网络入侵检测系统高速处理技术研究
|
摘要
随着网络技术和网络应用的飞速发展,层出不穷的网络攻击手段给网络安全带来了严峻的挑战。在高速网络环境下,传统入侵检测系统处理技术已经不能满足日益增长的数据量对实时处理能力的需要。
论文重点研究网络入侵检测系统的高速处理技术。论文首先提出了一种适合高速网络入侵检测系统的高速处理模型,然后针对该模型实现中的快速模式匹配算法、自适应动态负载均衡以及入侵检测探针的流识别与管理等关键技术展开研究,研究成果已得到成功应用。
论文系统分析了网络入侵检测系统的体系结构,提出了一种适合高速网络入侵检测系统的可扩展多级并行处理模型——XMLPP体系结构模型。该模型把实时要求高、处理相对规则的处理任务交前端高速专用硬件系统在数据采集时完成;而把处理复杂的任务调度到后端由多个入侵检测探针并行完成。XMLPP体系结构模型可扩展性好、可靠性高,大大提高了系统整体性能,能较好地适应高速网络的入侵检测的需求。
针对高速网络入侵检测中模式匹配存在的性能问题,论文提出一种基于TCAM的快速模式匹配算法——TFPM算法。该算法通过对待匹配字符串进行模式前缀Hash检查,过滤掉不存在匹配可能的字符串,只使用TCAM并行查找存在匹配前缀的字符串,有效地降低了TCAM查找次数。该算法使用多队列虚拟鉴别技术,并行检查多个报文,在隐藏访问延时的同时提高了TCAM的利用率。为支持多规则复合的复杂报文分类,论文设计并实现了专用模式匹配指令集,与TFPM算法相结合,可支持多规则复杂报文分类,增强了模式匹配的报文分类能力。算法实现复杂度低,可满足高速网络基于内容的复杂报文分类要求。
针对XMLPP模型中的负载分配问题,论文提出了一种面向会话的自适应负载均衡方法——MSF自适应负载均衡算法。该算法基于IP报文头多域分类方法,使用静态流表对流量进行划分,结合动态调整TCP流数目最少流束(具有相同Hash值的流的集合)的方法,能够在保持各处理节点间报文级和位流级负载均衡的同时,维持网络会话的完整性。由于算法在保持负载均衡的同时保证了会话完整性,能够确保入侵检测探针正确解析所接收报文的语义,适合于在高速网络入侵检测中使用。
针对入侵检测探针中流识别与管理存在的问题,论文提出了一种具有良好Hash性能的CRC20算法。基于该算法,采用基于硬件实现的动态报文存储方法,论文提出了实现高速报文流识别与管理方法。理论分析和模拟结果表明,该方法的计算复杂性低、访存性能好,适合高速网络链路中的流管理应用。
最后,论文应用上述研究成果实现了一个基于宏流水体系结构的高速网络数据采集与预处理系统,该系统既可应用于高速入侵检测,也可应用于高速网络安全监控和网络测量等方面。论文主要成果已成为某高速网络入侵检测系统系列设备的重要组成部分,从2005年开始,系统得到广泛应用,在高速网络入侵检测和网络管理等领域发挥了重要作用。
With the rapid development of the network technologies and applications, more and more network attack techniques bring a serious challenge to the network security. In the large-scale high-traffic network environment, the traditional technologies for network-based intrusion detection systems (NIDS) can not satisfy the needs for real-time processing of the growing network traffic.
In the dissertation we deeply study the hardware-based accelerating techniques for high-speed network intrusion detection systems. We first propose a novel architectural model for NIDS, and then conduct research on the key techniques of this model, including fast pattern matching algorithms, adaptive load-balancing, and flow identification and management for NIDS probes. The main contributions of the dissertation are as follows:
(1) We first systematically analyze the architecture of NIDS, and propose a novel XMLPP (extensible Multi-Level Parallel Processing model) for high-speed NIDS. In the XMLPP model, the simple, periodic tasks which require high processing speed are processed in the specially designed hardware with high speed during data acquisition, and the relatively complex tasks are scheduled to the high-performance, back-end probes. The XMLPP model can help improve the system performance and enhance the system reliability, which are very important for high-speed NIDS.
(2) To improve the performance of pattern matching in high-speed NIDS, a novel TCAM-based Fast Pattern Matching Algorithm, TFPM is proposed in this paper. The algorithm reduces the number of TCAM matching operations greatly by pre-filtering the string using pattern prefix matching. By means of multiple virtual queues for identification, this algorithm significantly improves the performance of pattern matching. To support content-based multi-rules packet classification, we design and implement a special pattern matching instruction set. This instruction set can be used together with TFPM algorithm to support complex multi-rules packet classification and improve the packet classification ability of pattern matching. The TFPM algorithm is easy to be implemented with hardware and satisfies the need for content-based complex packet classification in high-speed networks.
(3) Aiming at the load balancing problem in high speed NIDS, we propose MSF (Minimum Session number First), a session-oriented adaptive load balancing algorithm. With consideration of load balancing of both packet-level and bit-level, the MSF algorithm dynamically schedules the objects based on the session number in the flow-bundles. This algorithm maintains the integrity of the sessions, and ensures that the NIDS can correctly understand the semantics of the received packets.
(4) Aiming at the problem in the flow identification and management of NIDS probes, we propose CRC20, an effective hash algorithm. Based on the CRC20 algorithm, we dynamically store the received packets by means of hardware, and realize the identification and management of high speed packet flows. Theoretical analysis and extensive simulations prove that the algorithm has good computational complexity and memory-access performance, and is suitable for flow management in high speed networks.
At last, based on the above techniques we study the implementation of a real system which is macro-pipelined-architecture-based with integrated high speed network data collection and pre-processing system. The system captures packets from high-speed links and completes the pre-processing such as packet classification, filtering, content inspection, and so on. The system efficiently attenuates the network traffic, reduces the workload of back-end processing probes, and improves the performance of NIDS.
As a hardware-based accelerating processing platform, this system can be used not only in high-speed NIDS, but also in high-speed network security monitoring, network behavior analysis and network measurement, etc. Currently this system plays an important role in the field of security management and network management.
