a framework for rule processing in reconfigurable network
play

A Framework for Rule Processing in Reconfigurable Network Systems - PDF document

Nov 25, 2023 •34 likes •154 views

A Framework for Rule Processing in Reconfigurable Network Systems Michael Attig and John Lockwood Washington University in Saint Louis Applied Research Laboratory Department of Computer Science and Engineering May 1, 2005 Rule Processing

  1. A Framework for Rule Processing in Reconfigurable Network Systems Michael Attig and John Lockwood Washington University in Saint Louis Applied Research Laboratory Department of Computer Science and Engineering May 1, 2005 Rule Processing Framework – FCCM 2005 1 Outline • Overview • Background • Architecture • Results • Summary Rule Processing Framework – FCCM 2005 2

  2. Rule Processing Overview • Rule processing & intrusion detection • TCP Flow Processing • Header Processing • Payload Scanning alert tcp any 110 � any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:misc- activity; sid:723; rev:6;) • Snort Rules (version 2.2 Sept 2004) – 2464 Rules – 292 Headers – 2107 Signatures – 233 Regular Expressions Rule Processing Framework – FCCM 2005 3 Rule Characteristics • 2464 unique rules Unique Signature Distribution • 292 unique header rules 180 160 – 168 are “header-only” Number of Occurrences 140 • 2107 unique signatures 120 100 – 97% less than 32 bytes 80 60 – Spread across 2296 of rules 40 • 233 regular expressions 20 0 – Snort rules always contain 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 Signature Length (bytes) static signature also Unique Signature Occurences • Few signatures associated 160 with many rules 140 Number of occurrences 120 – 83% found in single rule 100 – Only 18 associated with 80 more than 10 rules 60 40 • 10 header rules can match at 20 once (pessimistic) 0 1 151 301 451 601 751 901 1051 1201 1351 1501 1651 1801 1951 2101 signature number Snort version 2.2 (Sept 2004) Rule Processing Framework – FCCM 2005 4

  3. Fully Functional Rule Processing String Matching Comparators [Sourdis fccm’04] ? Partitioning [Baker fccm’04] TCAMs [Yu hoti’04] ? ? Bloom Filters [Attig fccm’04] Complete Rule ? DFAs [Moscola fccm’03] Processing Header Classification BV-TCAM [Song fpga’05] NFAs [Clark fccm’04] ? ? TCP Flow Rule Processor Reconstruction [Schuehler fpl’04] Pipelining [Cho fccm’04] Rule Processing Framework – FCCM 2005 5 Rule Processing Framework Overview TCP/IP Data Local Order TCP flows Local Internet Area Internet Area Network for inspection by Network payload scanner(s) Intrusion Detection System h header modules determine matching Local Area Internet header rules Local Area Internet Network Matching header Network and string IDs sent to rule p payload modules search for static processor using signatures and standard interface Intrusion Detection regular expressions System Rule processor uses Focus of this header and payload Talk match criteria to determine rule matches Rule Processing Framework – FCCM 2005 6

  4. Rule Processor FPGA (1) (2) (3) (5) (6) (7) Software Communication Wrapper Matching Criteria Communication Wrapper Rule Processing Framework – FCCM 2005 7 Example R1: Alert tcp any 80 � any 125 (content:“string1”; content:“string2”;) Algorithmically: R1: H1 Λ C1 Λ C2 Rule Processing Framework – FCCM 2005 8

  5. Rule Processing Example TCP/IP Data flow H1 C1 C2 C1 Rule Processing Framework – FCCM 2005 9 Rule Processor FPGA (1) (2) (3) (5) (6) (7) Software Communication Wrapper Rule X Header flow H1 H1 R1 R1 H1 C1 C2 Headers +1 C1 Reset Matching Criteria Communication Wrapper Rule Processing Framework – FCCM 2005 10

