National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)

Detailed record
Author: 黃兆偉
Author (romanized): Chao Wei Huang
Title (Chinese): 多核心架構下Linux網路效能改善之研究
Title (English): Improving the Linux Network Performance on Multi-core System
Advisor: 馮立琪
Advisor (romanized): L. C. Feng
Degree: Master
Institution: Chang Gung University
Department: Department of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Information Engineering
Document type: Academic thesis
Year of publication: 2013
Graduating academic year: 101 (ROC calendar, i.e. the 2012-2013 academic year)
Pages: 90
Keywords (Chinese): 網路處理, 網路攻擊, 入侵偵測系統
Keywords (English): network processing, network attacks, Intrusion Detection System
Statistics:
  • Cited by: 1
  • Views: 657
  • Rating: none
  • Downloads: 0
  • Saved to reading lists: 0
Chinese abstract (translated):
With the rapid growth of the Internet, improving the efficiency of Linux network processing has long been an important topic, and as multi-core/multi-processor architectures have matured, the question has received growing attention. Linux has introduced a series of improvements in response to the multi-core trend of recent years, but recent research shows that the way Linux itself processes packets cannot fully exploit the parallelism that multiple cores offer, which limits its packet-processing capacity.
In addition, network security is essential in today's environment full of network attacks of every kind. Many defensive tools have been developed in response; among them, the intrusion detection system (IDS) has in recent years become standard equipment against viruses and intrusions. As network speeds keep rising, detection and prevention are put to the test, and the throughput at which an IDS can inspect packets becomes ever more important.
In this thesis we use RPS (Receive Packet Steering) to address the poor packet-processing performance of Linux on multi-core/multi-processor architectures, and we further raise overall IDS packet-inspection performance through a kernel-level IDS.
English abstract:
With the vigorous development of the Internet, improving Linux network processing efficiency has been a very important issue. Technological advances have made multi-core/multi-processor architectures mature and drawn more attention to improving Linux network efficiency, and Linux has in turn offered a series of improvements in response to the multi-core trend of recent years. However, recent research shows that the way Linux itself processes packets cannot take full advantage of multi-core parallelism, which limits its packet-processing capacity.
In addition, today's network environment is full of attacks of every kind, so network security is very important. Much defensive software has been developed in response, and in recent years the intrusion detection system (IDS) has become the most basic equipment for preventing viruses and hacking. Because the Internet keeps getting faster, intrusion detection and prevention are being put to the test, which makes IDS packet-inspection performance all the more important.
In this thesis we use RPS (Receive Packet Steering) to improve the Linux operating system's ineffective packet processing on multi-core/multi-processor architectures, and we further improve overall IDS packet-inspection performance through a kernel-level IDS.
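The steering decision the abstract relies on, as an added example written for this page and not code from the thesis or from the kernel: a user-space C model of how RPS chooses the CPU that will run the protocol stack for a received packet (hash of the flow's 5-tuple, scaled into the set of CPUs allowed by the queue's rps_cpus mask) and how RFS overrides that choice with the CPU on which the consuming socket last ran. Every sim_* name is this example's own stand-in for the kernel's rps_map, rps_sock_flow_table, skb_get_hash() and get_rps_cpu(); the 8-CPU machine, the hash function and the sample flows are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not code from the thesis or the kernel: a user-space model of
 * how RPS picks the CPU that runs the stack for a received packet and how RFS
 * overrides it with the CPU of the consuming socket. All sim_* names are this
 * example's stand-ins for rps_map, rps_sock_flow_table, skb_get_hash() and
 * get_rps_cpu(); the 8-CPU machine and the sample flows are constructed. */

#define SIM_MAX_CPUS        8    /* assumed online CPUs */
#define SIM_FLOW_TABLE_SIZE 64   /* cf. net.core.rps_sock_flow_entries */

struct sim_flow_key { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
struct sim_rps_map { unsigned int len; uint16_t cpus[SIM_MAX_CPUS]; };  /* rps_cpus */
struct sim_sock_flow_table { uint8_t ents[SIM_FLOW_TABLE_SIZE]; };    /* cpu+1, 0=none */

/* Parse the hex mask written to /sys/class/net/<dev>/queues/rx-<n>/rps_cpus
 * (bit i set => CPU i may be steered to). Returns 0, or -1 on a bad mask. */
int sim_parse_rps_cpus(const char *hexmask, struct sim_rps_map *map)
{
    char *end;
    unsigned long bits = strtoul(hexmask, &end, 16);
    if (end == hexmask || *end != '\0')
        return -1;
    map->len = 0;
    for (unsigned int cpu = 0; cpu < SIM_MAX_CPUS; cpu++)
        if (bits & (1UL << cpu))
            map->cpus[map->len++] = (uint16_t)cpu;
    return 0;
}

/* One-at-a-time hash over the 5-tuple, mixed field by field so struct padding
 * never reaches the hash. Stand-in for skb_get_hash(). */
static void sim_mix(uint32_t *h, uint32_t v)
{
    for (int i = 0; i < 4; i++) {
        *h += (v >> (8 * i)) & 0xff;
        *h += *h << 10;
        *h ^= *h >> 6;
    }
}

uint32_t sim_flow_hash(const struct sim_flow_key *k)
{
    uint32_t h = 0;
    sim_mix(&h, k->saddr);
    sim_mix(&h, k->daddr);
    sim_mix(&h, ((uint32_t)k->sport << 16) | k->dport);
    sim_mix(&h, k->proto);
    h += h << 3; h ^= h >> 11; h += h << 15;
    return h ? h : 1;            /* the kernel treats hash 0 as "no hash" */
}

/* reciprocal_scale(): map a 32-bit hash into [0, n) without a division. */
static unsigned int sim_reciprocal_scale(uint32_t val, unsigned int n)
{
    return (unsigned int)(((uint64_t)val * n) >> 32);
}

/* Model of sock_rps_record_flow(): the socket reading this flow records the
 * CPU it runs on, so later packets of the flow are steered there (RFS). */
void sim_rfs_record(struct sim_sock_flow_table *t, uint32_t hash, unsigned int cpu)
{
    t->ents[hash % SIM_FLOW_TABLE_SIZE] = (uint8_t)(cpu + 1);
}

/* Model of get_rps_cpu(): an RFS entry naming an online CPU wins; otherwise
 * hash the flow over the rps_cpus map. Returns -1 when neither applies, i.e.
 * the packet stays on the CPU that took the interrupt. */
int sim_get_rps_cpu(const struct sim_rps_map *map,
                    const struct sim_sock_flow_table *sft,
                    const struct sim_flow_key *key)
{
    uint32_t hash = sim_flow_hash(key);

    if (sft && sft->ents[hash % SIM_FLOW_TABLE_SIZE]) {
        int want = sft->ents[hash % SIM_FLOW_TABLE_SIZE] - 1;
        if (want < SIM_MAX_CPUS)
            return want;                                    /* RFS hit */
    }
    if (map->len == 0)
        return -1;
    return map->cpus[sim_reciprocal_scale(hash, map->len)];  /* plain RPS */
}

int main(void)
{
    struct sim_rps_map map;
    struct sim_sock_flow_table sft = {{0}};
    struct sim_flow_key flows[] = {                   /* constructed sample */
        {0x0a000001, 0x0a000002, 40000, 80, 6},
        {0x0a000001, 0x0a000002, 40000, 80, 6},       /* same flow again */
        {0x0a000003, 0x0a000002, 53000, 443, 6},
    };
    sim_parse_rps_cpus("f", &map);                    /* rps_cpus = f: CPUs 0-3 */
    for (size_t i = 0; i < sizeof flows / sizeof flows[0]; i++)
        printf("flow %zu -> CPU %d\n", i, sim_get_rps_cpu(&map, NULL, &flows[i]));
    sim_rfs_record(&sft, sim_flow_hash(&flows[0]), 2); /* reader of flow 0 is on CPU 2 */
    printf("flow 0 with RFS -> CPU %d\n", sim_get_rps_cpu(&map, &sft, &flows[0]));
    return 0;
}
```

On a real system the inputs this model takes come from /sys/class/net/<dev>/queues/rx-<n>/rps_cpus (the CPU mask), /sys/class/net/<dev>/queues/rx-<n>/rps_flow_cnt and the net.core.rps_sock_flow_entries sysctl (which enable and size the RFS tables). Two properties the model makes visible matter for an IDS placed in the kernel: packets of one flow always land on the same CPU, so per-flow state such as a connection table needs no cross-CPU locking for that flow, and the spread across CPUs is only as good as the diversity of 5-tuples on the wire, so a flood that repeats a single 5-tuple is not parallelized by RPS and still pins one core.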

Table of contents
Advisor's recommendation letter
Oral defense committee approval
Authorization
Acknowledgements
Chinese abstract
Abstract
Table of contents
List of figures
List of tables
Chapter 1 Introduction
1.1 Motivation
1.2 Objectives
Chapter 2 Related work
2.1 Analysis of problems in the Linux packet forwarding system
2.2 Intel NIC technologies
2.3 Improvements to Linux packet forwarding
Chapter 3 The Linux network subsystem and its processing
3.1 Linux interrupt handling architecture
3.2 Linux network subsystem architecture
3.3 Problem analysis of the Linux network processing path
3.4 RPS (Receive Packet Steering) and RFS (Receive Flow Steering)
3.4.1 Principles of RPS and RFS
3.4.2 RPS and RFS data structures
3.4.3 IPI (Interprocessor Interrupt) triggering
3.4.4 RPS/RFS processing flow
Chapter 4 Kernel Intrusion Detection System
4.1 KIDS background
4.1.1 The Netfilter mechanism
4.1.2 KIDS architecture and operation
4.1.3 The KIDS rule database
4.1.4 Major changes across KIDS versions
4.1.4.1 Evolution of the database
4.1.4.2 Evolution of the detection engine
4.2 KIDS improvements and implementation
4.2.1 Improved conversion of Snort rules
4.2.2 Connect table data structure
4.2.3 Connect table mechanism
4.2.4 Rule tree improvements
4.2.5 Improved multi-packet detection flow
4.3 KIDS multi-packet execution flow
Chapter 5 Experimental results
5.1 Test environment and system setup
5.1.1 Test environment
5.1.2 Server configuration
5.2 Test tools
5.3 Snort
5.4 System performance tests
Chapter 6 Conclusion
References

List of figures
Figure 2-1 Linux packet forwarding test [1]
Figure 2-2 Using IRQ affinity to place Tx and Rx on CPUs that share / do not share a cache [2]
Figure 2-3 Intel's packet flow distribution architecture [4]
Figure 2-4 Improved packet forwarding scheme for SMP systems [5]
Figure 2-5 Traditional software router forwarding architecture [6]
Figure 2-6 Improved software router forwarding architecture [6]
Figure 3-1 Linux packet processing flow
Figure 3-2 Linux NAPI network processing flow
Figure 3-3 NAPI packet receive flow, from [9]
Figure 3-4 CPUs sending packets in parallel
Figure 3-5 Packet distribution on receive
Figure 3-6 Interleaved packet distribution on receive
Figure 3-7 Packet distribution by RPS
Figure 3-8 Packet distribution with RPS combined with RFS
Figure 3-9 RPS data structures
Figure 3-10 Per-CPU softnet_data structure
Figure 3-11 Separation of the RPS and RFS implementations
Figure 3-12 Packet distribution during the driver polling stage
Figure 3-13 Flow of the CPU executing the trigger function
Figure 3-14 Flow of the CPU executing OS polling
Figure 4-1 Flow of a packet entering KIDS
Figure 4-2 Rule file organization [12]
Figure 4-3 Connect table mechanism
Figure 4-4 TCP three-way handshake and four-way teardown
Figure 4-5 Connect table flowchart
Figure 4-6 Rule tree structure
Figure 4-7 Function calls in the Netfilter mechanism [7]
Figure 4-8 Modified KIDS architecture
Figure 4-9 Modified KIDS flowchart
Figure 5-1 Experimental environment
Figure 5-2 10G environment connection diagram
Figure 5-3 Snort-inline operating mode [23]
Figure 5-4 Communication between Snort and ip_queue [24]
Figure 5-5 Comparison of packet forwarding efficiency
Figure 5-6 CPU utilization during Snort detection
Figure 5-7 CPU utilization during KIDS detection

List of tables
Table 3-1 Linux SoftIRQ types, their purposes and priorities [7]
Table 4-1 Snort rule type classification
Table 5-1 Hardware list
Table 5-2 Rule classification
Table 5-3 KIDS packet latency and packet loss rate
Table 5-4 Snort packet latency and packet loss rate
References
[1] 鄭衛斌 et al., 《Linux 的網絡轉發性能研究》 (A study of Linux network forwarding performance), Vol. 38, No. 2, pp. 124-126, Feb. 2004.
[2] K. Salah, M. Hamawi, and Y. Hassan, "On the Performance of IP-Forwarding for Multicore Multiprocessor Linux Hosts," IET Communications, Vol. 4, No. 18, pp. 2166-2180, Dec. 2010.
[3] Intel, "Improving Network Performance in Multi-Core Systems," White Paper, 2007. http://download.intel.com/support/network/sb/318483001us2.pdf
[4] Intel, "Integrating Services at the Edge: Test results show that one Intel Xeon processor 5500 series with quad-core technology can forward traffic at 20 Gbps," Solution Brief, 2009. http://download.intel.com/embedded/processor/solutionbrief/322973.pdf
[5] R. Bolla and R. Bruschi, "An effective forwarding architecture for SMP Linux routers," 4th International Telecommunication Networking Workshop on QoS in Multiservice IP Networks (IT-NEWS 2008), Venice, Italy, Feb. 2008, pp. 210-216.
[6] N. Egi, A. Greenhalgh, M. Handley, G. Iannaccone, M. Manesh, L. Mathy, and S. Ratnasamy, "Improved forwarding architecture and resource management for multi-core software routers," Proc. 6th IFIP International Conference on Network and Parallel Computing (NPC '09), 2009, pp. 117-124.
[7] C. Benvenuti, Understanding Linux Network Internals, O'Reilly Media, Dec. 2005.
[8] D. P. Bovet and M. Cesati, Understanding the Linux Kernel, O'Reilly, Beijing; Sebastopol, Calif., 2005.
[9] 盧元亨, 〈使用叢集架構對網路進行監控與分析〉 (Network monitoring and analysis using a cluster architecture), Master's thesis, Tatung University, 2008.
[10] J. Corbet, "Receive packet steering," LWN.net. http://lwn.net/Articles/362339/
[11] Information about RPS and RFS, LWN.net. http://lwn.net/Articles/398393/
[12] 黃盈源, 〈一個重用IP堆疊之核心內入侵偵測系統的研究與實作〉 (Research and implementation of an in-kernel intrusion detection system that reuses the IP stack), Master's thesis, Chang Gung University, 2002.
[13] 傅遠佳, 〈入侵防禦系統效能改善之研究〉 (A study on improving intrusion prevention system performance), Chang Gung University, 2009.
[14] A. Hess, T. Gingold, S. R. Garzon, and G. Schäfer, "Intrusion Prevention with Active Networks: A Performance Comparison between User and Kernel-Space Implementation," 18. DFN-Arbeitstagung über Kommunikationsnetze, Düsseldorf, Germany, June 2004.
[15] S. Patil, A. Kashyap, G. Sivathanu, and E. Zadok, "I3FS: An in-kernel integrity checker and intrusion detection file system," Proc. Large Installation System Administration Conference (LISA), Nov. 2004, pp. 67-78.
[16] F. Azmandian, M. Moe, M. Alshawabkeh, J. Dy, J. Aslam, and D. Kaeli, "Virtual machine monitor-based lightweight intrusion detection," SIGOPS Operating Systems Review, Vol. 45, pp. 38-53, July 2011.
[17] Knuth–Morris–Pratt algorithm, Wikipedia. http://en.wikipedia.org/wiki/Knuth%E2%80%93Morris%E2%80%93Pratt_algorithm
[18] Boyer–Moore string search algorithm, Wikipedia. http://en.wikipedia.org/wiki/Boyer%E2%80%93Moore_string_search_algorithm
[19] C. J. Coit, S. Staniford, and J. McAlerney, "Towards faster string matching for intrusion detection or exceeding the speed of Snort," 2001.
[20] A. Tirumala, F. Qin, J. Dugan, J. Ferguson, and K. Gibbs, "Iperf: The TCP/UDP bandwidth measurement tool," 2004. http://dast.nlanr.net/Projects/Iperf
[21] M. Muuss, "The story of the PING program," 1983. http://ftp.arl.army.mil/mike/ping.html
[22] The Linux/UNIX sar command. http://www.computerhope.com/unix/usar.htm
[23] Snort. http://icsp.nsysu.edu.tw/modules/tinycontent0/index.php?id=1
[24] Snort inline. http://blog.chinaunix.net/uid-105044-id-2952109.html
[25] PF_RING. http://www.ntop.org/products/pf_ring/
[26] 10 Gbps Snort multiprocessing with PF_RING. http://www.metaflows.com/blog/pf_ring/10-gbps-snort-multiprocessing-with-pf_ring/
[27] M. Roesch, "Snort: lightweight intrusion detection for networks." http://www.snort.org/
[28] Linux bridge. http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
[29] R. Olsson, "pktgen: the Linux packet generator." http://www.linuxfoundation.org/collaborate/workgroups/networking/pktgen
[30] S. Siddha, "Multi-Core and Linux Kernel," Intel Open Source Technology Center.
[31] J. Levon and P. Elie, "OProfile: A system profiler for Linux," 2005. http://oprofile.sourceforge.net
[32] Intel, "Accelerating High-Speed Networking with Intel I/O Acceleration Technology," White Paper, 2006.
[33] Intel, "Intelligent Queuing Technologies for Virtualization," White Paper, 2008.