An Evolution of Pattern Matching within Network Intrusion Detection Systems
Erik Anderson
9 November 2006

Overview
• Introduction and Background
• Software Approaches
• Soft Core Processors
• Circuit Based Pattern Matching
• Automatic Synthesis
• Memory Based Pattern Matching
• Comparisons of Techniques
• Future Works
Introduction and Background
• Network Intrusion Detection/Prevention Systems
• Pattern matching in the application layer
• Patterns and network speeds are growing faster than CPU speeds
• Reconfigurable computing
  • Price, performance and power: a middle ground between CPUs and ASICs
Software Approaches
• Commercial NIDS
  • Snort
  • Hogwash
• Algorithms
  • Brute force
  • Knuth-Morris-Pratt
  • Aho-Corasick

Aho-Corasick (figure)
From: Dharmapurikar 2005
Soft Core Processors (Lockwood, Washington University)
• Customize processors for an application.
• Objective: find a “good” solution in linear time.
• On-board evaluation with SPARC V8.
• 79 parameters … 3.6 trillion configurations

Soft Core Processors (Lockwood, Washington University)
• Evaluation technique
  • Assume parameter independence.
  • Start with the “out of the box” configuration.
  • Rebuild and evaluate the processor, tweaking one parameter at a time.
• Results (BLASTN)
  • 11.59% runtime improvement
  • 0% change in slices
  • 39% increase in BRAMs
Circuit Based Pattern Matching (Schimmel, Georgia Tech; Mangione-Smith, UCLA)
• Uses the brute force method in hardware
  • Very fast
  • Highly parallel
  • Ideal for reconfigurable computing
  • Expensive
From: Cho 2003

Circuit Based Pattern Matching (Schimmel, Georgia Tech; Mangione-Smith, UCLA)
• Shared substrings
  • Reduced circuit size
From: Cho 2003

Circuit Based Pattern Matching (Schimmel, Georgia Tech; Mangione-Smith, UCLA)
• Character decoding
  • Stateful comparison
  • Reduced circuit size
From: Clark 2004
Automatic Synthesis (Prasanna, USC; Najjar, UC Riverside)
• Given a high-level description, automatically generate a circuit.
• ROCCC
  • Translates C -> SUIF -> VHDL
  • Extensive loop analysis to find task-level parallelism.
  • Generalized tool.

Automatic Synthesis (Prasanna, USC; Najjar, UC Riverside)
• Riverside
  • Input is a set of search strings.
  • Generates a circuit based on:
    • Knuth-Morris-Pratt
    • Character decoding method
Memory Based Pattern Matching (Mangione-Smith, UCLA; Lockwood, Washington University)
• Circuit based approaches are fast but not scalable.
  • Throughput depends on an unrealistic bus model.
  • Must resynthesize with each new set of search strings.
• Paradigm switch: use memory to hold the strings, and circuits to manage the control path.

Hybrid Model (Mangione-Smith, UCLA; Lockwood, Washington University)
• Divide each search string into a prefix and a suffix.
• Use a circuit based design to match prefixes.
• Use a memory lookup to match the suffix.
From: Cho 2003
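A software model of the hybrid prefix/suffix scheme on this slide, added here as an example; it is not code from the slides or from Cho 2003. The 4-byte prefix width, the rule names and the payload are constructed for illustration.

```python
# Added example: software model of the hybrid prefix/suffix matcher.
# Stage 1 (the "circuit") compares a fixed-width window at every byte offset;
# stage 2 (the "memory") holds the suffixes and is read only on a prefix hit.
from typing import Dict, List, Tuple

PREFIX_LEN = 4  # assumed width of the hardware prefix comparators

def build_tables(patterns: Dict[str, bytes]) -> Dict[bytes, List[Tuple[str, bytes]]]:
    """Split each pattern into a prefix (matched by logic) and a suffix (stored
    in memory). Several patterns may share a prefix, so each memory entry is a
    list of (rule name, suffix) pairs that all have to be checked on a hit."""
    table: Dict[bytes, List[Tuple[str, bytes]]] = {}
    for name, pat in patterns.items():
        if len(pat) < PREFIX_LEN:
            raise ValueError(f"{name}: pattern shorter than the prefix width")
        table.setdefault(pat[:PREFIX_LEN], []).append((name, pat[PREFIX_LEN:]))
    return table

def scan(payload: bytes, table: Dict[bytes, List[Tuple[str, bytes]]]) -> List[Tuple[str, int]]:
    """Model of the data path: one byte enters per cycle, the comparators see
    the last PREFIX_LEN bytes, and a hit triggers a memory read of the suffix,
    which is then compared against the bytes that follow the prefix."""
    hits: List[Tuple[str, int]] = []
    for pos in range(len(payload) - PREFIX_LEN + 1):
        window = payload[pos:pos + PREFIX_LEN]          # stage 1: comparators
        for name, suffix in table.get(window, []):     # stage 2: memory lookup
            end = pos + PREFIX_LEN + len(suffix)
            if payload[pos + PREFIX_LEN:end] == suffix:  # truncated tail never matches
                hits.append((name, pos))
    return hits

# Constructed content strings in the style of NIDS rules (not real Snort rules);
# the two /etc entries share a prefix and therefore share one memory entry.
RULES = {
    "cmd-exe": b"cmd.exe",
    "etc-passwd": b"/etc/passwd",
    "etc-shadow": b"/etc/shadow",
}

def demo() -> List[Tuple[str, int]]:
    """Scan a constructed HTTP request line and return (rule, offset) hits."""
    payload = b"GET /cgi-bin/view?file=/etc/passwd&run=cmd.exe HTTP/1.0"
    return scan(payload, build_tables(RULES))

if __name__ == "__main__":
    for rule, offset in demo():
        print(f"{rule} at offset {offset}")
```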
Jump-ahead Aho-Corasick (Mangione-Smith, UCLA; Lockwood, Washington University)
• The circuit implements a variation of the Aho-Corasick state machine.
• Treat k characters as a single symbol.
From: Dharmapurikar 2005

Jump-ahead Aho-Corasick (Mangione-Smith, UCLA; Lockwood, Washington University)
• Search strings are held in memory data structures.
• A one-clock-cycle Bloom filter looks up each state transition.
• Multiple cores to improve performance.
From: Dharmapurikar 2005
Future Works
• Runtime reconfiguration of circuit based systems.
• Dealing with fragmented packets.
• Applications towards bioinformatics.

Abstractions for NIDS (Lockwood, Washington University)
• Motivation: collapse of Moore’s Law, increased threats, and design complexity.
• Paradigm shift from fast individual packet processing to fast cumulative processing.
• Long term goals:
  • A high-level language to describe network analysis.
  • Abstracting parallel techniques.
  • Automatic compilation/synthesis of circuits.