  6. Implementation Environment • Xilinx Virtex 2000E FPGA – 12% LUTs – 25% Slices – 93% of Block RAMs – 80.6 MHz • Stacked configuration allows chaining processing Rule Processing Framework – FCCM 2005 11 Worst Case Throughput • Worst case when signature associated with many rules detected • Only 18 signatures in more than 10 rules • Worst case signature – |00 00 00 00| in 135 rules Framework Throughput • Scenario: 3000 – Back-to-back 44 byte TCP packets 2500 from different Throughput (Mbps) 2000 flows and |00 00 00 00| as 1500 payload 1000 – Worst case assumes Worst-case 7 million attack 500 Average Case packets per second 0 0 250 500 750 1000 1250 1500 Packet Size (Bytes) Rule Processing Framework – FCCM 2005 12

  7. Intrusion Detection of WashU’s Backbone Network Matching 12+ Byte Signatures Matching 4 Byte Signatures • Observe ~10,000 total string matches per second on WashU’s backbone network (~250-300 Mbps) • Scaling to 2.5 Gbps, only ~100,000 string matches per second Rule Processing Framework – FCCM 2005 13 Next Generation FPGA Projections • More block RAM • Faster place & route • Parallel copies of pipeline – Multiple IDs per clock cycle • QDR SRAMs Rule Processor Relative Improvement 7 • 6x improvement 6 to throughput 5 VirtexE 4 Virtex2 3 Virtex4 2 1 0 Rule Frequency Throughput Rule Processing Framework – FCCM 2005 14

  8. Related Work Throughput Function Group and Component Device Logic Cells (Gbps) Flow GaTech Stream Assembler Virtex 1000 876 (10%) 3.2 Monitoring Northwestern U. Flow Monitor Virtex2-8000 - 48.3 WashU TCP Processor Virtex4 140 22,100 (35%) 10.3 Header Processing WashU BV-TCAM Virtex4 100 4,200 (10%) 10 Payload Crete Pre-decoded CAMs Virtex2-6000 64,268 (95%) 9.7 Scanning GaTech Decoder Trees Virtex2-8000 54,890 (81%) 7 Tokyo Trie-based Hash Virtex2-6000 2,365 (7%) 10 UCLA Packet Filters Spartan 3 2000 15,202 (37%) 3.2 USC Partitioning Virtex2 Pro 15,010 (15%) 4.5 WashU Bloom Filters Virtex4 100 35,850 (85%) 20.4 Correlation WashU Rule Processor Virtex4 100 40,200 (95%) 15.9 Rule Processing Framework – FCCM 2005 15 Contributions • Development of large-scale Rule Processing Framework – Bridge between component processing and rule processing – Supports up to 32,768 rules • Rule processing framework capable of 2.5 Gbps throughput on FPX – Projected to 15.9 on latest Virtex 4 • Rule processor operated on TCP flows – Context information stored for over 2 million simultaneous flows Rule Processing Framework – FCCM 2005 16

  9. Acknowledgments • Research Sponsors – Global Velocity – Boeing • ARL Faculty & Students http://arl.wustl.edu/projects/fpx/reconfig.htm Rule Processing Framework – FCCM 2005 17 Questions? Rule Processing Framework – FCCM 2005 18

  10. Communication Wrapper Interface Between Devices Between Software/Hardware Rule Processing Framework – FCCM 2005 19 Example R1: Alert tcp any 80 � any 125 (content:“string1”; content:“string2”;) R2: Alert tcp any 8080 � any 1024 (content:“string1”;) R1: H1 Λ C1 Λ C2 R2: H2 Λ C1 Rule Processing Framework – FCCM 2005 20

  11. Rule Processor FPGA Communication Wrapper X X CIDs RIDs CIDs BRAM H2 H1 H1 R1 R1 R2 H1 C1 +1 C2 C1 Reset Communication Wrapper Rule Processing Framework – FCCM 2005 21 Adding Modules • Accept and act upon IP packets • Communicate match criteria using communication wrapper interface – Provide deterministic interfaces – Abstract transport protocol • Software Configuration using communication wrapper • Represent matching criteria as ID numbers • Allows combination of techniques – Take advantage of best characteristics • General classifiers vs. field-specific headers • Static strings vs. regular expressions Rule Processing Framework – FCCM 2005 22

