| Popis: |
This dissertation deals with essential issues pertaining to high performance processing for network security and deep packet inspection. The proposed solutions keep pace with the increasing number and complexity of known attack descriptions providing multi-Gbps processing rates. We advocate the use of reconfigurable hardware to provide flexibility, hardware speed, and parallelism in challenging packet and content inspection functions. This thesis is divided in two parts, firstly content inspection and secondly packet inspection. The first part considers high speed scanning and analyzing packet payloads to detect hazardous contents. Such contents are described in either static patterns or regular expression format and need to be matched against incoming data. The proposed static pattern matching approach introduces pre-decoding to share matching characters in CAM-like comparators and a new perfect hashing algorithm to predict a matching pattern. The FPGA-designs match over 2,000 static patterns, provide 2 8 Gbps operating throughput and require 10-30% area of a large reconfigurable device; that is half the performance of an ASIC and approximately 30% more efficient compared to previous FPGA-based solutions. The regular expression design is performed following a Non-Deterministic Finite Automata (NFA) approach and introducing nw basic building blocks for complex regular expressions features. Theoretical grounds in support of the new blocks are established to prove their correctness. In doing so, approximately four times less Finite Automata states need to be stored. The designs achieve 1.6-3.2 Gbps throughput using 10-30% area of a large FPGA for matching over 1,500 regular expressions; that is 10-20x more efficient than previous FPGA-based works and comparable to ASICs. The second part of the thesis concerns offloading the overall processing of a packet inspection engine. Packet pre-filtering is introduced as a means to resolve or at least alleviate the processing requirements of matching incoming traffic against large datasets of known attacks. Partially matching descriptions of malicious traffic avoids further processing of over 98% of the attack descriptions per packet. Packet pre-filtering is implemented in reconfigurable technology and sustains 2.5 to 10 Gbps processing rates in a Xilinx Virtex2 device. |
