Publication


Featured research published by Douglas H. Summerville.


IEEE Communications Surveys and Tutorials | 2011

A Survey on the Application of FPGAs for Network Infrastructure Security

Hao Chen; Yu Chen; Douglas H. Summerville

Given the rapid evolution of attack methods and toolkits, software-based solutions to secure the network infrastructure have become overburdened. The performance gap between the execution speed of security software and the amount of data to be processed is ever widening. A common solution to close this performance gap is through hardware implementation of security functions. Possessing the flexibility of software and high parallelism of hardware, reconfigurable hardware devices, such as Field Programmable Gate Arrays (FPGAs), have become increasingly popular for this purpose. FPGAs support the performance demands of security operations as well as enable architectural and algorithm innovations in the future. This paper presents a survey of the state of the art in FPGA-based implementations that have been used in the network infrastructure security area, categorizing currently existing diverse implementations. Combining brief descriptions with intensive case-studies, we hope this survey will inspire more active research in this area.


Consumer Communications and Networking Conference | 2011

Enhancing cloud storage security against roll-back attacks with a new fair multi-party non-repudiation protocol

Jun Feng; Yu Chen; Douglas H. Summerville; Wei-Shinn Ku; Zhou Su

Along with variant advantages, cloud storage also poses new security challenges. Potential users are reluctant to move important and sensitive data to cloud unless security challenges have been well addressed. This paper reports our on-going efforts to address three data security issues in cloud storage: repudiation, fairness, and roll-back attacks. We proposed a novel fair multi-party non-repudiation (MPNR) protocol, which provides a fair non-repudiation storage cloud and is capable of preventing roll-back attacks.


IEEE Transactions on Parallel and Distributed Systems | 1996

A flexible bit-pattern associative router for interconnection networks

Douglas H. Summerville; José G. Delgado-Frias; Stamatis Vassiliadis

A programmable associative approach to execute implicit routing algorithms is presented. Algorithms are mapped onto a set of bit-patterns that are matched in parallel. We have studied and mapped a large number of routing algorithms for a wide range of interconnection network topologies. Here we report three cases that illustrate the capabilities of the router scheme. For the studied topologies, the number of required bit-patterns is of the same order as the topology degree. The proposed approach is one of the fastest routers and requires a very small amount of hardware.


Collaboration Technologies and Systems | 2011

A fair multi-party non-repudiation scheme for storage clouds

Jun Feng; Yu Chen; Douglas H. Summerville

Data storage is one of the most profitable applications in Clouds. Although a transparent service model is convenient, it may be subject to the loss of data integrity. Our study revealed vulnerabilities in some commercial Cloud storage services. We analyzed the repudiation problem in a Cloud environment. In this paper, we propose a new multi-party non-repudiation (MPNR) scheme to fix the issue. Rationale behind the new scheme and a description of its operation are provided. We also discussed its robustness against typical network attacks.


Mathematical Methods, Models and Architectures for Network Security Systems | 2003

Detecting Malicious Codes by the Presence of Their “Gene of Self-replication”

Victor A. Skormin; Douglas H. Summerville; James Moronski

A high percentage of information attacks are perpetrated by deploying computer viruses and worms, which result in very costly and destructive “epidemics”. Spread of malicious codes is achieved by the built-in ability to self-replicate through the Internet and computer media. Since most legitimate codes do not self-replicate, and the number of ways to achieve self-replication is limited to the order of fifty, the detection of malicious codes could be reduced to the detection of the “gene of self-replication” in the code in question. This paper presents the analysis of the self-replication mechanism of one of the recent computer viruses and discusses the ways to detect the ability of a computer code to self-replicate before the execution.


Local Computer Networks | 2008

Detection of anomalous network packets using lightweight stateless payload inspection

Nnamdi Nwanze; Douglas H. Summerville

A real-time packet-level anomaly detection approach for high-speed network intrusion prevention is described. The approach is suitable for small and fast hardware implementation and was designed to be embedded in network appliances. Each network packet is characterized using a novel technique that efficiently maps the payload histogram onto a simple pair of features using hypercube hash functions, which were chosen for their implementation efficiency in both hardware and software. This two-dimensional feature space is quantized into a binary bitmap representing the normal and anomalous feature regions. The potential loss of accuracy due to the reduction in feature space is countered by the ability of the bitmaps to capture nearly arbitrary shaped regions in the feature space. These bitmaps are used as the classifiers for real-time detection. The proposed method is extremely efficient in both the offline machine learning and real-time detection components. Results using the 1999 DARPA Intrusion Detection Evaluation Data Set yield a 100% detection of all applicable attacks, with extremely low false positive rate. The approach is also evaluated on real traffic captures.