  12. Evaluation • Recall Rule IDs are inserted into pipeline based on matching signatures 80 Million Throughput versus Rule Look-ups per Second rule IDs per second 3000 2500 Throughput (Mbps) 2000 1500 1000 500 0 1.E+00 1.E+02 1.E+04 1.E+06 1.E+08 Rule Look-ups per Second Rule Processing Framework – FCCM 2005 23 Additional Rules Supported • Virtex 2 – 120 of 144 Block RAMs (18 Kbits each) – 2 copies of pipeline • 10 BRAM in stage 2 • 10 BRAM in stage 5 • 40 BRAM in stage 6 – 184,320 rules supported • Virtex 4 – 216 of 240 Block RAMs (18 Kbits each) – 4 copies of pipeline • 9 BRAM in stage 2 • 9 BRAM in stage 5 • 36 BRAM in stage 6 – 165,888 rules supported Rule Processing Framework – FCCM 2005 24

Recommend

Play Framework One Web Framework to rule them all Felix Mller Agenda Yet another web

Play Framework One Web Framework to rule them all Felix Mller Agenda Yet another web

Play Framework One Web Framework to rule them all Felix Mller Agenda Yet another web framework? Introduction for Java devs Demo Summary Yet another web framework? Yet another web framework? Why do we need another web framework?

656 views • 31 slides
An Architectural Framework for Accelerating Dynamic Parallel Algorithms on Reconfigurable

An Architectural Framework for Accelerating Dynamic Parallel Algorithms on Reconfigurable

An Architectural Framework for Accelerating Dynamic Parallel Algorithms on Reconfigurable Hardware Tao Chen, Shreesha Srinath Christopher Batten , G. Edward Suh Computer Systems Laboratory School of Electrical and Computer Engineering Cornell

546 views • 36 slides
Baseband Signal Processing Framework Baseband Signal Processing Framework for the OsmocomBB GSM

Baseband Signal Processing Framework Baseband Signal Processing Framework for the OsmocomBB GSM

Baseband Signal Processing Framework Baseband Signal Processing Framework for the OsmocomBB GSM Protocol Stack Harald Krll, Christian Benkeser, Stefan Zwicky, Benjamin Weber, Qiuting Huang Integrated Systems Laboratory, ETH Zurich d S b i h

306 views • 26 slides
CollaboVR: A Reconfigurable Framework for Creative Collaboration in Virtual Reality Zhenyi He *

CollaboVR: A Reconfigurable Framework for Creative Collaboration in Virtual Reality Zhenyi He *

CollaboVR: A Reconfigurable Framework for Creative Collaboration in Virtual Reality Zhenyi He * Ken Perlin * Ruofei Du * Future Reality Lab, New York University Google LLC The best layout and interaction mode? Research Questions: -

506 views • 34 slides
RiceNIC A Reconfigurable Network Interface for Experimental Research and Education Jeffrey

RiceNIC A Reconfigurable Network Interface for Experimental Research and Education Jeffrey

RiceNIC A Reconfigurable Network Interface for Experimental Research and Education Jeffrey Shafer Scott Rixner Introduction Networking is critical to modern computer systems Role of the network interface is changing New

851 views • 25 slides
FRED: A Framework for Supporting Real-Time Applications on Dynamic Reconfigurable FPGAs Marco

FRED: A Framework for Supporting Real-Time Applications on Dynamic Reconfigurable FPGAs Marco

FRED: A Framework for Supporting Real-Time Applications on Dynamic Reconfigurable FPGAs Marco Pagani, Alessandro Biondi, Mauro Marinoni, and Giorgio Buttazzo ReTiS Lab, TeCIP Institute Scuola superiore SantAnna - Pisa Italian Workshop on

865 views • 34 slides
Reconfigurable Computing Reconfigurable Computing Reconfigurable Architectures Reconfigurable

Reconfigurable Computing Reconfigurable Computing Reconfigurable Architectures Reconfigurable

Reconfigurable Computing Reconfigurable Computing Reconfigurable Architectures Reconfigurable Architectures Chapter 3.2 Chapter 3.2 Prof. Dr.- -Ing. Jrgen Teich Ing. Jrgen Teich Prof. Dr. Lehrstuhl fr Hardware- -Software Software-

