compiling pcre to fpga for accelerating
play

Compiling PCRE to FPGA for Accelerating SNORT IDS Abhishek Mitra - PowerPoint PPT Presentation

Dec 03, 2023 •46 likes •316 views

Compiling PCRE to FPGA for Accelerating SNORT IDS Abhishek Mitra Walid Najjar Laxmi N Bhuyan QuickTime and a QuickTime and a decompressor decompressor are needed to see this picture. are needed to see this picture. Outline FPGA

  1. Compiling PCRE to FPGA for Accelerating SNORT IDS Abhishek Mitra Walid Najjar Laxmi N Bhuyan QuickTime™ and a QuickTime™ and a decompressor decompressor are needed to see this picture. are needed to see this picture.

  2. Outline  FPGA Introduction  NIDS and SNORT  Regular Expressions and PCRE  PCRE to FPGA via OPCODES  Hardware Details  Performance  Conclusion

  3. Field Programmable Gate Array  Silicon devices, Millions of Logic Gates  Connected by Programmable interconnects  Can efficiently Abstract a Data path by eliminating load-stores and branch instructions  Emerging platforms include SGI RASC, XD 1000, Intel QuickAssist Hardware, etc.

  4. a PROCESSOR vs an FPGA (the Highway analogy) Field Programmable Gate Array Processor (Dual core) SPEED SPEED LIMIT LIMIT 100 10 2 parallel Highways 200 parallel Highways Throughput = 2 x 100 = Throughput = 200 X 10 = 200. 2000 !  What an FPGA loses in speed, it more than makes it up with parallelism  Obtaining two orders of speedup is easily obtainable on an FPGA  FPGAs are programmed with Hardware Description Languages

  5. Network Intrusion Detection QuickTime™ and a decompressor are needed to see this picture. System (IDS) QuickTime™ and a decompressor are needed to see this picture.  Detects and filters unwanted network packets (worms, spam, etc)  Inspects payload as it enters or leaves a network, with set of rules  Highly processor intensive with increasing number of rules

  6. Network Intrusion Detection System (IDS)  The IDS may become a bottleneck  10Mbps delivered by a Pentium 4 CPU  Compare that to 10Gbps throughput of typical networks

  7. SNORT IDS rules and REGULAR EXPRESSIONS  SNORT IDS rules are used to capture signatures of malicious activity on the network (e.g. WORM activity)  A rule written as a regular expression is compact, powerful and highly expressible (one rule matches multiple possible strings)  SNORT IDS uses the PCRE (PERL compatible regular expressions) as the language in which the rules are written

  8. SNORT and PCRE  SNORT uses PCRE to match network packets on regular expression based signatures PCRE is an open source software that compiles and matches PERL regular expressions

  9. Regular Expressions and Finite Automata  A Regular Expression can be implemented as an Finite Automata  A processor can execute only one finite automata per core  An FPGA can execute hundreds of finite automata in parallel!  Possible (Speedup!) over a Processor

  10. Regular Expression and Finite automata on FPGA  A regular expression viz. 1*(01*01*)* Can Identify Even number of zeros in a string composed of alphabets 0 and 1  The equivalent Finite Automata of this regular expression can be implemented in hardware  Each state of the automata is encoded using one bit  The transitions are encoded using two bits

  11. Compiling Regular Expression to OPCODES  We utilize the PCRE complier to obtain OP Codes corresponding to regular expression operators in the SNORT rules

  12. Generating Hardware from PCRE OPCODES  We compile the OPCODES obtained to VHDL  Each OPCODE corresponds to a VHDL template  The template is filled, based on additional parameters accompanying each OPCODE

  13. Generating Hardware from OPCODES  The VHDL blocks are tied together as an NFA (Non deterministic Finite Automata)  Additional hardware connects the NFA to the memory controller  Memory controller obtains network payload form the host CPU and transfers it to the NFAs

  14. SNORT Rule to PCRE OPCODES v7.0  Example Rule snippet “/ ^NetBus\s+\d+ /”  After Compilation 80 0 20 19 21 78 21 101 21 116 21 66 Start ^ -> N -> e -> t -> b 21 117 21 115 44 8 44 6 0 20 0 -> u -> s + \s + \d END OPCODES are the common intermediate representation for software or hardware execution

