
Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation

Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation. Authors: Cătălin Radu, Cătălin Leordeanu, Valentin Cristea. Publisher: 2011 International Conference on Complex, Intelligent, and Software Intensive Systems. Presenter: Ye-Zhi Chen





Presentation Transcript


  1. Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation. Authors: Cătălin Radu, Cătălin Leordeanu, Valentin Cristea. Publisher: 2011 International Conference on Complex, Intelligent, and Software Intensive Systems. Presenter: Ye-Zhi Chen. Date: 2011/9/7

  2. Introduction
  • Main purpose: determine whether incoming network traffic matches known attack signatures
  • Bottleneck: existing signature matching algorithms can scan only one byte at a time
  • Intrusion Detection System (IDS): an effective way to provide a degree of security to computers connected to a network, based on string matching
  • An Internet worm in an incoming network packet is usually identified by a string representing the executable program's name in the packet payload

  3. Introduction
  • Hardware-based solutions: FPGAs implement specific string matching algorithms, making use of the high parallelism available (e.g. Bloom filters, DFAs)
  • This work runs an adapted Speculative Parallel Pattern Matching (SPPM) algorithm on the IBM Cell Broadband Engine (Cell BE)

  4. Intrusion Detection System
  • Three methodologies: signature-based, anomaly-based, stateful protocol analysis
  A. DFA matching:
  • Most signature databases contain several regular expressions, which can be combined into a single large DFA
  • DFAs for distinct signatures are combined into a single DFA that simultaneously represents all the signatures
  • A DFA is a quintuple (Σ, S, s0, δ, F): Σ is the input alphabet; S is a finite set of states; s0 ∈ S is the initial state; δ is the transition function; F is the set of final (accepting) states. If an accepting state is reached, an attack signature has been found.

  5. Intrusion Detection System

  6. Intrusion Detection System
  • In the serial algorithm, the memory access that reads the next state from the transition table (δ) for a given input character and current state takes several processor cycles
  • In the worst case, when the entire input string is scanned, the running time of the serial algorithm is at least M * |I| cycles, where |I| is the length of the input string and M is the number of processor cycles needed to read an input character
  • Multi-byte matching methods: in the ideal case, consuming B bytes of the input string at a time can reduce this to M * |I| / B

  7. Intrusion Detection System
  B. Regular Expression Matching with Speculation
  • The main idea behind SPPM is to divide the input string into several chunks of the same size and process them in parallel
  • Initialization stage: the input string is split into two chunks and the state variables for the Primary and Secondary threads are initialized
  • Parallel processing stage: the two threads scan their private chunks in lockstep. If a match is found by either one of them, the algorithm terminates
  • Validation stage: the Primary continues to scan the Secondary's chunk

  8. Intrusion Detection System
  Three possible outcomes arise:
  • A match is found and the algorithm returns success
  • Coupling occurs before the end of the second chunk
  • The entire second chunk is traversed again and no match is found
  (Figure labels: Found at parallel processing stage / Found at validation processing stage / Not found)

  9. Intrusion Detection System
  • This paper adapts the SPPM algorithm to make use of parallel hardware, using all the processing units available
  • The most favorable case: the speedup factor would be K, where K is the total number of processing units (in the parallel stage)
  • If a match is not found in the parallel processing stage, a possible speedup gain could still occur in the validation stage if coupling between two right neighbors occurs
  • The least favorable case: when a match is not found and the entire input buffer is scanned, the complexity of the SPPM algorithm is the same as that of the serial algorithm
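The three SPPM stages of slides 7 to 9, as an added C example that is not the paper's code: the Primary and Secondary threads are simulated in lockstep on one core, the DFA is constructed for the single signature "evil", and the assumption that the Secondary logs its state after every byte so the Primary can detect coupling in the validation stage is mine, not something the slides state. The `steps` field counts lockstep iterations, to compare with the |I| steps a serial scan of the same input would need.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not the paper's code. Constructed DFA for the one signature
 * "evil": state k means "k bytes of the signature matched so far", state 4 is
 * accepting and absorbing. delta is the transition table read once per byte. */
#define STATES 5
#define SYMBOLS 256
#define MAX_INPUT 4096
static uint8_t delta[STATES][SYMBOLS];
static const uint8_t is_final[STATES] = {0, 0, 0, 0, 1};

static int next_state(int s, int c) {      /* longest prefix of "evil" ending in c */
    const char *sig = "evil"; int n = 4;
    if (s == n) return n;
    for (int k = s + 1; k >= 1; k--)
        if (sig[k - 1] == c && memcmp(sig, sig + s - (k - 1), (size_t)(k - 1)) == 0) return k;
    return 0;
}
static void build_dfa(void) {
    for (int s = 0; s < STATES; s++)
        for (int c = 0; c < SYMBOLS; c++) delta[s][c] = (uint8_t)next_state(s, c);
}
enum { NOT_FOUND, FOUND_PARALLEL, FOUND_VALIDATION };
typedef struct { int outcome; int coupled; size_t steps; } sppm_result;

/* Two-thread SPPM over n input bytes; a serial scan would spend n steps. */
static sppm_result sppm_match(const uint8_t *in, size_t n) {
    static int built;
    if (!built) { build_dfa(); built = 1; }
    sppm_result r = {NOT_FOUND, 0, 0};
    if (n > 2 * MAX_INPUT) return r;          /* trace buffer bound for this example */
    size_t l1 = n / 2, l2 = n - l1;           /* initialization: two (near) equal chunks */
    const uint8_t *c1 = in, *c2 = in + l1;
    int sp = 0, ss = 0;                       /* Primary starts at s0; Secondary speculates s0 */
    uint8_t trace[MAX_INPUT];                 /* assumption: Secondary logs its state per byte */
    for (size_t i = 0; i < l2; i++) {         /* parallel stage: lockstep, one byte each */
        if (i < l1) sp = delta[sp][c1[i]];
        ss = delta[ss][c2[i]]; trace[i] = (uint8_t)ss;
        r.steps++;
        if (is_final[sp] || is_final[ss]) { r.outcome = FOUND_PARALLEL; return r; }
    }
    for (size_t i = 0; i < l2; i++) {         /* validation: Primary rescans chunk 2 */
        sp = delta[sp][c2[i]];
        r.steps++;
        if (is_final[sp]) { r.outcome = FOUND_VALIDATION; return r; }
        if (sp == trace[i]) { r.coupled = 1; return r; }  /* coupling: speculation was right */
    }
    return r;                                 /* worst case: whole second chunk rescanned */
}
```

On a 16-byte input with no signature the Primary couples on the first validation byte, so the run costs 9 steps instead of 16; a signature straddling the chunk boundary is only found in the validation stage.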

  10. Intrusion Detection System

  11. Cell Intrusion Detection
  The Cell processor can be split into four components:
  • External input and output structures
  • Power Processing Element (PPE): the main processor
  • Synergistic Processing Elements (SPEs): eight coprocessors
  • Element Interconnect Bus (EIB): a specialized high-bandwidth circular data bus connecting the PPE, the input/output elements and the SPEs

  12. Cell Intrusion Detection
  PPE:
  • A 64-bit PowerPC-architecture-based microprocessor
  • Runs at a clock speed of 3.2 GHz
  • Runs the OS and coordinates the SPEs
  • Has a 32 KB L1 cache and a 512 KB L2 cache

  13. Cell Intrusion Detection
  SPE:
  • Each SPE contains a Synergistic Processing Unit (SPU), a memory flow controller, a memory management unit, a bus interface and an atomic unit
  • RISC processor
  • Each SPE has 128 128-bit registers
  • Supports Single Instruction Multiple Data (SIMD) instructions
  • Suitable for efficient loop unrolling and instruction scheduling
  • Each SPE has 256 KB of local store memory (LS), which the SPU can access directly
  • DMA transfers are used because SPEs cannot access the PPE's main memory directly

  14. Cell Intrusion Detection
  Three different programs perform DFA matching:
  • Single-threaded DFA
  • The speculative parallel pattern matching solution with 2 SPEs
  • The speculative parallel pattern matching solution with 8 SPEs

  15. Cell Intrusion Detection

  16. Cell Intrusion Detection
  Implementation:
  Step 1: Scan and parse the input file and build the DFA
  Step 2: Divide the input string into several chunks of a specified length with an input string divider
  Step 3: Match these chunks through the DFA

  17. Cell Intrusion Detection
  In the DFA input file, if a state is an accepting one, that fact is shown by the presence of the string a() after the state number

  18. Cell Intrusion Detection
  The parser uses three buffers to scan and parse the input file:
  • The first one stores an entire line from the file
  • The second buffer holds the state transition part of the line read
  • The third buffer holds each element of this state transition array; each value is stored in the corresponding position in the DFA data structure

  19. Cell Intrusion Detection
  DFA data structure, four main fields:
  • States
  • Final: an array of STATES_NO rows and SYMBOLS_NO_MIN columns
  • Start: starting state of the DFA
  • STATES_NO: total number of states
  Additional field:
  • dummy: because the DFA is larger than one maximum DMA transfer (16 KB), this field holds the remaining number of bytes needed to make the entire size of the structure a multiple of 16 KB

  20. Cell Intrusion Detection
  DFA matching for 2 Cell SPUs:
  • The PPU waits for strings to process and divides them into two chunks
  • The PPU passes the two chunks to the two SPUs (called Primary and Secondary)
  • The SPUs run the DFA matching algorithm and return the results to the PPU
  • Based on the result, the PPU decides whether the Primary SPU should begin the validation stage
  Parallel approach for 8 processing units:
  • Divide the eight SPUs into four pairs of two, each of which runs the two-threaded speculative algorithm
  • Each pair proceeds as described above

  21. Cell Intrusion Detection
  • A DFA with more than 1500 states will not fit into the local store of the SPUs
  Solution for large DFAs:
  • Several input files containing smaller DFAs were made (550 states is sufficient)
  • By combining these smaller DFAs together, the large DFA is obtained
  • The double-buffering technique is used: a DMA transfer for the next DFA part is issued without waiting for its completion, while the part already in the local store is processed

  22. Result

  23. Result