Design of Reliable Communication Networks | 2009

Two-stage decomposition of SNORT rules towards efficient hardware implementation

Hao Chen; Douglas H. Summerville; Yu Chen

The performance gap between the execution speed of security software and the amount of data to be processed is ever widening. A common solution is to close the performance gap through hardware implementation of security functions. However, continuously expanding signature databases have become a major impediment to achieving scalable hardware based pattern matching. Additionally, evolutionary rule databases have necessitated real time online updating for reconfigurable hardware implementations. Based on the observation that signature patterns are constructed from combinations of a limited number of primary patterns, we propose to decompose the Snort signature patterns. These smaller primary pattern sets can be stored along with their associations to allow dynamic signature pattern reconstruction. Not only does the matching operation potentially become more scalable, but the real time online updating task is simplified. The approach is verified with patterns from the latest version of the Snort rule database. The experimental results show that after decomposition, a reduction in size of over 77% can be achieved on Snort signature patterns.


Great Lakes Symposium on VLSI | 1996

A VLSI interconnection network router using a D-CAM with hidden refresh

José G. Delgado-Frias; Jabulani Nyathi; Chester L. Miller; Douglas H. Summerville

A VLSI implementation of a programmable router scheme for parallel interconnection network architectures is presented in this paper. The router executes routing algorithms in 1.5 clock cycles, this being the fastest approach for flexible routers. To further increase throughput, the router operation has been made pipelined, achieving 1 routing decision per cycle. The implementation is based on a content addressable memory (CAM) that supports per entry unique bit masking. This programmable CAM requires few entries; this in turn makes it possible to implement a dynamic approach in order to reduce the transistor count. We have provided circuitry and arranged timing to achieve refreshing of the stored data in a hidden fashion. In addition to the CAM, we have incorporated a fast priority scheme that allows only one entry to be selected and a memory that stores the port assignment. The number of required CAM entries is extremely small; it is of the same order as the output ports.


Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004. | 2004

Anomalous packet identification for network intrusion detection

Douglas H. Summerville; Nnamdi Nwanze; Victor A. Skormin

A packet-level anomaly detection system for network intrusion detection in high-bandwidth network environments is described. The approach is intended for hardware implementation and could be included in the network interface, switch or firewall. Efficient implementation in software on a network host is also possible. Network traffic is characterized using a novel technique that maps packet-level payloads onto a set of counters using bit-pattern hash functions, which were chosen for their implementation efficiency in both hardware and software. Machine learning is accomplished by mapping unlabelled training data onto a set of two-dimensional grids and forming a set of bitmaps that identify anomalous and normal regions. These bitmaps are used as the classifiers for real-time detection. The proposed method is extremely efficient in both the offline machine learning and real-time detection components and has the potential to provide accurate detection performance due to the ability of the bitmaps to capture nearly arbitrary shaped regions in the feature space. Results of a preliminary study are presented that demonstrate the effectiveness of the technique.


Mathematical Methods, Models and Architectures for Network Security Systems | 2005

Prevention of information attacks by run-time detection of self-replication in computer codes

Douglas H. Summerville; Victor A. Skormin; Alexander Volynkin; James Moronski

This paper describes a novel approach for preventative protection from both known and previously unknown malicious executable codes. It does not rely on screening the code for signatures of known viruses, but instead it detects attempts of the executable code in question to self-replicate during run time. Self-replication is the common feature of most malicious codes, allowing them to maximize their impact. This approach is an extension of the earlier developed method for detecting previously unknown viruses in script based computer codes. The paper presents a software tool implementing this technique for behavior-based run-time detection and suspension of self-replicating functionality in executable codes for Microsoft Windows operating systems.

Collaboration


Dive into Douglas H. Summerville's collaboration.

Top Co-Authors

Yu Chen

Binghamton University

Jun Feng

Binghamton University

Hao Chen

Binghamton University

Stamatis Vassiliadis

Delft University of Technology

Jabulani Nyathi

Washington State University
