Deep content inspection for high speed computer networks.

摘要

Thanks to broadband Internet access, more people are using the computer network to do their everyday activities than ever. However, insufficient security measures from the service providers leave most Internet users defenseless against malicious attacks through web pages, e-mails, and other application-specific network transfers. As a result, it has been estimated that computer network intrusions cost global businesses over {dollar}55B in damages in the year 2003 alone. Currently, one of the most effective ways to detect and filter such network attack is deep packet inspection. While there are a few systems using deep packet inspection techniques, most are software system running on processors that lack the resources to keep up with fast networks such as gigabit Ethernet. The most essential, yet computationally intensive task of deep packet inspection is dynamic pattern search. Therefore, my research has focused on developing high performance pattern search hardware. In my research, I have developed accelerator architecture that has evolved over time to produce several compact and yet powerful pattern search accelerators for reconfigurable devices and ASIC. The architecture has been implemented to support the entire set of worm signatures defined in the open source network intrusion system named Snort. The smallest of the implemented engines is capable of identifying over two thousand patterns on every byte alignment at a rate of two gigabit per second. Although deep packet inspection has been effective in protecting networks that use the system, history suggests that more elusive attacks such as polymorphic worms will likely infiltrate such network in the near future. Since deep packet inspection systems cannot recognize beyond regular expressions, the polymorphic attacks would not be easily detected. Therefore, I present a novel co-processor architecture for recognizing language structure by the way of context free grammar parsing. Along with the pattern detection accelerator, the grammar parser provides an even more powerful tool for detecting future network intrusions.