一种网络内容快速动态检测方法

高速网络内容检测与过滤依赖于快速多模式匹配算法按预先定义的模式集对分组的任意位置内容进行匹配。模式集往往有成千上万条，长短不一且十分复杂。多模式匹配算法对存贮器的访问速度很敏感，算法的好坏往往成为系统的性能瓶颈。另外，新的攻击层出不穷导致模式内容不断变化，如何在检测的同时有效地更新模式集合对网络安全设备在不停机检测条件下实现规则的升级与更新尤其重要。针对上述问题，提出了一种松散耦合的双通道线速动态内容检测方法，快速通道利用可动态查询的并行Counting Bloom filter引擎过滤网络分组。过滤出的嫌疑分组送慢速通道利用高效动态模式匹配算法一步准确鉴别和分析，从而避免对正常分组的阻碍达到线速检测。基于程序局部性原理，采用了额定长度前缀的方法实现了对长模式的可扩展性。分析与模拟试验表明，检测方法具有较高的吞吐性能，可以实现线速动态深度分组检测，同时减少了硬件资源开销，提高了可扩展性。

On-line Speed Dynamic Deep Packet Inspection

High-speed packet content inspection and filtering devices rely on a fast multi-pattern matching algorithm which is used to detect predefined keywords or signatures in the packets. Unfortunately, these signature sets are large (e.g., thousands) and complex 6]. Multi-pattern matching is known to require intensive memory accesses and is often a performance bottleneck 9]. Another problem is to update the rule set without halting the device while they are working. Hence, specialized fast dynamic pattern matching algorithms scalable for long rules are required for online speed packet processing. We propose a fast packet dynamic inspection algorithm using two pipelines which is a flexibility loosely coupled framework. In the fast pipeline, multiple parallel Bloom filter engines which can perform fast dynamic query are adopted to achieve high throughput. Based on the principle of locality of programs, we set a threshold length for the scalability for long rules. In the relatively slow pipeline, we adopt dynamic pattern matching algorithm to distinguish the suspicious packet comes from the fast pipeline. The analysis and the evaluation show that the high throughput of the algorithm can satisfy the wire speed inspection requirement when the low resource consumption in hardware resource further improves the scalability.