| Graduate student: | 李韋杰 Lee, Wei-Chieh |
|---|---|
| Thesis title: | 透過硬體加速標頭解析之入侵防護系統 (Accelerate Intrusion Prevention System Through Offloading Header Decoding) |
| Advisor: | 楊竹星 Yang, Chu-Sing |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science, Department of Electrical Engineering |
| Year of publication: | 2026 |
| Academic year of graduation: | 114 |
| Language: | Chinese |
| Pages: | 36 |
| Keywords (Chinese): | 智慧網卡 (SmartNIC), 硬體卸載 (hardware offload), 入侵防護系統 (intrusion prevention system) |
| Keywords (English): | SmartNIC, Hardware Offload, IPS |
As network technology develops rapidly, attack techniques such as Distributed Denial of Service (DDoS) and zero-day vulnerabilities have become increasingly diverse, making information security protection critically important. Traditional firewalls cannot inspect packets in depth, so Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are needed for finer-grained matching. However, because an IPS must pass all traffic through its decision logic in order to block malicious packets, it places a heavy burden on system throughput. A software-implemented IPS such as Suricata, when facing high-speed networks of 10 Gbps and above, often suffers packet delay or loss because its CPU resources become saturated. Our investigation found that when the CPU performs header validation, the frequent if-else constructs readily cause branch misses, which seriously degrades performance. To address these problems, this study improves the Suricata system by offloading its packet header decoding (Decode) function to a Netronome Agilio CX SmartNIC. Through this hardware offload architecture, the system reduces the load on the host CPU and filters known malicious traffic early, improving the overall processing efficiency and throughput of the IPS.
As network technologies advance rapidly, cybersecurity challenges such as Distributed Denial of Service (DDoS) and zero-day exploits have become increasingly sophisticated. While traditional firewalls provide basic protection, Intrusion Prevention Systems (IPS), such as Suricata, are essential for deep packet inspection and real-time threat mitigation. However, in high-speed network environments exceeding 10 Gbps, software-based IPS often encounter significant performance bottlenecks. Research indicates that the CPU spends substantial cycles on header validation tasks, where frequent conditional branching (if-else statements) leads to high branch-miss rates, resulting in packet latency and throughput degradation.
To address these challenges, this study proposes a hardware-accelerated IPS architecture that offloads the packet header decoding process to a Netronome Agilio CX SmartNIC. By leveraging the programmable flow processing cores of the SmartNIC, the system performs Layer 2 to Layer 4 header parsing and validation directly on the hardware. This offloading strategy effectively reduces the computational burden on the host CPU and mitigates branch-miss penalties. Furthermore, a hardware-based Flow Table is implemented on the NIC to facilitate early filtering and the Respond-Reject mechanism, allowing known malicious traffic to be handled without host intervention.
Experimental results demonstrate that the proposed architecture consistently outperforms the native Suricata system across various protocols, including TCP, UDP, and ICMP. The performance gain is particularly significant in handling complex UDP-encapsulated traffic and high-load TCP streams. By optimizing resource allocation through a pipelined design within the SmartNIC, this research provides a scalable and efficient solution for robust network security in high-bandwidth infrastructures.
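As an added illustration of the decode-then-filter pipeline the abstract describes (not code from the thesis, whose SmartNIC firmware is not on this page): a host-side C model that decodes Ethernet/IPv4 and TCP, UDP or ICMP headers with explicit length checks, then consults a Flow Table so that malformed frames and known-malicious flows are decided before the host IPS ever sees them. The flow-key layout, the table contents, the build_pkt test-frame builder and the 192.0.2.x addresses are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed 5-tuple key (explicit pad so memcmp sees no padding); the thesis's real layout is not on the page. */
struct flow_key { uint32_t saddr, daddr; uint16_t sport, dport, proto, pad; };
enum verdict { PASS = 0, DROP = 1, MALFORMED = 2 };
struct flow_entry { struct flow_key key; enum verdict verdict; };

/* Constructed table: one known-malicious UDP flow, using RFC 5737 documentation addresses. */
static const struct flow_entry FLOW_TABLE[] = {
    { { 0xc0000201u /* 192.0.2.1 */, 0xc0000202u /* 192.0.2.2 */, 4444, 53, 17, 0 }, DROP },
};

/* Decode Ethernet/IPv4/L4 headers with explicit length checks: 0 on success, -1 if malformed. */
int decode_headers(const uint8_t *pkt, size_t len, struct flow_key *k) {
    if (len < 34 || pkt[12] != 0x08 || pkt[13] != 0x00) return -1;          /* IPv4 over Ethernet only */
    const uint8_t *ip = pkt + 14; size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl) return -1;           /* bad version / IHL / truncated */
    k->saddr = (uint32_t)ip[12] << 24 | ip[13] << 16 | ip[14] << 8 | ip[15];
    k->daddr = (uint32_t)ip[16] << 24 | ip[17] << 16 | ip[18] << 8 | ip[19];
    k->proto = ip[9]; k->sport = k->dport = 0;
    const uint8_t *l4 = ip + ihl;
    size_t l4len = len - 14 - ihl, need = k->proto == 6 ? 20 : (k->proto == 17 || k->proto == 1) ? 8 : 0;
    if (need == 0 || l4len < need) return -1;                                 /* unsupported L4 or truncated */
    if (k->proto == 1) return 0;                                              /* ICMP carries no ports */
    k->sport = (uint16_t)(l4[0] << 8 | l4[1]);
    k->dport = (uint16_t)(l4[2] << 8 | l4[3]);
    return 0;
}

/* NIC-side early filter: malformed frames and Flow Table hits are decided before the host IPS runs. */
enum verdict early_filter(const uint8_t *pkt, size_t len) {
    struct flow_key k = {0};
    if (decode_headers(pkt, len, &k) != 0) return MALFORMED;
    for (size_t i = 0; i < sizeof FLOW_TABLE / sizeof FLOW_TABLE[0]; i++)
        if (memcmp(&FLOW_TABLE[i].key, &k, sizeof k) == 0) return FLOW_TABLE[i].verdict;
    return PASS;
}

/* Constructed frame builder for testing: Ethernet + 20-byte IPv4 + zeroed L4 bytes; buf needs >= 38 bytes. */
size_t build_pkt(uint8_t *buf, uint8_t proto, uint16_t sport, uint16_t dport, size_t l4len) {
    memset(buf, 0, 34 + l4len);
    buf[12] = 0x08; buf[13] = 0x00;                                           /* EtherType IPv4 */
    buf[14] = 0x45; buf[23] = proto;                                          /* version 4, IHL 5 words */
    memcpy(buf + 26, "\xc0\x00\x02\x01", 4); memcpy(buf + 30, "\xc0\x00\x02\x02", 4);
    buf[34] = (uint8_t)(sport >> 8); buf[35] = (uint8_t)sport; buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)dport;
    return 34 + l4len;
}
```

In the thesis this logic runs on the SmartNIC's flow processing cores; the model keeps the same two stages (bounded header decode, then a table lookup) so the early-drop behaviour can be exercised on a host.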