CN108881254A - Neural network-based intrusion detection system - Google Patents

Neural network-based intrusion detection system

Info

Publication number
CN108881254A
Authority
CN
China
Prior art keywords
neural network
matrix
detection system
data
intrusion detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810696883.2A
Other languages
Chinese (zh)
Other versions
CN108881254B (en)
Inventor
李曦
王超
孙凡
周学海
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Institute for Advanced Study USTC
Original Assignee
Suzhou Institute for Advanced Study USTC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou Institute for Advanced Study USTC filed Critical Suzhou Institute for Advanced Study USTC
Priority to CN201810696883.2A priority Critical patent/CN108881254B/en
Publication of CN108881254A publication Critical patent/CN108881254A/en
Application granted granted Critical
Publication of CN108881254B publication Critical patent/CN108881254B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/06Physical realisation, i.e. hardware implementation of neural networks, neurons or parts of neurons
    • G06N3/063Physical realisation, i.e. hardware implementation of neural networks, neurons or parts of neurons using electronic means
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computer Hardware Design (AREA)
  • Neurology (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Artificial Intelligence (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a neural network-based intrusion detection system built on a service-oriented architecture, comprising a cache module and a neural network accelerator module. The cache module exploits temporal locality in hardware to capture redundancy, reducing the demand for storage resources; the neural network accelerator module detects attack strings and accelerates the string-matching process. The whole system runs on a cloud computing platform. The redundancy table mechanism designed and implemented by the invention makes good use of temporal locality in hardware and greatly reduces the demand for on-chip storage resources. At the same time, to improve the speed and accuracy of the intrusion detection system, the invention also applies a neural network method to accelerate string matching. Compared with a general-purpose processor, the intrusion detection system of the invention offers high performance and low power consumption, and can satisfy the speed and throughput requirements of the big data era.

Description

Neural network-based intrusion detection system
Technical field
The present invention relates to the field of computer hardware acceleration, and in particular to an intrusion detection system and its design method.
Background art
In the big data era, Internet-related applications have grown explosively, and the accompanying spread of hacker attacks and network viruses places ever stricter requirements on network security. To protect a network from attack, or at least to mitigate attacks, network administrators generally deploy a firewall on the router. However, a firewall can only capture a limited range of attacks. Therefore, for the sake of network security, intrusion detection systems are increasingly deployed on routers. An intrusion detection system detects hacker attacks and network viruses by inspecting network packets. In general, an intrusion detection system contains many hardware probes that monitor network packets in real time; once a probe detects an anomaly, it triggers an intrusion alarm.
In general, the most important part of an intrusion detection system is the string-matching algorithm. String matching is a compute-intensive problem: a given string is compared against a set of reference strings. The intrusion detection system inspects incoming packets and compares them against the reference strings; a match means the packet poses a security risk, and the system handles the data according to how dangerous that risk is to the system. However, as the flood of network traffic grows, the amount of data a computer must process keeps increasing and can no longer satisfy the demands of the big data era. For example, a hacker can easily deliver malicious packets to a system and break through the firewall with a large volume of packets and a fast attack scheme. Guaranteeing the security of a network system therefore poses a great challenge to improving the throughput and speed of network intrusion systems.
On the other hand, neural networks belong to the connectionist school of artificial intelligence; they are mathematical models that process information using a structure resembling the synaptic connections of the brain. In the 1950s the first-generation neural network, the perceptron, was born; it could perform linear classification, associative memory, and so on. In the 1980s the multi-layer perceptron and its training algorithm, back propagation (BP), were widely studied and applied because they could solve linearly inseparable problems. But the low hardware computing power of the time and the tendency of the training algorithm to fall into local minima became bottlenecks restricting the development of neural computation methods, until the "multi-layer structure, layer-by-layer learning" deep learning methods initiated by Professor Hinton in 2006 truly brought the powerful computing capability of neural networks into play, making them a bright star of data analysis against the historical background of big data. These methods have achieved breakthrough success in speech recognition, image recognition, and related fields, refreshing the records of these application domains again and again at an amazing speed.
Summary of the invention
In view of the above technical problems and the latest technical progress, the object of the present invention is to apply neural network technology to intrusion detection systems and accelerate string matching, so as to meet the requirements placed on such systems in the big data era.
The technical scheme of the present invention is as follows:
A neural network-based intrusion detection system, comprising a cache module and a neural network accelerator module, wherein the cache module exploits temporal locality in hardware to capture redundancy, reducing the demand for storage resources, and the neural network accelerator module detects attack strings and accelerates the string-matching process. On this basis, for ease of use, the present invention provides a unified programming interface through which users invoke the service.
In a preferred scheme, the cache module uses Bloom filters to support parallel queries, extends the Bloom filter into a counting Bloom filter, and takes the latter as the basic unit; multiple basic units connected in parallel form a minimal cache structure. This method greatly saves the on-chip storage resources of the FPGA.
In a preferred scheme, the neural network accelerator module consists of three parts: a bus structure, a buffer structure, and a computing engine.
The bus structure, comprising a data bus and a control bus, is used respectively for transmitting data and commands.
The buffer structure comprises three parts, an input buffer, an output buffer, and a weight buffer, used respectively for storing the input data, output data, and weight data of the neural network computation.
The computing unit, comprising multipliers and adders, performs the multiply-add operations of the neural network.
The convolutional layers and fully connected layers of a convolutional neural network have different characteristics: convolutional layers are compute-intensive, while fully connected layers are memory-access-intensive. Therefore, when applying a convolutional neural network to accelerate string matching, we optimize convolutional layers and fully connected layers differently. In a preferred scheme, for convolutional layers we focus on parallel computation and apply a method that converts the convolution into a matrix multiplication; for fully connected layers we focus on reducing the required memory bandwidth and apply a batching method.
For the matrix multiplication, a preferred scheme uses a tiling design: each row of the input matrix is split into tiles of a fixed tile size, and each column of the weight matrix is split into tiles of the same size. Each step performs the multiply-add operations between one tile of input data and one tile of weight data, yielding an intermediate result; after a whole row has been computed, the intermediate results are accumulated into the final result.
In a preferred scheme, the neural network accelerator module has multiple computing units, each corresponding to one layer of the convolutional neural network model, and the computing units compute in a pipelined fashion.
Since the computations of both the convolutional layers and the fully connected layers are unified as matrix multiplications, two different matrix multiplication modes are used on this basis. In the first mode, a partial result of the output matrix is computed using one tile of input and then updated using the next tile of input; in this mode the weight-matrix window moves vertically. In the second mode, all partial results of the output matrix are computed using only one tile of input, and then all partial results are updated using the next tile of input; in this mode the weight-matrix window moves horizontally. In a preferred scheme, the two modes are used alternately in the pipelined computation.
In a preferred scheme, the programming interface covers hardware platform initialization and data transfer.
Compared with the prior art, the advantages of the invention are:
The invention is easy to use and transparent to the user. The redundancy table mechanism designed and implemented by the invention makes good use of temporal locality in hardware and greatly reduces the demand for on-chip storage resources. At the same time, to improve the speed and accuracy of the intrusion detection system, the invention applies a neural network method to accelerate string matching. Compared with a general-purpose processor, the intrusion detection system of the invention offers high performance and low power consumption, and can satisfy the speed and throughput requirements of the big data era.
Brief description of the drawings
The invention will be further described with reference to the accompanying drawings and embodiments:
Fig. 1 is the system architecture diagram of the FPGA-based data center parallel intrusion detection system of this embodiment;
Fig. 2 is the intrusion detection system architecture diagram of this embodiment;
Fig. 3 is the Bloom filter structure diagram of this embodiment;
Fig. 4 is the structure diagram of the extended counting Bloom filter of this embodiment;
Fig. 5 is the detailed design diagram of the cache module of this embodiment;
Fig. 6 illustrates computing a convolutional layer by the matrix multiplication method of this embodiment;
Fig. 7 illustrates computing a fully connected layer by the batching method of this embodiment;
Fig. 8 illustrates the pipelined computation method of this embodiment;
Fig. 9 is the hardware architecture diagram of the neural network accelerator of this embodiment.
Specific embodiment
The above scheme is further described below in conjunction with specific embodiments. It should be understood that these embodiments are intended to illustrate the invention, not to limit its scope. The implementation conditions used in the examples may be further adjusted according to the conditions of a specific manufacturer; implementation conditions that are not specified are the usual conditions of routine experiments.
The intrusion detection system in the embodiment of the present invention includes a cache module and a neural network accelerator module. The cache module exploits temporal locality in hardware to capture redundancy, reducing the demand for storage resources; the neural network accelerator module detects attack strings and accelerates the string-matching process. The data path between the accelerator and the general-purpose processor may use the PCI-E bus protocol, the AXI bus protocol, and so on. The accompanying drawings take the AXI bus protocol as an example, but the invention is not limited thereto.
Fig. 1 is the system architecture diagram of the FPGA-based data center parallel intrusion detection system of this embodiment. Here, the intrusion detection system server is mainly responsible for the pattern-matching task. During execution, part of the task can be offloaded to the FPGA accelerator. The front-end intrusion detection system server is responsible for attack detection in the data center, and the back-end server is responsible for database management. Regarding the data processing of the intrusion detection system, the server first analyzes the behavior of the application program, mainly using a neural network-based method. Task distribution and the interface run on the software server of the intrusion detection system, while the neural network method runs on the FPGA hardware accelerator.
Fig. 2 is the intrusion detection system architecture diagram of this embodiment; it consists of two parts, a buffer area and a matching engine. The buffer stores intermediate results waiting to be processed by the matching engine. Stream denotes the payload, which is sent to the buffer under the write control unit. In the matching engine, a status register stores the final output state of the redundant bytes.
At the beginning of each processing cycle, the combination of the temporary register and the status register is sent to the cache module and the neural network module; this combination represents the index into the cache module, and the input state and data stream processed by the neural network module. Initially, the select signal and the NN_done signal are both initialized to 0. When a cache-line hit occurs in the cache, the output state read from the redundancy table is sent onto the X bus and the select signal is set to 1. Likewise, in the original module, the final output state obtained after traversing the finite state machine is sent onto the Y bus and the NN_done signal is set to 1. The select and NN_done signals are ORed under the en enable signal. When en is true, the MUX unit chooses its input from the X or Y bus according to the select signal and sends the result to the matching logic unit. At the same time the do_next signal becomes valid, terminating the execution of the cache module and the neural network module and starting the next processing cycle. Similarly, the read_next signal is set, causing the controller to read the next cycle's data from the buffer. When the matching logic unit receives the status data, it judges whether the rule matches an attack known to the finite state machine. When a match occurs, it sets the match signal and directly updates the status register. The matching logic then enters the next processing cycle.
In state-of-the-art work, the redundancy table is implemented in software as a plain hash table. As hash collisions increase, the index must be compared with the equivalent entries in the table, so all indexes have to be stored in memory; as the number of table entries grows, the required storage inevitably grows with it. However, on-chip storage on an FPGA is limited, and off-chip access latency is too high. To solve this problem, the present invention designs a new redundancy table storage structure on the FPGA. Since an intrusion detection system tolerates a certain amount of error, the invention uses this tolerance to rebuild the cache storage structure with Bloom filters, and extends the Bloom filter.
The Bloom filter was proposed by Bloom in 1970. It is essentially a very long binary vector together with a series of random mapping functions, and can be used to test whether an element belongs to a set.
Fig. 3 is the Bloom filter structure diagram of this embodiment, where n is the size of the set, k is the number of independent hash functions, and m is the number of bits of the bit vector v. f denotes the probability of a false positive (Type I error); by choosing suitable values of m and k, this probability can be reduced. Ideally, assuming the most suitable value of k has been chosen, as shown in equation (1):

    k = (m / n) · ln 2    (1)

the probability of a false positive is then calculated as shown in equation (2):

    f = (1 − e^(−kn/m))^k = (1/2)^k    (2)
The Bloom filter structure supports the following operations:
Adding an element: the element is fed into the k hash functions to obtain k positions, and the bits at those positions are set to 1.
Querying an element: to test whether an element is in the set, it is fed into the k hash functions to obtain k positions; the element may be in the set only if all k bits are set.
Deleting an element from a Bloom filter, however, is impossible, because false positives cannot be avoided: an element maps to k positions, and although setting those k bits to 0 suffices to delete the element, it may also delete other elements.
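The add and query operations can be made concrete with a minimal C sketch, assuming an m-bit vector and k seeded hash functions; the hash family and names here are illustrative placeholders, not the hardware design described below:

    #include <stdbool.h>
    #include <stddef.h>
    #include <stdint.h>

    #define M_BITS 2048          /* bits in the vector v (one BRAM's worth) */
    #define K_HASH 2             /* number of independent hash functions    */

    static uint8_t v[M_BITS / 8];  /* the bit vector */

    /* Illustrative hash family: K_HASH seeded variants of FNV-1a. */
    static uint32_t bf_hash(const char *key, size_t len, int i) {
        uint32_t h = 2166136261u ^ ((uint32_t)i * 0x9e3779b9u);
        for (size_t j = 0; j < len; j++) { h ^= (uint8_t)key[j]; h *= 16777619u; }
        return h % M_BITS;
    }

    /* Adding an element: set the bit at each of the k hashed positions. */
    void bf_add(const char *key, size_t len) {
        for (int i = 0; i < K_HASH; i++) {
            uint32_t p = bf_hash(key, len, i);
            v[p / 8] |= (uint8_t)(1u << (p % 8));
        }
    }

    /* Querying an element: possibly present only if all k bits are set;
     * false positives are possible, false negatives are not. */
    bool bf_query(const char *key, size_t len) {
        for (int i = 0; i < K_HASH; i++) {
            uint32_t p = bf_hash(key, len, i);
            if (!(v[p / 8] & (1u << (p % 8)))) return false;
        }
        return true;
    }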
A Bloom filter uses a large number of hash functions, which requires a large amount of hardware resources to implement. On the basis of the original Bloom filter, the present invention extends it by replacing each bit of the original v array with a counter, yielding a counting Bloom filter.
Fig. 4 is the structure diagram of the extended counting Bloom filter of this embodiment, with x and y as indexes. The invention also maintains an array C of size m, each element Ci of which is the counter associated with the i-th position of the v array. Each element of C is also used to store an output state. When an element is inserted, the counter at each hashed index value is incremented. Suppose every element in the string set S is an index of the redundancy table and the output states of all indexes in the set are stored: each index in S is hashed and the corresponding counters are incremented; the intrusion detection system then reads the corresponding counters and writes the output state of each index into the element of array C at the position with the smallest counter value. The redundancy structure is implemented with Block RAM (BRAM) on the FPGA.
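The insert and lookup behaviour of this extended structure can be sketched in C as follows, reusing bf_hash() from the sketch above; the hardware's 3-bit counters and 15-bit output states are widened to bytes and halfwords here purely for clarity:

    /* Counting Bloom filter with per-slot output states: each bit of v is
     * replaced by a counter C_i, and each slot can also hold an output
     * state, written at the position with the smallest counter value. */
    static uint8_t  cbf_cnt[M_BITS];    /* counters C_i                     */
    static uint16_t cbf_state[M_BITS];  /* output state stored per position */

    void cbf_insert(const char *key, size_t len, uint16_t out_state) {
        uint32_t pos[K_HASH];
        for (int i = 0; i < K_HASH; i++) {
            pos[i] = bf_hash(key, len, i);
            cbf_cnt[pos[i]]++;          /* bump every hashed counter */
        }
        uint32_t best = pos[0];
        for (int i = 1; i < K_HASH; i++)
            if (cbf_cnt[pos[i]] < cbf_cnt[best]) best = pos[i];
        cbf_state[best] = out_state;    /* store state at smallest counter */
    }

    /* Lookup: a hit requires every hashed counter to be non-zero; the
     * output state is read back from the slot with the smallest counter. */
    bool cbf_lookup(const char *key, size_t len, uint16_t *out_state) {
        uint32_t pos[K_HASH];
        for (int i = 0; i < K_HASH; i++) {
            pos[i] = bf_hash(key, len, i);
            if (cbf_cnt[pos[i]] == 0) return false;    /* miss */
        }
        uint32_t best = pos[0];
        for (int i = 1; i < K_HASH; i++)
            if (cbf_cnt[pos[i]] < cbf_cnt[best]) best = pos[i];
        *out_state = cbf_state[best];
        return true;                    /* hit (may be a false positive) */
    }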
In the hardware implementation of the intrusion detection system, the BRAM is configured as dual-port; to make the best use of these BRAMs, the best value of k is 2. In the present invention, each counter is 3 bits and 15 bits are used to store the output state, so each entry of the redundancy table is 18 bits. One BRAM block holds 36K bits, so each BRAM can contain 36*1024/18 = 2048 entries; that is, in the Bloom filter m = 2048 and k = 2. According to equations (1) and (2), one BRAM block can support n = (m/k)·ln 2 = 709 entries, and the probability of a false positive is (1/2)^2 = 0.25. Fig. 5(a) shows the basic unit of the cache module of this embodiment. In the present invention, we define M to denote the supported entry count and address range, e.g. M(709, [1...2048]). The input of the basic unit is an index value; its outputs are the combination of the smallest counter with its state, and a signal indicating a hit or a miss. In addition, the hash functions used by the components of the hash partition generator differ from one another. Connecting 5 such basic units in parallel forms a minimal mini-EBF, as shown in Fig. 5(b), whose false positive probability is f = (1/2)^10. In the present invention, we define G to denote the supported entry count, basic unit count, and address range, e.g. G(709, 5, [1...2048]). Since the set S has 20,000 entries and each mini-EBF supports 709, a total of 20000/709 = 29 mini-EBFs are needed.
Moreover, in a mini-EBF the range of each hash function is limited by the address range, and the effect on the final false positive rate of restricting a hash function's mapping to a particular address space is negligible. As shown in Fig. 5(c), the hit (miss) signal of the cache module is equivalent to (a1 ∨ a2 ∨ ... ∨ a28 ∨ a29). For example, when the bit vector (a1, a2, ..., a29) equals (1, 0, ..., 0), the output state of the cache module is set to the output state of mini-EBF G1, and the corresponding hit (miss) signal of the cache module is 1.
To improve the speed and accuracy of the intrusion detection system, the present invention also applies a neural network module in the matching logic.
A convolutional neural network contains many different types of layers, which can be divided into two parts: a feature extractor and a classifier. The feature extractor consists of multiple convolutional layers, plus down-sampling (pooling) layers and activation layers, and extracts the features of the input; its output feeds the input of the classifier. The classifier consists of multiple fully connected layers and identifies which category the input belongs to.
The convolutional layers and fully connected layers of a convolutional neural network have different characteristics: convolutional layers are compute-intensive, while fully connected layers are memory-access-intensive. Therefore, when applying a convolutional neural network to accelerate the matching logic, the present invention optimizes convolutional layers and fully connected layers differently. For convolutional layers we focus on parallel computation and apply a method that converts the convolution into a matrix multiplication; for fully connected layers we focus on reducing the required memory bandwidth and apply a batching method. On this basis, the invention also applies pipelined computation to the whole network.
The pseudocode of a convolutional layer is as follows: it receives N feature maps as input, and each input feature map is convolved with a sliding window of size K*K to generate one pixel on one output feature map. The stride of the sliding window is S, and the M output feature maps participate in the computation as the input of the next round.
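The original listing is an image not reproduced in this text; the following C loop nest is a reconstruction consistent with the description above, with the dimensions of the Fig. 6 example (3 input maps of 3*3, 2*2 kernels, stride 1, 2 output maps) as illustrative placeholders:

    /* Convolutional layer: N input maps in[N][H][W], M output maps
     * out[M][R][C], one K*K weight window per (output map, input map) pair,
     * sliding with stride S. */
    enum { N = 3, H = 3, W = 3, M = 2, K = 2, S = 1,
           R = (H - K) / S + 1, C = (W - K) / S + 1 };

    void conv_layer(const float in[N][H][W], const float wt[M][N][K][K],
                    float out[M][R][C]) {
        for (int m = 0; m < M; m++)               /* each output feature map */
            for (int r = 0; r < R; r++)
                for (int c = 0; c < C; c++) {     /* each output pixel       */
                    float acc = 0.0f;
                    for (int n = 0; n < N; n++)           /* input maps      */
                        for (int i = 0; i < K; i++)       /* window rows     */
                            for (int j = 0; j < K; j++)   /* window columns  */
                                acc += in[n][r * S + i][c * S + j]
                                     * wt[m][n][i][j];
                    out[m][r][c] = acc;
                }
    }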
In the present invention, we convert the computation of a convolutional layer into a matrix multiplication through a 3-dimensional mapping. For example, Fig. 6 illustrates computing a convolutional layer by the matrix multiplication method of this embodiment: Fig. 6(a) is the traditional convolution method, and Fig. 6(b) is the matrix multiplication method. Comparison shows that the two methods produce identical output. In Fig. 6(b), the 3 input feature maps of size 3*3 are rearranged into a matrix of (2*2) × (3*2*2). The data of the first 2*2 convolution kernel window of the input feature maps is unfolded and arranged horizontally into the input matrix, as shown in Fig. 6(b); applying the 2*2 kernel window to all 3 input features yields the entire input matrix. The six 2*2 convolution kernels are likewise rearranged into a matrix of (3*2*2) × 2. Completing the multiplication of these two matrices is then equivalent to completing the convolution of this layer. It should be noted that the rearrangement of the whole input feature is completed as the data is stored into the FPGA on-chip cache, which reduces the demand on external memory because the fully rearranged input matrix never needs to be stored.
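Continuing the sketch above, the rearrangement of Fig. 6(b) (commonly called im2col) can be written as follows: each kernel-window position becomes one row of the (2*2) × (3*2*2) input matrix, so the convolution reduces to multiplying it by the (3*2*2) × 2 weight matrix:

    /* Unfold each K*K window across all N input maps into one row; the
     * convolution then becomes a single matrix multiplication mat * wmat. */
    void im2col(const float in[N][H][W], float mat[R * C][N * K * K]) {
        for (int r = 0; r < R; r++)
            for (int c = 0; c < C; c++) {
                int row = r * C + c;        /* one window position per row */
                int col = 0;
                for (int n = 0; n < N; n++)
                    for (int i = 0; i < K; i++)
                        for (int j = 0; j < K; j++)
                            mat[row][col++] = in[n][r * S + i][c * S + j];
            }
    }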
The computation of a fully connected layer can be regarded as a matrix-vector multiplication. In the present invention we complete it with a tiling method, as shown in Fig. 7(a). The tile size is m. We first compute the section [x1, xm] of the input array against the m*n weight block to obtain the partial result [y1, yn]; we then use [xm+1, x2m] as input against another m*n weight block to update the partial result [y1, yn]. When all the input data has been computed against the first column of weights, we obtain the final [y1, yn]. The other results are obtained in the same way.
Since the fully connected layers occupy a large amount of memory-access bandwidth, in the present invention we use a batching method to optimize their memory access. As shown in Fig. 7(b), N input arrays form one input matrix, where N can be taken as the batch size. After applying batching, the computation increases N-fold while the memory access does not increase, so the memory-access bandwidth is reduced. Since N clock cycles are needed to complete the N*m*n multiplications, during this time the accelerator must prepare the data required for the next round; N should therefore be no less than the time spent reading m*n weight values.
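A minimal C sketch combining the tiling of Fig. 7(a) with the batching of Fig. 7(b); sizes are illustrative. Each m*n weight tile is touched once and reused across the whole batch, which is exactly what removes the extra memory traffic:

    /* Fully connected layer, tiled over the input dimension and batched:
     * the loops inside the tile loop reuse one weight tile for every input
     * array in the batch before the next tile is needed. */
    enum { FC_IN = 8, FC_OUT = 4, TILE_M = 4, BATCH_N = 2 };

    void fc_layer(const float x[BATCH_N][FC_IN],
                  const float wt2[FC_IN][FC_OUT],
                  float y[BATCH_N][FC_OUT]) {
        for (int b = 0; b < BATCH_N; b++)
            for (int o = 0; o < FC_OUT; o++)
                y[b][o] = 0.0f;

        for (int t = 0; t < FC_IN; t += TILE_M)    /* one input tile [x1..xm] */
            for (int b = 0; b < BATCH_N; b++)      /* reuse the weight tile   */
                for (int o = 0; o < FC_OUT; o++)   /* partial sums [y1..yn]   */
                    for (int i = t; i < t + TILE_M; i++)
                        y[b][o] += x[b][i] * wt2[i][o];
    }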
In the present invention, the computations of the convolutional layers and fully connected layers have both been converted into matrix multiplications; to improve the performance of the neural network module, we apply a pipelined computation method.
To achieve pipelined computation, the matrix multiplication mode is reorganized. In Fig. 8(a), the computation mode is identical to Fig. 7; in Fig. 8(b), the mode differs from Fig. 7. In Fig. 8(b), all partial results of the output matrix use only [x1, xm] as input; then all partial results of the output matrix are updated using [xm+1, x2m] as input. In this mode the m*n window of the weight matrix moves horizontally, whereas in Fig. 7 the m*n window of the weight matrix moves vertically.
In the present invention, the two matrix multiplication modes are used alternately. The matrix multiplication of the first layer uses the vertically moving mode to obtain the partial result [y1, yn]; then the matrix computation of the second layer can start, using the horizontally moving mode with only [y1, yn] as its input. Since the second layer begins before all of the first layer's computations have completed, we need only a buffer of size N*n to store the intermediate results of the first layer. The subsequent third-layer matrix multiplication uses the vertically moving mode, the fourth layer uses the horizontally moving mode, and so on. In this way the pipeline flows smoothly.
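A C sketch of the two orderings, under the simplifying assumption of a single input vector and a zero-initialized output; the only difference is which loop sits outside, i.e. whether the weight window walks down the rows or across the columns:

    enum { P_IN = 8, P_OUT = 8, P_T = 4 };   /* illustrative sizes */

    /* Vertical mode (Fig. 8(a)): one output tile is finished completely
     * before the next, so a downstream layer can consume it early.
     * y is assumed zero-initialized by the caller. */
    void matmul_vertical(const float x[P_IN], const float wt3[P_IN][P_OUT],
                         float y[P_OUT]) {
        for (int o = 0; o < P_OUT; o += P_T)       /* per output tile       */
            for (int t = 0; t < P_IN; t += P_T)    /* weight window moves   */
                for (int oo = o; oo < o + P_T; oo++)   /* vertically        */
                    for (int i = t; i < t + P_T; i++)
                        y[oo] += x[i] * wt3[i][oo];
    }

    /* Horizontal mode (Fig. 8(b)): one input tile updates all partial
     * results before the next tile arrives - the same order in which an
     * upstream vertical-mode layer produces its output. */
    void matmul_horizontal(const float x[P_IN], const float wt3[P_IN][P_OUT],
                           float y[P_OUT]) {
        for (int t = 0; t < P_IN; t += P_T)        /* per input tile        */
            for (int o = 0; o < P_OUT; o += P_T)   /* weight window moves   */
                for (int oo = o; oo < o + P_T; oo++)   /* horizontally      */
                    for (int i = t; i < t + P_T; i++)
                        y[oo] += x[i] * wt3[i][oo];
    }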
Fig. 9 is the hardware architecture diagram of the neural network accelerator of this embodiment. The AXI4-Lite bus in the figure is used for command transmission, and the AXI4 bus is used for data transmission. In Fig. 9 there are multiple processing units, each corresponding to one layer of the convolutional neural network topology. To improve performance and throughput, all processing units work in a pipelined fashion. In our design, the inter-layer partial results are stored in the FPGA's on-chip buffers. This significantly reduces data accesses and, more importantly, the on-chip buffers also promote data reuse.
The computation structure of the matrix multiplication can also be seen in Fig. 9, comprising data buffers and a computing engine. In the present invention, the computing engine consists of many multipliers and adders, responsible for the multiplications and additions. To speed up the computation, an adder tree is placed after the parallel multiplication operations to complete the accumulation. The input buffer, output buffer, and weight buffer constitute the data buffer area. In our design, input data and weight data are prefetched into the corresponding buffers by a data-prefetching technique, and the inter-layer partial results are stored in the output buffer. Double buffering is used for the on-chip buffers so that data can be accessed in a ping-pong manner, which allows the data transfer time to overlap with the computation time.
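A schematic C sketch of the double-buffering scheme; dma_load() and compute() are hypothetical stand-ins for the hardware DMA and the processing element, and in hardware the fetch proceeds concurrently with the computation rather than sequentially as written:

    #define TILE_WORDS 1024

    extern void dma_load(float *dst, int tile_idx);  /* hypothetical DMA fetch */
    extern void compute(const float *tile);          /* hypothetical PE kernel */

    /* Ping-pong buffering: while the engine computes on one buffer, the DMA
     * fills the other, so transfer time overlaps with computation time. */
    void run_pipelined(int num_tiles) {
        static float buf[2][TILE_WORDS];
        int cur = 0;

        dma_load(buf[cur], 0);                     /* prefetch the first tile */
        for (int t = 0; t < num_tiles; t++) {
            if (t + 1 < num_tiles)
                dma_load(buf[cur ^ 1], t + 1);     /* fetch next tile         */
            compute(buf[cur]);                     /* consume current tile    */
            cur ^= 1;                              /* swap ping and pong      */
        }
    }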
To make the intrusion detection system service easier to use, we define a programming interface to control the accelerators within it. The programming interface defined in the present invention is general and can adapt to different application fields and different types of accelerators. The pseudocode of the programming model comprises the following two steps.
1. Hardware platform initialization: in the FPGA accelerator we design, initialization includes the initialization of the neural network accelerator and of the DMA. To add more hardware modules, the initialization code can be modified based on the hardware specification. We initialize the DMA device using the AxiDma_CfgInitialize() API, with the relevant configuration parameters stored in the DmaDev structure, including the number of channels, data width, operating mode, and control signals. Similarly to the DMA initialization, the initial configuration information of the neural network accelerator includes the control signals, device name, and physical address.
2. Application load and data transfer: after initialization completes, we can start the DMA device and the accelerator by setting specific register values; all the information that instructs the accelerator to complete the computation is contained in InputData. In particular, we use the AxiDma_Transfer() function to transmit data to the accelerator and to receive the data sent back from it. This function has 4 parameters: the first specifies the DMA device, the second the start address of the data transfer, the third the size of the transfer, and the fourth the direction of the transfer.
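The pseudocode itself is not reproduced in this text; the following C sketch is a reconstruction of the two steps, using the AxiDma_CfgInitialize() and AxiDma_Transfer() calls and the DmaDev structure named above. The field names, direction constants, and the accel_init() helper are illustrative assumptions, not a definitive API:

    #include <stddef.h>
    #include <stdint.h>

    typedef struct {            /* DMA configuration, as described above */
        int channels, data_width, mode, ctrl;
    } DmaDev;

    typedef struct {            /* accelerator configuration             */
        int ctrl;
        const char *name;
        uintptr_t phys_addr;
    } AccelDev;

    extern int  AxiDma_CfgInitialize(DmaDev *dev);
    extern int  AxiDma_Transfer(DmaDev *dev, void *addr, size_t size, int dir);
    extern void accel_init(const AccelDev *acc);   /* hypothetical helper */

    enum { TO_DEVICE = 0, FROM_DEVICE = 1 };       /* assumed direction codes */

    int run_detection(void *InputData, size_t in_sz, void *result, size_t out_sz) {
        /* Step 1: hardware platform initialization - DMA, then accelerator. */
        DmaDev dma = { .channels = 1, .data_width = 32, .mode = 0, .ctrl = 0 };
        if (AxiDma_CfgInitialize(&dma) != 0)
            return -1;
        AccelDev acc = { .ctrl = 0, .name = "nn-ids", .phys_addr = 0x40000000u };
        accel_init(&acc);

        /* Step 2: application load and data transfer. InputData carries all
         * the information the accelerator needs to finish the computation. */
        AxiDma_Transfer(&dma, InputData, in_sz, TO_DEVICE);
        AxiDma_Transfer(&dma, result, out_sz, FROM_DEVICE);
        return 0;
    }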
The foregoing examples merely illustrate the technical concept and features of the invention; their purpose is to allow those skilled in the art to understand the content of the invention and implement it accordingly, not to limit the scope of protection of the invention. All equivalent transformations or modifications made according to the spirit and essence of the invention shall be covered by the scope of protection of the invention.

Claims (6)

1. A neural network-based intrusion detection system, characterized in that it comprises:
a cache module, which exploits temporal locality in hardware to capture redundancy, reducing the demand for storage resources;
a neural network accelerator module, which detects attack strings and accelerates the string-matching process; and
a unified programming interface, through which users invoke the intrusion detection system.
2. The neural network-based intrusion detection system according to claim 1, characterized in that the cache module uses Bloom filters to support parallel queries, extends the Bloom filter into a counting Bloom filter, and takes it as the basic unit; multiple basic units connected in parallel form a minimal cache structure, greatly saving the on-chip storage resources of the FPGA.
3. The neural network-based intrusion detection system according to claim 1, characterized in that the neural network accelerator module comprises a bus structure, a buffer structure, and a computing engine;
the bus structure, comprising a data bus and a control bus, is used respectively for transmitting data and commands;
the buffer structure comprises three parts, an input buffer, an output buffer, and a weight buffer, used respectively for storing the input data, output data, and weight data of the neural network computation;
the computing unit, comprising multipliers and adders, performs the multiply-add operations of the neural network; the neural network contains convolutional layers and fully connected layers: for the convolutional layers the convolution is converted into a matrix multiplication, and for the fully connected layers a batching method is applied.
4. The neural network-based intrusion detection system according to claim 3, characterized in that the matrix multiplication uses a tiling design: each row of the input matrix is split into tiles of a fixed tile size, and each column of the weight matrix is split into tiles of the same size; each step performs the multiply-add operations between one tile of input data and one tile of weight data, yielding an intermediate result, and after a whole row has been computed the intermediate results are accumulated into the final result.
5. The neural network-based intrusion detection system according to claim 3, characterized in that the neural network accelerator module has multiple computing units, each corresponding to one layer of the convolutional neural network model, and the computing units compute in a pipelined fashion;
the computations of the convolutional layers and fully connected layers are all unified as matrix multiplications, on the basis of which two different matrix multiplication modes are used: in the first mode, a partial result of the output matrix is computed using one tile of input and then updated using the next tile of input, and the weight-matrix window moves vertically; in the second mode, all partial results of the output matrix are computed using only one tile of input and are then all updated using the next tile of input, and the weight-matrix window moves horizontally; the two matrix multiplication modes are used alternately in the pipelined computation.
6. The neural network-based intrusion detection system according to claim 1, characterized in that the programming interface covers hardware platform initialization and data transfer.
CN201810696883.2A 2018-06-29 2018-06-29 Intrusion detection system based on neural network Active CN108881254B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810696883.2A CN108881254B (en) 2018-06-29 2018-06-29 Intrusion detection system based on neural network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810696883.2A CN108881254B (en) 2018-06-29 2018-06-29 Intrusion detection system based on neural network

Publications (2)

Publication Number Publication Date
CN108881254A true CN108881254A (en) 2018-11-23
CN108881254B CN108881254B (en) 2021-08-06

Family

ID=64297233

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810696883.2A Active CN108881254B (en) 2018-06-29 2018-06-29 Intrusion detection system based on neural network

Country Status (1)

Country Link
CN (1) CN108881254B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110768946A (en) * 2019-08-13 2020-02-07 中国电力科学研究院有限公司 Industrial control network intrusion detection system and method based on bloom filter
CN111741002A (en) * 2020-06-23 2020-10-02 广东工业大学 Method and device for training network intrusion detection model
CN112396174A (en) * 2019-08-12 2021-02-23 美光科技公司 Storage device with neural network accelerator for predictive maintenance of a vehicle
CN113447883A (en) * 2021-06-25 2021-09-28 海宁奕斯伟集成电路设计有限公司 Multi-station parallel test method and test system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101770581A (en) * 2010-01-08 2010-07-07 西安电子科技大学 Semi-automatic detecting method for road centerline in high-resolution city remote sensing image
CN103747060A (en) * 2013-12-26 2014-04-23 惠州华阳通用电子有限公司 Distributed monitor system and method based on streaming media service cluster
US20140157396A1 (en) * 2012-05-22 2014-06-05 Xockets IP , LLC Efficient packet handling, redirection, and inspection using offload processors
CN105891215A (en) * 2016-03-31 2016-08-24 浙江工业大学 Welding visual detection method and device based on convolutional neural network
CN107025317A (en) * 2015-10-07 2017-08-08 阿尔特拉公司 Method and apparatus for implementing the layer on convolutional neural networks accelerator
CN107924472A (en) * 2015-06-03 2018-04-17 英乐爱有限公司 Pass through the image classification of brain computer interface

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101770581A (en) * 2010-01-08 2010-07-07 西安电子科技大学 Semi-automatic detecting method for road centerline in high-resolution city remote sensing image
US20140157396A1 (en) * 2012-05-22 2014-06-05 Xockets IP , LLC Efficient packet handling, redirection, and inspection using offload processors
CN103747060A (en) * 2013-12-26 2014-04-23 惠州华阳通用电子有限公司 Distributed monitor system and method based on streaming media service cluster
CN107924472A (en) * 2015-06-03 2018-04-17 英乐爱有限公司 Pass through the image classification of brain computer interface
CN107025317A (en) * 2015-10-07 2017-08-08 阿尔特拉公司 Method and apparatus for implementing the layer on convolutional neural networks accelerator
CN105891215A (en) * 2016-03-31 2016-08-24 浙江工业大学 Welding visual detection method and device based on convolutional neural network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CHAO WANG: "xFilter: A Temporal Locality Accelerator for Intrusion Detection System Services", 2017 IEEE 24th International Conference on Web Services *
FAN SUN: "A High-Performance Accelerator for Large-Scale Convolutional Neural Networks", 2017 IEEE International Symposium on Parallel and Distributed Processing with Applications and 2017 IEEE International Conference on Ubiquitous Computing and Communications (ISPA/IUCC) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112396174A (en) * 2019-08-12 2021-02-23 美光科技公司 Storage device with neural network accelerator for predictive maintenance of a vehicle
CN110768946A (en) * 2019-08-13 2020-02-07 中国电力科学研究院有限公司 Industrial control network intrusion detection system and method based on bloom filter
CN111741002A (en) * 2020-06-23 2020-10-02 广东工业大学 Method and device for training network intrusion detection model
CN111741002B (en) * 2020-06-23 2022-02-15 广东工业大学 Method and device for training network intrusion detection model
CN113447883A (en) * 2021-06-25 2021-09-28 海宁奕斯伟集成电路设计有限公司 Multi-station parallel test method and test system

Also Published As

Publication number Publication date
CN108881254B (en) 2021-08-06

Similar Documents

Publication Publication Date Title
US11775430B1 (en) Memory access for multiple circuit components
EP4145308A1 (en) Search recommendation model training method, and search result sorting method and device
CN113688855B (en) Data processing method, federal learning training method, related device and equipment
CN108881254A (en) Intruding detection system neural network based
US10943167B1 (en) Restructuring a multi-dimensional array
CN107844322A (en) Apparatus and method for performing artificial neural network forward operation
CN112580720B (en) Model training method and device
WO2021208799A1 (en) Transfer model training method and apparatus and fault detection method and apparatus
US20190042910A1 (en) Spike timing dependent plasticity in neuromorphic hardware
EP3973401B1 (en) Interleaving memory requests to accelerate memory accesses
CN111797970B (en) Method and device for training neural network
CN112667528A (en) Data prefetching method and related equipment
CN113642734A (en) Distributed training method and device for deep learning model and computing equipment
WO2023231961A1 (en) Multi-agent reinforcement learning method and related device
WO2022267036A1 (en) Neural network model training method and apparatus and data processing method and apparatus
CN106776466A (en) A kind of FPGA isomeries speed-up computation apparatus and system
CN113726545B (en) Network traffic generation method and device for generating countermeasure network based on knowledge enhancement
CN107315563A (en) A kind of apparatus and method for performing vectorial comparison operation
CN114282678A (en) Method for training machine learning model and related equipment
WO2024067373A1 (en) Data processing method and related apparatus
CN110443214A (en) A kind of recognition of face accelerating circuit system and accelerated method based on RISC-V
CN109145107A (en) Subject distillation method, apparatus, medium and equipment based on convolutional neural networks
CN107578107A (en) Model training method and device
WO2021253938A1 (en) Neural network training method and apparatus, and video recognition method and apparatus
WO2024114659A1 (en) Summary generation method and related device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant