Research on the Design and Performance Optimization of a Network-Processor-Based Intrusion Detection System
Abstract
Intrusion detection remains a highly challenging task. Owing to its complexity and the difficulty of the analysis, network intrusion detection systems generally run on PCs or general-purpose workstations. Unfortunately, because of their limited analysis capacity under high-bandwidth network traffic, traditional general-purpose systems have proved unsuitable as the platform for high-speed network intrusion detection. Researchers have tried to improve NIDS performance by filtering uninteresting packets at the network interface. Fortunately, the network architecture and its building blocks have undergone a qualitative leap, which has in turn changed where network processing is performed: a complex network processing task can now be broken into pieces and distributed along the entire packet path. Modern host and server architectures acting as network communication nodes exploit multi-core CPUs, and network processors (NPs) and FPGAs are being integrated into network interface cards, forming a new computing resource known as the intelligent network interface card (iNIC). This creates the opportunity to offload intrusion detection from the host to the intelligent NIC. Network processor NICs (NPNICs) are becoming ever more capable and cost-effective, so a host equipped with such an NP card can absorb much of the processing that was traditionally carried out by edge routers.
     The emergence of new technologies such as multi-core processors and virtualization forces a rethink of how traditional network processing tasks are carried out. This dissertation analyzes the shortcomings of existing centralized systems from the perspective of where intrusion detection is deployed in the network. Drawing on the multi-core, multi-threaded parallel processing of the network processor on the host's intelligent card, it proposes a distributed intrusion detection system (iNIC NIDS) built on NP intelligent NIC interfaces that supply additional processing capacity. iNIC NIDS combines the strengths of distributed systems and network processors, offering high reliability, good scalability and high throughput, and is particularly suited to distributed intrusion detection in complex high-speed networks. We present its deployment scheme and, using the programmable network processor of the intelligent card as the platform, implement SCUT NP-NIDS, a stateful-inspection prototype of the scheme. The main work of the dissertation comprises:
     1. A distributed intrusion detection system design based on NP intelligent cards in node hosts is proposed.
     The scheme combines the advantages of distributed systems and network processors: finer-grained inspection of data flows; each node applying a local, private security policy only to the traffic it receives; customizable security policies; good scalability and survivability; and convenient collection and preservation of attack evidence. We present the overall scheme, propose the design principle of separating the system's policy-control interface from its data interface, give a detailed description and analysis of security policy enforcement, the host's network-processor network interface, the user interface and the communication among system modules, and verify the scheme's feasibility through the prototype implementation.
     2. An optimized stateful network intrusion detection prototype is implemented.
     The performance of a stateful intrusion detection system depends mainly on the processing speed of the session table and the efficiency of the rule-matching algorithm. We applied several optimizations and improvements to the TCP session reassembly module from design through implementation: the session table is organized as a hash table of binary sorted trees, which is fast and efficient; a carefully designed session-table entry maintains session state while avoiding redundant memory accesses; the session table is partitioned and distributed across different memory channels to raise access speed; an improved key lookup algorithm doubles lookup efficiency; a novel session-node reclamation and allocation algorithm with a cache raises allocation and reclamation efficiency 16-fold; and a novel multi-queue timeout algorithm, whose cost is linear only in the number of session nodes, is efficient and easy to implement and avoids inefficient traversal of the session tree. The prototype's session reassembly module correlates processing across packets, meeting today's requirements for online deep content inspection. Measurements show that the carefully designed data structures and algorithms, together with the series of optimizations, substantially improve system performance.
     3. Two interface design methods are proposed and used to complete the prototype's user interface and user-kernel interface.
     On the one hand, using the IOCTL mechanism, we implemented the virtual device and its operation functions required by the NP intelligent card's user-kernel interface, solving the thorny problem of address translation and access between the different address spaces of heterogeneous processors; this eases rule-base upgrades and improves the system's flexibility and adaptability. On the other hand, by borrowing the open-source routing software Zebra, we implemented the prototype's CLI command-line interface as the control interface of the proposed scheme, which supports local debugging and maintenance and lets network administrators apply management policies to the prototype remotely.
     4. The host-side intelligent network processor network interface of the prototype is proposed and implemented.
     This interface serves as the data interface between host and card in the proposed scheme, enabling offloading of the intrusion detection application; we implemented the operation functions required by the host's network processor card driver. Existing top-level host applications can interact with the underlying hardware network processing unit through this interface without any change, so complex detection work can be apportioned sensibly between the host CPU and the card's NP, and new network application services can be added with ease.
     5. The concept of intrusion detection application offload is proposed, an evaluation model is introduced, and an experimental platform for the prototype is built.
     We propose the concept of offloading the intrusion detection application to the network processor intelligent card, and use the LAWS model to provide a theoretical basis for the performance gain of application offload under various conditions, verified by experiment. The experimental platform comprises benchmarks, test cases and a network analyzer suite. We examined the performance of the intelligent NP network interface against an ordinary network interface under different protocol backgrounds and access patterns; evaluated the effectiveness of the session reassembly stateful inspection module from several angles; and carried out detailed performance analysis and comparison of intrusion detection implementations at different positions along the communication path and at different processing layers of the network interface. The results show that placing intrusion detection on the network processor, closer to the network link, reduces latency by about 30 times while, by blocking illegitimate flows earlier, raising the bandwidth available to legitimate flows by about 30 times. The series of tests confirms the effectiveness and feasibility of the distributed intrusion detection system based on network-processor intelligent cards (iNIC NIDS).
Intrusion detection remains a very challenging task. Because of its complexity and the difficulty of the analysis, a network intrusion detection system usually runs on a PC or a general-purpose workstation. Unfortunately, owing to their limited capacity to analyze high-throughput traffic, traditional general-purpose systems have proved unsuitable as platforms for high-speed network intrusion detection. Researchers have attempted to improve NIDS performance by pre-recognizing and filtering unwanted packets on the network interface. Luckily, the change in the building components of the Internet infrastructure has shifted where processing can take place: complex network processing can be divided into several parts and distributed across the whole communication path of the data packet.
     As a network communication node, the end host or server architecture has made full use of the high-speed processing of multi-core processors. Since network processors and FPGAs are now organically integrated into the network interface card, a new computing resource called the iNIC has formed, which offers an opportunity to offload intrusion detection from the CPU to the intelligent network card. Nowadays the network processor is widely used, and the price of an NP intelligent NIC is almost the same as that of a high-end server network card, so an end host with an intelligent NIC of enhanced computing capacity can offload a large quantity of processing tasks from the centralized IDS onto the host itself.
     The emergence of new technologies such as multi-core processors and virtualization is forcing people to reconsider how to accomplish traditional network processing tasks. This dissertation, from the perspective of where the intrusion detection system is deployed in the network, first analyzes the shortcomings of the current centralized system. Then, considering the multi-core, multi-threaded and parallel processing features of the network processor on the host's intelligent NIC, it proposes that the NP-based iNIC interface, with its extra processing capacity, can be used for an iNIC NIDS. It further argues that, having the advantages of both DIDS and NP together with scalability and high throughput, the iNIC NIDS is dependable and especially suited to distributed intrusion detection in high-speed networks. We offer the deployment scheme of the iNIC NIDS and implement its prototype on the basis of the open-source software Snort, by means of the programmable network processor. The main contributions of this dissertation are as follows:
     1. It proposes the scheme of the distributed intrusion detection system. Integrating the advantages of both the distributed system and the high-speed NP, the scheme has the following features: traffic checking at a finer granularity; each end system holding private security policies for itself only; the ability to set its own specific security strategy; better scalability and survivability; and easier collection and preservation of attack evidence. This dissertation offers the general scheme as well as the design principles, gives a detailed description and analysis of the security strategy implementation, the host's iNIC interface, the user interface and the communication between the system's modules, and discusses its feasibility.
     2. It realizes the prototype of an optimized network-processor-based intrusion detection system. The performance of the network-processor intrusion detection system depends on the processing speed of the session table and the efficiency of the rule-matching algorithm. We take a series of measures to optimize and improve the TCP session reassembly component of the stateful intrusion detection system's preprocessor: choosing the best data structure and algorithm; devising a uniformly distributed hash function that avoids hash collisions; a modified session-key generation algorithm that doubles the lookup speed; session node allocation and reclamation with scratchpad caching, which gives up to a 16-fold speedup; and an improved multi-queue timeout mechanism. This dissertation describes and analyzes the components and realization of this module from the perspective of data structures and algorithms, greatly enriching the functionality of SCUT NP-NIDS.
     3. It develops two interface design methods and thus completes both the prototype's user interface and its user-kernel interface. On the one hand, with the acceleration unit offered by the IXP2400 network processor itself and the IOCTL mechanism, we implement the intelligent NIC's user-kernel interface, making rule-set upgrades easier and greatly improving the system's flexibility and adaptability; on the other hand, we implement the system's CLI command interface as the control interface of the proposed scheme with the help of the open-source routing software Zebra, making it easier for the network administrator to apply management policy remotely.
     4. It realizes the host's intelligent network processor interface for the prototype. Combining the virtual socket network interface mechanism, we design and implement the host's IXP network interface as the proposed scheme's data interface, through which the host can interact with the underlying hardware network processing unit without any change to its top-level applications, making it much easier to add new network application services to the system.
     5. It puts forward the concept of intrusion detection application offload, introduces the evaluation model, and establishes the prototype's experimental platform. We propose the concept of offloading the intrusion detection application to the network-processor intelligent board and use the LAWS model to theorize about, and verify experimentally, the performance improvement of application offload under different circumstances. Using the implemented host network processor interface, we run the current IDS on the IXP iNIC and on the host in different experiments and compare their performance at different locations along the communication path. The results show that when the IDS is placed on the network processor, closer to the network link, the system gains about a 30-fold decrease in latency, and blocking illegal traffic earlier gains about a 30-fold increase in throughput for legal traffic, further verifying the effectiveness and feasibility of the proposed distributed intrusion detection system based on the network-processor intelligent NIC.
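The session-table design summarized under contribution 2 of both abstracts (a hash-bucketed session table, a cache of free session nodes for O(1) allocation and reclamation, and multi-queue timeouts that expire sessions without traversing the session tree) can be illustrated with the following constructed example. It is added illustrative C and not the dissertation's SCUT NP-NIDS code or any IXP2400 microengine code; the structure layout, bucket and pool sizes, timeout classes, timeout values and the sample flows are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not the dissertation's code): sizes, names and timeouts are assumptions. */
enum { NBUCKETS = 64, NNODES = 256, NQUEUES = 3 };
enum { Q_HANDSHAKE = 0, Q_ESTABLISHED = 1, Q_CLOSING = 2 };
/* Idle timeout in seconds per queue: every node in a queue shares that queue's timeout. */
static const uint32_t q_timeout[NQUEUES] = { 30, 300, 60 };

typedef struct { uint32_t saddr, daddr; uint16_t sport, dport; } session_key_t;

typedef struct session {
    session_key_t key;
    uint32_t last_seen;             /* time of the last packet; drives expiry */
    int queue;                      /* timeout queue this node currently sits in */
    struct session *hnext;          /* hash chain link (reused as the free-list link) */
    struct session *qprev, *qnext;  /* doubly linked FIFO timeout queue */
} session_t;

typedef struct {
    session_t *bucket[NBUCKETS];
    session_t *qhead[NQUEUES], *qtail[NQUEUES];
    session_t pool[NNODES];
    session_t *freelist;            /* cache of released nodes: O(1) allocate and release */
    int active;
} session_table_t;

static uint32_t hash_key(const session_key_t *k) {
    uint32_t h = k->saddr ^ (k->daddr * 0x9E3779B1u) ^ (((uint32_t)k->sport << 16) | k->dport);
    h ^= h >> 15; h *= 0x85EBCA77u; h ^= h >> 13;  /* cheap avalanche keeps chains short */
    return h % NBUCKETS;
}

void st_init(session_table_t *t) {
    memset(t, 0, sizeof *t);
    for (int i = NNODES - 1; i >= 0; i--) { t->pool[i].hnext = t->freelist; t->freelist = &t->pool[i]; }
}

static void q_unlink(session_table_t *t, session_t *s) {
    int q = s->queue;
    if (s->qprev) s->qprev->qnext = s->qnext; else t->qhead[q] = s->qnext;
    if (s->qnext) s->qnext->qprev = s->qprev; else t->qtail[q] = s->qprev;
    s->qprev = s->qnext = NULL;
}

/* Append at the tail. Time only moves forward, so each queue stays ordered oldest-first
   and its head is always the next node to expire: no tree traversal is ever needed. */
static void q_append(session_table_t *t, session_t *s, int q, uint32_t now) {
    s->queue = q; s->last_seen = now; s->qnext = NULL; s->qprev = t->qtail[q];
    if (t->qtail[q]) t->qtail[q]->qnext = s; else t->qhead[q] = s;
    t->qtail[q] = s;
}

static void st_release(session_table_t *t, session_t *s) {
    session_t **pp = &t->bucket[hash_key(&s->key)];
    while (*pp != s) pp = &(*pp)->hnext;           /* walk only this node's own chain */
    *pp = s->hnext;
    q_unlink(t, s);
    s->hnext = t->freelist; t->freelist = s;       /* return the node to the cache */
    t->active--;
}

/* Find the session for a packet, creating it if absent. `q` is the timeout class implied by
   the packet's TCP state; a hit is re-queued so its timeout restarts. NULL when the pool is empty. */
session_t *st_lookup(session_table_t *t, const session_key_t *k, int q, uint32_t now) {
    uint32_t b = hash_key(k);
    for (session_t *s = t->bucket[b]; s; s = s->hnext)
        if (memcmp(&s->key, k, sizeof *k) == 0) { q_unlink(t, s); q_append(t, s, q, now); return s; }
    session_t *s = t->freelist;
    if (!s) return NULL;
    t->freelist = s->hnext;
    s->key = *k;
    s->hnext = t->bucket[b]; t->bucket[b] = s;
    q_append(t, s, q, now);
    t->active++;
    return s;
}

/* Expire idle sessions by popping queue heads: cost grows with the number of sessions that
   actually expire, not with the table size. Returns the number freed. */
int st_expire(session_table_t *t, uint32_t now) {
    int freed = 0;
    for (int q = 0; q < NQUEUES; q++)
        while (t->qhead[q] && now - t->qhead[q]->last_seen >= q_timeout[q]) { st_release(t, t->qhead[q]); freed++; }
    return freed;
}

/* Constructed scenario: three flows start at t=0, one completes its handshake at t=10. */
int demo(void) {
    static session_table_t t;
    st_init(&t);
    session_key_t a = { 0x0A000001u, 0x0A000002u, 40000, 80 };   /* constructed 10.0.0.x flows */
    session_key_t b = { 0x0A000003u, 0x0A000002u, 40001, 80 };
    session_key_t c = { 0x0A000004u, 0x0A000002u, 40002, 443 };
    st_lookup(&t, &a, Q_HANDSHAKE, 0);
    st_lookup(&t, &b, Q_HANDSHAKE, 0);
    st_lookup(&t, &c, Q_ESTABLISHED, 0);
    st_lookup(&t, &a, Q_ESTABLISHED, 10);   /* a moves from the 30 s queue to the 300 s queue */
    int e1 = st_expire(&t, 40);             /* only b is idle past its 30 s handshake timeout */
    int e2 = st_expire(&t, 400);            /* now a and c exceed the 300 s established timeout */
    session_t *d = st_lookup(&t, &b, Q_HANDSHAKE, 401);   /* new flow reuses a cached node */
    return e1 * 100 + e2 * 10 + (d != NULL && t.active == 1);   /* 1, 2, 1 -> 121 */
}

int main(void) { printf("scenario code %d (expected 121)\n", demo()); return 0; }
```

The real module additionally splits the table across memory channels and keeps per-state timers; this example only shows why head-of-queue expiry makes the timeout pass linear in the number of expired nodes.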