| Summary: | 碩士 === 國立中央大學 === 資訊管理研究所 === 97 === As network services become more and more important in our society, the demand
for network security systems is increasing. Network intrusion detection systems (NIDS)
provide an effective and secure solution to the network attacks and are widely used in
enterprises. Many NIDSs, such as Snort, are based on software, so their processing
speeds are much slower than wire-speed. FPGA technology has properties which are
high speed string matching and reprogrammable, but the resources in FPGA are limited
while the database of signatures has become very large and keeps growing.
In this thesis we use decision tree to improve the utilization of resources when
implementing NIDS on FPGA. The system uses decision tree to process the rule
header to reduce resource requirements. Rule options are organized to multiple string
matching groups according to the matching results of rule header. We implement an
IDS circuit that process 1023 Snort rules at FPGA. The experimental results show
that the system can reduce the average of resource by 56%.
In addition, we develop a tool to automatically generate the Verilog HDL source
code of the IDS circuit from a Snort rule set. Using the FPGA and the IDS circuit
generator, the proposed system is able to update the matching rule corresponding to
new intrusion and attacks.
|
|---|
