SlideShare a Scribd company logo

Application of hardware accelerated extensible network nodes for internet worm and virus protection

U
UltraUploader

This document proposes a hardware-accelerated system that uses field-programmable gate arrays (FPGAs) to actively detect and block internet worms and viruses at multi-gigabit speeds. It scans packet payloads in real-time to search for signatures of malicious software and can dynamically reconfigure to detect new threats. The system is designed to be incrementally deployed throughout the internet to quarantine infections locally and limit global spread. It aims to provide faster and more effective protection than software-based solutions by processing packet content directly in network hardware.

1 of 14
Download to read offline
Application of Hardware Accelerated Extensible Network Nodes for Internet Worm and Virus Protection John W. Lockwood , James Moscola, David Reddick, Matthew Kulig, and Tim Brooks Applied Research Laboratory Washington University in Saint Louis 1 Brookings Drive, Campus Box 1045 St. Louis, MO 63130 USA Global Velocity Bandwidth Exchange Building 210 North Tucker Blvd., Suite 315 St. Louis, MO 63101 USA {lockwood, jmm5}@arl.wustl.edu, {dreddick, mkulig, tbrooks}@globalvelocity.info http://www.arl.wustl.edu/arl/projects/fpx/reconfig.htm http://www.globalvelocity.info/ Abstract. Today’s crucial information networks are vulnerable to fast- moving attacks by Internet worms and computer viruses. These attacks have the potential to cripple the Internet and compromise the integrity of the data on the end-user machines. Without new types of protec- tion, the Internet remains susceptible to the assault of increasingly ag- gressive attacks. A platform has been implemented that actively detects and blocks worms and viruses at multi-Gigabit/second rates. It uses the Field-programmable Port Extender (FPX) to scan for signatures of ma- licious software (malware) carried in packet payloads. Dynamically re- configurable Field Programmable Gate Array (FPGA) logic tracks the state of Internet flows and searches for regular expressions and fixed- strings that appear in the content of packets. Protection is achieved by the incremental deployment of systems throughout the Internet. This research was supported by a grant from Global Velocity. John Lockwood is a co- founder and consultant for Global Velocity and an Assistant Professor at Washington University in St. Louis. Washington University and John Lockwood may receive income based on a license of related technology by the University to Global Velocity. Published in: International Working Conference on Active Networks (IWAN), Kyoto, Japan, December, 2003. Lecture Notes in Computer Science (LCIS), ISBN 3-540-21250-7
1 Introduction Computer virus and Internet worm attacks are pervasive, aggravating, and ex- pensive, both in terms of lost productivity and consumption of network band- width. Attacks by Nimba, Code Red, Slammer, SoBig.F, and MSBlast have infected computers globally, clogged large computer networks, and degraded cor- porate productivity [1]. It can take weeks to months for Information Technology staff to sanitize infected computers throughout a network after an outbreak. The direct cost to recover from just the Code Red Version 2 worm was $2.6 billion. In much the same way that a human virus spreads between people that come in contact, computer viruses and Internet worms spread when computers commu- nicate electronically. Once a few systems are compromised, they proceed to infect other machines, which in turn quickly spread the infection throughout a network [2]. As is the case with the spread of a contagious disease like SARS, the num- ber of infected computers will grow exponentially unless contained. Computer systems spread contagion much more quickly than humans because they can communicate nearly instantly over large geographical distances. “The Blaster worm infected over 400,000 computers in less than five days. In fact, about one in three Internet users are infected with some type of virus or worm every year. The speed at which worms and viruses can spread is astonishing. What’s equally astonishing is the lethargic pace at which people deploy the patches that can prevent infection in the first place”, Congressman Adam Putnam said recently when he opened a congressional hearing [3]. Malicious software (malware) can propagate as a computer virus, an Inter- net worm or a hybrid that contains elements of both. Viruses spread when a computer user downloads unsafe software, opens a malicious attachment, or ex- changes infected computer programs over a network. An Internet Worm spreads over the network automatically when malicious software exploits one or more vulnerabilities in an operating system, a web server, a database application, or an email exchange system. Malware can appear as a virus embedded in software that a user has downloaded. It also can take the form of a trojan that is em- bedded in what appears to be benign freeware. Alternatively, it can spread as content attached to an email message, as content downloadable from a website, or in files transferred over peer-to-peer systems. Modern attacks typically use multiple mechanisms to execute their attacks. Malware can spoof messages to lure users to submit personal financial information to cloaked servers. In the future, malware is likely to spread much faster and do much more damage [4]. 