Internet Worm and Virus Protection for Very High-Speed Networks

Similar documents
Hardware Laboratory Configuration

A Framework for Rule Processing in Reconfigurable Network Systems

Field-programmable Port Extender (FPX) August 2001 Workshop. John Lockwood, Assistant Professor

FPgrep and FPsed: Packet Payload Processors for Managing the Flow of Digital Content on Local Area Networks and the Internet

SEVER INSTITUTE OF TECHNOLOGY MASTER OF SCIENCE DEGREE THESIS ACCEPTANCE. (To be the first page of each copy of the thesis)

TCP-Splitter: A Reconfigurable Hardware Based TCP/IP Flow Monitor

A Modular System for FPGA-Based TCP Flow Processing in High-Speed Networks

Protocol Processing on the FPX

Architectures for Rule Processing Intrusion Detection and Prevention Systems

Users Guide: Fast IP Lookup (FIPL) in the FPX

Extensible Network Configuration and Communication Framework

TCP-Splitter: Design, Implementation and Operation

Motivation for this class

A Framework for Rule Processing in Reconfigurable Network Systems

A Framework for Rule Processing in Reconfigurable Network Systems

HAIL: A HARDWARE-ACCELERATED ALGORITHM FOR LANGUAGE IDENTIFICATION. Charles M. Kastner, G. Adam Covington, Andrew A. Levine, John W.

Liquid Architecture Λ

HIGH SPEED DOCUMENT CLUSTERING IN RECONFIGURABLE HARDWARE. G. Adam Covington, Charles L.G. Comstock, Andrew A. Levine, John W. Lockwood, Young H.

FPX Architecture for a Dynamically Extensible Router

Control and Configuration Software for a Reconfigurable Networking Hardware Platform

Dynamic Hardware Plugins in an FPGA with Partial Run-time Reconfiguration

Automatic compilation framework for Bloom filter based intrusion detection

Protocol Wrappers for Layered Network Packet Processing in Reconfigurable Hardware

Wide-area Hardware-accelerated Intrusion Prevention Systems (WHIPS)

WASHINGTON UNIVERSITY SEVER INSTITUTE OF TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING TECHNIQUES FOR PROCESSING TCP/IP FLOW CONTENT

Packet Inspection on Programmable Hardware

Background on Bloom Filter

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Multi-pattern Signature Matching for Hardware Network Intrusion Detection Systems

Malware Research at SMU. Tom Chen SMU

TCP Programmer for FPXs

Motivation to Teach Network Hardware

A THERMAL MANAGEMENT AND PROFILING METHOD FOR RECONFIGURABLE HARDWARE APPLICATIONS. Phillip H. Jones, John W. Lockwood, Young H.

Fast Reconfiguring Deep Packet Filter for 1+ Gigabit Network

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Efficient Packet Classification for Network Intrusion Detection using FPGA

Configuring Anomaly Detection

1. INTRODUCTION 2. BACKGROUND. outputs scores that indicate proximity to known topics or dialects of a language.

Hash-Based String Matching Algorithm For Network Intrusion Prevention systems (NIPS)

Building Networks with Open, Reconfigurable Hardware

Virtual Patching Solution: Increased Protection and Reduced Maintenance for Process Control Systems

Hello, World: A Simple Application for the Field Programmable Port Extender (FPX)

Very Fast Containment of Scanning Worms. Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL

TriBiCa: Trie Bitmap Content Analyzer for High-Speed Network Intrusion Detection

Technology in Action

Scheduling Data Flows using DRR

The router architecture consists of two major components: Routing Engine. 100-Mbps link. Packet Forwarding Engine

Configuring Anomaly Detection

Configuring Anomaly Detection

Cisco ASA 5500 Series IPS Solution

Web Gateway Security Appliances for the Enterprise: Comparison of Malware Blocking Rates

RiceNIC. Prototyping Network Interfaces. Jeffrey Shafer Scott Rixner

Demonstration of a High Performance Active Router DARPA Demo - 9/24/99

Unit 2 Assignment 2. Software Utilities?

