A Signature Match Processor Architecture for Network Intrusion Detection
Janardhan Singaraju, Long Bu and John A. Chandy
Electrical and Computer Engineering Department, University of Connecticut, Storrs, CT 06269-1157
Introduction
• Network intrusion detection: the process of identifying and analyzing packets that may signify an impending threat to an organization's network.
• Deployment. Passive: a secondary node analyzes the data flow. Host based: monitors a single system.
• SNORT: open source intrusion detection software. Example rule:
  alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master message detected"; content:"l44"; reference:arachnids,186; classtype:attempted-dos; sid:231; rev:3;)
  The content:"l44" keyword is the string the detector must find in the payload; it is also the signature used in the worked example later in the talk.
• String matching: 30% of computation time.
Software vs. Hardware
• Hardware implementation: very fast; offloads the CPU; less flexible; much longer design cycle.
• Software implementation: relatively slow; more CPU computation; flexible; easy to design and implement.
• Hardware techniques: finite automata based methods, CAM based methods.
CAM Based NIDS
• Content addressable memories: used in caches and IP address look-up tables.
• A CAM based NIDS stores the set of signatures as CAM entries.
• Each k-character window of input is compared against every entry in a single CAM lookup.
• Adding or changing a signature rewrites a CAM entry; the logic does not have to be reprogrammed.
• Cannot handle regular expressions.
Disadvantages
• Fixed keyword size k.
• Cannot match overlapping or unaligned signatures. E.g. signatures FOO and BAR, data AFOOBARCD, k = 3: the CAM is presented with the blocks AFO, OBA and RCD and finds no match.
• Alternative: a sliding window approach using single character comparators with shift registers, which checks every alignment but advances one character per cycle.
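The two CAM scanning disciplines on this slide as a small software model. This is an added example, not code from the slides or from the authors; the signatures FOO and BAR, the data AFOOBARCD and k = 3 are the slide's own values, while the set standing in for the CAM and the function names are my own.

```python
# Added example, not the authors' code: software model of a fixed-width CAM
# scanned (a) one aligned k-byte block per cycle and (b) through a one-byte
# shift register. Signature set, data and k are the slide's values.

K = 3                                   # CAM entry width in characters
CAM = {b"FOO", b"BAR"}                  # one fixed-width entry per signature
DATA = b"AFOOBARCD"                     # constructed packet payload


def cam_hit(window: bytes) -> bool:
    """Model the CAM: one lookup compares the k-byte window against every
    stored entry in parallel and reports whether any entry is identical."""
    return len(window) == K and window in CAM


def fixed_window_scan(data: bytes) -> list[tuple[bytes, int]]:
    """Block-aligned lookup: the packet is cut into consecutive k-byte blocks
    and each block is looked up once. Cost ceil(b/k) cycles, but a signature
    that straddles a block boundary is never presented to the CAM."""
    hits = []
    for off in range(0, len(data), K):
        block = data[off:off + K]
        if cam_hit(block):
            hits.append((block, off))
    return hits


def sliding_window_scan(data: bytes) -> list[tuple[bytes, int]]:
    """Shift-register lookup: one new byte enters per cycle and the k most
    recent bytes are looked up, so every alignment is checked. Cost b cycles
    for a b-byte packet, i.e. one character per cycle."""
    hits = []
    window = b""
    for off, byte in enumerate(data):
        window = (window + bytes([byte]))[-K:]   # shift in, drop the oldest
        if cam_hit(window):
            hits.append((window, off - K + 1))   # start offset of the match
    return hits


def cycles(data: bytes) -> tuple[int, int]:
    """Cycle counts (fixed window, sliding window) for a b-byte packet."""
    b = len(data)
    return (-(-b // K), b)


if __name__ == "__main__":
    print("fixed window  :", fixed_window_scan(DATA))   # [] -> misses both
    print("sliding window:", sliding_window_scan(DATA))
    print("cycles (fixed, sliding):", cycles(DATA))
```

The fixed-window scan is three times cheaper on this packet and finds nothing; the sliding window finds FOO at offset 1 and BAR at offset 4 but spends a cycle per byte, which is the throughput problem the processor on the following slides addresses by matching p characters per cycle.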
Our Model
• CAM based signature match processor
• Uses an array of cellular automata (processing elements) to process character matches
• Compatible with further optimizations such as processing characters in parallel, prefix sharing and pattern partitioning
• Multiple character matches per cycle of operation
Signature Match Processor Architecture (block diagram)
Control circuit: takes CPU control and data in from the network, issues PE reset and SM reset, and raises Finish when the matched address output is complete.
Data path: Character match array -> Signature match array (match signal) -> Signature match buffer -> Address output logic -> Matched address output.
Character match array
• Can be implemented with a CAM or as an array of discrete comparators
• 256 8-bit comparators match all possible byte (ASCII) values
• p rows of comparators, where p is the degree of parallelism (bytes matched per cycle)
Character Match Array (figure)
Bytes 1..p of the current word each feed a row of comparators, one per character (A, B, C, D, ...); row i produces Match A[i] ... Match D[i], so the array outputs Match A[1:p] ... Match D[1:p]. E.g. when byte 1 is 'C' its row reads A=0, B=0, C=1, D=0; when byte 1 is 'D' it reads A=0, B=0, C=0, D=1.
Signature Match Array
• N x 1 array of processing elements (PEs), where N is the number of characters in the signature set to be matched.
• All inputs are connected according to the signature set to be matched.
• Each element performs a simple algorithm parameterised by the number of characters matched at a time (p).
Signature Match Array (figure, signature QUIT)
Four PEs in a chain, fed by MQ[1:p], MU[1:p], MI[1:p] and MT[1:p] from the character match array. Cout[1:p] of each PE drives Cin[1:p] of the next; Sig_beg is asserted at the Q PE and Sig_end at the T PE, which produces the Signature match output.
Signature Match Array
EX: p = 4 (PE for character A; MA1..MA4 are the match bits for bytes 1..4 of the current word, cin1..cin4 the carries from the previous PE)
-- Byte 1 continues a match that ended at byte 4 of the previous cycle,
-- so its carry in is the registered cin4, not a carry from this cycle.
cout1 <= MA1 and (cin4 or sig_beg);
cout2 <= MA2 and (cin1 or sig_beg);
cout3 <= MA3 and (cin2 or sig_beg);
cout4_temp <= MA4 and (cin3 or sig_beg);
-- The signature is matched when its last PE fires on any byte position.
sig_match <= sig_end and (cout1 or cout2 or cout3 or cout4_temp);
-- Only the 4th carry crosses the cycle boundary, so only it is registered.
process (clk)
begin
  if (clk'event and clk = '1') then
    cout4 <= cout4_temp;
  end if;
end process;
Signature Match Array
• Each PE generates carry signals that are propagated to the next PE.
• These carry signals determine the carry signals generated in the next PE.
• The carry signals together with the signature begin signal determine a word match.
• The p-th carry out of each PE is latched for use in the next cycle, because byte 1 of the next word follows byte p of the current one.
Signature Match Processor (worked figure)
PE chain l, 4, 4 (signature l44: Sig_beg at l, Sig_end at the second 4) followed by a, d, s, l (signature adsl: Sig_beg at a, Sig_end at l). Data in: fl44. In the first step only the l PE produces a carry and Signature match is 0; in the second step the carry propagates through the two 4 PEs and Signature match for l44 is 1, while adsl stays at 0.
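A cycle-level model of the signature match array covering the PE equations and the fl44 figure. This is an added example, not the authors' code: the PE logic is the p = 4 VHDL on the earlier slide generalised to any p (with the byte-1 carry taken from the latched p-th carry of the previous PE, as the slides describe), the signature set {l44, adsl} and the input fl44 are the figure's, and the assumption that the figure streams two bytes per cycle (p = 2) is mine, as are the class and function names. It also goes beyond the figure by running the unaligned FOO/BAR case and two signatures that overlap in the input.

```python
# Added example, not the authors' code: a cycle-level Python model of the
# signature match array. PE equations follow the slides' p = 4 VHDL,
# generalised to any p. Signature set {l44, adsl} and input fl44 are taken
# from the worked figure; p = 2 for that trace is an assumption.

PAD = "\0"   # filler for the last, partial word; must not occur in any signature


class SignatureMatchArray:
    """N x 1 chain of processing elements, one PE per signature character.

    For PE j with character c, byte i (1..p) of the current word and carries
    cin[1..p] from PE j-1:
        cout_i = M_i and (cin_{i-1} or sig_beg)      for i = 2..p
        cout_1 = M_1 and (cin_p(latched) or sig_beg)
    where M_i is the character match array output (byte i == c). The p-th
    carry is registered because byte 1 of the next word follows byte p of
    this one. sig_match is raised by a sig_end PE when any cout_i is set.
    """

    def __init__(self, signatures: list[str], p: int):
        self.p = p
        self.pes = []                 # (character, sig_beg, sig_end, signature)
        for sig in signatures:
            for k, ch in enumerate(sig):
                self.pes.append((ch, k == 0, k == len(sig) - 1, sig))
        self.latched = [False] * len(self.pes)   # registered cout_p per PE
        self.cycle = 0
        self.match_buffer: list[tuple[str, int]] = []   # (signature, end address)

    def step(self, word: str) -> list[tuple[str, int]]:
        """Present one p-byte word; return (signature, end byte address)
        pairs whose sig_end PE fired in this cycle."""
        assert len(word) == self.p
        fired = []
        prev_cout = [False] * self.p          # PE 0 has no predecessor
        new_latched = []
        for j, (ch, sig_beg, sig_end, sig) in enumerate(self.pes):
            m = [b == ch for b in word]       # character match array row for c
            cout = []
            for i in range(self.p):
                if i == 0:
                    cin = self.latched[j - 1] if j > 0 else False
                else:
                    cin = prev_cout[i - 1]
                cout.append(m[i] and (cin or sig_beg))
            if sig_end:
                for i, c in enumerate(cout):
                    if c:
                        fired.append((sig, self.cycle * self.p + i))
            new_latched.append(cout[-1])
            prev_cout = cout
        self.latched = new_latched            # clock edge: register carry p
        self.cycle += 1
        self.match_buffer.extend(fired)
        return fired

    def scan(self, data: str) -> list[tuple[str, int]]:
        """Stream a whole packet, p bytes per cycle, padding the last word."""
        for off in range(0, len(data), self.p):
            self.step(data[off:off + self.p].ljust(self.p, PAD))
        return list(self.match_buffer)


def trace(signatures: list[str], data: str, p: int) -> list[list[tuple[str, int]]]:
    """Per-cycle sig_match events, e.g. the figure's fl44 trace at p = 2."""
    sma = SignatureMatchArray(signatures, p)
    return [sma.step(data[off:off + p].ljust(p, PAD))
            for off in range(0, len(data), p)]


if __name__ == "__main__":
    # Figure trace: cycle 1 presents "fl" (no match), cycle 2 presents "44"
    # and the last PE of l44 fires; end address 3 is the offset of the final
    # '4' in fl44.
    print(trace(["l44", "adsl"], "fl44", 2))      # [[], [('l44', 3)]]
    # Unaligned signatures are found regardless of p, and overlapping
    # signatures can both complete in the same cycle.
    print(SignatureMatchArray(["FOO", "BAR"], 4).scan("AFOOBARCD"))
    print(SignatureMatchArray(["ABC", "BCD"], 2).scan("ABCD"))
```

Because the carries, not the window, carry the state, a signature may start at any byte of a word and span any number of words, which is exactly the overlap case the fixed-width CAM missed; the ABC/BCD run also shows two matches completing in one cycle, which is why the match buffer and a priority address output stage are needed after the array.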
Address Output Logic
• Separates multiple matches of signatures and decodes the start address of each signature match
• The signature match buffer stores the end address of every word match
• The match position (MP) vector is the input to the binary tree structured address output logic
Address Output Logic (figure)
Binary tree: leaf inputs MP0/LP0 ... MP3/LP3, internal nodes A0 and A1 (the address bits) feeding MAA, which takes LP in and drives MA out (the matched address).

Worked example, MP = 1011 (one row per output cycle):
MP     LP     Address
1011   1000   11
0011   0010   01
0001   0001   00
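The binary-tree address output logic as a software model. This is an added example, not the authors' logic: each tree level tests whether the upper half of the match position vector holds any match, which yields one address bit and selects the half to descend into; the isolated bit (LP) is then cleared from MP so the next cycle emits the next address. The 4-bit rows 1011/0011/0001 are the slide's; the function names and the 8-bit run are mine.

```python
# Added example, not the authors' logic: software model of the binary-tree
# structured address output logic. MP is the match position vector from the
# signature match buffer (bit i set = a signature ended at position i). Each
# cycle the tree isolates the highest set bit (LP), emits its address and
# clears it from MP, so M matches cost M cycles plus one finish cycle.
from typing import Optional


def priority_encode(mp: int, width: int) -> tuple[Optional[int], int]:
    """One node of the binary tree over a `width`-bit MP (width a power of 2).

    If the upper half holds any match, this level's address bit is 1 and the
    upper half is encoded recursively; otherwise the bit is 0 and the lower
    half is encoded. Returns (address, LP), LP being the one-hot of the
    selected bit, or (None, 0) when MP is empty.
    """
    if mp == 0:
        return None, 0
    if width == 1:
        return 0, 1
    half = width // 2
    upper = mp >> half
    if upper:
        addr, lp = priority_encode(upper, half)
        return addr + half, lp << half          # this level's address bit = 1
    addr, lp = priority_encode(mp & ((1 << half) - 1), half)
    return addr, lp                             # this level's address bit = 0


def drain(mp: int, width: int) -> list[tuple[int, int, int]]:
    """Cycle-by-cycle output: one (MP, LP, address) row per match, in the
    order the hardware emits them; MP is updated by clearing LP (MAA)."""
    rows = []
    while mp:
        addr, lp = priority_encode(mp, width)
        rows.append((mp, lp, addr))
        mp &= ~lp
    return rows


def output_cycles(mp: int, width: int) -> int:
    """M + 1 cycles: one per match plus the final empty-MP (finish) cycle."""
    return len(drain(mp, width)) + 1


def show(mp: int, width: int) -> None:
    """Print the slide's table layout for any MP."""
    abits = width.bit_length() - 1
    print(f"{'MP':>{width}}  {'LP':>{width}}  Address")
    for m, lp, addr in drain(mp, width):
        print(f"{m:0{width}b}  {lp:0{width}b}  {addr:0{abits}b}")


if __name__ == "__main__":
    show(0b1011, 4)            # 1011/1000/11, 0011/0010/01, 0001/0001/00
    print("cycles:", output_cycles(0b1011, 4))   # 4
    show(0b10110000, 8)        # eight positions: one more address bit
```

For a buffer of width 2^n the tree is n levels deep and produces the n address bits in parallel, so each address costs one cycle regardless of how many matches are pending; the M + 1 term in the performance analysis that follows is the number of rows this loop produces plus the finish cycle.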
Control Circuit
• Manages data flow throughout the signature match processor
• Presents p bytes of data to the signature match array each cycle
• Resets the signature match buffers and enables the address output logic
Performance Analysis
• The time to process a b-byte packet is ceil(b/p) + M + 1 cycles, where M is the number of matches found in the packet.
• b/p is the time for the packet to stream through the signature match array; M + 1 is the time for the address output logic to emit the M matched addresses plus the finish cycle.
• When the address output of one packet overlaps the streaming of the next, the per-packet cycle count is max(b/p, M + 1).
• If b/p > M + 1, which is the general case, the per-packet cost is b/p cycles and the per-byte run time is 1/p cycles.
FPGA implementation
• Xilinx Virtex II Pro XC2VP30 FPGA
• The Virtex II Pro's RocketIO transceivers are used to implement the MAC
• Xilinx ISE 7.1i design environment
• Rule sets ranging from 94 rules with 1021 characters to 1237 rules with 16347 characters
Resource Utilization
• The design with binary tree structured address output logic uses 1.5 registers and 1.5 LUTs per CAM character.
• LUTs correspond to the CAM, the PE logic and the match address output (MAO) logic.
• Registers correspond to the word match buffers and the PE registers.
Comparison with NIDS FPGA Designs
• The performance metric is the ratio of throughput to logic cells per character, which captures the trade-off between area and performance.
• The number of logic cells per character is small.
• Throughput increases with the degree of parallelism p.
Conclusions
• Innovative CAM based signature match processor
• Processing speeds of over 5 Gbps can be achieved
• A priority address encoder generates the addresses when there are multiple matches
Future Directions
• Use the embedded PowerPC in the Virtex II Pro to implement the software part of the NIDS: SMP management, alerts, logging, etc.
• Other applications: directory lookup in network storage systems, DNS lookup and LDAP processing
• Extend the SMP to support wild card and approximate word matching
• Improve the power characteristics of the SMP