Real-time Regular Expression Matching
This paper is devoted to finite state automata, regular expression matching, pattern recognition, and the exponential blow-up problem: the growth of automaton size that can be exponential in the length of the regular expression. It presents a theoretical and hardware solution to the exponential blow-up problem for some complicated classes of regular languages, a problem that has imposed severe limitations on the operation of Network Intrusion Detection Systems. The article supports the solution with theorems on correctness and complexity.
Comment: 17 pages, 11 figures
Hardware acceleration for power efficient deep packet inspection
The rapid growth of the Internet has led to a massive spread of malicious attacks such as viruses and malware, making the safety of online activity a major concern. Network Intrusion Detection Systems (NIDS) are an effective means of safeguarding the Internet, and one key procedure in a NIDS is Deep Packet Inspection (DPI). DPI examines the contents of a packet and acts on the packet according to predefined rules. In this thesis, DPI is mainly discussed in the context of security applications, although it is also used for bandwidth management and network surveillance.
DPI inspects the whole packet payload, and because of this and the complexity of the inspection rules, DPI algorithms consume significant amounts of time, memory and energy. The aim of this thesis is to design hardware-accelerated methods for memory- and energy-efficient high-speed DPI.
The patterns in packet payloads, especially complex patterns, can be efficiently represented by regular expressions, which are matched by translating them into Deterministic Finite Automata (DFA). DFA matching is fast but consumes very large amounts of memory for certain kinds of regular expressions. This thesis proposes memory-efficient algorithms based on transition compression of the DFAs.
In this work, Bloom filters are used to implement DPI on an FPGA for hardware acceleration, with a parallel architecture. Furthermore, aiming at a balance between power and performance, an energy-efficient adaptive Bloom filter is designed that adjusts the number of active hash functions to the current workload. A method is also given for implementation on both two-stage and multi-stage platforms. However, the false-positive rate still prevents the Bloom filter from wider use; a cache-based counting Bloom filter is therefore presented to eliminate the false positives for fast and exact matching.
Finally, as future work, models of routers and DPI will be built to estimate the power savings and to analyse the latency impact of adapting the clock frequency dynamically to the current traffic. A low-power DPI system with one or more DPI engines will also be designed, and results and evaluation of the low-power DPI model and system will be produced in the future.
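As an added example (not code from the thesis), the Python below models the Bloom-filter stage of such a DPI engine: a fixed-length prefix of every signature is inserted into a counting Bloom filter, the filter is probed for each payload window, and a hit is confirmed by an exact comparison so that the reported matches carry no false positives. The filter can be queried with fewer active hash functions than it was built with, which is one way to model the adaptive filter's trade between memory accesses per byte and false-positive rate; the thesis's own cache-based counting filter and FPGA architecture are not reproduced. The signatures, payload and filter parameters are constructed for the example.

```python
import hashlib
import math

# Constructed sample signatures (literal fragments of the kind a DPI rule set
# carries) and a constructed HTTP payload to scan; not data from the thesis.
SIGNATURES = [b"/etc/passwd", b"cmd.exe", b"<script>", b"UNION SELECT"]
PAYLOAD = b"GET /index.php?q=' UNION SELECT 1,2,3 -- HTTP/1.1\r\nHost: x\r\n"
WINDOW = min(len(s) for s in SIGNATURES)  # prefix length hashed into the filter


def positions(item, m, k):
    """k positions for item by double hashing (Kirsch-Mitzenmacher), so the
    first k' < k positions are always a prefix of the full set."""
    h = hashlib.sha256(item).digest()
    h1 = int.from_bytes(h[:8], "big")
    h2 = int.from_bytes(h[8:16], "big") | 1
    return [(h1 + i * h2) % m for i in range(k)]


class CountingBloomFilter:
    """Bloom filter with a counter per position, so signatures can be removed
    when the rule set changes without rebuilding the filter."""

    def __init__(self, m, k):
        self.m, self.k = m, k
        self.counts = [0] * m

    def add(self, item):
        for p in positions(item, self.m, self.k):
            self.counts[p] += 1

    def remove(self, item):
        for p in positions(item, self.m, self.k):
            self.counts[p] -= 1

    def might_contain(self, item, active_k=None):
        # Adaptive query: probe only the first active_k of the k positions set at
        # insertion. Fewer memory accesses per byte, higher false-positive rate,
        # never a false negative (every probed position was incremented by add).
        k = self.k if active_k is None else max(1, min(active_k, self.k))
        return all(self.counts[p] > 0 for p in positions(item, self.m, k))


def expected_fpr(m, k, n):
    """Standard estimate of the false-positive rate after n insertions."""
    return (1 - math.exp(-k * n / m)) ** k


def build_filter(signatures, m=4096, k=4):
    bf = CountingBloomFilter(m, k)
    for sig in signatures:
        bf.add(sig[:WINDOW])
    return bf


def scan(payload, bf, signatures, active_k=None):
    """Slide a WINDOW-byte window over the payload. A filter hit only selects the
    candidate signatures; an exact comparison confirms them, so the returned
    matches carry no false positives. Also returns the raw filter hit count."""
    by_prefix = {}
    for sig in signatures:
        by_prefix.setdefault(sig[:WINDOW], []).append(sig)
    matches, filter_hits = [], 0
    for i in range(len(payload) - WINDOW + 1):
        window = payload[i:i + WINDOW]
        if not bf.might_contain(window, active_k):
            continue
        filter_hits += 1
        for sig in by_prefix.get(window, []):
            if payload.startswith(sig, i):
                matches.append((i, sig))
    return matches, filter_hits
```

Querying with active_k smaller than the insertion k keeps every true match (the probed positions are a subset of those set) but lets more windows through to the verification step, which is the cost the adaptive design trades for energy. A production engine would group signatures by length so that longer prefixes can be hashed; here the window is simply the shortest signature.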
Big data analytics for time critical maritime and aerial mobility forecasting
The correlated exploitation of heterogeneous data sources offering very large archival and streaming data is important for increasing the accuracy of computations when analysing and predicting future states of moving entities. Aiming to significantly advance the capacity of systems to improve the safety and effectiveness of critical operations involving a large number of moving entities in large geographical areas, this paper describes progress achieved towards time-critical big data analytics solutions to user-defined challenges in the air-traffic management and maritime domains. The paper also presents further research challenges concerning data integration and management, predictive analytics for trajectory and event forecasting, and visual analytics.
Securing Network Processors with Hardware Monitors
As an essential part of modern society, the Internet has fundamentally changed our lives during the last decade. Novel applications and technologies, such as online shopping, social networking, cloud computing and mobile networking, have sprung up at an astonishing pace. These technologies not only influence modern lifestyles but also impact Internet infrastructure. Numerous new network applications and services require better programmability and flexibility from network devices such as routers and switches. Since traditional fixed-function network routers based on application-specific integrated circuits (ASICs) have difficulty keeping pace with the growing demands of next-generation Internet applications, there is an ongoing shift in the industry toward implementing network devices using programmable network processors (NPs).
While network processors offer great benefits in terms of flexibility, their reprogrammable nature exposes potential security risks. Like network end-systems such as general-purpose computers, software-based network processors have security vulnerabilities that can be attacked remotely. Recent research has shown that a new type of data plane attack is able to modify the functionality of a network processor and cause a denial-of-service (DoS) attack by sending a single malformed UDP packet. Since this attack relies solely on data plane access and does not need access to the control plane, it can be particularly difficult to control.
Hardware security monitors have been introduced to identify and eliminate these malicious packets before they can propagate and cause devastating effects in the network. However, previous work on hardware monitors focuses only on single-core systems with static (or very slowly changing) workloads. In network processors that use up to hundreds of parallel processor cores and have processing workloads that change dynamically with the network traffic, the realization of a complete multicore hardware monitoring system remains a critical challenge. The research in this thesis provides a comprehensive solution to this problem.
Our first contribution is the design and prototype implementation of a Scalable Hardware Monitoring Grid (SHMG). This scalable architecture balances area cost and performance overhead by using a clustered approach for multicore NP systems. In order to adapt to dynamically changing network traffic, a resource reallocation algorithm is designed to reassign the processing resources in SHMG to different network applications at runtime. An evaluation of the prototype SHMG on an Altera DE4 board demonstrates low resource and performance overheads. The functionality and performance of a runtime resource reallocation algorithm are tested using a simulation environment.
A second significant contribution of this work is a network system-level security solution for multicore network processors with hardware monitors. It addresses two key problems: (1) how to securely manage and reprogram processor cores and monitors in a router already deployed in the network, and (2) how to protect the large number of identical router devices in the network against an attack that circumvents one specific monitoring system and could lead to Internet-scale failures. A Secure Dynamic Multicore Hardware Monitoring System (SDMMon) is designed based on cryptographic principles and suitable key management to ensure the secure installation of processor binaries and monitor graphs. We present a Merkle-tree-based parameterizable high-performance hash function that can be configured to perform a variety of functions in different devices via a 32-bit configuration parameter. A prototype system composed of both the SDMMon and the parameterizable hash is implemented and evaluated on an Altera DE4 board.
Finally, a fully functional, comprehensive Multicore NP Security Platform, which integrates both the SHMG and the SDMMon security features, has been implemented on an Altera DE5 board.
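The monitoring idea can be illustrated in software. The Python below is an added example, not the thesis's design: a monitor graph is derived offline from a constructed toy data-plane program (one node per instruction, carrying the instruction's hash and its static successors), the core reports the hash of each instruction it executes, and the monitor keeps the set of graph nodes consistent with the reported stream. An empty set means the core is running code the installed binary cannot produce, so the packet is dropped and the core reset. A keyed MAC over binary and graph stands in for the secure-installation check; the thesis's key management and parameterizable hash are not reproduced. The program, control-flow graph, hash width and key are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed toy data-plane program for one NP core (address -> instruction)
# and its static control-flow graph (which addresses may execute next).
# An illustration of the monitoring idea, not the thesis's binary or graph format.
PROGRAM = {
    0: "load r1, pkt_len",
    1: "cmp r1, 64",
    2: "jlt 5",
    3: "call process_large",
    4: "jmp 6",
    5: "call process_small",
    6: "store r2, result",
    7: "ret",
}
CFG = {0: [1], 1: [2], 2: [3, 5], 3: [4], 4: [6], 5: [6], 6: [7], 7: []}
HASH_BITS = 32  # assumption; hardware monitors use far shorter hashes to save memory


def instr_hash(text):
    """Hash of one instruction, as the core reports it to the monitor."""
    digest = hashlib.sha256(text.encode()).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << HASH_BITS) - 1)


def build_monitor_graph(program, cfg):
    """Offline step: one node per address, carrying its hash and successors."""
    return {a: (instr_hash(text), list(cfg[a])) for a, text in program.items()}


class HardwareMonitor:
    """Tracks every graph node consistent with the reported hash stream, so a
    hash collision widens the candidate set instead of raising a false alarm.
    An empty set means the core executed something the binary cannot produce."""

    def __init__(self, graph, entry=0):
        self.graph, self.entry = graph, entry
        self.reset()

    def reset(self):
        self.candidates = {self.entry}
        self.violated = False

    def observe(self, reported_hash):
        if self.violated:
            return False
        alive = [n for n in self.candidates if self.graph[n][0] == reported_hash]
        if not alive:
            self.violated = True
            return False
        self.candidates = {s for n in alive for s in self.graph[n][1]}
        return True


def process_packet(monitor, executed):
    """One packet through the core model; `executed` is the instruction text the
    core really runs, attacker-modified code included. Returns the verdict."""
    monitor.reset()
    for text in executed:
        if not monitor.observe(instr_hash(text)):
            return "drop"      # monitor discards the packet and resets the core
    return "forward"


def sign_bundle(program, cfg, key):
    """Stand-in for secure installation: a keyed MAC over the canonical form of
    binary and monitor graph (the thesis's key management is not reproduced)."""
    blob = json.dumps({"program": program, "cfg": cfg}, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def install(program, cfg, tag, key):
    """Load binary and monitor graph into a core only if the MAC verifies."""
    if not hmac.compare_digest(sign_bundle(program, cfg, key), tag):
        raise ValueError("rejected: binary/monitor graph not authenticated")
    return HardwareMonitor(build_monitor_graph(program, cfg))
```

Both legitimate paths through the branch at address 2 are accepted; injected instructions, executing both branch targets in one run, or running past the final `ret` all leave the graph and are dropped. Tracking a candidate set rather than a single node is what lets a monitor use short hashes without false alarms, at the price that an attacker whose injected instructions happen to collide with the expected hashes goes unnoticed for those steps.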
Faster Compression of Deterministic Finite Automata
Deterministic finite automata (DFA) are a classic tool for high-throughput matching of regular expressions, both in theory and practice. Due to their high space consumption, extensive research has been devoted to compressed representations of DFAs that still support efficient pattern matching queries. Kumar et al. [SIGCOMM 2006] introduced the delayed deterministic finite automaton (D²FA), which exploits the large redundancy between inter-state transitions in the automaton. They showed it to obtain up to two orders of magnitude compression of real-world DFAs, and their work formed the basis of numerous subsequent results. Their algorithm, as well as later algorithms based on their idea, have an inherent quadratic-time bottleneck, as they consider every pair of states to compute the optimal compression. In this work we present a simple, general framework based on locality-sensitive hashing for speeding up these algorithms to achieve sub-quadratic construction times for D²FAs. We apply the framework to speed up several algorithms to near-linear time, and experimentally evaluate their performance on real-world regular expression sets extracted from modern intrusion detection systems. We find an order of magnitude improvement in compression times, with either little or no loss of compression, or even significantly better compression in some cases.
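As an added example serving both the transition-compression discussion in the DPI thesis above and this abstract (illustrative code, not the paper's or Kumar et al.'s implementation), the Python below builds a complete DFA for a constructed set of literal signatures with the Aho-Corasick construction, compresses it into a D²FA by choosing default transitions along a maximum-weight spanning forest of the pairwise state-similarity graph, and matches with the compressed automaton. The all-pairs weighting loop is exactly the quadratic step the paper replaces with locality-sensitive hashing; that speedup is not implemented here, nor is Kumar et al.'s bound on default-path length.

```python
from collections import deque

# Constructed signature fragments standing in for an IDS rule set (not from the
# paper). The alphabet is the symbols they use plus "*" for any other byte.
PATTERNS = ["cmd.exe", "cmd.com", "/etc/passwd", "/etc/shadow", "shell"]
ALPHABET = sorted(set("".join(PATTERNS))) + ["*"]


def build_dfa(patterns, alphabet):
    """Aho-Corasick automaton with a complete table delta[state][symbol] -> state,
    plus out[state]: the patterns that end at that state."""
    goto, out = [{}], [set()]
    for pat in patterns:
        s = 0
        for ch in pat:
            if ch not in goto[s]:
                goto.append({})
                out.append(set())
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s].add(pat)
    fail = [0] * len(goto)
    delta = [None] * len(goto)
    delta[0] = {c: goto[0].get(c, 0) for c in alphabet}
    queue = deque(goto[0].values())          # depth-1 states fail to the root
    while queue:
        s = queue.popleft()
        # own goto edges; every other symbol inherits the failure state's move
        delta[s] = {c: goto[s].get(c, delta[fail[s]][c]) for c in alphabet}
        out[s] |= out[fail[s]]
        for ch, nxt in goto[s].items():
            fail[nxt] = delta[fail[s]][ch]
            queue.append(nxt)
    return delta, out


def build_d2fa(delta, alphabet):
    """D2FA: default transitions along a maximum-weight spanning forest of the
    state-pair graph; each state keeps only transitions that differ from its
    default target's. The pairwise weighting is the quadratic step."""
    n = len(delta)
    edges = []
    for u in range(n):
        for v in range(u + 1, n):
            w = sum(1 for c in alphabet if delta[u][c] == delta[v][c])
            if w >= 2:           # a default edge costs one slot, so it must save >= 2
                edges.append((w, u, v))
    edges.sort(reverse=True)
    parent = list(range(n))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    adj = [[] for _ in range(n)]
    for w, u, v in edges:    # Kruskal; a forest keeps the default graph acyclic
        ru, rv = find(u), find(v)
        if ru != rv:
            parent[ru] = rv
            adj[u].append(v)
            adj[v].append(u)
    default = [None] * n
    labeled = [dict(delta[s]) for s in range(n)]   # roots keep their full row
    seen = [False] * n
    for root in range(n):
        if seen[root]:
            continue
        seen[root] = True
        stack = [root]
        while stack:
            p = stack.pop()
            for child in adj[p]:
                if seen[child]:
                    continue
                seen[child] = True
                default[child] = p
                labeled[child] = {c: t for c, t in delta[child].items() if t != delta[p][c]}
                stack.append(child)
    return labeled, default


def step(labeled, default, state, sym):
    """D2FA move: follow default transitions until a labeled one exists."""
    while sym not in labeled[state]:
        state = default[state]
    return labeled[state][sym]


def transition_count(labeled, default):
    return sum(len(row) for row in labeled) + sum(d is not None for d in default)


def scan(labeled, default, out, text):
    symbols = set(ALPHABET)
    state, hits = 0, []
    for i, ch in enumerate(text):
        state = step(labeled, default, state, ch if ch in symbols else "*")
        hits.extend((i - len(pat) + 1, pat) for pat in out[state])
    return sorted(hits)
```

Every default chain ends at a forest root, which keeps its complete row, so `step` always returns the same state as the uncompressed table; the price is the extra memory references along the chain per input byte, which is why Kumar et al. also bound the chain length. On this pattern set the full table has 33 states times 16 symbols, and almost every state shares all but one or two transitions with the root, so the compressed count is a small fraction of that.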
Are Intrusion Detection Studies Evaluated Consistently? A Systematic Literature Review
Cyberinfrastructure is increasingly becoming the target of a wide spectrum of attacks, from Denial of Service to large-scale defacement of an organization's digital presence. Intrusion Detection Systems (IDSs) give administrators a defensive edge over the intruders launching such attacks. However, with the sheer number of different IDSs available, one has to objectively assess their capabilities to select an IDS that meets specific organizational requirements. A prerequisite for such an objective assessment is the implicit comparability of the IDS literature. In this study, we review the IDS literature to understand that comparability from the perspective of the metrics used in the empirical evaluation of IDSs. We identified 22 metrics commonly used in the empirical evaluation of IDSs and constructed search terms to retrieve papers that mention each metric. We manually reviewed a sample of 495 papers and found 159 of them to be relevant. We then estimated the number of relevant papers in the entire set of papers retrieved from IEEE. We found that, in the evaluation of IDSs, many different metrics are used and the trade-off between metrics is rarely considered. In a retrospective analysis of the IDS literature, we found that the evaluation criteria have been improving over time, albeit marginally. The inconsistencies in the use of evaluation metrics mean that one IDS often cannot be directly compared with another.
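As an added illustration (not part of the review), the Python below computes the confusion matrix and the usual metrics for a constructed detector output at several alert thresholds, then re-derives the precision an operator would actually see at an assumed deployment prevalence of attacks. It shows the trade-off the review says is rarely reported: raising the threshold lowers the false-positive rate at the cost of detection rate, and a detector that looks good on a balanced test set can produce mostly false alarms in deployment. The scores, labels and prevalence are all constructed.

```python
# Constructed evaluation set: (detector score, label) pairs, 10 attacks (label 1)
# and 10 benign flows (label 0). Illustrative only, not data from the review.
SAMPLES = [
    (0.90, 1), (0.85, 1), (0.80, 1), (0.75, 1), (0.70, 1),
    (0.65, 1), (0.60, 1), (0.55, 1), (0.50, 1), (0.30, 1),
    (0.05, 0), (0.10, 0), (0.15, 0), (0.20, 0), (0.25, 0),
    (0.35, 0), (0.40, 0), (0.45, 0), (0.52, 0), (0.70, 0),
]


def confusion(samples, threshold):
    """Alert when score >= threshold; returns (tp, fp, tn, fn)."""
    tp = fp = tn = fn = 0
    for score, label in samples:
        alert = score >= threshold
        if alert and label:
            tp += 1
        elif alert:
            fp += 1
        elif label:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def metrics(tp, fp, tn, fn):
    """The metrics most IDS papers report, from one confusion matrix."""
    tpr = tp / (tp + fn) if tp + fn else 0.0          # detection rate / recall
    fpr = fp / (fp + tn) if fp + tn else 0.0          # false-positive rate
    precision = tp / (tp + fp) if tp + fp else 0.0
    f1 = 2 * precision * tpr / (precision + tpr) if precision + tpr else 0.0
    accuracy = (tp + tn) / (tp + fp + tn + fn)
    return {"tpr": tpr, "fpr": fpr, "precision": precision, "f1": f1, "accuracy": accuracy}


def deployed_precision(tpr, fpr, prevalence):
    """P(attack | alert) once the detector runs on traffic with the given attack
    prevalence; a balanced test set hides how small this can get."""
    alerts = prevalence * tpr + (1 - prevalence) * fpr
    return prevalence * tpr / alerts if alerts else 0.0


def sweep(samples, thresholds, prevalence):
    """One metrics row per threshold, so the TPR/FPR trade-off is visible."""
    rows = []
    for t in thresholds:
        m = metrics(*confusion(samples, t))
        m["threshold"] = t
        m["deployed_precision"] = deployed_precision(m["tpr"], m["fpr"], prevalence)
        rows.append(m)
    return rows
```

At a threshold of 0.5 the constructed detector scores 85% accuracy and 90% detection rate with a 20% false-positive rate; at an assumed prevalence of one attack flow per thousand, fewer than one alert in a hundred is a real attack. Raising the threshold to 0.6 halves the false-positive rate and improves the deployed precision while giving up two of the ten attacks, which is exactly the trade-off a single headline metric conceals.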
Mapping the Swiss Public Administration: Challenges and First Research Steps
In the present paper, we argue that the existing data collections fail to map specific features of modern public administration in Switzerland, namely new modes of governance with hybrid state structures. After presenting the Swiss federal administration in a nutshell, we discuss the challenge of mapping hybrid state structures based on different studies focusing on four different aspects: first, quasi-state bodies; second, joined up government; third, emerging new institutions for problems not adequately captured by existing political geography, most prominently seen in the case of functional urban regions; and fourth, new modes of governance with co-production of public goods by state and non-state actors. We then present newer studies and ongoing research (which could be coupled with the mapping of public administration in Switzerland), namely the "agenda setting"-project, research on independent regulatory bodies and, finally, the courts' impact on public administration. In further conceptual work, we may discuss in more depth how the challenge of new modes of governance and cooperative government can be addressed by focusing on the transformation of state structures rather than by adopting a static view.
Rethinking Deep Packet Inspection design and deployment in the era of SDN and NFV
With the advent of Software-Defined Networking (SDN) and Network Functions Virtualization (NFV), the design and deployment of Deep Packet Inspection (DPI) must be reconsidered. The programmability, global visibility and centralized control of SDN, together with the lightweight service creation and migration enabled by NFV, have the potential to strengthen DPI tools. On the other hand, such dynamic environments make the deployment of DPI challenging. Although it has been shown that some security functions, such as firewalls and Intrusion Detection Systems (IDS), can be implemented in SDN controllers or as NFV functions, it remains unclear whether DPI can be done in a similar way, given its sophisticated interactions with network traffic, especially for stateful protocols and encrypted traffic. In other words, the design and deployment of DPI in an SDN and NFV architecture is not straightforward. This paper therefore aims to shed light on the challenges facing DPI design and deployment in the context of SDN and NFV and to propose a solution to overcome them.
Exploiting phasor measurement units for enhanced transmission network operation and control
This thesis was submitted for the degree of Doctor of Engineering and awarded by Brunel University.
In order to achieve binding Government targets towards the decarbonisation of the electricity network, the GB power system is undergoing an unprecedented amount of change. A series of new technologies designed to integrate massive volumes of renewable generation, predominantly in the form of offshore wind connecting asynchronously to the periphery of the transmission system, are transforming the requirements of the network. This displacement of traditional thermal generation is leading to a significant reduction in system inertia, making the task of system operation more challenging. It is therefore necessary to develop tools and technologies that provide far greater insight into the state of the power system in real time and give rise to methods for improving offline modelling practices through an enhanced understanding of the system's performance.
To that end, phasor measurement units (PMUs) are seen as one of the key enablers of the Smart Grid, providing accurate time-synchronised measurements of the state of the power system and allowing its true dynamics to be captured and analysed. This thesis provides an analysis of the existing PMU deployment on the GB transmission system with a view to future system monitoring requirements. A critical evaluation and comparison is also provided of the suitability of a university-based low-voltage PMU network to further enhance the visibility of the GB system. In addition, a novel event detection algorithm based on Detrended Fluctuation Analysis is developed and demonstrated, designed to determine the exact start time of a transmission event as well as the suitability of such an event for additional transmission system analysis, namely inertia estimation. Finally, a reliable method for the estimation of total system inertia is proposed that includes an estimate of the contribution from residual sources, of which there is currently no visibility. The proposed method identifies the importance of regional inertia and its impact on the operation of the GB transmission system.
Funding: Engineering and Physical Sciences Research Council (EPSRC) and National Grid