Network Virtual Machine (NetVM): A New Architecture for Efficient and Portable Packet Processing Applications

A challenge facing network device designers, besides increasing the speed of network gear, is improving its programmability in order to simplify the implementation of new applications (see for example, active networks, content networking, etc). This paper presents our work on designing and implementing a virtual network processor, called NetVM, which has an instruction set optimized for packet processing applications, i.e., for handling network traffic. Similarly to a Java Virtual Machine that virtualizes a CPU, a NetVM virtualizes a network processor. The NetVM is expected to provide a compatibility layer for networking tasks (e.g., packet filtering, packet counting, string matching) performed by various packet processing applications (firewalls, network monitors, intrusion detectors) so that they can be executed on any network device, ranging from expensive routers to small appliances (e.g. smart phones). Moreover, the NetVM will provide efficient mapping of the elementary functionalities used to realize the above mentioned networking tasks upon specific hardware functional units (e.g., ASICs, FPGAs, and network processing elements) included in special purpose hardware systems possibly deployed to implement network devices

A Proposal for Dynamic Access Lists for TCP/IP Packet Filering

The use of IP filtering to improve system security is well established, and although limited in what it can achieve has proved to be efficient and effective. In the design of a security policy there is always a trade-off between usability and security. Restricting access means that legitimate use of the network is prevented; allowing access means illegitimate use may be allowed. Static access list make finding a balance particularly stark -- we pay the price of decreased security 100% of the time even if the benefit of increased usability is only gained 1% of the time. Dynamic access lists would allow the rules to change for short periods of time, and to allow local changes by non-experts. The network administrator can set basic security guide-lines which allow certain basic services only. All other services are restricted, but users are able to request temporary exceptions in order to allow additional access to the network. These exceptions are granted depending on the privileges of the user. This paper covers the following topics: (1) basic introduction to TCP/IP filtering; (2) semantics for dynamic access lists and; (3) a proposed protocol for allowing dynamic access; and (4) a method for representing access lists so that dynamic update and look-up can be done efficiently performed.Comment: 12 pages. Shortened version appeared in SAICSIT 200

Applications of reprogrammability in algorithm acceleration

This doctoral thesis consists of an introductory part and eight appended publications, which deal with hardware-based reprogrammability in algorithm acceleration with a specific emphasis on the possibilities offered by modern large-scale Field Programmable Gate Arrays (FPGAs) in computationally demanding applications. The historical evolution of both the theoretical and technological paths culminating in the introduction of reprogrammable logic devices is first outlined. This is followed by defining the commonly used terms in the thesis. The reprogrammable logic market is surveyed, and the architectural structures and the technological reasonings behind them are described in detail. As reprogrammable logic lies between Application Specific Integrated Circuits (ASICs) and general-purpose microprocessors in the implementation spectrum of electronics systems, special attention has been paid to differentiate these three implementation approaches. This has been done to emphasize, that reprogrammable logic offers much more than just a low-volume replacement for ASICs. Design systems for reprogrammable logic are investigated, as the learning curve associated with them is the main hurdle for software-oriented designers for using reprogrammable logic devices. The theoretically important topic of partial reprogrammability is described in detail, but it is concluded, that the practical problems in designing viable development platforms for partially reprogrammable systems will hinder its wide-spread adoption. The main technical, design-oriented, and economic applicability factors of reprogrammable logic are laid out. The main advantages of reprogrammable logic are their suitability for fine-grained bit-level parallelizable computing with a short time-to-market and low upfront costs. It is also concluded, that the main opportunities for reprogrammable logic lie in the potential of high-level design systems, and the ever-growing ASIC design gap. On the other hand, most power-conscious mass-market portable products do not seem to offer major new market potential for reprogrammable logic. The appended publications are examined and compared to contemporaneous research at other research institutions. The conclusion is that for relatively wide classes of well-defined computation problems, reprogrammable logic offers a more efficient solution than a software-centered approach, with a much shorter production cycle than is the case with ASICs.reviewe

