摘要
网络的高速发展给人们带来了很多便利,但同时也给人们的生活带来冲击和影响。其中,有害信息污染、网络攻击、网络犯罪等非法应用极大地妨碍了互联网的正常使用,也给人们的正常生活带来了威胁。目前,研制如何有效监控网络内容信息,发现网上有害信息,控制、处置以及打击各种网上违法犯罪活动的专用工具已成为各国政府、机构的迫切需要和重要任务。
网络数据过滤是管理信息传播的一种重要手段,也是实现网络内容监控,滤除有害信息,维护网络信息安全的核心理论和关键技术,对支持国民经济发展和国防建设具有重大意义。国家骨干网的网络安全应用需要在高速环境下进行网络数据的深度检测并过滤有害信息,由于软件过滤算法的处理速度难以跟上网络发展的步伐,使用硬件对网络过滤进行加速成为一种必然的选择。本文针对字符串匹配、跨包匹配、规则匹配这三种常用的数据过滤技术展开研究,提出了多种新算法。以字符串匹配算法为基础设计并实现了一种硬件网络数据过滤器,然后扩展其功能,综合使用本文提出的多种算法设计了一款基于IP流的高速网数据过滤卡。仿真测试表明该卡是可用的、可实现的,验证了本文的相关研究工作。
本文所取得的研究成果主要有:
1.提出了三种适用于大规模字符串集的字符串匹配算法。(1)提出了一种存储优化的字符串匹配算法——MEPLPM算法。该算法以基于BF的PLPM算法为基础进行改进,扩大了字符串容量。(2)提出了一种查询与分析分离的BF型字符串匹配算法——DQAPLPM算法,改进了传统BF型匹配算法在数据中字符串出现率增加时匹配速度迅速降低的缺点。(3)提出了一种将hash计算与查表分离的动态可配置BF算法——DCBF算法。该算法能适应字符串集的变化,始终保持较高的匹配速度,增强了BF型匹配算法的灵活性和实用性。
2.提出了一种基于分段BF和前缀保存的跨包匹配算法。该算法借鉴了使用PBF进行包尾前缀识别的思想,以适量增加保存数据长度为代价减小了存储开销,因而更适用于大规模字符串集。该算法同样保证了连接切换时保存的数据量不超过一个较小的限度,同时平均每包保存的数据量与原算法在同一量级。在该算法的研究中,还设计了一种将BF与CAM(Content Addressable Memory)结合的快速流识别方法,使跨包匹配算法能应用于实际网络中的多连接环境。
3.提出了一种基于PVMatcher的快速规则匹配算法。该算法将二元规则运算转化为一对位向量操作,并使用硬件加速运算,能快速识别非匹配的字符串而且能够加快匹配字符串的处理速度,在输入字符串总数目较少时规则匹配速度明显高于传统规则匹配算法。分析表明,该算法的资源需求小,生成的中间结果少,连接切换时存取数据少,而且在网络数据中出现的字符串数目较少时匹配速度快,非常适合网络安全应用。
4.在上述研究工作的基础上,设计了一种基于基于IP流的高速网数据过滤卡。该卡主要针对网络安全分析应用,无需进行协议还原,可以直接针对IP数据包进行分析并逐级过滤掉不关心的数据,从而可以大大减轻后继处理单元的负载,提高整体处理效率。详细的设计和仿真测试表明该卡是可靠的、可实现的。
With the fast development of Internet, we get not only convenience, but also some bad influence. Some illegal activities on Internet including information pollution, attack and crime bring damages to Internet and threat the interest of legal users. Governments and organizations put much attention on techniques and tools for Internet content supervision, so that the abnormal data could be distinguished from normal data on Internet and criminal activities could be controlled or punished.
Data filtering on Internet is an important method to control information transmitting and to maintain information security, by which harmful information could be monitored and filtered. With the development of broadband technique, the increasing network bandwidth has exceeded the increasing speed of CPU, which brings greatly challenges to the intrusion detection systems of backbone network. Since the speed of software process could not keep up with the demand of Internet speed, accelerating algorithms based on hardware are necessary for data filtering on Internet.
