Network Immunization Real-Time Network Security

Raymond R. Hoare, Assistant Professor
Department of Electrical Engineering
University of Pittsburgh
hoare@pitt.edu
(412) 624-5836
Cyber Damage: $55 Billion in 2003
50% of Damage Occurs within 6 Hours
Half the Damage is Done
Software Updates are too Slow
Viruses Compromise Our Computers
[Diagram: network with an email attachment: Internet, routers, mail server, switches, workgroup server, workstations. Label: $55 Billion in Damage in 2003]
Network Immunization adds Protection
[Diagram: network with an email attachment: Internet, fortified routers, mail server, fortified switches, workgroup server, workstations. Label: Real-Time Protection and Detection]
Key Technology: HW Search Memory
Existing Solutions are Software Based
- Searching using a Pentium / ARM Processor
- Poor Performance
- 20,000 - 40,000 ns for 10k words
Network Immunization
- Searching using a Content Addressable Memory
- Real Time Performance
- 20-40 ns for 10k words
IDS Performance Declines as the Number of Rules Increases
1 - 10 Gb/s Expected Performance for Network Immunization
[Chart: Snort Performance, Analysis Result from Packet2.log. y-axis: "Number of Packet per", 0 to 250000; x-axis: Number of Rules, 0 to 1800. Labels: Peak Rate over 100Mb/s Ethernet; Existing Solutions; Network Immunization]




Dr. Raymond R. Hoare, EE Dept., U. Pittsburgh, hoare@pitt.edu
Cost of Computer Crimes > $400 Billion/yr
50% of damage in first 6hrs
Infected computers infect the entire network
Firewalls are insufficient
- Network Immunization augments switches and routers
- Adds intrusion detection and prevention hardware
- Infections are stopped
[Diagrams: Internet, routers, mail server, switches, workgroup server, workstations, shown with standard routers and switches and with fortified routers and fortified switches]