Rule Processing Framework – FCCM 2005 1

A Framework for Rule Processing in Reconfigurable Network Systems

Michael Attig and John Lockwood

Washington University in Saint LouisApplied Research Laboratory

Department of Computer Science and EngineeringMay 1, 2005

Rule Processing Framework – FCCM 2005 2

Outline

• Overview• Background• Architecture• Results• Summary

Rule Processing Framework – FCCM 2005 3

Rule Processing Overview

• Rule processing & intrusion detection

• TCP Flow Processing• Header Processing• Payload Scanning

alert tcp any 110 any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:misc-activity; sid:723; rev:6;)

• Snort Rules (version 2.2 Sept 2004)– 2464 Rules– 292 Headers– 2107 Signatures– 233 Regular Expressions

Rule Processing Framework – FCCM 2005 4

Rule Characteristics

• 2464 unique rules• 292 unique header rules

– 168 are “header-only”• 2107 unique signatures

– 97% less than 32 bytes– Spread across 2296 of rules

• 233 regular expressions– Snort rules always contain

static signature also

• Few signatures associated with many rules– 83% found in single rule– Only 18 associated with

more than 10 rules• 10 header rules can match at

once (pessimistic)

Unique Signature Distribution

0

20

40

60

80

100

120

140

160

180

1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41

Signature Length (bytes)

Num

ber o

f Occ

urre

nces

Unique Signature Occurences

0

20

40

60

80

100

120

140

160

1 151 301 451 601 751 901 1051 1201 1351 1501 1651 1801 1951 2101

signature number

Num

ber o

f occ

urre

nces

Snort version 2.2 (Sept 2004)

Rule Processing Framework – FCCM 2005 5

Fully Functional Rule Processing

Rule Processor

Complete Rule Processing

String Matching

Bloom Filters [Attig fccm’04]

TCAMs [Yu hoti’04]

BV-TCAM [Song fpga’05]

Comparators [Sourdis fccm’04]

NFAs [Clark fccm’04]

DFAs [Moscola fccm’03]

?

?

? ?

?

Partitioning [Baker fccm’04]

TCP Flow Reconstruction [Schuehler fpl’04]

Header Classification

?

Pipelining [Cho fccm’04]

Rule Processing Framework – FCCM 2005 6

Rule Processing Framework Overview

TCP/

IP D

ata

h header modules determine matching

header rules

Order TCP flows for inspection by

payload scanner(s)

p payload modules search for static signatures and

regular expressions

Matching header and string IDs

sent to rule processor using

standard interface

Rule processor uses header and payload

match criteria to determine rule matches

Focus of this Talk

Local Area Network

Local Area Network

InternetInternet

Intrusion Detection System

Local Area

Network

Local Area

NetworkInternetInternet

Intrusion Detection System

Rule Processing Framework – FCCM 2005 7

Software Communication Wrapper

Matching Criteria Communication Wrapper

Rule Processor

FPGA (1) (2) (3) (5) (6) (7)

Rule Processing Framework – FCCM 2005 8

Example

R1: Alert tcp any 80 any 125(content:“string1”; content:“string2”;)

Algorithmically:R1: H1 Λ C1 Λ C2

Rule Processing Framework – FCCM 2005 9

Rule Processing Example

TCP/

IP D

ata

H1

C1C2C1

flow

Rule Processing Framework – FCCM 2005 10

Software Communication Wrapper

Matching Criteria Communication Wrapper

Headers

Header

Rule

FPGA

Rule Processor

H1C1C2C1

R1X R1 H1H1

+1Reset

(1) (2) (3) (5) (6) (7)

flow

Rule Processing Framework – FCCM 2005 11

Implementation Environment

• Xilinx Virtex 2000E FPGA– 12% LUTs– 25% Slices– 93% of Block RAMs– 80.6 MHz

• Stacked configuration allows chaining processing

Rule Processing Framework – FCCM 2005 12

Worst Case Throughput

• Worst case when signature associated with many rules detected

• Only 18 signatures in more than 10 rules• Worst case signature

– |00 00 00 00| in135 rules

• Scenario:– Back-to-back 44

byte TCP packets from different flows and|00 00 00 00| as payload

– Worst case assumes7 million attack packets per second

Framework Throughput

0

500

1000

1500

2000

2500

3000

0 250 500 750 1000 1250 1500

Packet Size (Bytes)

Thro

ughp

ut (M

bps)

