Tran Ngoc Thinh

Applying Cuckoo Hashing for FPGA-based Pattern Matching in NIDS/NIPS

Pattern matching for network intrusion/prevention detection requires extremely high throughput with frequent updates to support new attack patterns. Most of current hardware implementations have outstanding performance over software implementations. However, the requirement for dynamic update pattern set is still challenging for hardware researchers. This paper describes a novel FPGA-based pattern matching architecture using a recent hashing algorithm called Cuckoo Hashing. The proposed architecture features on-the-fly pattern updates without reconfiguration, more efficient hardware utilization, and higher performance. Through various algorithmic changes of Cuckoo Hashing, we can implement parallel pattern matching on SRAM-based FPGA. Our system can accommodate the latest Snort rule-set, an open source network intrusion detection/prevention system, and achieve the highest utilization in terms of SRAM per character and logic cells per character at 17 bits/character and 0.043 logic cells/character, respectively on major Xilinx Virtex architectures. Compared to others, ours is much more efficient than any other Xilinx FPGA architectures.

Optimization of Regular Expression Processing Circuits for NIDS on FPGA

Recent Network Intrusion Detection System (NIDS) utilizes more and more Regular Expression to describe malicious patterns existing in the content payload of packets. Many researches are investigated and several techniques are introduced to optimize performance and support all functions of regular expression on hardware platform. However there is very few researches in the minimization of multiple regular expressions. This paper takes in account of compiling multiple regular expressions with respect to optimize hardware resources. We take advantage of block memory to implement character matching and present a novel sharing architecture which completely supports sharing common parts among given set of regular expressions. Experimental results show that our optimization can reduce 46% area circuits compared with previous approaches and achieve throughput of 1.5-2.1 Gbps on Snort malicious database.

Massively Parallel Cuckoo Pattern Matching Applied for NIDS/NIPS

This paper describes a Cuckoo-based Pattern Matching (CPM) engine based on a recently developed hashing algorithm called Cuckoo Hashing. We implement the improved parallel Cuckoo Hashing suitable for hardware-based multi-pattern matching with arbitrary length. CPM can rapidly update the static pattern set without reconfiguration while consuming the lowest amount of hardware. With the power of massively parallel processing, the speedup of CPM is up to 128X as compared with serial Cuckoo implementation. Compared to other hardware systems, CPM is far better in performance and saves 30% of the area.

An anomaly-based network intrusion detection system using Deep learning

Recently, anomaly-based intrusion detection techniques are valuable methodology to detect both known as well as unknown/new attacks, so they can cope with the diversity of the attacks and the constantly changing nature of network attacks. There are many problems need to be considered in anomaly-based network intrusion detection system (NIDS), such as ability to adapt to dynamic network environments, unavailability of labeled data, false positive rate. This paper, we use Deep learning techniques to implement an anomaly-based NIDS. These techniques show the sensitive power of generative models with good classification, capabilities to deduce part of its knowledge from incomplete data and the adaptability. Our experiments with KDDCup99 network traffic connections show that our work is effective to exact detect in anomaly-based NIDS and classify intrusions into five groups with the accuracy based on network data sources.

Accelerating Anomaly-Based IDS Using Neural Network on GPU

Recently, anomaly-based intrusion detection system (IDS) is valuable methodology to protect target systems and networks against attacks. Modeling normal system/network behaviors enables anomaly-based IDS (Intrusion Detection System) to be extremely effective methodology to detect both known as well as unknown/new attacks. However, current software-based methods are difficult to process a large amount of data in anomaly-based IDSs and cannot keep up the high-link speeds. The implementations of anomaly-based IDSs on parallel processing platforms are considered as necessary to accelerate speed of the systems. Neural Networks are a good example of parallel computing. In this paper, we used Neural Network technology to classify normal or abnormal behaviors. The parallel nature of Neural Networks has been implemented on GPUs that allows the system to meet a set of requirements such as time constraints management, robustness, high processing speed and re-configurability. Experiments with KDD Cup 1999 network traffic connections which have been preprocessed with methods of features selection and normalization have shown that our work is effective to accelerate intrusion detection in anomaly-based IDS. The result shows that our implementation on GPU is much faster than the implementation on CPU up to 32x.

