Abstract
L7-filter is a widely used traffic classification system. It relies on deep packet inspection based on regular expression matching, and classifies traffic by detecting string patterns in the packet payload. However, because of high computational complexity and large storage consumption, existing L7-filter software and hardware solutions cannot offer sufficient performance for today's 40 Gbps and higher-speed backbone networks. Based on an analysis of the L7-filter application-layer protocol rule set and a summary of the features that are common in it, this paper proposes a hardware-accelerated method that raises the processing capacity of the traffic classification system through a customized data model, algorithm optimization and matching architecture design. To validate the feasibility of the method, a prototype system is implemented on a Virtex 6 FPGA card and evaluated. Experimental results show that the prototype can reach a data throughput of about 115 Gbps.
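Source
Acta Electronica Sinica (《电子学报》)
Indexed in: EI, CAS, CSCD, Peking University Core Journals
2016, No. 11, pp. 2561-2568 (8 pages)
Funding
National Natural Science Foundation of China (No. 61402474)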