【作者】 许宪成；

【导师】 张凌；

【作者基本信息】 华南理工大学 ， 通信与信息系统， 2010， 博士

【摘要】 目前入侵检测仍然是极富挑战性的工作。由于复杂性和分析困难,网络入侵检测系统一般运行在PC或通用工作站上。不幸的是,因为在高带宽的网络流量下有限的分析能力,传统通用系统已被证实不适于作为高速网络入侵检测系统的运行平台。人们试图通过在网络接口上过滤不感兴趣的数据包,来提高网络入侵检测系统的性能。好在网络体系结构及其构成要素已经有了质的飞跃,这使得具体实施网络处理的位置也随之变化。现在可以把一个复杂的网络处理“化整为零”分布于整个数据包通行路径。作为网络通信节点的现代主机系统或服务器体系结构充分利用了多核CPU的处理优势,而且网络处理器(NP)和FPGA也被有机地集成到网络接口卡上,形成新的称之为智能网络接口卡(iNIC)的计算资源。这就为将入侵检测功能从主机卸载到智能网卡提供了机会。目前网络处理器板卡(NPNIC)的智能程度及性价比越来越好,附带这种增强计算能力的智能NP板卡的主机系统完全可以将以往通常由边缘路由器担负的大量处理任务卸载到主机本身。这种多核与虚拟化等新技术的出现迫使人们必须重新思考如何完成传统的网络处理任务。本文从入侵检测在网络中的部署位置角度分析现有集中式系统的不足,结合主机智能板卡上网络处理器多核多线程并行处理特点,提出利用可提供额外处理能力的NP智能网卡接口实现分布式入侵检测系统(iNIC NIDS), iNIC NIDS集分布式系统和NP二者优势于一身、具有可靠性高、可扩展性好及吞吐量高的优点,特别适用于复杂高速网络的分布式入侵检测。我们给出了其部署方案,并以智能板卡的可编程网络处理器为平台,实现了方案的状态检测原型系统SCUT NP-NIDS。论文的主要工作包括：1、提出了一种基于节点主机NP智能板卡的分布式入侵检测系统设计方案。方案集分布式系统与网络处理器优势于一身。具有对数据流更细粒度的检测、只对各自收到的数据流实施本地私有安全策略、可以定制安全策略,可扩展性好及抗毁性好、方便攻击的证据收集与固定等优点。我们给出了总体方案,提出了分离系统策略控制接口与数据接口的设计理念,对安全策略实施和主机的网络处理器网络接口、用户界面及系统各模块间通信进行了的详细描述与分析,并通过原型系统实现验证了方案可行性。2、实现了优化的状态网络入侵检测系统原型。状态入侵检测系统性能主要取决于会话表的处理速度和规则匹配算法的效率。我们从设计到实现对TCP会话重组模块进行了多项优化和改进：采用二叉排序树Hash表方式组织会话表快速而高效,精心设计的会话表项结构在维护会话状态的同时避免了多余的访存操作；将会话表分割后分配至不同的存储通道,提高了访问速度；改进的关键字的查找算法使得查找效率提升一倍；创造性地提出具有Cache功能的会话节点回收与分配算法,使得分配回收效率提高了16倍；创新性地提出了多队列超时算法,算法仅与会话节点数线性相关,效率高且易于实现,避免了低效的会话树遍历操作。原型系统会话重组模块的构建实现了数据包间的关联处理,满足了当今在线深度内容检测的要求。实际测试表明,精心设计的数据结构和算法及系列优化措施大幅提升了系统性能。3、提出两种接口设计方法并以此完善了原型系统的用户界面与用户-内核接口。一方面利用IOCTL机制,实现了NP智能板卡的用户-内核接口所需的虚拟设备及其操作函数,解决了棘手的异构处理器不同地址空间的地址转换与访问问题。方便了规则库升级,提高了系统的灵活配置适应能力。另一方面,巧妙借用开源路由软件Zebra实现了原型系统的CLI命令行接口实现了所提方案的控制接口,既可对系统进行本地调试和维护,又方便网络管理员对原型系统远程实施管理策略。4、提出并实现了原型系统主机的智能网络处理器网络接口。提出以此接口可作为所提方案的主机与板卡间数据接口实现入侵检测应用的卸载,实现了主机的网络处理器板卡驱动所需的各操作函数。现有主机顶层应用无需任何改变即可通过该接口与底层硬件网络处理单元进行交互,使得复杂检测任务的处理可在主机CPU和板卡NP间合理配置,也极大地方便系统增加新颖网络应用服务。5、提出入侵检测应用卸载概念并引入评价模型、搭建了原型系统的实验平台。我们提出了入侵检测应用卸载到网络处理器智能板卡的概念,并尝试借助LAWS模型对各种条件下应用卸载的性能提升提供理论依据并进行实验验证。所构建的实验平台包括测试基准和测试用例及网络分析仪套件。我们全面考察了不同协议背景不同访问方式下智能NP网络接口相较普通网络接口的性能表现；从多种角度评估了会话重组状态检测模块的有效性；对入侵检测应用在通信路径上不同位置不同处理层次网络接口的实现情况进行了详实的性能分析与对比。实验结果表明,将入侵检测应用放置在距离网络链路更近的网络处理器,可使系统在减少约30倍时延同时,通过提前阻止非法流提升合法流约30倍的带宽。一系列的测试验证了分布式环境下基于网络处理器智能板卡的入侵检测系统(iNIC NIDS)的有效性和可行性。更多还原

