CN101699788A - Modularized network intrusion detection system - Google Patents

Publication number: CN101699788A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN200910236818A
Other languages: Chinese (zh)
Inventors: 陈新明, 薛一波, 李军
Current Assignee: Tsinghua University (the listed assignees may be inaccurate)
Original Assignee: Tsinghua University
Application filed by: Tsinghua University

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a modular network intrusion detection system. The system comprises a data source module for packet acquisition and decoding; a distribution module, which schedules the network packets coming from the decoding module and distributes them to the detection sub-modules of the detection module; and a detection module, which detects whether a network packet contains an attack, uses multiple threads, and comprises one or more kinds of detection sub-modules. The data source module and the distribution module use one thread. The technical solution yields a modular data acquisition-and-distribution/detection architecture whose parts can be designed independently, which makes it easy to implement the functions of specific modules in hardware; it can make full use of the processing power of multi-core processors, with performance that can grow linearly with the number of processor cores, and multiple detection modules can be loaded dynamically, which makes it easy to configure the system for different hardware; memory consumption is also greatly reduced, making the system more general.

Description

Modular Network Intrusion Detection System

Technical Field

The invention relates to the technical field of network filtering and monitoring, and in particular to a modular network intrusion detection system.

Background Art

A Network Intrusion Detection System (NIDS) is a network security system that monitors network or system activity for malicious or harmful behavior and raises alarms. It intercepts data packets on the network (hereinafter, network packets) in bypass or inline mode, analyzes their content, and raises an alarm on or blocks packets that contain attacks, thereby providing intrusion detection/defense. Because the functions of an NIDS are complex, it is generally implemented in software and runs inside a firewall or security gateway system.

In recent years, the industry has demanded ever higher throughput from network devices. The NIDS is the performance bottleneck of a security gateway and needs a large amount of computing power to process traffic at high throughput. On a general-purpose processor architecture, a single CPU can do only so much to meet the growing computational demands of an NIDS; the multi-core processors developed in recent years address the insufficient growth in single-core computing power. Multi-core use comes with one condition, however: a single thread of a program can run on only one processor core, so to take full advantage of multiple cores the program must use multiple threads that process in parallel. A parallel processing architecture for NIDS is therefore an important technology for matching today's move to multi-core processors.

As shown in Fig. 1, an NIDS commonly used in the prior art comprises the following parts: a packet acquisition module, a decoding module, an intrusion detection module and an information feedback module. The intrusion detection module is the core functional part of the NIDS; it detects whether a network packet contains an attack through several steps such as preprocessing and rule matching. It is also the most time-consuming module, so parallelized NIDSs generally choose the detection module for parallelization in order to improve multi-core CPU utilization.

There are few parallel NIDSs for general-purpose processor architectures in the prior art; typical examples are Intel's Supra-Snort and Multi-Snort from Purdue University in the United States. The former, however, does not share memory among its threads, so memory consumption in multi-threaded operation is excessive, which limits the system's range of application; the latter has no modular architecture, so it is difficult to add new applications to it.

Summary of the Invention

In view of the defects and deficiencies of the prior art, the object of the invention is to provide a modular network intrusion detection system with a parallel processing architecture that greatly reduces memory consumption and makes it easy to add new applications.

To achieve this object, the invention proposes a modular network intrusion detection system comprising a data source module for packet acquisition and decoding, the system further comprising:

a distribution module, which schedules the network packets coming from the decoding module and distributes them through buffer queues to the detection sub-modules of the detection module; and

a detection module, which detects whether a network packet contains an attack, uses multiple threads, and comprises one or more kinds of detection sub-modules, detection sub-modules of the same kind sharing read-only data. The data source module and the distribution module use one thread.

The distribution module may further include a five-tuple information distribution sub-module, which distributes network packets to the detection module according to their five-tuple information, the five-tuple information comprising the source/destination network-layer addresses, the source/destination transport-layer ports and the transport-layer protocol flag.

The distribution module may further include a hash coding sub-module, which hashes the five-tuple information to decide which detection sub-module of the detection module a network packet is distributed to.

The detection module may include at least one or more of the following detection sub-modules: an intrusion detection module, an anti-virus module and a URL filtering module.

The system may further include an information feedback and packet blocking module.

The system further includes a detection sub-module loading module, which dynamically loads the detection sub-modules by reading a configuration file.

Detection sub-modules of the same kind may be set to the same priority, and the distribution module automatically distributes traffic evenly among the detection sub-modules of equal priority.

Depending on the kinds of detection sub-modules included in the detection module, the read-only data may correspondingly include at least one or more of an intrusion detection rule set, a virus database and a URL database.

The above technical solution has the following advantages. The invention achieves parallel processing through the distribution module, separating data acquisition from detection and forming a modular data acquisition-and-distribution/detection architecture whose parts can be designed independently. This makes it easy to design different kinds of data sources and detection modules separately, to implement the function of a particular module in hardware, and to add new applications. The detection module is multi-threaded and can make full use of the processing power of multi-core processors, with performance that can grow linearly with the number of processor cores; multiple detection modules can be loaded dynamically, which makes it easy to configure the system for different hardware. Memory sharing among modules of the same kind is also implemented, which greatly reduces memory consumption and makes the system more general.

Brief Description of the Drawings

Fig. 1 is a functional block diagram of a prior-art NIDS;

Fig. 2 is a functional block diagram of the network intrusion detection system proposed by an embodiment of the invention;

Fig. 3 is a block diagram of a usage example of the network intrusion detection system proposed by an embodiment of the invention.

Detailed Description of the Embodiments

Specific embodiments of the invention are described in further detail below with reference to the drawings and embodiments. The following embodiments illustrate the invention and are not intended to limit its scope.

As shown in Fig. 2, the system according to an embodiment of the invention comprises:

a data source module for packet acquisition and decoding (corresponding respectively to the packet acquisition module and the decoding module of an existing NIDS), which specifically integrates data acquisition, data parsing, flow management, IP fragment reassembly, TCP stream reassembly and similar functions;

a distribution module, which schedules the network packets coming from the decoding module, manages the scheduling of the packet buffer queues, and distributes network packets through the packet buffer queues (the buffer queues mean that modules need not wait for one another) to the detection sub-modules of the detection module;

a detection module, which detects whether a network packet contains an attack; it is multi-threaded and comprises one or more kinds of detection sub-modules, detection sub-modules of the same kind sharing read-only data. The data source module and the distribution module use one thread (the data acquisition and distribution thread); and

an information feedback and packet blocking module (corresponding to the information feedback module of a prior-art NIDS).

The distribution module can distribute network packets to the detection module according to their five-tuple information, the five-tuple information comprising the source/destination network-layer addresses (32 bits each), the source/destination transport-layer ports (16 bits each) and the transport-layer protocol flag (8 bits). The distribution module can hash the five-tuple information to decide which detection sub-module of the detection module a network packet is distributed to. The detection module may include at least one or more of the following detection sub-modules: an intrusion detection module, an anti-virus module and a URL filtering module. For example, as shown in Fig. 3, it may include two kinds, an intrusion detection module and an anti-virus module. In Figs. 2 and 3, each dashed box represents one thread.

In this embodiment, the detection sub-modules can be loaded dynamically by the system by reading a configuration file. Detection sub-modules of the same kind can be set to the same priority; at each priority level the distribution module automatically distributes traffic evenly among the detection sub-modules of that priority, and the same network packet can be processed in turn by several levels of different detection sub-modules, which allows flexible configuration.
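
An added example of the distribution step described above, written for this page and not taken from the patent: the five-tuple is hashed to pick one of the equal-priority detection sub-modules, and the packet is placed on that sub-module's buffer queue. The hash function (FNV-1a), the ordering of the two endpoints so that both directions of a connection reach the same sub-module, the drop-on-full queue policy, the sample addresses and all names are assumptions; the patent specifies none of them.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Five-tuple sized as in the description: 32+32+16+16+8 bits. */
struct five_tuple {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
};

#define QUEUE_SLOTS 4  /* tiny on purpose, so the full-queue path is easy to hit */

/* One buffer queue per detection sub-module. This example drives it from one
 * thread; a threaded build needs atomic head/tail updates. */
struct pkt_queue {
    const void *slot[QUEUE_SLOTS];
    size_t head, tail;      /* head: next read, tail: next write */
    unsigned long dropped;  /* packets refused because the queue was full */
};

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Assumption: FNV-1a; the patent does not name a hash function. Endpoints are
 * ordered first so both directions of a connection hash alike, and fields are
 * serialized one by one so struct padding never enters the hash. */
uint32_t flow_hash(const struct five_tuple *t)
{
    uint32_t a_ip = t->src_ip, b_ip = t->dst_ip;
    uint16_t a_pt = t->src_port, b_pt = t->dst_port;
    if (a_ip > b_ip || (a_ip == b_ip && a_pt > b_pt)) {
        a_ip = t->dst_ip;   b_ip = t->src_ip;
        a_pt = t->dst_port; b_pt = t->src_port;
    }
    uint8_t key[13];
    put32(key, a_ip);
    put32(key + 4, b_ip);
    key[8]  = (uint8_t)(a_pt >> 8); key[9]  = (uint8_t)a_pt;
    key[10] = (uint8_t)(b_pt >> 8); key[11] = (uint8_t)b_pt;
    key[12] = t->proto;

    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof key; i++) { h ^= key[i]; h *= 16777619u; }
    return h ^ (h >> 16);   /* fold high bits down before the modulo */
}

/* Index of the sub-module, among n of equal priority, that owns this flow. */
unsigned pick_submodule(const struct five_tuple *t, unsigned n)
{
    return flow_hash(t) % n;
}

/* Non-blocking enqueue (assumed policy): a full queue is counted as a drop so
 * the capture thread never waits on a slow detection thread. Returns 0 or -1. */
int enqueue(struct pkt_queue *q, const void *pkt)
{
    size_t next = (q->tail + 1) % QUEUE_SLOTS;
    if (next == q->head) { q->dropped++; return -1; }
    q->slot[q->tail] = pkt;
    q->tail = next;
    return 0;
}

/* Hash, pick, enqueue. Returns the chosen index, or -1 if the packet was dropped. */
int dispatch(struct pkt_queue *queues, unsigned n,
             const struct five_tuple *t, const void *pkt)
{
    unsigned i = pick_submodule(t, n);
    return enqueue(&queues[i], pkt) == 0 ? (int)i : -1;
}

int main(void)
{
    /* Constructed sample: 10.0.0.1:49152 <-> 192.168.1.100:443 over TCP. */
    struct five_tuple fwd = {0x0A000001u, 0xC0A80164u, 49152, 443, 6};
    struct five_tuple rev = {0xC0A80164u, 0x0A000001u, 443, 49152, 6};
    struct pkt_queue queues[3];
    memset(queues, 0, sizeof queues);
    printf("request -> %d, reply -> %d\n",
           dispatch(queues, 3, &fwd, "req"), dispatch(queues, 3, &rev, "rsp"));
    return 0;
}
```

The `dropped` counter is worth exporting as a metric: packets that never reach a detection sub-module are a blind spot, and a rising count shows that one sub-module is overloaded.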

In this embodiment, depending on the kinds of detection sub-modules included in the detection module, the read-only data may correspondingly include at least one or more of an intrusion detection rule set, a virus database and a URL database.

In this embodiment, detection sub-modules of the same kind can share read-only data by means of TLS (Thread Local Storage). The threads of the detection sub-modules are in principle entirely independent of one another, but their data is redundant, and memory that could have been shared is allocated repeatedly. This is mainly memory that is read-only at run time. For example, the compiled rule set is as large as 2.3 GB; if every detection sub-module thread held its own copy, each thread would consume 2.3 GB of memory, and a multi-threaded system would easily run out of memory. The embodiment therefore implements memory sharing among detection sub-modules, for example sharing the intrusion detection rule set and the virus database, which greatly reduces memory consumption and makes the system more general.
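
An added example of the memory layout this paragraph argues for, written for this page and not taken from the patent: the rule set is built once and every detection thread receives only a pointer to it, while each thread's own mutable state is kept in thread-local storage. The substring matcher, the signature strings, the sample payloads and all names are constructed assumptions; the patent gives no implementation detail.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_THREADS 8

/* Stand-in for a compiled rule set: built once, never written after start-up. */
struct ruleset {
    size_t n;
    const char *pattern[4];
};

/* Mutable per-thread state stays in thread-local storage, so no thread writes
 * to memory that another thread reads. */
static _Thread_local unsigned long tls_alerts;

struct worker {
    const struct ruleset *rules;   /* shared by every thread, read-only */
    const char *const *payloads;   /* packets queued for this thread */
    size_t n_payloads;
    unsigned long alerts;          /* copied out of TLS when the thread ends */
};

static void *detect_thread(void *arg)
{
    struct worker *w = arg;
    tls_alerts = 0;
    for (size_t i = 0; i < w->n_payloads; i++) {
        for (size_t r = 0; r < w->rules->n; r++) {
            if (strstr(w->payloads[i], w->rules->pattern[r])) {
                tls_alerts++;      /* one alert per packet is enough here */
                break;
            }
        }
    }
    w->alerts = tls_alerts;
    return NULL;
}

/* Start one detection thread per worker, all pointing at the same rule set.
 * Returns the total number of alerts, or -1 if n is too large or a thread
 * could not be created. */
long run_detection(const struct ruleset *rules, struct worker *w, size_t n)
{
    pthread_t tid[MAX_THREADS];
    size_t started = 0;
    long total = 0;
    if (n > MAX_THREADS) return -1;
    for (; started < n; started++) {
        w[started].rules = rules;  /* pointer copy only: no per-thread duplicate */
        if (pthread_create(&tid[started], NULL, detect_thread, &w[started]) != 0)
            break;
    }
    for (size_t i = 0; i < started; i++) {
        pthread_join(tid[i], NULL);
        total += (long)w[i].alerts;
    }
    return started == n ? total : -1;
}

/* Constructed sample data: neutral marker strings, not real signatures. */
static const struct ruleset RULES = { 2, { "TEST-SIG-A", "TEST-SIG-B" } };
static const char *const Q0[] = { "GET /index.html", "GET /?q=TEST-SIG-A" };
static const char *const Q1[] = { "POST /login TEST-SIG-B", "GET /about",
                                  "GET /favicon.ico" };

long demo(void)
{
    struct worker w[2] = {
        { NULL, Q0, 2, 0 },
        { NULL, Q1, 3, 0 },
    };
    return run_detection(&RULES, w, 2);
}

int main(void)
{
    printf("alerts: %ld\n", demo());
    return 0;
}
```

With this layout the resident size of the rule set is the same for one detection thread or eight; only the small per-thread state grows with the thread count.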

The above is only an embodiment of the invention. It should be noted that a person of ordinary skill in the art can make a number of improvements and variations without departing from the technical principle of the invention, and these improvements and variations shall also be regarded as falling within the scope of protection of the invention.

Claims (8)

1. A modular network intrusion detection system comprising a data source module for packet acquisition and decoding, characterized in that the system further comprises: a distribution module, which schedules the network packets coming from the decoding module and distributes them through buffer queues to the detection sub-modules of a detection module; and the detection module, which detects whether a network packet contains an attack and comprises one or more kinds of detection sub-modules; wherein the data source module and the distribution module use one thread.

2. The modular network intrusion detection system according to claim 1, characterized in that the distribution module further comprises a five-tuple information distribution sub-module, which distributes network packets to the detection module according to their five-tuple information, the five-tuple information comprising the source/destination network-layer addresses, the source/destination transport-layer ports and the transport-layer protocol flag.

3. The modular network intrusion detection system according to claim 2, characterized in that the distribution module further comprises a hash coding sub-module, which hashes the five-tuple information to decide which detection sub-module of the detection module a network packet is distributed to.

4. The modular network intrusion detection system according to claim 1, characterized in that the detection module comprises at least one or more of the following detection sub-modules: an intrusion detection module, an anti-virus module and a URL filtering module.

5. The modular network intrusion detection system according to any one of claims 1 to 4, characterized in that the system further comprises an information feedback and packet blocking module.

6. The modular network intrusion detection system according to any one of claims 1 to 4, characterized in that it further comprises a detection sub-module loading module, which dynamically loads the detection sub-modules by reading a configuration file.

7. The modular network intrusion detection system according to any one of claims 1 to 4, characterized in that detection sub-modules of the same kind are set to the same priority, and the distribution module automatically distributes traffic evenly among the detection sub-modules of equal priority.

8. The modular network intrusion detection system according to claim 4, characterized in that, depending on the kinds of detection sub-modules included in the detection module, the read-only data correspondingly comprises at least one or more of an intrusion detection rule set, a virus database and a URL database.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910236818A CN101699788A (en) 2009-10-30 2009-10-30 Modularized network intrusion detection system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200910236818A CN101699788A (en) 2009-10-30 2009-10-30 Modularized network intrusion detection system

Publications (1)

Publication Number Publication Date
CN101699788A true CN101699788A (en) 2010-04-28

Family

ID=42148234

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910236818A Pending CN101699788A (en) 2009-10-30 2009-10-30 Modularized network intrusion detection system

Country Status (1)

Country Link
CN (1) CN101699788A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20100428