| The rapid development of global digitalization brings opportunities to many industries, but it also places higher demands on network security protection capability. Network security is both the premise of digital development and an important guarantee for it. However, the DDoS attack, a traditional network attack method, has always posed a serious threat to network security. Attackers continue to improve their capabilities, with clearer attack targets, more complex attack methods, larger attack scale and larger attack resources, which poses great challenges to the construction of network security protection systems. Software-based DDoS attack identification can no longer meet current needs, and identification based on specialized hardware has become critical in the era of rapid Internet development. This paper proposes an identification method for network-layer DDoS attacks based on the design principle of a hardware protocol stack, and implements a DDoS attack identification IP core based on this method in hardware logic circuitry. The IP core is simulated and deployed on a high-performance network security chip and is controlled through configuration registers, accessed over the AHB bus, that act on the data path. It is simulated and experimentally verified on an SV/UVM simulation and verification platform, and the simulation experiments show that the expected attack identification output is achieved. The research work in this paper is as follows: 1. Design the hardware protocol stack based on the high-performance network security chip architecture. The chip architecture adopts the AMBA bus structure as its internal interconnection standard and uses the AHB bus to configure registers and connect high-speed interface modules. The hardware circuitry is designed to streamline the network protocol processing flow and to parse the network data flow layer by layer according to its characteristics, thus providing a solution, based on this chip architecture, for disassembling the network data flow of a specific protocol. 2. Implement an IP core for DDoS attack identification on a high-performance network security chip, using a block-based (chunked) design approach in which the blocks are controlled synchronously by exploiting the unified bus timing. The overall project is planned and designed first, and then each functional sub-module inside the IP core is implemented, so as to realize deep analysis and detection of the network data flow. For the DDoS attack identification IP core of the high-performance network security chip, an SV/UVM-based simulation verification platform is used for data path testing and functional verification, and data message models corresponding to different protocols are written to ensure that the network data generated in simulation conforms to the standard protocol specifications. The verification results show that this IP core can interact with other modules in the chip to identify network data containing an attack and output the attack results, and that the expected defense effect can be achieved. |