论文重点研究网络入侵检测系统的高速处理技术。论文首先提出了一种适合高速网络入侵检测系统的高速处理模型,然后针对该模型实现中的快速模式匹配算法、自适应动态负载均衡以及入侵检测探针的流识别与管理等关键技术展开研究,研究成果已得到成功应用。
论文系统分析了网络入侵检测系统的体系结构,提出了一种适合高速网络入侵检测系统的可扩展多级并行处理模型——XMLPP体系结构模型。该模型把实时要求高、处理相对规则的处理任务交前端高速专用硬件系统在数据采集时完成;而把处理复杂的任务调度到后端由多个入侵检测探针并行完成。XMLPP体系结构模型可扩展性好、可靠性高,大大提高了系统整体性能,能较好地适应高速网络的入侵检测的需求。
针对高速网络入侵检测中模式匹配存在的性能问题,论文提出一种基于TCAM的快速模式匹配算法——TFPM算法。该算法通过对待匹配字符串进行模式前缀Hash检查,过滤掉不存在匹配可能的字符串,只使用TCAM并行查找存在匹配前缀的字符串,有效地降低了TCAM查找次数。该算法使用多队列虚拟鉴别技术,并行检查多个报文,在隐藏访问延时的同时提高了TCAM的利用率。为支持多规则复合的复杂报文分类,论文设计并实现了专用模式匹配指令集,与TFPM算法相结合,可支持多规则复杂报文分类,增强了模式匹配的报文分类能力。算法实现复杂度低,可满足高速网络基于内容的复杂报文分类要求。
针对XMLPP模型中的负载分配问题,论文提出了一种面向会话的自适应负载均衡方法——MSF自适应负载均衡算法。该算法基于IP报文头多域分类方法,使用静态流表对流量进行划分,结合动态调整TCP流数目最少流束(具有相同Hash值的流的集合)的方法,能够在保持各处理节点间报文级和位流级负载均衡的同时,维持网络会话的完整性。由于算法在保持负载均衡的同时保证了会话完整性,能够确保入侵检测探针正确解析所接收报文的语义,适合于在高速网络入侵检测中使用。
针对入侵检测探针中流识别与管理存在的问题,论文提出了一种具有良好Hash性能的CRC20算法。基于该算法,采用基于硬件实现的动态报文存储方法,论文提出了实现高速报文流识别与管理方法。理论分析和模拟结果表明,该方法的计算复杂性低、访存性能好,适合高速网络链路中的流管理应用。
最后,论文应用上述研究成果实现了一个基于宏流水体系结构的高速网络数据采集与预处理系统,该系统既可应用于高速入侵检测,也可应用于高速网络安全监控和网络测量等方面。论文主要成果已成为某高速网络入侵检测系统系列设备的重要组成部分,从2005年开始,系统得到广泛应用,在高速网络入侵检测和网络管理等领域发挥了重要作用。
With the rapid development of the network technologies and applications, more and more network attack techniques bring a serious challenge to the network security. In the large-scale high-traffic network environment, the traditional technologies for network-based intrusion detection systems (NIDS) can not satisfy the needs for real-time processing of the growing network traffic.
In the dissertation we deeply study the hardware-based accelerating techniques for high-speed network intrusion detection systems. We first propose a novel architectural model for NIDS, and then conduct research on the key techniques of this model, including fast pattern matching algorithms, adaptive load-balancing, and flow identification and management for NIDS probes. The main contributions of the dissertation are as follows:
(1) We first systematically analyze the architecture of NIDS, and propose a novel XMLPP (extensible Multi-Level Parallel Processing model) for high-speed NIDS. In the XMLPP model, the simple, periodic tasks which require high processing speed are processed in the specially designed hardware with high speed during data acquisition, and the relatively complex tasks are scheduled to the high-performance, back-end probes. The XMLPP model can help improve the system performance and enhance the system reliability, which are very important for high-speed NIDS.
(2) To improve the performance of pattern matching in high-speed NIDS, a novel TCAM-based Fast Pattern Matching Algorithm, TFPM is proposed in this paper. The algorithm reduces the number of TCAM matching operations greatly by pre-filtering the string using pattern prefix matching. By means of multiple virtual queues for identification, this algorithm significantly improves the performance of pattern matching. To support content-based multi-rules packet classification, we design and implement a special pattern matching instruction set. This instruction set can be used together with TFPM algorithm to support complex multi-rules packet classification and improve the packet classification ability of pattern matching. The TFPM algorithm is easy to be implemented with hardware and satisfies the need for content-based complex packet classification in high-speed networks.
(3) Aiming at the load balancing problem in high speed NIDS, we propose MSF (Minimum Session number First), a session-oriented adaptive load balancing algorithm. With consideration of load balancing of both packet-level and bit-level, the MSF algorithm dynamically schedules the objects based on the session number in the flow-bundles. This algorithm maintains the integrity of the sessions, and ensures that the NIDS can correctly understand the semantics of the received packets.
(4) Aiming at the problem in the flow identification and management of NIDS probes, we propose CRC20, an effective hash algorithm. Based on the CRC20 algorithm, we dynamically store the received packets by means of hardware, and realize the identification and management of high speed packet flows. Theoretical analysis and extensive simulations prove that the algorithm has good computational complexity and memory-access performance, and is suitable for flow management in high speed networks.
At last, based on the above techniques we study the implementation of a real system which is macro-pipelined-architecture-based with integrated high speed network data collection and pre-processing system. The system captures packets from high-speed links and completes the pre-processing such as packet classification, filtering, content inspection, and so on. The system efficiently attenuates the network traffic, reduces the workload of back-end processing probes, and improves the performance of NIDS.
As a hardware-based accelerating processing platform, this system can be used not only in high-speed NIDS, but also in high-speed network security monitoring, network behavior analysis and network measurement, etc. Currently this system plays an important role in the field of security management and network management.
引文
[1]CNCERT/CC,2006年网络安全工作报告。http://www.cert.org.cn/.
[2]CERT/CC Statistics 2003.Available at:http://www.cert.org/stats/cert_stats.html
[3]冯登国。国内外信息安全研究现状及其发展趋势。信息网络安全,2007年第1期。
[4]H.Richard,L.George,M.Arthur and S.Mark.The Architecture of a Network Level Intrusion Detection System.Department of Computer Science,University of New Mexico Technical Report,CS90-20,1990:1-24.
