Xiang Wang,Yaxuan Qi,Baohua Yang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icpads.2009.109

2009-01-01

Abstract:Network intrusion prevention system (NIPS) becomes more complex due to the rapid growth of network bandwidth and requirement of network security. However existing solutions, either hardware-based or software-based cannot obtain a good tradeoff between performance and flexibility. In this paper, we propose a parallel NIPS architecture using emerging network services processor. To resolve the problems and bottlenecks of high-speed processing, we investigate the main design aspects which have dramatic impacts on most parallel network security system implementations: efficient and flexible pipeline and parallel processing, flow-level packet-order preserving, and latency hiding of deep packet inspection. To these key points, we address several optimizations and modifications with an architecture-aware design principle to guarantee high performance and flexibility of the NIPS on a network services processor implementation. Performance evaluation shows that, our prototype NIPS on Cavium OCTEON3860 processor can reach line-rate stateful inspection and multi-Gbps deep inspection performance.

Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Hai-guang LAI,Hao HUANG,Jun-yuan XIE

2005-01-01

Journal of Computer Applications

Abstract:Network-based intrusion detection system (NIDS) detects attacks by capturing and analyzing network packets. As network band increases, NIDS can hardly keep up with the speed of networks. A method of improving NIDS' process ability using symmetric multi-processor (SMP) was proposed in the paper. Several CPUs of the system were used to process network packets in parallel to improve the performance. After analyzing NIDS' process procedure, an effective parallel processing structure was devised, which guaranteed threads on different CPUs running in parallel. Moreover, the synchronization method of threads proposed avoided the mutually exclusive access to the shared resource, which further increased the parallelity of threads, and guaranteed the correctness of the functionality of the program. Experiments show that the NIDS implemented on a SMP system with dual CPUs is almost 80% faster than the one based on a system with unique CPU.

T.M.R.L.B. Abeysinghe,N. Hassan,R. G. Ragel

DOI: https://doi.org/10.48550/arXiv.1412.7692

2014-12-24

Abstract:ASIPs are designed in order to execute instructions of a particular domain of applications. The designing of ASIPs addresses the major challenges faced by a system on chip such as size, cost, performance and energy consumption. The higher the number of similar instructions within the domain to be mapped the lesser the energy consumption, the smaller the size and the higher the performance of the ASIP. Thus, designing processors for domains with more similar programs would overcome these issues. This paper describes the investigation of whether the domains of programmer specific programs have any significance like application specific program domains and thus, whether the approach of designing processors known as Programmer Specific Instruction Set Processors is worthwhile. We performed the evaluation at the instruction level by using four different measures to obtain the similarity of programs: (1) by the existence of each instruction, (2) by the frequency of each instruction, (3) by two consecutive instruction patterns and (4) by three consecutive instruction patterns of application specific and programmer specific programs. We found that although programmer specific instructions show some impact on the similarity measures, they are much smaller and therefore insignificant compared to the impact from application specific programs.

Hardware Architecture

Mehdi Bahrami,Mohammad Bahrami

DOI: https://doi.org/10.48550/arXiv.1205.4385

2012-05-20

Software Engineering

Abstract:Today by growing network systems, security is a key feature of each network infrastructure. Network Intrusion Detection Systems (IDS) provide defense model for all security threats which are harmful to any network. The IDS could detect and block attack-related network traffic. The network control is a complex model. Implementation of an IDS could make delay in the network. Several software-based network intrusion detection systems are developed. However, the model has a problem with high speed traffic. This paper reviews of many type of software architecture in intrusion detection systems and describes the design and implementation of a high-performance network intrusion detection system that combines the use of software-based network intrusion detection sensors and a network processor board. The network processor which is a hardware-based model could acts as a customized load balancing splitter. This model cooperates with a set of modified content-based network intrusion detection sensors rather than IDS in processing network traffic and controls the high-speed.

