Presentation is loading. Please wait.

Presentation is loading. Please wait.

RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by.

Published byOswald Daniels Modified over 8 years ago

Similar presentations

Presentation on theme: "RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by."— Presentation transcript:

1 RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by Willem de Bruijn

2 RAID2005 IDS is insufficient intrusion prevention is preferable over detection active guarding nullifies evasion & insertion attemps but, prevention problematic at traditional firewalls performance issues lack of knowledge internal nodes expected safe rigid, leading to circumvention

3 RAID2005 Move IPS to the edge using a software based solution on the network card full payload scanning,at line-rate* to create a (crude) cost-effective local IPS CardGuard implements

4 RAID2005 Introduction Architecture Implementation Results

5 RAID2005 distributed firewalling signature detection is easier at the network edge can overwhelm CPU 69Mbps max on 1.8 Ghz P4 a solution is to offload to the NIC: unobtrusive & difficult to subverge

6 RAID2005 Network Processors Programmable NICs that combine cheap software with fast hardware they contain ● stream processors ● asynchronous memory ● hardware assist (e.g., CAM)

7 RAID2005 Efficient Pattern Matching snort ruleset >28.000 pattern-based rules requires parallel processing Aho Corasick pattern-matching algorithm single-pass complexity independent of #patterns

8 RAID2005 Aho Corasick Example a deterministic finite automaton (DFA) for the Slammer worm identifies 5 different patterns

9 RAID2005 Introduction Architecture Implementation Results

10 RAID2005 IXP1200 PCI daughterboard or stand-alone box two 1Gbps ports 6 stream µEngines 4 HW threads/engine 1 StrongARM CPU @ 200Mhz IXP 2XXX

11 RAID2005 software mapping Cp Rx Tx ToE AC ToE RegEx =

12 RAID2005 Flow handling TCP reconstruction light: basic flow-accounting datastream sanitisation Out-of-order handling: put on hold, or two-pass scan Cp Rx ACToETx Cp ACToE

13 RAID2005 efficient memory use size latency Scratch, 16KB, 12..14 cycles SRAM : 8 MB, 16..20 cycles SDRAM : 256 MB, 30...40 cycles Istore, 1KB, 1 cycle Registers, 512B, 1 cycle; shared inline DFA in-memory DFA memory access is the bottleneck

14 RAID2005 Introduction Architecture Implementation Results

15 RAID2005 inline DFA in-memory DFA

16 RAID2005 benchmarks processing costs scale linearly with datarate, not packetrate Full TCP scan sustainable at 100Mbit

17 RAID2005 conclusions intrusion prevention is feasible at the network edge NP-based solutions are cheap and unobtrusive caveat CardGuard is only a crude prototype lacks a sophisticated management plane

Download ppt "RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by."

Similar presentations

Deep Packet Inspection: Where are We? CCW08 Michela Becchi.

Deep Packet Inspection: Where are We? CCW08 Michela Becchi.
Using Network Processors in Genomics Herbert Bos * † Kaiming Huang * * Leiden Universiteit, Netherlands † Vrije Universiteit,

Using Network Processors in Genomics Herbert Bos * † Kaiming Huang * * Leiden Universiteit, Netherlands † Vrije Universiteit,
Philips Research ICS 252 class, February 3, 2000 1 The Trimedia CPU64 VLIW Media Processor Kees Vissers Philips Research Visiting Industrial Fellow

Philips Research ICS 252 class, February 3, The Trimedia CPU64 VLIW Media Processor Kees Vissers Philips Research Visiting Industrial Fellow
Fast and Scalable Pattern Matching for Content Filtering Sarang Dharmapurikar John Lockwood.

Fast and Scalable Pattern Matching for Content Filtering Sarang Dharmapurikar John Lockwood.
Authors: Wei Lin, Bin Liu Publisher: ICPADS, 2008 (IEEE International Conference on Parallel and Distributed Systems) Presenter: Chia-Yi, Chu Date: 2014/03/05.

Authors: Wei Lin, Bin Liu Publisher: ICPADS, 2008 (IEEE International Conference on Parallel and Distributed Systems) Presenter: Chia-Yi, Chu Date: 2014/03/05.
New Solutions to New Threats. The Threats, They Are A Changing Page 2 | © 2008 Palo Alto Networks. Proprietary and Confidential.

New Solutions to New Threats. The Threats, They Are A Changing Page 2 | © 2008 Palo Alto Networks. Proprietary and Confidential.
Multi-dimensional Packet Classification on FPGA: 100Gbps and Beyond

Multi-dimensional Packet Classification on FPGA: 100Gbps and Beyond
Berlin – November 10th, 2011 NetFPGA Programmable Networking for High-Speed Network Prototypes, Research and Teaching Presented by: Andrew W. Moore (University.

Berlin – November 10th, 2011 NetFPGA Programmable Networking for High-Speed Network Prototypes, Research and Teaching Presented by: Andrew W. Moore (University.
Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.

Efficient Memory Utilization on Network Processors for Deep Packet Inspection Piti Piyachon Yan Luo Electrical and Computer Engineering Department University.
CSC457 Seminar YongKang Zhu December 6 th, 2001 About Network Processor.

CSC457 Seminar YongKang Zhu December 6 th, 2001 About Network Processor.
Authors: Raphael Polig, Kubilay Atasu, and Christoph Hagleitner Publisher: FPL, 2013 Presenter: Chia-Yi, Chu Date: 2013/10/30 1.

Authors: Raphael Polig, Kubilay Atasu, and Christoph Hagleitner Publisher: FPL, 2013 Presenter: Chia-Yi, Chu Date: 2013/10/30 1.
Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.

Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.
Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004.

Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004.
Real-Time Video Analysis on an Embedded Smart Camera for Traffic Surveillance Presenter: Yu-Wei Fan.

Real-Time Video Analysis on an Embedded Smart Camera for Traffic Surveillance Presenter: Yu-Wei Fan.
Pipelined Parallel AC-based Approach for Multi-String Matching Department of Computer Science and Information Engineering National Cheng Kung University,

Pipelined Parallel AC-based Approach for Multi-String Matching Department of Computer Science and Information Engineering National Cheng Kung University,
Extensible Networking Platform 1 1 - IWAN 2005 Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood

Extensible Networking Platform IWAN 2005 Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood
Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.

Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.
1 An Evolution of Pattern Matching within Network Intrusion Detection Systems Erik Anderson 9 November 2006.

1 An Evolution of Pattern Matching within Network Intrusion Detection Systems Erik Anderson 9 November 2006.
Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,

Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,
Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.

Modified Data Structure of Aho-Corasick Project ECE-526 Spring 2006 Benfano Soewito, Ed Flanigan and John Pangrazio Southern Illinois University Carbondale.

Similar presentations

Ads by Google