Rule Processing Framework – FCCM 2005

A Framework for Rule Processing in Reconfigurable Network Systems

Michael Attig and John Lockwood

Washington University in Saint Louis
Applied Research Laboratory
Department of Computer Science and Engineering
May 1, 2005


Outline

  • Overview
  • Background
  • Architecture
  • Results
  • Summary

Rule Processing Overview

  • Rule processing & intrusion detection
  • TCP Flow Processing
  • Header Processing
  • Payload Scanning

alert tcp any 110 any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:misc-activity; sid:723; rev:6;)

  • Snort Rules (version 2.2, Sept 2004)
    – 2464 Rules
    – 292 Headers
    – 2107 Signatures
    – 233 Regular Expressions


Rule Characteristics

  • 2464 unique rules
  • 292 unique header rules
    – 168 are "header-only"
  • 2107 unique signatures
    – 97% less than 32 bytes
    – Spread across 2296 rules
  • 233 regular expressions
    – Snort rules always contain a static signature as well
  • Few signatures are associated with many rules
    – 83% found in a single rule
    – Only 18 associated with more than 10 rules
  • 10 header rules can match at once (pessimistic)

[Chart: Unique Signature Distribution; x-axis Signature Length (bytes), y-axis Number of Occurrences]

[Chart: Unique Signature Occurrences; x-axis signature number (1 to 2107), y-axis Number of occurrences]

Snort version 2.2 (Sept 2004)


Fully Functional Rule Processing

Diagram: published components that a complete rule processor has to bring together
  • String Matching: Bloom Filters [Attig FCCM'04], TCAMs [Yu HOTI'04], BV-TCAM [Song FPGA'05], Comparators [Sourdis FCCM'04], NFAs [Clark FCCM'04], DFAs [Moscola FCCM'03]
  • Partitioning [Baker FCCM'04]
  • Pipelining [Cho FCCM'04]
  • TCP Flow Reconstruction [Schuehler FPL'04]
  • Header Classification
  • Rule Processor / Complete Rule Processing: drawn as open boxes marked "?", the piece this work supplies


Rule Processing Framework Overview

TCP/IP data passes through the framework as follows:
  • h header modules determine the matching header rules
  • TCP flows are ordered for inspection by the payload scanner(s)
  • p payload modules search for static signatures and regular expressions
  • Matching header and string IDs are sent to the rule processor using a standard interface
  • The rule processor uses the header and payload match criteria to determine rule matches

[Diagram: Intrusion Detection System placed between the Local Area Network and the Internet; the rule processor is labelled "Focus of this Talk".]


[Diagram: the rule processor on the FPGA receives matching criteria through one communication wrapper and is configured from software through another; pipeline stages are labelled (1), (2), (3), (5), (6), (7).]


Example

R1: Alert tcp any 80 any 125 (content:"string1"; content:"string2";)

Algorithmically:
R1: H1 ∧ C1 ∧ C2


Rule Processing Example

[Diagram: a TCP/IP packet in one flow with header H1 and payload matches C1, C2, C1 enters the pipeline. The rule processor on the FPGA, fed through the communication wrappers and configured from software, maps each content ID to rule R1, compares the rule's header H1 with the packet's header (an X marks a mismatch), increments the per-rule match count (+1), and resets the count after the packet. Pipeline stages are labelled (1), (2), (3), (5), (6), (7).]


Implementation Environment

  • Xilinx Virtex 2000E FPGA
    – 12% LUTs
    – 25% Slices
    – 93% of Block RAMs
    – 80.6 MHz
  • Stacked configuration allows chaining processing


Worst Case Throughput

  • Worst case occurs when a signature associated with many rules is detected
  • Only 18 signatures appear in more than 10 rules
  • Worst case signature
    – |00 00 00 00| in 135 rules
  • Scenario:
    – Back-to-back 44 byte TCP packets from different flows with |00 00 00 00| as payload
    – Worst case assumes 7 million attack packets per second

[Chart: Framework Throughput, worst case vs. average case; x-axis Packet Size (Bytes), y-axis Throughput (Mbps)]


Intrusion Detection of WashU's Backbone Network

[Charts: Matching 4 Byte Signatures; Matching 12+ Byte Signatures]

  • Observe ~10,000 total string matches per second on WashU's backbone network (~250-300 Mbps)
  • Scaling to 2.5 Gbps, only ~100,000 string matches per second


Next Generation FPGA Projections

  • More block RAM
  • Faster place & route
  • Parallel copies of pipeline
    – Multiple IDs per clock cycle
  • QDR SRAMs
  • 6x improvement to throughput

[Chart: Rule Processor Relative Improvement (rule frequency and throughput) for VirtexE, Virtex2 and Virtex4]


Related Work

Function            Component          Group            Device          Logic Cells    Throughput (Gbps)
Correlation         Rule Processor     WashU            Virtex4 100     40,200 (95%)   15.9
Payload Scanning    Bloom Filters      WashU            Virtex4 100     35,850 (85%)   20.4
                    Partitioning       USC              Virtex2 Pro     15,010 (15%)   4.5
                    Packet Filters     UCLA             Spartan 3 2000  15,202 (37%)   3.2
                    Trie-based Hash    Tokyo            Virtex2-6000    2,365 (7%)     10
                    Decoder Trees      GaTech           Virtex2-8000    54,890 (81%)   7
                    Pre-decoded CAMs   Crete            Virtex2-6000    64,268 (95%)   9.7
Header Processing   BV-TCAM            WashU            Virtex4 100     4,200 (10%)    10
Flow Monitoring     TCP Processor      WashU            Virtex4 140     22,100 (35%)   10.3
                    Flow Monitor       Northwestern U.  Virtex2-8000    n/a            48.3
                    Stream Assembler   GaTech           Virtex 1000     876 (10%)      3.2


Contributions

  • Development of a large-scale Rule Processing Framework
    – Bridge between component processing and rule processing
    – Supports up to 32,768 rules
  • Rule processing framework capable of 2.5 Gbps throughput on FPX
    – Projected to 15.9 Gbps on the latest Virtex 4
  • Rule processor operated on TCP flows
    – Context information stored for over 2 million simultaneous flows


Acknowledgments

  • Research Sponsors
    – Global Velocity
    – Boeing
  • ARL Faculty & Students

http://arl.wustl.edu/projects/fpx/reconfig.htm

Questions?


Communication Wrapper Interface

  • Between Devices
  • Between Software/Hardware


Example

R1: Alert tcp any 80 any 125 (content:"string1"; content:"string2";)
R2: Alert tcp any 8080 any 1024 (content:"string1";)

Algorithmically:
R1: H1 ∧ C1 ∧ C2
R2: H2 ∧ C1


[Diagram: the FPGA holds the rule processor between two communication wrappers, with the CID-to-RID mapping in BRAM. For the packet from the example (header H1, payload matches C1, C2, C1): C1 maps to R1 and R2; R2 requires header H2, which does not match H1 (X), while R1 requires H1 and its count is incremented (+1); C2 maps to R1 and increments it again, so R1 reaches its required count and matches; the counts are reset after the packet.]


Adding Modules

  • Accept and act upon IP packets
  • Communicate match criteria using the communication wrapper interface
    – Provide deterministic interfaces
    – Abstract transport protocol
  • Software configuration using the communication wrapper
  • Represent matching criteria as ID numbers
  • Allows combination of techniques
    – Take advantage of best characteristics
      • General classifiers vs. field-specific headers
      • Static strings vs. regular expressions
Evaluation

[Chart: Throughput versus Rule Look-ups per Second; x-axis Rule Look-ups per Second (log scale, 1 to 1e8), y-axis Throughput (Mbps)]

  • Recall that Rule IDs are inserted into the pipeline based on matching signatures

80 Million rule IDs per second
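The following is a software model of the pipeline traced on the example slides (R1: H1 ∧ C1 ∧ C2, R2: H2 ∧ C1, with the X / +1 / Reset steps) together with the rule-ID insertion bound stated above. It is an added illustration, not code from the paper or the FPX project. The rule grammar is the one written on the slides, extended with Snort's optional direction arrow; counting a repeated criterion only once per packet, resetting counts per packet rather than per flow, the 2.5 Gbps line-rate cap and the throughput formula are this example's own assumptions, and the set of 135 rules sharing one 4-byte signature is constructed to reproduce the worst case described on the Worst Case Throughput slide.

```python
import re
from collections import defaultdict

# Rule syntax as written on the slides: action proto src sport [->|<>] dst dport (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"(?:\s+(?P<dir>->|<>))?\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.IGNORECASE)
CONTENT_RE = re.compile(r'content\s*:\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)
PIPELINE_RULE_IDS_PER_SEC = 80_000_000  # insertion rate given on the Evaluation slide
LINE_RATE_MBPS = 2500                   # FPX line rate given on the Contributions slide


class RuleCompiler:
    """Assigns header IDs (H), content IDs (C) and rule IDs (R), so a rule becomes
    H ∧ C ∧ ..., and builds the C -> {R} index (BRAM on the FPGA) that the rule
    processor walks on every signature match."""

    def __init__(self):
        self.header_ids = {}                 # (proto, src, sport, dst, dport) -> H
        self.content_ids = {}                # signature string -> C
        self.rules = {}                      # R -> (H, frozenset of required C)
        self.cid_to_rids = defaultdict(set)  # C -> {R}
        self.header_only = defaultdict(set)  # H -> {R} for "header-only" rules

    def compile(self, text):
        m = RULE_RE.match(text)
        if m is None:
            raise ValueError("unparsable rule: %r" % text)
        header = (m["proto"].lower(), m["src"], m["sport"], m["dst"], m["dport"])
        hid = self.header_ids.setdefault(header, len(self.header_ids) + 1)
        cids = frozenset(self.content_ids.setdefault(sig, len(self.content_ids) + 1)
                         for sig in CONTENT_RE.findall(m["opts"]))
        rid = len(self.rules) + 1
        self.rules[rid] = (hid, cids)
        for cid in cids:
            self.cid_to_rids[cid].add(rid)
        if not cids:
            self.header_only[hid].add(rid)
        return rid

    def max_fanout(self):
        """Rules sharing the most-shared signature = rule IDs one match of it inserts."""
        return max((len(r) for r in self.cid_to_rids.values()), default=0)


class RuleProcessor:
    """Model of the pipelined rule processor. Assumed, not stated on the slides:
    a criterion repeated in one packet counts once; counts reset per packet."""

    def __init__(self, compiler):
        self.c = compiler
        self.rule_ids_inserted = 0  # total R IDs pushed into the pipeline

    def process_packet(self, hid, cids):
        """hid from the header module, cids from the payload scanner in match
        order; returns the sorted rule IDs that match this packet."""
        alerts = set(self.c.header_only.get(hid, ()))
        matched = defaultdict(set)  # R -> criteria seen so far (the per-rule count)
        for cid in cids:
            for rid in self.c.cid_to_rids.get(cid, ()):
                self.rule_ids_inserted += 1
                rule_hid, needed = self.c.rules[rid]
                if rule_hid != hid:
                    continue           # X on the slides: header mismatch, drop R
                matched[rid].add(cid)  # +1, once per distinct criterion
                if matched[rid] == needed:
                    alerts.add(rid)
        return sorted(alerts)          # Reset: counts die with the packet


def throughput_bound_mbps(packet_bytes, rule_ids_per_packet,
                          pipeline_rate=PIPELINE_RULE_IDS_PER_SEC, line_rate=LINE_RATE_MBPS):
    """Simple model (not the authors' measurement): throughput sustainable when every
    packet of packet_bytes inserts rule_ids_per_packet rule IDs, capped at line rate."""
    if rule_ids_per_packet <= 0:
        return float(line_rate)
    return min(float(line_rate), pipeline_rate / rule_ids_per_packet * packet_bytes * 8 / 1e6)


def demo():
    """The R1/R2 example from the slides plus the |00 00 00 00|-in-135-rules worst case."""
    comp = RuleCompiler()
    r1 = comp.compile('Alert tcp any 80 any 125 (content:"string1"; content:"string2";)')
    r2 = comp.compile('Alert tcp any 8080 any 1024 (content:"string1";)')
    for port in range(135):  # constructed: one 4-byte signature shared by 135 rules
        comp.compile('alert tcp any any -> any %d (content:"|00 00 00 00|";)' % (1000 + port))
    proc = RuleProcessor(comp)
    h1 = comp.header_ids[("tcp", "any", "80", "any", "125")]
    c1, c2 = comp.content_ids["string1"], comp.content_ids["string2"]
    hits = proc.process_packet(h1, [c1, c2, c1])  # the packet traced on the slides
    return {"r1": r1, "r2": r2, "hits": hits,
            "rule_ids_inserted": proc.rule_ids_inserted,  # C1->{R1,R2}, C2->{R1}, C1->{R1,R2}
            "max_fanout": comp.max_fanout(),
            "worst_case_mbps": throughput_bound_mbps(44, comp.max_fanout()),
            "average_case_mbps": throughput_bound_mbps(1500, 1)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the model makes explicit is the one the worst-case slide relies on: the pipeline cost of a packet is the fan-out of its matched signatures (here 2 + 1 + 2 = 5 rule IDs for the R1/R2 packet), so a 4-byte signature shared by 135 rules inside minimum-size packets is what an attacker would send to push the rule processor far below line rate, while the ~100,000 matches per second observed on real traffic leave the 80 million rule IDs per second essentially idle.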


Additional Rules Supported

  • Virtex 2
    – 120 of 144 Block RAMs (18 Kbits each)
    – 2 copies of pipeline
      • 10 BRAM in stage 2
      • 10 BRAM in stage 5
      • 40 BRAM in stage 6
    – 184,320 rules supported
  • Virtex 4
    – 216 of 240 Block RAMs (18 Kbits each)
    – 4 copies of pipeline
      • 9 BRAM in stage 2
      • 9 BRAM in stage 5
      • 36 BRAM in stage 6
    – 165,888 rules supported