Publication


Featured research published by Young H. Cho.


field-programmable custom computing machines | 2004

Deep packet filter with dedicated logic and read only memories

Young H. Cho; William H. Mangione-Smith

Searching for multiple string patterns in a stream of data is a computationally expensive task. The speed of the search pattern module determines the overall performance of deep packet inspection firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS). For example, one open source IDS configured for 845 patterns can sustain a throughput of only 50 Mbps running on a dual 1-GHz Pentium III system. Using such systems would not be practical for filtering high speed networks with over 1 Gbps traffic. Some of these systems are implemented with field programmable gate arrays (FPGA) so that they are fast and programmable. However, such FPGA filters tend to be too large to be mapped onto a single FPGA. By sharing the common sublogic in the design, we can effectively shrink the footprint of the filter. Then, for a large subset of the patterns, the logic area can be further reduced by using a memory based architecture. These design methods allow our filter for 2064 attack patterns to map onto a single Xilinx Spartan 3-XC3S2000 FPGA with a filtering rate of over 3 Gbps of network traffic.


field programmable logic and applications | 2002

Specialized Hardware for Deep Network Packet Filtering

Young H. Cho; Shiva Navab; William H. Mangione-Smith

Many computer networks provide limited security through simple firewall features in routers and switches. Some networks that require higher security use deep packet filters to capture packets that cannot be detected by a simple firewall. Deep packet filters use a list of rules for determining the safety of packets. There is a high degree of parallelism in processing these rules because each rule represents an independent pattern matching process. We find that the underlying architectures for existing software and hardware firewalls do not fully take advantage of this parallelism. Thus, we design a deep packet filtering firewall on a field programmable gate array (FPGA) to take advantage of the parallelism while retaining its programmability. Our implementation is capable of processing over 2.88 gigabits per second of network stream on an Altera EP20K series FPGA without manual optimization.


field-programmable custom computing machines | 2005

Fast reconfiguring deep packet filter for 1+ gigabit network

Young H. Cho; William H. Mangione-Smith

Due to the increasing number of network worms and viruses, many computer network users are vulnerable to attacks. Unless network security systems use more advanced methods of content filtering such as deep packet inspection, the problem will get worse. However, searching for patterns at multiple offsets in the entire content of a network packet requires more processing power than most general purpose processors can provide. Thus, researchers have developed high performance parallel deep packet filters for reconfigurable devices. Although some reconfigurable systems can be generated automatically from a pattern database, obtaining a high performance result from each subsequent reconfiguration can be a time consuming process. We present a novel architecture for a programmable parallel pattern matching coprocessor. By combining a scalable coprocessor with the compact reconfigurable filter, we produce a hybrid system that is able to update the rules immediately during the time the new filter is being compiled. We mapped our hybrid filter for the latest Snort rule set on January 13, 2005, containing 2,044 unique patterns that make up 32,384 bytes, onto a single Xilinx Virtex 4LX-XC4VLX15 FPGA with a filtering rate of 2 Gbps.


design automation conference | 2005

A pattern matching coprocessor for network security

Young H. Cho; William H. Mangione-Smith

It has been estimated that computer network worms and viruses caused the loss of over $55B in 2003. Network security systems use techniques such as deep packet inspection to detect the harmful packets. While software intrusion detection systems running on general purpose processors can be updated in response to new attacks, they lack the processing power to monitor gigabit networks. We present a high performance pattern matching co-processor architecture that can be used to monitor and identify a large number of intrusion signatures. The design consists of a bank of pattern matchers that are used to implement a highly concurrent filter. The pattern matchers can be programmed to match multiple patterns of various lengths, and are able to leverage the existing databases of threat signatures. We have been able to program the filters to match all the payload patterns defined in the widely used Snort network intrusion detection system at a rate above 7 Gbps, with memory space left to accommodate threat signatures that become available in the future.


