| Graduate student | 沈綸銘 Lun Ming Shen |
|---|---|
| Thesis title | 網路入侵偵測之關聯偵查引擎晶片系統 (A SoC-Based Correlation Detection Engine for NIDS) |
| Advisor | 黃能富 Nen-Fu Huang |
| Oral defense committee | |
| Degree | Master |
| Department | College of Electrical Engineering and Computer Science, Institute of Communications Engineering |
| Year of publication | 2005 |
| Graduation academic year | 93 |
| Language | Chinese |
| Number of pages | 51 |
| Chinese keywords | 網路入侵偵測系統, 關聯偵查引擎, 晶片系統 (network intrusion detection system, correlation detection engine, system on chip) |
| Foreign-language keywords | IDS, Snort, SoC, Detection Engine |
| Access count | Views: 3, downloads: 0 |
As network behaviour grows ever more complex, the signature rules of a signature-based network intrusion detection system can no longer decide from a single event alone whether an attack is taking place. A highly discriminating signature rule must comprise several events that simultaneously satisfy specific relationships to one another.
For example, in a TCP packet whose destination port is 80, if content: "GET " appears in the payload and the URL "/../../../../../../../../../../../" then appears within a specified range after it, the attack "WEB-MISC iPlanet ../../ DOS attempt" can be identified; rules of this kind are called multi-event rules. Looking at Snort, the most authoritative open-source network intrusion detection system, the proportion of multi-condition rules grows with each new version.
In the workflow of the original pure-software network intrusion detection system, the pre-processor first extracts every condition that needs to be evaluated, and the Detection Engine then walks a linked list to check each condition of every rule in sequence. As multi-event rules become the mainstream form of signature rule, a software Detection Engine is poorly suited to processing them. To address this problem, this thesis attempts to improve the original system in three directions.
First, because the conditions to be checked differ according to the network type a packet belongs to, the original string-matching algorithm is adjusted so that a large share of unnecessary content comparisons is eliminated without introducing missed detections.
Second, the Snort rules are observed and analysed and partitioned into groups; within each independent subset the rules' correlations can be matched separately, which narrows the required matching range.
Third, the Detection Engine portion of the originally pure-software Snort is re-implemented as a SoC (System on Chip): the conditions found by the pre-processor are classified and collected by the software part of the SoC, and a custom-designed hardware circuit then executes the matching algorithm, shortening the waiting time.
Following these three points, we designed a SoC system on an FPGA to verify the proposed method. Testing shows that, under the same conditions, it achieves eight to fourteen times the performance of software execution.
Given the complexity of today's Internet connectivity, a signature-based NIDS (Network Intrusion Detection System) cannot rely on a single payload string, regular expression or URL to detect attack intention. A highly recognizable signature must be built on several events that stand in a particular relationship to one another.
For example, in an HTTP flow, when the content "GET " appears at the fourth byte of the payload and the URL "/../../../../../../../../../../../" then follows, this signals the attack intention "WEB-MISC DOS attempt." Such rules are called "multi-event rules." In Snort, the best-known open-source NIDS, the share of multi-event rules in the total rule set grows with every version update.
Because the original Snort program is a pure software system, its "Detection Engine" must walk the entire sequential RTN list and check every option node (condition) under it. As multi-event rules become the norm, the "Detection Engine" becomes the time-critical component of the Snort system. The objective of this thesis is to improve the original NIDS using three approaches.
The first is to observe the target patterns associated with a specified network application. To do this, we modify the AC (Aho-Corasick) multi-pattern matching algorithm to filter out 60~70% of unnecessary pattern information, which substantially reduces the post-processing overhead.
The second is to divide the Snort rule set into several groups, so that each event needs to search only its corresponding independent rule group. Narrowing the search range in this way reduces the number of matching operations.
Lastly, this thesis proposes a novel architecture that re-partitions the components of the Snort detection engine. A SoC-based solution is preferable because it combines programmable software with application-specific hardware logic.
We implement a SoC system incorporating the above three objectives on an Altera FPGA development board (1C20). This SoC-based system is shown to detect all attack intentions correctly. Furthermore, latency measurements on three networks show the SoC-based approach to be 8 to 14 times faster than a pure software system.
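The following is an added illustration, not code from the thesis or from Snort: a small software model of two ideas in the abstract, partitioning the rule set into independent groups keyed by protocol and destination port so a packet consults only its own group, and evaluating a multi-event rule as an ordered chain of content matches where each hit anchors the window of the next. The option names offset/depth/distance/within echo Snort's content modifiers, but the `Rule` and `Content` classes, the two extra rules marked "constructed", and the sample packets are all assumptions made for this example; the first rule reproduces the "GET " followed by "/../../..." pattern from the abstract. The hardware side of the thesis is not modelled.

```python
"""Added example (not the thesis's own code): rule grouping by (proto, dport)
and ordered multi-event content matching. Rule syntax is a simplified,
hypothetical form of Snort content options; rules and packets are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Content:
    """One event of a multi-event rule: a byte pattern plus its search window."""
    pattern: bytes
    offset: int = 0               # absolute start of the window (first content only)
    depth: Optional[int] = None   # absolute window length from offset
    distance: int = 0             # relative: bytes to skip after the previous hit
    within: Optional[int] = None  # relative: window length after that skip


@dataclass
class Rule:
    msg: str
    proto: str
    dport: int
    contents: List[Content]       # evaluated in order; every one must hit


# Constructed rule set. The first rule follows the abstract's example; the
# other two are hypothetical and exist to show that grouping keeps them apart.
TRAVERSAL = b"/../../../../../../../../../../../"
RULES = [
    Rule("WEB-MISC iPlanet ../../ DOS attempt", "tcp", 80,
         [Content(b"GET ", depth=4), Content(TRAVERSAL, distance=0)]),
    Rule("WEB-CGI cgi-bin probe (constructed)", "tcp", 80,
         [Content(b"GET ", depth=4), Content(b"/cgi-bin/", distance=0, within=20)]),
    Rule("FTP anonymous login (constructed)", "tcp", 21,
         [Content(b"USER ", depth=5), Content(b"anonymous", distance=0, within=9)]),
]


def build_groups(rules: List[Rule]) -> Dict[Tuple[str, int], List[Rule]]:
    """Partition the rule set into independent subsets keyed by (proto, dport)."""
    groups: Dict[Tuple[str, int], List[Rule]] = {}
    for r in rules:
        groups.setdefault((r.proto, r.dport), []).append(r)
    return groups


def match_rule(rule: Rule, payload: bytes) -> bool:
    """Every content must hit in order; each hit anchors the next window."""
    cursor = 0  # end of the previous hit
    for i, c in enumerate(rule.contents):
        if i == 0:
            start = c.offset
            end = len(payload) if c.depth is None else c.offset + c.depth
        else:
            start = cursor + c.distance
            end = len(payload) if c.within is None else start + c.within
        pos = payload.find(c.pattern, start, end)
        if pos < 0:
            return False
        cursor = pos + len(c.pattern)
    return True


def detect(groups: Dict[Tuple[str, int], List[Rule]],
           proto: str, dport: int, payload: bytes) -> List[str]:
    """Consult only the packet's own group; return msgs of the rules that match."""
    return [r.msg for r in groups.get((proto, dport), []) if match_rule(r, payload)]


if __name__ == "__main__":
    groups = build_groups(RULES)
    # Constructed packets: the first reproduces the abstract's attack pattern,
    # the third carries the traversal string but not after a leading "GET ".
    for dport, payload in [(80, b"GET " + TRAVERSAL + b" HTTP/1.0\r\n"),
                           (80, b"GET /index.html HTTP/1.0\r\n"),
                           (80, b"POST /x?q=" + TRAVERSAL + b" HTTP/1.0\r\n"),
                           (21, b"USER anonymous\r\n")]:
        print(dport, detect(groups, "tcp", dport, payload))
```

The third packet shows why the ordering constraint matters: the traversal string is present, but because "GET " does not occur within the first four bytes the chain fails at its first event and the rule does not fire. The port-21 packet shows the grouping effect: only the single FTP rule is consulted, and the two HTTP rules are never touched.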