High Ppeed Circuit Techniques for Network Intrusion Detection Systems (NIDS)

Transcription

1 The University of Akron Mechanical Engineering Faculty Research Mechanical Engineering Department 2008 High Ppeed Circuit Techniques for Network Intrusion Detection Systems (NIDS) Ajay Mohan Mahajan University of Akron, main campus Please take a moment to share how this work helps you through this survey. Your feedback will be important as we plan further development of our repository. Follow this and additional works at: Part of the Electrical and Computer Engineering Commons, and the Mechanical Engineering Commons Recommended Citation Mahajan, Ajay Mohan, "High Ppeed Circuit Techniques for Network Intrusion Detection Systems (NIDS)" (2008). Mechanical Engineering Faculty Research This Dissertation is brought to you for free and open access by Mechanical Engineering Department at IdeaExchange@UAkron, the institutional repository of The University of Akron in Akron, Ohio, USA. It has been accepted for inclusion in Mechanical Engineering Faculty Research by an authorized administrator of IdeaExchange@UAkron. For more information, please contact mjon@uakron.edu, uapress@uakron.edu.

2 HIGH SPEED CIRCUIT TECHNIQUES FOR NETWORK INTRUSION DETECTION SYSTEMS (NIDS) by Atul Mahajan B.E., Electronics and Communication Engineering Visveswaraiah Technological University, India, 2004 A Thesis Submitted in Partial Fulfillment of the Requirements for the Master of Science Degree Department of Electrical and Computer Engineering in the Graduate School Southern Illinois University Carbondale December 2008

3

4 THESIS APPROVAL HIGH SPEED CIRCUIT TECHNIQUES FOR NETWORK INTRUSION DETECTION SYSTEMS (NIDS) By Atul Mahajan A Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Science in the field of Electrical and Computer Engineering Approved by: Dr. Haibo Wang, Chair Dr. Ning Weng Dr. Spyros Tragoudas Graduate School Southern Illinois University Carbondale August 22, 2008

5 AN ABSTRACT OF THE THESIS OF ATUL MAHAJAN, for the Master of Science in ELECTRICAL AND COMPUTER ENGINEERING, presented on August 22 nd, 2008, at Southern Illinois University Carbondale. TITLE: HIGH SPEED CIRCUIT TECHNIQUES FOR NETWORK INTRUSION DETECTION SYSTEMS (NIDS) MAJOR PROFESSOR: Dr. Haibo Wang This thesis presents a string matching hardware implemented on FPGA platforms for network intrusion detection systems. The proposed architecture, consisting of packet classifiers and strings matching verifiers, achieves superb throughput by using several mechanisms. First, based on incoming packet contents, the packet classifier scan dramatically reduce the number of strings to be matched for each packet and, accordingly, feed the packet to a proper verifier to conduct matching. Second, a novel multi-threading finite state machine (FSM) is proposed, which improves FSM clock frequency and allows multiple packets to be examined by a single FSM simultaneously. Design techniques for high-speed interconnect and interface circuits are also presented. Experimental results are presented to explore the trade-offs between system performance, strings partition granularity and hardware resource cost. i

6 ACKNOWLEDGMENTS I would like to express my deepest appreciation to my thesis mentor, Dr. Haibo Wang, who has guided and motivated me to this wonderful research area and given me a chance to work on this project. My sincere thanks also go to my committee members Dr. Ning Weng and Dr. Spyros Tragoudas who helped making this research more informed with their valuable comments and remarks. I appreciate Southern Illinois University Carbondale and the Department of Electrical and Computer Engineering for providing necessary technical support for this work. ii

7 TABLE OF CONTENTS CHAPTER PAGE ABSTRACT...i ACKNOWLEDGMENTS... ii LIST OF TABLES...iv LIST OF FIGURES...v CHAPTERS CHAPTER 1 Introduction...1 CHAPTER 2 Related Work...5 CHAPTER 3 Proposed Network Intrusion Detection System...12 CHAPTER 4 High Throughput Verifier Design...19 CHAPTER 5 Implementation and Experimental Results...32 CHAPTER 6 Conclusions and Future Work...45 REFERENCES...47 VITA...50 iii

8 LIST OF TABLES TABLE PAGE Table 1 Attack methods and solutions...6 Table 2 FSM clock frequency for M-threading FSMs...34 Table 3 Percentage Resource Utilization (Virtex 4 FX100 device) for M-threading FSMs...37 iv

