基于节点共享计数型Bloom filter高效动态数据包过滤方案

Journal of Systems Engineering and Electronics ›› 2009, Vol. 31 ›› Issue (9): 2227-2231.

基于节点共享计数型Bloom filter高效动态数据包过滤方案

王杰, 石成辉, 刘亚宾

郑州大学电气工程学院, 河南, 郑州, 450001

收稿日期:2008-06-25 修回日期:2008-11-05 出版日期:2009-09-20 发布日期:2010-01-03
作者简介:王杰(1959- ),男,教授,博土生导师,博士,主要研究方向为智能计算与智能控制、计算机网络与信息安全.E-mail:wj@zzuedu.cn
基金资助:
河南省杰出人才创新基金(074200510013)资助课题

Efficient dynamic packet filtering program based on shared-node counting Bloom filter

WANG Jie, SHI Cheng-hui, LIU Ya-bin

School of Electrical Engineering, Zhengzhou Univ., Zhengzhou 450001, China

Received:2008-06-25 Revised:2008-11-05 Online:2009-09-20 Published:2010-01-03

摘要/Abstract

摘要： 入侵防御系统(intrusion prevention system,IPS)中常用的包过滤方案大量消耗时间和空间,丢包率高,不能实现多过滤器并行处理。针对此问题,设计了一种新的过滤器方案,该方案在网络设备驱动层采用节点共享计数型bloom filter技术,通过改进哈希函数的集合,减少了位数组元素的碰撞率,实现了过滤规则的动态添加和删除。由元组空间法把过滤规则划分多个集合,在每个集合中创建不同的节点共享计数型Bloom filter位数组,并且优化搜索算法,进一步降低了位数组元素的碰撞率。通过在多核处理器中建立多个并行处理线程,实现了过滤的并行处理。实验结果表明,新的方案能够减少28%~31%的碰撞率和12%~19%的hash表的访问次数。

Abstract: The ordinary packet filtering program used in an intrusion prevention system(IPS) consumes a tremendous amount of time and space that results in a larger packet loss rate and can not be achieved in parallel processing.This paper designs a new filtering program by adopting the shared-node counting bloom filter technology on the network device driver layer.The collision rate of the elements in bits group can be evidently decreased,and the free addition and deletion of dynamic filtering rules can be easily realized by improving the sets of hash functions.In each of the multi-rules sets,which is divided by tuple space,different shared-node counting Bloom filter bits groups are created.The search algorithm in tuple space is optimized and the collision rate of elements in bits group is further reduced.In the multi-core processors,filter processing can be executed in parallel through the establishment of a number of parallel processing threads.Experiment results show that the presented filtering program can reduce 28%~31% of the collision rate and 12%~19% of the hash table visits.

中图分类号:

TP393

王杰, 石成辉, 刘亚宾. 基于节点共享计数型Bloom filter高效动态数据包过滤方案[J]. Journal of Systems Engineering and Electronics, 2009, 31(9): 2227-2231.

WANG Jie, SHI Cheng-hui, LIU Ya-bin. Efficient dynamic packet filtering program based on shared-node counting Bloom filter[J]. Journal of Systems Engineering and Electronics, 2009, 31(9): 2227-2231.

