Kernel Level Modularized Intrusion Detection and Prevention System and Performance Improvement with RPS/RFS Mechanisms

Advisor: 姜美玲
The full text will be available for download on 2025/02/19.

Abstract


As modern life has become tightly interwoven with information networks, the information systems that society depends on have grown more diverse. They are evolving toward high cohesion and low coupling, each focusing on its own core value, and they are deployed to provide services in many different network environments. The security of these systems, however, faces more challenges as they evolve; among the countermeasures, intrusion detection and prevention systems (IDPS) have been proven effective at resisting attacks, and they are the subject of this thesis.

This thesis examines in depth the processing flow of an IDPS and the operating principles of information systems, applies a kernel-level IDPS in several system architectures, and verifies its operational advantages in each of them. Drawing on the laboratory's previous research results, a kernel-level IDPS is redesigned and re-implemented so that the kernel-level IDPS previously built on Linux Kernel 3.7.9 also runs properly on Linux Kernel 4.15.0. The implemented kernel-level IDPS performs threat detection the moment a packet is received or sent; compared with an IDPS operating at user level, it greatly reduces the impact on network performance by avoiding the cost of copying data to user level, waiting for the CPU scheduler, and switching back and forth between kernel level and user level. In the experiments, three system architectures are constructed to study the performance bottlenecks that arise in each, investigate their causes and corresponding remedies, and use Receive Packet Steering / Receive Flow Steering to distribute the receive-path softirq across different cores, so that packets are not all processed on a single core and no bottleneck forms there. The experimental results show that the implemented kernel-level IDPS effectively protects information systems without affecting system performance.

Abstract (English parallel version)


With the close integration of modern life and information networks, the types of information systems are becoming more and more diversified. Information systems are developing towards high cohesion and low coupling, focusing on the core values of each information system, and they are deployed to provide services in a variety of different network environments. However, the security of information systems faces more challenges as the systems evolve. Among the countermeasures, the Intrusion Detection and Prevention System (IDPS) is an effective solution for defending against attacks, and it is the subject of this study.

This study delves into the processing flow of an IDPS and the operating principles of information systems. A kernel-level IDPS is developed and applied to systems in different network environments to verify the operational advantages of a kernel-level IDPS under different system architectures. This study mainly builds on the previous research results of our laboratory to redesign the kernel-level IDPS, so that the kernel-level IDPS previously based on Linux Kernel 3.7.9 also works well on Linux Kernel 4.15.0. The kernel-level IDPS implemented in this study can perform attack detection as soon as it receives or sends packets. Compared with an IDPS operating at user level, it has a much smaller impact on network performance: it avoids the costs of copying data to a user-level buffer, waiting to be scheduled by the kernel scheduler, and switching back and forth between kernel level and user level. In the experiments, this study constructed three experimental environments with different architectures to study the performance bottlenecks and explore their causes and corresponding solutions. This study also examines the effect of using the Receive Packet Steering and Receive Flow Steering technologies to distribute received packets to different cores for processing, which avoids the performance bottleneck caused by processing all packets on the same core. The experimental results show that the kernel-level IDPS implemented in this study can effectively protect the information system without affecting the system's performance.
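The RPS/RFS tuning the abstract relies on is configured through sysfs and procfs. The script below is an added example, not code from the thesis or its lab: it builds the CPU bitmask that `rps_cpus` expects and applies RPS plus RFS to every receive queue of a NIC. The interface name, CPU list and flow-table size are assumptions; the `root` prefix exists only so the same function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: spread receive-path softirq work over several cores with
# RPS/RFS instead of letting every packet land on the core that took the IRQ.
# Interface name, CPU ids and table sizes are assumptions, not thesis values.

# Build the hexadecimal bitmask that rps_cpus expects from a list of CPU ids.
# Assumes CPU ids below 32 (larger masks use a comma-separated multi-word form).
# rps_cpu_mask 0 1 2 3 -> "f"
rps_cpu_mask() {
    mask=0
    for cpu in "$@"; do
        mask=$(( mask | (1 << cpu) ))
    done
    printf '%x\n' "$mask"
}

# Apply RPS (rps_cpus) and RFS (rps_sock_flow_entries, rps_flow_cnt) to every
# rx queue of $dev. $root is "" for the live system or a scratch directory when
# testing. Returns 1 when the interface exposes no rx queues.
apply_rps_rfs() {
    root=$1; dev=$2; mask=$3; sock_entries=$4
    qdir="$root/sys/class/net/$dev/queues"
    nq=0
    for q in "$qdir"/rx-*; do
        [ -d "$q" ] || continue
        nq=$((nq + 1))
    done
    [ "$nq" -gt 0 ] || return 1
    # Global RFS flow table; the per-queue count is this divided by the queue
    # count, as recommended in the kernel's scaling documentation.
    echo "$sock_entries" > "$root/proc/sys/net/core/rps_sock_flow_entries"
    for q in "$qdir"/rx-*; do
        echo "$mask" > "$q/rps_cpus"
        echo $((sock_entries / nq)) > "$q/rps_flow_cnt"
    done
}

# Live use (needs root): sh rps_rfs.sh eth0 0 1 2 3
if [ "$#" -ge 2 ]; then
    dev=$1; shift
    apply_rps_rfs "" "$dev" "$(rps_cpu_mask "$@")" 32768
fi
```

On a live box, compare `/proc/softirqs` (NET_RX row) before and after applying the mask to see the receive load move off the single core.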
