KR20190028597A - Matching method of high speed snort rule and yara rule based on fpga - Google Patents

Abstract

The present invention relates to a method for matching a high-speed snort rule and yara rule based on FPGA, which comprises: a rule conversion step of converting a snort rule and a yara rule in a detection rule converter, and storing a fixed pattern and a PCRE pattern in a memory on a hardware board; a pattern matching step of receiving a packet input from a network on the basis of the converted rule, and performing packet parsing in a packet FIFO and a high-speed packet processing module to separately perform matching with the fixed pattern and the PCRE pattern; a hash matching step of receiving a header value and a payload of the packet from the packet parsing to reconfigure a file, storing the same in a memory in an FPGA, and matching the same with hash values stored based on an additionally inputted packet to generate a mitigation control signal in a detection result processing module; and a packet forwarding step of reading the packet from the packet FIFO to determine whether to mitigate the packet, and continuously generating packet dropping and packet forwarding.

Description

FIELD OF THE INVENTION [0001] The present invention relates to an FPGA-based fast snooze rule and a method of matching a high-

The present invention relates to an FPGA-based fast SNORT rule and a YARA rule matching method.

Many companies and individuals use a computer to access the network to share information. In addition, these network users typically want to share a minimal amount of information between computers and computers outside the network using the Internet through a Web site for multiple purposes. This information sharing is performed by establishing a communication session between the server computer and the client computer. These physical and logical connections between computers establish a global computer network such as the Internet.

Unfortunately, a malicious computer user may use an Internet connection to interfere with the communication of the network over the Internet, access sensitive data, or erase data. An example of such an attack is a denial of service attack ("DoS") in which an attacker attempts to deny service to a particular client on a victim machine.

DoS attacks can be performed in a variety of ways, including using the server's memory and network connections. The services of the server computer may be interrupted by a network attack that can be detected by the IDS or IPS system.

To establish a network connection, there must be a session establishment process between the client computer and the server. For example, a client computer requests a service from a server. In response to this request, the server allocates memory space and processing time, sends the response back to the computer, and waits for the client computer to respond. The client computer can send a lot of service requests to the server, but it can not reply to the server. The server then waits for a response that it never receives while wasting memory and processing time. During the wait while the server receives additional data packets, the server may run out of memory, process the space, or disconnect the network. Eventually, the request is too much so that the server can not provide the connection to the legitimate user and the communication of the server over the Internet is essentially terminated. This can result in loss of e-mail, Internet access, and Web server functionality.

Another example of such an attack is to flood the server with large amounts of data packets to consume all CPU power, thereby causing the server to run numerous programs or scripts to prevent legitimate users from accessing the network or consuming the available memory space There is a case.

It is difficult to detect attacks that use the signatures of packet payloads when many of the network attack types have to check many packets. Currently used processes for applying signature detection and detection detection policies are software based solutions using pure CPU power. The CPU-based solutions are based on the logical structure of the S / W, and the functions to be basically processed are sequentially executed, which causes a lot of problems in improving the performance. Therefore, if the link speed can not be processed in a single network security system, the network structure becomes complicated and operation becomes difficult.

It is an object of the present invention to solve the above problems and to provide an apparatus and method for converting a rule applied to Snort and Yarara into a detection rule to be used in a device, Based fast snooze rule and yara rule matching that detects rules in packet, session, and file units and prevents malicious packets and files from infiltrating through packet-based defense for real-time network security Method.

It is another object of the present invention to provide an FPGA-based high-speed FPGA that overcomes the deterioration in detection and prevention performance due to a complicated network structure and a CPU-consuming signature matching process by implementing a hardware- And to provide a method of matching Snort rules and Yarar rules.

