Method and device for inspecting deep packets among heterogeneous platforms

Abstract

The invention provides a method for inspecting deep packets among heterogeneous platforms. The method comprises the following steps of: when the condition that corresponding session entries of a received packet contain instruction information required for being subjected to deep packet inspection is judged on a first platform in an FPGA (Field Programmable Gate Array) architecture, carrying out protocol analysis on the packet on the first platform so as to determine a bearer protocol; determining whether the multimode matching is required for being carried out or not based on a predefined bearer protocol-multimode match mapping table; when the multimode matching is required for being carried out, carrying out multimode matching on a payload part of the packet on the first platform based on a predefined application-related multimode characteristic set; and after multimode matching hit, transmitting the packet and a multimode matching result to a second platform, and carrying out deep packet inspection on the packet on the second platform based on the multimode matching result. With the adoption of the method, the packet traffic uploaded to the second platform for processing and the calculating burden of the second platform can be reduced.

Description

technical field [0001] The present invention relates to the field of data processing, and more specifically, to a method and device for in-depth message detection among heterogeneous platforms. Background technique [0002] Traditional network security devices usually involve L3 / L4 (network layer and transport layer) level security protection, and can be implemented using heterogeneous platforms, which usually include the first platform under the FPGA architecture and the second platform under the X86 architecture. Second platform. [0003] FPGA (Field-programmable gate array), that is, field programmable gate array, is a reprogrammable silicon chip. The widespread adoption of FPGA chips stems from the fact that FPGAs combine the greatest advantages of ASICs and traditional processors. FPGAs can provide the speed and stability of hardware timing without the large-scale investment such as the huge up-front cost of custom ASIC design. The flexibility of reprogrammable silic...

AI Technical Summary

Problems solved by technology

The complexity of the above-mentioned analysis mechanisms makes the DPI logic unsuitable for hardware implementation, and can only require more in-depth detection work to be handed over to the CPU

[0015] In addition, unlike the detection mechanism of the first packet of the traditional connection, DPI requires more load traffic in the connection to be submitted to the CPU for analysis, which makes the traffic between heterogeneous platforms violate the 28 model, causing most packets to slow down The speed path increases the IO overhead and computing burden of the CPU, thus making it difficult to take advantage of heterogeneous platforms.

[0016] Due to the above-mentioned mode change caused by the introduction of DPI, the path of message processing becomes longer, which leads to a significant decrease in key indicators such as throughput and delay of network security equipment.

[0017] Also, the bus between the hardware and the CPU becomes a bottleneck

Although the CPU bus technology (this is PCIE, which has been developed to PCIE3.0) is developing rapidly, it is difficult to meet the requirements of the current heterogeneous platform to complete the above requirements

The resulting direct problem is that once a performance bottleneck occurs, frequent packet loss and out-of-order will greatly increase the missed and misjudgment of the final application recognition

[0019] When encountering the above problems, the most common solution for heterogeneous platforms in the architecture is the introduction of the Cache mechanism. The main idea is to send the matching recognition results of the DPI in the slow path as a Cache to the hardware for acceleration. However, the DPI problem is complicated. Due to the nature of the usual Cache mechanism is not suitable for the current problem

The main reason is that the result of DPI identification is generally identified by the destination IP and service number in the protocol, but the same IP and service number may carry other application features, so it cannot be reversed.

Images