Worst-caseAverage Case

Rule Processing Framework – FCCM 2005 13

Intrusion Detection of WashU’s Backbone Network

Matching 4 Byte Signatures Matching 12+ Byte Signatures

• Observe ~10,000 total string matches per second on WashU’s backbone network (~250-300 Mbps)

• Scaling to 2.5 Gbps, only ~100,000 string matches per second

Rule Processing Framework – FCCM 2005 14

Next Generation FPGA Projections

• More block RAM• Faster place & route• Parallel copies of pipeline

– Multiple IDs per clock cycle• QDR SRAMs

• 6x improvementto throughput

Rule Processor Relative Improvement

0

1

2

3

4

5

6

7

Rule Frequency Throughput

VirtexEVirtex2Virtex4

Rule Processing Framework – FCCM 2005 15

Related Work

15.940,200 (95%)Virtex4 100WashU Rule ProcessorCorrelation

20.435,850 (85%)Virtex4 100WashU Bloom Filters

4.515,010 (15%)Virtex2 ProUSC Partitioning

3.215,202 (37%)Spartan 3 2000UCLA Packet Filters

102,365 (7%)Virtex2-6000Tokyo Trie-based Hash

754,890 (81%)Virtex2-8000GaTech Decoder TreesScanning

9.764,268 (95%)Virtex2-6000Crete Pre-decoded CAMsPayload

104,200 (10%)Virtex4 100WashU BV-TCAMHeader

Processing

10.322,100 (35%)Virtex4 140WashU TCP Processor

48.3-Virtex2-8000Northwestern U. Flow MonitorMonitoring

3.2876 (10%)Virtex 1000GaTech Stream AssemblerFlow

Throughput (Gbps)Logic CellsDeviceGroup and ComponentFunction

Rule Processing Framework – FCCM 2005 16

Contributions

• Development of large-scale Rule Processing Framework– Bridge between component processing and

rule processing– Supports up to 32,768 rules

• Rule processing framework capable of 2.5 Gbps throughput on FPX– Projected to 15.9 on latest Virtex 4

• Rule processor operated on TCP flows– Context information stored for over 2 million

simultaneous flows

Rule Processing Framework – FCCM 2005 17

Acknowledgments

• Research Sponsors– Global Velocity– Boeing

• ARL Faculty & Studentshttp://arl.wustl.edu/projects/fpx/reconfig.htm

Rule Processing Framework – FCCM 2005 18

Questions?

Rule Processing Framework – FCCM 2005 19

Communication Wrapper Interface

Between Devices

Between Software/Hardware

Rule Processing Framework – FCCM 2005 20

Example

R1: Alert tcp any 80 any 125(content:“string1”; content:“string2”;)

R2: Alert tcp any 8080 any 1024(content:“string1”;)

R1: H1 Λ C1 Λ C2R2: H2 Λ C1

Rule Processing Framework – FCCM 2005 21

FPGA

Communication Wrapper

Communication Wrapper

BRA

M

Rule Processor

CIDs CIDs RIDs

H1 C1C2 C1

R1R2X R1 H1H2 X

+1

H1

Reset

Rule Processing Framework – FCCM 2005 22

Adding Modules

• Accept and act upon IP packets• Communicate match criteria using communication

wrapper interface– Provide deterministic interfaces– Abstract transport protocol

• Software Configuration using communication wrapper• Represent matching criteria as ID numbers

• Allows combination of techniques – Take advantage of best characteristics

• General classifiers vs. field-specific headers• Static strings vs. regular expressions

Rule Processing Framework – FCCM 2005 23

Throughput versus Rule Look-ups per Second

0

500

1000

1500

2000

2500

3000

1.E+00 1.E+02 1.E+04 1.E+06 1.E+08

Rule Look-ups per Second

Thro

ughp

ut (M

bps)

Evaluation

• Recall Rule IDs are inserted into pipeline based on matching signatures

80 Million rule IDs per

second

Rule Processing Framework – FCCM 2005 24

Additional Rules Supported

• Virtex 2– 120 of 144 Block RAMs (18 Kbits each)– 2 copies of pipeline

• 10 BRAM in stage 2• 10 BRAM in stage 5• 40 BRAM in stage 6

– 184,320 rules supported• Virtex 4

– 216 of 240 Block RAMs (18 Kbits each)– 4 copies of pipeline

• 9 BRAM in stage 2• 9 BRAM in stage 5• 36 BRAM in stage 6

– 165,888 rules supported