Click here to load reader

Assisting Network Intrusion Detection with rexlei86/hardwareSecurity/intrusion_detection... · PDF file.Snort[ 10] , an open-source NIDS that provided the test data for performance

  • View

  • Download

Embed Size (px)

Text of Assisting Network Intrusion Detection with...

  • Assisting Network Intrusion Detection with Reconfigurable Hardware

    B. L. Hutchings and R. Franklin and D. Carverpepartment of Electrical and Computer Engineering

    Brigham Young University, Provo, UT 84602hutch

    1 Abstract

    String matching is used by Network Intrusion Detec-tion Systems (Nms) to inspect incoming packet pay-loads for hostile data. String-matching speed is oftenthe main factor limiting NIDS performance. String-matching performance can be dramatically improved byusing Field-Programmable Gate Arrays (FPGAs); accord-ingly, a "regular-expression to FPGA circuit" module gen-erator has been developed. The module generator extractsstrings from the Snort Nms rule-set, generates a regu-lar expression that matches all extracted strings, synthe-sizes a FPGA-based string matching circuit, and generatesan EDIF netlist that can be processed by Xilinx softwareto create an FPGA bitstream. The feasibility of this ap-proach is demonstrated by comparing the performance ofthe FPGA-based string matcher against the software-basedGNU reg ex program. The FPGA-based string matcher ex-ceeds the performance of the software-based system by600x for large patterns.

    malicious packet may be overlooked. This paper exploresthe feasibility of using reconfigurable FPGAs to performstring matching for NIDS with the end goal of performingstring matching on all packets at network rates.

    This paper discusses the design and performance of anFPGA-based regular-expression module generator that wasdeveloped entirely in Java using JHDL [1, 7]. The mod-ule generator automatically: (1) extracts strings from theSnort rule database[10], (2) generates a regular expressionthat matches all extracted strings, (3) synthesizes a circuitthat will match the generated regular expression, and (4),generates an Emf netlist that can be processed by Xilinxplace and route software to create an FPGA bitstrearn.

    3 Background

    2 Introduction

    Three topic areas are relevant to this project:

    .past work in FPGA-based string matching,

    .Snort[ 10] , an open-source NIDS that provided the testdata for performance comparisons, and

    .JHDL, the Java-based hardware design tool kit thatwas used to implement the module generator.Network intrusion detection systems (NIDS) monitor

    network traffic for predefined suspicious activity or datapatterns and notify system administrators when malicioustraffic is detected so that appropriate action may be taken.NIDSs often rely on exact string matching of packet pay-loads to detect hostile packets and string matching is themost computationally expensive step of the detection pro-cess [2]. Accordingly, NIDS typically apply string match-ing only to those packets that are most suspect, and only tothose sections of the packet most likely to contain the of-fending data. For example, Snort (a popular NIDS found [10] checks port numbers, packet headersand flags, etc., to ensure a given packet has a high likeli-hood of containing hostile data before performing stringmatching on the packet data. Unfortunately, while thisstrategy of data reduction makes the problem of detectinghostile packets tractable, it also means that it is likely that a

    String matching with FPGAs String matching is not anew application area for FPGA-based systems. Indeed,some of the earliest papers in FPGA-related research areasreport efforts to accelerate string matching in a variety ofareas. Several references [8,9,4,5,3] describe a few of themany string-matching efforts that have been reported overthe last ten years. These efforts cover the broad range oftext searching, from searching general text-based databasesto similarity matching of DNA databases.

    Most relevant to this effort is recent work by Sidhuand Prasanna [ II] to accelerate grep regular expressionsearches with FPGAs. Because of the need for a rapid in-teractive response, their approach focused on compilationstrategies that could quickly convert a regular expressioninto an FPGA circuit. As is commonly done in software,

    Proceedings of the 10 th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM02) 1082-3409/02 $17.00 2002 IEEE

