improve hardware acceleration performance, as many DPI-related tasks as possible should be handed to the coprocessor, so that the general processor can complete more computation-intensive tasks. The coprocessor is responsible for the logic of the DPI service control layer, the DPI sub-service logic layer and the algorithm engine layer.
In principle, higher-layer modules invoke lower-layer modules to implement the required functions. Of course, modules in the same layer may also invoke each other to complete a function cooperatively. Each layer is described in detail below.
Layer one: the computation-intensive layer. Responsible for tasks that require heavy computation, including complex logic in the DPI service such as encryption, decryption, encoding and decoding, as well as other non-DPI services such as value-added services, policy matching and packet action execution.
Layer two: the DPI service control layer. A processor core placed in the coprocessor executes the DPI service control logic, including control of the execution order of the DPI engine's steps, condition rule matching, cross-packet processing, saving of intermediate state, and other DPI-related control logic.
Layer three: the DPI sub-service logic layer. Responsible for specific DPI sub-services that can be fixed in hardware, for example the protocol identification sub-coprocessor, the protocol parsing sub-coprocessor and the behaviour feature statistics sub-coprocessor.
Layer four: the algorithm engine layer. Responsible for algorithm engine tasks specifically optimized for DPI, for example the regular expression matching engine, the floating-point expression engine, the multi-pattern string matching algorithm engine, the single-pattern string matching algorithm engine and the behaviour parameter computation engine.
It should be noted in particular that inside the coprocessor, i.e. from layer two to layer four, the switching bus module handles the message and data exchange between the modules of these layers, whereas the interaction between layer one and the other layers, i.e. between the general processor and the coprocessor, is inter-chip and can be implemented with a standardized bus such as PCIE; the bus type can be chosen according to the external interface provided by the general processor.
Besides the modules that can be assigned to a layer, there are also auxiliary processing modules that are independent of the layers and implemented with fixed logic, for example the transceiver module, the result reporting module, the memory read/write module and the cache inside the coprocessor 91.
In actual implementation, the general processor may also decide in advance, according to the service type, whether to process a task itself or hand it to the coprocessor: if the processing algorithm for the service type belongs to a high layer and is relatively complex, the general processor handles it; if the service type is a DPI-related service, the coprocessor handles it.
In addition to the layered design architecture, the embodiments of the present invention also propose equipping the coprocessor with external memory for saving DPI intermediate state, to achieve better scalability and performance, such as the first memory 83 and the second memory 84 in Figure 10. In this way, a task that needs to save its context need not be handed to the general processor, and the coprocessor can take over more of the general processor's work. The external memory can also hold the various feature data structures and algorithm-specific data structures needed during DPI processing, so that the coprocessor reads them directly and quickly instead of through the general processor over the bus, achieving higher processing performance.
In this embodiment, the string matching engine 132 is specifically configured to, under the invocation of the processor core 12, read the string matching algorithm state table from the first memory 83 and perform string matching on the original data packet according to that state table to obtain a feature match result, where the first memory 83 is used to store the string matching algorithm state table.
Specifically, the functional modules of the coprocessor 10 are provided with a first memory 83 that stores the string matching algorithm state table. When the string matching engine 132 is a multi-pattern string matching engine, the state table is a multi-pattern string matching algorithm state table; when it is a single-pattern string matching engine, the state table is a single-pattern one. For example, if the multi-pattern string matching algorithm is the AC algorithm, the state table is an AC state table, and the multi-pattern string matching engine performs multi-pattern string matching on the packet according to it. The multi-pattern string matching engine does not read or write the first memory 83 directly: a cache is provided in the coprocessor 10, and the first memory 83 is accessed through the cache.
In this embodiment, the regular expression matching engine is specifically configured to, under the invocation of the processor core 12, read the regular expression matching algorithm state table from the first memory 83 and perform regular expression matching on the original data packet according to that state table, where the first memory 83 is used to store the regular expression matching algorithm state table.
Specifically, the first memory 83 stores the regular expression matching algorithm state table. For example, when the regular expression matching algorithm is a DFA algorithm, the state table is a DFA state table, and the regular expression matching engine performs regular expression matching on the packet according to it. The regular expression matching engine does not read or write the first memory 83 directly: a cache is provided in the coprocessor 10, and the first memory 83 is accessed through the cache.
In this embodiment, after the string matching engine 132 has performed string matching on the original data packet according to the string matching algorithm state table in the first memory 83 and obtained a feature match result, the processor core 12 is specifically configured to read the rule-condition data structure from the second memory 84 and determine the application-layer protocol type of the original data packet according to the feature match result and the rule-condition data structure, where the second memory 84 is used to store the rule-condition data structure.
Specifically, the processor core 12 of the coprocessor 10 is provided with a second memory 84 that stores the rule-condition data structure, which records the correspondence between service rules and application-layer protocol types. The processor core 12 uses the feature match result obtained by the string matching engine to look up the application-layer protocol type of the original data packet in the rule-condition data structure in the second memory. The processor core 12 need not read or write the second memory 84 directly: a cache is provided in the coprocessor 10, and the second memory 84 is accessed through the cache.
In this embodiment, the first memory 83 and the second memory 84 may be in double-bank mode.
Specifically, the first memory 83 and the second memory 84 may be designed in double-bank (Double Bank) mode: the first bank holds the data structures currently in use and is called the current bank, and the second bank holds the upgraded data structures and is called the upgrade bank. During system operation the coprocessor 10 accesses the data in the current bank to carry out service processing. If the data in memory needs to be upgraded during that time, the upgraded data can be loaded into the upgrade bank, and this upgrade does not affect the coprocessor 10's access to the current bank of the memory. When the new data has finished loading, the system switches banks; at this point the first bank serves as the system bank and the second bank as the current bank, and so on: the first and second banks are used alternately to hold upgraded data, so that an upgrade takes effect without interrupting current services. Note that in practice, after switching to the new system bank, some service flows are still being processed, and those in-progress flows must not be forcibly switched to the new system bank. In that case, new service flows are processed with the data of the new system bank while old service flows continue to be processed with the original bank; only when all old service flows have finished is the original bank set to the non-working state. In this way the system is upgraded without interrupting current services.
For example, the original identification feature of the BitTorrent protocol is "Bttorrent"; after a BitTorrent software upgrade the new feature is "XBttorrent", so the DPI identification knowledge base needs to be updated. In the coprocessor 10 of the present invention the corresponding data structure is a particular string feature stored in the AC state table, so the newly compiled feature data structure needs to be loaded into the upgrade bank. During loading, the multi-pattern string matching engine still uses the current bank. When loading is complete, the current bank and the upgrade bank are swapped, and the multi-pattern string matching engine can read the new AC state table. In practical application, the implementation mainly comprises a compilation part and a running part.
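Added example (not the patent's own code) covering both the string matching engine and rule-condition lookup described for the first and second memories above, and the double-bank upgrade with the BitTorrent signature change: an Aho-Corasick state table (AC table), a rule-condition structure that maps matched signature ids to a protocol type, and a DoubleBank that pins each flow to the bank it started on and retires the old bank only when its last flow finishes. Signature strings, rule entries and flow ids are constructed.

```python
from collections import deque

# Constructed signatures (assumption): signature id -> byte pattern
SIGS_V1 = {"bt": b"Bttorrent", "http": b"HTTP/1."}
SIGS_V2 = {"bt": b"XBttorrent", "http": b"HTTP/1."}   # BitTorrent updated
# Constructed rule-condition structure: required signature ids -> protocol
RULES = [(frozenset({"bt"}), "BitTorrent"), (frozenset({"http"}), "HTTP")]


class ACTable:
    """Aho-Corasick state table, the multi-pattern engine's data structure."""

    def __init__(self, signatures):
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for sig_id, pattern in signatures.items():    # build the trie
            state = 0
            for ch in pattern:
                if ch not in self.goto[state]:
                    self.goto[state][ch] = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                state = self.goto[state][ch]
            self.out[state].add(sig_id)
        queue = deque(self.goto[0].values())          # depth-1 states fail to root
        while queue:                                   # BFS builds failure links
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] |= self.out[self.fail[s]]  # inherit shorter matches

    def match(self, payload):
        """Return the ids of all signatures occurring in payload."""
        state, hits = 0, set()
        for ch in payload:
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            hits |= self.out[state]
        return hits


class DoubleBank:
    """Current bank serves traffic, upgrade bank receives new tables; a flow
    keeps the bank it started on until it is released."""

    def __init__(self, ac, rules):
        self.banks = [(ac, rules), None]
        self.current = 0
        self.inflight = [0, 0]            # flows still pinned to each bank
        self.flow_bank = {}

    def load_upgrade(self, ac, rules):
        self.banks[1 - self.current] = (ac, rules)   # engine still reads current

    def switch(self):
        old, self.current = self.current, 1 - self.current
        if self.inflight[old] == 0:
            self.banks[old] = None        # nothing in flight: retire at once

    def classify(self, flow_id, payload):
        if flow_id not in self.flow_bank:
            self.flow_bank[flow_id] = self.current
            self.inflight[self.current] += 1
        ac, rules = self.banks[self.flow_bank[flow_id]]
        hits = ac.match(payload)          # string matching engine, first memory
        for needed, proto in rules:       # processor core lookup, second memory
            if needed <= hits:
                return proto
        return "unknown"

    def release_flow(self, flow_id):
        bank = self.flow_bank.pop(flow_id)
        self.inflight[bank] -= 1
        if bank != self.current and self.inflight[bank] == 0:
            self.banks[bank] = None       # last old flow done: bank non-working


def demo():
    db = DoubleBank(ACTable(SIGS_V1), RULES)
    old_style = b"\x13Bttorrent protocol"            # constructed payload
    r1 = db.classify("flowA", old_style)             # v1 tables
    db.load_upgrade(ACTable(SIGS_V2), RULES)         # load the upgrade bank
    r2 = db.classify("flowA", old_style)             # still v1 while loading
    db.switch()                                       # upgrade bank is current
    r3 = db.classify("flowA", old_style)             # pinned to the old bank
    r4 = db.classify("flowB", old_style)             # new flow: v2 misses it
    r5 = db.classify("flowC", b"\x13XBttorrent protocol")
    db.release_flow("flowA")
    return r1, r2, r3, r4, r5, db.banks[0] is None
```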
Compilation part: the feature compiler, the parsing sub-processor compiler, the result template compiler and the policy compiler.
In practice, the compilers mainly include:
a. front-end compilers: the feature compiler, the parsing sub-processor compiler, the matching rule compiler and so on;
b. back-end compilers: the regular expression compiler, the single-pattern string algorithm compiler, the multi-pattern string algorithm compiler and so on.
The main functions of the front-end compilers include: classifying the rules used by the various DPI services (such as application-layer protocol identification, IPS/IDS and URL filtering) into rules usable by the coprocessor of the present invention, namely regular expressions, strings, numeric values and so on; generating the data structures of the second memory, namely the condition rule data structures; compiling the high-level-language software logic of the coprocessor's processor core into instructions executable by that processor core; and compiling the various DPI service data structures used by the general processor, namely the data structures mentioned above for supporting post-decryption identification and algorithmic identification.
The main function of the back-end compilers is to compile the data structures used by the lowest-layer algorithm engine modules of the coprocessor, namely the data structures of the first memory, as exemplified above and not repeated here.
Besides the two major categories of compiler, the compilation part also includes the coprocessor driver, which loads the compiled data structures into the coprocessor's first memory, second memory and on-chip memory (for example, the processor core's logic instructions are stored in the processor's on-chip memory).
Running part: the configuration API, the DPI processing API, the driver, the firmware of the DPI service control layer processor core, and the hardware modules of the DPI sub-service processing layer (parsing sub-processor, URL filtering module, policy matching module) and of the algorithm engine layer (single-pattern string matching engine, regular expression matching engine, multi-pattern string matching engine).
Figure 11 is a schematic structural diagram of a general processor provided by an embodiment of the present invention. As shown in Figure 11, the general processor 82 provided by this embodiment can carry out each step of the deep packet inspection method applied to a general processor provided by any embodiment of the present invention; the specific process is not repeated here. The general processor provided by this embodiment includes a sending module 21, a receiving module 22 and a processing module 23.
The sending module 21 is configured to send the original data packet to the coprocessor;
the receiving module 22 is configured to receive the application-layer parse result of the original data packet sent by the coprocessor, where the application-layer parse result is obtained by the coprocessor's processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet, and represents the application-layer information of the packet;
the processing module 23 is configured to process the original data packet at least according to that application-layer parse result.
In the general processor provided by this embodiment, the general processor sends the original data packet to the coprocessor, receives the processing result sent by the coprocessor, and processes the original data packet according to that result. The general processor and the coprocessor cooperate to implement DPI; the sub-coprocessors in the coprocessor can be designed specifically for the DPI service, so the DPI function is offloaded from the general processor, reducing its resource usage and freeing it to handle other value-added services. Moreover, a processor core is provided in the coprocessor, the sub-coprocessors run under the invocation of the processor core and can retain intermediate state information, and the interaction between the processor core and the sub-coprocessors is entirely on-chip, which avoids frequent interaction between the coprocessor and the general processor and improves running speed.
In one embodiment, the processing module 23 is specifically configured to decrypt the original data packet if it identifies from the application-layer parse result that the original data packet is an encrypted data packet.
In another embodiment, the processing module 23 is specifically configured to determine, from the application-layer parse result of the original data packet, the service type of the flow to which the packet belongs, and to perform traffic statistics, charging or transmission acceleration on that flow according to the service type.
In another embodiment, the application-layer parse result of the original data packet includes the application-layer protocol type of the packet and a URL match result. The application-layer protocol type may be obtained by the coprocessor's processor core invoking the coprocessor's protocol identification sub-coprocessor to identify the original data packet. Further, after the processor core determines that the application-layer protocol type of the original data packet is the Hypertext Transfer Protocol (HTTP), it may also invoke the coprocessor's Uniform Resource Locator (URL) matching engine to perform URL matching on the packet, obtain the URL match result and send it to the general processor. Correspondingly, after receiving the URL match result from the coprocessor, the general processor judges from the application-layer protocol type and the URL match result whether the flow to which the original data packet belongs is used to access a restricted website and, if so, blocks the flow.
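Added example (not the patent's own code) of the exchange between the general processor and the coprocessor described here and in the earlier embodiments: the coprocessor's report in a preset format, the decrypt-and-resubmit path for encrypted packets, and the block, account and accelerate decisions. The report layout, protocol codes, payload signatures and the toy encryption are all constructed assumptions; the coprocessor is modelled by a minimal classifier so the exchange runs offline.

```python
import struct

# Constructed preset report format (assumption, not the patent's format):
# flow_id u32 | proto_type u16 | flags u8 | url_rule u8, network byte order
REPORT_FMT = "!IHBB"
PROTO_UNKNOWN, PROTO_HTTP, PROTO_SKYPE, PROTO_GAME = 0, 1, 2, 3
FLAG_ENCRYPTED = 0x01
NO_URL_RULE = 0


def pack_report(flow_id, proto, flags=0, url_rule=NO_URL_RULE):
    """Result reporting module: encapsulate the parse result."""
    return struct.pack(REPORT_FMT, flow_id, proto, flags, url_rule)


def unpack_report(blob):
    """General processor side: decode the report received from the coprocessor."""
    flow_id, proto, flags, url_rule = struct.unpack(REPORT_FMT, blob)
    return {"flow": flow_id, "proto": proto, "flags": flags, "url_rule": url_rule}


def toy_encrypt(plain):
    """Constructed stand-in for an encrypted record; not a real cipher."""
    return b"\x16\x03" + bytes(b ^ 0x55 for b in plain)


class ModelCoprocessor:
    """Stand-in for the coprocessor using constructed payload signatures."""

    def __init__(self, blocked_urls):
        self.blocked_urls = blocked_urls      # URL substring -> URL rule id

    def analyse(self, flow_id, payload):
        if payload.startswith(b"\x16\x03"):   # looks encrypted: report only that
            return pack_report(flow_id, PROTO_UNKNOWN, FLAG_ENCRYPTED)
        if payload.startswith(b"GET "):       # HTTP: also run URL matching
            rule = NO_URL_RULE
            for url, rid in self.blocked_urls.items():
                if url in payload:
                    rule = rid
            return pack_report(flow_id, PROTO_HTTP, url_rule=rule)
        if b"SKYPE" in payload:
            return pack_report(flow_id, PROTO_SKYPE)
        if b"GAME" in payload:
            return pack_report(flow_id, PROTO_GAME)
        return pack_report(flow_id, PROTO_UNKNOWN)


class GeneralProcessor:
    """Sends packets to the coprocessor and acts on the returned report."""

    def __init__(self, cop):
        self.cop = cop
        self.voip_bytes = 0                   # traffic statistics for charging
        self.flow_action = {}

    @staticmethod
    def decrypt(payload):
        return bytes(b ^ 0x55 for b in payload[2:])   # undo toy_encrypt

    def process(self, flow_id, payload):
        report = unpack_report(self.cop.analyse(flow_id, payload))
        if report["flags"] & FLAG_ENCRYPTED:
            # Decryption stays on the general processor; resubmit the plaintext
            payload = self.decrypt(payload)
            report = unpack_report(self.cop.analyse(flow_id, payload))
        action = self.policy(report, len(payload))
        self.flow_action[flow_id] = action
        return action

    def policy(self, report, nbytes):
        if report["proto"] == PROTO_HTTP and report["url_rule"] != NO_URL_RULE:
            return "block"                    # restricted website
        if report["proto"] == PROTO_SKYPE:
            self.voip_bytes += nbytes         # count for VoIP charging
            return "account"
        if report["proto"] == PROTO_GAME:
            return "accelerate"
        return "forward"


def demo():
    gp = GeneralProcessor(ModelCoprocessor({b"bad.example": 7}))
    a1 = gp.process(1, b"GET /index.html HTTP/1.1\r\nHost: bad.example\r\n")
    a2 = gp.process(2, toy_encrypt(b"SKYPE call setup"))
    a3 = gp.process(3, b"GAME state update")
    a4 = gp.process(4, b"GET / HTTP/1.1\r\nHost: ok.example\r\n")
    return a1, a2, a3, a4, gp.voip_bytes
```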
Figure 12 is a schematic structural diagram of a first DPI device provided by an embodiment of the present invention. As shown in Figure 12, the DPI device provided by this embodiment includes the coprocessor 81 provided by any embodiment of the present invention and the general processor 82 provided by any embodiment of the present invention.
In the DPI device provided by this embodiment, the general processor 82 and the coprocessor 81 cooperate to implement DPI; the sub-coprocessors in the coprocessor 81 can be designed specifically for the DPI service, so the DPI function is offloaded from the general processor 82, reducing its resource usage and freeing it to handle other value-added services. Moreover, a processor core is provided in the coprocessor 81, the sub-coprocessors run under the invocation of the processor core and can retain intermediate state information, and the interaction between the processor core and the sub-coprocessors is entirely on-chip, which avoids frequent interaction between the coprocessor 81 and the general processor 82 and improves running speed.
In one embodiment, the DPI device contains one general processor. In practice, one coprocessor may also cooperate with one or more general processors to implement the DPI service.
In another embodiment, the DPI device contains at least two general processors, and the DPI device further includes a network interface card and a load balancing apparatus;
the network interface card is configured to receive data packets from the network and send them to the load balancing apparatus;
the load balancing apparatus is configured to obtain the load of each of the at least two general processors, select one general processor according to the load of each, and send the data packet to the selected general processor.
Figure 13 is a schematic structural diagram of a second DPI device provided by an embodiment of the present invention. As shown in Figure 13, taking a DPI device with two general CPUs (33 and 35 in Figure 13) as an example, the DPI device is further provided with a network interface card 31 and a load balancing apparatus 32. The network interface card 31 receives data packets sent by other devices in the network and distributes them directly, through the load balancing apparatus 32 responsible for load sharing, to a suitable general CPU for processing, rather than by DMA (Direct Memory Access). When the general CPU determines that DPI processing is required, it forwards the data packet to the coprocessor 34. After the coprocessor 34 has completed processing, the general CPU collects the DPI processing result over the PCIE interface, performs further service processing according to the DPI result, and forwards the packets that need forwarding through the network interface card 31.
The load balancing apparatus 32 can be implemented by an FPGA. On the one hand it selects a suitable general CPU to process a data packet according to the load of each general CPU; on the other hand it implements the message transceiving logic. If there is only one general CPU in the DPI device, the load balancing apparatus 32 may be omitted and the message transceiving logic implemented by another chip. The general CPU in the embodiments of the present invention may specifically be a Cavium general CPU.
In the DPI device provided by this embodiment, the general processor and the coprocessor cooperate to implement DPI; the sub-coprocessors in the coprocessor can be designed specifically for the DPI service, so the DPI function is offloaded from the general processor, reducing its resource usage and freeing it to handle other value-added services. Moreover, a processor core is provided in the coprocessor, the sub-coprocessors run under the invocation of the processor core and can retain intermediate state information, and the interaction between the processor core and the sub-coprocessors is entirely on-chip, which avoids frequent interaction between the coprocessor and the general processor and reduces processing latency.
Figure 14 is a schematic structural diagram of a third DPI device provided by an embodiment of the present invention. As shown in Figure 14, in this embodiment the DPI device includes two general CPUs (42 and 45 in Figure 14); the general CPU 42 is provided with DDR3 memory 43 and the general CPU 45 with DDR3 memory 46. The DPI device is further provided with a network interface card 41. After the network interface card 41 receives a data packet sent by another device in the network, it first triggers the general CPU 42, by DMA over the PCIE interface, to read the packet and store it in the DDR3 memory 43 that it uses. If after some processing the general CPU 42 finds that DPI processing is required, it hands the packet by DMA to the coprocessor 44 for DPI processing; once the coprocessor 44 has finished, it returns the DPI processing result to the general CPU 42 for further processing, and the Sandy-Bridge general CPU 42 then sends the packets that need forwarding through the network interface card 41 to the next network device in the network. Note that the general CPU in the embodiments of the present invention may be a Sandy-Bridge general CPU.
In the DPI device provided by this embodiment, the general processor and the coprocessor cooperate to implement DPI; the sub-coprocessors in the coprocessor can be designed specifically for the DPI service, so the DPI function is offloaded from the general processor, reducing its resource usage and freeing it to handle other value-added services. Moreover, a processor core is provided in the coprocessor, the sub-coprocessors run under the invocation of the processor core and can retain intermediate state information, and the interaction between the processor core and the sub-coprocessors is entirely on-chip, which avoids frequent interaction between the coprocessor and the general processor and reduces processing latency.
The deep packet inspection method and apparatus provided by the embodiments of the present invention can be applied in many scenarios, for example but not limited to: in an enterprise router, using the DPI coprocessor for application protocol identification, deep protocol parsing, IDS (Intrusion Detection Systems) and the policy engine; in a Router and a BRAS (Broadband Remote Access Server), using the DPI coprocessor for application protocol identification, deep protocol parsing and the policy engine; in a GGSN (Gateway GPRS Support Node), using the DPI coprocessor for application protocol identification, deep protocol parsing, content filtering and the policy engine; in an application gateway, using the DPI coprocessor for application protocol identification, deep protocol parsing, content filtering and the policy engine; and in radio access network elements such as the RNC (Radio Network Controller) and NodeB, using the DPI coprocessor for application protocol identification, deep protocol parsing, radio resource optimization and the policy engine.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware driven by program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims
1. A deep packet inspection (DPI) method, characterized by comprising:
a transceiver module of a coprocessor receiving an original data packet sent by a general processor and sending the original data packet to a processor core of the coprocessor;
the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet, obtaining an application-layer parse result of the original data packet, the application-layer parse result representing the application-layer information of the original data packet; and
the processor core sending the application-layer parse result to the general processor, so that the general processor processes the original data packet according to the application-layer parse result.
2. The deep packet inspection method according to claim 1, characterized in that, after the transceiver module of the coprocessor receives the original data packet sent by the general processor and before the original data packet is sent to the processor core of the coprocessor, the method further comprises:
performing stream processing on the original data packet;
the sending the original data packet to the processor core comprises:
sending the stream-processed data packet to the processor core; and
the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet and obtaining the application-layer parse result of the original data packet comprises:
the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the stream-processed data packet, obtaining the application-layer parse result of the original data packet.
3. The deep packet inspection method according to claim 2, characterized in that the performing stream processing on the original data packet comprises:
performing IP fragment reassembly and TCP out-of-order packet reordering on the original data packet.
4. The deep packet inspection method according to claim 1, characterized in that at least two processor cores are provided in the coprocessor, and the sending the original data packet to the processor core of the coprocessor comprises:
selecting one processor core from the at least two processor cores according to the load of each processor core, and sending the original data packet to the selected processor core.
5. The deep packet inspection method according to claim 1, characterized in that the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet specifically comprises:
the processor core invoking, through a switching bus module of the coprocessor, at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet.
6. The deep packet inspection method according to claim 1, characterized in that
the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet and obtaining the application-layer parse result of the original data packet comprises:
the processor core invoking a protocol identification sub-coprocessor included in the coprocessor; the protocol identification sub-coprocessor performing endpoint lookup on the original data packet under the invocation of the processor core, obtaining an endpoint lookup result and returning the endpoint lookup result to the processor core; and the processor core determining the application-layer protocol type of the original data packet at least according to the endpoint lookup result and taking the obtained application-layer protocol type as the application-layer parse result of the original data packet.
7. The deep packet inspection method according to claim 1, characterized in that
the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet and obtaining the application-layer parse result of the original data packet comprises:
the processor core invoking a protocol identification sub-coprocessor included in the coprocessor; the protocol identification sub-coprocessor, under the invocation of the processor core, invoking a string matching engine included in the coprocessor; the string matching engine performing string matching on the original data packet under the invocation of the protocol identification sub-coprocessor, obtaining a feature match result and returning the feature match result to the processor core; and the processor core determining the application-layer protocol type of the original data packet at least according to the feature match result and taking the application-layer protocol type as the application-layer parse result of the original data packet.
8. The deep packet inspection method according to claim 1, characterized in that
the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet and obtaining the application-layer parse result of the original data packet comprises:
the processor core invoking a regular expression matching engine included in the coprocessor; the regular expression matching engine performing regular expression matching on the original data packet under the invocation of the processor core, obtaining a feature match result and returning the feature match result to the processor core; and the processor core determining the application-layer protocol type of the original data packet at least according to the feature match result and taking the obtained application-layer protocol type as the application-layer parse result of the original data packet.
9. The deep packet inspection method according to claim 1, characterized in that the processor core invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet and obtaining the application-layer parse result of the original data packet comprises:
the processor core invoking a protocol identification sub-coprocessor included in the coprocessor to identify the application-layer protocol of the original data packet, obtaining the application-layer protocol type of the original data packet; and
the processor core invoking a protocol parsing sub-coprocessor included in the coprocessor to perform protocol parsing on the original data packet, obtaining a parse result, and taking the parse result and the application-layer protocol type as the application-layer parse result of the original data packet.
10. The deep packet inspection method according to any one of claims 1 to 9, characterized in that the processor core sending the application-layer parse result to the general processor comprises:
the processor core sending the application-layer parse result to a result reporting module included in the coprocessor; and
the result reporting module encapsulating the application-layer parse result in a preset format and sending the encapsulated application-layer parse result to the general processor.
11. The deep packet inspection method according to claim 7, characterized in that the string matching engine performing string matching on the original data packet under the invocation of the protocol identification sub-coprocessor and obtaining a feature match result comprises:
the string matching engine, under the invocation of the protocol identification sub-coprocessor, reading a string matching algorithm state table from a first memory and performing string matching on the stream-processed data packet according to the string matching algorithm state table, obtaining the feature match result.
12. The deep packet inspection method according to claim 11, characterized in that the processor core determining the application-layer protocol type of the original data packet at least according to the feature match result comprises:
the processor core reading a rule-condition data structure from a second memory and determining the application-layer protocol type of the original data packet according to the feature match result and the rule-condition data structure.
13. A deep packet inspection method, characterized by comprising:
a general processor sending an original data packet to a coprocessor;
the general processor receiving an application-layer parse result of the original data packet sent by the coprocessor, wherein the application-layer parse result is obtained by a processor core of the coprocessor invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet, and the application-layer parse result represents the application-layer information of the original data packet; and
the general processor processing the original data packet at least according to the application-layer parse result.
14. The deep packet inspection method according to claim 13, characterized in that the general processor processing the original data packet at least according to the application-layer parse result comprises:
the general processor determining, according to the application-layer parse result, whether the original data packet is an encrypted data packet and, if so, decrypting the original data packet.
15. The deep packet inspection method according to claim 13, characterized in that the general processor processing the original data packet at least according to the application-layer parse result comprises:
the general processor determining, according to the application-layer parse result, the service type of the flow to which the original data packet belongs, and performing traffic statistics, charging or transmission acceleration on the flow according to the service type.
16. The deep packet inspection method according to claim 13, characterized in that the application-layer parse result of the original data packet comprises the application-layer protocol type of the original data packet and a URL match result; wherein the application-layer protocol type of the original data packet is obtained by the processor core of the coprocessor invoking a protocol identification sub-coprocessor of the coprocessor to identify the original data packet, and the URL match result is obtained by the processor core of the coprocessor, after determining that the application-layer protocol type of the original data packet is the Hypertext Transfer Protocol, invoking a Uniform Resource Locator (URL) matching engine of the coprocessor to perform URL matching on the original data packet; and
the general processor processing the original data packet at least according to the application-layer parse result comprises:
the general processor judging, according to the application-layer parse result and the URL match result, whether the flow to which the original data packet belongs is used to access a restricted website and, if so, blocking the flow.
17. A coprocessor, characterized by comprising a transceiver module, a sub-coprocessor and a processor core;
the transceiver module being configured to receive an original data packet sent by a general processor and send the original data packet to the processor core;
the processor core being configured to invoke the sub-coprocessor to perform application-layer parsing on the original data packet, obtain an application-layer parse result of the original data packet, the application-layer parse result representing the application-layer information of the original data packet, and send the application-layer parse result to the general processor so that the general processor processes the original data packet at least according to the application-layer parse result; and
the sub-coprocessor being configured to perform application-layer parsing on the original data packet under the invocation of the processor core, obtaining the application-layer information of the original data packet.
18. The coprocessor according to claim 17, characterized in that the transceiver module comprises:
a receiving unit configured to receive the original data packet sent by the general processor;
a stream processing unit configured to perform stream processing on the original data packet after the receiving unit receives the original data packet sent by the general processor; and
a distribution unit configured to send the stream-processed data packet to the processor core;
the processor core being specifically configured to invoke the sub-coprocessor to perform application-layer parsing on the stream-processed data packet.
19. The coprocessor according to claim 18, characterized in that the stream processing unit is specifically configured to perform IP fragment reassembly and TCP out-of-order packet reordering on the original data packet.
20. The coprocessor according to claim 18 or 19, characterized in that the number of processor cores is at least two; and
the distribution unit is specifically configured to determine the load of each of the at least two processor cores, select one processor core from the at least two processor cores according to the load of each processor core, and send the stream-processed data packet to the selected processor core.
21. The coprocessor according to any one of claims 17 to 20, characterized by further comprising a switching bus module;
the processor core being specifically configured to invoke the sub-coprocessor through the switching bus module of the coprocessor to perform application-layer parsing on the original data packet.
22. The coprocessor according to claim 17, characterized in that the sub-coprocessor is specifically configured to perform endpoint lookup on the original data packet under the invocation of the processor core, obtain an endpoint lookup result and return the endpoint lookup result to the processor core; and
the processor core is specifically configured to determine the application-layer protocol type of the original data packet at least according to the endpoint lookup result and send the determined application-layer protocol type to the general processor as the application-layer parse result of the original data packet.
23. The coprocessor according to claim 17, characterized in that the sub-coprocessor comprises a protocol identification sub-coprocessor and a string matching engine;
the protocol identification sub-coprocessor is specifically configured to invoke the string matching engine under the invocation of the processor core, the string matching engine performing string matching on the original data packet under the invocation of the protocol identification sub-coprocessor, obtaining a feature match result and returning the feature match result to the processor core; and
the processor core is specifically configured to determine the application-layer protocol type of the original data packet at least according to the feature match result and send the determined application-layer protocol type to the general processor as the application-layer parse result of the original data packet.
24. The coprocessor according to claim 17, characterized in that the sub-coprocessor is specifically a regular expression matching engine;
the regular expression matching engine is configured to perform regular expression matching on the original data packet under the invocation of the processor core, obtain a feature match result and return the feature match result to the processor core; and
the processor core is specifically configured to determine the application-layer protocol type of the original data packet at least according to the feature match result and send the determined application-layer protocol type to the general processor as the application-layer parse result of the original data packet.
25. The coprocessor according to claim 23, characterized in that the sub-coprocessor further comprises a protocol parsing sub-coprocessor;
the protocol parsing sub-coprocessor is configured to perform protocol parsing on the original data packet, obtain a parse result and return the parse result to the processor core; and
the processor core is further configured to send the parse result to the general processor, so that the general processor processes the original data packet according to the application-layer protocol type and the parse result.
26. The coprocessor according to any one of claims 17 to 25, characterized by further comprising a result reporting module;
the processor core being specifically configured to send the application-layer parse result to the result reporting module; and
the result reporting module being configured to encapsulate the application-layer parse result in a preset format and send the encapsulated application-layer parse result to the general processor.
27. The coprocessor according to claim 23, characterized in that:
the string matching engine is specifically configured to, under the invocation of the protocol identification sub-coprocessor, read a string matching algorithm state table from a first memory, perform string matching on the original data packet according to the string matching algorithm state table, obtain a feature match result and return the feature match result to the processor core, wherein the first memory is configured to store the string matching algorithm state table.
28. The coprocessor according to claim 27, characterized in that:
the processor core is specifically configured to read a rule-condition data structure from a second memory and determine the application-layer protocol type according to the feature match result and the rule-condition data structure, wherein the second memory is configured to store the rule-condition data structure.
29. The coprocessor according to claim 28, characterized in that the first memory and the second memory are in double-bank mode.
30. A general processor, characterized by comprising:
a sending module configured to send an original data packet to a coprocessor;
a receiving module configured to receive an application-layer parse result of the original data packet sent by the coprocessor, wherein the application-layer parse result is obtained by a processor core of the coprocessor invoking at least one sub-coprocessor of the coprocessor to perform application-layer parsing on the original data packet, and the application-layer parse result represents the application-layer information of the original data packet; and
a processing module configured to process the original data packet at least according to the application-layer parse result.
31. The general processor according to claim 30, characterized in that the processing module is specifically configured to decrypt the original data packet if it identifies from the application-layer parse result that the original data packet is an encrypted data packet.
32. The general processor according to claim 30 or 31, characterized in that
the application-layer parse result of the original data packet comprises the application-layer protocol type of the original data packet and a URL match result, wherein the URL match result is obtained by the processor core of the coprocessor, upon determining that the application-layer protocol type of the original data packet is the Hypertext Transfer Protocol, invoking a Uniform Resource Locator (URL) matching engine of the coprocessor to perform URL matching on the original data packet; and
the processing module is specifically configured to judge, according to the application-layer protocol type of the original data packet and the URL match result, whether the flow to which the original data packet belongs is used to access a restricted website and, if so, block the flow.
33. A deep packet inspection (DPI) device, characterized by comprising the coprocessor according to any one of claims 17 to 29 and the general processor according to any one of claims 30 to 32.
34. The deep packet inspection device according to claim 33, characterized in that the number of general processors is one.
35. The deep packet inspection device according to claim 33, characterized in that the number of general processors is at least two, and the DPI device further comprises a network interface card and a load balancing apparatus;
the network interface card being configured to receive data packets from the network and send the data packets to the load balancing apparatus; and
the load balancing apparatus being configured to determine the load of each of the at least two general processors, select one general processor according to the load of each general processor, and send the data packet to the selected general processor.
PCT/CN2014/071025 2013-08-05 2014-01-21 Deep packet inspection method, device and coprocessor WO2015018188A1 (zh)

Priority Applications (6)

Application Number Priority Date Filing Date Title
RU2015137525A RU2630414C2 (ru) 2013-08-05 2014-01-21 Deep packet inspection device and method, and coprocessor
JP2015532299A JP6192725B2 (ja) 2013-08-05 2014-01-21 Deep packet inspection method and device, and coprocessor
EP14834700.8A EP2933955B1 (en) 2013-08-05 2014-01-21 Deep packet inspection method, device, and coprocessor
CA2898053A CA2898053C (en) 2013-08-05 2014-01-21 Deep packet inspection method, device, and coprocessor
KR1020157020935A KR101662685B1 (ko) 2013-08-05 2014-01-21 Deep packet inspection method and device, and coprocessor
US14/980,719 US20160119198A1 (en) 2013-08-05 2015-12-28 Deep Packet Inspection Method and Device, and Coprocessor

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310337064.6 2013-08-05
CN201310337064.6A CN104348677A (zh) 2013-08-05 2013-08-05 Deep packet inspection method, device and coprocessor

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/980,719 Continuation US20160119198A1 (en) 2013-08-05 2015-12-28 Deep Packet Inspection Method and Device, and Coprocessor

Publications (1)

Publication Number Publication Date
WO2015018188A1 true WO2015018188A1 (zh) 2015-02-12

Family

ID=52460603

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/071025 WO2015018188A1 (zh) 2013-08-05 2014-01-21 Deep packet inspection method, device and coprocessor

Country Status (8)

Country Link
US (1) US20160119198A1 (zh)
EP (1) EP2933955B1 (zh)
JP (1) JP6192725B2 (zh)
KR (1) KR101662685B1 (zh)
CN (1) CN104348677A (zh)
CA (1) CA2898053C (zh)
RU (1) RU2630414C2 (zh)
WO (1) WO2015018188A1 (zh)

Also Published As

Publication number Publication date
EP2933955A1 (en) 2015-10-21
CN104348677A (zh) 2015-02-11
CA2898053C (en) 2017-10-31
US20160119198A1 (en) 2016-04-28
KR101662685B1 (ko) 2016-10-05
KR20150103248A (ko) 2015-09-09
EP2933955A4 (en) 2016-02-10
CA2898053A1 (en) 2015-02-12
RU2015137525A (ru) 2017-03-06
RU2630414C2 (ru) 2017-09-07
EP2933955B1 (en) 2017-06-28
JP2015537278A (ja) 2015-12-24
JP6192725B2 (ja) 2017-09-06


Legal Events

Date Code Title Description
ENP Entry into the national phase: Ref document number 2015532299; Country of ref document: JP; Kind code of ref document: A
121 Ep: the epo has been informed by wipo that ep was designated in this application: Ref document number 14834700; Country of ref document: EP; Kind code of ref document: A1
ENP Entry into the national phase: Ref document number 2898053; Country of ref document: CA
REEP Request for entry into the european phase: Ref document number 2014834700; Country of ref document: EP
WWE Wipo information: entry into national phase: Ref document number 2014834700; Country of ref document: EP
ENP Entry into the national phase: Ref document number 20157020935; Country of ref document: KR; Kind code of ref document: A
ENP Entry into the national phase: Ref document number 2015137525; Country of ref document: RU; Kind code of ref document: A
NENP Non-entry into the national phase: Ref country code: DE