This research presents a novel string matching architecture for intrusion detection systems, ensuring real-time network traffic analysis with non-interruptible updates and high throughput. The architecture includes a reconfigurable string matching engine, rule compiler, and partitioned rule modules for efficient processing. The algorithm mapping utilizes the Aho-Corasick algorithm, split state machines, and optimized rule partitioning to enhance performance and reduce processing overhead. The analysis of design covers theoretical and practical optimal partitioning for effective implementation.
CSCE 713
A High Throughput String Matching Architecture for Intrusion Detection and Prevention
• Authors: Lin Tan and Timothy Sherwood
• Presented by: Jamie Huenefeld
Introduction
• Intrusion Detection Systems (IDS)
  • desire real-time network traffic analysis
  • use a set of rules to identify known attacks; each rule contains:
    • packet type
    • identifier string
    • location
    • resultant action, taken if all rule conditions are satisfied

Introduction
• IDS implementations require adequate:
  • Processing Time
  • Storage Space

Introduction
• The string matching engine must have bounded performance in the worst case
  • prevents performance-based attacks
• Updates must be rolled out with minimal service interruptions
  • prevents attacks while the system is updating
Outline
• Research Contributions
• Architecture
• Algorithm Mapping
• Analysis of Design
• Related Work
• Conclusions
Research Contributions
• Novel, Reconfigurable String Matching Architecture
  • 0.4 Mb storage space
  • 10 Gbit/sec processing
  • Conjunction of many state machines with a reduced number of edges

Research Contributions
• Rule Compiler
  • Partitions and bit-splits the FSM into a set of small state table transitions
  • Replacement update module that allows non-interruptible updates
Architecture
• IDS require deep packet inspection
  • Stringent worst case performance
  • Non-interrupting rule update
  • High throughput per area

Architecture
• String Match Engine
  • Breaks the rule strings into a set of smaller state machines
  • Each can recognize a subset of strings from the rule set

Architecture
• Rule Module
  • Acts as a large state machine
  • Outputs string matches
  • Full set of rules is partitioned between rule modules
  • Composed of a set of tiles
  • State machine is partitioned into a set of state machines, each recognizing part of the input stream

Architecture
• Tiles
  • Tables containing entries
  • Each row contains one state
  • Each state has:
    • Next Pointers
    • Partial Match Vector
Architecture
• Non-Interrupting Updates
  • Utilizes temporary tiles
  • To compile a new rule:
    • New rule is stored in a temporary state machine and compiled
    • Temporary state machine is copied to a module after compilation is complete
Algorithm Mapping
• Searches for a match amongst a set of possible strings
• Aho-Corasick Algorithm
  • Encodes search strings
  • Use of tree, edge traversal
  • Insertion of failure edges
    • Suffix to Prefix

Algorithm Mapping
• Implementation Issues:
  • Too many edges
    • Storage and processing issues
  • Use of Snort
    • 1000 Suspicious Strings
    • 10,000 Nodes

Algorithm Mapping
• Split State Machines
  • Desire fewer next pointers, regular behaviour
    • 2 Next States
  • State Machines execute independently
  • Increase speed by traversing more than one edge at a time
Algorithm Mapping
• Split State Machines
  • Each is responsible for 1 of the 8 bits
  • Indicate a “potential” match
  • No mapping to non-output states
• Bit vector
  • Used to track all potential matches
  • All bit vectors must agree to verify a match

Algorithm Mapping
• Take the AND of the bit vectors to find matches

Algorithm Mapping
• Partition Rules
  • Partially matching 1000 bits per vector = wasteful
  • Divide strings into smaller groups containing a few strings
    • Partial Vector is 16 bits

Algorithm Mapping
• Partition Rules
  • Optimize the number of strings with respect to both partial vectors and state entries
    • Without exceeding 16 strings or 256 states
  • Sort strings lexicographically
    • Common prefixes share states, therefore using fewer states in total

Algorithm Mapping
• Filling Tables
  • Next state and partial match vectors stored in entries
  • A partial match vector is produced by each tile
  • AND all partial match vectors
  • Output only after the entire packet is scanned
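The lexicographic rule partitioning described on the two slides above, worked through in Python as an added example (not code from the paper or the presentation). It relies on the fact that a shared-prefix state machine has one state per distinct prefix, uses the slides' 16-string / 256-state limits as defaults, and the rule strings are constructed for illustration.

```python
def trie_states(strings):
    """States the shared-prefix machine needs for a group = its distinct prefixes (root included)."""
    return len({s[:k] for s in strings for k in range(len(s) + 1)})

def partition_rules(strings, max_strings=16, max_states=256):
    """Sort lexicographically so common prefixes land in the same group, then fill groups
    greedily until either the string limit or the state limit would be exceeded."""
    groups, cur = [], []
    for s in sorted(strings):
        if trie_states([s]) > max_states:        # one string alone would not fit a tile
            raise ValueError("string longer than a group can hold: %r" % s)
        if cur and (len(cur) == max_strings or trie_states(cur + [s]) > max_states):
            groups.append(cur)
            cur = []
        cur.append(s)
    if cur:
        groups.append(cur)
    return groups

RULES = ["abcd", "xyz2", "abce", "xyz1", "abcf"]    # constructed sample rule strings
```

Calling `partition_rules(RULES, 3, 8)` keeps the three `abc*` strings together (7 states) and the two `xyz*` strings in a second group, whereas the same three strings taken in arrival order would need 10 states.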
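The bit-split construction the Algorithm Mapping slides describe (one state machine per bit of the input byte, exactly two next pointers per state, a partial match vector per state, and the AND of all eight vectors after every byte), worked through in Python as an added example; this is not code from the paper or the presentation, and the four-pattern rule group is constructed for illustration.

```python
def build_ac(patterns):
    """Aho-Corasick over one rule group: delta[s][byte] is the full 256-way next-state
    table, out[s] the ids of every pattern (suffixes included) that ends at state s."""
    goto, out = [{}], [set()]
    for i, p in enumerate(patterns):
        s = 0
        for c in p:
            if c not in goto[s]:
                goto[s][c] = len(goto); goto += [{}]; out += [set()]
            s = goto[s][c]
        out[s].add(i)
    delta, fail, q = [None] * len(goto), [0] * len(goto), [0]
    for s in q:                     # BFS (q grows as we go): fail[s] is final before s
        delta[s] = [goto[s].get(c, delta[fail[s]][c] if s else 0) for c in range(256)]
        out[s] |= out[fail[s]]      # a pattern that is a suffix of another is reported too
        for c, t in goto[s].items():
            fail[t] = delta[fail[s]][c] if s else 0
            q.append(t)
    return delta, out

def bit_split(delta, out, bit):
    """Split machine for one bit position: each state stands for a set of AC states
    and keeps exactly two next pointers plus a partial match vector (PMV)."""
    ids, nexts, pmv, q = {frozenset([0]): 0}, [], [], [frozenset([0])]
    for S in q:
        nexts.append([])
        for v in (0, 1):            # next state when the input byte's bit is v
            T = frozenset(delta[s][c] for s in S for c in range(256) if (c >> bit) & 1 == v)
            if T not in ids:
                ids[T] = len(ids); q.append(T)
            nexts[-1].append(ids[T])
        pmv.append(set().union(*(out[s] for s in S)))   # patterns that MIGHT end here
    return nexts, pmv

def scan(machines, data):
    """Step all eight bit machines in lockstep; a pattern is a real match at a byte
    position only when every machine's partial match vector agrees (AND)."""
    states, hits = [0] * len(machines), []
    for pos, c in enumerate(data):
        agree = None
        for b, (nexts, pmv) in enumerate(machines):
            states[b] = nexts[states[b]][(c >> b) & 1]
            agree = pmv[states[b]] if agree is None else agree & pmv[states[b]]
        hits += [(pos, i) for i in sorted(agree)]
    return hits

PATTERNS = [b"he", b"she", b"his", b"hers"]     # constructed sample rule group
DELTA, OUT = build_ac(PATTERNS)
MACHINES = [bit_split(DELTA, OUT, b) for b in range(8)]
```

`scan(MACHINES, b"ushers")` reports pattern ids 0 and 1 at byte 3 and id 3 at byte 5, the same positions a plain Aho-Corasick walk over `DELTA` yields, while every split machine stores only two next pointers per state.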
Analysis of Design
• Theoretical Optimal Partitioning
  • Combination of 2 parameters:
    • Module size n
    • Group size s
  • More state machines = less fan-out

Analysis of Design
• Practical Optimal Partitioning
  • Major Issues:
    • Longest string is longer than the approximation
    • More groups imply more overhead

Analysis of Design
• Optimal Group Size
  • Traditional implementation utilizing 256 pointers uses more storage than the ideal
    • Group size of 8 still requires 3.74 Mb
  • Optimal
    • Fan-out of 4 with group size 8 or 16
    • Requires 0.4 Mb to store the Snort rule set
Analysis of Design
• Detailed Throughput and Area Comparison
  • Worst case throughput is 10 Gbit/sec
  • Alternatives can only guarantee 3 Gbit/sec
• Efficiency
  • Design achieves 320.972 characters/mm²
  • 4 times more than the best FPGA design examined
Related Work
• Software
  • Reduce common case performance
• FPGA
Conclusions
• Improve string matching by splitting the larger problem into manageable sub-problems
  • 2 next states per node
  • more of the string read at once generates more throughput
• Reasonable storage increase
• Simple, yet scalable