Issue No. 11 - Nov. 2013 (vol. 62)
pp: 2322-2334
Salvatore Pontarelli , University of Rome "Tor Vergata," Rome
Giuseppe Bianchi , University of Rome "Tor Vergata," Rome
Simone Teofili , University of Rome "Tor Vergata," Rome
ABSTRACT
Security of today's networks relies heavily on network intrusion detection systems (NIDSs). The ability to promptly update the supported rule sets and detect newly emerging attacks makes field-programmable gate arrays (FPGAs) a very appealing technology. An important issue is how to scale FPGA-based NIDS implementations to ever faster network links. Whereas a trivial approach is to balance traffic over multiple, but functionally equivalent, hardware blocks, each implementing the whole rule set (several thousand rules), the obvious drawback is the linear increase in resource occupation. In this work, we promote a different, traffic-aware, modular approach to the design of FPGA-based NIDSs. Instead of purely splitting traffic across equivalent modules, we classify and group homogeneous traffic and dispatch it to differently capable hardware blocks, each supporting a (smaller) rule set tailored to the specific traffic category. We implement and validate our approach using the rule set of the well-known Snort NIDS, and we experimentally investigate the emerging trade-offs and advantages, showing resource savings of up to 80 percent based on real-world traffic statistics gathered from an operator's backbone.
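The abstract contrasts two ways of scaling a hardware NIDS: replicating the whole rule set in every block versus partitioning the rules by traffic category and dispatching each packet only to the block whose subset applies. The following software model, added here as an illustration and not code from the paper or from Snort, makes that trade-off concrete. The rule set, SIDs, payload patterns and cost model are all constructed for the example: it partitions Snort-style rules by (protocol, destination port), replicates port-agnostic rules into every block of their protocol plus a fallback block, and checks the property a defender cares about most, namely that the partitioned design raises exactly the same alerts as a monolithic scan, including for traffic to ports that have no dedicated block.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int          # rule identifier (constructed, not a real Snort SID)
    proto: str        # "tcp" or "udp"
    dst_port: str     # a port number as a string, or "any"
    content: bytes    # payload substring the rule looks for


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    payload: bytes


# Constructed toy rule set in the shape of Snort's "proto ... -> dst_port (content:...)"
# headers; none of these are real signatures.
RULES = [
    Rule(1001, "tcp", "80", b"../../etc/passwd"),
    Rule(1002, "tcp", "80", b"<script>"),
    Rule(1003, "tcp", "25", b"MAIL FROM:<>"),
    Rule(1004, "udp", "53", b"CONSTRUCTED-DNS-PATTERN"),
    Rule(1005, "tcp", "any", b"CONSTRUCTED-TCP-PATTERN"),
    Rule(1006, "udp", "any", b"CONSTRUCTED-UDP-PATTERN"),
]


def header_matches(rule, pkt):
    """Rule header check: same protocol and either a matching or an 'any' port."""
    return rule.proto == pkt.proto and rule.dst_port in ("any", str(pkt.dst_port))


def monolithic_scan(rules, pkt):
    """Reference behaviour: every packet is checked against the whole rule set."""
    return sorted(r.sid for r in rules if header_matches(r, pkt) and r.content in pkt.payload)


def build_blocks(rules):
    """Partition the rule set into per-category blocks keyed by (proto, dst_port).

    A rule whose port is 'any' is replicated into every block of its protocol and into
    a (proto, 'any') fallback block that receives that protocol's traffic to any port
    without a dedicated block, so no rule is lost by the partitioning.
    """
    ports = defaultdict(set)
    for r in rules:
        ports[r.proto].add(r.dst_port)  # "any" is included, so the fallback block exists
    blocks = {}
    for proto, port_set in ports.items():
        for port in port_set:
            blocks[(proto, port)] = [
                r for r in rules if r.proto == proto and r.dst_port in ("any", port)
            ]
    return blocks


def dispatch(blocks, pkt):
    """Classifier: pick the dedicated block for this (proto, port), else the fallback."""
    key = (pkt.proto, str(pkt.dst_port))
    return key if key in blocks else (pkt.proto, "any")


def traffic_aware_scan(blocks, pkt):
    """Only the selected block's (smaller) rule subset is applied to the payload."""
    key = dispatch(blocks, pkt)
    if key not in blocks:  # protocol with no rules at all: nothing can match
        return []
    return sorted(r.sid for r in blocks[key] if r.content in pkt.payload)


def resource_model(rules, blocks):
    """Simplified cost model (assumption: cost grows with the number of rule instances).

    Replicated design: each of the len(blocks) blocks carries the whole set.
    Traffic-aware design: each block carries only its own subset.
    Returns (replicated_cost, traffic_aware_cost, fractional_saving).
    """
    replicated = len(blocks) * len(rules)
    traffic_aware = sum(len(b) for b in blocks.values())
    return replicated, traffic_aware, 1 - traffic_aware / replicated


if __name__ == "__main__":
    blocks = build_blocks(RULES)
    for key, subset in sorted(blocks.items()):
        print(key, [r.sid for r in subset])
    print("replicated, traffic-aware, saving:", resource_model(RULES, blocks))
    # Constructed traffic: a dedicated-block hit, a fallback-block hit, and a miss.
    for pkt in (
        Packet("tcp", 80, b"GET /../../etc/passwd HTTP/1.1"),
        Packet("tcp", 443, b"xx CONSTRUCTED-TCP-PATTERN xx"),
        Packet("udp", 80, b"<script>"),
    ):
        assert traffic_aware_scan(blocks, pkt) == monolithic_scan(RULES, pkt)
        print(pkt.proto, pkt.dst_port, "->", dispatch(blocks, pkt), traffic_aware_scan(blocks, pkt))
```

The equivalence assertion is the check worth keeping when a real rule set is partitioned: any rule that cannot be assigned to a single category (here the port-"any" rules) must be replicated into every block it could apply to, otherwise the traffic-aware design silently drops detections for traffic that the monolithic design would have flagged. The saving reported by the model is only a count of rule instances; the paper's 80 percent figure comes from real traffic statistics and FPGA resource measurements, which this toy model does not reproduce.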
INDEX TERMS
Computer architecture, Field programmable gate arrays, Intrusion detection, Logic gates, traffic awareness, Deep packet inspection, FPGA, intrusion detection system, Snort, string matching
CITATION
Salvatore Pontarelli, Giuseppe Bianchi, Simone Teofili, "Traffic-Aware Design of a High-Speed FPGA Network Intrusion Detection System", IEEE Transactions on Computers, vol.62, no. 11, pp. 2322-2334, Nov. 2013, doi:10.1109/TC.2012.105