by
Benfano Soewito
Southern Illinois University, 2004
A Dissertation
Submitted in Partial Fulfillment of the Requirements for the
Doctor of Philosophy Degree in Electrical and Computer Engineering
ProQuest LLC
789 East Eisenhower Parkway
P.O. Box 1346
Ann Arbor, MI 48106-1346
DISSERTATION APPROVAL
By
Benfano Soewito
Fulfillment of the Requirements
for the Degree of
Doctor of Philosophy
in Electrical and Computer Engineering
Approved by:
Graduate School
Southern Illinois University Carbondale
June 19, 2009
AN ABSTRACT OF THE DISSERTATION OF
Benfano Soewito, for the Doctor of Philosophy degree in Electrical and Computer
confidentiality, availability, and integrity for the diverse systems connected through them. If the network security system could be dynamically reconfigured for new attacks, techniques and algorithms, computer networks would be able to provide better protection. The key challenge to achieving this adaptability is the lack of an adaptive framework which can simultaneously consider the underlying hardware platform, algorithm processing
adding network analyzers and integrating several network security techniques into a system. The network analyzers analyze network traffic to learn the characteristics of the network traffic over time by analyzing the packet headers and payload. Using this network characteristic information, a suitable intrusion detection system is constructed.
FPGA, the methodology to construct a high performance string matching engine was introduced. Various techniques, including multi-threading FSM design, partitioning FSM, and a novel high-speed FSM interface circuit, are developed to improve the
methodology, it will be very difficult if not impossible.
ACKNOWLEDGMENTS
I would like to thank Dr. Ning Weng for providing excellent guidance and opportunities to engage in intense discussions and especially his great assistance and insights leading to the writing of this dissertation. I am grateful to Dr. Haibo Wang's co-supervision for one part of the research on this dissertation and serving as a member of my dissertation committee. My sincere thanks also go to Dr. Nazeih M. Botros, Dr. Ramanarayanan Viswanathan, and Dr. Garth Crosby for being members of my dissertation committee. I am very thankful to my parents for providing me this level of education, support and for their immense confidence in me. Finally, I would like to acknowledge Lucas
TABLE OF CONTENTS
Abstract . . . ii
List of Figures . . . ix
1 Introduction . . . 1
1.1 Network Application . . . 1
1.4 Challenges . . . 4
1.5 Observations . . . 5
1.6 Problem Statement . . . 6
1.7 Contribution . . . 6
1.8 Organization . . . 7
2 Related Work . . . 8
3.1 Analyzer . . . 19
3.2 Pre-filtering . . . 20
3.2.3 Filter Cost Characterization . . . 22
3.6 Encryption/Decryption . . . 41
4 Results . . . 44
4.1 Multi-cores . . . 44
4.1.3 Scalability . . . 47
4.5 Encryption/Decryption . . . 68
5 Conclusions . . . 74
5.1 Multi-cores . . . 74
5.3 High Performance IDS on FPGA . . . 76
Vita . . . 85

LIST OF TABLES
4.4 False Positive Special Snort Rules . . . 54

LIST OF FIGURES
3.6 Levelization . . . 30
4.13 FPGA Resource Utilization for Different FSM Design . . . 63
4.22 Storage requirement in encryption processing . . . 71
CHAPTER 1
INTRODUCTION
Internet-based information technology is now used widely all over the world. The internet has evolved to include simple applications such as information systems to
important to balancing the security system in the future network. The future network security system should be flexible: easy to update, adaptable to network traffic, able to respond to changing attacks, reconfigurable to new security technology, able to detect new attacks, and energy efficient. The question is how to construct it. However, constructing an NIDS that satisfies the requirements above is very difficult for a network engineer. This dissertation presents a methodology framework to address this challenge.
as examples.
administrator
• Content Delivery Networks. An application that overcomes the inadequacies of
and uses a radix tree structure to store entries of the routing table
• Flow Classification. An application that classifies the incoming packets into flows based on packet protocol fields
• IPSec Encryption. An application that encrypts the packet payload using the Rijndael algorithm
payload packet. Packets are the fundamental unit of information transport in all modern
each packet consists of three main parts: a header, the body (also called the payload), and a trailer. Below are some of the fields in the packet that can be inputs for monitoring network traffic.
• Version. The first header field in an IP packet is the four-bit version field. For
• IP Address. The source and destination addresses of the computers that sent and receive packet frames. (This address is a unique hexadecimal (or base-16) number
• Port Number. The channel for network communication. Port numbers allow different applications on the same computer to utilize network resources without
• Total Length. This 16-bit field defines the entire datagram size, including header
• Protocol. The standard rules for communication between two devices. This field defines the protocol used in the data portion of the IP datagram. The Internet
• Data. Data is the packet payload. This is the last field and is not part of the header and, consequently, not included in the checksum field. The contents of the data field are specified in the protocol header field and can be any one of the transport layer protocols.
The heart of almost every Intrusion Detection System (IDS) is a string matching algorithm, which is a very computationally intensive task. The basic operation of string matching is to search for predefined patterns (attack signatures) in the packet. However, this simple operation can easily be the bottleneck of IDSs. This is caused by three factors: traffic rates of tens to hundreds of Gigabits per second, hundreds to thousands of possible attack patterns, and the fact that the starting position of a predefined pattern is probabilistic, hence it is necessary to scan every byte of a packet. I utilize SNORT for the attack signature database.
Figure 1.1: Network Attack Pattern Increase from 2000 to 2008 (axes: Number of Unique Patterns, Number of Characters).
1.4 CHALLENGES
The problem with the current intrusion detection system is that it does not efficiently utilize the available signature database, and updating is still done manually by a network system administrator. For example, in a network that carries no UDP packets, we do not need to include the security rules for UDP packets in the NIDS. If at some later time the characteristics of the network change and we find UDP packets in the network, then the security rules for UDP need to be included in the NIDS. Basically, we only include a security rule in the NIDS based on the characteristics of the network traffic, and automatically add or take out security rules based on the characteristics of the network traffic. This concept will reduce workload and increase the performance of the NIDS. There are several challenges to solving this problem.
• Number of Signatures. The number of attack signatures grows very fast, and many new attack signatures frequently have to be added to the database. Figure 1.1 shows how the size of the Snort rule database [58] has grown over time. It can be seen that the number of unique patterns is increasing dramatically, and we expect this trend to continue. Therefore, the NIDS must be easy to update with new attack patterns.
• Dynamic Network Traffic. The characteristics of network traffic are not the same from one network to another. One of the key issues in network security is that the characteristics of network traffic never stay the same over time.
• Hardware Reconfigurable. Besides the many new signatures that have to be added, also
technologies.
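The rule-selection concept of this section (adding and removing rules as the observed traffic characteristics change, e.g. UDP rules only while UDP traffic is present), as an added Python illustration that is not code from the dissertation; the rules, packet records and traffic windows are constructed placeholders.

```python
from collections import Counter

# Constructed Snort-style rules: (sid, protocol, content). Placeholder content only.
RULES = [
    (1001, "tcp",  b"SIG-TCP-A"),
    (1002, "tcp",  b"SIG-TCP-B"),
    (2001, "udp",  b"SIG-UDP-A"),
    (3001, "icmp", b"SIG-ICMP-A"),
]

def traffic_profile(packets):
    """Characterise one traffic window by the protocols seen in packet headers."""
    return Counter(pkt["proto"] for pkt in packets)

def select_rules(rules, profile):
    """Keep only rules whose protocol actually occurs in this window."""
    return [r for r in rules if profile[r[1]] > 0]

def scan(packets, active_rules):
    """Match active rule content against payloads of same-protocol packets."""
    return sorted((sid, pkt["id"])
                  for pkt in packets
                  for sid, proto, content in active_rules
                  if pkt["proto"] == proto and content in pkt["payload"])

def reconfigure_over_windows(windows, rules=RULES):
    """Re-select the rule set per window; return [(active sids, alerts), ...]."""
    history = []
    for packets in windows:
        active = select_rules(rules, traffic_profile(packets))
        history.append((sorted(sid for sid, _, _ in active), scan(packets, active)))
    return history

# Constructed sample traffic: window 1 is TCP only, window 2 adds UDP.
WINDOW_1 = [
    {"id": 1, "proto": "tcp", "payload": b"GET / HTTP/1.1"},
    {"id": 2, "proto": "tcp", "payload": b"xxSIG-TCP-Bxx"},
]
WINDOW_2 = [
    {"id": 3, "proto": "tcp", "payload": b"hello"},
    {"id": 4, "proto": "udp", "payload": b"...SIG-UDP-A..."},
]

if __name__ == "__main__":
    # Third window repeats WINDOW_1, so the UDP rule is taken out again.
    for n, (active, alerts) in enumerate(reconfigure_over_windows([WINDOW_1, WINDOW_2, WINDOW_1]), 1):
        print(f"window {n}: active rules {active}, alerts {alerts}")
```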
1.5 OBSERVATIONS
analyzer and integrate several security techniques as shown in Figure 1.2. This can be obtained from the following observations:
network normally has only small variation. This makes it a shorter time to
• Available Reconfigurable Hardware. There are several promising reconfigurable
• The methodology to evaluate string matching algorithms on multi-core.
• The hardware accelerator for string matching.
1.7 CONTRIBUTION
• Run-time Workload Adaptation. The system is able to adapt to network traffic variation by re-mapping the workload. Also, the system can easily update new
Figure 1.2: Analyzer block diagram (inputs: security technologies, attacks, packets; mapping stage; performance metrics: throughput, memory size, delay).
1.8 ORGANIZATION
related work on signature-based IDS, IDS optimization, memory-efficient pattern
methodology in this dissertation. Chapter 4 shows the results and a few observations made in this work, and finally Chapter 5 presents the conclusion.
CHAPTER 2
RELATED WORK
NIDS have been studied in different forms since Denning's classic statistical analysis of host intrusions [38]. The main task of an NIDS is to detect and thwart attacks in computer systems and networks. Traditional NIDS rely on signature detection to find attack patterns in incoming packets. String matching is one technique to detect signatures in the packet. Traditional NIDS cannot detect new or unknown attack patterns. In order to prevent attacks with unknown patterns, modern NIDS include anomaly detection to detect unknown signatures.
String matching has been one of the major operations in network processing
etc. Intrusion detection systems (IDS) are more difficult than other applications in that they have to scan the packet payload and packet header. In IDS, the basic operation of string matching is to search for known attacks (predefined patterns) in the packet. However, this simple operation can easily be the bottleneck of IDSs. This is caused by three factors: traffic rates of tens to hundreds of Gigabits per second, hundreds to thousands of possible attack
necessary to scan every byte of a packet. Therefore it is vital to design efficient string matching based IDSs.