According to another aspect of the present invention, there is provided an FPGA-based fast snooze rule and a Yahara rule matching method, wherein a Snort rule and a Yarar rule are transformed by a detection rule converter to store a fixed pattern and a PCRE pattern in a memory on a hardware board A rule conversion step; A pattern matching step of receiving a packet input from the network based on the converted rule and performing packet parsing in a packet FIFO and a fast packet processing module to perform a fixed pattern and a PCRE pattern matching, respectively; Receives the header value and payload of the packet from the packet parsing, reconstructs the file, stores it in a memory in the FPGA, matches the hash values stored on the basis of the further input packet, and outputs a mitigation control signal in the detection result processing module A generated hash matching step; And a packet forwarding step of continuously generating a packet drop and a packet forwarding by determining whether to mitigate the packet by reading the packet from the packet FIFO.

Wherein the rule conversion step includes: a snoop rule and a jaarule editing step for converting the snoop and jaarul rule in the detection rule converter; A fixed pattern storage step of storing the fixed patterns converted in the Snort rule and the Jahar rule in an internal dual port RAM block memory of the FPGA in which the detection engine operates so that the fixed patterns can be applied in the high speed packet processing module; And a PCRE pattern storing step of storing the PCRE pattern among the result values converted from the Snoop and Yarar rules in a memory on the FPGA board.

In the pattern matching step, the input packet is received and stored in the packet FIFO, and simultaneously transmitted to the high-speed packet processing module 200 to perform packet parsing, and a network packet receiving step for distinguishing a header value from a payload; Among the extracted results, the contents corresponding to the payload are a fixed pattern matching step to compare with the fixed pattern stored in the FPGA in real time; A PCRE pattern matching request step of identifying a rule number assigned to each fixed pattern when a result of the fixed pattern matching detection is found and confirming whether the PCRE pattern is applied to the rule by confirming the rule number; And a PCRE pattern matching step for reading from the PCRE pattern storage so that the related PCRE pattern can be applied to the PCRE pattern matching when the PCRE pattern matching is required and programming the related DFA so that PCRE pattern matching can be performed .

The hash matching step may include a file re-gathering step of receiving a header value and a payload of a packet from the packet parsing and reconstructing a file based on the session; A file-based hash computation and updater for storing MD5 hashing results for the reconstructed file in a memory within the FPGA; A hash value matching step of calculating a hash value of files to be reconstructed based on a further input packet and comparing the hash values with stored hash values; A PCRE pattern matching request step for determining whether to perform PCRE rule matching; And a detection result processing step of generating a mitigation control signal based on the detection results in the pattern matching step and the hash matching step and delivering the mitigation control signal to the packet forwarding engine.

The packet forwarding step may include: a packet buffering step of receiving and buffering a packet input from the network; And a mitigation policy application step of determining whether to mitigate a packet by reading a packet from the packet FIFO and causing a packet drop and a packet forwarding function to be successively generated.

As described above, according to the present invention, the Snort rule and the jaruaru detection engine can be implemented using FPGA, which is a hardware element, and further processing using the detection result can be applied to inline mitigation.

And. According to the present invention, it is possible to optimize the detection speed and the application amount of the elements required in the FPGA by compiling Snort rule and JAAR rule into FPGA-based pattern matching, PCRE rule matching, and JAAR rule matching rule format.

Also, according to the present invention, the detection result can be applied to the inline engine by applying the detection result to the logic element on the hardware board.

Also, according to the present invention, high performance can be achieved by applying a parallel signal processing method and a parallel function module in an FPGA.

In addition, according to the present invention, it is possible to improve the operation speed by applying a self-dynamic whitelist entry (whitelist entry) through a session data preprocessing to improve the overall performance by reducing the startup of the internal operation module of the detection engine.

In addition, according to the present invention, it is possible to apply the present invention to a real-time dynamic file detection result entry generation and detection process so that the files downloaded from the same web server are distinguished and the same file is subjected only once to the entire detection routine.

