AntiWorm NPU-based Parallel Bloom filters in Giga-Ethernet LAN

In this paper, an AntiWorm system based on the Intel IXP Network Processor was implemented using the Parallel Bloom filters technique. The AntiWorm system consists of two components: Bloom filters and Exact Matching engines. The Parallel Bloom filters identify suspicious traffic quickly and effectively, and then dispatch it to the Exact Matching engines for further investigation. Both the principles and the implementation of the AntiWorm system are introduced in detail. With the system performance parameters in mind, two feasible implementation solutions are investigated and their advantages and disadvantages are compared. The selection of configuration parameters for the AntiWorm system is also discussed. A hash scheme based on the MD5 function is proposed for implementing fast hash functions. To test the performance of the AntiWorm system, such as throughput and delay, experiments are carried out under different simulated traffic conditions. The internal statistics of the IXP network processor are also collected and analyzed to optimize system performance. To demonstrate the operation of the AntiWorm system, attacks by the Blaster worm are used in the test bed, and the experimental results prove the effectiveness of the AntiWorm system. The software package WormDetector1.0 is also provided as a software release from the research.
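The two-stage design the abstract describes, a Bloom-filter prefilter whose hash functions are slices of one MD5 digest followed by an exact-matching stage, as an added example in Python that is not the paper's own NPU code; the signature bytes, the payload, and the filter size and hash count are constructed assumptions for illustration.

```python
import hashlib


class MD5Bloom:
    """Bloom filter whose k hash functions are disjoint 32-bit slices of a single
    MD5 digest, so one digest computation yields all k bit positions."""

    def __init__(self, m_bits, k):
        assert 1 <= k <= 4, "a 128-bit MD5 digest gives at most four 32-bit slices"
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _indices(self, data):
        d = hashlib.md5(data).digest()
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]

    def add(self, data):
        for i in self._indices(data):
            self.bits[i >> 3] |= 1 << (i & 7)

    def __contains__(self, data):
        return all(self.bits[i >> 3] & (1 << (i & 7)) for i in self._indices(data))


class ParallelBloomDetector:
    """Stage 1: one Bloom filter per signature length, each checked at every byte
    offset of the payload (the filters run in parallel on the NPU; here sequentially).
    Stage 2: only windows the filters flag are compared against the exact signature
    set, which removes the filters' false positives."""

    def __init__(self, signatures, m_bits=1 << 16, k=4):
        self.exact = set(signatures)
        self.by_len = {}
        for s in signatures:
            self.by_len.setdefault(len(s), MD5Bloom(m_bits, k)).add(s)

    def scan(self, payload):
        flagged, confirmed = 0, []
        for length, bf in self.by_len.items():
            for off in range(len(payload) - length + 1):
                window = payload[off:off + length]
                if window in bf:               # cheap prefilter (may false-positive)
                    flagged += 1
                    if window in self.exact:   # exact matching engine confirms
                        confirmed.append((off, window))
        return flagged, sorted(confirmed)


# Constructed sample data: placeholder signatures, not real worm patterns.
SIGNATURES = [b"EXAMPLE-SIG-A", b"TESTPATTERN"]
SAMPLE_PAYLOAD = b"junk...EXAMPLE-SIG-A...more"

if __name__ == "__main__":
    flagged, confirmed = ParallelBloomDetector(SIGNATURES).scan(SAMPLE_PAYLOAD)
    print(f"prefilter hits={flagged}, confirmed={confirmed}")
```

The gap between `flagged` and `len(confirmed)` is the prefilter's false-positive count, which is what the paper's choice of filter size and hash count trades against memory and throughput.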