655 views • 29 slides
Reconfigurable Computing Computing Reconfigurable Reconfigurable Architectures Architectures

Reconfigurable Computing Computing Reconfigurable Reconfigurable Architectures Architectures

Reconfigurable Computing Computing Reconfigurable Reconfigurable Architectures Architectures Reconfigurable Chapter 3.1 3.1 Chapter Prof. Dr.- -Ing. Jrgen Teich Ing. Jrgen Teich Prof. Dr. Lehrstuhl fr Hardware- -Software

488 views • 45 slides
Multiband RF-Interconnect for Reconfigurable Network-on-Chip Communications Jason Cong

Multiband RF-Interconnect for Reconfigurable Network-on-Chip Communications Jason Cong

Multiband RF-Interconnect for Reconfigurable Network-on-Chip Communications Jason Cong (cong@cs.ucla.edu) Joint work with Frank Chang, Glenn Reinman and Sai-Wang Tam UCLA 1 Communication Challenges On-Chip Issues # Cores in

521 views • 18 slides
Towards a Reconfigurable Bit-Serial/Bit-Parallel Vector Accelerator Using In-Situ

Towards a Reconfigurable Bit-Serial/Bit-Parallel Vector Accelerator Using In-Situ

2020 IEEE International Symposium on Circuits and Systems Virtual, October 10-21, 2020 Towards a Reconfigurable Bit-Serial/Bit-Parallel Vector Accelerator Using In-Situ Processing-in-SRAM Khalid Al-Hawaj , Olalekan Afuye, Shady Agwa, Alyssa

964 views • 58 slides
Regular Expression Matching in Reconfigurable Hardware IOANNIS SOURDIS AND STAMATIS VASSILIADIS

Regular Expression Matching in Reconfigurable Hardware IOANNIS SOURDIS AND STAMATIS VASSILIADIS

Journal of Signal Processing Systems 51, 99121, 2008 * 2007 Springer Science + Business Media, LLC Manufactured in The United States. DOI: 10.1007/s11265-007-0131-0 Regular Expression Matching in Reconfigurable Hardware IOANNIS SOURDIS AND

545 views • 23 slides
Rules of Processing Short-Circuiting Rules The last rule of evaluation (for now) (define (f x)

Rules of Processing Short-Circuiting Rules The last rule of evaluation (for now) (define (f x)

Rules of Processing Short-Circuiting Rules The last rule of evaluation (for now) (define (f x) x) (f 4) The goal of the proc-app-expr rule Subtle questions Didnt you say we couldnt define things twice? Isnt that what the

323 views • 17 slides
Limited Adaptive Histogram Equalization Burak nal, Ali Akoglu Reconfigurable Computing Lab

Limited Adaptive Histogram Equalization Burak nal, Ali Akoglu Reconfigurable Computing Lab

Resource Efficient Real-Time Processing of Contrast Limited Adaptive Histogram Equalization Burak nal, Ali Akoglu Reconfigurable Computing Lab Department of Electrical and Computer Engineering The University of Arizona 1 Outline

980 views • 22 slides
High-Throughput Multi-Threaded Sum-Product Network Inference in the Reconfigurable Cloud Micha

High-Throughput Multi-Threaded Sum-Product Network Inference in the Reconfigurable Cloud Micha

High-Throughput Multi-Threaded Sum-Product Network Inference in the Reconfigurable Cloud Micha Ober, Jaco A. Hofmann, Lukas Sommer, Lukas Weber, Andreas Koch Embedded Systems and Applications Group, TU Darmstadt 20.11.2019 | TU Darmstadt |

623 views • 36 slides
ASX Listing Rule Amendments Reporting Requirements for Oil and Gas Companies ASX Presentation

ASX Listing Rule Amendments Reporting Requirements for Oil and Gas Companies ASX Presentation

ASX Listing Rule Amendments Reporting Requirements for Oil and Gas Companies ASX Presentation 2013 1 AGENDA ASX presentation listing rule framework RISC presentation PRMS and how it applies in the listing rule framework

