1 An Evolution of Pattern Matching within Network Intrusion Detection Systems
Erik Anderson
9 November 2006

2 Overview
- Introduction and Background
- Software Approaches
- Soft Core Processors
- Circuit Based Pattern Matching
- Automatic Synthesis
- Memory Based Pattern Matching
- Comparisons of Techniques
- Future Works

3 Introduction and Background
- Network Intrusion Detection/Prevention Systems
- Pattern Matching in Application Layer
- Patterns/Network speed growing faster than CPU speeds
- Reconfigurable Computing
  - Price, performance, power middle ground between CPUs and ASICs.

4 Software Approaches
- Commercial NIDS
- Snort
- Hogwash
- Algorithms
  - Brute Force
  - Knuth-Morris-Pratt
  - Aho-Corasick

5 From: Dharmapurikar 2005

6 Soft Core Processors
- Customize processors for an application.
- Objective: find a “good” solution in linear time.
- On board evaluation with SPARC V8.
- 79 parameters … 3.6 trillion configurations
Lockwood, Washington University

7 Soft Core Processors
- Evaluation Technique
  - Assume parameter independence.
  - Start with “out of box” configuration.
  - Rebuild and evaluate processor, tweaking one parameter at a time.
- Results (BLASTN)
  - 11.59% Runtime improvement
  - 0% change in slices
  - 39% increase in BRAMs
Lockwood, Washington University

8 Circuit Based Pattern Matching
- Uses Brute Force Method in Hardware
- Very fast
- Highly parallel
- Ideal for reconfigurable computing
- Expensive
Schimmel, Georgia Tech
Mangione-Smith, UCLA
From: Cho 2003

9 Circuit Based Pattern Matching
- Shared Substring
- Reduced circuit size
Schimmel, Georgia Tech
Mangione-Smith, UCLA
From: Cho 2003

10 Circuit Based Pattern Matching
- Character Decoding
- Stateful comparison
- Reduced circuit size
Schimmel, Georgia Tech
Mangione-Smith, UCLA
From: Clark 2004

11 Automatic Synthesis
- Given a high-level description, automatically generate a circuit.
- ROCCC
  - Translates C -> SUIF -> VHDL
  - Extensive loop analysis to find task level parallelism.
  - Generalized tool.
Prasanna, USC
Najjar, UC Riverside

12 Automatic Synthesis
- Riverside
- Input is a set of search strings.
- Generates circuit based on:
  - Knuth-Morris-Pratt
  - Character Decoding method
Prasanna, USC
Najjar, UC Riverside

13 Memory Based Pattern Matching
- Circuit based approaches are fast but not scalable.
- Throughput depends on unrealistic bus model.
- Resynthesize with new search strings.
- Paradigm switch to using memory to hold strings, and circuits to manage control path.
Mangione-Smith, UCLA
Lockwood, Washington University

14 Hybrid Model
- Divide search string into prefix and suffix.
  1. Use circuit based design to match prefixes.
  2. Use memory lookup to match suffix.
Mangione-Smith, UCLA
Lockwood, Washington University
From: Cho 2003

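A software model of the hybrid prefix/suffix split on slide 14, added here as an illustration; it is not code from the presentation or from Cho 2003. The 4-byte prefix width, the table layout, the function names and the sample signatures and payload are assumptions, and in hardware the prefix stage is a parallel comparator circuit rather than a dictionary.

```python
# Added example: software model of a hybrid prefix/suffix matcher.
PREFIX_LEN = 4  # assumption: width matched by the circuit stage

# Constructed sample signatures and payload (not from the presentation).
SAMPLE_PATTERNS = [b"/etc/passwd", b"/etc/shadow", b"cmd.exe"]
SAMPLE_PAYLOAD = b"GET /cgi-bin/view?f=/etc/passwd HTTP/1.0"


def build_tables(patterns, prefix_len=PREFIX_LEN):
    """Split each pattern into a prefix (stage 1) and a suffix (stage 2).

    prefix_index maps prefix bytes to addresses in suffix_memory;
    suffix_memory holds (suffix, full pattern) entries.
    """
    prefix_index, suffix_memory = {}, []
    for pat in patterns:
        if len(pat) < prefix_len:
            raise ValueError("pattern shorter than prefix width: %r" % pat)
        prefix, suffix = pat[:prefix_len], pat[prefix_len:]
        # Patterns sharing a prefix reuse one stage-1 entry.
        prefix_index.setdefault(prefix, []).append(len(suffix_memory))
        suffix_memory.append((suffix, pat))
    return prefix_index, suffix_memory


def scan(payload, prefix_index, suffix_memory, prefix_len=PREFIX_LEN):
    """Return (offset, pattern) for every full match in payload."""
    hits = []
    for off in range(len(payload) - prefix_len + 1):
        window = payload[off:off + prefix_len]
        # Stage 1: prefix comparison (a parallel circuit in hardware).
        for addr in prefix_index.get(window, ()):
            # Stage 2: fetch the stored suffix, compare bytes after the prefix.
            suffix, pat = suffix_memory[addr]
            start = off + prefix_len
            if payload[start:start + len(suffix)] == suffix:
                hits.append((off, pat))
    return hits


if __name__ == "__main__":
    index, memory = build_tables(SAMPLE_PATTERNS)
    print(len(index), "prefix entries for", len(memory), "patterns")
    print(scan(SAMPLE_PAYLOAD, index, memory))
```

Adding a signature that shares an existing prefix only appends a suffix entry to memory, which is the scalability argument slide 13 makes against resynthesizing the circuit.
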
15 Jump-ahead Aho-Corasick
- Circuit implements variation of Aho-Corasick state machine.
- Treat k-characters as single symbol.
Mangione-Smith, UCLA
Lockwood, Washington University
From: Dharmapurikar 2005

16 Jump-ahead Aho-Corasick
- Search strings held in memory data structures.
- 1 clock cycle Bloom filter to lookup state transition.
- Multiple cores to improve performance.
Mangione-Smith, UCLA
Lockwood, Washington University
From: Dharmapurikar 2005

17 Comparisons of Techniques

Technique                Speed (Gbps)   Size (slices)
Character Decoding       26 - 42        41K - 60K
Automatic Char. Decode   1.9 - 10       5.7K - 32K
ROCCC                    18.6           38K
Hybrid                   3.2            6.1K / 11KB
JACK-NFA                 1.9 - 11       NA / 6-47 KB

18 Future Works
- Runtime reconfiguration of circuit based systems.
- Dealing with fragmented packets.
- Applications towards bioinformatics.

19 Abstractions for NIDS
- Motivation: Collapse of Moore’s Law, increased threats, & design complexity.
- Paradigm shift from fast individual packet processing, to fast cumulative processing.
- Long term goals:
  - HLL to describe network analysis.
  - Abstracting parallel techniques.
  - Automatic compilation/synthesis of circuits.
Lockwood, Washington University

20 Questions?