Publications

Featured research published by Simone Teofili.


IEEE Transactions on Computers | 2013

Traffic-Aware Design of a High-Speed FPGA Network Intrusion Detection System

Salvatore Pontarelli; Giuseppe Bianchi; Simone Teofili

The security of today's networks relies heavily on network intrusion detection systems (NIDSs). The ability to promptly update the supported rule sets and detect new emerging attacks makes field-programmable gate arrays (FPGAs) a very appealing technology. An important issue is how to scale FPGA-based NIDS implementations to ever faster network links. Whereas a trivial approach is to balance traffic over multiple, but functionally equivalent, hardware blocks, each implementing the whole rule set (several thousand rules), the obvious drawback is the linear increase in resource occupation. In this work, we promote a different, traffic-aware, modular approach to the design of FPGA-based NIDSs. Instead of purely splitting traffic across equivalent modules, we classify and group homogeneous traffic, and dispatch it to differently capable hardware blocks, each supporting a (smaller) rule set tailored to the specific traffic category. We implement and validate our approach using the rule set of the well-known Snort NIDS, and we experimentally investigate the emerging trade-offs and advantages, showing resource savings of up to 80 percent based on real-world traffic statistics gathered from an operator's backbone.


Science of Computer Programming | 2008

The SPARTA pseudonym and authorization system

Giuseppe Bianchi; Marco Bonola; Vincenzo Falletta; Francesco Saverio Proto; Simone Teofili

This paper deals with privacy-preserving (pseudonymized) access to a service resource. In such a scenario, two opposite needs seem to emerge. On one side, the service provider may want to control, in the first place, the user accessing its resources, i.e., without being forced to delegate the issuing of access permissions to third parties in order to meet privacy requirements. On the other side, it should be technically possible to trace back the real identity of a user upon dishonest behavior, and of course this must necessarily be accomplished by an external authority distinct from the provider itself. The framework described in this paper aims at coping with these two opposite needs. This is accomplished through (i) a distributed third-party-based infrastructure devised to assign and manage pseudonym certificates, decoupled from (ii) a two-party procedure devised to bind an authorization permission to a pseudonym certificate with no third-party involvement. The latter procedure is based on a novel blind signature approach which allows the provider to blindly verify, at service subscription time, that the user possesses the private key of the still undisclosed pseudonym certificate, thus avoiding transferability of the authorization permission.


IFIP International Summer School on the Future of Identity in the Information Society | 2008

Traffic Flow Confidentiality in IPsec: Protocol and Implementation

Csaba Kiraly; Simone Teofili; Giuseppe Bianchi; Renato Lo Cigno; Matteo Nardelli; Emanuele Delzeri

Traffic Flow Confidentiality (TFC) mechanisms are techniques devised to hide or masquerade the traffic pattern in order to prevent statistical traffic analysis attacks. Their inclusion in widespread security protocols, in conjunction with the ability for deployers to flexibly control their operation, might boost their adoption and improve the privacy of future networks. This paper describes a TFC protocol integrated, as a security protocol, into the IPsec security architecture. A Linux-based implementation has been developed, supporting a variety of per-packet treatments (padding, fragmentation, dummy packet generation, and artificial alteration of the packet forwarding delay) in an easily combinable manner. Experimental results are reported to demonstrate the flexibility and the effectiveness of the TFC implementation.


international conference on computer communications | 2010

Measurement Data Reduction through Variation Rate Metering

Giuseppe Bianchi; Elisa Boschi; Simone Teofili; Brian Trammell

We present an efficient network measurement primitive that measures the rate of variations, i.e., unique values, for a given characteristic of a traffic flow. The primitive is widely applicable to a variety of data reduction and pre-analysis tasks at the measurement interface, and we show it to be particularly useful for building data-reducing pre-analysis stages for scan detection within a multistage network analysis architecture. The presented approach is based upon data structures derived from Bloom filters, and as such yields high performance with probabilistic accuracy and controllable worst-case time and memory complexity. This predictability makes it suitable for hardware implementation in dedicated network measurement devices. One key innovation of the present work is that it is self-tuning, adapting to the characteristics of the measured traffic.


