Research On High Performance Application Layer Protocol Identification Method On FPGA

Posted on: 2016-11-04
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W L Fu
GTID: 1108330503955329
Subject: Computer software and theory
Abstract/Summary:
With the rapid growth of the user population and of application protocols, the Internet has become more and more complex. To improve the security and manageability of the Internet, application protocol identification has become a fundamental function of network security and management systems, and it is regarded as one of the basic elements in China’s newly published standard for next generation firewalls. However, as Internet access bandwidth grows rapidly and a growing number of 40 Gbps or higher speed networks are deployed, the performance of current methods cannot match the bandwidth of high speed networks because of their considerable computation and memory complexity.

To cope with this issue, we focus on developing high performance application layer identification technology on FPGA for 40 Gbps or higher speed networks. Specifically, the contributions of this dissertation can be summarized as follows.

A high performance architecture for an application layer identification system on FPGA is proposed. It employs a simplified string based protocol identification method to reduce computation complexity and uses a flow management system to bring down the workload of the protocol identification engines. Specifically, it customizes the flow entry management scheme, the out-of-date entry deletion scheme, the entry cache scheme, the application identification engine pipeline design, the simplified string based protocol identification method design, etc., according to FPGA hardware features in order to improve performance. Experiments show that the architecture can offer a processing capacity of more than 36 Gbps and recognize 128 applications with an accuracy of about 92% and a flow table of up to 2 million flow entries.

To improve the architecture’s identification accuracy, an efficient method for generating FPGA based regular expression matching engines is proposed. It consists of a state machine conversion algorithm and an inspection engine generation method. The former is used to convert a single-character input non-deterministic finite automaton into a multi-character input non-deterministic finite automaton; the latter is aimed at optimizing the engines according to hardware features. Experiments on NetFPGA-10G show that the engines offer a sustained throughput of over 10 Gbps, which is about 62% higher than current methods.

An FPGA accelerated application layer protocol identification method for 100 Gbps networks is proposed. Specifically, we first analyze the common features of the L7-filter rulesets. Then, the transition growth problem of multi-stride NFA is discussed. Finally, an FPGA-accelerated method, which includes the Link-NFA structure, optimization and matching architecture, is proposed. Experiments on a Virtex-6 FPGA show that the prototype can scan network traffic at a typical rate of about 115 Gbps and can support up to about 850 protocols.
Keywords/Search Tags: application layer protocol identification, FPGA, application specific architecture, high performance, regular expression matching