一個有效利用記憶體的樣式比對引擎與硬體加速封包處理平台

Abstract

網路安全偵測系統（Network Intrusion detection system）收集已知的網路攻擊的特徵碼（signatures）針對封包內容和特徵碼做樣式比對（Pattern Matching），保護我們的網路環境。特徵碼通常以正規表達式（Regular Expressions）表示，在偵測系統中樣式比對功能佔用了大量的計算時間。為了保持網路的運作速度，硬體加速器被應用在網路安全偵測系統上。在本論文中，我們延伸 H-cFA成為Bitmap H-cFA，它利用位元對應的方式記錄走過的狀態，透過History buffer 記錄重覆次數，從而減少總狀態數。Bitmap H-cFA不管保持了H-cFA 的少記憶體特性，同時增加支援的正規表達式格式，建立一個更一般化的樣式比對引擎。我們同時提出一個硬體加速封包處理平台，它提供在FPGA上測試樣式比對智財 (IPs)。它包括封包擷取器和 TCP標頭分析器，它提供很容易的整合樣式比對引擎測試整個系統。我們在Xilinx ML405 FPGA 開發板上實作了封包處理平台和樣式比對引擎，最後得到231 Mbps 的處理流量。

A Network Intrusion Detection System (NIDS) collects known signatures of network threats and carries out pattern matching between packet payload and signatures to protect our network. Signatures are often represented by regular expressions and pattern matching occupied most of computing time in an NIDS. To keep the network operating at full speed, hardware accelerators are used in pattern matching. In this thesis, we extended the History based Counting Finite Automaton (H-cFA) to Bitmap H-cFA, which used a bitmap data structure to store the 'walked' states and recorded the repeat count in a history buffer to reduce the total number of states in finite automata. Bitmap H-cFA not only kept the low memory characteristic but also provided more support in regular expression formats, making a more generalized pattern matching engine. We also presented a hardware accelerated packet processing platform, which allowed pattern matching intellectual properties (IPs) to be tested in FPGA. The proposed packet processing platform consisted of a packet payload extractor and a TCP packet header parser. It could easily be integrated with a pattern matching engine to test the system. We implemented the proposed packet processing platform and the pattern matching engine in a Xilinx ML405 FPGA development board and obtained a processing throughput of 231 Mbps.