1 is a block diagram of an FPGA-based fast SNORT rule and a YARA rule matching apparatus according to the present invention.
2 is a detection rule converter output table applied to the Snort rule and the Yarra rule according to the present invention.
3 is a block diagram of a detailed functional module of a high speed packet processing module according to the present invention.
4 is a block diagram of a detailed function module of a signature matching module according to the present invention.
FIG. 5 is a functional block diagram of the Fast Signature Scanning Module according to the present invention.
6 is a block diagram of the internal structure of the high-speed signature length scanning module according to the present invention.
7 is a block diagram of a PCRE detection module according to the present invention.
8 is a block diagram of a dynamic hash and a match module according to the present invention.
9 is a flowchart of an FPGA-based fast snooze rule and a jara rule matching method according to the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein.

Hereinafter, a preferred embodiment of the FPGA-based fast snooze rule and the Yahara matching device of the present invention will be described in detail.

FIG. 1 is a block diagram of an FPGA-based fast snooze rule and a Yahara matching device according to the present invention.

Referring to FIG. 1, an FPGA-based high-speed snort rule and a jara rule matching apparatus according to the present invention includes a detection rule converter 100 and a detection engine 100 for converting a snort rule and a jara rule 1000).

Snort is a detection and blocking tool used as an open source network-based intrusion detection system (NIDS) and network-based intrusion prevention system (NIPS). It can perform real-time traffic analysis and packet logging in an Internet traffic (IP) have. Here, the snort performs protocol analysis, content search, and matching, and Snort uses a detection rule to implement this function.

YARA is a tool used to identify and classify malicious software samples using easy-to-define rules, and is used to classify files or run processes using YARA to identify the type of malicious code. Using this tool, you can perform signature-based detection of malware that is similar to what an anti-virus solution can do for you.

The detection rule transformer 100 transforms the Snort rule and the jara rule format into a Fast Packet Processing Module 200 of the detection engine 1000 and a PCRE detection module A Regular Expression Detection Module 300, and a Detection Result Processing Module 500.

The detection engine 1000 receives an input packet input from the network based on the contents of the rule provided from the detection rule converter 100 and detects a fixed pattern in the high speed packet processing module 200, The PCRE pattern matching in the PC 300 and the same file search result performed in the dynamic Hash & Match Control Module 400 and the detection result processing module 500 in the detection result processing module 500, Based on the results of the packet processing module 200, the PCRE detection module 300 and the dynamic hash and match control module 400, a policy to be applied when the detection result is determined to be positive is checked When the mitigation control module 700 transmits mitigation control signals provided from the detection result processing module 500 to the mitigation policy application module 700, Reads the corresponding input packet stored in the memory 600 and applies the detection result applying policy to the output packet.

When the inputted input packet is stored in the packet FIFO 600 and the processing result of the detection engine 1000 for the packet is prepared in the mitigation policy application module 700, the read packet is applied to the output packet .

Hereinafter, the flow of the input packet to be input will be described in the direction.

The detection rule transformer 100 receives the snort rule and the jara rule, converts the snort rule and the jara rule into a rule format for the detection function, stores the result, and applies the result to the detection engine 1000. In the case of the PCRE pattern, when a new PCRE pattern is requested in units of packets from the detection engine 1000, the PCRE pattern can be used in the PCRE detection module 300 by transmitting the PCRE pattern requested in real time to the detection engine 1000.

The input packets are received from the network and stored in the packet FIFO 600.

The input packet is supplied to the fast packet processing module 200 and the dynamic hash and match control module 400 at the same time as the input packets are written to the packet FIFO 600.

In the fast packet processing module 200, packet parsing is performed to distinguish a header value from a payload value, and a fixed pattern signature is detected. The extracted header value and payload information are transmitted to the dynamic hash and match control module 400, the PCRE detection module 300 and the detection result processing module 500. The fixed pattern detection result is transmitted to the detection result processing module (500). The fixed patterns are supplied from the detection rule converter 100 and the new fixed pattern values are configured so that the detection rule converter 100 can update a new entry or erase an existing entry.