In this thesis, we focused on several important data filtering techniques such as string matching, multi-packet matching and rule matching, and proposed some new algorithms in each field. Based on the proposed string matching algorithms, a hardware based Internet data filter was designed and implemented. Then we improved this data filter in functions and processing speed and designed an Internet data filter card. Simulation proved the usability and feasibility of our works.
Primary innovative contributions of this thesis can be summarized as follows.
1. We proposed three new string matching algorithms which could be fit for strings of large numbers. (1)Memory Efficient Parallel Longest Prefix Matcher——MEPLPM was proposed, which was based on PLPM and could contain more strings. (2) Decoupled Query and Analysis Parallel Longest Prefix Matcher——DQAPLPM was proposed, with which the scope of string occurrence rate would be extended compared with traditional BF based algorithms. (3)Dynamic Configurable Bloom Filters——DCBF was proposed, which could be applied to different string sets and increase the flexibility of Bloom Filter.
2. We proposed a multi-packet matching algorithm based on DCBF and PBF. PBF is a multi-packet string matching algorithm which can work without defragment. Our new algorithm decreased the on-chip memory requirement of PBF with a little more off-chip memory cost. To fit for multi-flows on network, a fast flow state manage algorithm using BF and little CAM(Content Addressable Memory) was proposed to support this new algorithm.
3. We proposed a fast rule matching algorithm based on PVMatcher. A 2-length rule was transformed as a pair of bit-vector operation, which can be accelerated by hardware. With PVMatcher, strings without matching any rules could be recognized quickly so the processing time could be reduced. Analysis shows that the memory requirement of PVMatcher is far less than that of traditional algorithms. The process speed of our new algorithm is obviously faster than traditional algorithms when the numbers of string is not large(eg: <20), which is consistent with the fact of Internet security applications.
4. Based on the above researches, we designed an Internet data filter card. This card could filter data without defragment and work at very high speed. Tens thousand of strings and rules could be programmed into this card and most data in high speed network could be filtered. Elaborate design and simulation have been performed, proved the usability and feasibility of this card.
引文
[1]中国互联网络信息中心.中国互联网络发展状况统计报告(2009年1月)[Z]. 2009.
[2]国家计算机网络应急技术处理协调中心(cncert/cc),全国网络与信息技术培训项目管理中心(ntc-Mc).网络安全应急实践指南[Z].电子工业出版社, 2008.
[3]国家计算机网络应急技术处理协调中心.中国互联网网络安全报告(2008年上半年)[Z]. 2008.
[4]谭建龙.串匹配算法及其在网络内容分析中的应用[D].博士学位论文,中国科学院研究生院, 2003.
[5] Mahajan A, Soewito B, Parsi S K, et al. Implementing high-speed string matching hardware for network intrusion detection systems[J]. Proceedings of the 2008 International Conference on Parallel Distributed Processing Techniques and Applications. Las Vegas, NV, United States. 2008, 157-163.
[6] Salmela L, Tarhio J, Joki J K. Multipattern string matching with q-grams[J]. Journal of Experimental Algorithmics (JEA). 2006, 11:1-19.
[7] Lee H, Ng R T, Shim K. Extending q-grams to estimate selectivity of string matching with low edit distance[J]. Very Large Data Bases. 2007, 195-206.
[8] Scarpazza D P, Villa O, Petrini F. Exact multi-pattern string matching on the cell/b.e. processor[J]. Conference On Computing Frontiers. 2008,33-42.
[9] Tan L, Brotherton B, Sherwood T. Bit-split string-matching engines for intrusion detection and prevention[J]. ACM Transactions on Architecture and Code Optimization (TACO). 2006, 3(1): 3-34.
[10] Ager M S, Danvy O, Rohde H K. Fast partial evaluation of pattern matching in strings[J]. ACM Transactions on Programming Languages and Systems (TOPLAS). 2006, 28(4): 696-714.
[11] Aldwairi M, Conte T, Franzon P. Configurable string matching hardware for speeding up intrusion detection[J]. ACM SIGARCH Computer Architecture News. 2005, 33(1): 99-107.
[12] Tummala A K, Patel P. Distributed IDS using reconfigurable hardware[C]. In: 21st International Parallel and Distributed Processing Symposium, IPDPS 2007, 1-6
[13] Alicherry M, Muthuprasanna M, Kumar V. High speed pattern matching for network IDS/IPS[C]. In: 14th IEEE International Conference on Network Protocols, ICNP 2006, Nov 12-15 2006.Los Alamitos, CA 90720-1314, United States. 187-196.
