
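Graduate student: 陳建麟
Thesis title: A Parallel String Matching Algorithm for High Speed Network Intrusion Detection System (適合高速網路入侵偵測系統之平行字串比對演算法設計)
Advisor: 黃能富
Oral examination committee:
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science
Year of publication: 2007
Academic year of graduation: 95
Language: Chinese
Number of pages: 52
Chinese keywords: string matching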
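  • Computers are becoming ever more widespread, and Internet applications are everywhere. In this environment, computer information security is becoming increasingly important, and network intrusion detection systems (NIDS) are receiving growing attention as a result. In a NIDS, however, most of the processing is taken up by string matching, so the design of the string matching algorithm strongly affects the system and becomes its performance bottleneck. This thesis focuses on the core technique of a NIDS, the string matching algorithm, and designs a new algorithm to speed up string matching.
    By observing the finite state machine (DFA), we found that for each character the next state usually corresponds to one particular state, independent of the current state; we call this state the character's Magic-State. Based on the Aho-Corasick algorithm and the Magic-State property, we therefore designed MACMS (Multiple-character AC with Magic-State), an algorithm that processes multiple characters at a time. By exploiting the Magic-State property, MACMS can quickly predict the result AC would reach after processing several characters, which lets it process multiple characters at once and so raise string matching performance.
    Experimental data show that when the MACMS algorithm is used to build the Snort Rule set, only 117 KB of TCAM and 98 KB of SRAM are needed to process the Snort Rule set. With the TCAM and SRAM running at 600 MHz, the system architecture proposed in this thesis raises string matching speed to 48 Gbps by processing 10 characters at a time.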
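    The Magic-State observation from the abstract can be measured on a small Aho-Corasick DFA. The following is an added example, not code from the thesis: it builds the full DFA for a constructed four-pattern set and reports, for each character, the next state that most states share and the transitions that deviate from it. The function names and the pattern set are assumptions, and the MACMS tables themselves are not reproduced; characters that occur in no pattern are left out because they always lead to the root.

```python
from collections import Counter, deque

PATTERNS = ["he", "she", "his", "hers"]  # constructed sample, not Snort rules

def build_ac_dfa(patterns):
    """Full Aho-Corasick DFA: goto[state][ch] -> next state (root is 0)."""
    alphabet = sorted({ch for p in patterns for ch in p})
    trie = [{}]
    for p in patterns:
        s = 0
        for ch in p:
            if ch not in trie[s]:
                trie.append({})
                trie[s][ch] = len(trie) - 1
            s = trie[s][ch]
    fail = [0] * len(trie)
    goto = [{} for _ in trie]
    for ch in alphabet:              # root: missing edges loop back to root
        goto[0][ch] = trie[0].get(ch, 0)
    queue = deque(trie[0].values())  # breadth-first, so fail targets are done
    while queue:
        s = queue.popleft()
        for ch in alphabet:
            if ch in trie[s]:
                t = trie[s][ch]
                fail[t] = goto[fail[s]][ch]
                goto[s][ch] = t
                queue.append(t)
            else:                    # no trie edge: inherit from failure state
                goto[s][ch] = goto[fail[s]][ch]
    return goto, alphabet

def magic_states(goto, alphabet):
    """Per character: (most common next state, share of states going there)."""
    magic = {}
    for ch in alphabet:
        state, hits = Counter(row[ch] for row in goto).most_common(1)[0]
        magic[ch] = (state, hits / len(goto))
    return magic

def exceptions(goto, magic):
    """(state, ch, next) transitions that do not lead to ch's magic state."""
    return [(s, ch, nxt) for s, row in enumerate(goto)
            for ch, nxt in row.items() if nxt != magic[ch][0]]

if __name__ == "__main__":
    goto, alphabet = build_ac_dfa(PATTERNS)
    magic = magic_states(goto, alphabet)
    for ch, (state, share) in magic.items():
        print(f"{ch!r}: magic state {state}, {share:.0%} of states")
    print(len(exceptions(goto, magic)), "exception transitions")
```

    Only the exception transitions depend on the current state; every other lookup is determined by the input character alone.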


    Chapter 1 Introduction
    Chapter 2 Related work
        2.1 Aho-Corasick algorithm
        2.2 Jump-ahead Aho-Corasick NFA (JACK-NFA)
        2.3 Transition-distributed parallel DFAs (TDP-DFA)
    Chapter 3 MACMS Algorithm
        3.1 Magic state
        3.2 MACMS – Finding out correct next state
            3.2.1 MACMS – Building Default Table
            3.2.2 MACMS – Building Transition-Path Table
            3.2.3 Reducing Transition-Path Table
        3.3 MACMS – Solving pattern match
            3.3.1 MACMS – Building Match Table
            3.3.2 Pattern matching procedure
            3.3.3 Reducing Transition-Path Table
            3.3.4 Grouping patterns
        3.4 MACMS – Matching short patterns
            3.4.1 Default Table for short patterns
            3.4.2 Transition-Path Table for short patterns
            3.4.3 Match Table for short patterns
            3.4.4 Architecture for matching short patterns
        3.5 System Architecture
    Chapter 4 Experimental Results
        4.1 Analysis of Snort patterns
        4.2 Analysis of Magic state
        4.3 Analysis of MACMS
        4.4 Analysis of system resources
    Chapter 5 Conclusions
    References


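    Full-text release date: this full text is not authorized for public release (on-campus network)
    Full-text release date: this full text is not authorized for public release (off-campus network)
    Full-text release date: this full text is not authorized for public release (National Central Library: Taiwan theses and dissertations system)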