Research on an FPGA-Based Fast Packet Distribution System for Intrusion Detection Systems
Abstract
An intrusion detection system (IDS) is a network security device that monitors network traffic in real time and raises an alarm, or takes active countermeasures, when it detects suspicious traffic. In a distributed IDS the large volume of data carried across the network causes congestion, so processing network packets quickly becomes a critical problem for distributed IDSs.
     The work in this thesis was carried out as part of a specific project. It studies network packet distribution from both a theoretical and a practical standpoint on Altera's FreeDEV2.1 development board, focusing on the use of an FPGA and the Nios II soft-core processor to build a fast packet distribution system. It first explains the basic principles of FPGAs, their architecture, their building blocks and the function of each, and the general method and flow of FPGA development. It then uses the large block RAM integrated in the FPGA to place the modules a system design requires (CPU, memory, I/O interfaces, DSP blocks) on a single FPGA, building a hardware and software development environment around one Nios II processor. Finally, on top of the HAL, it designs and implements an FPGA-based fast packet distribution system.
An intrusion detection system (IDS) is a network security device that monitors network traffic in real time and raises an alarm, or takes an active response, when it detects suspicious traffic. In 1990 IDSs were classified into network-based and host-based IDSs; distributed IDSs appeared later.
     At present the overall structure of a distributed IDS is a multi-level hierarchy: a top-down tree consisting of control nodes, data aggregation nodes and data collection nodes. Control nodes sit at the top of the tree; they control the entire system and provide the interface for communicating with the outside world. Data aggregation nodes form the middle layer; they accept commands from the layer above and control the layer below, analyse the data coming up from below and submit the reduced data upwards. The leaf nodes at the bottom collect data; a leaf node can be a network host or a data collector placed in the network. This hierarchy, however, creates a serious problem: the large volume of data the system transmits over the network causes congestion. How to handle network packets at high speed is therefore a critical issue for a distributed intrusion detection system.
     As networks keep growing, fast packet handling has become a key factor in the performance of a distributed intrusion detection system. The software-only packet handling methods of the past can no longer meet the requirements for either speed or accuracy, and there is a growing trend towards hardware/software co-design. Among the packet classification systems currently built and deployed domestically, hardware-based implementation is the best approach. An ASIC designed by a network equipment vendor performs excellently at the fixed task it was laid out for, but its development cycle is long and it is not programmable. Programmable logic devices offer a flexible design approach and powerful functionality. The FPGA (field programmable gate array) emerged as a semi-custom circuit in the ASIC field, with performance on a par with an ASIC. It makes up for the shortcomings of full-custom circuits and overcomes the limited gate count of the earlier programmable devices. An FPGA can be fully configured and programmed by the user, through software, to perform a particular logic function. Its applications are no longer limited to replacing traditional digital logic; the more important use is implementing complex, algorithm-oriented logic. FPGAs can also be used for hardware sharing, hardware emulation, prototype validation and other purposes. Compared with a general-purpose processor, an FPGA is more specialised: the chip has rich programmable hardware resources with which the complex algorithms a system needs can be implemented directly, which raises computational speed.
     FPGAs are well suited to any kind of high-speed parallel data processing; they are very flexible and scale well. FPGA devices, already the choice for programmable design, have quietly gained a growing number of network-friendly features in order to enter this market. With these features a platform FPGA can deliver a high-performance data path together with network control and processing functions. This makes them ideal candidates for dedicated network processing and leaves the trade-off between flexibility and performance in the user's hands.
     The basic components of an FPGA are: programmable input/output (I/O) blocks, basic programmable logic blocks, routing interconnect resources, embedded block RAM, underlying embedded functional units and embedded dedicated hard cores. Based on these characteristics of the FPGA, this thesis proposes an FPGA-based fast packet distribution system. Its main idea is to use hardware/software co-design to raise the speed at which network packets are processed, in order to solve the network congestion problem in a distributed intrusion detection system.
     Starting from an FPGA-based SOPC, the thesis describes the implementation of FPGA-based fast packet distribution in detail, covering both hardware and software development. On the hardware side, a Nios II system module is designed and generated with SOPC Builder and downloaded to the FPGA development board with Quartus II. On the software side, development is done on top of the HAL (Hardware Abstraction Layer), and the thesis presents the LAN91C111 Ethernet controller driver interface module, the packet storage module, the interrupt handling module, the DMA transfer module and the filtering rules module.
     The main principle is as follows. A packet is first captured from the driver interface of the LAN91C111 Ethernet controller and stored in a connection pool. To reduce the impact of interrupts on system performance, no interrupt is raised until a certain number of arriving packets has been saved. After the interrupt, the packets are transferred to the filtering rules module by DMA, where each packet is discarded or forwarded according to the rules in the rules table.
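To make that data path concrete, the following is an added example in plain C, written for this page; it is not the thesis's code (the thesis's modules run on the Nios II under the HAL and are not reproduced here). It models a fixed-size packet pool filled by a driver-side push, a batch threshold standing in for the deferred interrupt, a drain step standing in for the DMA hand-off, and a first-match rule table that drops or forwards each packet. The pool size, threshold, rule fields, addresses, rule set and the packets themselves are all constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host-side model of the data path above: the driver fills a packet pool, a batch threshold
 * stands in for the deferred interrupt, and draining the pool through a rule table stands in
 * for the DMA hand-off to the filtering module. Added illustration; every name and size is an
 * assumption, none of it is the thesis's Nios II / HAL code. */
#define POOL_SIZE     8   /* assumed pool capacity (slots) */
#define IRQ_THRESHOLD 4   /* assumed: raise the interrupt once this many packets are pooled */
#define MAX_PKT       64  /* assumed per-slot buffer size */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
enum action { ACT_DROP = 0, ACT_FORWARD = 1 };
struct packet     { uint8_t data[MAX_PKT]; size_t len; };
struct pool       { struct packet slot[POOL_SIZE]; size_t count; };
struct rule       { uint32_t src, src_mask, dst, dst_mask; uint8_t proto; uint16_t dport; enum action act; };
struct rule_table { struct rule r[8]; size_t n; enum action dflt; };   /* proto/dport 0 = any */
static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Pull out the fields the rules match on. Returns 0 for anything that is not a well-formed IPv4
 * header (too short, wrong version, bad IHL, truncated port pair) so the caller drops it. */
static int parse_ipv4(const uint8_t *p, size_t len, uint32_t *src, uint32_t *dst, uint8_t *proto, uint16_t *dport) {
    if (len < 20 || (p[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return 0;
    *src = be32(p + 12); *dst = be32(p + 16); *proto = p[9]; *dport = 0;
    if (*proto == 6 || *proto == 17) {                            /* TCP/UDP: need the 4-byte port pair */
        if (len < ihl + 4) return 0;
        *dport = (uint16_t)((p[ihl + 2] << 8) | p[ihl + 3]);
    }
    return 1;
}

/* First matching rule wins; unparseable packets are dropped; no match falls to the default. */
static enum action classify(const struct rule_table *t, const struct packet *pkt) {
    uint32_t s, d; uint8_t proto; uint16_t dport;
    if (!parse_ipv4(pkt->data, pkt->len, &s, &d, &proto, &dport)) return ACT_DROP;
    for (size_t i = 0; i < t->n; i++) {
        const struct rule *r = &t->r[i];
        if ((s & r->src_mask) != (r->src & r->src_mask)) continue;
        if ((d & r->dst_mask) != (r->dst & r->dst_mask)) continue;
        if (r->proto && r->proto != proto) continue;
        if (r->dport && r->dport != dport) continue;
        return r->act;
    }
    return t->dflt;
}

/* Driver side: store one frame. Returns 1 when the batch threshold is reached (where the hardware
 * would raise its interrupt), 0 otherwise, -1 if the frame is oversized or the pool is full (frame lost). */
static int pool_push(struct pool *pl, const uint8_t *buf, size_t len) {
    if (len > MAX_PKT || pl->count >= POOL_SIZE) return -1;
    memcpy(pl->slot[pl->count].data, buf, len);
    pl->slot[pl->count].len = len; pl->count++;
    return pl->count >= IRQ_THRESHOLD ? 1 : 0;
}

/* Interrupt side: run the whole batch through the rules (the DMA step), empty the pool, return forwarded count. */
static size_t pool_drain(struct pool *pl, const struct rule_table *t) {
    size_t fwd = 0;
    for (size_t i = 0; i < pl->count; i++)
        if (classify(t, &pl->slot[i]) == ACT_FORWARD) fwd++;
    pl->count = 0;
    return fwd;
}

/* Constructed input: minimal IPv4 header, plus TCP/UDP ports where relevant (checksum left zero). */
static size_t make_ipv4(uint8_t *p, uint32_t src, uint32_t dst, uint8_t proto, uint16_t dport) {
    memset(p, 0, 24); p[0] = 0x45; p[9] = proto;
    for (int i = 0; i < 4; i++) { p[12 + i] = (uint8_t)(src >> (24 - 8 * i)); p[16 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    if (proto != 6 && proto != 17) return 20;
    p[22] = (uint8_t)(dport >> 8); p[23] = (uint8_t)dport;
    return 24;
}

/* Constructed rule table: drop TCP/22 into 10.0.0.0/8, forward the rest of 192.168.1.0/24, drop all else. */
static void demo_table(struct rule_table *t) {
    t->r[0] = (struct rule){ 0, 0, IP(10, 0, 0, 0), 0xff000000u, 6, 22, ACT_DROP };
    t->r[1] = (struct rule){ IP(192, 168, 1, 0), 0xffffff00u, 0, 0, 0, 0, ACT_FORWARD };
    t->n = 2; t->dflt = ACT_DROP;
}

/* Verdict for one constructed packet against the demo table; clip > 0 truncates it to that many bytes. */
static int demo_verdict(uint32_t src, uint32_t dst, uint8_t proto, uint16_t dport, size_t clip) {
    struct rule_table t; struct packet p; demo_table(&t);
    p.len = make_ipv4(p.data, src, dst, proto, dport); if (clip) p.len = clip;
    return classify(&t, &p);
}

/* Push four constructed packets; once the threshold fires, drain and return the forwarded count (-1 if it never fired). */
static int run_demo(void) {
    struct rule_table t; struct pool pl = { .count = 0 }; uint8_t b[MAX_PKT]; int fired = 0;
    demo_table(&t);
    fired |= pool_push(&pl, b, make_ipv4(b, IP(192, 168, 1, 5),  IP(10, 0, 0, 1), 6,  80)) == 1;  /* rule 1: forward */
    fired |= pool_push(&pl, b, make_ipv4(b, IP(192, 168, 1, 5),  IP(10, 0, 0, 1), 6,  22)) == 1;  /* rule 0: drop    */
    fired |= pool_push(&pl, b, make_ipv4(b, IP(172, 16, 0, 9),   IP(10, 0, 0, 1), 17, 53)) == 1;  /* no match: drop  */
    fired |= pool_push(&pl, b, make_ipv4(b, IP(192, 168, 1, 77), IP(8, 8, 8, 8),  1,  0))  == 1;  /* rule 1: forward; 4th push fires */
    return fired ? (int)pool_drain(&pl, &t) : -1;
}

int main(void) { printf("forwarded %d of 4 pooled packets\n", run_demo()); return 0; }   /* forwarded 2 of 4 */
```

Two points the model makes explicit. Batching trades latency for fewer interrupts, and once the pool is full `pool_push` returns -1 and the frame is lost, so on a monitoring path the pool size and threshold must be sized against the line rate and the time a drain takes, or a traffic burst becomes a blind spot. The parser also refuses a packet whose transport header is truncated rather than matching it with a zero port; otherwise a drop rule keyed on a destination port could be slipped past with a short packet.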
The structure of this thesis is as follows:
     Chapter 1 starts from the network congestion problem in distributed intrusion detection systems to explain the background and significance of the topic, then proposes an FPGA-based, hardware/software co-designed packet processing system, and finally explains the theory behind its design.
     Chapter 2 traces the history of programmable logic devices to justify the choice of the FPGA, then systematically introduces FPGA architecture, the FPGA design method and flow, and the use of the Quartus II development tool, laying the theoretical groundwork for the implementation.
     Chapter 3 presents the design process of the system and the development environment built for it, from both the hardware and the software side. On the hardware side it gives the procedure for generating the Nios II system module; on the software side it presents the HAL system library and the LwIP protocol stack.
     Chapter 4 covers the implementation and performance analysis of the FPGA-based fast packet distribution system. It describes the system modules developed on top of the HAL and tests the system's performance; the results show that the system meets the requirement of processing network packets quickly.
     Chapter 5 gives a summary and outlook, analysing the research results and the shortcomings of this work, together with the remaining open issues.

© 2004-2018 China Geological Library (中国地质图书馆). All rights reserved. 京ICP备05064691号 京公网安备11010802017129号