Hardware Acceleration of Network Intrusion Detection System Using FPGA

This thesis presents new algorithms and hardware designs for Signature-based Network Intrusion Detection System (SB-NIDS) optimisation exploiting a hybrid hardwaresoftware co-designed embedded processing platform. The work describe concentrates on optimisation of a complete SB-NIDS Snort application software on a FPGA based hardware-software target rather than on the implementation of a single functional unit for hardware acceleration. Pattern Matching Hardware Accelerator (PMHA) based on Bloom filter was designed to optimise SB-NIDS performance for execution on a Xilinx MicroBlaze soft-core processor. The Bloom filter approach enables the potentially large number of network intrusion attack patterns to be efficiently represented and searched primarily using accesses to FPGA on-chip memory. The thesis demonstrates, the viability of hybrid hardware-software co-designed approach for SB-NIDS. Future work is required to investigate the effects of later generation FPGA technology and multi-core processors in order to clearly prove the benefits over conventional processor platforms for SB-NIDS. The strengths and weaknesses of the hardware accelerators and algorithms are analysed, and experimental results are examined to determine the effectiveness of the implementation. Experimental results confirm that the PMHA is capable of performing network packet analysis for gigabit rate network traffic. Experimental test results indicate that our SB-NIDS prototype implementation on relatively low clock rate embedded processing platform performance is approximately 1.7 times better than Snort executing on a general purpose processor on PC when comparing processor cycles rather than wall clock time

Reconfigurable Computing Based on Commercial FPGAs. Solutions for the Design and Implementation of Partially Reconfigurable Systems = Computación reconfigurable basada en FPGAs comerciales. Soluciones para el diseño e implementación de sistemas parcialmente reconfigurables.

