
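IP Core Design for DDoS Attack Identification Based on Network Security Chip
Cite this article: JI Jun-Tong, HAN Lin, YU Zhe, CHEN Fang. IP Core Design for DDoS Attack Identification Based on Network Security Chip[J]. Computer Systems & Applications, 2023, 32(4): 120-128.
Authors: JI Jun-Tong  HAN Lin  YU Zhe  CHEN Fang
Affiliation: Frontier Information Technology Research Institute, Zhongyuan University of Technology, Zhengzhou 450007; National Supercomputing Center in Zhengzhou, Zhengzhou University, Zhengzhou 450001
Funding: Research on the Innovation Ecosystem and Applications of Domestic Advanced Computing Platforms (221100210600)
Abstract: The distributed denial of service (DDoS) attack, a traditional form of network attack, still poses a considerable threat to network security. Based on the SoC+IP construction model of a high-performance network security chip, this paper proposes a method for identifying network-layer DDoS attacks that is implemented at the hardware level. Following the design principles of a hardware protocol stack, logic gates process network packets by disassembling and analyzing them; the disassembled information is then subjected to attack determination, and the information of packets judged to be attacks is recorded in an attack pool, where the host can read it at any time. A DDoS attack identification IP core (intellectual property core) based on this method is implemented in hardware logic circuits, and the IP core is controlled by configuring registers over the AHB bus. Synthesis and functional testing are carried out on an SV/UVM-based simulation and verification platform. The experiments show that the IP core meets the design requirements, can identify and detect DDoS attacks in real time, and effectively improves the security protection function of the high-performance network security chip.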

Keywords: distributed denial of service attack  attack identification  IP core  network security
Received: 2022/9/16 0:00:00
Revised: 2022/10/19 0:00:00

IP Core Design for DDoS Attack Identification Based on Network Security Chip
JI Jun-Tong, HAN Lin, YU Zhe, CHEN Fang. IP Core Design for DDoS Attack Identification Based on Network Security Chip[J]. Computer Systems & Applications, 2023, 32(4): 120-128.
Authors: JI Jun-Tong  HAN Lin  YU Zhe  CHEN Fang
Affiliation: The Frontier Information Technology Research Institute, Zhongyuan University of Technology, Zhengzhou 450007, China; National Supercomputing Center in Zhengzhou, Zhengzhou University, Zhengzhou 450001, China
Abstract: The distributed denial of service (DDoS) attack, a traditional network attack method, still poses a great threat to network security. This study proposes a DDoS attack identification method implemented at the hardware level, based on the system on chip (SoC)+IP construction mode of a high-performance network security chip, to handle network-layer DDoS attacks. Following the design principle of hardware protocol stacks, logic gates are used to disassemble and analyze network packets. Attack determination is then performed on the disassembled information, and the information of the packets identified as attacks is recorded in the attack pool, where it can be read by the host at any time. Furthermore, an intellectual property (IP) core for DDoS attack identification based on the proposed method is implemented in hardware logic circuits, and the IP core is controlled by means of configuration registers on the advanced high-performance bus (AHB). Synthesis and functional tests are performed on a simulation and verification platform based on SystemVerilog/universal verification methodology (SV/UVM). The experiments show that the IP core meets the design requirements and can perform DDoS attack identification and detection in real time, effectively improving the security protection function of the high-performance network security chip.
Keywords: distributed denial of service (DDoS) attack  attack identification  intellectual property (IP) core  network security