WO2015018188A1 - 一种深度报文检测方法、设备及协处理器 - Google Patents
一种深度报文检测方法、设备及协处理器 Download PDFInfo
- Publication number
- WO2015018188A1 WO2015018188A1 PCT/CN2014/071025 CN2014071025W WO2015018188A1 WO 2015018188 A1 WO2015018188 A1 WO 2015018188A1 CN 2014071025 W CN2014071025 W CN 2014071025W WO 2015018188 A1 WO2015018188 A1 WO 2015018188A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data packet
- coprocessor
- original data
- application layer
- processor core
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 71
- 238000007689 inspection Methods 0.000 title claims abstract description 9
- 230000008569 process Effects 0.000 claims abstract description 47
- 238000012545 processing Methods 0.000 claims description 151
- 230000015654 memory Effects 0.000 claims description 94
- 238000004422 calculation algorithm Methods 0.000 claims description 91
- 230000014509 gene expression Effects 0.000 claims description 64
- 238000001514 detection method Methods 0.000 claims description 46
- 238000004458 analytical method Methods 0.000 claims description 43
- 230000001133 acceleration Effects 0.000 claims description 10
- 238000012546 transfer Methods 0.000 claims description 8
- 238000009826 distribution Methods 0.000 claims description 7
- 230000005540 biological transmission Effects 0.000 claims description 5
- 238000013467 fragmentation Methods 0.000 claims description 3
- 238000006062 fragmentation reaction Methods 0.000 claims description 3
- 230000008707 rearrangement Effects 0.000 claims description 3
- 230000003993 interaction Effects 0.000 description 29
- 230000006870 function Effects 0.000 description 25
- 230000006399 behavior Effects 0.000 description 20
- 238000010586 diagram Methods 0.000 description 14
- 230000000717 retained effect Effects 0.000 description 6
- 238000001914 filtration Methods 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 4
- 238000010921 in-depth analysis Methods 0.000 description 4
- 238000005457 optimization Methods 0.000 description 4
- 238000013461 design Methods 0.000 description 3
- 239000012634 fragment Substances 0.000 description 3
- 230000009471 action Effects 0.000 description 2
- 230000003542 behavioural effect Effects 0.000 description 2
- 230000000903 blocking effect Effects 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000007667 floating Methods 0.000 description 2
- 238000004321 preservation Methods 0.000 description 2
- 238000003860 storage Methods 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 1
- 238000012512 characterization method Methods 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000009977 dual effect Effects 0.000 description 1
- 239000000284 extract Substances 0.000 description 1
- 238000005111 flow chemistry technique Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000004088 simulation Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/02—Capturing of monitoring data
- H04L43/028—Capturing of monitoring data by filtering
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/30—Definitions, standards or architectural aspects of layered protocol stacks
- H04L69/32—Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
- H04L69/322—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
- H04L69/329—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/0218—Distributed architectures, e.g. distributed firewalls
Definitions
- the embodiments of the present invention relate to computer technologies, and in particular, to a deep packet detection method, device, and coprocessor.
- DPI Deep Packet Inspection
- the DPI technology implements in-depth analysis of data packets through feature matching algorithms to obtain application information of data packets, thereby implementing services such as network optimization, application flow control, and security detection.
- the DPI service is usually implemented by a general-purpose processor, and a matching processor is integrated in the general-purpose processor, and the general-purpose processor drives the matcher by the software logic to implement feature matching. Since general-purpose processors are not designed specifically for DPI services, in order to ensure versatility requirements, their integrated matchers generally only support general-purpose matching algorithms, such as regular expression matching algorithms, but cannot support DPI-specific services.
- the matching algorithm is designed, resulting in poor matching performance and becoming a bottleneck for business processing.
- all DPI services are implemented in general-purpose processors, which limit the performance of DPI services due to limited resources of general-purpose processors.
- FIG. 1 another implementation manner of the DPI service in the prior art is to solidify the DPI service logic into the hardware.
- the hardware entity may be an FPGA (Field-Programmable Gate Array). Or ASIC (Application Specific Integrated Circuit).
- the DPI service logic of a device is divided into three steps: 1. Endpoint table matching; 2. IP port identification; 3. Application layer text feature matching; 4. Complex post-decoding recognition. The first three steps can be solidified into hardware logic to achieve.
- step four The logic of step four is very complicated and cannot be implemented by hardware logic, and is left to the general processor to complete. It can be seen that the logic is solidified by hardware, and the scalability is poor:
- the DPI business logic the three steps in the above example become four steps or the adjustment order
- the hardware code needs to be rewritten, and the simulation is released to the existing network device. in. It is difficult to quickly adapt to network traffic changes; moreover, because the multiple steps of the DPI business logic are implemented by the general-purpose processor with software implementation and hardware acceleration chip logic, the interaction between the general-purpose processor and the hardware acceleration chip is inevitable, resulting in DPI. The processing delay is large.
- the embodiment of the invention provides a deep packet detection method, device and coprocessor to improve the performance and scalability of the DPI.
- an embodiment of the present invention provides a deep packet detection method, including: a transceiver module of a coprocessor receiving an original data packet sent by a general processor, and transmitting the original data packet to the coprocessor
- the processor core invokes at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet to obtain an application layer parsing result of the original data packet, and the application layer parsing result
- An application layer information for indicating the original data packet the processor core transmitting the application layer parsing result to the general-purpose processor, so that the general-purpose processor is configured according to the application layer parsing result
- the original packet is processed.
- the original data packet is sent to the processor core of the coprocessor
- the method further includes: performing stream processing on the original data packet; and sending the original data packet to the processor core, including: sending the stream processed data packet to the processor core ;
- the processor core invokes at least one sub-coprocessor of the coprocessor to perform an application layer parsing on the original data packet, to obtain an application layer parsing result of the original data packet, including: the processor core calling station At least one sub-coprocessor of the co-processor to apply the layer parsing to the stream-processed data packet to obtain an application layer parsing result of the original data packet.
- the stream processing sub-module of the transceiver module performs stream processing on the original data packet, including: the stream processing sub-module Performing IP fragment packet reassembly processing and TCP out-of-order message reordering processing on the original data packet.
- At least two processor cores are disposed in the coprocessor; and the original data packet is sent to a processor core of the coprocessor,
- the method includes: selecting one processor core from the at least two processor cores according to a load condition of each of the processor cores, and transmitting the original data packet to the selected processor core.
- the processor core by using the at least one sub-coprocessor of the coprocessor, to perform application layer parsing on the original data packet, specifically: the processing The controller core invokes at least one sub-coprocessor of the coprocessor through the exchange bus module of the coprocessor to perform application layer parsing on the original data packet.
- the processor core invokes at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet to obtain the original data packet.
- Application layer resolution results including:
- the processor core invokes a protocol identification sub-coprocessor included by the coprocessor, and the protocol identification sub-coprocessor performs an endpoint search on the original data packet under the call of the processor core to obtain an endpoint search.
- the endpoint lookup result is returned to the processor core, and the processor core is at least Determining an application layer protocol type of the original data packet according to the endpoint search result, and using the obtained application layer protocol type as an application layer parsing result of the original data packet.
- the processor core invokes at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet to obtain the original data packet.
- the application layer parsing result includes: the processor core invokes a protocol identifier sub-coprocessor included by the coprocessor, and the protocol identifier sub-processor calls the association under a call of the processor core a string matching engine included in the processor, the string matching engine performs string matching on the original data packet under the call of the protocol identification sub-coprocessor to obtain a feature matching result, and returns the feature matching result
- the processor core the processor core determines an application layer protocol type of the original data packet according to the feature matching result, and uses the application layer protocol type as an application layer parsing result of the original data packet .
- the processor core invokes at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet to obtain the original data packet.
- Application layer resolution results including:
- the processor core invokes a regular expression matching engine included in the coprocessor, and the regular expression matching engine performs regular matching on the original data packet under the call of the processor core to obtain a feature matching result.
- the processor core determines an application layer protocol type of the original data packet according to the feature matching result, and using the obtained application layer protocol type as the The application layer parsing result of the original data packet.
- the processor core invokes at least one sub-coprocessor of the coprocessor to perform an application layer parsing on the original data packet to obtain the original data packet.
- Application layer resolution results including: The processor core invokes a protocol identifier sub-processor included by the coprocessor to identify an application layer protocol of the original data packet, to obtain an application layer protocol type of the original data packet; The protocol parsing sub-coprocessor included by the coprocessor performs protocol parsing on the original data packet, obtains an parsing result, and parses the parsing result and the application layer protocol type as an application layer of the original data packet. result.
- the string matching engine performs a string on the original data packet by using the protocol identifier sub-coprocessor Match and get the feature matching results, including:
- the string matching engine reads a string matching algorithm state table from the first memory under the call of the protocol identifier sub-coprocessor, and processes the stream processed data according to the string matching algorithm state table.
- the packet is matched by a string to obtain a feature matching result.
- the processor core sends the application layer parsing result to the universal The processor, the processor core sends the application layer parsing result to the result reporting processing module included in the coprocessor; the result reporting processing module encapsulates the application layer parsing result according to a preset format And sending the encapsulated application layer parsing result to the general purpose processor.
- the embodiment of the present invention provides a deep packet detection method, including:
- the general purpose processor sends the original data packet to the coprocessor; the general purpose processor receives the application layer parsing result of the original data packet sent by the coprocessor, where the application layer parsing result is
- the processor core of the processor invokes at least one sub-coprocessor of the coprocessor to perform application layer parsing on the original data packet; the application layer parsing result is used to represent application layer information of the original data packet
- the general purpose processor is to the original according to at least the application layer parsing result The packet is processed.
- the processing by the general-purpose processor, processing the original data packet according to the application layer parsing result, the method, Whether the original data packet is an encrypted data packet, and if so, decrypting the original data packet.
- the general-purpose processor processes the original data packet according to the application layer analysis result, including:
- the general processor determines, according to the application layer analysis result, a service type of the flow to which the original data packet belongs, and performs traffic statistics, charging, or transmission acceleration on the flow according to the service type.
- the application layer parsing result of the original data packet includes: an application layer protocol type of the original data packet and a URL matching result; where the application layer protocol type of the original data packet is Obtaining, by the coprocessor-processed processor core, a protocol identifier of the coprocessor to identify the original data packet; the URL matching result is a processor core of the coprocessor After determining that the application layer protocol type of the original data packet is a hypertext transfer protocol, calling a uniform resource locator URL matching engine of the coprocessor to perform matching of the original data packet by using a URL; The process of processing the original data packet according to the application layer analysis result, the method includes: determining, by the general-purpose processor, whether the flow to which the original data packet belongs is used according to the application layer analysis result and the URL matching result Access the restricted website, and if so, block the stream.
- an embodiment of the present invention provides a coprocessor, including: a transceiver module, a sub-coprocessor, and a processor core;
- the transceiver module is configured to receive an original data packet sent by a general-purpose processor, and use the original data Sending a packet to the processor core;
- the processor core is configured to invoke the sub-coprocessor to perform an application layer parsing on the original data packet to obtain an application layer parsing result of the original data packet, where the application layer parsing result is used to represent the original And applying the application layer parsing result to the general-purpose processor, so that the general-purpose processor processes the original data packet according to at least the application layer parsing result;
- the sub-coprocessor is configured to perform application layer parsing on the original data packet by using the processor core to obtain application layer information of the original data packet.