Here, the fast packet processing module 200 performs a function of detecting a fixed pattern at a high speed among the detection parameters of the converted rule. The fixed pattern matching result signals may be used as a reference signal to activate the function of the PCRE detection module 300.

The PCRE detection module 300 continuously communicates with the detection rule transformer 100 while the device is in operation. When the fixed pattern matching result is positive from the high speed packet processing module 200 and there is a PCRE pattern applied to the rule number provided in the detection rule converter 100, the internal DFA receives the PCRE pattern so that the internal DFA can detect the PCRE pattern Program. This operation is performed on a packet-by-packet basis.

Here, the PCRE detection module 300 is a module that detects the PCRE rule among the detection parameters of the converted rule. Based on the matching result of the high-speed packet processing module 200, the PCRE rule is loaded into PCRE detection sub-engines commonly used in real time to minimize the amount of internal required logic, It can be used effectively to detect PCRE rules and detect large amounts of PCRE rules.

The input packet is also input to the dynamic hash and match control module 400. The header value and the payload value for the same packet are supplied from the fast packet processing module 200. After combining the files by checking the contents of the file that can be reassembled from the payload, it extracts its own parameters that can distinguish the type of data (for example, files) that can appear repeatedly in the input data, The procedure for calculating the hash value of the system is reduced to improve the overall performance of the system.

Here, the dynamic hash and match control module 400 accumulates file-related data from input incoming packets and reassembles the file. The metadata of the file to be reassembled is extracted first, It is possible to accumulate the entire packets to perform file reassembly, to judge whether to start the process of generating a hash value, and to compare the hash value of the reassembled file with the stored hash values.

The fixed pattern matching result, the PCRE matching result, and the hash matching result, which are respectively obtained from the high-speed packet processing module 200, the PCRE detecting module 300, the dynamic hash and the match control module 400, The results are comprehensively and simultaneously compared with each other, and a mitigation control signal is generated based on a rule policy provided by the detection rule transformer 100.

Based on the mitigation control signal provided from the detection result processing module 500, the mitigation policy application module 700 knows how to process an input packet stored in the packet FIFO 600, (Packet drop or forwarding) and sends the packet as an output packet.

Here, the detection result processing module 500 synthesizes the detection and matching results of the detection rule converter 100, the high-speed packet processing module 200, and the PCRE detection module 300 in real- ), Thereby enabling to protect the packet-based, session-based, and file-based harmful traffic in inline. In particular, in the case of file-based attacks, detection, blocking, and additional mitigation functions are implemented without delaying the flow of traffic using the technique of blocking the last packet of harmful traffic (file) It provides the ability to The ability to accumulate packets on a per-session basis and reassemble the file is implemented using an SDRAM (several gigabytes in size) interfaced with the FPGA.

The packet FIFO 600 controls the system delay so that the resultant signal (Mitigation Control) processed by the detection result processing module 500 is processed in the mitigation policy application module 700 and output as an output packet (Output Packet) And then buffered.

FIG. 2 is a table showing a detection rule converter output table to be applied to Snort rule and Jara rule according to the present invention. The Snort rule and the detection rule applied in the Jara rule are shown in FIG. FIG. 5 shows an example of the result of conversion into a form applicable to a detection-engine based harmful pattern detection module used in the invention.

The functional module implemented by the present invention is configured to detect a rule to be detected based on all the parameters (Protocol, Source IP, Source Port, Direction, Destination IP, Destination Port, Fixed Pattern, PCRE) .

3 is a block diagram of a detailed functional module of the high speed packet processing module according to the present invention, and detailed functional modules are as follows.

Referring to FIG. 3, the fast packet processing module 200 detects a fixed pattern among the detailed parameters of the Snort rule and the Yarar rule.

The input traffic (incoming packet, for example, Layer 2 Ethernet frame) is input to a Signature Matching Module 210 and a Packet Parsing Module 220.

The signature matching module 210 extracts header information of layers 2, 3, and 4 from all input packets, and generates a reference signal that can identify the layer 7 data area.

