Presentation is loading. Please wait.

Presentation is loading. Please wait.

Author : Ioannis Sourdis, Vasilis Dimopoulos, Dionisios Pnevmatikatos and Stamatis Vassiliadis Publisher : ANCS’06 Presenter : Zong-Lin Sie Date : 2011/01/05.

Published byDomenic Arnold Modified over 9 years ago

Similar presentations

Presentation on theme: "Author : Ioannis Sourdis, Vasilis Dimopoulos, Dionisios Pnevmatikatos and Stamatis Vassiliadis Publisher : ANCS’06 Presenter : Zong-Lin Sie Date : 2011/01/05."— Presentation transcript:

1 Author : Ioannis Sourdis, Vasilis Dimopoulos, Dionisios Pnevmatikatos and Stamatis Vassiliadis Publisher : ANCS’06 Presenter : Zong-Lin Sie Date : 2011/01/05 1

2  Observe that it is very rare for a single incoming packet to fully or partially match more than a few tens of IDS rules.  Select a small portion from each IDS rule to be matched in the pre-filtering step.  We also propose and evaluate the cost and performance of a reconfigurable architecture that uses multiple processing engines in order to exploit the benefits of pre-filtering. 2

3  In the past years, many researchers have worked on reconfigurable IDS focusing mostly on the payload scan. [3,4,7,9-11,15,16]  In this paper we introduce a packet pre-filtering approach that header matching and a relatively low- cost pattern matching module can filter out the majority of the Snort rules and point out a small subset to be fully matched. 3

4  Most hardware-based techniques suffer from the limitation that they search the payload for all patterns in the entire rule set while ignoring rule headers.  In essence, they search for thousands of patterns while the packet header might specify that we are interested in only a few tens or so patterns. 4

5  Our key observation in packet pre-filtering is that matching a small part of each rule’s payload combined with matching the header information can substantially reduce the set of the possibly matching rules compared to using only header matching as in previously proposed approaches [5].  The pre-filtering module is designed for reconfigurable hardware and therefore can update its supported IDS rule set via reconfiguration. 5

6 6 depend on rule’s definition

7  Header Matching : ( using simple comparator ) Performs a more fine-grained grouping than Snort. source and destination ports : additional parameters for TCP/UDP rules and the ICMP type for ICMP rules. The header fields are registered and forwarded to a pipelined comparator module. This module discovers all active rule sets and can also be used to inform the software of the best applicable rule set 7 sourceIPdestinationI P protocolsourcePortdestinationPort

8  Partial Pattern Matching : Packet payload is scanned using partial search patterns. We select the first pattern and match a constant number of its prefix bytes. If the pattern is shorter than the selected number of prefix bytes then the full pattern is matched. The static pattern matching is performed utilizing DCAM, a pre-decoding technique [15]. 8

9  Basic CAM 9

10  DCAM : 10

11  DCAM detail : 11

12  Increase performance : 12

13  Bitmask : Each bit of the mask corresponds to a single rule. When the header and pattern matching performed in pre-filtering module is equivalent to a complete IDS rule, this rule should be directly reported and no further matching is required. 13

14  Priority Encoder : Outputs sequentially all the positions of the active bits in the bitmask (possibly matching rules IDs). 14

15  Priority Encoder : 15 Stage NStage N+1 Fixed priority Pipelined → scales well as the #inputs increases Encodes/outputs every SET bit of the bitmask Binary tree like structure Bitmask → leafs of the tree

16  Pre-filtering points out the rules to be fully matched  Specialized Engines: For each candidate rule:  A PE is reserved  A firmware is transferred to the PE  PE released  rule match, rule mismatch or End of packet  Coprocessors (Static patterns & Regular expression matching) perform payload scan  PEs select the coprocessor info and decide whether a rule matches or not 16

17  If ( candidate rules > PEs ) ?  # of PEs is the threshold defined by the system designer. ( i.e. 32 PEs in this design )  In order to guarantee performance, the packet is reported, Admin policies determine the next step (i.e. drop) 17

18 18 Defcon11 traces  9 trace files  ~10 millions packets  4.6 million packets have payload  payload length:  Mean 698 bytes  Max 1460 bytes SNORT v2.4 3,191 rules 2,271 rules with payload description ( 71.2% ) 920 only header ( 28.8% ) rules grouped into 381 rule sets

19  Pre-Filtering setup:  Header matching  Scr/dest IP+Port, Protocol  Payload Pattern match  2-10 chars prefix match  For prefix>2 chars: Average Candidate rules per packet= 1~3 ( per trace )  Overall average: 1.8 rules per packet  Only header match  ~45 rules per packet 19

20 20  Payload prefix match= 2 chars: max 63 candidate rules per packets  Payload prefix match>=4 chars: max 32 candidate rules per packets What does this mean:  Max number of rules for further processing  1% or 32 out of 3,200 rules  The Max degree of parallelism needed (processing engines, threads etc.)