[5]Anderson J R Computer security threat monitoring and surveillance.Technical Report,James P Anderson Co,Fort Washington,Pennsylvania 1980
[6]Denning D.An intrusion detection model.IEEE transaction on Software Engineering,1987,13(2):222-232.
[7]Vaccarro,H.S.,Liepins,G.E.Detection of Anomalous Computer Session Activity.Proceedings of the IEEE Symposium on Research in Security and Privacy.Oakland,California,May 1-3,1989.Washington,DC:IEEE Computer Society Press,1989:208-209.
[8]Heberlein,L.A Network Security Monitor.Proceedings of the IEEE Computer Society Symposium,Research in Security and Privacy,May 1990:296-303.
[9]Mukherjee,Heberlein L.,Levitt K.,Network Intrusion Detection,IEEE Network Magazine,Vol.8.No.3,May/June 1994:26-41.
[10]Snapp.S.et al.A System for Distributed Intrusion Detection,Proceedings of IEEE COMPCON,March 1991:170-176.
[11]S.Staniford-Chen,S.Cheung,R.et al.GRIDS A Graph-Based Intrusion Detection System for Large Networks.Proceedings of the 19th National Information Systems Security Conference 1996
[12]Snort2.6.0 http://www.snort.org/.
[13]Snort-ng.Snort-next generation:Network intrusion detection System.http://www.infosys.tuwien.ac.at.
[14]Forrest S,Hofmeyr S A.Immunology as information processing.In:Segel and Cohen eds.Design Principles for the Immune System and Other Distributed Autonomous Systems USA:Oxford University Press,2000.
[15]Marceau C,et al.Architecture of a CORBA Immune System.Odyssey Research Associates Technical Report TM29820005,1998.13229.
[16]Honeynet Project.http://www.honeynet.org.
[17]Jun-feng Tian;Jian-ling Wang;Xiao-hui Yang;Ren-ling Li.A Study of Intrusion Signature Based on Honeypot.Sixth International Conference on Parallel and Distributed Computing,Applications and Technologies,2005.PDCAT 2005.Dec.2005:125-129.
[18]张剑,龚俭。可回卷的自动入侵响应系统。电子学报,2004年5月第32卷第5期:769-773。
[19]S.Savage;et al.Network Support for IP Traceback.IEEE/ACM Transaction on Networking.9(3).2001.
[20]Savage S,Wetherall D,Karlin A,et al.Practical network support for IP traceback.Proceedings of the 2000 ACM SIGCOMM Conference.Stockholm,Sweden:ACM,2000.
[21]Snoeren A C,Partridge C,Sanchez L A,et al.Hash based IP traceback.Proceedings of 2001 Conference on Applications,Technologies,Architectures,and Protocols for Computer Communication(ACM SIGCOMM).California:ACM,2001:3-14.
[22]Sanchez L A.,Milliken W C,Snoeren A C,et al.Hardware support for a hash based IP traceback.Proceedings of the 2nd DARPA Information Survivability Conference and Exposition(DISCEX Ⅱ).Anaheim,CA,2001:146-152.
[23]Bellovin S M.ICMP Yraceback Messages,Internet Draft.March 2001.
[24]CNNIC.中国互联网络发展状况统计报告.Beijing,2007.01.
[25]Basu A.,Buch V.,Vogels W.,Von Eicken Thorsten.U-Net:A user level network interface for parallel and distributed computing.In:Proceedings of the 15th ACM Symposium on Operating Systems Principles,Copper Mountain,Colorado,1995.
[26]http://www.endance.com..
[27]Ian Graham.Achieving zero-loss multi-Gigabit IDS.Endace Ltd.http://www.endace.com.
[28]http://www.endance.com/ninj aprobe/.
[29]http://www,soleranetworks.com/products/
[30]http://ngmon.postech.ac.kr.
[31]YG Chu,J Li,YX Yang.The Architecture of the Large-scale Distributed Intrusion Detection System.Proceedings of the Sixth International Conference on Parallel and Distributed Computing,Applications and Technologies(PDCAT'05)
[32]C Kruegel,F Valeur,G Vignaetal,et al.Stateful intrusion detection for high-speed networks.Proc.of the IEEE Symposium Security and Privacy.Los Alamitos,CA:IEEE Computer Society Pres,2002.
[33]陈训逊,方滨兴,李蕾。高速网络环境下入侵检测系统结构研究;计算机研究与发展,2004年9月第41期第9卷:1481-1487。
[34]Jackson,K.A.:NADIR:A prototype system for detecting network and file system abuse,Proc.of the 7th European Conference on Information Systems,Nov 1992.
[35]Habra,N.,Le Charlier B.,Mounji A.,Mathieu,I.ASAX:Software architecture and rule-based language for universal audit trail analysis.Deswarte,Y.,Eizenberg,G.(eds.),Proc.of the 2nd European Symposium on Research in Computer Security(ESORICS'92),Toulouse,France,Nov.1992,435 - 450.
[36]Mark Crosbie and Eugene Spafford.Active Defense of a Computer System using Autonomous Agents.In Proceedings of the 18th National Information Systems Security Conference,October 1995:549-558.
[37]P.A.Porras,P.G.Neumann.EMERALD:Eventmonitoring enabling responses to anomalous live disturbances.In National Information Systems Secur ity Conference,Baltimore MD,Octoberl 997.
[38]NLANR network traffic packet header traces.2002.http://pma.nlanr.net/Traces/long/iplsl.html.
[39]S.Staniford-Chen,B.Tung,D.Schnackenberg.The Common Intrusion Detection Framework(CIDF).In Proceedings of the Information Survivability Workshop(ISW'98), Orlando FL, 1998: 253-274.
[40] Gupta P, McKeown N. Algorithms for packet classification. IEEE Network. Mar. 2001.15(2):24-32.
[41] P. Gupta, N. McKeown, Packet classification on multiple fields, Computer Communication. Rev., vol. 29, pp. 147-160, Oct. 1999.
[42] Lili Qiu; Varghese, G; Suri, S. Fast firewall implementations for software and hardware-based routers. Ninth International Conference on Network Protocols, 2001.Nov.2001:241-250.
