
Efficient dynamic packet filtering program based on shared-node counting Bloom filter (journal article; cited by: 1)
Abstract: The packet filtering schemes commonly used in intrusion prevention systems (IPS) consume a large amount of time and space, suffer a high packet loss rate, and cannot process multiple filters in parallel. To address this, a new filter scheme is designed that applies a shared-node counting Bloom filter at the network device driver layer; by improving the set of hash functions it reduces the collision rate of the bit-array elements and supports dynamic addition and deletion of filtering rules. The tuple space method partitions the filtering rules into multiple sets, a different shared-node counting Bloom filter bit array is created for each set, and the search algorithm is optimized, which further lowers the collision rate of the bit-array elements. Filtering is executed in parallel by establishing multiple parallel processing threads on a multi-core processor. Experimental results show that the new scheme reduces the collision rate by 28%-31% and the number of hash table accesses by 12%-19%.
Source: Systems Engineering and Electronics (《系统工程与电子技术》), indexed in EI and CSCD, Peking University core journal; 2009, No. 9, pp. 2227-2231 (5 pages)
Funding: Henan Province Distinguished Talent Innovation Fund (074200510013)
Keywords: network security; packet filtering; counting Bloom filter; shared-node; tuple space; hash
Related literature

References (13 listed in the record; 10 shown)

  • 1 McCanne S, Jacobson V. The BSD packet filter: a new architecture for user-level packet capture [C]//Proc. of USENIX Technical Conference, Cincinnati, CA, 1993: 259-269.
  • 2 Xilinx Inc. Virtex-II Pro and Virtex-II Pro X Platform FPGAs: complete data sheet [R]. 2004.
  • 3 Intel Corporation. Intel IXP2800 network processor datasheet [R]. 2002.
  • 4 Begel A, McCanne S, Graham S L. BPF+: exploiting global dataflow optimization in a generalized packet filter architecture [C]//Proc. of SIGCOMM, California, USA, 1999: 123-134.
  • 5 Bos H, de Bruijn W, Cristea M, et al. FFPF: fairly fast packet filters [C]//Proc. of USENIX OSDI, Portland, USA, 2004: 347-363.
  • 6 Engler D, Kaashoek M. DPF: fast, flexible message demultiplexing using dynamic code generation [C]//Proc. of SIGCOMM, San Francisco, CA, 1996: 53-59.
  • 7 Bloom B H. Space/time trade-offs in hash coding with allowable errors [J]. Communications of the ACM, 1970, 13(7): 422-426.
  • 8 Song H, Turner J, Dharmapurikar S. Fast hash table lookup using extended Bloom filter: an aid to network processing [C]//Proc. of Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, 2005: 181-192.
  • 9 Linux kernel documentation. NAPI_HOWTO.txt [EB/OL]. http://www.linux2m32r.org/lxr/http/source/Documentation/networking/NAPI_HOWTO.txt
  • 10 柳斌, 李之棠, 黎耀. Research on high-speed network packet capture technology based on Linux [J]. 计算机应用研究 (Application Research of Computers), 2006, 23(5): 225-227. Cited by: 7

Secondary references (17 in the record; 10 shown)

  • 1 田志宏, 方滨兴, 云晓春. A user-level packet transfer mechanism based on a semi-polling driver under RTLinux [J]. 软件学报 (Journal of Software), 2004, 15(6): 834-841. Cited by: 15
  • 2 Lakshman T V, Stiliadis D. High-speed policy-based packet forwarding using efficient multi-dimensional range matching [A]. Proc. of ACM SIGCOMM [C]. Vancouver, Canada, 1998: 101-202.
  • 3 Waldvogel M, Varghese G, Turner J, Plattner B. Scalable high speed IP routing lookups [A]. Proc. of SIGCOMM [C]. Cannes, France, 1997: 25-35.
  • 4 Srinivasan V, Suri S, Varghese G. Packet classification using tuple space search [A]. Proc. of SIGCOMM [C]. Cambridge, Massachusetts, 1999: 135-1466.
  • 5 Hari A, Suri S, Parulkar G. Detecting and resolving packet filter conflicts [J]. Proc. of IEEE INFOCOM, 2000: 1203-1213.
  • 6 Warkhede P, Suri S, Varghese G. Fast packet classification for two-dimensional conflict-free filters [J]. IEEE INFOCOM, 2001: 1434-1443.
  • 7 Gupta P, McKeown N. Packet classification on multiple fields [J]. ACM Computer Review, 1999, 29(4): 146-160.
  • 8 Srinivasan V, Varghese G, Suri S, Waldvogel M. Fast and scalable layer four switching [A]. Proc. of ACM SIGCOMM [C]. Vancouver, Canada, 1998: 203-214.
  • 9 McAuley A J, Francis P. Fast routing table lookup using CAMs [J]. IEEE INFOCOM, 1993, 3: 1382-1391.
  • 10 Gupta P, McKeown N. Algorithms for packet classification [J]. IEEE Network, 2001, 4: 24-32.

Co-cited literature (11)

Literature cited alongside this article (6)

  • 1 胡滨, 夏欣, 任守纲. Analysis and research on packet filtering models [J]. 计算机工程与设计 (Computer Engineering and Design), 2007, 28(5): 1040-1042. Cited by: 1
  • 2 Armbruster B, Smith J C, Park K. A packet filter placement problem with application to defense against distributed denial of service attacks [J]. European Journal of Operational Research, 2007, 176(2): 1283-1292.
  • 3 Julkunen H, Chow C E. Enhance network security with dynamic packet filter [C]//Proceedings of the 7th IEEE International Conference on Computer Communications and Networks. Lafayette, IN: IEEE Press, 1998: 268-275.
  • 4 Todtmann B, Rathgeb E P. Requirements for managing distributed packet filter configurations in carrier-grade networks [C]//10th IFIP/IEEE International Symposium on Integrated Network Management, Munich, 2007: 737-740.
  • 5 Hooper E. An intelligent detection and response strategy to false positives and network attacks [C]//Proceedings of the 4th IEEE International Workshop on Information Assurance. Washington DC: IEEE Press, 2006: 16-21.
  • 6 李金平, 高东杰. Policy routing technology [J]. 计算机科学 (Computer Science), 2002, 29(4): 84-85. Cited by: 8

Citing literature (1)