FPGA-based Multicore Architecture for Integrating Multiple DDoS Defense Mechanisms

This paper proposes an FPGA-based multicore architecture to integrate multiple DDoS defense mechanisms for DDoS protection. The architecture allows multiple cooperating DDoS mitigation techniques to classify incoming network packets. The proposed architecture consists of two separate partitions static and dynamic. The static partition includes packet pre-processing and post-processing modules while the DDoS filtering techniques are implemented within the dynamic partition. These filtering techniques can be implemented by either hardware custom computing cores or general purpose soft processors or both. In all cases, these DDoS filtering computing cores can be updated or changed at runtime or design time. We implement our first prototype system with the Hop-count filtering and Ingress/Engress filtering techniques using the Xilinx Virtex 5 xc5vtx240t FPGA device. The synthesis results show that the system can work at up to 116.782MHz while utilizing about 41% LUTs, 47% Registers, and 53% Block Memory of the available hardware resources. Experimental results show that our system achieves a 100% detection rate (true positive) with a 0% false negative rate and the maximum 0.74% false positive rate. Moreover, the prototype system obtains packet processing throughput by up to 9.869 Gbps in half-duplex mode and 19.738 Gbps in full-duplex mode.

Memory-efficient TCP reassembly using FPGA

Nowadays, networking plays a very important role in businesses. The network infrastructure has been developing rapidly. Moreover, the invention of TCP protocol motivates a lot of network applications. Many of these applications require line rate processing of packets and reassembly of TCP packets for stateful processing. Several techniques are introduced to reassemble TCP packets on FPGA. However, they have some disadvantages such as inefficient memory, unscalable system, and unsupported complex TCP connections. In this paper, we propose a multi-linked-list approach for TCP reassembly. Our architecture not only supports TCP connections with multiple out-of-sequence data segments but also uses memory more efficiently than others. The experimental results show that our system can hold about 256K connections simultaneously and support up to 46K out-of-sequence connections with only 64MB DRAM.

An efficient runtime adaptable floating-point Gaussian filtering core

With the fast increasingly use of image and video processing in many aspects, the requirements for high performance and high-quality systems lead to the use of reconfigurable computing to accelerate traditional image processing platforms. In this work, an efficient runtime adaptable floating-point Gaussian filtering core is proposed to achieve not only high performance and quality but also kernel runtime adaptability. The architecture allows both filtering kernel size and values to be redefined on-the-fly. Moreover, the core can process up to one pixel per cycle with a 1D Gaussian filtering. The core is developed with Verilog-HDL and can be built on various FPGA families. Experimental results with multiple images at different resolutions show that the core is able to perform a 2D Gaussian filtering for 48 1080 × 1920-pixel or 313 512 × 512-pixel images per second with an 11 × 11 floating-point kernel.

A reconfigurable heterogeneous multicore architecture for DDoS protection

This paper proposes a reconfigurable heterogeneous multicore architecture to integrate multiple DDoS defense mechanisms for DDoS protection. The architecture allows multiple cooperating DDoS mitigation techniques to classify incoming network packets. The proposed architecture consists of two separated partitions: static and dynamic. The static partition includes packet pre-processing and post-processing modules while the DDoS filtering techniques are implemented on the dynamic partition. These filtering techniques can be implemented by either hardware custom computing cores or general purpose soft processors or both. In all cases, these DDoS filtering computing cores can be updated or changed at runtime or design time. We implement our first prototype system with Hop-count filtering and Ingress/Engress filtering techniques using Xilinx Virtex 5xc5vtx240t FPGA device. The synthesis results show that the system can work at up to 116.782MHz while utilizing about 41% LUTs, 47% Registers, and 53% Block Memory of the available hardware resources. The system achieves the detection rate of 100% with the false negative rate at 0% and false positive rate closed to 0.74%. The prototype system achieves packet decoding throughput at 9.869 Gbps in half-duplex mode and 19.738 Gbps in full-duplex mode.

A Secured OpenFlow-Based Switch Architecture

In this paper, we propose a secured OpenFlow-based switch architecture. The architecture is a combination of OpenFlow Processing that routes packets according to the OpenFlow protocol and Security Processing that defends against network attacks. Therefore, the proposed switch can work not only as a OpenFlow-based forwarding device but also as a network protection system. We implement our prototype switch on a Xilinx Virtex 5 xc5vtx240t FPGA device. In this prototype version, we integrate two different DDoS countermeasure techniques, the Hop-Count filtering and Port Ingress/Egress filtering. The experimental results show that the switch achieves packet processing throughput by up to 19.7 Gbps while a 100% DDoS detection rate with up to a 2.9% false positive rate and a 0% false negative rate is obtained. Our prototype system uses up to 36% Look-Up Tables, 38% Registers, and 62% Block RAM of the FPGA device.