Layer 3 and Layer 4 header information can be used to store basic data that can extract packets or files that accumulate the contents of a file that is delivered over a communication session or to identify the content of the detected results.

Matching using the fixed pattern of the detection rule converter output table 110 is started based on a signal indicating a point where the layer 7 data area starts. Fixed Pattern entries are read by a software program associated with the present invention and compared to incoming packets that are programmed into the internal matching logic.

The signature matching module 210 compares the payload of all incoming packets in real time and sends the matching results to the packet handling decision module 230 together with the header information. And transmitted to the PCRE detection module 300 and the detection result processing module 500 as a high-speed pattern determination result signal.

FIG. 4 is a block diagram of a detailed function module of the signature matching module according to the present invention.

4, the signature matching module 210 includes a Fast Signature Scanning Module 211, a Scanned Data Storage Module 212, and an Exact Pattern Matching Module ) 213 as shown in Fig.

Signature matching is performed on a byte-by-byte basis. Fixed patterns are compared with the input packet data that is programmed and input into the fast signature scanning module 211 and the full pattern matching module 213.

In the case of the high-speed signature scanning module 211, the main goal is to compare the length of a portion of the fixed pattern with the length to identify an area of data in which an actual high-speed pattern may exist. This function is realized by using dual-port RAM and stores information about a pattern of a fixed pattern and a length of a pattern to reliably check the area to be compared in the data of the input packet. The generated Scanned Data Stream is transmitted to a Scanned Data Storage Module 212, and data of a length corresponding to the determined length is sent to a pattern matching window (Exact Pattern Matching Module)

The stored data is compared in the full pattern matching module 213 together with the scan data stream input to the fast signature scanning module 211.

If the comparison result is positive, a positive signature matching result is generated.

If there is a PCRE parameter contained in one rule along with the detected pattern, then a particular PCRE rule is programmed into the PCRE detection module 300 to allow PCRE-related matching to begin.

5 shows the detailed function of the functional blocks of the fast signature screening module according to the present invention.

In FIG. 5, a process of finding a signature to be matched with data of an input packet is described by using a signature "/script/update.asp" as an example.

The hexadecimal text of the ASCII text "/script/update.asp" is "2f 73 63 72 69 70 74 2f 75 70 64 61 74 65 2e 61 73 70".

The high-speed signature scanning module 211 stores the length of the pattern of ".asp" and "/script/update.asp" while uploading "/script/update.asp" as a fixed pattern to be detected . This information is stored in the fast signature length scanning module 217 and the fast signature pattern matching module 218. The fast signature length scanning module 217 checks the length of the signature and generates a fast signature The pattern matching module 218 actually compares some pattern areas of the signature.

Signatures for a plurality of fixed patterns are stored in the high-speed signature length scanning module 217 and the high-speed signature pattern matching module 218, and the matched pattern length values and the partial pattern matching results Pattern Matching Result) to the Signature Window Selection Module 219. Then, the signature window selection module 219 generates a pattern matching window signal by determining the fixed pattern length and the comparison position for the fixed pattern matching the two conditions among the stored fixed patterns, and outputs the pattern matching window signal to the PCRE search module 300 and the search result processing Module 500 as shown in FIG.

6 illustrates the internal structure of a fast signature length scanning module according to the present invention.

Referring to FIG. 6, the fast signature length scanning module 217 uses a plurality of dual port RAMs 220 to check the length of a pattern to be detected.

Information about the length of a fixed pattern that is uploaded via one of the address port and the data port of the dual port RAM 220 is stored. For example, in the case of "/script/update.asp", hexadecimal texts of ".asp" corresponding to the values of the last 4 ASCII texts are used as addresses and the length of the failure pattern is used as data, And writes it to the port RAM 220 (WRITE).

