一种网络分组内容线速动态检测方法

华南理工大学学报（自然科学版） ›› 2008, Vol. 36 ›› Issue (9): 15-19.

一种网络分组内容线速动态检测方法

徐克付齐德昱钱正平向军郑伟平

华南理工大学计算机系统结构研究所, 广东广州 510640

收稿日期:2007-09-14 修回日期:1900-01-01 出版日期:2008-09-25 发布日期:2008-09-25
通信作者: 徐克付（1977-），男，博士生，主要从事网络信息安全研究． E-mail:xkfool@163．com
作者简介:徐克付（1977-），男，博士生，主要从事网络信息安全研究．
基金资助:
中国博士后科学基金资助项目（2005037582）;粤港关键领域重点突破项目（2005A10307007）

A Method of On-Line Dynamic Inspection for Network Packet Contents

Xu Ke-fu Qi De-yu Qian Zheng-ping Xiang Jun Zheng Wei-ping

Research Institute of Computer System, South China University of Technology, Guangzhou 510640, Guangdong,China

Received:2007-09-14 Revised:1900-01-01 Online:2008-09-25 Published:2008-09-25
Contact: 徐克付（1977-），男，博士生，主要从事网络信息安全研究． E-mail:xkfool@163．com
About author:徐克付（1977-），男，博士生，主要从事网络信息安全研究．
Supported by:
中国博士后科学基金资助项目（2005037582）;粤港关键领域重点突破项目（2005A10307007）

摘要/Abstract

摘要： 针对高速网络内容检测中多模式匹配算法性能差和模式集不断动态变化的问题，提出了一种松散耦合的双通道线速动态内容检测方法．该方法包含快速通道和慢速通道两部分，快速通道利用可动态查询的并行Counting Bloom filter引擎过滤网络分组，过滤出的嫌疑分组送慢速通道利用高效动态模式匹配算法一步准确鉴别和分析，从而避免对正常分组的阻碍，达到线速检测．基于程序局部性原理，采用额定长度前缀的方法实现了对长模式的可扩展性．分析与模拟试验表明，该检测方法具有较高的吞吐性能，可以实现线速动态内容检测，同时减少了硬件资源开销，提高了可扩展性．

关键词: Bloom filter 计算机网络, 深度分组检测, 动态模式匹配

Abstract:

In the high-speed inspection of network contents, the multi-pattern matching algorithm is inefficient and the pattern set continuously changes. In order to solve these problems, an on-line dynamic inspection method with two loosely-coupled pipelines is proposed. This method consists of a fast pipeline and a slow one. In the fast pipeline, parallel Counting Bloom filter engines which can perform fast dynamic query are adopted to filter the network packet, while in the slow one, a high-performance dynamic pattern matching algorithm is adopted to distinguish the suspicious packet coming from the fast pipeline. Thus, the block to normal packets can be removed and the on-line inspection can be achieved. Moreover, according to the locality principle of programs, a length threshold is set to implement the scalability for long rules. Analytical and simulated results indicate that the proposed inspection method with high throughput meets the requirements of on-line dynamic inspection of network packet contents well with low hardware consumption and high scalability.

Key words: Bloom filter, computer network, deep packet inspection, dynamic pattern matching

徐克付齐德昱钱正平向军郑伟平. 一种网络分组内容线速动态检测方法[J]. 华南理工大学学报（自然科学版）, 2008, 36(9): 15-19.

Xu Ke-fu Qi De-yu Qian Zheng-ping Xiang Jun Zheng Wei-ping . A Method of On-Line Dynamic Inspection for Network Packet Contents[J]. Journal of South China University of Technology (Natural Science Edition), 2008, 36(9): 15-19.