Deep Packet Filter with Dedicated Logic and Read Only Memories (2004)
Cited by 74 (4 self)
Searching for multiple string patterns in a stream of data is a computationally expensive task. The speed of the search pattern module determines the overall performance of deep packet inspection firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS). For example, one open source IDS configured for 845 patterns, can sustain a throughput of only 50 Mbps running on a dual 1-GHz Pentium III system. Using such systems would not be practical for filtering high speed networks with over 1 Gbps traffic. Some of these systems are implemented with field programmable gate arrays (FPGA) so that they are fast and programmable. However, such FPGA filters tend to be too large to be mapped on to a single FPGA. By sharing the common sub-logic in the design, we can effectively shrink the footprint of the filter. Then, for a large subset of the patterns, the logic area can be further reduced by using a memory based architecture. These design methods allow our filter for 2064 attack patterns to map onto a single Xilinx Spartan 3 - XC3S2000 FPGA with a filtering rate of over 3 Gbps of network traffic.
Programmable Hardware for Deep Packet Filtering on a Large Signature Set (2004)
Cited by 11 (2 self)
Damage caused by the recent series of application-level network attacks clearly indicates an immediate need for increased security. Most of these attacks can be more accurately detected by a technique termed Deep Packet Inspection. Deep packet inspection not only examines the packet header, but also looks through the entire payload searching for all of the user-specified patterns. Payload pattern search is an expensive process, especially when the set of patterns is large. Current solutions employ software filtering systems that are practical for bandwidth beyond 100 Mbps. For example, one of the most widely used intrusion detection systems, Snort, configured with 845 patterns can sustain a throughput of only 50 Mbps running on a dual 1-GHz Pentium III system. The bottleneck of such a system is the dynamic pattern search. Therefore, we implement a fast dynamic pattern search engine on a field programmable gate array. Our system filters and identifies the entire 1,625 unique patterns defined in the most current version of the Snort rule set. This system is mapped onto a single 400k Xilinx Spartan 3 FPGA - XC3S400 with a filtering rate of 1.6 Gbps.
Hybrid CMOS/Nanodevice Circuits for High Throughput Pattern Matching Applications
Cited by 6 (2 self)
We propose a class of novel hybrid CMOS/nanodevice circuits for pattern matching applications (e.g. real-time network intrusion detection, network packet routing, DNA sequencing), with the potential for dramatic improvements in throughput, density, and power performance relative to state-of-the-art designs. The performance advantage of our novel circuits is mainly due to three factors: the implementation of a ternary content addressable memory cell with stackable ultradense resistive switching (“memristive” or RRAM) devices; three dimensional hybrid CMOS/nanodevice circuitry with an area-distributed interface enabling high communication bandwidth between the memory and CMOS subsystems; and use of a modified CMOL FPGA fabric with low reconfiguration overhead.
Scalable Multi-Pipeline Architecture for High Performance Multi-Pattern String Matching
Cited by 5 (1 self)
Multi-pattern string matching remains a major performance bottleneck in network intrusion detection and anti-virus systems for high-speed deep packet inspection (DPI). Although Aho-Corasick deterministic finite automaton (AC-DFA) based solutions produce deterministic throughput and are widely used in today’s DPI systems such as Snort [1] and ClamAV [2], the high memory requirement of AC-DFA (due to the large number of state transitions in AC-DFA) inhibits efficient hardware implementation to achieve high performance. Some recent work [3], [4] has shown that the AC-DFA can be reduced to a character trie that contains only the forward transitions by incorporating pipelined processing. But they have limitations in either handling long patterns or extensions to support multi-character input per clock cycle to achieve high throughput. This paper generalizes the problem and proves formally that a linear pipeline with H stages can remove all cross transitions to the top H levels of an AC-DFA. A novel and scalable pipeline architecture for memory-efficient multi-pattern string matching is then presented. The architecture can be easily extended to support multi-character input per clock cycle by mapping a compressed AC-DFA [5] onto multiple pipelines. Simulation using Snort and ClamAV pattern sets shows that an 8-stage pipeline can remove more than 99% of the transitions in the original AC-DFA. The implementation on a state-of-the-art field programmable gate array (FPGA) shows that our architecture can store on a single FPGA device the full set of string patterns from the latest Snort rule set. Our FPGA implementation sustains 10+ Gbps throughput, while consuming a small amount of on-chip logic resources. Also, desirable scalability is achieved: the increase in resource requirement of our solution is sub-linear with the throughput improvement.
Keywords: Deep packet inspection; DFA; FPGA; pipeline; string matching
A Survey on the Application of FPGAs for Network Infrastructure Security
Cited by 4 (1 self)
Given the rapid evolution of attack methods and toolkits, software-based solutions to secure the network infrastructure have become overburdened. The performance gap between the execution speed of security software and the amount of data to be processed is ever widening. A common solution to close this performance gap is through hardware implementation of security functions. Possessing the flexibility of software and the high parallelism of hardware, reconfigurable hardware devices, such as Field Programmable Gate Arrays (FPGAs), have become increasingly popular for this purpose. FPGAs support the performance demands of security operations as well as enable architectural and algorithm innovations in the future. This paper presents a survey of the state-of-the-art in FPGA-based implementations that have been used in the network infrastructure security area, categorizing currently existing diverse implementations. Combining brief descriptions with intensive case studies, we hope this survey will inspire more active research in this area.
