Slide 1: Network Intrusion Detection Systems on FPGAs with On-Chip Network Interfaces
Christopher Clark, Georgia Institute of Technology
Craig Ulmer, Sandia National Laboratories, California (cdulmer@sandia.gov)
February 22, 2005
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.
Slide 2: Network Intrusion Detection Systems on FPGAs with On-Chip Network Interfaces
Chris Clark / Georgia Tech, Craig Ulmer / SNL
Note: This work was not performed by SNL's network security group and is independent of SNL's network security policy or infrastructure.
[Diagram: packets arrive from the network, pass through the on-chip NI into the NIDS on the FPGA, and are classified as good or malicious.]
Slide 3: Outline
Background: An evolution of NIDS and FPGAs
Single-Chip NIDS: An integrated approach
Example: A Multi-Filter Bridge NIDS
–Implementation details and measurements
Concluding remarks and future work
Slide 4: Background: An Evolution of NIDS and FPGAs
Slide 5: Network Intrusion Detection Systems (NIDS)
There are many malicious users on the Internet
–Unprotected home PCs hijacked within 10 minutes
–Even if protected, still fighting denial of service
Network Intrusion Detection Systems (NIDS)
–Monitor the network and react to attacks
Example: Snort (www.snort.org)
–Large database of malicious packet signatures
–1,305 rules with 1,512 patterns
–Pattern matching on 17,537 characters
Slide 6: Host-based NIDS Implementations
[Diagram: three host architectures labelled Software, FPGA Card and FPGA-enabled NIC, each drawn from NIC, CPU, FPGA and I/O blocks.]
Multiple architectures proposed for NIDS
–Separation of Network Interface (NI) and Intrusion Detection (ID)
Slide 7: Single-Chip NIDS: An Integrated Approach
Slide 8: Evolution: An Integrated Approach
New FPGAs have network transceivers
–FPGAs interact directly with the network
Build a complete NIDS in an FPGA
–NI and ID units under one roof
Integration benefits
–Customization of units and topology
–Portability
–New applications
Describe our integration experiences
[Diagram: the separate Network Interface chip and Intrusion Detection FPGA of earlier designs merge into one FPGA that holds both the NI and the Intrusion Detection unit and attaches directly to the network.]
Slide 9: Network Interface: Gigabit Ethernet
Xilinx Virtex II/Pro FPGA has Rocket I/O modules
We developed a simplified GigE network interface
–Stripped down to essentials: move data between network and FIFOs
–Roughly the same size as the FIFO-less Xilinx GigE core
FIFOs enable data rate changes between FPGA and network
[Diagram: GigE Network Interface Core between the network (Rocket I/O transceiver, GigE framer) and the FPGA internals; blocks shown are Rx Control, Tx Control, 16b Align, CRC, Filter, Rx Packet FIFO and Tx Packet FIFO.]
Slide 10: Intrusion Detection Unit
[Block diagram: Ethernet frame data enters a Header Decoder, which feeds a Header Analysis unit (header match) and a Payload Analysis unit (aligned payload match); their match vector drives the Match Decision Logic, whose outputs are Match and Drop.]
Snort rules translated to a structural JHDL intrusion detection unit
–Compile-time selection of 16/32/64b data width
–Both header and payload analysis units
Payload analysis unit performs large-scale pattern matching
–Non-deterministic finite state automata (NFA)
–Previously described in FCCM 2004 (Clark and Schimmel)
Slide 11: Integrated Example: A Multi-Filter Bridge NIDS
Slide 12: Filtering Network Connections
Desire a NIDS that we can insert on a network link
–Detect and filter out attacks
–Transparent to users
–Single bi-directional link: Filter Bridge
–Can extend to support multiple filter bridges per FPGA
[Diagram: a single filter bridge, an NI and an ID unit inside one FPGA placed in-line on the link.]
Slide 13: NI Data Rates in a Multi-Filter Bridge NIDS
ID data rate > aggregate network rate
Increase ID data rate
–Data path: 16/32/64 bits
–Clock: 62.5–125 MHz
Example: 2 bridges
–ID needs 4x data rate
–1x = 16b / 62.5 MHz
–4x = 32b / 125 MHz
[Diagram: several NIs feed a single ID unit through a scheduler; the ID unit returns an OK/Drop verdict for each packet.]
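The sizing rule on this slide can be turned into a small design-space search. The helper below is an added example, not code from the talk; it assumes (as the slide's 2-bridge case implies) that every bridge carries two GigE directions, that "1x" is the 16b / 62.5 MHz baseline, and that meeting the aggregate rate exactly counts as sufficient, since the slide's own 4x = 32b / 125 MHz example is an exact match. It then picks the narrowest feasible datapath, because slide 18 reports that width increases cost the most slices.

```python
# Added sizing helper for the ID unit of a multi-filter bridge NIDS.
# Assumptions (not stated on the slide): two GigE directions per bridge,
# "1x" = 16b / 62.5 MHz, and id_rate >= aggregate is sufficient.
GIGE_BPS = 1_000_000_000                 # one GigE direction, bits per second
ID_WIDTHS_BITS = (16, 32, 64)            # compile-time datapath widths on slide 10
ID_CLOCKS_MHZ = (62.5, 125.0)            # clock range on this slide
BASELINE_BPS = 16 * 62.5e6               # "1x" = 16b / 62.5 MHz = 1 Gb/s


def id_rate_bps(width_bits, clock_mhz):
    """Bits per second the ID unit consumes at a given width and clock."""
    return width_bits * clock_mhz * 1e6


def aggregate_rate_bps(bridges):
    """Total traffic the shared ID unit must keep up with (assumption: 2 directions per bridge)."""
    return bridges * 2 * GIGE_BPS


def required_multiple(bridges):
    """Aggregate rate expressed in the slide's '1x' units, e.g. 2 bridges -> 4.0."""
    return aggregate_rate_bps(bridges) / BASELINE_BPS


def feasible_configs(bridges):
    """All (width, clock) pairs whose ID rate covers the aggregate network rate."""
    need = aggregate_rate_bps(bridges)
    return [(w, c) for c in ID_CLOCKS_MHZ for w in ID_WIDTHS_BITS
            if id_rate_bps(w, c) >= need]


def cheapest_config(bridges):
    """Narrowest datapath that works, then the lowest clock; None if no config keeps up."""
    candidates = feasible_configs(bridges)
    if not candidates:
        return None
    return min(candidates, key=lambda wc: (wc[0], wc[1]))


if __name__ == "__main__":
    for n in range(1, 6):
        print(f"{n} bridge(s): need {required_multiple(n):.0f}x -> {cheapest_config(n)}")
```

Running it reproduces the slide's 2-bridge answer (32b / 125 MHz) and shows why the design stops at four bridges: only 64b / 125 MHz sustains 8 Gb/s, and nothing in the parameter space covers a fifth bridge.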
Slide 14: Multi-Filter Bridge: Implementation Details and Measurements
Slide 15: Multi-Filter Bridge Implementation
Parameterized design
–Number of bridges: 1-4
–ID bitwidth: 16b/32b/64b
–NI FIFO depth: 2-16 KB
Xilinx ML300 Reference Board
–Virtex II/Pro-7 FPGA (-6)
–Four optical GigE ports
Pair of Intel hosts
–Packet Engines GigE cards
Slide 16: Latency Measurements
Internal measurements
–Used ChipScope Pro
–Counted clock cycles
External measurements
–Host-to-host
–Round-trip timings
–Long and short messages

Host-to-host round-trip latency:
Topology      43 bytes   1024 bytes
No NIDS       119 µs     224 µs
Single NIDS   123 µs     244 µs
Dual NIDS     128 µs     291 µs

Internal latency by operation:
Operation     Latency
Transceiver   0.64 µs
1x ID         2.4 µs
2x ID         1.6 µs
Slide 17: Percentage of Maximum Rule Set for Single Filter Bridge
[Chart only; the data values are not recoverable from the transcript.]
Slide 18: FPGA Utilization for Multi-Filter Bridges
[Chart: V2P50 slice utilization versus number of filter bridges.]
Constant FPGA size and rule set
–Virtex II/Pro 50 (-6)
–2,001 chars (10% of max)
Increases in bitwidth
–Large jumps
–32b to 64b > 16b to 32b
Increases in number of bridges
–ID unit unaffected
Slide 19: Density Observations
Largest parts unappealing
–Significant compile times
–Limited routing resources
Medium parts more economical
–Chain multiple NIDS bridges
Virtex-4 parts
–More affordable
–Prices are more linear
[Chart: relative V2P price and density (FPGA slices) for the V2P7, V2P40, V2P70 and V2P100.]
Slide 20: Conclusions and Future Work
Slide 21: Conclusions and Future Work
Integrated NIDS appealing
–Customize individual components and overall design
–Good portability because it does not depend on external chips
Multi-filter bridge design
–Demonstrated transparent in-line filter
–Supports a low number of filter bridges at link speeds
Future work to explore larger parts in greater detail
–Better results with floor planning and early placement
[Figure: constraining the design to the top 65% of a V2P100 gave a 16% improvement in clock rate.]
Slide 22: Backup Slides
Slide 23: Network Interface Characteristics
Flexible packet FIFO
–16/32/64b width to user
–2-16 KB (each direction)
–Can handle 185 MHz clock rate
–Separate reader/writer clocks
Small size
–GigE with 4 KB FIFOs: 749 slices
–Xilinx GigE core (no FIFO): 763 slices
Slide 24: ID Payload Analysis Unit
Large-scale pattern matching
–Non-deterministic finite state automata (NFA)
–Previously described in FCCM 2004 (Clark and Schimmel)
Decode incoming symbol and route to necessary stages
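Slides 10 and 24 describe the payload analysis unit as an NFA that tracks every Snort pattern in parallel, decodes each incoming symbol once and routes it only to the stages that can consume it, then hands a match vector to the decision logic. The software model below is an added example (not the authors' JHDL design or Snort's rules): it keeps a set of active (signature, position) states, which is the software equivalent of one flip-flop per pattern character, precomputes a decoder table from byte value to the states that accept it, feeds the payload in 16/32/64-bit words so the cycle count reflects the chosen datapath width, and returns the match vector plus the forward/drop verdict. The three signatures and the payloads are constructed for the example; the word-boundary alignment the hardware's 16b Align block handles is simplified to feeding the bytes of each word in order.

```python
# Added software model of the NFA payload analysis unit and match decision logic.
# Signatures and payloads are constructed for this example, not taken from Snort.
SIGNATURES = {
    "shell-exec":    b"/bin/sh",
    "dir-traversal": b"../../",
    "cgi-probe":     b"GET /cgi-bin/",
}


class PayloadNfa:
    """Position-set NFA: every signature prefix is tracked at once, one byte per step."""

    def __init__(self, signatures, width_bits=16):
        if width_bits not in (16, 32, 64):
            raise ValueError("ID bitwidth must be 16, 32 or 64 bits")
        self.sigs = dict(signatures)
        self.bytes_per_cycle = width_bits // 8
        # Shared symbol decoder: byte value -> (signature, position) states that consume it.
        # This is the "decode incoming symbol and route to necessary stages" structure.
        self.routes = {b: [] for b in range(256)}
        for sid, pat in self.sigs.items():
            for pos, byte in enumerate(pat):
                self.routes[byte].append((sid, pos))
        self.reset()

    def reset(self):
        self.active = set()    # (sid, bytes of sid consumed so far); start state is implicit
        self.matched = set()   # match vector accumulated over the payload
        self.cycles = 0

    def _step(self, byte):
        nxt = set()
        for sid, pos in self.routes[byte]:
            # Position 0 is always reachable from the implicit start state, so a
            # pattern may begin at any byte; later positions need the seen prefix.
            if pos == 0 or (sid, pos) in self.active:
                if pos + 1 == len(self.sigs[sid]):
                    self.matched.add(sid)          # accepting state reached
                else:
                    nxt.add((sid, pos + 1))
        self.active = nxt

    def scan(self, payload):
        """Return (match vector, clock cycles) for one aligned payload."""
        self.reset()
        for i in range(0, len(payload), self.bytes_per_cycle):
            for byte in payload[i:i + self.bytes_per_cycle]:
                self._step(byte)
            self.cycles += 1                       # one word consumed per clock
        return frozenset(self.matched), self.cycles


def decide(match_vector):
    """Match decision logic of the filter bridge: any hit drops the packet."""
    return "drop" if match_vector else "forward"


if __name__ == "__main__":
    hostile = b"GET /cgi-bin/../../bin/sh HTTP/1.0"   # constructed sample payload
    benign = b"GET /index.html HTTP/1.0"              # constructed sample payload
    for width in (16, 32, 64):
        vec, cycles = PayloadNfa(SIGNATURES, width).scan(hostile)
        print(f"{width}b: {cycles} cycles, {sorted(vec)} -> {decide(vec)}")
    vec, cycles = PayloadNfa(SIGNATURES).scan(benign)
    print(f"benign: {cycles} cycles, {sorted(vec)} -> {decide(vec)}")
```

Because the start state is always active, the model handles overlapping prefixes such as the pattern "aab" inside "aaab" without backtracking, which is the property that lets the hardware consume one word per cycle regardless of how many patterns are loaded; widening the datapath from 16b to 64b cuts the cycle count for the same payload by four while leaving the match vector unchanged.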