
Network Intrusion Detection Systems on FPGAs with On-Chip Network Interfaces

Christopher Clark, Georgia Institute of Technology; Craig Ulmer (cdulmer@sandia.gov), Sandia National Laboratories, California. February 22, 2005.


Presentation Transcript


  1. Network Intrusion Detection Systems on FPGAs with On-Chip Network Interfaces
  Christopher Clark, Georgia Institute of Technology
  Craig Ulmer (cdulmer@sandia.gov), Sandia National Laboratories, California
  February 22, 2005
  Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.

  2. Network Intrusion Detection Systems on FPGAs with On-Chip Network Interfaces
  Figure: an FPGA containing a network interface (NI) and a NIDS on one chip; a good network packet passes through, a malicious one is caught.
  Chris Clark / Georgia Tech, Craig Ulmer / SNL
  Note: This work was not performed by SNL's network security group and is independent of SNL's network security policy or infrastructure.

  3. Outline
  • Background: An evolution of NIDS and FPGAs
  • Single-Chip NIDS: An integrated approach
  • Example: A Multi-Filter Bridge NIDS
  • Implementation details and measurements
  • Concluding remarks and future work

  4. Background: An Evolution of NIDS and FPGAs

  5. Network Intrusion Detection Systems (NIDS)
  • There are many malicious users on the Internet
    • Unprotected home PCs hijacked within 10 minutes
    • Even if protected, still fighting denial of service
  • Network Intrusion Detection Systems (NIDS)
    • Monitor the network and react to attacks
  • Example: Snort (www.snort.org)
    • Large database of malicious packet signatures
    • 1,305 rules with 1,512 patterns
    • Pattern matching on 17,537 characters
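The three Snort figures on the slide (rules, patterns, characters) are what a hardware matcher is sized by: every pattern character becomes matching logic, so the character count rather than the rule count drives FPGA utilization (slide 18 later quotes the rule set size in characters). The following is an added example for this page, not code from the talk or from Snort: it parses the content:/uricontent: options of Snort rule text, decoding the |hex| binary sections and backslash escapes, and reports the same three counts. The rules in SAMPLE_RULES are constructed for the example and are not from any Snort distribution, so the totals are illustrative, not the slide's 2005 numbers.

```python
"""Count Snort-style rules, content patterns and pattern characters.

Added example, not part of the talk or of Snort. SAMPLE_RULES below is
constructed; the parser handles the Snort content syntax used in rules of
the period: double-quoted text, |0D 0A| hex sections, backslash escapes
and the content:!"..." negation prefix."""


def split_options(body: str) -> list[tuple[str, str]]:
    """Split the parenthesised option body on ';', honouring double quotes and
    backslash escapes so a ';' inside content:"..." is not a separator."""
    options, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            options.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        options.append("".join(cur))
    parsed = []
    for opt in options:
        name, _, value = opt.strip().partition(":")
        parsed.append((name.strip(), value.strip()))
    return parsed


def decode_content(raw: str) -> bytes:
    """Turn the text between the quotes of a content option into the exact
    bytes the matcher must look for: |0D 0A| is hex, a backslash escapes
    the next character literally."""
    out = bytearray()
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "|":
            end = raw.find("|", i + 1)
            if end < 0:
                raise ValueError(f"unterminated hex section in {raw!r}")
            out += bytes.fromhex(raw[i + 1:end])
            i = end + 1
        elif ch == "\\" and i + 1 < len(raw):
            out.append(ord(raw[i + 1]))
            i += 2
        else:
            out.append(ord(ch))      # rule text is ASCII; >0xFF raises
            i += 1
    return bytes(out)


def rule_patterns(rule: str) -> list[bytes]:
    """Decoded content/uricontent patterns of one rule line."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return []
    patterns = []
    for name, value in split_options(rule[start + 1:end]):
        if name not in ("content", "uricontent"):
            continue
        value = value.lstrip("!").strip()     # content:!"..." negates the match
        if len(value) >= 2 and value[0] == value[-1] == '"':
            patterns.append(decode_content(value[1:-1]))
    return patterns


def summarize_rules(text: str) -> dict[str, int]:
    """Rules / patterns / characters for a rule file; blank lines and '#'
    comments are skipped."""
    rules = [ln for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    patterns = [p for r in rules for p in rule_patterns(r)]
    return {"rules": len(rules), "patterns": len(patterns),
            "chars": sum(len(p) for p in patterns)}


# Constructed sample rules for the example (not from a Snort release).
SAMPLE_RULES = r'''
# comment lines and blank lines are ignored
alert tcp any any -> any 80 (msg:"WEB cgi probe"; content:"GET /cgi-bin/"; content:"|0D 0A|"; sid:1000001;)
alert tcp any any -> any 21 (msg:"FTP odd user"; content:"USER |41 41|root"; nocase; sid:1000002;)
alert udp any any -> any 53 (msg:"DNS quoted"; content:"\"quote\""; sid:1000003;)
alert tcp any any -> any 25 (msg:"header-only rule"; flags:S; sid:1000004;)
alert tcp any any -> any 80 (msg:"escaped separator"; content:"x\;y|7C|"; sid:1000005;)
'''

if __name__ == "__main__":
    print(summarize_rules(SAMPLE_RULES))
```

Run against a real rules directory by concatenating the .rules files into `text`; the chars figure is the one to compare with the per-bitwidth utilization numbers on the later slides.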

  6. Host-based NIDS Implementations
  • Multiple architectures proposed for NIDS
  • Separation of Network Interface and Intrusion Detection
  Figure: three host architectures, each with a CPU, an I/O bus and a NIC: Software (intrusion detection, ID, runs on the CPU), FPGA Card (ID runs on an FPGA card on the I/O bus) and FPGA-enabled NIC (ID runs on an FPGA on the NIC itself).

  7. Single-Chip NIDS: An Integrated Approach

  8. FPGA Evolution: An Integrated Approach
  • New FPGAs have network transceivers
    • FPGAs interact directly with the network
  • Build a complete NIDS in an FPGA
    • NI and ID units under one roof
  • Integration benefits
    • Customization of units and topology
    • Portability
    • New applications
  • Describe our integration experiences
  Figure: before, a separate network interface chip sits between the network and the intrusion detection logic in the FPGA; after, the network interface (NI) and intrusion detection are both inside the FPGA.

  9. Network Interface: Gigabit Ethernet
  • Xilinx Virtex II/Pro FPGA has Rocket I/O modules
  • We developed a simplified GigE network interface
    • Stripped down to essentials: move data between network and FIFOs
    • Roughly the same size as the FIFO-less Xilinx GigE core
  • FIFOs enable data rate changes between FPGA and network
  Figure: GigE Network Interface Core between the GigE network and the FPGA internals. Receive path blocks: Rocket I/O transceiver, 16b align, CRC filter, Rx control, Rx packet FIFO. Transmit path blocks: Tx packet FIFO, Tx control, framer, Rocket I/O transceiver.

  10. Intrusion Detection Unit
  • Snort rules translated to a structural JHDL intrusion detection unit
  • Compile-time selection of 16/32/64b data width
  • Both header and payload analysis units
  • Payload analysis unit performs large-scale pattern matching
    • Non-deterministic finite state automata (NFA)
    • Previously described in FCCM 2004 (Clark and Schimmel)
  Figure: Ethernet frame data enters a header decoder, which feeds the header analysis unit (header match) and passes the aligned payload to the payload analysis unit (payload match vector); decision logic combines the header and payload matches into a match/drop output.

  11. Integrated Example: A Multi-Filter Bridge NIDS

  12. Filtering Network Connections
  • Desire a NIDS that we can insert on a network link
    • Detect and filter out attacks
    • Transparent to users
  • Single bi-directional link: Filter Bridge
  • Can extend to support multiple filter bridges per FPGA
  Figure: Single Filter Bridge. An FPGA with two network interfaces (NI) and one ID unit between them.

  13. Data Rates in Multi-Filter Bridge NIDS
  • ID data rate must keep up with the aggregate network rate
  • Increase ID data rate
    • Data path: 16/32/64 bits
    • Clock: 62.5–125 MHz
  • Example: 2 bridges (4 GigE directions)
    • ID needs 4x data rate
    • 1x = 16b / 62.5 MHz (1 Gb/s)
    • 4x = 32b / 125 MHz (4 Gb/s)
  Figure: four network interfaces (NI) feed a scheduler in front of a single ID unit, which returns an OK or Drop decision.

  14. Multi-Filter Bridge: Implementation Details and Measurements

  15. Multi-Filter Bridge Implementation
  • Parameterized design
    • Number of bridges: 1–4
    • ID bitwidth: 16b/32b/64b
    • NI FIFO depth: 2–16 KB
  • Xilinx ML300 Reference Board
    • Virtex II/Pro-7 FPGA (-6 speed grade)
    • Four optical GigE ports
  • Pair of Intel hosts
    • Packet Engines GigE cards

  16. Latency Measurements
  • Internal measurements
    • Used ChipScope Pro
    • Counted clock cycles
  • External measurements
    • Host-to-host
    • Round-trip timings
    • Long and short messages

  17. Percentage of Maximum Rule Set for Single Filter Bridge
  Figure: chart of the percentage of the maximum rule set supported by a single filter bridge.

  18. FPGA Utilization for Multi-Filter Bridges
  • Constant FPGA size and rule set
    • Virtex II/Pro 50 (-6)
    • 2,001 chars (10% of max)
  • Increases in bitwidth: large jumps
    • 32b to 64b costs more than 16b to 32b
  • Increases in number of bridges
    • ID unit unaffected
  Figure: V2P50 slice utilization vs. number of filter bridges.

  19. Density Observations
  • Largest parts unappealing
    • Significant compile times
    • Limited routing resources
  • Medium parts more economical
    • Chain multiple NIDS bridges
  • Virtex-4 parts
    • More affordable
    • Prices are more linear
  Figure: relative V2P price and density (FPGA slices) for the V2P7, V2P40, V2P70 and V2P100.

  20. Conclusions and Future Work

  21. Conclusions and Future Work
  • Integrated NIDS appealing
    • Customize individual components and the overall design
    • Good portability because the design does not depend on external chips
  • Multi-filter bridge design
    • Demonstrated a transparent in-line filter
    • Supports a low number of filter bridges at link speeds
  • Future work: explore larger parts in greater detail
    • Better results with floor planning and early placement
    • Constraining the design to the top 65% of a V2P100 gave a 16% improvement in clock rate

  22. Backup Slides

  23. Network Interface Characteristics
  • Flexible packet FIFO
    • 16/32/64b width to user
    • 2–16 KB (each direction)
    • Can handle 185 MHz clock rate
    • Separate reader/writer clocks
  • Small size
    • GigE with 4 KB FIFOs: 749 slices
    • Xilinx GigE core (no FIFO): 763 slices

  24. ID Payload Analysis Unit
  • Large-scale pattern matching
    • Non-deterministic finite state automata (NFA)
    • Previously described in FCCM 2004 (Clark and Schimmel)
  • Decode incoming symbol and route to necessary stages
  Figure: a shared 8-bit symbol decoder with one output per pattern character (match 'a', 'b', 'c', 'd'); the decoded lines are routed to the stages of the pattern chains, e.g. match "abb" and match "dcb".
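The ID unit of slide 10 (header decoder, payload analysis, decision logic) and the decoded NFA of this backup slide are modelled below as an added example for this page; it is Python written for illustration, not the talk's JHDL design. The payload matcher follows the structure the slide describes: one shared decoder turns each incoming 8-bit symbol into one-hot "match 'a'", "match 'b'" lines, and those lines are routed only to the stages of the pattern chains that compare against that character, so adding a pattern adds stages but never a second decoder. It is clocked one byte per cycle (the 16/32/64b widths of the real unit are not modelled). The rules (a destination-port constraint plus one payload pattern), the frame builder and the per-rule field names are constructed for the example.

```python
"""Behavioural model of the single-chip NIDS intrusion-detection unit.

Added example for this page, not the talk's JHDL: a header decoder, a
decoded-NFA payload matcher in the style the slide describes (one shared
symbol decoder, one-hot outputs routed to per-pattern stage chains, one
8-bit symbol per clock) and decision logic that combines header and payload
matches into a drop signal. Rules and frames are constructed."""
import struct

ETH_HDR_LEN = 14
IPV4_MIN_LEN = 20
TCP_MIN_LEN = 20


class DecodedNFA:
    """Pattern chains driven by a shared symbol decoder, clocked one byte at a time.

    Stage k of a pattern holds a 1 after this clock iff stage k-1 held a 1
    after the previous clock (stage 0 is always enabled, so a match may start
    at any offset) and the decoder asserted the line for pattern[k]. The last
    stage of each chain is that pattern's bit in the match vector."""

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        if not all(self.patterns):
            raise ValueError("patterns must be non-empty")
        # Only symbols that some pattern uses get a decoder output line.
        self.decoder_lines = {c for p in self.patterns for c in p}
        self.reset()

    def reset(self):
        self.stages = [[False] * len(p) for p in self.patterns]

    def clock(self, symbol):
        hit = symbol if symbol in self.decoder_lines else None   # one-hot decode
        match_vector = []
        for i, pat in enumerate(self.patterns):
            prev = self.stages[i]
            # The decoded line is routed only to the stages comparing against it.
            new = [(k == 0 or prev[k - 1]) and pat[k] == hit for k in range(len(pat))]
            self.stages[i] = new
            match_vector.append(new[-1])
        return match_vector

    def scan(self, payload):
        """Run a whole payload through the automaton; report which patterns
        matched at any clock."""
        self.reset()
        seen = [False] * len(self.patterns)
        for byte in payload:
            seen = [s or m for s, m in zip(seen, self.clock(byte))]
        return seen


def decode_headers(frame):
    """Header decoder: Ethernet -> IPv4 -> TCP. Returns (fields, aligned payload).
    Frames that are not IPv4/TCP still yield the bytes after the last header
    parsed, so the payload matcher can run on them."""
    fields = {"ethertype": None, "proto": None, "sport": None, "dport": None}
    if len(frame) < ETH_HDR_LEN:
        return fields, b""
    fields["ethertype"] = struct.unpack("!H", frame[12:14])[0]
    if fields["ethertype"] != 0x0800 or len(frame) < ETH_HDR_LEN + IPV4_MIN_LEN:
        return fields, frame[ETH_HDR_LEN:]
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    fields["proto"] = frame[ETH_HDR_LEN + 9]
    l4 = ETH_HDR_LEN + ihl
    if fields["proto"] != 6 or len(frame) < l4 + TCP_MIN_LEN:
        return fields, frame[l4:]
    fields["sport"], fields["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    data_offset = (frame[l4 + 12] >> 4) * 4
    return fields, frame[l4 + data_offset:]


def inspect_frame(frame, rules):
    """Decision logic: rule i fires when its header constraint holds AND its
    payload pattern matched; the frame is dropped if any rule fires."""
    fields, payload = decode_headers(frame)
    payload_match = DecodedNFA([r["pattern"] for r in rules]).scan(payload)
    header_match = [r["dport"] is None or fields["dport"] == r["dport"] for r in rules]
    fired = [h and p for h, p in zip(header_match, payload_match)]
    return {"fields": fields, "match_vector": fired, "drop": any(fired)}


def build_tcp_frame(dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the example. Checksums are left
    zero; this model does not verify them."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip_len = IPV4_MIN_LEN + TCP_MIN_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed rules: destination port (None = any) plus one payload pattern.
RULES = [
    {"dport": 80, "pattern": b"/cgi-bin/"},
    {"dport": 80, "pattern": b"abb"},
    {"dport": None, "pattern": b"dcb"},
]

if __name__ == "__main__":
    print(inspect_frame(build_tcp_frame(80, b"GET /cgi-bin/abb HTTP/1.0\r\n"), RULES))
```

The cost model of the slides falls out of this structure: `decoder_lines` is shared and bounded by the alphabet, while the `stages` lists grow with the total pattern characters, which is why utilization was reported per character rather than per rule.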
