DPFEE: A High Performance Scalable Pre-Processor for Network Security Systems

Network Intrusion Detection Systems (NIDS) and anti-Denial-of-Service (DoS) systems employ Deep Packet Inspection (DPI), which provides visibility into payload content in order to detect network attacks. All DPI engines assume a pre-processing step that extracts the various protocol-specific fields. However, application layer (L7) field extraction is computationally expensive. We propose a novel Deep Packet Field Extraction Engine (DPFEE) that offloads application layer field extraction to hardware. DPFEE is a content-aware, grammar-based, Layer 7 programmable field extraction engine for text-based protocols. Our prototype DPFEE implementation for the Session Initiation Protocol (SIP) and HTTP on a single FPGA achieves a bandwidth of 408.5 Gbps, and this can be scaled beyond 500 Gbps. A single DPFEE exhibits a speedup of 24X-89X over widely used preprocessors. Even against 12 parallel instances of a preprocessor, a single DPFEE demonstrated a speedup of 4.7X-7.4X. Compared with 200 parallel streams of a GPU-accelerated preprocessor, a single DPFEE achieved 3.14X higher bandwidth, 1020X lower latency, and 106X lower power consumption.
