應用於網路入侵系統之高效能電路可程式化系統晶片設計

Abstract

此論文提出了用硬體來實現網路入侵偵測系統的電路設計,主要的概念是採用shift-or algorithm,並只使用到shift register, OR gates 和 ROM。 整個電路架構可以把ROM去除來稍作改良。此論文提出的硬體電路已經被驗證模擬及合成於Altera Stratix FPGA。實驗結果顯示出一次處理兩個characters的時候,throughput可到達6.75 Gbits/sec,硬體資源花費0.7 LE/chars。當電路一次處理四個characters的時候,throughput可達到9.2 Gbits/sec,硬體資源花費2.75 LE/chars。跟現有文獻來探討,我們提出的硬體電路可達到較高的throughput跟比較少的硬體資源。
This thesis introduces a novel FPGA based signature match co-processor that can serve as the core of a hardware-based network intrusion detection system (NIDS). The central idea of the signature match coprocessor is an architecture based on the shift-or algorithm, which utilizes simple shift registers, OR gates, and ROMs where patterns are stored. Moreover, the architecture can be improved further by the removal of the ROM. The proposed architecture has been prototyped, simulated and synthesized by the Altera Stratix FPGA. Experimental results reveal that the circuit with processing two characters at a time attains the throughput up to 6.75 Gbits/sec with area cost of 0.7 logic elements (LEs) per character. The circuit with processing four input characters at a time achieves the throughput up to 9.2 Gbits/sec with area cost of 2.75 LE per character. As compared with related works, experimental results show that the proposed architecture achieves higher throughput and less hardware resource in the FPGA implementations of NIDS.

Description

Keywords

網路安全, 可程式化系統晶片設計, 字串比對, Network Security, FPGA, String Matching

Citation

Collections