- the transceiver module includes:
- a receiving unit configured to receive an original data packet sent by the general-purpose processor
- a stream processing unit configured to: after the receiving unit receives the original data packet sent by the general-purpose processor, stream processing the original data packet;
- a distribution unit configured to send the stream processed data packet to the processor core
- the processor core is specifically configured to invoke the sub-coprocessor to perform application layer parsing on the stream-processed data packet.
- the flow processing unit is specifically configured to perform IP fragmentation packet reassembly processing and TCP out-of-order on the original data packet. ⁇ rearrangement processing.
- the number of the processor cores is at least two;
- the distribution unit is specifically configured to determine a load condition of each of the at least two processor cores, and select one of the at least two processor cores according to a load condition of each of the processor cores.
- the processor cores send the stream processed data packets to the selected processor core.
- the coprocessor further includes: a switching bus module;
- the processor core is specifically configured to invoke the sub-coprocessor to perform application layer parsing on the original data packet by using a switch bus module of the coprocessor.
- the sub-coprocessor is specifically configured to perform an endpoint search on the original data packet by using the processor core to obtain an endpoint search result, where The endpoint search result is returned to the processor core; the processor core is specifically configured to: determine, according to the endpoint search result, an application layer protocol type of the original data packet, and determine the determined application layer protocol type The application layer parsing result of the original data packet is sent to the general purpose processor.
- the sub-coprocessor includes: a protocol identifier sub-processor and a string matching engine; and the protocol identifier sub-processor is specifically configured to:
- the string matching engine is invoked by the processor core, and the string matching engine performs string matching on the original data packet under the call of the protocol identification sub-coprocessor to obtain a feature matching result.
- the feature matching result is returned to the processor core;
- the processor core is specifically configured to determine an application layer protocol type of the original data packet according to at least the feature matching result, and determine the determined application layer protocol type as The application layer parsing result of the original data packet is sent to the general purpose processor.
- the sub-coprocessor is specifically: a regular expression matching engine; the regular expression matching engine is configured to perform a call under the call of the processor core The original data packet is subjected to regular matching, and the feature matching result is obtained, and the feature matching result is returned.
- the processor core is configured to determine an application layer protocol type of the original data packet according to at least the feature matching result, and determine the determined application layer protocol type as the original data packet.
- the application layer parsing result is sent to the general purpose processor.
- the sub-coprocessor further includes: a protocol parsing sub-coprocessor; The original data packet is subjected to protocol parsing, and the parsing result is obtained, and the parsing result is returned to the processor core; the processor core is further configured to send the parsing result to the general-purpose processor, so that the The general purpose processor processes the original data packet according to the application layer protocol type and the parsing result.
- the string matching engine is specifically configured to be used from the first memory by the protocol identifier sub-coprocessor Reading a string matching algorithm state table, performing string matching on the original data packet according to the string matching algorithm state table, obtaining a feature matching result, and returning the feature matching result to the processor core, where The first memory is used to store the string matching algorithm status table.
- the processor core is specifically configured to read a rule condition data structure from the second memory, according to the feature matching result and The rule condition data structure determines the application layer protocol type, wherein the second memory is used for a rule condition data structure.
- an embodiment of the present invention provides a general-purpose processor, including:
- a sending module configured to send the original data packet to the coprocessor;
- the receiving module configured to receive an application layer parsing result of the original data packet sent by the coprocessor, where the application layer parsing result is
- the processor core of the coprocessor calls at least one sub coprocessor of the coprocessor Performing application layer parsing on the original data packet;
- the application layer parsing result is used to represent application layer information of the original data packet;
- the processing module is configured to use the parsing result to the original data according to at least the application layer parsing result The package is processed.
- the processing module is specifically configured to: if the original data packet is identified as an encrypted data packet according to the application layer parsing result, decrypt the original data packet.
- the feature is that
- the application layer parsing result of the original data packet includes: an application layer protocol type of the original data packet and a URL matching result, where the URL matching result is determined by the processor core of the coprocessor
- the uniform resource locator URL matching engine of the coprocessor is called to perform matching of the original data packet by using a URL;
- the processing module is configured to determine, according to an application layer protocol type of the original data packet and the URL matching result, whether the flow to which the original data packet belongs is used to access the restricted website, and if yes, block the flow Broken processing.
- the embodiment of the present invention provides a deep packet detecting device, including: a coprocessor provided by any embodiment of the present invention and a general-purpose processor provided by any embodiment of the present invention.
- the number of the general-purpose processors is one.
- the number of the general-purpose processors is at least two;
- the deep packet detecting device further includes a network card and a load balancing device; and the network card is configured to receive a data packet from the network, Sending the data packet to the load balancing device;
- the load balancing device is configured to acquire a load condition of each of the at least two general-purpose processors, according to each of the common parts
- the load condition of the processor is selected in a general purpose processor that sends the data packet to the selected general purpose processor.
- the deep packet detection method, device, and coprocessor implemented DPI by using a general-purpose processor and a coprocessor, and the sub-coprocessor in the coprocessor can be specifically for the DPI service.
- the design the DPI function is offloaded from the general-purpose processor, reducing the occupation of general-purpose processor resources, so that the general-purpose processor can handle other value-added services.
- the processor core is set in the coprocessor, and the sub-coprocessor is operated under the call of the processor core, and the intermediate state information can be retained, and the interaction between the processor core and the sub-coprocessor is also intra-chip interaction, avoiding the association. Frequent interactions between the processor and the general purpose processor can reduce processing latency.
- FIG. 2 is a schematic diagram of a deep packet detection architecture according to an embodiment of the present invention.
- FIG. 3 is a schematic diagram of a deep packet detection application scenario according to an embodiment of the present invention
- FIG. 4 is a flowchart of a first deep packet detection method according to an embodiment of the present invention
- FIG. 5 is a flowchart of a second deep packet detection method according to an embodiment of the present invention.
- FIG. 6 is a flowchart of a method for detecting a deep packet according to an embodiment of the present invention.
- FIG. 7 is a flowchart of another method for detecting a deep packet according to an embodiment of the present invention.
- FIG. 8 is a flowchart of another method for detecting a deep packet according to an embodiment of the present invention.
- FIG. 9 is a schematic structural diagram of a first coprocessor according to an embodiment of the present invention.
- FIG. 10 is a schematic structural diagram of a second coprocessor according to an embodiment of the present disclosure.
- FIG. 11 is a schematic structural diagram of a general-purpose processor according to an embodiment of the present disclosure
- FIG. 12 is a schematic structural diagram of a first deep packet detecting device according to an embodiment of the present invention
- FIG. 13 is a schematic structural diagram of a second deep packet detecting device according to an embodiment of the present invention
- DPI deep packet inspection
- the functional modules of the DPI processing task are divided into multiple levels (typically four levels). The higher the level, the more complex and common the processed business; the lower the level, the simpler and more specific the algorithm.
- DPI coprocessor is responsible for implementing the logic of the DPI service control layer, the DPI sub-service logic layer, and the algorithm engine layer.
- the DPI co-processing internally includes multiple sub-coprocessors, each sub-coprocessor is used to complete a specific DPI sub-service.
- the sub-coprocessor can be divided into high-level sub-associations.
- the processor such as the sub-coprocessor A in FIG. 2
- the sub-coprocessor of the hierarchical level such as the sub-coprocessors C and D in FIG. 2, wherein the sub-coprocessor of the lower level may specifically be A software or hardware-implemented algorithm engine that implements a specialized function using a specific algorithm, such as a string matching engine, a regular expression matching engine, etc., and a higher-level sub-coprocessor compared to a lower-level sub-coprocessor.
- a specific algorithm such as a string matching engine, a regular expression matching engine, etc.
- a higher-level sub-coprocessor compared to a lower-level sub-coprocessor.
- DPI sub-services such as protocol identification, parsing, etc.
- a high-level sub-coprocessor can be a logical or physical entity that integrates multiple sub-coprocessors and/or algorithm engine functions for implementing more advanced, generic DPI sub-functions, and high-level sub-association
- the low-level module can be called to implement the required functions, and the sub-coprocessors of the same level can also call each other to cooperate to complete the function.
- Level 1 Operational intensive layer.
- Level 1 Operational intensive layer.
- This level of tasks is redundant by general purpose processors.
- Level 2 DPI business control layer.
- the DPI service control logic is executed by placing the kernel in the DPI coprocessor, including the sequential execution control of the steps of the DPI engine, the conditional rule matching, the cross-packet processing, the preservation of the intermediate state, and the like, and the control logic related to the DPI service.
- this level of tasks is performed by a processor core (core) in the DPI coprocessor.
- Level 3 DPI sub-business logic layer. Responsible for DPI-specific sub-services that can be cured. For example: application layer protocol identification, protocol deep analysis, packet behavior feature analysis module.
- the task of this level is performed by a high-level sub-coprocessor in the DPI coprocessor, for example, a protocol identifier sub-processor for identifying an application layer protocol type of the data packet, In-depth solution to the agreement The protocol resolves the sub-coprocessor and so on.
- Level 4 Algorithm Engine Layer. Responsible for algorithmic engine tasks that are specifically optimized for DPI. For example: general regular expression matching, floating point arithmetic, multimodal string matching, single mode string matching, behavioral parameter operations, and more. This level of tasks is done by low-level sub-coprocessors in the DPI coprocessor, such as the regular expression matching engine, the floating-point arithmetic engine, the string matching engine, and so on.
- level two to level four an internal bus or a switch bus module is required to be responsible for message and data interaction between these hierarchical modules.
- the level one and other levels that is, the inter-chip interaction between the general-purpose processor and the DPI coprocessor, need to be exchanged by some industry-standardized buses, such as PCIE (Personal Computer Interface Express). )bus. What type of bus is used is determined by the external interface provided by the general purpose processor.
- the embodiment of the present invention may further provide external memory for the DPI coprocessor to save the intermediate state of the DPI to achieve better scalability and performance, so that when processing is needed When saving a live task, it does not have to be done by a general purpose processor, and the DPI coprocessor can offload more of its processor resources.
- the external memory provided can also store various feature word data structures and algorithm-specific data structures that are required for DPI processing. In this way, the DPI coprocessor can read the data directly and quickly without having to read it through the bus through the general purpose processor, which can achieve higher processing performance.
- external memory A holds a soft core-specific data structure, including flow tables and rule conditions, so that the DPI coprocessor can sense the state of the flow rather than packet-based processing.
- the external memory B stores the data structure of each matching engine and the sub-coprocessor, such as a DFA (Deterministic Finite Automaton) state table, a single-mode matching algorithm auxiliary data, and an algorithm data structure of the sub-coprocessor. and many more. It should be noted that the external memory A and the external memory B are only logical divisions, and the two can be located on the same physical memory.
- DFA Dynamic Finite Automaton
- FIG. 4 is a flowchart of a first deep packet detection method according to an embodiment of the present invention.
- the deep packet detection method provided in this embodiment may be specifically applied to a deep packet detection DPI process of a network device, and the network device may be, for example, a router and a gateway.
- the network device may be configured with a deep packet detecting device, and the deep packet detecting device includes a general-purpose processor and a coprocessor.
- the deep packet detecting method provided in this embodiment is executed by a coprocessor.
