簡易檢索 / 詳目顯示
| 研究生: |
許景涵 Jing-han Shiu |
|---|---|
| 論文名稱: |
以NetFPGA實作結合NFA及AC演算法之網路型入侵偵測系統 Using NetFPGA to Implement Integrated NFA and AC Algorithms for Network Based Intrusion Detection Systems |
| 指導教授: |
陳奕明
Yi-Ming Chen |
| 口試委員: | |
| 學位類別: |
碩士 Master |
| 系所名稱: |
管理學院 - 資訊管理學系 Department of Information Management |
| 畢業學年度: | 99 |
| 語文別: | 中文 |
| 論文頁數: | 79 |
| 中文關鍵詞: | Snort 、NIDS 、NetFPGA 、NFA 、布隆過濾器 、AC |
| 外文關鍵詞: | Snort, Bloom filter, NetFPGA, NFA, AC, NIDS |
| 相關次數: | 點閱:12 下載:0 |
| 分享至: |
| 查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報 |
近年來因為社會各業仰賴電腦及網路的正常運作,因此網路及電腦安全越來越受到重視。基於特徵比對的網路型入侵偵測系統可以在封包到達主機前過濾掉含有惡意特徵之封包,因此經常被視為網路防護的防線。以軟體實作之入侵偵測系統比對特徵之效能有限,無法負荷於Gbps等級之網路頻寬。因此本研究使用NetFPGA實作網路型入侵偵測系統的特徵比對功能,讓入侵偵測的比對效能可以承擔Gbps的網路流量。然而由於惡意程式碼特徵數逐年增長,在單一FPGA晶片中儲存全部的惡意特徵顯得越來越困難。因此本研究提出結合FPGA及軟體共同防護的系統架構,當規則數無法儲存於單一FPGA晶片時,可將其分擔至軟體型入侵偵測系統上比對,此設計為過去研究未曾嘗試的架構,並且本研究應用布隆過濾器,開發過濾正常封包的流量過濾器,用於減少軟體型入侵偵測系統的封包處理量,以降低效能瓶頸出現的機會。此外過去研究往往僅使用FPGA中單一資源儲存特徵規則,當單一硬體資源耗竭後,無法使用其他資源儲存更多的特徵規則。因此本研究在演算法設計時使用嶄新的設計概念,結合NFA及AC的演算法,讓特徵字串的儲存可以分配到FPGA晶片上CLB及BRAMs兩種資源中,經實驗證實可以在NetFPGA上儲存2451條Snort規則 (共57630位元組),更加有效的利用FPGA晶片上之資源。
In modern society, all walks of life rely on the function of computers and networks, therefore, the computer and network security are becoming more and more important. For avoiding the damage of property, Nework Intrusion Detection Systems (NIDS) are regarded as an indispensable device for network security. However, the software-based NIDS, such as Snort, cannot sustain well protection when the systems meet high network flow under Gbps network. For this reason, this research focuses on the design of high performance intrusion detector and implements the functions of NIDS on NetFPGA.
But the growing number of signature, it’s getting more difficult to store all the necessary signatures in single FPGA on-chip resource. Therefore this research proposes a system architecture combining FPGA and software-based NIDS for offering complete signature set. Once the signatures cannot be stored in single FPGA, some signature can be distributed to software-based NIDS and be matched by the software-based NIDS later. This is a fresh system architecture that has not been tried. Because of performance issue, this rearch developed a Normal Traffic Filter (NTF) by using Bloom filters to offload software-based NIDS.
Besides, this research proposes a brandnew design concept that combines the NFA and AC algorithms for storing the signatures in two different on-chip resources (CLB and BRAMs); this method can store more signatures by distributing signatures to CLB and BRAMs. Experiments showed that this novel algorithm can store 2451 snort rules (total 57630 bytes) without consuming up on-chip resource on NetFPGA.
中文參考文獻
〔1〕 魏雅笛,「利用決策樹以FPGA為基礎之入侵偵測系統資源利用」,國立中央大學,資訊管理學系碩士論文,民國98年。
〔2〕 朱彥豪,「以NetFPGA實作結合布隆過濾器與改良式Karp Rabin演算法之網路惡意封包偵測器」,國立中央大學,資訊管理學系碩士論文,民國99年。
英文參考文獻
〔3〕 K. Salah , and A.Kahtani, “Performance evaluation comparison of Snort NIDS under Linux and Windows Server”, Journal of Network and Computer Applications, Vol. 33, pp. 6–15, 2010.
〔4〕 Jad Naous, David Erickson, G. Adam Covington, Giudo Appenzeller, and Nick Mckeown, ”Implementing an OpenFlow Switch on the NetFPGA platform”, ACM/IEEE Symposium on Architectures for Networking and Communications Systems, Nov. 2008.
〔5〕 G. Adam Covington, Glen Gibb, John Lockwood, and Nick Mckeown, ”A Packet Generator on the NetFPGA Platform”, 17th IEEE Symposium on Field Programmable Custom Computing Machines, Apr. 2007.
