An Evolution of Pattern Matching within Network Intrusion Detection Systems

1
An Evolution of Pattern Matching within Network
Intrusion Detection Systems
  • Erik Anderson
  • 9 November 2006

2
Overview
  • Introduction and Background
  • Software Approaches
  • Soft Core Processors
  • Circuit Based Pattern Matching
  • Automatic Synthesis
  • Memory Based Pattern Matching
  • Comparisons of Techniques
  • Future Works

3
Introduction and Background
  • Network Intrusion Detection/Prevention Systems
  • Pattern Matching in Application Layer
  • Patterns/Network speed growing faster than CPU
    speeds
  • Reconfigurable Computing
  • Price, performance, power middle ground between
    CPUs and ASICs.

4
Software Approaches
  • Commercial NIDS
  • Snort
  • Hogwash
  • Algorithms
  • Brute Force
  • Knuth-Morris-Pratt
  • Aho-Corasick

5
Aho-Corasick
From Dharmapurikar 2005
6
Soft Core Processors
Lockwood, Washington University
  • Customize processors for an application.
  • Objective: find a good solution in linear time.
  • On board evaluation with SPARC V8.
  • 79 parameters, 3.6 trillion configurations

7
Soft Core Processors
Lockwood, Washington University
  • Evaluation Technique
  • Assume parameter independence.
  • Start with out of box configuration.
  • Rebuild and evaluate processor, tweaking one
    parameter at a time.
  • Results (BLASTN)
  • 11.59 Runtime improvement
  • 0 change in slices
  • 39 increase in BRAMs

8
Circuit Based Pattern Matching
Schimmel, Georgia Tech; Mangione-Smith, UCLA
  • Uses Brute Force Method in Hardware
  • Very fast
  • Highly parallel
  • Ideal for reconfigurable computing
  • Expensive

From Cho 2003
9
Circuit Based Pattern Matching
Schimmel, Georgia Tech; Mangione-Smith, UCLA
  • Shared Substring
  • Reduced circuit size

From Cho 2003
10
Circuit Based Pattern Matching
Schimmel, Georgia Tech; Mangione-Smith, UCLA
  • Character Decoding
  • Stateful comparison
  • Reduced circuit size

From Clark 2004
11
Automatic Synthesis
Prasanna, USC; Najjar, UC Riverside
  • Given a high-level description, automatically
    generate a circuit.
  • ROCCC
  • Translates C -> SUIF -> VHDL
  • Extensive loop analysis to find task level
    parallelism.
  • Generalized tool.

12
Automatic Synthesis
Prasanna, USC; Najjar, UC Riverside
  • Riverside
  • Input is a set of search strings.
  • Generates circuit based on
  • Knuth-Morris-Pratt
  • Character Decoding method

13
Memory Based Pattern Matching
Mangione-Smith, UCLA; Lockwood, Washington University
  • Circuit based approaches are fast but not
    scalable.
  • Throughput depends on unrealistic bus model.
  • Resynthesize with new search strings.
  • Paradigm switch to using memory to hold strings,
    and circuits to manage control path.

14
Hybrid Model
Mangione-Smith, UCLA; Lockwood, Washington University
  • Divide search string into prefix and suffix.
  • Use circuit based design to match prefixes.
  • Use memory lookup to match suffix.

From Cho 2003
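
The hybrid split described on this slide, modeled in software as an added example (not code from the presentation or from Cho 2003): a dictionary keyed on a fixed-width prefix stands in for the prefix-matching circuit, and the stored suffix lists stand in for the memory lookup. The 4-byte prefix width, the function names, and the sample signatures and payload are assumptions made for illustration.

```python
from collections import defaultdict

PREFIX_LEN = 4  # assumption: fixed prefix width handled by the "circuit" stage


def build_tables(patterns):
    """Split each pattern into a fixed-width prefix and a suffix.

    Returns {prefix: [(suffix, pattern), ...]}; the keys model the prefix
    comparators, the lists model the suffixes held in memory.
    """
    table = defaultdict(list)
    for pat in patterns:
        if len(pat) < PREFIX_LEN:
            raise ValueError(f"pattern shorter than prefix width: {pat!r}")
        table[pat[:PREFIX_LEN]].append((pat[PREFIX_LEN:], pat))
    return dict(table)


def scan(payload, table):
    """Return sorted (offset, pattern) hits found in payload."""
    hits = []
    for i in range(len(payload) - PREFIX_LEN + 1):
        # Stage 1: prefix match (parallel comparators in the hardware design).
        candidates = table.get(payload[i:i + PREFIX_LEN])
        if not candidates:
            continue
        # Stage 2: memory lookup, compare each stored suffix with the
        # bytes that follow the prefix; a truncated payload cannot match.
        start = i + PREFIX_LEN
        for suffix, pat in candidates:
            if payload[start:start + len(suffix)] == suffix:
                hits.append((i, pat))
    return sorted(hits)


# Constructed sample signatures and payload (not from the presentation).
PATTERNS = [b"/bin/sh", b"/bin/bash", b"cmd.exe", b"/etc/passwd"]
PAYLOAD = b"GET /cgi?x=/bin/sh;cat+/etc/passwd HTTP/1.0\r\n"

if __name__ == "__main__":
    for offset, pat in scan(PAYLOAD, build_tables(PATTERNS)):
        print(offset, pat)
```

Signatures that share a prefix (here `/bin/sh` and `/bin/bash`) occupy one prefix entry and differ only in the suffix list, which is why adding such a signature changes memory contents rather than the prefix stage.
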
15
Jump-ahead Aho-Corasick
Mangione-Smith, UCLA; Lockwood, Washington University
  • Circuit implements a variation of the Aho-Corasick
    state machine.
  • Treat k-characters as single symbol.

From Dharmapurikar 2005
16
Jump-ahead Aho-Corasick
Mangione-Smith, UCLA; Lockwood, Washington University
  • Search strings held in memory data structures.
  • 1 clock cycle Bloom filter to look up state
    transition.
  • Multiple cores to improve performance.

From Dharmapurikar 2005
17
Comparisons of Techniques
Technique                 Speed (Gbps)   Size (slices)
Character Decoding        26 - 42        41K - 60K
Automatic Char. Decode    1.9 - 10       5.7K - 32K
ROCCC                     18.6           38K
Hybrid                    3.2            6.1K / 11KB
JACK-NFA                  1.9 - 11       NA / 6-47 KB

18
Future Works
  • Runtime reconfiguration of circuit based systems.
  • Dealing with fragmented packets.
  • Applications towards bioinformatics.

19
Abstractions for NIDS
Lockwood, Washington University
  • Motivation: collapse of Moore's Law, increased
    threats, design complexity.
  • Paradigm shift from fast individual packet
    processing, to fast cumulative processing.
  • Long term goals
  • HLL to describe network analysis.
  • Abstracting parallel techniques.
  • Automatic compilation/synthesis of circuits.

20
Questions?