
3. Scaling Network Security Applications

Project Summary

A wide variety of network security applications (malware detection, rule-based network intrusion detection, covert channel detection, etc.) require packet inspection and processing. The processing is required not only on individual packets but also on sequences of packets and across flows to detect security policy breaches and attacks. Performing these functions at very high network line rates (10 Gbps now and soon scaling up to 40 to 100 Gbps) is critical to safeguarding enterprise networks. Solutions based on the use of Field Programmable Gate Arrays (FPGAs) and/or multi-core CPUs have limitations with regard to performance, flexibility, power, and programmability. In this research project, we propose to investigate the applicability of MPPA (Massively Parallel Processing Array) architectures to scale packet processing and analysis tasks to meet the security challenges presented by next-generation high-speed networks. MPPA-based parallel processing devices have a number of advantages that make them particularly attractive for parallelizing stream-based, data-intensive computation. For example, they use a large number of low-clock-rate processors, which allows them to provide significant computing capability while consuming relatively little power. Furthermore, these devices provide a processor interconnection topology that guarantees bounded communication delays between processors. Additionally, since the interconnection network is programmable, a parallel implementation can be optimized by programming the interconnection to match the parallelism in the algorithm. Finally, the MPPA devices provide high-level language support that can make programming these devices much easier than FPGA-based systems.

In this NSF-funded project, we will build upon our preliminary work and design parallel implementations of algorithms that are required in many different network security applications. These include 1) the K-means clustering algorithm used in traffic classification, 2) the entropy computation algorithm used in anomaly detection, 3) pattern matching used in rule-based network intrusion detection, and 4) encryption and decryption acceleration engines. We will investigate how these algorithms can be parallelized in an MPPA architecture and study the scalability issues. A key constraint in the current-generation MPPA devices is the amount of local memory; thus we will design implementations that can tolerate a limited amount of memory. We will consider different implementations of the network security applications and compare their performance in terms of throughput and the accuracy of detection.

People

Rennie Archibald
Blake C. Mason
Matthew Farrens
Dipak Ghosal

Publications

  1. Blake C. Mason, Cherita Corbett, and Dipak Ghosal, "Evaluation of a Massively Parallel Architecture for Network Security Applications," in Proceedings 2010 18th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP), Pisa, 17-19 Feb. 2010.
  2. Yali Liu, Ahmad-Reza Sadeghi, Dipak Ghosal, and Biswanath Mukherjee, "Video Streaming Forensic - Content Identification with Traffic Snooping," in Proceedings 13th International Conference on Information Security (ISC) 2010: 129-135, Boca Raton, FL, USA, October 25-28, 2010. [Also in Lecture Notes in Computer Science 6531, Springer 2011, ISBN 978-3-642-18177-1]

Thesis/Dissertation

  1. Blake C. Mason.  Evaluation of a massively parallel architecture for network security applications. MS Thesis, 2010.


To request reprints and/or information about this project, please contact
Dipak Ghosal: ghosal@cs.ucdavis.edu  dghosal@ucdavis.ed