基于多层模式匹配技术的高速以太网NIDS实现方案

目前多数基于网络的入侵检测系统(NIDS)无法适用于对高速以太网链路的实时流量分析和入侵检测任务.本文在传统模式匹配方法的基础上,引入了基于协议分析的多层模式匹配概念:采用FPGA硬件逻辑对长度和偏移量相对固定的数据包包首部分进行模式匹配;采用核心态软件逻辑对长度和偏移量变化的数据包负载部分进行模式匹配.新的模式匹配技术有效提高了NIDS的整体性能.最后,本文给出了一种基于多层模式匹配的高速以太网NIDS实现方案.并对FPGA硬件逻辑和核心态软件逻辑采用的检测策略进行了详细说明.

Implementation of Network-based Intrusion Detection System for Fast-speed Ethernet Based on the Multi-layer Pattern Matching Method

As a response to increased threats, many Network-based Intrusion Detection Systems (NIDSs) have been de- veloped, but current NIDS are barely capable of real- time traffic analysis and intrusion detection job on Fast Ethernet links. This paper describes a new matching method with the name "Multi- layer Pattern Matching (MPM)" based on the protocol analysis. MPM is a pattern matching method using the FPGA logic and kernel logic as the detection mechanism. FPGA logic performs the function of fixed field pattern matching based on packet header information that is easily ex- amined by fixed size and offset. Kernel logic performs the function of payload pattern matching based on packet payload information that is not easily examined by variable size and offset. This new matching method can improve the perfor- mance of the NIDSs. A new implementation of NIDS for fast- speed Ethernet based on the MPM method is proposed fi- nally, and the detection strategies applied FPGA logic and kernel logic are described in detail.