- Step A10 The transceiver module of the coprocessor receives the original data packet sent by the general processor, and sends the original data packet to the processor core of the coprocessor;
- Step A20 The processor core invokes at least one sub-coprocessor of the coprocessor to perform an application layer parsing on the original data packet, to obtain an application layer parsing result of the original data packet, where the application layer parsing result of the original data packet is used for Indicates the application layer information of the data packet, such as the application layer protocol type, the service to which the data packet belongs, and the like, which are not enumerated here;
- Step A30 The processor core sends an application layer parsing result of the original data packet to the general-purpose processor, so that the general-purpose processor processes the original data packet according to the application layer parsing result.
- the network device needs to perform in-depth analysis on the data packets in the received stream to implement network optimization and application flow control, and the network device sends the data packet to the general-purpose processor through the network card, and the general-purpose processor hands over the DPI-related tasks. DPI coprocessor to complete.
- the coprocessor can be an FPGA (Field Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit).
- An ASIC is implemented, one or more processor cores are deployed in the coprocessor, a transceiver module and a plurality of sub-coprocessors are also disposed in the coprocessor, and the sub-coprocessor is implemented by a hardware description language, and the hardware description language is It can be VHDL ( Very-High-Speed Integrated Circuit Hardware Description Language) or Verilog HDL.
- the sub-coprocessor can be used for application protocol identification, protocol parsing, etc. of the data packet to improve the processing performance of the service.
- the general purpose processor sends the original data packet to the transceiver module of the coprocessor, and the transceiver module distributes the original data packet to the processor core in the coprocessor, and the processor core of the coprocessor calls the sub coprocessor to the original
- the data packet is parsed by the application layer to obtain the parsing result, and the processor core returns the parsing result to the general-purpose processor, and the general-purpose processor processes the original data packet according to the parsing result, such as traffic statistics, acceleration, current limiting, blocking, and Filter and so on.
- the general-purpose processor can establish a flow table according to the parsing result.
- the flow table records a plurality of flow entry items and processing instructions, and the general-purpose processor matches the received data packet by using the flow table entry to determine the flow to which the data packet belongs. And deal with it accordingly.
- the general processor and the coprocessor cooperate to implement DPI, and the sub-coprocessor in the coprocessor can be specifically designed for the DPI service by performing finer granular division on the coprocessor.
- the DPI function is offloaded from the general-purpose processor, which reduces the occupation of the general-purpose processor resources, so that the general-purpose processor can process other value-added services;
- the processor core is provided with the processor core for DPI service control,
- the sub-coprocessor runs under the call of the processor core, which greatly improves the flexibility of business processing, and the interaction between the processor core and the sub-coprocessor is also intra-chip interaction, avoiding the coprocessor and the general processor. Frequent interactions between DPI can be achieved.
- FIG. 5 is a flowchart of a second deep packet detection method according to an embodiment of the present invention.
- the method for detecting a deep packet in this embodiment includes: Step A101, the transceiver module of the coprocessor receives the original data packet sent by the general processor; Step A102, stream processing the original data packet;
- performing the stream processing on the original data packet may include: performing an IP fragment packet reassembly process and a TCP out-of-order packet re-processing on the original data packet. Further, the stream processing the original data packet may further include: The original packet is streamed to ensure sequential processing.
- Step A103 Send the stream processed data packet to a processor core of the coprocessor
- the number of processor cores in the coprocessor can be set according to the needs of the DPI service, that is, the number of processor cores can be one or more.
- the sending the original data packet to the processor core of the coprocessor includes:
- Determining a load condition of each of the plurality of processor cores co-processed selecting a processor core from the plurality of processor cores according to a load balancing policy, and transmitting the original data packet to the selected processor core .
- the load condition of all processor cores can be monitored, and the processor core is selected according to the load condition of each processor core in the distribution process of the data packet, and the data packet is sent to the processor core with relatively idle processing resources. deal with.
- Step A104 The processor core invokes at least one sub-coprocessor of the coprocessor to perform an application layer parsing on the original data packet to obtain an application layer parsing result of the original data packet.
- the processor core may specifically invoke the at least one sub-coprocessor to perform application layer parsing on the original data packet through the exchange bus module of the coprocessor.
- the switch bus module may be a Switch-Arbiter switch module, and communication between the processor core and each of the child coprocessors included therein is implemented by the switch bus module.
- Step A105 The processor core sends the application layer parsing result of the original data packet to the general-purpose processor.
- the general processor processes the original data packet according to the application layer parsing result.
- a result reporting processing module may be further disposed in the coprocessor, and the processor core may send the application layer parsing result of the original data packet to the result reporting processing module, and the result reporting processing module applies the application layer
- the parsing result is encapsulated according to a preset format, and the encapsulated result is sent to a general-purpose processor, where the preset format can be, for example, a TLV (Type Length Value) structure, and the TLV structure is a general type with a type, a length, and a value.
- the preset format can be, for example, a TLV (Type Length Value) structure, and the TLV structure is a general type with a type, a length, and a value. Data description format.
- external memory may be set for use by the coprocessor
- the memory may include a first memory and a second memory
- the first memory and the second memory may be physically independent of two memories, or the first memory and the first
- the second memory can also be physically separated on the same memory.
- the first memory is used to store the data structure required by the sub-coprocessor
- the second memory is used to store data used by the DPI service control layer such as stream intermediate state data, endpoint table data, port feature table, and rule condition table.
- the second in-memory rule condition table is used to record one or more rules.
- a rule usually contains a set of features that describe the details of the packet, such as the source/destination address of the packet, the source/destination port, the type of transport protocol, and some special strings and data contained in the payload of the packet. Whether the package is fragmented and so on.
- the sub-coprocessor analyzes the data packet to obtain a feature matching result.
- the processor core determines the feature in each rule according to the feature matching result. If a data packet meets a certain rule, the The application layer protocol type corresponding to the rule is the application layer protocol type of the data packet.
- features such as strings, regular expressions, and behavioral features. Feature matching results can be obtained in different ways for different features.
- the sub-coprocessors included in the co-processing can be specifically divided into high-level sub-coprocessors for performing general DPI sub-services (such as protocol identification).
- the high-level sub-coprocessor can call the low-level module to implement the required functions.
- the sub-coprocessors of the same level can also call each other to cooperate to complete the function.
- the specific implementation of step A104 is also different:
- the protocol identifies the sub-association
- the processor may perform an endpoint search on the original data packet by the processor core to obtain an endpoint search result, and return the endpoint search result to the processor core, where the processor core determines the application layer of the original data packet according to at least the endpoint search result.
- the protocol type, and the obtained application layer protocol type is used as an application layer parsing result of the original data packet;
- a state machine is set in the protocol identification sub-coprocessor. If a destination IP address, a source IP address, a destination port, and a source port of a flow in which a packet is located can successfully find one or more records in the endpoint table, the application layer protocol type of the packet may be Get it directly from the endpoint table without having to take more steps.
- an endpoint table record is: Destination IP address: 103.224.1.9, Destination port: 443, Application layer protocol type: gmail—webmail. If a packet of a certain stream is sent to port 443 of the destination IP address, the DPI processing result can be directly clarified, indicating that the application layer protocol type of the packet of the stream is gmail_webmail.
- the protocol identifier sub-coprocessor can invoke a low-level sub-coprocessor, such as a string matching engine, to help perform the corresponding function, string matching, under the call of the processor core.
- the engine performs string matching on the original data packet under the call of the protocol identifier sub-coprocessor to obtain a feature matching result, and returns the feature matching result to the processor core, and the processor core is at least root
- the application layer protocol type of the original data packet is determined according to the feature matching result, and the application layer protocol type is used as an application layer analysis result of the original data packet.
- the string matching engine may be a single-mode string matching engine or a multi-mode string matching engine.
- the single-mode string matching engine can adopt a single-mode string matching algorithm, and the single-mode string matching algorithm can be a BM (Boyer Moore) algorithm.
- the multi-mode string matching engine can adopt a multi-mode string matching algorithm, and the multi-mode string matching algorithm can be an AC (Aho-Corasick) algorithm, a Wu-Manber algorithm, or an ExB algorithm.
- AC Azo-Corasick
- Wu-Manber algorithm a Wu-Manber algorithm
- ExB algorithm ExB algorithm
- the protocol identification sub-coprocessor calls the multi-mode string matching engine, and the multi-mode string matching engine scans the data packet to find one or more characters in the data packet.
- the string feature is obtained, and the feature matching result is obtained, and the feature matching result is returned to the processor core, and the processor core determines the application layer protocol type of the original data packet according to the feature matching result.
- the string matching engine performs string matching on the stream-processed data packet under the call of the protocol identifier sub-coprocessor, including:
- the string matching engine reads the string matching algorithm state table from the first memory under the call of the protocol identifier sub-coprocessor, and performs string matching on the original data packet according to the string matching algorithm state table.
- the first memory stores a string matching algorithm state table.
- the string matching algorithm state table is a multi-mode string matching algorithm state table
- the string matching algorithm state table is a single-mode string matching algorithm state table.
- the multi-mode string matching algorithm is an AC algorithm
- the multi-mode string matching algorithm state table is an AC state table
- the multi-mode string matching engine performs multi-mode on the data packet.
- String matching can be implemented according to the multi-mode string matching algorithm state table.
- the string matching engine does not directly read and write the first memory.
- the coprocessor has a cache (Cache).
- the cache and the first memory can be implemented by DMA (Direct Memory Access). Interaction. Through the setting of the cache, the number of accesses to the external memory can be greatly reduced. Most of the access memory requests can be completed through the cache, which greatly improves the performance of the system.
- the processor core If the processor core is calling a sub-coprocessor of the ⁇ level, such as a regular expression matching engine dedicated to regular expression matching, the regular expression matching engine is against the original call of the processor core.
- the data packet is regularly matched to obtain a feature matching result, and the feature matching result is returned to the processor core, and the processor core determines the application layer protocol type of the original data packet according to at least the feature matching result, and the obtained application layer protocol type is used as the original.
- the application layer parsing result of the packet If the processor core is calling a sub-coprocessor of the ⁇ level, such as a regular expression matching engine dedicated to regular expression matching, the regular expression matching engine is against the original call of the processor core.
- the data packet is regularly matched to obtain a feature matching result, and the feature matching result is returned to the processor core, and the processor core determines the application layer protocol type of the original data packet according to at least the feature matching result, and the obtained application layer protocol type is used as the original.
- the regular expression matching engine may adopt a regular expression matching algorithm, and the regular expression matching algorithm may be an NFA (Non-deterministic Finite Automaton) algorithm or a DFA (Deterministic Finite Automaton). Algorithms, etc.
- NFA Non-deterministic Finite Automaton
- DFA Deterministic Finite Automaton
- the processor core can directly call the regular expression matching engine, and the regular expression matching engine searches the data packet to obtain the feature matching result, and returns the feature matching result to the processor core.
- the processor core determines an application layer protocol type of the original data packet according to the feature matching result.
- the regular expression matching engine performs a regular match on the original data packet under the call of the processor core, including:
- the regular expression matching engine reads the regular expression from the first memory under the call of the processor core Matching the algorithm state table, and performing regular matching on the original data packet according to the regular expression matching algorithm state table.
- the first memory stores a regular expression matching algorithm state table.
- the regular expression matching algorithm state table is a DFA state table
- the regular expression matching engine is in the pair data.
- the packet performs regular matching, it can be implemented according to the regular expression matching algorithm state table.
- the processor core may further obtain an application layer protocol type of the original data packet by calling a behavior feature statistics sub-coprocessor, specifically, the behavior feature statistics sub-coprocessor is in the processor core.
