Similar documents
1.
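Design and Implementation of a High-Speed Ethernet Intrusion Detection System Based on FPGA Devices   Total citations: 7, self-citations: 5, citations by others: 2
This paper designs and implements a Gigabit Ethernet intrusion detection system based on an FPGA chip. The system separates the Ethernet frame header from the frame payload. First, a Xilinx XC2V1000 FPGA performs matching on the frame header; then an operating-system kernel-mode module performs matching on the frame payload. This reduces the operating system's computational load to a minimum and greatly improves the overall performance of the intrusion detection system. Experimental data show that the system can effectively detect and respond to a variety of attacks on high-speed Ethernet.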

2.
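The development of the Internet has shifted the network speed bottleneck from link speed to the packet processing speed of core network devices, and the core task of packet processing is packet matching. Traditional methods struggle to make packet matching fast enough for core network devices to forward packets at line rate. A new packet matching algorithm is proposed, which improves the differential evolution algorithm and combines the improved algorithm with traditional packet matching algorithms. Statistical methods are applied to fitness value processing, which makes the analysis more objective. Numerical experiments show that, compared with traditional algorithms, the new algorithm effectively improves performance in speed, storage space and update time; in addition, the time performance of its packet matching is only weakly correlated with the number of rules, making it suitable for multi-dimensional and large-scale problems. The new algorithm applies an evolutionary algorithm to forwarding network packets against multi-field, large-scale rule bases, and packets can still be forwarded at line rate. The new algorithm is general-purpose and applicable to network devices such as firewalls and differentiated services routers.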

3.
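To address the preprocessing of classification rules, an outlier attribute detection classification algorithm is proposed. Outlier attribute subsets are computed over the attribute fields of packet classification rules; weighted distances are computed using a weighted vector of rule attributes; the subspace outlier influence factor of each rule's weighted neighbourhood is analysed; and, by comparison with an outlier factor threshold, a frequently matched subset is generated to preprocess the rules. Experimental results show that the algorithm narrows the matching range for subsequent packets and improves the matching accuracy and speed of packet forwarding.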

4.
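Building on the differential evolution algorithm and traditional packet matching algorithms, an improved packet matching algorithm is proposed. The time performance of its packet matching is weakly correlated with the number of rules, and it can handle packet matching against multi-dimensional, large-scale rule bases. Numerical analysis and experimental results show that, compared with Trie-based algorithms, the algorithm enables packets to be forwarded at line rate effectively and improves packet matching performance.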

5.
With the increase of internet protocol (IP) packets the performance of routers became an important issue in internetworking. In this paper we examine the matching algorithm in gigabit router which has input queue with virtual output queueing. Dynamic queue scheduling is also proposed to reduce the packet delay and packet loss probability. Port partitioning is employed to reduce the computational burden of the scheduler in a switch which matches the input and output ports for fast packet switching. Each port is divided into two groups such that the matching algorithm is implemented within each pair of groups in parallel. The matching is performed by exchanging the pair of groups at every time slot. Two algorithms, maximal weight matching by port partitioning (MPP) and modified maximal weight matching by port partitioning (MMPP) are presented. In dynamic queue scheduling, a popup decision rule for each delay critical packet is made to reduce both the delay of the delay critical packet and the loss probability of loss critical packet. Computational results show that MMPP has the lowest delay and requires the least buffer size. The throughput is illustrated to be linear to the packet arrival rate, which can be achieved under highly efficient matching algorithm. The dynamic queue scheduling is illustrated to be highly effective when the occupancy of the input buffer is relatively high.
Scope and purpose: To cope with the increasing internet traffic, it is necessary to improve the performance of routers. To accelerate the switching from input ports to output in the router partitioning of ports and dynamic queueing are proposed. Input and output ports are partitioned into two groups A/B and a/b, respectively. The matching for the packet switching is performed between group pairs (A, a) and (B, b) in parallel at one time slot and (A, b) and (B, a) at the next time slot. Dynamic queueing is proposed at each input port to reduce the packet delay and packet loss probability by employing the popup decision rule and applying it to each delay critical packet. The partitioning of ports is illustrated to be highly effective in view of delay, required buffer size and throughput. The dynamic queueing also demonstrates good performance when the traffic volume is high.

6.
Inspection engines that can inspect network content for application-layer information are urgently required. In-depth packet inspection engines, which search the whole packet payload, can identify the packets of interest that contain certain patterns. Network equipment then utilizes the searching results from the inspection engines for application-oriented management. The most important technology for fast packet inspection is an efficient multi-pattern matching algorithm to perform exact string matching between packets and a large set of patterns. This paper proposes a novel hierarchical multi-pattern matching algorithm (HMA) for packet inspection. HMA builds hierarchical index tables from the most frequent common-codes, and efficiently reduces the amount of external memory accesses and memory space by two-tier and cluster-wise matching. Analysis and simulation results reveal that HMA performs much better than state-of-the-art matching algorithms. In particular, HMA can update patterns incrementally, thus creating a reliable network system.

7.
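To improve rule matching efficiency in firewalls with large rule sets, the matching characteristics of extended match modules in Iptables rules are studied. The matching process is divided into two steps, packet decoding and parameter comparison, and for identical extended match modules appearing in different rules, an optimization algorithm of "decode once, match many times" (decoding-once-technology, DOT) is proposed. Modelling and analysis of rule matching time proves that the improved algorithm reduces the number of packet decodings during rule matching, thereby lowering the matching time of extended match modules in rules. Experimental results show that the improved algorithm effectively increases firewall throughput and reduces latency.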

8.
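In view of the characteristics of languages with large character sets, a parallel hardware model is proposed to implement approximate flow classification based on network content. Thanks to parallel and pipelined design, the model still performs well with large rule bases and is suitable for high-speed networks. The parallel model has the following features: (1) by using different rule combiners, it can perform approximate matching for insertion, deletion, substitution and transposition errors; (2) the degree of approximate matching can be flexibly controlled through configuration parameters; (3) it can be applied directly to network content flow classification for languages with large character sets; (4) probabilistic modelling is done for the Chinese-language environment, the model's matching probability for network packets is analysed, and the model is shown to have good applicability in general cases.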

9.
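Research on Rule-Based Firewall Matching Algorithms   Total citations: 5, self-citations: 0, citations by others: 5
In traditional firewall packet filtering, a packet is matched against the filtering rules sequentially, stopping as soon as one rule matches. As the number of filtering rules grows, firewall throughput keeps falling, seriously affecting network performance. This paper proposes and designs a fast rule matching algorithm that replaces the former sequential matching and greatly improves firewall throughput and performance.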

10.
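With the rapid development of the Internet, packet input processing has become the bottleneck of backbone routers, and line-rate packet input processing is also important for the development of high-speed firewalls. This paper proposes a two-dimensional packet classification algorithm. Based on observations of the characteristics of prefix filters, it designs the construction process and construction algorithm for an area-based quadtree (AQT), making the algorithm simpler and easier to implement in hardware without reducing performance.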

11.
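To address the speed of packet matching in devices such as network firewalls and routers, the differential evolution algorithm is applied to extract multi-layer core bases for packet matching. The algorithm uses multi-layer basic bases to describe the multi-layer features of packets; within each layer, differential evolution is used to extract bit bases and entity bases, and average self-information and average mutual information are used to measure the quality of the basic-base selection. This method can choose the number of layers for extracting bit and entity bases according to the actual size of the rule base, and adapts well to rule base growth. Experimental results show that, in terms of time efficiency and space efficiency, the proposed algorithm has the best overall performance compared with the existing recursive flow matching algorithm and the packet matching algorithm based on real-coded differential evolution.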

12.
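In today's networks, traditional port-based protocol identification is increasingly unable to meet requirements. Regular expressions are used for protocol identification, and their matching correctness and speed are optimized. Converting the NFA matching engine into a DFA matching engine not only reduces the number of states but also increases matching speed. Three matching modes are proposed, tested and compared, and combined with the One-Pass scanning algorithm. Tests on the DARPA data set verify that matching correctness after acceleration is higher than that of L7-filter, and matching speed reaches 6.5 times that of L7-filter.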

13.
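Optimization methods for firewall rule sets are studied and analysed, and formulas are given relating the matching frequency between rules and network packets, matching heat, and rule weight. Weight-based and matching-efficiency-based rule set optimization algorithm programs are designed and written. Finally, analysis and comparison of the corresponding experimental data leads to the conclusion that both algorithms substantially reduce the number of matches between the firewall rule set and network packets, thereby optimizing firewall performance.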

14.
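Bloom Filter is a data structure that supports high-speed data queries and has been widely applied in many fields, including route lookup and string matching [1]. This paper focuses on the application of Bloom Filter to packet classification, proposes a new packet classification algorithm called BFPC, explains the basic idea of the BFPC algorithm, and describes the algorithm through an example. Finally, the performance of BFPC is compared with that of other packet classification algorithms.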

15.
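Efficient Hardware Implementation of Regular Expression Matching   Total citations: 2, self-citations: 1, citations by others: 1
Regular expressions are simple to write and highly expressive, and are widely used in deep packet content inspection. However, because processing is complex, software-based regular expression matching struggles to meet the needs of packet content inspection under heavy traffic. This paper first studies the multi-pattern deterministic finite automaton (MPDFA) method for regular expression matching and, based on it, proposes a micro-engine architecture for hardware-based regular expression matching on packets. Finally, we present our deep packet content inspection implementation based on an Altera Cyclone II FPGA. Its core is four micro-engines that implement regular expression matching. Tests show that parallel processing by the four micro-engines achieves line-rate content inspection of packets on a Gigabit Ethernet interface.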

16.
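Traditional pattern matching algorithms cannot process packets in real time in high-speed environments. To address this, a fast multi-pattern matching algorithm based on ternary content-addressable memory (TCAM) is proposed. Long patterns are cut into several substrings by pattern shifting; the first-level TCAM stores the substrings, and the second-level TCAM stores the sequence numbers of the substrings. When searching for a pattern, the first-level TCAM outputs the numbers of the hit entries to the back end, and the second-level TCAM matches the sequence numbers, thereby obtaining the matching information for the long pattern; a number-space partitioning method compresses the number of entries to improve resource utilization. Experimental results show that the algorithm achieves high-speed matching of network data and, compared with the hash-identifier-based shift storage algorithm, has the advantage of lower space consumption.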

17.
Yu F., Katz R.H., Lakshman T.V. Micro, IEEE, 2005, 25(1): 50-59
Today's packet classification systems are designed to provide the highest-priority matching result, such as the longest prefix match, even if a packet matches multiple classification rules. However, new network applications demanding multimatch classification - that is, requiring all matching results instead of only the highest-priority match - are emerging. Ternary content-addressable memory is becoming a common extension to network processors, and its capability and speed make it attractive for high-speed networks. The proposed TCAM-based scheme produces multimatch classification results with about 10 times fewer memory lookups than a pure software approach. In addition, their scheme for removing negation in rule sets saves up to 95 percent of the TCAM space used by a straightforward implementation.

18.
String matching plays a central role in packet inspection applications such as intrusion detection, anti-virus, anti-spam and Web filtering. Since they are computation and memory intensive, software matching algorithms are insufficient to meet the high-speed performance. Thus, offloading packet inspection to dedicated hardware seems inevitable. This paper presents a scalable automaton matching (SAM) coprocessor that uses the Aho-Corasick (AC) algorithm with two parallel acceleration techniques, root-indexing and pre-hashing. The root-indexing can match multiple bytes in one single matching, and the pre-hashing can be used to avoid bitmap AC matching which is a cycle-consuming operation. In the platform-based SoC implementation of the Xilinx ML310 FPGA, the proposed hardware architecture can achieve almost 10.7 Gbps and support over 10,000 patterns for virus, which is the largest pattern set from among the existing works. On the average, the performance of SAM is 7.65 times faster than the original bitmap AC. Furthermore, SAM is feasible for either internal or external memory architecture. The internal memory architecture provides high performance, while the external memory architecture provides high scalability in terms of the number of patterns.

19.
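Emerging services on the network, such as P2P, VoIP and worms, are increasing steadily and account for a growing share of total network traffic. Monitoring and controlling these new services requires core devices such as routers to be able to classify packets quickly and accurately. Starting from the characteristics of packet classification rule bases for these new services, this paper proposes three packet classification decision trees for multi-dimensional, multi-pattern matching, uses experiments to show how the performance of each differs from the traditional serial decision tree when applied to packet classification for new services, and thereby arrives at the best algorithm for packet classification of new services.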

20.
There is an increasing demand for network devices to perform deep packet inspection (DPI) in order to enhance network security. In DPI, the packet payload is compared against a set of predefined patterns that can be specified using regular expressions (regexes). It is well-known that mapping regexes to deterministic finite automaton (DFA) may suffer from the state explosion problem. Through observation, we attribute DFA explosion to the necessity of remembering matching history. In this paper, we investigate how to manage matching history efficiently and propose an extended DFA approach for regex matching called fcq-FA, which can make a memory size reduction of about 1,000 times with a fully automated approach. In fcq-FA, we use pipeline queues and counters to help record the matching history. Hence, state explosion caused by Kleene closure and length restriction can be completely avoided. Furthermore, it achieves a fully automated signature compilation with polynomial running time and space. The equivalence between fcq-FA and the traditional DFA is guaranteed by a strict theoretical proof, which means fcq-FA can process all the regexes supported by the traditional DFA.