When an incoming packet is applied to the address of the other port of the dual port RAM 220 thus updated, the values read out indicate the length of the pattern including each input byte value . In the present case, the value of the length of the pattern to be pattern-matched is read out as four consecutive identical length values.

The fast signature pattern matching module 218 updates the memory area of the dual port RAM 220 using the hexadecimal value for the remaining portion of the pattern updated in the same manner.

In this case, when a bit of "1" is written using some of the bits used for each data, the byte of the incoming packet applied to the address line indicates that it is a part of a pattern to be detected.

7 shows the structure of the PCRE detection module according to the present invention.

Referring to FIG. 7, the PCRE detection module 300 includes a plurality of PCRE detection submodules 310. The PCRE detection sub-module 310 comprises a Multi-Pattern Detection Module 320 and a Programmable PCRE Match module 330.

The multi-pattern detection module 320 receives the fixed pattern matching results detected by the high-speed packet processing module 200, and when the number of fixed patterns is several in the case of a rule including an associated fixed pattern, , Generates a PCRE rule request signal (Rule Request Signal) after detecting the multi-patterns, and causes the PCRE included in the corresponding rule to be written into the programmable PCRE matching module 330 using the PCRE rule.

The main functions to be implemented in the present invention are enabled by the PCRE detection function. In the case of the programmable PCRE match module 330, based on the result of the multi-pattern detection module 320, PCRE detection is implemented using logic.

When the analysis result of the fixed pattern is likely to be included in several rules, a plurality of PCRE detection submodules 310 are simultaneously driven and the packet payout So that the PCRE matching for the payload can be processed in real time.

Each PCRE detection sub-module 310 generates PCRE matching results, which are passed to the detection result processing module 500.

FIG. 8 shows a structure of a dynamic hash and a match module according to the present invention.

Referring to FIG. 8, the main purpose of the dynamic hash and match module 400 is to extract the self-parameters that can distinguish the types of data (e.g., files) that can appear repeatedly in the input data, It reduces the procedure for calculating the hash value for the entire system.

The dynamic hash and match module 400 includes a file content hashing module 410, a hash match module 420, a metadata extraction module 430, a metadata match module 440, , And a metadata entry table (450).

The file content hashing module 410 grasps the start point of the file transmitted through the session information composed of the input packets and collects the packets belonging to the related file to restore the file without the interoperation function with the CPU in the apparatus of the present invention . A hash function (for example, MD5 hash) is operated to check whether there is a harmful pattern included in the restored file, thereby creating a hash result value.

The hash match module 420 is defined as the hash result value of the already harmful file, and the values stored in the existing hash value table 421 and the values stored in the file content hashing module 410, And compares the input value with the hash result value.

Particularly, the hash match function of the hash match module 420 is started by the hash match control signal provided by the metadata extraction module 430. When the hash match control signal is positive, a hash read signal is compared with a hash read value that triggers the existing hash value table 421 and is read. The result of the comparison is transmitted to the detection result processing module 500 as a part of the hash matching result.

The metadata extraction module 430 extracts the file metadata of each file from the incoming packets based on the file file start instruction signal provided by the file content hashing module 410.

The metadata matching module 440 generates and stores metadata values automatically defined from the metadata entry table 450 when the metadata values defined according to the type of the specific file are provided from the metadata extraction module 430 The metadata values are read and compared. When the metadata value stored in the metadata entry table 450 acts as a whitelist, that is, when the hash matching module 420 has a negative hash value (a file identified as a hash value The hash match module 420 sends a negative hash match control signal to the hash match module 420 and the hash match module 420 sends a session reset signal to the file hash module 410 And does not start the process of reassembling the file, so that the hashing-based matching performance of the present apparatus can be kept high.

In the metadata entry table 450, the file metadata extracted by the metadata extraction module 430 is stored. The file metadata is stored by a metadata update signal which is enabled when the result of the hash match module 420 is negative.

The meta data stored in the meta data entry table 450 is implemented in a structure that can be updated in real time, and the meta data stored by the meta read signal from the meta data match module 440 is transmitted.

