硬體上的封包狀態檢查系統設計與實作

Bo-Hong Chen; 陳柏宏

請用此 Handle URI 來引用此文件： http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/29464

完整後設資料紀錄

DC 欄位	值	語言
dc.contributor.advisor	王勝德(Sheng-De Wang)
dc.contributor.author	Bo-Hong Chen	en
dc.contributor.author	陳柏宏	zh_TW
dc.date.accessioned	2021-06-13T01:07:46Z	-
dc.date.available	2012-07-26
dc.date.copyright	2007-07-26
dc.date.issued	2007
dc.date.submitted	2007-07-19
dc.identifier.citation	[1] N. A. Noureldien and I. M. Osman., “A Stateful Inspection ModuleArchitecture,” in Proc. TENCON 2000 vol. 2, 2000, pp. 259 - 265,. [2] X. Li, Z. Z. Ji, and M. Z. Hu. “Stateful Inspection firewall session table processing,” 2005. in Proc. Coding and Computing (ITCC'05) vol 2, 2005, pp. 615 - 620 [3] X. Li, Z. Ji, W. Liu, and M. Z. Hu, “Stateful Inspection Firewall Session Table Architecture and Timeouts.” Journal of Harbin Institute of Technology (New Series), 2006 [4] Xin Li, M.Z. Hu, and Z. Z. Ji, “A Hardware-Based PATRICIA Algorithm for Fixed-Length Match.”, in Proc. 計算機研究與發展, 2005. 42卷6期(2005/06), pp. 951 - 957. [5] C. Y. Huang, K. T. Chen, and C. L. Lei. “Mitigating Active Attacks Towards Client Networks Using the Bitmap Filter.”, in Proc. Dependable Systems and Networks (DSN'06), 2006, pp.403 - 412 [6] C. L. Schuba, I. V. Krsul, and M. G. Kuhn, “Analysis of a Denial of Service Attack on TCP.”, in Proc. 1997 IEEE Symposium on Security and Privacy, 1997, pp. 208 - 223 [7] M. Chouman, H. Safa, and H. Artail, “Novel defense mechanism against SYN flooding attacks in IP networks.”, in Proc. Electrical and Computer Engineering, 2005, pp. 2151 - 2154 [8] H. Wang, D. Zhang, and K. G. Shin, “Detecting SYN Flooding Attacks.” IEEE INFOCOM 2002, pp. 1530 - 1539 [9] S. Yoon, B. Kim, and J. Oh. “High-Performance Stateful Intrusion Detection System.”, in Proc. Computational Intelligence and Security, 2006, 574 - 579 [10] N. Weaver, V. Paxson, and J. M. Gonzalez, “The shunt: an FPGA-based accelerator for network intrusion prevention.” In Proc. FPGA ’07: Proceedings of the 2007 ACM/SIGDA 15th international symposium on Field programmable gate arrays, 2007, pp. 199 - 206. [11] M. Roesch. Writing Snort Rules: “How To write Snort rules and keep your sanity.” http://www.snort.org. [12] Celoxica DK Design Suite, http://www.celoxica.com/products/dk/default.asp [13] Handel-C Language Reference Manual, http://www.celoxica.com/techlib/files/CEL-W040414XQ7-281.pdf [14] Mentor Graphics, http://www.model.com/ [15] Xilinx ISE http://www.xilinx.com/ise/logic_design_prod/index.htm [16] Xilinx EDK http://www.xilinx.com/ise/embedded_design_prod/platform_studio.htm [17] Xilinx ML-405 http://www.xilinx.com/products/boards/ml405/reference_designs.htm [18] DDoS工具 http://www.csie.ncu.edu.tw/~cs102098/tool.htm [19] J. Postel , “Transmission Control Protocol” in Proc.RFC 793, September 1981 [20] 鍾佳芳, “設計與實作狀態化高速入侵偵測系統”, 碩士論文, 台灣大學資訊工程研究所, 2005 [21] A. V. Aho and M. J. Corasick. “Efficient String Matching: An Aid to Bibliographic Search, “ in Proc. Communications of the ACM, 1975, pp. 333 - 340. [22] R. K. C. Chang, “Defending against flooding-based distributed denial-of-service attacks: a tutorial.”, in Proc. IEEE Commun. Mag, 2002, pp. 42 - 51. [23] T. Bass, A.. Freyre, D. Gruber, and G. Watt, “E-mail bombs and countermeasures: cyber attacks on availability and brand integrity.”, In Proc. IEEE Network Magazine, Volume 12, Issue 2, 1998, pp.10 - 17 [24] A. Broder and M. Mitzenmacher, “Network Applications of Bloom Filters: A Survey.”, In Proc. 40th Annual Allerton Conference, 2003, pp.485 - 509