[43] Srinivasan V, Varghese G, Suri S, Waldvagel M. Fast and scalable layer four switching.Proc ACM STGCGMM'98 Aug 1998:191-202
[44] Buddhikot M M, Suri S, Waldvogel M. Space decomposition techniques for a fast layer-4 switching. Proc. Conf. Protocols for High Speed Networks, Aug 1999: 25-41.
[45] Gupta P, McKeown N. Packet classification on multiple fields. Proc. ACM SIGCOMM'99, Aug. 1999: 147-160.
[46] Gupta P, Mckeown N. Classification using hierarchical intelligent cuttings. Proc Hot Interconnects VII, Stanford, CA, Aug 1999.
[47] V. Srinivasan, S Suri, G Varghese. Packet. Classification using tuple space search. Proc ACM SIGCOMM'99, Aug 1999,135-146.
[48] Fang Yu, Randy H. Katz. Efficient Multi-Match Packet Classification with TCAM.Proceedings 12th Annual IEEE Symposium on High Performance Interconnects. Aug 2004:28-34.
[49] Kasnavi, S.; Gaudet, V.C.; Berube, P.; Amaral, J.N. A Hardware-Based Longest Prefix Matching Scheme for TCAMs. IEEE International Symposium on Circuits and Systems,2005. ISCAS 2005:3339-3342.
[50] Haoyu Song, John W. Lockwood. Efficient Packet Classification for Network Intrusion Detection using FPGA. FPGA'05, Monterey, California, USA, February 20-22 2005:238-245.
[51] Huan Liu. Efficient Mapping of Range Classifier into Ternary-CAM. Proceedings 10th Annual IEEE Symposium on High Performance Interconnects. Aug, 2002: 95-100.
[52] Miyoshi, H.; Thompson, J.S. SIRS: selective intersected rule search for packet classification. The 11th IEEE International Conference on Networks, ICON2003. Sep 2003:105-110.
[53] Knuth D E, Morris J H, Pratt V R. Fast pattern matching in strings. SIAM Journal on Computing, 1977, 6 (2): 323- 350.
[54] Boyer R S, Moo re J S. A fast string searching algorithm. Comm ACM, 1977, 20(10):762- 772.
[55] Hume A, Sunday DM. Fast String Searching. Software Pract. Exp., 1991, 21 (11): 1221-1248.
[56] Sunday DM. A Very Fast Substring Search Algorithm. Commun. ACM, 1990, 33(8): 132-142.
[57] AHO A, CORASICK M. Efficient string matching: an aid to bibliographic search.Communications of the ACM, 1975, 18(6):333-340.
[58] LECROQ T. New experimental results on exact string-matching.http://www-igm.univ-mlv.fr/~lecroq/biblio.html#jwith.
[59]S.Wu,U.Manber.A Fast Algorithm For Multi-Pattern Searching.Technical Report TR-94-17,Department of Computer Science,University of Arizona.1994:1-11.
[60]Horspool R.N.Practical Fast Searching in Strings.Software Practice and Experience,1980(10)(6):501-506,FL.1980.
[61]ES de Moura.Fast and flexible word searching on compressed text.ACM Transactions on Information Systems,2000
[62]谭建龙。串匹配算法及其在网络内容分析中的应用;博士学位论文;北京:中国科学院计算技术研究所;2003年7月。
[63]张冬艳,殷丽华,胡铭曾,云晓春,郑秀荣;面向内容安全的多模精确匹配算法性能分析;通信学报;2004年7月第25卷第7期:128-136。
[64]李伟男,鄂跃鹏,葛敬国,钱华林。多模式匹配算法及其硬件实现;软件学报,2006年5月第41期第9卷:1481-1487。
[65]FangYu,Zhifeng Chert,Yanlei Diao.Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection.Technical Report,Berkeley,University of California,2006.http://www.eecs.berkeley.edu/Pubs/TechRpts/2006/EECS-2006-76.html.
[66]Sailesh Kumar,Sarang Dharmapurikar,Fang Yu,et al.Algorithms to Accelerate Multiple Regular Expressions Matching for Deep Packet Inspection.SIGCOMM'06,September 11-15,2006,Pisa,Italy.339-350.
[67]Application Layer Packet Classifier for Linux,http://17-filter.sourceforge.net.
[68]IPP2P:http://www.ipp2p.org.
[69]Estrade,B.D.;Perkins,A.L.;Harris,J.M.Explicitly Parallel Regular Expressions.First International Multi-Symposiums on Computer and Computational Sciences,2006.IMSCCS'06:402-409.
[70]陈一骄,胡晓峰,孙志刚。高速网络接口流量分配技术设计与实现;2003中国通信专用集成电路技术及产业发展研讨会,中国昆明,2003.8:28-32。
[71]C.J.Coit,S.Staniford,J.McAlerney.Towards Faster String Matching for Intrusion Detection or Exceeding the Speed of Snort.DARPA Information Survivability Conference and Exposition(DISCEXⅡ'01),2001.
[72]Cho YH,Mangione-Smith WH.Deep packet filter with dedicated logic and read only memories.In:Pocek KL,ed.Proc.of the 12th Annual IEEE Symp.on Field-Programmable Custom Computing Machines.Los Alamitos:IEEE Computer Society,2004:125-134.
[73]Cho YH,Mangione-Smith WH.Fast reconfiguring deep packet filter for 1+gigabit network.In:Pocek KL,ed.Proc.of the 13th Annual IEEE Syrup.on Field-Programmable Custom Computing Machines.Los Alamitos:IEEE Computer Society,2005.215-224.
[74]Cho YH,Mangione-Smith WH.A pattern matching coprocessor for network security.In:Proc.of the 42nd Annual Conf.on Design Automation.New York:ACM Press,2005:234-239.
[75]Franklin F,Carver D,Hutchings B.Assisting network intrusion detection with reconfigurable hardware.In:Pocek KL,ed.Proc.of the IEEE Symp.on Field-Programmable Custom Computing Machines.Los Alamitos:IEEE Computer Society,2002:111-120.
[76] Sourdis I, Pnevmatikatos D. Pre-decoded CAMs for Efficient and High-Speed NIDS Pattern Matching. IEEE Symposium on Field-Programmable Custom Computing Machines, FCCM 2004.
