CN-122027263-A - Network card hardware function configuration method based on software definition
Abstract
The invention discloses a network card hardware function configuration method based on software definition, which belongs to the technical field of network security. The method comprises: monitoring the logic layer and physical layer characteristics generated when a network card processes a data stream and comparing them with a normal behavior baseline; triggering defense reconstruction when a deviation occurs; generating an evolution reference sample set from the abnormal traffic; retrieving basic function units from a hardware module library according to the threat type and combining them into an initial hardware logic configuration; iteratively optimizing and testing that configuration in an evolution sandbox isolated inside the network card to generate a winning hardware logic configuration; extracting the dynamic session state from the current main path hardware and migrating it to the winning hardware logic configuration; and, while the winning configuration operates, driving idle programmable logic units to execute randomized calculations that generate overlay physical noise. In this way, self-adaptive hardware-level precise defense against unknown threats is realized, service continuity and line-rate processing performance are ensured, and protection against side-channel attacks is enhanced.
Inventors
- LIU YUN
- CHEN DUO
Assignees
- 北京遂芯微电子有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260203
Claims (10)
- 1. A network card hardware function configuration method based on software definition, characterized by comprising the following steps: monitoring logic layer characteristics and physical layer characteristics generated when a network card processes a network data stream, and generating real-time characteristic data; comparing the real-time characteristic data with a baseline model representing normal network traffic behavior, triggering a defense reconstruction process when the real-time characteristic data deviate from it, and generating an abnormal traffic mirror image containing the network data of that period; processing the abnormal traffic mirror image with a software analysis model to generate an evolution reference sample set containing input data and expected defensive action labels; according to the characteristic deviation type that triggered the defense reconstruction process, retrieving basic function units from a hardware function module library containing various basic function units and combining them into an initial hardware logic configuration; loading the initial hardware logic configuration into an evolution sandbox area physically isolated inside the network card, and iteratively adjusting it within a constraint space defined by electrical safety rules to generate an adjusted hardware logic configuration; performing a function fitting test on the adjusted hardware logic configuration with the evolution reference sample set until a winning hardware logic configuration that functionally meets the requirements of the evolution reference sample set is generated; extracting complete dynamic session state information from the main path hardware logic currently processing service data; migrating the dynamic session state information to the winning hardware logic configuration, and seamlessly switching the service data stream from the main path hardware logic to the winning hardware logic configuration; and, while the winning hardware logic configuration processes the service data stream, driving unused programmable logic units within the network card to perform randomization calculations that generate overlay physical noise.
- 2. A network card hardware function configuration method based on software definition, characterized in that the method monitors logic layer characteristics and physical layer characteristics generated when a network card processes a network data stream to generate real-time characteristic data, and comprises the steps of: using a protocol analysis engine in the network card to extract packet header information and traffic statistics of the data packets in real time as the logic layer characteristics; synchronously acquiring the dynamic power consumption value of the network card chip at the current moment and the timing delay values of critical paths, using an on-chip sensor and a ring oscillator embedded in the network card chip, as the physical layer characteristics; marking the acquired logic layer characteristics and physical layer characteristics with synchronous time stamps based on a unified hardware clock source; and, after time alignment, performing vectorization splicing and normalization on the logic layer characteristics and the physical layer characteristics to generate the real-time characteristic data.
- 3. The network card hardware function configuration method based on software definition according to claim 1, wherein the comparison is performed between the real-time feature data and a baseline model for representing normal network traffic behaviors, and when the real-time feature data deviate, a defense reconfiguration process is triggered, and the method comprises the steps of continuously collecting the logic layer feature and the physical layer feature, respectively generating a logic layer feature sequence and a physical layer feature sequence, when the logic layer feature sequence or the physical layer feature sequence deviates from the baseline model, generating an initial deviation signal, performing correlation analysis on the logic layer feature sequence and the physical layer feature sequence in a time dimension to evaluate the correlation strength between the initial deviation signals and generate a correlation score, and when the correlation score exceeds a trigger threshold for indicating strong correlation, confirming that the defense exists and triggering the defense reconfiguration process.
- 4. The network card hardware function configuration method based on software definition according to claim 1, wherein the processing the abnormal traffic image by using a software analysis model to generate an evolution reference sample set includes performing deep behavior analysis on the abnormal traffic image to identify and extract a potential threat behavior pattern therein, converting the threat behavior pattern into a structured defending intention description set, the defending intention description set defining behavior characteristics to be handled and corresponding handling logic, performing a one-by-one decision on data in the abnormal traffic image according to the defending intention description set, labeling each data unit with the expected defending action label, and finally forming the evolution reference sample set.
- 5. The network card hardware function configuration method based on software definition according to claim 1, wherein retrieving basic function units from a hardware function module library including a plurality of basic function units according to the feature deviation type that triggered the defending reconfiguration process, and combining them into an initial hardware logic configuration, includes converting the feature deviation type into a defending function demand vector, calculating a matching degree score between the defending function demand vector and the function description of each basic function unit in the hardware function module library, selecting the one or more basic function units with the highest matching degree scores, and connecting the selected basic function units through a standard bus architecture to form the initial hardware logic configuration.
- 6. The network card hardware function configuration method based on software definition according to claim 1, wherein performing a function fitting test on the adjusted hardware logic configuration with the evolution reference sample set includes feeding the input data of the evolution reference sample set into the adjusted hardware logic configuration to obtain its actual output, comparing the actual output with the expected defending action labels in the evolution reference sample set to calculate a function compliance score, and combining the function compliance score with a processing performance index obtained through timing analysis to generate a comprehensive fitness value, which guides the next round of iterative adjustment.
- 7. The method for configuring the hardware function of the network card based on the software definition according to claim 1, wherein the step of extracting the complete dynamic session state information from the main path hardware logic of the current processing service data includes sending a pause instruction to the main path hardware logic to stop receiving a new session establishment request to obtain a static session state snapshot, performing an atomized copy operation of a hardware level on a connection state table used for storing all active connection contexts in the main path hardware logic to obtain a complete copy of the connection state table, and taking the complete copy of the connection state table obtained through the atomized copy operation as the dynamic session state information.
- 8. The network card hardware function configuration method based on software definition according to claim 1, characterized in that the migration and seamless switching comprise the steps of: parsing the dynamic session state information and mapping and writing it into the corresponding register file and on-chip storage block inside the winning hardware logic configuration to complete state recovery; after state recovery is completed, activating an input buffer queue at the front end of the data path to temporarily store the service data packets arriving at that moment and prevent data loss; sending a switching signal to the data path selector to direct the data stream outlet to the input port of the winning hardware logic configuration; and releasing the service data packets held in the input buffer queue to the winning hardware logic configuration, completing the seamless switching of the service data stream.
- 9. The method of claim 1, wherein driving the unused programmable logic units in the network card to perform randomization calculations that generate the overlay physical noise comprises: after the traffic data stream has been switched, initiating periodic logic obfuscation operations on the winning hardware logic configuration so that it continuously changes its own physical characteristics; loading noise generator circuitry that generates pseudo-random sequences into the unused programmable logic units in the network card; and activating the noise generator circuitry to perform high-frequency randomization calculations that generate the overlay physical noise.
- 10. The method of claim 9, wherein the step of initiating periodic logic obfuscation of the winning hardware logic configuration includes identifying an auxiliary logic path in the winning hardware logic configuration that does not directly affect a final defense decision, and periodically adjusting contents of a lookup table or physical routing paths of signals in the auxiliary logic path according to an obfuscation policy to change power consumption characteristics of the auxiliary logic path while maintaining functional equivalence.
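As an added illustration of claims 2 and 3 (example code written for this page, not code from the patent or its assignee), the following Python simulation splices constructed logic-layer and physical-layer readings into one vector, normalizes them against a baseline, builds a per-layer deviation sequence and computes the time correlation that gates the defense reconstruction trigger. The feature names, the thresholds (3 standard deviations for a deviation, 0.8 for strong correlation) and the three telemetry windows are assumptions chosen for illustration, not values from the patent.

```python
"""Cross-layer anomaly trigger modelled on claims 2 and 3.
Added example, not code from the patent or its assignee. Every reading below is
constructed; a real NIC would take logic-layer values from its protocol analysis
engine and physical-layer values from on-chip power sensors and ring oscillators,
all stamped by one hardware clock."""
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Sequence

LOGIC_KEYS = ("pkt_rate_kpps", "syn_pct", "mean_len_bytes")  # logic layer
PHYS_KEYS = ("power_mw", "path_delay_ps")                    # physical layer
EPS = 1e-12


@dataclass(frozen=True)
class Sample:
    ts: int  # tick of the unified hardware clock (claim 2)
    logic: Dict[str, float]
    phys: Dict[str, float]


def splice(s: Sample) -> List[float]:
    """Vectorization splicing: logic features followed by physical ones."""
    return [s.logic[k] for k in LOGIC_KEYS] + [s.phys[k] for k in PHYS_KEYS]


class Baseline:
    """Per-feature mean and population std dev learned from normal traffic."""

    def __init__(self, normal: Sequence[Sample]) -> None:
        cols = list(zip(*(splice(s) for s in normal)))
        n = len(normal)
        self.mean = [sum(c) / n for c in cols]
        self.std = [max(sqrt(sum((x - m) ** 2 for x in c) / n), EPS)
                    for c, m in zip(cols, self.mean)]

    def zscores(self, s: Sample) -> List[float]:
        """Normalization: distance of each feature from normal, in std devs."""
        return [(x - m) / sd for x, m, sd in zip(splice(s), self.mean, self.std)]


def pearson(a: Sequence[float], b: Sequence[float]) -> float:
    """Pearson correlation; a flat sequence carries no information, so 0."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va < EPS or vb < EPS:
        return 0.0
    return cov / sqrt(va * vb)


def evaluate_window(baseline: Baseline, window: Sequence[Sample],
                    dev_threshold: float = 3.0, corr_threshold: float = 0.8) -> dict:
    """Claim 3: per-layer deviation sequences, then their correlation in time.
    Either layer leaving the baseline raises an initial signal; reconstruction is
    triggered only when the two sequences move together, which filters
    single-layer noise such as a thermal power drift under unchanged traffic."""
    n_logic = len(LOGIC_KEYS)
    logic_seq, phys_seq = [], []
    for s in window:
        z = baseline.zscores(s)
        logic_seq.append(max(abs(v) for v in z[:n_logic]))
        phys_seq.append(max(abs(v) for v in z[n_logic:]))
    logic_dev = max(logic_seq) > dev_threshold
    phys_dev = max(phys_seq) > dev_threshold
    score = pearson(logic_seq, phys_seq) if (logic_dev or phys_dev) else 0.0
    trigger = (logic_dev or phys_dev) and score > corr_threshold
    return {
        "logic_deviation": logic_dev,
        "phys_deviation": phys_dev,
        "correlation": round(score, 3),
        "trigger": trigger,
        # time span to capture as the abnormal traffic mirror (claim 1)
        "mirror_span": (window[0].ts, window[-1].ts) if trigger else None,
    }


def _mk(ts, rate, syn, length, power, delay) -> Sample:
    return Sample(ts, {"pkt_rate_kpps": rate, "syn_pct": syn, "mean_len_bytes": length},
                  {"power_mw": power, "path_delay_ps": delay})


# Constructed telemetry, not measurements from any real device.
NORMAL_WINDOW = [
    _mk(0, 100, 10, 800, 2500, 1200), _mk(1, 102, 12, 820, 2520, 1210),
    _mk(2, 98, 9, 790, 2490, 1195), _mk(3, 101, 11, 810, 2510, 1205),
    _mk(4, 99, 10, 795, 2495, 1198), _mk(5, 100, 8, 785, 2485, 1192),
]
# SYN flood: ever more, ever smaller packets, with fabric power rising in step.
SYN_FLOOD_WINDOW = [
    _mk(10, 100, 10, 800, 2500, 1200), _mk(11, 150, 30, 600, 2560, 1203),
    _mk(12, 220, 50, 400, 2640, 1207), _mk(13, 300, 70, 200, 2740, 1212),
    _mk(14, 400, 85, 120, 2860, 1218), _mk(15, 520, 95, 80, 3000, 1225),
]
# Thermal drift: power climbs while traffic sits exactly on the baseline mean.
THERMAL_DRIFT_WINDOW = [_mk(20 + i, 100, 10, 800, 2500 + 30 * i, 1200) for i in range(6)]
BASELINE = Baseline(NORMAL_WINDOW)

if __name__ == "__main__":
    for name, w in (("normal", NORMAL_WINDOW), ("syn_flood", SYN_FLOOD_WINDOW),
                    ("thermal_drift", THERMAL_DRIFT_WINDOW)):
        print(name, evaluate_window(BASELINE, w))
```

The thermal-drift window shows what the correlation requirement buys: the physical layer alone is far outside its baseline, but with no matching movement in the traffic features the correlation score stays at zero and no reconstruction is triggered, whereas the SYN-flood window moves both layers in lockstep, triggers, and yields the time span to capture as the abnormal traffic mirror.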
Description
Network card hardware function configuration method based on software definition
Technical Field
The invention relates to the technical field of network security, in particular to a network card hardware function configuration method based on software definition.
Background
With the rapid development of network technology, network security threats exhibit increasing diversity, complexity and dynamism. The intelligent network card, especially one based on a field programmable gate array (FPGA), has become a key component for building next-generation network infrastructure and security equipment because of its high-performance data processing capability and reconfigurable hardware logic. It allows network functions and security functions originally executed by the host CPU to be offloaded to the network card hardware, freeing CPU resources and achieving line-rate packet processing.
The patent document with Chinese patent publication number CN113965373A discloses a data exchange method based on intelligent network cards and a server. The method comprises: when a host sends data, selecting an encryption algorithm to encrypt the data and dividing the encrypted data into first encrypted data and second encrypted data, which are sent to a first intelligent network card and a second intelligent network card respectively; the first intelligent network card sends a second key and a second random number generated by the second intelligent network card to the server, and the second intelligent network card sends the first key and the first random number generated by the first intelligent network card to the server; the server decrypts and splices the data sent by the first and second intelligent network cards and decrypts the result with the encryption algorithm. In that invention, the two keys are sent over different network card links, the key carried on one link is used to decrypt the encrypted data of the other link, and the positions of the keys within the links are randomized, so that the risk of key leakage is greatly reduced.
In the prior art, schemes that use an intelligent network card to improve network security performance generally focus on hardware acceleration. For example, fixed firewall rules, access control lists (ACL) or part of the signature matching logic of an intrusion detection system are hard-wired into the FPGA to improve the processing efficiency of specific security functions. Other schemes apply a relatively static functional configuration to the network card through a software defined network (SDN) controller, for example by issuing flow table rules. Although these approaches improve performance to some extent, their hardware defense logic is usually pre-designed and compiled, with relatively fixed functionality. The prior art solutions therefore have significant drawbacks.
First, the hardware defense logic is static: once deployed, it is difficult to adjust quickly to cope with a constant stream of new attacks or zero-day vulnerabilities, so it lacks the ability to adapt to unknown threats. Secondly, when the hardware function needs to be updated, the FPGA usually has to be reprogrammed in whole or in part, which takes a long time and usually takes the network card offline, interrupting service. Finally, existing security measures concentrate on the logic level of network protocols and data content and lack effective protection against side-channel attacks at the physical level, such as power analysis and electromagnetic radiation analysis.
Disclosure of Invention
In order to solve these problems, the invention provides a network card hardware function configuration method based on software definition. Its technical scheme monitors logic layer and physical layer characteristics in real time, evolves hardware defense logic from abnormal traffic, and seamlessly migrates session state to the new logic for deployment, so that self-adaptive hardware-level precise defense against unknown threats is realized while the line-rate processing capacity and continuity of services are ensured. The above object is achieved by the following scheme: a network card hardware function configuration method based on software definition includes: monitoring logic layer characteristics and physical layer characteristics generated when a network card processes a network data stream, and generating real-time characteristic data; comparing the real-time characteristic data with a baseline model for representing normal network flow behaviors, triggering a defense reconstruction process when the real-time characteristic data deviate, and ge
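Claims 7 and 8 and the scheme above describe the session-state migration that keeps service continuity across the switch to the winning logic. The following Python simulation (an added example written for this page, not the patent's or assignee's code) models the main-path and winning logic as connection state tables and runs the steps in claim order: pause new sessions, copy the table, restore it into the new logic, hold arriving packets in an input buffer, flip the selector, and release the buffer. The flow tuples, sequence numbers and the order of arrivals are constructed; the `gap_traffic` switch is an assumption added to show what a stale copy does.

```python
"""Hitless switchover of a live connection table, modelled on claims 7 and 8.
Added example, not code from the patent or its assignee; the Path objects stand
in for the main-path and winning hardware logic, and all flows are constructed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass
class Packet:
    key: FlowKey
    seq: int
    syn: bool = False  # new session establishment request


@dataclass
class Path:
    """One hardware logic: connection state table plus a log of its verdicts."""
    name: str
    accepting_new: bool = True
    table: Dict[FlowKey, int] = field(default_factory=dict)  # flow -> last seq seen
    verdicts: List[str] = field(default_factory=list)

    def process(self, p: Packet) -> str:
        if p.key in self.table:
            ok = p.seq == self.table[p.key] + 1  # continuity the table must carry
            v = "accept" if ok else "drop:out-of-order"
        elif not p.syn:
            v = "drop:unknown-flow"
        elif not self.accepting_new:
            v = "defer:paused"  # claim 7: no new sessions while paused
        else:
            v = "accept:new"
        if v.startswith("accept"):
            self.table[p.key] = p.seq
        self.verdicts.append(v)
        return v


@dataclass
class DataPathSelector:
    """Front-end mux: forwards to the active path, or holds packets in the buffer."""
    active: Path
    buffer: Optional[Deque[Packet]] = None  # input buffer queue (claim 8)

    def ingress(self, p: Packet) -> Optional[str]:
        if self.buffer is not None:
            self.buffer.append(p)  # held, not dropped, during the switch
            return None
        return self.active.process(p)

    def release_buffer(self) -> int:
        held, self.buffer = self.buffer, None
        for p in held:
            self.active.process(p)  # drained into whichever path is now active
        return len(held)


def run_demo(gap_traffic: bool = False) -> dict:
    """Drive one switchover through the steps of claims 7 and 8, in claim order.
    gap_traffic=True lets a packet reach the main path between the atomic copy
    and buffer activation, so the copy goes stale."""
    A, B, C = [("10.0.0.%d" % i, 40000 + i, "10.0.0.9", 443) for i in (1, 2, 3)]
    main, winning = Path("main"), Path("winning", accepting_new=False)
    sel = DataPathSelector(active=main)
    for p in (Packet(A, 1, syn=True), Packet(B, 1, syn=True), Packet(A, 2)):
        sel.ingress(p)  # steady state on the main path
    main.accepting_new = False  # claim 7: pause new session establishment
    paused = sel.ingress(Packet(C, 1, syn=True))  # refused while paused
    snapshot = dict(main.table)  # stands in for the hardware-level atomic copy
    if gap_traffic:
        sel.ingress(Packet(A, 3))  # main path advances past the copy
    next_a = 4 if gap_traffic else 3
    winning.table, winning.accepting_new = dict(snapshot), True  # claim 8: state recovery
    sel.buffer = deque()  # activate the input buffer queue
    held = [sel.ingress(Packet(A, next_a)), sel.ingress(Packet(B, 2))]
    sel.active = winning  # switching signal to the data path selector
    released = sel.release_buffer()
    sel.ingress(Packet(A, next_a + 1))  # now served by the winning logic
    sel.ingress(Packet(C, 1, syn=True))  # new sessions resume
    return {
        "paused_verdict": paused,
        "buffered_during_switch": held.count(None),
        "released": released,
        "out_of_order_drops": winning.verdicts.count("drop:out-of-order"),
        "winning_table": winning.table,
    }


if __name__ == "__main__":
    print("clean:", run_demo())
    print("stale copy:", run_demo(gap_traffic=True))
```

In the clean run every packet that arrives during the switch is held and then accepted by the winning logic with its sequence continuity intact, and the winning table ends up carrying the migrated flows plus the new session. The `gap_traffic` run shows why the ordering matters: any packet the main path processes between the atomic copy and buffer activation advances state the copy does not carry, and the winning logic then rejects that flow as out of order. Closing that window, for example by activating the buffer before taking the copy or by re-copying the delta, is what makes the switch genuinely seamless.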