Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Signature Match Processor Architecture for Network Intrusion Detection Janardhan Singaraju, Long Bu and John A. Chandy Electrical and Computer Engineering.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "A Signature Match Processor Architecture for Network Intrusion Detection Janardhan Singaraju, Long Bu and John A. Chandy Electrical and Computer Engineering."— Presentation transcript:

1 A Signature Match Processor Architecture for Network Intrusion Detection Janardhan Singaraju, Long Bu and John A. Chandy Electrical and Computer Engineering Department, University of Connecticut, Storrs, CT 06269-1157

2 Introduction Network intrusion Detection :Process of identifying and analyzing packets that may signify an impending threat to Organizations Network. Deployment- Passive : Uses secondary node to analyze data flow Host Based System : Monitors a single system. SNORT- Open Source intrusion detection Software. EX: alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOSTrin00 Daemon to Master message detected"; content:"l44"; reference:arachnids,186;classtype:attempted-dos; sid:231; rev:3;) String Matching: 30% of Computation Time.

3 Software vs. Hardware Software Implementation  Relatively slow  More CPU computation  Flexible  Easy design and implementation Hardware implementation  Very fast  CPU offload  Less flexible  Much longer design cycle Hardware Techniques : Finite Automata based methods, CAM Based methods

4 CAM Based NIDS Content Addressable Memories: Used in caches,IP address look-up tables. CAM based NIDS stores a set of signatures k bits matched against CAM for matches. No need to reprogram. Cannot handle regular Expressions.

5 Disadvantages Fixed keyword size. Cannot match overlapping signatures e.g.: Signatures FOO and BAR Data: AFOOBARCD, k=3 checks AFO, OBA,RCD – no match? Sliding window approach using single character comparators with shift registers.

6 Our Model CAM based Signature match processor Uses array of Cellular automata to process Character matches. Compatible with further optimizations like processing characters in parallel, prefix sharing, pattern partitioning etc. Multiple character matches per cycle of operation

7 Signature Match processor Architecture Matched Address Output Control circuit Data in From network CPU Control Character Match Array Signature Match Array Signature Match buffer Match Signal Data in PE Reset SM Reset Finish Match Address output Logic CPU Control

8 Character match array Can be implemented with CAM Array of Discrete Comparators 256, 8 bit Comparators to match all possible ASCII Characters P rows of Comparators, P denote the degree of parallelism

9 Character Match Array ABCD Byte 1... ABCD Byte 2... ABCD Byte p............................................ Match A[1:p] Match D[1:p]

10 Character Match Array ABCD Byte 1... D 0 0 1 0 ABCD Byte 1... C 0 0 0 1

11 Signature Match Array N x 1 array of processing elements (PE) N is number of characters in the signature set to be matched. All inputs connected according to the signature set to be matched. Each element performs a simple algorithm based on the number of characters matched at a time (p).

12 Signature Match Array Cout [1:p] Cin [1:p] Cout [1:p] Cin [1:p] Signature: QUIT MQ[1:p] MU[1:p] MI[1:p] MT[1:p] Sig_begSig_end Signature match

13 Signature Match Array EX: p = 4 cout1 <= MA1 and (cin3 or sig_beg); cout2 <= MA2 and (cin1 or sig_beg); cout3 <= MA3 and (cin2 or sig_beg); cout4_temp <= MA4 and (cin3 or sig_beg); sig_match <= sig_end and (cout1 or cout2 or cout3 or cout4_temp); if ( clk’event and clk=’1’) then cout4 <= cout4_temp; end if

14 Signature Match Array Each PE generates carry signals that are propagated to the next PE These carry signals determine the carry signals that are generated in the next PE. Carry signals along with signature begin signal determine the word match Pth Carry out in each PE is latched for further use.

15 Signature Match Processor 4adls 4adls f l 00 0100 1000000 0 l Sig_beg 44adsl Sig_end 1 0 0 0 0 0 0 0 0 0 0 Signature match Data in : fl44

16 Signature Match Processor 4adls 4adls 4 4 1100 0010000 1 l Sig_beg 44adsl Sig_end 1 0 0 1 0 0 0 0 0 0 0 Signature match Data in : fl44

17 Address Output Logic Separates multiple matches for signatures and decodes start address of each Signature match Signature match buffer stores end address of all word matches Match position (MP) is given as input to binary structured address output logic

18 Address Output Logic MP0MP1MP2MP3LP0LP1LP2LP3 MAA A1 A0 MA out LP in MP0 LP0 MP1 LP1

19 Address Output Logic MP1MP2MP3LP0LP1LP2LP3 A1 A0 1011 LP 100011 Address MAA MP0 001001 0011 0001 000001

20 Control Circuit Manages data flow throughout the signature match processor Presents p bytes of data to the signature match processor Resets the signature match buffers, enables address output logic

21 Performance Analysis time to process a b byte packet is b/p+M+1 cycles where M is the number of matches found in the packet. b/p corresponds to the time for the packet to stream through the SMP signature matches and M + 1 is the time to do the matched address output per-packet cycle time is max ( b/p, M + 1) If b/p > M + 1, which is the general case, the per-packet cycle time is b/p, and the per-byte run-time is 1/p cycles.

