
Hardware architecture of a behavior modeling coprocessor for network intrusion detection.


Abstract

Intrusion detection systems protect a network by classifying traffic as normal or malicious. Classifying network traffic is difficult, and it is made more complex by the growing performance pressure of increasing traffic rates, the need to detect stealthy attacks through sophisticated analysis, the requirement for in-line processing, and the inability of software-based systems to keep up with line speeds. In this dissertation we specifically address four important issues in the design of security systems.

(1) A behavior-based technique was implemented in hardware to detect attacks. The technique checks network traffic for behavioral compliance using configurable, parametric data structures called theories, which can model simple as well as complex behavior. Theories translate themselves into hardware using configurable functional units called assertion blocks.

(2) To let the system scale with an increasing number of behavior modules, a configurable fabric of assertion blocks was developed. The configurable assertion block fabric contains pre-synthesized assertion modules that are triggered by theories.

(3) A Multi-Level Fractional Hash Algorithm was developed to manage the gathered traffic information efficiently, inserting and querying a connection record in O(1) average time.

(4) To block pre-defined malicious content, a high-speed trie-based pattern matching algorithm was designed. Its throughput is 14 Gbps and is independent of the length of the patterns, the location of the malicious content in the streaming data, and the number of patterns in the pattern set.

The architectural and algorithmic enhancements above were integrated into the hardware architecture of a behavior modeling coprocessor for network intrusion detection, called the Behavioral Intrusion Prevention and Detection System (BIPDS). BIPDS is designed to carry out threat detection with dedicated hardware accelerators by monitoring all communication layers, extracting the relevant data, and enabling highly efficient operation. The system supports a large number of protocols and applications and is extensible to new applications and services. BIPDS can process one million simultaneous data connections in parallel at 11 Gbps, has a die area of 17.3 mm² (TSMC 0.25 micron library), and has a morphable data path to accommodate changes in network size and configuration.

Bibliographic details

  • Author: Yadav, Meeta
  • Author affiliation: North Carolina State University
  • Degree-granting institution: North Carolina State University
  • Subject: Electrical engineering
  • Degree: Ph.D.
  • Year: 2007
  • Pages: 195 p.
  • Total pages: 195
  • Format: PDF
  • Language: eng
