IP Core Design for DDoS Attack Identification Based on Network Security Chip

Funding:

Research on the Innovation Ecosystem and Applications of Domestic Advanced Computing Platforms (221100210600)
Abstract:

Distributed denial of service (DDoS) attacks, although a traditional form of network attack, still pose a serious threat to network security. This study builds on the SoC+IP construction model of a high-performance network security chip and proposes a DDoS attack identification method, implemented at the hardware level, for network-layer DDoS attacks. Following the design principles of hardware protocol stacks, logic gates disassemble and analyze network packets. The disassembled information is then checked for attacks, and the information of packets identified as attacks is recorded in an attack pool, where the host can read it at any time. An intellectual property (IP) core for DDoS attack identification based on this method is implemented in hardware logic, and the IP core is controlled by configuring registers over the advanced high-performance bus (AHB). Comprehensive and functional tests are performed on a simulation and verification platform based on SystemVerilog/Universal Verification Methodology (SV/UVM). The experiments show that the IP core meets the design requirements and can identify and detect DDoS attacks in real time, effectively improving the security protection of the high-performance network security chip.

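Cite this article

纪俊彤, 韩林, 于哲, 陈方. IP Core Design for DDoS Attack Identification Based on Network Security Chip. Computer Systems & Applications (计算机系统应用), 2023, 32(4): 120-128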

History
  • Received: 2022-09-16
  • Last revised: 2022-10-19
  • Published online: 2023-02-17