
Author: 錢彥伯
Chien, Yen-Po
Title (Chinese): 基於DPDK框架之高效能軟體型入侵防禦系統設計與實作
Title (English): High-performance Software-based IPS based on DPDK Framework: Design and Implementation
Advisor: 楊竹星
Yang, Chu-Sing
Degree: Master
Department: College of Electrical Engineering and Computer Science, Institute of Computer & Communication Engineering
Year of publication: 2020
Graduation academic year: 108 (ROC calendar)
Language: Chinese
Pages: 60
Keywords (Chinese): Intrusion Prevention System, Intrusion Detection System, Deep Packet Inspection, DPDK
Keywords (English): IDS, IPS, DPI, DPDK
    With the rapid growth of the Internet, both the number of cyberattacks and the damage they cause keep increasing. Traditional stateful firewalls and antivirus software, however, lack the ability to detect network attacks. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) can make up for this shortcoming, but they are not suitable for every machine or network environment. An IDS has a low deployment barrier, but it usually obtains packets through a bypass (mirroring) mechanism, so by the time analysis completes the damage has often already been done; it cannot stop an intrusion in real time. An IPS, on the other hand, is costly: it must be connected inline in front of the protected machines, and to sustain stable, high-speed transmission and processing it generally relies on hardware acceleration, which requires special hardware such as application-specific integrated circuits or network processors. This adds cost and reduces flexibility in expanding and porting the system.
    This study therefore proposes a software-based network intrusion prevention system built on the DPDK packet processing framework as a solution. DPDK's fast packet processing serves as the foundation for receiving and transmitting packets; on top of it, intrusion detection, prevention and packet forwarding functions are added to realize a software-based IPS that can be deployed on commodity equipment, offering convenient development, flexible deployment and maintenance, and low cost, so that protection can be provided to more users. This study implements a prototype of the software-based IPS and verifies its performance experimentally. The results show that when the system is deployed on a server-class host, the maximum processing bandwidth measured in this experimental environment reaches 6 Gbps, and when the machine is deployed in a 1-Gbps network it provides 940 Mbps of transmission bandwidth. This confirms the feasibility and potential of the system, which is intended to offer protection against rapidly growing network attacks.

    In recent years, the number of cyberattacks has grown rapidly. However, commonly used tools such as firewalls and antivirus software are inadequate against attacks arriving over the Internet. Intrusion detection systems can detect an attack but cannot block it. Although intrusion prevention systems can detect the attack and protect the host, their prices are not affordable for everyone.
    This study designs and implements a prototype of a software-based IPS built on the DPDK framework. DPDK is a fast packet processing framework proposed by Intel. It provides a CPU polling mechanism for packet processing to improve throughput in high-traffic networks. The system consists of several functions, such as protocol analysis, misuse detection and L3 forwarding. In our experiments, we deploy the system on a 1-Gbps network to measure TCP/IP throughput with the iperf tool and estimate performance at different degrees of parallelism. The maximum TCP/IP bandwidth measured by iperf is 940 Mbps, and the maximum throughput is 6137 Mbps when the degree of parallelism is 8. These results verify that the system works well on 1-Gbps networks and that a software-based IPS has the potential to be applied in most network environments.

    Abstract (Chinese) I
    Abstract II
    Acknowledgements VII
    Table of Contents VIII
    List of Tables X
    List of Figures XI
    1. Introduction 1
    1.1. Research Background 1
    1.2. Research Motivation 2
    1.3. Research Objectives 5
    1.4. Thesis Organization 6
    2. Background and Related Work 7
    2.1. Stateful Firewalls 7
    2.2. Intrusion Detection System (IDS) / Intrusion Prevention System (IPS) 10
    2.2.1. Deep Packet Inspection (DPI) 11
    2.2.2. libpcap 12
    2.2.3. Snort 13
    2.2.4. nDPI 15
    2.3. Intel Data Plane Development Kit (DPDK) 16
    2.4. Related Literature 19
    3. System Design 21
    3.1. System Architecture 22
    3.2. Capture Module 28
    3.3. Analysis Module 31
    3.3.1. Protocol Parser 33
    3.3.2. Malicious Signature Search Module 34
    3.4. Output Module 36
    4. Experimental Design and Results 39
    4.1. Experimental Environment 39
    4.2. Experimental Design 40
    4.3. Experimental Results 44
    4.3.1. Experiment I Results 44
    4.3.2. Experiment II Results 48
    5. Conclusion 55
    References 56


    Availability: on campus, public from 2023-01-01; off campus, public from 2023-01-01.