LaFA: Lookahead finite automata for scalable regular expression detection (In ANCS, 2009)
Cited by 3 (2 self)
Although Regular Expressions (RegExes) have been widely used in network security applications, their inherent complexity often limits the total number of RegExes that can be detected using a single chip for a reasonable throughput. This limit on the number of RegExes impairs the scalability of today’s RegEx detection systems. The scalability of existing schemes is generally limited by the traditional per character state processing and state transition detection paradigm. The main focus of existing schemes is in optimizing the number of states and the required transitions, but not the suboptimal character-based detection method. Furthermore, the potential benefits of reduced number of operations and states using out-of-sequence detection methods have not been explored. In this paper, we propose Lookahead Finite Automata (LaFA) to perform scalable RegEx detection using a very small amount of memory. LaFA’s memory requirement is very small due to the following three areas of effort described in this paper: (1) Different parts of a RegEx, namely RegEx components, are detected using different detectors, each of which is specialized and optimized for the detection of a certain RegEx component. (2) We systematically reorder the RegEx component detection sequence, which provides us with new possibilities for memory optimization. (3) Many redundant states in classical finite automata are identified and eliminated in LaFA. Our simulations show that LaFA requires an order of magnitude less memory compared to today’s state-of-the-art RegEx detection systems. A single commodity Field Programmable Gate Array (FPGA) chip can accommodate up to twenty-five thousand (25k) RegExes. Based on the throughput of our LaFA prototype on FPGA, we estimated that a 34-Gbps throughput can be achieved.
Strukov, “Mapping of image and network processing tasks on high-throughput CMOL FPGA circuits”, extended version, available online at https://sites.google.com/site/strukov (2012)
Cited by 2 (1 self)
A simple two-terminal memristive device has excellent scaling properties. For example, devices with footprint below 10×10 nm² have been recently demonstrated and crossbar structures provide means of sustaining memristor density in large-scale circuits. While taking advantage of high density memristive devices is relatively straightforward in crossbar memory circuits, doing so efficiently in digital logic circuits still remains challenging. For example, only a small fraction (less than 1% on average) of memristive devices is actively utilized, i.e. turned to a highly conductive state, in CMOL FPGA circuits which are configured to implement representative benchmark circuits. The main contribution of this paper is to demonstrate that such utilization can be much higher, more than 12%, in a certain variety of CMOL FPGA circuits which are specifically designed for high throughput processing of streaming data. The high memristor device utilization is demonstrated by performing detailed mapping of network and image processing tasks and is mainly due to efficient use of high fan-in logic gates implementing exact and approximate pattern matching operations with streaming data. As a result of high utilization, the proposed circuits are estimated to have much higher computational throughput as compared to traditional approaches and represent a killer application which capitalizes efficiently on the density advantages of memristive devices.
Design of 8-bit Dedicated Microprocessor for Content Matching in NIDPS
Content or string matching is the core process of deep packet inspection and pattern recognition used by Network Intrusion Detection and Prevention Systems (NIDPS). Although there are many sophisticated algorithms in software, it is an exhaustive process and still beneath the requirements of high-speed network traffic. This paper presents a flexible hardware solution, i.e. a microprocessor able to recognize known attack patterns and their variants, to overcome the software NIDPS outage caused by 1 Gbps (and beyond) throughputs on a single CPU core. Since many modified network attacks use so-called evasion techniques, the presented approach is an 8-bit dedicated microprocessor for exact and approximate string matching. To construct the design itself and to perform the simulation, the Xilinx ISE Web Pack simulator is used.
Keywords: Data path, control unit, register, NIDPS, pattern
Technical Report: Packet Sampling for Network Monitoring (2007)
In this paper, the emphasis is placed on various packet sampling methods and their application to network monitoring. We present the motivations for packet sampling on high-speed network links. We give an overview of all known packet sampling techniques, and point out their strengths and weaknesses in terms of reliability and accuracy in the estimation of different network traffic parameters. We also provide more details about adaptive packet sampling, as a way to increase this accuracy. One of the key objectives of our study is to gain some insight into the feasibility of packet sampling in the context of network anomaly detection. It was proven that packet sampling provides reliable estimates in traffic monitoring applications. However, there is not much research on whether packet sampling provides a sufficient amount of information for anomaly detection.
Windows Server 2008
Snort is the most widely deployed network intrusion detection system (NIDS) worldwide, with millions of downloads to date. PC-based Snort typically runs on either Linux or Windows operating systems. In this paper, we present an experimental evaluation and comparison of the performance of Snort NIDS when running under the two newly released operating systems of Windows 7 and Windows Server 2008. Snort's performance is measured when subjecting a PC host running Snort to both normal and malicious traffic. Snort's performance is evaluated and compared in terms of throughput and packet loss. In order to offer sound interpretations and get a better insight into the behaviour of Snort, we also measure the packet loss encountered at the kernel level. In addition, we study the impact of running Snort under different system configurations which include CPU scheduling priority given to user applications or kernel services, uni- and multiprocessor environments, and processor affinity.