Shunting: a hardware/software architecture for flexible, high-performance network intrusion prevention

Authors:
Jose M. Gonzalez;Vern Paxson;Nicholas Weaver
Affiliations:
International Computer Science Institute, Berkeley, CA;International Computer Science Institute, Berkeley, CA;International Computer Science Institute, Berkeley, CA
Venue:
Proceedings of the 14th ACM conference on Computer and communications security
Year:
2007

Citing 20
Cited 18

A case for two-way skewed-associative caches

ISCA '93 Proceedings of the 20th annual international symposium on computer architecture
Empirically derived analytic models of wide-area TCP connections

IEEE/ACM Transactions on Networking (TON)
Wide area traffic: the failure of Poisson modeling

IEEE/ACM Transactions on Networking (TON)
Self-similarity in World Wide Web traffic: evidence and possible causes

Proceedings of the 1996 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Self-similarity through high-variability: statistical analysis of Ethernet LAN traffic at the source level

IEEE/ACM Transactions on Networking (TON)
Self-similarity and heavy tails: structural modeling of network traffic

A practical guide to heavy tails
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
Space/time trade-offs in hash coding with allowable errors

Communications of the ACM
Monitoring very high speed links

IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
Performance Evaluation with Heavy Tailed Distributions

JSSPP '01 Revised Papers from the 7th International Workshop on Job Scheduling Strategies for Parallel Processing
Stateful Intrusion Detection for High-Speed Networks

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Enhancing byte-level network intrusion detection signatures with context

Proceedings of the 10th ACM conference on Computer and communications security
Characteristics of internet background radiation

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Fast hash table lookup using extended bloom filter: an aid to network processing

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
The shunt: an FPGA-based accelerator for network intrusion prevention

Proceedings of the 2007 ACM/SIGDA 15th international symposium on Field programmable gate arrays
Building a time machine for efficient recording and retrieval of high-volume network traffic

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Denial of service via algorithmic complexity attacks

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Dynamic application-layer protocol analysis for network intrusion detection

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
The NIDS cluster: scalable, stateful network intrusion detection on commodity hardware

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection

Swift: a fast dynamic packet filter

NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Enriching network security analysis with time travel

Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Correlation-based load balancing for network intrusion detection and prevention systems

Proceedings of the 4th international conference on Security and privacy in communication netowrks
Performance Improvement by Means of Collaboration between Network Intrusion Detection Systems

CNSR '09 Proceedings of the 2009 Seventh Annual Communication Networks and Services Research Conference
Software cannot protect software: an argument for dedicated hardware in security and a categorization of the trustworthiness of information

WISTP'08 Proceedings of the 2nd IFIP WG 11.2 international conference on Information security theory and practices: smart devices, convergence and next generation networks
Experience with high-speed automated application-identification for network-management

Proceedings of the 5th ACM/IEEE Symposium on Architectures for Networking and Communications Systems
A cost comparison of datacenter network architectures

Proceedings of the 6th International COnference
Network-wide deployment of intrusion detection and prevention systems

Proceedings of the 6th International COnference
OFRewind: enabling record and replay troubleshooting for networks

USENIXATC'11 Proceedings of the 2011 USENIX conference on USENIX annual technical conference
MIDeA: a multi-parallel intrusion detection architecture

Proceedings of the 18th ACM conference on Computer and communications security
Intrusion detection at 100G

State of the Practice Reports
Design and implementation of a fast dynamic packet filter

IEEE/ACM Transactions on Networking (TON)
Intrusion Detection: Towards scalable intrusion detection

Network Security
Dismantling intrusion prevention systems

Proceedings of the ACM SIGCOMM 2012 conference on Applications, technologies, architectures, and protocols for computer communication
Dismantling intrusion prevention systems

ACM SIGCOMM Computer Communication Review - Special october issue SIGCOMM '12
Deep packet inspection tools and techniques in commodity platforms: Challenges and trends

Journal of Network and Computer Applications
Re-examining the performance bottleneck in a NIDS with detailed profiling

Journal of Network and Computer Applications
Overcoming performance collapse for 100Gbps cyber security

Proceedings of the first workshop on Changing landscapes in HPC security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Stateful, in-depth, inline traffic analysis for intrusion detection and prevention is growing increasingly more difficult as the data rates of modern networks rise. Yet it remains the case that in many environments, much of the traffic comprising a high-volume stream can, after some initial analysis, be qualified as of "likely uninteresting." We present a combined hardware/software architecture, Shunting, that provides a lightweight mechanism for an intrusion prevention system (IPS) to take advantage of the "heavy-tailed" nature of network traffic to offload work from software to hardware. The primary innovation of Shunting is the introduction of a simple in-line hardware element that caches rules for IP addresses and connection 5-tuples, as well as fixed rules for IP/TCP flags. The caches, using a highest-priority match, yield a per-packet decision: forward the packet; drop it; or divert it through the IPS. By manipulating cache entries, the IPS can specify what traffic it no longer wishes to examine, including directly blocking malicious sources or cutting through portions of a single flow once the it has had an opportunity to "vet" them, all on a fine-grained basis. We have implemented a prototype Shunt hardware design using the NetFPGA 2 platform, capable of Gigabit Ethernet operation. In addition, we have adapted the Bro intrusion detection system to utilize the Shunt framework to offload less-interesting traffic. We evaluate the effectiveness of the resulting system using traces from three sites, finding that the IDS can use this mechanism to offload 55%-90% of the traffic, as well as gaining intrusion prevention functionality.