1 / 21

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems. Authors: Yeim-Kuan Chang, Ming-Li Tsai and Cheng-Chien Su Publisher: 22nd International Conference on Advanced Information Networking and Applications Present: Chia-Ming ,Chuang Date: 1, 7, 2008.

orien
Télécharger la présentation

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Improved TCAM-based Pre-Filtering forNetwork Intrusion Detection Systems Authors:Yeim-Kuan Chang, Ming-Li Tsai and Cheng-Chien Su Publisher:22nd International Conference on Advanced Information Networking and Applications Present:Chia-Ming ,Chuang Date:1, 7, 2008 Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C. 1

  2. Outline • 1. INTRODUCTION • 2. RELATED WORKS • 3. PROPOSED ALGORITHMS • 4. EXPERIMENTS • 5. CONCLUSION 2

  3. Introduction (1/2) • Networks have been protected using firewalls that monitor and filter network traffic. Firewalls usually examine the packet headers to determine whether the packets are allowed to go through or dropped. • Network intrusion detection systems (NIDS) are utilized to detect malicious attacks and protect Internet • A NIDS differs from a firewall in that it needs to scan both the headers and the payloads of each incoming packet for thousands of suspicious patterns. By inspecting both packet headers and payloads to identify attack signatures, 3

  4. Introduction (2/2) • Current NIDS pattern databases contain thousands of patterns, resulting in a difficult computational task. Traditionally, software-based NIDS may be overloaded when the packet arrival rate becomes high. • To keep up with the high-speed networks, hardware-based NIDS implementation is needed. 4

  5. Outline • 1. INTRODUCTION • 2. RELATED WORKS • 3. PROPOSED ALGORITHMS • 4. EXPERIMENTS • 5. CONCLUSION 5

  6. RELATED WORKS (1/3) • A. Software-based solutions (一)single-pattern matching Boyer-Moore (二)multiple-pattern matching Aho-Corasick(AC) 6

  7. RELATED WORKS (2/3) The first comparison d-c at position 4 produces a mismatch. The text symbol d does not occur in the pattern. Therefore, the pattern cannot match at any of the positions 0, ..., 4, since all corresponding windows contain a d. The pattern can be shifted to position 5. Comparison b-c causes a mismatch. Text symbol b occurs in the pattern at positions 0 and 2. The pattern can be shifted so that the rightmost b in the pattern is aligned to text symbol b. 7

  8. RELATED WORKS (3/3) • B. FPGA-based solutions • Many hardware-based algorithms have been proposed,where many solutions are based on Field Programmable Gate Arrays (FPGAs). • C. Parallel Bloom filters • Bloom filter is a space-efficient probabilistic data structure that is used to test whether an element or string is a member of a set. False positives are possible, but false negatives are not. • D. TCAM solutions • Ternary Content Addressable Memory (TCAM) is a type of memory that consists of a set of entries. A TCAM allows fully parallel search of entries per TCAM lookup. 8

  9. Outline • 1. INTRODUCTION • 2. RELATED WORKS • 3. PROPOSED ALGORITHMS • 4. EXPERIMENTS • 5. CONCLUSION 9

  10. PROPOSED ALGORITHMS(1/6) introduction to FTSE The basic concept of FTSE is described as follows: • w bytes of the data stream as the input called the sliding window. • If any I byte suffix of sliding window does not match the i-byte prefix of pattern P for all i = 1 to w, we can advance the sliding window by skipping the current w bytes of the data stream and continue the search with the next w bytes. • if the i-byte suffix of the sliding window does match the i-byte prefix of pattern P for all i = 1 to w – 1, then we only skip w – i bytes to get the sliding window for the next cycle and repeat the search process 10

  11. PROPOSED ALGORITHMS(2/6) 11

  12. PROPOSED ALGORITHMS(3/6) Suppose we have a total of N patterns and the number of prefix-patterns in group Gi is Ni. The total number of TCAM entries is ΣNi. So the total TCAM memory requirement is w×ΣNi bytes. the don’t-care bytes in TCAM entries increase the probability of finding a match in TCAM. For example, the probability of matching an entry '***A' in one TCAM lookup is ½^8 which is large. 12

  13. PROPOSED ALGORITHMS(4/6) 13

  14. PROPOSED ALGORITHMS(5/6) 14

  15. PROPOSED ALGORITHMS (6/6) which consists of two parts: TCAM pre-filter module and exact matching module. The incoming data stream is first filtered through TCAM pre-filter module, which matches w-byte prefixes of patterns. If a match occurs in group G0, the corresponding ID of the partial matching pattern is sent to the exact matching module for performing the exact matching between the potential pattern and input data stream. The controller determines the shift value of sliding window according to lookup results in TCAM. 15

  16. Outline • 1. INTRODUCTION • 2. RELATED WORKS • 3. PROPOSED ALGORITHMS • 4. EXPERIMENTS • 5. CONCLUSION 16

  17. EXPERIMENTS (1/3) 17

  18. EXPERIMENTS (2/3) 18

  19. EXPERIMENTS (3/3) 19

  20. Outline • 1. INTRODUCTION • 2. RELATED WORKS • 3. PROPOSED ALGORITHMS • 4. EXPERIMENTS • 5. CONCLUSION 20

  21. Conclusion (1/1) • Our TCAM-based approach provides two techniques to improve the performance of FTSE. • The first technique matches the w-byte suffixes of patterns instead of w-byte prefixes. • The second technique finds the final partial matching results from all the groups instead of only G0. The second proposed scheme can process multi characters per TCAM lookup. • The results showed that our two techniques can arebetter than the original FTSE 21

More Related