Network Intrusion Detection Systems on FPGAs with On-Chip Network Interfaces - PowerPoint PPT Presentation

1
Network Intrusion Detection Systems on FPGAs
with On-Chip Network Interfaces
Craig Ulmer cdulmer_at_sandia.gov
February 22, 2005
  • Christopher Clark Georgia Institute of Technology
  • Craig Ulmer Sandia National Laboratories,
    California

Sandia is a multiprogram laboratory operated by
Sandia Corporation, a Lockheed Martin
Company, for the United States Department of
Energy's National Nuclear Security
Administration under contract DE-AC04-94AL85000.
2
Network Intrusion Detection Systems on FPGAs
with On-Chip Network Interfaces
[Figure: network packets, labelled Good and Malicious, pass through the NIs into the NIDS on the FPGA]
Chris Clark / Georgia Tech
Craig Ulmer / SNL
Note: This work was not performed by SNL's
network security group and is independent of
SNL's network security policy or infrastructure.
3
Outline
  • Background: An evolution of NIDS and FPGAs
  • Single-Chip NIDS: An integrated approach
  • Example: A Multi-Filter Bridge NIDS
  • Implementation details and measurements
  • Concluding remarks and future work

4
Background: An Evolution of NIDS and FPGAs
5
Network Intrusion Detection Systems (NIDS)
  • There are many malicious users on the Internet
    • Unprotected home PCs hijacked within 10 minutes
    • Even if protected, still fighting denial of
      service
  • Network Intrusion Detection Systems (NIDS)
    • Monitor network and react to attacks
    • Example: Snort (www.snort.org)
      • Large database of malicious packet signatures
      • 1,305 rules with 1,512 patterns
      • Pattern matching on 17,537 characters

6
Host-based NIDS Implementations
  • Multiple architectures proposed for NIDS
  • Separation of Network Interface and Intrusion
    Detection

[Figure: three host-based architectures, each a host with CPU, I/O and NIC: "Software" (ID on the CPU), "FPGA Card" (ID in an FPGA on a separate card), and "FPGA-enabled NIC" (ID in an FPGA on the NIC)]
7
Single-Chip NIDS: An Integrated Approach
8
Evolution: An Integrated Approach
  • New FPGAs have network transceivers
    • FPGAs interact directly with network
  • Build complete NIDS in an FPGA
    • NI and ID units under one roof
  • Integration benefits
    • Customization of units and topology
    • Portability
    • New applications
  • Describe our integration experiences

[Figure: FPGA containing NI, Intrusion Detection and NI blocks, attached directly to the Network]
9
Network Interface: Gigabit Ethernet
  • Xilinx Virtex II/Pro FPGA has Rocket I/O modules
  • We developed a simplified GigE network interface
    • Stripped down to essentials: move data between
      network and FIFOs
    • Roughly same size as FIFO-less Xilinx GigE core
  • FIFOs enable data rate changes between FPGA and
    Network

[Figure: GigE Network Interface Core between the GigE Network and FPGA Internals. Receive path: Rocket I/O Transceiver, 16b Align, CRC Filter, Rx Control, Rx Packet FIFO. Transmit path: Tx Packet FIFO, Tx Control, Framer, Rocket I/O Transceiver]
10
Intrusion Detection Unit
  • Snort rules translated to structural JHDL
    intrusion detection unit
    • Compile time select 16/32/64b data width
    • Both header/payload analysis units
  • Payload analysis unit performs large-scale
    pattern matching
    • Non-deterministic finite state automata (NFA)
    • Previously described in FCCM 2004 (Clark and
      Schimmel)

[Figure: ID unit. Ethernet Frame Data enters a Header Decoder; Header Analysis produces a Header Match (or Drop), Payload Analysis on the Aligned Payload produces a Match Vector and Payload Match; Match Decision Logic combines them into the Match output]
11
Integrated Example: A Multi-Filter Bridge NIDS
12
Filtering Network Connections
  • Desire a NIDS that we can insert on a network
    link
    • Detect and filter out attacks
    • Transparent to users
  • Single bi-directional link: Filter Bridge
  • Can extend to support multiple filter bridges per
    FPGA

[Figure: Single Filter Bridge: an FPGA with two NIs and one ID Unit between them]
13
Data Rates in Multi-Filter Bridge NIDS
  • ID data rate > Aggregate network rate
  • Increase ID data rate
    • Data path: 16/32/64 bits
    • Clock: 62.5/125 MHz
  • Example: 2 Bridges
    • ID needs 4x data rate
    • 1x: 16b / 62.5 MHz
    • 4x: 32b / 125 MHz

[Figure: Multi-Filter Bridge: four NIs feed a Scheduler in front of a single ID Unit, whose decision is OK or Drop]
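The sizing rule on this slide, worked through as an added example rather than code from the presentation: one GigE direction is taken as 1 Gbps, the ID unit is assumed to consume one data word per clock, and each filter bridge is assumed to inspect both directions of its link, so N bridges need 2N Gbps of ID throughput. The widths and clocks are the slide's; the helper names are ours, and the selection generalises the slide's two-bridge case to any bridge count.

```python
# Capacity check for the multi-filter bridge NIDS: the ID unit must sustain at
# least the aggregate rate of every NI stream routed through the scheduler.
# Added example; link rate, widths and clocks follow the slide, the rest is ours.

LINK_RATE_GBPS = 1.0             # one GigE direction (assumption: line rate)
DATA_WIDTHS_BITS = (16, 32, 64)  # compile-time selectable ID datapath width
CLOCKS_MHZ = (62.5, 125.0)       # ID clock options shown on the slide


def id_throughput_gbps(width_bits, clock_mhz):
    """Sustained ID unit rate, assuming one data word consumed per clock."""
    return width_bits * clock_mhz / 1000.0


def aggregate_rate_gbps(num_bridges, link_rate_gbps=LINK_RATE_GBPS):
    """Each filter bridge carries one bi-directional link, i.e. two NI streams."""
    return 2 * num_bridges * link_rate_gbps


def choose_id_config(num_bridges):
    """Cheapest (width, clock) whose throughput meets the aggregate rate.

    Candidates are ordered by throughput, then by width, so the narrower
    datapath wins a tie (slide 18: wider datapaths cost many more slices).
    Returns None when no listed configuration keeps up."""
    need = aggregate_rate_gbps(num_bridges)
    candidates = sorted(
        ((w, c) for w in DATA_WIDTHS_BITS for c in CLOCKS_MHZ),
        key=lambda wc: (id_throughput_gbps(*wc), wc[0]),
    )
    for width, clock in candidates:
        if id_throughput_gbps(width, clock) >= need:
            return (width, clock)
    return None


if __name__ == "__main__":
    for n in range(1, 6):
        print(n, "bridge(s):", aggregate_rate_gbps(n), "Gbps ->", choose_id_config(n))
```

For two bridges the function returns (32, 125.0), the 4x configuration the slide picks; four bridges need the 64b/125 MHz datapath, and five exceed every listed option.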
14
Multi-Filter Bridge: Implementation Details and
Measurements
15
Multi-Filter Bridge Implementation
  • Parameterized design
    • Number of bridges: 1-4
    • ID bitwidth: 16b/32b/64b
    • NI FIFO depth: 2-16 KB
  • Xilinx ML300 Reference Board
    • Virtex II/Pro-7 FPGA (-6)
    • Four optical GigE ports
  • Pair of Intel hosts
    • Packet Engines GigE cards

16
Latency Measurements
  • Internal measurements
    • Used ChipScope Pro
    • Counted clock cycles
  • External measurements
    • Host-to-Host
    • Round-trip timings
    • Long and short messages

Internal latency (ChipScope cycle counts):

Operation      Latency
Transceiver    0.64 µs
1x ID          2.4 µs
2x ID          1.6 µs

Host-to-host round-trip latency by message size:

Topology       43 bytes    1024 bytes
No NIDS        119 µs      224 µs
Single NIDS    123 µs      244 µs
Dual NIDS      128 µs      291 µs
17
Percentage of Maximum Rule Set for Single Filter
Bridge
18
FPGA Utilization for Multi-Filter Bridges
V2P50 Slice Utilization
  • Constant FPGA size and rule set
    • Virtex II/Pro 50 (-6)
    • 2,001 Chars (10% of Max)
  • Increases in Bitwidth
    • Large jumps
    • 32b to 64b > 16b to 32b
  • Increases in Number of Bridges
    • ID unit unaffected

[Chart: slice utilization plotted against Number of Filter Bridges]
19
Density Observations
Relative V2P Price Density
  • Largest parts unappealing
    • Significant compile times
    • Limited routing resources
  • Medium parts more economical
    • Chain multiple NIDS bridges
  • Virtex-4 parts
    • More affordable
    • Prices are more linear

[Chart: relative price density plotted against FPGA Slices for the V2P7, V2P40, V2P70 and V2P100 parts]
20
Conclusions and Future Work
21
Conclusions and Future Work
  • Integrated NIDS appealing
    • Customize individual components and overall
      design
    • Good portability because does not depend on
      external chips
  • Multi-filter bridge design
    • Demonstrated transparent in-line filter
    • Support a low number of filter bridges at link
      speeds
  • Future work to explore larger parts in greater
    detail
    • Better results with floor planning and early
      placement

Constrain to top 65% of V2P100
16% Improvement in Clock Rate
22
Backup Slides
23
Network Interface Characteristics
  • Flexible packet FIFO
    • 16/32/64b width to user
    • 2-16 KB (each direction)
    • Can handle 185 MHz clock rate
    • Separate reader/writer clocks
  • Small size
    • GigE with 4KB FIFOs: 749 slices
    • Xilinx GigE core (no FIFO): 763 slices

24
ID Payload Analysis Unit
  • Large-scale pattern matching
    • Non-deterministic finite state automata (NFA)
    • Previously described in FCCM 2004 (Clark and
      Schimmel)
  • Decode incoming symbol and route to necessary
    stages
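Added example, not the authors' JHDL design (that is described in the FCCM 2004 paper): a software model of the NFA payload matcher sketched on slides 10 and 24. Each pattern is a chain of stages; the decoder routes the incoming byte only to the stages wired for that symbol, stage 0 is always active so a new match attempt starts at every byte (the NFA's start-state self-loop), and the result is a match vector with one bit per pattern, which is what the Match Decision Logic on slide 10 consumes. The class and function names, the patterns and the payload are constructed for this example, not Snort rules.

```python
# Software model of an NFA-style multi-pattern payload matcher, stepped one
# byte at a time the way a hardware unit would clock in symbols.
# Added example; not the presentation's design. Patterns/payload are constructed.

from typing import Dict, List, Set, Tuple


class PayloadNfa:
    """One stage chain per pattern, all advanced in lockstep per input byte.

    A pattern of n bytes has stages 0..n-1; reaching stage n is a match.
    Stage 0 is implicitly always active (start-state self-loop), so the
    matcher never has to rewind on a failed partial match."""

    def __init__(self, patterns: List[bytes]):
        self.patterns = patterns
        # "Decoder" wiring: symbol -> stages that consume that symbol.
        self.routes: Dict[int, List[Tuple[int, int]]] = {}
        for p_idx, pat in enumerate(patterns):
            for stage, sym in enumerate(pat):
                self.routes.setdefault(sym, []).append((p_idx, stage))
        self.reset()

    def reset(self) -> None:
        """Clear per-packet state: active stages and the sticky match vector."""
        self.active: List[Set[int]] = [set() for _ in self.patterns]
        self.match_vector = [False] * len(self.patterns)

    def step(self, sym: int) -> List[bool]:
        """Feed one byte; return the match vector after this symbol."""
        next_active: List[Set[int]] = [set() for _ in self.patterns]
        # Only stages wired to this symbol are visited; others simply die out.
        for p_idx, stage in self.routes.get(sym, ()):
            if stage == 0 or stage in self.active[p_idx]:
                nxt = stage + 1
                if nxt == len(self.patterns[p_idx]):
                    self.match_vector[p_idx] = True   # sticky until reset()
                else:
                    next_active[p_idx].add(nxt)
        self.active = next_active
        return list(self.match_vector)

    def scan(self, payload: bytes) -> List[bool]:
        """Match vector for a whole payload (one packet)."""
        self.reset()
        for b in payload:
            self.step(b)
        return list(self.match_vector)


def matching_patterns(patterns: List[bytes], payload: bytes) -> List[bytes]:
    """Patterns whose match-vector bit is set after scanning the payload."""
    vec = PayloadNfa(patterns).scan(payload)
    return [p for p, hit in zip(patterns, vec) if hit]


# Constructed sample data (not Snort rules, not traffic from the slides).
PATTERNS = [b"/cgi-bin/", b"USER root", b"abab"]
SAMPLE = b"GET /cgi-bin/test.cgi HTTP/1.0"

if __name__ == "__main__":
    print(matching_patterns(PATTERNS, SAMPLE))
```

The overlapping-prefix case is the one worth checking: with the pattern "abab" and the input "aabab", the first attempt stalls after "aab" while the attempt started at the second byte completes, which the always-active stage 0 handles without any backtracking.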