A Framework for Rule Processing in Reconfigurable Network Systems

Similar documents
A Framework for Rule Processing in Reconfigurable Network Systems

A Framework for Rule Processing in Reconfigurable Network Systems

A Modular System for FPGA-Based TCP Flow Processing in High-Speed Networks

TCP-Splitter: A Reconfigurable Hardware Based TCP/IP Flow Monitor

Internet Worm and Virus Protection for Very High-Speed Networks

Automatic compilation framework for Bloom filter based intrusion detection

Efficient Packet Classification for Network Intrusion Detection using FPGA

Multi-pattern Signature Matching for Hardware Network Intrusion Detection Systems

Configurable String Matching Hardware for Speeding up Intrusion Detection

TriBiCa: Trie Bitmap Content Analyzer for High-Speed Network Intrusion Detection

Architectures for Rule Processing Intrusion Detection and Prevention Systems

NETWORK INTRUSION DETECTION SYSTEMS ON FPGAS WITH ON-CHIP NETWORK INTERFACES

Fast Reconfiguring Deep Packet Filter for 1+ Gigabit Network

Automated Incremental Design of Flexible Intrusion Detection Systems on FPGAs 1

Highly Space Efficient Counters for Perl Compatible Regular Expressions in FPGAs

Boundary Hash for Memory-Efficient Deep Packet Inspection

VARIABLE-LENGTH HASHING FOR EXACT PATTERN MATCHING

Novel FPGA-Based Signature Matching for Deep Packet Inspection

Extensible Network Configuration and Communication Framework

AN FPGA BASED ARCHITECTURE FOR COMPLEX RULE MATCHING WITH STATEFUL INSPECTION OF MULTIPLE TCP CONNECTIONS

A parallel String Matching Engine for use in high speed network intrusion detection systems.

Automatic Synthesis of Efficient Intrusion Detection Systems on FPGAs 1

Packet Inspection on Programmable Hardware

speed and low area matching advantages of high speed and parallel processing [6]. It can

RiceNIC. Prototyping Network Interfaces. Jeffrey Shafer Scott Rixner

Highly Memory-Efficient LogLog Hash for Deep Packet Inspection

SEVER INSTITUTE OF TECHNOLOGY MASTER OF SCIENCE DEGREE THESIS ACCEPTANCE. (To be the first page of each copy of the thesis)

A Methodology for Synthesis of Efficient Intrusion Detection Systems on FPGAs 1

FPgrep and FPsed: Packet Payload Processors for Managing the Flow of Digital Content on Local Area Networks and the Internet

Packet Header Analysis and Field Extraction for Multigigabit Networks

FPGA based Network Traffic Analysis using Traffic Dispersion Graphs

CPE/EE 422/522. Introduction to Xilinx Virtex Field-Programmable Gate Arrays Devices. Dr. Rhonda Kay Gaede UAH. Outline

Performance of FPGA Implementation of Bit-split Architecture for Intrusion Detection Systems

Project Proposal. ECE 526 Spring Modified Data Structure of Aho-Corasick. Benfano Soewito, Ed Flanigan and John Pangrazio

HIGH SPEED DOCUMENT CLUSTERING IN RECONFIGURABLE HARDWARE. G. Adam Covington, Charles L.G. Comstock, Andrew A. Levine, John W. Lockwood, Young H.

Decision Forest: A Scalable Architecture for Flexible Flow Matching on FPGA

Regular expression matching with input compression: a hardware design for use within network intrusion detection systems.

TCP-Splitter: Design, Implementation and Operation

TriBiCa: Trie Bitmap Content Analyzer for High-Speed Network Intrusion Detection

INTERNET CONTENT SEARCH USING FPGA S

Jakub Cabal et al. CESNET

Regular expression matching with input compression: a hardware design for use within network intrusion detection systems

HAIL: A HARDWARE-ACCELERATED ALGORITHM FOR LANGUAGE IDENTIFICATION. Charles M. Kastner, G. Adam Covington, Andrew A. Levine, John W.