Esta tesis doctoral está enmarcada en el campo de investigación de la computación reconfigurable. Este campo ha experimentado un crecimiento abrumador en los últimos años como resultado de la evolución de los dispositivos reconfigurables, donde las Field Programmable Gate Arrays (FPGAs) son el máximo exponente desde el punto de vista comercial. De forma tradicional las empresas de electrónica han seleccionado las FPGAs como prototipos iníciales de productos de altas prestaciones. Luego el sistema final es integrado en Application Specific Integrated Circuits (ASICs) que se producen en grandes volúmenes perimiendo amortiza su alto coste de diseño y producción y aprovechando la ventaja del bajo coste por unidad. Por otro lado, los DSPs (Digital Signal Processing) y los microprocesadores han sido preferidos por su bajo coste ante las FPGAs el campo de los dispositivos con menores requisitos de cómputo. En los últimos años, este panorama está sufriendo una serie de cambios. Ahora el mercado busca mas soluciones “reconfigurables” ya que permiten reducir el tiempo de salida del producto al mercado (time-to-market), aumentar el tiempo del producto en el mercado (time-in-market) y además cubren los amplios requisitos de cómputo. El cambio que se observa, se debe a que los dispositivos programables han evolucionado de simples estructuras programables a complejas plataformas reconfigurables. Las FPGAs del estado de la técnica han alcanzado un grado de integración muy alto y además ahora contienen, dentro de su arquitectura programable, microprocesadores y lógica específica de procesamiento digital de señal. Otro factor sumamente importante para el cambio es que las FPGAs permiten el diseño de dispositivos cuyo hardware pueden ser adaptado, o actualizado, una vez que el producto ya esta entregado e instalado, obteniendo así una flexibilidad en el hardware comparable con la del software, donde la actualización postventa de los sistemas es una práctica muy explotada de cara a la reducción de costes y la salida rápida al mercado. Por otro lado, y sobre todo en el ámbito académico, existen dispositivos reconfigurables con distinta granularidad que permites alcanzar altas prestaciones en comparación con las FPGAs comerciales de grano fino (comparable con la de los ASICs), pero están restringidas a una aplicación o grupo de aplicaciones. A pesar de que los dispositivos reconfigurables propietarios ofrecen muchas ventajas, esta opción ha sido descartada en la presente tesis debido a que, desde el punto de vista industrial requieren, aparte del diseño del ASIC reconfigurable, el desarrollo de un entorno de diseño completo. Todo esto conlleva a un elevado coste de recursos, además del alejamiento de las propuestas de la industria. La presente tesis se ha centrado en proporcionar soluciones para dispositivos comerciales, FPGAs de grano fino, con la finalidad de aprovechar las herramientas existentes y mantener las soluciones propuestas lo más cerca posible de la industria. Los dispositivos reconfigurables proporcionan diversos métodos de reconfiguración, siendo el más atractivo la reconfiguración parcial y dinámica, ya que permite adaptar el dispositivo sin interrumpir su funcionamiento y crear dispositivos auto-adaptables. Este tipo de reconfiguración será el objeto de estudio de la tesis doctoral. La reconfiguración parcial permite tener una serie de tareas hardware (módulos que se ubican en la estructura reconfigurable) ejecutándose paralelamente en la FPGA y sustituir un bloque por otro, dependiendo de las necesidades del sistema, sin alterar el funcionamiento del resto de bloques. Esta idea básica en teoría brinda la flexibilidad del software al hardware, que combinado con su paralelismo implícito hace del sistema reconfigurable una potente herramienta que puede dar pie a la creación de sistemas adaptables o incluso autoadaptativos, supercomputadores reconfigurables y hardware bio-inspirado entre otros. Por otro lado, a pesar que algunos proveedores de FPGAs permiten la reconfiguración parcial, el uso de esta técnica aún está restringido al ámbito académico y a sistemas muy básicos. El trabajo de investigación descrito dentro de la presente tesis doctoral ha tenido por objeto el estudio de diversos aspectos de los sistemas parcialmente reconfigurables, la identificación de las principales deficiencias de las soluciones existentes y la propuesta de nuevas soluciones originales. Como resultado del estudio del estado del arte se ha visto que las soluciones existentes son poco flexibles y la escalabilidad de los sistemas que se pueden diseñar es reducida. Por ello las propuestas originales de esta tesis tienen como objetivo permitir el diseño e implementación de sistemas parcialmente reconfigurables con alta escalabilidad y flexibilidad. La tesis principal del trabajo de investigación ha sido basada en la idea que para obtener una mayor flexibilidad de los sistemas se debe desligar el diseño del sistema reconfigurable del diseño de los cores que serán consumidos por dicho sistema. La tesis doctoral ha contribuido proponiendo mejores soluciones a nivel de arquitectura, flujos de diseño y herramientas que han permitido el diseño e implementación de diversos sistemas parcialmente reconfigurables con distinto grado de flexibilidad y escalabilidad. La flexibilidad y la escalabilidad son términos que en los sistemas reconfigurables se pueden asociar a diversos aspectos. Dentro de esta