A High-speed Packet Filtering System Architecture in Signature-based Network Intrusion Prevention

A System Architecture for High-speed Packet Filtering in Signature-based Network Intrusion Prevention

  • 김대영 (Department of Computer Engineering, Hongik University) ;
  • 김선일 (Department of Computer Engineering, Hongik University) ;
  • 이준용 (Department of Computer Engineering, Hongik University)
  • Published: 2007.02.28

Abstract

In network intrusion prevention, attack packets are detected and filtered out based on their attack signatures. Pattern matching is used extensively to find attack signatures and is the most time-consuming part of a Network Intrusion Prevention System (NIPS). Pattern matching in NIPS is usually accelerated by hardware and should be performed at wire speed. However, that alone is not good enough. First, the pattern matching hardware should be able to generate sufficient pattern match information, including the pattern index number and the location of the match, at wire speed. Second, it should support pattern grouping to reduce unnecessary pattern matches. Third, it should always have a constant worst-case performance even if the number of patterns is increased. Finally, it should be able to update patterns in a few minutes or seconds without stopping its operation. We propose a system architecture that meets the above requirements. The architecture processes multiple pattern characters in parallel and employs a pipeline to achieve high speed. Using Xilinx FPGA simulation, we show that the new system scales well, achieves a speed over 10 Gbps, and satisfies all of the above requirements.

In network intrusion prevention, attack packets are detected and removed by signature-based methods. Pattern matching is used extensively to find attack signatures and is also the most time-consuming part of a network intrusion prevention system. The pattern matching used in network intrusion prevention systems is mostly accelerated with hardware and must run at wire speed. However, this alone is not sufficient, and the following further conditions are required. First, the pattern matching hardware must provide sufficient pattern match information, including the pattern index number and the location of the match, at wire speed. Second, it must support pattern groups to reduce unnecessary pattern matching. Third, it must be able to guarantee a minimum performance even when the number of patterns increases. Finally, pattern updates must be possible within a few minutes or seconds without interrupting operation. This paper proposes a system architecture that satisfies the above requirements. The system processes several pattern characters simultaneously and uses a pipeline structure to enable high-speed processing. Through Xilinx FPGA simulation, we show that the proposed system operates at speeds above 10 Gbps and satisfies all of the above requirements.
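The abstract lists four properties the matcher must have: reporting pattern index and match location, pattern grouping, a worst-case cost that does not grow with the number of patterns, and updates without stopping. The following Python model is an added illustration of those properties, not the paper's own FPGA design: it consumes W bytes per simulated cycle, compares every pattern of the selected group at every byte offset as the hardware comparators would in parallel, and reports (pattern index, byte offset) per match. The word width W, the group names and the sample payload are constructed for the example.

```python
from collections import defaultdict

W = 4  # constructed assumption: bytes consumed per clock cycle (word width)


class GroupedMatcher:
    """Model of a multi-character-per-cycle signature matcher (illustration,
    not the paper's hardware)."""

    def __init__(self):
        # group id -> {pattern index: pattern bytes}; a group is the set of
        # signatures a packet is compared against (e.g. one per service)
        self.groups = defaultdict(dict)
        self.next_index = 0

    def add_pattern(self, group, pattern):
        """Register a pattern and return its index. Only the target group's
        table changes, so scans of other groups are not interrupted."""
        idx = self.next_index
        self.next_index += 1
        self.groups[group][idx] = bytes(pattern)
        return idx

    def scan(self, group, payload):
        """Return (matches, cycles): matches is a sorted list of
        (pattern index, offset of the first matched byte)."""
        patterns = self.groups.get(group, {})
        matches = []
        cycles = 0
        # one loop iteration = one clock cycle in which W new bytes arrive
        for start in range(0, len(payload), W):
            cycles += 1
            for pos in range(start, min(start + W, len(payload))):
                # every comparator looks at the window ending at pos; in
                # hardware these run in parallel, so the number of patterns
                # does not add cycles (constant worst-case throughput)
                for idx, pat in patterns.items():
                    first = pos - len(pat) + 1
                    if first >= 0 and payload[first:pos + 1] == pat:
                        matches.append((idx, first))
        return sorted(matches), cycles


if __name__ == "__main__":
    m = GroupedMatcher()
    m.add_pattern("http", b"attack")
    m.add_pattern("http", b"tack")
    m.add_pattern("sql", b"here")
    print(m.scan("http", b"no attack here"))  # ([(0, 3), (1, 5)], 4)
```

The cycle count returned by `scan` depends only on payload length and W, which is the constant worst-case behaviour the abstract asks for; in software the inner loop still costs time per pattern, which is exactly why the paper moves it into parallel hardware.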