Scrypt ASIC Prototyping Preliminary Design Document

An Efficient FPGA Implementation of Principle Component Analysis based Network Intrusion Detection System

Hash-Based String Matching Algorithm For Network Intrusion Prevention systems (NIPS)

Large-scale Multi-flow Regular Expression Matching on FPGA*

FPGA Implementation of Token-Based Clam AV Regex Virus Signatures with Early Detection

Dynamic Pipelining: Making IP- Lookup Truly Scalable

FPGA-Based Intrusion Detection System for 10 Gigabit Ethernet

Project Proposal. ECE 526 Spring Modified Data Structure of Aho-Corasick. Benfano Soewito, Ed Flanigan and John Pangrazio

Regular Expression Acceleration at Multiple Tens of Gb/s

Hardware Implementation for Scalable Lookahead Regular Expression Detection

Deep Packet Inspection for Intrusion Detection Systems: A Survey

Hardware Acceleration in Computer Networks. Jan Kořenek Conference IT4Innovations, Ostrava

Automation Framework for Large-Scale Regular Expression Matching on FPGA. Thilan Ganegedara, Yi-Hua E. Yang, Viktor K. Prasanna

TOKEN-BASED DICTIONARY PATTERN MATCHING FOR TEXT ANALYTICS. Raphael Polig, Kubilay Atasu, Christoph Hagleitner

Design and Implementation of DPI Mechanism for NIDS on FPGA

TCP Programmer for FPXs

REGULAR expressions are widely used in the network intrusion

SCALABLE HIGH-THROUGHPUT SRAM-BASED ARCHITECTURE FOR IP-LOOKUP USING FPGA. Hoang Le, Weirong Jiang, Viktor K. Prasanna

Regular Expression Matching for Reconfigurable Packet Inspection

FPX Architecture for a Dynamically Extensible Router

Pipelined Parallel AC-based Approach for Multi-String Matching

An Architecture for IPv6 Lookup Using Parallel Index Generation Units

Resource-Efficient SRAM-based Ternary Content Addressable Memory

Protocol Processing on the FPX

Scalable Automaton Matching for High-speed Deep Content Inspection

CprE 583 Reconfigurable Computing

Switch and Router Design. Packet Processing Examples. Packet Processing Examples. Packet Processing Rate 12/14/2011

Two-Stage Decomposition of SNORT Rules towards Efficient Hardware Implementation

Efficient Packet Classification on FPGAs also Targeting at Manageable Memory Consumption

LegUp: Accelerating Memcached on Cloud FPGAs

Efficient String Matching FPGA for speed up Network Intrusion Detection

FPGA Based Packet Classification Using Multi-Pipeline Architecture

High Capacity and High Performance 20nm FPGAs. Steve Young, Dinesh Gaitonde August Copyright 2014 Xilinx

A Passive Network Appliance for Real-Time Network Monitoring

Hardware Laboratory Configuration

HIGH-PERFORMANCE PACKET PROCESSING ENGINES USING SET-ASSOCIATIVE MEMORY ARCHITECTURES

Towards High-performance Flow-level level Packet Processing on Multi-core Network Processors

Low Latency FPGA Acceleration of Market Data Feed Arbitration

Supra-linear Packet Processing Performance with Intel Multi-core Processors

PowerPC on NetFPGA CSE 237B. Erik Rubow

Liquid Architecture Λ

High-Performance Integer Factoring with Reconfigurable Devices

Users Guide: Fast IP Lookup (FIPL) in the FPX

Dynamically Configurable Online Statistical Flow Feature Extractor on FPGA

1. INTRODUCTION 2. BACKGROUND. outputs scores that indicate proximity to known topics or dialects of a language.

Background on Bloom Filter

Scalable Multi-Pipeline Architecture for High Performance Multi-Pattern String Matching

Table of Contents...2 Abstract...3 Protocol Flow Analyzer...3

INTRODUCTION TO FPGA ARCHITECTURE

Index Terms- Field Programmable Gate Array, Content Addressable memory, Intrusion Detection system.

