
    The HSS/SNiC : a conceptual framework for collapsing security down to the physical layer

    This work details the concept of a novel network security model called the Super NIC (SNIC) and a Hybrid Super Switch (HSS). The design will ultimately incorporate deep packet inspection (DPI), intrusion detection and prevention (IDS/IPS) functions, and network access control technologies, thereby making all end-point network devices inherently secure. The SNIC and HSS functions are modelled using a transparent GNU/Linux bridge with the Netfilter framework.

    Ultra-high throughput string matching for deep packet inspection

    Deep Packet Inspection (DPI) involves searching a packet's header and payload against thousands of rules to detect possible attacks. The increase in Internet usage and the growing number of attacks that must be searched for have meant that hardware acceleration has become essential to prevent DPI from becoming a bottleneck when used on an edge or core router. In this paper we present a new multi-pattern matching algorithm which can search for the fixed strings contained within these rules at a guaranteed rate of one character per cycle, independent of the number of strings or their length. Our algorithm is based on the Aho-Corasick string matching algorithm, with our modifications resulting in a memory reduction of over 98% on the strings tested from the Snort ruleset. This allows the search structures needed for matching thousands of strings to be small enough to fit in the on-chip memory of an FPGA. Combined with a simple hardware architecture, this leads to high throughput and low power consumption. Our hardware implementation uses multiple string matching engines working in parallel to search through packets. It can achieve a throughput of over 40 Gbps (OC-768) when implemented on a Stratix 3 FPGA and over 10 Gbps (OC-192) when implemented on the lower-power Cyclone 3 FPGA.

    The medical science DMZ: a network design pattern for data-intensive medical science

    Objective: We describe a detailed solution for maintaining high-capacity, data-intensive network flows (e.g., 10, 40, 100 Gbps+) in a scientific, medical context while still adhering to security and privacy laws and regulations.
    Materials and Methods: High-end networking, packet-filter firewalls, network intrusion-detection systems.
    Results: We describe a “Medical Science DMZ” concept as an option for secure, high-volume transport of large, sensitive datasets between research institutions over national research networks, and give 3 detailed descriptions of implemented Medical Science DMZs.
    Discussion: The exponentially increasing amounts of “omics” data, high-quality imaging, and other rapidly growing clinical datasets have resulted in the rise of biomedical research “Big Data.” The storage, analysis, and network resources required to process these data and integrate them into patient diagnoses and treatments have grown to scales that strain the capabilities of academic health centers. Some data are not generated locally and cannot be sustained locally, and shared data repositories such as those provided by the National Library of Medicine, the National Cancer Institute, and international partners such as the European Bioinformatics Institute are rapidly growing. The ability to store and compute using these data must therefore be addressed by a combination of local, national, and industry resources that exchange large datasets. Maintaining data-intensive flows that comply with the Health Insurance Portability and Accountability Act (HIPAA) and other regulations presents a new challenge for biomedical research. We describe a strategy that marries performance and security by borrowing from and redefining the concept of a Science DMZ, a framework that is used in physical sciences and engineering research to manage high-capacity data flows.
    Conclusion: By implementing a Medical Science DMZ architecture, biomedical researchers can leverage the scale provided by high-performance computer and cloud storage facilities and national high-speed research networks while preserving privacy and meeting regulatory requirements.

    Hardware Acceleration of Network Intrusion Detection System Using FPGA

    This thesis presents new algorithms and hardware designs for Signature-based Network Intrusion Detection System (SB-NIDS) optimisation exploiting a hybrid hardware-software co-designed embedded processing platform. The work described concentrates on optimisation of a complete SB-NIDS Snort application on an FPGA-based hardware-software target rather than on the implementation of a single functional unit for hardware acceleration. A Pattern Matching Hardware Accelerator (PMHA) based on a Bloom filter was designed to optimise SB-NIDS performance for execution on a Xilinx MicroBlaze soft-core processor. The Bloom filter approach enables the potentially large number of network intrusion attack patterns to be efficiently represented and searched primarily using accesses to FPGA on-chip memory. The thesis demonstrates the viability of the hybrid hardware-software co-designed approach for SB-NIDS. Future work is required to investigate the effects of later-generation FPGA technology and multi-core processors in order to clearly prove the benefits over conventional processor platforms for SB-NIDS. The strengths and weaknesses of the hardware accelerators and algorithms are analysed, and experimental results are examined to determine the effectiveness of the implementation. Experimental results confirm that the PMHA is capable of performing network packet analysis for gigabit-rate network traffic. Experimental test results indicate that our SB-NIDS prototype implementation on a relatively low clock rate embedded processing platform performs approximately 1.7 times better than Snort executing on a general-purpose PC processor when comparing processor cycles rather than wall clock time.

