Title: Implementation of a Scalable Pattern Matching Architecture for Network Security Applications using FPGA
Authors: 李世弘 (Shih-Hong Lee)
李程輝 (Tsern-Huei Lee)
Institute of Communications Engineering
Keywords: pattern matching; network security; intrusion detection; pattern match; AC; IDS
Issue date: 2007
Abstract: Because of its accuracy, pattern matching has in recent years been widely applied to Internet security applications such as intrusion detection and anti-virus. Modern Network Intrusion Detection Systems (NIDS) inspect the payload of network packets to check whether it conforms to the security policies of the given network. This step, often called deep packet inspection, involves detecting predefined patterns or keywords starting at an arbitrary location in the payload. Pattern matching is computationally intensive, so it is a potential bottleneck when high-speed processing is not available. Since conventional software-implemented pattern matching has not kept pace with increasing network speeds, hardware-implemented solutions have been introduced. This thesis implements a novel scalable pattern matching architecture proposed by the NTL laboratory, and implements its pre-processor, called the pre-filter, on an FPGA. We show how pre-filters can be used effectively to perform pattern matching for thousands of strings. Finally, we implement the pattern matching technique on a Xilinx Virtex II Pro ML310 FPGA and give the details of the implementation, along with detailed data and results.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT009513562
http://hdl.handle.net/11536/38406
Appears in collections: Theses


Files in this item:

  1. 356201.pdf

If the file is a zip archive, download and extract it, then open index.html in the extracted folder with a browser to read the full text.