Deep Packet Field Extraction Engine (DPFEE): A pre-processor for network intrusion detection and denial-of-service detection systems

Network Intrusion Detection Systems (NIDS) and anti-Denial-of-Service (DoS) systems employ Deep Packet Inspection (DPI), which provides visibility into payload content to detect network attacks. Every DPI engine assumes a pre-processing step that extracts the various protocol-specific fields. However, application-layer (L7) field extraction is computationally expensive. We propose a Deep Packet Field Extraction Engine (DPFEE) that offloads application-layer field extraction to hardware. DPFEE is a content-aware, grammar-based, Layer 7 programmable field extraction engine for text-based protocols. Our prototype DPFEE implementation for the Session Initiation Protocol (SIP) on a single FPGA achieved a bandwidth of 257.1 Gbps, and this can easily be scaled beyond 300 Gbps.
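To make the pre-processing step concrete, here is an added software illustration (not the paper's hardware design or code) of grammar-driven field extraction for SIP requests: it yields the named fields a downstream DPI or anti-DoS check would consume and rejects messages that break the RFC 3261 message grammar (missing terminator, bad request line, header without a colon, Content-Length mismatch) rather than guessing. The SIP message is constructed, and the compact-header table and function names are assumptions for the example.

```python
import re

# Subset of RFC 3261 compact header names mapped to their long forms (assumed for the example)
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",
           "m": "contact", "l": "content-length", "c": "content-type", "s": "subject"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (SIP/2\.0)$")

def extract_sip_fields(raw: bytes) -> dict:
    """Split one SIP request into named fields; raise ValueError on any grammar violation."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing header terminator")
    unfolded = []
    for line in head.decode("ascii").split("\r\n"):   # non-ASCII raises a ValueError subclass
        if line[:1] in (" ", "\t") and unfolded:       # RFC 3261 line folding: continuation line
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    m = REQUEST_LINE.match(unfolded[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}                                       # long header name -> list of values
    for line in unfolded[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"bad header line: {line!r}")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(name, []).append(value.strip())
    declared = headers.get("content-length", ["0"])[-1]
    if not declared.isdigit() or int(declared) != len(body):  # strict; no stream reassembly here
        raise ValueError("Content-Length does not match body")
    return {"method": m.group(1), "request_uri": m.group(2),
            "headers": headers, "body": body}

def is_well_formed(raw: bytes) -> bool:
    """True when the message passes every grammar check above."""
    try:
        extract_sip_fields(raw)
        return True
    except ValueError:
        return False

# Constructed sample INVITE with a compact 'f:' header and a folded Subject line
SAMPLE_INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
                 b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
                 b"f: Alice <sip:alice@example.com>;tag=1928301774\r\n"
                 b"To: Bob <sip:bob@example.com>\r\n"
                 b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
                 b"Subject: a long subject\r\n\t folded onto two lines\r\n"
                 b"Content-Length: 4\r\n\r\nabcd")
```

Malformed messages are surfaced as exceptions so that a NIDS can count or alert on them separately from the well-formed traffic whose fields it inspects.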
