
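Integrating a Network Packet Security Inspection System and a Multi-Core Packet Capture Module in Ultra-High-Speed Network Environments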

An Embedded NIDS with Multi-Core Aware Packet Capture for Multi-Gigabits Networks

Advisor: 王勝德

Abstract


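As network bandwidth and malicious network intrusion attacks both multiply, network security has become a serious issue, and a network intrusion detection system (NIDS) has become indispensable equipment in front of data servers. However, single-core processor performance has not kept growing and can no longer cope with current network speeds and the continually growing rule set. This thesis proposes an embedded multi-core network intrusion detection system. Based on the hardware architecture characteristics of different Ethernet network cards, it proposes two different architectures, Flow Ring and MCA Ring, and includes three features: 1) it integrates a high-speed network packet capture module with the network intrusion detection system; 2) it uses a packet zero-copy technique to reduce the extra overhead incurred when collecting network packets; 3) it uses processor affinity settings for interrupts and processes to improve system processing performance. The experimental data show the performance differences of the network intrusion detection system under the different packet capture architectures, and the results show that the design proposed in this thesis clearly improves overall detection performance in high-bandwidth network systems.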

Parallel Abstract


Network security has been a serious problem on the Internet. To face this issue, network intrusion detection tools have become indispensable for computer systems and network gateways. In this paper, according to the different hardware features of the network interface card, we propose two kinds of multi-core aware packet capture modules, called Flow Ring and MCA Ring. Moreover, we propose an embedded, multi-core aware network intrusion detection system (NIDS), which has the following features: 1) It integrates different novel multi-core aware packet capture modules, the MCA Ring and Flow Ring, with an NIDS. 2) It exploits a zero-copy mechanism to remove the overhead of copying packets from the network interface driver to the NIDS application. 3) It uses the concept of process and IRQ affinity to enhance the processing speed. The performance of the NIDS under different packet capture modules in multi-gigabit networks has also been analyzed and presented in this paper. The results show that our integrated multi-core aware modules and NIDS are effective for detecting network intrusion attacks in multi-gigabit networks.