1.1 Weakness of End-System Protection Today, most anti-virus solutions run in software on end systems. To ensure that an entire network is secure from known attacks, some system administrators mandate that every host within the network: (1) run only trusted Operating Systems, system tools, and application software; (2) have a full suite of virus- protection software loaded; (3) have the latest updates and patches installed for all of the programs that might run on the machine; and (4) be carefully
configured to guard against running unauthorized software. Should any machine in the network be missed, the security of the overall network can be compromised. It is difficult for companies, universities, and government agencies to maintain network-wide security. Most Internet worms and viruses go undetected until they cause harm on an end-user’s computer. Placing the burden of detection on the end user is neither efficient nor trustworthy because individuals tend to ignore warnings about installing new protection software and the latest security updates. New vulnerabilities are discovered daily, but not all users take the time to download new patches the moment they are posted. It can take weeks for an IT department to eradicate old versions of vulnerable software running on end-system computers. A recent Gartner study predicts that by the year 2005, 90 percent of cyber attacks will attempt to exploit vulnerabilities for which a patch is available or a solution known. But systems are not always patched immediately, and anti- virus programs are not kept up to date. “System administrators are often times overwhelmed with simply maintaining all the systems they have responsibility for overseeing. Challenges that organizations face in maintaining their systems are significant: with an estimated 4,000 vulnerabilities being discovered each year, it is an enormous challenge for any but the best-resourced organizations to install all of the software patches that are released by the manufacturer. Not only is the sheer quantity of patches overwhelming for administrators to keep up with, but patches can be difficult to apply and also have potentially unexpected side effects on other system components that administrators must then evaluate and address. As a result, after a security patch is released, system administrators often take a long time to fix all their vulnerable computer systems. Obviously, small organizations and home users, who lack the skills of system administrators, are even less likely to be able to keep up with the flow of patches” said the congressman [3]. 1.2 A Global Threat Due to the global expansion of high speed networks and the proliferation of a dominant, monolithic operating system, a large portion of the Internet can be easily and quickly subverted. For SoBig.F, more than 1 million computers were infected within the first 24 hours, 100 million systems within the first five days, and an excess of 200 million computers within a week. The virus accounted for 70 percent of all email traffic on August 20, 2003. Existing firewalls that examine only the packet headers do little to protect against many types of attack. Many new worms transport their malware over trusted services and cannot be detected without examining the payload. Intru- sion Detection Systems (IDSs) that scan the payload can detect malware, but do nothing to impede the attack because they only operate passively. An Intrusion Prevention System (IPS), on the other hand, can intervene and stop malware from spreading. The problem is that current IPS devices cannot keep pace with the volume of traffic that transits high-speed networks. Existing systems that
implement IPS functions in software limit the bandwidth of the network and delay the end-to-end connection. There is a need for devices which can scan data quickly, reconfigure to search for new attack patterns, and take immediate action when attacks occur. By pro- cessing the content of Internet traffic in real-time within an extensible network, data containing computer viruses or Internet worms can be detected and pre- vented from propagating. Inserting a few data scanning and filtering devices at a few key Network Aggregation Points (NAPs) enables Internet worms and com- puter viruses to be quarantined to the subnetworks where they were introduced. Such a system of intelligent gateway devices recognizes and blocks malware lo- cally to dramatically limit the spread of the worm or virus globally. According to the director of CERT, “It is critical to maintain a long-term view and invest in research toward systems and operational techniques that yield networks capable of surviving attacks while protecting sensitive data. In doing so, it is essential to seek fundamental technological solutions and to seek proactive, preventive approaches, not just reactive, curative approaches” [5]. A complete system has been designed and implemented that scans the full payload of packets to route, block, and track the packets in the flow, based on their content [6]. The result is an intelligent gateway that provides Internet worm and virus protection in both local and wide area networks. 