optimising the resource utilisation in high speed network
play

Optimising the resource utilisation in high-speed network intrusion - PowerPoint PPT Presentation

Oct 11, 2023 •139 likes •260 views

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald Tripp www.kent.ac.uk Network intrusion detection Network intrusion detection systems are provided to detect the presence of various security

  1. Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald Tripp www.kent.ac.uk

  2. Network intrusion detection • Network intrusion detection systems are provided to detect the presence of various security attacks. • This could be a virus or an attack that takes advantage of some form of weakness in the system. • Typically operates by searching for various patterns or strings within each network packet. • Difficult for software to keep up with traffic rate for high speed networks. • Can build custom hardware for this within a Field Programmable Gate Array (FPGA) • Implement string matching using an 'automata' based design 2

  3. FPGA based implementation • One common method is to implement an automata as a series of comparator, flip flops and gates. • Good resource utilisation • But: need to rebuild the design if we change the search strings • Can use a table based automata implementation. • Dynamically update-able at run time. • Use internal memory to avoid pipeline delays to external RAM • But: limited numbers of Block RAM primitives within FPGAs. 3

  4. Using Logic ... • We can instead use logic cells (LUTs – Look Up Tables) as small blocks of memory. • But: they are rather small (16-bits each in Xilinx FPGAs) • However, there are plenty of them ... • The basic single LUT memory is also single port … • We can however use these as shift registers ... • SR16 primitive – implemented as a single LUT. • Use the shift data operation to load them with information • Use a selective shift out port to read out particular bits 4

  5. Standard shift register: SR16 Shift Shift in D Q15 out and enable CE clock A Q • The 'programmable length' facility enables Q to output the shift register bit selected by A 5

  6. Generic Memory Block of size: 2 N x W bits • Instantiate number of shift registers as required. • Link shift registers together inside the memory block • Serial load data and enable, in and out • Daisy chain to link memory blocks together for loading. Address Data out A D N W SDI SDO Serial Serial SEI SEO load out load in Clock 6

  7. Basic string matching engine. Generic design: Match Data in vector state compress automata out 8 A S decoder N • A – bus width of compressed input • S – number of bits in state variable • N – number of different match strings 7

  8. Basic Matching 'engine'. • Use a compacted table for the automata based on “row displacement with state marking” • This is a traditional parser technique. • New variable P: address bus width into main automata table • Use a similar technique for the compression system. • Variable CL: address bus width into main compression table • Build state decoder as two stages: • First: compress current state into a value (width K bits) indicating one of the terminal states or that its a non-terminal. • Secondly: decode this into a match vector. 8

  9. Determining resource utilisation • Now have a completely parametrised design ... • Build a rough (mathematical) model of resource utilisation for an 'matching engine' dependent on these parameters. • For each valid set of parameters: • Process a set of Intrusion Detection rules to see how many 'engines' are needed • Determine the approximate per search byte resource utilisation. • Pick the most likely candidates and plot a graph • Pick an optimal candidate and build an FPGA design for it ... 9

  10. Search engine resource utilisation Parameter key: 5.0 CL,A,S,P 4.8 C:6,6,6,6 LUTs/search byte 4.6 C:6,6,7,7 C:7,6,7,7 4.4 C:7,7,7,7 4.2 C:7,7,8,8 C:8,6,7,7 4.0 C:8,7,8,8 3.8 3.6 0 5 10 15 20 25 30 ( ) ⎡ ⎤ = + Maximum strings per engine (N) K log 2 N 1

  11. Results – Target device: Xilinx XC2VP7-7 Parameters: CL=7, A=6, S=7, P=7, K=4, N=15 • Max. of 15 search strings / engine (average of about 10 to 11) • Resources for each engine: • LUTs: 410 out of 9856 (4% of XC2VP7) • Can probably fit about 215 engines into a larger XC2VP100 • i.e. Search for around 2200 strings in parallel • Search rate: 1.2 Gbps • Independent of search strings or input data. • Tested by simulation as a VHDL model … 11

  12. Conclusions & Further work • Flexible VHDL model for a string matching system • Using just FPGA LUTs. • Dynamically update-able at run time. • Only byte at a time string matching so far • Can look at incorporating in existing work with multi-byte input matching systems and regular expression matching. • This design uses just LUT primitives ... • Can look at how this might be used in conjunction with the larger BRAM primitives for more optimal implementations. 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges & Approaches Security: Challenges & Approaches C-DAC Asia-Pacific Advanced Network 32 nd Meeting, India Habitat Centre, New Delhi APAN 32nd Meeting,

647 views • 28 slides
UKLIGHT: projects at UCL Saleem Bhatti http://www.cs.ucl.ac.uk/staff/S.Bhatti/ 1 Challenges

UKLIGHT: projects at UCL Saleem Bhatti http://www.cs.ucl.ac.uk/staff/S.Bhatti/ 1 Challenges

