Efficient Packet Classification for Network Intrusion Detection using FPGA (PowerPoint presentation transcript)
1
Efficient Packet Classification for Network
Intrusion Detection using FPGA
  • H. Song and J. Lockwood
  • Dept. of CSE Washington University
  • FPGA05

2
Introduction
  • NIDS that protect high-speed computer networks
    demand
  • high throughput
  • flexibility to handle new threats
  • These systems classify Internet packets based on
  • the header fields
  • the strings in the packet content or traffic flow

3
Introduction (cont.)
  • Packet header classification is an integral
    part of a full-featured NIDS
  • rules usually contain 5-tuple header filters
  • source IP address
  • source port
  • destination IP address
  • destination port
  • protocol
  • plus some strings (a.k.a. signatures)

4
Introduction (cont.)
  • Packet header fields are constant in length and
    appear at fixed location in the packet
  • Signatures are variable-length and can be located
    at any offset in the packet

5
Introduction (cont.)
  • Due to the different nature of strings and packet
    header fields, it is desirable to separate the
    header classification process from the string
    matching process
  • A cross-product of the two results can be used
    to determine a complete rule match

6
Snort NIDS
  • Within Snort, the incoming packet header
  • is compared against the header filters sequentially
  • and then the packet payload is compared against
    the signatures in the context sequentially
  • This software-based system cannot keep up with
    high-speed networks
  • the system drops packets when the input traffic
    load exceeds the processing power of the CPU

7
Hardware NIDS
  • Packet header classification and content scanning
    can be performed in parallel
  • improves the overall throughput

8
Problem Statement
  • There are k relevant packet header fields
  • H1, H2, ..., Hk
  • Each field is a bit string and allows one of
    three kinds of matches
  • exact
  • prefix
  • range
  • The header rule set contains a sequence of N
    rules
  • R1, R2, ..., RN

9
Problem Statement
  • Each rule is a combination of k header fields
  • A rule is said to match a packet if each field in
    the rule matches the corresponding field in the
    packet header in the specified way
  • A header match is not enough to identify a
    malicious packet, further inspection needs to be
    conducted

10
A Snort rule example
11
The Idea
  • Many rules may share a common Snort header rule
  • Classify the packet based on the header first
  • Then use this information to guide further
    inspections of the packet content

12
BV-TCAM Architecture
  • The design combines and optimizes the TCAM and
    Bit-Vector algorithms for packet header
    classification in NIDS
  • Like the BV output, the TCAM output forms another
    bit vector, and each bit in the vector indicates
    whether the corresponding rule field(s) match

13
Architecture (cont.)
  • So the idea is
  • the header fields are partitioned so that some
    of them are classified using the TCAM while the
    others are classified using Bit-Vector
    algorithms

14
Architecture (cont.)
  • TCAM example

15
Architecture (cont.)
  • Bit-Vector algorithms are used for port
    classification
  • Build the port prefix lookup tree for bit vector
    searching
  • each port's ranges are first transformed into a
    series of prefixes
  • all prefixes are then inserted into a binary
    decision tree
  • the branch decision at each level is decided by
    the bit pattern in the prefix
  • each valid prefix node has a bit vector created
  • the bit vector indicates all the rules whose
    port definition matches this prefix

16
Architecture (cont.)
  • Bit-Vector example

17
Architecture (cont.)
  • After getting all three bit vectors from the TCAM
    and the two longest prefix lookup trees, the set
    of matches can be determined by intersecting
    these bit vectors
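The following is an added software model of the classifier the slides describe, not the authors' FPGA design. It walks through slides 8-9 (fields with exact, prefix and range matches, a rule matching when every field matches), slide 13 (IP addresses and protocol go to the TCAM, ports to Bit-Vector trees), slide 15 (port range to prefixes, prefix tree with a bit vector per valid prefix node) and slide 17 (intersecting the three bit vectors). The rule set and packets are constructed for illustration; the tuple layout of a rule, the 72-bit TCAM word (32 + 32 + 8 bits, matching the width on slide 18), and the way a node's vector folds in its ancestors' rules are assumptions of this model.

```python
# Added example (not the paper's code): a software model of the BV-TCAM header
# classifier of slides 8-9, 13, 15 and 17. The rules and packets are constructed for
# illustration. Bit i of every bit vector stands for rule i of the rule list.
from collections import defaultdict

# A rule is (src_ip, dst_ip, proto, sport_range, dport_range): IP fields are "a.b.c.d/len"
# or "any" (prefix match), proto is a number or None (exact match), ports are inclusive
# (lo, hi) ranges. IPs and protocol are classified by the TCAM, ports by bit-vector trees.
def range_to_prefixes(lo, hi, width=16):
    """Minimal list of binary prefixes covering [lo, hi] (slide 15); '' means any port."""
    out = []
    while lo <= hi:
        size = 1                     # largest aligned block starting at lo inside [lo, hi]
        while lo % (2 * size) == 0 and lo + 2 * size - 1 <= hi and 2 * size <= 1 << width:
            size *= 2
        out.append(format(lo, f"0{width}b")[: width - size.bit_length() + 1])
        lo += size
    return out

def _node():
    return {"c": [None, None], "bv": None}     # bv None: not a valid prefix node

class PortTree:
    """Binary decision tree over port prefixes; each valid node holds a rule bit vector."""
    def __init__(self, width=16):
        self.width, self.root = width, _node()

    def insert(self, prefix, rule_idx):
        node = self.root
        for b in map(int, prefix):               # branch on each bit of the prefix
            node["c"][b] = node["c"][b] or _node()
            node = node["c"][b]
        node["bv"] = (node["bv"] or 0) | 1 << rule_idx

    def lookup(self, port):
        """OR the vectors of every valid node on the port's path (model assumption: equals
        the vector the longest matching prefix node holds once ancestors are folded in)."""
        node, bv = self.root, 0
        for b in map(int, format(port, f"0{self.width}b")):
            bv |= node["bv"] or 0
            node = node["c"][b]
            if node is None:
                return bv
        return bv | (node["bv"] or 0)

def _ip_ternary(spec):
    """'a.b.c.d/len' or 'any' -> (value, mask) over 32 bits."""
    if spec == "any":
        return 0, 0
    addr, _, plen = spec.partition("/")
    plen = int(plen or 32)
    value = int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")
    mask = ((1 << plen) - 1) << (32 - plen)
    return value & mask, mask

def tcam_entry(rule):
    """72-bit ternary word: src IP (32) | dst IP (32) | protocol (8), as on slide 18."""
    (sv, sm), (dv, dm) = _ip_ternary(rule[0]), _ip_ternary(rule[1])
    pv, pm = (rule[2], 0xFF) if rule[2] is not None else (0, 0)
    return (sv << 40) | (dv << 8) | pv, (sm << 40) | (dm << 8) | pm

def build_tcam(rules):
    """One entry per distinct (src, dst, proto) combination; its vector names every
    rule sharing that combination (the entry compression of slide 20)."""
    table = defaultdict(int)
    for i, r in enumerate(rules):
        table[tcam_entry(r)] |= 1 << i
    return dict(table)

class BVTCAMClassifier:
    def __init__(self, rules):
        self.rules, self.tcam = rules, build_tcam(rules)
        self.sport_tree, self.dport_tree = PortTree(), PortTree()
        for i, r in enumerate(rules):
            for p in range_to_prefixes(*r[3]):
                self.sport_tree.insert(p, i)
            for p in range_to_prefixes(*r[4]):
                self.dport_tree.insert(p, i)

    def tcam_lookup(self, src_ip, dst_ip, proto):
        word = (_ip_ternary(src_ip)[0] << 40) | (_ip_ternary(dst_ip)[0] << 8) | proto
        bv = 0
        for (value, mask), entry_bv in self.tcam.items():
            if (word & mask) == value:    # every matching entry sets its bits (slide 12)
                bv |= entry_bv
        return bv

    def classify(self, src_ip, dst_ip, proto, sport, dport):
        """Slide 17: intersect the TCAM vector with the two port-tree vectors."""
        bv = (self.tcam_lookup(src_ip, dst_ip, proto)
              & self.sport_tree.lookup(sport) & self.dport_tree.lookup(dport))
        return [i for i in range(len(self.rules)) if bv >> i & 1]

# Constructed rule set (not from Snort); rules 0, 1 and 3 share one TCAM entry.
RULES = [
    ("any", "10.0.0.0/8", 6, (0, 65535), (80, 80)),
    ("any", "10.0.0.0/8", 6, (1024, 65535), (80, 80)),
    ("192.168.1.0/24", "any", 17, (0, 65535), (53, 53)),
    ("any", "10.0.0.0/8", 6, (0, 65535), (1, 1023)),
]
CLASSIFIER = BVTCAMClassifier(RULES)
```

With this rule set `CLASSIFIER.tcam` holds two entries for four rules, which is the effect slide 20 describes: only the distinct (source, destination, protocol) combinations occupy TCAM space, and the port ranges, which would otherwise multiply TCAM entries (`range_to_prefixes(1024, 65535)` alone yields six prefixes), live in the two trees. `CLASSIFIER.classify("172.16.5.5", "10.1.2.3", 6, 40000, 80)` returns `[0, 1, 3]`, the set of header matches that the content scanner would then narrow down.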

18
Implementation
  • A full FPGA-based NIDS is under development
  • Based on the Snort rule set
  • Prototype Xilinx XCV-2000E FPGA
  • Source IP address (external network) -> any
    (internal network)
  • 33 distinct values (file headers)
  • 33 x 72-bit TCAM
  • this size of TCAM can be implemented using an
    embedded core on the FPGA

19
Implementation
  • TCAM core is comprised of multiple blocks of
    SRL16Es linked by carry chains

20
Results
  • Using the TCAM as a component avoids the need to
    expand the size of the rule set, because only
    the fields represented as prefixes or exact
    values are classified by the TCAM
  • The number of entries needed in the TCAM is
    compressed, because the number of distinct
    combined values of these fields is much smaller
    than the total number of rules

21
Results (cont.)
  • Through the parallel operation and data structure
    size compression, the architecture is optimized
    for both throughput and storage efficiency
  • Resource consumption for TCAM is only 3 of the
    available SRL16Es