一种面向网络安全分析的高速流重组优化方案

doi:10.3969/j.issn.1671-1122.2019.11.011

信息网络安全 ›› 2019, Vol. 19 ›› Issue (11): 82-90.doi: 10.3969/j.issn.1671-1122.2019.11.011

一种面向网络安全分析的高速流重组优化方案

陈良国^1,², 阮树骅^1,²(), 陈兴蜀^1,², 罗永刚²

1.四川大学网络空间安全学院,四川成都 610065
2.四川大学网络空间安全研究院,四川成都 610065

收稿日期:2019-08-10 出版日期:2019-11-10 发布日期:2020-05-11
作者简介:
作者简介：陈良国（1993—）,男,贵州,硕士研究生,主要研究方向为大数据和网络安全;阮树骅（1966—）,女,四川,副教授,硕士,主要研究方向为云计算与大数据安全;陈兴蜀（1968—）,女,四川,教授,博士,主要研究方向为可信计算、云计算与大数据安全;罗永刚（1980—）,男,贵州,博士研究生,主要研究方向为大数据和网络安全。
基金资助:
国家自然科学基金青年科学基金[61802270];中央高校基本科研业务费基础研究项目[SCU2018D018]

A High-speed Network Flow Reassembly Optimized Scheme for Network Security Analysis

Liangguo CHEN^1,², Shuhua RUAN^1,²(), Xingshu CHEN^1,², Yonggang LUO²

1. College of Cybersecurity, Sichuan University, Chengdu Sichuan 610065, China
2. Cybersecurity Research Institute, Sichuan University, Chengdu Sichuan 610065, China

Received:2019-08-10 Online:2019-11-10 Published:2020-05-11

摘要/Abstract

摘要：

在高速网络环境下,网络流量采集和重组是进行网络安全分析的重要前提。文章针对网络安全分析的准确性和实时性要求,提出了一种面向网络安全分析的高速流重组优化方案。首先,在基于Hash结构的流表方案中,设计了多流表并行化机制,并通过在高速网络流的分发策略中引入反馈信息,解决了高速网络流在多个流表间分发的负载均衡问题;其次,为进一步降低流老化检测开销,在流表方案中特别设计了活跃队列,将流记录按最近最少使用顺序排列,避免全流表遍历操作,降低了流老化检测的时间复杂度;最后,文章利用DPDK实现了基于流表优化方案的高速网络流重组系统,并对该流表优化方案的准确性和实时性进行了验证。实验结果表明,在网络带宽为10 Gbps时,丢包率为0.002%,能有效满足高速网络环境下网络安全分析的数据需求。

关键词: 安全分析, 流重组, 多流表, 活跃队列, 负载均衡

Abstract:

In high-speed network environment, network traffic collection and reassembly is an important prerequisite for network security analysis. To meet the need of the accuracy and real-time requirement of network security analysis, a high-speed network flow reassembly optimization scheme is proposed in this paper. Firstly, a parallel mechanism of multi-flow tables is designed in the Hash-based flow table scheme, the load balancing problem of high-speed network flows distributed among multiple flow tables is solved by introducing feedback information into the distribution strategy of high-speed network flows. Secondly, in order to further reduce the overhead of flow aging detection, an active queue is designed in the flow table scheme. Records are arranged in the order of least recent usage, which could avoid full flow table traversal operation and reduce the time complexity of flow aging detection. Finally, a high-speed network flow reassembly system based on flow table optimization scheme is implemented by DPDK, and the accuracy and real-time performance of the flow table optimization scheme are verified. The experimental results show that when the network bandwidth is 10 Gbps, the packet loss rate is 0.002%, which can effectively meet the data requirements of network security analysis in high-speed network environment.

Key words: security analysis, flow reassembly, multi-flow table, active queue, load balancing

中图分类号:

TP309

陈良国, 阮树骅, 陈兴蜀, 罗永刚. 一种面向网络安全分析的高速流重组优化方案[J]. 信息网络安全, 2019, 19(11): 82-90.

Liangguo CHEN, Shuhua RUAN, Xingshu CHEN, Yonggang LUO. A High-speed Network Flow Reassembly Optimized Scheme for Network Security Analysis[J]. Netinfo Security, 2019, 19(11): 82-90.

图/表 10

图1

图2

图3

表1

图4

图5

图6

表2

图7

图8

参考文献 18

[1]	INTEL DPDK. Programmer’s Guide[EB/OL]. , 2019-6-1.
[2]	BLOTT M, ELLITHORPE J, MCKEOWN N, et al.FPGA Research Design Platform Fuels Network Advances[J]. Xilinx Xcell Journal, 2010, 4(73): 24-29.
[3]	ENDACE. DAG Packet Capture Cards[EB/OL]. , 2019-6-1.
[4]	HAN S, JANG K, PARK K S, et al.PacketShader: A GPU-Accelerated Software Router[J]. ACM SIGCOMM Computer Communication Review, 2011, 41(4): 195-206.
[5]	LEE J, LEE S, LEE J, et al.FloSIS: A Highly Scalable Network Flow Capture System for Fast Retrieval and Storage Efficiency[C]//USENIX Association. Usenix Conference on Usenix Technical Conference, 2015, Santa Clara, CA. Berkeley: USENIX Association, 2015: 445-457.
[6]	NTOP. PF_RING:High-speed Packet Capture, Filtering and Analysis[EB/OL]. , 2019-6-1.
[7]	DERI L, CARDIGLIANO A, FUSCO F.10 Gbit Line Rate Packet-to-Disk Using N2disk[C]//IEEE. 2013 IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2013, April 14-19, 2013, Turin, Italy. New York: IEEE Computer Society, 2013: 441-446.
[8]	EMMERICH P, PUDELKO M, GALLENMÜLLER S, et al. FlowScope: Efficient Packet Capture and Storage in 100 Gbit/s Networks[C]//IEEE. 2017 IFIP Networking Conference and Workshops, IFIP Networking 2017, June 12-16, 2017, Stockholm, Sweden. New York: IEEE, 2017: 1-9.
[9]	CLAFFY K C, BRAUN H W, POLYZOS G C.A Parameterizable Methodology for Internet Traffic Flow Profiling[J]. IEEE Journal on Selected Areas in Communications, 1995, 13(8): 1481-1494.
[10]	ZHANG Guangxing, QIU Feng, XIE Gaogang, et al.An Efficient Representation of Network Flow Record[J]. Journal of Computer Research and Development, 2013, 50(4): 722-730.
	张广兴,邱峰,谢高岗,等.一种高效的网络流记录表示方法[J]. 计算机研究与发展,2013,50(4):722-730.
[11]	PAPADOGIANNAKIS A, POLYCHRONAKIS M, MARKATOS E P.Stream-oriented Network Traffic Capture and Analysis for High-speed Networks[J]. IEEE Journal on Selected Areas in Communications, 2014, 32(10): 1849-1863.
[12]	NTOP. nProbe: An Extensible NetFlow v5/v9/IPFIX Probe for IPv4/v6[EB/OL]. , 2019-6-1.
[13]	INACIO C M, TRAMMELL B.Yaf: Yet Another Flowmeter[C]//USENIX. LISA’10: 24th Large Installation System Administration Conference, November 7-12, 2010, San Jose, California. Berkeley: USENIX Association, 2010: 107.
[14]	WANG D, XUE Y, DONG Y.Memory-efficient Hypercube Flow Table for Packet Processing on Multi-cores[C]//IEEE. 54th Annual IEEE USA Global Telecommunications Conference Energizing Global Communications, GLOBECOM 2011, December 5-9, 2011, Houston, TX, USA. New York: IEEE, 2011: 1-6.
[15]	ECKHOFF D, LIMMER T, DRESSLER F.Hash Tables for Efficient Flow Monitoring: Vulnerabilities and Countermeasures[C]//IEEE. 2009 IEEE 34th Conference on Local Computer Networks, LCN 2009, October 20-23, 2009, Zurich, Switzerland. Los Alamitos: IEEE Computer Society, 2009: 1087-1094.
[16]	BANERJEE S, KANNAN K.Tag-in-tag: Efficient Flow Table Management in SDN Switches[C]//IEEE. 10th International Conference on Network and Service Management, CNSM 2014, January 17-21, 2014, Rio de Janeiro, Brazil. New York: IEEE, 2015: 109-117.
[17]	WOO S, JEONG E, PARK S, et al.Comparison of Caching Strategies in Modern Cellular Backhaul Networks[C]//ACM SIGMOBILE. 11th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys 2013, June 25-28, 2013, Taipei, China. New York: ACM, 2013: 319-332.
[18]	WANG Yucong, CHEN Xingshu,LUO Yonggang,et al.NTCI-Flow: A Scalable High-speed Network Traffic Processing Framework[J]. Advanced Engineering Sciences, 2017(S1): 168-174.
	王煜骢,陈兴蜀,罗永刚,等. NTCI-Flow:一种可扩展的高速网络流量处理框架[J]. 四川大学学报(工程科学版),2017(S1):168-174.

编号	CPU			内存	硬盘
编号	型号	主频	核数	内存	硬盘
1	Intel Xeon E5-2609 v2	2.50 GHz	8	128 GB	6T
2	Intel Xeon E5-2609 v2	2.50 GHz	8	128 GB	1T

用例模式	流表个数	是否使用流表并行化	是否使用活跃队列
1	1	否	是
2	2	是	否
3	2	是	是

一种面向网络安全分析的高速流重组优化方案

A High-speed Network Flow Reassembly Optimized Scheme for Network Security Analysis

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 18

相关文章 8

编辑推荐

Metrics

本文评价

[1]	王艳, 潘琛. WSANs中基于生物免疫机制的动态数据汇集算法研究[J]. 信息网络安全, 2018, 18(6): 7-11.
[2]	梅东晖, 李红灵. 基于多目标混合粒子群算法的虚拟机负载均衡研究[J]. 信息网络安全, 2018, 18(2): 78-83.
[3]	陈瑞滢, 陈泽茂, 王浩. 基于攻击图的工控网络威胁建模研究[J]. 信息网络安全, 2018, 18(10): 70-77.
[4]	GULKhanSafiQamas, 王鹏, 罗森林, 潘丽敏. 一种高并发网络Web应用技术研究[J]. 信息网络安全, 2017, 17(12): 29-35.
[5]	王东亮, 衣俊艳, 李时慧, 王洪新. 融合负载均衡和蝙蝠算法的云计算任务调度[J]. 信息网络安全, 2017, 17(1): 23-28.
[6]	. 基于链路质量的应急无线传感网络路由算法研究[J]. , 2014, 14(5): 59-.
[7]	徐京;张彦;辛阳;朱洪亮. 高速网络内容监控系统的关键技术分析[J]. , 2012, 12(10): 0-0.
[8]	李艳;刘怡麟. 基于T-G保护系统的抗病毒网络安全分析模型[J]. , 2009, 9(9): 0-0.