面向网络预警的并行模式匹配方法研究
|
摘要
网络预警系统是实现网络安全主动防护的重要工具。网络预警系统基于网络安全态势感知信息,其中入侵检测系统是网络安全态势感知信息的重要来源,但现有入侵检测系统的性能难以满足现实要求。模式匹配是入侵检测系统的性能瓶颈所在。为提高入侵检测中模式匹配的速度,人们从不同角度开展了大量研究工作,但是仍有许多问题没有得到解决。本文综合考虑了性能与成本的因素,深入研究了入侵检测系统中的模式匹配问题,工作的主要内容和创新点包括:
1、研究了当前针对入侵检测系统进行模式匹配加速的四种基本方法,并对这些方法的优缺点和适用范围进行了评价与比较。
2、从课题的背景出发,对Snort进行了性能瓶颈分析。首先利用工具gprof获取了Snort运行过程中各函数消耗的时间以及函数间的调用关系等信息;同时设计实现了一个对源码结构自适应的性能分析辅助工具和一个以图形化方式展现特定函数调用关系的工具。分析结果证实,在Snort中,模式匹配消耗的时间占总处理时间的一半以上,是系统性能瓶颈所在。
3、提出了一种基于GPU的并行模式匹配方法。该方法将模式集划分与文本划分结合起来,采用更为有效的数据访问和数据管理方式,同时探讨了其中的负载均衡问题,以实现快速的模式匹配。实验表明,该方法相比CPU上的实现有较大的提高,加速比约为7。与另一种在GPU上的实现Gnort相比,在模式集合更大的情况下也有一定优势。
4、提出了一种基于缩减模式集的预过滤方法。根据统计分析的结论,使用长度为2字节的模式子串做为过滤模式的候选集合。然后给出缩减候选集合问题的0-1整数线性规划形式,再利用LINGO软件来求解。在Snort的模式集合上进行的实验表明,通过优化,过滤模式集合大大缩减,同时提高了过滤率。
5.从网络预警系统的需要出发,构建了网络安全态势信息收集平台。首先探讨了平台的总体架构,给出了现有原型系统的基本情况。然后分别描述了平台中入侵检测预处理模块和基于入侵检测的态势信息收集模块的实现。
Network Early Warning System(NEWS) is an important tool for active defence of network security. NEWS is based on Network Security Situation Awareness(NSSA), and Intrusion Detection System(IDS) is the most important source of NSSA information. However, the performance of current IDSs is not as good as required. The bottleneck lies in pattern matching. A lot of work has been done on the problem of pattern matching for intrusion detection, yet there is still a lot of space left for improvement. In this paper, we focus on the problem of pattern matching for IDSs. The main achievements can be listed as follows
1.Four different ways to accelerate pattern matching are surveyed, and their advantages and disadvantages are analyzed and compared in detail.
2.An analysis of Snort's performance bottleneck is carried out. The tool Gprof was used to profile the running time of each function and to record the relationship of function calls discovered at run-time. Meanwhile, an assistant tool for performance profiling was designed and implemented, and an graphical description tool for the relationship of function calls was put forward. The experiment results show that in Snort, more than half of the processing time was consumed by pattern matching, which is the performance bottleneck.
3.A GPU based method for parallel pattern matching is proposed. This method combines pattern set partition and text partition together, employs a more effective way of data access and data management. At the same time, the issue of load balancing is discussed too. The experiment results indicates a 7 time acceleration compared to the CPU implementation. Under the condition with a large pattern set, our method is better than another GPU based method Gnort.
4.A pre-filtering mechanism based on the reduction of filtering pattern set is proposed. According to our statistical analysis, 2 byte sub-pattern are used as pre-filter keyword candidates. Then the Binary Integer Linear Programming formation of the keyword reduction problem is given. The optimization leads to a decreased size of filtering pattern set, and the filter ratio is increased.
5 . The platform of information collection for Network Security Situation Awareness is designed according to the requirements of NEWSs. The architecture of the platform is presented first, then some details about the prototype system is revealed. The pre-processing module for intrusion detection and the collection module of situation awareness information for intrusion detection based are demonstrated too.
