Hardware string recognition in intelligent information-security systems
Intelligent systems that counter information-security threats such as network intrusions, viruses and spam must inspect a high-rate data stream for several thousand reference character sequences at once. To reach the required throughput, hardware solutions built on programmable logic devices are widely used. This paper surveys the international experience with such designs and proposes the use of unified (standardised) devices for this purpose.
Security Applications of GPUs
Despite recent advances in software security hardening techniques, vulnerabilities can still be exploited if the attacker is determined enough. Regardless of the protections enabled, successful exploitation remains achievable, even though, admittedly, it is much harder today than it was in the past. Since securing software itself is still an open research problem, the community also investigates detection methods that protect software at runtime. Three of the most promising such methods monitor (i) the network, (ii) the filesystem, and (iii) host memory for signs of exploitation. Whenever a malicious operation is detected, the monitor should be able to terminate it and/or alert the administrator. In this chapter, we explore how to use the highly parallel capabilities of modern commodity graphics processing units (GPUs) to improve the performance of security tools operating at the network, storage, and memory level, and how they can offload the CPU whenever possible. Our results show that modern GPUs can be very efficient and highly effective at accelerating the pattern-matching operations of network intrusion detection systems and antivirus tools, as well as at monitoring the integrity of the underlying computing systems.
Methods for synthesising optimal recognition circuits for reconfigurable information-security devices
Signature-based security tools such as network intrusion detection systems, anti-virus scanners, filters against network worms and similar systems perform, in real time, the computation-intensive task of multi-pattern string matching against tens of thousands or even millions of predefined malicious patterns. Because of rising traffic rates, the growing number and sophistication of attacks, and the collapse of Moore's law for sequential processing, traditional software solutions can no longer meet the demands of today's security challenges. Designers therefore pay more attention to hardware approaches that accelerate pattern matching. Reconfigurable devices based on Field Programmable Gate Arrays (FPGAs), which combine the flexibility of software with near-ASIC performance, have become increasingly popular for this purpose. The state-of-the-art solutions in this area worldwide were analysed. There are three main approaches to performing pattern matching on an FPGA; their techniques (and underlying technologies) are: content-addressable memory (based on digital comparators), Bloom filters (based on hash functions) and the Aho-Corasick algorithm (based on finite automata). None of them shows a clear advantage over the others. In this article, we propose a set of methods to increase the effectiveness of reconfigurable security tools by synthesising optimal recognition modules that maximise the benefits of each approach. The Parallel Combination Method divides the pattern set between several matching blocks that use different approaches, so that each subset is handled by the approach that fits it best. The Sequential Cascading Method processes patterns in parts: if the first fragment does not match, the rest can be ignored. The Vertical Join Method couples different approaches or techniques together in a single unit to make the resulting device more efficient. An optimisation procedure maximises the efficiency gain of each method. The methods and methodologies presented in this study will allow developers to build more efficient reconfigurable tools for information-security systems.
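The abstracts above describe signature matching with finite automata (Aho-Corasick) and hash-based filters (Bloom filters), and the sequential-cascading idea of rejecting input early when a first fragment cannot match. The following block is an added software illustration of those two approaches chained into a cascade; it is not code from either paper, and the signature set, payloads and the 4-byte prefix filter parameters are constructed for the example.

```python
"""Multi-pattern signature matching in software, mirroring two of the FPGA
approaches discussed above: an Aho-Corasick automaton (finite-automata
approach) fed through a hash-based prefilter (Bloom-filter approach) in a
sequential cascade. Added illustration; not code from either paper."""
from collections import deque
import hashlib

# Constructed signature set and payloads (not real IDS rules).
SIGNATURES = [b"/etc/passwd", b"passwd", b"cmd.exe", b"<script>", b"UNION SELECT"]
HIT_PAYLOAD = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\nUser-Agent: cmd.exe\r\n"
CLEAN_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"


class AhoCorasick:
    """Byte-level Aho-Corasick automaton: one pass over the input reports
    every occurrence of every pattern, including overlapping ones."""

    def __init__(self, patterns):
        self.patterns = list(patterns)
        self.goto = [{}]   # state -> {byte: next state}
        self.fail = [0]    # state -> longest proper suffix that is also a pattern prefix
        self.out = [[]]    # state -> indices of patterns ending in this state
        for idx, pat in enumerate(self.patterns):
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(idx)
        # Breadth-first pass sets failure links and merges outputs of suffix states.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]
                queue.append(s)

    def scan(self, data):
        """Return (start offset, pattern index) for every match in data."""
        hits, s = [], 0
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for idx in self.out[s]:
                hits.append((i - len(self.patterns[idx]) + 1, idx))
        return hits


class PrefixBloom:
    """Bloom filter over the first K bytes of every signature. A block in which
    no K-byte window hits the filter cannot contain any signature, so the
    automaton can be skipped for it (no false negatives; a rare false
    positive only costs an unnecessary full scan)."""

    def __init__(self, patterns, k=4, bits=4096, hashes=3):
        assert all(len(p) >= k for p in patterns), "every pattern must be >= k bytes"
        self.k, self.bits, self.hashes = k, bits, hashes
        self.bitmap = bytearray(bits // 8)
        for p in patterns:
            for h in self._positions(p[:k]):
                self.bitmap[h >> 3] |= 1 << (h & 7)

    def _positions(self, window):
        # Derive `hashes` bit positions from one SHA-256 digest of the window.
        d = hashlib.sha256(window).digest()
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.bits for i in range(self.hashes)]

    def may_contain(self, data):
        for i in range(len(data) - self.k + 1):
            if all(self.bitmap[h >> 3] & (1 << (h & 7)) for h in self._positions(data[i:i + self.k])):
                return True
        return False


def scan_block(automaton, prefilter, data):
    """Sequential cascade: cheap prefilter first, full automaton only when needed.
    Returns (skipped_full_scan, hits)."""
    if not prefilter.may_contain(data):
        return True, []
    return False, automaton.scan(data)


if __name__ == "__main__":
    ac, bloom = AhoCorasick(SIGNATURES), PrefixBloom(SIGNATURES)
    for payload in (HIT_PAYLOAD, CLEAN_PAYLOAD):
        skipped, hits = scan_block(ac, bloom, payload)
        print(skipped, [(off, SIGNATURES[i]) for off, i in hits])
```

Two caveats a practitioner should keep in mind: the prefilter is only sound because every signature is at least K bytes long (the assertion enforces this), and the example scans one block at a time, so a signature straddling two blocks would be missed; a streaming implementation carries the automaton state and the last K-1 bytes across block boundaries.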
Acceleration unit for HTTP headers identification in FPGA
This bachelor's thesis deals with hardware-accelerated identification of HTTP protocol headers, HTTP being the most widely used protocol on the Internet. The goal is to design and implement a hardware architecture that detects the presence of an HTTP header in a packet and achieves the throughput needed for monitoring 100 Gbps networks. The architecture uses a nondeterministic finite automaton and a high degree of parallelism to match the regular expressions that describe the headers.
A framework for correlation and aggregation of security alerts in communication networks. A reasoning correlation and aggregation approach to detect multi-stage attack scenarios using elementary alerts generated by Network Intrusion Detection Systems (NIDS) for a global security perspective.
The tremendous increase in the usage and complexity of modern communication and network systems connected to the Internet places demands on security management to protect organisations' sensitive data and resources from malicious intrusion. Intruders and hackers exploit flaws and weak points in deployed systems through sophisticated techniques that cannot be prevented by traditional measures such as user authentication, access controls and firewalls. Consequently, automated detection and timely response systems are urgently needed to detect abnormal activity by monitoring network traffic and system events. Network Intrusion Detection Systems (NIDS) and Network Intrusion Prevention Systems (NIPS) are technologies that inspect traffic and diagnose system behaviour to provide improved protection against attacks.
Current implementations of intrusion detection systems (commercial and open-source) lack the scalability to keep up with the massive increase in network speed and the emergence of new protocols and services. Multi-gigabit networks have become a standard installation, leaving the NIDS susceptible to resource-exhaustion attacks. The research focuses on two distinct problems for the NIDS: alerts missed because of packet loss caused by the NIDS's performance limits; and the huge volume of alerts generated by the NIDS, which overwhelms the security analyst and makes event observation tedious.
A methodology for analysing alerts using a proposed alert-correlation framework is presented to give the security operator a global view of the security situation. Missed alerts are recovered implicitly using a contextual technique that detects multi-stage attack scenarios. This rests on the assumption that the most serious intrusions consist of related steps that are temporally ordered. A pre- and post-condition approach is used to identify the logical relations among low-level alerts. The alerts are aggregated, verified against a vulnerability model, and correlated to reconstruct multi-stage attacks. A number of algorithms have been proposed in this research to support the framework, including alert correlation, alert aggregation and graph reduction. These algorithms have been implemented in a tool called the Multi-stage Attack Recognition System (MARS), which consists of a collection of integrated components. The system has been evaluated through a series of experiments on different data sets, i.e. publicly available data sets and data sets collected in real-life experiments. The results show that the approach can effectively detect multi-stage attacks, and the false-positive rate is reduced by incorporating vulnerability and target-host information.
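The abstract above outlines a pipeline of aggregation, verification against a vulnerability model, and pre-/post-condition correlation of elementary NIDS alerts into multi-stage scenarios. The block below is an added illustration of that pipeline in its simplest form; it is not MARS code, and the alert types, their prerequisite/consequence predicates, the vulnerability model and the alert stream are all constructed for the example.

```python
"""Alert aggregation, vulnerability-based verification and pre-/post-condition
correlation of NIDS alerts into multi-stage attack scenarios. Added
illustration of the approach described above; not code from MARS."""
from collections import defaultdict

# Constructed knowledge base: alert type -> (prerequisites, consequences).
# "(H)" is a placeholder for the target host. "vuln_<svc>(H)" predicates must
# be backed by the vulnerability model; the others by earlier alerts.
ALERT_MODEL = {
    "PORT_SCAN":         ({"reachable(H)"},                    {"service_known(H)"}),
    "FTP_EXPLOIT":       ({"service_known(H)", "vuln_ftp(H)"}, {"shell(H)"}),
    "DDOS_AGENT_UPLOAD": ({"shell(H)"},                        {"ddos_agent(H)"}),
}

# Constructed vulnerability model and alert stream (RFC 5737 documentation addresses).
VULN_DB = {"192.0.2.10": {"ftp"}}
ALERTS = [
    {"ts": 100, "type": "PORT_SCAN",         "src": "203.0.113.9", "dst": "192.0.2.10"},
    {"ts": 101, "type": "PORT_SCAN",         "src": "203.0.113.9", "dst": "192.0.2.10"},
    {"ts": 130, "type": "FTP_EXPLOIT",       "src": "203.0.113.9", "dst": "192.0.2.10"},
    {"ts": 140, "type": "FTP_EXPLOIT",       "src": "203.0.113.9", "dst": "192.0.2.20"},
    {"ts": 300, "type": "DDOS_AGENT_UPLOAD", "src": "203.0.113.9", "dst": "192.0.2.10"},
]


def instantiate(predicates, host):
    """Bind the host placeholder so predicates from different alerts can be compared."""
    return {p.replace("(H)", f"({host})") for p in predicates}


def aggregate(alerts, window=60):
    """Collapse repeats of the same (type, dst) within `window` seconds into one alert with a count."""
    out, last_by_key = [], {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["type"], a["dst"])
        last = last_by_key.get(key)
        if last is not None and a["ts"] - last["ts"] <= window:
            last["count"] += 1
        else:
            entry = dict(a, count=1)
            out.append(entry)
            last_by_key[key] = entry
    return out


def verify(alerts, vuln_db):
    """Keep an alert only if every vulnerability it requires is present on its target."""
    kept = []
    for a in alerts:
        needed = {p[len("vuln_"):p.index("(")]
                  for p in ALERT_MODEL[a["type"]][0] if p.startswith("vuln_")}
        if needed <= vuln_db.get(a["dst"], set()):
            kept.append(a)
    return kept


def correlate(alerts):
    """Link earlier alert a to later alert b when a consequence of a is a prerequisite of b."""
    alerts = sorted(alerts, key=lambda a: a["ts"])
    edges = defaultdict(list)
    for j, b in enumerate(alerts):
        pre = instantiate(ALERT_MODEL[b["type"]][0], b["dst"])
        for i in range(j):
            a = alerts[i]
            post = instantiate(ALERT_MODEL[a["type"]][1], a["dst"])
            if post & pre:
                edges[i].append(j)
    return alerts, edges


def attack_scenarios(alerts, edges):
    """Every root-to-leaf path in the correlation graph is a candidate multi-stage attack."""
    has_parent = {j for targets in edges.values() for j in targets}
    paths = []

    def walk(i, path):
        path = path + [alerts[i]["type"]]
        if not edges.get(i):
            paths.append(path)
        for j in edges.get(i, ()):
            walk(j, path)

    for i in range(len(alerts)):
        if i not in has_parent:
            walk(i, [])
    return paths


def build_scenarios(raw_alerts, vuln_db):
    """Full pipeline: aggregate -> verify -> correlate -> extract scenarios."""
    alerts, edges = correlate(verify(aggregate(raw_alerts), vuln_db))
    return attack_scenarios(alerts, edges)


if __name__ == "__main__":
    for scenario in build_scenarios(ALERTS, VULN_DB):
        print(" -> ".join(scenario))
```

In this run the two port-scan alerts collapse into one, the exploit against 192.0.2.20 is discarded because the vulnerability model does not list an FTP weakness there, and the remaining alerts chain into one scenario. Lone alerts that prepare for nothing still surface as single-step paths; a production system would suppress those and would also bound how far back in time it looks for a preparing alert.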
Rethinking Hardware Support for Network Analysis and Intrusion Prevention
The performance pressures on implementing effective network security monitoring are growing fiercely due to rising traffic rates, the need to perform much more sophisticated forms of analysis, the requirement for inline processing, and the collapse of Moore's law for sequential processing. Given these growing pressures, we argue that it is time to fundamentally rethink the nature of using hardware to support network security analysis. Clearly, to do so we must leverage massively parallel computing elements, as only these can provide the necessary performance. The key, however, is to devise an abstraction of parallel processing that will allow us to expose the parallelism latent in semantically rich, stateful analysis algorithms; and that we can then further compile to hardware platforms with different capabilities