- the behavior data matching of the original data packet is performed under the call, and the feature matching result is obtained, and the feature matching result is returned to the processor core, and the processor core determines the application layer protocol type according to the feature matching result.
- the behavior feature model may be pre-established for different application protocols.
- the behavior feature statistics sub-coprocessor matches the behavior characteristics in the data packet to obtain the feature matching result, and the feature is obtained.
- the matching result is returned to the processor core, and the processor core determines the application layer protocol type of the original data packet according to the feature matching result.
- the processor core determines an application layer protocol type of the original data packet according to the feature matching result, including:
- the processor core reads the rule condition table from the second memory through the cache, and determines the application layer protocol type of the original data packet according to the feature matching result and the rule condition table.
- the second memory stores a rule condition table, where the rule condition table stores a correspondence between the rule and the application layer protocol type, and the processor core matches the feature matching result with the feature in the rule to determine the feature matching. Whether the result conforms to the rule, if it is met, the application layer protocol type of the data packet can be determined.
- the processor core does not directly read and write the second memory, and the coprocessor is set to be slow. Cache, the data can be exchanged by DMA before the cache and the second memory.
- a protocol parsing sub-coprocessor is also disposed in the coprocessor, and a state machine can be set in the protocol parsing sub-coprocessor.
- the processor core invokes at least one sub-coprocessor of the coprocessor to perform an application layer parsing on the original data packet, to obtain an application layer parsing result of the original data packet, which specifically includes:
- the protocol identifier sub-processor included by the processor identifies the application layer protocol of the original data packet, and obtains an application layer protocol type of the original data packet;
- the processor core invokes a protocol parsing sub-coprocessor included in the coprocessor to perform protocol parsing on the original data packet, obtains an parsing result, and uses the parsing result and the application layer protocol type as the original data packet.
- Application layer parsing results are a protocol parsing sub-coprocessor included in the coprocessor to perform protocol parsing on the original data packet, obtains an parsing result, and uses the parsing result and the application layer protocol type as the original data packet.
- a URL matching engine may also be set in the coprocessor, and the processor core invokes the protocol identification sub-coprocessor of the coprocessor to identify the application protocol of the original data packet, and if the processor core determines the knowledge
- the application layer protocol type is a hypertext transfer protocol
- the coprocessor's uniform resource locator URL matching engine is invoked, and the URL matching engine performs URL matching on the original data packet under the call of the processor core to obtain a URL matching result. And returning the URL matching result to the processor core, where the processing result further includes the URL matching result.
- the URL matching engine may be invoked to perform further analysis on the data packet.
- the URL matching engine can analyze the value of the URL of the data packet to obtain a URL matching result.
- Association The processor sends the URL matching result as a processing result to the general-purpose processor, and the general-purpose processor can perform network management work related to the URL according to the URL matching result.
- the general processor and the coprocessor of the deep packet detecting device cooperate to implement the DPI service, and the function modules in the coprocessor can be set according to the actual DPI service requirements.
- the foregoing embodiment provides several functional modules. The form is implemented, but the invention is not limited thereto. And different DPI services, the processing flow can be different.
- the feature matching work can also be done through the processor core of the coprocessor, and the feature matching result is obtained, and the processor core determines the application layer protocol type according to the feature matching result. For example, one of the features of the HTTP protocol may be that the TCP port is 80. Since this port matching process does not require much computing resources, it can be done by the processor core of the coprocessor.
- the sub-coprocessor in the coprocessor can be designed specifically for DPI services, thus offloading DPI functions from general-purpose processors, reducing general-purpose processor resources. Occupied, so that the general-purpose processor can handle other value-added services; at the same time, the processor core is provided with the processor core for DPI service control, and the sub-coprocessor is operated under the call of the processor core, which greatly improves the flexibility of service processing. Sex, the DPI coprocessor is equipped with external memory to preserve the DPI intermediate state for better scalability and performance.
- the DPI coprocessor can offload more of its processor resources.
- the DPI coprocessor is equipped with external memory to store various feature word data structures and algorithm-specific data structures that are required for DPI processing. In this way, the DPI coprocessor can directly read the data without having to read it through the bus through the general-purpose processor, which can further improve the processing performance.
- FIG. 6 is a flowchart of a method for detecting a deep packet according to an embodiment of the present invention.
- the deep packet detection method provided in this embodiment will be described below with reference to FIG.
- Step la the general purpose processor sends the data packet to the transceiver module of the coprocessor
- Step 2a The transceiver module sends the data packet to the processor core
- Step 3a The processor core invokes the protocol identification sub-coprocessor, and sends the data packet to the protocol identifier sub-processor through the exchange bus module, and the protocol identification sub-processor performs endpoint search on the data packet;
- Step 4a protocol identification sub-association The processor determines whether the search is successful, if yes, step 5a is performed, and if not, step 6a is performed;
- Step 5a the protocol identification sub-coprocessor sends the obtained endpoint search result to the processor core through the exchange bus module, and performs step 15a;
- Step 6a The protocol identifier sub-processor feeds back to the processor core through the exchange bus module to find a failure result
- Step 7a The protocol identifier sub-coprocessor calls the multi-mode string matching engine, sends the data packet to the multi-mode string matching engine through the exchange bus module, and the multi-mode string matching engine performs multi-mode string matching on the data packet;
- Step 8a the multi-mode string matching engine determines whether the matching is successful, and if so, step 9a is performed, and if not, step 10a is performed;
- Step 9a the multi-mode string matching engine will obtain the feature matching result sent to the processor core through the exchange bus module, step 15a;
- Step 10a The multi-mode string matching engine feeds back a matching failure result to the processor core by using the exchange bus module.
- Step l la the processor core calls the regular expression matching engine, and passes the data packet through the exchange bus mode.
- the block is sent to the regular expression matching engine, the regular expression matching engine performs regular matching on the data packet;
- step 12a the regular expression matching engine determines whether the matching is successful, and if so, step 13a is performed, and if not, step 14a is performed;
- Step 13a the regular expression matching engine will obtain the feature matching result sent to the processor core through the exchange bus module, step 15a;
- Step 14a the regular expression matching engine feeds back the matching failure result to the processor core through the exchange bus module, and the processor core sends the matching failure result as a processing result to the result reporting processing module, and executes step 20a;
- Step 15a The processor core determines an application layer protocol type according to the feature matching result.
- Step 16a the processor core determines whether the data packet needs to be deeply resolved, and if so, step 17a is performed, and if not, step 19a is performed;
- Step 17a The processor core invokes the protocol parsing sub-coprocessor, and sends the data packet to the protocol parsing sub-processor through the switching bus module, and the protocol parsing sub-processor performs protocol parsing on the data packet to obtain an analysis result, and the parsing result is obtained. Transmitted to the processor core through the exchange bus module;
- Step 18a the processor core sends the application layer protocol type and the parsing result as a processing result to the result reporting processing module, and performs step 20a;
- Step 19a The processor core sends the application layer protocol type as a processing result to the result reporting processing module.
- Step 20a The result reporting processing module encapsulates the processing result and sends the processing result to the general-purpose processor.
- FIG. 7 is a flowchart of another deep packet detection method according to an embodiment of the present invention.
- the deep packet detection method provided in this embodiment is described.
- Step lb the general-purpose processor sends the data packet to the transceiver module of the coprocessor;
- Step 2b the transceiver module sends the data packet to the processor core
- Step 3b The processor core calls the multi-mode string matching engine, sends the data packet to the multi-mode string matching engine through the exchange bus module, and the multi-mode string matching engine performs multi-mode string matching on the data packet;
- Step 4b the multi-mode string matching engine determines whether the match is successful, and if so, step 5b is performed, and if not, step 6b is performed;
- Step 5b the multi-mode string matching engine will obtain the feature matching result sent to the processor core through the exchange bus module, step 15b;
- Step 6b The multi-mode string matching engine feeds back a matching failure result to the processor core by using the exchange bus module.
- Step 7b the processor core calls a regular expression matching engine, sends the data packet to the regular expression matching engine through the exchange bus module, and the regular expression matching engine performs regular matching on the data packet;
- Step 8b the regular expression matching engine determines whether If the match is successful, if yes, go to step 9b, if no, go to step 10b;
- Step 9b the regular expression matching engine will obtain the feature matching result sent to the processor core through the exchange bus module, and perform step 15b;
- Step 10b The regular expression matching engine feeds back a matching failure result to the processor core by using the exchange bus module.
- Step llb the processor core invokes the behavior feature statistics sub-coprocessor, sends the data packet to the behavior feature statistics sub-coprocessor through the exchange bus module, and the behavior feature statistics sub-coprocessor performs behavior characteristic matching on the data packet;
- Step 12b the behavior feature statistics sub-coprocessor determines whether the match is successful, and if so, step 13b is performed, and if not, step 14b is performed;
- Step 13b the behavior feature statistics sub-coprocessor to obtain the feature matching result is sent to the processor core through the exchange bus module, step 15b;
- Step 14b the behavior characteristic statistics sub-coprocessor returns the matching failure result to the processor core through the exchange bus module, the processor core sends the matching failure result as a processing result to the result reporting processing module, and performs step 20b;
- Step 15b The processor core determines an application layer protocol type according to the feature matching result.
- Step 16b if the application layer protocol type is HTTP, the processor core determines whether it is necessary to obtain the value of the URL of the data packet, and if so, step 17b is performed, and if not, step 19b is performed;
- Step 17b the processor core invokes the URL matching engine, sends the data packet to the URL matching engine through the exchange bus module, and the URL matching engine analyzes the value of the URL of the data packet to obtain a URL matching result, and sends the URL matching result through the exchange bus module.
- Step 18b The processor core sends the application layer protocol type and the URL matching result as a processing result to the result reporting processing module.
- Step 19b The processor core sends the application layer protocol type as a processing result to the result reporting processing module.
- Step 20b The result reporting processing module encapsulates the processing result and sends the processing result to the general-purpose processor.
- FIG. 8 is a flowchart of another method for detecting a deep packet according to an embodiment of the present invention.
- the deep packet detection method provided in this embodiment may be implemented in conjunction with the method provided in the embodiment shown in FIG. 4 , and the specific implementation process is not described herein again.
- the deep packet detection method provided in this embodiment is performed by a general-purpose processor, and the method specifically includes: Step B10: The general purpose processor sends the original data packet to the coprocessor;
- Step B20 The general-purpose processor receives an application layer parsing result of the original data packet sent by the coprocessor; wherein, the application layer parsing result is that the processor core of the coprocessor calls the at least one sub-coprocessor of the coprocessor to the original data.
- the application layer parsing result is used to represent the application layer information of the original data packet, such as the application layer protocol type, the service to which the original data packet belongs, and the like, and is not described here;
- Step B30 The general-purpose processor processes the original data packet according to at least the application layer parsing result.
- the network card of the network device sends the stream to the general-purpose processor.
- the general-purpose processor sends the original data packet to the co-processor, and the co-processor performs the application layer parsing on the original data packet to obtain the application layer parsing result, and the application layer parsing result may include the application layer protocol type, the protocol deep parsing result, the URL matching result, and the like.
- the application layer parsing result is returned to the general-purpose processor, and the general-purpose processor processes the original data packet according to the application layer parsing result, such as traffic statistics, acceleration, current limiting, blocking, and filtering.
- the general-purpose processor sends the original data packet to the coprocessor, receives the processing result sent by the coprocessor, and processes the original data packet according to the processing result.
