簡易檢索 / 詳目顯示

研究生: 施映男
Ying-Nan Shih
論文名稱: 超越10Gbps之超高速特徵比對電路設計及其在網路入侵偵測系統之應用
指導教授: 黃文吉
Hwang, Wen-Jyi
學位類別: 碩士
Master
系所名稱: 資訊工程學系
Department of Computer Science and Information Engineering
論文出版年: 2007
畢業學年度: 95
語文別: 中文
論文頁數: 69
中文關鍵詞: 網路入侵偵測系統FPGA實作高處理效率
英文關鍵詞: Network Intrusion Detection System (NIDS), FPGA implementation, High throughput
論文種類: 學術論文
相關次數: 點閱:135下載:1
分享至:
查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報
  • 因為在網路發達的科技社會中,網路上的犯罪行為呈現逐日攀升的現象,所以如何去保障大眾在使用網路時的安全,便成了一個很重要的議題。

    在眾多的網路安全防護系統中不乏使用軟體或硬體為基礎的系統,但是大多都各有自己的利弊而無法在處理效率與設計時所消耗的資源成本上取得一個兩頭兼顧的平衡點。因此本篇的論文主要是想設計出一套新穎的Network Intrusion Detection System (NIDS),並且以硬體為核心,然後採用FPGA 為設計基礎而加以去實現。

    在本論文所提出來的硬體電路設計,可以很輕易的藉由模擬實驗來證明,本論文的電路設計是一個具備著超高處理速度並且在設計過程中只需消耗少量的硬體資源成本,即可快速的以FPGA實現出一套NIDS系統電路。

    A novel FPGA-based signature match circuit that can serve as the core of a hardware-based network intrusion detection system (NIDS) is presented in this paper. The circuit is based on simple shift registers and symbol encoders for the efficient signature match in hardware. As compared with related work, experimental results show that the proposed work achieves higher throughput and less hardware resource in the FPGA implementations of NIDS systems.

    附表目錄...................................................vi 附圖目錄..................................................vii 第一章 緒論.................................................1 1.1 研究背景............................................1 1.1.1 惡意程式(Malicious Code)............................1 1.1.2 Network Intrusion Detection System.................4 1.2 研究動機............................................7 1.3 研究目標............................................9 1.4 全文架構............................................9 第二章 理論背景............................................11 2.1 Regular Express...................................11 2.2 Context Addressable Memory (CAM)..................13 2.3 Shift-or Algorithm................................15 第三章 基礎架構電路介紹.....................................19 3.1 ROM-based Architecture............................19 3.2 Symbol Encoder Architecture.......................27 第四章 高效能電路介紹.......................................35 4.1 高效能模組電路.....................................35 4.2 完整超高速電路.....................................44 第五章 實驗數據與效能比較....................................51 5.1 開發平台與實驗環境..................................51 5.2 實驗數據的呈現與討論................................53 第六章 結論................................................67 參考著作...................................................69

    [1] SNORT official web site.
    http://www.snort.org.

    [2] T. Ramirez and C. D. Lo, “Rule Set Decomposition for Hardware Network Intrusion Detection,” in the 2004 International Computer Symposium (ICS 2004), Dec. 15-17, 2004, Taipei, Taiwan, 2004.

    [3] M. Gokhale, D. Dubois, A. Dubois, M. Boorman, S. Poole and V. Hogsett, “Granidt: towards gigabit rate network intrusion detection technology,” Proceedings of the International Conference on Field Programmable Logic and Application, pp. 404-413, 2002.

    [4] B. L. Hutchings, R. Franklin, and D. Carver, “Assisting network intrusion detection with reconfigurable hardware,” Proceedings of the IEEE Symposium on Field-Programmable Custom Computing Machines, pp.111-120, 2002.

    [5] J. Singaraju, L. Bu and J. A. Chandy, “A signature match processor architecture for network intrusion detection,” Proceedings of the IEEE Symposium on Field-Programmable Custom Computing Machines, pp.235-242, 2005.

    [6] I. Sourdis and D. N. Pnevmatikatos, “Pre-decoded CAMs for efficient and high-speed NIDS pattern matching,” Proceedings of the IEEE Symposium on Field-Programmable Custom Computing Machines, pp. 258-267, 2004.

    [7] C. Clark and D. Schimmel, “Scalable multi-pattern matching on high speed networks,” Proceedings of the IEEE Symposium on Field- Programmable Custom Computing Machines, pp.249-257, 2004.

    [8] J. Moscola, J. W. Lockwood, R. P. Loui and M. Pachos, “Implementation of a Content-Scanning Module for an Internet Firewall,” Proceedings of the IEEE Symposium on Field-Programmable Custom Computing Machines, pp.31-38, 2003.

    [9] R. Baeza-Tates and G.H. Gonnet, “A new approach to text searching,” Communications of the ACM, Vol. 35, pp.74-82, 1992.
    [10] H.C. Roan, C.M. Ou, W.J. Hwang and C.T.D. Lo, “Efficient Logic Circuit for Network Intrusion Detection,” Lecture Notes in Computer Science, Vol. 4096, pp.776-784, 2006.

    [11] M. Aldwairi, T. Conte and P. Franzon, “Configurable string matching hardware for speeding up intrusion detection,” ACM SIGARCH Computer Architecture News, Vol. 33, pp.99-107, 2005.

    [12] Y.H. Cho and W.H. Mangione-Smith, “Deep packet filter with dedicated logic and read only memories,” Proceedings of the IEEE Symposium on Field- Programmable Custom Computing Machines, pp.125-134, 2004.

    [13] 阮煥鈞, 應用於網路入侵偵測系統之高效能電路可程式化系統晶片設計, 國立台灣師範大學資訊工程研究所碩士論文, 94學年度。

    [14] ALTERA official web site.
    http://www.altera.com

    QR CODE