CN-121984741-A - Ultra-large-scale network security feature library loading method based on remote memory access
Abstract
The invention discloses a method for loading a very-large-scale network security feature library based on remote memory access, relating to the field of network security. The method comprises: obtaining a network security feature library and network security monitoring equipment; constructing a remote memory access cluster composed of a plurality of computing nodes, each configured with a local memory access module and a remote memory access module; logically dividing the network security feature data in the feature library into logic fragments and mapping the logic fragments to corresponding computing nodes; obtaining operation monitoring data corresponding to the feature library and the monitoring equipment; performing access scheduling analysis on the monitoring equipment and dynamic expansion analysis on the feature library according to the operation monitoring data, and generating dynamic adjustment information; and adaptively adjusting the access identification process of each computing node according to the dynamic adjustment information.
Inventors
- LI BO
- ZHAO JUNYI
- TAN YONG
- FAN RONG
- HE ENSHENG
Assignees
- 湖南数通信息技术服务有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20260128
Claims (8)
- 1. A method for loading a very large scale network security feature library based on remote memory access, characterized by comprising the following steps: Step S1, setting a network security management platform, acquiring a corresponding network security feature library and network security monitoring equipment through the network security management platform, and respectively marking the acquired network security feature library and network security monitoring equipment; Step S2, constructing a remote memory access cluster composed of a plurality of computing nodes according to the network security feature library, respectively configuring a local memory access module and a remote memory access module in each computing node, and interconnecting the nodes through a high-speed network; Step S3, logically dividing the corresponding network security feature data in the network security feature library according to preset classification rules to obtain corresponding logic fragments, and mapping the obtained logic fragments to corresponding computing nodes; Step S4, respectively setting data acquisition terminals according to the network security feature library and the network security monitoring equipment, and acquiring operation monitoring data of the computing nodes through the data acquisition terminals; Step S5, respectively carrying out access scheduling analysis on the network security monitoring equipment and dynamic capacity expansion analysis on the network security feature library according to the obtained corresponding operation monitoring data, and respectively generating dynamic adjustment information according to the analysis results; and Step S6, carrying out self-adaptive adjustment on the access identification process of each computing node according to the obtained dynamic adjustment information.
- 2. The method for loading a very large scale network security feature library based on remote memory access according to claim 1, wherein the process of obtaining the corresponding network security feature library and network security monitoring equipment comprises: setting a network security management platform, wherein a data entry terminal is arranged in the network security management platform, and the corresponding network security monitoring equipment and network security feature library are acquired through the data entry terminal; the network security feature library is provided with a plurality of feature source data interfaces, corresponding network security feature data are obtained through each feature source data interface, and the obtained network security feature data are stored; the network security monitoring equipment comprises corresponding equipment identification information, equipment hardware performance information and equipment running state information; and respectively marking the obtained network security feature library and network security monitoring equipment to obtain corresponding identification information.
- 3. The method for loading a very large scale network security feature library based on remote memory access according to claim 2, wherein the process of constructing a remote memory access cluster composed of a plurality of computing nodes comprises: acquiring the network security feature data stored in the network security feature library, and constructing a remote memory access cluster according to the data volume of the network security feature data, wherein a plurality of computing nodes are arranged in the remote memory access cluster, and the computing nodes comprise two types: feature computing nodes and flexible computing nodes; and respectively configuring a local memory access module and a remote memory access module in each computing node, interconnecting the nodes through a high-speed network, and setting a corresponding memory access protocol.
- 4. The method for loading a very large scale network security feature library based on remote memory access according to claim 3, wherein the process of obtaining the corresponding logic fragments comprises: logically dividing the corresponding network security feature data in the network security feature library according to a preset classification rule to obtain four types: attack fingerprint features, abnormal flow pattern features, protocol behavior features and user behavior features; respectively carrying out statistical analysis on the four types of network security feature data in the network security feature library to obtain the proportion (duty ratio) data of each type of network security feature data, and setting the number of logic fragments for each type of network security feature data according to its proportion data; obtaining corresponding computing nodes according to the number of logic fragments of each type, and mapping the network security feature data of that type to the corresponding computing nodes for storage; and acquiring the matching rate of each item of network security feature data of the same type stored in each computing node, and deciding, according to that matching rate, whether to map the item to the local memory access module or the remote memory access module.
- 5. The method for loading a very large scale network security feature library based on remote memory access according to claim 4, wherein the process of obtaining operation monitoring data of the computing nodes through the data acquisition terminals comprises: acquiring identification information of the network security feature database and the network security monitoring equipment, respectively setting corresponding data acquisition terminals according to the corresponding identification information, and acquiring corresponding operation monitoring data through the data acquisition terminals; acquiring operation monitoring data of each detection node in the network security feature database, wherein the operation monitoring data comprises node load data, node access data and node matching data; setting corresponding detection nodes according to the network security monitoring equipment, and acquiring operation monitoring data of the corresponding detection nodes in the network security monitoring equipment, wherein the operation monitoring data comprises equipment network operation data, detection load data and access matching data; and performing time sequence alignment processing on each piece of obtained operation monitoring data according to the corresponding identification information and the acquisition time.
- 6. The method for loading a very large scale network security feature library based on remote memory access according to claim 5, wherein the process of performing access scheduling analysis on the network security monitoring equipment according to the obtained corresponding operation monitoring data comprises: acquiring the historical operation monitoring data corresponding to the network security monitoring equipment and the currently acquired operation monitoring data; respectively carrying out statistical analysis on the network operation data, detection load data and access matching data in the historical operation monitoring data of the network security monitoring equipment, setting detection trigger conditions according to the network operation data, obtaining corresponding load cycle data according to the detection load data, and obtaining, according to the access matching data, the hot/cold level of the matching frequency of the corresponding network security feature data at each unit time in the load cycle data; and sequentially comparing the network operation data, detection load data and access matching data in the currently acquired operation monitoring data with the detection trigger conditions, the load cycle data and the hot/cold level of the matching frequency, setting a remote memory access mechanism according to the comparison result, and generating dynamic adjustment information from the remote memory access mechanism.
- 7. The method for loading a very large scale network security feature library based on remote memory access according to claim 6, wherein the process of performing dynamic capacity expansion analysis on the network security feature library according to the obtained corresponding operation monitoring data comprises: sequentially analyzing the node access data, node load data and node matching data contained in the operation monitoring data corresponding to the network security feature library, and acquiring access pressure data and node capacity data of each computing node in the network security feature library by combining the node access data and the node load data; setting a pressure threshold and a capacity threshold for each computing node, and comparing the access pressure data and node capacity data of each computing node with the corresponding pressure threshold and capacity threshold to obtain access state data and storage state data for each computing node; and setting a capacity expansion threshold, comparing the obtained proportion (duty ratio) data with the capacity expansion threshold, and, if the proportion data is larger than the capacity expansion threshold, re-mapping the network security feature data stored by each computing node in the network security feature library to corresponding flexible computing nodes according to the node matching data, and generating dynamic adjustment information corresponding to the network security feature library according to the analysis results.
- 8. The method for loading a very large scale network security feature library based on remote memory access according to claim 7, wherein the process of adaptively adjusting the access identification process of each computing node according to the obtained dynamic adjustment information comprises: adjusting according to the dynamic adjustment information corresponding to the network security feature library and each network security monitoring device, and respectively setting corresponding version identification information for the network security feature library and the network security monitoring devices according to the corresponding adjustment results; and feeding the set version identification information back to the corresponding computing node, and carrying out self-adaptive adjustment on the corresponding memory access protocol according to the version identification information.
Description
Ultra-large-scale network security feature library loading method based on remote memory access

Technical Field

The invention relates to the technical field of network security, in particular to a method for loading a very-large-scale network security feature library based on remote memory access.

Background

With the development of cloud computing, big data and Internet of Things technologies, a network security system needs to analyze massive network behavior data in real time to identify malicious traffic, abnormal behaviors and potential attacks. To achieve high-precision monitoring, network security equipment generally depends on a very-large-scale network security feature library, which includes attack fingerprints, abnormal traffic patterns, protocol behavior features and the like.

However, in the prior art, because of the large scale of the network security feature library, loading and expanding the feature library have various defects: single-node physical memory capacity is limited, so resident loading of a TB-level feature library is difficult to support; local content loading is limited, so high-concurrency, low-latency real-time detection requirements cannot be met; and as a result, accessing the corresponding network security feature library suffers from insufficient timeliness and poor flexibility.

Disclosure of Invention

The invention aims to remedy the defects of the prior art and provides a method for loading a very-large-scale network security feature library based on remote memory access.
In order to achieve the above purpose, the present invention adopts the following technical scheme: a method for loading a very-large-scale network security feature library based on remote memory access, comprising the following steps:
- Step S1, setting a network security management platform, acquiring a corresponding network security feature library and network security monitoring equipment through the network security management platform, and respectively marking the acquired network security feature library and network security monitoring equipment;
- Step S2, constructing a remote memory access cluster composed of a plurality of computing nodes according to the network security feature library, respectively configuring a local memory access module and a remote memory access module in each computing node, and interconnecting the nodes through a high-speed network;
- Step S3, logically dividing the corresponding network security feature data in the network security feature library according to preset classification rules to obtain corresponding logic fragments, and mapping the obtained logic fragments to corresponding computing nodes;
- Step S4, respectively setting data acquisition terminals according to the network security feature library and the network security monitoring equipment, and acquiring operation monitoring data of the computing nodes through the data acquisition terminals;
- Step S5, respectively carrying out access scheduling analysis on the network security monitoring equipment and dynamic capacity expansion analysis on the network security feature library according to the obtained corresponding operation monitoring data, and respectively generating dynamic adjustment information according to the analysis results;
- Step S6, carrying out self-adaptive adjustment on the access identification process of each computing node according to the obtained dynamic adjustment information.
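Step S3, with the detail claim 4 gives it (the number of logic fragments per feature class set from that class's share of the library, then local or remote placement by matching rate), sketched as an added example that is not part of the patent text. The largest-remainder rounding, the round-robin assignment, the `hot_threshold` value and every identifier are assumptions; the patent does not specify them.

```python
from collections import Counter

# The four feature classes named in claim 4 (identifier spellings are assumed).
CATEGORIES = ("attack_fingerprint", "abnormal_traffic",
              "protocol_behavior", "user_behavior")

def shard_counts(features, total_shards):
    """Give each non-empty class one shard, then split the rest in proportion
    to the class's share of the library (largest-remainder rounding)."""
    counts = Counter(f["category"] for f in features)
    present = [c for c in CATEGORIES if counts[c]]
    if total_shards < len(present):
        raise ValueError("need at least one shard per non-empty class")
    spare, n = total_shards - len(present), sum(counts[c] for c in present)
    parts = {c: divmod(spare * counts[c], n) for c in present}  # (whole, remainder)
    alloc = {c: 1 + parts[c][0] for c in present}
    leftover = total_shards - sum(alloc.values())
    for c in sorted(present, key=lambda c: parts[c][1], reverse=True)[:leftover]:
        alloc[c] += 1
    return alloc

def place(features, nodes, total_shards, hot_threshold=0.05):
    """Return {feature id: (node, shard, tier)}. A feature whose match rate
    reaches hot_threshold goes to the node's local memory, else remote."""
    alloc = shard_counts(features, total_shards)
    shard_ids, next_id = {}, 0
    for c in CATEGORIES:
        shard_ids[c] = list(range(next_id, next_id + alloc.get(c, 0)))
        next_id += alloc.get(c, 0)
    seen, plan = Counter(), {}
    for f in features:
        ids = shard_ids[f["category"]]
        shard = ids[seen[f["category"]] % len(ids)]  # round-robin inside the class
        seen[f["category"]] += 1
        tier = "local" if f["match_rate"] >= hot_threshold else "remote"
        plan[f["id"]] = (nodes[shard % len(nodes)], shard, tier)
    return plan

# Constructed sample library (not real signatures): 6/2/1/1 across the classes.
SAMPLE = (
    [{"id": f"af-{i}", "category": "attack_fingerprint",
      "match_rate": 0.20 if i < 2 else 0.001} for i in range(6)]
    + [{"id": f"at-{i}", "category": "abnormal_traffic", "match_rate": 0.08}
       for i in range(2)]
    + [{"id": "pb-0", "category": "protocol_behavior", "match_rate": 0.01},
       {"id": "ub-0", "category": "user_behavior", "match_rate": 0.0}]
)
```

Calling `place(SAMPLE, ["node-a", "node-b", "node-c"], 8)` yields the full placement plan; the remainders are kept as integers so that ties between classes resolve the same way on every run.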
Further, the process of acquiring the corresponding network security feature library and network security monitoring equipment comprises the following steps: setting a network security management platform, wherein a data entry terminal is arranged in the network security management platform, and the corresponding network security monitoring equipment and network security feature library are acquired through the data entry terminal; the network security feature library is provided with a plurality of feature source data interfaces, corresponding network security feature data are obtained through each feature source data interface, and the obtained network security feature data are stored; the network security monitoring equipment comprises corresponding equipment identification information, equipment hardware performance information and equipment running state information; and respectively marking the obtained network security feature library and network security monitoring equipment to obtain corresponding identification information.

Further, the process of constructing a remote memory access cluster composed of a plurality of computing nodes includes: Acquiring network security feature data stored in a network security feature library, and constructing a remote memory access cluster according to the data volume of the network security featu