〔6〕 Hao Chen, Douglas H. Sumerville, and Yu Chen, “Two-Stage Decomposition of Snort Rules towards Efficient Hardware Implementation”, 7th International Workshop on the Design of Reliable Communication Networks, 2009.
〔7〕 Sarang Dharmapurikar, and John Lockwood, “Fast and Scalable Pattern Matching for Network Intrusion Detection Systems”, IEEE Journal on Selected Areas in Communications, Oct. 2006.
〔8〕 Yeim-Kuan Chang, Chen-Rong Chang, and Cheng-Chien Su, “The Cost Effective Pre-Processing based NFA Pattern Matching Architecture for NIDS”, 24th IEEE International Conference on Advanced Information Networking and Applications, 2010.
〔9〕 Toshihiro Katashita, Yoshinori Yamaguchi, Atusi Maeda, and Kenji Toda, “FPGA-Based Intrusion Detection System for 10 Gigabit Ethernet”, IEICE Transactions on Information and Systems, 2007.
〔10〕 Jing Yu, Bo Yang, Ruiyuan Sun, and Zhenxiang Chen, “FPGA-Based Parallel Pattern Matching Algorithm for Network Intrusion Detection System”, International Conference on Multimedia Information Networking and Security, 2009.
〔11〕 Chun Janson Xue, Meilin Liu, and QingFeng Zhuge, “Variable Length Pattern Matching for Hardware Network Intrusion Detection System”, Journal of Signal Process System, Vol. 59, p85-93, 2010.
〔12〕 A. V. Aho and M. J. Corasick, “Efficient String Matching: an Aid to Bibliographic Search”, Communications of the ACM 18, p.333-340, 1975.
〔13〕 B. Bloom, “Space/time trade-offs in hash coding with allowable errors”, Communications of the ACM, Vol. 13 Issue 7, July 1970.
〔14〕 Robert S. Boyer and J. Strother Moore, “A Fast String Searching Algorithm”, Communications of the ACM 20, p.762-772, 1977.
〔15〕 Udi Manber and Sun Wu, “Glimpse: A Tool to Search Through Entire File Systems”, Usenix Winter Technical Conference, p. 22-32, 1944.
〔16〕 Ioannis Sourdis, Dionisios Pnevmatikatos, and Stamatis Vassiliadis, “A Evaluation of FPGA-based IDS Pattern Matching Techniques”, 2005, July 2011 accessed from http://www.stw.nl/NR/rdonlyres/D82FD682-973B-452D-B701-6F371ACC404D/0/sourdis.pdf.
〔17〕 Mou-Sen Chen, Ming-Yi Liao, Pang-Wei Tsai, Mon-Yen Luo, Chu-Sing Yang, and C. Eugene Yeh., “Using NetFPGA to Offload Linux Netfilter Firewall”, 2nd North American NetFPGA Developers Workshop, Stanford, CA , 2010.
〔18〕 Haoyu Song, Todd Sproull, Mike Attig, and John Lockwood, “Snort Offloader: A Reconfigurable Hardware NIDs Filter”, International Conference on Field Programmable Logic and Applications, 2005.
〔19〕 M. V. Ramakrishna, E. Fu, and E. Bahcekapili, “A Performance Study of Hashing Functions for Hardware Applications”, Proc. 6th Int’l Conf. Computing and Information, pp. 1621-1636, 1994.
〔20〕 M. V. Ramakrishna, E. Fu, and E. Bahcekapili, “Efficient Hardware Hashing Functions for High Performance Computers”, IEEE Transactions on computers, Vol. 46, p.1378, Dec. 1997.
相關網站
〔21〕 Symantec. “Symantec Global Internet Security Threat Report – Trends for 2009.”
〔22〕 台灣網路資訊中心,連線頻寬查詢。2011年4月22日取自http://map.twnic.net.tw/
〔23〕 Snort, http://www.snort.org/, 2011.
〔24〕 National Instruments, “FPGA-Under the Hood.” , 2011年6月取自ftp://ftp.ni.com/pub/devzone/pdf/tut_6983.pdf
〔25〕 Xlinx, What Are FPGAs, 2011年7月取自http://www.xilinx.com/company/gettingstarted/index.htm
〔26〕 NetFGPA, http://netfpga.org/, 2011.
〔27〕 Sourcefire, “Snort 2.0 Hi-performance multi-rule inspection engine”, 2003.
〔28〕 Xlinx, Virtex-II Pro and Virtex-II Pro X Platform FPGAs: Complete Data Sheet, p.2, June 2011.
〔29〕 IETF, Benchmarking Terminology for Network Interconnection Devices, 2011年7月取自http://www.ietf.org/rfc/rfc1242.txt
〔30〕 SPIRENT, SmartBits, http://www.spirent.com/Solutions-Directory/Smartbits.aspx
〔31〕 Basic Analysis and Security Engine (base), http://base.secureideas.net/.
〔32〕 NetFPGA-10G, Getting Started Guide Webside, 2011年7月存取自http://netfpga10g.pbworks.com/w/page/32176625/Getting-Started-Guide.
