
Research on an FPGA-Based Fast Packet Distribution System for Intrusion Detection Systems

Fast Packet Transmission System in Intrusion Detection Based on FPGA

【Author】 兰恭明

【Supervisor】 刘衍珩

【Author information】 吉林大学 (Jilin University), Software Engineering, 2009, Master's

【Abstract (Chinese)】 An intrusion detection system (IDS) is a network security device that monitors network traffic in real time and raises an alarm or takes an active countermeasure when it detects suspicious traffic. In a distributed IDS, the large volume of data transferred across the network causes congestion, so fast processing of network packets becomes a critical problem for distributed IDS. This thesis, carried out in the context of a specific project, uses Altera's FreeDEV2.1 development board to study network packet distribution from both a theoretical and a practical perspective, focusing on developing a fast packet distribution system with an FPGA chip and the Nios II soft-core processor. It first describes the basic principles, architecture, components and functions of FPGAs and the general method and flow of FPGA-based design; then, using the large block RAM integrated in the FPGA, it places the CPU, memory, I/O interfaces, DSP modules and the other modules required by the system design onto a single FPGA, building a hardware and software development environment around one Nios II processor; finally, on the basis of the HAL, it designs and implements an FPGA-based fast packet distribution system.

【Abstract】 An intrusion detection system (IDS) is a network security device that monitors network transmissions in real time and raises an alarm or takes an active response when it discovers suspicious transmissions. In 1990, IDS was divided into network-based IDS and host-based IDS; later, distributed IDS appeared. At present the overall structure of a distributed system is a multi-level hierarchical structure, a top-down tree consisting of control nodes, data aggregation nodes and data collection nodes. Control nodes sit at the top of the tree; they are responsible for controlling the entire system and provide the interface for communicating with the outside world. Data aggregation nodes sit in the middle layer; they accept commands from the layer above and control the layer below, analyse the data from the lower layer and submit the reduced data to the upper layer. The leaf nodes at the bottom are responsible for data collection; a leaf node can be a network host or a data collector in the network. Precisely this hierarchical structure leads to a very important issue: the transmission of large amounts of data across the network causes network congestion. Therefore, how to handle network packets at high speed is a critical issue in a distributed intrusion detection system.

In today's growing networks, fast handling of network packets has become a vital link in enhancing the performance of a distributed intrusion detection system. The software-based methods of handling network packets used in the past can no longer meet the requirements for either speed or accuracy, and there is an increasing tendency towards hardware/software co-design. At present, in the domestic construction and implementation of network packet classification and processing systems, the best method is to use hardware. Although the ASICs designed by network equipment manufacturers are excellent at the fixed tasks they are laid down for, their development cycle is long and they are not programmable. Programmable logic devices offer flexible design and powerful functionality. The FPGA (field programmable gate array) appeared as a semi-custom circuit in the ASIC field, and its performance can be on a par with an ASIC. The FPGA makes up for the shortcomings of custom circuits and overcomes the limited gate count of the original programmable devices. An FPGA is completely configurable and programmable by the user through software to perform a particular logic function. Its applications are no longer limited to replacing traditional digital logic; the more important application is realising complex algorithmic logic in an algorithm-oriented way. FPGAs can also implement shared hardware, hardware emulation, prototype validation and other functions. Compared with general-purpose processors, an FPGA is more specialised: the chip has a wealth of programmable hardware resources with which the complex algorithms required by a system can be implemented directly, improving computation speed. FPGAs are very well suited to any high-speed parallel data processing and are flexible and scalable. FPGA devices, which have become the choice for programmable design, have quietly added network-friendly features in order to enter this market. Through these network-friendly features, platform FPGAs can provide high-performance data paths and network control and processing functions. This also makes them ideal candidate devices for dedicated network processing and gives users control over the trade-off between flexibility and performance.

The basic components of an FPGA are: programmable input/output (I/O) blocks, basic programmable logic blocks, routing interconnect resources, embedded block RAM, embedded low-level functional units and embedded dedicated hard cores. Based on the characteristics of FPGAs, this thesis proposes a fast packet transmission system based on FPGA. Its main idea is to use hardware/software co-design to increase the speed of network packet processing and thereby solve the problem of network congestion in a distributed intrusion detection system. Starting from an FPGA-based SOPC, the thesis describes the implementation of FPGA-based fast packet transmission in detail, covering both hardware and software development. In the hardware development process, a Nios II system module is designed and generated with SOPC Builder and downloaded to the FPGA development board with Quartus II. In the software development process, development is based on the HAL (Hardware Abstraction Layer); the thesis introduces the LAN91C111 Ethernet controller driver interface module, the network packet storage module, the interrupt handling module, the DMA transmission module and the filtering rules module. The main principle is as follows: first, a data packet is intercepted from the driver interface of the LAN91C111 Ethernet controller and stored in a connection pool; to reduce the impact of interrupts on system performance, no interrupt is raised until a certain number of arriving packets has been saved; after the interrupt, the packets are transferred to the filter rules module by DMA, where they are discarded or forwarded according to the rules in the rules table.

The structure of this thesis is as follows. Chapter 1 starts from the problem of network congestion in distributed intrusion detection systems and explains the background and significance of this subject; it then proposes the design of a network packet processing system based on hardware/software co-design using FPGA, and finally explains the theory behind that design. Chapter 2 traces the historical development of programmable logic devices, gives the rationale for choosing FPGA, and systematically introduces the architecture of FPGAs, the FPGA design method and flow, and how to use the FPGA development tool Quartus II, laying the theoretical basis for implementing the system. Chapter 3 introduces the design process of the system and describes how the development environment is built, from both the hardware and the software side: in the hardware development process it presents the process of generating the Nios II system module; in the software development process it presents the HAL system library and the LwIP protocol stack. Chapter 4 carries out the implementation and performance analysis of the FPGA-based fast packet transmission system, describes the system modules developed on the basis of the HAL, and tests the performance of the system; the results show that the system meets the requirements for fast network packet processing. Chapter 5 gives a summary and outlook, analysing the research results and shortcomings of this thesis as well as other outstanding issues.
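The packet path the abstract describes (packets intercepted from the LAN91C111 driver, queued in a connection pool, one interrupt raised only after a batch has accumulated, then the batch filtered against a rules table) as an added host-side C model. This is illustrative code written for this page, not the thesis's own Nios II code; the pool depth, batch threshold, packet fields and rule format are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#define POOL_SIZE 8          /* assumed pool depth */
#define BATCH_THRESHOLD 4    /* assumed: CPU is notified only every 4th stored packet */

typedef struct { uint32_t src, dst; uint8_t proto; uint16_t dport; } packet_t;
typedef struct { uint32_t src, src_mask; uint8_t proto; uint16_t dport; bool drop; } rule_t;
typedef struct { packet_t pkts[POOL_SIZE]; int count; int notifications; } pool_t;

/* Rules-table lookup: first matching rule decides, default is forward; proto/dport 0 = any. */
bool filter_packet(const rule_t *rules, int nrules, const packet_t *p) {
    for (int i = 0; i < nrules; i++) {
        const rule_t *r = &rules[i];
        if ((p->src & r->src_mask) == (r->src & r->src_mask) &&
            (!r->proto || r->proto == p->proto) && (!r->dport || r->dport == p->dport))
            return r->drop;
    }
    return false;
}

/* Driver side: queue the packet; true only when a batch is complete, i.e. when the design
   raises its single interrupt instead of one per packet. A full pool loses the packet. */
bool pool_store(pool_t *pool, const packet_t *p) {
    if (pool->count == POOL_SIZE) return false;
    pool->pkts[pool->count++] = *p;
    if (pool->count % BATCH_THRESHOLD) return false;
    pool->notifications++;
    return true;
}

/* Interrupt side (stands in for the DMA hand-off): filter the batch, return the number forwarded;
   *dropped is accumulated across batches, so the caller zeroes it first. */
int pool_drain(pool_t *pool, const rule_t *rules, int nrules, int *dropped) {
    int fwd = 0;
    for (int i = 0; i < pool->count; i++)
        if (filter_packet(rules, nrules, &pool->pkts[i])) (*dropped)++; else fwd++;
    pool->count = 0;
    return fwd;
}

/* Constructed scenario: six packets through a two-rule table; returns packets forwarded. */
int demo(int *dropped, int *notifications) {
    static const rule_t rules[] = { { 0x0A000000u, 0xFF000000u, 0, 0, true },  /* drop 10.0.0.0/8 */
                                    { 0, 0, 6, 23, true } };                  /* drop TCP to port 23 */
    static const packet_t pkts[] = {
        { 0x0A000001u, 0xC0A80001u, 6, 80 }, { 0xC0A80002u, 0xC0A80001u, 6, 80 },
        { 0xC0A80003u, 0xC0A80001u, 6, 23 }, { 0xC0A80004u, 0xC0A80001u, 17, 53 },
        { 0xC0A80005u, 0xC0A80001u, 17, 23 }, { 0x0A0A0A0Au, 0xC0A80001u, 17, 53 } };
    pool_t pool = { {{0}}, 0, 0 }; int fwd = 0; *dropped = 0;
    for (int i = 0; i < (int)(sizeof pkts / sizeof pkts[0]); i++)
        if (pool_store(&pool, &pkts[i])) fwd += pool_drain(&pool, rules, 2, dropped);
    fwd += pool_drain(&pool, rules, 2, dropped);          /* flush the final partial batch */
    *notifications = pool.notifications;
    return fwd;
}
```

In the scenario the fourth stored packet triggers the only notification, the two remaining packets are flushed by the caller, and the UDP packet to port 23 is forwarded because the rule requires TCP.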

【Keywords】 Intrusion detection; FPGA; SOPC; Fast packet distribution
【Key words】 Intrusion detection; FPGA; SOPC; Fast packet transmission
  • 【Online publication submitted by】 吉林大学 (Jilin University)
  • 【Online publication year/issue】 2009, issue 09
  • 【Classification number】 TP393.08
  • 【Cited by】 4
  • 【Downloads】 121