Low power and high throughput SRAM-based packet classification

Access & Terms of Use
open access
Copyright: He, Xin
Abstract
Packet classification is an important method implemented in modern network processors used in embedded systems such as routers. Packet classification methods also serve to detect network intrusion, enable the deployment of Quality of Service techniques, and facilitate the use of firewalls in large networks. Current software-based packet classification techniques exhibit low performance, prompting researchers to move their focus to architectures encompassing both software and hardware components. Some of the newer hardware architectures exclusively utilize Ternary Content Addressable Memory (TCAM) to improve the performance of rule matching. However, this results in systems with high power consumption. This thesis proposes a novel SRAM-based multi-stream architecture, named LOP, which significantly reduces power consumption while improving throughput beyond that of the TCAM approaches. Compared with a state-of-the-art TCAM implementation (throughput of 495 Million Searches per Second (495 Msps)) in 65nm CMOS technology, LOP saves, on average, 43% of energy consumption with a throughput of 590 Msps. Moreover, hardware-based packet-side range encoding units have been introduced and integrated with LOP to further reduce power consumption without sacrificing throughput. The combined architecture, named LOP_RE, can save 65% of the energy consumption of TCAM. To reduce area, a hardware-based state machine has been designed to share range-encoded memories between multiple streams. In addition, a hybrid packet classification architecture, named HybridLOP, is proposed to implement a network intrusion detection system. A signature-based intrusion detection system, SNORT, has been tested to show that the hybrid packet classification system achieves high throughput. The LOP-based architectures are customized architectures which can be configured according to the required throughput and/or power consumption.
The architectures with different configurations have been implemented using VHDL and synthesized using Synopsys Design Compiler with TSMC's 65nm process library. PrimeTime-PX was used to estimate the power consumption of the circuits and ModelSim was used to simulate the design in a Linux environment. Network anomaly detection is one of the emerging network applications. In the last part of the thesis, a novel network anomaly detection system, named MCAD, is introduced, which utilizes packet classification systems. MCAD was able to detect 15 types of multiple-connection-based attacks and achieves a low false positive alarm rate of 0.466%.
Author(s)
He, Xin
Supervisor(s)
Parameswaran, Sridevan
Publication Year
2010
Resource Type
Thesis
Degree Type
PhD Doctorate