一种面向网络安全分析的高速流重组优化方案

A High-speed Network Flow Reassembly Optimized Scheme for Network Security Analysis

在高速网络环境下,网络流量采集和重组是进行网络安全分析的重要前提。文章针对网络安全分析的准确性和实时性要求,提出了一种面向网络安全分析的高速流重组优化方案。首先,在基于Hash结构的流表方案中,设计了多流表并行化机制,并通过在高速网络流的分发策略中引入反馈信息,解决了高速网络流在多个流表间分发的负载均衡问题;其次,为进一步降低流老化检测开销,在流表方案中特别设计了活跃队列,将流记录按最近最少使用顺序排列,避免全流表遍历操作,降低了流老化检测的时间复杂度;最后,文章利用DPDK实现了基于流表优化方案的高速网络流重组系统,并对该流表优化方案的准确性和实时性进行了验证。实验结果表明,在网络带宽为10 Gbps时,丢包率为0.002%,能有效满足高速网络环境下网络安全分析的数据需求。

In high-speed network environment, network traffic collection and reassembly is an important prerequisite for network security analysis. To meet the need of the accuracy and realtime requirement of network security analysis, a high-speed network flow reassembly optimization scheme is proposed in this paper. Firstly, a parallel mechanism of multi-flow tables is designed in the Hash-based flow table scheme, the load balancing problem of high-speed network flows distributed among multiple flow tables is solved by introducing feedback information into the distribution strategy of high-speed network flows. Secondly, in order to further reduce the overhead of flow aging detection, an active queue is designed in the flow table scheme. Records are arranged in the order of least recent usage, which could avoid full flow table traversal operation and reduce the time complexity of flow aging detection. Finally, a high-speed network flow reassembly system based on flow table optimization scheme is implemented by DPDK, and the accuracy and real-time performance of the flow table optimization scheme are verified. The experimental results show that when the network bandwidth is 10 Gbps, the packet loss rate is 0.002%, which can effectively meet the data requirements of network security analysis in high-speed network environment.