9 is a flowchart of an FPGA-based fast snooze rule and a Yahara rule matching method according to the present invention.

Referring to FIG. 9, the FPGA-based fast Snooze rule and Yarra rule matching method includes a rule conversion step S100, a pattern matching step S200, a hash matching step S300, and a packet forwarding step S400 .

Here, the four steps are all implemented based on parallel processing capable of communicating in real time and simultaneously processing each function. In the rule conversion step, a rule conversion operation is performed in the CPU, and the converted result values, that is, the detection identifiers used in the present invention are stored in a memory on a hardware board of the FPGA and are operated in the FPGA, , And provides information on rules in real time in the process of packet-based processing in packet forwarding steps. For the rule translation step, you can proceed regardless of whether the FPGA board is running when you want to apply the new Snort rule and the Yarar rule.

The steps of each engine will be described with reference to FIG.

The function module in which the rule conversion step (S100) operates is the detection rule converter (100).

The rule conversion step S100 includes a Snort rule and a Yarra rule editing step S110, a fixed pattern storing step S120, and a PCRE pattern storing step S130.

The Snort rule and Yarar rule editing step S110 converts the Snort and Yarar rules into a form of a rule to be applied in the present invention and stores them in a fixed pattern storage step S120 and a PCRE pattern storing step S120 ) To be stored in the memory on the hardware board that is assigned to each.

The fixed pattern storage step S120 is a step in which the fixed patterns converted in the snoop and yahoo rules are applied to the fast packet processing module 200 in the detection engine 1000, Port RAM is stored in block memory.

The PCRE pattern storing step (S130) stores the PCRE pattern among the converted result values in the Snort and Yarar rules in the memory on the FPGA board. The type of data to be stored at this time is such that the DFA detailed engine prepared in the PCRE detection module 300 of the detection engine 1000 can be programmed. That is, when the processing result of the fast packet processing module 200 for each packet requires PCRE pattern matching, a rule conversion engine (Rule Compilation Engine) sets an accurate PCRE pattern value based on the unique number of the pattern to the PCRE detection module 300 ) So as to execute the PCRE pattern operation immediately after programming the DFA.

The pattern matching step S200 is implemented in the fast packet processing module 200, the PCRE detection module 300, and the dynamic hash and match control module 400.

The pattern matching step S200 includes a network packet receiving step S210, a packet parsing step S220, a fixed pattern matching step S230, a PCRE pattern matching request step S240, an alc PCRE pattern matching step S250, .

In the network packet receiving step S210, the input packet is received and stored in the packet FIFO 600, and simultaneously transmitted to the high speed packet processing module 200 to perform packet parsing (S220). The L3 / L4 header value and the payload The payload is distinguished. The contents corresponding to the payload among the extracted results are compared with the fixed pattern stored in the FPGA in the fixed pattern matching step (S230). Fixed Pattern Matching When the result of detection is found, the rule number assigned to each fault pattern is identified. When the rule numbers thus identified are checked, the PCRE pattern matching request step (S240) confirms whether there is a PCRE pattern applied to the rule.

If the PCRE pattern matching is required according to the result, the PCRE pattern matching step S250 reads the PCRE pattern from the PCRE pattern storage so that the related PCRE pattern can be applied to the PCRE pattern matching of the present invention, Allow PCRE pattern matching to proceed.

The hash matching step S300 receives the header value and the payload of the packet from the packet parsing S220 of the pattern matching step and reconstructs the file based on the session in the file re-gathering step S310. The MD5 hashing result for the reconstructed file is stored in a memory inside the FPGA in a file-based hash calculation and an updater step S320.

The stored value is calculated by calculating a hash value of files to be reconstructed on the basis of the input packet, and then compared with the stored hash values in a hash value matching operation (S330).

The result of the comparison is transmitted to the PCRE pattern matching request step S330, and it is determined whether or not to perform the PCRE rule (yara rule matching).

