Author : Ioannis Sourdis, Vasilis Dimopoulos, Dionisios Pnevmatikatos and Stamatis Vassiliadis...
Author: Ioannis Sourdis, Vasilis Dimopoulos, Dionisios Pnevmatikatos and Stamatis Vassiliadis
Publisher: ANCS’06
Presenter: Zong-Lin Sie
Date: 2011/01/05
Observe that it is very rare for a single incoming packet to fully or partially match more than a few tens of IDS rules.
Select a small portion from each IDS rule to be matched in the pre-filtering step.
We also propose and evaluate the cost and performance of a reconfigurable architecture that uses multiple processing engines in order to exploit the benefits of pre-filtering.
In the past years, many researchers have worked on reconfigurable IDS focusing mostly on the payload scan. [3,4,7,9-11,15,16]
In this paper we introduce a packet pre-filtering approach in which header matching and a relatively low-cost pattern matching module filter out the majority of the Snort rules and point out a small subset to be fully matched.
Most hardware-based techniques suffer from the limitation that they search the payload for all patterns in the entire rule set while ignoring rule headers.
In essence, they search for thousands of patterns while the packet header might specify that we are interested in only a few tens or so patterns.
Our key observation in packet pre-filtering is that matching a small part of each rule’s payload combined with matching the header information can substantially reduce the set of the possibly matching rules compared to using only header matching as in previously proposed approaches [5].
The pre-filtering module is designed for reconfigurable hardware and therefore can update its supported IDS rule set via reconfiguration.
Figure (label fragment only): depend on rule’s definition
Header Matching (using simple comparators): performs a more fine-grained grouping than Snort. Source and destination ports are additional parameters for TCP/UDP rules, and the ICMP type for ICMP rules.
The header fields are registered and forwarded to a pipelined comparator module. This module discovers all active rule sets and can also be used to inform the software of the best applicable rule set.
Figure: pre-filtering architecture. A Field Extractor splits Incoming Packets into Header (sourceIP, destinationIP, protocol, sourcePort, destinationPort) and Payload; Header Matching and Partial Payload Matching (Rule 0, Rule 1, Rule 2 ... Rule N) set a Bitmask, and a Priority Encoder outputs the Candidate rule IDs.
Partial Pattern Matching: the packet payload is scanned using partial search patterns. We select the first pattern and match a constant number of its prefix bytes. If the pattern is shorter than the selected number of prefix bytes then the full pattern is matched.
The static pattern matching is performed utilizing DCAM, a pre-decoding technique [15].
Figure-only slides: Basic CAM; DCAM; DCAM detail; Increase performance.
Bitmask: each bit of the mask corresponds to a single rule.
When the header and pattern matching performed in the pre-filtering module is equivalent to a complete IDS rule, this rule should be directly reported and no further matching is required.
Priority Encoder: outputs sequentially all the positions of the active bits in the bitmask (possibly matching rule IDs).
Priority Encoder (figure): a binary-tree-like structure of pipelined BASIC BLOCKs (Stage N, Stage N+1, fixed priority, Load_En, Valid/Encd inputs and Valid_out/Encd_out of N+1 bits) whose leaves are the bits of the bitmask; the worked example in the figure walks the set bits out of the tree one per cycle.
Pipelined, so it scales well as the number of inputs increases; encodes/outputs every SET bit of the bitmask.
Pre-filtering points out the rules to be fully matched. Specialized Engines: for each candidate rule, a PE is reserved and a firmware is transferred to it; the PE is released on rule match, rule mismatch or end of packet.
Coprocessors (static pattern and regular expression matching) perform the payload scan.
PEs select the coprocessor information and decide whether a rule matches or not.
Figure: overall architecture. Pre-Filtering (Header Matching, Partial Payload Match, Priority Encoder) passes the possibly matching rules to the Specialized Engines (a grid of PEs with a Firmware Memory); Coprocessors for Static Patterns and Regular Expressions scan the INCOMING Packets; the Output I/F reports the MATCHING rule ID.
If (candidate rules > PEs)?
The number of PEs is the threshold defined by the system designer (i.e. 32 PEs in this design).
In order to guarantee performance, the packet is reported, and admin policies determine the next step (i.e. drop).
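A software model of the pre-filter described on the previous slides (header match, prefix match of the first pattern with the full pattern used when it is shorter, bitmask, priority encoder, direct report of fully covered rules, and the PE threshold). This is an added example, not the paper's hardware; the rule set, the 4-byte prefix and the packets are constructed.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional

PREFIX_BYTES = 4  # prefix length matched in pre-filtering (assumed; slides use 2-10)
NUM_PES = 32      # processing-engine threshold from the slides

@dataclass
class Rule:
    rid: int                  # bit position in the bitmask
    proto: str
    dport: Optional[int]      # None = any destination port
    pattern: Optional[bytes]  # first content pattern; None = header-only rule

# Constructed rule set, not taken from Snort.
RULES = [
    Rule(0, "tcp", 80, b"GET /cgi-bin/"),  # longer than the prefix: needs full match
    Rule(1, "tcp", 80, b"GET "),           # fits in the prefix: pre-filter is complete
    Rule(2, "tcp", 21, b"USER"),           # filtered out by port
    Rule(3, "udp", None, b"\x00\x01"),     # filtered out by protocol
    Rule(4, "tcp", None, None),            # header-only rule
]

def fully_covered(r: Rule) -> bool:
    """True when header + prefix matching already equals the complete rule."""
    return r.pattern is None or len(r.pattern) <= PREFIX_BYTES

def bitmask(rules: List[Rule], proto: str, dport: int, payload: bytes) -> int:
    """Set bit r.rid when rule r passes both header and partial payload matching."""
    mask = 0
    for r in rules:
        if r.proto != proto or (r.dport is not None and r.dport != dport):
            continue
        if r.pattern is None or r.pattern[:PREFIX_BYTES] in payload:
            mask |= 1 << r.rid
    return mask

def priority_encode(mask: int) -> Iterator[int]:
    """Output the positions of all set bits in ascending order."""
    while mask:
        low = mask & -mask           # isolate the lowest set bit
        yield low.bit_length() - 1
        mask ^= low

def prefilter(rules, proto, dport, payload, num_pes=NUM_PES):
    """Return (candidate IDs for full matching, directly reported IDs, overflow)."""
    by_id = {r.rid: r for r in rules}
    ids = list(priority_encode(bitmask(rules, proto, dport, payload)))
    direct = [i for i in ids if fully_covered(by_id[i])]
    cands = [i for i in ids if i not in direct]
    return cands, direct, len(cands) > num_pes   # overflow: report the packet
```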
Defcon11 traces: 9 trace files, ~10 million packets; 4.6 million packets have payload; payload length: mean 698 bytes, max 1460 bytes.
SNORT v2.4: 3,191 rules; 2,271 rules with payload description (71.2%), 920 only header (28.8%); rules grouped into 381 rule sets.
Pre-Filtering setup: header matching on src/dest IP + port and protocol; payload pattern match on a 2-10 character prefix.
For prefix > 2 chars: average candidate rules per packet = 1~3 (per trace).
Overall average: 1.8 rules per packet. Only header match: ~45 rules per packet.
Payload prefix match = 2 chars: max 63 candidate rules per packet. Payload prefix match >= 4 chars: max 32 candidate rules per packet.
What does this mean: the max number of rules for further processing is 1%, or 32 out of 3,200 rules; this is the max degree of parallelism needed (processing engines, threads etc.).
Present the implementation results of two packet pre-filtering designs.
Xilinx Virtex4 FPGA devices contain up to 90,000 slices.
All the packet pre-filtering sub-modules are fine-grain pipelined and therefore the operating frequency of the designs is relatively high:
Datapath 8 bits/cycle: Virtex2: 2.7 Gbps, Virtex4: 4 Gbps; area 11K slices (medium-small FPGA).
Datapath 32 bits/cycle: Virtex2: 9.7 Gbps, Virtex4: 14 Gbps; area 15K slices (medium-small FPGA).
The priority encoder takes most of the area.
Figure: Packet Prefiltering Area Cost. Slices (0 to 16K) per datapath width (8-bit, 32-bit), broken down into field extractor, pattern matching, header matching, priority encoder and control.
Performance: 99% of the IDS rules per incoming packet do not need further processing (in Defcon11 traces), without losing detection precision.
Requirements: (1) lightweight system, requires 10-15K slices, can fit in a medium-sized FPGA; (2) can be integrated in both HW- and SW-based systems.