Martin Zadnik

Experience with high-speed automated application-identification for network-management

AtoZ, an automatic traffic organizer, provides control of how network-resources are used by applications. It does this by combining the high-speed packet processing of the NetFPGA with an efficient method for application-behavior labeling. AtoZ can control network resources by prohibiting certain applications and controlling the resources available to others. We discuss deployment experience and use real traffic to illustrate how such an architecture enables several distinct features: high accuracy, high throughput, minimal delay, and efficient packet labeling --- all in a low-cost, robust configuration that works alongside the enterprise access-router.

Evolution of cache replacement policies to track heavy-hitter flows

Flow-based network traffic processing, that is, processing packets based on some state information associated to the flows to which the packets belong, is a key enabler for a variety of network services and applications. This form of stateful traffic processing is used in modern switches [1] and routers that contain flow tables to implement forwarding, firewalls, NAT, QoS, and collect measurements.

Tracking elephant flows in internet backbone traffic with an FPGA-based cache

This paper presents an FPGA-friendly approach to tracking elephant flows in network traffic. Our approach, Single Step Segmented Least Recently Used (S3-LRU) policy, is a network traffic-friendly replacement policy for maintaining flow states in a Naïive Hash Table (NHT). We demonstrate that our S3-LRU approach preserves elephant flows: conservatively promoting potential elephants and evicting lowrate flows in LRU manner. Our approach keeps flow-state of any elephant since start-of-day and provides a significant improvement over filtering approaches proposed in previous work. Our FPGA-based implementation of the S3-LRU in combination with an NHT suites well the parallel access to block memories while capitalising on the retuning of parameters through dynamic-reprogramming.

Netflow probe intended for high-speed networks

With growing speed of communication over the Internet there is a need for a reliable monitoring devices which are able to provide information about spectrum of traffic mix, attacks, applications, etc. This paper proposes architecture of network flow monitoring adapter based on hardware platform COMBO6. With use of field programmable gate arrays (FPGA) placed on these cards it is possible to monitor flows in high-speed environment. Component parts of the architecture and implementation platform are described. Several different models have been created to analyze and prove important characteristics of the architecture and results are derived. The probe is able to monitor 1 million simultaneous flows on an 2Gbps network link.

NFA reduction for regular expressions matching using FPGA

Many algorithms have been proposed to accelerate regular expression matching via mapping of a nondeterministic finite automaton into a circuit implemented in an FPGA. These algorithms exploit unique features of the FPGA to achieve high throughput. On the other hand the FPGA poses a limit on the number of regular expressions by its limited resources. In this paper, we investigate applicability of NFA reduction techniques - a formal aparatus to reduce the number of states and transitions in NFA prior to its mapping into FPGA. The paper presents several NFA reduction techniques, each with a different reduction power and time complexity. The evaluation utilizes regular expressions from Snort and L7 decoder. The best NFA reduction algorithms achieve more than 66% reduction in the number of states for a Snort ftp module. Such a reduction translates directly into 66% LUT-FF pairs saving in the FPGA.

Fast lookup for dynamic packet filtering in FPGA

Rapidly growing speed and complexity of computer networks impose new requirements on fast lookup structures which are utilized in many networking applications (SDN, firewalls, NATs, etc.). We propose a novel lookup concept based on the well-known cuckoo hashing, which can achieve good memory utilization, supplemented by a binary search tree for offloading the colliding keys and supporting LPM lookup. We also propose a hardware architecture implementing this lookup concept in the FPGA. Our solution is suitable for lookup of the variable-length keys in 100+ Gbps networks. Memory utilization of the proposed concept is thoroughly evaluated and it is shown that the concept is scalable to external memory components.

An analysis of correlations of intrusion alerts in an NREN

An ever increasing impact and amount of network attacks have driven many organizations to deploy various network monitoring and analysis systems such as honeypots, intrusion detection systems, log analyzers and flow monitors. Besides improving these systems a logical next step is to collect and correlate alerts from multiple systems distributed across organizations. The idea is to leverage a joint effect of multiple monitoring systems to build a more robust and efficient system, ideally, lacking the shortcomings of the individual contributing systems. This paper presents an analysis of alert reports gathered from several such detectors deployed in national research and education network (NREN). The analysis focuses on the correlations of reported events in temporal domain as well as on the correlations of different event types.

A new embedded platform for rapid development of network applications

This paper proposed a platform for rapid prototyping of high-speed and low-power embedded applications in networking. The concept utilizes the FPGA with the embedded processor to benefit from software flexibility and high performance of hardware processing. In comparison with the NetFPGA-cube, the proposed uG4-150 platform has significantly lower power consumption, cost and size.

Evaluation and design of cache replacement policies under flooding attacks

A flow cache is a fundamental building block for flow-based traffic processing. Its efficiency is critical for the overall performance of a number of networked devices and systems. However, if not properly managed, the flow cache can be easily filled up and rendered ineffective by traffic patterns such as flooding attacks and scanning activities which, unfortunately, commonly occur in the Internet. In this paper, we show that popular cache replacement policies such as LRU cause the flow caches to evict the so called heavy-hitter flows during flooding attacks. To address this shortcoming, we build upon our recent work [1] and construct a replacement policy that is more resilient to floods and yet performs similarly to other policies under common network traffic conditions.

Hacking NetCOPE to Run on NetFPGA-10G

This paper describes the Net COPE platform porting issues to the new generation of the Net FPGA(-10G) cards. Achieved throughput and CPU utilization for various length of packets was measured. It was shown that we are able to reach maximum throughput of 12Gbps without any significant processor load. Xilinx ISE reports approximately 30% of the Net FPGA chip utilization for design running on 200MHz.