1、研究了当前针对入侵检测系统进行模式匹配加速的四种基本方法,并对这些方法的优缺点和适用范围进行了评价与比较。
2、从课题的背景出发,对Snort进行了性能瓶颈分析。首先利用工具gprof获取了Snort运行过程中各函数消耗的时间以及函数间的调用关系等信息;同时设计实现了一个对源码结构自适应的性能分析辅助工具和一个以图形化方式展现特定函数调用关系的工具。分析结果证实,在Snort中,模式匹配消耗的时间占总处理时间的一半以上,是系统性能瓶颈所在。
3、提出了一种基于GPU的并行模式匹配方法。该方法将模式集划分与文本划分结合起来,采用更为有效的数据访问和数据管理方式,同时探讨了其中的负载均衡问题,以实现快速的模式匹配。实验表明,该方法相比CPU上的实现有较大的提高,加速比约为7。与另一种在GPU上的实现Gnort相比,在模式集合更大的情况下也有一定优势。
4、提出了一种基于缩减模式集的预过滤方法。根据统计分析的结论,使用长度为2字节的模式子串做为过滤模式的候选集合。然后给出缩减候选集合问题的0-1整数线性规划形式,再利用LINGO软件来求解。在Snort的模式集合上进行的实验表明,通过优化,过滤模式集合大大缩减,同时提高了过滤率。
5.从网络预警系统的需要出发,构建了网络安全态势信息收集平台。首先探讨了平台的总体架构,给出了现有原型系统的基本情况。然后分别描述了平台中入侵检测预处理模块和基于入侵检测的态势信息收集模块的实现。
Network Early Warning System(NEWS) is an important tool for active defence of network security. NEWS is based on Network Security Situation Awareness(NSSA), and Intrusion Detection System(IDS) is the most important source of NSSA information. However, the performance of current IDSs is not as good as required. The bottleneck lies in pattern matching. A lot of work has been done on the problem of pattern matching for intrusion detection, yet there is still a lot of space left for improvement. In this paper, we focus on the problem of pattern matching for IDSs. The main achievements can be listed as follows
1.Four different ways to accelerate pattern matching are surveyed, and their advantages and disadvantages are analyzed and compared in detail.
2.An analysis of Snort's performance bottleneck is carried out. The tool Gprof was used to profile the running time of each function and to record the relationship of function calls discovered at run-time. Meanwhile, an assistant tool for performance profiling was designed and implemented, and an graphical description tool for the relationship of function calls was put forward. The experiment results show that in Snort, more than half of the processing time was consumed by pattern matching, which is the performance bottleneck.
3.A GPU based method for parallel pattern matching is proposed. This method combines pattern set partition and text partition together, employs a more effective way of data access and data management. At the same time, the issue of load balancing is discussed too. The experiment results indicates a 7 time acceleration compared to the CPU implementation. Under the condition with a large pattern set, our method is better than another GPU based method Gnort.
4.A pre-filtering mechanism based on the reduction of filtering pattern set is proposed. According to our statistical analysis, 2 byte sub-pattern are used as pre-filter keyword candidates. Then the Binary Integer Linear Programming formation of the keyword reduction problem is given. The optimization leads to a decreased size of filtering pattern set, and the filter ratio is increased.
5 . The platform of information collection for Network Security Situation Awareness is designed according to the requirements of NEWSs. The architecture of the platform is presented first, then some details about the prototype system is revealed. The pre-processing module for intrusion detection and the collection module of situation awareness information for intrusion detection based are demonstrated too.
引文
[1]胡华平,张怡,陈海涛等.面向大规模网络的入侵检测与预警系统研究.国防科技大学学报,2003,25(1):21~25.
[2]赵文涛.基于网络安全态势感知的预警技术研究.国防科技大学,2009.
[3] Navarro G., M. Raffinot. Flexible Pattern Matching in Strings: Practical On-Line Search Algorithms for Texts and Biological Sequences. Cambridge University Press, 2002.
[4] Zheng K., H. Lu. Scalable Pattern-Matching via Dynamic Differentiated Distributed Detection (D4). Proceedings of IEEE GLOBECOM 2008:103~107.
[5] Song T., W. Zhang, D. Wang, et al. A memory efficient multiple pattern matching architecture for network security. Proceedings of INFOCOM 2008:201~205.
[6] Sheu T.F., N.F. Huang, H.P. Lee. Hierarchical multi-pattern matching algorithm for network content inspection. Information Sciences, 2008:397~401.
[7] Choi Y.H., M.Y. Jung,S.W. Seo. L+ 1-MWM: A Fast Pattern Matching Algorithm for High-Speed Packet Filtering. Proceedings of INFOCOMM 2008:113~117.
