
A high-performance and dependable intrusion prevention system built with dynamic clustering technology

A High-Performance Dependable Network Intrusion Prevention System with Adaptive Clustering

Advisor: 雷欽隆

Abstract


In today's society, network security has attracted wide attention from major organizations. More and more security systems are being deployed to protect devices and communications on the Internet. A network intrusion prevention system is one such security system: it can analyze network content in detail and actively block harmful packets. Because of the rapid growth in network bandwidth and the need to perform ever more complex inspection, the demand for high-performance network intrusion prevention systems is also increasing. In this thesis, we propose a cluster architecture that combines the capacity of multiple devices to jointly implement a high-performance network intrusion prevention system. Under this architecture, traffic is automatically dispatched among the devices, and a traffic redistribution mechanism allows the system to achieve dynamic load balancing. Building on the cluster architecture, we also design a traffic migration mechanism that lets the system respond more quickly to changes in network traffic and reach a load-balanced state. The cluster architecture also supports fault tolerance and dynamic expansion without stopping the system. We install the well-known intrusion prevention system Snort on every computer of the cluster and implement the mechanisms above as kernel modules in an embedded Linux system. Finally, experiments and the implementation verify that the proposed methods can be applied to building a high-performance and dependable network intrusion prevention system.

Abstract (English)


Security has become a big issue for all organizations in today's network environment. More and more systems have been developed to secure the network infrastructure and communication over the Internet. A network intrusion prevention system (NIPS) is a kind of security system which can perform deep content inspection and block suspected packets. The demand for high-performance NIPS is driven by the growing available bandwidth and by increasingly complex packet inspection. In this thesis, we propose a clustering scheme that aggregates several devices to provide high throughput, and we implement the network intrusion prevention system over a cluster. The proposed scheme makes incoming traffic self-dispatched and applies traffic redistribution to keep the load of the devices balanced. Based on the cluster scheme, we design a dynamic migration approach to quickly reach a load-balanced state as network traffic varies. This clustering scheme also supports fault tolerance and dynamic expansion without shutting down the system. Based on the designed architecture, we deploy Snort, a well-known and popular NIPS, on each device of the cluster and implement all the proposed mechanisms as kernel modules over embedded Linux. According to the results of the performance evaluation, we can successfully build a high-performance, dependable NIPS by means of the proposed schemes over the designed in-line device cluster.