Application Protocol Breakdown

Structural Framework for High Speed Intrusion Detection/Prevention Signature Based Systems

SHA3 Core Specification. Author: Homer Hsing

HIGH-PERFORMANCE NETWORK SECURITY USING NETWORK INTRUSION DETECTION SYSTEM APPROACH

Computer Science at Kent

PACKET classification is a prominent technique used in

Towards Effective Packet Classification. J. Li, Y. Qi, and B. Xu Network Security Lab RIIT, Tsinghua University Dec, 2005

Transcription:

A Framework for Rule Processing in Reconfigurable Network Systems Michael Attig and John Lockwood Washington University in Saint Louis Applied Research Laboratory Department of Computer Science and Engineering May 1, 2005 Rule Processing Framework FCCM 2005 1 Outline Overview Background Architecture Results Summary Rule Processing Framework FCCM 2005 2

Rule Processing Overview Rule processing & intrusion detection TCP Flow Processing Header Processing Payload Scanning alert tcp any 110 any any (msg:"virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:miscactivity; sid:723; rev:6;) Snort Rules (version 2.2 Sept 2004) 2464 Rules 292 Headers 2107 Signatures 233 Regular Expressions Rule Processing Framework FCCM 2005 3 Rule Characteristics 2464 unique rules 292 unique header rules 168 are header-only 2107 unique signatures 97% less than 32 bytes Spread across 2296 of rules 233 regular expressions Snort rules always contain static signature also Few signatures associated with many rules 83% found in single rule Only 18 associated with more than 10 rules 10 header rules can match at once (pessimistic) Number of occurrences Number of Occurrences Unique Signature Distribution 180 160 140 120 100 80 60 40 20 0 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 Signature Length (bytes) Unique Signature Occurences 160 140 120 100 80 60 40 20 0 1 151 301 451 601 751 901 1051 1201 1351 1501 1651 1801 1951 2101 signature number Snort version 2.2 (Sept 2004) Rule Processing Framework FCCM 2005 4

Fully Functional Rule Processing String Matching? Comparators [Sourdis fccm 04] Partitioning [Baker fccm 04]? TCAMs [Yu hoti 04]? Bloom Filters [Attig fccm 04]? DFAs [Moscola fccm 03] Header Classification Complete Rule Processing NFAs [Clark fccm 04] BV-TCAM [Song fpga 05]? TCP Flow? Reconstruction [Schuehler fpl 04] Rule Processor Pipelining [Cho fccm 04] Rule Processing Framework FCCM 2005 5 Rule Processing Framework Overview Order TCP flows for inspection by payload scanner(s) h header modules determine matching header rules Local Area Area Network p payload modules search for static signatures and regular expressions Rule processor uses header and payload match criteria to determine rule matches TCP/IP Data Intrusion Detection System Local Local Area Area Network Network Intrusion Detection System Internet Matching header and string IDs sent to rule processor using standard interface Focus of this Talk Internet Internet Rule Processing Framework FCCM 2005 6

Rule Processor FPGA (1) (2) (3) (5) (6) (7) Software Communication Wrapper Matching Criteria Communication Wrapper Rule Processing Framework FCCM 2005 7 Example R1: Alert tcp any 80 any 125 (content: string1 ; content: string2 ;) Algorithmically: R1: H1 Λ C1 Λ C2 Rule Processing Framework FCCM 2005 8

Rule Processing Example TCP/IP Data flow H1 C1C2 Rule Processing Framework FCCM 2005 9 Rule Processor FPGA (1) (2) (3) (5) (6) (7) Software Communication Wrapper flow H1 C1 C2 C1 X R1 H1 Headers Reset Rule Header +1 Matching Criteria Communication Wrapper Rule Processing Framework FCCM 2005 10

Implementation Environment Xilinx Virtex 2000E FPGA 12% LUTs 25% Slices 93% of Block RAMs 80.6 MHz Stacked configuration allows chaining processing Rule Processing Framework FCCM 2005 11 Worst Case Throughput Worst case when signature associated with many rules detected Only 18 signatures in more than 10 rules Worst case signature 00 00 00 00 in 135 rules Scenario: Back-to-back 44 byte TCP packets from different flows and 00 00 00 00 as payload Worst case assumes 7 million attack packets per second Throughput (Mbps) 3000 2500 2000 1500 1000 500 0 Framework Throughput 0 250 500 750 1000 1250 1500 Packet Size (Bytes) Worst-case Average Case Rule Processing Framework FCCM 2005 12

