A Network Processor-based In-Line Mode Intrusion Detection System for High-Speed Networks

A Network Processor-based In-line Mode Intrusion Detection System Suited to High-Speed Networks

  • 강구홍 (Seowon University, School of Computer, Information and Communication Engineering) ;
  • 김익균 (Electronics and Telecommunications Research Institute, Security Gateway Research Team) ;
  • 장종수 (Electronics and Telecommunications Research Institute, Security Gateway Research Team)
  • Published: 2004.08.01

Abstract

In this paper, we propose an in-line mode NIDS using network processors (NPs), which achieve performance comparable to ASICs and flexibility comparable to general-purpose processors. Although many networking applications using NPs have been proposed, we could not find any application of NPs to NIDS in the literature. The proposed NIDS supports packet payload inspection to detect attacks, as well as packet filtering and traffic metering. In particular, we separate the filtering and metering functions from the complicated and time-consuming operations of the deep packet inspection function using a two-level search scheme, which improves the performance, stability, and scalability of the in-line mode system. We also implement a prototype based on a PC platform and the Agere PayloadPlus (APP) 2.5G NP solution, and present a payload inspection algorithm suited to the APP NP.

This paper proposes an in-line mode network-based intrusion detection system (NIDS) using a network processor (NP), which offers performance comparable to an ASIC and flexibility comparable to a general-purpose processor. Although various network applications using NPs have been proposed, there is as yet no example of applying them directly to NIDS. The proposed NIDS inspects packet contents to detect attacks, in addition to packet blocking and traffic metering. In particular, the two-level search scheme separates the packet blocking and traffic metering functions from the complex and time-consuming packet content inspection function, thereby improving the performance, stability, and scalability of the in-line mode system. We also implemented a prototype using a PC platform and the Agere PayloadPlus (APP) 2.5G NP, and proposed a packet content inspection algorithm to be applied to the APP NP.
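As an added illustration of the two-level scheme described above (example code written for this page, not the paper's APP implementation), the following Python model runs header-only filtering and per-flow byte metering at level 1 and hands only packets marked "inspect" to the level-2 payload search; the filter rules, signatures and packets are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data, not the paper's rule set or signatures.
# Level-1 rules key on header fields only: (proto, dst_port) -> verdict;
# "inspect" hands the packet to level 2, anything unlisted is forwarded.
FILTER_RULES = {("tcp", 80): "inspect", ("tcp", 23): "drop", ("udp", 53): "forward"}
# Level-2 payload signatures: byte pattern -> signature name.
SIGNATURES = {b"/etc/passwd": "sig-path-traversal", b"cmd.exe": "sig-cmdexe"}

class TwoLevelNIDS:
    def __init__(self, byte_limit):
        self.byte_limit = byte_limit    # per-flow metering threshold in bytes
        self.meter = defaultdict(int)   # flow key -> bytes seen so far
        self.alerts = []                # (signature name, source address)
        self.inspected = 0              # packets that reached the level-2 path

    def level1(self, pkt):
        """Filtering and metering from header fields; the payload is never scanned."""
        flow = (pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"])
        self.meter[flow] += len(pkt["payload"])
        if self.meter[flow] > self.byte_limit:
            return "drop"               # metering limit exceeded, no inspection needed
        return FILTER_RULES.get((pkt["proto"], pkt["dport"]), "forward")

    def level2(self, pkt):
        """Deep payload inspection, run only for packets level 1 marked 'inspect'."""
        self.inspected += 1
        for pattern, name in SIGNATURES.items():
            if pattern in pkt["payload"]:
                self.alerts.append((name, pkt["src"]))
                return "drop"           # in-line mode: the matching packet is blocked
        return "forward"

    def process(self, pkt):
        verdict = self.level1(pkt)
        return self.level2(pkt) if verdict == "inspect" else verdict

def run_sample():
    """Push constructed packets through the pipeline; returns (verdicts, alerts, inspected)."""
    nids = TwoLevelNIDS(byte_limit=100)
    pkts = [  # constructed packets: only the fields the two levels look at
        dict(src="10.0.0.2", dst="192.0.2.1", proto="tcp", dport=23, payload=b"login"),
        dict(src="10.0.0.3", dst="192.0.2.1", proto="udp", dport=53, payload=b"dns query"),
        dict(src="10.0.0.5", dst="192.0.2.1", proto="tcp", dport=80, payload=b"GET /index.html"),
        dict(src="10.0.0.5", dst="192.0.2.1", proto="tcp", dport=80, payload=b"GET /../../etc/passwd"),
        dict(src="10.0.0.9", dst="192.0.2.1", proto="tcp", dport=80, payload=b"A" * 120),
    ]
    return [nids.process(p) for p in pkts], nids.alerts, nids.inspected
```

Of the five packets only two reach the payload search; the telnet packet, the DNS packet and the over-limit flow are decided at level 1 from header fields alone.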
