基于节点共享计数型Bloom filter高效动态数据包过滤方案

Abstract

Abstract: The ordinary packet filtering program used in an intrusion prevention system(IPS) consumes a tremendous amount of time and space that results in a larger packet loss rate and can not be achieved in parallel processing.This paper designs a new filtering program by adopting the shared-node counting bloom filter technology on the network device driver layer.The collision rate of the elements in bits group can be evidently decreased,and the free addition and deletion of dynamic filtering rules can be easily realized by improving the sets of hash functions.In each of the multi-rules sets,which is divided by tuple space,different shared-node counting Bloom filter bits groups are created.The search algorithm in tuple space is optimized and the collision rate of elements in bits group is further reduced.In the multi-core processors,filter processing can be executed in parallel through the establishment of a number of parallel processing threads.Experiment results show that the presented filtering program can reduce 28%~31% of the collision rate and 12%~19% of the hash table visits.

CLC Number:

TP393

WANG Jie, SHI Cheng-hui, LIU Ya-bin. Efficient dynamic packet filtering program based on shared-node counting Bloom filter[J]. Journal of Systems Engineering and Electronics, 2009, 31(9): 2227-2231.

References

[1] McCanne S,Jacobson V.The BSD packet filter:A new architecture for user-level packet capture[C]//Proc,of USENIX Technical Conference,Cicinnati,CA,t 993:259-269.
[2] Xilinx Inc.Virtex-Ⅱ Pro and Virtex-Ⅱ Pro X Platform FPGAs:complete data sheet[R].2004.
[3] Intel Corporation.Intel IXP2800 network processor datasheet[R].2002.
[4] Begel A,McCanne S,Graham S L.BPF+:exploiting global dataflow optimization in a generalized packet filter architecture[C]//Proc.o f SIGCOOMM,California,USA,1999:123-134.
[5] Bos H,Bruijn W,Cristea M,et al.FFPF:fairly fast packet filters[C]//Proc.of USENIX OSDI,Portland,USA,2004:347-363.
[6] Engler D,Kaashoek M.DPF:fast,flexible message demultiplexing using dynamic code generation[C]//Proc.of SIGCOMM,San Francisw,CA,1996:53-59.
[7] Bloom B H.Space/time trade-offs in hash coding with allowable errors[J].Communication of the ACM,1970,13(7):422-426.
[8] Song H,Turner J,Dharmapurikar S.Fast hash table lookup using extended bloom filters an aid to network processing[C]//Proc.of Conference on Applications,Technologies,Architectures,and Protocols for Computer Communications,2005:181-192.
[9] LINUX KERNEL DOCUMENT.NAPIHOWTO.Txt[EB/OL].http:// www,linux2m32r,org/lxr/http/source/Documentation/networking/NAPI HOWTO.txt.
[10] 柳斌,李之棠,黎耀.基于Linux系统的高速网络捕包技术研究[J].计算机应用研究,2006(5):225-227.
[11] 杜德超,姚庆栋.多维过滤规则无冲突的高速分组分类算法[J].电子学报,2002,30(11):1676-1680.
[12] Had A,Suri A,Parulkar G.Detecting and resolving packet filter conflicts[C]//Proc.of IEEE 9th Annual Joint Conference of the IEEE Computer and Communication Societies,2000(3):1203-1212.
[13] Srinivasan V,Suri S,Varghese G.Packet classification using tuple space search[C]//Proc,of IEEE Conference on Applications,Technologies,Architectures and Protocols for Computer Communication,1999:135-146.

[1]	Zhigang JIN, Chenxu DUAN, Qiuling YANG, Yishan SU. A new mechanism for reef coral monitoring based on underwater cloud-edge collaborative architecture [J]. Systems Engineering and Electronics, 2022, 44(12): 3829-3836.
[2]	Xibo TANG, Limin ZHANG, Zhaogen ZHONG. Intrusion traffic detection and identification based on ADASYN and improved residual network [J]. Systems Engineering and Electronics, 2022, 44(12): 3850-3862.
[3]	Gaosai LIU, Xinglong JIANG, Huawang LI, Guang LIANG. Large-scale LEO constellation distributed routing algorithm based on location awareness [J]. Systems Engineering and Electronics, 2022, 44(11): 3529-3536.
[4]	Xinkang SONG, Shanghong ZHAO, Xiang WANG, Shaowei HAO. Collaborative construction and embedding strategy of aviation information network service function chain [J]. Systems Engineering and Electronics, 2022, 44(11): 3556-3563.
[5]	Youbin FU, Qiaoyan KANG, Jianfeng WANG, Haiyan HU, Shuo ZHAO. Intelligent deployment method of software-defined flying ad-hoc network controller based on label segmentation [J]. Systems Engineering and Electronics, 2022, 44(10): 3249-3257.
[6]	Jianxing GONG, Lei ZHU, Huabing WANG, Peiyuan DING, Chengzhao LU. Analysis of key nodes in combat system based on function graph [J]. Systems Engineering and Electronics, 2022, 44(8): 2515-2521.
[7]	Zexuan MA, Jin LI, Yanli LU, Chen CHEN. Network intrusion detection method based on WaveNet and BiGRU [J]. Systems Engineering and Electronics, 2022, 44(8): 2652-2660.
[8]	Changxiao ZHAO, Ershuai LI, Feng HE, Peng WANG. Bandwidth allocation and optimization of time-sensitive traffic in TSN [J]. Systems Engineering and Electronics, 2022, 44(6): 2027-2034.
[9]	Ning LI, Bing HUO, Ruiliang SONG, Zhi REN. Efficient reporting approach of edge nodes' information in multi-PAN terahertz wireless personal area network [J]. Systems Engineering and Electronics, 2022, 44(5): 1709-1716.
[10]	Jiacai YI, Bin LIU, Li YAO, Wentao ZHAO. Satellite cyber situational understanding based on knowledge reasoning [J]. Systems Engineering and Electronics, 2022, 44(5): 1562-1571.
[11]	Yukun YAO, Lidan REN, Zhi REN, Xin FENG, Wenzheng DU. Topology-aware RLNC retransmission scheme based on SDN in MSC [J]. Systems Engineering and Electronics, 2022, 44(4): 1393-1400.
[12]	Lian WANG, Chaohui ZHU, Hailian WU, Hao YIN. Multicast retransmission scheme based on instantly decodable network coding under imperfect feedback [J]. Systems Engineering and Electronics, 2021, 43(12): 3703-3708.
[13]	Yong YANG, Xiangru MENG, Qiaoyan KANG, Wenwen ZHAO. Reliable service function chain deployment method based on traffic optimization [J]. Systems Engineering and Electronics, 2021, 43(10): 3017-3025.
[14]	Kun CHEN, Na LYU, Haifeng ZHU, Yu FANG. Time-based updates method for airborne network of aviation swarm [J]. Systems Engineering and Electronics, 2021, 43(9): 2642-2648.
[15]	Xiaoyang HAN, Xiangru MENG, Qiaoyan KANG, Dong ZHAI, Pengfei LIU. Reliability and topology aware service function chain backup protection method [J]. Systems Engineering and Electronics, 2021, 43(7): 1961-1970.

Efficient dynamic packet filtering program based on shared-node counting Bloom filter

PDF (PC)

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics

Comments