Improved TCAM-based Pre-Filtering forNetwork Intrusion Detection Systems

Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C.

Authors: Yeim-Kuan Chang, Ming-Li Tsai and Cheng-Chien Su

Publisher: 22nd International Conference on Advanced Information Networking and Applications

Present: Chia-Ming ,Chuang Date: 1, 7, 2008

1

Outline

1. INTRODUCTION 2. RELATED WORKS 3. PROPOSED ALGORITHMS 4. EXPERIMENTS 5. CONCLUSION

2

Introduction (1/2)

Networks have been protected using firewalls that monitor and filter network traffic. Firewalls usually examine the packet headers to determine whether the packets are allowed to go through or dropped.

Network intrusion detection systems (NIDS) are utilized to detect malicious attacks and protect Internet

A NIDS differs from a firewall in that it needs to scan both the headers and the payloads of each incoming packet for thousands of suspicious patterns. By inspecting both packet headers and payloads to identify attack signatures,

3

Introduction (2/2)

Current NIDS pattern databases contain thousands of patterns, resulting in a difficult computational task. Traditionally, software-based NIDS may be overloaded when the packet arrival rate becomes high.

To keep up with the high-speed networks, hardware-based NIDS implementation is needed.

4

Outline

1. INTRODUCTION 2. RELATED WORKS 3. PROPOSED ALGORITHMS 4. EXPERIMENTS 5. CONCLUSION

5

RELATED WORKS (1/3)

A. Software-based solutions

(一 )single-pattern matching

Boyer-Moore

(二 )multiple-pattern matching

Aho-Corasick(AC)

6

RELATED WORKS (2/3)

The first comparison d-c at position 4 produces a mismatch. The text symbol d does not occur in the pattern. Therefore, the pattern cannot match at any of the positions 0, ..., 4, since all corresponding windows contain a d. The pattern can be shifted to position 5.

Comparison b-c causes a mismatch. Text symbol b occurs in the pattern at positions 0 and 2. The pattern can be shifted so that the rightmost b in the pattern is aligned to text symbol b.

7

RELATED WORKS (3/3)

B. FPGA-based solutions• Many hardware-based algorithms have been proposed,

where many solutions are based on Field Programmable Gate Arrays (FPGAs).

C. Parallel Bloom filters• Bloom filter is a space-efficient probabilistic data structu

re that is used to test whether an element or string is a member of a set. False positives are possible, but false negatives are not.

D. TCAM solutions• Ternary Content Addressable Memory (TCAM) is a type

of memory that consists of a set of entries. A TCAM allows fully parallel search of entries per TCAM lookup.

8

Outline

1. INTRODUCTION 2. RELATED WORKS 3. PROPOSED ALGORITHMS 4. EXPERIMENTS 5. CONCLUSION

9

PROPOSED ALGORITHMS(1/6)

introduction to FTSEThe basic concept of FTSE is described as follows:

10

w bytes of the data stream as the input called the sliding window.

If any I byte suffix of sliding window does not match the i-byte prefix of pattern P for all i = 1 to w, we can advance the sliding window by skipping the current w bytes of the data stream and continue the search with the next w bytes.

if the i-byte suffix of the sliding window does match the i-byte prefix of pattern P for all i = 1 to w – 1, then we only skip w – i bytes to get the sliding window for the next cycle and repeat the search process

PROPOSED ALGORITHMS(2/6)

11

PROPOSED ALGORITHMS(3/6)

Suppose we have a total of N patternsand the number of prefix-patterns in group Gi is Ni. Thetotal number of TCAM entries is ΣNi. So the total TCAMmemory requirement is w×ΣNi bytes.

the don’t-care bytes in TCAM entriesincrease the probability of finding a match in TCAM. Forexample, the probability of matching an entry '***A' inone TCAM lookup is ½^8 which is large. 12

PROPOSED ALGORITHMS(4/6)

13

PROPOSED ALGORITHMS(5/6)

14

PROPOSED ALGORITHMS (6/6)

The controller determines the shift value of sliding window according to lookup results in TCAM.

which consists of two parts: TCAM pre-filter module and exact matching module.

The incoming data stream is first filtered through TCAM pre-filter module, which matches w-byte prefixes of patterns. If a match occurs in group G0, the corresponding ID of the partial matching pattern is sent to the exact matching module for performing the exact matching between the potential pattern and input data stream.

15

Outline

1. INTRODUCTION 2. RELATED WORKS 3. PROPOSED ALGORITHMS 4. EXPERIMENTS 5. CONCLUSION

16

EXPERIMENTS (1/3)

17

EXPERIMENTS (2/3)

18

EXPERIMENTS (3/3)

19

Outline

1. INTRODUCTION 2. RELATED WORKS 3. PROPOSED ALGORITHMS 4. EXPERIMENTS 5. CONCLUSION

20

Conclusion (1/1) Our TCAM-based approach provides two techniques to

improve the performance of FTSE. The first technique matches the w-byte suffixes of patterns

instead of w-byte prefixes. The second technique finds the final partial matching results

from all the groups instead of only G0. The second proposed scheme can process multi characters per TCAM lookup.

The results showed that our two techniques can are better than the original FTSE

21