[77] Moscola J, Lockwood J, Loui RP, Pachos M. Implementation of a content-scanning module for an Internet firewall. In: Pocek KL, ed. Proc. of the 11th Annual IEEE Symp.on Field-Programmable Custom Computing Machines. Los Alamitos: IEEE Computer Society, 2003. 31-38.
[78] Sidhu R, Prasanna VK. Fast regular expression matching using FPGAs. In: Pocek KL,ed. Proc. of the IEEE Symp. on Field-Programmable Custom Computing Machines. Los Alamitos: IEEE Computer Society, 2001: 227-238.
[79] L. Tan, and T. Sherwood, A High Throughput String Matching Architecture for Intrusion Detection and Prevention. Proceedings. 32nd International Symposium on Computer Architecture, 2005. ISCA'05. 04-08 June 2005: 112-122.
[80] L. Tan, and T. Sherwood, Bit-Split String-Matching Engines for Intrusion Detection and Prevention. ACM Transactions on Architecture and Code Optimization, Vol.3, No.1,March 2006: 3-34.
[81] TUCK, N., SHERWOOD, T., CALDER, B., AND VARGHESE, G. 2004. Deterministic memory-efficient string matching algorithms for intrusion detection. In the 23rd Conference of the IEEE Communications Society.
[82] B Bloom. Space/time tradeoffs in hash coding with allowable errors. Communications of the ACM, 1970, 13 (7): 422-426.
[83] Sarang Dharmapurikar, Praveen Krishnamurthy, Todd Sproull, etc. Deep packet inspection using parallel Bloom filters. Proceedings of the 11th Symposium on High Performance Interconnects (HOTI'03): 44-51.
[84] Taskin Kocak and Ilhan Kaya. Low-Power Bloom Filter Architecture for Deep Packet Inspection. IEEE COMMUNICATIONS LETTERS, VOL.10, NO.3, MARCH 2006.
[85] Dharmapurikar S, Lockwood J. Fast and scalable pattern matching for content filtering. In: Berenbaum A, ed. Proc. of the 2005 Symp. on Architecture for Networking and Communications Systems. New York: ACM Press, 2005:183-192.
[86] Attig M, Dharmapurikar S, Lockwood JW. Implementation results of bloom filters for string matching. In: Pocek KL, ed. Proc. of the 12th Annual IEEE Symp. on Field-Programmable Custom Computing Machines. Los Alamitos: IEEE Computer Society, 2004: 322-323.
[87] Yu F, Katz RH, Lakshman TV. Gigabit rate packet pattern-matching using TCAM. In: Koenig H, ed. Proc. of the 12th IEEE International Conf. on Network Protocols (ICNP 2004). Washington: IEEE Computer Society, 2004: 174-183.
[88] JS Sung, SM Kang, YG Lee, etc. Multi-gigabit Rate Deep Packet Inspection Algorithm using TCAM. This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE GLOBECOM 2005 proceedings.
[89] L. Kencl, J. Le Boudec. Adaptive load sharing for network processors. In IEEE INFOCOM 2002, New York, NY, USA, June 2002: 545-554.
[90] K. W. Ross. Hash routing for collections of shared web caches. IEEE Network, Vol.11,No.6, November-December 1997.
[91]G.Dittmann,A.Herkersdorf.Network processor load balancing for high-speed links.2002 International Symposium on Performance Evaluation of Computer and Telecommunication Systems(SPECTS 2002),San Diego,CA,USA,July 2002:727-735.
[92]W.Shi,M.H.MacGregor et al.An Adaptive Load Balancer for Multiprocessor Routers.University of Alberta,Edmonton,AB,TGG 2E8,Canada,http://www.cs.ualberta.ca/-pawel/PAPERS/.2004
[93]Weiguang Shi,Mike H.MacGregor,Pawel Gburzynski.Load balancing for parallel forwarding.IEEE/ACM Transactions on Networking,vol.13,No.4,2005.
[94]Shaikh,J.Rexford,K.G.Shin.Load-sensitive routing of long-lived IP flows.ACM SIGCOMM Computer Communication Review,Vol.29 No.4 October 1999:215-226.
[95]张晓明。网络处理器设计的若干关键技术研究。博士学位论文,长沙:国防科学技术大学,2006。
[96]Z.Cao;Z.Wang;E.Zegura.Performance of hashing-based schemes for Internet load balancing.In Proceedings of IEEE Infocom 2000,Vol.1,March 2000:332-341.
[97]程光,龚俭,丁伟,徐加羚。面向IP流测量的哈希算法研究。软件学报,Vol.16,No.52005:652-658。
[98]Duffield NG,Grossglauser M.Trajectory sampling for direct traffic observation.IEEE/ACM Trans.on Networking,2001.9(3):280-292.
[99]Jain R.A comparison of hashing schemes for address lookup in computer networks.IEEE Trans.on Communications,1992,40(3):1570-1573.
[100]IP Flow information export(ipfix).2004.http://www.ietf.org/html.charters/ipfix-charter.html
[101]Glaise R J.A Two-step Computation of Cyclic Redundancy Code CRC32 for ATM Networks.IBM Journal of Research and Develoopment,2002,41(6).
[102]H.Michael Ji,Earl Killian.Fast Parallel CRC Algorithm and Implementation on a Configurable Processor.2002 IEEE.
[103]CLAFFY K C.Internet Traffic Characterization.Dissertation for the degree Doctor of Philosophy.University of California,San Diego.1994.
[104]RYU B,CHENEY D,BRAUN H W.Internet flow characterization:adaptive timeout strategy and statistical modeling.Workshop on Passive and Active Measurement(PAM).2001:95-105.
[105]HOHN N,VEITCH D.Inverting sampled traffic.IMC'03,Miami Beach,Florida,USA.2003:222-333.
[106]周明中,龚俭,丁伟。网络流超时策略研究。通信学报,2005年4月第26卷第4期:88-93。
[107]NLANR network traffic packet header traces,2006.http://pma.nlanr.net/Traces/.
[108]Rolf Enzler.Architectural Trade-offs in Dynamically Reconfigurable Processors.A dissertation submitted to the Swiss Federal Institute of Technology Zurich.Swiss 2004.