dc.identifier.uri	http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/29464	-
dc.description.abstract	TCP通訊協定缺乏安全機制、尤其對於阻斷服務攻擊(DoS)，網路資源易於嚴重佔用，雖然目前都許多文獻及商品宣稱對於阻斷服務攻擊有保護的功能，但不能完全阻擋，也可能產生誤判；狀態封包檢測(Stateful Packet Inspection, SPI)是目前比較新的技術，可以有效抵制SYN洪流(SYN Flooding)的攻擊，許多文獻會對此主題進行探討。本論文主要討論是在SPI技術以及相關的連線表(Session Table)資料結構。作為連線表的資料結構必須能支援:(1)匹配時採用定長匹配技術，(2)表的項目數量龐大，(3)表的插入及刪除動作頻繁，(4)表的數據寬度較寬。因此尋找一個符合以上特性的演算法非常重要。PATRICIA演算法的特色是: (1)空間複雜度不變，(2)搜尋、插入、刪除效能優異，(3)適合硬體實作；所以PATRICIA演算法適合於連線表；文獻上已有方法改善插入動作，使得插入時，不用再重新搜尋一遍。本論文提出雙向的PAT-FM演算法，進一步改善刪除動作，在每一個node中能記錄上一層node的位址，使得刪除時，能得到固定的刪除處理時間，進而讓整體更有效率，模擬所得的結果證明本論文所提的方法的確能改善整體的執行效率。另外，實作後下載到Xilinx ML-405上驗證，也證明雙向PAT-FM可以在真正的硬體上正常動作。	zh_TW
dc.description.abstract	The security-related deficiencies in the TCP/IP protocol make networks vulnerable to intruders. The denial-of-service (DoS) attacks are such intrusions that saturate the target of victim machine with external communications requests, such that it cannot respond to its intended users. Stateful Packet Inspection (SPI) is a key technology that makes a stateful firewall able to hold in memory significant attributes of connections to prevent DoS attacks, such as SYN flooding, the most common DoS attack on the Internet. In this paper, we first investigate SPI technologies and related session table architectures in order to improve the performance of firewall machines. The PATRICIA tree is good at supporting the expensive match, insert, and delete operations in the session table. In this thesis, we use a kind of PATRICIA tree, called Doubly Link PAT-FM algorithm and improve the delete operations. Finally, we implemented the proposed system in hardware and experimental results show its effectiveness.	en
dc.description.provenance	Made available in DSpace on 2021-06-13T01:07:46Z (GMT). No. of bitstreams: 1 ntu-96-J94921060-1.pdf: 5065434 bytes, checksum: aea104105d825f40b02ea44782f2b5e6 (MD5) Previous issue date: 2007	en
dc.description.tableofcontents	第一章介紹 1 第二章相關研究 3 第一節 SYN洪流攻擊 3 第二節狀態封包檢測 4 第三節連線表 8 第三章雙向PAT-FM演算法 11 第一節動機 11 第二節搜尋動作 12 第三節插入動作 14 第四節刪除動作 15 第五節更新連線動作 17 第六節接收封包行程 17 第七節 Timeout行程 18 第四章演算法實作 20 第一節工具 20 第一項 Visual C++ 6.0 20 第二項 Celoxica DK design suite 21 第三項 ModelSim SE PLUS 6.1c 23 第四項 Xilinx ISE 8.2i 24 第五項 Xilinx Platform Studio 8.2i 24 第二節評估板 25 第三節流程 26 第一項規格製定 26 第二項演算法設計 29 第三項硬體實作 32 第四項 Synthesis, Place & Route 39 第五項下載至評估板與展示 39 第五章數據分析 43 第一節演算法分析 43 第二節演算法複雜度比較 46 第六章結論 47 第七章參考文獻 48
dc.language.iso	zh-TW
dc.subject	連線表	zh_TW
dc.subject	封包分類	zh_TW
dc.subject	狀態	zh_TW
dc.subject	PATRICIA algorithm	en
dc.subject	session table	en
dc.subject	stateful packet inspection	en
dc.subject	packet classification	en
dc.title	硬體上的封包狀態檢查系統設計與實作	zh_TW
dc.title	A Hardware-Based Stateful Packet Inspection System Design and Implementation	en
dc.type	Thesis
dc.date.schoolyear	95-2
dc.description.degree	碩士
dc.contributor.oralexamcommittee	雷欽隆(Chin-Laung Lei),魏宏宇(Hung-Yu Wei),洪士灝(Shih-Hao Hung)
dc.subject.keyword	封包分類,狀態,連線表,	zh_TW
dc.subject.keyword	PATRICIA algorithm,packet classification,stateful packet inspection,session table,	en
dc.relation.page	50
dc.rights.note	有償授權
dc.date.accepted	2007-07-23
dc.contributor.author-college	電機資訊學院	zh_TW
dc.contributor.author-dept	電機工程學研究所	zh_TW
顯示於系所單位：	電機工程學系

文件中的檔案：

檔案	大小	格式
ntu-96-1.pdf 未授權公開取用	4.95 MB	Adobe PDF

顯示文件簡單紀錄

系統中的文件，除了特別指名其著作權條款之外，均受到著作權保護，並且保留所有的權利。