A Framework for Rule Processing in Reconfigurable Network ... · – 233 Regular Expressions Rule...
Transcript of A Framework for Rule Processing in Reconfigurable Network ... · – 233 Regular Expressions Rule...
Rule Processing Framework – FCCM 2005 1
A Framework for Rule Processing in Reconfigurable Network Systems
Michael Attig and John Lockwood
Washington University in Saint LouisApplied Research Laboratory
Department of Computer Science and EngineeringMay 1, 2005
Rule Processing Framework – FCCM 2005 2
Outline
• Overview• Background• Architecture• Results• Summary
Rule Processing Framework – FCCM 2005 3
Rule Processing Overview
• Rule processing & intrusion detection
• TCP Flow Processing• Header Processing• Payload Scanning
alert tcp any 110 any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:misc-activity; sid:723; rev:6;)
• Snort Rules (version 2.2 Sept 2004)– 2464 Rules– 292 Headers– 2107 Signatures– 233 Regular Expressions
Rule Processing Framework – FCCM 2005 4
Rule Characteristics
• 2464 unique rules• 292 unique header rules
– 168 are “header-only”• 2107 unique signatures
– 97% less than 32 bytes– Spread across 2296 of rules
• 233 regular expressions– Snort rules always contain
static signature also
• Few signatures associated with many rules– 83% found in single rule– Only 18 associated with
more than 10 rules• 10 header rules can match at
once (pessimistic)
Unique Signature Distribution
0
20
40
60
80
100
120
140
160
180
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41
Signature Length (bytes)
Num
ber o
f Occ
urre
nces
Unique Signature Occurences
0
20
40
60
80
100
120
140
160
1 151 301 451 601 751 901 1051 1201 1351 1501 1651 1801 1951 2101
signature number
Num
ber o
f occ
urre
nces
Snort version 2.2 (Sept 2004)
Rule Processing Framework – FCCM 2005 5
Fully Functional Rule Processing
Rule Processor
Complete Rule Processing
String Matching
Bloom Filters [Attig fccm’04]
TCAMs [Yu hoti’04]
BV-TCAM [Song fpga’05]
Comparators [Sourdis fccm’04]
NFAs [Clark fccm’04]
DFAs [Moscola fccm’03]
?
?
? ?
?
Partitioning [Baker fccm’04]
TCP Flow Reconstruction [Schuehler fpl’04]
Header Classification
?
Pipelining [Cho fccm’04]
Rule Processing Framework – FCCM 2005 6
Rule Processing Framework Overview
TCP/
IP D
ata
h header modules determine matching
header rules
Order TCP flows for inspection by
payload scanner(s)
p payload modules search for static signatures and
regular expressions
Matching header and string IDs
sent to rule processor using
standard interface
Rule processor uses header and payload
match criteria to determine rule matches
Focus of this Talk
Local Area Network
Local Area Network
InternetInternet
Intrusion Detection System
Local Area
Network
Local Area
NetworkInternetInternet
Intrusion Detection System
Rule Processing Framework – FCCM 2005 7
Software Communication Wrapper
Matching Criteria Communication Wrapper
Rule Processor
FPGA (1) (2) (3) (5) (6) (7)
Rule Processing Framework – FCCM 2005 8
Example
R1: Alert tcp any 80 any 125(content:“string1”; content:“string2”;)
Algorithmically:R1: H1 Λ C1 Λ C2
Rule Processing Framework – FCCM 2005 9
Rule Processing Example
TCP/
IP D
ata
H1
C1C2C1
flow
Rule Processing Framework – FCCM 2005 10
Software Communication Wrapper
Matching Criteria Communication Wrapper
Headers
Header
Rule
FPGA
Rule Processor
H1C1C2C1
R1X R1 H1H1
+1Reset
(1) (2) (3) (5) (6) (7)
flow
Rule Processing Framework – FCCM 2005 11
Implementation Environment
• Xilinx Virtex 2000E FPGA– 12% LUTs– 25% Slices– 93% of Block RAMs– 80.6 MHz
• Stacked configuration allows chaining processing
Rule Processing Framework – FCCM 2005 12
Worst Case Throughput
• Worst case when signature associated with many rules detected
• Only 18 signatures in more than 10 rules• Worst case signature
– |00 00 00 00| in135 rules
• Scenario:– Back-to-back 44
