Reconfigurable Networking Group - Research Papers (05)
SIFT: Snort Intrusion Filter for TCP, by Michael Attig and John W. Lockwood, 13th Annual Proceedings of Hot Interconnects (HotI-13), Stanford, CA, August 17-19, 2005.
Abstract: Intrusion rule processing in reconfigurable hardware enables intrusion detection and prevention services to run at multi-gigabit/second rates. High-level intrusion rules mapped directly into hardware separate malicious content from benign content in network traffic. Hardware parallelism allows intrusion systems to scale to support fast network links, such as OC-192 and 10 Gbps Ethernet. In this paper, a Snort Intrusion Filter for TCP (SIFT) is presented that operates as a preprocessor to prevent benign traffic from being inspected by an intrusion monitor running Snort. Snort is a popular open-source rule-processing intrusion system. SIFT selectively forwards IP packets that contain questionable headers or defined signatures to a PC where complete rule processing is performed. SIFT removes the need for most network traffic to be inspected by software. Statistics, like how many packets match rules, are used to optimize rule processing systems. SIFT has been implemented and tested in FPGA hardware and used to process live Internet traffic from a campus Internet backbone.
A Modular System for FPGA-based TCP Flow Processing in High-Speed Networks, by David Schuehler and John Lockwood; 14th International Conference on Field Programmable Logic and Applications (FPL), Springer LNCS 3203, Antwerp, Belgium, August 2004, pp. 301-310.
Abstract: Field Programmable Gate Arrays (FPGAs) can be used in Intrusion Prevention Systems (IPS) to inspect application data contained within network flows. An IPS operating on high-speed network traffic can be used to stop the propagation of Internet worms and to protect networks from Denial of Service (DoS) attacks. When used in the backbone of a core network, the device will be exposed to millions of active flows simultaneously. In order to protect the data in each connection, network devices will need to track the state of every flow. This must be done at multi-gigabit line rates without introducing significant delays. This paper describes a high-performance TCP processing system called TCP-Processor which supports flow processing in high-speed networks utilizing multiple devices. This circuit provides stateful flow tracking, TCP stream reassembly, context storage, and flow manipulation services for applications which process TCP data streams. A simple client interface eases the complexities associated with processing TCP data streams. In addition, a set of encoding and decoding circuits has been developed which efficiently transports this interface between multiple FPGA devices. The circuit has been implemented in FPGA hardware and tested using live Internet traffic.
Architecture for a Hardware-Based, TCP/IP Content-Processing System, by David V. Schuehler, James Moscola, and John W. Lockwood; IEEE Micro, Vol. 24, No. 1, Jan 2004, pp. 62-69.
Abstract: A new architecture performs content scanning of TCP flows in high-speed networks. Combining a TCP processing engine, a per-flow state store, and a content-scanning engine, this architecture permits complete payload inspections on 8 million TCP flows at 2.5 Gbps.
Architecture for a Hardware Based, TCP/IP Content Scanning System, by David V. Schuehler, James Moscola, and John W. Lockwood; Hot Interconnects 11 (HotI), Stanford, CA, USA, pp. 89-94, Aug. 2003.
Abstract: Hardware-assisted intrusion detection systems and content scanning engines are needed to process data at multi-gigabit line rates. These systems, when placed within the core of the Internet, are subject to millions of simultaneous flows, with each flow potentially containing data of interest. Existing IDS systems are not capable of processing millions of flows at gigabit-per-second data rates. This paper describes an architecture which is capable of performing complete, stateful payload inspections on 8 million TCP flows at 2.5 gigabits per second. To accomplish this task, a hardware circuit is used to combine a TCP protocol processing engine, a per-flow state store, and a content scanning engine.
TCP-Splitter: A TCP/IP Flow Monitor in Reconfigurable Hardware, by David V. Schuehler, John Lockwood; Hot Interconnects 10 (HotI-10), Stanford, CA, Aug 21-23, 2002, pp. 127-131.
Abstract: TCP/IP is the most commonly used protocol on the Internet. It provides a reliable transport for nearly all applications that utilize a network. These include Web browsers, FTP, Telnet, Secure Shell and other applications. New types of routers require the examination of TCP/IP flows transiting this networking equipment. This paper describes TCP-Splitter, a reconfigurable-hardware-based solution for analyzing and processing TCP/IP flows at multi-gigabit line rates. A consistent byte stream is delivered to a client application for every TCP/IP connection processed by TCP-Splitter. In order to maintain a design that is lightweight, efficient, and able to process a nearly unlimited number of flows at gigabit line rates, the system uses a non-passive flow processing algorithm.
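The TCP-Splitter abstract above and the content-scanning architecture abstracts (TCP engine, per-flow state store, scanning engine) describe the same pipeline: track each flow, hand the client a consistent byte stream, scan that stream. The block below is an added software model of that pipeline; it is not any of the papers' FPGA circuits. The per-flow state is a single expected sequence number per direction, and out-of-sequence segments are dropped rather than buffered; that drop-instead-of-buffer behaviour is this example's reading of the abstract's "non-passive" algorithm (the sender retransmits, so the client still sees a consistent stream without reassembly memory), not a detail the abstract states. The scanner keeps a short per-flow carry-over so a signature split across two segments is still found. The flow, its segments and the signature list are constructed for the demo.

```python
"""TCP-Splitter-style flow monitor feeding a stream scanner (added model, not the papers' hardware)."""
from collections import defaultdict
from dataclasses import dataclass

SEQ_MASK = 0xFFFFFFFF


def seq_before(a: int, b: int) -> bool:
    """True if 32-bit sequence number a precedes b, allowing for wraparound."""
    return ((a - b) & SEQ_MASK) > 0x7FFFFFFF


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    syn: bool
    payload: bytes


class StreamScanner:
    """Client that scans the delivered byte stream for signatures, per flow."""

    def __init__(self, signatures: list[bytes]):
        self.signatures = signatures
        self.carry = max(len(s) for s in signatures) - 1   # bytes kept between deliveries
        self.tail: dict[tuple, bytes] = {}
        self.alerts: list[tuple[tuple, bytes]] = []

    def deliver(self, key: tuple, data: bytes) -> None:
        old = self.tail.get(key, b"")
        buf = old + data
        for sig in self.signatures:
            i = buf.find(sig)
            while i != -1:
                if i + len(sig) > len(old):   # match ends in new data: not reported before
                    self.alerts.append((key, sig))
                i = buf.find(sig, i + 1)
        self.tail[key] = buf[-self.carry:] if self.carry else b""


class FlowMonitor:
    """Per-flow state store (one expected seq per direction) with in-order delivery."""

    def __init__(self, client: StreamScanner):
        self.client = client
        self.expected: dict[tuple, int] = {}
        self.stats: dict[str, int] = defaultdict(int)

    def process(self, s: Segment) -> bool:
        """Return True if the segment is forwarded on the wire, False if dropped."""
        key = (s.src, s.sport, s.dst, s.dport)
        if s.syn:
            self.expected[key] = (s.seq + 1) & SEQ_MASK
            self.stats["flows"] += 1
            return True
        exp = self.expected.get(key)
        if exp is None:                 # picked up mid-stream: pass through, nothing delivered
            self.stats["untracked"] += 1
            return True
        if not s.payload:               # pure ACK
            self.stats["empty"] += 1
            return True
        if s.seq == exp or seq_before(s.seq, exp):
            new = s.payload[(exp - s.seq) & SEQ_MASK:]   # skip bytes already delivered
            if new:
                self.client.deliver(key, new)
                self.expected[key] = (exp + len(new)) & SEQ_MASK
                self.stats["delivered"] += 1
            else:
                self.stats["retransmit"] += 1
            return True
        self.stats["dropped"] += 1      # ahead of expected: drop so the sender resends it in order
        return False


# Constructed flow: a signature split across two segments, one early segment, one spurious resend.
FLOW = ("10.0.0.7", 40004, "192.0.2.11", 23)
SAMPLE = [
    Segment(*FLOW, seq=1000, syn=True, payload=b""),
    Segment(*FLOW, seq=1001, syn=False, payload=b"cmd=/bi"),   # next expected becomes 1008
    Segment(*FLOW, seq=1013, syn=False, payload=b"xyz"),       # arrives early: dropped
    Segment(*FLOW, seq=1008, syn=False, payload=b"n/sh\n"),    # completes the split signature
    Segment(*FLOW, seq=1013, syn=False, payload=b"xyz"),       # resent, now in order
    Segment(*FLOW, seq=1001, syn=False, payload=b"cmd=/bi"),   # retransmission of delivered data
]


def run_demo() -> tuple[dict, list, list[bool]]:
    scanner = StreamScanner([b"/bin/sh"])
    mon = FlowMonitor(scanner)
    forwarded = [mon.process(s) for s in SAMPLE]
    return dict(mon.stats), scanner.alerts, forwarded


if __name__ == "__main__":
    print(run_demo())
```

Two points this makes concrete: a packet-at-a-time scanner would miss `/bin/sh` here because the signature straddles a segment boundary, and the state needed per flow is a few bytes (a 5-tuple key and a 32-bit sequence number) rather than a reassembly buffer, which is what makes the design scale to very large flow counts. The cost of the drop-based approach is that an out-of-order segment is always resent, which on lossy or reordering paths adds retransmissions to every monitored connection.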
Protocol Wrappers for Layered Network Packet Processing in Reconfigurable Hardware, by Florian Braun, John Lockwood, and Marcel Waldvogel; IEEE Micro, Volume 22, Number 3, Feb 2002, pp. 66-74.