Xinbing Zhou,Yi Man,Peng Hao,Wei Chen,Bo Yang,Baoguo Ding,Dake Liu

DOI: https://doi.org/10.3390/mi15111287

IF: 3.4

2024-10-24

Micromachines

Abstract:The application-specific instruction set processor (ASIP) has been gradually accepted in AI, communication, media, game and industry control. The digital signal processor (DSP) is a typical ASIP, whose benefits include high performance in specific domains, low power consumption, high flexibility and low silicon consumption. One of the challenges for DSP design is to handle problems induced by datapath acceleration. The datapath acceleration (instruction fusion, black box instructions) induces control complexities. To most efficiently utilize hardware, control challenges can be summarized as RAW (Read-After-Write) handling, hardware hazard handling, and WAW (Write-After-Write) handling. Both an advanced compiler and hardware hazard handler can be used as solutions. In this paper, we introduced both solutions and exposed the benefits from the hardware solution. The benefits include utilizing low silicon to achieve higher performance and program memory reduction on chip. In summary, our solution only uses 0.91% extra silicon area yet achieves 32.75% performance improvement. So, the overall performance-to-cost ratio could be evaluated as 32%.

chemistry, analytical,nanoscience & nanotechnology,instruments & instrumentation,physics, applied

Wei LIU,Quan-lin LI,Li RUI

DOI: https://doi.org/10.3969/j.issn.1671-1122.2015.09.011

2015-01-01

Abstract:Intrusion prevention system (IPS) is a crucial defensive measure against malicious attacks to information system. However, the improper IPS conifguration can have a negative impact on network performances in terms of end-to-end delay or packets loss. Most researchers mainly focus on putting forward new IPS and analyzing the different methodologies, but ignoring the research of quantitative analysis on IPS. By analyzing the system as a quasi-birth-and –death process, this paper obtains the steady probabilities distribution to compute some important indices by establishing a two-dimensional Markov chain model. The experimental results prove that the general analytical method can effectively evaluate the performances of IPS, and also testify the correctness of the model indirectly.

Wadid Foudhaili,Anouar Nechi,Celine Thermann,Mohammad Al Johmani,Rainer Buchty,Mladen Berekovic,Saleh Mulhem

DOI: https://doi.org/10.1007/978-3-031-55673-9_4

2024-04-14

Abstract:Intrusion detection systems (IDS) are crucial security measures nowadays to enforce network security. Their task is to detect anomalies in network communication and identify, if not thwart, possibly malicious behavior. Recently, machine learning has been deployed to construct intelligent IDS. This approach, however, is quite challenging particularly in distributed, highly dynamic, yet resource-constrained systems like Edge setups. In this paper, we tackle this issue from multiple angles by analyzing the concept of intelligent IDS (I-IDS) while addressing the specific requirements of Edge devices with a special focus on reconfigurability. Then, we introduce a systematic approach to constructing the I-IDS on reconfigurable Edge hardware. For this, we implemented our proposed IDS on state-of-the-art Field Programmable Gate Arrays (FPGAs) technology as (1) a purely FPGA-based dataflow processor (DFP) and (2) a co-designed approach featuring RISC-V soft-core as FPGA-based soft-core processor (SCP). We complete our paper with a comparison of the state of the art (SoA) in this domain. The results show that DFP and SCP are both suitable for Edge applications from hardware resource and energy efficiency perspectives. Our proposed DFP solution clearly outperforms the SoA and demonstrates that required high performance can be achieved without prohibitively high hardware costs. This makes our proposed DFP suitable for Edge-based high-speed applications like modern communication technology.

