The Shunt: An FPGA-based accelerator for network intrusion prevention
In FPGA ’07: Proceedings of the 2007 ACM/SIGDA 15th international, 2007
Cited by 25 (6 self)
The sophistication and complexity of analysis performed by today’s network intrusion prevention systems (IPSs) benefits greatly from implementation using general-purpose CPUs. Yet the performance of such CPUs increasingly lags behind that necessary to process today’s high-rate traffic streams. A key observation, however, is that much of the traffic comprising a high-volume stream can, after some initial analysis, be qualified as “likely uninteresting.” To this end, we have developed an in-line, FPGA-based IPS accelerator, the Shunt, using the NetFPGA2 platform. The Shunt functions as the forwarding device used by the IPS; it alone processes the bulk of the traffic, offloading the memory bus and leaving the CPU free to inspect the subset of the traffic deemed germane for security analysis. To do so, the Shunt maintains several large state tables indexed by packet header fields, including IP/TCP flags, source and destination IP addresses, and connection tuples. The tables yield decision values the element makes on a packet-by-packet basis: forward the packet, drop it, or divert it through the IPS. By manipulating table entries, the IPS can specify the traffic it wishes to examine, directly block malicious traffic, and “cut through” traffic streams once it has had an opportunity to “vet” them, all on a fine-grained basis. We base our design on a novel series of caches, with a “fail safe” miss policy, coupled to a host PC to handle both cache management and higher level IPS analysis. The design requires only 2 MB of SRAM for its extensive caches, and can support
TriBiCa: Trie Bitmap Content Analyzer for High-Speed Network Intrusion Detection
Proc. IEEE INFOCOM, 2007
Cited by 14 (8 self)
Abstract—Deep packet inspection (DPI) is often used in network intrusion detection and prevention systems (NIDPS), where incoming packet payloads are compared against known attack signatures. Processing every single byte in the incoming packet payload has a very stringent time constraint, e.g., 200 ps for a 40-Gbps line. Traditional DPI systems either need a large memory space or use special memory such as ternary content addressable memory (TCAM), limiting parallelism, or yielding high cost/power consumption. In this paper, we present a high-speed, single-chip DPI scheme that is scalable and configurable through memory updates. The scheme is based on a novel data structure called TriBiCa (Trie Bitmap Content Analyzer), which provides minimal perfect hashing functionality. It uses a trie structure with a hash function performed at each layer. Branching is determined by the hashing results with an objective to evenly partition attack signatures into multiple groups at each layer. During a query, as an input traverses the trie, an address to a table in the memory that stores all attack signatures is formed and is used to access the signature for an exact match. Due to the small space required, multiple copies of TriBiCa can be implemented on a single chip to perform pipelining and parallelism simultaneously, thus achieving high throughput. We have designed the TriBiCa on a modest FPGA chip, Xilinx Virtex II Pro, achieving 10-Gbps throughput without using any external memory. A proof-of-concept design is implemented and tested with 1-Gbps packet streams. By using today’s state-of-the-art FPGAs, a throughput of 40 Gbps is believed to be achievable. Index Terms—TriBiCa, NIDPS, minimal perfect hashing
A Parallel Architecture for Stateful Intrusion Detection in High Traffic Networks
2006
Cited by 11 (6 self)
In a scenario where network bandwidth and traffic are continuously growing, network appliances that have to monitor and analyze all flowing packets are reaching their limits. These issues are critical especially for Network Intrusion Detection Systems (NIDS) that need to trace and reassemble every connection, and to examine every packet flowing on the monitored link(s), to guarantee high security levels. Any NIDS based on a single component cannot scale over certain thresholds, even if it has some parts built in hardware. Hence, parallel architectures appear as the most valuable alternative for the future. In this paper, we propose a parallel NIDS architecture that is able to provide us with fully reliable analysis, high performance and scalability. These properties come together with the low costs and high flexibility that are guaranteed by a total software implementation. The load balancing mechanism of the proposed NIDS distributes the traffic among a configurable number of parallel sensors, so that each of them is reached by a manageable amount of traffic. The parallelism and traffic distribution do not alter the results of the traffic analysis that remains reliable and stateful.
