Workpackage 3 New security algorithm design ICS-FORTH Ipswich 19 th December 2007

WISDOM WP3: New security algorithm design Objectives Identify critical security application components which can be efficiently implemented in the optical domain. Characterise constraints to algorithmic components and develop novel analytical techniques for simplified pattern matching. Design a Security Application Programming Interface (SAPI) which will be the interface between high-level security applications and low-level optical implementation Tasks - Deliverables WP 3.1: Security Applications Partitioning (M12) WP 3.2: Identification of simplified Security Algorithm Components (M24) WP 3.3: Definition of a Security Application Programming Interface: SAPI (M27)

WP3.1 Security Applications Partitioning Identify components which can be effectively and efficiently implemented in the optical domain Partitioning of security-related applications (Firewalls, DoS attacks detection, IDS/IPS) into -high-level part (electronic) -low-level part (optical) D3.1 report M12

WP3.1 Security Applications Partitioning Basic firewall functionality in the optical domain Look at port numbers Block traffic for specific ports Optical filtering, optical pattern matching Look at IP addresses Block traffic for specific IP addresses Optical filtering, optical/electronic pattern matching Look at IP protocol Block traffic for certain protocols Headers only Less than 10% of rules, more than 90% of alerts

WP3.1 Security Applications Partitioning Firewall rule example Inspection Deny all incoming traffic with IP matching internal IP source IP address Deny incoming from black-listed IP addresses source IP address Deny all incoming ICMP traffic IP protocol Deny incoming TCP/UDP 135/445 (RPC, Windows Sharing) destination port Deny incoming/outgoing TCP 6666/6667 destination port Allow incoming TCP 80, 443 (http, https) destination port to internal web server (destination IP address) Deny incoming TCP 25 to SMTP server destination port from external IP addresses (destination)/source IP address Allow UDP 53 to internal destination port DNS server (destination IP address) typical port assignments for some other services/applications ftp TCP 21, ssh TCP 22, telnet TCP 23, POP3 TCP 110, IMAP 143

WP3.1 Security Applications Partitioning Filtering out traffic

WP3.1 Security Applications Partitioning DoS attacks SYN bit optical counter proposed optical DoS attack detection

WP3.1 Security Applications Partitioning Security OperationInspectionApplication Example Match network packet targeting a specific service Destination Port Number Filtering out traffic Match network packet originating from a specific service Source Port Number Filtering out a Web server’s response Match network packet targeting specific computer(s) Destination IP Address Preventing contact with a computer Match network packet originating from specific computer(s) Source IP Address Preventing access from a computer Match network packet with specific properties IP protocol header field Filtering out ICMP traffic Match network packet targeting a specific service and originating from specific computers Destination Port Number and Source IP Address SPAM filter Denial of Service attack detectionSYN flag Preventing TCP SYN flood attacks

WP3.2 Identification of Simplified Security Algorithms Components Optical pre-processing for more complex pattern recognition Restrictions in optical domain (buffering, level of integration, etc) Scalability of security pattern matching algorithms, optimum balance between optical and electronic processing (WP6 ) Develop algorithms that will allow optical bit-serial processing subsystems to operate as a pre-processor to more complex pattern recognition techniques. D3.2 Identification of simplified Security Algorithms Components (M24)

WP3.2 Identification of Simplified Security Algorithms Components Tree-like structures Hash functions Bloom filters Heuristics Parallel use of optical devices up to a dozen “on a chip” Parallel/Distributed Architectures

WP3.2 Identification of Simplified Security Algorithms Components Combine optical and electronic signature-based detection Optical traffic splitter optical header processing for load balancing e.g., group packets according to port number, IP, etc Multiple “specialized” (electronic) processors parallel operation possibly more efficient payload inspection by performing same operations to same type of packets Many issues, such as even distribution of load to sensors, anomaly-based detection, etc.

WP3.2 Identification of Simplified Security Algorithms Components Specifications for optical hardware: Optical Bit Filter Coarse “sift” of packet header Optical Routing Switch Optical Pattern Matching Circuit Optical Buffer Memory Embedded in Bit Filter and Pattern Matching? Optical PRBS generator XOR, AND gates

WP3.2 Identification of Simplified Security Algorithms Components Functional models of optical devices and simulator 1) Very simple, basic building blocks are logic gates Useful for testing efficiency of more complex algorithms, hybrid optical/electronic detection, etc. 2) Include physical models for actual optical components Useful in device development. Much more demanding… Build simulator starting with (1) and expand to (2), when necessary. Commercial solutions (Virtual Photonics, etc).

WP 3.3 Definition of a Security Application Programming Interface (SAPI) SAPI will bridge the gap between optical execution of key components and programming of security applications High-level programming, abstract all low-level details Monitoring Application Programming Interface (MAPI) D3.3 Definition of SAPI (M27)

WP 3.3 Definition of a Security Application Programming Interface (SAPI) Hardware - Software Interface Frequency of user interventions small compared to frequency of optical recognitions Electronics – Optics Interface Labview, Agilent Vee (HPV) Start with Software – Electronics - Optics