【Abstract】 The intrusion detection is still a very challenging task at present. For its complexity and difficulty in analysis, the network intrusion detection system is usually operated in the PC or the general workstation. Unfortunately, owing to its limited analysis capacity of the high throughput traffic, it has proved that the traditional general system is not fit for the operation platform of the network intrusion detection system. Researchers attempt to improve the performance of the network intrusion detection system through pre-recognizing and filtering the unwanted packets on the network interface. Luckily, the change of the building components of the internet infrastructure has brought about the shift of the location. The complex network processing can be divided into several parts and distributed into the whole communication path of the data packet.As the network communication node, the end host, or the sever architecture, has made full use of the advantage of the multi-core processor’s high speed processing. Since the network processor and FPGA are organically integrated into the network interface card, a new computing resource called iNIC has been formed, which offers an opportunity for offloading the intrusion detection from the CPU to the intelligent network card. Nowadays the network processor is widely used, and the price of the NP intelligent NIC card and the high end server’s network card is almost the same, so the end host with the intelligent NIC of the enhanced computing capacity can offload the large quantity of the processing tasks from the centralized IDS onto the host itself.The emergence of such new technologies as the multi-core and virtualization is forcing people to reconsider how to finish the traditional network processing tasks. This dissertation, from the perspective of its disposition of the intrusion detection system in the network, first analyzes the shortage of the current centralized system. Then, considering the features of the multi-core multi-thread and parallel processing of the network processor on the host intelligent NIC, it proposes that the NP-based iNIC interface can be used for iNIC NIDS with extra processing capacity. It also proposes that for having the advantages of both DIDS and NP and the features of extension and the throughput, iNIC NIDS is dependable and is especially fit for the distributed intrusion detection of the high speed network. In this dissertation, we offer the deployment scheme of iNIC NIDS and implement its prototype on the basis of the open source software Snort and by means of the programmable network processor. The main contributions of this dissertation are as follows:1. It proposes the scheme of the distributed intrusion detection system. Integrating the advantages of both the distributed system and the high speed NP, the scheme has the following features:having the capability of traffic checking at a finer granularity; each end system having the private security policies for itself only; making its specific security strategy; with better extension and survivability; and being easier for collecting and fixing the attacking evidence, etc. This dissertation not only offers the general scheme, but also offers the design principles and gives detailed description and analysis of the security strategy implementation and host’s iNIC interface, the user interface, and the communication between different modules of the system. It also discusses its feasibility.2. It realizes the prototype system of the optimized network processor intrusion detection. The performance of the network processor intrusion detection system depends on the processing speed of the conversational guidance and the efficiency of the rule matching algorithm. We take a series of measures to optimize and improve the TCP session reassembly component of preprocessor of the stateful intrusion detection system: choosing the best data structure and algorithm; devising uniform distributed hash function with hash collision avoiding; modified session key generation algorithm which doubles the lookup speed; session node allocation and recollection with scratchpad caching which gives up to 16 times speedup; and an improvemented muti-queue timeout mechanism. This dissertation describes and analyzes the components and realization of this module from the perspective of data structures and algorithms, much enriching the function of SCUT NP-NIDS.3. It creates two ways of the interface design and thus perfects both the prototype system’s user interface and the user-kernel interface. On the one hand, with the accelerated unit offered by the IXP2400 network processor itself and the IOCTL mechanism, we implement the intelligent NIC’s user-kernel interface, thus making it easier for the upgrading of the rule set and much improving the system’s flexibility and adaptation; on the other hand, we implement the system’s CLI command interface as our proposed scheme’s control interface with the help of open source routing software Zebra, thus making it easier for the network administrator to actualize the remote management strategy.4. It realizes the host’s intelligent network processor interface of the prototype system. Combining the virtual socket network interface mechanism, we design and implement the host’s IXP network interface as our proposed scheme’s data interface, under which, the host can interact with the bottom hardware network processing unit through the interface without any change of its top application, thus making it much easier for the system to increase the new network application service.5. It puts forward the concept of the intrusion detection application offload and introduces the evaluation model, thus establishing the experimental platform of the prototype system. We propose the concept of offloading the intrusion detection application to the network processing intelligent integrated circuit board and try to use the LAWS module to theorize and verify with experiments the performance updating of the application offloading under different circumstances. With the implemented host’s network processor interface and different experiments to operate the current IDS on the IXP iNIC and the host, we compare and contrast the performance of their communication path at different locations. The test result proves that when IDS is placed closer to the network link in the network processor, the system can gain about 30 times decrease latency; and the advanced block of the illegal information traffic can gain about 30 times increase throughput of the legal traffic, thus further verifying the effectiveness and feasibility of the proposed distributed intrusion detection system based on the network processor intelligent NIC.更多还原