Internet Worm and Virus Protection in Dynamically Reconfigurable Hardware • By John W. Lockwood, et al. • Course: CS895 • Advisor: Dr. Ravi Mukkamala • Speaker: Weiying Zhu • Date: 03/17/2004
Table of Contents • Introduction • Intelligent Gateway Devices • System Architecture • Reprogrammable Logic • Conclusions • References
Introduction • Malicious software (malware): a computer virus, an Internet worm, or a hybrid that contains elements of both. • Weakness of end-system protection: • Most malware goes undetected until it causes harm on an end-user's computer. • Individuals tend to ignore warnings about installing new protection software and the latest security updates. • Systems are not always patched immediately, and anti-virus programs are not kept up to date.
Intelligent Gateway Devices • Existing firewalls. • They examine only the packet headers; however, much malware is transported over trusted services. • Intrusion detection & prevention systems. • They search for predefined signatures belonging to malware by scanning the packet payloads. • Software-based scanners: not fast enough to monitor all traffic on a high-speed link. • Hardware-based scanners: can make use of parallelism to perform deep packet inspection with high throughput. • Programmable Logic Devices (PLDs): provide the flexibility and performance to scan for regular expressions within a high-speed network.
System Architecture • System components • Data Enabling Device (DED) – Scans packets. • Its heart is the FPX (Field-programmable Port Extender), which consists of a module implemented in FPGA hardware that scans the content of Internet packets at Gigabit-per-second rates. • It is installed at key traffic aggregation points of networks, as well as on the backbone. • Content Matching Server (CMS) – Reprograms DEDs. • It compiles and synthesizes custom circuits to reconfigure DEDs over the network. • Regional Transaction Processor (RTP) – Determines the action. • It consults a database to determine actions when matching content is found by a DED. • A single RTP can be used to remotely coordinate the activities of up to 100 DEDs.
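The following is an added software model of the DED/RTP split described on the previous two slides; it is not code from the slides or from the Lockwood et al. project. The "DED" stage scans every packet payload against all signatures in one pass using an Aho-Corasick automaton (the software counterpart of the hardware's parallel matchers), and the "RTP" stage consults an action table to decide what happens to each packet. The signature names, patterns, packets and action table are all constructed for illustration.

```python
"""Software model of a signature-scanning DED feeding an RTP action lookup.
Added example; the FPX hardware does this matching in parallel circuits."""
from collections import deque


class SignatureScanner:
    """Multi-pattern byte scanner (Aho-Corasick): one pass over the payload
    finds every signature, however many signatures are loaded."""

    def __init__(self, signatures):
        # signatures: dict of signature name -> bytes pattern
        self.goto = [{}]      # per-state transitions: byte -> next state
        self.fail = [0]       # failure link per state
        self.out = [[]]       # signature names recognised at each state
        for name, pattern in signatures.items():
            self._add(name, pattern)
        self._build_failure_links()

    def _add(self, name, pattern):
        state = 0
        for b in pattern:
            nxt = self.goto[state].get(b)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][b] = nxt
            state = nxt
        self.out[state].append(name)

    def _build_failure_links(self):
        # Breadth-first so a state's failure link is ready before its children's.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A match at the fallback state is also a match here.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, payload):
        """Return the set of signature names found anywhere in payload."""
        state, hits = 0, set()
        for b in payload:
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits.update(self.out[state])
        return hits


# Constructed signature set (stands in for the patterns a CMS would compile).
SIGNATURES = {
    "worm_probe": b"EXAMPLE_WORM_PROBE",
    "virus_marker": b"EXAMPLE_VIRUS_MARKER",
    "suspicious_attachment": b"example.exe",
}

# Constructed RTP action database: signature name -> action.
ACTIONS = {
    "worm_probe": "drop",
    "virus_marker": "drop",
    "suspicious_attachment": "alert",
}
SEVERITY = {"forward": 0, "alert": 1, "drop": 2}


def rtp_decide(hits):
    """RTP stage: look up each matched signature and return the most severe
    action. A signature missing from the table is treated as 'alert'
    (an assumption of this example, not the paper's policy)."""
    decision = "forward"
    for name in hits:
        action = ACTIONS.get(name, "alert")
        if SEVERITY[action] > SEVERITY[decision]:
            decision = action
    return decision


# Constructed packets: (packet id, application payload).
PACKETS = [
    (1, b"Hello, this is a plain text message."),
    (2, b"....EXAMPLE_WORM_PROBE....."),
    (3, b"attachment=example.exe; otherwise ordinary mail"),
    (4, b"EXAMPLE_VIRUS_MARKER then example.exe"),
]


def process_packets(packets, signatures=SIGNATURES):
    """DED scan followed by RTP decision for each packet."""
    scanner = SignatureScanner(signatures)
    results = {}
    for pkt_id, payload in packets:
        hits = scanner.scan(payload)
        results[pkt_id] = (sorted(hits), rtp_decide(hits))
    return results


if __name__ == "__main__":
    for pkt_id, (hits, action) in process_packets(PACKETS).items():
        print(pkt_id, hits, action)
```

Because the automaton advances one state per input byte regardless of the number of loaded signatures, adding signatures does not slow the scan; this is the property the FPX realises in hardware by running matchers side by side.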
System Architecture (Cont.) Fig. 1. Example topology of a Network Aggregation Point (NAP) with DEDs added to provide worm and virus protection
System Architecture (Cont.) • System operation Fig. 2. How the system works.
Reprogrammable Logic • A DED contains two network line cards, a backplane, and two or more FPX cards. • The FPX card implements the core function of the DED. It consists of • two FPGAs (one is the NID, the other is the RAD); • the NID is used to route individual traffic flows through the device and to process control packets; • the RAD is dynamically reconfigured over the network to perform customized packet processing functions. • five banks of memory; • two high-speed (OC-48 rate) network interfaces.
Reprogrammable Logic (Cont.) Fig. 3. The FPX card.
Reprogrammable Logic (Cont.) • Line cards: • SONET line card adapter for ATM networks • GBIC for Gigabit Ethernet. • Protocol processing wrappers: • ATM wrapper • Gigabit Ethernet wrapper • IP wrapper • UDP wrapper • TCP wrapper
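The wrappers listed above are layered: each one validates and strips one protocol header and hands the remaining bytes inward, so the content-matching module sees only the application payload. The code below is an added software sketch of that chain for the IP, UDP and TCP layers; it is not the FPX project's code (the real wrappers are hardware circuits), and the packet it parses is constructed inline for the demonstration.

```python
"""Software model of chained protocol wrappers: IP -> UDP/TCP -> payload.
Added example; packet contents are constructed, not captured traffic."""
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ipv4_checksum(header):
    """RFC 791 header checksum: one's complement of the one's-complement
    sum of the 16-bit words. Over a valid header (checksum included) it is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_wrapper(packet):
    """IP wrapper: check version, lengths and checksum; return
    (protocol, src, dst, inner bytes)."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, _tos, total_len, _ident, _flags, _ttl,
     proto, _cks, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return proto, src, dst, packet[ihl:total_len]


def udp_wrapper(segment):
    """UDP wrapper: fixed 8-byte header; return (sport, dport, payload)."""
    if len(segment) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _cks = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("bad UDP length")
    return sport, dport, segment[8:length]


def tcp_wrapper(segment):
    """TCP wrapper: header length comes from the 4-bit data offset (in
    32-bit words); return (sport, dport, payload)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(segment):
        raise ValueError("bad TCP data offset")
    return sport, dport, segment[data_off:]


def extract_payload(packet):
    """Run the wrapper chain and return what the scanner would receive."""
    proto, src, dst, inner = ip_wrapper(packet)
    if proto == IPPROTO_UDP:
        name, (sport, dport, payload) = "udp", udp_wrapper(inner)
    elif proto == IPPROTO_TCP:
        name, (sport, dport, payload) = "tcp", tcp_wrapper(inner)
    else:
        raise ValueError("unsupported protocol %d" % proto)
    dotted = lambda a: ".".join(str(o) for o in a)
    return {"proto": name, "src": dotted(src), "dst": dotted(dst),
            "sport": sport, "dport": dport, "payload": payload}


def build_udp_packet(src, dst, sport, dport, payload):
    """Construct a valid IPv4/UDP packet for the demonstration
    (UDP checksum left at 0, meaning 'not computed')."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234,
                      0x4000, 64, IPPROTO_UDP, 0, addr(src), addr(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


# Constructed sample packet.
EXAMPLE_PACKET = build_udp_packet("10.0.0.1", "10.0.0.2", 40000, 53,
                                  b"EXAMPLE_PAYLOAD")

if __name__ == "__main__":
    print(extract_payload(EXAMPLE_PACKET))
```

A packet that fails a wrapper's check (bad checksum, inconsistent length) never reaches the matcher, which is why the wrappers sit in front of the content-scanning module in the FPX pipeline.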
Reprogrammable Logic (Cont.) • Performance • By implementing four modules in parallel, the FPX can process data at a rate of 2.4 Gigabits per second. • By performing the network scanning with parallel hardware, all packets can be examined even at high throughput. Fig. 4. Performance of FPGA-based matching vs. software-based matching.
Conclusions • The system scans data quickly. • The scanning devices can be reconfigured to search for new attack patterns. • The system takes immediate action when attacks occur.
References • Internet Worm and Virus Protection in Dynamically Reconfigurable Hardware; by John W. Lockwood, James Moscola, Matthew Kulig, David Reddick, Tim Brooks, Military and Aerospace Programmable Logic Device (MAPLD), Washington DC, 2003, Paper E10, Sep 9-11, 2003. http://www.arl.wustl.edu/~lockwood/publications/MAPLD_2003_e10_lockwood_p.pdf • Application of Hardware Accelerated Extensible Network Nodes for Internet Worm and Virus Protection; by John W. Lockwood, James Moscola, David Reddick, Matthew Kulig, and Tim Brooks, International Working Conference on Active Networks (IWAN), Kyoto, Japan, December, 2003. http://www.arl.wustl.edu/~lockwood/publications/lockwood_IWAN_2003.pdf