Design and Implementation of DPI Mechanism for NIDS on FPGA

Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server Appliances

CS61C Machine Structures Lecture 37 Networks. No Machine is an Island!

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Symantec Network Security 7100 Series

Keywords -- Programmable router, reconfigurable hardware, active networking, port processor. I. INTRODUCTION

First Gigabit Kits Workshop

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS)

Outline. Intrusion Detection. Intrusion Detection History. Some Challenges. Network-based Host Compromises. Host-based Network Intrusion Detection

Configurable String Matching Hardware for Speeding up Intrusion Detection

CSE 565 Computer Security Fall 2018

IDS: Signature Detection

WHITE PAPER: BEST PRACTICES. Sizing and Scalability Recommendations for Symantec Endpoint Protection. Symantec Enterprise Security Solutions Group

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

A Platform for High Performance Overlay Hosting Services

Switch and Router Design. Packet Processing Examples. Packet Processing Examples. Packet Processing Rate 12/14/2011

Symantec Client Security. Integrated protection for network and remote clients.

Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE, T.J.S ENGINEERING COLLEGE

NetFPGA Update at GEC4

Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone

FPGA VHDL Design Flow AES128 Implementation

HIGH-PERFORMANCE NETWORK SECURITY USING NETWORK INTRUSION DETECTION SYSTEM APPROACH

Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor

Data Sheet. DPtech IPS2000 Series Intrusion Prevention System. Overview. Series IPS2000-MC-N. Features

Worm Detection, Early Warning and Response Based on Local Victim Information

Experience with the NetFPGA Program

FPGA based Network Traffic Analysis using Traffic Dispersion Graphs

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

A senior design project on network security

Programmable Logic Devices

Cisco NAC Network Module for Integrated Services Routers

How Cisco IT Upgraded Intrusion Detection to Improve Scalability and Performance

HAIL: An Algorithm for the Hardware Accelerated Identification of Languages, Master's Thesis, May 2006

Regular Expression Acceleration at Multiple Tens of Gb/s

Introducing LXI to your Network Administrator

Security: Worms. Presenter: AJ Fink Nov. 4, 2004

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

WUCS-TM-02-?? September 13, 2002

Types Of Computer Virus Sources Of Virus Virus Warning Signs Virus Detection(Anti-Virus) Virus Prevention and Removal

IT Foundations Networking Specialist Certification with Exam

Computer Network Vulnerabilities

Snort: The World s Most Widely Deployed IPS Technology

N-Dimension n-platform 340S Unified Threat Management System

On the Effectiveness of Distributed Worm Monitoring

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Quick Heal Total Security for Mac. Simple, fast and seamless protection for Mac.

Transcription:

Internet Worm and Virus Protection for Very High-Speed Networks John W. Lockwood Professor of Computer Science and Engineering lockwood@arl.wustl.edu http://www.arl.wustl.edu/~lockwood Research Sponsor: http://www.globalvelocity.info/

Internet Worms and Viruses The problem with worms and virus attacks Annoyance to users Costly to businesses (lost productivity) Security threat to government (compromised data) Recent Attacks Nimda, Code Red, Slammer MSBlast Infected over 350,000 hosts in Aug. 16, 2003 SoBigF Infected 1 million users in first 24 hours Infected > 200 million in the first week Caused an estimated $1 billion in damages to repair. Detectable by a Signature in Content Pattern of bytes Regular Expression Morphable pattern

Challenges to Stopping Worm and Virus Attacks End-systems difficult to maintain Operating systems become outdated Users introduce new machines on network Internet contains several types of traffic Web, file transfers, telnet Data may appear anywhere in the packet Networks process High Speed Data Multi Gigabit/second data transmission rates now commonplace in campus, corporate, and backbone networks Peer-to-Peer protocols dominate current and future traffic Need Real-time gathering No latency can be tolerated