Cryptography and Security,Hardware Architecture,Machine Learning,Networking and Internet Architecture

Muhammad Sheeraz,Muhammad Hanif Durad,Shahzaib Tahir,Hasan Tahir,Saqib Saeed,Abdullah M. Almuhaideb

DOI: https://doi.org/10.1109/access.2024.3395123

IF: 3.9

2024-05-07

IEEE Access

Abstract:Intrusion Prevention Systems (IPS), capable of preventing the organizational network from a cyber-attack in addition to detecting it, are widely adopted by organizations to protect their networks from unauthorized access, attacks, and malicious activities. Similarly, Snort an open-source IPS is extensively used for effective network security monitoring and analysis. When functioning as an IPS, Snort can be deployed in inline mode within an organizational network, so that all the organizational network traffic travels through it, hence actively blocking or preventing malicious traffic in real-time. This requires Snort to process the network traffic fast enough to match the network traffic line rate. But the Snort IPS default data acquisition module i.e. advanced packet filtering (AF_PACKET) cannot process network traffic at the line rate that causes packet loss and network services disturbance. This research work discusses the technologies available to make Snort IPS process network traffic at line rate. Packet filtering framework (PF_RING) and data plane development kit (DPDK) are the most effective and widely used software technologies, whereas the Napatech smart network interface card (smartNIC) is a very efficient hardware technology for achieving line rate traffic processing. A throughput comparison shows that PF_RING and DPDK achieve a throughput close to 1G with 100% CPU utilization whereas Napatech smartNIC achieves full 1G throughput with CPU utilization of less than 5%. Furthermore, the integration of Snort IPS with the security information and event management (SIEM) system has been discussed for better attack detection in an organizational network.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chao Wang,Xi Li,Huizhen Zhang,Aili Wang,Xuehai Zhou

DOI: https://doi.org/10.1016/j.jss.2016.07.025

IF: 3.5

2017-03-01

Journal of Systems and Software

Abstract:In the past decades, instruction set extension problem has been a key research area for state-of-the-art design automation of Very Large Scale Integration (VLSI) systems. Meanwhile, recently there is a renewed interest for hot spot profiling and dataflow analysis in custom instruction set processors. This paper proposes HOTISE, an architecture framework for adaptive reconfigurable instruction set processors (RISP) with dynamic profiling and dataflow analysis. A dynamic profiler is employed to obtain hot spots for each application at run-time. Then the selected hot spots will be considered as custom instructions and implemented in reconfigurable logic arrays. An instruction generator based on dataflow generation provides a mapping scheme from each selected instruction to hardware processing element in the array. To demonstrate the accuracy and feasibility of HOTISE, we have implemented a profiler prototype using simulator-based RTL codes. Experimental results show that the profiling results can cover more than 97% hot spots of MiBench and NetBench applications. In particular, the custom instruction of CRC and MD5 application proves the effectiveness of the mapping mechanism, the code sizes of CRC and MD5 could decrease to 32.5% and 37%, while achieving the speedup at 4.7x and 5.1x, respectively.

computer science, theory & methods, software engineering

Rafael Oliveira,Tiago Pedrosa,José Rufino,Rui Pedro Lopes

DOI: https://doi.org/10.3390/systems12040126

2024-04-07

Systems

Abstract:The rapid evolution of technology has fostered an exponential rise in the number of individuals and devices interconnected via the Internet. This interconnectedness has prompted companies to expand their computing and communication infrastructures significantly to accommodate the escalating demands. However, this proliferation of connectivity has also opened new avenues for cyber threats, emphasizing the critical need for Intrusion Detection Systems (IDSs) to adapt and operate efficiently in this evolving landscape. In response, companies are increasingly seeking IDSs characterized by horizontal, modular, and elastic attributes, capable of dynamically scaling with the fluctuating volume of network data flows deemed essential for effective monitoring and threat detection. Yet, the task extends beyond mere data capture and storage; robust IDSs must integrate sophisticated components for data analysis and anomaly detection, ideally functioning in real-time or near real-time. While Machine Learning (ML) techniques present promising avenues for detecting and mitigating malicious activities, their efficacy hinges on the availability of high-quality training datasets, which in turn poses a significant challenge. This paper proposes a comprehensive solution in the form of an architecture and reference implementation for (near) real-time capture, storage, and analysis of network data within a 1 Gbps network environment. Performance benchmarks provided offer valuable insights for prototype optimization, demonstrating the capability of the proposed IDS architecture to meet objectives even under realistic operational scenarios.

