
Research Of High-Performance Security Sensor Within 10G Channel

Posted on: 2016-11-26
Degree: Master
Type: Thesis
Country: China
Candidate: Y Z Ma
GTID: 2308330503976713
Subject: Computer application technology
Abstract/Summary:
With the rising number of Internet users in China, the introduction of the "Internet+" concept, and the elevation of network security to a national strategy, network security has gradually become an important part of Internet development. Recently, serious network security incidents such as Heartbleed, the Bash vulnerability and reflection DDoS attacks have occurred frequently. Effective network security incident detection and emergency response are necessary, and sensing data at key nodes is crucial to both.

MONSTER (Monitor On Network Security and Tool for Emergency Response) integrates packet capture and filtering, metadata sensing, and cooperative network intrusion detection and response. MONSTER does not yet have a complete emergency sensor and metadata sensor for network security response at the CERNET Nanjing node. To address this, the paper presents research on an emergency sensor and a metadata sensor for high-speed network traffic within a 10 Gbps channel.

The emergency sensor captures the raw network traffic of specific communication objects during network security response. It copies traffic from the boundary between the CERNET Nanjing node and the CERNET backbone by means of switch port mirroring. To cope with the performance pressure of capturing and processing high-speed network traffic, the emergency sensor first transforms tasks into rules and controls the switch ACL based on those rules to filter traffic. Second, it uses PF_RING DNA, a zero-copy packet capture tool that can capture all packets from a 10 Gbps network card with zero packet loss. Third, multiple threads are bound to multiple cores to capture packets in parallel and write them into a shared-memory buffer based on the rules. Finally, multiple concurrent threads sort the packets in the shared-memory buffer by time, and the packets are then stored in files.

The metadata sensor extracts metadata from specific packets (HTTP, DNS, IRC) at the boundary between the CERNET Nanjing node and the CERNET backbone. To handle the high-speed network traffic, the metadata sensor controls the switch port ACL based on the protocols and ports of HTTP, DNS and IRC. It uses multiple threads to capture and parse packets and then writes the metadata into a shared-memory buffer. Finally, another thread reads the metadata from the shared-memory buffer, merges request metadata with response metadata using a hash search algorithm, and saves the merged metadata to files.

Finally, the paper designs and implements performance monitoring, fault detection, log management and process management for the system, and tests its performance and task management. The experimental results show that the system achieves a zero packet loss rate for both the emergency sensor and the metadata sensor within a 10 Gbps channel.
Keywords/Search Tags: MONSTER, emergency response, emergency sensor, metadata sensor, PF_RING DNA