| Field | Value |
|---|---|
| Graduate student | 高迦南 Kao, Chia-nan |
| Thesis title | 新一代嵌入式網路安全系統 Next Generation Embedded Network Security Systems |
| Advisor | 黃能富 Huang, Nen-Fu |
| Oral defense committee | 陳俊良, 石維寬, 林華君, 李維聰 |
| Degree | Doctor (博士) |
| Department | 電機資訊學院 - 通訊工程研究所 College of Electrical Engineering and Computer Science, Institute of Communications Engineering |
| Year of publication | 2015 |
| Academic year of graduation | 103 (ROC calendar) |
| Language | English |
| Keywords (Chinese) | 嵌入式系統, 網路入侵偵測, 網路病毒掃描, Botnet偵測 (embedded system, network intrusion detection, network virus scanning, Botnet detection) |
| Keywords (English) | Embedded System, Network Intrusion Detection System, Network Anti-virus, Botnet Detection |
In general, the main problems for current embedded network security systems are limited computing resources and huge malware signature databases. According to recent OpenWrt statistics, most home routers are equipped with less than 64 MB of memory; once the memory needed by the router's own basic functions is subtracted, little is left for security-related functions. With the exponential growth of malware in recent years, the anti-virus industry has to rely on automated mechanisms to generate the corresponding virus signatures, intrusion detection signatures, IP RBLs, DNS RBLs and so on, and the contents of these matching databases grow exponentially along with the malware. Such huge matching databases become an operational problem for an embedded security system like a home router.
To alleviate these problems, this dissertation proposes several refined software-based matching methods for embedded network security systems: a "software-based MD5 checksum lookup scheme", a "network fast virus file scanning scheme", a "large-scale Botnet IP database matching scheme" and a "retargetable multiple-string-matching code generator". They improve the performance and capacity of home routers when matching against these databases. To study the integration of automatic virus-signature/rule generation systems with embedded network security systems, the dissertation finally provides an "automatic signature generation method for HTTP-like Botnets".
In general, the problems for current embedded network security systems are limited computing resources and numerous matching rules. According to OpenWrt statistics, most SME/SOHO routers are embedded network systems whose memory sizes are usually below 64 MB. With the exponential growth of malware and viruses, the anti-virus and intrusion detection industries employ automatic rule-generating (RuleGen) systems. However, the numerous security rules (IPs, domain names, URLs, file checksums and string-based patterns) generated by RuleGen systems are difficult for resource-limited SME/SOHO routers to utilize.
To deal with these problems, several software-based refined matching methods for embedded systems are proposed: a software-based MD5-checksum lookup scheme, a network fast virus-scanning scheme, a large-scale Botnet IP lookup scheme, and a retargetable multiple-string-matching code-generating system. They improve the performance and capacity of resource-limited SME/SOHO routers for IP, MD5 file checksum, and string-based rules. The software-based MD5-checksum lookup scheme maintains a high lookup speed by removing unnecessary table searches. The network fast virus-scanning scheme is a proxyless, stream-based anti-virus architecture for network virus scanning with zero buffering; it eliminates the buffering I/O operations of older store-and-forward architectures and achieves better performance. The large-scale Botnet IP lookup scheme utilizes the CPU cache to obtain good performance for large-scale IP matching. The retargetable multiple-string-matching code-generating system presents interfaces for co-design with hardware and obtains better performance in text-based pattern matching for embedded environments. Finally, to explore the possibility of refining RuleGen systems for resource-limited SME/SOHO routers, a simple HTTP-like Botnet rule-generating system is proposed.