- the general-purpose processor and the coprocessor cooperate to implement DPI.
- the sub-coprocessor in the coprocessor can be specially designed for DPI services, and the DPI function is uninstalled from the general-purpose processor, which reduces the occupation of general-purpose processor resources, so that the universal The processor can handle other value-added services.
- the processor core is set in the coprocessor
- the sub-coprocessor is operated under the call of the processor core
- the interaction between the processor core and the sub-coprocessor is also intra-chip interaction, avoiding the coprocessor and the general processor. Frequent exchanges between Mutual, you can increase the speed of operation.
- the general-purpose processor processes the original data packet according to the application layer parsing result, and specifically includes:
- the general-purpose processor determines that the original data packet is an encrypted data packet according to the application layer analysis result of the original data packet, the original data packet is decrypted.
- the general purpose processor sends the original data packet to the coprocessor, and when the coprocessor recognizes that the original data packet is encrypted, returns a processing result indicating that the original data packet is an encrypted data packet to the general purpose processor.
- the general processor can decrypt the original data packet, and then send the decrypted original data packet to the coprocessor.
- the process of processing the original data packet by the coprocessor can refer to the description of the foregoing embodiment.
- the general purpose processor processes the original data packet according to the application layer parsing result, which may include:
- the general-purpose processor determines the service type of the flow to which the original data packet belongs according to the application layer analysis result of the original data packet, the traffic statistics, charging, or transmission acceleration is performed on the flow according to the service type.
- the operator wants to charge the VoIP (voice over Internet Protocol) traffic.
- VoIP Voice over Internet Protocol
- Traffic statistics can be performed on the flow to implement charging for VoIP telephony services.
- the general purpose processor When users want to speed up certain application traffic, such as online games, when the general purpose processor is When the layer analysis result is used to determine that the stream to which the original data packet belongs is used for the network game service, the stream is accelerated to ensure the transmission speed of the stream.
- the general processor determines that the stream to which the original data packet belongs is for a specific application according to the application layer analysis result, the flow can be blocked.
- the application layer parsing result of the original data packet includes: an application layer protocol type of the original data packet and a URL matching result; wherein, the application layer protocol type of the original data packet may be processed by the coprocessor
- the protocol core of the coprocessor calls the coprocessor to identify the original data packet, and further, the processor core of the coprocessor determines the application layer protocol type of the original data packet as the hypertext transfer protocol HTTP.
- the coordinator's Uniform Resource Locator URL Matching Engine may be called to match the original data packet URL to obtain the URL matching result and send it to the general purpose processor; accordingly, the general purpose processor receives the coprocessor sending After the result of the URL matching, the application layer protocol type and the URL matching result are used to determine whether the flow to which the original data packet belongs is used to access the restricted website, and if so, the flow is blocked.
- the user wants to enable the green Internet service to prevent the minor from accessing the unhealthy website.
- HTTP is determined, and according to the URL matching result, it is determined that the website pointed to by the URL is restricted. The flow is blocked to prevent minors from accessing unhealthy websites.
- FIG. 9 is a schematic structural diagram of a coprocessor according to an embodiment of the present invention.
- the coprocessor 91 provided in this embodiment may implement various steps of the deep packet identification method applied to the coprocessor provided by any embodiment of the present invention, and the specific implementation process is not described herein.
- the coprocessor 91 provided in this embodiment specifically includes: a transceiver module 11, a processor core 12, and a sub-coprocessor 13.
- the transceiver module 11 is configured to receive the original data packet sent by the general-purpose processor, and send the original data packet to the processor core 12;
- a processor core 12 a sub-coprocessor 13 for calling the coprocessor 91, identifying an application protocol of the original data packet, generating a processing result, and transmitting the processing result to the general-purpose processor;
- the sub-coprocessor 13 is configured to identify the application protocol of the original data packet under the call of the processor core 12.
- the coprocessor 91 can be implemented by an FPGA or an ASIC, and one or more processor cores 12 are disposed in the coprocessor 91.
- the coprocessor 91 is further provided with a transceiver module 11 and a sub-coprocessor 13, and a sub-coprocessor 13.
- the hardware description language can be VHDL or Verilog HDL.
- the sub-coprocessor 13 is specifically used for application protocol identification of data packets, which can improve the processing effect of the service.
- the coprocessor 91 may further include a switch bus module 14. Accordingly, the processor core 12 can call the sub-coprocessor 13 through the switch bus module 14 of the coprocessor 91.
- the function module of the coprocessor 91 can be equipped with the first memory 15, the second memory 16, and the first memory saves the soft core-specific data structure, including the flow table and the rule condition, so that the DPI coprocessor can sense the flow.
- the state not the processing based on the package.
- the second memory stores the data structures of the matching engine and the sub-coprocessor, such as the DFA state table, the single-mode matching algorithm auxiliary data, the arithmetic data structure of the sub-coprocessor, and the like. It should be noted that the first memory and the second memory are only logical divisions, and the two may be located on the same physical memory.
- the coprocessor 91 and the transceiver module 11 provided by the embodiment receive the original number sent by the general processor. According to the packet, the original data packet is sent to the processor core 12 of the coprocessor 91, and the processor core 12 calls the subcoprocessor 13 of the coprocessor 91 to identify the application protocol of the original data packet, and generate a processing result, the processor. The core 12 sends the processing result to the general purpose processor to cause the general purpose processor to process the original data packet based on the processing result.
- the general purpose processor and the coprocessor 91 cooperate to implement the DPI, and the sub coprocessor 13 in the coprocessor 91 can be specifically designed for the DPI service, and the DPI function is uninstalled from the general purpose processor, thereby reducing the occupation of the general processor resources. So that the general purpose processor can handle other value-added services.
- the processor core 12 is disposed in the coprocessor 91.
- the sub-coprocessor 13 operates under the call of the processor core 12, and the intermediate state information can be retained.
- the interaction between the processor core 12 and the sub-coprocessor 13 is also a chip. The internal interaction avoids frequent interaction between the coprocessor 91 and the general purpose processor, and can improve the running speed.
- FIG. 10 is a schematic structural diagram of another coprocessor 10 according to an embodiment of the present invention.
- the transceiver module 11 may include a receiving unit 111, a stream processing unit 112, and a distribution unit 113.
- the receiving unit 111 is configured to receive the original data packet sent by the general-purpose processor; the stream processing unit 112 is configured to stream processing the original data packet; and the distributing unit 113 is configured to send the data packet after the stream processing to the processing
- the core 12 specifically, the stream processing unit 112 is specifically configured to perform IP fragment packet reassembly processing and TCP out-of-order packet reordering processing on the original data packet; when the coprocessor 10 includes multiple processor cores
- the distribution unit 113 is specifically configured to determine a load condition of each of the at least two processor cores, and select one of the at least two processor cores according to a load condition of each of the processor cores.
- the processor core sends the stream-processed data packet to the selected processor core, and accordingly, the selected processor core is used to invoke the sub-coprocessor 13 to perform application layer parsing on the stream-processed data packet. For example, application layer protocol identification.
- the coprocessor 10 may further include a switch bus module 14.
- the core 12 specifically calls the sub-coprocessor 13 through the switch bus module 14 of the coprocessor 10.
- the sub-coprocessor 13 may look up the sub-coprocessor for the endpoint.
- the sub-coprocessor 13 is specifically configured to perform an endpoint search on the original data packet under the call of the processor core 12, The endpoint lookup result is obtained, and the endpoint lookup result is returned to the processor core 12.
- the processor core 12 is specifically configured to determine an application layer protocol type of the original data packet according to the feature matching result, and send the determined application layer protocol type as an application layer parsing result of the original data packet to the general-purpose processor.
- the sub-coprocessor 13 includes a protocol identification sub-coprocessor 131 and a string matching engine 132.
- the protocol identification sub-coprocessor 131 is configured to: after the processor core calls the sub-coprocessor 13, invoke the string matching engine 132; the string matching engine 132 is configured to be used under the call of the protocol identification sub-coprocessor 131
- the original data packet is subjected to string matching to obtain a feature matching result, and the feature matching result is returned to the processor core;
- the processor core 12 is specifically configured to determine an application layer protocol type of the original data packet according to the feature matching result, and send the determined application layer protocol type to the general-purpose processor as an application layer parsing result of the original data packet. .
- sub-coprocessor 13 may also be a regular expression matching engine.
- the regular expression matching engine is configured to perform regular matching on the original data packet under the call of the processor core 12 to obtain a feature matching result, and return the feature matching result to the processor core 12.
- the processor core 12 is specifically configured to determine an application layer protocol type of the original data packet according to the feature matching result, and send the determined application layer protocol type to the general purpose processor as an application layer parsing result of the original data packet.
- the sub-coprocessor 13 further includes: a behavior feature statistic sub-coprocessor 133, configured to perform behavior feature matching on the original data packet under the call of the processor core 12 to obtain a feature matching result, and match the feature The result is returned to the processor core 12.
- the processor core 12 is specifically configured to be based on the feature The matching result determines the application layer protocol type of the original data packet, and sends the determined application layer protocol type as the application layer parsing result of the original data packet to the general purpose processor.
- the coprocessor 10 may further include: a protocol parsing sub-coprocessor 15 configured to perform protocol parsing on the original data packet under the call of the processor core 12 to obtain an parsing result, and the parsing The result is returned to the processor core 12; correspondingly, the processor core 12 is specifically configured to send the application layer protocol type of the original data packet and the parsing result obtained by the protocol parsing sub-coprocessor 15 as the application layer parsing result of the original data packet.
- a protocol parsing sub-coprocessor 15 configured to perform protocol parsing on the original data packet under the call of the processor core 12 to obtain an parsing result, and the parsing The result is returned to the processor core 12; correspondingly, the processor core 12 is specifically configured to send the application layer protocol type of the original data packet and the parsing result obtained by the protocol parsing sub-coprocessor 15 as the application layer parsing result of the original data packet.
- the coprocessor 10 may further include: a uniform resource locator URL matching engine 16 configured to perform URL matching on the original data packet under the call of the processor core 12 to obtain a URL matching result. And returning the URL matching result to the processor core 12; correspondingly, the processor core 12 is specifically configured to send the application layer protocol type of the original data packet and the URL matching result as an application layer parsing result of the original data packet.
- a uniform resource locator URL matching engine 16 configured to perform URL matching on the original data packet under the call of the processor core 12 to obtain a URL matching result. And returning the URL matching result to the processor core 12; correspondingly, the processor core 12 is specifically configured to send the application layer protocol type of the original data packet and the URL matching result as an application layer parsing result of the original data packet.
- the coprocessor 10 further includes: a result of the processing module 17.
- the processor core 12 is specifically configured to send the application layer parsing result of the original data packet to the result reporting processing module 17, and report the result.
- the processing module 17 is configured to encapsulate the application layer parsing result according to a preset format, and send the encapsulated application layer parsing result to the general-purpose processor.
- the general purpose processor of the DPI device and the coprocessor 91 cooperate to implement the DPI service, and the function modules in the coprocessor 91 can be set according to actual DPI service requirements, and the logic of the processor core 12 can also be based on actual The DPI service needs to be programmed.
- the above embodiment provides an implementation form of several functional modules, but the invention is not limited thereto.
- the DPI device can be divided into multiple levels, for example, divided into four levels from top to bottom: computationally dense layer, DPI service control layer, DPI sub-service logic layer and algorithm engine layer.
