
Research On Performance Improvement And Security Enhancement For Deep Packet Inspection

Posted on: 2022-10-18
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L K Liu
Full Text: PDF
GTID: 1488306569485744
Subject: Cyberspace security
Abstract/Summary:
Network and information security technologies have profoundly changed the way people live and work. At the same time, confrontation between nations has become increasingly fierce, cross-border criminal gangs and criminal organizations have become increasingly rampant, and the intensity and severity of network penetrations and intrusions have soared, seriously affecting the national security and social stability of every country. As the core technology of network defense, deep packet inspection plays an irreplaceable role in protecting network information security. Large pattern sets and heavy traffic are the key factors in its performance and affect the efficiency of every stage of the inspection pipeline; an attack on any stage likewise impairs and restricts its function. Deep packet inspection therefore faces both performance and security challenges. The ever-increasing scale of attack signatures raises the time and space consumption of the core pattern matching algorithm, ever-increasing network traffic raises the pressure on single-machine performance, and the continuous emergence of targeted attacks raises the security threat. State-level heavy-traffic deep packet inspection technology urgently needs further optimization and transformation. In view of these challenges, this dissertation studies pattern matching algorithms based on pattern characteristics and traffic characteristics, and the defensive capability of deep packet inspection against algorithmic complexity attacks and network penetration. The main contributions are as follows:

First, from the perspective of adaptability to the pattern set, the parallel pattern matching algorithm of the deep packet inspection system is studied. The scale and characteristics of the pattern set are among the key factors affecting pattern matching performance. The length distribution of a large pattern set in a real environment is wide and changes dynamically. Existing pattern matching algorithms are sensitive to pattern length, are efficient only for specific pattern lengths, and no efficient matching algorithm adapts to different length distributions. To solve this problem, this dissertation proposes a pattern matching technique based on pattern features and pattern reorganization under a multi-core architecture, which partitions, schedules, evaluates and reorganizes the pattern set in a fine-grained manner. A genetic annealing algorithm, which does not easily fall into local optima, performs the multi-core scheduling of the results produced by common pattern partitioning methods. Based on the length adaptability of the partitions, an evaluation and reorganization scheme is proposed: scheduling results are measured against established evaluation criteria, and results that do not meet the criteria are re-partitioned and rescheduled through pattern reorganization. Experiments show that when the number of patterns is 10, the performance of this technique is 43% higher than the dynamic programming partitioning algorithm, and the larger the pattern set, the more obvious the improvement.

Second, from the perspective of analysing the characteristics of non-hit traffic, the pattern matching acceleration algorithm of the deep packet inspection system is studied. In practical operation, the probability that traffic content hits the pattern set was found to be less than one in ten thousand, so improving the processing performance of non-hit traffic is the breakthrough for improving system performance. Common pattern matching algorithms do not consider the characteristics of traffic content. This dissertation proposes a pattern matching technique based on the characteristics of non-hit traffic, which increases detection speed by adding special processing for the large number of repeated strings in non-hit traffic. First, repeated strings in network traffic within a certain time window are extracted and a repeated-string library is constructed from them; then a pattern matching framework is built in which different pattern matching algorithms handle regular content and repeated strings as separate matching sub-modules, and the mapping relations between them are established. Experiments show that, across different test files, the performance of this algorithm is 10%-30% higher than the dual-path method.

Third, from the perspective of the vulnerability of pattern matching algorithms, methods to improve the defensive capability of deep packet inspection are studied. An algorithmic complexity attack is a typical attack technique that exploits weaknesses of pattern matching algorithms to consume system time and space resources. The attacker needs a priori knowledge of part of the pattern set and forges attack data tailored to the particular pattern matching algorithm: a character of a known pattern is removed or replaced, and the result is replicated in large numbers so that the matching algorithm keeps running at its worst-case time complexity. This dissertation defends against attack flows with an attack detection algorithm, a pattern matching algorithm and a multi-core flow scheduling algorithm: an algorithmic complexity attack detection method based on Level-I and Level-II thresholds, a pattern matching algorithm based on a user-defined index order, and a flow scheduling algorithm based on multiple cores. Experiments show that when the attack density exceeds 10%, the performance of the two-level threshold detection method is 11%-60% higher than with no threshold and 4%-14% higher than with the Level-I threshold alone, and the two-level threshold detection method also has the lowest false positive and false negative rates. When the attack density is 30%, the user-defined index order algorithm performs 79% better than the commonly used algorithm, and the multi-core defense framework is less affected by the attack, performing 21% better than the user-defined index order algorithm.

Finally, from the perspective of protocol vulnerabilities, methods to improve deep packet inspection against network penetration are studied. Network penetration techniques such as TCP state machine attacks and multipath transmission attacks seriously threaten the security of the deep packet inspection system. In a TCP state machine attack, the attacker interferes with the TCP state machine of the deep packet inspection system through forged packets and misleads it into discarding the attack traffic. This dissertation designs a TCP recovery auxiliary buffer and a TTL table to identify such attacks; experiments show a detection success rate of 96%. In a multipath transmission attack, the attacker divides the attack data into fragments and uses the MPTCP protocol to transmit each fragment to the target over a separate network path. Because deep packet inspection lacks distributed detection for the MPTCP protocol, the attack data fragments are misjudged. This dissertation defines adjacent content, associates the content of the same stream across multiple deep packet inspection systems, and proposes a distributed asynchronous parallel inspection algorithm. Multipath transmission attacks were tested in terms of attack density and the number of malicious feature fragments. Attack density is a factor affecting overall performance: as attack density increases, overall performance trends downward. Under the same attack density, performance is improved by 4%-22% over the existing distributed detection algorithm, with an average detection success rate of 98.8%. The room for performance improvement grows with the number of malicious feature fragments, and the average detection success rate increased to 98.7%.
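The TCP state machine attack described above relies on a forged packet that the inspector accepts but the target never sees; the following is an added illustration, not the dissertation's code, of how a per-flow TTL table can stop an inspector from releasing its flow state on a reset whose TTL is implausible for that flow, so the data that follows is still reassembled and matched. The packets, the tolerance value and the signature are constructed for this example.

```python
import statistics

# Constructed packets for one client-to-server TCP flow as seen by the inspector:
# (flags, ttl, payload). Values are invented for this example.
SIGNATURE = b"EVIL-SIGNATURE"
PACKETS = [
    ("S", 64, b""),
    ("A", 64, b"GET /index.html HTTP/1.1\r\n"),
    ("R", 5, b""),                            # forged reset, TTL far below the flow's
    ("A", 64, b"Host: example.test\r\n"),
    ("A", 64, b"X-Payload: EVIL-SIGNATURE\r\n"),
]
TTL_TOLERANCE = 3  # assumption: a real path's hop count rarely shifts this much mid-flow

class FlowTracker:
    """Reassembles one flow; the TTL table records TTLs of accepted packets."""
    def __init__(self):
        self.ttl_table = []          # observed TTLs of handshake and data packets
        self.stream = bytearray()    # retained data, playing the recovery-buffer role
        self.closed = False
        self.events = []

    def ttl_consistent(self, ttl):
        if not self.ttl_table:
            return True              # nothing to compare against yet
        return abs(ttl - statistics.median(self.ttl_table)) <= TTL_TOLERANCE

    def feed(self, flags, ttl, payload):
        if "R" in flags:
            if self.ttl_consistent(ttl):
                self.closed = True   # plausible RST: flow state can be released
                self.events.append("closed")
            else:
                # Implausible TTL: do not let this RST discard the flow state
                self.events.append(f"suspicious RST ttl={ttl} ignored")
            return
        self.ttl_table.append(ttl)
        self.stream += payload

def inspect(packets):
    """Returns (events, signature_hit) after feeding the packets in order."""
    tracker = FlowTracker()
    for flags, ttl, payload in packets:
        if tracker.closed:
            break                    # a closed flow is no longer inspected
        tracker.feed(flags, ttl, payload)
    return tracker.events, SIGNATURE in tracker.stream

if __name__ == "__main__":
    print(inspect(PACKETS))
```

Without the TTL check the reset at TTL 5 would close the flow and the signature in the later segments would never be inspected.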
Keywords/Search Tags:network security, deep packet inspection, pattern matching, ten million pattern set, algorithmic complexity attack, multi-path routing attack, MPTCP