Title: Design and Implementation of High-Performance Pattern Matching Algorithms for Internet Security Applications
Author: LEE TSERN-HUEI (李程輝)
Department (Institute) of Communications Engineering, National Chiao Tung University
Keywords: Internet security; signatures; pattern matching; regular expression; data compression; LZ-family
Issue date: 2008
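Abstract: With the rapid development of the Internet and its wide variety of services, more and more users depend heavily on the normal operation of the network, so network security has become a very important issue for network applications. Because the Internet is a public network that anyone can use, and was originally designed only for interconnection without security considerations, incidents that harm users' interests, such as eavesdropping, intrusion and viruses, have appeared one after another. At present, in addition to protection mechanisms on the client side, adding more efficient security mechanisms to the network equipment at ingress and egress points (routers, switches, etc.) is bound to gradually become a new trend. The purpose of this project is to study high-efficiency pattern matching algorithms commonly used for intrusion and virus detection, and to implement them on an FPGA development platform. Current intrusion and virus detection techniques can be roughly divided into two kinds. The first checks for connection behavior anomaly: a model of normal behavior is built from typical user habits (such as connection frequency), and when a machine's behavior deviates from that model, the machine is judged to have intrusion intent or to be infected. The second works on packet content, using pattern matching to check whether it contains malicious signatures or virus code. These attack or malicious signatures can usually be expressed as simple strings or regular expressions. One of the goals of this project is to design high-efficiency matching algorithms for these two kinds of patterns. However, information transmitted over the network is often compressed, for example with LZW or LZ77, and after compression the signature patterns are not easy to detect. How to quickly search for signature patterns in LZW- and LZ77-compressed files is also a problem this project intends to solve.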
With the rapid growth of various Internet applications, more and more users rely heavily on the correct operation of networks. As such, Internet security is becoming an important issue. There are all kinds of security incidents, including eavesdropping, intrusion, and viruses/worms, which may cause severe damage and economic loss to our society. How to integrate security functions into switches/routers to quickly detect and react to security incidents has attracted much attention in recent years. The purpose of this project is to design and implement high-performance, memory-efficient pattern matching algorithms for Internet security applications. Behavior anomaly and pattern matching are two common techniques for malware detection. The concept of behavior anomaly is to establish a profile of normal behavior and identify a host as abnormal if its behavior does not conform to the profile. This approach may result in a high false positive rate because the normal behavior profile is difficult to specify. In contrast, pattern matching, which is based on deterministic signatures of malware, can be precise. It is possible to detect any malware as long as its signature is available. Most signatures were specified by simple byte strings in the past. However, there is increasing demand for regular expressions because they are much more expressive than simple byte strings. Therefore, in addition to simple byte strings, the pattern matching algorithms to be developed in this project will handle regular expressions as well. Since files may be transported on the Internet in compressed format, we will also consider efficient pattern matching in compressed files. In particular, we will focus on LZW and LZ77 compressed files because these two are the most commonly used algorithms. We expect to publish at least three international journal and/or conference papers each year.
Official document #: NSC96-2221-E009-018-MY2
URI: http://hdl.handle.net/11536/102236
https://www.grb.gov.tw/search/planDetail?id=1590681&docId=272767
Appears in Collections: Research Plans