[8] AbuHmed T., A. Mohaisen,D.H. Nyang. A Survey on Deep Packet Inspection for Intrusion Detection Systems. Eprint Arxiv 2008, 8(3): 37~41.
[9] Zhou Z., Y. Xue, J. Liu, et al. MDH: A High Speed Multi-phase Dynamic Hash String Matching Algorithm for Large-Scale Pattern Set. LECTURE NOTES IN COMPUTER SCIENCE, 2007, 4861:201~208.
[10]国家计算机网络应急技术处理协调中心.中国互联网网络安全报告,2008.
[11]宣蕾,苏金树,苗青.网络安全战略预警系统研究.通信技术,2001,7:90-92.
[12]王慧强,赖积保,朱亮.网络态势感知系统研究综述.计算机科学,2006,33(10):5~10.
[13]吴诚堃,殷建平,蔡志平等.网络入侵检测系统中基于多核平台的模式匹配技术研究.计算机工程与科学,2009,31(9):1~4.
[14] Snort: A Light Weight Intrusion Detection System. http://www.snort.org. 2008.
[15] Antonatos S., K.G. Anagnostakis, E.P. Markatos. Generating realistic workloads for network intrusion detection systems. ACM SIGSOFT Software Engineering Notes, 2004, 29(1): 207~215.
[16] Navarro G. A guided tour to approximate string matching. ACM Computing Surveys (CSUR), 2001, 33(1): 31~88.
[17] Coit C.J., S. Staniford,J. McAlerney. Towards Faster String Matching for Intrusion Detection or Exceeding the Speed of Snort. Proceedings of DISCEX,2001:45~50.
[18] Allauzen C., M. Raffinot. Factor oracle of a set of words. Technical report 99-11: Institut Gaspard-Monge, Universite de Marne-la-Vallee, 1999.
[19] Ando K., S. Mizobuchi, M. Shishibori, et al. Efficient multi-attribute pattern matching. International Journal of Computer Mathematics, 1998, 66(1-2): 21~38.
[20] Wu S., U. Manber. A fast algorithm for multi-pattern searching. Technical Report 8885. University of Arizona, 1994.
[21] Kumar S., E.H. Spafford. A Pattern Matching Model for Misuse Intrusion Detection. Proceedings of the 17th National Computer Security Conference, 1994:107~116.
[22] Fan, J.-J., K.-Y. Su. Efficient algorithm for matching multiple patterns. IEEE Transactions on Knowledge and Data Engineering, 1993, 5(2): 339~351.
[23] Karp R.M., M.O. Rabin. Efficient Randomized pattern-matching algorithms. IBM Journal of Research and Development, 1987, 31(2): 249~260.
[24] Knuth D.E., J.H. Morris, V.R. Pratt. Fast pattern matching in strings. SIAM Journal on Computing, 1977, 6(1): 323~350.
[25] Boyer R.S., J.S. Moore. A fast string searching algorithm. Communications of the ACM, 1977, 20(10): 762~772.
[26] Aho A.V., M.J. Corasick. Efficient String Matching: An Aid to Bibliographic Search. Communications of the ACM, 1975, 18(6): 333~340.
[27]李伟男,鄂跃鹏,葛敬国等.多模式匹配算法及硬件实现.软件学报,2006,17(12): 2403~2415.
[28] Huang N.F., Y.M. Chu, C.H. Tsai, et al. A novel algorithm and architecture for high speed pattern matching in resource-limited silicon solution. IEEE Glasgow, 2007: 125~136.
[29] Baker Z.K., V.K. Prasanna. Time and area efficient pattern matching on FPGAs. in Proceedings of the 2004 ACM/SIGDA 12th international symposium on Field programmable gate arrays. 2004: ACM New York, NY, USA.
[30] Sourdis I., D. Pneumatikatos. Fast, Large-Scale String Match for a 10Gbps FPGA-Based Network Intrusion Detection System. LECTURE NOTES IN COMPUTER SCIENCE, 2003: 880~889.
[31] Yeim-Kuan Chang, Ming-Li Tsai, C.-C. Su. Improved TCAM-Based Pre-Filtering for Network Intrusion Detection Systems. 22nd International Conference on Advanced Information Networking and Applications, 2008: 120~126.
[32] Che H., Z. Wang, K. Zheng, et al. DRES: Dynamic Range Encoding Scheme for TCAM Coprocessors. Computers, IEEE Transactions on, 2008, 57(7): 902~915.