2 Related Work A common prerequisite for network intrusion detection and prevention systems is the ability to search for predefined signatures in network traffic flows. A virus or Internet worm can be detected by the presence of a string of bytes (for the rest of the paper, a string is synonymous with a signature) in traffic that passes through a network link. Such signatures can be loaded into the system manually by an operator or automatically by a signature detection system. 2.1 Obtaining Signatures There are many ways to obtain malware signatures. One way to learn about a new Internet worm or computer virus is to participate in group forums that share information about new attacks. When a new virus is encountered, infor- mation about it is collected, analyzed, and reported to the group. Agencies like the CERT Coordination Center provide alerts regarding potential threats and provide information about how to avoid, minimize, or recover from the damage [7]. Incident reports on vulnerabilities are collected and distributed once they are found. This data can be used by others to avoid and recover from an attack. New methods of detecting outbreaks can streamline the recognition and analysis of new threats and shorten the time needed to obtain a new signature. One new way that worms and computer viruses can be automatically detected is with a Honeypot or a Honeynet. Honeynets gather information by monitoring all traffic going to and from a non-production network. All captured activity
is assumed to be unauthorized or malicious. Any connection initiated inbound to a Honeynet is most likely a probe, scan, or attack. Data that is captured is analyzed to gain insight into threatening activities. New tools can be discovered, attack patterns determined, and attacker motives studied by monitoring and logging all activities within the Honeynet [8]. Unlike a Honeypot, a Honeynet is an entire network of systems that runs real applications and services. An attacker can interact with operating systems and execute tools on what appears to be a legitimate production network, but is not. It is through this extensive interaction that information on threats is obtained and analyzed. Signatures are obtained from captured traffic that is determined to be malware. These signatures, in turn, can be used to program a data scanning device to block attacks into real systems. Another automated method for detecting new worms is based on traffic char- acteristics. The method tracks traffic to detect highly repetitive packet content sent from an increasing population of sources to an increasing number of destina- tions. The method generates content signatures for the worm without any human intervention. The method can quickly identify the signatures of new worms [9]. As with a Honeynet, these signatures can be used by the system we propose to block worms from attacking other legitimate systems. 2.2 Signature Scanning with Software, Hardware, or FPGAs Once a signature is found, an IDP can use this signature to block traffic con- taining infected data from spreading throughout a network. To perform this operation on a high-speed network, the signature scanning and data blocking must operate quickly. Software-based scanners are not capable of monitoring all traffic passing through fast network links. Due to the sequential nature of code execution, software-based systems can perform only a limited number of operations within the time period of a packet transmission. A comparison of a variety of systems running the Snort [10] rule-based NIDS sensor reveals that most general-purpose computer systems are inadequate as NIDS sensor platforms even for moderate- speed networks. The analysis shows that factors that include the microprocessor, operating system, and main memory bandwidth and latency all limit the per- formance achievable by a NIDS sensor platform. General-purpose computers, including the Intel Pentium-III and Pentium-4, were found to be inadequate to act as sensors even on a 100 Mbit per second network link. The best-performing system could support only a maximum of 720 header rules without losing pack- ets. For larger numbers of rules, a significant percentage of packets are dropped, thus degrading the NIDS effectiveness in detecting security breaches [11]. Hardware-based systems use parallelism to perform deep packet inspection with high throughput [12]. FortiNet and Intruvert, for example, use Applica- tion Specific Integrated Circuits (ASICs) to provide virus protection [13] [14]. TippingPoint also uses hardware for the line of UnityOne systems. Its Threat Suppression Engine (TSE) enables intrusion is a blend of ASICs and network