21  Present the implementation results of two packet pre-filtering designs. 21 Xilinx Virtex4 FPGA devices contain up to 90,000 slices

22  All the packet pre-filtering sub-modules are fine-grain pipelined and therefore the operating frequency of the designs is relatively high: 22 Datapath 8 bits/cycle:  Virtex2: 2.7 Gbps  Virtex4: 4 Gbps  Area 11K slices (medium-small FPGA) Datapath 32 bits/cycle:  Virtex2: 9.7 Gbps  Virtex4: 14 Gbps  Area 15K slices (medium-small FPGA)  Priority encoder takes most of the area

23  Performance : 99% of the IDS rules per incoming packet do not need further processing (in Defcon11 traces), without loosing detection precision.  Requirements : (1) Lightweight system, requires 10-15K slices, can fit in a medium-sized FPGA (2) Can be integrated in both HW or SW based systems 23

Download ppt "Author : Ioannis Sourdis, Vasilis Dimopoulos, Dionisios Pnevmatikatos and Stamatis Vassiliadis Publisher : ANCS’06 Presenter : Zong-Lin Sie Date : 2011/01/05."

Similar presentations

Authors: Wei Lin, Bin Liu Publisher: ICPADS, 2008 (IEEE International Conference on Parallel and Distributed Systems) Presenter: Chia-Yi, Chu Date: 2014/03/05.

Authors: Wei Lin, Bin Liu Publisher: ICPADS, 2008 (IEEE International Conference on Parallel and Distributed Systems) Presenter: Chia-Yi, Chu Date: 2014/03/05.
Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.

Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS  Author: Tran Ngoc Thinh, Surin Kittitornkun  Publisher: Electronic Design, Test and.
Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.

Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—4-1 Implementing Inter-VLAN Routing Deploying Multilayer Switching with Cisco Express Forwarding.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—4-1 Implementing Inter-VLAN Routing Deploying Multilayer Switching with Cisco Express Forwarding.
Outline Introduction Related work on packet classification Grouper Performance Empirical Evaluation Conclusions.

Outline Introduction Related work on packet classification Grouper Performance Empirical Evaluation Conclusions.
Technical University of Crete Packet Pre-filtering for Network Intrusion Detection Ioannis Sourdis, Vasilis Dimopoulos, Dionisios Pnevmatikatos and Stamatis.

Technical University of Crete Packet Pre-filtering for Network Intrusion Detection Ioannis Sourdis, Vasilis Dimopoulos, Dionisios Pnevmatikatos and Stamatis.
Multithreaded FPGA Acceleration of DNA Sequence Mapping Edward Fernandez, Walid Najjar, Stefano Lonardi, Jason Villarreal UC Riverside, Department of Computer.

Multithreaded FPGA Acceleration of DNA Sequence Mapping Edward Fernandez, Walid Najjar, Stefano Lonardi, Jason Villarreal UC Riverside, Department of Computer.
A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems Authors: Seongwook Youn and Dennis McLeod Presenter:

A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems Authors: Seongwook Youn and Dennis McLeod Presenter:
400 Gb/s Programmable Packet Parsing on a Single FPGA Authors : Michael Attig 、 Gordon Brebner Publisher: 2011 Seventh ACM/IEEE Symposium on Architectures.

400 Gb/s Programmable Packet Parsing on a Single FPGA Authors : Michael Attig 、 Gordon Brebner Publisher: 2011 Seventh ACM/IEEE Symposium on Architectures.
1 Author: Ioannis Sourdis, Sri Harsha Katamaneni Publisher: IEEE ASAP,2011 Presenter: Jia-Wei Yo Date: 2011/11/16 Longest prefix Match and Updates in Range.

1 Author: Ioannis Sourdis, Sri Harsha Katamaneni Publisher: IEEE ASAP,2011 Presenter: Jia-Wei Yo Date: 2011/11/16 Longest prefix Match and Updates in Range.
Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.

Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.
University of Michigan Electrical Engineering and Computer Science 1 Reducing Control Power in CGRAs with Token Flow Hyunchul Park, Yongjun Park, and Scott.

University of Michigan Electrical Engineering and Computer Science 1 Reducing Control Power in CGRAs with Token Flow Hyunchul Park, Yongjun Park, and Scott.
1 Memory-Efficient 5D Packet Classification At 40 Gbps Authors: Ioannis Papaefstathiou, and Vassilis Papaefstathiou Publisher: IEEE INFOCOM 2007 Presenter:

1 Memory-Efficient 5D Packet Classification At 40 Gbps Authors: Ioannis Papaefstathiou, and Vassilis Papaefstathiou Publisher: IEEE INFOCOM 2007 Presenter:
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
CS 268: Lectures 13/14 (Route Lookup and Packet Classification) Ion Stoica April 1/3, 2002.

CS 268: Lectures 13/14 (Route Lookup and Packet Classification) Ion Stoica April 1/3, 2002.
A Signature Match Processor Architecture for Network Intrusion Detection Janardhan Singaraju, Long Bu and John A. Chandy Electrical and Computer Engineering.

A Signature Match Processor Architecture for Network Intrusion Detection Janardhan Singaraju, Long Bu and John A. Chandy Electrical and Computer Engineering.
Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.

Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.
Chapter 9 Classification And Forwarding. Outline.

Chapter 9 Classification And Forwarding. Outline.
Juanjo Noguera Xilinx Research Labs Dublin, Ireland Ahmed Al-Wattar Irwin O. Irwin O. Kennedy Alcatel-Lucent Dublin, Ireland.

Juanjo Noguera Xilinx Research Labs Dublin, Ireland Ahmed Al-Wattar Irwin O. Irwin O. Kennedy Alcatel-Lucent Dublin, Ireland.
Workpackage 3 New security algorithm design ICS-FORTH Heraklion, 3 rd June 2009.

Workpackage 3 New security algorithm design ICS-FORTH Heraklion, 3 rd June 2009.

Similar presentations

Ads by Google