byte TCP packets from different flows and|00 00 00 00| as payload
– Worst case assumes7 million attack packets per second
Framework Throughput
0
500
1000
1500
2000
2500
3000
0 250 500 750 1000 1250 1500
Packet Size (Bytes)
Thro
ughp
ut (M
bps)
Worst-caseAverage Case
Rule Processing Framework – FCCM 2005 13
Intrusion Detection of WashU’s Backbone Network
Matching 4 Byte Signatures Matching 12+ Byte Signatures
• Observe ~10,000 total string matches per second on WashU’s backbone network (~250-300 Mbps)
• Scaling to 2.5 Gbps, only ~100,000 string matches per second
Rule Processing Framework – FCCM 2005 14
Next Generation FPGA Projections
• More block RAM• Faster place & route• Parallel copies of pipeline
– Multiple IDs per clock cycle• QDR SRAMs
• 6x improvementto throughput
Rule Processor Relative Improvement
0
1
2
3
4
5
6
7
Rule Frequency Throughput
VirtexEVirtex2Virtex4
Rule Processing Framework – FCCM 2005 15
Related Work
15.940,200 (95%)Virtex4 100WashU Rule ProcessorCorrelation
20.435,850 (85%)Virtex4 100WashU Bloom Filters
4.515,010 (15%)Virtex2 ProUSC Partitioning
3.215,202 (37%)Spartan 3 2000UCLA Packet Filters
102,365 (7%)Virtex2-6000Tokyo Trie-based Hash
754,890 (81%)Virtex2-8000GaTech Decoder TreesScanning
9.764,268 (95%)Virtex2-6000Crete Pre-decoded CAMsPayload
104,200 (10%)Virtex4 100WashU BV-TCAMHeader
Processing
10.322,100 (35%)Virtex4 140WashU TCP Processor
48.3-Virtex2-8000Northwestern U. Flow MonitorMonitoring
3.2876 (10%)Virtex 1000GaTech Stream AssemblerFlow
Throughput (Gbps)Logic CellsDeviceGroup and ComponentFunction
Rule Processing Framework – FCCM 2005 16
Contributions
• Development of large-scale Rule Processing Framework– Bridge between component processing and
rule processing– Supports up to 32,768 rules
• Rule processing framework capable of 2.5 Gbps throughput on FPX– Projected to 15.9 on latest Virtex 4
• Rule processor operated on TCP flows– Context information stored for over 2 million
simultaneous flows
Rule Processing Framework – FCCM 2005 17
Acknowledgments
• Research Sponsors– Global Velocity– Boeing
• ARL Faculty & Studentshttp://arl.wustl.edu/projects/fpx/reconfig.htm
Rule Processing Framework – FCCM 2005 18
Questions?
Rule Processing Framework – FCCM 2005 19
Communication Wrapper Interface
Between Devices
Between Software/Hardware
Rule Processing Framework – FCCM 2005 20
Example
R1: Alert tcp any 80 any 125(content:“string1”; content:“string2”;)
R2: Alert tcp any 8080 any 1024(content:“string1”;)
R1: H1 Λ C1 Λ C2R2: H2 Λ C1
Rule Processing Framework – FCCM 2005 21
FPGA
Communication Wrapper
Communication Wrapper
BRA
M
Rule Processor
CIDs CIDs RIDs
H1 C1C2 C1
R1R2X R1 H1H2 X
+1
H1
Reset
Rule Processing Framework – FCCM 2005 22
Adding Modules
• Accept and act upon IP packets• Communicate match criteria using communication
wrapper interface– Provide deterministic interfaces– Abstract transport protocol
• Software Configuration using communication wrapper• Represent matching criteria as ID numbers
• Allows combination of techniques – Take advantage of best characteristics
• General classifiers vs. field-specific headers• Static strings vs. regular expressions
Rule Processing Framework – FCCM 2005 23
Throughput versus Rule Look-ups per Second
0
500
1000
1500
2000
2500
3000
1.E+00 1.E+02 1.E+04 1.E+06 1.E+08
Rule Look-ups per Second
Thro
ughp
ut (M
bps)
Evaluation
• Recall Rule IDs are inserted into pipeline based on matching signatures
80 Million rule IDs per
second
Rule Processing Framework – FCCM 2005 24
Additional Rules Supported
• Virtex 2– 120 of 144 Block RAMs (18 Kbits each)– 2 copies of pipeline
• 10 BRAM in stage 2• 10 BRAM in stage 5• 40 BRAM in stage 6
– 184,320 rules supported• Virtex 4
– 216 of 240 Block RAMs (18 Kbits each)– 4 copies of pipeline
• 9 BRAM in stage 2• 9 BRAM in stage 5• 36 BRAM in stage 6
– 165,888 rules supported