Virus/Worm/Data Spread in Unprotected Networks Small Town U.S.A. NAP University X Los Angeles NAP Location A Location B Location C St. Louis NAP A C A B B

Virus/Worm/Data Spread in Unprotected Networks Small Town U.S.A. NAP University X Los Angeles NAP Location A Location B Location C St. Louis NAP A C A B B

Virus/Worm/Data Spread in Unprotected Networks Small Town U.S.A. NAP University X Los Angeles NAP Location A Location B Location C St. Louis NAP A C A B B

Virus/Worm/Data Spread in Unprotected Networks Small Town U.S.A. NAP University X Los Angeles NAP Location A Location B Location C St. Louis NAP A C A B B

Virus/Worm/Data Containment in Protected Networks Small Town U.S.A. NAP University X Content Scanning and Protection Device Los Angeles NAP Location A Location B Location C St. Louis NAP A C A B B

Content Scanning Technology Fiber optic Line Cards Gigabit Ethernet ATM OC-3 to OC-48 Reconfigurable Hardware Uses Field Programmable Port Extender (FPX) Platform Protocol processing and content scanning performed in hardware Reconfigurable over the network Chassis / Motherboard Allows Modules to Stack

Field-programmable Port Extender (FPX) PROM SRAM D[64] Addr D[36] D[64] D[36] Addr Addr Addr SelectMAP Reconfiguration Interface Subnet A Network Interface Device (NID) FPGA 2.4 Gigabit/sec Network Interfaces SDRAM SRAM PC100 ZBT SDRAM SRAM PC100 ZBT Program NID Program RAD Subnet B Reconfigurable Application Device (RAD) FPGA Processing Function Processing Function Off-chip Memories Off-chip Memories PROM SRAM D[64] Addr D[36] D[64] D[36] Addr Addr Addr SelectMAP Reconfiguration Interface Subnet A Network Interface Device (NID) FPGA 2.4 Gigabit/sec Network Interfaces SDRAM SRAM PC100 ZBT SDRAM SRAM PC100 ZBT Program NID Program RAD Subnet B Reconfigurable Application Device (RAD) FPGA Processing Function Processing Function Processing Function Processing Function Off-chip Memories Off-chip Memories

Remotely reprogramming hardware over the network New module developed Content Matching Server generates New module in programmable Logic Module Bitfile transmitted over network New module deployed into FPX hardware Internet IPP IPP IPP IPP IPP IPP IPP IPP OPP OPP OPP OPP OPP OPP OPP OPP

Data Scanning Technologies Protocol Processing Layered Protocol Wrappers Process Cells/frames/packets/flows in hardware Regular Expression Matching Deterministic Finite Automata (DFA) Dynamically programmed into FPGA logic Fixed String Matching Bloom Filters Dynamically programmed into BlockRAMs

Regular Expression Matching with Finite Automata RE1 RE2 RE3 RE4 RE5 RE6 Flow Dispatch RE1 RE2 RE3 RE4 RE5 RE6 RE1 RE2 RE3 RE4 RE5 RE6 RE1 RE2 RE3 RE4 RE5 RE6 Flow Collect UDP/TCP Wrapper IP Wrapper Frame Wrapper Cell Wrapper Moscola et al.

SDRAM String Matching with Bloom Filters False Positive Resolver BF W BF 5 BF 4 BF 3 Data in b W - - - - - - - - - b 5 b 4 b 3 b 2 b 1 Data Out UDP/TCP Wrapper IP Wrapper Frame Wrapper Cell Wrapper Dharmapulikar et al.

