| Graduate student: | 顏通宏 Yen, Tong-Hong |
|---|---|
| Thesis title: | 設計與實作-具有動態縮放之軟體型入侵防護系統 (Design and Implementation of a Scalable Software-based Intrusion Prevention System) |
| Advisor: | 楊竹星 Yang, Chu-Sing |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science, Department of Electrical Engineering |
| Year of publication: | 2022 |
| Graduation academic year: | 110 |
| Language: | Chinese |
| Number of pages: | 50 |
| Keywords (Chinese): | 網路功能虛擬化, 入侵預防系統 (Network Function Virtualization, Intrusion Prevention System) |
| Keywords (English): | Network Function Virtualization, Intrusion Prevention System |
Over the years, the techniques used in network attacks have changed rapidly. With the development of 5G, IoT and MEC, the network environment has become increasingly complex, defending against risk has become harder, and the attack surface available to attackers has expanded. Attack methods have evolved from early packet spoofing, flood attacks, vertical scanning and social-engineering attacks to today's web application attacks, web injection attacks, penetration attacks and ransomware.
These varied attack techniques make it difficult for traditional firewalls and antivirus software to see the full picture of an incident and analyse it comprehensively, which is why the Intrusion Prevention System (IPS) emerged. An IPS is, in essence, a deliberate man-in-the-middle: it scans and records the information in the packets passing through it, or further acts as a port proxy for the outbound traffic of internal devices, so that it obtains every packet for analysis, and when it finds malicious packet signatures it drops the packet or actively terminates the connection. It can therefore not only detect and stop network attacks coming from outside but also prevent insiders from leaking confidential information. However, because an IPS device must carry backbone traffic at very low latency, traditional IPSs mostly rely on dedicated hardware and are relatively expensive, which non-commercial users can hardly afford; the dependence on dedicated hardware also makes them relatively inflexible and hard to deploy or reconfigure on short notice.
To address these shortcomings of traditional IPSs, this thesis designs and implements a high-performance software-based IPS on top of the open-source libraries DPDK, openNetVM and Hyperscan, and assembles it into an information security service chain. Finally, the performance of the IPS is evaluated in a 10-Gbps environment using network stress-test tools such as iperf and Pktgen-DPDK, malicious pcap packet files, and Snort community rules, as an attempt to apply a containerized software-based IPS to fill the security gap created by the expanding attack surface.