[33] Yu F., R.H. Katz, T.V. Lakshman. Gigabit rate packet pattern-matching usingTCAM. Proceedings of the 12th IEEE International Conference on Network Protocols, 2004: 203~210.
[34] Ye M.J., K. Xu, J.P. Wu, et al. A high performance and scalable packet pattern-matching architecture. 2008. Busan, SOUTH KOREA: Ieee.
[35] Dharmapurikar S., J.W. Lockwood. Fast and scalable pattern matching for network intrusion detection systems. IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, 2006, 24(10): 1781~1791.
[36] Dharmapurikar S., P. Krishnamurthy, T.S. Sproull, et al. Deep Packet Inspection using Parallel Bloom Filters. IEEE MICRO, 2004: 52~61.
[37]郑波,林闯,曲扬.一种适合于网络处理器的并行多维分类算法AM-Trie.软件学报,2006,17(9):1949~1957.
[38] Intel IXA University Program. http://www.intel.com. 2009.
[39] Liu R.T., N.F. Huang, C.N. Kao, et al. A Fast Pattern-Match Engine for Network Processor-based Network Intrusion Detection System. Proceedings of the International Conference on Information Technology, Coding and Computing, 2004: 330~338.
[40] Liu D., B. Hua, X. Hu, et al. High-performance packet classification algorithm for many-core and multithreaded network processor. Proceedings of AINA, 2006: 140~147.
[41] Liu Z., K. Zheng, B.Liu. Hybrid cache architecture for high speed packet processing. Proceedings of IEEE GLOBECOM, 2005: 301~307.
[42] He F., Y. Qi, Y. Xue, et al. Load Scheduling for Flow-based Packet Processing on Multi-Core Network Processors, 2007.
[43] Qi Y., Z. Zhou, B. Yang, et al. Towards effective network algorithms on multi-core network processors. Proceedings of IEEE ICICS, 2008:307~315.
[44]余建明.网络安全中高性能字符串匹配技术及其在深度检测中应用.自动化系,清华大学,2007.
[45] Piyachon P., Y. Luo. Efficient Memory Utilization on Network Processors for Deep Packet Inspection. Proceedings of ANCS, 2006:109~115.
[46] Yu, J., Y. Xue,J. Li. Memory Efficient String Matching Algorithm for Network Intrusion Management System. Tsinghua Science & Technology, 2007, 12(5): 585~593.
[47]余建明,徐波,薛一波.基于网络处理器的高速字符串匹配.清华大学学报(自然科学版),2008,48(4):589~591.
[48] Yu, J., Q. Huang,Y. Xue. Optimizing Multi-Thread String Matching for Network Processor based Intrusion Management System. Proceedings of the Third IASTED International Conference Proceedings Communication, Network, and Information Security, 2006: 198~206.
[49] Qi Y., B. Xu, F. He, et al. Towards Optimized Packet Classification Algorithms for Multi-Core Network Processors. Proceedings of IEEE IDCDIS, 2007: 212~220.
[50] Lei S., Z. Yue, Y. Jianming, et al. On the Extreme Parallelism Inside Next-Generation Network Processors. Proceedings of INFOCOM, 2007:100~112.
[51] Yu J., J. Li. A Parallel NIDS Pattern Matching Engine and Its Implementation on Network Processor. Proceedings of the International Conference on Security and Management, 2005:102~114.
[52] NVIDIA. http://www.nvidia.com. 2009.
[53] Nvidia CUDA Programming Guide 2.1. http://developer.download.nvidia.com /compute/cuda/2_1/NVIDIA_CUDA_Programming_Guide_2.1.pdf.
[54]张庆丹,戴正华,冯圣中,等.基于GPU的串匹配算法研究.计算机应用,2006,26(007): 1735-1737.
[55] Jacob N.,C. Brodley. Offloading IDS computation to the GPU. Proceedings of Annual Computer Security Applications Conference, 2006:115~126.
[56] Huang N.-F., H.-W. Hung, S.-H. Lai, et al. A GPU-based multiple-pattern matching algorithm for network intrusion detection systems. Proceedings of International Conference on Advanced Information Networking and Applications, 2008:112~123.
[57] Nvidia G80 Specs. http://www.nvidian.com/page/8800_ features.html. 2008.
[58] Vasiliadis G., S. Antonatos, M. Polychronakis, et al. Gnort: High performance network intrusion detection using graphics processors. Proceedings of Recent Advances in Intrusion Detection, 2008:112~121.
[59] Markatos E., S. Antonatos, M. Polychronakis, et al. Exclusion-based signature matching for intrusion detection. Proceedings of the IASTED International Conference on Communications and Computer Networks, 2002: 304~311.
[60] Antonatos S., M. Polychronakis, P. Akritidis, et al. Piranha: Fast and memory-efficient pattern matching for intrusion detection. in Security and Privacy in the Age of Ubiquitous Computing: IFIP TC11 20th International Information Security Conference, 2005:98~108.
[61]彭诗力,谭汉松.基于特征值的多模式匹配算法及硬件实现.计算机工程与应用,2005,41(001):148~150.
[62] Sourdis I., D.N. Pnevmatikatos,S. Vassiliadis. Scalable multigigabit pattern matching for packet inspection. Ieee Transactions on Very Large Scale Integration Systems, 2008, 16(2): 156~166.
[63] Sourdis I., V. Dimopoulos, D. Pnevmatikatos, et al. Packet pre-filtering for network intrusion detection. Proceedings of the 2006 ACM/IEEE symposium onArchitecture for networking and communications systems, 2006: 254~261.
[64] Becchi M., M. Franklin, P. Crowley, et al. A Workload for Evaluating Deep Packet Inspection Architectures. Proceedings of NINA, 2008:113~124.
[65] What is Perl?. http://www.perl.org. 2009.
[66] Graphviz Tool Manual. http://www.graphviz.org/docs/manual.pdf. 2009.
[67] Gonzalo Navarro, Mathieu Raffinot. United Kingdom: Cambridge University Press, 2002. 36p. ISBN 0-521-81307.
[2]赵文涛.基于网络安全态势感知的预警技术研究.国防科技大学,2009.
[3] Navarro G., M. Raffinot. Flexible Pattern Matching in Strings: Practical On-Line Search Algorithms for Texts and Biological Sequences. Cambridge University Press, 2002.
[4] Zheng K., H. Lu. Scalable Pattern-Matching via Dynamic Differentiated Distributed Detection (D4). Proceedings of IEEE GLOBECOM 2008:103~107.
[5] Song T., W. Zhang, D. Wang, et al. A memory efficient multiple pattern matching architecture for network security. Proceedings of INFOCOM 2008:201~205.
[6] Sheu T.F., N.F. Huang, H.P. Lee. Hierarchical multi-pattern matching algorithm for network content inspection. Information Sciences, 2008:397~401.
[7] Choi Y.H., M.Y. Jung,S.W. Seo. L+ 1-MWM: A Fast Pattern Matching Algorithm for High-Speed Packet Filtering. Proceedings of INFOCOMM 2008:113~117.
[8] AbuHmed T., A. Mohaisen,D.H. Nyang. A Survey on Deep Packet Inspection for Intrusion Detection Systems. Eprint Arxiv 2008, 8(3): 37~41.
[9] Zhou Z., Y. Xue, J. Liu, et al. MDH: A High Speed Multi-phase Dynamic Hash String Matching Algorithm for Large-Scale Pattern Set. LECTURE NOTES IN COMPUTER SCIENCE, 2007, 4861:201~208.
[10]国家计算机网络应急技术处理协调中心.中国互联网网络安全报告,2008.
[11]宣蕾,苏金树,苗青.网络安全战略预警系统研究.通信技术,2001,7:90-92.
[12]王慧强,赖积保,朱亮.网络态势感知系统研究综述.计算机科学,2006,33(10):5~10.
[13]吴诚堃,殷建平,蔡志平等.网络入侵检测系统中基于多核平台的模式匹配技术研究.计算机工程与科学,2009,31(9):1~4.
[14] Snort: A Light Weight Intrusion Detection System. http://www.snort.org. 2008.
[15] Antonatos S., K.G. Anagnostakis, E.P. Markatos. Generating realistic workloads for network intrusion detection systems. ACM SIGSOFT Software Engineering Notes, 2004, 29(1): 207~215.
[16] Navarro G. A guided tour to approximate string matching. ACM Computing Surveys (CSUR), 2001, 33(1): 31~88.
[17] Coit C.J., S. Staniford,J. McAlerney. Towards Faster String Matching for Intrusion Detection or Exceeding the Speed of Snort. Proceedings of DISCEX,2001:45~50.
[18] Allauzen C., M. Raffinot. Factor oracle of a set of words. Technical report 99-11: Institut Gaspard-Monge, Universite de Marne-la-Vallee, 1999.
[19] Ando K., S. Mizobuchi, M. Shishibori, et al. Efficient multi-attribute pattern matching. International Journal of Computer Mathematics, 1998, 66(1-2): 21~38.
[20] Wu S., U. Manber. A fast algorithm for multi-pattern searching. Technical Report 8885. University of Arizona, 1994.
[21] Kumar S., E.H. Spafford. A Pattern Matching Model for Misuse Intrusion Detection. Proceedings of the 17th National Computer Security Conference, 1994:107~116.
[22] Fan, J.-J., K.-Y. Su. Efficient algorithm for matching multiple patterns. IEEE Transactions on Knowledge and Data Engineering, 1993, 5(2): 339~351.
[23] Karp R.M., M.O. Rabin. Efficient Randomized pattern-matching algorithms. IBM Journal of Research and Development, 1987, 31(2): 249~260.
[24] Knuth D.E., J.H. Morris, V.R. Pratt. Fast pattern matching in strings. SIAM Journal on Computing, 1977, 6(1): 323~350.
[25] Boyer R.S., J.S. Moore. A fast string searching algorithm. Communications of the ACM, 1977, 20(10): 762~772.
[26] Aho A.V., M.J. Corasick. Efficient String Matching: An Aid to Bibliographic Search. Communications of the ACM, 1975, 18(6): 333~340.
[27]李伟男,鄂跃鹏,葛敬国等.多模式匹配算法及硬件实现.软件学报,2006,17(12): 2403~2415.
[28] Huang N.F., Y.M. Chu, C.H. Tsai, et al. A novel algorithm and architecture for high speed pattern matching in resource-limited silicon solution. IEEE Glasgow, 2007: 125~136.
[29] Baker Z.K., V.K. Prasanna. Time and area efficient pattern matching on FPGAs. in Proceedings of the 2004 ACM/SIGDA 12th international symposium on Field programmable gate arrays. 2004: ACM New York, NY, USA.
[30] Sourdis I., D. Pneumatikatos. Fast, Large-Scale String Match for a 10Gbps FPGA-Based Network Intrusion Detection System. LECTURE NOTES IN COMPUTER SCIENCE, 2003: 880~889.
[31] Yeim-Kuan Chang, Ming-Li Tsai, C.-C. Su. Improved TCAM-Based Pre-Filtering for Network Intrusion Detection Systems. 22nd International Conference on Advanced Information Networking and Applications, 2008: 120~126.
[32] Che H., Z. Wang, K. Zheng, et al. DRES: Dynamic Range Encoding Scheme for TCAM Coprocessors. Computers, IEEE Transactions on, 2008, 57(7): 902~915.
[33] Yu F., R.H. Katz, T.V. Lakshman. Gigabit rate packet pattern-matching usingTCAM. Proceedings of the 12th IEEE International Conference on Network Protocols, 2004: 203~210.
[34] Ye M.J., K. Xu, J.P. Wu, et al. A high performance and scalable packet pattern-matching architecture. 2008. Busan, SOUTH KOREA: Ieee.
[35] Dharmapurikar S., J.W. Lockwood. Fast and scalable pattern matching for network intrusion detection systems. IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, 2006, 24(10): 1781~1791.
[36] Dharmapurikar S., P. Krishnamurthy, T.S. Sproull, et al. Deep Packet Inspection using Parallel Bloom Filters. IEEE MICRO, 2004: 52~61.
[37]郑波,林闯,曲扬.一种适合于网络处理器的并行多维分类算法AM-Trie.软件学报,2006,17(9):1949~1957.
[38] Intel IXA University Program. http://www.intel.com. 2009.
[39] Liu R.T., N.F. Huang, C.N. Kao, et al. A Fast Pattern-Match Engine for Network Processor-based Network Intrusion Detection System. Proceedings of the International Conference on Information Technology, Coding and Computing, 2004: 330~338.
[40] Liu D., B. Hua, X. Hu, et al. High-performance packet classification algorithm for many-core and multithreaded network processor. Proceedings of AINA, 2006: 140~147.
[41] Liu Z., K. Zheng, B.Liu. Hybrid cache architecture for high speed packet processing. Proceedings of IEEE GLOBECOM, 2005: 301~307.
[42] He F., Y. Qi, Y. Xue, et al. Load Scheduling for Flow-based Packet Processing on Multi-Core Network Processors, 2007.
