Traffic-Aware Design of a High Speed Fpga Network Intrusion Detection System

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. IEEE TRANSACTIONS ON COMPUTERS

Traffic-aware Design of a High Speed FPGA
Network Intrusion Detection System
Salvatore Pontarelli, Giuseppe Bianchi, Simone Teofili
Consorzio Nazionale InterUniversitario per le Telecomunicazioni (CNIT) University of Rome “Tor Vergata”
Via del Politecnico 1, 00133, Rome, ITALY

Abstract—The security of today’s networks relies heavily on Network Intrusion Detection Systems (NIDSs). The ability to promptly update the supported rule sets and detect newly emerging attacks makes Field Programmable Gate Arrays (FPGAs) a very appealing technology. An important issue is how to scale FPGA-based NIDS implementations to ever faster network links. A trivial approach is to balance traffic over multiple, functionally equivalent hardware blocks, each implementing the whole rule set (several thousand rules); its obvious drawback is the linear increase in resource occupation. In this work, we promote a different, traffic-aware, modular approach to the design of FPGA-based NIDSs. Instead of simply splitting traffic across equivalent modules, we classify and group homogeneous traffic and dispatch it to hardware blocks of different capabilities, each supporting a (smaller) rule set tailored to the specific traffic category. We implement and validate our approach using the rule set of the well-known Snort NIDS, and we experimentally investigate the emerging trade-offs and advantages, showing resource savings of up to 80% based on real-world traffic statistics gathered from an operator’s backbone.
Index Terms—Deep Packet Inspection, FPGA, Intrusion Detection System, Snort, String matching, Traffic awareness

I. INTRODUCTION
The demand for network security and protection against threats and attacks is ever increasing, due to the widespread diffusion of network connectivity and the higher risks brought about by a new generation of Internet threats. Network Intrusion Detection Systems (NIDS) play a key role in such a scenario. A NIDS is a system that analyzes the traffic crossing the network, classifies packets according to header, content, or pattern matching, and further inspects payload information with respect to content/regular-expression matching rules for detecting the occurrence of anomalies or attacks.

Software-based NIDS, such as the widely employed software implementation of the Snort NIDS [1], cannot sustain the multi-Gbit/s traffic rates typical of network backbones, and are thus confined to relatively small-scale (edge) networks. For high-speed network links, hardware-based NIDS solutions appear to be a more realistic choice, but the hardware implementation needs to permit frequent updates of the supported rule set, so as to cope with the continuous emergence of new types of network intrusion threats and attacks. Field Programmable Gate Arrays are thus appealing candidates. Indeed, an FPGA-based NIDS can be easily and dynamically reprogrammed when the content-matching rules change. Moreover, current FPGA devices are capable of providing very high processing capability and support high-speed interfaces (FPGAs for 100 Gbit/s processing are available, and devices for 400 Gbit/s are forthcoming [2]). However, such an increase in traffic collection ability is not matched by a comparable scaling of the device frequency. Indeed, logic resources still operate at frequencies on the order of “just” hundreds of MHz; for instance, a frequency of 500 MHz, achievable only by last-generation FPGA devices, can process 8-bit characters at “only” 4 Gbit/s (one byte per clock cycle).

Digital Object Identifier 10.1109/TC.2012.105

This issue is showcased by Figure 1, which reports the historical evolution of a commercial product (Xilinx FPGAs) from 2003 to the time of writing. The y-axis values are normalized with respect to the...