David E. Schimmel
Georgia Institute of Technology
Publication
Featured research published by David E. Schimmel.
field-programmable custom computing machines | 2004
Christopher R. Clark; David E. Schimmel
In this paper, we present a scalable FPGA design methodology for searching network packet payloads for a large number of patterns, including complex regular expressions. The efficiency of the technique enables a current-generation FPGA device to support pattern-matching at network rates from 1 Gbps to 100 Gbps and beyond. It offers flexible trade-offs between character capacity, throughput, and data bus width and rate. This allows the approach to be used in a wide range of devices from low-end home network appliances to high-end backbone routers. Suitable network applications for the FPGA pattern-matcher include firewalls, network intrusion detection, email virus scanning, and junk-email identification. In this work, we use a standard set of patterns from an intrusion detection system to demonstrate the performance and scalability of our design with a real-world application.
field-programmable logic and applications | 2003
Christopher R. Clark; David E. Schimmel
This paper presents techniques for designing pattern matching circuits for complex regular expressions, such as those found in network intrusion detection patterns. We have developed a pattern-matching co-processor that supports all the pattern matching functions of the Snort rule language (3). In order to achieve maximum pattern capacity and throughput, the design focuses on minimizing circuit area while maintaining high clock speed. Using our approach, we are able to store the entire current Snort rule database consisting of over 1,500 rules and 17,000 characters into a single one-million-gate FPGA while comparing all patterns against traffic at gigabit rates.
international conference on computer design | 1997
Chirag S. Patel; Sek M. Chai; Sudhakar Yalamanchili; David E. Schimmel
The paper considers the power constrained design of orthogonal multiprocessor interconnection networks. The authors present a detailed model of message latency as a function of topology, technology architecture, and power. This model is then used to analyze a number of interesting scenarios, providing a sound engineering basis for interconnection network design in these cases. For example, they have observed that under a fixed power constraint, the network dimension which achieves minimal latency is a slowly growing function of system size. In addition, as they increase the available power per node for a fixed system size, the dimension at which message latency is minimized shifts towards higher dimensional networks.
field-programmable custom computing machines | 2002
Marc C. Necker; Didier Contis; David E. Schimmel
In this paper we consider a new approach to network intrusion detection. Conventional network intrusion detection systems (NIDS) are software based. We propose to selectively implement portions of the functionality of a state-of-the-art software NIDS in reconfigurable hardware. This increases performance even under hostile loads and will enable efficient intrusion detection in future multi-gigabit networks. Specifically, we consider the problem of TCP-stream reassembly. We present a high-performance TCP stream reassembly and state tracking module targeted for incorporation into an agile reconfigurable network interface based on Xilinx Virtex technology.
Network Processor Design: Issues and Practices, Volume 3 | 2005
Christopher R. Clark; Wenke Lee; David E. Schimmel; Didier Contis; Mohamed Koné; Ashley Thomas
The need for building high-speed NIDS that can reliably generate alerts as intrusions occur and have the intrinsic ability to scale as network infrastructure and attack sophistication evolve has been discussed in this chapter. The key design principles are analyzed and it has been argued that network intrusion-detection functions should be carried out by distributed and collaborative NNIDS at the end hosts. It is shown that an NNIDS running on the network interface instead of the host operating system can provide increased protection, reduced vulnerability to circumvention, and much lower overhead. The chapter also describes the experience in implementing a prototype NNIDS, based on Snort, an Intel IXP 1200, and a Xilinx Virtex-1000 FPGA. These experiments help to identify the performance bottlenecks and give insights on how to improve the design. System stress tests show that the embedded NNIDS can handle high-speed traffic without packet drops and achieve the same performance as the Snort software running on a dedicated high-end computer system. Ongoing work includes optimizing the performance of NNIDS, developing strategies for sustainable operation of the NNIDS under attacks through adaptation and active countermeasures, studying algorithms for distributed and collaborative intrusion detection, and further developing the analytical models for buffer and processor allocation. Also tested were FPGA pattern-matching designs that approach 10 Gbps throughput with the entire Snort ruleset using a Xilinx Virtex2 device. A better understanding of the design principles and implementation techniques for building high-speed, reliable, and scalable network intrusion detection systems has been provided.