- computationally dense layer The higher the level, the processing The more complex and common the business, the lower the level, the simpler and more specific the algorithm.
- DPI-related tasks should be handed over to the coprocessor as much as possible. This allows a general purpose processor to perform more computationally intensive tasks.
- the coprocessor is responsible for implementing the logic of the DPI service control layer, the DPI sub-service logic layer, and the algorithm engine layer.
- high-level modules call low-level modules to implement the required functions.
- modules of the same level can also call each other to coordinate the completion of functions.
- Each level will be described in detail below.
- Level 1 Computational intensive layer. Responsible for tasks that require a large amount of computational processing, including: complex logic processing such as encryption and decryption and codec in DPI business logic; and other non-DPI services such as value-added services, policy matching, and message action execution.
- complex logic processing such as encryption and decryption and codec in DPI business logic
- non-DPI services such as value-added services, policy matching, and message action execution.
- Level 2 DPI business control layer.
- the DPI service control logic is executed by placing a processor core in the coprocessor, including the sequential execution control of the steps of the DPI engine, the conditional rule matching, the cross-packet processing, the preservation of the intermediate state, and the like, and the control logic related to the DPI service.
- Level 3 DPI sub-business logic layer. Responsible for DPI-specific sub-services that can be cured. For example: protocol identification sub-coprocessor, protocol parsing sub-coprocessor and behavior characterization sub-coprocessor.
- Level 4 Algorithm Engine Layer. Responsible for algorithmic engine tasks that are specifically optimized for DPI. For example: regular expression matching engine, floating expression engine, multi-modal string matching algorithm engine, single-mode string matching algorithm engine and behavior parameter calculation engine, and so on.
- Level 2 through Level 4 the exchange of bus modules is responsible for message and data interaction between these hierarchical modules.
- the level one and other levels that is, the inter-chip interaction between the general processor and the coprocessor, can be standardized bus, such as PCIE, and the type of the bus can be set according to the external interface provided by the general purpose processor.
- modules for auxiliary processing are independent of each level and are implemented using solidified logic.
- the transceiver module inside the coprocessor 91 the result reporting processing module, the memory read/write module, the cache, and the like.
- the general-purpose processor can also determine whether it is processed by itself or by the coprocessor according to the service type. If the processing algorithm corresponding to the service type has a higher level and is more complicated, the general-purpose processor Processing, if the service type is a DPI related service, it is processed by a coprocessor.
- the embodiment of the present invention also proposes to equip the coprocessor with external memory to save the DPI intermediate state to achieve better scalability and performance, such as the first memory 83 and the second in FIG. Memory 84.
- external memory can be used to save various feature word data structures and algorithm-specific data structures that are needed for DPI processing. In this way, the coprocessor can read the data directly and quickly without having to read it through the bus through the general purpose processor, which can achieve higher processing performance.
- the string matching engine 132 is specifically configured to read a string matching algorithm state table from the first memory 83 under the call of the processor core 12, and use the string matching algorithm state table to the original data packet. A string matching is performed to obtain a feature matching result, wherein the first memory 83 is configured to store a string matching algorithm status table.
- the function module of the coprocessor 10 is equipped with a first memory 83, and the first memory 83 stores a string matching algorithm state table.
- the string matching algorithm The state table is a multi-mode string matching algorithm state table.
- the string matching algorithm state table is a single-mode string matching algorithm state table.
- the multi-mode string matching algorithm is an AC algorithm
- the multi-mode string matching algorithm state The table is an AC state table
- the multi-mode string matching engine can implement the multi-mode string matching algorithm state table according to the multi-mode string matching of the data packet.
- the multi-mode string matching engine does not directly read and write the first memory 83.
- the coprocessor 10 is provided with a cache, and the first memory 83 can be accessed through the cache.
- the regular expression matching engine is specifically configured to read a regular expression matching algorithm state table from the first memory 83 under the call of the processor core 12, and match the algorithm state table to the original according to the regular expression.
- the data packet is subjected to regular matching, wherein the first memory 83 is used to store a regular expression matching algorithm status table.
- the first memory 83 stores a regular expression matching algorithm state table.
- the regular expression matching algorithm state table is a DFA state table
- the regular expression matching engine is in the pair.
- a packet is subjected to regular matching, it can be implemented according to the regular expression matching algorithm state table.
- the regular expression matching engine does not directly read and write the first memory 83, and the coprocessor 10 is provided with a cache to access the first memory 83 through the cache.
- the string matching engine 132 performs string matching on the original data packet according to the string matching algorithm state table in the first memory 83. After the feature matching result is obtained, the processor core 12 is specifically used to learn from the second memory. The rule condition data structure is read in 84, and the application layer protocol type of the original data packet is determined according to the feature matching result and the rule condition data structure, wherein the second memory 84 is used for the rule condition data structure.
- the processor core 12 of the coprocessor 10 is provided with a second memory 84.
- the second memory 84 stores a rule condition data structure, where the rule condition data structure is used to store the correspondence between the service rule and the application layer protocol type.
- the processor core 12 queries the rule layer matching type of the original data packet from the rule condition data structure in the second memory according to the feature matching result obtained by the string matching engine. At The processor core 12 may not directly read or write the second memory 84.
- the coprocessor 10 is provided with a cache, and the second memory 84 is accessed through the cache.
- the first memory 83 and the second memory 84 may be in a dual slot mode.
- the first memory 83 and the second memory 84 can be designed in a double bank mode, the first slot is used to save the currently used data structure, which is called the current slot, and the second slot is used to save the upgraded data. Structure, called the upgrade slot.
- coprocessor 10 accesses the data in the current slot for business processing.
- the upgraded data can be loaded into the upgrade slot, and the upgrade process does not affect the access of the coprocessor 10 to the current slot of the memory, when the new data is loaded.
- it is finished it will switch to the system slot.
- the first slot is used as the system slot
- the second slot is used as the current slot, and so on.
- the first slot and the second slot are used alternately to save the upgrade data, ensuring that the upgrade takes effect without interruption.
- Current business It is worth noting that in practical applications, after switching to the system slot, because some traffic is still in the process, the traffic that is still in the process cannot be forcibly switched to the new system slot. In this case, the new traffic is processed using the data from the new system slot, and the old traffic continues to be processed using the original system slot. The original system slot is not set to work until all old traffic is processed. This will allow the system to be upgraded without disrupting the current business.
- the original identification feature of the BitTorrent protocol is "Bttorrent”
- the new feature is "XBttorrent”
- the knowledge base of the DPI identification needs to be updated
- the data structure corresponding to the coprocessor 10 of the present invention is A string feature stored in the AC status table. Therefore, the newly compiled feature data structure needs to be loaded into the upgrade slot.
- the multimode string matching engine still uses the current slot during the loading process. After the loading is completed, the current slot is swapped with the upgrade slot.
- the multi-mode string matching engine can read the new AC status table. In the actual application process, it mainly includes the compilation part and the running part.
- Compilation section Feature Compiler, Parse Subprocessor Compiler, Result Template Compiler, Policy Compiler.
- the compiler mainly includes:
- a. foreground compiler feature compiler, parsing subprocessor compiler and matching rule translator, etc.
- b. background compiler regular expression compiler, single-mode string algorithm compiler and multi-mode string algorithm compiler Wait.
- the main functions of the front-end compiler include: categorizing rules for various DPI services (such as application layer protocol, IPS/IDS, URL filtering) into rules that can be used by the coprocessor of the present invention, namely: Expressions, strings, values, etc.; generating the data structure of the second memory, ie: conditional rule data structure, etc.; compiling the software logic of the processor core in the coprocessor high-level programming language code to the coprocessor processor The instructions executed by the core; compile various DPI service data structures used by the general purpose processor, namely: the data structure mentioned above for supporting post-decryption identification and algorithm identification.
- DPI services such as application layer protocol, IPS/IDS, URL filtering
- the main function of the background compiler is to compile the data structure that can be used by the lowest level algorithm engine module of the various coprocessors, that is, the data structure of the first memory, and the details are not described above.
- the compilation part of the module also contains coprocessor drivers. It is responsible for loading the compiled various data structures into the coprocessor's first memory, the second memory, and the coprocessor on-chip memory (eg, the processor core's logic instructions are stored in the processor's on-chip memory).
- FIG. 11 is a schematic structural diagram of a general-purpose processor according to an embodiment of the present invention.
- the general-purpose processor 82 provided in this embodiment may implement various steps of the deep packet detection method applied to the general-purpose processor provided by any embodiment of the present invention, and the specific implementation process is not described herein again.
- the general-purpose processor provided in this embodiment includes: a sending module 21, a transceiver module 22, and a processing module 23.
- a sending module 21 configured to send the original data packet to the coprocessor
- the receiving module 22 is configured to receive an application layer parsing result of the original data packet sent by the coprocessor, where the application layer parsing result is that at least one sub coprocessor of the coprocessor is invoked by a processor core of the coprocessor
- the application layer parsing of the original data packet is performed; the application layer parsing result is used to represent the application layer information of the data packet;
- the processing module 23 is configured to process the original data packet according to at least the application layer parsing result.
- the general-purpose processor sends the original data packet to the coprocessor, receives the processing result sent by the coprocessor, and processes the original data packet according to the processing result.
- the general-purpose processor and the coprocessor cooperate to implement DPI.
- the sub-coprocessor in the coprocessor can be specially designed for DPI services, and the DPI function is uninstalled from the general-purpose processor, which reduces the occupation of general-purpose processor resources, so that the universal The processor can handle other value-added services.
- the processor core is set in the coprocessor, and the sub-coprocessor is operated under the call of the processor core, and the intermediate state information can be retained, and the interaction between the processor core and the sub-coprocessor is also intra-chip interaction, avoiding the association. Frequent interactions between the processor and the general purpose processor can increase the speed of operation.
- the processing module 23 is specifically configured to: if the original data is an encrypted data packet according to an application layer analysis result of the original data packet, decrypt the original data packet.
- the processing module 23 is specifically configured to determine, according to an application layer parsing result of the original data packet, a service type of the stream to which the original data packet belongs, and the original data packet according to the service type.
- the flow of the genus performs traffic statistics, billing, or transmission acceleration.
- the application layer parsing result of the original data packet includes: an application layer protocol type of the original data packet and a URL matching result; wherein, the application layer protocol type of the original data packet may be invoked by a processor core of the coprocessor
- the protocol identification sub-processor of the coprocessor obtains the original data packet, and further, the processor core of the coprocessor further determines that the application layer protocol type of the original data packet is the hypertext transfer protocol HTTP,
- the uniform resource locator URL matching engine of the coprocessor may be invoked to match the original data packet URL to obtain the URL matching result and sent to the general purpose processor; accordingly, the general purpose processor receives the URL matching result sent by the coprocessor Then, according to the application layer protocol type and the URL matching result, it is determined whether the flow to which the original data packet belongs is used to access the restricted website, and if yes, the flow is blocked.
- FIG. 12 is a schematic structural diagram of a first DPI device according to an embodiment of the present invention.
- the DPI device provided in this embodiment includes: a coprocessor 81 provided by any embodiment of the present invention and a general purpose processor 82 provided by any embodiment of the present invention.
- the general-purpose processor 82 and the co-processor 81 cooperate to implement the DPI, and the sub-coprocessor in the coprocessor 81 can be specifically designed for the DPI service, and the DPI function is uninstalled from the general-purpose processor 82.
