ICS-FORTH WISDOM Workpackage 3: New security algorithm design FORTH-ICS The next six months Cork, 29 January 2007

Upload: david-goodman

Post on 26-Dec-2015


ICS-FORTH

WISDOM

Workpackage 3:New security algorithm design

FORTH-ICS

The next six months

Cork, 29 January 2007

WISDOM WP3: New security algorithm design

Objectives
• Identify critical security application components which can be efficiently implemented in the optical domain.
• Characterise constraints to algorithmic components and develop novel analytical techniques for simplified pattern matching.
• Design a Security Application Programming Interface (SAPI) which will be the interface between high-level security applications and low-level optical implementation.

Tasks - Deliverables
• WP 3.1: Security Applications partitioning (M12)
• WP 3.2: Identification of simplified Security Algorithms Components (M24)
• WP 3.3: Definition of a Security Application Programming Interface: SAPI (M27)

WP3.1 Security Applications Partitioning

• Identify components which can be effectively and efficiently implemented in the optical domain, e.g., optical bit filtering, simple optical bit pattern matching
• Partitioning of security-related applications (Firewalls, DoS attacks detection, IDS/IPS) into
  - high-level part (electronic)
  - low-level part (optical)

WP2 outcome crucial to WP3: restrictions from optical hardware

D3.1 report M12 (not M24 or M30 as initially stated)

WP3.1 Security Applications Partitioning

Identify efficient operations in optical domain by considering
• optical hardware
  - optical bit filtering, pattern matching (order of a hundred bits)
  - variable delays?
• optical data format
  - RZ pulses
• packet structure and decoding
  - TCP/IP, UDP/IP, etc
• basic firewall functionality
  - prevent communication for specific servers and services
• basic IDS/IPS functionality: signature, anomaly detection
  - simple pattern matching, stateful pattern matching, protocol decode-based detection, heuristic-based detection, anomaly-based detection

WP3.1 Security Applications Partitioning

Packet structure
• Header (fixed length)
• Payload (variable length)

Optical processing for headers only

Optical filtering to extract specific fields from headers

Complication: options field between different protocols, need to check options length.

TCP/IP headers (field diagram)
• IP header: IHL, TOS, 16-bit total length, 16-bit identification, flags, 13-bit fragment offset, TTL, protocol, 16-bit header checksum, 32-bit source IP address, 32-bit destination IP address, options (if any)
• TCP header: 16-bit source port, 16-bit destination port, 32-bit sequence number, 32-bit acknowledgment number, offset, reserved, flags, 16-bit window, 16-bit checksum, urgent pointer, options (if any)
• Application data

WP3.1 Security Applications Partitioning

Basic firewall functionality
• Look at port numbers
  - Block incoming traffic to specific ports
  - Optical filtering, optical pattern matching
• Look at IP addresses
  - Block incoming traffic from specific IP addresses
  - Optical filtering, optical/electronic pattern matching

Headers only

What happens to payload in the meantime? (sampling, randomized, heuristic…)
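
The header-only filtering described on the packet-structure and basic-firewall slides, modelled in conventional software as an added example (not code from the WISDOM project): it finds the port fields through IHL so that IP options do not shift the match, then applies port and source-address block rules. The rule set, function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Constructed rule set (assumption, not from the slides).
BLOCKED_DST_PORTS = {23, 445}
BLOCKED_SRC_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def parse_headers(packet: bytes) -> dict:
    """Extract the header fields a header-only filter needs from an IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    ip_len = ihl * 4                  # IHL counts 32-bit words; > 20 means options
    if version != 4 or ihl < 5 or len(packet) < ip_len:
        raise ValueError("not IPv4, invalid IHL, or truncated options")
    frag_offset = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF
    fields = {"protocol": packet[9], "src_port": None, "dst_port": None,
              "src": ipaddress.ip_address(packet[12:16]),
              "dst": ipaddress.ip_address(packet[16:20])}
    # Ports follow the IP header (wherever options end), first fragment only.
    if fields["protocol"] in (6, 17) and frag_offset == 0:
        if len(packet) < ip_len + 4:
            raise ValueError("truncated transport header")
        fields["src_port"], fields["dst_port"] = struct.unpack_from("!HH", packet, ip_len)
    return fields

def verdict(packet: bytes) -> str:
    """Return 'drop' or 'pass' from header fields only; malformed packets are dropped."""
    try:
        f = parse_headers(packet)
    except ValueError:
        return "drop"
    if any(f["src"] in net for net in BLOCKED_SRC_NETS):
        return "drop"
    return "drop" if f["dst_port"] in BLOCKED_DST_PORTS else "pass"

def build_packet(src: str, dst: str, sport: int, dport: int, options: bytes = b"") -> bytes:
    """Constructed sample input: IPv4 header, optional IP options, TCP header."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, 5 << 12, 65535, 0, 0)
    return ip + options + tcp

if __name__ == "__main__":
    pkt = build_packet("198.51.100.7", "192.0.2.10", 40000, 445, options=b"\x01" * 4)
    print(verdict(pkt), parse_headers(pkt)["dst_port"])
```

A matcher that reads the ports at a fixed offset of 20 bytes would see the option bytes instead of the port fields in the sample packet, which is the complication the slide notes.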

WP3.1 Security Applications Partitioning

Basic NIDS/NIPS functionality
• Simple pattern matching
  - optical for packet header, electronic for payload
• Stateful pattern matching
  - no obvious implementation in the optical
• Protocol decode detection
  - no obvious implementation in the optical
• Heuristic detection
  - possibilities to combine optical with electronic
• Anomaly detection
  - optical (e.g. simple DoS attacks) and electronic

WP3.1 Security Applications Partitioning

WISDOM firewall/NIDS/NIPS at the moment:
• Header-based rules only in the optical
  - more than 90% of actual NIDS rules involve full packet inspection
  - more than 90% of alerts in actual NIDS are header-based
• Conventional NIDS throughput

WP3.2 Identification of Simplified Security Algorithms Components

• Optical pre-processing for more complex pattern recognition
  - Restrictions in optical domain (buffering, level of integration, etc)
  - Scalability of security pattern matching algorithms, optimum balance between optical and electronic processing (WP6)

D3.2 Identification of Simplified Security Algorithms Components that may be implemented within optical bit-serial processing elements (M24)

WP 3.3 Definition of a Security Application Programming Interface (SAPI)

• SAPI will bridge the gap between optical execution of key components and programming of security applications
• High-level programming, abstract all low-level details

Monitoring Application Programming Interface (MAPI)

D3.3 Definition of SAPI (M27)

Scalability

• Parallel use of optical devices
  - up to a dozen “on a chip”
• Parallel/Distributed Architectures
  - Multiple sensors operating in parallel coupled with suitable load balancing traffic splitters
  - Many issues, e.g., not trivial to split packets, to distribute traffic evenly, specialized sensors

Modeling and simulation

• Physical models of optical hardware
  - from WP4 but useful for WP3
• Functional models of optical devices and simulators

Optical bit matching Conventional electronics