A wide variety of network security applications (malware detection, rule-based network intrusion detection, covert channel detection, etc.) require packet inspection and processing. The processing is required not only on individual packets but also on sequences of packets and across flows to detect security policy breaches and attacks. Performing these functions at very high network line rates (10 Gbps now and soon scaling up to 40 to 100 Gbps) is critical to safeguarding enterprise networks. Solutions based on the use of Field Programmable Gate Arrays (FPGAs) and/or multi-core CPUs have limitations with regard to performance, flexibility, power, and programmability. In this research project, we propose to investigate the applicability of MPPA (Massively Parallel Processing Array) architectures to scale packet processing and analysis tasks to meet the security challenges presented by next-generation high-speed networks. MPPA-based parallel processing devices have a number of advantages that make them particularly attractive for parallelizing stream-based data-intensive computation. For example, they use a large number of low-clock-rate processors, which allows them to provide significant computing capability while consuming relatively little power. Furthermore, these devices provide a processor interconnection topology that guarantees bounded communication delays between processors. Additionally, since the interconnection network is programmable, the parallel implementation of an algorithm can be optimized by programming the interconnection to match the parallelism in the algorithm. Finally, the MPPA devices provide high-level language support that can make programming these devices much easier than FPGA-based systems.
In this NSF-funded project, we will build upon our preliminary work and design parallel implementations of algorithms that are required in many different network security applications. These include 1) the K-means clustering algorithm used in traffic classification, 2) the entropy computation algorithm used in anomaly detection, 3) pattern matching used in rule-based network intrusion detection, and 4) encryption and decryption acceleration engines. We will investigate how these algorithms can be parallelized in an MPPA architecture and study the scalability issues. A key constraint in the current-generation MPPA devices is the amount of local memory; thus we will design implementations that can tolerate a limited amount of memory. We will consider different implementations of the network security applications and compare their performance in terms of throughput and the accuracy of detection.
Blake C. Mason
- Blake C. Mason, Cherita Corbett, and Dipak Ghosal, "Evaluation of a Massively Parallel Architecture for Network Security Applications," in Proceedings 2010 18th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP), Pisa, 17-19 Feb. 2010
- Yali Liu, Video Streaming Forensic - Content Identification with Traffic Snooping, in Proceedings 13 International Conference on Information Security (ISC) 2010: 129-135, Boca Raton, FL, USA, October 25-28, 2010 [Also in Lecture Notes in Computer Science 6531 Springer 2011, ISBN 978-3-642-18177-1]
- Liu, Guangjie Liu, Jiangtao Zhai, Yuewei Dai, and Dipak Ghosal, “Designing Analog Fountain Timing Channels: Undetectability, Robustness and Model-Adaptation,” IEEE Transactions on Information Forensics and Security – Under review.
- Archibald and Dipak Ghosal, “Design and performance evaluation of a covert timing channel,” accepted for publication in Security Comm. Networks (2015).
- Gegan, Rennie Archibald, Matthew Farrens, Dipak Ghosal, “Performance Analysis of Real-Time Covert Timing Channel Detection using a Parallel System,” 9th International Conference on Network and System Security, November 3-5, 2015, New York City, USA
- Archibald and Dipak Ghosal, Design and Analysis of a Model-Based Covert Timing Channel for Skype Traffic, 2015 IEEE Conference on Communications and Network Security (CNS) - IEEE CNS 2015, Florence, Italy, September/October 2015
- Archibald, Dipak Ghosal, A comparative analysis of detection metrics for covert timing channels, Computers & Security, May 2014,
- Rennie, and Dipak Ghosal. "A covert timing channel based on fountain codes." Trust, Security and Privacy in Computing and Communications (TrustCom), 2012 IEEE 11th International Conference on. IEEE, 2012.
- Kirchner, Dipak Ghosal: Information Hiding - 14th International Conference, IH 2012, Berkeley, CA, USA, May 15-18, 2012, Revised Selected Papers. Lecture Notes in Computer Science 7692, Springer 2013, ISBN 978-3-642-36372-6
- Rennie, et al. "Disambiguating HTTP: classifying web applications." Wireless Communications and Mobile Computing Conference (IWCMC), 2011 7th International. IEEE, 2011.
- Liu, Dipak Ghosal, Biswanath Mukherjee and Ahmad-Reza Sadeghi. Video Streaming Forensic - Content Identification with Traffic Snooping, 13th Information Security Conference (ISC 2010), Boca-Raton, Florida, October 25-28, 2010
- Liu, F. Armknecht, D. Ghosal, S. Katzenbeisser, A. Sadeghi, S. Schulz, “Robust and Undetectable Covert Timing Channels for i.i.d. Traffic,” 12th Information Hiding Conferences (IH10),
- Liu, Frederik Armknecht, Dipak Ghosal, Stefan Katzenbeisser, Ahmad-Reza Sadeghi, Steffen Schulz, Hide and Seek in Time - Robust Covert Timing Channels, 14th European Symposium on Research in Computer Security, Saint Malo, France, September 21-25, 2009
- Ross Gegan, Design and Analysis of Parallel Implementation of Covert Timing Channel Detection Methods on a Massively Parallel Processing Array Architectures, 2015.
- Blake C. Mason. Evaluation of a massively parallel architecture for network security applications. MS Thesis, 2010.
- Rennie Archibald
- Yali Liu