Intrusion Detection of WashU s Backbone Network Matching 4 Byte Signatures Matching 12+ Byte Signatures Observe ~10,000 total string matches per second on WashU s backbone network (~250-300 Mbps) Scaling to 2.5 Gbps, only ~100,000 string matches per second Rule Processing Framework FCCM 2005 13 Next Generation FPGA Projections More block RAM Faster place & route Parallel copies of pipeline Multiple IDs per clock cycle QDR SRAMs Rule Processor Relative Improvement 6x improvement to throughput 7 6 5 4 3 2 1 0 Rule Frequency Throughput VirtexE Virtex2 Virtex4 Rule Processing Framework FCCM 2005 14

Related Work Function Group and Component Device Logic Cells Throughput (Gbps) Flow GaTech Stream Assembler Virtex 1000 876 (10%) 3.2 Monitoring Northwestern U. Flow Monitor Virtex2-8000 - 48.3 WashU TCP Processor Virtex4 140 22,100 (35%) 10.3 Header Processing WashU BV-TCAM Virtex4 100 4,200 (10%) 10 Payload Crete Pre-decoded CAMs Virtex2-6000 64,268 (95%) 9.7 Scanning GaTech Decoder Trees Virtex2-8000 54,890 (81%) 7 Tokyo Trie-based Hash Virtex2-6000 2,365 (7%) 10 UCLA Packet Filters Spartan 3 2000 15,202 (37%) 3.2 USC Partitioning Virtex2 Pro 15,010 (15%) 4.5 WashU Bloom Filters Virtex4 100 35,850 (85%) 20.4 Correlation WashU Rule Processor Virtex4 100 40,200 (95%) 15.9 Rule Processing Framework FCCM 2005 15 Contributions Development of large-scale Rule Processing Framework Bridge between component processing and rule processing Supports up to 32,768 rules Rule processing framework capable of 2.5 Gbps throughput on FPX Projected to 15.9 on latest Virtex 4 Rule processor operated on TCP flows Context information stored for over 2 million simultaneous flows Rule Processing Framework FCCM 2005 16

Acknowledgments Research Sponsors Global Velocity Boeing ARL Faculty & Students http://arl.wustl.edu/projects/fpx/reconfig.htm Rule Processing Framework FCCM 2005 17 Questions? Rule Processing Framework FCCM 2005 18

Communication Wrapper Interface Between Devices Between Software/Hardware Rule Processing Framework FCCM 2005 19 Example R1: Alert tcp any 80 any 125 (content: string1 ; content: string2 ;) R2: Alert tcp any 8080 any 1024 (content: string1 ;) R1: H1 Λ C1 Λ C2 R2: H2 Λ C1 Rule Processing Framework FCCM 2005 20

Rule Processor FPGA Communication Wrapper H1 C1 C2 C1 CIDs CIDs RIDs R1 H2 H1 X R2 Reset X BRAM +1 Communication Wrapper Rule Processing Framework FCCM 2005 21 Adding Modules Accept and act upon IP packets Communicate match criteria using communication wrapper interface Provide deterministic interfaces Abstract transport protocol Software Configuration using communication wrapper Represent matching criteria as ID numbers Allows combination of techniques Take advantage of best characteristics General classifiers vs. field-specific headers Static strings vs. regular expressions Rule Processing Framework FCCM 2005 22

Evaluation Recall Rule IDs are inserted into pipeline based on matching signatures Throughput (Mbps) 3000 2500 2000 1500 1000 500 Throughput versus Rule Look-ups per Second 0 1.E+00 1.E+02 1.E+04 1.E+06 1.E+08 80 Million rule IDs per second Rule Look-ups per Second Rule Processing Framework FCCM 2005 23 Additional Rules Supported Virtex 2 120 of 144 Block RAMs (18 Kbits each) 2 copies of pipeline 10 BRAM in stage 2 10 BRAM in stage 5 40 BRAM in stage 6 184,320 rules supported Virtex 4 216 of 240 Block RAMs (18 Kbits each) 4 copies of pipeline 9 BRAM in stage 2 9 BRAM in stage 5 36 BRAM in stage 6 165,888 rules supported Rule Processing Framework FCCM 2005 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback