
Researches On High-Speed Processing For Network Intrusion Detection Systems

Posted on: 2008-04-18
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y J Chen
Full Text: PDF
GTID: 1118360242999345
Subject: Computer Science and Technology

Abstract/Summary:
With the rapid development of network technologies and applications, a growing range of network attack techniques poses a serious challenge to network security. In large-scale, high-traffic network environments, the traditional techniques used by network-based intrusion detection systems (NIDS) cannot meet the need for real-time processing of the ever-increasing traffic volume.

This dissertation studies hardware-based acceleration techniques for high-speed network intrusion detection systems. We first propose a novel architectural model for NIDS, and then investigate the key techniques of this model: fast pattern matching algorithms, adaptive load balancing, and flow identification and management for NIDS probes. The main contributions of the dissertation are as follows:

(1) We systematically analyze the architecture of NIDS and propose XMLPP, a novel extensible Multi-Level Parallel Processing model for high-speed NIDS. In the XMLPP model, simple, periodic tasks that require high processing speed are handled at high speed in specially designed hardware during data acquisition, while the relatively complex tasks are scheduled onto high-performance back-end probes. The XMLPP model improves system performance and enhances system reliability, both of which are essential for high-speed NIDS.

(2) To improve the performance of pattern matching in high-speed NIDS, we propose TFPM, a novel TCAM-based Fast Pattern Matching algorithm. The algorithm greatly reduces the number of TCAM matching operations by pre-filtering the input string using pattern-prefix matching, and by using multiple virtual queues for identification it significantly improves pattern matching performance. To support content-based multi-rule packet classification, we design and implement a special pattern matching instruction set. Used together with the TFPM algorithm, this instruction set supports complex multi-rule packet classification and extends the classification ability of pattern matching. The TFPM algorithm is easy to implement in hardware and satisfies the need for content-based complex packet classification in high-speed networks.

(3) To address the load balancing problem in high-speed NIDS, we propose MSF (Minimum Session number First), a session-oriented adaptive load balancing algorithm. Taking both packet-level and bit-level load into account, the MSF algorithm dynamically schedules flow bundles according to the number of sessions they contain. The algorithm preserves session integrity, so that the NIDS can correctly interpret the semantics of the packets it receives.

(4) To address the problem of flow identification and management in NIDS probes, we propose CRC20, an efficient hash algorithm. Based on CRC20, received packets are stored dynamically in hardware, realizing the identification and management of high-speed packet flows. Theoretical analysis and extensive simulations show that the algorithm has good computational complexity and memory-access performance and is suitable for flow management in high-speed networks.

Finally, building on the techniques above, we study the implementation of a real system: a macro-pipelined, integrated high-speed network data collection and pre-processing system. The system captures packets from high-speed links and performs pre-processing such as packet classification, filtering and content inspection. It efficiently attenuates the network traffic, reduces the workload of the back-end processing probes, and improves the performance of the NIDS. As a hardware-based acceleration platform, the system can be used not only in high-speed NIDS but also in high-speed network security monitoring, network behavior analysis, network measurement, and similar applications. The system currently plays an important role in security management and network management.
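The two probe-side mechanisms in contributions (3) and (4), session-oriented load balancing and hash-based flow bundling, are easiest to see in a small software model. The following Python example is an added illustration, not code from the dissertation. It assumes (none of this is specified in the abstract) that packets arrive as dictionaries carrying a 5-tuple, a length and TCP flag booleans, that flow bundles are formed by hashing a direction-independent 5-tuple with CRC32 from `zlib` as a stand-in for the dissertation's CRC20, and that a session ends on FIN or RST. The class `MsfBalancer`, the `Probe` record and the helper functions are hypothetical names chosen for the example.

```python
"""Session-oriented load balancing in the MSF (Minimum Session number First) style.

Added illustration, not the dissertation's code. Assumptions (not stated in the
abstract): packets are dicts with a 5-tuple, a length and TCP flag booleans;
flow bundles come from a CRC32 hash of the direction-independent 5-tuple
(standing in for the dissertation's CRC20 hash); a session ends on FIN or RST.
"""
import zlib
from dataclasses import dataclass


@dataclass
class Probe:
    """A back-end NIDS probe and the load it currently carries."""
    name: str
    sessions: int = 0      # live sessions bound to this probe (session-level load)
    bytes_seen: int = 0    # bytes forwarded so far (bit-level load, used as tie-breaker)


def canonical_key(pkt):
    """Direction-independent session key, so both halves of a conversation
    hash to the same flow bundle and therefore reach the same probe."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    if a > b:
        a, b = b, a
    return (a[0], a[1], b[0], b[1], pkt["proto"])


def bundle_of(key, n_bundles):
    """Hash a session key to a flow-bundle id (CRC32 stands in for CRC20)."""
    return zlib.crc32("|".join(map(str, key)).encode()) % n_bundles


class MsfBalancer:
    def __init__(self, probe_names, n_bundles=4096):
        self.probes = [Probe(n) for n in probe_names]
        self.n_bundles = n_bundles
        self.bundle_probe = {}    # bundle id -> Probe, only while the bundle has live sessions
        self.bundle_active = {}   # bundle id -> set of live session keys

    def _least_loaded(self):
        # Minimum Session number First; byte count breaks ties between idle probes
        return min(self.probes, key=lambda p: (p.sessions, p.bytes_seen))

    def dispatch(self, pkt):
        """Return the name of the probe that receives this packet."""
        key = canonical_key(pkt)
        b = bundle_of(key, self.n_bundles)
        active = self.bundle_active.setdefault(b, set())
        # A bundle stays bound to one probe while it carries sessions, which keeps
        # every packet of a session on the same probe; an idle bundle is released
        # so its next session can be rebalanced.
        if b not in self.bundle_probe:
            self.bundle_probe[b] = self._least_loaded()
        probe = self.bundle_probe[b]
        if key not in active:
            active.add(key)
            probe.sessions += 1
        probe.bytes_seen += pkt["len"]
        if pkt.get("fin") or pkt.get("rst"):
            active.discard(key)
            probe.sessions -= 1
            if not active:
                del self.bundle_probe[b]
        return probe.name

    def load(self):
        """Current session count per probe, e.g. for a monitoring view."""
        return {p.name: p.sessions for p in self.probes}


def make_pkt(src, sport, dst, dport, length, **flags):
    """Build a constructed packet record (sample data, not captured traffic)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": "tcp", "len": length, **flags}


def demo():
    """Constructed trace: one session opens, is answered, and closes; then a
    second session opens. Returns the probe chosen for each packet."""
    lb = MsfBalancer(["probe0", "probe1"])
    trace = [
        make_pkt("10.0.0.5", 40001, "192.0.2.10", 80, 60, syn=True),   # client -> server
        make_pkt("192.0.2.10", 80, "10.0.0.5", 40001, 1400),           # server -> client
        make_pkt("10.0.0.5", 40001, "192.0.2.10", 80, 60, fin=True),   # session closes
        make_pkt("10.0.0.6", 40002, "192.0.2.10", 443, 60, syn=True),  # new session
    ]
    return [lb.dispatch(p) for p in trace]


if __name__ == "__main__":
    print(demo())
```

In the trace, the reply packet of the first session is dispatched to the same probe as its request even though its 5-tuple is reversed, which is the session-integrity property the abstract attributes to MSF. After that session closes, the fourth packet goes to the other probe: both probes carry zero sessions, so the bit-level load (bytes already forwarded) decides the tie, mirroring the abstract's point that packet-level and bit-level load are both considered.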
Keywords/Search Tags: high-speed network, intrusion detection, multi-level parallel processing, pattern matching, adaptive load balancing