Increasing the Efficiency of IDS Systems by Hardware Implementation of Packet Capturing

Full Text (PDF, 908KB), PP.30-36

Views: 0 Downloads: 0

Author(s)

Zeinab Latifi 1,* Kamal Jamshidi 1 Ali Bohlooli 1

1. Department of Computer Engineering, University of Isfahan, Isfahan, Iran

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2013.10.05

Received: 11 Jan. 2013 / Revised: 7 Apr. 2013 / Accepted: 20 May 2013 / Published: 8 Aug. 2013

Index Terms

Packet capture, load balancing, hashing, IDS, FPGA

Abstract

Capturing is the first step in intrusion detection system (IDS). Having wire speed, omitting the OS from capturing process and no need for making a copy of packets from the system’s environment to the user’s environment are some of the system characteristics. If these requirements are not met, packet capture system is considered as the main bottleneck of IDS and the overall efficiency of this system will be influenced. Presence of all these three characteristics calls for utilization of hardware methods. In this paper, by using of FPGA, a line sniffing and load balancing system are designed in order to be applied in IDS systems. The main contribution of our work is the feasibility of attaching labels to the beginning part of each packet, aiming at quick easy access of other IDS modules to information of each packet and also reducing workload of these modules. Packet classification in the proposed system can be configured to 2, 3, and 5 tuple, which can also be applied in IDS detection module in addition to load balancing part of this system. Load balancing module uses Hash table and its Hash function has the least flows collisions. This system is implemented on a set of virtex 6 and 7 families and is able to capture packets 100% and perform the above mentioned processes by speed of 12 Gbit/s.

Cite This Paper

Zeinab Latifi, Kamal Jamshidi, Ali Bohlooli, "Increasing the Efficiency of IDS Systems by Hardware Implementation of Packet Capturing", International Journal of Computer Network and Information Security(IJCNIS), vol.5, no.10, pp.30-36, 2013. DOI:10.5815/ijcnis.2013.10.05

Reference

[1]K. Scarlone and P. Mell, Guide to Intrusion Detection and Prevention Systems (IDPS).U.S: NIST, 2007.
[2]S. Li, J. Torresen and O. Serrisen, "Improving a Network Security System by Reconfigurable Hardware," in Proc. 2004 Norchip Conf. ,Oslo, Norway, pp. 135-138.
[3]L. Deri. "Improving Passive Packet Capture Beyond Device Polling," in 4th Int. Conf. System Administration and Network Engineering (SANE), Amsterdam, The Netherlands, 2004.
[4]W. Jiang and V. Prasanna, "Scalable Packet Classification on FPGA," IEEE Trans. Very Large Scale Integr. (VLSI) Syst. ,vol. PP, pp. 1 – 13, June 2011.
[5]J. Wang, Y. Xie, Ch. Zhu, Z. Zhao and Ch. Han, "An Embedded Load Balancing System for High Speed OC192 Networks," in 2009 Int. Conf. Embedded Software and Syst. , Zhejiang, pp. 587-592.
[6]"Introducing PF_RING DNA (Direct NIC Access)," Feb. 21, 2010. [Online]. Available:http://www.ntop.org/pf_ring/introducing-pf_ring-dna-direct-nic-access.html.[Accessed: 10 November 2011].
[7]L. Deri and F. Fusco. "Exploiting Commodity Multi core Systems for Network Traffic Analysis," July 2009.[Online]. Available: http://luca.ntop.org/MulticorePacketCapture.pdf [Accessed: 10 November 2011].
[8]"Intel ®I/O Acceleration Technology," Aug. 29, 2011. [online]. Available: http://www.intel.com/content/www/us/en/wireless-network/accel-technology.html. [Accessed: 10 November 2011].
[9]L. Deri, "nCAP: wire-speed packet capture and transmission," in 2005 Workshop on End-to-End Monitoring Techniques and Services, pp. 47-55.
[10]"Enterprise Network Monitoring Tools - Network Security System - Application Performance Monitoring," 2005 [online]. Available: http://www.endace.com/dag-high-speedpacket-capture-functions-and-features.html. [Accessed: 15 October 2011].
[11]J. Novotný, M. Žádník, "COMBOv2 - Hardware Accelerators for High-Speed Networking," 2008. [online]. Available: http://www.cesnet.cz. [Accessed: 20 October 2011].
[12]"COMBO Cards - Development and Commercial FPGA boards," 2008. [online]. Available: http://www.invea-tech.com/products-and-services/combo-fpga-boards. [Accessed: 20 October 2011].
[13]M. Scott, "A Wire-speed Packet Classification and Capture Module for NetFPGA," in First European NetFPGA Developers, Cambridge, UK, 2010.
[14]J. Shafer, "NetFPGA Hardware Architecture," Des. 2008. [online]. Available: http://comp519.cs.rice.edu. [Accessed: 20 October 2011].
[15]D. E. Taylor, "Survey & Taxonomy of Packet Classification Techniques," J. acm Computing Surveys(CSUR), vol. 37, pp. 238 – 275,Sep. 2005.
[16]Yu Fang, R.H. Katz and T.V. Lakshman, "Gigabit rate packet pattern-matching using TCAM," in Proc. 12th Int. Conf. IEEE Network Protocols (ICNP), 2004, pp. 174 - 183.
[17]M. Singh and D. Garg, "Choosing Best Hashing Strategies and Hash Functions," in 2009 IEEE Int. Conf. Advance Computing (IACC), pp. 50-55.
[18]K. Pati, H. Cheng, H.Sunt Kim and H. Ali Agha, "Data Structures and Algorithms-Topic 12: Hashing by Changing," May 4, 1999. [online]. Available: http://cgm.cs.mcgill.ca/~hagha/topic12/topic12.html. [Accessed: 10 November 2011].
[19]S. Kumar, J. Turner and P. Crowley, "Peacock Hashing: Deterministic and Updatable Hashing for High Performance Networking, " in Proc. 27th IEEE Conf. comput. Commun. , 2008, pp. 101-105.
[20]H. Song and J.W. Lockwood, "Efficient Packet Classification for Network Intrusion Detection using FPGA, " in Proc. 13th ACM/SIGDA Int. Symp. Field programmable gate arrays (FPGA),New York,2005, Pages 238-245.
[21]M. Roesch,"SNORT - lightweight intrusion detection for networks, "in 13th USENIX Conf. Systems Administration, Berkeley, 1999, pp. 229-238.