
Research on Key Technologies for Resisting Network Attacks Based on FPGA

Published: 2018-11-09 11:39
[Abstract]: Network security problems have always accompanied the development of computer networks. As Internet applications keep expanding and network bandwidth keeps increasing, hardware-based network security protection, as the most effective means of access control, has continued to improve in performance while also developing new architectures for different application fields, such as application-specific integrated circuits (ASIC), network processors (NP) and field-programmable gate arrays (FPGA). FPGA-based network security protection is programmable, scales well and has a short design cycle, so dedicated security control policies can be designed effectively for different application fields.

This thesis designs an FPGA-based network security protection platform and, on that basis, studies key technologies for resisting network attacks. It introduces the hardware system architecture of the FPGA network security platform and discusses in detail the circuit principles of the network communication circuit and the FPGA system. Based on the characteristics of different network attack methods, one-way network transmission control and protocol and content filtering are unified into a single packet filtering problem. The architecture of the RTL code is given, and the design of the network interface chip driver module, the CAM-based packet filtering engine and the half-duplex scheduling mechanism is described in detail. Functions such as bidirectional data forwarding and network security protection are tested step by step using a hierarchical approach, and the test system, test method and result analysis are given for each step.

The experimental results show that the FPGA network security protection platform designed in this thesis can forward and process network data, and the test results under different security protection policies verify the effectiveness of the proposed network security protection architecture based on the packet filtering engine.
[Degree-granting institution]: Tianjin University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08




Article ID: 2320304


Article link: https://www.wllwen.com/guanlilunwen/ydhl/2320304.html

