Network Intrusion Detection Systems on FPGAs with On-Chip Network Interfaces

Christopher Clark, Georgia Institute of Technology
Craig Ulmer, Sandia National Laboratories, California

Craig Ulmer, [email protected]

February 22, 2005

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

Network Intrusion Detection Systems on FPGAs with On-Chip Network Interfaces

Note: This work was not performed by SNL’s network security group and is independent of SNL’s network security policy or infrastructure.

[Figure: good and malicious packets arrive from the network; the NIDS, built into an FPGA with on-chip network interfaces (NI), passes good packets and stops malicious ones]

Chris Clark / Georgia Tech, Craig Ulmer / SNL

Outline

• Background: An evolution of NIDS and FPGAs

• Single-Chip NIDS: An integrated approach

• Example: A Multi-Filter Bridge NIDS

– Implementation details and measurements

• Concluding remarks and future work

Background: An Evolution of NIDS and FPGAs

Network Intrusion Detection Systems (NIDS)

• There are many malicious users on the Internet

– Unprotected home PCs hijacked within 10 minutes

– Even if protected, still fighting denial of service

• Network Intrusion Detection Systems (NIDS)

– Monitor the network and react to attacks

• Example: Snort (www.snort.org)

– Large database of malicious packet signatures

– 1,305 rules with 1,512 patterns

– Pattern matching on 17,537 characters

Host-based NIDS Implementations

[Figure: three host-based architectures (Software, FPGA Card, FPGA-enabled NIC), each assembled from NIC, CPU and, for the latter two, FPGA blocks joined by I/O; the ID function sits in a different block in each]

• Multiple architectures proposed for NIDS

– Separation of Network Interface and Intrusion Detection

Single-Chip NIDS: An Integrated Approach

Evolution: An Integrated Approach

• New FPGAs have network transceivers

– FPGAs interact directly with the network

• Build a complete NIDS in an FPGA

– NI and ID units under one roof

• Integration benefits

– Customization of units and topology

– Portability

– New applications

• Describe our integration experiences

[Figure: before, Intrusion Detection on the FPGA with separate Network Interface chips between it and the network; after, Network Interface and Intrusion Detection both on the FPGA, connected directly to the network]

Network Interface: Gigabit Ethernet

• Xilinx Virtex II/Pro FPGA has Rocket I/O modules

• We developed a simplified GigE network interface

– Stripped down to essentials: move data between network and FIFOs

– Roughly the same size as the FIFO-less Xilinx GigE core

• FIFOs enable data rate changes between FPGA and Network

[Figure: GigE Network Interface Core between the FPGA internals and the GigE network: Rocket I/O Transceiver, Framer, Rx Control (16b Align, CRC Filter) feeding the Rx Packet FIFO, and Tx Control fed by the Tx Packet FIFO]

Intrusion Detection Unit

[Figure: Intrusion Detection Unit: Ethernet frame data enters a Header Decoder; the Header goes to Header Analysis and the Aligned Payload to Payload Analysis; the Header Match and Payload Match signals form a Match Vector for the Match Decision Logic, which outputs Drop or Match]

• Snort rules translated to a structural JHDL intrusion detection unit

– Compile-time selection of 16/32/64b data width

– Both header and payload analysis units

• Payload analysis unit performs large-scale pattern matching

– Non-deterministic finite state automata (NFA)

– Previously described in FCCM 2004 (Clark and Schimmel)

Integrated Example: A Multi-Filter Bridge NIDS

Filtering Network Connections

• Desire a NIDS that we can insert on a network link

– Detect and filter out attacks

– Transparent to users

– Single bi-directional link: Filter Bridge

– Can extend to support multiple filter bridges per FPGA

[Figure: Single Filter Bridge: an ID Unit on the FPGA sits between two network interfaces (NI, NI), one on each side of the link]

Data Rates in Multi-Filter Bridge NIDS

• ID data rate > Aggregate network rate

• Increase ID data rate

– Data path: 16/32/64 bits

– Clock: 62.5–125 MHz

• Example: 2 Bridges

– ID needs 4x data rate

– 1x = 16b / 62.5 MHz

– 4x = 32b / 125 MHz

[Figure: multi-filter bridge: two NI pairs share one ID Unit through a Scheduler; the ID Unit returns OK or Drop for each frame]
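A worked check of the rate requirement above, as an added example that is not part of the original deck. It assumes each filter bridge is one bi-directional GigE link (two 1 Gb/s streams) and that the ID clock may take any value in the 62.5–125 MHz range, and it picks the narrowest data path that keeps up, since the utilization slides show bitwidth is what drives area.

```python
# Data-path widths and clock range the deck gives for the ID unit (assumed
# continuous clock range), plus the Gigabit Ethernet line rate.
ID_WIDTHS_BITS = (16, 32, 64)
ID_CLOCK_MIN_MHZ, ID_CLOCK_MAX_MHZ = 62.5, 125.0
GIGE_LINK_MBPS = 1000.0  # one direction of one GigE link


def aggregate_rate_mbps(num_bridges):
    """Each bridge filters one bi-directional link: two 1 Gb/s streams."""
    return 2 * num_bridges * GIGE_LINK_MBPS


def id_rate_mbps(width_bits, clock_mhz):
    """ID throughput: bits per cycle times million cycles per second."""
    return width_bits * clock_mhz


def choose_id_config(num_bridges):
    """Return (width_bits, clock_mhz) meeting ID rate >= aggregate rate.

    Prefers the narrowest data path and the lowest legal clock; returns
    None when even 64b at 125 MHz cannot keep up (the failure mode an
    in-line filter must never hit silently, or it falls behind the link).
    """
    needed = aggregate_rate_mbps(num_bridges)
    for width in ID_WIDTHS_BITS:
        clock = max(ID_CLOCK_MIN_MHZ, needed / width)
        if clock <= ID_CLOCK_MAX_MHZ:
            return width, clock
    return None


if __name__ == "__main__":
    for n in range(1, 6):
        print(n, "bridge(s):", choose_id_config(n))
```

The deck's own data point falls out directly: two bridges need 4x, and the search lands on 32 bits at 125 MHz.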

Multi-Filter Bridge: Implementation Details and Measurements

Multi-Filter Bridge Implementation

• Parameterized design

– Number of bridges: 1-4

– ID bitwidth: 16b/32b/64b

– NI FIFO depth: 2-16 KB

• Xilinx ML300 Reference Board

– Virtex II/Pro-7 FPGA (-6)

– Four optical GigE ports

• Pair of Intel hosts

– Packet Engines GigE cards

Latency Measurements

• Internal measurements

– Used ChipScope Pro

– Counted clock cycles

• External measurements

– Host-to-host

– Round-trip timings

– Long and short messages

Host-to-host round-trip latency by message size:

Topology       43 bytes   1024 bytes
No NIDS        119 µs     224 µs
Single NIDS    123 µs     244 µs
Dual NIDS      128 µs     291 µs

Internal latency per operation:

Operation      Latency
Transceiver    0.64 µs
1x ID          2.4 µs
2x ID          1.6 µs

Percentage of Maximum Rule Set for Single Filter Bridge

[Chart: percentage of the maximum rule set (0–100%) that fits a single filter bridge, by device (V2P7, V2P20, V2P30, V2P50, V2P70, V2P100) and ID data width (16-bit, 32-bit, 64-bit)]

FPGA Utilization for Multi-Filter Bridges

[Chart: V2P50 Slice Utilization (0–100%) versus Number of Filter Bridges (1 to 4) for 16-bit, 32-bit and 64-bit ID data paths]

• Constant FPGA size and rule set

– Virtex II/Pro 50 (-6)

– 2,001 chars (10% of max)

• Increases in bitwidth

– Large jumps

– 32b to 64b > 16b to 32b

• Increases in number of bridges

– ID unit unaffected

Density Observations

• Largest parts unappealing

– Significant compile times

– Limited routing resources

• Medium parts more economical

– Chain multiple NIDS bridges

• Virtex-4 parts

– More affordable

– Prices are more linear

[Chart: Relative V2P Price & Density: FPGA Price and FPGA Density (both relative to V2P7, 0x to 30x) versus FPGA Slices (0 to 50,000), with V2P7, V2P40, V2P70 and V2P100 marked]

Conclusions and Future Work

• Integrated NIDS appealing

– Customize individual components and overall design

– Good portability because it does not depend on external chips

• Multi-filter bridge design

– Demonstrated a transparent in-line filter

– Supports a low number of filter bridges at link speeds

• Future work to explore larger parts in greater detail

– Better results with floor planning and early placement

– 16% improvement in clock rate

– Constrain to top 65% of V2P100

Backup Slides

Network Interface Characteristics

• Flexible packet FIFO

– 16/32/64b width to user

– 2-16 KB (each direction)

– Can handle 185 MHz clock rate

– Separate reader/writer clocks

• Small size

– GigE with 4KB FIFOs: 749 slices

– Xilinx GigE core (no FIFO): 763 slices

ID Payload Analysis Unit

• Large-scale pattern matching

– Non-deterministic finite state automata (NFA)

– Previously described in FCCM 2004 (Clark and Schimmel)

• Decode incoming symbol and route to necessary stages

[Figure: an 8-bit input stream (abcd..) is decoded once into per-character match signals (Match ‘a’, Match ‘b’, Match ‘c’, Match ‘d’), which are routed to the NFA stages for Match “abb” and Match “dcb”]
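The decoded-character NFA matching described here and on the Intrusion Detection Unit slide, as an added software analogue that is not the authors' JHDL design: each incoming symbol is decoded once and routed only to the pattern stages that consume it, and every stage advances in lockstep, one symbol per clock, so overlapping candidate matches are tracked at the same time as an NFA would. The patterns “abb” and “dcb” come from the slide; the payloads in the test are constructed.

```python
from collections import defaultdict


class DecodedNfaMatcher:
    """Software model of a character-decoded NFA payload matcher."""

    def __init__(self, patterns):
        self.patterns = list(patterns)
        # Shared decoder: symbol -> every (pattern, stage) comparator that
        # wants it. Hardware decodes each input byte once and fans it out.
        self.route = defaultdict(list)
        for p, pat in enumerate(self.patterns):
            for s, sym in enumerate(pat):
                self.route[sym].append((p, s))
        self.reset()

    def reset(self):
        # One "active" flip-flop per stage of every pattern.
        self.active = [[False] * len(p) for p in self.patterns]

    def step(self, sym):
        """Clock one symbol in; return patterns that complete this cycle."""
        nxt = [[False] * len(p) for p in self.patterns]
        matched = []
        for p, s in self.route.get(sym, ()):
            # Stage 0 is always enabled (a match may start at any offset);
            # later stages fire only if the previous stage was active.
            if s == 0 or self.active[p][s - 1]:
                if s + 1 == len(self.patterns[p]):
                    matched.append(self.patterns[p])
                else:
                    nxt[p][s] = True
        self.active = nxt  # all stages update in lockstep, like registers
        return matched

    def scan(self, payload):
        """Run a whole payload; return [(end_offset, pattern), ...].

        Works on str or bytes as long as patterns use the same type,
        since iterating bytes yields ints for both input and pattern.
        """
        self.reset()
        hits = []
        for i, sym in enumerate(payload):
            hits.extend((i, pat) for pat in self.step(sym))
        return hits
```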