- the occupancy of the general purpose processor 82 resources is reduced so that the general purpose processor 82 can handle other value added services.
- the coprocessor 81 is provided with a processor core, and the sub-coprocessor is operated under the call of the processor core, and the intermediate state information can be retained, and the interaction between the processor core and the sub-coprocessor is also intra-chip interaction, which avoids The frequent interaction between coprocessor 81 and general purpose processor 82 can increase the speed of operation.
- the DPI device includes one of a number of general purpose processors. In practical applications, a coprocessor can also cooperate with one or more general purpose processors to implement DPI services. In another embodiment, the DPI device includes at least two general purpose processors; the DPI device further includes a network card and a load balancing device;
- the network card is used to receive data packets from the network and send the data packets to the load balancing device;
- the load balancing device is configured to acquire a load condition of each of the at least two general purpose processors, select a general purpose processor according to the load condition of each general purpose processor, and send the data packet to the selected general purpose processor.
- FIG. 13 is a schematic structural diagram of a second DPI device according to an embodiment of the present invention.
- two general-purpose CPUs 33, 35 in FIG. 13
- the network card 31 receives the data packets sent by other devices in the network, and distributes them directly to the appropriate general-purpose CPU through a load balancing device 32 responsible for load sharing, instead of using DMA (Direct Memory Access).
- DMA Direct Memory Access
- the general purpose CPU determines that DPI processing is required, the data packet is forwarded to the coprocessor 34. After the processing by the coprocessor 34 is completed, the DPI processing result is received through the PCIE interface, and after further processing is performed according to the DPI processing result, the data packet to be forwarded is forwarded through the network card 31.
- the load balancing device 32 can be implemented by an FPGA.
- the load balancing device 32 can select a suitable general-purpose CPU to process the data packet according to the load condition of each general-purpose CPU, and can implement the messaging logic on the other hand. If there is only one general-purpose CPU in the DPI device, the load balancing device 32 may not be provided, and the messaging logic may be implemented by other chips.
- the general-purpose CPU in the embodiment of the present invention may specifically be a Cavium general-purpose CPU.
- the DPI device implemented by the embodiment of the present invention implements DPI through a general-purpose processor and a coprocessor, and the sub-coprocessor in the coprocessor can be specifically designed for the DPI service, and the DPI function is uninstalled from the general-purpose processor, and is lowered.
- the use of general purpose processor resources so that the general purpose processor can handle other Value-added services.
- the processor core is set in the coprocessor, and the sub-coprocessor is operated under the call of the processor core, and the intermediate state information can be retained, and the interaction between the processor core and the sub-coprocessor is also intra-chip interaction, avoiding the association. Frequent interactions between the processor and the general purpose processor can reduce processing latency.
- FIG. 14 is a schematic structural diagram of a third DPI device according to an embodiment of the present invention.
- the DPI device includes two general-purpose CPUs (42, 45 in FIG. 14), a general-purpose CPU 42 configured with DDR3 memory 43, and a general-purpose CPU 45 configured with DDR3 memory 46.
- the DPI device is further provided with a network card 41. After receiving the data packet sent by other devices in the network, the network card 41 first triggers the general-purpose CPU 42 to read the data packet through the PCIE interface and saves it to the DDR3 memory 43 used by him. .
- the general-purpose CPU 42 performs some processing and finds that DPI processing is required, the data packet is transferred to the coprocessor 44 for DPI processing by the DMA method. After the coprocessor 44 completes the processing, the DPI processing result is returned to the general-purpose CPU 42. Processing, the Sandy-Bridge Universal CPU 42 sends the data packet to be forwarded to the next network device in the network through the network card 41. It should be noted that the general-purpose CPU of the embodiment of the present invention may be a Sandy-Bridge general-purpose CPU.
- the DPI device implemented by the embodiment of the present invention implements DPI through a general-purpose processor and a coprocessor, and the sub-coprocessor in the coprocessor can be specifically designed for the DPI service, and the DPI function is uninstalled from the general-purpose processor, and is lowered.
- the occupation of general purpose processor resources allows the general purpose processor to handle other value added services.
- the processor core is set in the coprocessor, and the sub-coprocessor is operated under the call of the processor core, and the intermediate state information can be retained, and the interaction between the processor core and the sub-coprocessor is also intra-chip interaction, avoiding the association. Frequent interactions between the processor and the general purpose processor can reduce processing latency.
- the deep packet detection method and apparatus provided by the embodiments of the present invention can be applied to various application scenarios, such as, but not limited to, in an enterprise network router, using a DPI coprocessor for application protocol identification, deep protocol parsing, IDS (Intrusion Detection Systems) ) and the strategy engine.
- On Router and BRAS Broadband Remote Access Server
- the DPI coprocessor for application protocol identification, deep protocol parsing, and policy engine.
- the DPI coprocessor is used for application protocol identification, deep protocol parsing, content filtering, and policy engine.
- the DPI coprocessor is used for application protocol identification, deep protocol parsing, content filtering, and policy engine.
- the radio access network element RNC Radio Network Controller
- NodeB the DPI coprocessor is used for application protocol identification, deep protocol parsing, radio resource optimization, and policy engine.
- the foregoing program may be stored in a computer readable storage medium, and the program is executed when executed.
- the foregoing steps include the steps of the foregoing method embodiments; and the foregoing storage medium includes: a medium that can store program codes, such as a ROM, a RAM, a magnetic disk, or an optical disk.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
- Advance Control (AREA)
Abstract
Description
Claims
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
RU2015137525A RU2630414C2 (ru) | 2013-08-05 | 2014-01-21 | Устройство и способ глубокой проверки пакетов и сопроцессор |
JP2015532299A JP6192725B2 (ja) | 2013-08-05 | 2014-01-21 | ディープパケットインスペクション方法及び装置並びにコプロセッサ |
EP14834700.8A EP2933955B1 (en) | 2013-08-05 | 2014-01-21 | Deep packet inspection method, device, and coprocessor |
CA2898053A CA2898053C (en) | 2013-08-05 | 2014-01-21 | Deep packet inspection method, device, and coprocessor |
KR1020157020935A KR101662685B1 (ko) | 2013-08-05 | 2014-01-21 | 심층 패킷 검사 방법 및 기기, 그리고 코프로세서 |
US14/980,719 US20160119198A1 (en) | 2013-08-05 | 2015-12-28 | Deep Packet Inspection Method and Device, and Coprocessor |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310337064.6 | 2013-08-05 | ||
CN201310337064.6A CN104348677A (zh) | 2013-08-05 | 2013-08-05 | 一种深度报文检测方法、设备及协处理器 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/980,719 Continuation US20160119198A1 (en) | 2013-08-05 | 2015-12-28 | Deep Packet Inspection Method and Device, and Coprocessor |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015018188A1 true WO2015018188A1 (zh) | 2015-02-12 |
Family
ID=52460603
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2014/071025 WO2015018188A1 (zh) | 2013-08-05 | 2014-01-21 | 一种深度报文检测方法、设备及协处理器 |
Country Status (8)
Country | Link |
---|---|
US (1) | US20160119198A1 (zh) |
EP (1) | EP2933955B1 (zh) |
JP (1) | JP6192725B2 (zh) |
KR (1) | KR101662685B1 (zh) |
CN (1) | CN104348677A (zh) |
CA (1) | CA2898053C (zh) |
RU (1) | RU2630414C2 (zh) |
WO (1) | WO2015018188A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110546640A (zh) * | 2017-04-25 | 2019-12-06 | 华为技术有限公司 | 用于深度数据包分析的分级模式匹配 |
Families Citing this family (51)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014134538A1 (en) * | 2013-02-28 | 2014-09-04 | Xaptum, Inc. | Systems, methods, and devices for adaptive communication in a data communication network |
CN104780080B (zh) * | 2015-04-13 | 2018-09-25 | 苏州迈科网络安全技术股份有限公司 | 深度报文检测方法及系统 |
CN105162626B (zh) * | 2015-08-20 | 2018-07-06 | 西安工程大学 | 基于众核处理器的网络流量深度识别系统及识别方法 |
CN111865657B (zh) | 2015-09-28 | 2022-01-11 | 华为技术有限公司 | 一种加速管理节点、加速节点、客户端及方法 |
CN105141468B (zh) * | 2015-10-08 | 2019-02-05 | 盛科网络(苏州)有限公司 | 高效实现网络芯片流量统计的方法及装置 |
CN105429820B (zh) * | 2015-11-05 | 2018-10-09 | 武汉烽火网络有限责任公司 | 基于软件定义网络的深度包检测系统及方法 |
US9723027B2 (en) | 2015-11-10 | 2017-08-01 | Sonicwall Inc. | Firewall informed by web server security policy identifying authorized resources and hosts |
CN106815112B (zh) * | 2015-11-27 | 2020-03-24 | 大唐软件技术股份有限公司 | 一种基于深度包检测的海量数据监控系统及方法 |
