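Research and Application of Key Technologies for High-Speed Network Flow Filtering
Published: 2018-07-08 12:49
Topic of this thesis: field-programmable gate array + En_ClusterFA algorithm; Reference: Changsha University of Science and Technology, 2014 master's thesis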
[Abstract]: With the development of networks, illegal information on the network seriously threatens network security, so information that is harmful or that violates the security policy must be filtered. Traditional filtering techniques filter on packet headers, but more and more harmful information is hidden in packet content, and traditional filtering alone cannot solve this problem effectively. Because regular expressions are powerful, flexible and rich in descriptive ability, regular expression matching is used as the key filtering technology for filtering network data flows. Converting regular expression rules into a deterministic finite automaton (DFA) suffers from the "space explosion" problem: it consumes a large amount of memory, so the DFA state table cannot be stored in memory directly and must be compressed to reduce its memory footprint. In a high-speed network flow environment, filtering data requires a great deal of computing power, and the field-programmable gate array (FPGA), with its hardware parallelism, is well suited to processing large volumes of network flows. To address these problems, and drawing on FPGA parallel acceleration, this thesis studies high-speed network flow filtering based on regular expression matching, and designs and implements a high-speed network flow filtering system on the NetFPGA-10G platform. The main contributions are as follows:
(1) An algorithm that improves the compression ratio of ClusterFA is proposed, called the En_ClusterFA algorithm. To solve the "space explosion" problem in regular expression matching, earlier researchers proposed a cluster-based DFA compression algorithm, the ClusterFA algorithm. However, it is difficult to choose an ideal number of groups for that algorithm, and consecutive repeated transition states occur frequently within each row of its class center vector table. To address this, the En_ClusterFA algorithm extracts the head and tail parts that are identical between rows of the class center vector table, run-length encodes them to build an index table, and then run-length encodes the transition states in the remaining part of the class center vector table. Experimental results show that, compared with the compression ratio of the DFA state table under the ClusterFA algorithm, the En_ClusterFA algorithm improves it by 4% on average.
(2) Using the advantages of the En_ClusterFA algorithm and the parallel acceleration of the FPGA, a high-speed network flow filtering system is designed and implemented on the NetFPGA-10G platform. Network flows are identified and filtered in hardware by exact string matching and DFA matching, passed to the corresponding data buffer in the kernel driver layer, and then copied directly to user space, bypassing the protocol stack. To verify the correctness of the exact string matching and DFA matching functions, the number of filtered packets is counted by category in hardware and then displayed in the user interface. The experimental results verify the correctness of the En_ClusterFA algorithm as implemented on the FPGA.
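The head/tail extraction and run-length coding described in contribution (1), as an added Python sketch that is not the thesis's code. The fixed `head_len`/`tail_len` split, the layout of the shared index table, the unit cost model and the `CENTERS` table are assumptions constructed for illustration.

```python
from itertools import groupby

def rle(seq):
    """Run-length encode: [7, 7, 7, 2] -> ((7, 3), (2, 1))."""
    return tuple((v, len(list(g))) for v, g in groupby(seq))

def unrle(pairs):
    return [v for v, n in pairs for _ in range(n)]

def compress(table, head_len, tail_len):
    """Assumed scheme: every distinct RLE-coded head or tail is stored once
    in an index table; a row keeps two indices plus its RLE-coded middle."""
    index, rows = [], []
    def intern(segment):
        code = rle(segment)
        if code not in index:
            index.append(code)
        return index.index(code)
    for row in table:
        mid_end = len(row) - tail_len
        rows.append((intern(row[:head_len]),
                     rle(row[head_len:mid_end]),
                     intern(row[mid_end:])))
    return index, rows

def decompress(index, rows):
    return [unrle(index[h]) + unrle(mid) + unrle(index[t]) for h, mid, t in rows]

def plain_units(table):
    """Cost of run-length coding each row alone (a pair costs 2 units)."""
    return 2 * sum(len(rle(row)) for row in table)

def stored_units(index, rows):
    """Cost with the index table: pairs cost 2 units, each row index 1."""
    pairs = sum(len(c) for c in index) + sum(len(mid) for _, mid, _ in rows)
    return 2 * pairs + 2 * len(rows)

# Constructed 4 x 12 class center vector table: next state per input symbol.
CENTERS = [
    [0, 0, 0, 0, 1, 1, 2, 2, 0, 0, 0, 0],
    [0, 0, 0, 0, 3, 3, 3, 1, 0, 0, 0, 0],
    [0, 0, 0, 0, 2, 1, 1, 1, 5, 5, 5, 5],
    [0, 0, 0, 0, 4, 4, 4, 4, 5, 5, 5, 5],
]

if __name__ == "__main__":
    index, rows = compress(CENTERS, head_len=4, tail_len=4)
    assert decompress(index, rows) == CENTERS  # lossless round trip
    print(plain_units(CENTERS), stored_units(index, rows))
```

On a real 256-symbol table the shared heads and tails are much longer than in this toy table, so the saving from storing them once grows with the number of rows.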
[Degree-granting institution]: Changsha University of Science and Technology
[Degree level]: Master's
[Year degree conferred]: 2014
[Classification number]: TP393.08
Article ID: 2107486
Article link: http://sikaile.net/guanlilunwen/ydhl/2107486.html