279 views • 25 slides
The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network

The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network

Chapter 4: The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network combines two types of domain knowledge to represent a joint probability distribution: qualitative knowledge: a (minimal) directed I-map

1.63k views • 134 slides
ReNoC: A Network-on-Chip Architecture with Reconfigurable Topology Mikkel B. Stensgaard and Jens

ReNoC: A Network-on-Chip Architecture with Reconfigurable Topology Mikkel B. Stensgaard and Jens

ReNoC: A Network-on-Chip Architecture with Reconfigurable Topology Mikkel B. Stensgaard and Jens Spars Technical University of Denmark Technical University of Denmark ReNoC, NoCS 2008 1 Outline Motivation ReNoC Basic Concepts

499 views • 29 slides
Dynamically Reconfigurable Galileo IoT Testbed Intermediate talk for the Bachelors Thesis by

Dynamically Reconfigurable Galileo IoT Testbed Intermediate talk for the Bachelors Thesis by

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Dynamically Reconfigurable Galileo IoT Testbed Intermediate talk for the Bachelors Thesis by Kostiantyn Redko advised by Stefan Liebald M.

134 views • 10 slides
When In Network Processing Meets Time: When In-Network Processing Meets Time: Complexity and

When In Network Processing Meets Time: When In-Network Processing Meets Time: Complexity and

When In Network Processing Meets Time: When In-Network Processing Meets Time: Complexity and Effects of Joint Optimization in Wireless Sensor Networks Department of Computer Science Wayne State University Department of Computer Science, Wayne

617 views • 23 slides
GraVF: GraVF: A Vertex-Centric A Vertex-Centric Graph Processing Graph Processing Framework

GraVF: GraVF: A Vertex-Centric A Vertex-Centric Graph Processing Graph Processing Framework

GraVF: GraVF: A Vertex-Centric A Vertex-Centric Graph Processing Graph Processing Framework Framework on FPGA on FPGA Nina Engelhardt August 31, 2016 Graphs and Graph Traversal Algorithms 1 Vertex-centric Programming Model: From POV of

262 views • 9 slides
Rule #1: Have a takeaway. Rule #2: Keep It Simple. Rule #3: Repetition is Good. Rule #4: Be

Rule #1: Have a takeaway. Rule #2: Keep It Simple. Rule #3: Repetition is Good. Rule #4: Be

The 4 Rules of Public Speaking Rule #1: Have a takeaway. Rule #2: Keep It Simple. Rule #3: Repetition is Good. Rule #4: Be Prepared! But at the end of the day, we can have the most dedicated teachers, the most supportive parents, the best

395 views • 12 slides
Using Reconfigurable Logic Using Reconfigurable Logic to Simulate Computer Systems Derek Chiou

Using Reconfigurable Logic Using Reconfigurable Logic to Simulate Computer Systems Derek Chiou

Using Reconfigurable Logic Using Reconfigurable Logic to Simulate Computer Systems Derek Chiou University of Texas at Austin Electrical and Computer Engineering Supported in part by DOE NSF SRC Supported in part by DOE, NSF, SRC, Bluespec,

719 views • 17 slides
Biscuit: A Framework for Near-Data Processing of Big Data Workloads Oct 21, 2016 Duck-Ho Bae

Biscuit: A Framework for Near-Data Processing of Big Data Workloads Oct 21, 2016 Duck-Ho Bae

Biscuit: A Framework for Near-Data Processing of Big Data Workloads Oct 21, 2016 Duck-Ho Bae Memory Business, Samsung Electronics Outline Biscuit: A Framework for Near-Data Processing of Big Data Workloads, ISCA16 YourSQL: A

893 views • 47 slides
Ligra: A Lightweight Graph Processing Framework for Shared Memory Whats it hoping to achieve?

Ligra: A Lightweight Graph Processing Framework for Shared Memory Whats it hoping to achieve?

Ligra: A Lightweight Graph Processing Framework for Shared Memory Whats it hoping to achieve? 1. A simple, concise framework 2. High-performance for shared-memory machines Why? An abundance of graph processing applications Problems

534 views • 17 slides

More recommend