processors [15]. Packeteer monitors traffic flows to perform traffic shaping with- out good hardware acceleration. The maximum throughput of its system is listed as 200 Mbps [16]. FPGAs provide the flexibility and performance to scan for regular expressions within a high-speed network [17] [18]. In previous work, the Field-programmable Port Extender (FPX) platform was implemented to process Asynchronous Trans- fer Mode (ATM) cells, Internet Protocol (IP) packets, and Transmission Control Protocol (TCP) flows at OC48 (2.4 Gigabit/second) rates using FPGAs [19] [20] [21] [22]. Several mechanisms were developed to perform exact matching and longest prefix matching for header fields [23] [24] [25]. An automated design flow was created to scan the payload traffic for regular expressions [26] [27]. In addi- tion, a Bloom filter was developed to enable large numbers of fixed-length strings to be scanned in hardware [28]. Web-based tools were developed to enable easy remote monitoring, control, and configuration of the hardware [29]. 3 System Architecture A complete system has been implemented that uses the FPX to protect net- works from Internet worm and virus attacks. The system is comprised of three interconnected components: a Data Enabling Device (DED), a Content Match- ing Server (CMS), and a Regional Transaction Processor (RTP). A diagram of the DED, CMS, and RTP appears at the right side of Figure 1. These systems work together to provide network-wide protection. FPGA synthesis Enabling Data = Subnet tools Potentially Infected Host =or SONET OCx = Gigabit Ethernet= VLAN Switch Concentrator = Data Enabling Device (DED) Router = Internet and virus signatures Database of worm VLAN Switch Gigabit Ethernet / Concentrator Gigabit Ethernet (RTP) Processor Transaction Regional Potentially Infected Hosts ... Core Network Subnet 1 Subnet N ... ... Content Matching Server (CMS) (DED) Device S S S S S SS S S S R V H H R HH H H R H H H V HH R H R H H V H H H H R RR HH R R Field−programmable Port Extender (FPX) DED DED DED DED DED DED DED Fig. 1. Example topology of a Network Aggregation Point (NAP) with DEDs added to provide worm and virus protection
Packets in our system are scanned by the Data Enabling Device (DED). At the heart of the DED is the FPX module which scans the content of Internet packets at Gigabit per second rates. DEDs can be installed incrementally at key traffic aggregation points of commercial, academic or governmental networks, as well as on the network core. The more DEDs that are deployed, the better is the granularity of protection between different subnetworks. In order to reprogram the DEDs to search for new strings, a Content Matching Server (CMS) has been implemented. Custom circuits are com- piled and synthesized on the CMS by an automated design flow. The CMS reads a table of Internet worm and virus signatures from a database, converts each into an optimized finite automata, instantiates parallel hardware to perform a data scanning function, embeds this hardware into logic that parses Internet protocol messages, synthesizes the entire circuit into logic gates, routes, places the circuit into a FPGA, and reconfigures the hardware. The Regional Transaction Processor (RTP) is contacted by the DED when matching content is found to be passing through the network. The RTP consults the database to provide detailed information about the reason that a certain data flow was blocked. The RTP maintains information about users, agents, properties, owners, and access rights in a MySQL database. Common Gateway Interface (CGI) programs provide a network administrator with an easy-to-use, web-based interface to modify the database tables and to run the scripts that build new hardware. A single RTP can remotely coordinate the activities of up to 100 DEDs. RTPs can be co-located on the same site as the DEDs and be managed by a local site administrator, or they can be located remotely and be administered by a trusted authority. 3.1 System Operation When a new virus appears, an administrator or an automated process adds the signature of the malware to a database table on the Content Matching Server (CMS). The CMS then synthesizes a new FPGA circuit and reconfigures the FPGA hardware on the Data Enabling Device (DED) to scan Internet traffic for the updated signatures. A targeted signature in the packet payload can appear at any position within the traffic flow. The DED uses parallel hardware circuits to scan all bytes of the traffic. Whenever matching content is found, the DED generates a message that is forward to the intended recipient of the message. The system can also actively block the malware from passing through the network. To detect an Internet worm, the system would be programmed to look for a signature that contained a portion of the binary executable program that implements the worm. Inadvertent matches can be nearly eliminated by using long and distinct strings that are highly unlikely to appear in normal traffic content. For random data with a signature length of 16 bytes (16 ∗ 8 = 128 bits), the odds that a signature will find a match in random traffic is only one in 2128 = 3.4 ∗ 1038 . On a 1 Gigabit/second link, this corresponds to finding a match only once in (3.4 ∗ 1038 bytes ) ∗ (8 bits/byte )/(1 ∗ 109 bits/sec ) = 2.72 ∗ 1030 seconds . This is equivalent to finding a stray match just once in
