Contributors: 王勝德; 楊祝晉 (Yang, Ju-Cheng)
Affiliation: National Taiwan University: Graduate Institute of Electrical Engineering
Dates: 2010-07-01; 2018-07-06; 2008
Identifier: U0001-1908200812032300
URI: http://ntur.lib.ntu.edu.tw//handle/246246/187973

Abstract (translated from the Chinese):

Stateful packet inspection is one of the core technologies of network security devices such as routers and firewalls. It uses a session table to record the state of packet flows in order to decide whether an incoming packet is a normal packet; each entry of the session table stores the source and destination network addresses and port numbers along with other relevant important information. As network bandwidth keeps rising, a high-speed packet inspection architecture with low memory requirements is essential for withstanding network connection attacks.

In this thesis, we first propose a stateful packet inspection architecture with hashing as its core processing technique. We then modify this architecture, hashing the key of the session table (Hashing the Session Key, HSK) to derive a new stateful packet inspection architecture. This architecture is suitable for hardware implementation and thus offers higher processing performance. Moreover, if each hash table is given an independent memory block, parallel processing and a pipelined design can greatly accelerate the whole module.

Finally, theoretical analysis and experimental data verify the feasibility of the proposed stateful packet inspection architecture. Compared with other existing signature string-matching algorithms, it offers better processing speed and lower memory usage, and it can operate in high-speed network environments.

Abstract (English):

Stateful Packet Inspection (SPI) is one of the most critical functions for network security devices such as routers and firewalls. SPI uses previous communications to derive the state of the current communication and records the packet state in a session table whose entries typically store source and destination IP addresses, port numbers and other important information. As network wire speed increases, a high-performance, low-storage SPI architecture is required for defending against malicious TCP traffic. In this thesis, we start with a hashing-based SPI architecture which can filter most attack traffic. Then we propose an SPI approach called HSK (Hashing the Session Key) based on this architecture. An FPGA-based implementation can support better performance, especially when using a dedicated memory bank for each hashing table and using pipeline technologies.

Both theoretical and experimental results show that our SPI-HSK architecture can provide a higher processing speed and a lower storage requirement than other existing signature-based SPI solutions, and can work well in Gigabit Ethernet networks.

Table of contents:

Oral Examination Committee Certification
Acknowledgements
Abstract (Chinese)
Abstract
List of Tables
List of Figures
List of Algorithms
Chapter 1 Introduction
  1.1 Background
  1.2 Session Table Processing
  1.3 Contributions
  1.4 Thesis Organization
Chapter 2 Related Work
  2.1 Signature-Based Solutions
  2.2 Defending SYN Flooding Attack
  2.3 Non-Signature-Based Solutions (Anomaly Detection)
Chapter 3 Proposed Architecture
  3.1 System Overview and Packet Processing Flow
  3.2 The Design of the SPI Architecture
    3.2.1 The General SPI Architecture
    3.2.2 The SPI Processing Algorithm
    3.2.3 Time and Space Complexity Analysis
    3.2.4 The Hardware Design of the SPI Architecture
  3.3 The SPI-HSK Architecture
    3.3.1 The General SPI-HSK Architecture
    3.3.2 The SPI-HSK Processing Algorithm
    3.3.3 Time and Space Complexity Analysis
    3.3.4 The Hardware Design of the SPI-HSK Architecture
  3.4 Speed Up the Design
    3.4.1 Using the Separate Memory Banks
    3.4.2 The Pipeline Architecture
Chapter 4 Implementation
  4.1 The TCP Trace Generator
  4.2 Software Simulation
  4.3 FPGA Verification
Chapter 5 Experiment Results
  5.1 Accurate Rate versus Parameters
  5.3 Performance Evaluation
  5.3 Comparison and Discussions
Chapter 6 Conclusions and Future Work
References

File size: 1469301 bytes
Format: application/pdf
Language: en-US
Keywords: Hashing; stateful packet inspection; session table; network security
Title: High-Speed Stateful Packet Inspection Architecture for Network Intrusion Detection Systems (應用於網路入侵偵測系統之快速狀態化封包檢測架構)
Type: thesis
Full text: http://ntur.lib.ntu.edu.tw/bitstream/246246/187973/1/ntu-97-R95921094-1.pdf