Design and Implementation of a DPDK-based Virtual NIPS

doi:10.3969/j.issn.1671-1122.2018.05.005

Abstract

Abstract:

As the threat of network security, NIDS/NIPS have become an important way to protect network environment. Considering the existing NIDS/NIPS software, such as Snort and Iptables have ineffective data processing performance, this paper propose a DPDK based Virtual NIPS(vD-IPS).This paper design the overall architecture of the system, highlighting the packet connection and detection module and packet cleaning module. Considering the multiple attack environments, this paper design and implement a mechanism of pattern matching algorithm selection. After experimental verification, vD-IPS Satisfy the requirements of intrusion detection and packet cleaning. Compare to Snort, the performance of packet connection and detection of vD-IPS with one core increased by 1.64 times and two cores has increased by 2.62 times. Comparing to Iptables, the performance of packet cleaning of vD-IPS with one core has increased by 1.56 times and two cores have increased by 1.89 times and three cores have increased by 2.21 times. In conclusion, vD-IPS performs better with the same abilities of detection and protection comparing to Snort and Iptables. With the increasing numbers of cores, vD-IPS has further improvement of performance. vD-IPS can select different pattern matching algorithm which has the best matching effect according to the character set size and string length of different pattern string.

Key words: NIPS, DPDK, intrusion detection, packet cleaning, pattern matching

CLC Number:

TP309

Chaoling LIU, Yan ZHANG, Huiran YANG, Hongjing WU. Design and Implementation of a DPDK-based Virtual NIPS[J]. Netinfo Security, 2018, 18(5): 41-51.

Figures/Tables 15

References 22

[1]	CAO Zijian,ZHAO Yufeng,RONG Xiaofeng.Platform Design of Network Intrusion Detection Cooperating with Firewall[J].Netinfo Security,2012(9):12-14.
	曹子建,赵宇峰,容晓峰.网络入侵检测与防火墙联动平台设计[J].信息网络安全,2012(9):12-14.
[2]	QING Hao,YUAN Hongchun.Research on Intrusion Prevention System and Its Implementation[J].Communications Technology,2003(6):101-103.
	卿昊,袁宏春.入侵防御系统(IPS)的技术研究及其实现[J].通信技术,2003(6):101-103.
[3]	ISS. Flaw: ISS RealSecure[EB/OL]. ,2018-1-10.
[4]	CISCO.Cisco[EB/OL].,2018-1-10.
[5]	NSFOCUS. NGIPS[EB/OL]. ,2018-1-10.
[6]	TOPSEC. topsec IPS[EB/OL]. ,2018-1-10.
[7]	LI Kang, XIN Yang, ZHU Hongliang.Analysis and Design of Packet Capture Module in Intrusion Detection System Based on Snort[J].Netinfo Security,2012(10):23-28.
	李康,辛阳,朱洪亮.Snort入侵检测系统中数据包捕获模块的分析与设计[J].信息网络安全,2012(10):23-28.
[8]	SURICATA. Suricata[EB/OL]., 2018-1-10.
[9]	PFSENSE. Pfsense[EB/OL].,2018-1-10.
[10]	NETFILTER. Iptables [EB/OL].,2018-1-10.
[11]	SHOREWALL. shorewall[EB/OL].,2018-1-10.
[12]	UBUNTU, wiki. Ufw UserGuide[EB/OL]. ,2018-1-10.
[13]	VUURMUUR. Vuurmuur Firewall[EB/OL].,2018-1-10.
[14]	INTEL. DPDK[EB/OL]. ,2018-1-10.
[15]	CHENG Jie.Data Structures[M]. Beijing: TsingHua University Press,2011.
	程杰. 大话数据结构[M]. 北京:清华大学出版社, 2011.
[16]	SIMONE F, THIERRY L.A Multiple Sliding Windows Approach to Speed up String Matching Algorithms[J]. Lecture Notes in Computer Science, 2012, 72(76):172-183.
[17]	WU Xihong,ZENG Feng.Research on AC Multiple Pattern Matching Algorithm[J].Computer Engineering,2012, 38(6): 279-281.
	巫喜红,曾锋.AC 多模式匹配算法研究[J].计算机工程,2012, 38(6):279-281.
[18]	DONG Zhixin,FANG Binxing.Optimization Research of Multi Pattern Matching Algorithm Based on AC_QS[J].Intelligent Computer and Applications,2017,7(5):100-103.
	董志鑫,方滨兴.基于AC_QS 多模式匹配算法的优化研究[J].智能计算机与应用,2017,7(5):100-103.
[19]	QQ_32023541.The Principle of CW Clustering Algorithm[EB/OL]. ,2018-1-10.
[20]	ZHAO Guofeng,YE Fei,YAO Yongan,et al.Design and Implementation of a Multi-pattern String Matching Algorithm in Cloud Center Network Intrusion Detection System[J].Netinfo Security,2018(1):52-57.
	赵国锋,叶飞,姚永安,等.一种面向云中心网络入侵检测的多模式匹配算法[J].信息网络安全,2018(1):52-57.
[21]	LIU Ping, TAN Jianlong.A Fast String Matching Algorithm in Content-based XML Filtering[J].Journal of Chinese Infomation Processiog,2005(2):20-27.
	刘萍,谭建龙.XML 内容筛选中的快速串匹配算法[J].中文信息学报,2005(2):20-27.
[22]	ZHOU Lihua.The Implementation of Network Intrusion Detection System Based on SBOM Algorithm[J].Intelligent Computer and Applications,2013,3(3):90-92.
	周丽华. 基于SBOM算法的网络入侵检测系统的实现[J].智能计算机与应用,2013,3(3):90-92.