[2]CERT/CC Statistics 2003.Available at:http://www.cert.org/stats/cert_stats.html
[3]冯登国。国内外信息安全研究现状及其发展趋势。信息网络安全,2007年第1期。
[4]H.Richard,L.George,M.Arthur and S.Mark.The Architecture of a Network Level Intrusion Detection System.Department of Computer Science,University of New Mexico Technical Report,CS90-20,1990:1-24.
[5]Anderson J R Computer security threat monitoring and surveillance.Technical Report,James P Anderson Co,Fort Washington,Pennsylvania 1980
[6]Denning D.An intrusion detection model.IEEE transaction on Software Engineering,1987,13(2):222-232.
[7]Vaccarro,H.S.,Liepins,G.E.Detection of Anomalous Computer Session Activity.Proceedings of the IEEE Symposium on Research in Security and Privacy.Oakland,California,May 1-3,1989.Washington,DC:IEEE Computer Society Press,1989:208-209.
[8]Heberlein,L.A Network Security Monitor.Proceedings of the IEEE Computer Society Symposium,Research in Security and Privacy,May 1990:296-303.
[9]Mukherjee,Heberlein L.,Levitt K.,Network Intrusion Detection,IEEE Network Magazine,Vol.8.No.3,May/June 1994:26-41.
[10]Snapp.S.et al.A System for Distributed Intrusion Detection,Proceedings of IEEE COMPCON,March 1991:170-176.
[11]S.Staniford-Chen,S.Cheung,R.et al.GRIDS A Graph-Based Intrusion Detection System for Large Networks.Proceedings of the 19th National Information Systems Security Conference 1996
[12]Snort2.6.0 http://www.snort.org/.
[13]Snort-ng.Snort-next generation:Network intrusion detection System.http://www.infosys.tuwien.ac.at.
[14]Forrest S,Hofmeyr S A.Immunology as information processing.In:Segel and Cohen eds.Design Principles for the Immune System and Other Distributed Autonomous Systems USA:Oxford University Press,2000.
[15]Marceau C,et al.Architecture of a CORBA Immune System.Odyssey Research Associates Technical Report TM29820005,1998.13229.
[16]Honeynet Project.http://www.honeynet.org.
[17]Jun-feng Tian;Jian-ling Wang;Xiao-hui Yang;Ren-ling Li.A Study of Intrusion Signature Based on Honeypot.Sixth International Conference on Parallel and Distributed Computing,Applications and Technologies,2005.PDCAT 2005.Dec.2005:125-129.
[18]张剑,龚俭。可回卷的自动入侵响应系统。电子学报,2004年5月第32卷第5期:769-773。
[19]S.Savage;et al.Network Support for IP Traceback.IEEE/ACM Transaction on Networking.9(3).2001.
[20]Savage S,Wetherall D,Karlin A,et al.Practical network support for IP traceback.Proceedings of the 2000 ACM SIGCOMM Conference.Stockholm,Sweden:ACM,2000.
[21]Snoeren A C,Partridge C,Sanchez L A,et al.Hash based IP traceback.Proceedings of 2001 Conference on Applications,Technologies,Architectures,and Protocols for Computer Communication(ACM SIGCOMM).California:ACM,2001:3-14.
[22]Sanchez L A.,Milliken W C,Snoeren A C,et al.Hardware support for a hash based IP traceback.Proceedings of the 2nd DARPA Information Survivability Conference and Exposition(DISCEX Ⅱ).Anaheim,CA,2001:146-152.
[23]Bellovin S M.ICMP Yraceback Messages,Internet Draft.March 2001.
[24]CNNIC.中国互联网络发展状况统计报告.Beijing,2007.01.
[25]Basu A.,Buch V.,Vogels W.,Von Eicken Thorsten.U-Net:A user level network interface for parallel and distributed computing.In:Proceedings of the 15th ACM Symposium on Operating Systems Principles,Copper Mountain,Colorado,1995.
[26]http://www.endance.com..
[27]Ian Graham.Achieving zero-loss multi-Gigabit IDS.Endace Ltd.http://www.endace.com.
[28]http://www.endance.com/ninj aprobe/.
[29]http://www,soleranetworks.com/products/
[30]http://ngmon.postech.ac.kr.
[31]YG Chu,J Li,YX Yang.The Architecture of the Large-scale Distributed Intrusion Detection System.Proceedings of the Sixth International Conference on Parallel and Distributed Computing,Applications and Technologies(PDCAT'05)
[32]C Kruegel,F Valeur,G Vignaetal,et al.Stateful intrusion detection for high-speed networks.Proc.of the IEEE Symposium Security and Privacy.Los Alamitos,CA:IEEE Computer Society Pres,2002.
[33]陈训逊,方滨兴,李蕾。高速网络环境下入侵检测系统结构研究;计算机研究与发展,2004年9月第41期第9卷:1481-1487。
[34]Jackson,K.A.:NADIR:A prototype system for detecting network and file system abuse,Proc.of the 7th European Conference on Information Systems,Nov 1992.
[35]Habra,N.,Le Charlier B.,Mounji A.,Mathieu,I.ASAX:Software architecture and rule-based language for universal audit trail analysis.Deswarte,Y.,Eizenberg,G.(eds.),Proc.of the 2nd European Symposium on Research in Computer Security(ESORICS'92),Toulouse,France,Nov.1992,435 - 450.
[36]Mark Crosbie and Eugene Spafford.Active Defense of a Computer System using Autonomous Agents.In Proceedings of the 18th National Information Systems Security Conference,October 1995:549-558.
[37]P.A.Porras,P.G.Neumann.EMERALD:Eventmonitoring enabling responses to anomalous live disturbances.In National Information Systems Secur ity Conference,Baltimore MD,Octoberl 997.
[38]NLANR network traffic packet header traces.2002.http://pma.nlanr.net/Traces/long/iplsl.html.
[39]S.Staniford-Chen,B.Tung,D.Schnackenberg.The Common Intrusion Detection Framework(CIDF).In Proceedings of the Information Survivability Workshop(ISW'98), Orlando FL, 1998: 253-274.
[40] Gupta P, McKeown N. Algorithms for packet classification. IEEE Network. Mar. 2001.15(2):24-32.
[41] P. Gupta, N. McKeown, Packet classification on multiple fields, Computer Communication. Rev., vol. 29, pp. 147-160, Oct. 1999.
[42] Lili Qiu; Varghese, G; Suri, S. Fast firewall implementations for software and hardware-based routers. Ninth International Conference on Network Protocols, 2001.Nov.2001:241-250.
