簡易檢索 / 詳目顯示

回結果列表
研究生: 劉尚凱
Shang-Kai Liu
論文名稱: 專屬封包深層檢測用之自動機系統
Deep Packet Inspection by Network-Stream Custom Automata Engine
指導教授: 黃能富
Nen-Fu Huang
口試委員:
學位類別: 碩士
Master
系所名稱: 電機資訊學院 - 資訊工程學系
Computer Science
論文出版年: 2005
畢業學年度: 93
語文別: 英文
論文頁數: 54
中文關鍵詞: 網路入侵偵測自動機防火牆封包
相關次數: 點閱:3下載:0
分享至:
查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報

    • Abstract
    論及網路入侵偵測系統(Intrusion Detection System)和防火牆(Firewall),其中最為重要的關鍵即為用來辨識與比對規則(rules)的字集比對演算法(Pattern Matching Algorithm)。倘若所使用的字集比對演算法效能越好、功能越強,整個系統在偵測各種不同的入侵行為與處理多樣化的入侵規則時將更為有效。為了能夠處理現今因應日漸繁雜的入侵行為而產生的種種複雜規則,我們需要一個不單能處理一般規則、甚至可以輕鬆處理正規語言複雜規則的強力比對引擎。
    我們實作出來的特製自動機系統,融合了強大的功能性和規劃良好的規模性。它不但可以在使用了極少記憶空間的情況下輕易處理最新的Snort規則,更克服了傳統字集比對演算法的缺點。我們的特製自動機系統能在比對的動作中同時處理一般的字集比對、字集間的關係比對、以及由正規語言所寫的規則比對。它改進了傳統系統需花費額外的運算時間來處理此類複雜比對的缺失,同時也結合了較少的記憶體需求、較強的功能、與較佳的效能種種優點。
    在本篇論文中,經由實驗測試可以發現特製自動機系統結合了功能性、效能性、與需求性三大優勢。經由我們的規劃與設計,比對各種複雜規則這件任務將可簡化為各種字集比對的動作。這樣的設計有助於未來日益繁雜的網路環境,更能利用相同的自動機比對核心,便可處理多樣化的入侵規則。

    Contents Chapter 1 Introduction 1 1.1 Problem Statement 1 Chapter 2 Related pattern-matching algorithms 4 2.1 Aho-Corasick pattern-matching algorithm 4 2.2 EGREP matching algorithm 6 2.3 Comparison between AC and EGREP 8 Chapter 3 Custom automata system for Snort rules 11 3.1 Advantages in custom automata system 12 3.2 The architecture in custom automata system 12 3.3 Supporting Regular Expression 15 3.4 Implement header and content custom automata 16 3.5 Experiments and comparisons between custom automata system and Snort 25 3.6 Implementation in hardware 29 Chapter 4 Automata for Regular Expression 38 4.1 The architecture in Regular Expression automata 38 4.2 Automata in automata 40 4.3 Implement Regular Expression automata 40 4.4 Compiler and Optimization 46 4.5 Experiments and comparisons between Regular Expression automata and EGREP 46 Chapter 5 Conclusion 50 References 53 Figure and Table Index Figure Index Figure 2-1 An example of AC automata 5 Figure 2-2 Function diagrams of EGREP compiling 6 Figure 2-3 Function diagrams of EGREP matching 7 Figure 2-4 Examples of EGREP and AC automata 9 Figure 2-5 Examples of data structure in EGREP and AC automata 9 Figure 3-1 Overview of custom automata system for Snort rules when compiling 13 Figure 3-2 Overview of custom automata system for Snort rules when matching 14 Figure 3-3 An example of custom header automata. 17 Figure 3-4 An example of custom content automata 18 Figure 3-5 Compiling flowchart of custom content automata 21 Figure 3-6 Matching flowchart of custom content automata 23 Figure 3-7 An example of custom content automata while matching 24 Figure 3-8 Matching time of custom automata system when input different data sizes. 26 Figure 3-9 Hardware architecture for parallel pattern matching. 30 Figure 3-10 Hardware Design of Custom Automata System 31 Figure 3-11 An example of group nodes with hash filter (M=2) 32 Figure 3-12 An example of dividing every pattern into 4-byte substrings. 33 Figure 3-13 Matching engine in hardware with N 32-bit ALUs (N=4) 34 Figure 3-14 Flowchart of custom automata in hardware matching 37 Figure 4-1 Overview of Regular Expression Automata 38 Figure 4-2 An example of data structure in Regular Expression Automata 39 Figure 4-3 Concept and example of automata in automata. 40 Figure 4-4 Compiling Flowchart of Regular Expression automata 43 Figure 4-5 Matching Flowchart of Regular Expression automata. 45 Figure 4-6 Comparison of matching time for different data sizes 49 Table Index Table 1 Comparisons between EGREP algorithm and AC algorithm 8 Table 2 Matching time of custom automata system when input different data sizes 25 Table 3 Matching time of Snort system for different packets 28 Table 4 Matching time of custom automata system for different packets 29 Table 5 Comparison of matching time (Regular Expression vs. EGREP). 47