Pipelined Parallel AC-Based Approach for Multi-String Matching
in ICPADS, 2008
Cited by 5 (0 self)
Approximate Fingerprinting to Accelerate Pattern Matching
Cited by 5 (2 self)
Pattern matching and analysis over network data streams is increasingly becoming an essential primitive of network monitoring systems. It is a fundamental part of most intrusion detection systems, worm detecting algorithms and many other anomaly detection mechanisms. It is a processing-intensive task, usually requiring a search for a large number of patterns simultaneously. We propose the technique of “approximate fingerprinting” to reduce the memory demands and significantly accelerate the pattern matching process. The method computes fingerprints of prefixes of the patterns and matches them against the input stream. It acts as a generic preprocessor to a standard pattern matching engine by “clearing” a large fraction of the input that would not match any of the patterns. The main contribution is the “approximate” characteristic of the fingerprint, which allows the fingerprinting window to slide through the packet at a faster rate, while maintaining a small memory footprint and a low number of false positives. An improvement over a Bloom filter solution, a fingerprint can indicate which patterns are the candidate matches. We validate our technique by presenting the performance gain for the popular Snort intrusion detection system with the preprocessor in place.
Aggregated bloom filters for intrusion detection and prevention hardware
in Proceedings of the Global Communications Conference (GLOBECOM), 2007
Cited by 4 (1 self)
Abstract—Bloom Filters (BFs) are fundamental building blocks in various network security applications, where packets from high-speed links are processed using state-of-the-art hardware-based systems. In this paper, we propose Aggregated Bloom Filters (ABFs) to increase the throughput and scalability of BFs. The proposed ABF has two methods to improve average speed and scalability. The first method leverages the query mechanism for hardware BFs. We optimize queries by removing redundant hash calculations and memory accesses. First, to remove redundancy, the hash functions for each query are calculated sequentially. As soon as we have a no-match in any of the hash results, the query is immediately abandoned. We then aggregate multiple queries and query a BF with all of these queries in parallel, which maximizes the throughput of the BF. The second method addresses scalability issues regarding the on-chip memory resources. In most applications multiple BFs are required to store many sets with different numbers of elements. These sets may also be too small for the unit memory on-chip. So, most of the memory is left unused, causing low memory utilization. The second method aggregates small distributed BFs into a single BF, allowing better on-chip memory utilization. For the application of Network Intrusion Detection and Prevention Systems (NIDPSs), our proposed ABF shows a seven-fold improvement in the average query throughput and four times less memory usage.
A Partially Distributed Intrusion Detection System for Wireless Sensor Networks
2013
A Digest and Pattern Matching-Based Intrusion Detection Engine
2009
Cited by 1 (0 self)
Intrusion detection/prevention systems (IDSs/IPSs) heavily rely on signature databases and pattern matching (PM) techniques to identify network attacks. The engines of such systems often employ traditional PM algorithms to search for telltale patterns in network flows. The observations that real-world network traffic is largely legitimate and that telltales manifested by exploits rarely appear in network streams lead us to the proposal of Fingerprinter. This framework integrates fingerprinting and PM methods to rapidly distinguish well-behaved from malicious traffic. Fingerprinter produces concise digests or fingerprints for attack signatures during its programming phase. In its querying phase, the framework quickly identifies attack-free connections by transforming input traffic into its fingerprint space and matching its digest against those of attack signatures. If the legitimacy of a stream cannot be determined by fingerprints alone, our framework uses the Boyer–Moore algorithm to ascertain whether attack signatures appear in the stream. To reduce false matches, we resort to multiple fingerprinting techniques including Bloom Filter and Rabin Fingerprint. Experimentation with a prototype and a variety of traces has helped us establish that Fingerprinter significantly accelerates the attack detection process.
Multi-Stride String Searching for High-Speed Content Inspection
2012
The design of a hardware-assisted high-speed string-matching engine for content inspection has been an active research topic. Scalability, flexibility and speed are the three major challenges. In this paper, we present a high-speed string matching engine for virus scanning that can process 3 bytes of input data per cycle. Our design uses a memory-based architecture. The hardware circuits need not be reconfigured when the pattern set is updated. We evaluate our design using the ClamAV virus database with over 82K patterns, and the memory cost of our method is about 2.4 MB. The proposed method is an improved version of our previously published method called quick sampling with on-demand verification. The previous design has a memory cost of 1.4 MB and a throughput of 1 byte per cycle. Two novel architectural features are incorporated into the new design, namely a new technique to construct near-minimal dynamic perfect hash tables using the bit-shuffle approach, and the introduction of a new concept called byte-shift invariant code (BSIC). With the BSIC, a suffix verification unit can be shared by multiple prefix sampling units. Hence, the processing rate of the new design can be sped up to three times the processing rate of the old design, while the memory cost is only increased by 72%.