US9860259B2 (en) | 2015-12-10 | 2018-01-02 | Sonicwall Us Holdings Inc. | Reassembly free deep packet inspection for peer to peer networks |
CN107026821B (zh) * | 2016-02-01 | 2021-06-01 | 阿里巴巴集团控股有限公司 | 报文的处理方法及装置 |
CN105847179B (zh) * | 2016-03-23 | 2019-07-26 | 武汉绿色网络信息服务有限责任公司 | 一种dpi系统中数据并发上报的方法及装置 |
JP6717092B2 (ja) | 2016-07-14 | 2020-07-01 | 富士通株式会社 | 制御装置および制御装置における処理方法 |
CN108353321B (zh) * | 2016-11-04 | 2021-02-09 | 华为技术有限公司 | 一种网络热点控制的方法以及相关设备 |
CN107204923B (zh) * | 2017-05-24 | 2020-06-02 | 全讯汇聚网络科技(北京)有限公司 | 一种协议分流方法、系统及路由器 |
CN109388499A (zh) * | 2017-08-04 | 2019-02-26 | 东软集团股份有限公司 | 报文转发方法及装置、计算机可读存储介质、电子设备 |
CN107682215B (zh) * | 2017-08-31 | 2021-07-06 | 哈尔滨工程大学 | 一种基于改进lrfu状态记录的dpi业务识别方法 |
CN109802924B (zh) * | 2017-11-17 | 2022-05-17 | 华为技术有限公司 | 一种识别加密数据流的方法及装置 |
US10666655B2 (en) * | 2017-11-20 | 2020-05-26 | Microsoft Technology Licensing, Llc | Securing shared components |
CN110098970A (zh) * | 2018-01-30 | 2019-08-06 | 江苏博智软件科技股份有限公司 | 一种基于多框架的高性能协议还原模块 |
US11057352B2 (en) | 2018-02-28 | 2021-07-06 | Xaptum, Inc. | Communication system and method for machine data routing |
US10965653B2 (en) | 2018-03-28 | 2021-03-30 | Xaptum, Inc. | Scalable and secure message brokering approach in a communication system |
US10805439B2 (en) | 2018-04-30 | 2020-10-13 | Xaptum, Inc. | Communicating data messages utilizing a proprietary network |
CN108900374B (zh) * | 2018-06-22 | 2021-05-25 | 网宿科技股份有限公司 | 一种应用于dpi设备的数据处理方法和装置 |
CN110855602B (zh) * | 2018-08-21 | 2022-02-25 | 国家计算机网络与信息安全管理中心 | 物联网云平台事件识别方法及系统 |
US10924593B2 (en) | 2018-08-31 | 2021-02-16 | Xaptum, Inc. | Virtualization with distributed adaptive message brokering |
CN109308200A (zh) * | 2018-09-10 | 2019-02-05 | 麒麟合盛网络技术股份有限公司 | 一种内存数据加载方法、装置及其设备 |
US11188384B2 (en) * | 2018-11-07 | 2021-11-30 | Ebay Inc. | Resource trust model for securing component state data for a resource using blockchains |
CN111163043B (zh) * | 2018-11-08 | 2023-03-21 | 全球能源互联网研究院有限公司 | 一种源网荷系统实时交互协议深度解析方法和系统 |
US10938877B2 (en) | 2018-11-30 | 2021-03-02 | Xaptum, Inc. | Optimizing data transmission parameters of a proprietary network |
CN109783409A (zh) * | 2019-01-24 | 2019-05-21 | 北京百度网讯科技有限公司 | 用于处理数据的方法和装置 |
US10912053B2 (en) | 2019-01-31 | 2021-02-02 | Xaptum, Inc. | Enforcing geographic restrictions for multitenant overlay networks |
KR102045702B1 (ko) * | 2019-05-03 | 2019-11-15 | 한국과학기술원 | 심층 패킷 분석에서 정규 표현식 매칭 방법 및 그 장치 |
CN113812116A (zh) * | 2019-06-17 | 2021-12-17 | 西门子股份公司 | 网络行为模型构建方法、装置和计算机可读介质 |
CN110502378B (zh) * | 2019-08-16 | 2022-11-22 | 兆讯恒达科技股份有限公司 | 一种配置多算法协处理器自检的方法 |
CN110661682B (zh) * | 2019-09-19 | 2021-05-25 | 上海天旦网络科技发展有限公司 | 通用互联数据自动分析系统、方法、设备 |
US11411919B2 (en) | 2019-10-01 | 2022-08-09 | EXFO Solutions SAS | Deep packet inspection application classification systems and methods |
EP3820082A1 (en) * | 2019-11-07 | 2021-05-12 | Rohde & Schwarz GmbH & Co. KG | System for analyzing data traffic as well as method for analyzing data traffic |
CN111130946B (zh) * | 2019-12-30 | 2022-03-25 | 联想(北京)有限公司 | 一种深度报文识别的加速方法、装置和存储介质 |
CN111817917B (zh) * | 2020-07-03 | 2021-12-24 | 中移(杭州)信息技术有限公司 | 一种深度包检测的方法、装置、服务器及存储介质 |
CN111865724B (zh) * | 2020-07-28 | 2022-02-08 | 公安部第三研究所 | 视频监控设备信息采集控制实现方法 |
CN112637223B (zh) * | 2020-12-26 | 2023-03-24 | 曙光网络科技有限公司 | 应用协议识别方法、装置、计算机设备和存储介质 |
CN112787828B (zh) * | 2021-01-08 | 2023-03-21 | 重庆创通联智物联网有限公司 | 一种应用程序的流量统计方法、设备、移动电子设备 |
CN114827431A (zh) * | 2021-01-27 | 2022-07-29 | Oppo广东移动通信有限公司 | 场景包处理方法、协处理芯片、主处理芯片及电子设备 |
CN112671618B (zh) * | 2021-03-15 | 2021-06-15 | 北京安帝科技有限公司 | 深度报文检测方法和装置 |
CN113191454A (zh) * | 2021-05-26 | 2021-07-30 | 清创网御(北京)科技有限公司 | 一种多核处理器平台的流量分类方法 |
CN113905411B (zh) * | 2021-10-28 | 2023-05-02 | 中国联合网络通信集团有限公司 | 深度包检测识别规则的检测方法、装置、设备及存储介质 |
CN114050926B (zh) * | 2021-11-09 | 2024-07-09 | 南方电网科学研究院有限责任公司 | 一种数据报文深度检测方法和装置 |
CN115473850B (zh) * | 2022-09-14 | 2024-01-05 | 电信科学技术第十研究所有限公司 | 一种基于ai的实时数据过滤方法、系统及存储介质 |
CN115665051B (zh) * | 2022-12-29 | 2023-03-28 | 北京浩瀚深度信息技术股份有限公司 | 基于fpga+rldram3实现高速流表的方法 |
CN116545772B (zh) * | 2023-07-04 | 2023-09-19 | 杭州海康威视数字技术股份有限公司 | 轻量级物联网流量的协议识别方法、装置及设备 |
CN116962551B (zh) * | 2023-07-28 | 2024-03-19 | 中科驭数(北京)科技有限公司 | 基于dpu应用层报文重组的dpi安全检测方法 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101102184A (zh) * | 2007-08-02 | 2008-01-09 | 中兴通讯股份有限公司 | 宽带接入服务器及用于宽带接入服务器的高速dpi单板装置 |
US20090190505A1 (en) * | 2008-01-30 | 2009-07-30 | Alcatel Lucent | Method and apparatus for targeted content delivery based on real-time communication session analysis |
CN101997700A (zh) * | 2009-08-11 | 2011-03-30 | 上海大学 | 基于深度包检测和深度流检测技术的IPv6监测设备 |
CN102932203A (zh) * | 2012-10-31 | 2013-02-13 | 东软集团股份有限公司 | 异构平台间的深度报文检测方法及装置 |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3989634B2 (ja) * | 1998-09-28 | 2007-10-10 | 株式会社ローラン | 集積回路及び集積回路用のデータを記録した記録媒体 |
US20110238855A1 (en) * | 2000-09-25 | 2011-09-29 | Yevgeny Korsunsky | Processing data flows with a data flow processor |
JP2007325293A (ja) * | 2002-08-20 | 2007-12-13 | Nec Corp | 攻撃検知システムおよび攻撃検知方法 |
US7146643B2 (en) * | 2002-10-29 | 2006-12-05 | Lockheed Martin Corporation | Intrusion detection accelerator |
JP2009296195A (ja) * | 2008-06-04 | 2009-12-17 | Mitsubishi Electric Corp | 複数のcpuコアを備えたfpgaを用いた暗号装置 |
US8468546B2 (en) * | 2011-02-07 | 2013-06-18 | International Business Machines Corporation | Merging result from a parser in a network processor with result from an external coprocessor |
JP5667009B2 (ja) * | 2011-08-08 | 2015-02-12 | 日本電信電話株式会社 | ルータ装置及びデータ解析方法 |
US20140153435A1 (en) * | 2011-08-31 | 2014-06-05 | James Rolette | Tiered deep packet inspection in network devices |
CA2768483C (en) * | 2011-12-30 | 2019-08-20 | Sandvine Incorporated Ulc | Systems and methods for managing quality of service |
-
2013
- 2013-08-05 CN CN201310337064.6A patent/CN104348677A/zh active Pending
-
2014
- 2014-01-21 JP JP2015532299A patent/JP6192725B2/ja not_active Expired - Fee Related
- 2014-01-21 CA CA2898053A patent/CA2898053C/en not_active Expired - Fee Related
- 2014-01-21 EP EP14834700.8A patent/EP2933955B1/en not_active Not-in-force
- 2014-01-21 WO PCT/CN2014/071025 patent/WO2015018188A1/zh active Application Filing
- 2014-01-21 RU RU2015137525A patent/RU2630414C2/ru not_active IP Right Cessation
- 2014-01-21 KR KR1020157020935A patent/KR101662685B1/ko active IP Right Grant
-
2015
- 2015-12-28 US US14/980,719 patent/US20160119198A1/en not_active Abandoned
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101102184A (zh) * | 2007-08-02 | 2008-01-09 | 中兴通讯股份有限公司 | 宽带接入服务器及用于宽带接入服务器的高速dpi单板装置 |
US20090190505A1 (en) * | 2008-01-30 | 2009-07-30 | Alcatel Lucent | Method and apparatus for targeted content delivery based on real-time communication session analysis |
CN101997700A (zh) * | 2009-08-11 | 2011-03-30 | 上海大学 | 基于深度包检测和深度流检测技术的IPv6监测设备 |
CN102932203A (zh) * | 2012-10-31 | 2013-02-13 | 东软集团股份有限公司 | 异构平台间的深度报文检测方法及装置 |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110546640A (zh) * | 2017-04-25 | 2019-12-06 | 华为技术有限公司 | 用于深度数据包分析的分级模式匹配 |
Also Published As
Publication number | Publication date |
---|---|
EP2933955A1 (en) | 2015-10-21 |
CN104348677A (zh) | 2015-02-11 |
CA2898053C (en) | 2017-10-31 |
US20160119198A1 (en) | 2016-04-28 |
KR101662685B1 (ko) | 2016-10-05 |
KR20150103248A (ko) | 2015-09-09 |
EP2933955A4 (en) | 2016-02-10 |
CA2898053A1 (en) | 2015-02-12 |
RU2015137525A (ru) | 2017-03-06 |
RU2630414C2 (ru) | 2017-09-07 |
EP2933955B1 (en) | 2017-06-28 |
JP2015537278A (ja) | 2015-12-24 |
JP6192725B2 (ja) | 2017-09-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2015018188A1 (zh) | 一种深度报文检测方法、设备及协处理器 | |
US11368560B2 (en) | Methods and apparatus for self-tuning operation within user space stack architectures | |
US7685254B2 (en) | Runtime adaptable search processor | |
US9356844B2 (en) | Efficient application recognition in network traffic | |
US11265235B2 (en) | Technologies for capturing processing resource metrics as a function of time | |
US20150319086A1 (en) | System for Accelerated Network Route Update | |
US11431681B2 (en) | Application aware TCP performance tuning on hardware accelerated TCP proxy services | |
WO2019129167A1 (zh) | 一种处理数据报文的方法和网卡 | |
US20210099427A1 (en) | Methods and apparatus for emerging use case support in user space networking | |
WO2018130079A1 (zh) | 一种英特网协议安全IPSec协议加密方法和网络设备 | |
CN116049085A (zh) | 一种数据处理系统及方法 | |
CN114697387B (zh) | 数据包传输方法、装置及存储介质 | |
US11775359B2 (en) | Methods and apparatuses for cross-layer processing | |
US11799986B2 (en) | Methods and apparatus for thread level execution in non-kernel space | |
US10606751B2 (en) | Techniques for cache delivery | |
KR102304584B1 (ko) | 데이터 플레인 가속화 기술과 하드웨어 암호화 처리 장치를 이용한 초고속 암호 통신 시스템 및 그 방법 | |
Miao et al. | Renovate high performance user-level stacks' innovation utilizing commodity network adaptors | |
CN114116193A (zh) | 用于边缘系统中的高级监视的系统、装置和方法 | |
JP4638513B2 (ja) | 通信制御装置及び通信制御方法 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
ENP | Entry into the national phase |
Ref document number: 2015532299 Country of ref document: JP Kind code of ref document: A |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 14834700 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2898053 Country of ref document: CA |
|
REEP | Request for entry into the european phase |
Ref document number: 2014834700 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2014834700 Country of ref document: EP |
|
ENP | Entry into the national phase |
Ref document number: 20157020935 Country of ref document: KR Kind code of ref document: A |
|
ENP | Entry into the national phase |
Ref document number: 2015137525 Country of ref document: RU Kind code of ref document: A |
|
NENP | Non-entry into the national phase |
Ref country code: DE |