related work, and Section VII concludes the paper and presents the areas of future work.

data and, therefore, reduces the computational cost of analyzing new data. PCA methodology has been used successfully in signal processing, namely the Karhunen-Loève transformation [15], and in image processing for compression and restoration. In the case of the KDD Cup 1999 data, where each connection record has 41 features, we will show that PCA can effectively account for up to 50% of the variation, or relative significance, of the data with only five principal components. Being able to capture such a large fraction of the variation using only a small number of features is certainly a desirable property for the hardware implementation (i.e., such an algorithm is likely to reduce the hardware overhead significantly).

Fig. 2. FPGA architecture with feature extraction and PCA.

extracted from the packets fed into the system. The FEM, in the next phase, uses these headers to extract the temporal and connection-based characteristics of the network. We discuss the FEM in detail in Section III. This information, in other words the network features, is then processed by the anomaly detection phase, which here is done using PCA (as shown in the figure). The formulation of PCA and its application to anomaly detection are presented in Section IV. Details regarding the framework implementation are dealt with in Section IV-E.

tivity in a period of time, referred to as a "bursty attack." SYN floods are an example: connection tables are flooded within a period of time, preventing the victim machine from servicing new connection requests. Connection-based attacks do not have a recognizable temporal aspect. They are sometimes referred to as "pulsing zombie attacks." Port scans may release connection requests over a span of seconds or days. Therefore, intrusion detection methods that focus on large volumes of network activity are ineffective. Our architecture can capture both connection-based and time-based statistics.

Fig. 3. FEM with one feature sketch.
Fig. 5. Feature sketches executed in parallel.
Fig. 7. Effect of FS row length (K) on accuracy.
Fig. 8. Effect of FS row length (K) on average deviation.
Fig. 9. Detection and false alarm rate versus q.

XILINX ISE 5.21 PLACE-AND-ROUTE STATISTICS (XC2VP100)
FPGA. The number of fields (p) is the number of 32-b fields used to calculate the throughput of the PSCP pipeline. The #mult field is the number of 18 × 18-b block multipliers used.

stages in the second summation (see Table V) constant. The second summation is an intense operation from a bandwidth perspective. As the data travel through the pipeline, an initial 32-b value is multiplied twice and becomes 128 b wide. We use this pipeline configuration to preserve accuracy in fixed-point arithmetic. The overall throughput increases moving from Q3 to Q4 but then decreases in Q6 and Q8. The reason for this behavior is the large bandwidth of the second summation.

TABLE VI

and coordination may inhibit the advantages of parallelization. Also, the number of stages required to perform the summation varies with log2(q). For example, with q = 1, there is no need for an adder tree. For q = 2 to q = 4, two pipeline stages are required.