参考文献

[1] McCanne S,Jacobson V.The BSD packet filter:A new architecture for user-level packet capture[C]//Proc,of USENIX Technical Conference,Cicinnati,CA,t 993:259-269.
[2] Xilinx Inc.Virtex-Ⅱ Pro and Virtex-Ⅱ Pro X Platform FPGAs:complete data sheet[R].2004.
[3] Intel Corporation.Intel IXP2800 network processor datasheet[R].2002.
[4] Begel A,McCanne S,Graham S L.BPF+:exploiting global dataflow optimization in a generalized packet filter architecture[C]//Proc.o f SIGCOOMM,California,USA,1999:123-134.
[5] Bos H,Bruijn W,Cristea M,et al.FFPF:fairly fast packet filters[C]//Proc.of USENIX OSDI,Portland,USA,2004:347-363.
[6] Engler D,Kaashoek M.DPF:fast,flexible message demultiplexing using dynamic code generation[C]//Proc.of SIGCOMM,San Francisw,CA,1996:53-59.
[7] Bloom B H.Space/time trade-offs in hash coding with allowable errors[J].Communication of the ACM,1970,13(7):422-426.
[8] Song H,Turner J,Dharmapurikar S.Fast hash table lookup using extended bloom filters an aid to network processing[C]//Proc.of Conference on Applications,Technologies,Architectures,and Protocols for Computer Communications,2005:181-192.
[9] LINUX KERNEL DOCUMENT.NAPIHOWTO.Txt[EB/OL].http:// www,linux2m32r,org/lxr/http/source/Documentation/networking/NAPI HOWTO.txt.
[10] 柳斌,李之棠,黎耀.基于Linux系统的高速网络捕包技术研究[J].计算机应用研究,2006(5):225-227.
[11] 杜德超,姚庆栋.多维过滤规则无冲突的高速分组分类算法[J].电子学报,2002,30(11):1676-1680.
[12] Had A,Suri A,Parulkar G.Detecting and resolving packet filter conflicts[C]//Proc.of IEEE 9th Annual Joint Conference of the IEEE Computer and Communication Societies,2000(3):1203-1212.
[13] Srinivasan V,Suri S,Varghese G.Packet classification using tuple space search[C]//Proc,of IEEE Conference on Applications,Technologies,Architectures and Protocols for Computer Communication,1999:135-146.

[1]	金志刚, 段晨旭, 羊秋玲, 苏毅珊. 基于水下云边协同架构的珊瑚礁监测新机制[J]. 系统工程与电子技术, 2022, 44(12): 3829-3836.
[2]	唐玺博, 张立民, 钟兆根. 基于ADASYN与改进残差网络的入侵流量检测识别[J]. 系统工程与电子技术, 2022, 44(12): 3850-3862.
[3]	刘高赛, 姜兴龙, 李华旺, 梁广. 基于位置感知的大规模LEO星座分布式路由算法[J]. 系统工程与电子技术, 2022, 44(11): 3529-3536.
[4]	宋鑫康, 赵尚弘, 王翔, 郝少伟. 航空信息网络服务功能链协同构建与映射策略[J]. 系统工程与电子技术, 2022, 44(11): 3556-3563.
[5]	付有斌, 康巧燕, 王建峰, 胡海岩, 赵朔. 标签分割的软件定义飞行自组网控制器智能部署方法[J]. 系统工程与电子技术, 2022, 44(10): 3249-3257.
[6]	龚建兴, 朱雷, 王华兵, 丁佩元, 路程昭. 基于功能图的作战体系关键节点分析[J]. 系统工程与电子技术, 2022, 44(8): 2515-2521.
[7]	马泽煊, 李进, 路艳丽, 陈晨. 融合WaveNet和BiGRU的网络入侵检测方法[J]. 系统工程与电子技术, 2022, 44(8): 2652-2660.
[8]	赵长啸, 李二帅, 何锋, 王鹏. TSN时间敏感流量带宽分配与优化[J]. 系统工程与电子技术, 2022, 44(6): 2027-2034.
[9]	李宁, 霍兵, 宋瑞良, 任智. 多PAN太赫兹无线个域网边缘节点信息高效报告方法[J]. 系统工程与电子技术, 2022, 44(5): 1709-1716.
[10]	蚁佳才, 刘斌, 姚莉, 赵文涛. 基于知识推理的卫星网络态势理解[J]. 系统工程与电子技术, 2022, 44(5): 1562-1571.
[11]	姚玉坤, 任丽丹, 任智, 冯鑫, 杜文正. MSC中基于SDN的拓扑感知RLNC重传方案[J]. 系统工程与电子技术, 2022, 44(4): 1393-1400.
[12]	王练, 朱朝辉, 吴海莲, 殷豪. 不完美反馈下基于立即可解网络编码的多播重传机制[J]. 系统工程与电子技术, 2021, 43(12): 3703-3708.
[13]	阳勇, 孟相如, 康巧燕, 赵文文. 基于流量优化的可靠服务功能链部署方法[J]. 系统工程与电子技术, 2021, 43(10): 3017-3025.
[14]	陈坤, 吕娜, 朱海峰, 方宇. 基于定时的航空集群机载网络更新方法[J]. 系统工程与电子技术, 2021, 43(9): 2642-2648.
[15]	韩晓阳, 孟相如, 康巧燕, 翟东, 刘鹏飞. 可靠性与拓扑感知的服务功能链备份保护方法[J]. 系统工程与电子技术, 2021, 43(7): 1961-1970.