Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Wadid Foudhaili,Anouar Nechi,Celine Thermann,Mohammad Al Johmani,Rainer Buchty,Mladen Berekovic,Saleh Mulhem

DOI: https://doi.org/10.1007/978-3-031-55673-9_4

2024-04-14

Abstract:Intrusion detection systems (IDS) are crucial security measures nowadays to enforce network security. Their task is to detect anomalies in network communication and identify, if not thwart, possibly malicious behavior. Recently, machine learning has been deployed to construct intelligent IDS. This approach, however, is quite challenging particularly in distributed, highly dynamic, yet resource-constrained systems like Edge setups. In this paper, we tackle this issue from multiple angles by analyzing the concept of intelligent IDS (I-IDS) while addressing the specific requirements of Edge devices with a special focus on reconfigurability. Then, we introduce a systematic approach to constructing the I-IDS on reconfigurable Edge hardware. For this, we implemented our proposed IDS on state-of-the-art Field Programmable Gate Arrays (FPGAs) technology as (1) a purely FPGA-based dataflow processor (DFP) and (2) a co-designed approach featuring RISC-V soft-core as FPGA-based soft-core processor (SCP). We complete our paper with a comparison of the state of the art (SoA) in this domain. The results show that DFP and SCP are both suitable for Edge applications from hardware resource and energy efficiency perspectives. Our proposed DFP solution clearly outperforms the SoA and demonstrates that required high performance can be achieved without prohibitively high hardware costs. This makes our proposed DFP suitable for Edge-based high-speed applications like modern communication technology.

Cryptography and Security,Hardware Architecture,Machine Learning,Networking and Internet Architecture

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Zhongqiang Chen,Yuan Zhang,Zhongrong Chen,Alex Delis

DOI: https://doi.org/10.1093/comjnl/bxp026

2009-01-01

The Computer Journal

Abstract:Intrusion detection/prevention systems (IDSs/IPSs) heavily rely on signature databases and pattern matching (PM) techniques to identify network attacks. The engines of such systems often employ traditional PM algorithms to search for telltale patterns in network flows. The observations that real-world network traffic is largely legitimate and that telltales manifested by exploits rarely appear in network streams lead us to the proposal of Fingerprinter. This framework integrates fingerprinting and PM methods to rapidly distinguish well-behaved from malicious traffic. Fingerprinter produces concise digests or fingerprints for attack signatures during its programming phase. In its querying phase, the framework quickly identifies attack-free connections by transforming input traffic into its fingerprint space and matching its digest against those of attack signatures. If the legitimacy of a stream cannot be determined by fingerprints alone, our framework uses the Boyer–Moore algorithm to ascertain whether attack signatures appear in the stream. To reduce false matches, we resort to multiple fingerprinting techniques including Bloom–Filter and Rabin–Fingerprint. Experimentation with a prototype and a variety of traces has helped us establish that Fingerprinter significantly accelerates the attack detection process.

Hongbin Lu,Kai Zheng,Bin Liu,Xin Zhang,Yunhao Liu

DOI: https://doi.org/10.1109/jsac.2006.877221

IF: 16.4

2006-01-01

IEEE Journal on Selected Areas in Communications

Abstract:The ability to inspect both packet headers and payloads to identify attack signatures makes network intrusion detection system (NIDS) a promising approach to protect Internet systems. Since most of the known attacks can be represented with strings or combinations of multiple substrings, string matching is a key component, as well as the bottleneck in NIDS to address the requirement of constantly increasing capacity. We propose a memory-efficient multiple-character-approaching architecture consisting of multiple parallel deterministic finite automata (DFAs), called TDP-DFA. By employing efficient representations for the transition rules in each DFA, TDP-DFA significantly reduces the complexity. We also present a novel scheme to share the storage of transition rules among multiple DFAs, substantially decreasing the total storage cost, and avoiding the cost increase being proportional to the number of DFAs. We evaluate this design through theoretical analysis and comprehensive experiments. Results show that TDP-DFA is able to meet the critical requirement of OC-768 wirespeed processing, as well as constituting a promising way for scaling up to cope with throughput over 100 Gb/s in the future