field-programmable logic and applications | 2010

Exploiting Dynamic Reconfiguration for FPGA Based Network Intrusion Detection Systems

Salvatore Pontarelli; Claudio Greco; Enrico Nobile; Simone Teofili; Giuseppe Bianchi

A Network Intrusion Detection System (NIDS) inspects the traffic flowing in a network to detect malicious content such as spam, viruses, and so on. Hardware-based solutions appear necessary to meet the performance requirements that emerge when the goal is to deploy such systems in high-speed network scenarios. However, the appropriate choice of the hardware platform is believed to be subject to at least two requirements, usually considered independent of each other: i) it needs to be reprogrammable, in order to update the intrusion detection rules each time a new threat arises, and ii) it must be capable of containing the typically very large rule set of existing NIDSs. The goal of this paper is to show that reprogrammability can be further exploited to reduce the resource requirements of the chosen platform. Specifically, we propose an FPGA-based solution that classifies and dispatches traffic to elastic buffers, connecting one buffer at a time to a dynamically reconfigurable rule matching core. This core supports only the appropriate subset of detection rules. A worst-case analysis shows that the saving in hardware resources is achieved with a relatively small buffer space, currently available in cheap, low-end FPGA boards, with no impairment of the resulting throughput.


2010 VI Southern Programmable Logic Conference (SPL) | 2010

An FPGA based architecture for complex rule matching with stateful inspection of multiple TCP connections

Claudio Greco; Enrico Nobile; Salvatore Pontarelli; Simone Teofili

In this paper a novel architecture for string matching is presented. It is oriented to an FPGA implementation and, differently from other similar works, it is particularly suitable for rule matching over multiple streams. The paper presents the developed architecture, which is able to efficiently manage different streams, discusses how to optimize the design to limit the number of FPGA logic resources, and shows the obtained results.


Security and Communication Networks | 2008

User plane security alternatives in the 3G evolved Multimedia Broadcast Multicast Service (e-MBMS)

Simone Teofili; Michele Di Mascolo; Cristina Basile; Giuseppe Bianchi; Stefano Salsano; Alf Zugenmaier

The multimedia broadcast multicast service (MBMS) has been included in the 3GPP architecture to provide broadcast/multicast services. In 3GPP Long Term Evolution, the evolved MBMS (e-MBMS) architecture is currently being standardized. This position paper discusses the security issues currently being considered for the e-MBMS IP multicast user plane. Currently proposed security architectures “limit” themselves to including group security associations (GSA). In this paper we take the position that GSA might not be a sufficiently secure solution in the long run. In light of this, we propose to adopt a secure multicast overlay approach as a possible short-term solution, thanks to its straightforward deployment. To prove this latter point, we overview how to set up a proof-of-concept implementation over public-domain Linux routers. We functionally compare GSA with the proposed secure multicast overlay approach, showing that the overlay approach provides not only the same level of security but also a reduced risk of denial-of-service attacks. We preliminarily (qualitatively) discuss the pros and cons of the two solutions in terms of performance. Ongoing work is targeted at complementing these preliminary considerations with a quantitative investigation.