[14] Zhao K, Chu J, Che X, et al. Improvement on rules matching algorithm of snort based on dynamic adjustment[C]. In: 2nd International Conference on Anti-counterfeiting, Security and Identification, ASID 2008.Piscataway, NJ 08855-1331, United States. 285-287.
[15] Aho A V, Corasick M J. EFFICIENT STRING MATCHING: AN AID TO BIBLIOGRAPHIC SEARCH.[J]. 1975, 18(6): 333-340.
[16] Commentz-Walter B. A string matching algorithm fast on the average[C]. Proceedings of the 6th Colloquium on Automata, Languages and Programming, 1979, 118-132.
[17] Wu S, Manber U. A fast algorithm for multi-pattern searching[R]. Technical Report TR-94-17, Department of Computer Science, University of Arizona,Tucson, AZ, 1994.
[18] Crochemore M, Czumaj A, Gasieniec L, et al. Faster practical multi-pattern matching[J]. Inf. Process. Leu. 1999, 71(3-4): 107-113.
[19] Franklin F, Carver D, Hutchings B. Assisting network intrusion detection with reconfigurable hardware[C]. In: Proc. of the IEEE Symp. On Field-Programmable Custom Computing Machines.Los Alamitos, 2002. 111-120.
[20] Sidhu R P S, Prasanna V K. Fast regular expression matching using FPGAs[C]. In: Proc. of the 11th Annual IEEE Symp. on Field-Programmable Custom Computing Machines.Los Alamitos, 2001.227-238.
[21] Moscola J, Lockwood J, Loui R P, et al. Implementation of a content scanning module for an internet firewall[C]. In: Proceedings of IEEE Workshop on FPGAs for Custom Computing Machines.Napa, CA, USA: 2003, 31-38.
[22] Baker Z K, Prasanna V K. Time and Area Efficient Pattern Matching on FPGAs[C]. In: Monterey, California, USA: 2004. 22-24.
[23] Sourdis I, Pnevmatikatos D. Fast, Large-Scale String Match for a 10Gbps FPGA-based Network Intrusion Detection System[C]. In: Proceedings of FPL2003.2003, 880-889.
[24] Dharmapurikar S, Lockwood J W. Fast and scalable pattern matching for network intrusion detection systems[J]. 2006, 24(10): 1781-1791.
[25]殷丽华,方滨兴,张宏莉.快速的多模式匹配算法[J].哈尔滨工业大学学报. 2007, 39(12):1925-1927.
[26]李雪.大规模特征串匹配技术的研究[D].博士学位论文,北京邮电大学, 2008.
[27]余建明,徐波,薛一波.基于网络处理器的高速字符串匹配[J].清华大学学报(自然科学版)网络.预览. 2008(04), 589-591.
[28]钱江波.连续查询硬件处理器及相关算法研究[D].博士学位论文,东南大学, 2006.
[29] Koziol J. Intrusion Detection with Snort[Z]. Sams Pulishing, 2003.
[30] Paxson V. Bro: A System for Detecting Network Intruders in Realtime[J]. Computer Networks. 1999, 31(Dec): 2435-2463.
[31] http://hogwash.sourceforge.net[Z].
[32] Navarro G, Raffinot M. A Bit-parallel approach to suffix automata: Fast extended string matching[J]. 1998, 1448: 14~33.
[33] Muthukrishnan S. Simple Optimal Parallel Multiple Pattern Matching[J]. 2000, 34(1): 1-13.
[34] Shen Z, Wang Y, Xu Y. Fast multiple pattern algorithm for Chinese string matching[J]. 2001, 35(9): 1285-1289.
[35] He L, Fang B, Yun X, et al. SDFA: A uniform model for string matching algorithms[J]. 2004, 10(2): 34-37.
[36] Lu H, Zheng K, Liu B, et al. A memory-efficient parallel string matching architecture for high-speed intrusion detection[J]. 2006, 24(10): 1793-1803.
[37] Scarpazza D P, Villa O, Petrini F. Peak-performance DFA-based string matching on the cell processor[C]. In: 21st International Parallel and Distributed Processing Symposium, Piscataway, United States, 2007,1-8.