  15. An example VHDL Block generated by compiling the opcodes if (clk'eventand clk = '1') then if (start = '1') then char1_1 <= mem(conv_integer(nfa1));--N char2_1 <= mem(conv_integer(nfa1)+1);--e char3_1 <= mem(conv_integer(nfa1)+2);--t char4_1 <= mem(conv_integer(nfa1)+3);--b char5_1 <= mem(conv_integer(nfa1)+4);--u char6_1 <= mem(conv_integer(nfa1)+5);--s if ((char1_1 = conv_std_logic_vector(78, 8)) and (char2_1 = conv_std_logic_vector(101, 8)) and (char3_1 = conv_std_logic_vector(116, 8)) and (char4_1 = conv_std_logic_vector(98, 8)) and (char5_1 = conv_std_logic_vector(117, 8)) and (char6_1 = conv_std_logic_vector(115, 8)) ) then match_1 <= '1'; else match_1 <= '0'; end if; end if; end if;

  16. CDF of Opcodes from regexes in SNORT DB 2.6 compiled with PCRE v7.1 40000 35000 30000 25000 20000 15000 10000 5000 0 22 79 89 78 46 72 38 51 64 47 60 88 53 39 48 75 20 8 61 70 66 73 59 97 52 29 11 6 68 82 21 80 83 65 0 4 5 9 10 30 33 44 57 The most frequently occurring OP Code corresponding to a single character match (OPCODE 22)

  17. The Finite Automata on hardware  The NFA  Multiple NFA engines are implemented to match multiple SNORT rules on a network payload

  18. QuickTime™ and a decompressor are needed to see this picture. The SGI RASC RC 100 BLADE  The RASC Blade contains two XILINX Virtex-4 LX 200 FPGA and provides upto 7.2 GByte/s throughput

  19. Architecture of 214 NFA Engines on a Virtex 4 LX 200 FPGA QuickTime™ and a decompressor are needed to see this picture. QuickTime™ and a decompressor are needed to see this picture.

  20. Throughput and Speedup  It is possible to obtain 12.9 Gbps throughput on the RASC RC-100 hardware

  21. Comparison with related systems  The Compiled PCRE Op Codes on SGI RASC RC-100 provides the highest throughput among other related FPGA platforms used for NIDS

  22. Conclusion  Compiled PCRE OPCODES to VHDL  Implemented Fast NFA based Regular Expression engines on FPGA platform  Regex engines Operate at 12.9 Gbps for efficient 10GbE IDS

  23. Future Work  Utilize multiple FPGAs to encompass all the SNORT rule-sets  Use streaming data flow for transferring payload to the FPGA  Implement all the OPCODES in hardware

  24. Q&A THANK YOU!

  27. result = pcre_exec(pcre_data->re, /* result of pcre_compile() */ pcre_data->pe, /* result of pcre_study() */ buf, /* the subject string */ len, /* the length of the subject string */ start_offset, /* start at offset 0 in the subject */ 0, /* options(handled at compile time */ ovector, /* vector for substring information */ SNORT_PCRE_OVECTOR_SIZE); /* number of elements in the vector */ if(result >= 0) { matched = 1; } else if(result == PCRE_ERROR_NOMATCH) { matched = 0; } Potential point for Speedup (i.e. implement pcre_exec in hardware)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Accelerating Convolutional Neural networks on FPGA SoC Francesco Restuccia, Ph.D. Fellow

Accelerating Convolutional Neural networks on FPGA SoC Francesco Restuccia, Ph.D. Fellow

Accelerating Convolutional Neural networks on FPGA SoC Francesco Restuccia, Ph.D. Fellow 04/12/2020 1 Overview Background Xilinx CHaiDNN Framework Overview Working flow Hardware architecture Xilinx DNNDK framework

865 views • 29 slides
Accelerating Pattern Matching Queries in Hybrid CPU-FPGA Architectures David Sidler , Zsolt Istv

Accelerating Pattern Matching Queries in Hybrid CPU-FPGA Architectures David Sidler , Zsolt Istv

Accelerating Pattern Matching Queries in Hybrid CPU-FPGA Architectures David Sidler , Zsolt Istv an, Muhsen Owaida, Gustavo Alonso Dept. of Computer Science, ETH Z urich Systems Group, Dept. of Computer Science, ETH Z urich Increasing

800 views • 60 slides
FPGA What is a FPGA? How FPGAs work How do they work? Manufacturers