[43] Srinivasan V, Varghese G, Suri S, Waldvagel M. Fast and scalable layer four switching.Proc ACM STGCGMM'98 Aug 1998:191-202
[44] Buddhikot M M, Suri S, Waldvogel M. Space decomposition techniques for a fast layer-4 switching. Proc. Conf. Protocols for High Speed Networks, Aug 1999: 25-41.
[45] Gupta P, McKeown N. Packet classification on multiple fields. Proc. ACM SIGCOMM'99, Aug. 1999: 147-160.
[46] Gupta P, Mckeown N. Classification using hierarchical intelligent cuttings. Proc Hot Interconnects VII, Stanford, CA, Aug 1999.
[47] V. Srinivasan, S Suri, G Varghese. Packet. Classification using tuple space search. Proc ACM SIGCOMM'99, Aug 1999,135-146.
[48] Fang Yu, Randy H. Katz. Efficient Multi-Match Packet Classification with TCAM.Proceedings 12th Annual IEEE Symposium on High Performance Interconnects. Aug 2004:28-34.
[49] Kasnavi, S.; Gaudet, V.C.; Berube, P.; Amaral, J.N. A Hardware-Based Longest Prefix Matching Scheme for TCAMs. IEEE International Symposium on Circuits and Systems,2005. ISCAS 2005:3339-3342.
[50] Haoyu Song, John W. Lockwood. Efficient Packet Classification for Network Intrusion Detection using FPGA. FPGA'05, Monterey, California, USA, February 20-22 2005:238-245.
[51] Huan Liu. Efficient Mapping of Range Classifier into Ternary-CAM. Proceedings 10th Annual IEEE Symposium on High Performance Interconnects. Aug, 2002: 95-100.
[52] Miyoshi, H.; Thompson, J.S. SIRS: selective intersected rule search for packet classification. The 11th IEEE International Conference on Networks, ICON2003. Sep 2003:105-110.
[53] Knuth D E, Morris J H, Pratt V R. Fast pattern matching in strings. SIAM Journal on Computing, 1977, 6 (2): 323- 350.
[54] Boyer R S, Moo re J S. A fast string searching algorithm. Comm ACM, 1977, 20(10):762- 772.
[55] Hume A, Sunday DM. Fast String Searching. Software Pract. Exp., 1991, 21 (11): 1221-1248.
[56] Sunday DM. A Very Fast Substring Search Algorithm. Commun. ACM, 1990, 33(8): 132-142.
[57] AHO A, CORASICK M. Efficient string matching: an aid to bibliographic search.Communications of the ACM, 1975, 18(6):333-340.
[58] LECROQ T. New experimental results on exact string-matching.http://www-igm.univ-mlv.fr/~lecroq/biblio.html#jwith.
[59]S.Wu,U.Manber.A Fast Algorithm For Multi-Pattern Searching.Technical Report TR-94-17,Department of Computer Science,University of Arizona.1994:1-11.
[60]Horspool R.N.Practical Fast Searching in Strings.Software Practice and Experience,1980(10)(6):501-506,FL.1980.
[61]ES de Moura.Fast and flexible word searching on compressed text.ACM Transactions on Information Systems,2000
[62]谭建龙。串匹配算法及其在网络内容分析中的应用;博士学位论文;北京:中国科学院计算技术研究所;2003年7月。
[63]张冬艳,殷丽华,胡铭曾,云晓春,郑秀荣;面向内容安全的多模精确匹配算法性能分析;通信学报;2004年7月第25卷第7期:128-136。
[64]李伟男,鄂跃鹏,葛敬国,钱华林。多模式匹配算法及其硬件实现;软件学报,2006年5月第41期第9卷:1481-1487。
[65]FangYu,Zhifeng Chert,Yanlei Diao.Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection.Technical Report,Berkeley,University of California,2006.http://www.eecs.berkeley.edu/Pubs/TechRpts/2006/EECS-2006-76.html.
[66]Sailesh Kumar,Sarang Dharmapurikar,Fang Yu,et al.Algorithms to Accelerate Multiple Regular Expressions Matching for Deep Packet Inspection.SIGCOMM'06,September 11-15,2006,Pisa,Italy.339-350.
[67]Application Layer Packet Classifier for Linux,http://17-filter.sourceforge.net.
[68]IPP2P:http://www.ipp2p.org.
[69]Estrade,B.D.;Perkins,A.L.;Harris,J.M.Explicitly Parallel Regular Expressions.First International Multi-Symposiums on Computer and Computational Sciences,2006.IMSCCS'06:402-409.
[70]陈一骄,胡晓峰,孙志刚。高速网络接口流量分配技术设计与实现;2003中国通信专用集成电路技术及产业发展研讨会,中国昆明,2003.8:28-32。
[71]C.J.Coit,S.Staniford,J.McAlerney.Towards Faster String Matching for Intrusion Detection or Exceeding the Speed of Snort.DARPA Information Survivability Conference and Exposition(DISCEXⅡ'01),2001.
[72]Cho YH,Mangione-Smith WH.Deep packet filter with dedicated logic and read only memories.In:Pocek KL,ed.Proc.of the 12th Annual IEEE Symp.on Field-Programmable Custom Computing Machines.Los Alamitos:IEEE Computer Society,2004:125-134.
[73]Cho YH,Mangione-Smith WH.Fast reconfiguring deep packet filter for 1+gigabit network.In:Pocek KL,ed.Proc.of the 13th Annual IEEE Syrup.on Field-Programmable Custom Computing Machines.Los Alamitos:IEEE Computer Society,2005.215-224.
[74]Cho YH,Mangione-Smith WH.A pattern matching coprocessor for network security.In:Proc.of the 42nd Annual Conf.on Design Automation.New York:ACM Press,2005:234-239.
[75]Franklin F,Carver D,Hutchings B.Assisting network intrusion detection with reconfigurable hardware.In:Pocek KL,ed.Proc.of the IEEE Symp.on Field-Programmable Custom Computing Machines.Los Alamitos:IEEE Computer Society,2002:111-120.
[76] Sourdis I, Pnevmatikatos D. Pre-decoded CAMs for Efficient and High-Speed NIDS Pattern Matching. IEEE Symposium on Field-Programmable Custom Computing Machines, FCCM 2004.
