Title: Internet Worm and Virus Protection in Dynamically Reconfigurable Hardware By John W. Lockwood, et al
Internet Worm and Virus Protection in Dynamically Reconfigurable Hardware
By John W. Lockwood, et al
- Course CS895
- Advisor Dr. Ravi Mukkamala
- Speaker Weiying Zhu
- Date 03/17/2004
Table of Contents
- Introduction
- Intelligent Gateway Devices
- System Architecture
- Reprogrammable Logic
- Conclusions
- References
Introduction
- Malicious software (malware): a computer virus, an Internet worm, or a hybrid that contains elements of both.
- Weakness of end-system protection
  - Most malware goes undetected until it causes harm on an end-user's computer.
  - Individuals tend to ignore warnings about installing new protection software and the latest security updates.
  - Systems are not always patched immediately, and anti-virus programs are not kept up to date.
Intelligent Gateway Devices
- Existing firewalls
  - They examine only the packet headers. However, much malware is transported over trusted services.
- Intrusion detection and prevention systems
  - They search for predefined signatures belonging to malware by scanning the packet payloads.
  - Software-based scanners are not fast enough to monitor all traffic on a high-speed link.
  - Hardware-based scanners can make use of parallelism to perform deep packet inspection with high throughput.
  - Programmable Logic Devices (PLDs) provide the flexibility and performance to scan for regular expressions within a high-speed network.
System Architecture
- System components
  - Data Enabling Device (DED): scans packets.
    - Its heart is the FPX, which consists of a module implemented in FPGA hardware that scans the content of Internet packets at Gigabit-per-second rates.
    - It is installed at key traffic aggregation points of networks, as well as on the backbone.
  - Content Matching Server (CMS): reprograms DEDs.
    - It compiles and synthesizes custom circuits to reconfigure DEDs over the network.
  - Regional Transaction Processor (RTP): determines the action.
    - It consults a database to determine actions when matching content is found by a DED.
    - A single RTP can be used to remotely coordinate the activities of up to 100 DEDs.
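Added example, not code from the paper or the slides: a software model of the DED/RTP split above. The DED compiles a signature set into an automaton and consumes each payload one byte at a time (as the FPGA module does one byte per clock), the RTP looks a reported match up in its action database, and `reconfigure` stands in for the CMS pushing a new signature set. Class and function names, signatures, actions and packets are all constructed; fixed-string signatures are used where the paper compiles regular expressions to circuits.

```python
from collections import deque


class DataEnablingDevice:
    """Aho-Corasick automaton over fixed-string signatures: every payload byte is
    checked against all signatures in one pass, with no byte rescanned."""

    def __init__(self, signatures):
        self.reconfigure(signatures)

    def reconfigure(self, signatures):
        """Install a new signature set (the CMS's job in the real system)."""
        self.goto, self.out, self.fail = [{}], [set()], [0]
        for sid, pattern in signatures.items():
            state = 0
            for byte in pattern:
                if byte not in self.goto[state]:
                    self.goto[state][byte] = len(self.goto)
                    self.goto.append({}); self.out.append(set()); self.fail.append(0)
                state = self.goto[state][byte]
            self.out[state].add(sid)
        # Failure links (BFS from depth-1 states): on a mismatch the scan resumes
        # at the longest suffix that is still a prefix of some signature.
        queue = deque(self.goto[0].values())
        while queue:
            state = queue.popleft()
            for byte, nxt in self.goto[state].items():
                f = self.fail[state]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(byte, 0)
                self.out[nxt] |= self.out[self.fail[nxt]]
                queue.append(nxt)

    def scan(self, payload):
        """Return (end offset, signature id) for every signature found in payload."""
        hits, state = [], 0
        for i, byte in enumerate(payload):
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            hits.extend((i, sid) for sid in sorted(self.out[state]))
        return hits


SEVERITY = {"forward": 0, "log": 1, "alert": 2, "drop": 3}


def rtp_decide(actions, hits):
    """RTP: look each reported signature up in the action database; most severe wins."""
    return max((actions.get(sid, "log") for _, sid in hits), key=SEVERITY.get, default="forward")


# Constructed signature set and action database (illustrative, not the paper's).
SIGNATURES = {"s1": b"he", "s2": b"she", "s3": b"hers"}
ACTIONS = {"s1": "log", "s2": "alert", "s3": "drop"}
```

`DataEnablingDevice(SIGNATURES).scan(b"ushers")` reports three overlapping matches in a single pass, which is the property that lets the hardware keep up with line rate.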
System Architecture (Cont.)
Fig. 1. Example topology of a Network Aggregation
Point (NAP) with DEDs added to provide worm and
virus protection
System Architecture (Cont.)
Fig. 2. How the system works.
Reprogrammable Logic
- A DED contains two network line cards, a backplane, and two or more FPX cards.
- The FPX card implements the core function of the DED. It consists of:
  - two FPGAs (one is the NID and the other is the RAD)
    - The NID is used to route individual traffic flows through the device and process control packets.
    - The RAD is dynamically reconfigured over the network to perform customized packet processing functions.
  - five banks of memory
  - two high-speed (OC-48 rate) network interfaces.
Reprogrammable Logic (Cont.)
Fig. 3. The FPX card.
Reprogrammable Logic (Cont.)
- Line cards
- SONET line card adapter for ATM networks
- GBIC for Gigabit Ethernet.
- Protocol processing wrappers
- ATM wrapper
- Gigabit Ethernet wrapper
- IP wrapper
- UDP wrapper
- TCP wrapper
Reprogrammable Logic (Cont.)
- Performance
  - By implementing four modules in parallel, the FPX can process data at a rate of 2.4 Gigabits per second.
  - By performing the network scanning with parallel hardware, all packets can be examined even at high throughput.
Fig. 4. Performance of FPGA-based matching vs. software-based matching.
Conclusions
- The system scans data quickly.
- The scanning devices can be reconfigured to search for new attack patterns.
- The system takes immediate action when attacks occur.
References
- John W. Lockwood, James Moscola, Matthew Kulig, David Reddick, and Tim Brooks, "Internet Worm and Virus Protection in Dynamically Reconfigurable Hardware," Military and Aerospace Programmable Logic Device (MAPLD), Washington DC, Paper E10, Sep 9-11, 2003.
  - http://www.arl.wustl.edu/lockwood/publications/MAPLD_2003_e10_lockwood_p.pdf
- John W. Lockwood, James Moscola, David Reddick, Matthew Kulig, and Tim Brooks, "Application of Hardware Accelerated Extensible Network Nodes for Internet Worm and Virus Protection," International Working Conference on Active Networks (IWAN), Kyoto, Japan, December 2003.
  - http://www.arl.wustl.edu/lockwood/publications/lockwood_IWAN_2003.pdf