2.72 ∗ 1030 sec /(60 sec/min ∗ 60 min/hr ∗ 24 hr/day ∗ 365 day/year ) = 86 billion billion years, which is an amount of time likely to be far greater than the lifetime of the Internet. In a typical installation, as shown at the left of Figure 1, Data Enabling Devices (DEDs) are installed at network aggregation points. Traffic flows from end-system hosts attached to subnets are concentrated into high-speed links that are then fed into a router. The DED scans traffic which would otherwise simply be routed back to other subnets or to the Internet. So long as at least one DED is positioned along the path between any two endpoints, the virus signature will be detected. The system allows for the immediate blocking of known viruses and may be rapidly reprogrammed to recognize and block new threats. These upgrades are system-driven, and do not require that actions be taken by end users to assure protection. Copyright 2003, John W Lockwood Flow Switching RE:2 RE:3 DFA DFA DFA RE:n DFA RE:1 RE:2 RE:3 DFA DFA DFA RE:n DFA RE:1 RE:2 RE:3 DFA DFA DFA RE:n DFA RE:1 RE:2 RE:3 RE:n Configuration Cache Reconfigurable Application Device (RAD) Network Interface Device (NID) [Xilinx XCV600E FPGA] [Xilinx XCV2000E FPGA] FPGA Dynamic Reconfiguration Control Port Field−programmable Port Extender (FPX) 2.4GbpsNetworkInterface 2.4GbpsNetworkInterfaceCell Processor Frame Protocol Processor (UDP/TCP Prototol Processor) Dispatcher FlowCollector IP Protocol Processor (Application−Level Protocol Processors) DFA DFA DFADFA RE:1 Data In Static Static Data Out Static RAM Packets Incoming Packets Outgoing DRAM Synchronous RAM Synchronous DRAM RAM Deterministic Finite Expression (RE) Alert Packet Generator Parallel Regular Scanning Engines Automata (DFA) Fig. 2. Field-programmable Port Extender (FPX) with Protocol Wrappers and Regular Expression (RE) Deterministic Finite Automata (DFA) scanning engines
3.2 Field-programmable Port Extender (FPX) Platform The Field-programmable Port Extender (FPX) card implements the core func- tionality of the DED. In order to provide sufficient space to store the state of multiple traffic flows, an FPX can be equipped with up to 1 Gigabyte of SDRAM and 6 Megabytes of pipelined Zero-Bus-Turnaround (ZBT) SRAM. Each FPX contains two FPGAs, five banks of memory and two high-speed (OC-48 rate) network interfaces. On the FPX, one FPGA called the Network Interface Device (NID), is used to route individual traffic flows through the device and process control packets, while the other FPGA, called the Reconfigurable Application Device (RAD), is dynamically reconfigured over the network to perform cus- tomized packet processing functions [12]. A diagram of the FPX is shown in Figure 2. The FPX can process traffic on a wide variety of networks. Line cards have been developed that interface the DED to both Gigabit Ethernet and Asyn- chronous Transfer Mode (ATM) networks. For Gigabit Ethernet, a GBIC is used to interface with either fiber or copper network ports. The Gigabit Ethernet line card extracts the data from MAC frames and can use VLANs to identify which traffic flows packets should be processed. For ATM networks, a Synchronous Op- tical NETwork (SONET) line card interfaces to the physical network. Virtual paths and circuits determine which traffic flows are processed. 3.3 Protocol Wrappers Layered Internet Protocol (IP) wrappers break out the header fields that include the protocol field, source IP address, and destination IP address. The IP wrap- pers also compute the checksums over the header and process the Time-to-Live field [20]. Internet headers can be processed in many ways, such as with ternary content addressable memories [23], longest-prefix matching tries [24], or with Bloom-based header-matching circuits [25]. For transport protocols, including the User Datagram Protocol (UDP) and Transmission Control Protocol (TCP), the wrappers track the source and desti- nation port of the packet. The wrappers also compute checksums over the entire packet. The TCP wrapper, implemented in FPGA logic, reconstructs the flow of transmitted data by tracking sequence numbers of consecutive packets to provide a byte-ordered data stream to the content scanning engines [30]. This means that even if a malware signature has been fragmented across multiple packets, it still can be detected and blocked. Synchronous Dynamic Random Access Memory (SDRAM) allows the state of multiple traffic flows to be tracked. By allocating 64 bytes of memory for each flow, one 512 Mbyte SDRAM can track 8 million simultaneous TCP/IP flows [22]. Higher-level protocol processing can be implemented above the transport- layer wrappers. For web traffic, a payload processing wrapper could parse HTTP headers to perform filtering on URLs. For email traffic, the payload processing wrapper could parse SMTP headers to block traffic to or from specific email addresses. For peer-to-peer traffic, the payload processing wrapper could scan for signatures of specific content.