UKLIGHT: projects at UCL Saleem Bhatti http://www.cs.ucl.ac.uk/staff/S.Bhatti/ 1 Challenges High-speed (multi-Gb/s) operation: network engineering for high-speed QoS at high speed within the core network QoS for individual

493 views • 16 slides
CBCN4103 CBCN4103 A LAN LAN is a high-speed data network that covers a relatively small

CBCN4103 CBCN4103 A LAN LAN is a high-speed data network that covers a relatively small

CBCN4103 CBCN4103 A LAN LAN is a high-speed data network that covers a relatively small geographic area. It typically connects workstations, personal computers, k l printers, servers, and other devices. LANs offer computer users many

742 views • 26 slides
Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting

Firewall Architectures for High-Speed Networks Errin W. Fulp DOE Network Research PI Meeting September 28, 2005 1 Project Objectives Methods that improve network firewall performance 1. Develop policy optim ization techniques Formal

221 views • 9 slides
Operationalizing Yarrp: High-Speed Active Network Topology Mapping from AWS

Operationalizing Yarrp: High-Speed Active Network Topology Mapping from AWS

Operationalizing Yarrp: High-Speed Active Network Topology Mapping from AWS https://yarrp.nps.tancad.net/ Justin P. Rohrer (jprohrer@nps.edu) Department of Computer Science US Naval Postgraduate School AIMS-KISMET, February 28, 2020 1

538 views • 16 slides
Statewide High Speed Network networkMaryland TM Advisory Group Meeting January 15, 2008

Statewide High Speed Network networkMaryland TM Advisory Group Meeting January 15, 2008

Statewide High Speed Network networkMaryland TM Advisory Group Meeting January 15, 2008 Annapolis, MD Meeting Agenda Welcome & Introductions State of the Network Status of Project Pricing Model Discussion Other Business 2

423 views • 29 slides
Statewide High Speed Network networkMaryland Advisory Group Meeting September 19, 2006

Statewide High Speed Network networkMaryland Advisory Group Meeting September 19, 2006

Statewide High Speed Network networkMaryland Advisory Group Meeting September 19, 2006 Annapolis, Maryland MEETING AGENDA Welcome & Introductions State of the Network Status of Project Other Business 2 Welcome

421 views • 22 slides
Complex network planning methodology and framework Mitcsenkov Attila (BME TMIT, High Speed

Complex network planning methodology and framework Mitcsenkov Attila (BME TMIT, High Speed

Image: Sumitomo Electric Lightwave Computer aided network planning and techno-economic assessment of next generation optical access networks Complex network planning methodology and framework Mitcsenkov Attila (BME TMIT, High Speed Networks

851 views • 51 slides
ROBOTICS at Carleton the core in-situ resource utilisation (ISRU) technology Prof Alex Ellery

ROBOTICS at Carleton the core in-situ resource utilisation (ISRU) technology Prof Alex Ellery

ROBOTICS at Carleton the core in-situ resource utilisation (ISRU) technology Prof Alex Ellery Space Exploration Engineering Group (SEEG) Dept Mechanical & Aerospace Engineering Carleton University RESOLVE PAYLOAD In-situ resource

427 views • 28 slides
Statewide High Speed Network networkMaryland Advisory Group Meeting March 21, 2006 Annapolis,

Statewide High Speed Network networkMaryland Advisory Group Meeting March 21, 2006 Annapolis,

Statewide High Speed Network networkMaryland Advisory Group Meeting March 21, 2006 Annapolis, Maryland MEETING AGENDA Welcome & Introductions State of the Network Status of Project Rural Broadband Cooperatives Other

268 views • 25 slides
Slow Speed Network Slow Speed Network Strategic Plan for the Strategic Plan for the South Bay

Slow Speed Network Slow Speed Network Strategic Plan for the Strategic Plan for the South Bay

Slow Speed Network Slow Speed Network Strategic Plan for the Strategic Plan for the South Bay South Bay Sustainability Demonstration Project SBCCOG Board of Directors Meeting September 28, 2017 Project Goals Network strategy for low speed

293 views • 25 slides
Statewide High Speed Network networkMaryland TM Advisory Group Meeting May 20, 2008 Annapolis, MD

Statewide High Speed Network networkMaryland TM Advisory Group Meeting May 20, 2008 Annapolis, MD

Statewide High Speed Network networkMaryland TM Advisory Group Meeting May 20, 2008 Annapolis, MD Meeting Agenda Welcome & Introductions State of the Network Status of Project networkMaryland TM Transition Other Business

722 views • 25 slides
Statewide High Speed Network networkMaryland Advisory Group Meeting March 20, 2007 Annapolis,

Statewide High Speed Network networkMaryland Advisory Group Meeting March 20, 2007 Annapolis,

Statewide High Speed Network networkMaryland Advisory Group Meeting March 20, 2007 Annapolis, Maryland MEETING AGENDA Welcome & Introductions State of the Network Status of Project Other Business 2 Welcome