Complete Protection System Network Aggregation Point (NAP) Switch/ Concentrator Global Velocity DED Router/ Switch Data Data Regional Transaction Processor (RTP) Content Matching Server (CMS)/ Central Storage and Backup System (CSBS)

System Components Hardware-based Data Processing FPGA bitfile transferred over network to reconfigurable hardware Content scanned in hardware with parallel Finite State Machines (FSMs) Control messages sent over network allow blocking/unblocking of data Software-based System Generation Web-based control and configuration SQL Database stores signature patterns Finite State Machines created with JLEX VHDL-specified circuits generated, Instantiated, and integrated with Internet protocol processing wrappers

Selecting the Search Strings

Edit Search strings

Program the Hardware

Modular Design Flow (our contribution) In-System, Data Scanning on FPX Platform Install and deploy modules over Internet to remote scanners (NCHARGE) Generate bitstream (Xilinx) Place and Route with constraints (Xilinx) Front End: Specify Regular Expression (Web, PHP) New, 2 Million-gate Packet Scanner: 9 Minutes Set Boundry I/O & Routing Constraints (DHP) Back End (1): Extract Search terms from SQL database Back End (2): Generate Finite State Machines in VHDL Synthesize Logic to gates & flops (Synplicity Pro)

Network Configuration with Gigabit Ethernet Data Enabling Device (DED) with FPX Processing Modules Internet Gigabit Ethernet Gigabit Ethernet PC PC PC PC

Passive Virus Protection Content returns from Internet through FPX Content is processed in the FPX FPgrep Module Content containing virus is forwarded from FPX Alert packet is sent to user to let them know of the virus Internet User requests information from Internet Internet User

Passive Virus Example

Active Virus Protection Content returns from infected host Content is processed in the FPX Content Scanning Module Content containing virus is dropped at FPX Alert packet is sent to user to let them know of the virus (1) Data requested from public Internet Internet User

Active Virus Example

Other Applications Prevent unauthorized release of data Secure Classified documents Lock medical documents for Health Insurance Portability and Accountability Act (HIPAA) Avoid liability for misuse of network Copyright infringement Pornography in the workplace

Content Scanning Technologies General Purpose Microprocessors Fully Reprogrammable Sequential Processing Custom Packet Processing Hardware Highly concurrent processing Static Functionality Network Processors Mostly Reprogrammable Some concurrent processing (8-32 cores)............... Reconfigurable Hardware Fully Programmable Highly concurrent processing......

Performance Probability of Matching FPGA-based Regular Expression Matching with Parallel Engines Software-based Regular Expression Matching Systems (Snort, etc) Throughput

Actual Software Performance From: Network Intrusion Detection Systems: Important IDS Network Security Vulnerabilities by Simon Edwards (TopLayer.com)

Throughput Comparison Sed was run on different Linux PCs Dual Intel Pentium III @ 1 GHz 13.7 Mbps when data is read from disk 32.72 Mbps when data is read from memory Alpha 21364 @ 667 MHz 36 Mbps when data is read from disk 50.4 Mbps when data is read from memory Software results are 40x slower than FPsed

String Processing Benchmarks (measured results for SED)

Results Content Scanning Platform Implemented Scans Internet packets for virus or Internet worm signatures using reconfigurable hardware Generates prompts when matching content is found Content Matching Server Implemented Automatically generates FPGA from regular expressions selected from database Regional Transaction Processor implemented Tracks propagation of Internet worms and viruses Reduces the spread of malware from months to minutes

Acknowledgements Washington University Faculty John Lockwood Ronald Loui Jon Turner Graduate Students Mike Attig Sarang Dharmapurikar David Lim Jing Lu Bharath Madhusudan James Moscola Chris Neely David Schuehler Todd Sproull David Taylor Haoyu Song Chris Zuver Industry Research Partners Matthew Kulig (Global Velocity) David Reddick (Global Velocity) Tim Brooks (Global Velocity) Government Partners National Science Foundation Hardware Vendors David Parlour (Xilinx) Visiting Faculty and Students Edson Horta Florian Braun Carlos Macian

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback