
Graduate student: 黃國睿
Guo rui Huang
Thesis title: 基於多核心處理器之網路入侵防禦系統之設計
On the design of Network Intrusion Prevention System based on Multi-core Platform
Advisor: 黃能富
Nen-Fu Huang
Degree: Master
Department: College of Electrical Engineering and Computer Science - Institute of Communications Engineering
Year of publication: 2007
Graduating academic year: 95 (ROC calendar)
Language: Chinese
Pages: 46
Chinese keywords: network intrusion detection system, dual-core processor
As the variety of network attacks has increased markedly, new network security appliances have become more and more important. However, network bandwidth is growing far faster than processor speed, so even today's high-performance single processors cannot process large volumes of network traffic in real time. Using multiple processors to raise system performance is therefore an important and inevitable trend, and as the number of processors grows, the design of the software architecture must change with it.

This thesis proposes a system architecture based on multi-core processors to improve the packet-content inspection performance of Network Intrusion Detection and Prevention Systems (NIPS). Early multi-core processors each used their own proprietary system architecture, in which every processor typically had memory that only it could access; this is also why early multi-core processors were very expensive. With the advent of dual-core processors, multiple processors can be used to raise NIPS performance without these special architectures. An NIPS needs a large cache to speed up data access, and reading memory that is not in the processor's cache is particularly time-consuming. Since today's processors usually do not have large caches, the best approach is to reduce the number of accesses that go beyond the cache. Interrupts also have a considerable effect on NIPS performance, so improving performance requires reducing their impact. This thesis uses the characteristics of cache memory, interrupts and connection distribution to design and implement a multi-threaded NIPS. Experimental results show that the proposed method does effectively improve NIPS performance.


As the types of attacks have increased noticeably, network security devices have become more and more important in recent years. However, the growth rate of network bandwidth has been greater than that of processor performance, and even the most powerful general-purpose processors are not able to process packets at multi-gigabit wire speed. Consequently, next-generation network systems should be designed to process packets in parallel on multi-processor platforms.

In this thesis, a novel software architecture is proposed to enhance the performance of Network Intrusion Detection and Prevention Systems (NIPS). An NIPS benefits from running on a platform with large cache memory if its frequently accessed data structures can be found in the cache. Although a processor is unlikely to be equipped with a large cache, performance can still be enhanced by reducing the L2 cache miss rate. Another performance bottleneck is interrupt handling, which affects system performance negatively; offloading interrupt handling is therefore also helpful. This thesis presents a mechanism for designing an NIPS on a multi-core platform based on processor affinity, interrupt affinity and stream affinity. The experimental results show that the proposed architecture enhances NIPS performance dramatically.

Table of contents:
Abstract (Chinese)
Abstract
Contents
List of Figures
Chapter 1 Introduction
Chapter 2 Background
2.1 Dual-core processors
    Intel & AMD processors
    Intel Pentium D & Intel Core 2 Duo
2.2 The Snort architecture
2.3 Related Work
Chapter 3 System Architecture
3.1 Single-threaded Snort
3.1.1 Interrupt affinity
3.1.2 Processor affinity
3.2 Multi-threaded Snort
3.2.1 Dependent Interrupt Architecture (DIA)
3.2.2 Independent Interrupt Architecture (IIA)
Chapter 4 System Implementation
4.1 Chariot
4.2 Experimental Results
4.2.1 Single-threaded Snort
4.2.2 Multi-threaded Snort
Chapter 5 Conclusions
References


Full text availability: not authorized for public release (on-campus network)
Full text availability: not authorized for public release (off-campus network)
Full text availability: not authorized for public release (National Central Library: Taiwan thesis and dissertation system)