
Research and Application of Key Technologies for High-Speed Network Flow Filtering

Published: 2018-07-08 12:49

  Topics: field-programmable gate array + En_ClusterFA algorithm; Source: Changsha University of Science and Technology, master's thesis, 2014


[Abstract]: As networks have developed, illegal information on the network has come to seriously threaten network security, so information that is harmful or that violates security policy needs to be filtered. Traditional filtering techniques filter on packet headers, but more and more harmful information is hidden in packet contents, and traditional filtering alone cannot solve this problem effectively. Because regular expressions are powerful, flexible and rich in expressive ability, regular expression matching is used as the key filtering technique for network data flows. Converting regular expression rules into a deterministic finite automaton (DFA) suffers from the "space explosion" problem, which consumes a large amount of memory, so that the DFA state table cannot effectively be stored directly in memory; the DFA state table therefore has to be compressed to reduce its memory footprint. In a high-speed network flow environment, filtering data requires a great deal of computing power, and the field-programmable gate array (FPGA), with its hardware parallelism, is well suited to processing large volumes of network traffic. To address these problems, and taking advantage of FPGA parallel acceleration, this thesis studies high-speed network flow filtering based on regular expression matching, and designs and implements a high-speed network flow filtering system on the NetFPGA-10G platform. The main contributions are as follows: (1) An algorithm that improves the compression ratio of ClusterFA, called En_ClusterFA, is proposed. To solve the "space explosion" problem in regular expression matching, earlier work proposed a cluster-based DFA compression algorithm, ClusterFA; however, it is difficult to choose the ideal number of groups for that algorithm, and consecutive repeated transition states occur frequently within each row of its class-center vector table. To address this, En_ClusterFA extracts the head and tail parts that are identical between rows of the class-center vector table and run-length encodes them to build an index table, then run-length encodes the transition states in the remaining part of the class-center vector table. Experimental results show that, compared with the compression ratio of the DFA state table under ClusterFA, En_ClusterFA improves it by 4% on average. (2) Using the advantages of En_ClusterFA and the parallel acceleration of the FPGA, a high-speed network flow filtering system is designed and implemented on the NetFPGA-10G platform: exact string matching and DFA matching in hardware identify and filter the relevant network flows, which are passed to the corresponding data buffer in the kernel driver layer and then, bypassing the protocol stack, copied directly to user space. To verify the correctness of the exact string matching and DFA matching functions, the numbers of filtered packets are counted by category in hardware and then displayed in the user interface. The experimental results verify the correctness of the FPGA implementation of En_ClusterFA.
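A simplified sketch of the head/tail extraction and run-length coding that the abstract describes for the class-center vector table, added here as an illustration and not code from the thesis. The table contents, the 16-symbol row width, the function names and the reading of "identical head and tail" as a prefix and suffix shared by all rows are assumptions, since this page does not give the table layout.

```python
from itertools import groupby

# Constructed sample: 3 cluster-center rows of a DFA transition table
# (next-state ids over a 16-symbol alphabet). Not data from the thesis.
CENTERS = [
    [0, 0, 0, 0, 1, 1, 2, 2, 2, 2, 3, 3, 0, 0, 0, 0],
    [0, 0, 0, 0, 4, 4, 4, 4, 2, 2, 3, 3, 0, 0, 0, 0],
    [0, 0, 0, 0, 1, 1, 1, 5, 5, 5, 3, 3, 0, 0, 0, 0],
]

def rle(seq):
    """Run-length encode a sequence into (value, run_length) pairs."""
    return [(v, len(list(g))) for v, g in groupby(seq)]

def unrle(pairs):
    """Expand (value, run_length) pairs back into a flat list."""
    return [v for v, n in pairs for _ in range(n)]

def shared_prefix_len(rows):
    """Number of leading columns whose value is the same in every row."""
    n = 0
    for column in zip(*rows):
        if len(set(column)) != 1:
            break
        n += 1
    return n

def compress(rows):
    """Store the shared head and tail once (the index), RLE each row's remainder."""
    if not rows:
        return {"head": [], "tail": [], "body": []}
    head = shared_prefix_len(rows)
    # Measure the tail on what is left after the head so the two never overlap.
    tail = shared_prefix_len([r[head:][::-1] for r in rows])
    end = len(rows[0]) - tail
    return {
        "head": rle(rows[0][:head]),
        "tail": rle(rows[0][end:]),
        "body": [rle(r[head:end]) for r in rows],
    }

def decompress(c):
    """Rebuild the full rows; a lookup must see the original transitions."""
    head, tail = unrle(c["head"]), unrle(c["tail"])
    return [head + unrle(body) + tail for body in c["body"]]

def stored_cells(c):
    """Integers kept after compression: two per (value, run_length) pair."""
    pairs = len(c["head"]) + len(c["tail"]) + sum(len(b) for b in c["body"])
    return 2 * pairs
```

On the constructed table the 48 stored transitions shrink to 18 integers, and `decompress` returns the original rows, which is the property a hardware lookup depends on.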
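[Degree-granting institution]: Changsha University of Science and Technology
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08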


Article ID: 2107486


Link to this article: https://www.wllwen.com/guanlilunwen/ydhl/2107486.html