FPGA What is a FPGA? How FPGAs work How do they work? Manufacturers

2/21/2012 Content FPGA What is a FPGA? How FPGAs work How do they work? Manufacturers Distributed RAM History FPGA vs ASIC FPGA and Microprocessors Alternatives to FPGAs ETI135, Advanced Digital IC Design

123 views • 10 slides
WWW.FPGA What is an FPGA? Field Programmable Gate Array Introduction to FPGA designs

WWW.FPGA What is an FPGA? Field Programmable Gate Array Introduction to FPGA designs

WWW.FPGA What is an FPGA? Field Programmable Gate Array Introduction to FPGA designs Generic logic cells + Programmable switches Why do we use it? High performance &amp; Flexible Shorter time to market Joachim Rodrigues

308 views • 8 slides
A Reconfigurable Fabric for Accelerating Large-Scale Datacenter Services 1. Overview 2.

A Reconfigurable Fabric for Accelerating Large-Scale Datacenter Services 1. Overview 2.

A Reconfigurable Fabric for Accelerating Large-Scale Datacenter Services 1. Overview 2. Challenges and Solution. 3. Introduction to FPGA 4. Requirement and Architecture. 5.Infrastructure and Platform architecture. 5.1 Debugging support. 5.2

786 views • 36 slides
An introduction to FPGA-based acceleration of neural networks Marco Pagani 1 What is an FPGA?

An introduction to FPGA-based acceleration of neural networks Marco Pagani 1 What is an FPGA?

An introduction to FPGA-based acceleration of neural networks Marco Pagani 1 What is an FPGA? Field-programmable gate array (FPGA) are integrated circuits designed to be con fi gured after manufacturing for implementing arbitrary logic

429 views • 15 slides
FPGA language ( HDL ). Overview 3 4 Component-Based Software Design LMES Component-Based

FPGA language ( HDL ). Overview 3 4 Component-Based Software Design LMES Component-Based

11/05/2016 Agenda The topics that will be addressed are: Overview on basic characteristics of the FPGA; Scheduling tasks on Reconfigurable FPGA reconfiguration capabilities; FPGA architectures Timing analysis for reconfigurable

299 views • 10 slides
Tips about an FPGA 02/09/2018 J.C. special topic FPGA ( field-programmable gate array ) FPGA :

Tips about an FPGA 02/09/2018 J.C. special topic FPGA ( field-programmable gate array ) FPGA :

Tips about an FPGA 02/09/2018 J.C. special topic FPGA ( field-programmable gate array ) FPGA : An integrated circuit (IC) designed to be configured by customer or designer after manufacturing -- Developed in ~80s -- Widely used (customer

303 views • 7 slides
Compiling &amp; Debugging FF Compiling &amp; Running FF (Linux &amp; Mac) System Requirement:

Compiling &amp; Debugging FF Compiling &amp; Running FF (Linux &amp; Mac) System Requirement:

Compiling &amp; Debugging FF Compiling &amp; Running FF (Linux &amp; Mac) System Requirement: 4GB of RAM &amp; 6.4 GB HD $ wget -q https://hg.mozilla.org/mozilla-central/raw- file/default/python/mozboot/bin/bootstrap.py &amp;&amp; python

453 views • 6 slides
Introduction to Compiling Chapter 1 1 Compiler Construction Introduction to Compiling To Do

Introduction to Compiling Chapter 1 1 Compiler Construction Introduction to Compiling To Do

Introduction to Compiling Chapter 1 1 Compiler Construction Introduction to Compiling To Do Read Chapter 1 of the Dragon book Begin work on Assignment 1 2 Compiler Construction Introduction to Compiling What is a compiler? A

624 views • 16 slides
FPGA-Enabled Cloud Miriam Leeser, Mehmet Gungor, Kai Huang, Stratis Ioannidis Dept. of Electrical

FPGA-Enabled Cloud Miriam Leeser, Mehmet Gungor, Kai Huang, Stratis Ioannidis Dept. of Electrical

Accelerating Large Garbled Circuits on an FPGA-Enabled Cloud Miriam Leeser, Mehmet Gungor, Kai Huang, Stratis Ioannidis Dept. of Electrical and Computer Engineering Northeastern University Boston, MA Introduction and Motivation More and

496 views • 22 slides
A Flexible Design Automation Tool for Accelerating Quantized Spectral CNNs Rachit Rajat, Hanqing

A Flexible Design Automation Tool for Accelerating Quantized Spectral CNNs Rachit Rajat, Hanqing

