
Research on High-Speed Processing Techniques for Network Intrusion Detection Systems

Researches on High-Speed Processing for Network Intrusion Detection Systems

Author: 陈一骄 (Chen Yijiao)

Advisor: 卢锡城 (Lu Xicheng)

Author information: National University of Defense Technology, Computer Science and Technology, 2007, PhD

Abstract (Chinese, translated): With the rapid development of network technology and network applications, an endless stream of new network attack techniques poses severe challenges to network security. In high-speed network environments, traditional intrusion detection processing techniques can no longer meet the real-time processing demands of ever-growing data volumes. This dissertation focuses on high-speed processing techniques for network intrusion detection systems. It first proposes a high-speed processing model suited to high-speed network intrusion detection systems, and then studies the key techniques needed to realize that model: a fast pattern matching algorithm, adaptive dynamic load balancing, and flow identification and management in intrusion detection probes. The results have been successfully deployed.

The dissertation systematically analyzes the architecture of network intrusion detection systems and proposes an extensible multi-level parallel processing model for high-speed NIDS, the XMLPP architectural model. The model assigns tasks with strict real-time requirements and relatively regular processing to a front-end high-speed dedicated hardware system, which performs them during data acquisition, and schedules the computationally complex tasks to multiple back-end intrusion detection probes running in parallel. The XMLPP model scales well, is highly reliable, greatly improves overall system performance, and meets the needs of intrusion detection on high-speed networks.

To address the performance problems of pattern matching in high-speed network intrusion detection, the dissertation proposes a TCAM-based fast pattern matching algorithm, TFPM. The algorithm performs a pattern-prefix hash check on each string to be matched, filters out strings that cannot possibly match, and uses the TCAM only for parallel lookup of strings whose prefix matched, effectively reducing the number of TCAM lookups. It uses a multi-queue virtual identification technique to check multiple packets in parallel, hiding access latency while raising TCAM utilization. To support complex packet classification that combines multiple rules, the dissertation designs and implements a dedicated pattern matching instruction set; combined with the TFPM algorithm, it supports multi-rule complex packet classification and strengthens the classification capability of pattern matching. The algorithm has low implementation complexity and meets the requirements of content-based complex packet classification in high-speed networks.

To address load distribution in the XMLPP model, the dissertation proposes a session-oriented adaptive load balancing method, the MSF adaptive load balancing algorithm. Based on multi-field classification of the IP packet header, the algorithm partitions traffic with a static flow table and combines this with dynamic adjustment of the flow bundle (the set of flows sharing the same hash value) that has the fewest TCP flows; it thereby maintains both packet-level and bit-level load balance across the processing nodes while preserving the integrity of network sessions. Because the algorithm guarantees session integrity while keeping the load balanced, the intrusion detection probes can correctly interpret the semantics of the packets they receive, which makes it suitable for high-speed network intrusion detection.

To address the problems of flow identification and management in intrusion detection probes, the dissertation proposes CRC20, an algorithm with good hashing properties. Building on that algorithm and on a hardware-implemented dynamic packet storage method, it presents a method for high-speed packet flow identification and management. Theoretical analysis and simulation results show that the method has low computational complexity and good memory access performance, and is suitable for flow management on high-speed network links.

Finally, applying the above results, the dissertation implements a high-speed network data acquisition and preprocessing system based on a macro-pipeline architecture; the system can be used for high-speed intrusion detection as well as for high-speed network security monitoring and network measurement. The main results of the dissertation have become an important component of a series of high-speed network intrusion detection devices; since 2005 the system has been widely deployed and has played an important role in high-speed network intrusion detection and network management.

Abstract (English): With the rapid development of network technologies and applications, more and more network attack techniques pose a serious challenge to network security. In the large-scale, high-traffic network environment, traditional technologies for network-based intrusion detection systems (NIDS) cannot satisfy the need for real-time processing of the growing network traffic. In this dissertation we study in depth the hardware-based accelerating techniques for high-speed network intrusion detection systems. We first propose a novel architectural model for NIDS, and then conduct research on the key techniques of this model, including fast pattern matching algorithms, adaptive load balancing, and flow identification and management for NIDS probes. The main contributions of the dissertation are as follows:

(1) We first systematically analyze the architecture of NIDS and propose XMLPP (extensible Multi-Level Parallel Processing), a novel model for high-speed NIDS. In the XMLPP model, the simple, periodic tasks that require high processing speed are performed at high speed in specially designed hardware during data acquisition, and the relatively complex tasks are scheduled to the high-performance back-end probes. The XMLPP model helps improve system performance and enhance system reliability, both of which are very important for high-speed NIDS.

(2) To improve the performance of pattern matching in high-speed NIDS, we propose TFPM, a novel TCAM-based Fast Pattern Matching algorithm. The algorithm greatly reduces the number of TCAM matching operations by pre-filtering the strings using pattern prefix matching. By means of multiple virtual queues for identification, it significantly improves the performance of pattern matching. To support content-based multi-rule packet classification, we design and implement a special pattern matching instruction set. This instruction set can be used together with the TFPM algorithm to support complex multi-rule packet classification and improve the packet classification ability of pattern matching. The TFPM algorithm is easy to implement in hardware and satisfies the need for content-based complex packet classification in high-speed networks.

(3) Aiming at the load balancing problem in high-speed NIDS, we propose MSF (Minimum Session number First), a session-oriented adaptive load balancing algorithm. Considering load balance at both the packet level and the bit level, the MSF algorithm dynamically schedules the objects based on the number of sessions in the flow bundles. The algorithm maintains the integrity of sessions and ensures that the NIDS can correctly understand the semantics of the received packets.

(4) Aiming at the problems of flow identification and management in NIDS probes, we propose CRC20, an effective hash algorithm. Based on the CRC20 algorithm, we dynamically store the received packets in hardware and realize the identification and management of high-speed packet flows. Theoretical analysis and extensive simulations show that the algorithm has good computational complexity and memory-access performance and is suitable for flow management in high-speed networks.

Finally, based on the above techniques, we study the implementation of a real system: a macro-pipelined integrated high-speed network data collection and pre-processing system. The system captures packets from high-speed links and completes pre-processing such as packet classification, filtering, and content inspection. The system efficiently attenuates the network traffic, reduces the workload of the back-end processing probes, and improves the performance of the NIDS. As a hardware-based accelerating processing platform, this system can be used not only in high-speed NIDS, but also in high-speed network security monitoring, network behavior analysis, network measurement, etc. Currently this system plays an important role in the fields of security management and network management.
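As an added illustration (not code from the dissertation), the following Python sketch shows the session-oriented balancing idea described for MSF: a static flow table maps hash bundles of the IP header fields to probes, so both directions of a session land on one probe, and when probe loads drift apart the bundle carrying the fewest TCP sessions is the one moved. The bundle count, SHA-256 standing in for the hardware hash, the 1.5 imbalance threshold and the packet dictionaries are all assumptions made for this example.

```python
import hashlib
from collections import defaultdict

N_BUNDLES = 16  # constructed size of the static flow table (hash buckets)

def session_key(pkt):
    """Direction-independent 5-tuple so both halves of a session share one key."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    lo, hi = sorted([a, b])
    return (lo, hi, pkt["proto"])

def bundle_of(pkt):
    """Hash the IP header fields into a flow bundle. SHA-256 is a stand-in for
    the dissertation's hardware hash, chosen only to keep the demo self-contained."""
    key = repr(session_key(pkt)).encode()
    return int(hashlib.sha256(key).hexdigest(), 16) % N_BUNDLES

class MSFBalancer:
    def __init__(self, n_probes):
        self.n_probes = n_probes
        self.table = [i % n_probes for i in range(N_BUNDLES)]  # bundle -> probe
        self.sessions = defaultdict(set)  # bundle -> TCP sessions seen
        self.bytes = defaultdict(int)     # bundle -> bytes seen (bit-level load)

    def dispatch(self, pkt):
        """Return the probe for this packet; the static table keeps a session on one probe."""
        b = bundle_of(pkt)
        self.bytes[b] += pkt["len"]
        if pkt["proto"] == 6:  # TCP: track the session for the MSF decision
            self.sessions[b].add(session_key(pkt))
        return self.table[b]

    def probe_load(self):
        load = [0] * self.n_probes
        for b, p in enumerate(self.table):
            load[p] += self.bytes[b]
        return load

    def rebalance(self, ratio=1.5):
        """Minimum-session-number-first step (assumed reading of MSF): if the busiest
        probe carries more than `ratio` times the lightest one, move the bundle on the
        busiest probe with the fewest TCP sessions, so the fewest sessions change probe."""
        load = self.probe_load()
        hi = max(range(self.n_probes), key=load.__getitem__)
        lo = min(range(self.n_probes), key=load.__getitem__)
        if load[hi] == 0 or load[hi] < ratio * load[lo]:
            return None
        cands = [b for b, p in enumerate(self.table) if p == hi and self.bytes[b] > 0]
        moved = min(cands, key=lambda b: len(self.sessions[b]))
        self.table[moved] = lo
        return moved
```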