ACM Transactions on Sensor Networks | 2010

On the interaction of clocks, power, and synchronization in duty-cycled embedded sensor nodes

Thomas Schmid; Roy Shea; Zainul Charbiwala; Jonathan Friedman; Mani B. Srivastava; Young H. Cho

The efficiency of the time synchronization service in wireless sensor networks is tightly connected to the design of the radio, the quality of the clocking hardware, and the synchronization algorithm employed. While improvements can be made on all levels of the system, over the last few years most work has focused on the algorithmic level to minimize message exchange and on radio architectures to provide accurate time-stamping mechanisms. Surprisingly, the influences of the underlying clock system and its impact on the overall synchronization accuracy have largely been unstudied. In this work, we investigate the impact of the clocking subsystem on the time synchronization service and address, in particular, the influence of changes in environmental temperature on clock drift in highly duty-cycled wireless sensor nodes. We also develop formulas that help the system architect choose the optimal resynchronization period to achieve a given synchronization accuracy. We find that the synchronization accuracy has a two-region behavior. In the first region, the synchronization accuracy is limited by quantization error, while in the second region changes in environmental temperature impact the achievable accuracy. We verify our analytic results in simulation and real hardware experiments.


ACM Transactions in Embedded Computing Systems | 2008

Deep network packet filter design for reconfigurable devices

Young H. Cho; William H. Mangione-Smith

Most network routers and switches provide some protection against network attacks. However, the rapidly increasing amount of damage reported over the past few years indicates the urgent need for tougher security. Deep-packet inspection is one of the solutions to capture packets that cannot be identified using the traditional methods. It uses a list of signatures to scan the entire content of the packet, providing the means to filter harmful packets out of the network. Since one signature does not depend on the other, the filtering process has a high degree of parallelism. Most software and hardware deep-packet filters that are in use today execute the tasks under the von Neumann architecture. Such an architecture cannot fully take advantage of the parallelism. For instance, one of the most widely used network intrusion-detection systems, Snort, configured with 845 patterns, running on a dual 1-GHz Pentium III system, can sustain a throughput of only 50 Mbps. The poor performance is due to the fact that the processor is programmed to execute several tasks sequentially instead of simultaneously. We designed scalable deep-packet filters on field-programmable gate arrays (FPGAs) to search for all data-independent patterns simultaneously. With FPGAs, we have the ability to reprogram the filter when there are any changes to the signature set. The smallest full-pattern matcher implementation for the latest Snort NIDS fits in a single 400k Xilinx FPGA (Spartan 3-XC3S400) with a sustained throughput of 1.6 Gbps. Given a larger FPGA, the design can scale linearly to support a greater number of patterns, as well as higher data throughput.


international conference on smart grid communications | 2013

Efficient PMU networking with software defined networks

Andrew Goodney; Saurabh Kumar; Akshay Ravi; Young H. Cho

An important goal for the smart grid is to give power grid operators like utilities a global view of the health of the power grid. As the smart grid is built out, the size and complexity of the required communications network is increasing. In this paper we propose using software defined networks (SDN) for the smart grid, as SDN allows for a flexibly defined network (through programmability) along with superior performance and implementations based on industry standards. To demonstrate that SDN can be used as the underlying technology for power grid networking, we have implemented a multi-rate, multicast network for phasor measurement unit (PMU) data. We compare the SDN solution to the conventional approach as well as two other advanced PMU networking methods, IP Multicast and GridStat, and show that our method achieves lower latency and optimal network utilization.


military communications conference | 2008

Angle-of-arrival assisted Radio Interferometry (ARI) target localization

Jonathan Friedman; Zainul Charbiwala; Thomas Schmid; Young H. Cho; Mani B. Srivastava


ACM Transactions on Design Automation of Electronic Systems | 2008

Reconfigurable content-based router using hardware-accelerated language parser

James Moscola; John W. Lockwood; Young H. Cho

Collaboration


Top Co-Authors

John W. Lockwood

Washington University in St. Louis

James Moscola

Washington University in St. Louis

Andrew Goodney

University of Southern California

Thomas Schmid

University of California

Siddharth S. Bhargav

University of Southern California