781 views • 28 slides
Statewide High Speed Network networkMaryland Advisory Group Meeting January 17, 2006 Annapolis,

Statewide High Speed Network networkMaryland Advisory Group Meeting January 17, 2006 Annapolis,

Statewide High Speed Network networkMaryland Advisory Group Meeting January 17, 2006 Annapolis, Maryland MEETING AGENDA Welcome & Introductions State of the Network Status of Project Other Business 2 Welcome

352 views • 23 slides
Statewide High Speed Network networkMaryland Advisory Group Meeting January 16, 2007 Annapolis,

Statewide High Speed Network networkMaryland Advisory Group Meeting January 16, 2007 Annapolis,

Statewide High Speed Network networkMaryland Advisory Group Meeting January 16, 2007 Annapolis, Maryland MEETING AGENDA Welcome & Introductions State of the Network Status of Project Other Business 2 Welcome

413 views • 24 slides
Approximate Reduction of Finite Automata for High-Speed Network Intrusion Detection Milan

Approximate Reduction of Finite Automata for High-Speed Network Intrusion Detection Milan

Approximate Reduction of Finite Automata for High-Speed Network Intrusion Detection Milan Ce Vojt Luk a ska ech Havlena s Hol k Ond rej Leng al Tom a s Vojnar Brno University of Technology Czech Republic 18

789 views • 65 slides
OpenSolaris ARM Port and its future Vineeth Pillai Solaris Revenue Product Engineering Sun

OpenSolaris ARM Port and its future Vineeth Pillai Solaris Revenue Product Engineering Sun

OpenSolaris ARM Port and its future Vineeth Pillai Solaris Revenue Product Engineering Sun Microsystems, Czech Agenda Introduction OpenSolaris ARM Port Technical Details Try the arm port howto Developing applications Future Possible

479 views • 29 slides
11/05/2016 R3TOS IN A N UTSHELL R3TOS is a Reliable Reconfigurable Real-Time Operating System.

11/05/2016 R3TOS IN A N UTSHELL R3TOS is a Reliable Reconfigurable Real-Time Operating System.

11/05/2016 R3TOS IN A N UTSHELL R3TOS is a Reliable Reconfigurable Real-Time Operating System. R3TOS O VERVIEW AND A RCHITECTURE It ease the exploitation of online specialization offered by partially reconfigurable FPGAs, combining computation

651 views • 21 slides
Sorting and Other Distributed Set Operations T-79.4001 Seminar on Theoretical Computer Science

Sorting and Other Distributed Set Operations T-79.4001 Seminar on Theoretical Computer Science

Sorting a Distributed Set Distributed Set Operations Sorting and Other Distributed Set Operations T-79.4001 Seminar on Theoretical Computer Science Spring 2007 Distributed Computation Eero Hkkinen 2007-04-18 Based on sections 5.3-5.4 of

513 views • 28 slides
Built-In Self- Test (BIST) Virendra Singh Associate Professor C omputer A rchitecture and D

Built-In Self- Test (BIST) Virendra Singh Associate Professor C omputer A rchitecture and D

Built-In Self- Test (BIST) Virendra Singh Associate Professor C omputer A rchitecture and D ependable S ystems L ab Department of Electrical Engineering Indian Institute of Technology Bombay http://www.ee.iitb.ac.in/~viren/ E-mail:

528 views • 32 slides
Data and Processes: A Challenging, though Necessary, Marriage . . KRDB 1 Marco Montali Free

Data and Processes: A Challenging, though Necessary, Marriage . . KRDB 1 Marco Montali Free

Data and Processes: A Challenging, though Necessary, Marriage . . KRDB 1 Marco Montali Free University of Bozen-Bolzano 1 2 Our Starting Point Marrying processes and data is a must if we want to really understand how complex dynamic

1.07k views • 85 slides
Java Generics Generics n Since JDK 1.5 (Java 5), the Collections framework has been

Java Generics Generics n Since JDK 1.5 (Java 5), the Collections framework has been

Java Generics Generics n Since JDK 1.5 (Java 5), the Collections framework has been parameterized. n A class that is defined with a parameter for a type is called a generic or a parameterized class. In C++, there were referred to as

300 views • 12 slides
Generic Programming Department of Computer Science University of Maryland, College Park Generic

Generic Programming Department of Computer Science University of Maryland, College Park Generic

CMSC 132: Object-Oriented Programming II Generic Programming Department of Computer Science University of Maryland, College Park Generic Programming Generic programming Defining constructs that can be used with different data types

333 views • 9 slides
Generic types Paint design Please sit with your Paint project partner Solutions to HW6

Generic types Paint design Please sit with your Paint project partner Solutions to HW6

Generic types Paint design Please sit with your Paint project partner Solutions to HW6 written problems and DotsUML should be in the usual place on ANGEL: Lessons > Assignments > Solutions Today: Statics revisited

622 views • 16 slides

More recommend