TriBiCa: Trie Bitmap Content Analyzer for High-Speed Network Intrusion Detection
1 TriBiCa: Trie Bitmap Content Analyzer for High-Speed Network Intrusion Detection
N. Sertac Artan and Jonathan H. Chao, Dept. of Electrical and Computer Eng.
8 May 27, 26th Annual IEEE Conference on Computer Communications
2 Outline of the Talk
Introduction
TriBiCa Data Structure
Introduction to Algorithms for TriBiCa
TriBiCa for Intrusion Detection and Prevention
Implementation and Performance
Conclusion
5/8/7 INFOCOM 27
3 Introduction
4 Network Intrusion Detection and Prevention
NIDS: like a security camera; on-the-side; only monitors the traffic; cannot modify the traffic.
NIPS: like a security guard; inline; both monitors and polices the traffic.
[Figure: Internet, IDS / IPS, Protected Network]
5 Assumptions
The attack is known and defined by a signature.
A signature is a payload excerpt to identify a particular attack.
No zero-day attacks considered.
Signatures are contained within a single packet.
Our previous work deals with detecting signatures spanning multiple packets.
6 Deep Packet Inspection
Slide a window on a packet payload.
Advance the window one byte at a time.
Compare the window content against all signatures.
Per-byte processing has a stringent time constraint: 2 ps for 4-Gbps line.
[Figure: a packet (header, payload) checked against the attack signatures database. Columns: Attack, Signature. Rows: SQL Slammer, 726e5686f756e; MyDoom, 57696e646f7773]
7 Motivation: The memory bottleneck
Goal: small and constant worst-case time.
Some options: finite automata (too big), TCAM (too expensive).
On-chip memory is limited: around Mbits for state-of-the-art FPGAs.
Signatures stored in slow external memory.
Bottleneck: external memory.
8 Trie Bitmap for Content Analysis
9 Our Contribution: TriBiCa, Trie Bitmap Content Analyzer
Space-efficient and fast.
Signatures fit into a fraction of an FPGA.
No external memory access. No memory bottleneck.
Guarantees one operation per byte.
Allows multiple parallel engines on a single chip to boost performance.
No reconfiguration. Easy updates through on-chip memory updates.
Uses minimal perfect hashing.
10 Ordinary Hashing vs. Minimal Perfect Hashing
Ordinary hashing: collisions, unpredictable query time, memory > S.
Minimal perfect hashing: collision free, predictable query time, memory same as S.
[Figure: a hash function mapping the set S, drawn from the universe U, onto the index set I, once with collisions and once collision free]
11 Binary Trie as an Address Decoder
[Figure: binary trie over eight items (labelled up to b7) with log(n) levels, resolving an item to its address]
12 Node Structure
[Figure: a trie node holding eight items (labelled up to b7), with a hash function, a Data Bitmap (DB) and a Next Node Bitmap (NB); one group of items goes to the left child, the other group to the right child]
13 TriBiCa: Successful Query
[Figure: a stored item is hashed at each trie level (H, H2) down to an address; Compare; result: Match]
14 TriBiCa: Successful No-Match Query
[Figure: the query b9 is hashed at each trie level (H, H2) down to an address; result: Discard]
15 Equal-Partitioning
16 Offline Data Structure: The Occupancy Table
[Figure: a node's occupancy table (columns: Bin No., Occupancy, Item List) beside its Data Bitmap (DB) and Next Node Bitmap (NB)]
Constraint: all items hashed to the same bin must go to the same next node.
17 Cast into Number Partitioning Problem
[Figure: the occupancy table (columns: Bin No., Occupancy, Item List)]
18 Easy or Hard?
As item values decrease and the number of items increases, the chance of equal-partitioning increases.
Hayes formulated hardness as w/q, where w is the number of bits required to represent the largest number and q is the count of items.
Since, for hashing, q is expected to be higher at high levels and w increases slower compared to n, equal-partitioning at high levels is easier than at lower levels.
19 Easy or Hard?
Going down the trie: items per node decrease, node count per level increases, max. occupancy/n increases, possible partitionings decrease. Harder to solve.
Use naïve algorithms for high levels of TriBiCa.
Use brute force for low levels.
20 Partitioning High-levels: Blackjack Algorithm
Partition 8 items into two 4-item groups.
[Figure: a running sum over the bin occupancies from a starting point, filling in the Next Node Bitmap (NB)]
If it fails, change the starting point.
If all starting points are exhausted, change the hash function.
21 Partitioning Low-levels: Greedy Algorithm
Let's go back.
[Figure: items (labelled up to b3) hashed at low-level nodes; a collision means no partitioning]
The higher a node is in the trie, the higher the expected number of different equal-partitionings.
Expected possible equal partitionings for a node with 6 items and load factor .5 is over 8.
22 Partitioning Low-levels: Greedy Algorithm
For each node, occupancies: q q2 q3 q4 q5
q = Q = 5, qmax = max (n, m)
Try all 2n 2 subsets of Q for sum = n/2:
{q}, {q2}, {q3}, {q4}, {q5}
{q, q2}, {q, q3}, {q, q4}, {q, q5}, {q2, q3}
{q, q2, q3}, {q, q2, q4}, {q, q2, q5},
23 Success probability using Greedy Algorithm for the last 4 nodes
5% chance of equal-partitioning with a single set of random hash functions for a set of, signatures
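The trie bitmap of slides 11 to 22 as an added Python sketch (not code from the talk or its authors): each node builds an occupancy table, brute-forces an equal partition, rehashes when none exists, and records its DB and NB; a query walks the bitmaps to an address and compares once. Assumptions: BLAKE2b stands in for the hardware hash, each node has twice as many bins as items, DB marks occupied bins, and the 4-byte chunks are constructed sample data.

```python
"""Toy software model of a trie-bitmap address decoder (added example)."""
import hashlib
from itertools import combinations

# Constructed sample chunks; the count must be a power of two.
CHUNKS = [b"ABCD", b"EFGH", b"IJKL", b"MNOP", b"QRST", b"UVWX", b"YZ01", b"2345"]


def bin_of(item: bytes, seed: int, nbins: int) -> int:
    """Seeded hash of an item into one of nbins bins (assumed hash family)."""
    digest = hashlib.blake2b(item, digest_size=8,
                             salt=seed.to_bytes(8, "little")).digest()
    return int.from_bytes(digest, "little") % nbins


def equal_partition(occupancy: dict, target: int):
    """Brute force over subsets of bins: return a set of bins whose
    occupancies sum to target, or None when no equal partition exists."""
    bins = list(occupancy)
    for size in range(1, len(bins) + 1):
        for subset in combinations(bins, size):
            if sum(occupancy[b] for b in subset) == target:
                return set(subset)
    return None


def build(items, max_seeds=10_000):
    """Build one node and, recursively, its children. A single item needs no node."""
    n = len(items)
    if n == 1:
        return None
    nbins = 2 * n                      # assumed load factor of 0.5
    for seed in range(max_seeds):      # each new seed is one rehash
        table = {}                     # occupancy table: bin -> item list
        for item in items:
            table.setdefault(bin_of(item, seed, nbins), []).append(item)
        left = equal_partition({b: len(v) for b, v in table.items()}, n // 2)
        if left is None:
            continue                   # e.g. a collision between the last two items
        db = nb = 0
        groups = ([], [])
        for b, members in table.items():
            db |= 1 << b               # Data Bitmap: this bin is occupied
            side = 0 if b in left else 1
            nb |= side << b            # Next Node Bitmap: 0 = left, 1 = right
            groups[side].extend(members)   # a whole bin moves to one child
        return {"seed": seed, "nbins": nbins, "db": db, "nb": nb,
                "child": (build(groups[0], max_seeds), build(groups[1], max_seeds))}
    raise RuntimeError("no equal partition found; raise max_seeds")


def address_of(root, item: bytes):
    """Walk the trie: one hash and two bitmap reads per level.
    Returns the decoded address, or None if an empty bin is hit."""
    node, addr = root, 0
    while node is not None:
        b = bin_of(item, node["seed"], node["nbins"])
        if not (node["db"] >> b) & 1:
            return None                # empty bin: cannot be a stored item
        bit = (node["nb"] >> b) & 1
        addr = (addr << 1) | bit
        node = node["child"][bit]
    return addr


class Analyzer:
    """Minimal perfect address decoder plus one stored item per address."""

    def __init__(self, signatures):
        n = len(signatures)
        if n < 2 or n & (n - 1) or len(set(signatures)) != n:
            raise ValueError("need a power-of-two number of distinct items")
        self.root = build(list(signatures))
        self.memory = [None] * n
        for sig in signatures:
            self.memory[address_of(self.root, sig)] = sig

    def match(self, window: bytes) -> bool:
        """One final comparison decides Match or Discard."""
        addr = address_of(self.root, window)
        return addr is not None and self.memory[addr] == window


if __name__ == "__main__":
    analyzer = Analyzer(CHUNKS)
    for chunk in CHUNKS + [b"ZZZZ"]:
        print(chunk, address_of(analyzer.root, chunk), analyzer.match(chunk))
```

A non-member can still be walked to a valid address, which is why the final comparison against the stored item is required.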
24 TriBiCa for NIDPS
25 Snort Signatures
Signature length between to 22 bytes.
Total of 655 unique signatures.
26 Preparation
Chop signatures into fixed-length chunks and ID these chunks.
For c = 4, the signature ABCDEFGHIJKLMN is chopped into ABCD (ID), EFGH (ID2), IJKL (ID3) and MN (ID4). Note the short suffix.
27 Detecting Long Signatures
Sig: ABCDEFGHIJKL, c = 4
Detector table: ABCD → ID; EFGH → ID2; IJKL → ID3.
Detector 2 table: (S, ID) → S; (S, ID2) → S2; (S2, ID3) → S3, Match.
[Figure: input ABCDEFGHIJKL; the Detector output ID is concatenated with the current state (S, ID) and fed to Detector 2; Detector 2 state: S; each detector outputs Match / No Match]
28 Detecting Long Signatures
Sig: ABCDEFGHIJKL, c = 4
[Figure: same tables; the Detector output ID2 is concatenated with the current state (S, ID2) and fed to Detector 2; Detector 2 state: S2]
Note other offsets (e.g. BCDE) have their own current state.
29 Detecting Long Signatures
Sig: ABCDEFGHIJKL, c = 4
[Figure: same tables; the Detector output ID3 is concatenated with the current state (S2, ID3) and fed to Detector 2; Detector 2 state: S3; MATCH!]
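The two-detector scheme of slides 26 to 29 as an added Python sketch (not code from the talk or its authors): signatures are chopped into c-byte chunks with IDs, and a (state, ID) table is advanced separately for each byte offset. Assumptions: a dictionary stands in for the first detector, each offset lane keeps a set of candidate states rather than a single state so that repeated chunks are not missed, the short suffix is checked by direct comparison, and the signatures are constructed sample data.

```python
"""Chunked long-signature detection with per-offset state (added example)."""

# Constructed sample signatures; sigB ends in the short suffix "MN".
SIGNATURES = {
    "sigA": b"ABCDEFGHIJKL",
    "sigB": b"ABCDEFGHIJKLMN",
    "sigC": b"XXXXXXXXYYYY",
}


def chop(sig: bytes, c: int):
    """Split a signature into full c-byte chunks plus a short suffix."""
    full = len(sig) // c
    return [sig[i * c:(i + 1) * c] for i in range(full)], sig[full * c:]


class LongSignatureDetector:
    def __init__(self, signatures: dict, c: int = 4):
        self.c = c
        self.chunk_id = {}   # first detector: chunk -> ID
        self.trans = {}      # second detector: (state, ID) -> next state
        self.accept = {}     # state -> [(name, suffix, signature length)]
        next_state = 1       # state 0 is the start state
        for name, sig in signatures.items():
            chunks, suffix = chop(sig, c)
            if not chunks:
                raise ValueError(f"{name} is shorter than one chunk")
            state = 0
            for chunk in chunks:
                cid = self.chunk_id.setdefault(chunk, len(self.chunk_id) + 1)
                if (state, cid) not in self.trans:
                    self.trans[(state, cid)] = next_state
                    next_state += 1
                state = self.trans[(state, cid)]   # shared prefixes share states
            self.accept.setdefault(state, []).append((name, suffix, len(sig)))

    def scan(self, payload: bytes):
        """Slide a c-byte window one byte at a time; return (start, name) hits."""
        c = self.c
        lanes = [set() for _ in range(c)]   # one state set per offset mod c
        hits = []
        for pos in range(len(payload) - c + 1):
            lane = pos % c
            cid = self.chunk_id.get(payload[pos:pos + c])
            if cid is None:
                lanes[lane] = set()         # chain broken at this offset
                continue
            reached = set()
            for state in lanes[lane] | {0}:  # continue a chain or start one
                nxt = self.trans.get((state, cid))
                if nxt is not None:
                    reached.add(nxt)
            lanes[lane] = reached
            end = pos + c
            for state in reached:
                for name, suffix, length in self.accept.get(state, ()):
                    # assumed suffix handling: compare the trailing bytes directly
                    if payload[end:end + len(suffix)] == suffix:
                        hits.append((end + len(suffix) - length, name))
        return hits


if __name__ == "__main__":
    detector = LongSignatureDetector(SIGNATURES)
    for sample in (b"xxABCDEFGHIJKLMNyy", b"XXXXXXXXXXXXYYYY", b"ABCDxEFGHIJKL"):
        print(sample, sorted(detector.scan(sample)))
```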
30 Implementation and Performance
31 Case Study
Snort signature detection using 2 stages achieved using:
29 kbits for high-levels
36. kbits for low-levels and hash keys
65. kbits in total
Construction time: 8 seconds on a 2.8 GHz Pentium-4
3 MHz clock speed on a Xilinx Virtex2Pro FPGA
Gbps using a Xilinx Virtex2Pro FPGA
32 Rehash Operations Required
33 Demonstration Setup
[Figure labels: IDS Sensor, GigE, User Browsing Monitor's Web Server, UDP Alert Messages, Internet, Traffic Generator, IDS Monitor/Web Server]
34 Demonstration Setup
[Figure: test setup with IDS Monitor/Web Server, Intrusion Detection and Prevention System (IDPS), Traffic Generator]
35 Conclusion
A high-speed low-cost Deep Packet Inspection method for NIDS is proposed.
Over Gbps throughput with single Virtex2Pro FPGA.
Gbps proof-of-concept design is validated on hardware.
4 Gbps is believed to be achievable using today's state-of-the-art FPGAs.
No external memory needed.
36 Q&A
More informationLine-rate packet processing in hardware: the evolution towards 400 Gbit/s
Proceedings of the 9 th International Conference on Applied Informatics Eger, Hungary, January 29 February 1, 2014. Vol. 1. pp. 259 268 doi: 10.14794/ICAI.9.2014.1.259 Line-rate packet processing in hardware:
More informationInsiders View: Network Security Devices. Dennis Cox BreakingPoint Systems
Insiders View: Network Security Devices Dennis Cox CTO @ BreakingPoint Systems Who am I? Chief Technology Officer - BreakingPoint Systems Director of Engineering - TippingPoint Engineering - Cisco Systems
More informationDetecting Malicious Hosts Using Traffic Flows
Detecting Malicious Hosts Using Traffic Flows Miguel Pupo Correia joint work with Luís Sacramento NavTalks, Lisboa, June 2017 Motivation Approach Evaluation Conclusion Outline 2 1 Outline Motivation Approach
More informationConcept: Traffic Flow. Prof. Anja Feldmann, Ph.D. Dr. Steve Uhlig
Concept: Traffic Flow Prof. Anja Feldmann, Ph.D. Dr. Steve Uhlig 1 Passive measurement capabilities: Packet monitors Available data: All protocol information All content Possible analysis: Application
More informationHEAD HardwarE Accelerated Deduplication
HEAD HardwarE Accelerated Deduplication Final Report CS710 Computing Acceleration with FPGA December 9, 2016 Insu Jang Seikwon Kim Seonyoung Lee Executive Summary A-Z development of deduplication SW version
More informationTACC1441 Hardware Accelerator
TACC1441 Hardware Accelerator AccessData and Tableau Joint Web Event September 14, 2007 Agenda Five reasons to deploy hardware acceleration TACC1441 Overview Changing the shape of password recovery Performance
More informationScalable Enterprise Networks with Inexpensive Switches
Scalable Enterprise Networks with Inexpensive Switches Minlan Yu minlanyu@cs.princeton.edu Princeton University Joint work with Alex Fabrikant, Mike Freedman, Jennifer Rexford and Jia Wang 1 Enterprises
More informationDesign and Implementation of DPI Mechanism for NIDS on FPGA
Design and Implementation of DPI Mechanism for NIDS on FPGA Veena M P 1, Divya Prabha 2, Dr. M Z Kurian 3 M.Tech [Digital electronics], Sri Siddhartha Institute of Technology, Tumkur, Karnataka, India
More information