
Research On Network Security Supporting Technology

Posted on: 2013-08-31
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X Y Fang
GTID: 1268330377459382
Subject: Computer application technology
Abstract/Summary:
As network data rates and the volume of information to be transmitted increase, the processing performance of network security protection systems can no longer meet the requirements of high-speed networks. Security algorithms in security software products, once executed as CPU instructions, are gradually being replaced by algorithm acceleration chips. This paper focuses on the supporting technology involved in hardware-based network security protection, such as fast implementation of large-number modular multiplication and large-number modular addition, a multi-pattern matching algorithm for data streams, a data stream classification algorithm, etc. Finally, the algorithms from this research are integrated in a chip for validation, and the system architecture and performance of the chip are analyzed. The experimental results show that the chip has better capability in cryptographic processing and intrusion detection.

Modular multiplication and modular addition on large numbers are the key operations and performance bottlenecks of cryptographic algorithms. The paper presents a novel implementation method for modular multiplication, called the entirely parallel systolic array architecture, and a large-number modular addition method based on a parallel carry-chain. The modular multiplication method adopts a systolic array circuit architecture with degree m of parallelism and level P of pipelining, which not only speeds up the modular multiplication operation but also benefits the configurable implementation of resources. The large-number modular addition method divides the operands into many groups, and an improved carry look-ahead method is used to reduce the carry delay within each group. A carry-parallel method performs the addition for the different carry states. The final result of the addition is determined by the carry states of the groups. The method keeps the carry delay of addition unchanged as the data width increases, because carry propagation is converted into a comparison of the groups' carry state equations.

A data stream in a high-speed network environment has dynamic features: it is high-speed, time-ordered, changes over time, and so on. A real-time matching algorithm for data streams should have the following characteristics: low time and space complexity, and storage requirements that are independent of the length of the data stream. The paper presents a novel pattern matching algorithm for data streams, applicable to pattern strings of different lengths, called Dataflow-Wu-Manber. The algorithm uses the degree of correlation between the character strings to be matched and the prefix-pattern strings to increase the shift distance when the pattern string does not include the character strings to be matched; uses a heuristic matching method to increase the shift distance when the digest value of the character strings matches successfully; uses digest matching to improve the precision of the first match and reduce the probability of accessing storage; and uses multi-level cache parallel matching to reduce the time of the length-pattern string matching. The experimental results show that the new method improves the matching efficiency for pattern strings of different lengths.

In an intrusion detection analysis system based on data streams, the more recent a time segment of the data stream is, the more it affects the current detection model, and the older it is, the less it affects the model. To address the high time complexity of ensemble-classifier algorithms, the paper presents TWWFP, a data stream classification algorithm based on time-window weighted values. The data stream is divided into consecutive sliding windows, and every basic window in a sliding window is given a time-related window weight. The more recent the window, the larger its weight; the older the window, the smaller its weight. The frequent data attributes of every basic window in the current sliding window are stored in a TWWFP-Tree, which is updated in real time when a new basic window enters the current sliding window. The average classification error of the weighted attributes in two adjacent sliding windows is monitored, and when an abrupt change is detected, the length of the next sliding window is adjusted to adapt to the change in the data stream. The experimental results show that the novel algorithm improves the precision and self-adaptation capability of data stream classification through the time-window weighted values and by detecting changes between adjacent windows.

The paper presents a high-capability network security protection system model oriented to high-speed network environments. The model ensures real-time data processing through an algorithm acceleration chip, which integrates the fast implementation methods for large-number modular multiplication and large-number modular addition, the data stream multi-pattern matching algorithm Dataflow-Wu-Manber, and the data stream classification algorithm TWWFP. It adopts the design methods of hardware speedup, parallel processing and pipelining to reduce data processing time, improving the capability of network security protection and ensuring the real-time behavior of the network. The capability of the algorithm acceleration chip is validated on a DE2-115 development board. The results show that research on hardware-based supporting technology for network security protection helps improve the processing capability of network security protection.
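The grouped, carry-parallel modular addition described in the abstract can be sketched in software as a carry-select adder. This is an added example, not the dissertation's circuit: the 8 x 32-bit grouping, the names big_t, cs_add and mod_add, and the use of native 32-bit adds in place of the improved carry look-ahead inside each group are all assumptions.

```c
#include <stdint.h>

#define GROUPS 8   /* assumed width: 8 groups x 32 bits = 256-bit operands */
typedef struct { uint32_t g[GROUPS]; } big_t;   /* g[0] is least significant */

/* Carry-select add: r = a + b + cin, returns the carry out.
 * Phase 1 evaluates every group for both possible carry-ins; groups are
 * independent here, which is what hardware evaluates in parallel.
 * Phase 2 only selects among the precomputed results by carry state. */
static unsigned cs_add(big_t *r, const big_t *a, const big_t *b, unsigned cin)
{
    uint32_t sum[GROUPS][2];
    unsigned cout[GROUPS][2];
    for (int i = 0; i < GROUPS; i++) {
        for (unsigned c = 0; c < 2; c++) {
            uint64_t t = (uint64_t)a->g[i] + b->g[i] + c;
            sum[i][c]  = (uint32_t)t;
            cout[i][c] = (unsigned)(t >> 32);
        }
    }
    unsigned carry = cin & 1u;
    for (int i = 0; i < GROUPS; i++) {
        r->g[i] = sum[i][carry];
        carry   = cout[i][carry];
    }
    return carry;
}

/* r = (a + b) mod m; requires a < m and b < m. */
static void mod_add(big_t *r, const big_t *a, const big_t *b, const big_t *m)
{
    big_t s, d, nm;
    for (int i = 0; i < GROUPS; i++) nm.g[i] = ~m->g[i];
    unsigned c1 = cs_add(&s, a, b, 0);     /* s = a + b, c1 = overflow bit */
    unsigned c2 = cs_add(&d, &s, &nm, 1);  /* d = s - m; c2 = 1 means s >= m */
    /* Reduce if the sum overflowed or s >= m; branch-free select of d or s. */
    uint32_t mask = (uint32_t)0 - (uint32_t)(c1 | c2);
    for (int i = 0; i < GROUPS; i++)
        r->g[i] = (d.g[i] & mask) | (s.g[i] & ~mask);
}

int main(void)
{
    /* Constructed sample: (60 + 50) mod 97 = 13 */
    big_t a = {{60}}, b = {{50}}, m = {{97}}, r;
    mod_add(&r, &a, &b, &m);
    return r.g[0] == 13 ? 0 : 1;
}
```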
Keywords/Search Tags: large number modular arithmetic, parallel carry-chain, multi-level cache parallel matching, time window weighted value, algorithm accelerated chip