Title: Network Intrusion Detection Systems on FPGAs with On-Chip Network Interfaces
1Network Intrusion Detection Systems on FPGAs
with On-Chip Network Interfaces
Craig Ulmer cdulmer_at_sandia.gov
February 22, 2005
- Christopher Clark Georgia Institute of Technology
- Craig Ulmer Sandia National Laboratories,
California
Sandia is a multiprogram laboratory operated by
Sandia Corporation, a Lockheed Martin
Company,for the United States Department of
Energys National Nuclear Security
Administration under contract DE-AC04-94AL85000.
2Network Intrusion Detection Systems on FPGAs
with On-Chip Network Interfaces
NI
Good
NIDS
FPGA
Network
Packet
NI
Malicious
Chris Clark / Georgia Tech
Craig Ulmer / SNL
Note This work was not performed by SNLs
network security group and is independent of
SNLs network security policy or infrastructure.
3Outline
- Background An evolution of NIDS and FPGAs
- Single-Chip NIDS An integrated approach
- Example A Multi-Filter Bridge NIDS
- Implementation details and measurements
- Concluding remarks and future work
4Background An Evolution of NIDS and FPGAs
5Network Intrusion Detection Systems (NIDS)
- There are many malicious users on the Internet
- Unprotected home PCs hijacked within 10 minutes
- Even if protected- still fighting denial of
service - Network Intrusion Detection Systems (NIDS)
- Monitor network and react to attacks
- Example Snort (www.snort.org)
- Large database of malicious packet signatures
- 1,305 rules with 1,512 patterns
- Pattern matching on 17,537 characters
6Host-based NIDS Implementations
- Multiple architectures proposed for NIDS
- Separation of Network Interface and Intrusion
Detection
CPU
CPU
CPU
ID
I/O
I/O
I/O
ID
FPGA
ID
FPGA
NIC
NIC
NIC
Software
FPGA Card
FPGA-enabled NIC
7Single-Chip NIDS An Integrated Approach
8Evolution An Integrated Approach
- New FPGAs have network transceivers
- FPGAs interact directly with network
- Build complete NIDS in an FPGA
- NI and ID units under one roof
- Integration benefits
- Customization of units and topology
- Portability
- New applications
- Describe our integration experiences
NI
Intrusion Detection
Network
NI
FPGA
9Network Interface Gigabit Ethernet
- Xilinx Virtex II/Pro FPGA has Rocket I/O modules
- We developed a simplified GigE network interface
- Stripped down to essentials move data between
network and FIFOs - Roughly same size as FIFO-less Xilinx GigE core
- FIFOs enable data rate changes between FPGA and
Network
Rocket I/O Transceiver
16b Align
CRC Filter
Rx Packet FIFO
Rx Control
GigE Network
FPGA Internals
Tx Control
Tx Packet FIFO
Framer
GigE Network Interface Core
10Intrusion Detection Unit
- Snort rules translated to structural JHDL
intrusion detection unit - Compile time select 16/32/64b data width
- Both header/payload analysis units
- Payload analysis unit performs large-scale
pattern matching - Non-deterministic finite state automata (NFA)
- Previously described in FCCM 2004 (Clark and
Schimmel)
Header Match
Ethernet Frame Data
Header Decoder
Header Analysis
Header
Drop
Match Decision Logic
Match
Aligned Payload
Payload Analysis
Match Vector
Payload Match
11Integrated Example A Multi-Filter Bridge NIDS
12Filtering Network Connections
- Desire a NIDS that we can insert on a network
link - Detect and filter out attacks
- Transparent to users
- Single bi-directional link Filter Bridge
- Can extend to support multiple filter bridges per
FPGA
FPGA
NI
NI
ID Unit
Single Filter Bridge
13Data Rates in Multi-Filter Bridge NIDS
- ID data rate gt Aggregate network rate
- Increase ID data rate
- Data path 16/32/64 bits
- Clock 62.5125 MHz
- Example 2 Bridges
- ID needs 4x data rate
- 1x 16b / 62.5 MHz
- 4x 32b / 125 MHz
NI
NI
NI
NI
Scheduler
OK
Drop
ID Unit
14Multi-Filter BridgeImplementation Details and
Measurements
15Multi-Filter Bridge Implementation
- Parameterized design
- Number of bridges 1-4
- ID bitwidth 16b/32b/64b
- NI FIFO depth 2-16 KB
- Xilinx ML300 Reference Board
- Virtex II/Pro-7 FPGA (-6)
- Four optical GigE ports
- Pair of Intel hosts
- Packet Engines GigE cards
16Latency Measurements
- Internal measurements
- Used ChipScope Pro
- Counted clock cycles
- External measurements
- Host-to-Host
- Round-trip timings
- Long and short messages
Operation Latency
Transceiver 0.64 µs
1x ID 2.4 µs
2x ID 1.6 µs
Topology 43 bytes 1024 bytes
No NIDS 119 µs 224 µs
Single NIDS 123 µs 244 µs
Dual NIDS 128 µs 291 µs
17Percentage of Maximum Rule Setfor Single Filter
Bridge
18FPGA Utilization for Multi-Filter Bridges
V2P50 Slice Utilization
- Constant FPGA size and rule set
- Virtex II/Pro 50 (-6)
- 2,001 Chars (10 of Max)
- Increases in Bitwidth
- Large jumps
- 32b to 64b gt 16b to 32b
- Increases in Number of Bridges
- ID unit unaffected
Number of Filter Bridges
19Density Observations
Relative V2P Price Density
- Largest parts unappealing
- Significant compile times
- Limited routing resources
- Medium parts more economical
- Chain multiple NIDS bridges
- Virtex-4 parts
- More affordable
- Prices are more linear
V2P100
V2P70
V2P40
V2P7
FPGA Slices
20Conclusions and Future Work
21Conclusions and Future Work
- Integrated NIDS appealing
- Customize individual components and overall
design - Good portability because does not depend on
external chips - Multi-filter bridge design
- Demonstrated transparent in-line filter
- Support a low number of filter bridges at link
speeds - Future work to explore larger parts in greater
detail - Better results with floor planning and early
placement
Constrain to top 65 of V2P100
16 Improvement in Clock Rate
22Backup Slides
23Network Interface Characteristics
- Flexible packet FIFO
- 16/32/64b width to user
- 2-16 KB (each direction)
- Can handle 185 MHz clock rate
- Separate reader/writer clocks
- Small size
- GigE with 4KB FIFOs 749 slices
- Xilinx GigE core (no FIFO) 763 slices
24ID Payload Analysis Unit
- Large-scale pattern matching
- Non-deterministic finite state automata (NFA)
- Previously described in FCCM 2004 (Clark and
Schimmel) - Decode incoming symbol and route to necessary
stages