Mehdi Bahrami,Mohammad Bahrami

DOI: https://doi.org/10.48550/arXiv.1205.4385

2012-05-20

Software Engineering

Abstract:Today by growing network systems, security is a key feature of each network infrastructure. Network Intrusion Detection Systems (IDS) provide defense model for all security threats which are harmful to any network. The IDS could detect and block attack-related network traffic. The network control is a complex model. Implementation of an IDS could make delay in the network. Several software-based network intrusion detection systems are developed. However, the model has a problem with high speed traffic. This paper reviews of many type of software architecture in intrusion detection systems and describes the design and implementation of a high-performance network intrusion detection system that combines the use of software-based network intrusion detection sensors and a network processor board. The network processor which is a hardware-based model could acts as a customized load balancing splitter. This model cooperates with a set of modified content-based network intrusion detection sensors rather than IDS in processing network traffic and controls the high-speed.

Chao Wang,Jinhong Zhou,Lei Gong,Xi Li,Aili Wang,Xuehai Zhou

DOI: https://doi.org/10.1109/ICWS.2017.74

2017-01-01

Abstract:The Intrusion Detection Systems (IDS) is becoming important and quite timing/space consuming due to the increasing volume of explosive data flood. During the past decades, there have been plenty of studies proposing software mechanisms to exploit the temporal locality in the IDS systems. However, it requires considerable memory blocks to store the redundancy table, therefore, the performance as well as the memory utilization is still worth pursuing. To tackle the above weakness, in this paper, we present xFilter, which explores the temporal locality to capture the redundancy, and propose a novel architecture to store and operate the redundancy table on FPGA. To demonstrate the performance of the xFilter structure, we designed a high efficient accelerator for Aho-Corasick (AC) algorithm used in Snort to detect the attack strings. To show the performance of xFilter, we implement a hardware prototype using Xilinx Zynq FPGA platform. Experimental results show that the xFilter accelerator can achieve 5.1x speedup against software implementation with insignificant hardware cost. Furthermore, the proposed hardware redundancy table mechanism can achieve 1.6x speedup against the traditional hardware accelerator.

Danai Chasaki,Tilman Wolf

DOI: https://doi.org/10.1145/1872007.1872022

2010-01-01

Abstract:The development of Network Intrusion Detection Systems (NIDS) is nowadays a powerful solution to defend against various network security threats. There has been a lot of research effort devoted to hardware-based NIDS, because of (1) the massive amount of computation performed by regular expression matching algorithms and (2) the gigabit per second performance requirement of modern NIDS. Hardware-based NIDS take advantage of parallelization inherent in FPGAs, ASICs or network processors to support very high network speeds, while software approaches fail to do so.

Ziming Zhao,Zhaoxuan Li,Zhuoxue Song,Fan Zhang,Binbin Chen

DOI: https://doi.org/10.1109/infocom52122.2024.10621290

2024-01-01

Abstract:Existing Deep Learning (DL)-based network Intrusion Detection System (IDS) is able to characterize sequence semantics of traffic and discover malicious behaviors. Yet DL models are often nonlinear and highly non-convex functions that are difficult for in-network deployment. In this paper, we present RIDS, a hardware-friendly Recurrent Neural Network (RNN) model that is co-designed with programmable switches. As its core, RIDS is powered by two tightly-coupled components: (i) rLearner, the RNN learning module with in-network deployability as the first-class requirement; and (ii) rEnforcer, the concrete pipeline design to realize rLearner-generated models inside the network dataplane. We implement a prototype of RIDS and evaluate it on our physical testbed. The experiments show that RIDS could satisfy both detection performance and high-speed bandwidth adaptation simultaneously, when none of the other existing approaches could do so. Inspiringly, RIDS realizes remarkable intrusion/malware detection effect (e.g., similar to 99% F1 score) and model deployment (e.g., 100 Gbps per port), while only imposing nanoseconds of latency.