3.4 Signature Detection Many types of Internet traffic can be classified only by deep content inspec- tion [31]. Dynamically reconfigurable hardware can perform content classifica- tion functions effectively. Two types of scanning modules have been developed to search for signatures on the FPX: those that use finite automata to scan for regular expressions [26] [27] and those that use Bloom filters to scan for fixed- length strings [28]. With a Bloom filter, a single FPX card can scan for up to 10,000 different, fixed-length strings. In order to scan packet payloads for regular expressions, a matching circuit was implemented that dynamically generates finite automata. The architecture of the payload scanner with four parallel content scanners searching for n Reg- ular Expressions, RE:1-RE:n, is illustrated in Figure 2. A match is detected when a sequence of incoming data causes a state machine to reach an accept- ing state. For example, to detect the presence of the SoBig.F Internet worm as it appears when encapsulated in a Mime64-encoded email, the expression: “!HEX(683063423739)” would be specified. In order to achieve high through- put, parallel machines are instantiated. When data arrives, a flow dispatcher sends a packet to an available buffer which then streams data though the se- quence of regular expression search engines. A flow collector combines the traffic into a single outgoing stream. The result of the circuit is the identification of which regular expressions were present in each data flow. 3.5 Performance Both the finite automata and the Bloom filter scan traffic at speeds of up to 600 Mbps. By implementing four modules in parallel, the FPX can process data at a rate of 2.4 Gigabits per second using a single Xilinx Virtex 2000E FPGA. The parallel hardware enables the FPX to maintain full-speed processing of packets. Data throughput is unaffected by the number of terms that are subject of the search. So long as the working set of signatures fits into the resources on the FPGA and the circuit synthesizes to meet the necessary timing constraints, the throughput remains constant. This is significantly different than software-based solutions, which slow down as the CPU processor becomes fully utilized. 3.6 Web-based Control Interface and Automated Design Flow A web-based user interface allows new search strings to be entered remotely. A database tracks the list of search strings, their corresponding description, and a risk value assigned to each virus. When a single ‘Build’ button is pressed, the design flow is run and the new circuit is deployed on the remote DED [6]. To rapidly generate new hardware that performs the specified searches, a fully automated design flow was developed. The design flow begins when the CMS reads a set of signatures from its database. Finite automaton are dynamically created for each regular expression then optimized to have a minimal number of states. Very-High-Speed Integrated Circuit (VHSIC) Hardware Description
Language (VHDL) code is generated to instantiate parallel automaton that scan the packets passing through the layered Internet protocol wrappers. The VHDL code is synthesized into logic using the Synplicity computer aided design tool. Input and Output (I/O) pins of the circuit are mapped to I/O pins of the RAD. This circuit is then placed and routed with Xilinx tools and a FPGA bitstream is generated. The resulting bitstream is then deployed into a remote FPX platform using the NCHARGE tools [29]. 3.7 End-System Applications The virus protection works for many types of live Internet traffic. Network-wide protection is provided, so long as there is at least one DED in the path from the content sender to the recipient. The DED scans all packets going through the network link and recognizes those that contain a virus signature. In the passive mode, the DED will detect a virus signature embedded within network traffic and generate a UDP/IP packet that is forwarded to the recipient’s computer. An application running on that computer, in turn, is directed to query the RTP to retrieve a full-text description that alerts them to the potential danger that the content represents. This warning message is currently presented to the user via a popup