Designs and algorithms for packet and content inspection

This dissertation addresses essential issues in high-performance processing for network security and deep packet inspection. The proposed solutions keep pace with the growing number and complexity of known attack descriptions while providing multi-Gbps processing rates. We advocate the use of reconfigurable hardware to provide flexibility, hardware speed, and parallelism in challenging packet and content inspection functions. The thesis is divided into two parts: content inspection and packet inspection.

The first part considers high-speed scanning and analysis of packet payloads to detect hazardous content. Such content is described either as static patterns or as regular expressions and must be matched against the incoming data. The proposed static pattern matching approach introduces pre-decoding, so that matching characters are shared among CAM-like comparators, and a new perfect hashing algorithm that predicts a single candidate pattern, which is then confirmed by comparison against the stored pattern. The FPGA designs match over 2,000 static patterns, provide 2-8 Gbps operating throughput and require 10-30% of the area of a large reconfigurable device; that is half the performance of an ASIC and approximately 30% more efficient than previous FPGA-based solutions. The regular expression design follows a Non-Deterministic Finite Automata (NFA) approach and introduces new basic building blocks for complex regular expression features. Theoretical grounds in support of the new blocks are established to prove their correctness. As a result, approximately four times fewer finite automata states need to be stored. The designs achieve 1.6-3.2 Gbps throughput using 10-30% of the area of a large FPGA to match over 1,500 regular expressions; that is 10-20x more efficient than previous FPGA-based works and comparable to ASICs. The second part of the thesis concerns offloading the overall processing of a packet inspection engine.
Packet pre-filtering is introduced as a means to resolve, or at least alleviate, the processing requirements of matching incoming traffic against large datasets of known attacks. Partially matching the descriptions of malicious traffic eliminates over 98% of the attack descriptions per packet from further processing. Packet pre-filtering is implemented in reconfigurable technology and sustains 2.5 to 10 Gbps processing rates on a Xilinx Virtex2 device.
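A software model of packet pre-filtering, added here as an illustration and not code from the thesis: each rule contributes a cheap partial description (its header constraints plus a short prefix of its first content pattern), the pre-filter selects only the rules whose partial description the packet satisfies, and full content matching runs on that candidate subset alone. The rule set, packet contents and the four-byte prefix length are constructed assumptions for this example. The property a practitioner must check for any pre-filter is the one `prefilter_is_sound` tests: it may over-select (false positives cost only extra full-match work) but must never drop a rule the packet would fully match.

```python
"""Packet pre-filtering modelled in Python: a partial match on header fields
plus a short prefix of the first content pattern selects the few rules a
packet could possibly match; full content matching then runs only on them."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    sid: int
    proto: str
    dport: Optional[int]          # None matches any destination port
    contents: Tuple[bytes, ...]   # a full match needs every pattern in the payload


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    payload: bytes


# Constructed rule set in the spirit of NIDS signatures; these are not real rules.
RULES = (
    Rule(1001, "tcp", 80, (b"/etc/passwd",)),
    Rule(1002, "tcp", 80, (b"cmd.exe",)),
    Rule(1003, "tcp", 80, (b"<script", b"javascript:")),
    Rule(1004, "tcp", 21, (b"USER ", b"anonymous")),
    Rule(1005, "tcp", 25, (b"MAIL FROM:", b"%00")),
    Rule(1006, "udp", 53, (b"\x00\x00\x29",)),
    Rule(1007, "tcp", None, (b"/bin/sh",)),
    Rule(1008, "tcp", 80, (b"UNION", b"SELECT")),
)


def header_ok(rule: Rule, pkt: Packet) -> bool:
    return rule.proto == pkt.proto and rule.dport in (None, pkt.dport)


def full_match(rule: Rule, pkt: Packet) -> bool:
    """The expensive check: header plus every content pattern present."""
    return header_ok(rule, pkt) and all(c in pkt.payload for c in rule.contents)


class PreFilter:
    """Index rules by a short prefix of their first content pattern."""

    def __init__(self, rules, prefix_len: int = 4):
        self.index = {}
        for r in rules:
            self.index.setdefault(r.contents[0][:prefix_len], []).append(r)
        # patterns shorter than prefix_len are keyed by their full text
        self.lengths = sorted({len(k) for k in self.index})

    def candidates(self, pkt: Packet):
        """Rules whose partial description (header + prefix) the packet satisfies."""
        seen, out = set(), []
        for n in self.lengths:
            for i in range(len(pkt.payload) - n + 1):
                for r in self.index.get(pkt.payload[i:i + n], ()):
                    if r.sid not in seen and header_ok(r, pkt):
                        seen.add(r.sid)
                        out.append(r)
        return out


def inspect(pkt: Packet, pf: PreFilter):
    """Return (alerting rule ids, number of rules that needed full matching)."""
    cands = pf.candidates(pkt)
    return [r.sid for r in cands if full_match(r, pkt)], len(cands)


def prefilter_is_sound(rules, pf: PreFilter, packets) -> bool:
    """A pre-filter may over-select, but it must never drop a rule that
    fully matches; check that against full matching over every rule."""
    for pkt in packets:
        cand = {r.sid for r in pf.candidates(pkt)}
        if any(full_match(r, pkt) and r.sid not in cand for r in rules):
            return False
    return True


PREFILTER = PreFilter(RULES)

if __name__ == "__main__":
    pkt = Packet("tcp", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n")
    alerts, examined = inspect(pkt, PREFILTER)
    print(alerts, f"{len(RULES) - examined} of {len(RULES)} rules skipped")
```

Soundness holds by construction here: anything that fully matches contains its first content pattern, hence its prefix, and satisfies the header constraints, so it is always selected. The candidate count returned by `inspect` is the quantity the thesis reports at scale: with the sample set, most packets leave the full matcher with zero or one rule to check out of eight.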
