A Survey on the Application of FPGAs for Network Infrastructure Security

Given the rapid evolution of attack methods and toolkits, software-based solutions for securing the network infrastructure have become overburdened. The gap between the execution speed of security software and the volume of data it must process keeps widening. A common way to close this gap is to implement security functions in hardware. Reconfigurable hardware devices such as Field Programmable Gate Arrays (FPGAs), which combine the flexibility of software with the parallelism of hardware, have become increasingly popular for this purpose: they meet the performance demands of security operations while leaving room for future architectural and algorithmic innovation. This paper surveys the state of the art in FPGA-based implementations used for network infrastructure security and categorizes the diverse implementations that currently exist. By combining brief descriptions with in-depth case studies, we hope this survey will inspire more active research in this area.