A Flexible Design Automation Tool for Accelerating Quantized Spectral CNNs Rachit Rajat, Hanqing Zeng, Viktor Prasanna University of Southern California fpga.usc.edu FPL 2019, Barcelona 1 Outline Introduction Background Tool

258 views • 22 slides
GRVI Phalanx Update: A Massively Parallel RISC-V FPGA Accelerator Framework Jan Gray |

GRVI Phalanx Update: A Massively Parallel RISC-V FPGA Accelerator Framework Jan Gray |

GRVI Phalanx Update: A Massively Parallel RISC-V FPGA Accelerator Framework Jan Gray | jan@fpga.org | http://fpga.org CARRV2017: 2017/10/14 FPGA Datacenter Accelerators Are Almost Mainstream Catapult v2. Intel += Altera. OpenPOWER CAPI. AWS

508 views • 28 slides
Support of Cross Calls between Microprocessor and FPGA in CPU-FPGA Coupling Architecture G.

Support of Cross Calls between Microprocessor and FPGA in CPU-FPGA Coupling Architecture G.

Support of Cross Calls between Microprocessor and FPGA in CPU-FPGA Coupling Architecture G. NguyenThiHuong and Seon Wook Kim Microarchitecture and Compiler Laboratory School of Electrical Engineering Korea University Motivation

416 views • 19 slides
FPGA vs GPU Performance Comparison on the Implementation of FIR Filters FPGA. While comparing the

FPGA vs GPU Performance Comparison on the Implementation of FIR Filters FPGA. While comparing the

FPGA vs GPU Performance Comparison on the Implementation of FIR Filters FPGA. While comparing the performance of them, we Abstract choose different models for each platform to get fairer FIR filters find place in digital signal processing

569 views • 7 slides
The Spartan 3e FPGA The Spartan 3e FPGA Whats inside the chip? How does it implement

The Spartan 3e FPGA The Spartan 3e FPGA Whats inside the chip? How does it implement

The Spartan 3e FPGA The Spartan 3e FPGA Whats inside the chip? How does it implement random logic? What other features can you use? What do all these things mean? LUT, Slice, BRAM, DCM, IOB, CLB... Two important documents

278 views • 11 slides
Lab 7: Firewalls &amp; Intrusion Detection Systems Fengwei Zhang SUSTech CS 315 Computer

Lab 7: Firewalls &amp; Intrusion Detection Systems Fengwei Zhang SUSTech CS 315 Computer

Lab 7: Firewalls &amp; Intrusion Detection Systems Fengwei Zhang SUSTech CS 315 Computer Security 1 Firewall &amp; IDS Firewall A device or application that analyzes packet headers and enforces policy based on protocol type, source

465 views • 20 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Sample Snort Signature alert tcp $EXTERNAL_NET any -&gt; $HOME_NET 139

Sample Snort Signature alert tcp $EXTERNAL_NET any -&gt; $HOME_NET 139

Sample Snort Signature alert tcp $EXTERNAL_NET any -&gt; $HOME_NET 139 flow:to_server,established content:&quot;|eb2f 5feb 4a5e 89fb 893e 89f2|&quot; msg:&quot;EXPLOIT x86 linux samba overflow&quot; reference:bugtraq,1816

436 views • 4 slides
FRACTALS OUTLINE Chaotic Systems Strange Attractors Newton-Raphson Diffusion

FRACTALS OUTLINE Chaotic Systems Strange Attractors Newton-Raphson Diffusion

FRACTALS OUTLINE Chaotic Systems Strange Attractors Newton-Raphson Diffusion Limited Aggregation Fractal Geometry L-Systems Iterative Function Systems (IFS) WHAT IS A FRACTAL? Geometric A rough or

499 views • 23 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 7 Intrusion Detection Topics Fundamentals Network IDS Snort Host-based IDS

1.03k views • 72 slides
Automated Translation Automated Translation Between Attack Languages Between Attack Languages

Automated Translation Automated Translation Between Attack Languages Between Attack Languages

Automated Translation Automated Translation Between Attack Languages Between Attack Languages (Translating Snort rules to STATL scenarios) (Translating Snort rules to STATL scenarios) Steven T. Eckmann Eckmann Steven T. Reliable Software

296 views • 27 slides
Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What

Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What

Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What do we Track and Why? + Overview of Information Stealing Trojans How/What they steal Phoning Home Popular Kits + Detecting C&amp;C

378 views • 25 slides

More recommend