Jia Ni,Chuang Lin,Zhen Chen,Peter Ungsunan

DOI: https://doi.org/10.1109/ICPP.2007.7

2007-01-01

Abstract:Deep Packet Inspection (DPI) is a critical function in network security applications such as Firewalls and Intrusion Detection Systems (IDS). Signature based scanners used in DPI apply multi-pattern matching algorithms to check whether the packet payload or flow content contains a specified signature in a signature set. Existing multi-pattern matching algorithms sacrifice memory space to achieve better performance. In this paper a novel fast multi-pattern matching algorithm, the Hash Boyer-Moore (HBM) Algorithm, is presented, which reduces the memory footprint of the heuristic table using a hash function and adds another heuristic table to reduce the false-positive ratio. Analyses and simulations show HBM offers higher speed and lower memory cost than some existing algorithms. The HBM algorithm was implemented on the Intel IXP 2400 Network Processor (NP) platform and experiments show suitable performance results in a Gigabit Ethernet LAN environment.

Xu Bo,He Fei,Xue Yibo,Li Jun

DOI: https://doi.org/10.1016/s1007-0214(09)70003-3

2009-01-01

Abstract:Today's firewalls and security gateways are required to not only block unauthorized accesses by authenticating packet headers, but also inspect flow payloads against malicious intrusions. Deep inspection emerges as a seamless integration of packet classification for access control and pattern matching for intrusion prevention. The two function blocks are linked together via well-designed session lookup schemes. This paper presents an architecture-aware session lookup scheme for deep inspection on network processors (NPs). Test results show that the proposed session data structure and integration approach can achieve the OC-48 line rate (2.5 Gbps) with inline stateful content inspection on the Intel IXP2850 NP. This work provides an insight into application design and implementation on NPs and principles for performance tuning of NP-based programming such as data allocation, task partitioning, latency hiding, and thread synchronization.

Yun Niu,Liji Wu,Xiangmin Zhang

DOI: https://doi.org/10.4304/jcp.8.2.319-325

2013-01-01

Journal of Computers

Abstract:The IP security protocol (IPSec) is an important and widely used security protocol in the IP layer. But the implementation of the IPSec is a computing intensive work which greatly limits the performance of the high speed network. In this paper, a high performance IPSec accelerator used in a 10Gbps in-line network security processor (NSP) is presented. The design integrates the protocol processing and the cryptographic processing; the transport/tunnel mode of the AH, ESP security protocols and the AES, HMAC-SHA-1 cryptographic algorithms are realized by hardware. An efficient partial crossbar data transfer skeleton with iSLIP scheduling algorithm is adopted to realize the maximum utilization of the computation resources in the accelerator. The number of AH, ESP, AES, HMAC-SHA-1 cores in the design can be configured to meet the different applications. By simulation, with 8 protocol IP-cores and 24 crypto IP-cores connected to the crossbar in the IPSec accelerator, the design gives a peak throughput for the AH protocol transport mode of 11.28Gbps at the average of 512 bytes packet length under a clock rate of 300MHz. The hardware verification is implemented on a Virtex-5 XC5VSX95T based FPGA board. Low power design methods are also used in the design to reduce the power dissipation.

JM Yu,J Li

2005-01-01

Abstract:At the heart of almost every modern Network Intrusion Detection System (NIDS), there is a pattern matching engine (PME). As pattern matching is the most time consuming operation in NIDS, it is highly desired to reduce the pattern matching time of each packet or flow. This paper proposed a parallel pattern matching algorithm based on Aho-Corasick (AC) algorithm and an efficient load balance policy for it. The method is implemented on Intel's IXP2850 Network Processor (NP). Experimental results show that when using eight processors, the pattern matching time of each packet or flow can decrease to 60.44%similar to 14.42%. Based on the parallel algorithm, a PME utilizing parallel processing on three levels is proposed. Experimental results on IXP2850 show that the throughput speedup of pattern matching is 13.34 similar to 55.48 times.