[38] Petersen H. String matching with simple devices[J]. 2007, 105(1): 32-34.
[39] Dimopoulos V, Papaefstathiou J, Pnevmatikatost D. A memory-efficient reconfigurable Aho-Corasick FSM implementation for intrusion detection systems[C]. In: 2007 International Conference on Embedded Computer Systems: Architectures,Modeling and Simulation,.Piscataway, United States, 2007. 186-193.
[40] Crochemore M, Epifanio C, Gabriele A, et al. On the suffix automaton with mismatches[C]. In: 12th International Conference on Implementation and Application of Automata, CIAA 2007, Jul 16-18 2007.Heidelberg, Germany: Springer Verlag, 2007. 144-156.
[41] Dixon R, Egecioglu O, Sherwood T. Automata-theoretic analysis of bit-split languages for packet scanning[C]. In: 13th International Conference on Implementation and Application of Automata.Heidelberg, Germany: Springer Verlag, 2008. 141-150.
[42] Yu J, Xu B, Xue Y. Network processor-based high performance string matching[J]. 2008, 48(4): 589-591.
[43] Artan N S, Chao H J. Multi-packet signature detection using prefix bloom filters[C]. In: GLOBECOM'05: IEEE Global Telecommunications Conference, 2005, St. Louis, MO, United states: Institute of Electrical and Electronics Engineers Inc., 2005. 1811-1816.
[44] Bar-Yossef Z, Kumar R, Sivakumar D. Sampling algorithms: Lower bounds and applications[C]. In: Proc. of the 2001 Annual ACM Symp. on Theory of Computing.2001. 266-275.
[45] Babcock B, Datar M, Motwani R. Sampling from a moving window over streaming data[C]. In: Proc. of the 2002 Annual ACM_SIAM symp. on Discrete Algorithms.2002. 633-634.
[46] Manku G, Motwani R. Approximate frequency counts over streaming data[C]. Proceedings of the 28th international Conference on Very Large Data Bases, 2002, 346-357.
[47] Guha S, Koundas N, Shim K. Data-streams and histograms[C]. In: Proc. of the 2001 Annual ACM Symp. on Theory of Computing.2001. 471-475.
[48] Guha S, Koundas N. Approximating a data stream for querying and estimation: Algorithms and performance evaluation[C]. In: Proc. of the 2002 Intl. Conf. on Data Engineering.2002, 567-576.
[49] Ando K, Mizobuchi S, Shishibori M, et al. Efficient multi-attribute pattern matching[J]. International Journal of Computer Mathematics. 1998, 66(1-2): 21-38.
[50]宋世杰.基于序列模式挖掘的误用入侵检测系统及其关键技术研究[D].博士学位论文,国防科学技术大学, 2005.
[51] Freund Y, Robert E S, Singer Y, et al. Using and combining predictors that specialize[C]. In: Proc. of the twenty-ninth annual ACM symp. on Theory of computing.El Paso, Texas, United States: 1997. 334-343.
[52] A H S, Forrest S. Architecture for a Artificial Immune System[J]. Evolutinary computation. 2000, 7(1): 45-66.
[53]刘海峰.安全操作系统的若干关键技术研究[D].博士学位论文,中国科学院软件研究所, 2002.
[54] Yeim-Kuan, Ming-Li C. Improved TCAM-Based Pre-Filtering for Network Intrusion Detection Systems[C]. In: Proc. AINA 2008.Gino Wan, Okinawa, Japan: 2008. 985-990.
[55] Dharmapurikar S, Song H, Turner J, et al. Fast packet classification using bloom filters[C]. In: 2nd ACM/IEEE Symposium on Architectures for Networking and Communications Systems.New York, United States: Association for Computing Machinery, 2006. 61-70.
[56] Attig M, Lockwood J. A framework for rule processing in reconfigurable network systems[C]. In: 13th Annual IEEE Symposium on Field-Programmable CustomComputing Machines.Piscataway, United States: Institute of Electrical and Electronics Engineers Computer Society, 2005. 225-234.
[57]代六玲.互联网内容监管系统关键技术的研究[D].博士学位论文,南京理工大学, 2004.