Xiaofei Wang,Yang Xu,Junchen Jiang,Olga Ormond,Bin Liu,Xiaojun Wang

DOI: https://doi.org/10.1109/JSYST.2013.2244791

IF: 4.802

2013-01-01

IEEE Systems Journal

Abstract:Deep packet inspection has become a key component in network intrusion detection systems (NIDSes), where every packet in the incoming data stream needs to be compared with patterns in an attack database, byte-by-byte, using either string matching or regular expression matching. Regular expression matching, despite its flexibility and efficiency in attack identification, brings significantly high computation and storage complexities to NIDSes, making line-rate packet processing a challenging task. In this paper, we present stride finite automata (StriFA), a novel finite automata family, to accelerate both string matching and regular expression matching. Different from conventional finite automata, which scan the entire traffic stream to locate malicious information, a StriFA only needs to scan a partial traffic stream to find suspicious information. The presented StriFA technique has been implemented in software and evaluated based on different traces. The simulation results show that the StriFA acceleration scheme offers an increased speed over traditional nondeterministic finite automaton/deterministic finite automaton, while at the same time reducing the memory requirement.

Ziming Zhao,Zhaoxuan Li,Zhuoxue Song,Fan Zhang

DOI: https://doi.org/10.1109/rtss59052.2023.00045

2023-01-01

Abstract:Existing Deep Learning (DL)-based network Intrusion Detection System (IDS) is able to characterize sequence semantics of traffic and discover malicious behaviors. Yet DL models are often nonlinear and highly non-convex functions that are difficult for in-network real-time deployment, i.e., existing DL solutions are essentially offline analysis. In this paper, we present RIDS, a hardware-friendly Recurrent Neural Network (RNN) model that is co-designed with programmable switches. As its core, RIDS is powered by two tightly-coupled components: (i) rLearner, the RNN learning module with in-network deployability as the first-class requirement; and (ii) rEnforcer, the concrete pipeline design to realize rLearner-generated models inside the network dataplane. We implement a prototype of RIDS and evaluate it on our physical testbed. The experiments show that RIDS could satisfy both detection performance and high-speed bandwidth adaptation simultaneously, when none of the other existing approaches could do so. Inspiringly, RIDS realizes remarkable intrusion/malware detection effect (e.g., ∽99% F1 score) and model deployment (e.g., 100 Gbps per port), while only imposing nanoseconds of latency.

Alan Kennedy,Xiaojun Wang,Zhen Liu,Bin Liu

DOI: https://doi.org/10.1109/date.2010.5457172

2010-01-01

Abstract:Deep Packet Inspection (DPI) involves searching a packet's header and payload against thousands of rules to detect possible attacks. The increase in Internet usage and growing number of attacks which must be searched for has meant hardware acceleration has become essential in the prevention of DPI becoming a bottleneck to a network if used on an edge or core router. In this paper we present a new multi-pattern matching algorithm which can search for the fixed strings contained within these rules at a guaranteed rate of one character per cycle independent of the number of strings or their length. Our algorithm is based on the Aho-Corasick string matching algorithm with our modifications resulting in a memory reduction of over 98% on the strings tested from the Snort ruleset. This allows the search structures needed for matching thousands of strings to be small enough to fit in the on-chip memory of an FPGA. Combined with a simple architecture for hardware, this leads to high throughput and low power consumption. Our hardware implementation uses multiple string matching engines working in parallel to search through packets. It can achieve a throughput of over 40 Gbps (OC-768) when implemented on a Stratix 3 FPGA and over 10 Gbps (OC-192) when implemented on the lower power Cyclone 3 FPGA.

N. Zeeni,N. Nadkarni,Jimmy D Bell,P. Even,G. Fromentin,D. Tomé,N. Darcel

DOI: https://doi.org/10.1016/j.neuroimage.2010.01.065

IF: 5.7

2010-05-01

NeuroImage

Abstract:

Monther Aldwairi,Yahya Flaifel,Khaldoon Mhaidat

DOI: https://doi.org/10.48550/arXiv.2003.00405

2020-03-01

Cryptography and Security

Abstract:Network intrusion detection systems and antivirus software are essential in detecting malicious network traffic and attacks such as denial-of-service and malwares. Each attack, worm or virus has its own distinctive signature. Signature-based intrusion detection and antivirus systems depend on pattern matching to look for possible attack signatures. Pattern matching is a very complex task, which requires a lot of time, memory and computing resources. Software-based intrusion detection is not fast enough to match high network speeds and the increasing number of attacks. In this paper, we propose special purpose hardware for Wu-Manber pattern matching algorithm. FPGAs form an excellent choice because of their massively parallel structure, reprogrammable logic and memory resources. The hardware is designed in Verilog and implemented using Xilinx ISE. For evaluation, we dope network traffic traces collected using Wireshark with 2500 signatures from the ClamAV virus definitions database. Experimental results show high speed that reaches up to 216 Mbps. In addition, we evaluate time, device usage, and power consumption.

