Byoung-Koo Kim
Electronics and Telecommunications Research Institute
Publication
Featured research published by Byoung-Koo Kim.
acm symposium on applied computing | 2007
Sungwon Yi; Byoung-Koo Kim; Jintae Oh; Jongsoo Jang; George Kesidis; Chita R. Das
Content filtering-based Intrusion Detection Systems have been widely deployed in enterprise networks, and have become a standard measure to protect networks and network users from cyber attacks. Although several solutions have been proposed recently, finding an efficient solution is considered a difficult problem due to the limitations in resources such as a small memory size, as well as the growing link speed. In this paper, we present a novel content filtering technique called Table-driven Bottom-up Tree (TBT), which was designed i) to fully exploit hardware parallelism to achieve real-time packet inspection, ii) to require a small memory for storing signatures, iii) to be flexible in modifying the signature database, and iv) to support complex signature representation such as regular expressions. We configured TBT considering the hardware specifications and limitations, and implemented it using an FPGA. Simulation-based performance evaluations showed that the proposed technique used only 350 Kilobytes of memory for storing the latest version of SNORT rule consisting of 2770 signatures. In addition, unlike many other hardware-based solutions, modification to the signature database does not require hardware re-compilation in TBT.
international conference on information networking | 2002
Byoung-Koo Kim; Jong-Su Jang; Tai-Myung Chung
As intrusions and other attacks become more widespread and more sophisticated, it becomes more difficult to detect them at a single intrusion detection system (IDS). Therefore, IDSs have become focused on various intrusions (and/or attacks) in large scale network environments. But it is not easy to detect various intrusions, since the design of early IDSs is based on analyzing the audit trails supported by just a single host. Here we have made an effort to design and implement an IDS which can detect more complex attacks as well as support security management through cooperating with each other. In this paper, we present the architecture of our system that detects various intrusions in large scale network environments as well as supports flexibility, portability, and extensibility for policy based security management.
international conference on advanced communication technology | 2014
Dong-Ho Kang; Byoung-Koo Kim; Jung-Chan Na
The use of SCADA systems has increased since the 1960s as a need arose to more efficiently monitor and control the status of remote equipment. They are becoming more and more susceptible to cyber-attacks due to the use of standard protocols and increased connectivity. The objective of this paper is to introduce our on-going work and discuss challenges and opportunities for preventing network and application protocol attacks on SCADA systems.
asia pacific network operations and management symposium | 2007
Seungyong Yoon; Byoung-Koo Kim; Jintae Oh; Jongsoo Jang
This paper relates to a method for performing Stateful Packet Inspection (SPI) in real time using a session table management scheme that allows more efficient generation of session state information. SPI is an important technique to reduce false positive alerts in network intrusion detection systems (NIDS). As the number of sessions increases, this technique requires a higher processing speed, thereby causing performance problems. However, existing software-based solutions cannot perform real-time packet inspection ensuring the wire speed. To guarantee both performance and functionality with respect to statefulness, we designed and implemented an SPI-based intrusion detection module in an FPGA to help alleviate a bottleneck in network intrusion detection systems.
computational intelligence and security | 2006
Seungyong Yoon; Byoung-Koo Kim; Jintae Oh
This paper relates to a stateful intrusion detection technology which is based on session state tracking in network intrusion detection systems (NIDSs). Today's network security systems are required to offer high performance as well as good functionality since the speed of the Internet is increasing. But most of the software-based NIDSs (e.g. Snort) show inefficiency and even fail to perform for the faster Internet. In this paper, we provide a hardware-based stateful intrusion detection module to overcome these shortcomings of software-based solutions. By implementing the stateful intrusion detection module in an FPGA, we can solve the problem of performance and gain the capability of intrusion detection in future multi-gigabit network environments. In addition, we can improve the accuracy of intrusion detection by reducing false positive alerts.