    Towards transparent and secure IoT: Device intents declaration, and user privacy self awareness and control

    In recent years, we have seen a growing wave of integration of new IoT (Internet of Things) technologies into society. The massive integration of these technologies has led to the emergence of several critical issues, which have in turn created new challenges for which no obvious answers have yet been found. One of the main challenges concerns the security and privacy of information processed by the IoT devices present in our daily lives. At present there are no guarantees from the manufacturers of such IoT devices, which are connected to our networks, regarding the collection and sending of personal information, nor regarding their expected behavior. Thus, in this work, we developed and tested a solution that aims to increase the privacy and security of information in networks of IoT devices, from the perspective of controlling the communication of smart devices on the network. It includes one tool capable of analyzing packets sent by IoT devices and another capable of defining and applying network traffic control rules to the packets in question. These tools were indispensable for investigating the two central aspects of this dissertation: how the declarations of communication intentions of IoT devices, as specified by the manufacturers, can be used to facilitate consumers' control of communication and enable them to detect violations of those intentions; and how to give users/consumers control over IoT communication, so that they can define what they do and do not want their devices to communicate.

    Investigation of Efficient Unified Threat Management in Enterprise Security

    This thesis explores the problems that exist today with perimeter security in data communications, specifically the disparate architecture that exists to mitigate risk. Currently there are many different components of the enterprise security perimeter that are not cohesive and do not collaborate well to form an efficient, scalable, operationally supportable gateway design. The thesis breaks down this problem by illustrating the shortcomings of current technologies. These illustrations are used in conjunction with published research and authored research to provide solid footing for the idea of a unified threat management (UTM) model. In this model, threat prevention techniques are consolidated into a single logical operating environment that leverages advances in next-generation firewalls, intrusion prevention systems, content filtering and antivirus technologies. The results of this investigation are provided in a matrix that shows the strengths and weaknesses of a consolidated unified model.

    Multi-Gigabit Pattern for Data in Network Security

    In the current scenario, network security is an emerging concern around the world. Matching large sets of patterns against an incoming stream of data is a fundamental task in several fields such as network security or computational biology. High-speed network intrusion detection systems (IDS) rely on efficient pattern matching techniques to analyze the packet payload and make decisions on the significance of the packet body. However, matching the streaming payload bytes against thousands of patterns at multi-gigabit rates is computationally intensive. Various techniques have been proposed in the past, but system performance degrades at multi-gigabit rates. Pattern matching is a significant issue in intrusion detection systems, but by no means the only one. Handling multi-content rules, reordering, and reassembling incoming packets are also significant for system performance. We present two pattern matching techniques to compare incoming packets against intrusion detection search patterns. The first approach, decoded partial CAM (DpCAM), pre-decodes incoming characters, aligns the decoded data, and performs a logical AND on them to produce the match signal for each pattern. The second approach, perfect hashing memory (PHmem), uses perfect hashing to determine a unique memory location that contains the search pattern, and a comparison between incoming data and memory output to determine the match. The suggested methods have been implemented in VHDL, and Xilinx tools are used for synthesis.

    Implementation of Multipattern String Matching Accelerated with GPU for Intrusion Detection System

    As Internet-related security threats continue to increase in terms of volume and sophistication, existing Intrusion Detection Systems are also being challenged to cope with current Internet development. A multi-pattern string matching algorithm accelerated with a Graphical Processing Unit (GPU) is utilized to improve the packet scanning performance of the IDS. This paper implements a multi-pattern string matching algorithm, also called Parallel Failureless Aho-Corasick, accelerated with a GPU to improve the performance of the IDS. The OpenCL library is used to allow the IDS to support various GPUs, including popular GPUs such as the NVIDIA and AMD devices used in our research. The experimental results show that the application of multi-pattern string matching on a GPU-accelerated platform provides a speed-up of up to 141% in terms of throughput compared to the previous research.

    Self-Addressable Memory-Based FSM: A Scalable Intrusion Detection Engine

    One way to detect and thwart a network attack is to compare each incoming packet with predefined patterns, also called an attack pattern database, and raise an alert upon detecting a match. This article presents a novel pattern-matching engine that exploits a memory-based, programmable state machine to achieve deterministic processing rates that are independent of packet and pattern characteristics. Our engine is a self-addressable memory-based finite state machine (SAM-FSM), whose current-state coding exhibits all its possible next states. Moreover, it is fully reconfigurable in that new attack patterns can be updated easily. A methodology was developed to program the memory and logic. Specifically, we merge non-equivalent states by introducing super characters on their inputs to further enhance memory efficiency without adding labels. SAM-FSM is one of the most storage-efficient machines and reduces the memory requirement by 60 times. Experimental results are presented to demonstrate the validity of SAM-FSM.