Parallel TCP/IP protocol stack for high-speed network intrusion detection systems
Cite this article: XIA Gao, LIU Bin. Parallel TCP/IP protocol stack for high-speed network intrusion detection systems [J]. Journal of Tsinghua University (Science and Technology), 2011(7): 942-948.
Authors: XIA Gao, LIU Bin
Institution: Institute of Network Technology, Department of Computer Science and Technology, Tsinghua University
Funding: National Natural Science Foundation of China (60625201; 60873250; 61073171); National Basic Research Program of China ("973" Program) (2007CB310701)
Abstract: As application-layer content inspection has reached speeds on the order of 10 Gb/s, the underlying TCP/IP stack has become the new bottleneck limiting the detection speed of network intrusion detection systems. Our earlier work used hardware and software features such as 64-bit instructions, parallel computing instructions and kernel data mapping to optimize the main performance bottlenecks: TCP checksum computation, TCP connection table hash computation, and data copying from kernel space to user space. Building on that work, this paper further studies connection-table hashing, half-open connection filtering and parallelization. A universal hash function is adopted as the hash function for TCP connection table lookups to avoid algorithmic complexity attacks, and parallel instructions from the SSE (streaming SIMD extensions) instruction set are used to speed up its computation; a Bloom filter is used to filter TCP half-open connections; and the stack is parallelized by loading a dynamic-link library (DLL) multiple times to obtain higher throughput. Experiments show that, with these improvements, a TCP/IP stack running on three processor cores reaches 4.4 Gb/s on attack traffic with an average packet length of 110 B and 15.2 Gb/s on normal traffic with an average packet length of 501 B, more than 4 times the throughput of the original system and 50% to 70% higher than the results of our earlier work.

Keywords: TCP/IP stack; universal hash; Bloom filter; multi-threading

Fast parallelized TCP/IP stack for high-speed network intrusion detection systems
XIA Gao, LIU Bin. Fast parallelized TCP/IP stack for high-speed network intrusion detection systems [J]. Journal of Tsinghua University (Science and Technology), 2011(7): 942-948.
Authors: XIA Gao, LIU Bin
Institution: Institute of Computer Networks, Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
Abstract: Since the speed of application-layer content detection has increased to 10 Gb/s, TCP/IP stacks have become the new bottleneck in network intrusion detection systems. Previous systems used 64-bit instructions, parallel instructions and kernel-space memory mapping to speed up bottlenecks such as TCP checksum computation, TCP connection table hash calculation and data copies from kernel space to user space. A method was developed that uses a universal hash for the TCP connection lookup table to avoid algorithmic complexity attacks, with the computation accelerated by the parallel instructions of the SSE (streaming SIMD extensions) instruction set. A Bloom filter is used to filter TCP half-open connections. The TCP/IP stack was then parallelized by loading a dynamic-link library (DLL) multiple times to achieve higher throughput. Evaluations show that a TCP/IP stack using three processor cores delivers 4.4 Gb/s throughput against attack traffic with an average packet size of 110 bytes and 15.2 Gb/s with normal traffic with an average packet size of 501 bytes, which is 4 times the speed of the original system and 50%-70% higher than the authors' previous work.
Keywords: TCP/IP stack; universal hash; Bloom filter; multi-threading
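The two mechanisms the abstract describes, a universal hash family keyed with random coefficients for the connection table and a Bloom filter that keeps half-open connections out of that table, sketched in Python as an added example. This is not the paper's code: the multilinear hash family, the split of the 4-tuple into 16-bit words, the BLAKE2b-keyed Bloom filter, the class and function names and all parameter values are this example's assumptions, and the SSE vectorisation the paper applies is not shown.

```python
"""Added example (not the paper's code): keyed universal hashing of TCP
4-tuples plus a Bloom filter that keeps half-open flows out of the table."""
import hashlib
import secrets
import struct
from typing import Dict, Iterator, List, Optional, Tuple

# Hypothetical parameters chosen for this example (not the paper's values).
P = (1 << 61) - 1        # Mersenne prime: modulus of the hash family
TABLE_BITS = 16          # connection table has 2**TABLE_BITS buckets
BLOOM_BITS = 1 << 20     # Bloom filter size in bits
BLOOM_K = 4              # hash functions per Bloom filter lookup

FourTuple = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


def tuple_words(ft: FourTuple) -> Tuple[int, ...]:
    """Serialise a 4-tuple to six 16-bit words (a 96-bit lookup key)."""
    src = bytes(int(o) for o in ft[0].split("."))
    dst = bytes(int(o) for o in ft[2].split("."))
    raw = src + struct.pack(">H", ft[1]) + dst + struct.pack(">H", ft[3])
    return struct.unpack(">6H", raw)


class UniversalHash:
    """Multilinear universal hash family: h(x) = sum(a_i * x_i) mod P.

    The coefficients a_i are drawn at random when the stack starts, so a
    sender who cannot observe them cannot precompute 4-tuples that all land
    in one bucket; two distinct keys collide with probability about 1/P
    before the reduction to a bucket index.  The per-word products are
    independent of each other, which is what makes the family SIMD-friendly.
    """

    def __init__(self, coeffs: Optional[List[int]] = None, nwords: int = 6):
        self.a = list(coeffs) if coeffs else [secrets.randbelow(P) for _ in range(nwords)]

    def __call__(self, ft: FourTuple) -> int:
        acc = 0
        for a_i, x_i in zip(self.a, tuple_words(ft)):
            acc = (acc + a_i * x_i) % P
        return acc

    def bucket(self, ft: FourTuple) -> int:
        return self(ft) & ((1 << TABLE_BITS) - 1)


class BloomFilter:
    """Keyed Bloom filter: bit positions come from BLAKE2b under a secret
    key, so a sender cannot aim inputs at particular bits either."""

    def __init__(self, nbits: int = BLOOM_BITS, k: int = BLOOM_K):
        self.nbits, self.k = nbits, k
        self.bits = bytearray(nbits // 8)
        self.key = secrets.token_bytes(32)

    def _positions(self, item: bytes) -> Iterator[int]:
        for i in range(self.k):
            d = hashlib.blake2b(item + bytes([i]), key=self.key, digest_size=8).digest()
            yield int.from_bytes(d, "big") % self.nbits

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


class ConnectionTracker:
    """A SYN only sets bits in the Bloom filter; a connection table entry is
    allocated when the handshake-completing ACK of a SYN-seen flow arrives.
    A SYN flood therefore costs filter bits, not table entries."""

    def __init__(self, h: Optional[UniversalHash] = None):
        self.h = h or UniversalHash()
        self.half_open = BloomFilter()
        self.table: Dict[int, Dict[FourTuple, str]] = {}

    @staticmethod
    def _key(ft: FourTuple) -> bytes:
        return struct.pack(">6H", *tuple_words(ft))

    def established(self) -> int:
        return sum(len(b) for b in self.table.values())

    def on_segment(self, ft: FourTuple, flags: str) -> str:
        """flags is 'S' (SYN), 'A' (ACK) or '' (data); returns the action taken."""
        bucket = self.table.get(self.h.bucket(ft), {})
        if ft in bucket:
            return "tracked"                      # already in the connection table
        if flags == "S":
            self.half_open.add(self._key(ft))     # remember the half-open flow only
            return "half-open"
        if flags == "A" and self._key(ft) in self.half_open:
            self.table.setdefault(self.h.bucket(ft), {})[ft] = "established"
            return "established"
        return "dropped"   # no SYN seen for this flow; a Bloom false positive admits at most a stray ACK
```

The Bloom filter has no delete operation, so a deployment has to age it out (for example by rotating two filters on a timer); false positives only ever admit a stray ACK into the table, while the hash coefficients and the filter key should be regenerated per stack instance rather than compiled in.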
This article is indexed in CNKI and other databases.