Security measures are urgently required to mitigate the recent rapid increase in network security attacks.Although methods employing machine learning have been researched and developed to detect various network attack...Security measures are urgently required to mitigate the recent rapid increase in network security attacks.Although methods employing machine learning have been researched and developed to detect various network attacks effectively,these are passive approaches that cannot protect the network from attacks,but detect them after the end of the session.Since such passive approaches cannot provide fundamental security solutions,we propose an active approach that can prevent further damage by detecting and blocking attacks in real time before the session ends.The proposed technology uses a two-level classifier structure:the first-stage classifier supports real-time classification,and the second-stage classifier supports accurate classification.Thus,the proposed approach can be used to determine whether an attack has occurred with high accuracy,even under heavy traffic.Through extensive evaluation,we confirm that our approach can provide a high detection rate in real time.Furthermore,because the proposed approach is fast,light,and easy to implement,it can be adopted in most existing network security equipment.Finally,we hope to mitigate the limitations of existing security systems,and expect to keep networks faster and safer from the increasing number of cyber-attacks.展开更多
Pattern matching is one of the most performance-critical components for the content inspection based applications of network security, such as network intrusion detection and prevention.To keep up with the increasing ...Pattern matching is one of the most performance-critical components for the content inspection based applications of network security, such as network intrusion detection and prevention.To keep up with the increasing speed network, this component needs to be accelerated by well designed custom coprocessor.This paper presents a parameterized multilevel pattern matching architecture (MPM) which is used on FPGAs.To achieve less chip area, the architecture is designed based on the idea of selected character decoding (SCD) and multilevel method which are analyzed in detail.This paper also proposes an MPM generator that can generate RTL-level codes of MPM by giving a pattern set and predefined parameters.With the generator, the efficient MPM architecture can be generated and embedded to a total hardware solution.The third contribution is a mathematical model and formula to estimate the chip area for each MPM before it is generated, which is useful for choosing the proper type of FPGAs.One example MPM architecture is implemented by giving 1785 patterns of Snort on Xilinx Virtex 2 Pro FPGA.The results show that this MPM can achieve 4.3 Gbps throughput with 5 stages of pipelines and 0.22 slices per character, about one half chip area of the most area-efficient architecture in literature.Other results are given to show that MPM is also efficient for general random pattern sets.The performance of MPM can be scalable near linearly, potential for more than 100 Gbps throughput.展开更多
基金This work was supported in part by the Information Technology Research Center(ITRC)Support Program supervised by the Institute for Information and Communications Technology Planning and Evaluation(IITP)(IITP-2020-2016-0-00313),and in part by and the 2021 Yeungnam University Research Grant.
文摘Security measures are urgently required to mitigate the recent rapid increase in network security attacks.Although methods employing machine learning have been researched and developed to detect various network attacks effectively,these are passive approaches that cannot protect the network from attacks,but detect them after the end of the session.Since such passive approaches cannot provide fundamental security solutions,we propose an active approach that can prevent further damage by detecting and blocking attacks in real time before the session ends.The proposed technology uses a two-level classifier structure:the first-stage classifier supports real-time classification,and the second-stage classifier supports accurate classification.Thus,the proposed approach can be used to determine whether an attack has occurred with high accuracy,even under heavy traffic.Through extensive evaluation,we confirm that our approach can provide a high detection rate in real time.Furthermore,because the proposed approach is fast,light,and easy to implement,it can be adopted in most existing network security equipment.Finally,we hope to mitigate the limitations of existing security systems,and expect to keep networks faster and safer from the increasing number of cyber-attacks.
基金Supported by the National Natural Science Foundation of China (Grant No 60803002)the Excellent Young Scholars Research Fund of Beijing Institute of Technology
文摘Pattern matching is one of the most performance-critical components for the content inspection based applications of network security, such as network intrusion detection and prevention.To keep up with the increasing speed network, this component needs to be accelerated by well designed custom coprocessor.This paper presents a parameterized multilevel pattern matching architecture (MPM) which is used on FPGAs.To achieve less chip area, the architecture is designed based on the idea of selected character decoding (SCD) and multilevel method which are analyzed in detail.This paper also proposes an MPM generator that can generate RTL-level codes of MPM by giving a pattern set and predefined parameters.With the generator, the efficient MPM architecture can be generated and embedded to a total hardware solution.The third contribution is a mathematical model and formula to estimate the chip area for each MPM before it is generated, which is useful for choosing the proper type of FPGAs.One example MPM architecture is implemented by giving 1785 patterns of Snort on Xilinx Virtex 2 Pro FPGA.The results show that this MPM can achieve 4.3 Gbps throughput with 5 stages of pipelines and 0.22 slices per character, about one half chip area of the most area-efficient architecture in literature.Other results are given to show that MPM is also efficient for general random pattern sets.The performance of MPM can be scalable near linearly, potential for more than 100 Gbps throughput.
