Hardware Architecture of a Behavior Modeling Coprocessor for Network Intrusion Detection System

dc.contributor.advisor Paul D. Franzon, Committee Chair en_US
dc.contributor.advisor Michael A Rappa, Committee Member en_US
dc.contributor.advisor Yannis Viniotis, Committee Member en_US
dc.contributor.advisor Gregory T. Byrd, Committee Member en_US
dc.contributor.author Yadav, Meeta en_US
dc.date.accessioned 2010-04-02T19:16:26Z
dc.date.available 2010-04-02T19:16:26Z
dc.date.issued 2009-03-26 en_US
dc.identifier.other etd-03142007-232554 en_US
dc.identifier.uri http://www.lib.ncsu.edu/resolver/1840.16/5601
dc.description.abstract YADAV, MEETA. Hardware Architecture of a Behavior Modeling Coprocessor for Network Intrusion Detection. (Under the direction of Professor Paul D. Franzon). Intrusion detection systems protect a network against exploitation and manipulation by monitoring incoming and outgoing traffic and classifying it as normal or malicious. The task of classifying network traffic is difficult and is made more complex by the growing performance pressures of increasing traffic rates, the need to detect stealthy attacks by performing sophisticated analysis, the requirement of in-line processing, and the inability of software-based systems to keep up with line speeds. Most current intrusion detection systems trade off one or more performance requirements. For instance, software-based systems are scalable and can perform more complex algorithmic analysis on the network traffic, but they cannot keep up with line speeds. Hardware-based systems can process packets in real time, but they are not scalable or configurable and are limited to rule-based packet filtering. These growing performance pressures on network security devices have redefined the issues to be addressed in the design of a security system, underlining the need for a scalable and configurable hardware system that can effectively detect intrusions by performing sophisticated analysis at line speed while keeping up with the increasing traffic rate and attack sophistication. The focus of this dissertation is to design a hardware-based intrusion detection system that is scalable, configurable, and capable of analyzing traffic to detect various categories of attacks at line speeds. Specifically, we address four important issues with the design of hardware-based systems:

- A behavior-based technique was implemented in hardware to detect attacks embedded in the different protocol layers, across layers, and in the payload of the packet. The technique monitors the traffic deeply, recovers higher-layer semantics, understands the flow of commands, requests and responses, and detects attacks embedded across packets and across connections. The technique checks the network traffic for behavioral compliance using configurable, parametric data structures called theories that can model simple as well as complex behavior. Theories translate themselves into hardware using configurable functional units called assertion blocks.
- Theories and assertion blocks are parametric and configurable in nature and can be configured to translate any behavior description to hardware. The ability of individual theories and assertion blocks to be configured lends the configurability aspect to the entire system. To enable the system to scale with an increase in behavior modules, a configurable fabric of assertion blocks has been developed. The configurable assertion block fabric contains pre-synthesized assertion modules that are triggered by theories to perform the operation specified by the theories.
- A Multi-Level Fractional Hash Algorithm was developed to effectively manage the gathered traffic information, inserting and querying a connection record in O(1) average time. The technique uses associative memory arranged in different levels, an on-chip bit vector array to insert records, and the tag-based technique of caches to query a record.
- To block pre-defined and user-defined malicious content, a high-speed, trie-based pattern matching algorithm was designed. The algorithm splits the pattern set into tries that are stored in on-chip memory and pruned patterns that are stored in off-chip SRAM. The streaming data is split into sub-streams that can lead to a possible match. The sub-streams are searched in parallel for malicious content by traversing the on-chip tries and comparing the pruned patterns stored off-chip using dedicated comparators. The throughput of the pattern matching algorithm is 14 Gbps and is independent of the length of the patterns, the location of the malicious content in the streaming data, and the number of patterns in the pattern set.

The architectural and algorithmic enhancements that addressed the performance issues with security systems were integrated into the Hardware Architecture of a Behavior Modeling Coprocessor for Network Intrusion Detection, called the Behavioral Intrusion Prevention and Detection System (BIPDS). BIPDS is designed to carry out threat detection with dedicated hardware accelerators by monitoring all communication layers, extracting relevant data, and enabling highly efficient operation. The designed system supports a large number of protocols and applications, and allows for extensibility to new applications and services. Different aspects of security have been handled with behavioral modeling, which enables the system to detect attack and pre-attack behavior. A key accomplishment of BIPDS is its scalable architecture and its flexibility to be updated, which enables the system to adapt to various network configurations and to scale with an increase in network traffic and behavior models. The main contribution of this dissertation is the identification of an efficient hardware architecture that can process one million simultaneous data connections in parallel at 11 Gbps, has a die area of 17.3 sq mm (TSMC 0.25 μ library), and has a morphable data path to accommodate changes in network sizes and configurations. en_US
dc.rights I hereby certify that, if appropriate, I have obtained and attached hereto a written permission statement from the owner(s) of each third party copyrighted matter to be included in my thesis, dissertation, or project report, allowing distribution as specified below. I certify that the version I submitted is the same as that approved by my advisory committee. I hereby grant to NC State University or its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report. en_US
dc.subject Network Intrusion Prevention en_US
dc.subject Hardware Architecture en_US
dc.subject Security en_US
dc.subject Network Intrusion Detection en_US
dc.title Hardware Architecture of a Behavior Modeling Coprocessor for Network Intrusion Detection System en_US
dc.degree.name PhD en_US
dc.degree.level dissertation en_US
dc.degree.discipline Computer Engineering en_US

Files in this item

etd.pdf (5.994Mb, PDF)
