Hardware Architecture of a Behavior Modeling Coprocessor for Network Intrusion Detection System
YADAV, MEETA. Hardware Architecture of a Behavior Modeling Coprocessor for Network Intrusion Detection. (Under the direction of Professor Paul D. Franzon).
Intrusion detection systems protect a network against exploitation and manipulation by monitoring the incoming and outgoing traffic and classifying it as normal or malicious. The task of classifying network traffic is difficult and is made more complex by growing performance pressures of increasing traffic rates, the need to detect stealthy attacks by performing sophisticated analysis, the requirement of in-line processing and the inability of software based systems to keep up with the line-speeds. Most current intrusion detection systems make trade-offs between one or more performance requirements. For instance, software based systems are scalable and can perform more complex algorithmic analysis on the network traffic but are incapable of keeping up with the line speeds. Hardware based systems can process packets in real-time but are not scalable or configurable, and they are limited to rule based packet filtering. These growing performance pressures on network security devices have redefined the issues to be addressed in the design of a security system, underlining the need for a scalable and configurable hardware system that has the ability to effectively detect intrusions by performing sophisticated analysis at line-speeds while keeping up with the increasing traffic rate and attack sophistication. The focus of this dissertation is to design a hardware based intrusion detection system that is scalable, configurable, and capable of analyzing traffic to detect various categories of attacks at linespeeds. Specifically, we address four important issues with the design of hardware based systems:
- A behavior based technique was implemented in hardware to detect attacks embedded in the different protocol layers, across layers and in the payload of the packet. The technique monitors the traffic deeply, recovers higher-layer semantics, understands the flow of commands, requests and responses, and detects attacks embedded across packets and across connections. The technique checks the network traffic for behavioral compliance using configurable, parametric data structures called theories that can model simple as well as complex behavior. Theories translate themselves into hardware using configurable functional units called assertion blocks.
- Theories and assertion blocks are parametric and configurable in nature and can be configured to translate any behavior description to hardware. The ability of individual theories and assertion blocks to be configured lends the configurability aspect to the entire system. To enable the system to scale with an increase in behavior modules, a configurable fabric of assertion blocks has been developed. The configurable assertion block fabric contains pre-synthesized assertion modules that are triggered by theories to perform the operation specified by the theories.
- A Multi-Level Fractional Hash Algorithm was developed to effectively manage the traffic information gathered, inserting and querying a connection record with average-case O(1) cost. The technique uses associative memory arranged in different levels, an on-chip bit vector array to insert records and the tag based technique of caches to query a record.
- To block pre-defined and user defined malicious content, a high speed, Trie based pattern matching algorithm was designed. The algorithm splits the pattern set into tries that are stored in the on-chip memory and pruned patterns that are stored in the off-chip SRAM. The streaming data is split into sub-streams that can lead to a possible match. The sub-streams are searched in parallel for malicious content by traversing the on-chip tries and comparing the pruned patterns stored off-chip using dedicated comparators. The throughput of the pattern matching algorithm is 14 Gbps and is independent of the length of the patterns, the location of the malicious content in the streaming data and the number of patterns in the pattern set.
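As an added illustration of the theory and assertion-block idea from the first two contributions (example code written for this page, not the dissertation's design or hardware), the following Python model treats a theory as a list of parametric entries that select generic assertion blocks. The block types (order, limit, length), the SMTP command rules, the per-flow state layout and the sample traffic are all assumptions made for the example; what it shows is that the same blocks, driven only by parameters, check behavior across the packets of one connection and across interleaved connections.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A "theory" here is a parametric description of acceptable behavior for one
# protocol: each entry names an assertion-block type plus its parameters.
# Block types and the SMTP rules are illustrative assumptions, not the
# dissertation's definitions.
SMTP_THEORY = [
    ("order", {"before": "MAIL", "after": "RCPT"}),   # RCPT needs a prior MAIL
    ("order", {"before": "RCPT", "after": "DATA"}),   # DATA needs a prior RCPT
    ("limit", {"cmd": "RCPT", "max": 3}),             # at most 3 recipients per session
    ("length", {"cmd": "MAIL", "max_len": 64}),       # bound on the MAIL argument length
]


@dataclass
class FlowState:
    """Per-connection state kept between packets (the cross-packet memory)."""
    seen: set = field(default_factory=set)
    counts: Dict[str, int] = field(default_factory=lambda: defaultdict(int))


# Assertion blocks: generic, reusable checks driven purely by their parameters.
def assert_order(state, cmd, arg, p):
    if cmd == p["after"] and p["before"] not in state.seen:
        return f"{cmd} before {p['before']}"
    return None


def assert_limit(state, cmd, arg, p):
    if cmd == p["cmd"] and state.counts[cmd] > p["max"]:
        return f"{cmd} count {state.counts[cmd]} exceeds {p['max']}"
    return None


def assert_length(state, cmd, arg, p):
    if cmd == p["cmd"] and len(arg) > p["max_len"]:
        return f"{cmd} argument length {len(arg)} exceeds {p['max_len']}"
    return None


BLOCKS = {"order": assert_order, "limit": assert_limit, "length": assert_length}


class BehaviorMonitor:
    """Applies one theory to every flow; flows are tracked independently."""

    def __init__(self, theory):
        self.theory = theory
        self.flows: Dict[str, FlowState] = {}

    def observe(self, flow_id: str, line: str) -> List[str]:
        """Feed one command line from a flow; return the violations it triggers."""
        state = self.flows.setdefault(flow_id, FlowState())
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        state.counts[cmd] += 1
        violations = []
        for kind, params in self.theory:
            msg = BLOCKS[kind](state, cmd, arg, params)
            if msg:
                violations.append(f"{flow_id}: {msg}")
        state.seen.add(cmd)   # record after checking so order blocks see prior commands only
        return violations


def run_demo() -> List[str]:
    """Constructed sample traffic: two connections interleaved packet by packet."""
    mon = BehaviorMonitor(SMTP_THEORY)
    packets: List[Tuple[str, str]] = [
        ("c1", "EHLO mail.example"),
        ("c2", "EHLO other.example"),
        ("c1", "MAIL FROM:<a@example>"),
        ("c2", "DATA"),                   # c2 skips MAIL and RCPT entirely
        ("c1", "RCPT TO:<b@example>"),
        ("c1", "RCPT TO:<c@example>"),
        ("c1", "RCPT TO:<d@example>"),
        ("c1", "RCPT TO:<e@example>"),    # fourth recipient on c1
        ("c1", "DATA"),
    ]
    found = []
    for flow, line in packets:
        found.extend(mon.observe(flow, line))
    return found


if __name__ == "__main__":
    for v in run_demo():
        print(v)
```

Adding a protocol means writing a new theory list, not new check code; adding a new kind of check means adding one block function and registering it in `BLOCKS`, which is the software analogue of the pre-synthesized assertion modules the fabric exposes.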
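The following Python model, added here as an illustration and not the dissertation's algorithm, shows the multi-level table structure named in the third contribution: a per-level occupancy bit vector consulted on insert, cache-style tag checks on query, and a bounded number of probes per operation. The level sizes, the per-level blake2b hash, the 5-tuple layout and the overflow handling are assumptions of the example.

```python
import hashlib
from typing import Optional, Tuple

# A connection record is keyed by its 5-tuple; sample values are constructed.
FiveTuple = Tuple[str, int, str, int, int]   # (src_ip, src_port, dst_ip, dst_port, proto)


def _hash(key: FiveTuple, level: int) -> int:
    # A different hash per level (the level number is mixed in) so records that
    # collide at one level spread differently at the next. Using blake2b for
    # this is an assumption of the model.
    data = repr((level, key)).encode()
    return int.from_bytes(hashlib.blake2b(data, digest_size=8).digest(), "big")


class MultiLevelConnectionTable:
    """Multi-level table with per-level occupancy bit vectors and cache-style tags.

    Level i has sizes[i] slots. A record goes into the first level whose slot for
    its key is free; lookups probe each level once and accept a slot only if the
    occupancy bit is set and the tag (hash bits not used for indexing) matches,
    then confirm with a full key compare. With a fixed number of levels, insert
    and query each touch a bounded number of slots.
    """

    def __init__(self, sizes=(1024, 256, 64)):
        self.sizes = sizes
        self.occupied = [bytearray(n) for n in sizes]   # models the on-chip bit vectors
        self.slots = [[None] * n for n in sizes]        # models associative memory: (tag, key, record)

    def _locate(self, key: FiveTuple, level: int) -> Tuple[int, int]:
        h = _hash(key, level)
        n = self.sizes[level]
        return h % n, h // n        # (index bits, tag bits)

    def insert(self, key: FiveTuple, record) -> Optional[int]:
        """Store or update the record; return the level used, or None if every candidate slot is taken."""
        for level in range(len(self.sizes)):
            idx, tag = self._locate(key, level)
            if not self.occupied[level][idx]:           # free slot found via the bit vector
                self.occupied[level][idx] = 1
                self.slots[level][idx] = (tag, key, record)
                return level
            slot = self.slots[level][idx]
            if slot[0] == tag and slot[1] == key:       # same connection: update in place
                self.slots[level][idx] = (tag, key, record)
                return level
        return None   # overflow for this key: the caller must evict, drop or count it

    def query(self, key: FiveTuple):
        for level in range(len(self.sizes)):
            idx, tag = self._locate(key, level)
            if self.occupied[level][idx]:
                slot = self.slots[level][idx]
                if slot[0] == tag and slot[1] == key:   # tag filters first, key confirms
                    return slot[2]
        return None

    def delete(self, key: FiveTuple) -> bool:
        """Free the slot on connection teardown so it can be reused."""
        for level in range(len(self.sizes)):
            idx, tag = self._locate(key, level)
            if self.occupied[level][idx]:
                slot = self.slots[level][idx]
                if slot[0] == tag and slot[1] == key:
                    self.occupied[level][idx] = 0
                    self.slots[level][idx] = None
                    return True
        return False
```

Using `sizes=(1, 1, 1)` forces every key to collide and makes the level-by-level fallback and the overflow path easy to observe; a real deployment would size the levels so that the deeper, smaller levels absorb only the collisions of the level above.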
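As an added example (written for this page, not the dissertation's implementation), this Python matcher models the fourth contribution: each pattern is split into a prefix kept in a trie (the on-chip part) and a pruned remainder kept in a separate table (the off-chip part), and the stream is split into one sub-stream per byte offset, which is compared further only when its first bytes reach a trie leaf. The prefix length, the dictionary trie, the sequential loop standing in for the parallel comparators, and the sample patterns and stream are assumptions of the example.

```python
from typing import Dict, List, Tuple


class PrunedTrieMatcher:
    """Keeps each pattern's first `prefix_len` bytes in a trie and the rest in a
    remainder table. A sub-stream starting at offset i is walked through the
    trie; each leaf reached names the pattern ids whose remainder must then be
    compared against the bytes that follow the prefix.
    """

    END = -1   # leaf marker key; byte values are 0..255, so -1 cannot collide

    def __init__(self, patterns: List[bytes], prefix_len: int = 4):
        self.k = prefix_len
        self.trie: Dict = {}             # models the on-chip trie
        self.pruned: List[bytes] = []    # models the off-chip pruned patterns, indexed by id
        for pid, pat in enumerate(patterns):
            if not pat:
                raise ValueError("empty pattern")
            node = self.trie
            for b in pat[:self.k]:
                node = node.setdefault(b, {})
            node.setdefault(self.END, []).append(pid)
            self.pruned.append(pat[self.k:])    # empty when the whole pattern fits in the trie

    def _compare_remainder(self, stream: bytes, start: int, pid: int) -> bool:
        # Stands in for the dedicated comparator: one fixed compare per candidate.
        rest = self.pruned[pid]
        return stream[start:start + len(rest)] == rest

    def search(self, stream: bytes) -> List[Tuple[int, int]]:
        """Return sorted (offset, pattern_id) pairs for every occurrence in the stream."""
        matches = []
        for i in range(len(stream)):          # each offset opens an independent sub-stream
            node = self.trie
            for j in range(i, min(i + self.k, len(stream))):
                node = node.get(stream[j])
                if node is None:              # prefix cannot lead to a match: drop the sub-stream
                    break
                for pid in node.get(self.END, ()):
                    if self._compare_remainder(stream, j + 1, pid):
                        matches.append((i, pid))
        return sorted(matches)


# Constructed sample pattern set and request line, not from any real rule set.
PATTERNS = [b"GET /cgi-bin/", b"../../", b"/etc/passwd", b"cmd.exe", b"../"]


def demo() -> List[Tuple[int, int]]:
    matcher = PrunedTrieMatcher(PATTERNS, prefix_len=4)
    return matcher.search(b"GET /cgi-bin/../../etc/passwd HTTP/1.0")


if __name__ == "__main__":
    for offset, pid in demo():
        print(offset, PATTERNS[pid])
```

Patterns shorter than the prefix length live entirely in the trie and carry an empty remainder, and patterns that share a prefix share one trie path and are distinguished only by their remainders; the per-offset loop is what the hardware runs in parallel, so its cost per byte does not depend on pattern length or pattern count.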
The architectural and algorithmic enhancements that addressed the performance issues with security systems were integrated into the hardware architecture of a behavior modeling coprocessor for network intrusion detection, called the Behavioral Intrusion Prevention and Detection System (BIPDS). BIPDS is designed to carry out threat detection with dedicated hardware accelerators by monitoring all communication layers, extracting relevant data, and enabling highly efficient operation. The designed system supports a large number of protocols and applications, and allows for extensibility to new applications and services. Different aspects of security have been handled with behavioral modeling, which enables the system to detect attack and pre-attack behavior. A key accomplishment of BIPDS is its scalable architecture and its flexibility to be updated, which enables the system to adapt to various network configurations and scale with an increase in network traffic and behavior models. The main contribution of this dissertation is the identification of an efficient hardware architecture that can process one million simultaneous data connections in parallel at 11 Gbps, has a die area of 17.3 sq mm (TSMC 0.25 μ library), and has a morphable data path to accommodate changes in network sizes and configurations.
Advisor: Paul D. Franzon; Michael A. Rappa; Yannis Viniotis; Gregory T. Byrd
School: North Carolina State University
School Location: USA - North Carolina
Source Type: Master's Thesis
Date of Publication: 03/26/2007