workshop on information security applications | 2012
Hyunjoo Kim; Byoung-Koo Kim; Dae Won Kim; Ikkyun Kim; Tai-Myoung Chung
Distributed Denial-of-Service (DDoS) attacks are made in such a way that a plurality of zombie computers infected with malicious code simultaneously make Denial-of-Service (DoS) attacks. These DDoS attacks still dominate the ranking of cyber threats. It is a great challenge to accurately detect and intercept DDoS attacks on high speed networks. Most of all, HTTP GET flooding attacks increase day by day. Therefore, we propose a web server protection scheme against HTTP GET flooding attacks. The proposed technique can easily detect HTTP GET flooding attacks. Most of all, it was implemented in our Gigabit Ethernet Secure Network Interface Controller (GESNIC) for high performance DDoS prevention. Our GESNIC lets IT administrators protect their Internet servers against various DDoS attacks. GESNIC provides high performance secure logic, which is a kind of security offload engine against TCP and HTTP related DDoS attacks on the network interface card. Besides, the secure offload engine itself is robust against various DDoS attacks and is independent of the server’s OS and external network configuration. Its performance is almost at a carrier-class level, with a latency time of 7×10⁻⁶ seconds. In summary, installing our GESNIC can make the more secure, highly available, and easier to manage - which is exactly the kind of innovation.
international conference on computational science and its applications | 2004
Byoung-Koo Kim; Ikkyun Kim; Ki-Young Kim; Jongsoo Jang
The fast extension of inexpensive computer networks has increased the problem of unauthorized access and tampering with data. As a response to increased threats, many Network-based Intrusion Detection Systems (NIDSs) have been developed, but current NIDSs are barely capable of real-time traffic analysis on Fast Ethernet links. As network technology presses forward, Gigabit Ethernet has become the actual standard for large network installations. Therefore, there is an emerging need for security analysis techniques that can keep up with the increased network throughput. We have made an effort to design and implement a high-speed IDS that runs as a lower branch of our system named ‘Network Security Control System (NSCS)’. Our IDS, named ‘Security Gateway System (SGS)’, uses a pattern matching approach through FPGA (Field Programmable Gate Array) logic and kernel logic as a detection mechanism that can be applied to Gigabit Ethernet links. In this paper, we briefly introduce the whole architecture of our system designed to perform intrusion detection on high-speed links. We then present the efficient detection mechanism that is run by cooperation of FPGA logic and kernel logic. In other words, we focus on the network intrusion detection mechanism applied in a lower branch of our system.
pacific rim international conference on multi-agents | 2006
Dong-Ho Kang; Byoung-Koo Kim; Jintae Oh; Taek Yong Nam; Jongsoo Jang
Network intrusion detection systems often rely on matching patterns that are gleaned from known attacks. While this method is reliable and rarely produces false alarms, it has the obvious disadvantage that it cannot detect novel attacks. Accordingly, an alternative approach which can be combined with the pattern matching approach is needed. We have made an effort to design and implement a high speed protocol anomaly and signature based intrusion detection approach to detect known and unknown attacks. This approach extracts a set of service fields from the application payload where many attacks occur and analyzes the values of the fields to verify an attack. This approach is implemented on an FPGA (Xilinx Virtex II pro) device to process packets at gigabit-per-second data rates.
international conference on advanced communication technology | 2016
Young-Jun Heo; Byoung-Koo Kim; Dong-Ho Kang; Jung-Chan Na
Recently, targeted attacks against industrial control system facilities have increased. In order to protect these facilities from attacks, a defence-in-depth strategy can be applied to industrial control systems. It separates the control network and the business network, and uses a one-way data transmission technology for data transfer between the higher security area and the lower security area. But most current unidirectional security gateway systems only transmit data without considering reliability and security. In this paper, to guarantee the reliability and security of transmitted data, we design a unidirectional security gateway system, UNIWAY, which provides forward error correction, session management, packet sequence number, IP/Port filter, content filter, and protocol break.
asia pacific network operations and management symposium | 2007
Byoung-Koo Kim; Seungyong Yoon; Jintae Oh
The fast extension of inexpensive computer networks has increased the problem of unauthorized access and tampering with data. Many NIDSs have been developed to date to respond to these network attacks. As network technology presses forward, Gigabit Ethernet has become the actual standard for large network installations. Therefore, software solutions in developing high-speed NIDSs are increasingly impractical. It thus appears well motivated to investigate hardware-based solutions. Although several solutions have been proposed recently, finding an efficient solution is considered a difficult problem due to the limitations in resources such as a small memory size, as well as the growing link speed. In this paper, we propose an FPGA-based intrusion detection technique to detect and respond to variant attacks on high-speed links. It is made possible through a novel pattern matching mechanism and a heuristic analysis mechanism that are processed on FPGA-based reconfigurable hardware. Most of all, it was designed to fully exploit hardware parallelism to achieve real-time packet inspection and to require a small memory for storing signatures. The technique is a part of our proposed system, called ATPS (Adaptive Threat Prevention System), recently developed. That is, the proposed system has a hardware architecture that is capable of providing the high-performance detection mechanism.