1 / 1

Sujayyendhiren RS, Kaiqi Xiong and Minseok Kwon Rochester Institute of Technology

OpenBIDS : An OpenFlow-enabled Network Intrusion Detection System Using Bloom Filters. Sujayyendhiren RS, Kaiqi Xiong and Minseok Kwon Rochester Institute of Technology. Abstract

toshi
Download Presentation

Sujayyendhiren RS, Kaiqi Xiong and Minseok Kwon Rochester Institute of Technology

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. OpenBIDS : An OpenFlow-enabled Network Intrusion Detection System Using Bloom Filters Sujayyendhiren RS, Kaiqi Xiong and Minseok Kwon Rochester Institute of Technology Abstract OpenBIDS uses OpenFlow and Bloom filters to provide a high performance online Network Intrusion Detection System (NIDS). The Bloom filter resides in the data plane, and runs multiple pattern matching while OpenFlow provides a robust, efficient and modular framework for the filtering and configuration in the data plane. Motivation OpenBIDS Architecture Increasing network bandwidth and security threats calls for an NIDS with high accuracy and throughput. OpenBIDS is an attempt to augment OpenFlow, which is a robust Software Defined Networking (SDN) framework, for the data plane rules configuration and packet filtering. Experimental Setup in ProtoGENI These results show the lookup time taken by the Bloom filter lookup in OpenBIDS including metadata construction. The results show that the lookup time increases in proportion to data size increase. The first figure shows the results when signature length ranges from 5 to 25 bytes; the second one is when signature length is from 5 to 65 bytes. Components of OpenBIDS Control Plane: The control plane receives, parses, and stores configuration information pertaining to the signatures received from the controller (as the interface between the controller and data plane). The signature specific information is stored at a hash table. Netlink Interface: Data transfer between the user space and kernel space via Netlink sockets. Data plane: The data plane receives signature information from the control plane, and inserts that into the Bloom filter. Data lookup with the filter is hooked in the OpenFlow data plane. Controller: The controller sends configuration information to the user space module. The user space module then parses and stores signature and relevant information, and forwards the signature information to the filter. Bloom filter: This data structure is used for high speed membership queries. It is lightweight and supports rapid lookup with some false positives. The size of the Bloom filter is independent of string length, and this in turn makes the filter a good candidate to be implemented in fast on-chip memory. The filter calculates k hash values for each signature and stored in m memory.We use k = 8and m = 102,400. The experimental setup comprises 4 PCs in which PC-1 runs the OpenFlow controller and the OpenBIDS rules configuration files. The PC placed at the center has the OVS kernel module (openvswitch.ko) with the Bloom filter hook running as the OpenBIDS data plane. The OpenBIDS control plane resides at the users space on this machine. PC-2 is the source that produces data plane packets to OpenBIDS. All the data plane packets are destined to PC-0. Common packet generators can be used at PC-2 and PC-0 for the analysis of parameters like delay and jitter. Results are obtained by populating 60 - 70 signatures of lengths ranging between 5 bytes to the maximum signature lengths specified in the above table. Data packet of 1000 bytes was analyzed each time. There is linear increase in processing time with increase in the signature length. Experimental Results • Conclusions and Future Work • OpenBIDS is modular and its data plane is lightweight.It can thus be easily integrated into a variety of networks including SDN. • Speed can further be increased by using a parallel Bloom filter. • OpenBIDS may well be extended to dynamically learn/analyze network traffic, and thus add rules to eradicate the learned threats. We used plaintext data packets obtained from http://www.nist.org/news.php. The packets are of length in the order of thousand bits and contains information related to security. The size of the filter used for the experiment is 102,400 bits. About 25 common signatures/strings were populated with the length ranging from 4 to 20 bytes.

More Related