| Graduate student: | 張家綸 Chang, Chia-Lun |
|---|---|
| Thesis title: | Design and Implementation of a Packet Scheduler to Linux Based DPI System in Multi-Core Environment |
| Advisor: | 楊竹星 Yang, Chu-Sing |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering |
| Year of publication: | 2017 |
| Academic year of graduation: | 105 |
| Language: | English |
| Number of pages: | 78 |
| Keywords (Chinese): | Traffic Classification, Deep Packet Inspection, Multiple Pattern Matching, Multi-Core Architecture |
| Keywords (English): | Traffic Classification, Deep Packet Inspection, Multiple Pattern Matching, Multi-Core |
| Usage statistics: | Views: 61, Downloads: 0 |
The rapid development of the Internet has brought convenience to people's lives: services designed for personal computers, as well as apps developed for mobile devices, can satisfy all kinds of needs. Not only individuals but also the operations of many industries depend on the network; in this era the network is everywhere. The network benefits society as a whole, but improper use still causes inconvenience. Network security is therefore an important topic. If network traffic can be analyzed and the application service it belongs to identified, the security of the network environment can be improved considerably, and traffic classification systems arose for this purpose. Traffic classification systems fall into several kinds; signature-based traffic identification systems include L7-filter, Snort, nDPI, Tstat and Net-DPIS. Net-DPIS uses deep packet inspection together with multiple pattern matching algorithms to check whether signature strings exist in packet payloads, and thereby identifies the application service the traffic belongs to. Net-DPIS with Cache Mechanism adds a cache mechanism to Net-DPIS, improving overall identification efficiency. Building on the Net-DPIS research results, this thesis adds functions such as extracting important packet information and blocking abnormal traffic, and uses a multi-core architecture to distribute the work appropriately among different cores, with the goals of improving identification efficiency and balancing the workload across cores.
The development of the network brings convenience to people's daily lives: services on personal computers and apps on mobile devices can meet people's needs. Not only individuals but also industries rely on the network. Nowadays the network is everywhere. The network is a great benefit to society, but improper use of it causes inconvenience, so network security is an important issue. If network traffic can be analyzed and classified, network security can be improved; traffic classification systems appeared as a result. There are several kinds of traffic classification systems. One kind is the payload-based traffic classification system, such as L7-filter, Snort, nDPI, Tstat and Net-DPIS. Net-DPIS utilizes the Deep Packet Inspection (DPI) technique and multiple pattern matching algorithms to look up whether patterns exist in the payload. Net-DPIS with Cache Mechanism added a cache mechanism to Net-DPIS, which improved the performance of traffic classification. This thesis adds new functions such as metadata extraction and blocking of abnormal connections. Furthermore, the work is divided into three parts that are allocated to different cores for execution. The goal is to improve the performance of the system and balance the workloads of the cores.
On-campus access: not public