    References
    1. Seungho Ryu, Bo-Heung Chung, Jeong-Nyeo Kim, “Design of Packet Detection System for High-Speed Network Environment”, The 6th International Conference on Advanced Communication Technology, 2004, pp. 496–498.
    2. M. Fisk, G. Varghese, “Fast Content-Based Packet Handling for Intrusion Detection”, UCSD Technical report, CS2001-0670, May 2001.
    3. Feldman A., Muthukrishnan S., “Tradeoffs for packet classification”, IEEE INFOCOM 2000, March 2000, pp. 1193–1202.
    4. Pankaj Gupta and Nick Mckeown, “Packet Classification on multiple fields”, Sigcomm, Computer Communication Review, Volume 29, no 4, Sep 1999, pp.147-160.
    5. Pankaj Gupta and Nick McKeown, “Algorithm for packet classification”, IEEE Network, Volume 15, Issue 2, March-April 2001, pp.24-32.
    6. Jang-Jong Fan, Keh-Yih Su, ” An Efficient Algorithm for Matching Multiple Patterns”, IEEE Transactions on Knowledge and Data Engineering, Volume 5, Issue 2, April 1993, pp.339–351.
    7. Aoe, J.-I., “An efficient implementation of static string pattern matching machines”, IEEE Transactions on Software Engineering, Volume 15, Issue 8, Aug. 1989,pp.1010–1016.
    8. Thomas Gries , Source code of agrep v3.37, department of computer science, university of Arizona, http://www.tgries.de/agrep/
    9. Tomasz Kojm , “C implementation of the Aho-Corasick pattern matching algorithm,” 2002, http://cvs.sourceforge.net/viewcvs.py/clamav/clamav-devel/libclamav/matcher-ac.c?rev=1.5
    10. Tomasz Kojm , Source code of AC algorithm, clamav.net, http://prdownloads.sourceforge.net/clamwin/clamwin-0.37.3-setup.exe?use_mirror=aleron
    11. David Parsons , Source code of fgrep algorithm, http://www.pell.portland.or.us/~orc/Code/4bsd/4bsd-current/fgrep/fgrep.c
    12. Ando, K., Okada, M., Shishibori, M., Jun-Ichi Aoe, “Efficient multi-attribute pattern matching using the extended Aho-Corasick method”, IEEE International Conference on Systems, Man, and Cybernetics, Oct. 1997, pp. 3936–3941.
    13. Henry Spencer, Source code of egrep , University of Toronto, http://www.opensource.apple.com/darwinsource/WWDC2004/less-11/less/regexp.c.
    14. Open source code of pcre, http://gnuwin32.sourceforge.net/packages/pcre.htm.
    15. Kupferman, O., Safra, S., Vardi, M.Y., “Relating word and tree automata”, IEEE Symposium on Logic in Computer Science, LICS '96, July 1996, pp. 322–332.
    16. Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese, “Deterministic memory-efficient string matching algorithms for intrusion detection”, INFOCOM 2004, March 2004, pp. 2628–2639.
    17. Yuke Wang, Yun Zhang, Yiyan Tang, Anand Krishnamurtjy, Gerard Damm, Bashar Bou-Diab, “Novel disjoint graph based algorithm for multi-field range-based packet classification”, IEEE ICC 2004, June 2004, pp. 1108–1112.
    18. Josue Kuri, Gonzalo Navarro, Ludovic Me, “Fast multi-pattern search algorithms for intrusion detection”, String Processing and Information Retrieval, 2000. SPIRE 2000, pp.169-180.
    19. Marc Norton , “Optimizing pattern matching for intrusion detection”, July 2004, http://docs.idsresearch.org/OptimizingPatternMatchingForIDS.pdf.
    20. Meng-Hang Ho, Hsu-Chun Yen, “A dictionary-based compressed pattern matching algorithm”, International Computer Software and Applications Conference, 2002, Aug. 2002, pp. 873–878.
    21. Kosaraju, S.R., “Efficient tree pattern matching”, Symposium on Foundations of Computer Science, 1989, 30 Oct.- 1 Nov. 1989, pp.178–183.
    22. Ando, K., Koyama, M., Shishibori, M., Aoe, J., “Rules for describing multi-attribute information and its efficient pattern matching”, IEEE International Conference on Intelligent Processing Systems, 1997 (ICIPS '97), Oct. 1997, pp. 953–957.
    23. Brown, R.L., “Accelerated template matching using template trees grown by condensation”, IEEE Transactions on Systems, Man and Cybernetics, Volume 25, Issue 3, March 1995, pp.523–528.
    24. Martin, A., Seroussi, G., Weinberger, M.J., “Linear time universal coding and time reversal of tree sources via FSM closure”, IEEE Transactions on Information Theory, Volume 50, Issue 7, July 2004, pp.1442-1468.

    無法下載圖示 全文公開日期 本全文未授權公開 (校內網路)
    全文公開日期 本全文未授權公開 (校外網路)

    QR CODE