Network Intrusion Detection Systems on FPGAs with On-Chip Network Interfaces Christopher ClarkGeorgia Institute of Technology Craig UlmerSandia National Laboratories, California Craig Ulmer February 22, 2005 Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.
Network Intrusion Detection Systems on FPGAs with On-Chip Network Interfaces Note:This work was not performed by SNL’s network security group and is independent of SNL’s network security policy or infrastructure. Packet Good Malicious NIDS Chris Clark / Georgia TechCraig Ulmer / SNL + NI FPGA Network
Outline Background: An evolution of NIDS and FPGAs Single-Chip NIDS: An integrated approach Example: A Multi-Filter Bridge NIDS –Implementation details and measurements Concluding remarks and future work
Background: An Evolution of NIDS and FPGAs
Network Intrusion Detection Systems (NIDS) There are many malicious users on the Internet –Unprotected home PCs hijacked within 10 minutes –Even if protected- still fighting denial of service Network Intrusion Detection Systems (NIDS) –Monitor network and react to attacks Example: Snort ( –Large database of malicious packet signatures –1,305 rules with 1,512 patterns –Pattern matching on 17,537 characters
Host-based NIDS Implementations NIC CPU NIC CPU FPGA NIC CPU FPGA SoftwareFPGA CardFPGA-enabled NIC I/O Multiple architectures proposed for NIDS –Separation of Network Interface and Intrusion Detection ID
Single-Chip NIDS: An Integrated Approach
Evolution: An Integrated Approach New FPGAs have network transceivers –FPGAs interact directly with network Build complete NIDS in an FPGA –NI and ID units under one roof Integration benefits –Customization of units and topology –Portability –New applications Describe our integration experiences NI Network FPGA Intrusion Detection FPGA Intrusion Detection Network Interface Chip
Network Interface: Gigabit Ethernet Xilinx Virtex II/Pro FPGA has Rocket I/O modules We developed a simplified GigE network interface –Stripped down to essentials: move data between network and FIFOs –Roughly same size as FIFO-less Xilinx GigE core FIFOs enable data rate changes between FPGA and Network Rx Control Tx Control Rx Packet FIFO 16b Align CRC Filter Tx Packet FIFO GigE Network Interface Core Rocket I/O Transceiver GigE Network Framer FPGA Internals
Intrusion Detection Unit Header Decoder Header Analysis Header Payload Analysis Match Decision Logic Drop Match Match Vector Ethernet Frame Data Snort rules translated to structural JHDL intrusion detection unit –Compile time select 16/32/64b data width –Both header/payload analysis units Payload analysis unit performs large-scale pattern matching –Non-deterministic finite state automata (NFA) –Previously described in FCCM 2004 (Clark and Schimmel) Aligned Payload Match Header Match
Integrated Example: A Multi-Filter Bridge NIDS
Filtering Network Connections Desire a NIDS that we can insert on a network link –Detect and filter out attacks –Transparent to users –Single bi-directional link: Filter Bridge –Can extend to support multiple filter bridges per FPGA NI ID Unit FPGA Single Filter Bridge
NI Data Rates in Multi-Filter Bridge NIDS ID data rate > Aggregate network rate Increase ID data rate –Data path: 16/32/64 bits –Clock: 62.5–125 MHz Example: 2 Bridges –ID needs 4x data rate –1x = 16b / 62.5 MHz –4x = 32b / 125 MHz ID Unit NI OKDrop Scheduler
Multi-Filter Bridge: Implementation Details and Measurements
Multi-Filter Bridge Implementation Parameterized design –Number of bridges:1-4 –ID bitwidth:16b/32b/64b –NI FIFO depth:2-16 KB Xilinx ML300 Reference Board –Virtex II/Pro-7 FPGA (-6) –Four optical GigE ports Pair of Intel hosts –Packet Engines GigE cards
Latency Measurements Internal measurements –Used ChipScope Pro –Counted clock cycles External measurements –Host-to-Host –Round-trip timings –Long and short messages Topology43 bytes1024 bytes No NIDS119 µs224 µs Single NIDS123 µs244 µs Dual NIDS128 µs291 µs OperationLatency Transceiver0.64 µs 1x ID2.4 µs 2x ID1.6 µs
Percentage of Maximum Rule Set for Single Filter Bridge
FPGA Utilization for Multi-Filter Bridges Number of Filter Bridges V2P50 Slice Utilization Constant FPGA size and rule set –Virtex II/Pro 50 (-6) –2,001 Chars (10% of Max) Increases in Bitwidth –Large jumps –32b to 64b > 16b to 32b Increases in Number of Bridges –ID unit unaffected
Density Observations Largest parts unappealing –Significant compile times –Limited routing resources Medium parts more economical –Chain multiple NIDS bridges Virtex-4 parts –More affordable –Prices are more linear FPGA Slices Relative V2P Price & Density V2P100 V2P70 V2P7 V2P40
Conclusions and Future Work
Integrated NIDS appealing –Customize individual components and overall design –Good portability because does not depend on external chips Multi-filter bridge design –Demonstrated transparent in-line filter –Support a low number of filter bridges at link speeds Future work to explore larger parts in greater detail –Better results with floor planning and early placement 16% Improvement in Clock Rate Constrain to top 65% of V2P100
Backup Slides
Network Interface Characteristics Flexible packet FIFO –16/32/64b width to user –2-16 KB (each direction) –Can handle 185 MHz clock rate –Separate reader/writer clocks Small size –GigE with 4KB FIFOs: 749 slices –Xilinx GigE core (no FIFO):763 slices
ID Payload Analysis Unit Large-scale pattern matching –Non-deterministic finite state automata (NFA) –Previously described in FCCM 2004 (Clark and Schimmel) Decode incoming symbol and route to necessary stages