TRANSCRIPT
ICS-FORTH
WISDOM
Workpackage 3: New security algorithm design
FORTH-ICS
The next six months
Cork, 29 January 2007
WISDOM WP3: New security algorithm design
Objectives
• Identify critical security application components which can be efficiently implemented in the optical domain.
• Characterise constraints to algorithmic components and develop novel analytical techniques for simplified pattern matching.
• Design a Security Application Programming Interface (SAPI) which will be the interface between high-level security applications and low-level optical implementation.
Tasks - Deliverables
• WP 3.1: Security Applications partitioning (M12)
• WP 3.2: Identification of simplified Security Algorithms Components (M24)
• WP 3.3: Definition of a Security Application Programming Interface: SAPI (M27)
WP3.1 Security Applications Partitioning
• Identify components which can be effectively and efficiently implemented in the optical domain, e.g., optical bit filtering, simple optical bit pattern matching
• Partitioning of security-related applications (Firewalls, DoS attack detection, IDS/IPS) into
  - high-level part (electronic)
  - low-level part (optical)
WP2 outcome crucial to WP3: restrictions from optical hardware
D3.1 report M12 (not M24 or M30 as initially stated)
WP3.1 Security Applications Partitioning
Identify efficient operations in optical domain by considering
• optical hardware
  optical bit filtering, pattern matching (order of a hundred bits)
  variable delays?
• optical data format
  RZ pulses
• packet structure and decoding
  TCP/IP, UDP/IP, etc.
• basic firewall functionality
  prevent communication for specific servers and services
• basic IDS/IPS functionality: signature, anomaly detection
  simple pattern matching, stateful pattern matching, protocol decode-based detection, heuristic-based detection, anomaly-based detection
WP3.1 Security Applications Partitioning
Packet structure
• Header (fixed length)
• Payload (variable length)
Optical processing for headers only
Optical filtering to extract specific fields from headers
Complication: options field between different protocols, need to check options length.
TCP/IP headers (slide figure, given here as field lists in wire order)
IP header:
  4-bit version, 4-bit IHL, TOS, 16-bit total length
  16-bit identification, flags, 13-bit fragment offset
  TTL, protocol, 16-bit header checksum
  32-bit source IP address
  32-bit destination IP address
  options (if any)
TCP header:
  16-bit source port, 16-bit destination port
  32-bit sequence number
  32-bit acknowledgment number
  Offset, Reserved, Flags, 16-bit window
  16-bit checksum, urgent pointer
  Options (if any)
Application data
WP3.1 Security Applications Partitioning
Basic firewall functionality
• Look at port numbers
  Block incoming traffic to specific ports
  Optical filtering, optical pattern matching
• Look at IP addresses
  Block incoming traffic from specific IP addresses
  Optical filtering, optical/electronic pattern matching
Headers only. What happens to payload in the meantime?
(sampling, randomized, heuristic…)
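The two slides above describe the header-only stage: pull addresses and ports out of the IP and TCP headers, apply block rules to them, and hand the rest of the packet on. The complication they flag is that the port fields do not sit at a fixed byte offset once IP options are present. The following Python is an added example, not code from the WISDOM project or the presentation, showing a header parser that honours IHL and the TCP data offset, a deliberately naive fixed-offset read for contrast, and the two rule types from the slide (blocked ports, blocked source addresses). The packet, the rule values and the address ranges are all constructed for the example.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional


# Constructed sample packet (not captured traffic): IPv4 + TCP SYN from
# 192.0.2.10:40000 to 198.51.100.5:23, carrying 4 bytes of IP options
# (so IHL = 6 words, not 5) and 4 bytes of TCP options (data offset = 6 words).
def build_sample_packet() -> bytes:
    ip_options = b"\x01\x01\x01\x01"      # four NOP options keep the header 32-bit aligned
    tcp_options = b"\x02\x04\x05\xb4"     # MSS option, value 1460
    payload = b"constructed payload"
    tcp_hdr = struct.pack("!HHIIHHHH",
                          40000, 23,             # source port, destination port
                          1000, 0,               # sequence, acknowledgment
                          (6 << 12) | 0x02,      # data offset = 6 words, SYN flag
                          8192, 0, 0) + tcp_options   # window, checksum (unset), urgent ptr
    total_len = 20 + len(ip_options) + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x46,                   # version 4, IHL 6 (24 bytes incl. options)
                         0, total_len, 0x1234,   # TOS, total length, identification
                         0x4000, 64, 6, 0,       # DF flag, TTL, protocol TCP, checksum (unset)
                         ipaddress.IPv4Address("192.0.2.10").packed,
                         ipaddress.IPv4Address("198.51.100.5").packed) + ip_options
    return ip_hdr + tcp_hdr + payload


@dataclass
class HeaderFields:
    src: str
    dst: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]
    payload_offset: int   # where application data starts; what a header-only stage hands on


def parse_headers(pkt: bytes) -> HeaderFields:
    """Extract addresses and ports, honouring IHL and the TCP data offset."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4             # IHL counts 32-bit words; options follow byte 20
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport = dport = None
    l4 = ihl                               # transport header starts after the IP options
    if proto == 6:                         # TCP: 20 fixed bytes plus options per data offset
        if len(pkt) < l4 + 20:
            raise ValueError("truncated TCP header")
        sport, dport = struct.unpack_from("!HH", pkt, l4)
        data_off = (pkt[l4 + 12] >> 4) * 4
        if data_off < 20 or len(pkt) < l4 + data_off:
            raise ValueError("bad TCP data offset")
        payload_off = l4 + data_off
    elif proto == 17:                      # UDP: fixed 8-byte header, no options
        if len(pkt) < l4 + 8:
            raise ValueError("truncated UDP header")
        sport, dport = struct.unpack_from("!HH", pkt, l4)
        payload_off = l4 + 8
    else:
        payload_off = l4
    return HeaderFields(src, dst, proto, sport, dport, payload_off)


def naive_ports(pkt: bytes):
    """Fixed-offset read assuming a 20-byte IP header; reads option bytes when IHL > 5."""
    return struct.unpack_from("!HH", pkt, 20)


# Header-only rules as on the slide: block specific ports, block specific sources.
# Values are constructed for the example.
BLOCKED_PORTS = {23, 445}
BLOCKED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]


def header_verdict(h: HeaderFields) -> str:
    if h.dport in BLOCKED_PORTS:
        return f"drop: port {h.dport}"
    if any(ipaddress.ip_address(h.src) in net for net in BLOCKED_SOURCES):
        return f"drop: source {h.src}"
    return "pass"


if __name__ == "__main__":
    pkt = build_sample_packet()
    h = parse_headers(pkt)
    print(h, header_verdict(h))
    print("naive fixed-offset ports:", naive_ports(pkt))
```

On the sample packet the IHL-aware parser returns ports 40000 and 23 and the rule engine drops the packet on the port rule; the naive read at byte 20 returns the option bytes (257, 257) instead, which is exactly the "need to check options length" caveat from the slide. Any bit-serial filter that extracts port fields has to be keyed on the IHL nibble in the same way.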
WP3.1 Security Applications Partitioning
Basic NIDS/NIPS functionality
• Simple pattern matching
  optical for packet header, electronic for payload
• Stateful pattern matching
  no obvious implementation in the optical
• Protocol decode detection
  no obvious implementation in the optical
• Heuristic detection
  possibilities to combine optical with electronic
• Anomaly detection
  optical (e.g. simple DoS attacks) and electronic
WP3.1 Security Applications Partitioning
WISDOM firewall/NIDS/NIPS at the moment:
• Header-based rules only in the optical
  more than 90% of actual NIDS rules involve full packet inspection
  more than 90% of alerts in actual NIDS are header-based
• Conventional NIDS throughput
WP3.2 Identification of Simplified Security Algorithms Components
• Optical pre-processing for more complex pattern recognition
  Restrictions in optical domain (buffering, level of integration, etc.)
  Scalability of security pattern matching algorithms, optimum balance between optical and electronic processing (WP6)
D3.2 Identification of Simplified Security Algorithms Components that may be implemented within optical bit-serial processing elements (M24)
WP 3.3 Definition of a Security Application Programming Interface (SAPI)
• SAPI will bridge the gap between optical execution of key components and programming of security applications
• High-level programming, abstract all low-level details
Monitoring Application Programming Interface (MAPI)
D3.3 Definition of SAPI (M27)
Scalability
• Parallel use of optical devices
  up to a dozen “on a chip”
• Parallel/Distributed Architectures
  Multiple sensors operating in parallel coupled with suitable load balancing traffic splitters
  Many issues, e.g., not trivial to split packets, to distribute traffic evenly, specialized sensors
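The scalability slide notes that splitting traffic across parallel sensors is not trivial, and the earlier NIDS slide lists stateful pattern matching as one of the detection types. The two points meet in the splitter: if packets of one connection land on different sensors, no sensor sees the whole stream and stateful rules cannot fire. The Python below is an added example, not part of the presentation or the WISDOM project, contrasting a per-packet round-robin splitter with a direction-independent flow-hash splitter (a standard approach; its use here is the editor's assumption, not something the slides prescribe). Traffic, addresses and ports are constructed with a seeded generator so the run is deterministic.

```python
import hashlib
import random
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Packet5 = Tuple[str, str, int, int, int]   # (src, dst, proto, sport, dport)


def flow_key(src: str, dst: str, proto: int, sport: int, dport: int) -> str:
    """Direction-independent flow key: both halves of a connection map to one key."""
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}"


def assign_sensor(pkt: Packet5, n_sensors: int) -> int:
    """Hash the flow key so every packet of a flow goes to the same sensor."""
    digest = hashlib.sha256(flow_key(*pkt).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_sensors


def split_by_flow(packets: List[Packet5], n_sensors: int) -> Dict[int, List[Packet5]]:
    queues: Dict[int, List[Packet5]] = defaultdict(list)
    for p in packets:
        queues[assign_sensor(p, n_sensors)].append(p)
    return dict(queues)


def round_robin_split(packets: List[Packet5], n_sensors: int) -> Dict[int, List[Packet5]]:
    """Evenly balanced but flow-blind: the failure mode for stateful detection."""
    queues: Dict[int, List[Packet5]] = defaultdict(list)
    for i, p in enumerate(packets):
        queues[i % n_sensors].append(p)
    return dict(queues)


def sensors_per_flow(queues: Dict[int, List[Packet5]]) -> Dict[str, Set[int]]:
    """For each flow, the set of sensors that saw at least one of its packets."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for sensor, q in queues.items():
        for p in q:
            seen[flow_key(*p)].add(sensor)
    return dict(seen)


def load_per_sensor(queues: Dict[int, List[Packet5]]) -> Dict[int, int]:
    return {s: len(q) for s, q in queues.items()}


def make_sample_traffic(n_flows: int = 60, pkts_per_flow: int = 4, seed: int = 1) -> List[Packet5]:
    """Constructed traffic: n_flows TCP flows, packets alternate client->server and back."""
    rng = random.Random(seed)
    packets: List[Packet5] = []
    for _ in range(n_flows):
        client = f"192.0.2.{rng.randint(1, 254)}"
        server = f"198.51.100.{rng.randint(1, 254)}"
        sport = rng.randint(1024, 65535)
        dport = rng.choice([22, 25, 80, 443])
        for k in range(pkts_per_flow):
            if k % 2 == 0:
                packets.append((client, server, 6, sport, dport))
            else:
                packets.append((server, client, 6, dport, sport))
    return packets


if __name__ == "__main__":
    pkts = make_sample_traffic()
    for name, splitter in (("round-robin", round_robin_split), ("flow-hash", split_by_flow)):
        queues = splitter(pkts, 4)
        spans = sensors_per_flow(queues)
        print(name, "load:", load_per_sensor(queues),
              "flows seen by >1 sensor:", sum(len(s) > 1 for s in spans.values()))
```

Round-robin gives perfectly even load but scatters every flow over all four sensors; the flow-hash splitter keeps each flow on one sensor, at the price of load that is only statistically even and depends on the flow mix, which is the trade-off the slide's "not trivial to distribute traffic evenly" alludes to.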