Design and Implementation of an SOPC-Based Intrusion Detection System
Abstract
With computer intrusions occurring ever more frequently, computer network security is attracting growing attention. Intrusion detection systems emerged against this background. An intrusion detection system can actively search for and assess risks and is an important complement to the firewall. Current intrusion detection systems are generally implemented in software or on network processors; however, as network speeds keep rising, ever higher demands are placed on the processing speed of the intrusion detection system. The system must match the data it collects against a signature database, and this matching is where the processing-speed bottleneck lies. Accelerating signature matching in hardware would therefore greatly improve the performance of the intrusion detection system.
     Against this background, an SOPC (System On Programmable Chip) architecture for an embedded intrusion detection system is proposed, consisting of a software module running on the Nios II processor and a hardware acceleration module. The software module uses protocol analysis to detect suspected threats at the network and transport layers; the hardware acceleration module contains two sub-modules, packet header matching and regular expression matching, which match against the Snort rule set. The header matching module is implemented with the Tree Bitmap algorithm; the regular expression matching module is implemented as an NFA (Non-Deterministic Finite Automaton) state machine. The architecture was implemented on an Altera Cyclone II FPGA and verified on the Altera DE2 development board. Experimental results show that the system correctly detects threats in network traffic, and the hardware accelerator reaches a throughput of 1.6 Gbps. Upgradability of the design was also taken into account: a software tool was developed that reads the rule set and automatically generates the HDL code.
     This thesis first describes the background, trends and basic theory of intrusion detection systems. It then focuses on the Tree Bitmap algorithm used for header matching and on the algorithm that constructs an NFA state machine from a regular expression, used for regular expression matching; next it presents the overall design of the SOPC-based intrusion detection system; then it describes the construction of the system from the hardware implementation and the software design respectively; finally, it analyses the testing of the system on the FPGA and gives the test results.
As intrusion events on the Internet keep happening, computer network security is receiving more and more attention. Intrusion Detection Systems (IDS) were born against this background. An IDS can actively find and assess threats that exist in the system, which is an important complement to the firewall. The IDS in use at present are usually based on software or Network Processors (NP), which cannot keep up with the increasing speed of computer networks. The IDS needs to collect data and then match it against the signature database. This matching process is the bottleneck of the whole IDS's processing speed. Therefore, if the signature matching process is accelerated by hardware, the performance of the IDS, especially its processing speed, will be greatly improved.
     An SOPC (System On Programmable Chip) based architecture for the IDS is proposed, which contains a software module running on the Nios II processor and a hardware accelerator. The software module uses protocol analysis to detect malicious information contained in the network layer or the transport layer; the hardware acceleration module is composed of two sub-modules: the header match module and the regular expression match module. The header match module uses the Tree Bitmap algorithm and the regular expression match module uses NFAs (Non-Deterministic Finite Automata). The proposed architecture is realized on an Altera Cyclone II FPGA and tested on the Altera DE2 development board. The test results show that the designed system correctly detects all malicious information hidden in the network data flow. The hardware accelerator's throughput is 1.6 Gbps.
     Firstly, the development background of IDS, the basic theory of IDS and the development trends are briefly introduced; secondly, the Tree Bitmap algorithm and the NFA state machine are introduced; thirdly, the hardware implementation of the accelerator and the software implementation are introduced; finally, the system's test results and their analysis are presented.
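The regular expression accelerator described above compiles each rule pattern into an NFA and advances every live NFA state in parallel, one input byte per clock, which is what makes the hardware engine fast. The following Python model is added here and is not code from the thesis or its HDL generator: it builds the NFA with Thompson's construction over a small regex subset (literals, `.`, `|`, `*`, `+`, `?`, groups and backslash escapes) and then simulates the one-hot engine over a payload, assuming an unanchored search in which the start state stays armed on every cycle; the function names and the regex subset are this example's own choices.

```python
def compile_regex(pattern):
    """Thompson construction: literals, '.', '|', '*', '+', '?', groups, '\\' escapes -> (states, start, final)."""
    st, pos = [], [0]                                   # state = [kind, symbol, successors]; kinds: char any eps match
    def add(kind, sym=None): st.append([kind, sym, []]); return len(st) - 1
    def peek(): return pattern[pos[0]] if pos[0] < len(pattern) else None
    def take(): pos[0] += 1; return pattern[pos[0] - 1]
    def atom():                                         # literal, '.', escaped char or parenthesised group
        c = take()
        if c == '(':
            frag = alt(); take(); return frag           # second take() consumes ')'
        kind, sym = ('char', take()) if c == '\\' else (('any', None) if c == '.' else ('char', c))
        s, e = add(kind, sym), add('eps'); st[s][2] = [e]; return s, e
    def repeat():                                       # postfix *, +, ?
        s0, e0 = atom()
        while peek() in ('*', '+', '?'):
            op, s, e = take(), add('eps'), add('eps')
            st[s][2] = [s0] + [e] * (op != '+')          # '*' and '?' may skip the body
            st[e0][2] += [s0] * (op != '?') + [e]         # '*' and '+' loop back
            s0, e0 = s, e
        return s0, e0
    def concat():
        s, e = repeat()
        while peek() not in (None, '|', ')'):
            s2, e2 = repeat(); st[e][2].append(s2); e = e2
        return s, e
    def alt():
        s, e = concat()
        while peek() == '|':
            take(); s2, e2 = concat(); ns, ne = add('eps'), add('eps')
            st[ns][2] = [s, s2]; st[e][2].append(ne); st[e2][2].append(ne)
            s, e = ns, ne
        return s, e
    start, final = alt()
    st[final][0] = 'match'                              # accepting flip-flop
    return st, start, final

def scan(nfa, data):
    """One-hot engine model: each active state is a set flip-flop; all advance in parallel per input byte."""
    st, start, final = nfa
    def closure(seed):                                  # epsilon edges are wires, not clocked stages
        seen, stack = set(seed), list(seed)
        while stack:
            kind, _, outs = st[stack.pop()]
            stack += [o for o in outs if kind == 'eps' and o not in seen]; seen.update(stack)
        return seen
    hits, active = [], closure({start})
    for i, b in enumerate(data):                        # data is bytes; one byte per clock
        moves = {o for s in active for o in st[s][2] if st[s][0] == 'any' or st[s][1] == chr(b)}
        active = closure(moves | {start})                # start stays armed: unanchored search over the payload
        if final in active: hits.append(i + 1)          # offset just past the byte that completed a match
    return hits
```

For example, `scan(compile_regex(r"GET /.*\.php"), b"GET /index.php HTTP/1.1")` reports a completed match after byte 14, and the active-state set shows how many flip-flops the hardware would have set on each cycle.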