Traffic-Aware Design of a High Speed Fpga Network Intrusion Detection System
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON COMPUTERS
1
Traffic-aware Design of a High Speed FPGA
Network Intrusion Detection System
Salvatore Pontarelli, Giuseppe Bianchi, Simone Teofili
Consorzio Nazionale InterUniversitario per le Telecomunicazioni (CNIT)
University of Rome “Tor Vergata”
Via del Politecnico 1, 00133, Rome, ITALY
Abstract—Security of today’s networks heavily rely on Network Intrusion Detection Systems (NIDSs). The ability to promptly update the supported rule sets and detect new emerging attacks makes Field Programmable Gate Arrays (FPGAs) a very appealing technology. An important issue is how to scale
FPGA-based NIDS implementations to ever faster network links.
Whereas a trivial approach is to balance traffic over multiple, but functionally equivalent, hardware blocks, each implementing the whole rule set (several thousands rules), the obvious cons is the linear increase in the resource occupation. In this work, we promote a different, traffic-aware, modular approach in the design of FPGA-based NIDS. Instead of purely splitting traffic across equivalent modules, we classify and group homogeneous traffic, and dispatch it to differently capable hardware blocks, each supporting a (smaller) rule set tailored to the specific traffic category. We implement and validate our approach using the rule set of the well known Snort NIDS, and we experimentally investigate the emerging trade-offs and advantages, showing resource savings up to 80% based on real world traffic statistics gathered from an operator’s backbone.
Index Terms—Deep Packet Inspection, FPGA, Intrusion Detection System, Snort, String matching, Traffic awareness
I. I NTRODUCTION
The demand for network security and protection against threats and attacks is ever increasing, due to the widespread diffusion of network connectivity
IEEE TRANSACTIONS ON COMPUTERS
1
Traffic-aware Design of a High Speed FPGA
Network Intrusion Detection System
Salvatore Pontarelli, Giuseppe Bianchi, Simone Teofili
Consorzio Nazionale InterUniversitario per le Telecomunicazioni (CNIT)
University of Rome “Tor Vergata”
Via del Politecnico 1, 00133, Rome, ITALY
Abstract—Security of today’s networks heavily rely on Network Intrusion Detection Systems (NIDSs). The ability to promptly update the supported rule sets and detect new emerging attacks makes Field Programmable Gate Arrays (FPGAs) a very appealing technology. An important issue is how to scale
FPGA-based NIDS implementations to ever faster network links.
Whereas a trivial approach is to balance traffic over multiple, but functionally equivalent, hardware blocks, each implementing the whole rule set (several thousands rules), the obvious cons is the linear increase in the resource occupation. In this work, we promote a different, traffic-aware, modular approach in the design of FPGA-based NIDS. Instead of purely splitting traffic across equivalent modules, we classify and group homogeneous traffic, and dispatch it to differently capable hardware blocks, each supporting a (smaller) rule set tailored to the specific traffic category. We implement and validate our approach using the rule set of the well known Snort NIDS, and we experimentally investigate the emerging trade-offs and advantages, showing resource savings up to 80% based on real world traffic statistics gathered from an operator’s backbone.
Index Terms—Deep Packet Inspection, FPGA, Intrusion Detection System, Snort, String matching, Traffic awareness
I. I NTRODUCTION
The demand for network security and protection against threats and attacks is ever increasing, due to the widespread diffusion of network connectivity