  • programmatic structural design [7]. In its current state,JHDL is a complete structural design environment thatin-cludes debugging, netlisting and other design aids. Cir-cuits are described by writing Java code that programmat-ically builds the circuit via JHDL libraries. Each circuitelement in JHDL is represented as an object; these objectsinherit from core classes that setup the net-Iist and simula-tion models. Circuits are created by calling the construc-tor for the corresponding JHDL object and passing Wireobjects as constructor arguments that are connected to theports of the circuit. Once constructed, these circuits can bedebugged and verified with the JHDL simulator and designbrowser. JHDL emits EDIF net-Iists that can be passedto Xilinx place and route software for bit-stream genera-tion. Finally, JHDL provides run-time support for debug-ging the running hardware in the context of the originaldesign using the same GUI as the JHDL simulator. JHDLis suitable for this project because it can be used to writemodule generators [6] that are much more complex thancan be accomplished with VHDL. For example, complexcircuit-generation algorithms and data structures that aremuch more amenable to general-purpose languages can bewritten in Java and combined with JHDL circuit librariesto create sophisticated module generators.

    Sidhu and Prasanna compile the regular expression into aNondeterministic Finite Automata (NFA); however, unlikesoftware approaches, they skip the usual step of deriving aDeterministic Finite Automata (DFA) from the NFA, anddirectly implement the NFA with FPGA hardware. Thissimplifies and speeds up the compilation process ofcreat-ing regular-expression matching hardware. Each NFA usesa single FF to implement the accepting state of the preced-ing stage. Flip-flop-rich FPGAs provide logic and flip-flopresources well suited for this arrangement.

    The module generator discussed In this paper uses theNFA-based hardware implementation strategy of Sidhuand Prasanna because of its inherent modularity. With theNFA approach, each character and metacharacter of thesupported reg-ex syntax can have a corresponding, pre-compiled circuit element in a related circuit library. Us-ing a syntax-directed approach, the module generator in-stances a circuit element that corresponds to each charac-ter/metacharacter it finds in the regular expression and theninterconnects these elements according to the structure ofthe expression. The module generator also extends the pre-vious work by automating it and augmenting it with addi-tional metacharacters, including: "?", ".", and "0". Over-all contributions of this work include: (I) development ofa fully automated module generator that can generate cir-cuits that match arbitrarily large regular expressions, (2)exploration of various circuit optimizations that improvespeed and area utilization, and finally, (3) application ofthis module generator to prove feasibility of using FPGAsto accelerate string matching in network security applica-tions.

    4 Technical Approach

    The technical approach was to create a JHDL-basedmodule generator capable of handling a wide range of reg-ular expression operators, based on standard reg-ex syn-taX. Supporting several reg-ex operators makes the modulegenerator easier to adapt to future research and also makesit usable for other string-matching tasks apart from net-work intrusion detection. However, for this project, onlytwo regular expression operators were absolutely neces-sary: concatenation (implicit) and alternation ( I ). Themodule generator uses concatenation to create strings fromsingle characters and alternation to create one large regu-lar expression from all of the individual strings extractedfrom the Snort rule-set. This section will provide a briefoverview of regular expression syntax and the general formof the strings that were used to test the system, will dis-cuss how the module generator was developed in JHDLand will discuss some of the circuit optimizations that were


    Snort, An Open Source Nms Snort[10] is a popularNIDS that runs under most versions of Linux and Win-dows. Snort's basic operation is to examine all networktraffic, and log intrusion events. Pattern-matching tech-niques are used to compare network traffic to known at-tacks that are specified in a rule-set. Snort is very popularbecause it is open-source and because of the control it af-fords the user over rule-set configuration. A user can easilymodify the rule-set, for example, to reduce the number ofpatterns to improve performance or to add patterns to de-tect new attacks. For this project, Snort provided a modelof NIDS function and, more importantly, a default rule-set that contained the test data that were used to test theautomatic module generator and the ci~cuits that it gener-ates. The default rule-set contains patterns for detectingvarious attacks as well as viral exploits such as Code Redand NIMDA.

    4. Regular Expression Syntax

    Regular expressions are a common way to express

    string matching patterns. The atomic elements of a reg-

    ular expression are the single characters to be matched.

    JHDL, a Java-based Design Tool JHDL [ 1, 7] con-

    sists of a set of Java libraries that can be used to perfoIlD

    Proceedings of the 10 th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM02) 1082-3409/02 $17.00 2002 IEEE

  • Figure I: A Matching Circuit for a(blc)?

    ed together with the output from the 'a' character matcheroutput and generates a true value on the Match output (theregular expression matches "ab"). For additional exam-ples, please see the paper by Sid