A Signature Match Processor Architecture for Network Intrusion Detection Janardhan Singaraju, Long Bu and John A. Chandy Electrical and Computer Engineering Department, University of Connecticut, Storrs, CT

Introduction Network intrusion Detection :Process of identifying and analyzing packets that may signify an impending threat to Organizations Network. Deployment- Passive : Uses secondary node to analyze data flow Host Based System : Monitors a single system. SNORT- Open Source intrusion detection Software. EX: alert udp $EXTERNAL_NET any -> $HOME_NET (msg:"DDOSTrin00 Daemon to Master message detected"; content:"l44"; reference:arachnids,186;classtype:attempted-dos; sid:231; rev:3;) String Matching: 30% of Computation Time.

Software vs. Hardware Software Implementation  Relatively slow  More CPU computation  Flexible  Easy design and implementation Hardware implementation  Very fast  CPU offload  Less flexible  Much longer design cycle Hardware Techniques : Finite Automata based methods, CAM Based methods

CAM Based NIDS Content Addressable Memories: Used in caches,IP address look-up tables. CAM based NIDS stores a set of signatures k bits matched against CAM for matches. No need to reprogram. Cannot handle regular Expressions.

Disadvantages Fixed keyword size. Cannot match overlapping signatures e.g.: Signatures FOO and BAR Data: AFOOBARCD, k=3 checks AFO, OBA,RCD – no match? Sliding window approach using single character comparators with shift registers.

Our Model CAM based Signature match processor Uses array of Cellular automata to process Character matches. Compatible with further optimizations like processing characters in parallel, prefix sharing, pattern partitioning etc. Multiple character matches per cycle of operation

Signature Match processor Architecture Matched Address Output Control circuit Data in From network CPU Control Character Match Array Signature Match Array Signature Match buffer Match Signal Data in PE Reset SM Reset Finish Match Address output Logic CPU Control

Character match array Can be implemented with CAM Array of Discrete Comparators 256, 8 bit Comparators to match all possible ASCII Characters P rows of Comparators, P denote the degree of parallelism

Character Match Array ABCD Byte 1... ABCD Byte 2... ABCD Byte p Match A[1:p] Match D[1:p]

Character Match Array ABCD Byte 1... D ABCD Byte 1... C

Signature Match Array N x 1 array of processing elements (PE) N is number of characters in the signature set to be matched. All inputs connected according to the signature set to be matched. Each element performs a simple algorithm based on the number of characters matched at a time (p).

Signature Match Array Cout [1:p] Cin [1:p] Cout [1:p] Cin [1:p] Signature: QUIT MQ[1:p] MU[1:p] MI[1:p] MT[1:p] Sig_begSig_end Signature match

Signature Match Array EX: p = 4 cout1 <= MA1 and (cin3 or sig_beg); cout2 <= MA2 and (cin1 or sig_beg); cout3 <= MA3 and (cin2 or sig_beg); cout4_temp <= MA4 and (cin3 or sig_beg); sig_match <= sig_end and (cout1 or cout2 or cout3 or cout4_temp); if ( clk’event and clk=’1’) then cout4 <= cout4_temp; end if

Signature Match Array Each PE generates carry signals that are propagated to the next PE These carry signals determine the carry signals that are generated in the next PE. Carry signals along with signature begin signal determine the word match Pth Carry out in each PE is latched for further use.

Signature Match Processor 4adls 4adls f l l Sig_beg 44adsl Sig_end Signature match Data in : fl44

Signature Match Processor 4adls 4adls l Sig_beg 44adsl Sig_end Signature match Data in : fl44

Address Output Logic Separates multiple matches for signatures and decodes start address of each Signature match Signature match buffer stores end address of all word matches Match position (MP) is given as input to binary structured address output logic

Address Output Logic MP0MP1MP2MP3LP0LP1LP2LP3 MAA A1 A0 MA out LP in MP0 LP0 MP1 LP1

Address Output Logic MP1MP2MP3LP0LP1LP2LP3 A1 A LP Address MAA MP

Control Circuit Manages data flow throughout the signature match processor Presents p bytes of data to the signature match processor Resets the signature match buffers, enables address output logic

Performance Analysis time to process a b byte packet is b/p+M+1 cycles where M is the number of matches found in the packet. b/p corresponds to the time for the packet to stream through the SMP signature matches and M + 1 is the time to do the matched address output per-packet cycle time is max ( b/p, M + 1) If b/p > M + 1, which is the general case, the per-packet cycle time is b/p, and the per-byte run-time is 1/p cycles.

NIDS with SMP Architecture

FPGA implementation Xilinx Virtex II Pro XC2VP30 FPGA Virtex II Pro has Rocket IO to implement MAC XILINX ISE 7.1i Design environment Rule set ranging from 94 rules with 1021 char to 1237 rules with chars

Resource Utilization

Design using binary tree structured Address output logic uses 1.5 registers and 1.5 LUTs per CAM Character LUTs correspond to CAM, PE logic,MAO logic. Registers correspond to Word match buffers and PE registers.

Comparison NIDS FPGA Designs

The performance metric is ratio between throughput and logic cell/char to evaluate the tradeoff between area and performance Number of Logic cells/Char is small Throughput will increase with increase in parallelism.

Conclusions Innovative CAM based Signature Match Processor Processing speed of over 5Gbps can be achieved Priority address encoder to generate addresses in case of multiple matches

Future Directions Plan to use embedded PowerPC in Virtex II Pro to implement software part of NIDS such as SMP Managements, Alerts, logging etc Other applications such as directory lookup in network storage systems, DNS lookup and LDAP processing Extending SMP to support wild card and approximate word matching capabilities Improving power characteristics of SMP