tesis la flexibilidad está asociada principalmente a la diversidad de cores o tareas hardware que pueden ser consumidos o integrados en un sistema ya definido, mientras que la escalabilidad está referida al número de cores que pueden coexistir en el sistema y ser reconfigurados independientemente. Para poder diseñar sistemas flexibles y escalables, estas características deben estar cubiertas en distintos niveles. Más en detalle dentro de la presente tesis, desde el punto de vista de la arquitectura, la flexibilidad está cubierta por la posibilidad de posicionar libremente cores en una arquitectura escalable predefinida. Desde el punto de vista del sistema, la flexibilidad está reflejada por la posibilidad de no sólo de modificar o reconfigurar un core del sistema hardware, sino también de modificar las comunicaciones internas del mismo. Desde el punto de vista del dispositivo, la flexibilidad está garantizada por la transparencia en el proceso de reconfiguración. Por último, la flexibilidad en el proceso de diseño está cubierta por la definición de herramientas y flujos de diseño que permiten por un lado desligar el diseño del sistema reconfigurable del diseño de los cores para el sistema, y por otro lado que diseñadores sin conocimientos detallados de reconfiguración parcial puedan diseñar cores. Dentro de la tesis doctoral se presentan cuatro dispositivos reconfigurable integrados en distintos entornos y con distinto grado de flexibilidad que corresponde al grado de aprovechamiento de las aportaciones originales de la tesis. Las principales aportaciones de la tesis doctoral, relacionadas a cada uno de los aspectos mencionados en el párrafo anterior, y tratados en distintas partes de la tesis se resumen a continuación destacando en la medida de lo posible las diferencias con respecto al estado del arte: Se ha definido una metodología de diseño de Arquitecturas Virtuales (abstracción de la arquitectura física de la FPGA que incluye la distribución de los recursos programables en slots y la forma de interconexión de los slots). La metodología, propuesta originalmente en esta tesis, permite el diseño de sistemas reconfigurables con alta flexibilidad y escalabilidad comparadas con el estado del arte. Una solución a la adaptación de las comunicaciones internas en los sistemas reconfigurables llamada DRNoC (Dynamic Reconfigurable NoC). La solución original abarca diversos aspectos e incluye la definición de una arquitectura de interconexión para los sistemas reconfigurables basada en redes en chip (Network on Chip - NoC), la definición de métodos de reconfiguración y el direccionamiento interno del sistema, y de forma más específica para las comunicaciones basadas en redes, la definición de un formato de tramas y la arquitectura de los enrutadores. La principal diferencia de la solución propuesta con el estado del arte es que DRNoC no restringe la comunicación únicamente a NoCs y permite la definición de cualquier tipo de esquema de comunicación (NoC, punto a punto, punto a multipunto, bus, o una combinación de las anteriores) y además, permite que varios esquemas de comunicación coexistan en el mismo sistema y que funcionen de forma independiente. De esta forma la solución propuesta brinda una mayor flexibilidad que las ya existentes. Se ha propuesto una solución para la manipulación de los ficheros de configuración para las FPGA del tipo Virtex II/Pro que es la más completa comparada con el estado del arte. Asimismo, una serie de herramientas que permiten la generación y extracción de cores para sistemas reconfigurables basados en FPGA Virtex II que ha sido la primera solución existente para estas FPGA. Un flujo de diseño para cores basado en plantillas que permite el diseño de cores hardware sin ser un experto en reconfiguración parcial y sin conocer los detalles del sistema final en el que se implementará el core. El diseño, implementación y prueba de un sistema parcialmente reconfigurable basado en FPGAs comerciales de grano fino para redes de sensores. La primera aproximación existente en el estado del arte al uso de los sistemas parcialmente reconfigurables en las redes de sensores. La integración de un sistema reconfigurable en un entorno cliente-servidor que incluye un original sistema de control de la reconfiguración. Una solución para la depuración de los sistemas reconfigurables. Un sistema de emulación y prototipado rápido de las comunicaciones dentro de un chip basado originalmente en la idea de la reutilización de cores hardware por medio de la técnica de reconfiguración parcial. Como conclusión global del trabajo de investigación realizado cabe destacar que la presente tesis ha dado lugar a la creación y consolidación de una línea de investigación en el grupo de electrónica digital del Centro de Electrónica Industrial que actualmente se encuentra entre las más activas y de mayor importancia. Además, el trabajo de investigación y la divulgación de las aportaciones originales han permitido que el centro de investigación pase a formar parte del estado del arte de los sistemas parcialmente reconfigurables. The thesis is enclosed in the research area of reconfigurable computing which, in the last years, has experienced a remarkable growth as a result of the impressive evolution of reconfigurable devices. In this area, Field Programmable Gate Arrays (FPGAs) are the most outstanding representative from the commercial point of view. Traditionally FPGAs