
Hardware acceleration of network intrusion detection and prevention


Abstract

Network Intrusion Detection and Prevention Systems (NIDPS) are important elements of network security. Their role is to monitor internet traffic for malicious content and, on detection, generate an alert message and/or block the offending traffic. Potential attacks are described in a database of rules known as the rule set, where each rule consists of an IP header part and a payload signature part. The payload signature can be in the form of a fixed string and/or regular expression. This thesis studies the three main stages of these systems, namely TCP/IP reassembly, multi-match header matching and Deep Packet Inspection (DPI).

TCP/IP reassembly is a necessary prerequisite to DPI, as attack patterns may span more than one IP fragment or TCP segment. Either target-based reassembly or traffic normalisation is required in order to overcome insertion/evasion attacks. This thesis builds upon existing research by outlining an FPGA-based architecture that handles the common case of reassembling in-sequence data streams in hardware and the much rarer out-of-sequence data streams in software.

Multi-match header matching involves the matching of each packet header against the header section of all rules. This differs from the single-match classification used in routers, where there is a single highest-priority match per packet. The strategy adopted in this thesis was to adapt a number of single-match algorithms to perform multi-matching and to compare their performance with existing solutions. Existing solutions typically involve the use of Ternary Content Addressable Memory (TCAM) and therefore suffer from disadvantages such as high cost, high energy consumption and low storage efficiency. Algorithmic solutions, which use SRAM instead of TCAM, can therefore have an advantage. The adapted algorithms were implemented in C code and evaluated in terms of speed and energy efficiency on an ARM processor.

DPI is particularly challenging due to the number and complexity of regular expressions. This thesis builds on existing research into bit-parallel hardware architectures. The main contribution is an extension for the efficient handling of the constrained {min,max} repetition syntax, including a solution to the issue of counter overlap. This allows for the handling of many additional regular expressions that would otherwise be unsuitable. The design was implemented in VHDL and evaluated using the Xilinx tool set. A comprehensive review of the most significant research works in the DPI field is also provided.
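The reassembly part of the abstract describes a cheap path for in-sequence segments, a slower path for everything else, and the insertion/evasion problem that makes target-based reassembly (or normalisation) necessary. The Python model below is an added example, not code from the thesis: it reassembles a constructed TCP stream under two simplified overlap policies ("first" keeps the bytes already received, "last" lets newer bytes overwrite them) and shows that an IDS which resolves overlaps differently from the target host either misses the attack (evasion) or alerts on bytes the target never saw (insertion). The segment contents, the signature and the two policy names are constructed for the example; real stacks have more nuanced overlap behaviour.

```python
"""TCP reassembly with a per-target overlap policy (added example, not
code from the thesis). Segments, signature and policies are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # absolute sequence number of data[0]
    data: bytes


class Reassembler:
    """Reassembles one direction of a TCP stream byte by byte.

    policy: which bytes win when two segments overlap.
      "first" - bytes already received are kept
      "last"  - the most recently received bytes overwrite earlier ones
    """

    def __init__(self, isn: int, policy: str):
        if policy not in ("first", "last"):
            raise ValueError("policy must be 'first' or 'last'")
        self.isn = isn
        self.policy = policy
        self.next_seq = isn        # first sequence number not yet contiguous
        self.store = {}            # absolute seq -> byte value
        self.in_sequence = 0       # segments that took the fast path
        self.out_of_sequence = 0   # segments that needed buffering or merging

    def feed(self, seg: Segment) -> None:
        # Common case: the segment continues the stream exactly and nothing
        # is buffered ahead of it, so no merging is required.
        ahead = any(k >= self.next_seq for k in self.store)
        if seg.seq == self.next_seq and not ahead:
            self.in_sequence += 1
        else:
            self.out_of_sequence += 1
        for i, b in enumerate(seg.data):
            k = seg.seq + i
            if self.policy == "last" or k not in self.store:
                self.store[k] = b
        # Advance over whatever is now contiguous (fills gaps left earlier).
        while self.next_seq in self.store:
            self.next_seq += 1

    def stream(self) -> bytes:
        """Contiguous application data reassembled so far."""
        return bytes(self.store[k] for k in range(self.isn, self.next_seq))


def reassemble(segments, isn, policy):
    """Returns (stream bytes, in-sequence count, out-of-sequence count)."""
    r = Reassembler(isn, policy)
    for s in segments:
        r.feed(s)
    return r.stream(), r.in_sequence, r.out_of_sequence


SIGNATURE = b"/etc/passwd"   # constructed payload signature

# Constructed attack: decoy and real payload occupy the same sequence space,
# so the reassembled content depends on the overlap policy.
ISN = 1000
EVASION = [
    Segment(ISN, b"GET /etc/"),
    Segment(ISN + 9, b"ABCDEF"),   # decoy, arrives first
    Segment(ISN + 9, b"passwd"),   # real payload, arrives second and overlaps
]


def ids_verdict(segments, ids_policy, target_policy):
    """Compare what the IDS reassembles with what the target host sees."""
    ids_view, _, _ = reassemble(segments, ISN, ids_policy)
    target_view, _, _ = reassemble(segments, ISN, target_policy)
    alerted = SIGNATURE in ids_view
    attacked = SIGNATURE in target_view
    if attacked and not alerted:
        return "evasion"      # target sees the attack, the IDS does not
    if alerted and not attacked:
        return "insertion"    # IDS alerts on bytes the target never saw
    return "consistent"


if __name__ == "__main__":
    for ids_pol, tgt_pol in (("first", "last"), ("last", "first"), ("last", "last")):
        print(f"IDS={ids_pol:5} target={tgt_pol:5} -> {ids_verdict(EVASION, ids_pol, tgt_pol)}")
    data, fast, slow = reassemble(EVASION, ISN, "last")
    print(data, "in-sequence:", fast, "out-of-sequence:", slow)
```

Run as a script it prints the verdict for each IDS/target policy pair. The two contiguous segments are counted on the in-sequence path and the overlapping decoy on the out-of-sequence path, which is the split the abstract places between hardware and software; the verdicts show why the policy on the slow path must be the target's, not an arbitrary one.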
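The header-matching part of the abstract contrasts multi-match (every rule whose header part matches, because each one carries its own payload signature still to be checked) with the single highest-priority match of a router classifier, and points to SRAM-based algorithmic schemes as the alternative to TCAM. The Python below is an added example and not the thesis's C implementation: it treats each header field (source and destination prefix, protocol, destination port range) as an interval, projects the rules' intervals onto elementary ranges with a precomputed rule bit vector per range, and ANDs one looked-up bit vector per field, in the style of the classic bit-vector classification scheme. The five-rule set and the sample packets are constructed, and rule order stands in for priority.

```python
"""Multi-match header classification with per-field bit vectors (added
example, not code from the thesis). Rule set and packets are constructed."""
from bisect import bisect_right
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR prefix or "any"
    dst: str     # CIDR prefix or "any"
    proto: str   # "tcp", "udp" or "any"
    dport: str   # "80", "1024-65535" or "any"


PROTO = {"tcp": 6, "udp": 17}


def ip_interval(cidr):
    if cidr == "any":
        return 0, 2**32 - 1
    net = ip_network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def proto_interval(p):
    return (0, 255) if p == "any" else (PROTO[p], PROTO[p])


def port_interval(spec):
    if spec == "any":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


class IntervalField:
    """Projects the rules' intervals for one field onto elementary ranges.

    Bit i of a range's mask is set when rule i covers that whole range, so
    one binary search per field yields the bit vector of all matching rules.
    """

    def __init__(self, intervals):
        self.edges = sorted({e for lo, hi in intervals for e in (lo, hi + 1)})
        self.masks = []
        for start, end in zip(self.edges, self.edges[1:]):
            mask = 0
            for i, (lo, hi) in enumerate(intervals):
                if lo <= start and hi >= end - 1:
                    mask |= 1 << i
            self.masks.append(mask)

    def lookup(self, value):
        i = bisect_right(self.edges, value) - 1
        return self.masks[i] if 0 <= i < len(self.masks) else 0


class HeaderClassifier:
    def __init__(self, rules):
        self.rules = list(rules)
        self.fields = [
            IntervalField([ip_interval(r.src) for r in self.rules]),
            IntervalField([ip_interval(r.dst) for r in self.rules]),
            IntervalField([proto_interval(r.proto) for r in self.rules]),
            IntervalField([port_interval(r.dport) for r in self.rules]),
        ]

    def multi_match(self, src, dst, proto, dport):
        """All rules whose header part matches: what an NIDPS needs."""
        keys = (int(ip_address(src)), int(ip_address(dst)), PROTO[proto], dport)
        mask = (1 << len(self.rules)) - 1
        for field, key in zip(self.fields, keys):
            mask &= field.lookup(key)      # one AND per header field
        return [r.name for i, r in enumerate(self.rules) if mask >> i & 1]

    def single_match(self, *pkt):
        """Highest-priority (lowest-numbered) rule only, as a router would."""
        names = self.multi_match(*pkt)
        return names[0] if names else None


# Constructed rule set; list position is the priority.
RULES = [
    Rule("any-http",        "any",          "any",             "tcp", "80"),
    Rule("dmz-web-inbound", "any",          "198.51.100.0/24", "tcp", "80"),
    Rule("dmz-any",         "any",          "198.51.100.0/24", "any", "any"),
    Rule("dns-udp",         "any",          "any",             "udp", "53"),
    Rule("high-ports-tcp",  "192.0.2.0/24", "any",             "tcp", "1024-65535"),
]

if __name__ == "__main__":
    clf = HeaderClassifier(RULES)
    pkt = ("192.0.2.7", "198.51.100.10", "tcp", 80)
    print("router single match:", clf.single_match(*pkt))
    print("NIDPS multi match:  ", clf.multi_match(*pkt))
```

The first packet matches three rules, so a single-match classifier would hand only "any-http" to the payload stage and the other two signatures would never be checked. The per-field masks are plain integers, which is the property that makes this family of schemes suitable for SRAM lookups and wide AND gates in hardware rather than TCAM.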

Bibliographic details

  • Author: Cronin, Brendan
  • Year: 2014
  • Format: PDF
  • Language: en