IEEE Transactions on Computers | 1996
Patrick T. Gaughan; Binh Vien Dao; Sudhakar Yalamanchili; David E. Schimmel
This paper focuses on designing high performance pipelined networks that can operate in the presence of dynamic component failures. A general, rigorous framework for deadlock-free communication in faulty, pipelined networks is developed. A mechanism is also proposed for recovering from dynamic link and node failures. The recovery mechanism (1) is fully distributed, (2) does not require timeouts, (3) prevents fault-induced deadlock, and (4) is integrated into the virtual channel flow control mechanisms. This recovery mechanism is used to develop a new pipelined communication mechanism: acknowledged pipelined circuit-switching (APCS). This mechanism supports existing routing protocols that can tolerate a maximal number of static link failures, i.e., one less than the number of ports on a node. An implementation of a novel router architecture is described and the results of detailed flit level simulations are presented. Finally, the proposed recovery mechanism is shown to be applicable to existing adaptive wormhole routing protocols which are prone to deadlock in the presence of dynamic faults.
international symposium on computer architecture | 1994
James D. Allen; Patrick T. Gaughan; David E. Schimmel; Sudhakar Yalamanchili
Adaptive routing has been proposed as a means of improving performance and fault-tolerance in multicomputer networks. While a number of algorithms have been proposed, few adaptive routers have been implemented in hardware. This paper presents the design and implementation of Ariadne, a prototype single chip, hardware router. The primary motivation is tolerance to link and router failures, while reconciling conflicting demands on performance. This is achieved by implementing the m-misroute backtracking protocol (MB-m) using the pipelined circuit-switching (PCS) communication mechanism [17]. Ariadne implements two virtual data channels and one virtual control channel per physical link. The router is self-timed with single flit buffering at the input and output ports, and is fully adaptive.
IEEE Transactions on Parallel and Distributed Systems | 1996
James D. Allen; David E. Schimmel
In this paper, we consider the design of high performance SIMD architectures. We examine three mechanisms by which the performance of this class of machines may be improved, and which have been largely unexplored by the SIMD community. The mechanisms are pipelined instruction broadcast, pipelining of the PE architecture, and the introduction of a novel memory hierarchy in the PE address space which we denote the direct only data cache (dod-cache). For each of the performance improvements, we develop analytical models of the potential speedup, and apply those models to real program traces obtained on a MasPar MP-2 system. In addition, we consider the impact of all improvements taken together.
international test conference | 1995
Bruce C. Kim; Abhijit Chatterjee; Madhavan Swaminathan; David E. Schimmel
This paper describes a novel and low-cost technique for detecting process-related interconnect faults in MCMs. This method is an alternative to existing test methods such as TDR, TDT electron beam, and capacitance techniques which are either expensive in terms of test equipment, are cumbersome due to the requirement of multiple probes, or provide poor fault coverage. The proposed technique applies a stimulus through a tuned load and a single probe at one end of the interconnect. By measuring the attenuation of the test stimulus due to pole movement relative to known attenuation measurements, interconnect faults such as near-opens, near-shorts, opens, and shorts can be detected. The total test time is small and the hardware cost of test equipment is low. Extensive simulations have been performed to show the validity of the method.
IEEE Micro | 2003
Joshua Bruce Fryman; Chad Marcus Huneycutt; Hsien-Hsin Sean Lee; Kenneth M. Mackenzie; David E. Schimmel
Energy and delay tradeoffs occur when a design moves some or all local storage out of the embedded device and into a remote server. Using the network to access remote storage in lieu of local memory can result in significant power savings.