Attacks on Embedded Systems


Sunday, November 23, 2014

Network Intrusion Detection and Prevention Systems Through an 8-bit Microprocessor


Harmful code that spreads over the network, also known as malicious software (malware), is commonly classified into viruses and worms. A virus needs an existing program to attach itself to and releases its payload as soon as that program executes on the system. A worm, however, is self-contained and can spread and run its payload without a host program.
To detect this malicious code, a virus scanner searches for signatures: byte patterns that are present in every copy of the virus. These patterns are identified by specialists at security companies and organizations and stored in lists that are downloadable from their websites and used as a dictionary for detection. The detection process is called "pattern matching": it takes a piece of the network data stream and compares it with the known virus signatures. Although many sophisticated Network Intrusion Detection and Prevention Systems (NIDPS), including anti-virus software, are available on the market and offer flexibility, their software pattern-matching algorithms cannot keep up with high-speed network traffic, so throughput is sacrificed. Most software NIDPS reach only on the order of hundreds of megabits per second, whereas hardware implementations can match thousands of signatures at gigabit rates. Sourdis and Pnevmatikatos achieved 10 Gbps using parallelism (refer to their paper for more information).
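The following is an added example, not code from the post or the paper, of the software "pattern matching" described above: a handful of constructed signatures scanned over a byte stream that arrives as packets. Besides the per-byte comparison work that becomes the bottleneck at line rate, it shows the caveat a DPI engine has to handle: a signature that straddles a packet boundary is invisible to a scanner that looks at each packet in isolation, so the scanner carries the tail of the previous packet forward. The signature names, the two signatures and the sample packets are all constructed for this example.

```python
# Added example: software signature scanning over a packetized byte stream.
# All signatures and packets below are constructed sample data.

SIGNATURES = {
    "sig-A": b"EVIL_MARKER",          # constructed text-style signature
    "sig-B": b"\x90\x90\xcc\xcc",     # constructed binary-style signature
}

# Constructed stream: "EVIL_MARKER" is split across the first two packets.
PACKETS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\nEVIL_MAR",
    b"KER\x90\x90\xcc\xcc trailing",
    b"EVIL_MARKER",
]


class StreamScanner:
    """Scan a reassembled byte stream one packet at a time.

    The last (longest signature - 1) bytes of each packet are kept and
    prepended to the next one, so a signature split across two packets is
    still found. Matches are reported as (signature name, stream offset).
    """

    def __init__(self, signatures):
        self.signatures = signatures
        self.carry = b""          # tail of the previous window, already scanned
        self.consumed = 0         # stream offset of carry[0]
        self.overlap = max(len(s) for s in signatures.values()) - 1

    def feed(self, packet: bytes) -> list[tuple[str, int]]:
        buf = self.carry + packet
        base = self.consumed
        found = []
        for name, sig in self.signatures.items():
            start = 0
            while (i := buf.find(sig, start)) != -1:
                # A match that ends inside the carried bytes was already
                # reported while scanning the previous packet; skip it.
                if i + len(sig) > len(self.carry):
                    found.append((name, base + i))
                start = i + 1
        keep = min(self.overlap, len(buf))
        self.consumed = base + len(buf) - keep
        self.carry = buf[-keep:] if keep else b""
        return found


def scan_packets(packets, signatures) -> list[tuple[str, int]]:
    """Run the carry-over scanner over a whole packet sequence."""
    scanner = StreamScanner(signatures)
    hits = []
    for packet in packets:
        hits.extend(scanner.feed(packet))
    return hits


def scan_per_packet(packets, signatures) -> list[tuple[str, int]]:
    """Naive baseline: scan each packet alone (misses split signatures)."""
    return [(name, p.find(sig))
            for p in packets
            for name, sig in signatures.items()
            if sig in p]


if __name__ == "__main__":
    print("stream-aware:", scan_packets(PACKETS, SIGNATURES))
    print("per-packet:  ", scan_per_packet(PACKETS, SIGNATURES))
```

Every byte of the stream is compared against every signature here, which is exactly the cost that grows with the number of signatures and the link speed; the hardware approach the post goes on to describe moves that comparison into dedicated logic.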
Dedicated microprocessor for approximate content matching with k=1

To identify a threat in network packets, every single bit and byte of the payload must be inspected; this "Deep Packet Inspection" (DPI) is the foundation of firewalls and NIDPS. The paper presents an 8-bit dedicated microprocessor for exact string matching that attempts to keep both speed and flexibility. Its architecture has two parts, a datapath and a control unit. The datapath consists of a register file and one or more 8-bit comparators. The virus signature to be identified is stored as an L * 8 array of binary values (0s and 1s), where L is the length of the pattern (the signature). On each clock cycle, the next character of the incoming stream is presented at the input of the datapath and compared against the pattern byte read from the register file. The comparator result is sent as a status signal to the control unit; when the whole pattern has matched, the control unit tells the datapath to output a binary "1", signaling recognition of the pattern. The paper mentions the use of the Xilinx ISE WebPack software for design and simulation.
Example:
Suppose the register file has dimensions 16 * 8, so L = 16 entries of one byte each. Since 16 = 2^4, each entry is selected by a four-bit address. To recognize the four-character pattern "abcd", its characters are stored at addresses "0000", "0001", "0010", and "0011". During the comparison process, the address counter steps through those values in order, and the sequence ends at "0100", which holds a NULL value or a value that the programmer sets to mark the end of the sequence.
The address changes are driven by the loaded characters "abcd". If the comparator sees "abcd", the result is true and the matcher outputs "1" to signal it. If it sees "axcd", "aybc", or "bxac", the input has been modified, but the pattern still contains some of the pieces, such as the characters "a", "b", and "c". Based on my understanding, the control unit classifies this as a potential threat (quarantine), and that needs more research on my side.
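To make the datapath and control unit from the previous two paragraphs concrete, here is an added behavioural model written for this page; it is not the paper's design or code. It assumes a 16 x 8-bit register file (L = 16) addressed by a 4-bit counter, one 8-bit comparator, one input byte per clock cycle, and a programmer-chosen terminator byte (0x00 here) after the pattern, as in the "abcd" example. The parameter k is the number of substituted bytes tolerated in one alignment: k = 0 is exact matching, and k = 1 is the usual reading of the figure caption's "approximate content matching with k=1" (an assumption about the paper's semantics, since the page does not define it).

```python
# Added example: behavioural model of the 8-bit content-matching datapath
# and control unit. Assumptions: 16 x 8-bit register file, 4-bit address
# counter, one comparator, one byte per clock, terminator byte 0x00.

REG_DEPTH = 16      # 16 entries -> addresses 0b0000 .. 0b1111
TERMINATOR = 0x00   # programmer-chosen end-of-sequence marker (assumption)


def load_pattern(pattern: bytes) -> list[int]:
    """Fill the register file with the signature followed by the terminator."""
    if TERMINATOR in pattern:
        # A terminator scheme cannot store a signature that contains the
        # terminator byte itself; binary signatures often do, so a real
        # design would need a length register or escaping instead.
        raise ValueError("pattern must not contain the terminator byte")
    if len(pattern) + 1 > REG_DEPTH:
        raise ValueError("pattern plus terminator must fit in 16 entries")
    regs = list(pattern) + [TERMINATOR]
    return regs + [0] * (REG_DEPTH - len(regs))


def run_matcher(regs: list[int], stream: bytes, k: int = 0):
    """Clock the stream through the matcher, one byte per cycle.

    k = number of mismatching bytes tolerated within one alignment
    (0 = exact match, 1 = the caption's k=1 approximate matching, assumed
    to mean one substitution).

    Returns (hits, addr_trace): hits are stream offsets just past the byte
    that completed a match (the cycle in which the MATCH output is 1);
    addr_trace is the 4-bit address presented to the comparator each cycle.
    """
    addr = 0            # address register, reset value 0b0000
    mismatches = 0      # mismatch budget used in the current alignment
    hits, addr_trace = [], []
    for cycle, byte in enumerate(stream):
        addr_trace.append(f"{addr:04b}")
        if byte != regs[addr]:              # comparator -> status signal
            mismatches += 1
        if mismatches > k:                  # control unit: drop this alignment
            addr, mismatches = 0, 0
            continue                        # the current byte is consumed
        addr += 1                           # advance the address counter
        if regs[addr] == TERMINATOR:        # end of sequence reached -> MATCH = 1
            hits.append(cycle + 1)
            addr, mismatches = 0, 0
    return hits, addr_trace


if __name__ == "__main__":
    regs = load_pattern(b"abcd")
    for sample in (b"abcd", b"axcd", b"aybc", b"bxac"):
        exact, trace = run_matcher(regs, sample, k=0)
        approx, _ = run_matcher(regs, sample, k=1)
        print(sample, "exact:", bool(exact), "k=1:", bool(approx), "addresses:", trace)
```

Running it on the post's inputs, "abcd" walks the addresses 0000, 0001, 0010, 0011 and fires when the counter reaches the terminator at 0100. Of the three modified inputs, only "axcd" differs from "abcd" in a single position, so only it is accepted at k = 1. Two limitations of this one-comparator, restart-on-mismatch controller are worth knowing: the NULL terminator means a signature cannot itself contain 0x00, and because the byte that caused a mismatch is consumed, an overlapping alignment is lost (pattern "aab" is missed in the stream "aaab"), which is one reason the hardware designs mentioned earlier check many alignments in parallel.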



Cisco Intrusion Prevention System



Peer Reviewed Paper Citation:
Georgiev, D. R. (2014). Design of 8-bit dedicated microprocessor for content matching in NIDPS. International Journal of Information Security Science, 3(3), 209–215. 




2 comments:

  1. Hey Youssef,

    I really enjoyed reading and learning about detecting malicious code. I've always heard articles say that society needs stronger virus software, but never about the process of how one works. It was interesting to see how virus scanners look for signatures in the form of patterns in order to detect a virus.

    I remember hearing about pattern matching before but didn't really understand or know what it was until I read this post. Although I understand how the process of pattern matching works, it made me curious enough to look up exactly how it works, so I commend you for that.

  2. It's interesting that you could use an 8-bit microprocessor for virus detection at such speeds; it takes huge multicore servers to achieve gigabit speeds in most cases. It sounds like this technique could be very beneficial, since I would imagine that it would use significantly less power, something that would help data centers. The question is how effective it is at detecting newer threats.
