massively parallel cuckoo pattern matching applied for nids/nips
DESCRIPTION
Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS. Author: Tran Ngoc Thinh , Surin Kittitornkun Publisher: Electronic Design, Test and Application, 2010. DELTA '10. Fifth IEEE International Symposium on Presenter: Yuen- Shuo Li Date : 2013/04/09. Background. - PowerPoint PPT PresentationTRANSCRIPT
1
Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS Author: Tran Ngoc Thinh, Surin Kittitornkun Publisher: Electronic Design, Test and Application, 2010.
DELTA '10. Fifth IEEE International Symposium on Presenter: Yuen-Shuo Li Date: 2013/04/09
2
Background
Nowadays, illegal intrusion is one of the most serious threats to network security. Network Intrusion Detection/Prevention Systems (NIDS/NIPSs) are designed to examine not only the headers but also the payload of the packets to match and identify intrusions. However, checking thousands of patterns to see whether it matches becomes a computationally intensive task as the highest network speed increases to several gigabits per second (Gbps).
3
Introduction
In this paper, we implement a massively parallel architecture of variable-length pattern matching best suited for hardware, naming Cuckoo-based Pattern Matching (CPM). CPM is the application of a recently developed algorithm called Cuckoo Hashing [12] for pattern matching in NIDS/NIPS. With the parallel lookup, our improved system is more efficient in terms of performance as applied on hardware. Unlike most previous FPGA-based systems, CPM is also very flexible in terms of update the static pattern set without reconfiguration.
4
Hashing with Chaining
The main idea in hashing based dictionaries is to let the hash functions decide where to store each item. However, it is highly likely that there will be collisions. An obvious idea is to make a pointer from position a in the array to a data structure holding the set.
5
Cuckoo Hashing
Cuckoo hashing is a scheme for resolving hash collisions of values of hash functions in a table, with worst-case constant lookup time. The name derives from the behavior of some species of cuckoo, where the cuckoo chick pushes the other eggs or young out of the nest when it hatches; analogously, inserting a new key into a cuckoo hashing table may push an older key to a different location in the table.
6
Cuckoo Hashing(Cont.)
Instead of requiring that x should be stored at position h1(x), we give two alternatives: Position h1(x) and position h2(x). When inserting a new element x it may of course still happen that there is no space. This is resolved by imitating the nesting habits of the European cuckoo: Throw out the current occupant y of position h1(x) to make room!
7
Cuckoo Hashing(Cont.)
8
FPGA-based Cuckoo Hasingsingle-port
SRAMdouble-port
SRAM
9
Cuckoo Hasing - lookup
10
Cuckoo Hasing - insert
11
CPM - Architecture
On Dec 15, 2006, there were 4,748 unique patterns which contain 64,873 characters in Snorts rule set. Fig.5 shows the distribution of the pattern lengths in Snort database of from 1 up to 109 characters. We can see that 65% of total numbers of patterns are up to 16 characters.
12
CPM – Architecture(Cont.)
Therefore, we build the Cuckoo Hashing modules for short patterns which are less than or equal 16 characters according to this fact. For longer patterns, we can break them into shorter segments so that we can insert those segments to the Cuckoo modules of short patterns.
input: ABCDEFGHIJKLMNOP
ABCDEFGHIJKLMNOP
...ABCDABCABA
13
CPM – Architecture(Cont.)
Shift-Add-XOR(SAX) utilizes only the simple and fast operations of shift, XOR and add.
) + )+
SL and SR: shift left and rightCi :the character ith of stringHi : an intermediate hash value after examination of i characters.
14
CPM – Architecture(Cont.)
input: ABCDEFGHIJKLMNOP
ABCDEFGHIJKLMNOP
...ABCDABCABA
15
CPM – Architecture(Cont.)
16
Performance
17
Performance(Cont.)