Title: An Evolution of Pattern Matching within Network Intrusion Detection Systems
An Evolution of Pattern Matching within Network Intrusion Detection Systems
- Erik Anderson
- 9 November 2006
Overview
- Introduction and Background
- Software Approaches
- Soft Core Processors
- Circuit Based Pattern Matching
- Automatic Synthesis
- Memory Based Pattern Matching
- Comparisons of Techniques
- Future Works
Introduction and Background
- Network Intrusion Detection/Prevention Systems
- Pattern Matching in Application Layer
- Patterns/Network speed growing faster than CPU speeds
- Reconfigurable Computing
  - Price, performance, power middle ground between CPUs and ASICs.
Software Approaches
- Commercial NIDS
  - Snort
  - Hogwash
- Algorithms
  - Brute Force
  - Knuth-Morris-Pratt
  - Aho-Corasick
Aho-Corasick
From Dharmapurikar 2005
Soft Core Processors
Lockwood, Washington University
- Customize processors for an application.
- Objective: find a good solution in linear time.
- On-board evaluation with SPARC V8.
- 79 parameters, 3.6 trillion configurations.
Soft Core Processors
Lockwood, Washington University
- Evaluation Technique
  - Assume parameter independence.
  - Start with out-of-box configuration.
  - Rebuild and evaluate processor, tweaking one parameter at a time.
- Results (BLASTN)
  - 11.59 runtime improvement
  - 0 change in slices
  - 39 increase in BRAMs
Circuit Based Pattern Matching
Schimmel, Georgia Tech; Mangione-Smith, UCLA
- Uses Brute Force Method in Hardware
  - Very fast
  - Highly parallel
  - Ideal for reconfigurable computing
  - Expensive
From Cho 2003
Circuit Based Pattern Matching
Schimmel, Georgia Tech; Mangione-Smith, UCLA
- Shared Substring
  - Reduced circuit size
From Cho 2003
Circuit Based Pattern Matching
Schimmel, Georgia Tech; Mangione-Smith, UCLA
- Character Decoding
  - Stateful comparison
  - Reduced circuit size
From Clark 2004
Automatic Synthesis
Prasanna, USC; Najjar, UC Riverside
- Given a high-level description, automatically generate a circuit.
- ROCCC
  - Translates C -> SUIF -> VHDL
  - Extensive loop analysis to find task-level parallelism.
  - Generalized tool.
Automatic Synthesis
Prasanna, USC; Najjar, UC Riverside
- Riverside
  - Input is a set of search strings.
  - Generates circuit based on
    - Knuth-Morris-Pratt
    - Character Decoding method
Memory Based Pattern Matching
Mangione-Smith, UCLA; Lockwood, Washington University
- Circuit based approaches are fast but not scalable.
  - Throughput depends on unrealistic bus model.
  - Resynthesize with new search strings.
- Paradigm switch to using memory to hold strings, and circuits to manage control path.
Hybrid Model
Mangione-Smith, UCLA; Lockwood, Washington University
- Divide search string into prefix and suffix.
- Use circuit based design to match prefixes.
- Use memory lookup to match suffix.
From Cho 2003
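The prefix/suffix split on this slide can be illustrated in software. The following is an added example written for this outline, not code from the talk or from Cho's hybrid design: a fixed-width "circuit" stage recognises the first PREFIX_LEN bytes of every signature, and only on a prefix hit is the "memory" table consulted for the candidate suffixes that share that prefix. PREFIX_LEN, the signature strings and the payload are assumptions and constructed sample data.

```python
"""Hybrid prefix/suffix matcher: prefix circuit + suffix memory lookup.

Added illustration for the Hybrid Model slide; not the talk's or Cho's code.
"""

PREFIX_LEN = 4  # assumed width of the prefix comparator circuit, in bytes


class HybridMatcher:
    def __init__(self, patterns, prefix_len=PREFIX_LEN):
        self.prefix_len = prefix_len
        self.patterns = [bytes(p) for p in patterns]
        # "Circuit" stage: the distinct prefixes the comparator must recognise
        # (the keys). "Memory" stage: what a lookup returns on a prefix hit,
        # i.e. the (pattern id, suffix) entries that share that prefix.
        self.table = {}
        for pid, pat in enumerate(self.patterns):
            if len(pat) < prefix_len:
                raise ValueError(f"{pat!r} is shorter than the prefix width {prefix_len}")
            prefix, suffix = pat[:prefix_len], pat[prefix_len:]
            self.table.setdefault(prefix, []).append((pid, suffix))

    def prefix_count(self):
        """Number of prefixes the circuit stage must match (its size driver)."""
        return len(self.table)

    def scan(self, data):
        """Return (start offset, pattern) pairs for every full match in data."""
        data = bytes(data)
        hits = []
        for i in range(len(data) - self.prefix_len + 1):
            candidates = self.table.get(data[i:i + self.prefix_len])
            if not candidates:
                continue  # prefix circuit did not fire: no memory access
            tail = i + self.prefix_len
            for pid, suffix in candidates:
                if data.startswith(suffix, tail):  # memory stage: compare suffix
                    hits.append((i, self.patterns[pid]))
        return hits


# Constructed sample signatures: two share the prefix b"/etc".
SIGNATURES = [b"/etc/passwd", b"/etc/shadow", b"cmd.exe", b"/bin/sh"]
# Constructed sample payload.
PAYLOAD = b"GET /cgi-bin/x?f=/etc/passwd;/bin/sh HTTP/1.0"


def demo():
    m = HybridMatcher(SIGNATURES)
    return m.prefix_count(), m.scan(PAYLOAD)


if __name__ == "__main__":
    count, hits = demo()
    print(f"{count} prefixes in circuit; hits: {hits}")
```

Signatures that share a prefix cost the circuit stage nothing extra; only the memory table grows, which is the scaling argument behind the hybrid design.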
Jump-ahead Aho-Corasick
Mangione-Smith, UCLA; Lockwood, Washington University
- Circuit implements variation of Aho-Corasick state machine.
- Treat k characters as a single symbol.
From Dharmapurikar 2005
Jump-ahead Aho-Corasick
Mangione-Smith, UCLA; Lockwood, Washington University
- Search strings held in memory data structures.
- 1 clock cycle Bloom filter to look up state transition.
- Multiple cores to improve performance.
From Dharmapurikar 2005
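The following added example serves both the Aho-Corasick slide and the two Jump-ahead slides. It is written for this outline and is not code from the talk or from Dharmapurikar and Lockwood's JACK-NFA design: a plain Aho-Corasick automaton first scans one byte per step, then the same automaton is built over an alphabet of k-byte chunks so that one step consumes k bytes. Because a match can begin at any offset modulo k, each signature is entered once per alignment with its partial leading and trailing chunks dropped, and those bytes are verified after a hit; that alignment scheme is a simplified software stand-in for the hardware NFA with Bloom-filter transition lookup, not a reproduction of it. The signature strings and payload are constructed sample data.

```python
"""Aho-Corasick byte-at-a-time matching and a k-bytes-per-step variant.

Added illustration for this outline; not the talk's or JACK-NFA's code.
"""
from collections import deque


class AhoCorasick:
    """Classic Aho-Corasick; symbols may be bytes (ints) or k-byte chunks."""

    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [[]]  # per-state tables
        for pid, pat in enumerate(patterns):
            self._insert(pat, pid)
        self._build_failure_links()

    def _insert(self, symbols, pid):
        state = 0
        for sym in symbols:
            if sym not in self.goto[state]:
                self.goto[state][sym] = len(self.goto)
                self.goto.append({}); self.fail.append(0); self.out.append([])
            state = self.goto[state][sym]
        self.out[state].append(pid)

    def _build_failure_links(self):
        # BFS: a state's failure target is shallower, so it is already final.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for sym, s in self.goto[r].items():
                f = self.fail[r]
                while f and sym not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(sym, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]
                queue.append(s)

    def scan(self, symbols):
        """Yield (index of last symbol, pattern id) for every occurrence."""
        state = 0
        for i, sym in enumerate(symbols):
            while state and sym not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(sym, 0)
            for pid in self.out[state]:
                yield i, pid


def byte_matches(patterns, data):
    """One byte per step: sorted (start offset, pattern) pairs."""
    patterns = [bytes(p) for p in patterns]
    ac = AhoCorasick(patterns)
    return sorted((end - len(patterns[pid]) + 1, patterns[pid])
                  for end, pid in ac.scan(bytes(data)))


class JumpAheadMatcher:
    """k bytes per step. Each pattern is entered once per alignment modulo k
    with its partial leading chunk (and partial trailing chunk) dropped; the
    dropped bytes are verified against the payload after a hit."""

    def __init__(self, patterns, k):
        self.k = k
        self.patterns = [bytes(p) for p in patterns]
        self.entries = []  # entry id -> (pattern id, leading bytes dropped, full chunks)
        chunk_seqs = []
        for pid, pat in enumerate(self.patterns):
            if len(pat) < 2 * k - 1:  # every alignment needs >= 1 full chunk
                raise ValueError(f"{pat!r} needs at least {2 * k - 1} bytes for k={k}")
            for drop in range(k):
                body = pat[drop:]
                chunks = [body[i:i + k] for i in range(0, len(body) - k + 1, k)]
                self.entries.append((pid, drop, len(chunks)))
                chunk_seqs.append(chunks)
        self.ac = AhoCorasick(chunk_seqs)

    def scan(self, data):
        data = bytes(data)
        chunks = [data[i:i + self.k] for i in range(0, len(data) - self.k + 1, self.k)]
        hits = set()
        for ci, eid in self.ac.scan(chunks):
            pid, drop, nfull = self.entries[eid]
            pat = self.patterns[pid]
            start = (ci - nfull + 1) * self.k - drop
            if start >= 0 and data[start:start + len(pat)] == pat:  # verify
                hits.add((start, pat))
        return sorted(hits)


SIGNATURES = [b"/etc/passwd", b"cmd.exe", b"GET /"]  # constructed sample signatures
PAYLOAD = b"GET /cgi-bin/x?f=../../etc/passwd&run=cmd.exe HTTP/1.0"  # constructed


def demo(k=3):
    """Both matchers must report the same occurrences on the sample payload."""
    return byte_matches(SIGNATURES, PAYLOAD), JumpAheadMatcher(SIGNATURES, k).scan(PAYLOAD)


if __name__ == "__main__":
    plain, jumped = demo()
    print("1 byte/step :", plain)
    print("3 bytes/step:", jumped)
```

The k-stride automaton takes one transition per k payload bytes, which is where the throughput gain comes from; the price is k entries per signature, a larger symbol alphabet, and the minimum signature length of 2k-1 bytes this simplified scheme imposes.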
Comparisons of Techniques
| Technique              | Speed (Gbps) | Size (slices / memory) |
|------------------------|--------------|------------------------|
| Character Decoding     | 26 - 42      | 41K - 60K              |
| Automatic Char. Decode | 1.9 - 10     | 5.7K - 32K             |
| ROCCC                  | 18.6         | 38K                    |
| Hybrid                 | 3.2          | 6.1K / 11 KB           |
| JACK-NFA               | 1.9 - 11     | NA / 6-47 KB           |
Future Works
- Runtime reconfiguration of circuit based systems.
- Dealing with fragmented packets.
- Applications towards bioinformatics.
Abstractions for NIDS
Lockwood, Washington University
- Motivation: collapse of Moore's Law, increased threats, design complexity.
- Paradigm shift from fast individual packet processing to fast cumulative processing.
- Long term goals
  - HLL to describe network analysis.
  - Abstracting parallel techniques.
  - Automatic compilation/synthesis of circuits.
Questions?