1. Field of the Invention
The present invention relates to a network flow abnormality detection system and a method thereof, and more particularly to a system and method for detecting network flow changes by efficiently analyzing packet headers on a multi-core processor.
2. Description of the Prior Art
Analyzing network flow is very important to modern network system security. By monitoring, collecting and analyzing every piece of flow information in a network system, abnormalities occurring in the network can be detected. The purpose of detecting abnormalities in network flow is to detect packet flows that change very suddenly. By analyzing this information together with other intrusion detection techniques, potential security leaks, unfriendly attacks and abnormalities can be found.
Due to the development of the Internet and the rapid growth of bandwidth, the data volume per unit time also increases. In addition, since network systems have become more complex, a detection system with a single monitoring spot can no longer provide complete network information; more monitoring spots are needed to detect network flow. A single-core CPU is reaching its processing limits due to the rapid growth of Internet traffic, so multi-core processors are utilized to provide better capability in network system design. Because a graphics processing unit (GPU) is multi-core, it is also applied to fields other than graphics operations, such as general-purpose computing, so that the load on the original CPU is distributed. A multi-core processing unit provides extraordinary parallel computing capability and a larger memory access bandwidth; thus it is applied to network systems for processing data-parallel network applications.
Neelam Goyal and Randy Smith (referring to R. Smith, N. Goyal, J. Ormont, K. Sankaralingam, C. Estan. Evaluating GPUs for network packet signature matching. Performance Analysis of Systems and Software, 2009. ISPASS 2009. IEEE International Symposium on, pp. 175-184, 2009) disclosed the utility of GPU SIMD for detecting network abnormalities by using the NVIDIA GeForce 8 Series (G80) as an accelerating core for string matching. According to Shuai Mu et al., the NVIDIA GT280 GPU provides a computing capability of 933 GFLOPS (giga floating-point operations per second) and a memory access speed of 141.7 GB/s with 240 stream processors, and is used to process routing table searches and to implement string matching with the Bloom filter and Aho-Corasick algorithms.
Further, Sangjin Han and Keon Jang (referring to R. Smith, N. Goyal, J. Ormont, K. Sankaralingam, C. Estan. Evaluating GPUs for network packet signature matching. Performance Analysis of Systems and Software, 2009. ISPASS 2009. IEEE International Symposium on, pp. 175-184, 2009) disclosed the PacketShader software router, wherein the NVIDIA GTX480 GPU is utilized as the accelerator for IP routing searches. The NVIDIA GTX480 GPU provides computing capability and a memory access speed of 177.4 GB/s with 480 stream processors, so that the speed of PacketShader reached 40 Gbps. From the above, the GPU is utilized to increase processing performance based on the basic architecture of the stream processor.
According to “Method and Apparatus for Sketch-based Detection of Changes in Network Traffic”, B. Krishnamurthy et al., U.S. Pat. No. 7,751,325, the K-ary Sketch structure is applied to multi-core processing chips to summarize and compute data from the network packet flow via multiple hash functions, with errors generated by hash collisions. The K-ary Sketch is further applied on the SUN UltraSparc-III and SGI R12k microprocessors. The operation times thereof are 2.69 seconds and 1.46 seconds, respectively (number of hash functions = 5, space parameter = 64K, number of source IP addresses = 1,000,000).
However, according to the K-ary sketch structure, 4-universal hash functions are used to query an error array. The query results are then sorted in order to obtain the median value. The sorting process requires significant CPU processing cycles; moreover, the time is proportional to the number of incoming packets.
Therefore, it is crucial to minimize the time of the sorting process, using the technique presented in this document on a parallel processor for network system design.
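The following sketch of the K-ary structure described above is an added example, not code from the cited patent or from this document. It assumes degree-3 polynomial hashes over a prime field as the 4-universal family, uses the previous interval as the forecast, and runs on constructed traffic values; the class and function names are hypothetical.

```python
import random
from statistics import median

P = (1 << 61) - 1  # prime modulus for the polynomial hashes (assumed choice)

class KarySketch:
    def __init__(self, H=5, K=1024, seed=1):
        rng = random.Random(seed)
        self.H, self.K = H, K
        # One random degree-3 polynomial per row: a 4-universal hash family.
        self.coeffs = [[rng.randrange(1, P) for _ in range(4)]
                       for _ in range(H)]
        self.table = [[0.0] * K for _ in range(H)]
        self.total = 0.0

    def _bucket(self, i, key):
        a, b, c, d = self.coeffs[i]
        return (((a * key + b) * key + c) * key + d) % P % self.K

    def update(self, key, value):
        for i in range(self.H):
            self.table[i][self._bucket(i, key)] += value
        self.total += value

    def estimate(self, key):
        # Per-row estimate corrected for collisions, then the median across
        # rows. Taking the median is the per-query sort the text refers to.
        K = self.K
        rows = [(self.table[i][self._bucket(i, key)] - self.total / K)
                / (1 - 1 / K) for i in range(self.H)]
        return median(rows)

def changed_keys(prev, curr, threshold):
    # Sketches are linear, so the error sketch (observed minus forecast)
    # is built by adding observed values and subtracting forecast values.
    err = KarySketch()
    for k, v in curr.items():
        err.update(k, v)
    for k, v in prev.items():
        err.update(k, -v)  # forecast assumed to be the previous interval
    return sorted(k for k in curr if abs(err.estimate(k)) >= threshold)

# Constructed sample: 2000 sources near 1000 bytes; one jumps to 500000.
_rng = random.Random(7)
PREV = {0x0A000000 + i: 1000.0 for i in range(2000)}
CURR = {k: v + _rng.randint(-50, 50) for k, v in PREV.items()}
SPIKE = 0x0A000000 + 1234
CURR[SPIKE] = 500000.0
```

Every call to `estimate` sorts H values, so querying once per incoming packet makes the median step scale with packet count, which is the cost the passage above points to.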