INTERNET CONTENT SEARCH USING FPGAs

Inan Aydin 1, Ali Ziya Alkar 2

1 Karel A.Ş., Ankara, Turkey, inan.aydin@karel.com.tr
2 Hacettepe University, Department of Electrical Eng, Beytepe, Ankara, Turkey, alkar@hacettepe.edu.tr

Abstract. Network Intrusion Prevention Systems (IPS) are used in computer communication to block and deter intrusions by taking the necessary precautions to make networks more secure. By analyzing information such as the IP address, protocol, port number and payload contained in the packets, systems can be defended against network attacks. The point at which an IPS reaches its peak workload is where hundreds of packets have to be evaluated at a high network speed. In this research, the Aho Corasick (AC) algorithm is chosen as the character matching algorithm. In order to keep up with high network speeds, the matching algorithm is designed to work in parallel in hardware. All variables used in the system are flashed to the hardware through an interface software program without the need for a hard coded program. The design is highly reconfigurable and is placed in a low cost Field Programmable Gate Array (FPGA).

Keywords: Computer Network Security, IDS, IPS, FPGA, Firewalls, TCP/IP.

1 Introduction

With the extended usage of the internet, the variety of applications using the internet as a medium and the connectivity have increased almost exponentially. These kinds of systems are under constant threat from malicious programs. The attacks range from simple SMTP worm attacks to Trojan programs embedded into seemingly innocent executable files or even screensavers. Some cause the loss of all the invaluable data on the computer, or the hijacking of the computer for other attacks [22][7]. As ADSL and cable modem usage has increased throughout the years, the extended bandwidth demand is doubling every 100 days [11].

Due to this, intrusion detection, counter attack and defense studies have moved from the end user to the network connection points and from the side packet forwarders to the central packet forwarders. Intrusion Detection Systems (IDS) are quite promising in the protection of the systems on the network and internet. The functionality of an IDS can be likened to a complicated alarm system built for homes and offices. Just as an alarm system detects anomalies such as motion, noise or a break-in, the IDS constantly monitors the contents of the packets, looking for attack signatures, and upon detection takes the necessary measures against the offending actions. Searching every piece of data in its entirety is a huge step towards protecting computer networks, at the cost of reduced network performance. With the IDS the network traffic can be monitored in real time; the attack can be proactively neutralized, logged and then added to the signature database, and the system administrators can be warned about the attack for immediate action if necessary.

Firewalls placed at the network entry/exit points simply check the headers of the packets. However, attacks can be generated using conforming header information that deceives the system. IDSs use mechanisms to check the payloads as well as the header information. This enables IDSs to prevent attacks that can penetrate classical firewall systems. By investigating the header and the data payload and matching attacks against signatures already in the database, IDSs provide better protection from the threats of the network. In order for the IDS to spot anomalies, some criteria need to be defined and introduced to the system. These criteria include the types of packets to be treated, the character set included in the payload and the location of the payload within the packet.
The actions to be taken upon detecting a packet that matches all the defined criteria are defined separately. IDSs can be ported to a variety of operating systems. Client type IDSs can monitor the incoming network traffic for an attack. Initially, IDSs were placed for diagnostic purposes at certain locations along the network. Once they became popular, they were installed in central and side packet managers.

An IPS (Intrusion Prevention System) has all the features of a good IDS, but can also stop malicious traffic from invading the enterprise. An IPS sits inline with traffic flows on a network, actively shutting down attempted attacks as they're sent over the wire. In other words, an IPS is proactive compared to an IDS. In our implementation, we designed an IDS with a proactive defence system built into it.

As network speed and the diversity of attack types have increased over time, the effectiveness of the algorithms also needs to increase. Software methods by their nature may not be effective compared to dedicated hardware when performance is the criterion. Client side IDS performance is measured in terms of the general success rate, whereas packet managers are evaluated with respect to their worst case success rate [6]. This success rate can be increased considerably by using effective algorithms and running them in parallel [17] where possible. Hardware methods are well suited for parallel execution of string matching algorithms [15]. The usage of FPGAs is increasing as well due to their fast reconfigurability and price [2][8-13][16][18].

In the next section, string matching algorithms, and in particular our choice of algorithm, are described. In Section 3 Snort is introduced. In Section 4 our application platform is explained. In the final two sections tests and conclusions are presented.

2 String matching algorithms

At the foundation of a modern IPS there is a string matching algorithm running in its intrusion detection core. The contents of the packets contain the fingerprints of an attack. In this respect, the algorithm should be capable both of sustaining very high network speeds and of checking packets against a number of different parameters. This makes the string matching algorithm the bottleneck within intrusion detection [5]. The importance of string matching algorithms can be shown by analyzing the frequently referenced IDS software solution, the freeware Snort system. Snort accommodates a large database of known anomalies and rules derived from other suspicious network activities. These rules are identified by experts, by analyzing the packets in their entirety including the payloads.

Figure 1. The Snort rule increase through the years.

A rule states, for example, that when a string is matched at a determined field, an action is taken.
These actions may include logging the packet, informing the system administrator, ignoring the whole packet or activating other rules. There are several commercial IPSs on the market using the rules defined by Snort. The increase in the number of Snort rules from 1999 to the publication date is illustrated in Figure 1. The increase in the rule number is quite dramatic and reaches up to rules today.

Figure 2. Byte lengths histogram in the rules [21]

The byte lengths used in matching are shown in Figure 2. The 4 byte point corresponds to the number of rules dependent on the IP number. Byte lengths for most of the rules vary from 5 to 20. However, byte lengths for some rules exceed 50. Therefore the operation time of the string matching algorithm needs to be independent of the byte length for consistent performance. The following can be concluded from both Figure 1 and 2: It is a known fact that 70% of the total time of the Snort system workload consists of string matching algorithms [23]. Linear search techniques, whose operation time keeps increasing, can be quite useless. A search algorithm needs to meet the constant rate demand for stable performance. The Aho Corasick algorithm can meet this demand [1][21]; in addition, it has a parallel notion in its structure which can be applied to hardware.

Aho Corasick works by forming states from each element in a string. During the execution of the algorithm each incoming character is compared against a rule, and upon finding a match a state transfer occurs. When the final state is reached, the keyword matching is completed. A typical example of Aho Corasick algorithm execution is illustrated in Figure 3.

Figure 3. Aho-Corasick State Table

3 Snort Rule Structure

As mentioned in the introduction, Snort consists of a database formed of rules that define intrusion detection attacks. The basic Snort rule structure is shown as follows:

    alert tcp $EXTERNAL_NET any -> /24 80 (msg:"Sample alert";)

The title of the rule has the form alert tcp any any -> any any and contains the following information:

Log alert: The action to be taken when a suspected packet is spotted is specified.
Protocol (ip, tcp, udp, icmp, any): Defines which packet protocol the rule is to be applied to.
Src IP & Port: The source information about the packet is specified. This field may consist of variables such as ($HOME_NET), individual IP addresses, CIDR (Classless Inter-Domain Routing) blocks or a list of these.
Dst IP & Port: The destination information about the packet is specified. Port numbers may consist of individual port numbers (such as 1024) or a list of port numbers (80:85).

More complicated rules can be formed by adding various choices on top of the basic rule structure. These rules can be built by analysis of attack packets previously spotted. The body of the rule (msg:"Sample alert";) is enclosed within parentheses (). The choices are separated from each other by comma. There are a total of 5 types of choices for the rule body: Metadata, Payload detection, Non payload identification, Post Detection, Thresholding and suppression.

Metadata options provide the IDS with information about the rule itself. For example, msg is a warning message legible by everyone. reference indicates a URL address for further information. classtype and priority inform about the attack type and the event that will occur. classtype indicates the default priority that needs to be used for the class types, and priority changes these default priorities. sid and rev identify the rule individually, and every sid needs to be unique. A rule example where the mentioned options are included is as follows:

    alert tcp $EXTERNAL_NET any -> /24 80 (msg:"Sample alert"; classtype:web-application-activity; reference:url, rev:1;)

The payload detection option is used to indicate a search on the data fields of the packet, not on the header section. This option, as mentioned in Section 1, is the feature that distinguishes IDSs from a typical firewall system. The content option is used for string search. If nocase is used during the investigation of the payload, the search becomes case insensitive. The offset option is used to skip the search of a certain byte length. An example rule built with these options is as follows:

    alert tcp $EXTERNAL_NET any -> /24 80 (msg:"Sample alert"; content:"http|3a|// test.cgi?id=pwn3d"; nocase; offset:12; classtype:web-application-activity; reference:url, advisories/ html; sid: ; rev:1;)

This rule searches for a case-insensitive occurrence of the string within all network traffic that carries the header information specified in the rule. While doing this, in order to increase the efficiency, the first 12 bytes are skipped.

4 Application platform

In our hardware application, the strings specified by the user are flashed to the hardware system and are searched within the streaming network traffic. As in the basic operation of an IDS, the header and payload information are traced with different variables; thus a Snort-like implementation has been realized with this prototype. The aim of this hardware implementation is to be able to search the header and payload of the packet traffic at network speed. The search has been implemented using the Aho Corasick algorithm, which provides a network speed search capability in hardware, with the only identifiable worst case scenario that we know of [21]. The application is implemented with a laptop connected to the internet with a cable ADSL modem. The first stage of the packet search is applied to the header parts. The headers are searched with respect to the user defined variables. The second stage consists of a search for user defined variables in the payload.
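The payload options described in Section 3 (content, nocase, offset), evaluated in software against constructed packets; this is an added example, not code from the paper or from Snort. The rule, address block, host name and sid below are constructed placeholders, the function names are hypothetical, and only the protocol, destination port and content options are checked.

```python
import re
from typing import List, Optional, Tuple

# name[:value]; pairs; a quoted value may itself contain ';'
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def parse_rule(rule: str) -> dict:
    """Split a rule into its seven header fields and ordered (option, value) pairs."""
    header, _, body = rule.partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError("expected: action proto src sport -> dst dport")
    action, proto, src, sport, _direction, dst, dport = fields
    body = body.rsplit(")", 1)[0]
    options = [(m.group(1), m.group(2)) for m in OPTION_RE.finditer(body)]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def decode_content(value: str) -> bytes:
    """Turn a content string into bytes; text between |...| is hex, e.g. |3a| is ':'."""
    text = value.strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        text = text[1:-1]
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        if i % 2:                                   # inside a |..| pair
            out += bytes.fromhex(chunk)
        else:                                       # literal text, undo \" \; \\
            out += re.sub(r"\\(.)", r"\1", chunk).encode("latin-1")
    return bytes(out)


def port_matches(spec: str, port: int) -> bool:
    """Accept 'any', a single port, or a range such as 80:85."""
    if spec == "any":
        return True
    low, sep, high = spec.partition(":")
    lo = int(low) if low else 0
    hi = (int(high) if high else 65535) if sep else lo
    return lo <= port <= hi


def content_checks(options: List[Tuple[str, Optional[str]]]) -> List[dict]:
    """Attach nocase/offset modifiers to the content option they follow."""
    checks: List[dict] = []
    for name, value in options:
        if name == "content":
            checks.append({"bytes": decode_content(value or ""),
                           "nocase": False, "offset": 0})
        elif name == "nocase" and checks:
            checks[-1]["nocase"] = True
        elif name == "offset" and checks:
            checks[-1]["offset"] = int(value or 0)
    return checks


def evaluate(rule: dict, proto: str, dst_port: int, payload: bytes) -> Optional[str]:
    """Return the rule's msg if the packet matches, otherwise None."""
    if rule["proto"] not in ("ip", "any", proto):
        return None
    if not port_matches(rule["dport"], dst_port):
        return None
    for check in content_checks(rule["options"]):
        haystack, needle = payload[check["offset"]:], check["bytes"]
        if check["nocase"]:
            haystack, needle = haystack.lower(), needle.lower()
        if needle not in haystack:
            return None
    return (dict(rule["options"]).get("msg") or "").strip('"')


# Constructed rule: documentation address block, reserved host name, made-up sid.
RULE = (
    'alert tcp $EXTERNAL_NET any -> 192.0.2.0/24 80 '
    '(msg:"Sample alert"; content:"http|3a|//example.invalid/test.cgi?id=pwn3d"; '
    'nocase; offset:12; sid:1000001; rev:1;)'
)
# Constructed payloads: the URL starts at byte 16 in the first, at byte 8 in the second.
PKT_HIT = b"GET /redirect?u=HTTP://Example.Invalid/test.cgi?id=PWN3D HTTP/1.1\r\n\r\n"
PKT_EARLY = b"GET /?u=http://example.invalid/test.cgi?id=pwn3d HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    parsed = parse_rule(RULE)
    for pkt in (PKT_HIT, PKT_EARLY):
        print(evaluate(parsed, "tcp", 80, pkt))
```

The second constructed packet carries the same URL starting at byte 8, so offset:12 hides it from the rule: skipped bytes save work but are not inspected.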
In the system, we included 8 parallel search engines that implement string matching. While doing this, our ultimate goal was not to saturate the performance of the network traffic. At the least, we required the network speed to remain satisfactory while increasing the number of characters to be found in the search. The entire architecture of this system is investigated in two sections, namely the hardware and the data entry interface as the software.

4.1 Hardware Architecture

The application platform is placed between the ADSL modem and the computer as shown in Figure 4. This provides a transparent flow of internet traffic suitable for constant monitoring. This structure forms the hardware based IPS. The system does not require any modifications or setup program on the client side. This is an important feature in terms of its applicability.

Figure 4. The hardware architecture of the system

The hardware platform consists of a slightly modified version of a Dragon PCI FPGA (1) platform as shown in Figure 5.

Figure 5. Modified Dragon development platform.

Dragon is an FPGA card capable of connecting to a PC via PCI and/or USB ports. It includes an XC2S100 FPGA from the Spartan-II series. This low cost platform is suitable for many applications without the necessity of large, expensive and complicated systems. The USB interface included on the platform provides a 1 MB/s data rate. This interface serves as a power supply to the card as well as providing the interface to convey the variables entered by the user through a user interface.

(1) KNJN LLC Electronic Development Products

4.2 Data Entry Interface

A program has been prepared to send the variables determined by the user to the hardware implementation. This software is an interface between the hardware implementation and changing user needs, eliminating a complicated hardware load process for the FPGA. The program is written in the MS Windows Visual Studio .NET 2003 development environment. The Dragon card is controlled through the USB connection and the programming is done through the same interface as well. The data entry program sends the variables received through a user interface to the system over USB. With the interface program the user can supply the variables for the Internet layer, the transport layer and the application layer of the TCP/IP model [3][4][14][19][20]. A snapshot is given in Figure 6.

Figure 6. Data Entry User Interface

There are three logical address slots to restrict the traffic from the IP addresses entered. The variables entered in these slots are searched in the header field of the packets. In the transport layer, one of the two basic transport methods for packet transfer, namely the TCP and UDP protocols, can be selected from a drop down button. In addition to the protocol selection in this layer, the port numbers used to convey the packets to the right application can also be selected to block traffic flow from a particular port number. Since the application specific port numbers are located in the source port field, the IDS is able to take action against the source port numbers.
As an example: An HTML data request by any client might have a port number however on the server side the destination port number has to be 80; since the data requested is sent as an HTTP packet. Similarly the server side has to select the destination port of this request as The 80 port number on the server side indicates the packet is an HTTP packet.

At the topmost location, the Application Layer includes slots for the strings to be searched. In the initial application the number of characters allowed in each string is limited to 11, with up to 4 different strings. The variables defined in these slots are used in the generation of states in the Aho Corasick algorithm. The variables entered in these slots are searched in the payload field of the packets.

For demonstration purposes, a warning LED indicator, shown in Figure 5 by a red arrow, is signaled whenever the transport and application layer parameters of an incoming packet match the parameters defined by the user for each layer. If no keyword is chosen, the indicated port/protocol will be blocked. In addition, the network IPs are independent parameters that can be blocked independently of the transport and application layer values. In normal operation this LED indicator is not utilized; instead the traffic is simply blocked to demonstrate the IPS characteristics.

Wild characters are supported in the search mechanism. The user can place the ? in places where the character can be any character. As an example, for the string ca?st, the system will accept any character in the position of the ? and look for the s and t characters following it. As a result, all the strings suited to this scenario, such as any of the words carst, canst and cavst, will cause the alarm to go off. If the string is required to be an isolated word during the search, then a blank space needs to be added before and after the word. As an example, the word sleep will be differentiated from the word sleeper and will not cause a trigger if found within other longer strings that partially include the word sleep. If a port number and protocol are required to be blocked, only a ? in the keyword slot is sufficient to block that particular port number and protocol.

5 Tests performed

Colasoft Packet Builder 1.0 is used to simulate the system. The program generates a certain amount of network packets and simulates the transport and network layer functionality. In addition, the packet contents are loaded with keywords contained in the application layer filter. In this way the response time of the system to the simulated attacks has been measured. Besides this test platform, randomly selected HTML pages are used to test the entire system.

The tests performed on the platform are designed to push the Aho Corasick hardware implementation to its limits. The keyword length is gradually increased to the limit where the states formed would cause a bottleneck in the matching algorithm, so that the network transmission would fail and require re-transmissions. Re-transmissions are bounded to 3 for our case and the operating system we used. The server shuts down the connection after 3 retries. The RTT (Round Trip Time), between our client and the is 64ms as the basis of our tests. The adaptive RTO (Retransmission Timeout) goes up to 96ms. When the device under test is gradually pushed to the limit of 847 characters, the server disconnects the transmission due to late response times.

    96 ms / 847 states = 0.11 ms/state    (1)

As a result, 0.11 ms is spent per character matching. This value is obtained with the parallel processing structure of the FPGA. A second test is performed to test the effectiveness of the parallel execution. The test engines are serialized.
The character length of 478 is found to bottleneck the system.

    96 ms / 478 states = 0.20 ms/state    (2)

With these results we can conclude that the serial engines required twice the amount of time per character match with respect to the parallel matching we initially implemented.

6 Conclusions

In this work, we aimed to design a low cost, fast, portable and easily reconfigurable hardware IPS. The research aimed to support intrusion detection at all layers of TCP/IP. Parallelism has been incorporated to accommodate faster string searching with respect to other approaches that use serial engines, including software approaches. This design can be enhanced to include more rules for the whole spectrum of network threats. More Snort rules can be added to improve the system. In addition, the intrusion attempts can be stored for future monitoring. The application platform is a simple, modified, low cost Dragon FPGA card with a Xilinx Spartan XC2S100 FPGA chip. The hardware platform is supported by a user friendly interface that loads the search parameters into the existing hardware in less than a second. The RAM on the development card is kept minimal for cost reasons. The total RAM or the size of the FPGA can be increased, at a cost, to increase the number of states of the algorithm. The major limitation of RAM can also be eliminated by using bit compression techniques [23].

References

[1] Aldwairi, M, Hardware Efficient Pattern Matching Algorithms and Architectures for Fast Intrusion Detection, 2006
[2] Baker, Z. K., Prasanna, V. K., A Methodology for Synthesis of Efficient Intrusion Detection Systems on FPGAs, Proceedings of the 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, Pages: , 2004
[3] Behrouz, A., F., TCP/IP Protocol Suite, McGraw-Hill.
[4] Braden, R. T., Borman, D. A., Partridge C., 1988, RFC1071: Computing the Internet checksum, 2003
[5] Cisco, Interconnecting Cisco Network Devices, CA: Cisco System, Inc., 1999
[6] Fide, S., Jenks, S., A Survey of String Matching Approaches in Hardware, 2006
[7] Floyd, B., The Changing Face of Network Security Threats, 2006
[8] Graczyk, R., Pozniak, K. T., Romaniuk, R. S., FPGA based, modular, configurable controller with fast synchronous optical network, TESLA Report ,

[9] Hegarty, D., McDonald, S., An FPGA-based Configurable Network Interface System, Networking, International Conference on Systems and International Conference on Mobile Communications and Learning Technologies, ICN/ICONS/MCL
[10] Kachris, C., Design and Implementation of a TCP/IP core for reconfigurable logic,
[11] Lockwood, J. W., An Open Platform for Development of Network Processing Modules in Reprogrammable Hardware,
[12] Lu, W., Designing TCP/IP Functions In FPGAs,
[13] Moscola, J., Lockwood, J., Loui, R. P., Pachos, M., Implementation of a content-scanning module for an Internet firewall, Field-Programmable Custom Computing Machines, FCCM th Annual IEEE Symposium,
[14] Önal, H., TCP/IP Ağlarda Parçalanmış Paketler, Parçalanmış Paketler ve Güvenlik Sistemlerine Etkileri,
[15] Pagiamtzis, K., Sheikholeslami, A., Content-Addressable Memory (CAM) Circuits and Architectures: A Tutorial and Survey, IEEE Journal of Solid-State Circuits, Vol. 41, NO. 3,
[16] Sidhu, R., Prasanna, V. K., Fast Regular Expression Matching using FPGAs, Field-Programmable Custom Computing Machines, FCCM '01. The 9th Annual IEEE Symposium.
[17] Soewito, B., Weng, N. Methodology for Evaluating DNA Pattern Searching Algorithms on Multiprocessor, Proceedings of the 7th IEEE International Conference on Volume, Issue, Oct Page(s)
[18] Sourdis, I., Pnevmatikatos, D., Fast, Large-Scale String Match for a 10Gbps FPGA-Based Network Intrusion,
[19] Stevens, R., Wesley, A., TCP/IP Illustrated, Volume 1,
[20] Tanenbaum, A. S., Computer Networks, Chapter 2, 3, 4, 5, 6, 7, 8,
[21] Tuck, N. Sherwood, T., Calder, B., Varghese, G., Deterministic Memory Efficient String Matching Algorithms for Intrusion Detection, INFOCOM Twenty-third Annual Joint Conference of the IEEE Computer and Communications Societies,
[22] Whitman, M. E., Ph.D. and H., J., Mattord, M.B.A, Management of Information Security, Boston, MA: Thomson Course Technology, 2004, ch 9.
[23] Xyan, Z., Sahni, S., Highly compressed Aho-Corasick automata for efficient intrusion detection, Computers and Communications, ISCC IEEE Symposium on Volume, Issue, 6-9 July 2008 Page(s):
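The keyword search described in Sections 2 and 4.2 (one state per keyword character, one transition per payload character, the ? wildcard and space-isolated words), as an added software example that is not the paper's FPGA design. It tracks the set of active trie states and caches each transition in a table on first use instead of using classic Aho-Corasick failure links, a substitution made here so that ? edges can be followed; the class name and the sample payload are constructed.

```python
from typing import Dict, FrozenSet, List, Tuple

MAX_KEYWORDS = 4   # keyword slots in the data entry interface (Section 4.2)
MAX_LENGTH = 11    # characters allowed per slot
WILDCARD = "?"     # stands for any single character


class KeywordScanner:
    """Multi-keyword payload scanner over a shared keyword trie (hypothetical class)."""

    def __init__(self, keywords: List[str]) -> None:
        if not 1 <= len(keywords) <= MAX_KEYWORDS:
            raise ValueError("between 1 and %d keywords are supported" % MAX_KEYWORDS)
        self.edges: List[Dict[str, int]] = [{}]   # node -> {character: child node}
        self.terminal: Dict[int, List[str]] = {}  # final node -> keywords ending there
        for kw in keywords:
            if not 1 <= len(kw) <= MAX_LENGTH:
                raise ValueError("keyword length must be 1..%d: %r" % (MAX_LENGTH, kw))
            node = 0
            for ch in kw:                         # one state per keyword character
                if ch not in self.edges[node]:
                    self.edges[node][ch] = len(self.edges)
                    self.edges.append({})
                node = self.edges[node][ch]
            self.terminal.setdefault(node, []).append(kw)
        self.start: FrozenSet[int] = frozenset([0])
        # (state, character) -> next state, filled in on first use
        self.table: Dict[Tuple[FrozenSet[int], str], FrozenSet[int]] = {}

    def step(self, state: FrozenSet[int], ch: str) -> FrozenSet[int]:
        """One state transfer: advance every partial match by one character."""
        key = (state, ch)
        nxt = self.table.get(key)
        if nxt is None:
            nodes = {0}                           # a new match may start anywhere
            for node in state:
                out = self.edges[node]
                if ch in out:
                    nodes.add(out[ch])
                if WILDCARD in out:               # '?' edge accepts any character
                    nodes.add(out[WILDCARD])
            nxt = frozenset(nodes)
            self.table[key] = nxt
        return nxt

    def scan(self, payload: str) -> List[Tuple[int, str]]:
        """Return sorted (start index, keyword) pairs for every match."""
        hits: List[Tuple[int, str]] = []
        state = self.start
        for i, ch in enumerate(payload):
            state = self.step(state, ch)
            for node in state:
                for kw in self.terminal.get(node, ()):
                    hits.append((i - len(kw) + 1, kw))
        return sorted(hits)

    def blocks(self, payload: str) -> bool:
        """True when at least one keyword occurs, i.e. the packet would be blocked."""
        return bool(self.scan(payload))


# Constructed payload: "canst" and "carst" fit ca?st, "sleeper" must not fire " sleep ".
SAMPLE = "he canst sleeper, sleep now carst"

if __name__ == "__main__":
    scanner = KeywordScanner(["ca?st", " sleep "])
    print(scanner.scan(SAMPLE))
    print(len(scanner.table), "cached transitions")
```

The space-delimited form also misses the word at the very start or end of a payload and next to punctuation, because the keyword demands a literal blank on both sides.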


More information
