整合網路封包安全檢測系統及多核心封包擷取模組於超高速網路環境

Abstract

隨著網路頻寬速度與網路惡意入侵攻擊的倍增，網路安全已經成為一嚴重的議題，使用網路入侵檢測系統(NIDS)也成為了在資料伺服器前端不可或缺的設備。然而，單一核心的處理器的效能並沒有持續成長，其已無法因應目前的網路速度與持續增加的規則比對庫(rule set)。本論文主要提出一個嵌入式多核心網路安全入侵檢測系統，根據不同的乙太網路卡硬體架構特性，提出了Flow Ring與MCA Ring兩種不同的架構，並包含了三項特點： 1) 整合了高速網路封包擷取模組與網路入侵檢測系統； 2) 運用了封包零拷貝技術來減少在收集網路封包時所造成的額外負擔； 3) 使用了中斷與程序的處理器偏好設定來提高系統處理效能。實驗數據中呈現了網路入侵檢測系統在不同架構下的封包檢測系統中的效能差異，實驗的結果呈現了本論文所提出的設計方法於高頻寬網路系統下明顯地提升系統檢測整體的效能。

Network security has been a serious problem in the Internet. To face this issue, network intrusion detection tools have become indispensable for computer systems and network gateways. In this paper, according to the different hardware features on network interface card, we propose two kinds of multi-core aware packet capture modules, called Flow Ring and MCA Ring. Moreover, we propose an embedded, multi-core aware network intrusion detection system (NIDS), which has the following features: 1) It integrates different novel multi-core aware packet capture modules, the MCA Ring and Flow Ring, with an NIDS. 2) It exploits a zero-copy mechanism to remove the overheads of packet copy processing from the network interface driver to the NIDS application. 3) It uses the concept of process and IRQ affinity to enhance the processing speed. The performance of NIDS under different packet capture modules in multi-gigabits networks has also been analyzed and presented in this paper. The results show that our integrated multi-core aware modules and NIDS are effective for detecting network intrusion attacks in multi-gigabits networks.