An Implementation of Network Intrusion Detection Engines on Network Processors

A Study on High-Performance Network Intrusion Detection Engines Based on Network Processors

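  • 조혜영 (Supercomputing Center, Korea Institute of Science and Technology Information)
  • 김대영 (School of Engineering, Information and Communications University)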
  • Published : 2006.04.01

Abstract

With the recent explosive growth of Internet applications, attacks by hackers on networks are increasing rapidly and becoming more serious. Information security is therefore emerging as a critical factor in network system design, and much attention is being paid to the Network Intrusion Detection System (NIDS), which detects hackers' attacks on a network and handles them properly. However, the performance of current intrusion detection systems cannot keep up with the increasing speed of the Internet, because most NIDSs are implemented in software. In this paper, we propose a new high-performance network intrusion detection system using a network processor. To achieve fast packet processing and dynamic adaptation to intrusion patterns that are continuously added, the proposed system is built on Intel's network processor, the IXP1200. Unlike traditional intrusion detection engines, which so far have been implemented in either software or hardware, we design an optimized architecture and algorithms that exploit the features of the network processor. In addition, for more efficient scheduling of the detection engines, we propose task allocation methods for multi-processing processors. Through implementation and performance evaluation, we show the appropriateness of the proposed approach.

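As high-speed Internet networks are being built out rapidly and the number of hackers and intruders on networks is surging, network intrusion detection systems capable of real-time, high-speed packet processing are required. In this paper, we redesigned and implemented an intrusion detection system, which is generally implemented in software, using a network processor that offers outstanding performance for high-speed packet processing. To realize a high-performance intrusion detection system on a network processor composed of multi-processing processors with limited resources and functionality, we designed optimized data structures and algorithms. We also proposed an intrusion detection engine allocation technique for scheduling the intrusion detection engines more efficiently, and verified the appropriateness of the proposed technique through implementation and performance analysis.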