window from a Java application. In the active mode, the DED not only detects a virus signature, but also blocks the flow of traffic. When a match is found, the DED hardware sends a UDP/IP packet to the intended recipient’s network address. The machine that receives that message queries the RTP server using data in that message to retrieve a full-text description that explains why the content was blocked. An example that shows processing of email traffic is shown in Figure 3. If at least one DED is located along the path between an email server and the intended recipient of the malware, then an infected message can be blocked before it has a chance to reach that end-system. A system protected by a DED will receive an immediate notice whenever a virus-infected message targets the machine. For example, if a DED recognizes that a malware signature is being carried within a POP3 email message, then that inbound data is blocked and a notification is forwarded to the intended recipient’s host. to display verbose Regional Transaction Processor (RTP) malware Intended recipient of malware Data Enabling Device (DED) 5 : Alert message 4 : Data blocked transmitted in POP3 message by DED 3 : Malware Email Server 6 : End system contacts RTP message (optional) SMTP message transmitted in 1 : Malware recipient checks email until recipient received and held sent to intended 2 : SMTP message Copyright 2003, John W Lockwood Sender of S S R R R R R Fig. 3. Example that shows how malware can be blocked by a DED as it attempts to transit from an email server to an end-system
Another example of processing email traffic is shown in Figure 4. If at least one DED is located along the path between the sender and the targeted email server, then an infected message can be blocked before that message even has a chance to reach that email server. Further, the DED can generate a message that alerts the operator on the sending machine that some process on their machine attempted to transmit an infected message. Regional Processor (RTP) Transaction recipient Copyright 2003, John W Lockwood malware Email Server Data Enabling Device (DED) Intended of malware Sender of (optional) message transmitted to 3 : Data blocked and alert sender and/or administrator (optional) error message display verbose contacts RTP to 4 : End−station 2 : Malware blocked by DEDtransmitted in SMTP message 1 : Malware SS R RR R Fig. 4. Example that shows how malware can be blocked by a DED as it attempts to transit from the sender to an email server The system described here is effective not only against the spread of computer viruses and worms, but also can perform many other functions. Because the system operates at Gigabit speeds and has near-zero latency, it can process live web traffic and scan data sent over peer-to-peer networks. For example, the DED can be configured to detect the unauthorized release of confidential, classified or otherwise sensitive data, and block its distribution. Corporations could scan for proprietary documents passing through a network, and block them before they leave a secure network; and healthcare providers could assure compliance with privacy regulations such as the Health Insurance Portability and Accountability Act. The flexibility of the system to be quickly and remotely reconfigured enables it to meet new needs and perform new tasks. Additional modules can be loaded into the FPX to encrypt and decrypt data, filter packets, and schedule transmission of data over a link to preserve Quality of Service [23]. 4 Conclusions An extensible networking system has been developed that not only blocks the spread of Internet worms and computer viruses, but also can be used to support a wide range of active networking applications. This system uses programmable logic devices to scan Internet traffic for malware at high speeds. Malware is iden- tified by signatures that may consist of either fixed strings or regular expressions. Through the use of layered protocol wrappers, application-level Internet traffic flows can be tracked, with targeted data acted upon before it has an opportunity to damage networks. An automated design flow allows new FPGA circuits to be rapidly deployed to protect the network against new attacks.
