An Evolution of Pattern Matching within Network Intrusion Detection Systems. Erik Anderson, 9 November 2006.

Presentation transcript:

1 An Evolution of Pattern Matching within Network Intrusion Detection Systems Erik Anderson 9 November 2006

2 Overview: Introduction and Background; Software Approaches; Soft Core Processors; Circuit Based Pattern Matching; Automatic Synthesis; Memory Based Pattern Matching; Comparisons of Techniques; Future Works.

3 Introduction and Background: Network Intrusion Detection/Prevention Systems. Pattern Matching in Application Layer. Patterns/Network speed growing faster than CPU speeds. Reconfigurable Computing: price, performance, power middle ground between CPUs and ASICs.

4 Software Approaches: Commercial NIDS; Snort; Hogwash. Algorithms: Brute Force; Knuth-Morris-Pratt; Aho-Corasick.

5 From: Dharmapurikar 2005

6 Soft Core Processors: Customize processors for an application. Objective: find a “good” solution in linear time. On board evaluation with SPARC V8. 79 parameters … 3.6 trillion configurations. Lockwood, Washington University

7 Soft Core Processors. Evaluation Technique: Assume parameter independence. Start with “out of box” configuration. Rebuild and evaluate processor, tweaking one parameter at a time. Results (BLASTN): 11.59% runtime improvement; 0% change in slices; 39% increase in BRAMs. Lockwood, Washington University

8 Circuit Based Pattern Matching: Uses Brute Force Method in Hardware. Very fast. Highly parallel. Ideal for reconfigurable computing. Expensive. Schimmel, Georgia Tech; Mangione-Smith, UCLA. From: Cho 2003

9 Circuit Based Pattern Matching: Shared Substring. Reduced circuit size. Schimmel, Georgia Tech; Mangione-Smith, UCLA. From: Cho 2003

10 Circuit Based Pattern Matching: Character Decoding. Stateful comparison. Reduced circuit size. Schimmel, Georgia Tech; Mangione-Smith, UCLA. From: Clark 2004

11 Automatic Synthesis: Given a high-level description, automatically generate a circuit. ROCCC: Translates C -> SUIF -> VHDL. Extensive loop analysis to find task level parallelism. Generalized tool. Prasanna, USC; Najjar, UC Riverside

12 Automatic Synthesis: Riverside. Input is a set of search strings. Generates circuit based on: Knuth-Morris-Pratt; Character Decoding method. Prasanna, USC; Najjar, UC Riverside

13 Memory Based Pattern Matching: Circuit based approaches are fast but not scalable. Throughput depends on unrealistic bus model. Resynthesize with new search strings. Paradigm switch to using memory to hold strings, and circuits to manage control path. Mangione-Smith, UCLA; Lockwood, Washington University

14 Hybrid Model: Divide search string into prefix and suffix. 1. Use circuit based design to match prefixes. 2. Use memory lookup to match suffix. Mangione-Smith, UCLA; Lockwood, Washington University. From: Cho 2003
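
A software model of the hybrid prefix/suffix split on slide 14, added here as an illustration; it is not code from the presentation or from Cho 2003. The 4-byte prefix width, the rule names and the payload are assumptions constructed for the example.

```python
# Added illustration: software model of a hybrid prefix/suffix matcher.
# PREFIX_LEN, rule names and payload are constructed assumptions.
from collections import defaultdict

PREFIX_LEN = 4  # assumed width of the hard-wired prefix comparators


def build_tables(patterns):
    """Split each search string into a fixed-width prefix and a stored suffix."""
    suffix_memory = defaultdict(list)  # prefix -> [(suffix, rule_name), ...]
    for name, pat in patterns.items():
        if len(pat) < PREFIX_LEN:
            raise ValueError(f"{name}: pattern shorter than prefix width")
        suffix_memory[pat[:PREFIX_LEN]].append((pat[PREFIX_LEN:], name))
    return dict(suffix_memory)


def scan(payload, suffix_memory):
    """Return sorted (offset, rule_name) for every search-string occurrence."""
    hits = []
    for off in range(len(payload) - PREFIX_LEN + 1):
        # Stage 1 ("circuit"): every byte offset is tested against all prefixes.
        candidates = suffix_memory.get(payload[off:off + PREFIX_LEN])
        if candidates is None:
            continue
        # Stage 2 ("memory lookup"): only after a prefix hit are the stored
        # suffixes fetched and compared with the bytes that follow.
        rest = off + PREFIX_LEN
        for suffix, name in candidates:
            if payload.startswith(suffix, rest):
                hits.append((off, name))
    return sorted(hits)


# Constructed sample rules: rule-a and rule-b share the prefix b"sigA".
PATTERNS = {"rule-a": b"sigAlpha", "rule-b": b"sigAlert", "rule-c": b"marker"}
# Constructed payload; the trailing b"sigAlph" is a truncated near-miss.
PAYLOAD = b"xx sigAlert yy marker zz sigAlph"


def demo():
    return scan(PAYLOAD, build_tables(PATTERNS))


if __name__ == "__main__":
    for offset, rule in demo():
        print(f"offset {offset}: {rule}")
```

Adding a search string in this model only adds an entry to `suffix_memory`, unless it introduces a new prefix; that is the scalability argument slide 13 makes against resynthesizing a pure circuit design.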

15 Jump-ahead Aho-Corasick: Circuit implements variation of Aho-Corasick state machine. Treat k-characters as single symbol. Mangione-Smith, UCLA; Lockwood, Washington University. From: Dharmapurikar 2005

16 Jump-ahead Aho-Corasick: Search strings held in memory data structures. 1 clock cycle Bloom filter to lookup state transition. Multiple cores to improve performance. Mangione-Smith, UCLA; Lockwood, Washington University. From: Dharmapurikar 2005

17 Comparisons of Techniques
Technique | Speed (Gbps) | Size (slices)
Character Decoding | | K - 60K
Automatic Char. Decode | | K - 32K
ROCCC | 18.6 | 38K
Hybrid | 3.2 | 6.1K / 11KB
JACK-NFA | | NA / 6-47 KB

18 Future Works: Runtime reconfiguration of circuit based systems. Dealing with fragmented packets. Applications towards bioinformatics.

19 Abstractions for NIDS. Motivation: Collapse of Moore’s Law, increased threats, & design complexity. Paradigm shift from fast individual packet processing, to fast cumulative processing. Long term goals: HLL to describe network analysis. Abstracting parallel techniques. Automatic compilation/synthesis of circuits. Lockwood, Washington University

20 Questions?