[58]段丹青.入侵检测算法及关键技术研究[D].博士学位论文,中南大学, 2007.
[59] Kwok T T, Kwok Y. Design and evaluation of parallel string matching algorithms for network intrusion detection systems[C]. In: 2007 IFIP International Conference on Network and Parallel Computing,.Heidelberg, Germany: Springer Verlag, 2007. 344-353.
[60] Yu J, Huang Q, Xue Y. Optimizing multi-thread string matching for network processor based intrusion management system[C]. In: 3rd IASTED International Conference on Communication, Network, and Information Security,.Calgary, Canada: Acta Press, 2006. 199-204.
[61] Sourdis I, Pnevmatikatos D. Pre-decoded CAMs for efficient and high-speed NIDS pattern matching[C]. In: Proceedings - 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines,.Los Alamitos, United States: IEEE Computer Society, 2004. 258-267.
[62] Cheng L L, Heung D M, Yiu S M. Approximate String Matching in DNA Sequences[C]. Proceeding Eighth International Conference on Database Systems for Advanced Application, 2003,303-310.
[63] Buhler J, Keich U, Sun Y. Designing seeds for similarity search in genomic DNA[J]. 2005, 70(3): 342-363.
[64]眭新光.文本信息隐藏及分析技术研究[D].博士学位论文,解放军信息工程大学, 2007.
[65] Boyer R S, Moore J S. FAST STRING SEARCHING ALGORITHM.[J]. 1977, 20(10): 762-772.
[66] Baeza-Yates R, Gonnet G. A new approach to text searching[J]. Communications of the ACM. 1992, 35(10): 74-82.
[67] Boyer R S, Moore J S. A fast string searching algorithm[J]. Communications of the ACM. 1977, 20(10): 762-772.
[68] Cantone D, Faro S. Fast-Search: A new efficient variant of the Boyer-Moore string matching algorithm[C]. In: Proc. of the 2nd International Workshop on Experimental and Efficient Algorithms (WEA 2003).Heidelberg: Springer-Verlag, 2003. 47-58.
[69] Sunday D M. A very fast substring search algorithm[J]. Communications of the ACM. 1990, 33(8): 132-142.
[70] Crochemore M, Rytter W. Text Algorithms[M]. Oxford:Oxford University Science Press, 1994.
[71] Lecrop T. A variation on the Boyer-Moore algorithm[J]. Theoretical Computer Sience. 1992, 92(1): 119-144.
[72] Crochemore M, Hancart C. Automata for matching patterns[Z]. Heidelberg: Springer-Verlag, 1997, 399-462.
[73] Yao A C. The Complexity of pattern matching for a random string[J]. SIAM Journal on Computing. 1979, 8(3): 368-387.
[74] Cho Y H, Mangione-Smith W H. Deep packet filter with dedicated logic and read only memories[C]. In: Proc. of the 12th Annual IEEE Symp. on Field-Programmable Custom Computing Machines.Los Alamitos: IEEE Computer Society, 2004. 125.
[75] Cho Y H, Mangione-Smith W H. A pattern matching coprocessor for network security[C]. In: Proc. of the 42nd Annual Conf. on Design Automation.New York: ACM Press, 2005. 234-239.
[76]黄建,徐晶.高效双Hash线速浮动字符串匹配[J].微电子学与计算机. 2008(02):58-61.
[77] Hyyr H, Fredriksson K, Navarro G. Increased bit-parallelism for approximate and multiple string matching[J]. Journal of Experimental and Efficient Algorithmics (JEA). 2004, 3039: 285-298.
[78] Prasad R, Agarwal S. An efficient string matching algorithm using super alphabets[C]. In: 1st International Conference on Emerging Trends in Engineering and Technology.Piscataway, United States: Institute of Electrical and Electronics Engineers Computer Society, 2008. 1181-1186.
[79] Prasad R, Agarwal S. A new parameterized string matching algorithm by combining bit-parallelism and suffix automata[C]. In: 2008 IEEE 8th International Conference on Computer and Information Technology. Piscataway, United States: Institute of Electrical and Electronics Engineers Computer Society, 2008. 778-783.
[80] Yin L, Fang B, Zhang H. Improved algorithms for multiple patterns matching[J]. 2007, 39(12): 1925-1929.
[81] Lin Y, Tseng K, Hung C, et al. Scalable automaton matching for high-speed deep content inspection[C]. In: 21st International Conference on Advanced Information Networking and ApplicationsWorkshops/Symposia,.Piscataway, United States: Institute of Electrical and Electronics Engineers Computer Society, 2007. 858-863.
[82] Viswanadha Raju S, Mantena S R, Vinaya Babu A, et al. Efficient parallel pattern matching using partition method[C]. In: 7th International Conference on Parallel and Distributed Computing, Applications and Technologies.Piscataway, United States: Institute of Electrical and Electronics Engineers Computer Society, 2006. 427-430.
[83]万国根,秦志光.改进的AC-BM字符串匹配算法[J].电子科技大学学报. 2006, 35(04):531-534.
[84] Yu F, Katz R H, Lakshman T V. Gigabit rate packet pattern-matching using TCAM[C]. In: Proceedings of the 12th IEEE International Conference on Network Protocols.Berlin, Germany: IEEE Computer Society, 2004. 174-183.
[85] Liu A X, Meiners C R, Zhou Y. All-match based complete redundancy removal for packet classifiers in TCAMs[C]. In: INFOCOM 2008: 27th IEEE Communications Society Conference on Computer Communications.Piscataway, United States: Institute of Electrical and Electronics Engineers Inc., 2008. 574-582.
[86] Kesselman A, Kogan K, Nemzer S, et al. Space and speed tradeoffs in TCAM hierarchical packet classification[C]. In: 2008 IEEE Sarnoff Symposium.Piscataway, United States: Institute of Electrical and Electronics Engineers Computer Society, 2008, 1-6.
[87] Chang Y, Su C. Efficient TCAM encoding schemes for packet classification using gray code[C]. In: 50th Annual IEEE Global Telecommunications Conference.New York, United States: Institute of Electrical and Electronics Engineers Inc., 2007. 1834-1839.
[88] Bloom B H. SPACE/TIME TRADE-OFFS IN HASH CODING WITH ALLOWABLE ERRORS[J]. ACM. 1970, 13(7): 422-426.
[89] Sourdis I, Pnevmatikatos D. Fast, Large-Scale String Match for a 10Gbps FPGA-based Network Intrusion Detection System[C]. In: Proceedings of FPL2003. 2003, 880-889.
[90]兰景英,王永恒. Snort研究及BM算法改进[J].计算机工程与设计. 2008,29(09):2199-2202.
[91]郭莉,谭建龙,王映.面向信息安全的实时数据流计算[Z].信息技术快报, 2004(3).
[92] Chen X, Shen J. Algorithms for Multiple IP Address Lookups[C]. In: Proceedings of the Fifteenth IASTED International Conference on Parallel and Distributed Computing and Systems.Calgery - Alberta, Canada: Int. Assoc. of Science and Technology for Development, 2003. 844-847.
[93] Chen Y, Oguntoyinbo O. Power efficient packet classification using cascaded bloom filter and off-the-shelf ternary CAM for WDM networks[J]. 2009, 32(2): 349-356.
[94] Chen C, Hsu C, Huang C. Fast packet classification using bit compression with fast boolean expansion[J]. 2008, 24(1): 61-81.
[95] Fan L, Cao P. Summary cache: A scalable wide-area Web cache sharing protocol[J]. IEEE/ACM Transactions on Networking. 2000, 8(3): 281-293.
[96] Cormen T H, Leiserson C E, Rivest R L. Introduction to Algorithms[M]. Pretice Hall, 1990.
[97] Song H, Dharmapurikar S, Turner J, et al. Fast hash table lookup using extended bloom filter: An aid to network processing[J]. 2005, 35(4): 181-192.
[98] Dharmapurikar S, Krishnamurthy P, Taylor D E. Longest Prefix Matching Using Bloom Filters[C]. In: Proceedings of ACM SIGCOMM 2003: Conference on Computer Communications.New York, United States: Association for Computing Machinery, 2003. 201-212.
[99] Dharmapurikar S, Krishnamurthy P, Sproull T S, et al. Deep packet inspection using parallel bloom filters[J]. 2004, 24(1): 52-61.
