National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)

Record Details

Student: 傅遠佳
Student (English): Yuan Chia Fu
Title: 入侵防禦系統效能改善之研究
Title (English): Research on the Performance Improvement of an Intrusion Prevention System
Advisor: 馮立琪
Advisor (English): L. C. Feng
Degree: Master
Institution: 長庚大學 (Chang Gung University)
Department: 資訊工程學研究所 (Graduate Institute of Computer Science and Information Engineering)
Discipline: Engineering
Field: Electrical and Computer Engineering
Document type: Academic thesis
Year of publication: 2009
Academic year of graduation: 97 (ROC calendar, i.e. 2008-2009)
Pages: 124
Keywords (Chinese): 入侵防禦系統 (intrusion prevention system), 入侵偵測系統 (intrusion detection system), 多核心處理器 (multi-core processor), 字串比對 (string matching)
Keywords (English): Intrusion Detection System, Intrusion Prevention System, Open Source, Linux, Pattern Match, Multi-Core Processor
Cited by: 1
Views: 596
Downloads: 0
Abstract (translated from the Chinese abstract)
With the rapid growth of the Internet in recent years, research and products related to network security have multiplied, and intrusion detection systems (IDS) in particular have received a great deal of attention. Advances in Internet technology have driven a large increase in backbone bandwidth, but as bandwidth grows, intrusion detection and prevention become increasingly difficult; raising the performance of an intrusion detection system while also lowering its cost has become a challenge for system development.
Most current intrusion detection systems use dedicated hardware and software and are therefore expensive. Free and open-source software, being both free of charge and open, has gradually gained attention, with Linux in particular enjoying broad support; if it can be used effectively, a large part of the deployment cost can be saved.
PCs have developed rapidly in recent years: their performance keeps rising while their cost keeps falling. Because processor manufacturers hit a performance bottleneck with single-core processors, multi-core processor technology for PCs has advanced quickly. If a multi-core PC can be combined with free software and used in place of dedicated, expensive network security appliances, the cost savings will be substantial.
Although multi-core processors raise performance, current Linux cannot effectively increase network processing capacity on a multi-core system.
In this thesis we study how to improve the performance of a Linux-based intrusion prevention system, improving both the algorithm of the system's Pattern Match Module and the Linux network processing flow on multi-core processors, in order to raise the overall performance of the intrusion prevention system.
The experimental results show that after improving the Pattern Match Module's algorithm, the system is 91% faster than Snort, the well-regarded and widely used open-source intrusion prevention system; the improved Linux network processing flow effectively spreads the load across all CPUs, raising the system's processing capacity. With both combined, a bandwidth test in a 2 Gbit/s network environment reached 1.8 Gbit/s.
Abstract (English)
With the recent rapid development of the Internet, network security research and related products have grown rapidly, and intrusion detection systems in particular have attracted a great deal of attention.
At present most intrusion detection systems use specialized software and hardware, which makes them very expensive. Because of its free and open nature, open-source software has gradually been taken seriously, Linux in particular. Using free software effectively can save a great deal of software cost. The rapid development of the Internet has greatly increased backbone bandwidth, and as bandwidth grows, intrusion detection and prevention become increasingly difficult. Raising the effectiveness of intrusion detection systems while reducing system cost has become a system development challenge.
In recent years, as the growth of single-processor performance slowed, manufacturers turned to multi-core processors. However, studies have shown that on a Linux system, multi-core processors alone do not improve network processing performance.
In this thesis we study how to improve the performance of a Linux-based intrusion prevention system. On one hand we improve the algorithm of the Pattern Match Module; on the other we improve the network processing flow in Linux on multi-core processors. Together these methods raise the overall performance of the intrusion prevention system. Experimental results show that the improved Pattern Match Module algorithm is 91 percent faster than Snort, and that the improved Linux network processing flow effectively spreads the load across all CPUs, increasing the system's processing capacity. With both combined, the system reaches 1.8 Gbit/s in a 2 Gbit/s network environment.
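The Pattern Match Module named in the abstract is where an IPS spends most of its cycles: every rule's content string has to be checked against every packet, so the matcher must scan a payload once for all patterns at the same time. The thesis builds on Aho-Corasick in array form (Figure 5-1 in the list of figures) with Boyer-Moore-style skipping (AC_BM). The following is an added example written for this page, not the thesis's KIPS code and not a description of its internals: a plain array-form Aho-Corasick matcher in C that scans a constructed payload against a constructed set of rule content strings in one pass. The pattern set, payloads and function names are assumptions made for the example.

```c
/* Array-form Aho-Corasick multi-pattern matcher: every state has a full
 * 256-entry transition row, so scanning costs one table lookup per payload
 * byte with no failure-link chasing at match time.  Added example for this
 * page; not the thesis's KIPS code.  Patterns and payloads are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AC_MAX_STATES   1024        /* enough for the demo rule set */
#define AC_ALPHABET     256
#define AC_MAX_PATTERNS 32          /* output sets are 32-bit masks */

typedef struct {
    int      next[AC_MAX_STATES][AC_ALPHABET]; /* DFA: next[state][byte] */
    int      fail[AC_MAX_STATES];              /* failure links, build time only */
    uint32_t out[AC_MAX_STATES];               /* bit i set: pattern i ends here */
    int      nstates;
} ac_t;

static ac_t *ac_new(void)
{
    ac_t *ac = calloc(1, sizeof *ac);          /* about 1 MiB, so heap not stack */
    if (!ac) return NULL;
    for (int c = 0; c < AC_ALPHABET; c++) ac->next[0][c] = -1;
    ac->nstates = 1;                            /* state 0 is the root */
    return ac;
}

/* Insert one pattern (a rule "content" string) into the trie. */
static int ac_add(ac_t *ac, const char *pat, int id)
{
    if (id < 0 || id >= AC_MAX_PATTERNS || *pat == '\0') return -1;
    int s = 0;
    for (const unsigned char *p = (const unsigned char *)pat; *p; p++) {
        if (ac->next[s][*p] == -1) {
            if (ac->nstates >= AC_MAX_STATES) return -1;
            int n = ac->nstates++;
            for (int c = 0; c < AC_ALPHABET; c++) ac->next[n][c] = -1;
            ac->next[s][*p] = n;
        }
        s = ac->next[s][*p];
    }
    ac->out[s] |= 1u << id;
    return 0;
}

/* Breadth-first pass: compute failure links and fill every missing
 * transition, turning the trie into a complete DFA.  Output sets are
 * inherited along failure links so suffix patterns are reported too. */
static void ac_build(ac_t *ac)
{
    int *queue = malloc((size_t)ac->nstates * sizeof *queue);
    int head = 0, tail = 0;
    for (int c = 0; c < AC_ALPHABET; c++) {
        int n = ac->next[0][c];
        if (n == -1) ac->next[0][c] = 0;        /* root stays put on a miss */
        else { ac->fail[n] = 0; queue[tail++] = n; }
    }
    while (head < tail) {
        int s = queue[head++];
        ac->out[s] |= ac->out[ac->fail[s]];
        for (int c = 0; c < AC_ALPHABET; c++) {
            int n = ac->next[s][c];
            if (n == -1) ac->next[s][c] = ac->next[ac->fail[s]][c];
            else { ac->fail[n] = ac->next[ac->fail[s]][c]; queue[tail++] = n; }
        }
    }
    free(queue);
}

typedef void (*ac_match_fn)(int id, size_t end, void *ctx);

/* Scan a payload once; call cb for every (pattern, end offset) hit.
 * Returns the number of hits. */
static size_t ac_scan(const ac_t *ac, const uint8_t *buf, size_t len,
                      ac_match_fn cb, void *ctx)
{
    int s = 0;
    size_t hits = 0;
    for (size_t i = 0; i < len; i++) {
        s = ac->next[s][buf[i]];
        for (uint32_t m = ac->out[s], id = 0; m; m >>= 1, id++) {
            if (m & 1u) { hits++; if (cb) cb((int)id, i, ctx); }
        }
    }
    return hits;
}

/* Constructed rule set: three content strings an IPS might carry. */
static const char *demo_patterns[] = { "GET /", "../", "/etc/passwd" };
#define DEMO_NPATTERNS 3

/* Build a matcher from a pattern set and count hits in one payload. */
static size_t count_matches(const char **pats, int npats, const char *payload)
{
    ac_t *ac = ac_new();
    if (!ac) return 0;
    for (int i = 0; i < npats; i++)
        if (ac_add(ac, pats[i], i) != 0) { free(ac); return 0; }
    ac_build(ac);
    size_t hits = ac_scan(ac, (const uint8_t *)payload, strlen(payload), NULL, NULL);
    free(ac);
    return hits;
}

static void print_hit(int id, size_t end, void *ctx)
{
    const char **pats = ctx;
    printf("pattern %d \"%s\" ends at offset %zu\n", id, pats[id], end);
}

int main(void)
{
    /* Constructed payload: an HTTP request line carrying a traversal probe. */
    const char *payload = "GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n";
    ac_t *ac = ac_new();
    if (!ac) return 1;
    for (int i = 0; i < DEMO_NPATTERNS; i++) ac_add(ac, demo_patterns[i], i);
    ac_build(ac);
    size_t hits = ac_scan(ac, (const uint8_t *)payload, strlen(payload),
                          print_hit, (void *)demo_patterns);
    printf("%zu hit(s)\n", hits);
    free(ac);
    return 0;
}
```

The full 256-wide row per state is what makes the scan loop a single indexed load per byte; the price is memory, which is why a real rule set of thousands of content strings needs either a sparse or banded row encoding or the AC_BM skip tables the thesis adds. The matcher reports overlapping and suffix matches (a payload containing "ushers" against the patterns "he", "she", "hers" yields all three), which is the behaviour an IPS needs so that a rule's content is not missed because a longer rule shares its ending.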
Table of Contents
Advisor's Recommendation
Oral Examination Committee Approval
Authorization iii
Acknowledgements iv
Chinese Abstract v
Abstract vii
Table of Contents ix
List of Figures xii
List of Tables xvi
Chapter 1 Introduction 1
1.1 Motivation 3
1.2 Contributions 6
1.3 Thesis Organization 7
Chapter 2 Related Work 8
2.1 Related Work on Pattern Match Performance Improvement 8
2.1.1 Brute-Force algorithm 9
2.1.2 Knuth-Morris-Pratt algorithm 10
2.1.3 Boyer-Moore algorithm 14
2.1.4 Aho-Corasick algorithm 21
2.1.5 Aho-Corasick-Boyer-Moore algorithm 25
2.2 Related Work on Operating Systems for Multi-Core Systems 32
2.2.1 Corey 32
2.2.2 JNIC Project 33
2.2.3 Forwarding Improvement Scheme for SMP Linux Routers 35
Chapter 3 Study of Linux Networking Problems 37
3.1 Multi-Processor Support in Linux 37
3.2 Linux Interrupt Architecture 40
3.3 Linux Network Architecture 43
3.4 Analysis of Linux Networking Problems on Multi-Processors 45
Chapter 4 Introduction to Snort 48
4.1 Analysis of the Snort Architecture 48
4.2 Snort Rule Structure 49
4.3 Snort System Flow 52
Chapter 5 System Architecture 55
5.1 Pattern Match Algorithm Structure 55
5.2 Pattern Match Algorithm Implementation Flow 61
5.3 Design of the Linux Network Performance Improvement in a Multi-Core Environment 64
5.4 Implementation of the Linux Network Performance Improvement in a Multi-Core Environment 68
5.5 System Architecture 73
5.5.1 KIPS System Architecture 74
5.5.2 IP fragment reassembly 78
5.5.3 Snort Rule Conversion Program 80
Chapter 6 Test Results 82
6.1 Test Environment 82
6.2 KIPS (Pattern Match) Algorithm Tests 86
6.3 Multi-Core Performance Improvement Tests 89
6.4 Integration Tests (Multi-Core KIPS) 93
6.5 2 Gbit/s Bandwidth Test 97
6.6 Test Conclusions 100
Chapter 7 Conclusions and Future Work 101
References 103
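Sections 3.4 and 5.3 of the outline address the problem the abstract states: on a multi-core Linux box the NIC's interrupt, and the softirq packet processing behind it, land on one CPU while the other cores idle. The added example below is written for this page and is not the thesis's Network Packet Assignment Module; it shows how to detect that condition from /proc/interrupts and how to form the hex mask that /proc/irq/<n>/smp_affinity accepts (the setting in Figure 3-7 of the list of figures). The /proc/interrupts snapshot, the NIC names, the IRQ numbers and the function names are constructed for the example.

```c
/* Diagnose NIC interrupt placement from /proc/interrupts and build the hex
 * mask written to /proc/irq/<n>/smp_affinity.  Added example for this page;
 * the thesis's own fix is an in-kernel packet-assignment module, not
 * smp_affinity.  The snapshot below is constructed, not captured. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CPUS 64

/* Constructed /proc/interrupts snapshot: a 4-core box where every eth0
 * interrupt has landed on CPU0 while eth1's are spread evenly. */
static const char sample_interrupts[] =
    "           CPU0       CPU1       CPU2       CPU3\n"
    "  0:    1234567          0          0          0   IO-APIC-edge      timer\n"
    " 19:     983211          0          0          0   IO-APIC-fasteoi   eth0\n"
    " 20:      45120      44871      45003      44990   IO-APIC-fasteoi   eth1\n"
    "NMI:          0          0          0          0   Non-maskable interrupts\n";

/* Find the line whose device name (last token) is `dev`; fill the per-CPU
 * counts and the IRQ number.  Returns the CPU count, or -1 if not found. */
static int irq_counts(const char *snapshot, const char *dev,
                      unsigned long counts[MAX_CPUS], int *irq_no)
{
    const char *eol = strchr(snapshot, '\n');
    if (!eol) return -1;
    int ncpu = 0;                                   /* CPUn columns in header */
    for (const char *h = snapshot; (h = strstr(h, "CPU")) && h < eol; h += 3) ncpu++;
    if (ncpu == 0 || ncpu > MAX_CPUS) return -1;

    size_t dlen = strlen(dev);
    for (const char *p = eol + 1; *p; p = (*eol ? eol + 1 : eol)) {
        eol = strchr(p, '\n');
        if (!eol) eol = p + strlen(p);
        const char *e = eol;                        /* last token = device name */
        while (e > p && isspace((unsigned char)e[-1])) e--;
        const char *b = e;
        while (b > p && !isspace((unsigned char)b[-1])) b--;
        if ((size_t)(e - b) != dlen || memcmp(b, dev, dlen) != 0) continue;
        char *q;                                    /* "  19:" then one count per CPU */
        long n = strtol(p, &q, 10);
        if (q == p || *q != ':') continue;          /* skips NMI:/LOC: style rows */
        q++;
        for (int i = 0; i < ncpu; i++) counts[i] = strtoul(q, &q, 10);
        *irq_no = (int)n;
        return ncpu;
    }
    return -1;
}

/* Fraction of this IRQ's interrupts handled by the busiest CPU; 1.0 means
 * every interrupt hit one core, the imbalance the thesis targets. */
static double busiest_share(const unsigned long *counts, int n)
{
    unsigned long total = 0, max = 0;
    for (int i = 0; i < n; i++) {
        total += counts[i];
        if (counts[i] > max) max = counts[i];
    }
    return total ? (double)max / (double)total : 0.0;
}

/* Hex bitmask (bit i = CPU i) in the form /proc/irq/<n>/smp_affinity takes. */
static int affinity_mask(const int *cpus, int n, char *out, size_t outsz)
{
    unsigned long long mask = 0;
    for (int i = 0; i < n; i++) {
        if (cpus[i] < 0 || cpus[i] >= MAX_CPUS) return -1;
        mask |= 1ULL << cpus[i];
    }
    int w = snprintf(out, outsz, "%llx", mask);
    return (w > 0 && (size_t)w < outsz) ? 0 : -1;
}

int main(void)
{
    const char *nics[] = { "eth0", "eth1" };
    for (int i = 0; i < 2; i++) {
        unsigned long c[MAX_CPUS];
        int irq, n = irq_counts(sample_interrupts, nics[i], c, &irq);
        if (n < 0) { printf("%s: not found\n", nics[i]); continue; }
        double share = busiest_share(c, n);
        printf("%s (IRQ %d): busiest CPU handles %.0f%% of its interrupts%s\n",
               nics[i], irq, 100.0 * share,
               share > 0.5 ? "  <- single-core bottleneck" : "");
    }
    /* Move eth0 off CPU0: echo <mask> > /proc/irq/19/smp_affinity (as root) */
    int cpus[] = { 1, 2, 3 };
    char mask[32];
    if (affinity_mask(cpus, 3, mask, sizeof mask) == 0)
        printf("suggested smp_affinity for IRQ 19: %s\n", mask);
    return 0;
}
```

Two caveats a practitioner should keep in mind. A single line-based IRQ is delivered to one CPU at a time no matter how many bits the mask sets, so on a single-queue NIC the mask only moves the bottleneck to a different core; parallelising the work needs either multi-queue hardware with one interrupt per queue or a kernel-side redistribution of packets after the interrupt, which is what the thesis's Policy Management and Task Assignment units do. And irqbalance, if running, will rewrite smp_affinity behind you, so pin IRQs only after stopping it or excluding those IRQs from its control.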


List of Figures
Figure 1-1 Year-by-year performance comparison of multi-core and single-core processors [16] 5
Figure 2-1 Principle of the brute-force algorithm 9
Figure 2-2 Principle of the KMP algorithm 11
Figure 2-3 Construction of the KMP next table 12
Figure 2-4 Principle of the BM algorithm 15
Figure 2-5 BM algorithm BAD table shift demonstration 16
Figure 2-6 Construction of the BM BAD table 18
Figure 2-7 BM algorithm GOOD table shift demonstration 19
Figure 2-8 Construction of the BM GOOD table 20
Figure 2-9 Construction of the AC algorithm tree structure 22
Figure 2-10 AC algorithm matching principle 24
Figure 2-11 AC_BM algorithm tree structure 26
Figure 2-12 Construction of the AC_BM BAD table 27
Figure 2-13 Construction of the AC_BM GOOD table 28
Figure 2-14 AC_BM algorithm GOOD table diagram 29
Figure 2-15 AC_BM algorithm matching flow 30
Figure 2-16 Corey network architecture 33
Figure 2-17 JNIC system architecture 34
Figure 2-18 Architecture of the SMP Linux router forwarding improvement scheme 36
Figure 3-1 Linux kernel 2.6 domain scheduler structure 38
Figure 3-2 Linux kernel 2.6 task load balancing 39
Figure 3-3 IRQBALANCE IRQ distribution [51] 41
Figure 3-4 Linux packet processing flow 43
Figure 3-5 Linux network processing flow in NAPI mode 44
Figure 3-6 Linux packet processing flow after SoftIRQ 44
Figure 3-7 IRQ affinity setting 46
Figure 3-8 IRQBALANCE setting 46
Figure 3-9 Linux packet forwarding test [58] 47
Figure 4-1 Block diagram of Snort components 48
Figure 4-2 Snort rule 50
Figure 4-3 Snort rule structure 51
Figure 4-4 Snort initialization flow 52
Figure 4-5 Snort packet matching flow 53
Figure 5-1 Array-form Aho-Corasick state machine structure 56
Figure 5-2 Implementation flow for building the AC_BM BAD table 58
Figure 5-3 Implementation flow for building the AC_BM GOOD table 60
Figure 5-4 Implementation flow of AC_BM pattern matching 62
Figure 5-5 Module operation flow in non-NAPI mode 65
Figure 5-6 Module operation flow in NAPI mode 65
Figure 5-7 Internal architecture of the Network Packet Assignment Module 66
Figure 5-8 Linux packet processing flow after SoftIRQ 69
Figure 5-9 Internal flow of the Policy Management Unit 71
Figure 5-10 Internal flow of the Task Assignment Unit (WorkQueue) 72
Figure 5-11 Internal flow of the Task Assignment Unit (SoftIRQ) 73
Figure 5-12 Internal flow of the Packet Statistics Unit 73
Figure 5-13 KIPS design flow 74
Figure 5-14 KIPS system architecture 75
Figure 5-15 KIPS system flow 76
Figure 5-16 IP fragment reassembly flow using ip_defrag() 79
Figure 5-17 Relationship between the ipq and ipfrag structures 80
Figure 6-1 Experimental environment architecture 82
Figure 6-2 Bandwidth test comparison (single client) 86
Figure 6-3 Bandwidth test comparison (multiple clients) 87
Figure 6-4 Latency test comparison 88
Figure 6-5 CPU utilization comparison 89
Figure 6-6 Bandwidth test comparison with the multi-core improvement (single client) 91
Figure 6-7 Bandwidth test comparison with the multi-core improvement (multiple clients) 91
Figure 6-8 Latency test comparison with the multi-core improvement 92
Figure 6-9 CPU utilization distribution comparison with the multi-core improvement 93
Figure 6-10 Latency comparison of multi-core KIPS 94
Figure 6-11 Bandwidth comparison of multi-core KIPS 95
Figure 6-12 CPU utilization comparison of multi-core KIPS 96
Figure 6-13 CPU utilization comparison of multi-core KIPS under different policies 97
Figure 6-14 Four-NIC experimental environment 98
Figure 6-15 2 Gbit/s bandwidth test comparison 99


List of Tables
Table 2-1 KMP algorithm next table 13
Table 2-2 BM algorithm BAD table 19
Table 2-3 BM algorithm GOOD table 21
Table 2-4 AC_BM algorithm BAD table 28
Table 3-1 Uses and priorities of the Linux SoftIRQ types 42
Table 4-1 Snort fields 50
Table 6-1 Hardware of front-end computer A 84
Table 6-2 Hardware of server B 85
Table 6-3 Hardware of back-end computer C 85
Table 6-4 Ping test results with the multi-core improvement 90
References
[1] "告別2007 駭客「產業」隱然成形" (Farewell to 2007: the hacker "industry" quietly takes shape), Dec. 2007, http://www.zdnet.com.tw/print/?id=20126790.
[2] "《巴哈姆特》、《遊戲基地》遭受網路攻擊" (Bahamut and Gamebase hit by network attacks), Apr. 2008, http://mag.udn.com/mag/digital/storypage.jsp?f_ART_ID=123192.
[3] "IBM - Proventia Network Intrusion Prevention System (IPS)", May 2009, http://www-935.ibm.com/services/us/index.wss/offerfamily/iss/a1030570.
[4] "Intrusion Prevention System - IPS Software Blade", http://www.checkpoint.com/products/softwareblades/intrusion-prevention-system.html.
[5] "Symantec - AntiVirus, Anti-Spyware, Endpoint Security, Backup, Storage Solutions", http://www.symantec.com/index.jsp.
[6] "Symantec ManHunt", http://www.symantec.com/region/tw/product/sids/smh/.
[7] V. Jacobson, C. Leres, and S. McCanne, "libpcap", Lawrence Berkeley Laboratory, Berkeley, CA, initial public release June 1994.
[8] M. Roesch, "Snort - Lightweight Intrusion Detection for Networks", Proc. 13th USENIX Systems Administration Conference (LISA '99), 1999.
[9] W. Lee and S.J. Stolfo, "Data Mining Approaches for Intrusion Detection", Columbia University, Dept. of Computer Science, New York, 2000.
[10] H. Debar, M. Becker, and D. Siboni, "A neural network component for an intrusion detection system", Proc. 1992 IEEE Computer Society Symposium on Research in Security and Privacy, 1992, pp. 240-250.
[11] G. Vigna and R.A. Kemmerer, "NetSTAT: A network-based intrusion detection approach", Proc. 14th Annual Computer Security Applications Conference (ACSAC), 1998, pp. 25-34.
[12] 黃盈源, "一個重用IP堆疊之核心內入侵偵測系統的研究與實作" (Research and Implementation of an In-Kernel Intrusion Detection System Reusing the IP Stack), Master's thesis, Graduate Institute of Information Management, Chang Gung University, 2002.
[13] D.T. Marr, F. Binns, D.L. Hill, G. Hinton, D.A. Koufaty, J.A. Miller, and M. Upton, "Hyper-Threading Technology Architecture and Microarchitecture", Intel Technology Journal, vol. 6, 2002, pp. 4-15.
[14] D. Koufaty and D. Marr, "Hyperthreading technology in the NetBurst microarchitecture", IEEE Micro, vol. 23, 2003, pp. 56-65.
[15] Intel Corporation, "Introduction to Hyper-Threading Technology", 2001.
[16] D. Geer, "Chip makers turn to multicore processors", IEEE Computer, vol. 38, 2005, pp. 11-13.
[17] G. Koch, "Discovering Multi-Core: Extending the Benefits of Moore's Law", Technology@Intel Magazine, 2005.
[18] R.M. Ramanathan, "Intel Multi-Core Processors: Leading the Next Digital Revolution", Technology@Intel Magazine, 2005.
[19] J. Sanders, "Linux, Open Source, and Software's Future", IEEE Software, 1998.
[20] G. Hertel, S. Niedner, and S. Herrmann, "Motivation of software developers in Open Source projects: an Internet-based survey of contributors to the Linux kernel", Research Policy, vol. 32, 2003, pp. 1159-1177.
[21] M.W. Godfrey and Q. Tu, "Evolution in open source software: a case study", Proc. International Conference on Software Maintenance (ICSM), 2000, pp. 131-142.
[22] A. Hars, "Working for Free? Motivations for Participating in Open-Source Projects", International Journal of Electronic Commerce, vol. 6, 2002, pp. 25-39.
[23] Apache Software Foundation, "Apache HTTP Server Project", 1999.
[24] P. Albitz and C. Liu, DNS and BIND, O'Reilly & Associates, Sebastopol, CA, 2001.
[25] A. Mockus, R.T. Fielding, and J.D. Herbsleb, "Two case studies of open source software development: Apache and Mozilla", ACM Trans. Softw. Eng. Methodol., vol. 11, 2002, pp. 309-346.
[26] T. Howlett, Open Source Security Tools, Prentice Hall, 2004.
[27] R. Bolla and R. Bruschi, "An effective forwarding architecture for SMP Linux routers", Proc. 4th International Telecommunication Networking Workshop on QoS in Multiservice IP Networks (IT-NEWS 2008), 2008, pp. 210-216.
[28] R. Bolla and R. Bruschi, "IP Forwarding Performance Analysis in the Presence of Control Plane Functionalities in a PC-Based Open Router", Distributed Cooperative Laboratories: Networking, Instrumentation, and Measurements, 2006, pp. 143-158.
[29] D.P. Bovet and M. Cesati, Understanding the Linux Kernel, 3rd ed., O'Reilly, Sebastopol, CA, 2005.
[30] Z. Ning, A.J. Cox, and J.C. Mullikin, "SSAHA: a fast search method for large DNA databases", Genome Research, vol. 11, Cold Spring Harbor Laboratory Press, 2001.
[31] D. Gusfield, "Algorithms on Strings, Trees, and Sequences: Computer Science and Computational Biology", SIGACT News, vol. 28, 1997, pp. 41-60.
[32] E. Eskin and P.A. Pevzner, "Finding composite regulatory patterns in DNA sequences", Bioinformatics, vol. 18, 2002, pp. S354-S363.
[33] G.A. Stephen, String Searching Algorithms, World Scientific, 1994.
[34] R.A. Baeza-Yates, "Algorithms for string searching", SIGIR Forum, vol. 23, 1989, pp. 34-58.
[35] "An explanation of the Brute force algorithm", http://www-igm.univ-mlv.fr/%7Elecroq/string/node3.html#SECTION0030.
[36] P. Weiner, "Linear pattern matching algorithms", Proc. 14th Annual IEEE Symposium on Switching and Automata Theory (SWAT 1973), 1973, pp. 1-11.
[37] D.E. Knuth, J.H. Morris, and V.R. Pratt, "Fast Pattern Matching in Strings", SIAM Journal on Computing, vol. 6, Jun. 1977, pp. 323-350.
[38] "An explanation of the Knuth-Morris-Pratt algorithm", http://www-igm.univ-mlv.fr/%7Elecroq/string/node8.html#SECTION0080.
[39] R.S. Boyer and J.S. Moore, "A fast string searching algorithm", Commun. ACM, vol. 20, 1977, pp. 762-772.
[40] "An explanation of the Boyer-Moore algorithm", http://www-igm.univ-mlv.fr/~lecroq/string/node14.html.
[41] A.V. Aho and M.J. Corasick, "Efficient string matching: an aid to bibliographic search", Commun. ACM, vol. 18, 1975, pp. 333-340.
[42] C. Coit, S. Staniford, and J. McAlerney, "Towards faster string matching for intrusion detection or exceeding the speed of Snort", Proc. DARPA Information Survivability Conference & Exposition II (DISCEX '01), 2001, vol. 1, pp. 367-373.
[43] N. Desai, "Increasing Performance in High Speed NIDS", 2003, http://www.linuxsecurity.com/resource_files/intrusion_detection/Increasing_Performance_in_High_Speed_NIDS.pdf.
[44] S. Boyd-Wickizer, H. Chen, R. Chen, Y. Mao, F. Kaashoek, R. Morris, A. Pesterev, L. Stein, M. Wu, and Y. Dai, "Corey: an operating system for many cores", Proc. 8th USENIX Symposium on Operating Systems Design and Implementation (OSDI '08), 2008.
[45] M. Schlansker, N. Chitlur, E. Oertli, P.M. Stillwell Jr., L. Rankin, D. Bradford, R.J. Carter, J. Mudigonda, N. Binkert, and N.P. Jouppi, "High-performance ethernet-based communications for future multi-core processors", Proc. ACM/IEEE Conference on Supercomputing (SC '07), Reno, Nevada, 2007, pp. 1-12.
[46] J. Aas, "Understanding the Linux 2.6.8.1 CPU Scheduler", Silicon Graphics, Inc., 2005, http://josh.trancesoftware.com/linux/linux_cpu_scheduler.pdf.
[47] S. Siddha, "Multi-Core and Linux Kernel", Intel Open Source Technology Center.
[48] D.A. Klein, "Advanced programmable interrupt controller", US patent (via Google Patents), 2000.
[49] B.R. Davis and B. Young, "Input/output subsystem having an integrated advanced programmable interrupt controller for use in a personal computer", US Patent 5,857,090, 1999.
[50] 蘇春豔 and 楊小華, "Linux 內核中斷內幕" (Inside Linux Kernel Interrupts), IBM developerWorks China, May 2007, http://www.ibm.com/developerworks/cn/linux/l-cn-linuxkernelint/index.html.
[51] "IRQBALANCE", http://irqbalance.org/.
[52] J. Corbet, A. Rubini, and G. Kroah-Hartman, Linux Device Drivers, 3rd ed., O'Reilly, 2005.
[53] L. Rizzo, "Device Polling support for FreeBSD", Proc. European BSD Conference (EuroBSDCon 2001), Brighton, UK, 2001.
[54] L. Deri, "Improving passive packet capture: Beyond device polling", Proc. SANE, 2004.
[55] L. Deri, "nCap: Wire-speed packet capture and transmission", Proc. E2EMON, 2005.
[56] I. Kim, J. Moon, and H.Y. Yeom, "Timer-based interrupt mitigation for high performance packet processing", Proc. 5th International Conference on High-Performance Computing in the Asia-Pacific Region (HPC Asia 2001), Gold Coast, Australia, 2001, http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.18.9625.
[57] "Net:NAPI - The Linux Foundation", http://www.linuxfoundation.org/en/Net:NAPI.
[58] 鄭衛斌, 丁會寧, and 李慶海, "Linux 的網絡轉發性能研究" (A Study of Linux Network Forwarding Performance), Journal of Xi'an Jiaotong University (西安交通大學學報), vol. 38, Apr. 2004, pp. 124-126.
[59] L. Degioanni, G. Varenni, F. Risso, and J. Bruno, "WinPcap: The Windows Packet Capture Library", Jan. 2007.
[60] A. Tirumala, F. Qin, J. Dugan, J. Ferguson, and K. Gibbs, "Iperf: The TCP/UDP bandwidth measurement tool", 2004, http://dast.nlanr.net/Projects/Iperf.
[61] L. McVoy and C. Staelin, "lmbench: Portable Tools for Performance Analysis", Proc. USENIX Annual Technical Conference, 1996.
[62] R. Andresen, "Monitoring Linux with native tools", Proc. 30th Annual International Conference of the Computer Measurement Group, Dec. 2004, pp. 5-10.
[63] M. Muuss, "The Story of the PING Program", http://ftp.arl.army.mil/mike/ping.html, 1983.
[64] J. Levon and P. Elie, "OProfile: A system profiler for Linux", 2005, http://oprofile.sourceforge.net.