have been used for prototyping, in previous to the final Application Specific Integrated Circuit (ASIC) design stages. However, the interest in the integration of FPGAs in final products has been growing in the last years. FPGAs are preferred for small production volumes, where the ASIC masks high cost is unaffordable and also in products where time-to-market is a priority, and waiting for a complete ASIC design cycle is not desirable. State of the art FPGAs are highly integrated electronic circuits, composed of tens of millions of system gates, with competitive speed, performance and configurability. These devices have evolved from simple gate arrays to complex platforms that include embedded memory, multipliers and even microprocessors and digital signal processing elements. Additionally, the fine grain nature of the reconfigurable arrays, make FPGAs suitable for a broad set of application domains. On the other side, and mostly in the academic community, there are custom reconfigurable devices with different granularity levels that permit to achieve higher performance, compared to commercial FPGAs, but for a certain application domain. Although there are very good solutions in the academic state of the art, their main drawback from the industry point of view is that they require specific design environments and also, that the efforts and resources needed for designing such solutions are very high. This thesis work is focused on providing solutions that target commercial fine grain reconfigurable devices, FPGAs, in order to take advantage of existing tools and to keep the proposed solutions closer to the industry. Today FPGAs provide different reconfiguration options. Among them, the most challenging one is partial reconfiguration. This feature has special interest, as it permits system updates on the fly once the device is deployed, without the need of stopping it and without theoretical loss of performance. Partial reconfiguration is also an attractive feature because it permits to allocate different tasks/cores running in parallel in the device and change them on the fly as needed without disturbing other tasks/cores. This basic idea, brings software-like flexibility to hardware which, in combination with its inherited parallelism, opens the door for a broad amount of possibilities and applications, like runtime adaptive super-computing, adaptive embedded software ii accelerators, bio-inspired, self-reconfigurable and self-arrangeable systems. However, even though some commercial FPGAs provide partial reconfiguration features, its utilization is still in its early stages and it is not well supported by FPGA vendors, making its exploitation in real electronic systems very difficult. Therefore, there are several academic groups working to provide alternative solutions for the design and implementation of partially reconfigurable systems based on commercial FPGAs that intend to stimulate their integration and use in the industry. This research work intents to study different aspects of partially reconfigurable system on-chip and contribute with flexibility improvements. The main idea that will be followed along the thesis is that the design of reconfigurable systems will be considered an independent process from the design of cores that will be consumed by the system. This approach involves the design of flexible and scalable partial runtime reconfigurable systems, where most of the thesis contribution will be focused. More in detail, this thesis will contribute to improve architecture solutions, design tools and design flows of partially reconfigurable systems for commercial FPGAs and provide systems with higher flexibility and scalability. Flexibility and scalability in a reconfigurable system are terms that can be related to several aspects. In this thesis flexibility is mainly related to the diversity of tasks or cores a system can consume, while scalability is connected to the number of cores that can run in parallel and be independently reconfigured. Flexibility and scalability have to be covered by the system at different levels and the work presented in this thesis will contribute in all the specific levels. More in detail, from an architectural point of view, flexibility is reflected by the possibility of freely loading tasks or cores in a defined, scalable architecture. From the system point of view, flexibility is related to the possibility of modifying not only the system functionality by loading different tasks, but also to adapt the on-chip communications. From the device point of view, flexibility is reflected by the reconfiguration process transparency and, from the design point of view, it is oriented to the definition of design tools and flows that will permit, as far as possible, non specialized designers to design cores for a partially reconfigurable system and without knowing the system details. All the original proposed solutions, in each individual aspect, will be compared with the state of the art and complete systems solutions will be designed and will be integrated in different application domains in order to validate the thesis proposals. In order to achieve better understanding of the thesis and to facilitate the comparison with some, selected, related work, the thesis structure is not traditional. Instead of including a state of the art and a result Chapter, each Chapter is focused on a specific aspect of partially reconfigurable