INTERNET CONTENT SEARCH USING FPGAs
Inan Aydin (1), Ali Ziya Alkar (2)
(1) Karel A.Ş., Ankara, Turkey, inan.aydin@karel.com.tr
(2) Hacettepe University, Department of Electrical Engineering, Beytepe, Ankara, Turkey, alkar@hacettepe.edu.tr

Abstract. Network Intrusion Prevention Systems (IPS) block and deter intrusions by taking the precautions needed to make networks more secure. By analysing the IP addresses, protocol, port numbers and payload carried in each packet, a network can be defended against attacks. The workload of an IPS peaks when hundreds of packets must be evaluated at high network speeds. In this work the Aho-Corasick (AC) algorithm is chosen as the string matching algorithm. To keep up with high network speeds, the matching engine is designed to run in parallel in hardware. All variables used by the system are loaded into the hardware through an interface program, with no need for a hard-coded design. The design is highly reconfigurable and is finally implemented on a low-cost Field Programmable Gate Array (FPGA).

Keywords: Computer Network Security, IDS, IPS, FPGA, Firewalls, TCP/IP.

1 Introduction

With the growth of the internet, the variety of applications using it as a medium and the amount of connectivity have increased almost exponentially. Such systems are under constant threat from malicious programs. The attacks range from simple SMTP worms to Trojan programs embedded in supposedly innocent executables or even screensavers. Some cause the loss of all the invaluable data on a computer, or hijack the computer for further attacks [22][7]. As ADSL and cable modem usage has grown over the years, bandwidth demand has been doubling every 100 days [11].
For this reason, intrusion detection and defence efforts have moved from the end user to the network connection points, and from edge packet forwarders to central packet forwarders. Intrusion Detection Systems (IDS) are quite promising for protecting systems on a network and on the internet. An IDS can be compared to an elaborate alarm system for a home or office: just as the alarm watches for motion, noise or a break-in, the IDS constantly monitors the contents of packets, looking for attack signatures, and on detection takes the necessary measures against the offending traffic. Searching every byte of data in its entirety is a huge step towards protecting computer networks, at the cost of reduced network performance. With an IDS the network traffic can be monitored in real time: an attack can be neutralised proactively, logged and then added to the signature database, and system administrators can be warned so that they can act immediately if necessary.

Firewalls placed at the network entry/exit points check only the packet headers. Attacks can, however, be crafted with conforming header information that deceives such a system. IDSs check the payload as well as the header information, which lets them prevent attacks that pass through a classical firewall. By examining both the header and the data payload, and matching against signatures already in the database, IDSs provide better protection from network threats. For an IDS to spot anomalies, some criteria must be defined and introduced to the system: the types of packets to be handled, the character set expected in the payload, and the location of the payload within the packet.
The actions taken are defined separately, and apply when a packet matches all the defined criteria. IDSs can be ported to a variety of operating systems. Client-type IDSs monitor the incoming network traffic of a host for attacks. IDSs were initially placed at certain locations along the network for diagnosis; once they became popular they were installed in central and edge packet managers. An IPS (Intrusion Prevention System) has all the features of a good IDS but can also stop malicious traffic from entering the enterprise: it sits inline with the traffic flows on a network and actively shuts down attempted attacks as they are sent over the wire. In other words, an IPS is proactive where an IDS is not. In our implementation we designed an IDS with a proactive defence mechanism built into it.

As network speeds and the diversity of attacks have grown over time, the algorithms have had to become correspondingly more effective. Software methods, by their nature, may not compete with dedicated hardware when performance is the criterion. Client-side IDS performance is measured in terms of the general success rate, whereas packet managers are evaluated with respect to their worst-case success rate [6]. This success rate can be improved considerably by using effective algorithms and running them in parallel [17] where possible. Hardware methods are well suited to parallel execution of string matching algorithms [15], and FPGAs are increasingly used because of their fast reconfigurability and price [2][8-13][16][18].

In the next section string matching algorithms, and in particular our choice of algorithm, are described. Section 3 introduces Snort. Section 4 explains our application platform, and the final two sections present the tests and conclusions.

2 String matching algorithms

At the heart of a modern IPS there is a string matching algorithm running in its intrusion detection core, since the contents of the packets carry the fingerprints of an attack. The algorithm must therefore both keep up with very high network speeds and check packets against a number of different parameters, which makes string matching the bottleneck of intrusion detection [5]. The importance of string matching can be seen by analysing the frequently cited free IDS software, Snort. Snort accommodates a large database of known anomalies and of rules derived from other suspicious network activities. These rules are written by experts who analyse the packets in their entirety, including the payloads.

Figure 1. The growth of the Snort rule set over the years.

A rule states that when a string matches at a given field, an action is taken.
These actions may include logging the packet, informing the system administrator, ignoring the whole packet or activating other rules. Several commercial IPSs on the market use the rules defined by Snort. The growth of the Snort rule set from 1999 to the publication date is illustrated in Figure 1; the increase in the number of rules has been dramatic.

Figure 2. Histogram of the byte lengths used in the rules [21]
The byte lengths used in matching are shown in Figure 2. The peak at 4 bytes corresponds to the rules that depend on an IP address. The byte lengths of most rules vary from 5 to 20, but some exceed 50. The running time of the string matching algorithm therefore needs to be independent of the byte length for consistent performance. The following can be concluded from Figures 1 and 2. It is known that 70% of the total Snort workload is spent in string matching [23]. Linear search techniques, whose running time grows with the size of the pattern set, are of little use; a search algorithm needs to deliver a constant rate for stable performance. The Aho-Corasick algorithm meets this demand [1][21], and in addition its structure has a parallel character that maps well onto hardware.

Aho-Corasick works by building states from each character of every keyword: the keywords are merged into a trie, and failure transitions are added so that a partial match that breaks off continues from the longest matching suffix without re-reading input. During execution each incoming character selects a transition from the current state, and reaching a final state signals that a keyword has been matched. A typical example of Aho-Corasick execution is illustrated in Figure 3.

Figure 3. Aho-Corasick state table

3 Snort Rule Structure

As mentioned in the introduction, Snort consists of a database of rules that define intrusion detection attacks. The basic Snort rule structure is as follows:

alert tcp $EXTERNAL_NET any -> /24 80 (msg:"Sample alert";)

The rule header, of the form alert tcp any any -> any any, contains the following information:

Action (alert, log): the action to be taken when a suspect packet is spotted.
Protocol (ip, tcp, udp, icmp, any): the packet protocol the rule applies to.
Src IP & Port: the source information of the packet.
This field may consist of variables such as $HOME_NET, individual IP addresses, CIDR (Classless Inter-Domain Routing) blocks, or a list of these.
Dst IP & Port: the destination information of the packet. Ports may be individual port numbers (such as 1024) or ranges (80:85).

More complicated rules are built by adding options on top of the basic rule structure; such rules are derived by analysing attack packets spotted previously. The body of the rule, (msg:"Sample alert";), is enclosed in parentheses, and the options are separated from each other by semicolons. There are five categories of rule options: metadata, payload detection, non-payload detection, post-detection, and thresholding and suppression.

Metadata options give the IDS information about the rule itself. For example, msg is a human-readable warning message; reference points to a URL with further information; classtype and priority describe the attack type and its severity, where classtype implies a default priority for that class and priority overrides the default; sid and rev identify the rule and its revision, and every sid must be unique. A rule example including these options is:

alert tcp $EXTERNAL_NET any -> /24 80 (msg:"Sample alert"; classtype:web-application-activity; reference:url, rev:1;)
Payload detection options specify a search over the data field of the packet rather than the header. As mentioned in Section 1, this is the feature that distinguishes an IDS from a typical firewall. The content option specifies the string to search for; nocase makes the search case insensitive; offset skips a given number of bytes at the start of the payload before searching. An example rule built with these options is:

alert tcp $EXTERNAL_NET any -> /24 80 (msg:"Sample alert"; content:"http|3a|//test.cgi?id=pwn3d"; nocase; offset:12; classtype:web-application-activity; reference:url, advisories/ html; sid: ; rev:1;)

This rule searches, case insensitively, for the string in all traffic whose headers match the rule; to increase efficiency, the first 12 bytes of the payload are skipped.

4 Application platform

In our hardware application the strings specified by the user are loaded into the hardware and searched for in the streaming network traffic. Header and payload information are checked against separate variables, which is the basic functionality of an IDS, so a Snort-like implementation has been realised with this prototype. The aim of the hardware implementation is to search the header and payload of the packet traffic at network speed. The search is implemented with the Aho-Corasick algorithm, which gives a network-speed search capability in hardware and is the only algorithm we know of with an identifiable worst case [21]. The application is run on a laptop connected to the internet through an ADSL modem. The first stage of the packet search is applied to the header fields, which are compared against the user-defined variables; the second stage searches the payload for the user-defined strings.
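The matching described in Section 2 and the content/nocase/offset options above, as an added example that is not code from the paper or from Snort: a Python Aho-Corasick automaton (goto, failure and output tables, the structure the paper's hardware holds as a state table) driving a handful of Snort-like payload rules over a constructed HTTP request. The rules, their sids and the payload are made up for illustration; Python is used because the paper gives no source for its hardware design or its data-entry program.

```python
"""Aho-Corasick multi-pattern search with Snort-style payload options.

Added example, not code from the paper or from Snort. It builds the
goto/failure/output automaton that the paper's hardware holds as a state
table (Figure 3), then evaluates a small set of Snort-like payload-detection
options (content, nocase, offset) against a constructed HTTP request. The
rule set and the packet payload are made up for illustration.
"""
from collections import deque


class AhoCorasick:
    """Automaton over byte values. One state per trie node; failure links let
    the input be scanned once, left to right, with no backtracking.
    Patterns are bytes objects."""

    def __init__(self, patterns):
        self.goto = [{}]   # state -> {byte: next state}
        self.fail = [0]    # state -> state to fall back to on a miss
        self.out = [[]]    # state -> patterns that end in this state
        for p in patterns:
            self._add(p)
        self._build_failure_links()

    def _add(self, pattern):
        state = 0
        for b in pattern:
            if b not in self.goto[state]:
                self.goto[state][b] = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
            state = self.goto[state][b]
        self.out[state].append(pattern)

    def _build_failure_links(self):
        # Breadth-first over the trie: depth-1 states fail to the root, every
        # deeper state fails to the longest proper suffix that is also a prefix.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] += self.out[self.fail[s]]   # inherit suffix matches
                queue.append(s)

    def search(self, data):
        """Return (start offset, pattern) for every occurrence, in one pass."""
        state, hits = 0, []
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for p in self.out[state]:
                hits.append((i - len(p) + 1, p))
        return hits


def scan(payload, rules):
    """Apply Snort-like content rules to one payload. Each rule is a dict
    with sid, content (bytes) and optional nocase/offset. Case-sensitive and
    nocase contents go into separate automata; the nocase one runs over a
    lower-cased copy of the payload. offset:N means the content must start
    at or after byte N, which is exactly what searching payload[N:] finds."""
    exact, folded = {}, {}
    for r in rules:
        if r.get("nocase"):
            folded.setdefault(r["content"].lower(), []).append(r)
        else:
            exact.setdefault(r["content"], []).append(r)
    alerts = []
    for table, data in ((exact, payload), (folded, payload.lower())):
        if not table:
            continue
        for start, pat in AhoCorasick(table).search(data):
            for r in table[pat]:
                if start >= r.get("offset", 0):
                    alerts.append((r["sid"], start))
    return sorted(alerts)


# Constructed sample traffic and rules (not from the paper).
PAYLOAD = (b"GET /cgi-bin/test.cgi?id=pwn3d HTTP/1.1\r\n"
           b"Host: Example.com\r\n\r\n")

RULES = [
    # like the paper's example: case-insensitive, skip the first 12 bytes
    {"sid": 1, "content": b"test.cgi?id=pwn3d", "nocase": True, "offset": 12},
    {"sid": 2, "content": b"HOST:"},                   # case-sensitive: no hit
    {"sid": 3, "content": b"host:", "nocase": True},   # hits "Host:"
    {"sid": 4, "content": b"GET ", "offset": 4},       # starts at 0 < 4: no hit
]


def demo():
    """(sid, start offset) alerts raised by RULES on PAYLOAD."""
    return scan(PAYLOAD, RULES)


if __name__ == "__main__":
    ac = AhoCorasick([b"he", b"she", b"his", b"hers"])
    for s, edges in enumerate(ac.goto):          # state table, as in Figure 3
        print(s, {chr(b): t for b, t in edges.items()}, ac.fail[s], ac.out[s])
    print(demo())
```

Running the block prints the state table (state, transitions, failure state, outputs) for the classic he/she/his/hers keyword set in the form of Figure 3, then the alerts for the sample payload. offset is applied as a constraint on where a match may start rather than by slicing the payload per rule, so that all rules share one pass over the data, which is the point of a multi-pattern automaton.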
The system includes 8 parallel search engines that implement string matching. Our goal was not to degrade network throughput: the network speed had to remain satisfactory while the number of characters to be searched for was increased. The architecture of the system is described in two parts, the hardware and the data-entry interface software.

4.1 Hardware Architecture

The application platform is placed between the ADSL modem and the computer, as shown in Figure 4. This gives a transparent flow of internet traffic that can be monitored constantly, and forms the hardware-based IPS. The system requires no modification or setup program on the client side, which is an important feature for its applicability.

Figure 4. The hardware architecture of the system

The hardware platform is a slightly modified version of the Dragon PCI FPGA platform from KNJN LLC (Electronic Development Products), shown in Figure 5.

Figure 5. Modified Dragon development platform.

Dragon is an FPGA card that connects to a PC via PCI and/or USB. It carries an XC2S100 FPGA from the Spartan-II series. This low-cost platform is suitable for many applications without the need for large, expensive and complicated systems. The USB interface on the platform provides a 1 MB/s data rate; it powers the card and also carries the variables entered by the user through the user interface.

4.2 Data Entry Interface

A program has been written to send the variables set by the user to the hardware. This software is the interface between the hardware and changing user needs, and eliminates a complicated hardware load process for the FPGA. It is written in the Microsoft Visual Studio .NET 2003 development environment. The Dragon card is controlled through the USB connection, and programming is done through the same interface. The data-entry program sends the variables received from the user interface to the system over USB. With the interface program the user can supply variables for the internet layer, the transport layer and the application layer of the TCP/IP model [3][4][14][19][20]. A snapshot is given in Figure 6.

Figure 6. Data Entry User Interface

There are three address slots for restricting traffic from the IP addresses entered; the values in these slots are searched for in the header fields of the packets. In the transport layer, one of the two basic transport protocols, TCP or UDP, is selected from a drop-down list. In addition to the protocol, the port number used to deliver packets to the right application can be selected so that traffic on that port is blocked. Since, in the reply direction, the application-specific port number is located in the source port field, the IDS can also act on source port numbers.
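The two-stage decision that this interface configures, as an added example that is not the authors' firmware or their data-entry program: it models the three address slots, the protocol/port selection and the keyword slots described above, together with the ? wildcard, the space-padded isolated-word convention and the bare-? port block explained later in this section. The Packet and FilterConfig classes, the sample addresses and the sample payloads are constructed here; the choice to block payload-less packets explicitly when the keyword slot is a bare ? is ours.

```python
"""Two-stage header/payload filter modelled on the paper's data-entry
interface.

Added example, not the authors' firmware or their data-entry program. The
slot limits (three address slots, up to four keywords of at most 11
characters), the '?' single-character wildcard, the space-padding convention
for isolated words and the rule that a bare '?' (or no keyword at all) blocks
the selected port/protocol are taken from the paper; the packet fields, the
Packet/FilterConfig classes and the sample traffic are constructed here.
"""
from dataclasses import dataclass

MAX_ADDR_SLOTS = 3
MAX_KEYWORDS = 4
MAX_KEYWORD_LEN = 11
WILDCARD = ord("?")


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "TCP" or "UDP"
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class FilterConfig:
    blocked_ips: list   # internet layer slots, independent of the other layers
    proto: str          # transport layer selection
    port: int
    keywords: list      # application layer strings, may contain '?'

    def __post_init__(self):
        if len(self.blocked_ips) > MAX_ADDR_SLOTS:
            raise ValueError("at most %d address slots" % MAX_ADDR_SLOTS)
        if len(self.keywords) > MAX_KEYWORDS:
            raise ValueError("at most %d keywords" % MAX_KEYWORDS)
        for k in self.keywords:
            if not k or len(k) > MAX_KEYWORD_LEN:
                raise ValueError("keyword length must be 1..%d" % MAX_KEYWORD_LEN)


def keyword_found(payload, keyword):
    """Sliding-window comparison of one keyword (bytes) against the payload;
    a '?' in the keyword matches any single byte. A keyword padded with
    spaces, such as b" sleep ", therefore fires only on the isolated word."""
    n, m = len(payload), len(keyword)
    for i in range(n - m + 1):
        if all(k == WILDCARD or k == payload[i + j] for j, k in enumerate(keyword)):
            return True
    return False


def decide(cfg, pkt):
    """Return (action, reason). Stage 1 examines the headers; stage 2 runs
    the keyword search only for packets the transport layer selects."""
    if pkt.src_ip in cfg.blocked_ips or pkt.dst_ip in cfg.blocked_ips:
        return "BLOCK", "internet layer: blocked address"
    # The application port is the destination port of a request and the
    # source port of the reply, so either direction is selected.
    if pkt.proto != cfg.proto or cfg.port not in (pkt.src_port, pkt.dst_port):
        return "PASS", "transport layer: not selected"
    if not cfg.keywords or cfg.keywords == ["?"]:
        # Handled explicitly (our choice) so that payload-less packets such as
        # the handshake are blocked too, not only packets carrying data.
        return "BLOCK", "transport layer: %s/%d blocked" % (cfg.proto, cfg.port)
    for kw in cfg.keywords:
        if keyword_found(pkt.payload, kw.encode()):
            return "BLOCK", "application layer: keyword %r" % kw
    return "PASS", "application layer: no keyword matched"


# Constructed configuration and traffic (not from the paper's tests).
CFG = FilterConfig(blocked_ips=["203.0.113.7"], proto="TCP", port=80,
                   keywords=["ca?st", " sleep "])


def demo():
    """Action taken for each sample packet under CFG."""
    samples = [
        Packet("203.0.113.7", "192.0.2.10", "TCP", 40001, 80, b"GET / HTTP/1.1"),
        Packet("198.51.100.4", "192.0.2.10", "TCP", 40002, 80, b"GET /?q=canst HTTP/1.1"),
        Packet("198.51.100.4", "192.0.2.10", "TCP", 40003, 80, b"the sleeper wakes"),
        Packet("198.51.100.4", "192.0.2.10", "TCP", 40004, 80, b"go to sleep now"),
        Packet("198.51.100.4", "192.0.2.10", "UDP", 40005, 53, b"go to sleep now"),
    ]
    return [decide(CFG, p)[0] for p in samples]


if __name__ == "__main__":
    print(demo())
```

The keyword search here is a plain sliding-window comparison, one per keyword, which is what a small bank of independent engines does in hardware; with the 11-character, four-keyword limits of the prototype that costs little, and it shows why the space-padding trick works (the padded pattern simply fails on the byte after the word).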
For example, an HTTP request from a client may carry any source port number, but its destination port on the server side must be 80, since the requested data is sent as HTTP; in the reply, the server uses port 80 as the source port and the client's port as the destination. Port 80 on the server side thus indicates that the packet is an HTTP packet.

At the top, the application layer has slots for the strings to be searched for. In the initial application the number of characters in each string is limited to 11, with up to 4 different strings. The strings in these slots are used to generate the states of the Aho-Corasick algorithm and are searched for in the payload field of the packets. For demonstration purposes, a warning LED, marked by a red arrow in Figure 5, is lit whenever the transport and application layer parameters of an incoming packet match those defined by the user for each layer. If no keyword is chosen, the indicated port/protocol is blocked. The network-layer IP addresses are independent parameters that are blocked regardless of the transport and application layer values. In normal operation the LED is not used; instead the traffic is simply blocked, to demonstrate the IPS characteristic.

Wildcard characters are supported by the search mechanism: the user places a ? where any single character is acceptable. For example, for the string ca?st the system accepts any character between ca and st, so any of the words carst, canst and cavst will cause the alarm to go off. If the string must match only as an isolated word, a space is added before and after it: the word sleep (with surrounding spaces) is then distinguished from sleeper, and does not trigger when it appears inside longer strings that contain sleep only as a part. If a port number and protocol are to be blocked outright, a single ? in the keyword slot is sufficient.

5 Tests performed

Colasoft Packet Builder 1.0 was used to simulate the system. The program generates a chosen number of network packets and simulates the transport and network layer functionality; the packet contents are loaded with the keywords configured in the application-layer filter. The response time of the system to the simulated attacks was then measured. In addition to this test platform, randomly selected HTML pages were used to test the entire system.

The tests are designed to push the Aho-Corasick hardware implementation to its limits. The keyword length is increased gradually until the states formed create a bottleneck in the matching algorithm, at which point network transmission fails and requires retransmissions. For our case and operating system the number of retransmissions is bounded at 3; the server shuts down the connection after 3 retries. The RTT (Round Trip Time) between our client and the server, 64 ms, is the basis of our tests; the adaptive RTO (Retransmission Timeout) goes up to 96 ms. When the device under test is gradually pushed to the limit of 847 characters, the server disconnects because of the late responses.

96 ms / 847 states = 0.11 ms per state   (1)

Thus 0.11 ms is spent per character match; this value is obtained with the parallel processing structure of the FPGA. Note that this attributes the whole 96 ms timeout to the matching delay, so it is an upper bound on the per-state cost. A second test was performed to assess the effectiveness of the parallel execution, with the search engines serialised.
A character length of 478 was found to bottleneck the serialised system.

96 ms / 478 states = 0.20 ms per state   (2)

From these results we conclude that the serial engines require twice as much time per character match as the parallel engines of our initial implementation.

6 Conclusions

In this work we aimed to design a low-cost, fast, portable and easily reconfigurable hardware IPS. The research aimed at supporting intrusion detection at all levels of the TCP/IP stack. Parallelism has been incorporated to give faster string searching than approaches that use serial engines, including software approaches. The design can be enhanced with more rules covering the full spectrum of network threats: more Snort rules can be added to improve the system, and intrusion attempts can be stored for future monitoring. The application platform is a slightly modified low-cost FPGA Dragon card with a Xilinx Spartan XC2S100 FPGA. The hardware is supported by a user-friendly interface through which search parameters are loaded into the existing hardware in less than a second. The RAM on the development card was kept minimal for cost reasons; the total RAM or the size of the FPGA can be increased, at a cost, to allow more states in the algorithm. The RAM limitation can also be eased by using bit compression techniques [23].

References

[1] Aldwairi, M., Hardware Efficient Pattern Matching Algorithms and Architectures for Fast Intrusion Detection, 2006.
[2] Baker, Z. K., Prasanna, V. K., A Methodology for Synthesis of Efficient Intrusion Detection Systems on FPGAs, Proceedings of the 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM), 2004.
[3] Forouzan, B. A., TCP/IP Protocol Suite, McGraw-Hill.
[4] Braden, R. T., Borman, D. A., Partridge, C., RFC 1071: Computing the Internet Checksum, 1988.
[5] Cisco, Interconnecting Cisco Network Devices, CA: Cisco Systems, Inc., 1999.
[6] Fide, S., Jenks, S., A Survey of String Matching Approaches in Hardware, 2006.
[7] Floyd, B., The Changing Face of Network Security Threats, 2006.
[8] Graczyk, R., Pozniak, K. T., Romaniuk, R. S., FPGA based, modular, configurable controller with fast synchronous optical network, TESLA Report.
[9] Hegarty, D., McDonald, S., An FPGA-based Configurable Network Interface System, International Conference on Networking, International Conference on Systems and International Conference on Mobile Communications and Learning Technologies (ICN/ICONS/MCL).
[10] Kachris, C., Design and Implementation of a TCP/IP core for reconfigurable logic.
[11] Lockwood, J. W., An Open Platform for Development of Network Processing Modules in Reprogrammable Hardware.
[12] Lu, W., Designing TCP/IP Functions In FPGAs.
[13] Moscola, J., Lockwood, J., Loui, R. P., Pachos, M., Implementation of a content-scanning module for an Internet firewall, IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM).
[14] Önal, H., TCP/IP Ağlarda Parçalanmış Paketler, Parçalanmış Paketler ve Güvenlik Sistemlerine Etkileri (Fragmented Packets in TCP/IP Networks: Fragmented Packets and Their Effects on Security Systems).
[15] Pagiamtzis, K., Sheikholeslami, A., Content-Addressable Memory (CAM) Circuits and Architectures: A Tutorial and Survey, IEEE Journal of Solid-State Circuits, Vol. 41, No. 3.
[16] Sidhu, R., Prasanna, V. K., Fast Regular Expression Matching using FPGAs, 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM '01).
[17] Soewito, B., Weng, N., Methodology for Evaluating DNA Pattern Searching Algorithms on Multiprocessor, Proceedings of the 7th IEEE International Conference.
[18] Sourdis, I., Pnevmatikatos, D., Fast, Large-Scale String Match for a 10Gbps FPGA-Based Network Intrusion Detection System.
[19] Stevens, W. R., TCP/IP Illustrated, Volume 1, Addison-Wesley.
[20] Tanenbaum, A. S., Computer Networks, Chapters 2-8.
[21] Tuck, N., Sherwood, T., Calder, B., Varghese, G., Deterministic Memory Efficient String Matching Algorithms for Intrusion Detection, INFOCOM, Twenty-third Annual Joint Conference of the IEEE Computer and Communications Societies.
[22] Whitman, M. E., Mattord, H. J., Management of Information Security, Boston, MA: Thomson Course Technology, 2004, ch. 9.
[23] Xyan, Z., Sahni, S., Highly compressed Aho-Corasick automata for efficient intrusion detection, IEEE Symposium on Computers and Communications (ISCC), 6-9 July 2008.
More information2. INTRUDER DETECTION SYSTEMS
1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding
More informationThe following topics describe how to configure correlation policies and rules.
The following topics describe how to configure correlation policies and rules. Introduction to and Rules, page 1 Configuring, page 2 Configuring Correlation Rules, page 5 Configuring Correlation Response
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 12 Announcements Project 2 is on the web. Due: March 15th Send groups to Jeff Vaughan (vaughan2@seas) by Thurs. Feb. 22nd. Plan for
More informationEfficient Packet Classification for Network Intrusion Detection using FPGA
Efficient Packet Classification for Network Intrusion Detection using FPGA ABSTRACT Haoyu Song Department of CSE Washington University St. Louis, USA hs@arl.wustl.edu FPGA technology has become widely
More information20-CS Cyber Defense Overview Fall, Network Basics
20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter
More informationNew Approach towards Covert Communication using TCP-SQN Reference Model
ISSN 2278 0211 (Online) New Approach towards Covert Communication using TCP-SQN Reference Model Dhananjay M. Dakhane Department of Computer science & Engineering Sipna College of Engineering & Technology,
More informationThe Intrusion Rules Editor
The following topics describe how to use the intrusion rules editor: An Introduction to Intrusion Rule Editing, page 1 Rule Anatomy, page 2 Custom Rule Creation, page 15 Searching for Rules, page 20 Rule
More informationANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS
ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS Saulius Grusnys, Ingrida Lagzdinyte Kaunas University of Technology, Department of Computer Networks, Studentu 50,
More informationWired internetworking devices. Unit objectives Differentiate between basic internetworking devices Identify specialized internetworking devices
Wired internetworking devices Unit objectives Differentiate between basic internetworking devices Identify specialized internetworking devices Topic A Topic A: Basic internetworking devices Topic B: Specialized
More informationNetwork Security. Chapter 0. Attacks and Attack Detection
Network Security Chapter 0 Attacks and Attack Detection 1 Attacks and Attack Detection Have you ever been attacked (in the IT security sense)? What kind of attacks do you know? 2 What can happen? Part
More informationFPGA Implementation of Token-Based Clam AV Regex Virus Signatures with Early Detection
IOSR Journal of Electronics and Communication Engineering (IOSR-JECE) e-issn: 2278-2834,p- ISSN: 2278-8735 PP 54-61 www.iosrjournals.org FPGA Implementation of Token-Based Clam AV Regex Virus Signatures
More informationTCP Congestion Control in Wired and Wireless networks
TCP Congestion Control in Wired and Wireless networks Mohamadreza Najiminaini (mna28@cs.sfu.ca) Term Project ENSC 835 Spring 2008 Supervised by Dr. Ljiljana Trajkovic School of Engineering and Science
More informationCongestion Control In The Internet Part 2: How it is implemented in TCP. JY Le Boudec 2015
1 Congestion Control In The Internet Part 2: How it is implemented in TCP JY Le Boudec 2015 Contents 1. Congestion control in TCP 2. The fairness of TCP 3. The loss throughput formula 4. Explicit Congestion
More informationProCurve Network Immunity
ProCurve Network Immunity Hans-Jörg Elias Key Account Manager hans-joerg.elias@hp.com 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
More informationHigh Ppeed Circuit Techniques for Network Intrusion Detection Systems (NIDS)
The University of Akron IdeaExchange@UAkron Mechanical Engineering Faculty Research Mechanical Engineering Department 2008 High Ppeed Circuit Techniques for Network Intrusion Detection Systems (NIDS) Ajay
More informationChapter 9. Firewalls
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however
More informationSCP SC Network Defense and Countermeasures (NDC) Exam.
SCP SC0-402 Network Defense and Countermeasures (NDC) Exam TYPE: DEMO http://www.examskey.com/sc0-402.html Examskey SCP SC0-402 exam demo product is here for you to test the quality of the product. This
More informationCSCD 433/533 Advanced Networks
CSCD 433/533 Advanced Networks Lecture 2 Network Review Winter 2017 Reading: Chapter 1 1 Topics Network Topics Some Review from CSCD330 Applications Common Services Architecture OSI Model AS and Routing
More informationConcept Questions Demonstrate your knowledge of these concepts by answering the following questions in the space that is provided.
223 Chapter 19 Inter mediate TCP The Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols was developed as part of the research that the Defense Advanced Research Projects Agency
More informationNetwork Security Terms. Based on slides from gursimrandhillon.files.wordpress.com
Network Security Terms Based on slides from gursimrandhillon.files.wordpress.com Network Security Terms Perimeter is the fortified boundary of the network that might include the following aspects: 1. Border
More informationFundamental Issues. System Models and Networking Chapter 2,3. System Models. Architectural Model. Middleware. Bina Ramamurthy
System Models and Networking Chapter 2,3 Bina Ramamurthy Fundamental Issues There is no global time. All communications are by means of messages. Message communication may be affected by network delays
More informationNetworking interview questions
Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected
More informationRule Hashing for Efficient Packet Classification in Network Intrusion Detection
Rule Hashing for Efficient Packet Classification in Network Intrusion Detection Atsushi Yoshioka, Shariful Hasan Shaikot, and Min Sik Kim School of Electrical Engineering and Computer Science Washington
More informationUNIT 2 TRANSPORT LAYER
Network, Transport and Application UNIT 2 TRANSPORT LAYER Structure Page No. 2.0 Introduction 34 2.1 Objective 34 2.2 Addressing 35 2.3 Reliable delivery 35 2.4 Flow control 38 2.5 Connection Management
More informationChapter 4: network layer. Network service model. Two key network-layer functions. Network layer. Input port functions. Router architecture overview
Chapter 4: chapter goals: understand principles behind services service models forwarding versus routing how a router works generalized forwarding instantiation, implementation in the Internet 4- Network
More informationCongestion Control In The Internet Part 2: How it is implemented in TCP. JY Le Boudec 2014
1 Congestion Control In The Internet Part 2: How it is implemented in TCP JY Le Boudec 2014 Contents 1. Congestion control in TCP 2. The fairness of TCP 3. The loss throughput formula 4. Explicit Congestion
More informationMeans for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content
Intrusion Detection INFO404 - Lecture 13 21.04.2009 nfoukia@infoscience.otago.ac.nz Content Definition Network vs. Host IDS Misuse vs. Behavior Based IDS Means for Intrusion Detection Definitions (1) Intrusion:
More informationCSC 401 Data and Computer Communications Networks
CSC 401 Data and Computer Communications Networks Network Layer Overview, Router Design, IP Sec 4.1. 4.2 and 4.3 Prof. Lina Battestilli Fall 2017 Chapter 4: Network Layer, Data Plane chapter goals: understand
More informationACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems
ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been
More informationAdvanced Network Design
Advanced Network Design Organization Whoami, Book, Wikipedia www.cs.uchicago.edu/~nugent/cspp54015 Grading Homework/project: 60% Midterm: 15% Final: 20% Class participation: 5% Interdisciplinary Course
More informationReduction in Power Consumption of Packet Counter on VIRTEX-6 FPGA by Frequency Scaling. Pandey, Nisha; Pandey, Bishwajeet; Hussain, Dil muhammed Akbar
Aalborg Universitet Reduction in Power Consumption of Packet Counter on VIRTEX-6 FPGA by Frequency Scaling Pandey, Nisha; Pandey, Bishwajeet; Hussain, Dil muhammed Akbar Published in: Proceedings of IEEE
More informationDistributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by
More informationNeed For Protocol Architecture
Chapter 2 CS420/520 Axel Krings Page 1 Need For Protocol Architecture E.g. File transfer Source must activate communications path or inform network of destination Source must check destination is prepared
More informationECE 158A: Lecture 7. Fall 2015
ECE 158A: Lecture 7 Fall 2015 Outline We have discussed IP shortest path routing Now we have a closer look at the IP addressing mechanism We are still at the networking layer, we will examine: IP Headers
More informationCongestion Control In The Internet Part 2: How it is implemented in TCP. JY Le Boudec 2014
1 Congestion Control In The Internet Part 2: How it is implemented in TCP JY Le Boudec 2014 Contents 1. Congestion control in TCP 2. The fairness of TCP 3. The loss throughput formula 4. Explicit Congestion
More informationNeed For Protocol Architecture
Chapter 2 CS420/520 Axel Krings Page 1 Need For Protocol Architecture E.g. File transfer Source must activate communications path or inform network of destination Source must check destination is prepared
More informationCIT 480: Securing Computer Systems
CIT 480: Securing Computer Systems Intrusion Detection CIT 480: Securing Computer Systems Slide #1 Topics 1. Definitions and Goals 2. Models of Intrusion Detection 3. False Positives 4. Architecture of
More informationTriBiCa: Trie Bitmap Content Analyzer for High-Speed Network Intrusion Detection
Dept. of Electrical and Computer Eng. : Trie Bitmap Content Analyzer for High-Speed Network Intrusion Detection N. Sertac Artan and Jonathan H. Chao 8 May 27 26th Annual IEEE Conference on Computer Communications
More informationComparison of Firewall, Intrusion Prevention and Antivirus Technologies
Comparison of Firewall, Intrusion Prevention and Antivirus Technologies (How each protects the network) Dr. Gaurav Kumar Jain Email: gaurav.rinkujain.jain@gmail.com Mr. Pradeep Sharma Mukul Verma Abstract
More informationA Study on Intrusion Detection Techniques in a TCP/IP Environment
A Study on Intrusion Detection Techniques in a TCP/IP Environment C. A. Voglis and S. A. Paschos Department of Computer Science University of Ioannina GREECE Abstract: The TCP/IP protocol suite is the
More informationFPGA based Network Traffic Analysis using Traffic Dispersion Graphs
FPGA based Network Traffic Analysis using Traffic Dispersion Graphs 2 nd September, 2010 Faisal N. Khan, P. O. Box 808, Livermore, CA 94551 This work performed under the auspices of the U.S. Department
More informationIntrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks
Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks So we are proposing a network intrusion detection system (IDS) which uses a Keywords: DDoS (Distributed Denial
More informationIntroduction p. 1 The Need for Security p. 2 Public Network Threats p. 2 Private Network Threats p. 4 The Role of Routers p. 5 Other Security Devices
Preface p. xv Acknowledgments p. xvii Introduction p. 1 The Need for Security p. 2 Public Network Threats p. 2 Private Network Threats p. 4 The Role of Routers p. 5 Other Security Devices p. 6 Firewall
More informationTwo Level State Machine Architecture for Content Inspection Engines
Two Level State Machine Architecture for Content Inspection Engines Mohammadreza Yazdani Wojciech Fraczak Feliks Welfeld Ioannis Lambadaris Department of Systems and Computer Engineering Carleton University,
More informationTopics. Principles of Intrusion Detection. Intrusion Detection. Characteristics of systems not under attack
Intrusion Detection Topics 1. Principles 2. Models of Intrusion Detection 3. False Positives 4. Architecture of an IDS 5. IDS Deployment 6. Active Response (IPS) 7. Host-based IDS and IPS 8. IDS Evasion
More informationYour Name: Your student ID number:
CSC 573 / ECE 573 Internet Protocols October 11, 2005 MID-TERM EXAM Your Name: Your student ID number: Instructions Allowed o A single 8 ½ x11 (front and back) study sheet, containing any info you wish
More informationDevice Management Basics
The following topics describe how to manage devices in the Firepower System: The Device Management Page, on page 1 Remote Management Configuration, on page 2 Add Devices to the Firepower Management Center,
More informationNetwork Interconnection
Network Interconnection Covers different approaches for ensuring border or perimeter security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Lecture
More informationTo see the details of TCP (Transmission Control Protocol). TCP is the main transport layer protocol used in the Internet.
Lab Exercise TCP Objective To see the details of TCP (Transmission Control Protocol). TCP is the main transport layer protocol used in the Internet. The trace file is here: https://kevincurran.org/com320/labs/wireshark/trace-tcp.pcap
More informationUser Datagram Protocol (UDP):
SFWR 4C03: Computer Networks and Computer Security Feb 2-5 2004 Lecturer: Kartik Krishnan Lectures 13-15 User Datagram Protocol (UDP): UDP is a connectionless transport layer protocol: each output operation
More informationChapter 6. What happens at the Transport Layer? Services provided Transport protocols UDP TCP Flow control Congestion control
Chapter 6 What happens at the Transport Layer? Services provided Transport protocols UDP TCP Flow control Congestion control OSI Model Hybrid Model Software outside the operating system Software inside
More informationUNIT IV -- TRANSPORT LAYER
UNIT IV -- TRANSPORT LAYER TABLE OF CONTENTS 4.1. Transport layer. 02 4.2. Reliable delivery service. 03 4.3. Congestion control. 05 4.4. Connection establishment.. 07 4.5. Flow control 09 4.6. Transmission
More informationLecture 16: Network Layer Overview, Internet Protocol
Lecture 16: Network Layer Overview, Internet Protocol COMP 332, Spring 2018 Victoria Manfredi Acknowledgements: materials adapted from Computer Networking: A Top Down Approach 7 th edition: 1996-2016,
More informationCN-100 Network Analyzer Product Overview
CN-100 Network Analyzer Product Overview CN-100 network analyzers offer an extremely powerful yet cost effective solution for today s complex networking requirements. Test Ethernet or ATM networks with
More informationETSF10 Internet Protocols Transport Layer Protocols
ETSF10 Internet Protocols Transport Layer Protocols 2012, Part 2, Lecture 2.1 Kaan Bür, Jens Andersson Transport Layer Protocols Process-to-process delivery [ed.4 ch.23.1] [ed.5 ch.24.1] Transmission Control
More informationInternet Protocol version 6
Internet Protocol version 6 Claudio Cicconetti International Master on Communication Networks Engineering 2006/2007 IP version 6 The Internet is growing extremely rapidly. The
More informationTrisul Network Analytics - Traffic Analyzer
Trisul Network Analytics - Traffic Analyzer Using this information the Trisul Network Analytics Netfllow for ISP solution provides information to assist the following operation groups: Network Operations
More informationConfiguring IP SLAs ICMP Path Jitter Operations
This document describes how to configure an IP Service Level Agreements (SLAs) Internet Control Message Protocol (ICMP) Path Jitter operation to monitor hop-by-hop jitter (inter-packet delay variance).
More informationUDP Lite for Real Time Multimedia Applications
UDP Lite for Real Time Multimedia Applications Lars-Åke Larzon*, Mikael Degermark*, Stephen Pink* Extended Enterprise Laboratory HP Laboratories Bristol HPL-IRI-1999-001 April, 1999 E-mail: [11n,micke,steve]@cdt.luth.se
More informationConfiguring RTP Header Compression
Configuring RTP Header Compression First Published: January 30, 2006 Last Updated: July 23, 2010 Header compression is a mechanism that compresses the IP header in a packet before the packet is transmitted.
More informationIntel PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server Appliances
Technology Brief Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server Appliances Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server Appliances The world
More informationMonitoring and diagnostics of data infrastructure problems in power engineering. Jaroslav Stusak, Sales Director CEE, Flowmon Networks
Monitoring and diagnostics of data infrastructure problems in power engineering Jaroslav Stusak, Sales Director CEE, Flowmon Networks 35,000 kilometers of electric power, which feeds around 740,000 clients...
More informationSIP System Features. SIP Timer Values. Rules for Configuring the SIP Timers CHAPTER
CHAPTER 4 Revised: March 24, 2011, This chapter describes features that apply to all SIP system operations. It includes the following topics: SIP Timer Values, page 4-1 SIP Session Timers, page 4-7 Limitations
More informationCongestion Control in Communication Networks
Congestion Control in Communication Networks Introduction Congestion occurs when number of packets transmitted approaches network capacity Objective of congestion control: keep number of packets below
More informationNetwork Layer: Router Architecture, IP Addressing
Network Layer: Router Architecture, IP Addressing UG3 Computer Communications & Networks (COMN) Mahesh Marina mahesh@ed.ac.uk Slides thanks to Myungjin Lee and copyright of Kurose and Ross Router Architecture
More information