22 NIDS with SMP Architecture

23 FPGA implementation Xilinx Virtex II Pro XC2VP30 FPGA Virtex II Pro has Rocket IO to implement MAC XILINX ISE 7.1i Design environment Rule set ranging from 94 rules with 1021 char to 1237 rules with 16347 chars

24 Resource Utilization

25 Design using binary tree structured Address output logic uses 1.5 registers and 1.5 LUTs per CAM Character LUTs correspond to CAM, PE logic,MAO logic. Registers correspond to Word match buffers and PE registers.

26 Comparison NIDS FPGA Designs

27 The performance metric is ratio between throughput and logic cell/char to evaluate the tradeoff between area and performance Number of Logic cells/Char is small Throughput will increase with increase in parallelism.

28 Conclusions Innovative CAM based Signature Match Processor Processing speed of over 5Gbps can be achieved Priority address encoder to generate addresses in case of multiple matches

29 Future Directions Plan to use embedded PowerPC in Virtex II Pro to implement software part of NIDS such as SMP Managements, Alerts, logging etc Other applications such as directory lookup in network storage systems, DNS lookup and LDAP processing Extending SMP to support wild card and approximate word matching capabilities Improving power characteristics of SMP

Download ppt "A Signature Match Processor Architecture for Network Intrusion Detection Janardhan Singaraju, Long Bu and John A. Chandy Electrical and Computer Engineering."

Similar presentations

Topics covered: CPU Architecture CSE 243: Introduction to Computer Architecture and Hardware/Software Interface.

Topics covered: CPU Architecture CSE 243: Introduction to Computer Architecture and Hardware/Software Interface.
A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.

A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.
Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.

Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.
Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.

Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.
Authors: Raphael Polig, Kubilay Atasu, and Christoph Hagleitner Publisher: FPL, 2013 Presenter: Chia-Yi, Chu Date: 2013/10/30 1.

Authors: Raphael Polig, Kubilay Atasu, and Christoph Hagleitner Publisher: FPL, 2013 Presenter: Chia-Yi, Chu Date: 2013/10/30 1.
Technical University of Crete Packet Pre-filtering for Network Intrusion Detection Ioannis Sourdis, Vasilis Dimopoulos, Dionisios Pnevmatikatos and Stamatis.

Technical University of Crete Packet Pre-filtering for Network Intrusion Detection Ioannis Sourdis, Vasilis Dimopoulos, Dionisios Pnevmatikatos and Stamatis.
Pipelined Parallel AC-based Approach for Multi-String Matching Department of Computer Science and Information Engineering National Cheng Kung University,

Pipelined Parallel AC-based Approach for Multi-String Matching Department of Computer Science and Information Engineering National Cheng Kung University,
Router Architecture : Building high-performance routers Ian Pratt

Router Architecture : Building high-performance routers Ian Pratt
Zheming CSCE715.  A wireless sensor network (WSN) ◦ Spatially distributed sensors to monitor physical or environmental conditions, and to cooperatively.

Zheming CSCE715.  A wireless sensor network (WSN) ◦ Spatially distributed sensors to monitor physical or environmental conditions, and to cooperatively.
Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.

Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.
1 An Evolution of Pattern Matching within Network Intrusion Detection Systems Erik Anderson 9 November 2006.

1 An Evolution of Pattern Matching within Network Intrusion Detection Systems Erik Anderson 9 November 2006.
Processor Technology and Architecture

Processor Technology and Architecture
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
1 A CAM-based keyword match processor architecture Author: Long Bu, John A. Chandy * Publisher: Microelectronics Journal 37 (2006) Presenter: Han-Chen.

1 A CAM-based keyword match processor architecture Author: Long Bu, John A. Chandy * Publisher: Microelectronics Journal 37 (2006) Presenter: Han-Chen.
Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.

Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.
1 FPGA-based ROM-free network intrusion detection using shift-OR circuit Department of Computer Science and Information Engineering National Cheng Kung.

1 FPGA-based ROM-free network intrusion detection using shift-OR circuit Department of Computer Science and Information Engineering National Cheng Kung.
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
1 Multi-Core Architecture on FPGA for Large Dictionary String Matching Department of Computer Science and Information Engineering National Cheng Kung University,

1 Multi-Core Architecture on FPGA for Large Dictionary String Matching Department of Computer Science and Information Engineering National Cheng Kung University,
1 Regular expression matching with input compression : a hardware design for use within network intrusion detection systems Department of Computer Science.

1 Regular expression matching with input compression : a hardware design for use within network intrusion detection systems Department of Computer Science.
1 Gigabit Rate Multiple- Pattern Matching with TCAM Fang Yu Randy H. Katz T. V. Lakshman

1 Gigabit Rate Multiple- Pattern Matching with TCAM Fang Yu Randy H. Katz T. V. Lakshman

Similar presentations

Ads by Google