[43] Qi Y., Z. Zhou, B. Yang, et al. Towards effective network algorithms on multi-core network processors. Proceedings of IEEE ICICS, 2008:307~315.
[44]余建明.网络安全中高性能字符串匹配技术及其在深度检测中应用.自动化系,清华大学,2007.
[45] Piyachon P., Y. Luo. Efficient Memory Utilization on Network Processors for Deep Packet Inspection. Proceedings of ANCS, 2006:109~115.
[46] Yu, J., Y. Xue,J. Li. Memory Efficient String Matching Algorithm for Network Intrusion Management System. Tsinghua Science & Technology, 2007, 12(5): 585~593.
[47]余建明,徐波,薛一波.基于网络处理器的高速字符串匹配.清华大学学报(自然科学版),2008,48(4):589~591.
[48] Yu, J., Q. Huang,Y. Xue. Optimizing Multi-Thread String Matching for Network Processor based Intrusion Management System. Proceedings of the Third IASTED International Conference Proceedings Communication, Network, and Information Security, 2006: 198~206.
[49] Qi Y., B. Xu, F. He, et al. Towards Optimized Packet Classification Algorithms for Multi-Core Network Processors. Proceedings of IEEE IDCDIS, 2007: 212~220.
[50] Lei S., Z. Yue, Y. Jianming, et al. On the Extreme Parallelism Inside Next-Generation Network Processors. Proceedings of INFOCOM, 2007:100~112.
[51] Yu J., J. Li. A Parallel NIDS Pattern Matching Engine and Its Implementation on Network Processor. Proceedings of the International Conference on Security and Management, 2005:102~114.
[52] NVIDIA. http://www.nvidia.com. 2009.
[53] Nvidia CUDA Programming Guide 2.1. http://developer.download.nvidia.com /compute/cuda/2_1/NVIDIA_CUDA_Programming_Guide_2.1.pdf.
[54]张庆丹,戴正华,冯圣中,等.基于GPU的串匹配算法研究.计算机应用,2006,26(007): 1735-1737.
[55] Jacob N.,C. Brodley. Offloading IDS computation to the GPU. Proceedings of Annual Computer Security Applications Conference, 2006:115~126.
[56] Huang N.-F., H.-W. Hung, S.-H. Lai, et al. A GPU-based multiple-pattern matching algorithm for network intrusion detection systems. Proceedings of International Conference on Advanced Information Networking and Applications, 2008:112~123.
[57] Nvidia G80 Specs. http://www.nvidian.com/page/8800_ features.html. 2008.
[58] Vasiliadis G., S. Antonatos, M. Polychronakis, et al. Gnort: High performance network intrusion detection using graphics processors. Proceedings of Recent Advances in Intrusion Detection, 2008:112~121.
[59] Markatos E., S. Antonatos, M. Polychronakis, et al. Exclusion-based signature matching for intrusion detection. Proceedings of the IASTED International Conference on Communications and Computer Networks, 2002: 304~311.
[60] Antonatos S., M. Polychronakis, P. Akritidis, et al. Piranha: Fast and memory-efficient pattern matching for intrusion detection. in Security and Privacy in the Age of Ubiquitous Computing: IFIP TC11 20th International Information Security Conference, 2005:98~108.
[61]彭诗力,谭汉松.基于特征值的多模式匹配算法及硬件实现.计算机工程与应用,2005,41(001):148~150.
[62] Sourdis I., D.N. Pnevmatikatos,S. Vassiliadis. Scalable multigigabit pattern matching for packet inspection. Ieee Transactions on Very Large Scale Integration Systems, 2008, 16(2): 156~166.
[63] Sourdis I., V. Dimopoulos, D. Pnevmatikatos, et al. Packet pre-filtering for network intrusion detection. Proceedings of the 2006 ACM/IEEE symposium onArchitecture for networking and communications systems, 2006: 254~261.
[64] Becchi M., M. Franklin, P. Crowley, et al. A Workload for Evaluating Deep Packet Inspection Architectures. Proceedings of NINA, 2008:113~124.
[65] What is Perl?. http://www.perl.org. 2009.
[66] Graphviz Tool Manual. http://www.graphviz.org/docs/manual.pdf. 2009.
[67] Gonzalo Navarro, Mathieu Raffinot. United Kingdom: Cambridge University Press, 2002. 36p. ISBN 0-521-81307.