基于多核处理器的L7-Filter规则匹配改进算法
发布时间:2019-05-08 01:25
【摘要】:随着计算机网络技术在政治,军事,商业等领域的广泛使用,网络流量的高速增长,使得网络安全的问题日益突出,作为网络安全的核心问题数据包分类技术显得尤为重要。L7-Filter是Linux系统平台下基于对数据包应用层数据分析并最终确定分类的软件平台。然而,,随着网络中多核处理器的大规模部署,L7-Filter并没有在多核环境下表现出明显的性能提升。 针对以上问题,本文首先概要性的介绍了多核计算的体系结构,分析了L7-Filter的架构及其在多核处理器上性能瓶颈,针对性地提出了一种对目标规则链进行类型分类,并依据网络数据流时间局部性的统计特性来动态优化规则链的方法来改进数据包匹配分类算法;在本文最后通过设计仿真实验对算法的性能进行了分析,改进后的算法充分的利用了网络数据包在时间和空间上的局部性,使多核环境下数据包分类性能有了约6%的提高;实验结果表明,在数据包个数相同的条件下,改进后的算法明显的提高了多核处理器的处理性能,随着数据包个数的增加,性能优越性越明显。
[Abstract]:With the wide use of computer network technology in political, military, commercial and other fields, and the rapid growth of network traffic, the problem of network security has become increasingly prominent. As the core problem of network security, packet classification technology is very important. L7-Filter is a software platform based on the data analysis of the application layer of the data packet and finally determines the classification of the data packet under the Linux system platform. However, with the large-scale deployment of multi-core processors in the network, L7-Filter does not show a significant improvement in performance in multi-core environments. To solve the above problems, this paper firstly introduces the architecture of multi-core computing, analyzes the architecture of L7-Filter and its performance bottleneck on multi-core processors, and puts forward a kind of classification of target rule chain. According to the statistical characteristics of time locality of network data flow, the method of dynamic optimization of rule chain is used to improve the classification algorithm of packet matching. In the end of this paper, the performance of the algorithm is analyzed by designing simulation experiments. The improved algorithm makes full use of the localization of network packets in time and space, and improves packet classification performance by about 6% in multi-core environment. The experimental results show that under the condition of the same number of packets, the improved algorithm can obviously improve the processing performance of the multi-core processor. With the increase of the number of packets, the better the performance is, the more obvious the performance superiority is.
【学位授予单位】:武汉科技大学
【学位级别】:硕士
【学位授予年份】:2013
【分类号】:TP332;TP393.08
本文编号:2471511
[Abstract]:With the wide use of computer network technology in political, military, commercial and other fields, and the rapid growth of network traffic, the problem of network security has become increasingly prominent. As the core problem of network security, packet classification technology is very important. L7-Filter is a software platform based on the data analysis of the application layer of the data packet and finally determines the classification of the data packet under the Linux system platform. However, with the large-scale deployment of multi-core processors in the network, L7-Filter does not show a significant improvement in performance in multi-core environments. To solve the above problems, this paper firstly introduces the architecture of multi-core computing, analyzes the architecture of L7-Filter and its performance bottleneck on multi-core processors, and puts forward a kind of classification of target rule chain. According to the statistical characteristics of time locality of network data flow, the method of dynamic optimization of rule chain is used to improve the classification algorithm of packet matching. In the end of this paper, the performance of the algorithm is analyzed by designing simulation experiments. The improved algorithm makes full use of the localization of network packets in time and space, and improves packet classification performance by about 6% in multi-core environment. The experimental results show that under the condition of the same number of packets, the improved algorithm can obviously improve the processing performance of the multi-core processor. With the increase of the number of packets, the better the performance is, the more obvious the performance superiority is.
【学位授予单位】:武汉科技大学
【学位级别】:硕士
【学位授予年份】:2013
【分类号】:TP332;TP393.08
【参考文献】
相关期刊论文 前10条
1 胡朝强;黄利斌;;针对应用层过滤的Iptables防火墙扩展功能应用研究[J];计算机安全;2010年05期
2 王杰;石成辉;;基于正则表达式的动态应用层协议识别方案[J];计算机工程与应用;2010年18期
3 所光;杨学军;;多核处理机系统Cache管理技术研究现状[J];计算机工程与科学;2010年07期
4 林闯;王元卓;任丰原;;新一代网络QoS研究[J];计算机学报;2008年09期
5 徐卫志;宋风龙;刘志勇;范东睿;余磊;张帅;;众核处理器片上同步机制和评估方法研究[J];计算机学报;2010年10期
6 丁晶;陈晓岚;吴萍;;基于正则表达式的深度包检测算法[J];计算机应用;2007年09期
7 熊忠阳;张逢贵;张玉芳;;Linux下基于Netfilter个人内核防火墙的设计与实现[J];计算机应用;2009年S1期
8 杨赞;杨林;王保进;张琨;;依据流统计特性的报文分类规则集动态优化[J];计算机应用研究;2011年05期
9 曹折波;李青;;多核处理器并行编程模型的研究与设计[J];计算机工程与设计;2010年13期
10 王若梅;张绮雯;周凡;;一种新的多模式快速匹配算法[J];中山大学学报(自然科学版);2005年S2期
本文编号:2471511
本文链接:https://www.wllwen.com/kejilunwen/jisuanjikexuelunwen/2471511.html