[77] Moscola J, Lockwood J, Loui RP, Pachos M. Implementation of a content-scanning module for an Internet firewall. In: Pocek KL, ed. Proc. of the 11th Annual IEEE Symp.on Field-Programmable Custom Computing Machines. Los Alamitos: IEEE Computer Society, 2003. 31-38.
[78] Sidhu R, Prasanna VK. Fast regular expression matching using FPGAs. In: Pocek KL,ed. Proc. of the IEEE Symp. on Field-Programmable Custom Computing Machines. Los Alamitos: IEEE Computer Society, 2001: 227-238.
[79] L. Tan, and T. Sherwood, A High Throughput String Matching Architecture for Intrusion Detection and Prevention. Proceedings. 32nd International Symposium on Computer Architecture, 2005. ISCA'05. 04-08 June 2005: 112-122.
[80] L. Tan, and T. Sherwood, Bit-Split String-Matching Engines for Intrusion Detection and Prevention. ACM Transactions on Architecture and Code Optimization, Vol.3, No.1,March 2006: 3-34.
[81] TUCK, N., SHERWOOD, T., CALDER, B., AND VARGHESE, G. 2004. Deterministic memory-efficient string matching algorithms for intrusion detection. In the 23rd Conference of the IEEE Communications Society.
[82] B Bloom. Space/time tradeoffs in hash coding with allowable errors. Communications of the ACM, 1970, 13 (7): 422-426.
[83] Sarang Dharmapurikar, Praveen Krishnamurthy, Todd Sproull, etc. Deep packet inspection using parallel Bloom filters. Proceedings of the 11th Symposium on High Performance Interconnects (HOTI'03): 44-51.
[84] Taskin Kocak and Ilhan Kaya. Low-Power Bloom Filter Architecture for Deep Packet Inspection. IEEE COMMUNICATIONS LETTERS, VOL.10, NO.3, MARCH 2006.
[85] Dharmapurikar S, Lockwood J. Fast and scalable pattern matching for content filtering. In: Berenbaum A, ed. Proc. of the 2005 Symp. on Architecture for Networking and Communications Systems. New York: ACM Press, 2005:183-192.
[86] Attig M, Dharmapurikar S, Lockwood JW. Implementation results of bloom filters for string matching. In: Pocek KL, ed. Proc. of the 12th Annual IEEE Symp. on Field-Programmable Custom Computing Machines. Los Alamitos: IEEE Computer Society, 2004: 322-323.
[87] Yu F, Katz RH, Lakshman TV. Gigabit rate packet pattern-matching using TCAM. In: Koenig H, ed. Proc. of the 12th IEEE International Conf. on Network Protocols (ICNP 2004). Washington: IEEE Computer Society, 2004: 174-183.
[88] JS Sung, SM Kang, YG Lee, etc. Multi-gigabit Rate Deep Packet Inspection Algorithm using TCAM. This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE GLOBECOM 2005 proceedings.
[89] L. Kencl, J. Le Boudec. Adaptive load sharing for network processors. In IEEE INFOCOM 2002, New York, NY, USA, June 2002: 545-554.
[90] K. W. Ross. Hash routing for collections of shared web caches. IEEE Network, Vol.11,No.6, November-December 1997.
[91]G.Dittmann,A.Herkersdorf.Network processor load balancing for high-speed links.2002 International Symposium on Performance Evaluation of Computer and Telecommunication Systems(SPECTS 2002),San Diego,CA,USA,July 2002:727-735.
[92]W.Shi,M.H.MacGregor et al.An Adaptive Load Balancer for Multiprocessor Routers.University of Alberta,Edmonton,AB,TGG 2E8,Canada,http://www.cs.ualberta.ca/-pawel/PAPERS/.2004
[93]Weiguang Shi,Mike H.MacGregor,Pawel Gburzynski.Load balancing for parallel forwarding.IEEE/ACM Transactions on Networking,vol.13,No.4,2005.
[94]Shaikh,J.Rexford,K.G.Shin.Load-sensitive routing of long-lived IP flows.ACM SIGCOMM Computer Communication Review,Vol.29 No.4 October 1999:215-226.
[95]张晓明。网络处理器设计的若干关键技术研究。博士学位论文,长沙:国防科学技术大学,2006。
[96]Z.Cao;Z.Wang;E.Zegura.Performance of hashing-based schemes for Internet load balancing.In Proceedings of IEEE Infocom 2000,Vol.1,March 2000:332-341.
[97]程光,龚俭,丁伟,徐加羚。面向IP流测量的哈希算法研究。软件学报,Vol.16,No.52005:652-658。
[98]Duffield NG,Grossglauser M.Trajectory sampling for direct traffic observation.IEEE/ACM Trans.on Networking,2001.9(3):280-292.
[99]Jain R.A comparison of hashing schemes for address lookup in computer networks.IEEE Trans.on Communications,1992,40(3):1570-1573.
[100]IP Flow information export(ipfix).2004.http://www.ietf.org/html.charters/ipfix-charter.html
[101]Glaise R J.A Two-step Computation of Cyclic Redundancy Code CRC32 for ATM Networks.IBM Journal of Research and Develoopment,2002,41(6).
[102]H.Michael Ji,Earl Killian.Fast Parallel CRC Algorithm and Implementation on a Configurable Processor.2002 IEEE.
[103]CLAFFY K C.Internet Traffic Characterization.Dissertation for the degree Doctor of Philosophy.University of California,San Diego.1994.
[104]RYU B,CHENEY D,BRAUN H W.Internet flow characterization:adaptive timeout strategy and statistical modeling.Workshop on Passive and Active Measurement(PAM).2001:95-105.
[105]HOHN N,VEITCH D.Inverting sampled traffic.IMC'03,Miami Beach,Florida,USA.2003:222-333.
[106]周明中,龚俭,丁伟。网络流超时策略研究。通信学报,2005年4月第26卷第4期:88-93。
[107]NLANR network traffic packet header traces,2006.http://pma.nlanr.net/Traces/.
[108]Rolf Enzler.Architectural Trade-offs in Dynamically Reconfigurable Processors.A dissertation submitted to the Swiss Federal Institute of Technology Zurich.Swiss 2004.