TC: Small: A High-Performance Abstract Machine for Network Intrusion Detection

TC：Small：用于网络入侵检测的高性能抽象机

• 批准号: 0915667
• 负责人: Robin Sommer
• 金额: $ 45万
• 依托单位: International Computer Science Institute
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2009
• 资助国家: 美国
• 起止时间: 2009-09-15 至 2013-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0915667&HistoricalAwards=false
• 关键词: TC; Small; Performance; Abstract; Machine

Network intrusion detection systems (NIDS) need to balance between a set of challenges difficult to simultaneously address to their full extent: the complexity of network communication; the need to operate extremely efficiently to achieve line-rate performance; and dealing securely with untrusted input. Our project aims to build an efficient and secure bridge between dealing effectively with these challenges, and offering the high-level abstractions required for describing a security policy. Observing that NIDS implementations share a large degree of functionality, we introduce a new middle-layer into NIDS processing, consisting of two main pieces: first, an abstract machine model that is specifically tailored to the network intrusion detection domain and directly supports the field's common abstractions and idioms in its instruction set; and second, a compilation strategy for turning programs written for the abstract machine into highly optimized, natively executable code for a given target platform, with performance comparable to manually written C code. As a broader goal, our undertaking provides the security community with a novel architecture that facilitates development and reuse of building blocks commonly required for network traffic analysis. While the focus of our effort is the design and implementation of the abstract machine environment itself, we envision enabling the community to unleash its full potential by building analysis functionality on top of the platform we develop.

网络入侵检测系统 (NIDS) 需要在一系列难以同时全面解决的挑战之间取得平衡：网络通信的复杂性；需要极其高效地运行以实现线速性能；并安全地处理不受信任的输入。我们的项目旨在在有效应对这些挑战和提供描述安全策略所需的高级抽象之间建立一座高效且安全的桥梁。观察到 NIDS 实现共享很大程度的功能，我们在 NIDS 处理中引入了一个新的中间层，该中间层由两个主要部分组成：首先，专门针对网络入侵检测领域定制的抽象机器模型，并在其指令集中直接支持该领域的常见抽象和惯用语；其次，一种编译策略，用于将为抽象机编写的程序转换为针对给定目标平台的高度优化的本机可执行代码，其性能与手动编写的 C 代码相当。作为一个更广泛的目标，我们的事业为安全社区提供了一种新颖的架构，有助于网络流量分析常用的构建块的开发和重用。虽然我们工作的重点是抽象机器环境本身的设计和实现，但我们设想通过在我们开发的平台上构建分析功能，使社区能够释放其全部潜力。