Massively Parallel Cuckoo Pattern Matching Applied For NIDS/NIPS ο΅ Author: Tran Ngoc Thinh, Surin Kittitornkun ο΅ Publisher: Electronic Design, Test and Application, 2010. DELTA '10. Fifth IEEE International Symposium on ο΅ Presenter: Yuen-Shuo Li ο΅ Date: 2013/04/09 1 Background Nowadays, illegal intrusion is one of the most serious threats to network security. Network Intrusion Detection/Prevention Systems (NIDS/NIPSs) are designed to examine not only the headers but also the payload of the packets to match and identify intrusions. However, checking thousands of patterns to see whether it matches becomes a computationally intensive task as the highest network speed increases to several gigabits per second (Gbps). 2 Introduction In this paper, we implement a massively parallel architecture of variable-length pattern matching best suited for hardware, naming Cuckoo-based Pattern Matching (CPM). CPM is the application of a recently developed algorithm called Cuckoo Hashing [12] for pattern matching in NIDS/NIPS. With the parallel lookup, our improved system is more efficient in terms of performance as applied on hardware. Unlike most previous FPGA-based systems, CPM is also very flexible in terms of update the static pattern set without reconfiguration. 3 Hashing with Chaining The main idea in hashing based dictionaries is to let the hash functions decide where to store each item. However, it is highly likely that there will be collisions. An obvious idea is to make a pointer from position a in the array to a data structure holding the set. 4 Cuckoo Hashing Cuckoo hashing is a scheme for resolving hash collisions of values of hash functions in a table, with worst-case constant lookup time. The name derives from the behavior of some species of cuckoo, where the cuckoo chick pushes the other eggs or young out of the nest when it hatches; analogously, inserting a new key into a cuckoo hashing table may push an older key to a different location in the table. 5 Cuckoo Hashing(Cont.) Instead of requiring that x should be stored at position h1(x), we give two alternatives: Position h1(x) and position h2(x). When inserting a new element x it may of course still happen that there is no space. This is resolved by imitating the nesting habits of the European cuckoo: Throw out the current occupant y of position h1(x) to make room! 6 Cuckoo Hashing(Cont.) 7 FPGA-based Cuckoo Hasing single-port SRAM double-port SRAM 8 Cuckoo Hasing - lookup 9 Cuckoo Hasing - insert 10 CPM - Architecture On Dec 15, 2006, there were 4,748 unique patterns which contain 64,873 characters in Snorts rule set. Fig.5 shows the distribution of the pattern lengths in Snort database of from 1 up to 109 characters. We can see that 65% of total numbers of patterns are up to 16 characters. 11 CPM – Architecture(Cont.) Therefore, we build the Cuckoo Hashing modules for short patterns which are less than or equal 16 characters according to this fact. For longer patterns, we can break them into shorter segments so that we can insert those segments to the Cuckoo modules of short patterns. input: ABCDEFGHIJKLMNOP ABCDEFGHIJKLMNOP ... ABCD ABC AB A 12 CPM – Architecture(Cont.) Shift-Add-XOR(SAX) utilizes only the simple and fast operations of shift, XOR and add. π»π = π»π−1 ⊕ (ππΏ (π»π−1 ) + ππ (π»π−1 )+ πΆπ SL and SR: shift left and right Ci :the character ith of string Hi : an intermediate hash value after examination of i characters. 13 CPM – Architecture(Cont.) input: ABCDEFGHIJKLMNOP ABCDEFGHIJKLMNOP ... ABCD ABC AB A 14 CPM – Architecture(Cont.) 15 Performance 16 Performance(Cont.) 17