| With the increasing type and number of Worm attacks in the Internet, Anti-Worm has become an important issue in network security research and anti-worm engine is already widely used in network security applications such as Firewalls and IDS systems. Deep Packet Inspection (DPI) is usually used in anti-worm engine, whose essence is multi-pattern matching procedure. As it should check packet payloads, an anti-worm engine usually takes much more procceeding time. Thus, the design of high performance anti-worm engine is a very important issue in high-speed network security applications.This paper introduces the design and implementation of Anti-Worm Engine based on Network Processor (NP) with Deep Packet Inspection technology. The function blocks of the entire system and inner modules of anti-worm engine are described in detail. The extension fuction of TCP flow stateful scanning is introduced and the structure of flow state record is given too.After a brief survey of Multi-pattern Algorithm, the Bloom Filter algorithm is choosen first. It is a fast paralleled hash algorithm which is widely used on ASIC based hardware design. However, it doesn't perform well enough in the experiment on NP platform.In order to improve the system performance, the Hash Boyer-Moore (HBM) algorithm is proposed here. It is a novel multi-pattern matching algorithm, which is based on the idea of bad character and distance skip like the Boyer-Moore Algorithm. It has shown higher speed and lower space cost in our analysis and higher throughput than Bloom Filter in our experiments.This anti-worm engine is implemented and optimized on an Intel IXP 2400 Network Processor and its performance is tested too. From these experiments, the anti-worm engine with HBM gives a stable performance and meets the needs of Gigabit Ethernet. |
PDF Full Text Request