Presentation is loading. Please wait.

Presentation is loading. Please wait.

ICS-FORTH WISDOM Workpackage 3: New security algorithm design FORTH-ICS The next six months Cork, 29 January 2007.

Published byDavid Goodman Modified over 9 years ago

Similar presentations

Presentation on theme: "ICS-FORTH WISDOM Workpackage 3: New security algorithm design FORTH-ICS The next six months Cork, 29 January 2007."— Presentation transcript:

1 ICS-FORTH WISDOM Workpackage 3: New security algorithm design FORTH-ICS The next six months Cork, 29 January 2007

2 ICS-FORTH WISDOM WP3: New security algorithm design Objectives Identify critical security application components which can be efficiently implemented in the optical domain. Characterise constraints to algorithmic components and develop novel analytical techniques for simplified pattern matching. Design a Security Application Programming Interface (SAPI) which will be the interface between high-level security applications and low-level optical implementation Tasks - Deliverables WP 3.1: Security Applications partitioning (M12) WP 3.2: Identification of simplified Security Algorithms Components (M24) WP 3.3: Definition of a Security Application Programming Interface: SAPI (M27)

3 ICS-FORTH WP3.1 Security Applications Partitioning Identify components which can be effectively and efficiently implemented in the optical domain e.g., optical bit filtering, simple optical bit pattern matching Partitioning of security-related applications (Firewalls, DoS attacks detection, IDS/IPS) into -high-level part (electronic) -low-level part (optical) WP2 outcome crucial to WP3 restrictions from optical hardware D3.1 report M12 (not M24 or M30 as initially stated)

4 ICS-FORTH WP3.1 Security Applications Partitioning Identify efficient operations in optical domain by considering optical hardware optical bit filtering, pattern matching (order of a hundred bits) variable delays? optical data format RZ pulses packet structure and decoding TCP/IP, UDP/IP, etc basic firewall functionality prevent communication for specific servers and services basic IDS/IPS functionality: signature, anomaly detection simple pattern matching, stateful pattern matching, protocol decode- based detection, heuristic-based detection, anomaly-based detection

5 ICS-FORTH WP3.1 Security Applications Partitioning Packet structure Header (fixed length) Payload (variable length) Optical processing for headers only Optical filtering to extract specific fields from headers Complication: options field between different protocols, need to check options length. TCP/IP headers

6 ICS-FORTH WP3.1 Security Applications Partitioning Basic firewall functionality Look at port numbers Block incoming traffic to specific ports Optical filtering, optical pattern matching Look at IP addresses Block incoming traffic from specific IP addresses Optical filtering, optical/electronic pattern matching Headers only What happens to payload in the meantime? (sampling, randomized, heuristic…)

7 ICS-FORTH WP3.1 Security Applications Partitioning Basic NIDS/NIPS functionality Simple pattern matching optical for packet header, electronic for payload Stateful pattern matching no obvious implementation in the optical Protocol decode detection no obvious implementation in the optical Heuristic detection possibilities to combine optical with electronic Anomaly detection optical (e.g. simple DoS attacks) and electronic

8 ICS-FORTH WP3.1 Security Applications Partitioning WISDOM firewall/NIDS/NIPS at the moment: Header-based rules only in the optical more than 90% of actual NIDS rules involve full packet inspection more than 90% of alerts in actual NIDS are header-based Conventional NIDS throughput

9 ICS-FORTH WP3.2 Identification of Simplified Security Algorithms Components Optical pre-processing for more complex pattern recognition Restrictions in optical domain (buffering, level of integration, etc) Scalability of security pattern matching algorithms, optimum balance between optical and electronic processing (WP6) D3.2 Identification of Simplified Security Algorithms Components that may be implemented within optical bit-serial processing elements (M24)

10 ICS-FORTH WP 3.3 Definition of a Security Application Programming Interface (SAPI) SAPI will bridge the gap between optical execution of key components and programming of security applications High-level programming, abstract all low-level details Monitoring Application Programming Interface (MAPI) D3.3 Definition of SAPI (M27)

11 ICS-FORTH Scalability Parallel use of optical devices up to a dozen “on a chip” Parallel/Distributed Architectures Multiple sensors operating in parallel coupled with suitable load balancing traffic splitters Many issues, e.g., not trivial to split packets, to distribute traffic evenly, specialized sensors

12 ICS-FORTH Modeling and simulation Physical models of optical hardware from WP4 but useful for WP3 Functional models of optical devices and simulators Optical bit matching Conventional electronics

Download ppt "ICS-FORTH WISDOM Workpackage 3: New security algorithm design FORTH-ICS The next six months Cork, 29 January 2007."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.

REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.
IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.
A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.

A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.

Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
IDS/IPS Definition and Classification

IDS/IPS Definition and Classification
Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.

Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.

Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.
Design and Implementation of SIP-aware DDoS Attack Detection System.

Design and Implementation of SIP-aware DDoS Attack Detection System.
Department Of Computer Engineering

Department Of Computer Engineering
Intrusion Detection System Marmagna Desai [ 520 Presentation]

Intrusion Detection System Marmagna Desai [ 520 Presentation]
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.

BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.
Workpackage 3 New security algorithm design ICS-FORTH Heraklion, 3 rd June 2009.

Workpackage 3 New security algorithm design ICS-FORTH Heraklion, 3 rd June 2009.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Composing Software Defined Networks Jennifer Rexford Princeton University With Joshua Reich, Chris Monsanto, Nate Foster, and.

Composing Software Defined Networks Jennifer Rexford Princeton University With Joshua Reich, Chris Monsanto, Nate Foster, and.
Penetration Testing Security Analysis and Advanced Tools: Snort.

Penetration Testing Security Analysis and Advanced Tools: Snort.
Workpackage 3 New security algorithm design ICS-FORTH Paris, 30 th June 2008.

Workpackage 3 New security algorithm design ICS-FORTH Paris, 30 th June 2008.

Similar presentations

Ads by Google