[100] Ramakrishna M, Fu E, Bahcekapili E. A performance study of hashing functions for hardware applications[C]. In: Proc. of Int. Conf. on Computing and Information.1994. 1621-1636.
[101] Standford B. Ip Fragmentation and fragrouter[Z]. SANS Institute, 2000.
[102] Yoshioka A, Shaikot S H, Kim M S. Rule hashing for efficient packet classification in network intrusion detection[C]. In: 17th International Conference on Computer Communications and Networks. Piscataway, United States: Institute of Electrical and Electronics Engineers Inc., 2008. 614-619.
[103] Song T, Zhang W, Wang D, et al. A memory efficient multiple pattern matching architecture for network security[C]. In: INFOCOM 2008: 27th IEEE Communications Society Conference on Computer Communications.Piscataway, United States: Institute of Electrical and Electronics Engineers Inc., 2008. 673-681.
[104] Yoshioka A, Shaikot S H, Kim M S. Rule hashing for efficient packet classification in network intrusion detection[C]. In: 17th International Conference on Computer Communications and Networks. Piscataway, United States: Institute of Electrical and Electronics Engineers Inc. 2008. 614-619.
[105] Song H, Turner J, Dharmapurikar S. Packet classification using coarse-grained tuple spaces[C]. In: 2nd ACM/IEEE Symposium on Architectures for Networking and Communications Systems. New York, United States: Association for Computing Machinery, 2006. 41-50.
[106] Liu A X, Meiners C R, Zhou Y. All-match based complete redundancy removal for packet classifiers in TCAMs[C]. In: INFOCOM 2008: 27th IEEE Communications Society Conference on Computer Communications. Piscataway, United States: Institute of Electrical and Electronics Engineers Inc., 2008. 574-582.
[107] Jeong H, Song I, Lee Y, et al. A multi-dimension rule update in a TCAM-based high-performance network security system[C]. In: 20th International Conference on Advanced Information Networking and Applications.Piscataway, United States: Institute of Electrical and Electronics Engineers Inc., 2006. 62-66.
[108] Jepsen D W, Jr Gelatt C D. Macro placement by Monte Carlo annealing[C]. In: Proc. IEEE Int Conference on Computer Design.Port Chester: 1983. 495-498.
[109] Storer J A, Nicas A J, Becker J. Uniform circuit placement[Z]. In VLSI: Algorithms and Architectures, Amsterdam: Elsevier, 1985.
[110] Romeo F, Sangovann-Vincentell A L. Probabilistic hill climbing algorithms: Properties & applications[C]. In: Proc. 1985 Chapel Hill Conference on VLSI.1985. 393-417.
[111] Geman S, Geman D. Stochastic relaxation, gibbs distributions, & the Bayesian restoration of images[C]. In: IEEE Proc. Pattern Analysis and Machine Intelligence.1984. 721-741.
[112] Rothman D H, Nonlinear I. Statistical mechanics, and residual statics estimation[J]. Geophysics. 1985, 50: 2784-2796.
[113] Kirkpatrick S, Jr Gelatt C D, Vecchi M P. Optimization by simulated annealing[J]. Science. 1983, 220(4598): 671-680.
[114]康立山.非数值并行算法(第1册)--模拟退火算法[M].北京:科学出版社, 1997.
[115] Li W N. Strong NP-hard Discrete Gate Sizing Problems[C]. In: Proc. ICCD'93.1993. 468-471.
[116] http://www.synopsys.com[Z].
[117]孙小涓.海量网络流实时处理的优化技术研究[D].博士学位论文,中国科学院研究生院, 2008.
[118] David D C, David L. Architectural Considerations for a New Generation of Protocols[J]. ACM SIGCOMM Computer Communication Review, 1990, 20(4):200-208.
[119] Mark B A, Larry L. Increasing Network Throughput by Integrating Protocol Layers[J]. IEEE/ACM Transactions on Networking. 1993, 1(5): 600-610.
[120] Mark B A, Larry L. Peterson: A language-based approach to protocol implementation[J]. IEEE/ACM Transactions on Networking. 1993, 1(1): 4-19.
[121] Bengt A, Mats B, Per G. The Applicability of Integrated Layer Processing[J]. IEEE Journal on Selected Areas in Communications. 1998, 16(3): 317-331.