An FPGA-Based Network Intrusion Detection Architecture

Proceedings of the 2005 ACM/SIGDA 13th international symposium on Field-programmable gate arrays - FPGA '05, 2005

FPGA technology has become widely used for real-time network intrusion detection. In this paper, a novel packet classification architecture called BV-TCAM is presented, which is implemented for an FPGA-based Network Intrusion Detection System (NIDS). The classifier can report multiple matches at gigabit per second network link rates. The BV-TCAM architecture combines the Ternary Content Addressable Memory (TCAM) and the Bit Vector (BV) algorithm to effectively compress the data representations and boost throughput. A tree-bitmap implementation of the BV algorithm is used for source and destination port lookup while a TCAM performs the lookup of the other header fields, which can be represented as a prefix or exact value. The architecture eliminates the requirement for prefix expansion of port ranges. With the aid of a small embedded TCAM, packet classification can be implemented in a relatively small part of the available logic of an FPGA. The design is prototyped and evaluated in a Xilinx FPGA XCV2000E on the FPX platform. Even with the most difficult set of rules and packet inputs, the circuit is fast enough to sustain OC48 traffic throughput. Using larger and faster FPGAs, the system can work at speeds greater than OC192.

2007

This paper proposes Gigabit IDS to detect and respond against various attacks on high-speed links. Our proposed system has hardware-based stateful intrusion detection architecture that can provide the high-performance detection mechanism. It is possible through the pattern matching and heuristic analysis functions that are processed in FPGA Logic. In this paper, we propose architecture designed to perform intrusion detection on high-speed links with reduced false positive rates. We then present the efficient detection mechanisms for the FPGAbased Reconfiguring Hardware. It is revealed that the prototype has a consistent performance with varying traffic level.

2004

The fast extension of inexpensive computer networks has increased the problem of unauthorized access and tampering with data. As a response to increased threats, many Network-based Intrusion Detection Systems (NIDSs) have been developed, but current NIDSs are barely capable of real-time traffic analysis on Fast Ethernet links. As network technology presses forward, Gigabit Ethernet has become the actual standard for large network installations. Therefore, there is an emerging need for security analysis techniques that can keep up with the increased network throughput. We have made effort to design and implement high-speed IDS that is run as a lower branch of our system named ‘Network Security Control System (NSCS)’. Our IDS named ‘Security Gateway System (SGS)’ has a pattern matching approach through the FPGA (Field Programmable Gate Array) logic and kernel logic as detection mechanism that can be applied to Gigabit-Ethernet links. In this paper, we briefly introduce the whole architecture of our system designed to perform intrusion detection on high-speed links. And then, we present the efficient detection mechanism that is run by cooperation of FPGA logic and kernel logic. In other words, we focus on the network intrusion detection mechanism applied in a lower branch of our system.

Network Processor Design, 2005

The current generation of centralized network intrusion detection systems (NIDS) have various limitations on their performance and effectiveness. In this paper, we argue that intrusion detection analysis should be distributed to network node IDS (NNIDS) running in hardware on the end hosts. An NNIDS can unambiguously inspect traffic to and from the host, and when implemented on the network interface hardware, can function independently of the host operating system to provide better protection with less overhead than software implementations. We discuss the computation and communication characteristics of typical software intrusion detection analysis tasks. Then, we describe our efforts in mapping these tasks to a hardware platform using COTS components including Intel IXP network processors and Xilinx Virtex FPGAs. We report the performance of our prototype NNIDS implementation and provide analysis on how the network processor architecture affects the performance. Our results show that the NNIDS can achieve high performance with a pipeline of processing stages and careful allocation of tasks to the most appropriate hardware resources.

12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines

Intrusion detection for network security is a computation intensive application demanding high system performance. System level design, a relatively unexplored field in this area, allows more efficient communication and extensive reuse of hardware components for dramatic increases in area-time performance. By applying optimization strategies to the entire database, we reduce hardware requirements compared to architectures designed with single pattern matchers in mind. We present a methodology for system-wide integration of graph-based partitioning of large intrusion detection pattern databases. Integrating ruleset-based graph creation and min-cut partitioning, our methodology allows efficient multi-byte comparisons and partial matches for high performance FPGA-based network security. Through pre-processing, this methodology yields designs with competitive clock frequencies that are a minimum of 8x more area efficient than any other shift-andcompare architectures, and 2x that of other predecoded architectures.

2005

With the onset of Gigabit networks, current generation networking components will soon be insufficient for numerous reasons: most notably because existing methods cannot support high performance demands. Feature extraction (or flow monitoring), an essential component in anomaly detection, summarizes network behavior from a packet stream. This information is fed into intrusion detection methods such as association rule mining, outlier analysis, and classification algorithms in order to characterize network behavior. However, current feature extraction methods based on per-flow analysis are expensive, not scalable, and thus prohibitive for large-scale networks. In this paper, we propose an accurate and scalable Feature Extraction Module (FEM) based on sketches. We present the details of the FEM design on an FPGA and show that using FPGAs we can achieve significantly better performance compared to existing software and ASIC implementations. Specifically, the optimal FEM configuration achieves 20.18 Gbps throughput and 97.61% accuracy.

This work elaborates the implementation and the use of dedicated hardware in computer network security. The novel FPGA implementation for user profiling in intrusion detection systems, provides new potential which can further lead to better performances and more reliable security systems. The results yield a promising future for these systems and overcome many speed drawbacks and disadvantages of already existing algorithms as well as platform for development the new, original ones.

IEEE Transactions on Dependable and Secure Computing, 2006

This paper presents a methodology and a tool for automatic synthesis of highly efficient intrusion detection systems using a high-level, graph-based partitioning methodology and tree-based lookahead architectures. Intrusion detection for network security is a compute-intensive application demanding high system performance. The tools implement and automate a customizable flow for the creation of efficient Field Programmable Gate Array (FPGA) architectures using system-level optimizations. Our methodology allows for customized performance through more efficient communication and extensive reuse of hardware components for dramatic increases in area-time performance.

Many Network Intrusion Detection System(NIDS)s have been developed to detect and respond against several kinds of intrusion activities in widespread networks. Due to the explosive growth of network bandwidth, software approach in developing a high-speed NIDS is becoming impractical due to the performance constraint. Accordingly, it seems unavoidable to investigate the hardware-based solutions. Another critical problem of NIDS is a problem of false positive alerts. In order to solve these two problems, we propose a high-performance real-time intrusion detection and response system that has FPGA-based reconfiguring hardware architecture and SPI(Stateful Packet Inspection)-based intrusion detection module in the FPGA. In this paper, we present the novel architecture and mechanisms for design and implementing the system. Some experimental results are also provided.

2007

With the wide adoption of internet into our everyday lives, internet security becomes an important issue. Intrusion detection at the network level is an effective way of stopping malicious attacks at the source and preventing viruses and worms from wide spreading. The key component in a successful network intrusion detection system is a high performance pattern matching engine that can uncover the malicious activities in real time. In this paper, we propose a highly parallel, scalable hardware based network intrusion detection system, that can handle variable pattern length efficiently and effectively. Pattern matchings are completed in O(log M) time where M is the longest pattern length. Implementation is done on a standard off-the-shelf FPGA. Comparison with the other techniques shows promising results.

2010 International Conference on Field Programmable Logic and Applications, 2010

A Network Intrusion Detection System (NIDS) inspects the traffic flowing in a network to detect malicious content such as spam, viruses, and so on. Hardware based solutions appear necessary to face the performance requirements emerging when the goal is to deploy such systems in high speed network scenarios. However, the appropriate choice of the hardware platform is believed to be subject to at least two requirements, usually considered independent each other: i) it needs to be reprogrammable, in order to update the intrusion detection rules each time a new threat arises, and ii) it must be capable of containing the typically very large set of rules of existing NIDSs. The goal of this paper is to show that reprogrammability can be further exploited to reduce the resource requirements for the chosen platform. Specifically, we propose an FPGA-based solution that classifies and dispatches traffic to elastic buffers, connecting one buffer at a time to a dynamically reconfigurable rule matching core. This core supports only the appropriate subset of detection rules. A worst-case analysis shows that the saving in hardware resources is achieved with a relatively small buffer space, currently available in cheap, low end, FPGA boards, with no impairment on the resulting throughput.

Cronin Brendan Hardware Acceleration of Network Intrusion Detection and Prevention Phd Thesis Dublin City University, 2014

The fast extension of inexpensive computer networks has increased the problem of unauthorized access and tampering with data. As a response to increased threats, many network-based intrusion detection systems(NIDSs) have been developed, but current NIDSs are barely capable of real-time traffic analysis on Fast Ethernet links . As network technology presses forward, Gigabit Ethernet has become the actual standard for large network installations. Therefore, there is an emerging need for security analysis techniques that can keep up with the increased network throughput[2].

American Journal of Applied Sciences, 2012

Abtract: Intrusion rule processing in reconfigurable hardware enables intrusion detection and prevention. The use of reconfigurable hardware for network security applications has great strides as Field Programmable Gate Array (FPGA) devices have provided larger and faster resources. This proposes architecture called "BV-TCAM" is presented, which is implemented for an FPGA-based Network Intrusion Detection Systems (NIDS). The BV-TCAM architecture combines the Ternary Content Addressable Memory (TCAM) and Bit Vector (BV) algorithm to effectively compress the data representation and throughput. A tree bitmap implementation of the BV algorithm is used for source and destination port lookup while a TCAM performs lookup for other header fields, which can be represented as a prefix or exact value. With the aid of small embedded TCAM, packet classification can be implemented in relatively small part of the available logic of an FPGA. The BV-TCAM architecture has been modelled by VHDL. Simulations were performed by MODELSIM. This architecture have to be synthesized and implement our design using Xilinx FPGA device.

Security and Communication Networks, 2008

Despite the rapid advance in networking technologies, detection of network anomalies at high-speed switches/routers is still far from maturity. To push the frontier, two major technologies need to be addressed. The first one is efficient feature-extraction algorithms/hardware that can match a line rate in the order of Gb/s; the second one is fast and effective anomaly detection schemes. In this paper, we focus on design of efficient data structure and algorithms for feature extraction. Specifically, we propose a novel data structure that extracts socalled two-directional (2D) matching features, which are shown to be effective indicators of network anomalies. Our key idea is to use a Bloom filter array to trade off a small amount of accuracy in feature extraction, for much less space and time complexity, so that our data structure can catch up with a line rate in the order of Gb/s. Different from the existing work, our data structure has the following properties: 1) dynamic Bloom filter, 2) combination of a sliding window with Bloom filter, and 3) using an insertion-removal pair to enhance Bloom filter with a removal operation. Our analysis and simulation demonstrate that the proposed data structure has a better space/time tradeoff than conventional algorithms. For example, for a fixed time complexity, the conventional algorithm (i.e., hash table [1]-[8]) requires a memory of 1.01G bits while our data structure requires a memory of only 62.9M bits, at the cost of losing 1% accuracy in feature extraction.