References 1. E. Skoudis and L. Ziltser, Malware: Fighting Malicious Code. New Jersey: Prentice Hall, first ed., 2003. 2. D. Moore, C. Shannon, G. Voelker, and S. Savage, “Internet quarantine: Require- ments for containing self-propagating code,” in IEEE INFOCOM, (San Francisco, CA), Mar. 2003. 3. US Congressman Adam Putnam, Chairman, Subcommittee on Technology, In- formation Policy, Intergovernmental Relations and the Census, “Oversight Hear- ing: Opening statement, Worm and Virus Defense: How Can We Protect the Na- tions Computers from These Serious Threats.” http://reform.house.gov/TIPRC/- Hearings/EventSingle.aspx?EventID=526, Sept. 2003. 4. V. Paxson, S. Staniford, and N. Weaver, “How to 0wn the internet in your spare time,” in Proceedings of the 11th Usenix Security Symposium, Aug. 2002. 5. Richard D. Pethia, Director of CERT Coordination Center, “Subcommit- tee on Technology, Information Policy, Intergovernmental Relations and the Census: Oversight Hearing, Worm and Virus Defense: Viruses and Worms: What can we do about them.” http://reform.house.gov/UploadedFiles/- Pethia testimony Sept2003-v7.pdf, Sept. 2003. 6. J. W. Lockwood, J. Moscola, M. Kulig, D. Reddick, and T. Brooks, “Internet worm and virus protection in dynamically reconfigurable hardware,” in Military and Aerospace Programmable Logic Device (MAPLD), (Washington DC), p. E10, Sept. 2003. 7. “CERT coordination center.” http://www.cert.org/, 2003. 8. “Know your enemy: Honeynets.” http://www.honeynet.org/papers/honeynet, Nov. 2003. 9. S. Singh, C. Estan, G. Varghese, and S. Savage, “The EarlyBird system for real- time detection of unknown worms.” UCSD Tech Report CS2003-0761, Aug. 2003. 10. M. Roesch, “SNORT - lightweight intrusion detection for networks,” in LISA ’99: USENIX 13th Systems Administration Conference, (Seattle, Washington), Nov. 1999. 11. L. Schaelicke, T. Slabach, B. Moore, and C. Freeland, “Characterizing the perfor- mance of network intrusion detection sensors,” in Proceedings of the Sixth Interna- tional Symposium on Recent Advances in Intrusion Detection (RAID 2003), Lec- ture Notes in Computer Science, (Berlin–Heidelberg–New York), Springer-Verlag, September 2003. 12. J. W. Lockwood, “Evolvable Internet hardware platforms,” in The Third NASA/DoD Workshop on Evolvable Hardware (EH’2001), pp. 271–279, July 2001. 13. FortiNet, “Product overview.” http://www.fortinet.com/products/, Nov. 2003. 14. IntruVert, “Press release.” http://www.networkassociates.com/us/about/- press/corporate/2003/20030401 173857.htm, Apr. 2003. 15. TippingPoint, “UnityOne 2000.” http://www.tippingpoint.com- /resource library/pdfs/2000 Data Sheet.pdf, Nov. 2003. 16. Packeteer, “Shaping your network for business.” http://www.packeteer.- com/resources/prod-sol/PacketeerBroFinal2.pdf, Nov. 2003. 17. R. Sidhu and V. Prasanna, “Fast regular expression matching using FPGAs,” in IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM), Apr. 2001. 18. R. Franklin, D. Carver, and B. L. Hutchings, “Assisting network intrusion detec- tion with reconfigurable hardware,” in IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM), (Napa, CA), Apr. 2002.
19. J. W. Lockwood, N. Naufel, J. S. Turner, and D. E. Taylor, “Reprogrammable Network Packet Processing on the Field Programmable Port Extender (FPX),” in ACM International Symposium on Field Programmable Gate Arrays (FPGA’2001), (Monterey, CA, USA), pp. 87–93, Feb. 2001. 20. F. Braun, J. Lockwood, and M. Waldvogel, “Protocol wrappers for layered network packet processing in reconfigurable hardware,” IEEE Micro, vol. 22, pp. 66–74, Jan. 2002. 21. D. V. Schuehler and J. Lockwood, “TCP-Splitter: A TCP/IP flow monitor in reconfigurable hardware,” in Hot Interconnects, (Stanford, CA), pp. 127–131, Aug. 2002. 22. D. V. Schuehler, J. Moscola, and J. W. Lockwood, “Architecture for a hardware based, tcp/ip content scanning system,” in Hot Interconnects, (Stanford, CA), pp. 89–94, Aug. 2003. 23. J. W. Lockwood, C. Neely, C. Zuver, J. Moscola, S. Dharmapurikar, and D. Lim, “An extensible, system-on-programmable-chip, content-aware Internet firewall,” in Field Programmable Logic and Applications (FPL), (Lisbon, Portugal), p. 14B, Sept. 2003. 24. D. E. Taylor, J. S. Turner, J. W. Lockwood, T. S. Sproull, and D. B. Parlour, “Scalable IP lookup for Internet routers,” IEEE Journal on Selected Areas in Com- munications (JSAC), vol. 21, pp. 522–534, May 2003. 25. S. Dharmapurikar, P. