1 / 34

A. Das , S. Misra, S. Joshi*, J. Zambreno + , G. Memik, and A. Choudhary

Design, Automation & Test in Europe (DATE) 2008. An Efficient FPGA Implementation of Principal Component Analysis based Network Intrusion Detection System. A. Das , S. Misra, S. Joshi*, J. Zambreno + , G. Memik, and A. Choudhary Electrical Engineering and Computer Science Department.

rowenb
Download Presentation

A. Das , S. Misra, S. Joshi*, J. Zambreno + , G. Memik, and A. Choudhary

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Design, Automation & Test in Europe (DATE) 2008 An Efficient FPGA Implementation of Principal Component Analysis based Network Intrusion Detection System A. Das , S. Misra, S. Joshi*, J. Zambreno+, G. Memik, and A. Choudhary Electrical Engineering and Computer Science Department *Indian Institute of Technology, Kharagpur, + Iowa State University

  2. Overview Principal Component Analysis PCA Framework Results Contributions • Novel architecture for Principal Component Analysis (PCA) used in Network Intrusion Detection • Parallel implementation of PCA on an FPGA platform • Achieving a throughput of 24.72 Gbpswith up to 99.9% accuracy and as low as 1.95% false alarm rate

  3. Overview Principal Component Analysis PCA Framework Results Overview: Network Intrusions • Network Attacks / Intrusions • Malicious Code (virus, worms, Trojan horses, malware) • Approximately $70 B economic losses a year (and increasing) • Example attacks: • Denial of Service (DoS) • Port scanning SYN Flood by exploiting TCP 3-way handshake

  4. Overview Principal Component Analysis PCA Framework Results Overview: Network Intrusions • Network Attacks / Intrusions • Malicious Code (virus, worms, Trojan horses, malware) • Approximately $70 B economic losses a year (and increasing) • Example attacks: • Denial of Service (DoS) • Port scanning Smurf attack

  5. Overview Principal Component Analysis PCA Framework Results Overview: NIDS • Network Intrusion Detection System • Suspicious Activity Monitoring both inbound and outbound • Identify attacks and alert the System Administrator/User • NIDS techniques: • Signature Detection • less false alarms, new attacks undetected (e.g. SNORT) • Anomaly Detection • more false alarms, detection of new attacks • Popular Anomaly Detection Methods: • Data Mining, Genetic algorithms, Statistical analysis • Performance Bottlenecks: S/W methods cannot match Gigabit Ethernet rates

  6. Overview Principal Component Analysis PCA Framework Results NIDS: Challenges • Problems with Signature IDS • Can only detect known intrusion types • Problems with Anomaly IDS • Need to have “sufficient” training data that covers as much variation of the normal behavior as possible • Too much dependence over training data set • False positives • Slow due to high dimensional network data

  7. Overview Principal Component Analysis PCA Framework Results NIDS: Challenges • Problems with Signature IDS • Can only detect known intrusion types • Problems with Anomaly IDS • Need to have “sufficient” training data that covers as much variation of the normal behavior as possible • Too much dependence over training data set • False positives • Slow due to high dimensional network data Offline Phase Labeled Training Data Normal Behavior Learning Online Phase Preprocessing Deviation Attack Detection Live Network Stream

  8. Overview Principal Component Analysis PCA Framework Results Overall NIDS Framework

  9. Overview Principal Component Analysis PCA Framework Results Outline • Overview of Network Intrusions Detection • Principal Component Analysis (PCA) • Distance Calculation • Methodology • PCA Framework • PCA architecture • FPGA implementation • Results • FPGA performance • Accuracy • H/W Speedup • Conclusions

  10. Overview Principal Component Analysis PCA Framework Results Principal Component Analysis (PCA) • Express variation in multivariate data in uncorrelated variables • Input data dimension consists of p correlated variables x1,x2,…xp • PCA looks for a transformation of the xi into p new variables yi that are uncorrelated y1 f1(x1,x2,…xp) y2 f2 (x1,x2,…xp) ……… yp fp(x1,x2,…xp) Eigenvalues (λi) Eigenvectors (ei)

  11. Overview Principal Component Analysis PCA Framework Results PCA: An Example PC 2 Original Variable B PC 1 Original Variable A • PC 1 is the direction of maximum variance (major) • PC 2 uncorrelated (orthogonal) to PC 1 (minor)

  12. Overview Principal Component Analysis PCA Framework Results PCA: Properties • Principal components are arranged in descending order indicating the amount of variation it encompasses • Keep the q most important ones and discard the others • Some deviation may not follow the same correlation model • May want to keep the r least important components • Calculate distance in the new set of axes • Outlier if distance far from normal

  13. Overview Principal Component Analysis PCA Framework Results Major principal components Minor principal components PCA y1 y2 .. yq .. .. yp-r+1 .. yp

  14. Overview Principal Component Analysis PCA Framework Results PCA: Steps involved • Distance Calculation: Map the input data into suitable axes; calculate the distance using principal components • Euclidian Distance (equal weight for each dimension) • Mahalanobis Distance (uses correlation matrix) • Outlier Detection: Distance exceeding a pre-defined threshold • tMand tm with Major and Minor components, respectively

  15. Overview Principal Component Analysis PCA Framework Results Offline Phase Online Phase PCA Framework: Phases

  16. Overview Principal Component Analysis PCA Framework Results PCA Framework: Phases Offline Phase: • Step 1: Mean vector of the sample data (training data) created • Step 2: Correlation Matrix R created • Step 3: Eigen-analysis performed on R; extraction of <ei, λi>pairs • Step 4: Pairs are sorted according to λito determine the major and minor principal components • Step 5: Thresholds are calculated

  17. Overview Principal Component Analysis PCA Framework Results PCA Framework: Phases Online Phase: • Step 1: Online data (test data) are mapped to the eigenspace of q & rprincipal components • Step 2: MajC and MinC scores are computed in parallel • Step 3: Threshold comparison is performed

  18. Overview Principal Component Analysis PCA Framework Results PCA: Advantages • Reduces the dimensionality of network data with little or no information loss • Analyses different network TCP parameters (features) • Complete breakdown into offline and online phase • Eigen-analysis and sorting performed in offline phase • Major and minor components chosen define two thresholds • Better coverage • Faster compared to software implementation • Hardware level parallelism to compute PC score

  19. Overview Principal Component Analysis PCA Framework Results Principal Component Score Pipeline for FPGA

  20. Overview Principal Component Analysis PCA Framework Results FPGA Implementation • Design synthesis using VHDL • Place and route using Xilinx ISE 8.1 • Target Platform Xilinx XC2VP30 • # of pipeline stages = F(p, q, r) • Training and testing dataset : • KDD Cup 1999 • 100,000-125,000 training data samples • Up to 12 of 32 principal components used • Speedup limited by I/O bandwidth of FPGA board

  21. Overview Principal Component Analysis PCA Framework Results Outline • Overview of Network Intrusions Detection • Principal Component Analysis (PCA) • Distance Calculation • Methodology • PCA Framework • PCA architecture • FPGA implementation • Results • FPGA performance • Accuracy • H/W Speedup • Conclusions

  22. Overview Principal Component Analysis PCA Framework Results Results: FPGA Performance • # fields (p) = 32 • Maximum throughput = 24.72 Gbps

  23. Overview Principal Component Analysis PCA Framework Results Results: PCA Accuracy Detection and False Alarm Rates vs. q

  24. Overview Principal Component Analysis PCA Framework Results PCA hardware Speedup • Compared with sequential software code • System: AMD Opteron 2.4GHZ with 2GB memory

  25. Overview Principal Component Analysis PCA Framework Results Conclusions • High Ethernet throughput demands efficient anomaly detection in networks • High dimensional network data becomes a bottleneck for anomaly detection • Hardware implementation of NIDS based on Principal Component Analysis can be effective • Parallelism is exploited using reconfigurable hardware (FPGAs) • Attack detection up to 99% with false alarm rates as low as 1.95% • Significant speedup compared to software

  26. Acknowledgements This work was supported by NSF grants NSF-ITR CCR-0325207, CNS-0406341, CNS-0551639, IIS-0536994, CCR-0325207, by Air Force Office of Scientific Research (AFOSR) award FA9550-06-1-0152 and DoE CAREER Award DE-FG02-05ER25691

  27. Thank You ! Questions? Contact Info: Electrical Engineering and Computer Science Department Northwestern University 2145 Sheridan Road Evanston, IL 60208 Phone: (847) 467-4610 Fax: (847) 467-4144 Email: ada829@eecs.northwestern.edu Web:http://www.ece.northwestern.edu/~ada829

  28. References • [1] M. E. Attig and J. Lockwood. A framework for rule processing in reconfigurable network systems. In IEEE Symposium on Field-Programmable Custom Computing Machines,(FCCM), Napa, CA, Apr. 2005. • [2] Z. K. Baker and V. K. Prasanna. Time and Area Efficient Pattern Matching on FPGAs. In The Twelfth Annual ACM International Symposium on Field-Programmable Gate Arrays (FPGA ’04), 2004 • [3] Z. K. Baker and V. K. Prasanna. Efficient Hardware Data Mining with the Apriori Algorithm on FPGAs. In Proceedings of the Thirteenth Annual IEEE Sym. on Field Programmable Custom Computing Machines 2005 • [4] S. Dharmapurikar, P. Krishnamurthy, T. Sproull, and J. W. Lockwood. Deep packet inspection using parallel bloom filters. In Symp. on High Performance Interconnects, August 2003. • [5] M. Fleury, B. Self, and A. C. Downton. A fine-grained parallel pipelined karhunen-loeve transform. In 17th International Parallel and Distributed Processing Symposium, Nice, France, April 2003. • [6] J. D. Jobson. Applied Multivariate Data Analysis, Volume II: Categorical and Multivariate Methods. Springer-Verlag, NY, 1992. • [7] I. T. Jolliffe. Principal Component Analysis. Springer-Verlag, NY, 2002.

  29. References • [8] Jungsuk Song and Hiroki Takakura and yasuo Okabe. A proposal of new benchmark data to evaluate mining algorithms for intrusion detection. In 23rd Asia Pacific Advanced Networking Meeting, 2007. • [9] KDD Cup 1999 Data. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html, August 1999. • [10] Nicholas Athanasiades and Randal Abler and John Levine and Henry Owen and George Riley. Intrusion detection testing and benchmarking methodologies. In IEEE International Information Assurance Workshop, 2003. • [11] R. Sidhu and V. Prasanna. Fast regular expression matching FPGAs. In IEEE Symposium on Field-Programmable Custom Computing Machines, April 2001. • [12] D. V. Schuehler, J. Moscola, and J.W. Lockwood. Architecture for a hardware-based, tcp/ip content-processing system. In IEEE Micro, January 2004. • [13] M.-L. Shyu, S.-C. Chen, K. Sarinnapakorn, and L. Chang. A novel anomaly detection scheme based on principal component classifier. In IEEE Foundations and New Directions of Data Mining Workshop, pages 172–179, November 2003. • [14] H. Song and J. W. Lockwood. Efficient packet classification for network intrusion detection using fpga. In Intl. Symp. On Field-Programmable Gate Arrays, February 2005.

  30. Backups

  31. Overview Principal Component Analysis PCA Framework Results NIDS FPGA Architecture Principal Component Analysis Feature Extraction

  32. Feature Extraction Module HF(1) Sketch table 1 Estimate Block 32 Src IP Hash Control Block HF(2) 32 Dst IP 16 Src port Sketch table 2 : : : : : Estimated value 16 Dst port : : 6 Flags Sketch table H Feature Sketch Architecture HF(H)

  33. Overview Principal Component Analysis PCA Framework Results Results: PCA Accuracy Detection and False alarm Rates vs. q

More Related