Wei Zhang,Tian Song,Dongsheng Wang

DOI: https://doi.org/10.1109/CHINACOM.2008.4685118

2008-01-01

Abstract:Regular expressions tire increasingly used in network security applications. Multiple regular expressions matching is one of the most important: performance bottlenecks in those systems. This paper proposes a new hardware-based multiple regular-expressions matching architecture, called MRM, for network intrusion detection system. It shows that traditional algorithm, such as AC, has to face the serious spatial explosion problem when simultaneously detecting a large number of regular expressions because of constrained repetitions. MRM utilizes hardware RAM modules to share matching signals and exploits hardware register counting to implement constrained repetitions. This paper also proposes a software compiler to construct the hardware architecture and generate information in MRM's RAMs for the given regular expressions. Experiments in actual snort and bro regular expression sets show that MRM can achieve the high throughput of 2.1Gbps and 2.8Gbps on Virtex2 and Virtex4 devices respectively.

Tian Song,Zhizhong Tang,Dongsheng Wang

DOI: https://doi.org/10.1007/978-3-540-72685-2_56

2007-01-01

Abstract:Pattern matching is one of the most performance critical components in network intrusion detection and prevention system, which needs to be accelerated by carefully designed architectures. In this paper, we present a highly parameterized multilevel pattern matching architecture (MPM), which is implemented on FPGA by exploiting redundant resources among patterns for less chip area. In practice, MPM can be partitioned to several pipelines for high frequency. This paper also presents a pattern set compiler that can generate RTL codes of MPM with the given pattern set and predefined parameters. One MPM architecture is generated by our compiler based on Snort rules on Xilinx FPGA. The results show that MPM can achieve 4.3Gbps throughput with only 0.22 slices per character, about one half chip area than the most area-efficient architecture in literature. MPM can be parameterized potential for more than 100 Gbps throughput.

Shi Qingsong,Chen Du,Nan Zhang,Jijun Ma,Tianzhou Chen

DOI: https://doi.org/10.1109/sec.2008.16

2008-01-01

Abstract:Security of embedded systems is becoming more and more important. IDS (instrusion detection system) has been designed to protect systems from being compromised by network attacks. A lot of researches have been done on it. However, most of them focus on complex and time-consuming detection methods to improve accuracy of the system, with assumption that IDS is running under control of general purpose operating systems (GPOS). In this way, the IDS itself will depress overall performance and cannot be guaranteed secure. In this paper, we present an embedded architecture of SPMOS-based IDS. SPMOS, located in SPM, is a little OS running under GPOS. Experiment results show that the architecture is fast. Based on this, we also design a simple IDS and conduct tests by integrating it into SPMOS and GPOS. The former consumes the latter's 8.3% time only, with less than 6.2% overhead, which verifies the architecture proposed is practical and efficient.

Wei Zhang,Yibo Xue,Dongsheng Wang,Tian Song

DOI: https://doi.org/10.1109/apcsac.2008.4625475

2008-01-01

Abstract:Pattern matching and regular expression matching are all the critical components for content inspection based applications. But current regular expression matching algorithms or architecture cannot provide a perfect solution for whole matching problem. In some real network security applications, exact strings are the biggest part of rule set, and the second part is simple regular expressions (dot-star and AND-logic), and the other complex regular expressions only occupy a very small part. So, we propose a new hardware-based multiple simple regular expression matching architecture, called MSRM, for Dot-Star and AND-logic regular expressions. Firstly, software compiler splits simple regular expressions into exact strings and relations. Multi-string-matching module judges whether strings match and outputs the matched ID. Based on these matched information and pre-generated RAM data, MSRM can judge whether dot-star and AND-logic regular expressions are satisfied easily and quickly. Experiments with random test data and ClamAV rule set show that MSRM can achieve a high throughput of 2.1 and 2.8 Gbps using Virtex2 and Virtex4 devices respectively which is much higher than software algorithms.