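Graduate student: | 施映男 Ying-Nan Shih |
---|---|
Thesis title: | Design of an Ultra-High-Speed Signature Matching Circuit Exceeding 10 Gbps and Its Application to Network Intrusion Detection Systems (超越10Gbps之超高速特徵比對電路設計及其在網路入侵偵測系統之應用) |
Advisor: | 黃文吉 Hwang, Wen-Jyi |
Degree: | Master |
Department: | Department of Computer Science and Information Engineering |
Year of publication: | 2007 |
Graduation academic year: | 95 |
Language: | Chinese |
Number of pages: | 69 |
Keywords (Chinese): | Network intrusion detection system, FPGA implementation, high processing efficiency |
Keywords (English): | Network Intrusion Detection System (NIDS), FPGA implementation, High throughput |
Thesis type: | Academic thesis |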
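In today's highly networked society, crime committed over the network is rising day by day, so protecting the public's safety when using the network has become an important issue.
Among the many network security protection systems there is no shortage of software-based and hardware-based ones, but most have their own advantages and drawbacks and cannot strike a balance between processing efficiency and the resource cost consumed by the design. This thesis therefore sets out to design a novel Network Intrusion Detection System (NIDS) with hardware at its core, implemented on an FPGA.
Simulation experiments readily show that the hardware circuit design proposed in this thesis offers ultra-high processing speed while consuming only a small amount of hardware resources in the design, so that an NIDS circuit can be implemented quickly on an FPGA.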
A novel FPGA-based signature match circuit that can serve as the core of a hardware-based network intrusion detection system (NIDS) is presented in this paper. The circuit is based on simple shift registers and symbol encoders for efficient signature matching in hardware. Compared with related work, experimental results show that the proposed work achieves higher throughput and uses fewer hardware resources in FPGA implementations of NIDS systems.