system design and includes state of the art and result sections. The first chapter, Chapter 1, introduces the main concepts to be used in the thesis. Chapter 2 is focused on reconfigurable systems architectures, contributing with architecture solutions and a design method. Chapter 3 proposes a solution that enhances the features of the architectures defined in Chapter 2, and provides more flexibility to the entire system by extending reconfiguration to the on-chip communication. Chapter 4 is related to the design flows and tools, where contributions are made in both aspects and the proposed solutions are compared with the state of the Abstract and Thesis Organization iii art. Complete systems, with different independency levels, are presented in Chapter 5 in order to validate the thesis contributions. Conclusions, a summary of contributions and the future work are included in Chapter 6. A more detailed description of each Chapter content is presented below: Chapter 1 provides an introduction to the reconfigurable systems based on FPGAs topic, by first defining the place of FPGAs in the electronic industry and afterwards, introducing the main concepts to be used along the thesis. Although the focus is put on commercial reconfigurable devices, some custom reconfigurable systems are also described in order to have a complete view of the options in reconfigurable devices. The Chapter discuses the thesis main topic, related to partial runtime reconfigurable systems, highlighting its main advantages and disadvantages and, introducing some of the approaches to be followed in this thesis. The main term introduced in this Chapter, associated to reconfigurable systems architectures, is ”Virtual Architecture”. The term defines the architecture of the partially reconfigurable system and how the different regions it is composed of are interconnected. A brief summary of the thesis main goals is included at the end of the Chapter. The main topic of Chapter 2 is related to reconfigurable systems architectures design. The Chapter includes a specific state of the art section that reviews some existing architecture solutions. After that, a general method for virtual architectures design, an original thesis contribution, is presented in detail. Afterwards, the method is applied to the design of general one dimensional (1D) and two dimensional (2D) architectures for Xilinx Virtex II/Pro FPGAs and, as an example, following the specific steps of the method, two 1D, bus based, architectures are designed. The architecture buses are compared with two state of the art solutions in terms of area and performance in the results section of the same Chapter. Chapter 3 is focused on reconfigurable systems on-chip communication issues, where the need of adaptability is the main topic. Again, a state of the art description of some 2D reconfigurable systems is presented at the beginning of the Chapter and, afterwards, an original solution, called Dynamic Reconfigurable NoC (DRNoC), is proposed. This solution covers different aspects. First, an architecture oriented to support adaptability in the on-chip communications is originally proposed. The architecture is mapped to a Virtex II FPGA by modifying a virtual architecture from the general ones presented in Chapter 2. Second, two types of reconfigurations that span through different levels of the OSI communication model are originally proposed. Third, a set of Network on Chip models, focused on the communication adaptability are designed and/or adapted and presented in the Chapter, along with an original NoC packet format and router architecture. These models are mapped to the DRNoC architecture and implementation cost parameters are defined and used to evaluate different implementation options. Regarding the architecture reconfigurability, it is important to remark that along the entire Chapter, intermediate test of possible partial reconfigurations and test results are included. At the end of the Chapter, the proposed architecture is compared with the state of the art using a set of structural parameters taken from a reference work and complemented with others defined in the Chapter. Chapter 4, focuses on the design tools and flows for partially reconfigurable systems. Again, an overview of the state of the art is included at the beginning of the Chapter. Abstract and Thesis Organization iv Afterwards, an original software solution for Virtex II configuration files (bitstreams) manipulations is presented. The first part of the solution is a study of the Virtex II/Pro FPGA bitstream format, used to define a set of equations for accessing a specific bitstream resource (at register or block level). Based on these equations, a set of tools for bitstream manipulation that target resource restricted devices are originally presented. Also, a design flow, based on systems and virtual architectures templates, which permits a straightforward core design by non partial reconfiguration experts and without knowing the system details, is originally proposed. In Chapter 5 four reconfigurable systems with different flexibility level, which corresponds to the level of the thesis proposals exploitation, are presented. The selected application domains attempt to demonstrate different advantages of the use of partial runtime reconfigurable systems and therefore are mainly a proof of concept. The first domain belongs to the wireless sensor networks, where t