Electronic Notes in Theoretical Computer Science | 2008

The SPARTA Pseudonym and Authorization System

Giuseppe Bianchi; Marco Bonola; Vincenzo Falletta; Francesco Saverio Proto; Simone Teofili

This paper deals with privacy-preserving (pseudonymized) access to a service resource. In such a scenario, two opposite needs seem to emerge. On one side, the service provider may want to control, in the first place, the user accessing its resources, i.e., without being forced to delegate the management of access permissions to third parties in order to meet privacy requirements. On the other side, it should be technically possible to trace back the real identity of a user upon dishonest behavior, and of course this must necessarily be accomplished by an external authority distinct from the provider itself. The framework described in this paper aims at coping with these two opposite needs. This is accomplished through i) a distributed third-party-based infrastructure devised to assign and manage pseudonym certificates, decoupled from ii) a two-party procedure devised to bind an authorization permission to a pseudonym certificate with no third-party involvement. The latter procedure is based on a novel blind signature approach which allows the provider to blindly verify, at registration time, that the user possesses the private key of the still undisclosed pseudonym certificate, thus avoiding transferability of the authorization permission.


traffic monitoring and analysis | 2011

Hardware-based on-the-fly per-flow scan detector pre-filter

Salvatore Pontarelli; Simone Teofili; Giuseppe Bianchi

Pre-filtering monitoring tasks, running directly on traffic probes, may accomplish a significant degree of data reduction by isolating a relatively small number of flows (likely to be of interest to the monitoring application) from the rest of the traffic. As these filtering mechanisms are conveniently run as close as possible to the data gathering devices (traffic probes), and must scale to multi-gigabit speed, the feasibility of their implementation in hardware is a key requirement. In this paper, we document a hardware FPGA implementation of a recently proposed network scan pre-filter. It leverages processing stages based on Bloom filters and Counting Bloom Filters, and it is devised to detect, through on-the-fly per-packet analysis, the flows which potentially exhibit a network/port scanning behaviour. The framework has been implemented in a modular manner. It suitably combines two different general-purpose modules (a rate meter and a variation detector) likely to be reused as building blocks for other monitoring tasks. In the following presentation, we further discuss some lessons learned and general implementation guidelines which emerge when the goal is to efficiently implement run-time updated (i.e., dynamic) Bloom-filter-based data structures in hardware.


Archive | 2011

IDS Rules Adaptation for Packets Pre-filtering in Gbps Line Rates

Simone Teofili; Enrico Nobile; Salvatore Pontarelli; Giuseppe Bianchi

The enormous growth of network traffic, in conjunction with the need to monitor ever larger and more capillary network deployments, poses a significant scalability challenge to the network monitoring process. We believe that a promising way to address this challenge consists in rethinking monitoring tasks as partially performed inside the network itself. Indeed, in-network monitoring devices, such as traffic capturing probes, may be instructed to perform intelligent processing and filtering, so that the amount of data ultimately delivered to central monitoring entities can be significantly reduced to that strictly necessary for a more careful and fine-grained data inspection. In this direction, this chapter focuses on the design and implementation of a hardware-based front-end pre-filter for the well-known Snort Intrusion Detection System (IDS). Motivated by the practical impossibility of packing a large number of legacy Snort rules onto a resource-constrained hardware device, we specifically address the question of how Snort rules should be adapted and simplified so that they can be supported on a commercial, low-end Field Programmable Gate Array (FPGA) board while still providing good filtering performance. Focusing on about one thousand Snort rules randomly drawn from the complete rule set, we experimentally determine how these rules can be simplified while retaining a detection performance comparable to that of the original, non-adapted rules, when applied to a “training” dataset composed of a relatively large traffic trace collected from a regional ISP backbone link. We then validate the performance of the adapted rules against additional collected traffic traces. We show that about 1000 adapted Snort rules can be supported on a low-end FPGA-based Snort pre-filter, with 93% data reduction efficiency.

Collaboration

Simone Teofili's collaborators.

Top Co-Authors

Giuseppe Bianchi (University of Rome Tor Vergata)
Salvatore Pontarelli (University of Rome Tor Vergata)
Enrico Nobile (University of Rome Tor Vergata)
Ivan Gojmerac (Austrian Institute of Technology)
Claudio Greco (University of Rome Tor Vergata)
Francesco Saverio Proto (University of Rome Tor Vergata)
Marco Bonola (University of Rome Tor Vergata)