FPGA-based ROM-free network intrusion detection using shift-OR circuit
Authors: Wen-Jyi Hwang, Huang-Chun Roan, Ying-Nan Shih, Chia-Tien Dan Lo and Chien-Min Ou
Publisher: Journal of Embedded Computing
Presenter: Chen-Rong Chang
Date: November 18, 2009
Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan R.O.C.
OUTLINE
• Preliminaries
• Shift-or algorithm
• The architecture
• Basic module circuit
• Module circuit based on bitmap encoder
• High throughput module circuit
• Experimental results and comparisons
Shift-Or algorithm (1/3)

R_{j+1}[i] = ( R_j[i] | S_c[i] ) << 1, i = 1, …, m.

• An example of the shift-or algorithm with pattern P = aab and text T = aab. The bit vector S is associated with each symbol s_c ∈ Σ = {a, b, c} for the pattern P.

Cycle 0: R_0 = 1110
Cycle 1: input a, S_c = 100, R_0 | S_c = 1110, R_1 = 1100
Cycle 2: input a, S_c = 100, R_1 | S_c = 1100, R_2 = 1000 (matches prefix "aa" of P)
Cycle 3: input b, S_c = 011, R_2 | S_c = 1011, R_3 = 0100 (match)

• The same pattern with an input that contains the symbol c:

Cycle 0: R_0 = 1110
Cycle 1: input a, S_c = 100, R_0 | S_c = 1110, R_1 = 1100
Cycle 2: input c, S_c = 111, R_1 | S_c = 1111, R_2 = 1110
Cycle 3: input a, S_c = 100, R_2 | S_c = 1110, R_3 = 1100
Cycle 4: input a, S_c = 100, R_3 | S_c = 1100, R_4 = 1000
Cycle 5: input b, S_c = 011, R_4 | S_c = 1011, R_5 = 0100 (match)
Basic module circuit (1/2)
Figure: The basic circuit of each module for exact pattern matching: (a) the block diagram of the circuit, (b) the shift register circuit during clock cycle j + 1. Figure annotations: 256 symbols; pattern: aabc.
Basic module circuit (2/2)
Fig. 4. Augmenting the circuit with a symbol encoder to reduce the ROM size. In this example, each input character is assumed to be an ASCII code (8 bits). We use only 4 symbols in the alphabet. The output of the symbol encoder is therefore 2 bits. Figure annotation: pattern: aabc.
Module circuit based on bitmap encoder (1/5)
• Therefore, the ROM implemented by embedded memory bits may become the bottleneck of the system's throughput. In addition, the same ROM cannot be shared by different rules. The consumption of embedded memory bits will be high for circuits containing a large number of Snort rules.
Module circuit based on bitmap encoder (2/5)
Fig. 7. Adding a symbol encoder to reduce the bitmap encoder size. In this example, each input character is assumed to be an ASCII code (8 bits). We use only 7 symbols in the alphabet. The output of the symbol encoder is 3 bits.
Module circuit based on bitmap encoder (3/5)
Fig. 5. A simple example of the proposed circuit for the pattern aadc and the symbol set a, b, c, d: (a) the architecture, (b) table of the pattern.
Module circuit based on bitmap encoder (4/5)
Fig. 6. An example of three patterns (aadc, bdd and ddac) sharing the same bitmap encoder: (a) the architecture, (b) table of the three patterns.
Module circuit based on bitmap encoder (5/5)
• The same symbol encoder and bitmap encoder are shared by three different Snort rules. Each character is also assumed to be an ASCII code. All the Snort rules use the same alphabet comprised of 7 symbols.
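A software model of the sharing shown in Fig. 6, added here as an illustration; it is not code from the slides or the paper. It assumes a one-cold bitmap (bit k is 0 only for symbol k), a "none" code for bytes outside the alphabet, and the m-bit shift-then-OR form of the register; all function names are hypothetical.

```python
PATTERNS = ["aadc", "bdd", "ddac"]   # the three patterns from Fig. 6
ALPHABET = "abcd"                    # symbols used by those patterns

def symbol_encoder(byte):
    """Map an 8-bit character to a small symbol code (None = not in alphabet)."""
    idx = ALPHABET.find(chr(byte))
    return idx if idx >= 0 else None

def bitmap_encoder(code):
    """Assumed one-cold bitmap: bit k is 0 only when the input symbol has code k."""
    full = (1 << len(ALPHABET)) - 1
    return full if code is None else full & ~(1 << code)

def scan(payload, patterns=PATTERNS):
    """Run one shift-or module per pattern; return (end_offset, pattern) hits."""
    # Wiring fixed per pattern: position i taps the bitmap bit of its symbol.
    taps = {p: [ALPHABET.index(ch) for ch in p] for p in patterns}
    regs = {p: (1 << len(p)) - 1 for p in patterns}  # all ones: nothing matched
    hits = []
    for offset, byte in enumerate(payload):
        bitmap = bitmap_encoder(symbol_encoder(byte))  # computed once, shared
        for p in patterns:
            m = len(p)
            # S[i] is simply the tapped bitmap bit: no per-pattern ROM lookup.
            s = sum(((bitmap >> k) & 1) << i for i, k in enumerate(taps[p]))
            regs[p] = ((regs[p] << 1) | s) & ((1 << m) - 1)
            if not (regs[p] >> (m - 1)) & 1:   # top bit 0: whole pattern matched
                hits.append((offset, p))
    return hits

if __name__ == "__main__":
    # Constructed sample payload containing all three patterns.
    for offset, pattern in scan(b"xxaadcbddac"):
        print(f"{pattern!r} ends at offset {offset}")
```

The symbol code and bitmap are computed once per input byte and reused by every pattern module, which is the point of the shared encoders.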
High throughput module circuit
Figure labels: Bitmap Encoder 1, Bitmap Encoder 2. Pattern: aabcd. Payload: 123aabcd.
Experimental results and comparisons (1/3)
Figure: Performance of the ROM-based and bitmap encoding circuits with q = 1 for rule set sizes ranging from 500 characters to 8000 characters: (a) LE per character, (b) operating frequency.
Shift-And Algorithm
• The shift-or algorithm is a tricky implementation of shift-and. The idea is to avoid using the "0^{m-1}1" mask of the formula in order to speed up the computation.
Shift-and algorithm formula: R_{j+1}[i] = (R_j[i] << 1 | 0^{m-1}1) & S_c[i], i = 1, …, m.
Shift-or algorithm formula: R_{j+1}[i] = R_j[i] << 1 | S_c[i], i = 1, …, m.
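The two formulas above side by side, as an added example that is not from the slides or the paper. It assumes the usual mask conventions (shift-and: mask bit is 1 where the pattern symbol equals the input; shift-or: the complement) and an m-bit register; function names are hypothetical.

```python
def match_masks(pattern, alphabet):
    """Shift-and masks: bit i of the mask for symbol c is 1 iff pattern[i] == c."""
    return {c: sum(1 << i for i, p in enumerate(pattern) if p == c)
            for c in alphabet}

def shift_and(pattern, text, alphabet):
    m = len(pattern)
    s = match_masks(pattern, alphabet)
    r, states, ends = 0, [], []
    for j, c in enumerate(text):
        r = ((r << 1) | 1) & s.get(c, 0)   # "| 1" is the 0^{m-1}1 mask
        states.append(r)
        if (r >> (m - 1)) & 1:             # top bit 1: full match ends at j
            ends.append(j)
    return states, ends

def shift_or(pattern, text, alphabet):
    m = len(pattern)
    full = (1 << m) - 1
    s = {c: full & ~v for c, v in match_masks(pattern, alphabet).items()}
    r, states, ends = full, [], []
    for j, c in enumerate(text):
        # The 0 shifted in at the bottom replaces the explicit mask.
        r = ((r << 1) | s.get(c, full)) & full
        states.append(r)
        if not (r >> (m - 1)) & 1:         # top bit 0: full match ends at j
            ends.append(j)
    return states, ends

if __name__ == "__main__":
    # Constructed input: pattern aab searched in text acaab.
    and_states, and_ends = shift_and("aab", "acaab", "abc")
    or_states, or_ends = shift_or("aab", "acaab", "abc")
    for a, o in zip(and_states, or_states):
        print(f"shift-and {a:03b}   shift-or {o:03b}")
    print("match ends at:", and_ends, or_ends)
```

At every step the two registers are bitwise complements, so both variants report the same matches while shift-or needs one operation fewer per input symbol.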
Shift-Or algorithm (1/3)
• Let R_j be a bit vector containing information about all matches of the prefixes of P that end at j.
• The vector contains m + 1 elements R_j[i], i = 0, …, m, where R_j[i] = 0 if the first i characters of the pattern P match exactly the last i characters up to j in the text (i.e., p_1 p_2 … p_i = t_{j−i+1} t_{j−i+2} … t_j). The transition from R_j to R_{j+1} is performed by the recurrence:
• where the initial conditions for the recurrence are given by R_0[i] = 1, i = 1, …, m, and R_j[0] = 0, j = 0, …, m. The recurrence can be implemented by simple shift and OR operations.
Shift-Or algorithm (2/3)
• Suppose P = p_1 p_2 … p_m is a pattern to be searched inside a large text (or source) T = t_1 t_2 … t_n, where n >> m. Every character of P and T belongs to the same alphabet Σ = {s_1, …, s_|Σ|}.
• Let R_j be a bit vector containing information about all matches of the prefixes of P that end at j. The formula is shown as follows:
The initial value: R_j = 1^{m-1}0, e.g., R_j = 11111110.