9 LIST OF FIGURES FIGURE PAGE Figure 1 Fields of an IP Packet...5 Figure 2 Virtex-5 FPGA Family...9 Figure 3 Block RAM Logic Diagram - one port shown...10 Figure 4 Proposed Network Intrusion Detection System Architecture...13 Figure 5 Bus Based Technology for Interconnect between Classifiers and FSMs...14 Figure 6 Proposed Classifier Architecture...16 Figure 7 A Conventional FSM...21 Figure 8 A Pipelined FSM...23 Figure 9 A Multi-threading FSM...24 Figure 10 Connecting Multiple FSMs...27 Figure 11 A Simple Interface Circuit...29 Figure 12 A High-speed Interface Circuit...31 Figure 13 Flowchart Depicting Implementation of Proposed Technique on FPGA...33 Figure 14 FSM Clock Frequency versus Number of Threads...35 Figure 15 DFF Utilization in Multi-threading FSMs...38 Figure 16 FPGA Resource Utilization for Different FSM Partitions...39 Figure 17 Interconnect Delay with Different FSM Sizes...40 Figure 18 Snapshot of Floorplan for 10 FSM Modules on Virtex4 FX100 Device...41 Figure 19 Delay of FSM Input Path...42 v

10 Figure 20 Snapshot of Floorplan of FSM of Size Figure 21 Snapshot showing Minimum Time Period for FSM of Size Figure 22 Snapshot showing Simulated Waveforms for FSM...44 vi

11 1 CHAPTER 1 INTRODUCTION Over the past few years, there has been a manifold increase in the Internet applications. This increase has undoubtedly raised the standard of life all over the world. Most of the things can now be done while sitting at home and using the network, more commonly known as Internet. While the Internet brings enormous convenience, it also creates the possibilities for hackers or enemies to steal secretary information or derail the normal operation of organizations. Because of these Internet attacks, the Internet security becomes an important issue in the increasingly connected world. There have been enormous cases in the recent history where the lack of network security has led to major fraudulent activities. The biggest and most famous case is the hacking of wireless networks of nine major retailers in USA. As a result, more than 41 million credit and debit card numbers were stolen. This case which happened in 2007 shocked the internet society all over the world. It clearly depicts that in spite of the highly sophisticated network security systems available nowadays, no one is guaranteed to be 100% safe in the Internet. Even the best available network security system can not provide 100% safety as everyday the intruders are developing newer ways of possible network attacks. This requires the security system to be updated periodically to keep up with all sorts of attacks. In the near future, there will be more and more data transmitted over the networks. Not only financial information but all the official information related to the nation s security

12 2 is also available over the networks. As an instance, any intrusion in the network of Department of Defense of any nation can lead to dreadful consequences for the entire world. Hence, network security is the area which can never be ignored and need to be constantly updated. One of the most promising techniques that provide the lacking security of the internet is Network Intrusion Detection System (NIDS) [8, 13, 18]. Although an NIDS normally contains various sub-systems, its most important component is a string matching engine. In order to detect any suspicious activity, the sting matching engine compares the incoming network packet with predefined patterns which are defined as a set of rules. According to the Snort version 2.4 there are a total of 3305 such rules. Each rule consists of two types of strings to be matched: one is header strings with determined position in packet header (e.g., source/destination network address and source/destination port number); another is payload strings with probabilistic position in packet payload (e.g., network worms and computer virus). A suspicious activity is detected when both header strings and at least one of payload strings are matched on the packet. This simple string matching engine was successful in detecting attacks when the network traffic was very low and also there were few possible attack rules. But in present day situation, where the network traffic is in the high range of ten Gigabit per second and also there are thousands of possible attack rules, this simple engine can become the bottleneck of the overall NIDS. Also, it is necessary to scan every byte of a packet as the starting position of payload string might be probabilistic. The NIDS can be developed either in software or hardware. The existing softwarebased NIDS are very slow and they are capable to operate successfully only if the

13 3 network traffic is very low, in the order of hundred Megabits per second. In order to overcome the drawbacks of the software-based NIDS, various hardware approaches [4, 2, 6, 9, 12] have been proposed. However, all of them are either lacking performance, scalability to traffic rate and attack rules, or they are too complicated to design and operate. To address these concerns, a simple but efficient architecture based on scalable classifiers and novel multi-threading finite state machines (FSMs) has been designed. The classifier arranges the incoming packet to three categories: malicious, suspected or benign. Malicious packets are directly discarded and the benign packets are forwarded to the network. Most of the incoming packets (85%) to the network are benign [3]. Only the suspected packets are sent to the string matching engine. FSMs in the matching engine are used to further verify whether the suspected packet is malicious one. The key to achieving high performance of this architecture is employing multiple small and fast FSMs. Each of these FSMs searches for a portion of rules on a suspected packet and accordingly marks it as benign or malicious. The focus of this thesis is to design and implement the high-speed verifier on Field Programmable Gate Array (FPGA) platforms. The high-speed verifier is based on the concept of using FSMs to search a set of patterns. In order to improve the throughput of the verifier, a novel multi-threading FSM design has been proposed. A new circuit to feed the multi-threading FSM has also been developed. Investigations are conducted to study the granularity of the FSMs and experimental results have demonstrated that this proposed architecture achieves superb throughput.