The detection result processing step S340 is implemented in the detection result processing module 500. The mitigation control signal is generated based on the detection results in the pattern matching engine and the hash-matching engine, and is transmitted to the packet forwarding engine.

The packet forwarding step S400 includes a packet buffering step S410 and a mitigation policy application step S420. The processing of the pattern matching engine and the hash matching engine is completed for one inputted packet, and then the mitigation control signal It is determined that the matching procedure for the packet has been completed and the packet is read from the packet FIFO 600 to determine whether to mitigate (drop) the packet in the mitigation policy application step (S420) drop and packet forwarding functions are continuously generated.

As described above, the rules conversion step, the pattern matching step, the hash matching step, and the packet forwarding step simultaneously perform respective functions to enable detailed functions required in the present invention to be implemented at an FPGA-based super high speed.

It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention. It is not.

Claims (5)

A rule conversion step of converting the Snort rule and the Yarar rule in the detection rule converter to store the fixed pattern and the PCRE pattern in the memory on the hardware board;
A pattern matching step of receiving a packet input from the network based on the converted rule and performing packet parsing in a packet FIFO and a fast packet processing module to perform a fixed pattern and a PCRE pattern matching, respectively;
Receives the header value and payload of the packet from the packet parsing, reconstructs the file, stores it in a memory in the FPGA, matches the hash values stored on the basis of the further input packet, and outputs a mitigation control signal in the detection result processing module A generated hash matching step; And
And a packet forwarding step of continuously generating a packet drop and a packet forwarding by determining whether to mitigate a packet by reading a packet from the packet FIFO. The method according to claim 1,
The rule transformation step includes:
A snooze rule and a yaho rule editing step for converting the snoop and yaho rules in the detection rule converter;
A fixed pattern storage step of storing the fixed patterns converted in the Snort rule and the Jahar rule in an internal dual port RAM block memory of the FPGA in which the detection engine operates so that the fixed patterns can be applied in the high speed packet processing module; And
And a PCRE pattern storing step of storing the PCRE pattern among the converted result values in the Snort and Yarar rules in a memory on the FPGA board. The method according to claim 1,
Wherein the pattern matching step comprises:
A network packet receiving step of receiving the input packet and storing it in the packet FIFO and simultaneously transmitting the packet to the high speed packet processing module 200 to perform packet parsing and to distinguish the header value from the payload;
Among the extracted results, the contents corresponding to the payload are a fixed pattern matching step to compare with the fixed pattern stored in the FPGA in real time;
A PCRE pattern matching request step of identifying a rule number assigned to each fixed pattern when a result of the fixed pattern matching detection is found and confirming whether the PCRE pattern is applied to the rule by confirming the rule number; And
And a PCRE pattern matching step of reading from the PCRE pattern storage so that the related PCRE pattern can be applied to the PCRE pattern matching when the PCRE pattern matching is required and programming the related DFA so that the PCRE pattern matching can proceed. Based fast snooze rule and yara rule matching method. The method according to claim 1,
The hash matching step comprises:
Receiving a header value and a payload of a packet from the packet parsing and reconstructing a file based on the session;
A file-based hash computation and updater for storing MD5 hashing results for the reconstructed file in a memory within the FPGA;
A hash value matching step of calculating a hash value of files to be reconstructed based on a further input packet and comparing the hash values with stored hash values;
A PCRE pattern matching request step for determining whether to perform PCRE rule matching; And
And a detection result processing step of generating a mitigation control signal based on the detection results in the pattern matching step and the hash matching step and delivering the mitigation control signal to the packet forwarding engine. The method according to claim 1,
Wherein the packet forwarding step comprises:
A packet buffering step of receiving and buffering a packet input from the network; And
And a mitigation policy application step of causing a packet drop and a packet forwarding function to be successively generated by determining whether to mitigate a packet by reading a packet from the packet FIFO, And a method of matching a rule.

Images