Development of PCI Embedded Card Useful for Microcontroller Trainer

Not availabl

Paketverarbeitende Systeme – Algorithmen und Architekturen für hohe Verarbeitungsgeschwindigkeiten

Paketverarbeitende Systeme basieren auf zwei wichtigen Bereichen: der eigentlichen Paketverarbeitung und der Paketklassifizierung. Zur Optimierung der Paketverarbeitung wurde eine FPGA-basierte Architektur für funktionale Module entwickelt, auf deren Basis verschiedene Funktionen für den Einsatz im Teilnehmerzugangsnetzwerk realisiert wurden. Hash-basierte Klassifizierungsalgorithmen und –architekturen sind grundsätzlich für die Paketklassifizierung geeignet. Zur Optimierung dieser Klasse von Algorithmen wurde eine evolvierbare Hashfunktionsarchitektur entwickelt.Packet processing systems base on two important areas: ultimate packet and packet classification. For optimization of packet processing an FPGA-based architecture for functional modules has been developed. For application in Access Network, different functional modules have been developed. Hash-based classification algorithms and architectures are appropriate for fast packet classification. For optimization of this class of algorithms, an evolvable architecture for hash functions has been developed

E-commerce security enhancement and anomaly intrusion detection using machine learning techniques

With the fast growth of the Internet and the World Wide Web, security has become a major concern of many organizations, enterprises and users. Criminal attacks and intrusions into computer and information systems are spreading quickly and they can come from anywhere on the globe. Intrusion prevention measures, such as user authentication, firewalls and cryptography have been used as the first line of defence to protect computer and information systems from intrusions. As intrusion prevention alone may not be sufficient in a highly dynamic environment, such as the Internet, intrusion detection has been used as the second line of defence against intrusions. However, existing cryptography-based intrusion prevention measures implemented in software, have problems with the protection of long-term private keys and the degradation of system performance. Moreover, the security of these software-based intrusion prevention measures depends on the security of the underlying operating system, and therefore they are vulnerable to threats caused by security flaws of the underlying operating system. On the other hand, existing anomaly intrusion detection approaches usually produce excessive false alarms. They also lack in efficiency due to high construction and maintenance costs. In our approach, we employ the "defence in depth" principle to develop a solution to solve these problems. Our solution consists of two lines of defence: preventing intrusions at the first line and detecting intrusions at the second line if the prevention measures of the first line have been penetrated. At the first line of defence, our goal is to develop an encryption model that enhances communication and end-system security, and improves the performance of web-based E-commerce systems. We have developed a hardware-based RSA encryption model to address the above mentioned problems of existing software-based intrusion prevention measures. The proposed hardware-based encryption model is based on the integration of an existing web-based client/server model and embedded hardware-based RSA encryption modules. DSP embedded hardware is selected to develop the proposed encryption model because of its advanced security features and high processing capability. The experimental results showed that the proposed DSP hardware-based RSA encryption model outperformed the software-based RSA implementation running on Pentium 4 machines that have almost double clock speed of the DSP's clock speed at large RSA encryption keys. At the second line of defence, our goal is to develop an anomaly intrusion detection model that improves the detection accuracy, efficiency and adaptability of existing anomaly detection approaches. Existing anomaly detection systems are not effective as they usually produce excessive false alarms. In addition, several anomaly detection approaches suffer a serious efficiency problem due to high construction costs of the detection profiles. High construction costs will eventually reduce the applicability of these approaches in practice. Furthermore, existing anomaly detection systems lack in adaptability because no mechanisms are provided to update their detection profiles dynamically, in order to adapt to the changes of the behaviour of monitored objects. We have developed a model for program anomaly intrusion detection to address these problems. The proposed detection model uses a hidden Markov model (HMM) to characterize normal program behaviour using system calls. In order to increase the detection rate and to reduce the false alarm rate, we propose two detection schemes: a two-layer detection scheme and a fuzzy-based detection scheme. The two-layer detection scheme aims at reducing false alarms by applying a double-layer test on each sequence of test traces of system calls. On the other hand, the fuzzy-based detection scheme focuses on further improving the detection rate, as well as reducing false alarms. It employs the fuzzy inference to combine multiple sequence information to correctly determine the sequence status. The experimental results showed that the proposed detection schemes reduced false alarms by approximately 48%, compared to the normal database scheme. In addition, our detection schemes generated strong anomaly signals for all tested traces, which in turn improve the detection rate. We propose an HMM incremental training scheme with optimal initialization to address the efficiency problem by reducing the construction costs, in terms of model training time and storage demand. Unlike the HMM batch training scheme, which updates the HMM model using the complete training set, our HMM incremental training scheme incrementally updates the HMM model using one training subset at a time, until convergence. The experimental results showed that the proposed HMM incremental training scheme reduced training time four-fold, compared to the HMM batch training, based on the well-known Baum-Welch algorithm. The proposed training scheme also reduced storage demand substantially, as the size of each training subset is significantly smaller than the size of the complete training set. We also describe our complete model for program anomaly detection using system calls in chapter 8. The complete model consists of two development stages: training stage and testing stage. In the training stage, an HMM model and a normal database are constructed to represent normal program behaviour. In addition, fuzzy sets and rules are defined to represent the space and combined conditions of the sequence parameters. In the testing stage, the HMM model and the normal database, are used to generate the sequence parameters which are used as the input for the fuzzy inference engine to evaluate each sequence of system calls for anomalies and possible intrusions. The proposed detection model also provides a mechanism to update its detection profile (the HMM model and the normal database) using online training data. This makes the proposed detection model up-to-date, and therefore, maintains the detection accuracy