Kairo Tavares,Tiago Ferreto

DOI: https://doi.org/10.5753/sbrc.2021.16738

2021-08-16

Abstract:Network Intrusion Detection Systems (NIDS) are one of the key defense mechanisms employed to detect and mitigate network-based threats. Several works explored the ability to offload NIDS pre-filtering capabilities to hardware platforms in order to reduce resource usage saturation and improve detection accuracy. Among them, network data plane solutions in SDN aim to leverage the hardware speed and the recent flexibility of programmable switches. However, those solutions are designed without considering a constrained data plane with limited table sizes and memory space, thus reducing accuracy detection and vulnerability buffer saturation attacks. This paper proposes P4- ONIDS, a solution that improves the parsing and compilation of NIDS rules for the data plane alongside sketch-based solutions for suspicious flow pre-filtering while maintaining a low usage of resources and leveraging the hardware speed of the data plane. We evaluate the compiler and our pre-filtering data plane capabilities in an emulated environment using Mininet with Snort NIDS. Results have shown more than 400x reduction on generated P4 rules. Some experiments reach an accuracy of approximately 90% with 40% of packets filtering.

Ren Yue,Chen Miao,Li Bo,Wang Xueyuan,Li Xingzhi,Liao Zijun

DOI: https://doi.org/10.1109/cac53003.2021.9727422

2021-10-22

Abstract:With the rapid development of the Internet, network traffic is becoming more complex and diverse. At the same time, malicious traffic is growing. This seriously threatens the security of networks and information. However, the current DPI (Deep Packet Inspect) engine based on x86 architecture is slow in monitoring speed, which cannot meet the needs. Generally, two factors affect the detection rate: CPU and memory; The efficiency of data packet acquisition, and multi regular expression matching. Under these circumstances, this paper presents an efficient implementation of the DPI engine based on a generic x86 platform. DPDK is used as the platform of network data packets acquisition and processing. Using the multi-queue of the NIC (network interface controller) and the customized symmetric RSS key, the network traffic is divided and reorganized in the form of conversation. The core of traffic identification is hyperscan, which uses a flow pattern to match the packets load of a single conversation efficiently. It greatly reduces memory requirements. The method makes full use of the system resources and takes into account the advantages of high efficiency of hardware implementation. And it has a remarkable improvement in the efficiency of recognition.

Shi Qingsong,Chen Du,Nan Zhang,Jijun Ma,Tianzhou Chen

DOI: https://doi.org/10.1109/sec.2008.16

2008-01-01

Abstract:Security of embedded systems is becoming more and more important. IDS (instrusion detection system) has been designed to protect systems from being compromised by network attacks. A lot of researches have been done on it. However, most of them focus on complex and time-consuming detection methods to improve accuracy of the system, with assumption that IDS is running under control of general purpose operating systems (GPOS). In this way, the IDS itself will depress overall performance and cannot be guaranteed secure. In this paper, we present an embedded architecture of SPMOS-based IDS. SPMOS, located in SPM, is a little OS running under GPOS. Experiment results show that the architecture is fast. Based on this, we also design a simple IDS and conduct tests by integrating it into SPMOS and GPOS. The former consumes the latter's 8.3% time only, with less than 6.2% overhead, which verifies the architecture proposed is practical and efficient.

Maho Kajiura,Junya Nakamura

2024-05-21

Abstract:Network Intrusion Detection Systems (NIDSs) detect intrusion attacks in network traffic. In particular, machine-learning-based NIDSs have attracted attention because of their high detection rates of unknown attacks. A distributed processing framework for machine-learning-based NIDSs employing a scalable distributed stream processing system has been proposed in the literature. However, its performance, when machine-learning-based classifiers are implemented has not been comprehensively evaluated. In this study, we implement five representative classifiers (Decision Tree, Random Forest, Naive Bayes, SVM, and kNN) based on this framework and evaluate their throughput and latency. By conducting the experimental measurements, we investigate the difference in the processing performance among these classifiers and the bottlenecks in the processing performance of the framework.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Machine Learning,Networking and Internet Architecture