
Research On Design And Performance Optimization Of NP-based Intrusion Detection Systems

Posted on: 2011-09-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X C Xu
Full Text: PDF
GTID: 1118330332972015
Subject: Communication and Information System

Abstract/Summary:
Intrusion detection remains a very challenging task. Because of the complexity and difficulty of the analysis, a network intrusion detection system (NIDS) is usually run on a PC or a general-purpose workstation. Unfortunately, because such a platform has only limited capacity for analysing high-throughput traffic, the traditional general-purpose system has proved unsuitable as the operating platform for a NIDS. Researchers have tried to improve NIDS performance by pre-recognizing and filtering unwanted packets at the network interface. Changes in the building blocks of the Internet infrastructure have also shifted where processing can take place: complex network processing can be divided into several parts and distributed along the whole communication path of a packet.

As a network communication node, the end host, or server architecture, has made full use of the high-speed processing of multi-core processors. With the network processor (NP) and FPGA integrated into the network interface card, a new computing resource called the intelligent NIC (iNIC) has been formed, which offers an opportunity to offload intrusion detection from the CPU to the intelligent network card. Network processors are now widely used, and the price of an NP-based intelligent NIC is almost the same as that of a high-end server network card, so an end host with an intelligent NIC of enhanced computing capacity can offload a large share of the processing tasks from the centralized IDS onto the host itself. The emergence of technologies such as multi-core processors and virtualization is forcing a reconsideration of how traditional network processing tasks are carried out.

This dissertation, from the perspective of where the intrusion detection system is deployed in the network, first analyzes the shortcomings of the current centralized system. Then, considering the multi-core, multi-threaded and parallel processing features of the network processor on the host's intelligent NIC, it proposes that the NP-based iNIC interface can be used for an iNIC NIDS with extra processing capacity. It also proposes that, having the advantages of both DIDS and the NP together with extensibility and high throughput, the iNIC NIDS is dependable and especially suited to distributed intrusion detection in high-speed networks. In this dissertation we offer a deployment scheme for the iNIC NIDS and implement its prototype on the basis of the open-source software Snort, using a programmable network processor. The main contributions of this dissertation are as follows:

1. It proposes a scheme for a distributed intrusion detection system. Integrating the advantages of both the distributed system and the high-speed NP, the scheme has the following features: the capability to check traffic at a finer granularity; each end system having private security policies that apply only to itself and setting its own specific security strategy; better extensibility and survivability; and easier collection and preservation of attack evidence. This dissertation not only offers the general scheme but also gives the design principles and a detailed description and analysis of the security strategy implementation, the host's iNIC interface, the user interface, and the communication between the different modules of the system. It also discusses its feasibility.

2. It realizes a prototype of the optimized network processor intrusion detection system. The performance of a network processor IDS depends on the processing speed of session handling and the efficiency of the rule matching algorithm. We take a series of measures to optimize and improve the TCP session reassembly component of the stateful intrusion detection system's preprocessor: choosing the best data structure and algorithm; devising a uniformly distributed hash function that avoids hash collisions; a modified session key generation algorithm that doubles lookup speed; session node allocation and reclamation with scratchpad caching, which gives up to a 16-fold speedup; and an improved multi-queue timeout mechanism. This dissertation describes and analyzes the components and realization of this module from the perspective of data structures and algorithms, greatly enriching the functionality of SCUT NP-NIDS.

3. It creates two interface designs and thereby completes both the prototype system's user interface and its user-kernel interface. On the one hand, using the acceleration unit offered by the IXP2400 network processor itself and the IOCTL mechanism, we implement the intelligent NIC's user-kernel interface, making rule set upgrades easier and greatly improving the system's flexibility and adaptability; on the other hand, we implement the system's CLI command interface as the control interface of our proposed scheme with the help of the open-source routing software Zebra, making it easier for the network administrator to carry out a remote management strategy.

4. It realizes the prototype system's host-side intelligent network processor interface. Combining the virtual socket network interface mechanism, we design and implement the host's IXP network interface as the data interface of our proposed scheme, through which the host can interact with the underlying hardware network processing unit without any change to its upper-layer applications, making it much easier to add new network application services to the system.

5. It puts forward the concept of intrusion detection application offload, introduces an evaluation model, and thereby establishes the experimental platform for the prototype system. We propose offloading the intrusion detection application to the network processing intelligent board and use the LAWS model to reason about, and verify with experiments, the performance improvement of application offloading under different circumstances. Using the implemented host network processor interface and a set of experiments running the current IDS on the IXP iNIC and on the host, we compare and contrast the performance of their communication paths at different locations. The test results show that when the IDS is placed closer to the network link, in the network processor, the system gains about a 30-fold decrease in latency, and blocking illegal traffic early gains about a 30-fold increase in throughput for legitimate traffic, further verifying the effectiveness and feasibility of the proposed distributed intrusion detection system based on the network processor intelligent NIC.
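The session reassembly measures listed under contribution 2 (a direction-independent session key so that one lookup serves both halves of a flow, pre-allocated session nodes reclaimed without a heap allocator, and one timeout queue per session state) are the kind of thing an NP data-path engineer writes in C. The following is an added illustration of those three ideas, not code from the dissertation or from SCUT NP-NIDS: the bucket count, pool size, state set, mixing constants and per-state timeouts are all constructed assumptions, and the IPv4 5-tuple is reduced to address/port pairs with the protocol field omitted.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration, not the dissertation's code. Sizes and timeouts are constructed. */
#define NBUCKETS 1024            /* power of two so the bucket mask works */
#define NSESSIONS 256            /* pre-allocated node pool (no malloc on the fast path) */

enum sess_state { S_NEW = 0, S_ESTABLISHED, S_CLOSING, NSTATES };

/* Constructed idle timeouts (seconds): half-open sessions are reclaimed fast, established ones kept long. */
static const uint32_t timeout_s[NSTATES] = { 30, 3600, 60 };

struct key { uint32_t ip_lo, ip_hi; uint16_t port_lo, port_hi; };

struct session {
    struct key k;
    enum sess_state st;
    uint32_t last_seen;
    struct session *hnext;          /* hash-bucket chain (also reused as free-list link) */
    struct session *qprev, *qnext;  /* doubly linked timeout queue for this state */
};

static struct session pool[NSESSIONS];
static struct session *free_list;
static struct session *bucket[NBUCKETS];
static struct session *qhead[NSTATES], *qtail[NSTATES];

/* Empty all buckets and queues and put every node on the free list. */
void session_table_init(void)
{
    memset(pool, 0, sizeof pool); memset(bucket, 0, sizeof bucket);
    memset(qhead, 0, sizeof qhead); memset(qtail, 0, sizeof qtail);
    free_list = NULL;
    for (int i = NSESSIONS - 1; i >= 0; i--) { pool[i].hnext = free_list; free_list = &pool[i]; }
}

/* Order the two endpoints so both directions of a flow produce the same key. */
struct key make_key(uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport)
{
    struct key k;
    if (sip < dip || (sip == dip && sport < dport)) { k.ip_lo = sip; k.port_lo = sport; k.ip_hi = dip; k.port_hi = dport; }
    else                                            { k.ip_lo = dip; k.port_lo = dport; k.ip_hi = sip; k.port_hi = sport; }
    return k;
}

/* Integer mixer so neighbouring addresses and ports spread evenly over the buckets. */
static uint32_t mix32(uint32_t x)
{
    x ^= x >> 16; x *= 0x7feb352dU; x ^= x >> 15; x *= 0x846ca68bU; x ^= x >> 16;
    return x;
}

uint32_t key_bucket(const struct key *k)
{
    uint32_t h = mix32(k->ip_lo) ^ mix32(k->ip_hi + 0x9e3779b9U) ^ mix32(((uint32_t)k->port_lo << 16) | k->port_hi);
    return h & (NBUCKETS - 1);
}

static int key_eq(const struct key *a, const struct key *b)
{
    return a->ip_lo == b->ip_lo && a->ip_hi == b->ip_hi && a->port_lo == b->port_lo && a->port_hi == b->port_hi;
}

static void q_unlink(struct session *s)
{
    if (s->qprev) s->qprev->qnext = s->qnext; else qhead[s->st] = s->qnext;
    if (s->qnext) s->qnext->qprev = s->qprev; else qtail[s->st] = s->qprev;
    s->qprev = s->qnext = NULL;
}

/* Append at the tail, so every queue stays ordered by last_seen with the oldest entry at its head. */
static void q_append(struct session *s)
{
    s->qprev = qtail[s->st]; s->qnext = NULL;
    if (qtail[s->st]) qtail[s->st]->qnext = s; else qhead[s->st] = s;
    qtail[s->st] = s;
}

/* One lookup serves a packet from either direction; a hit refreshes the idle timer. */
struct session *session_lookup(uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport, uint32_t now)
{
    struct key k = make_key(sip, sport, dip, dport);
    for (struct session *s = bucket[key_bucket(&k)]; s; s = s->hnext)
        if (key_eq(&s->k, &k)) { s->last_seen = now; q_unlink(s); q_append(s); return s; }
    return NULL;
}

/* Take a node from the pool; NULL means the table is full and the packet must be handled without state. */
struct session *session_insert(uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport, uint32_t now)
{
    struct session *s = free_list;
    if (!s) return NULL;
    free_list = s->hnext;
    s->k = make_key(sip, sport, dip, dport); s->st = S_NEW; s->last_seen = now;
    uint32_t b = key_bucket(&s->k);
    s->hnext = bucket[b]; bucket[b] = s;
    q_append(s);
    return s;
}

/* Moving a session between states moves it between timeout queues. */
void session_set_state(struct session *s, enum sess_state st) { q_unlink(s); s->st = st; q_append(s); }

static void session_free(struct session *s)
{
    struct session **pp = &bucket[key_bucket(&s->k)];
    while (*pp != s) pp = &(*pp)->hnext;
    *pp = s->hnext;
    s->hnext = free_list; free_list = s;
}

/* Expiry only inspects queue heads and stops at the first live entry. Returns the number of nodes reclaimed. */
int session_expire(uint32_t now)
{
    int n = 0;
    for (int st = 0; st < NSTATES; st++)
        while (qhead[st] && now - qhead[st]->last_seen > timeout_s[st]) { struct session *s = qhead[st]; q_unlink(s); session_free(s); n++; }
    return n;
}

int session_count(void)
{
    int free_nodes = 0;
    for (struct session *s = free_list; s; s = s->hnext) free_nodes++;
    return NSESSIONS - free_nodes;
}
```

The point of the per-state queues is that expiry never has to scan the whole table: because a hit moves the session to the tail of its queue, each queue is sorted by idle time and the sweep stops at the first entry that is still within its timeout. A full table (`session_insert` returning NULL) is the condition a stateful NIDS on a NIC has to plan for under a flood of half-open connections, which is why the S_NEW timeout is the shortest one here.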
Keywords/Search Tags: Intrusion detection system, Network processor, Distributed system, Intelligent network interface, Performance optimization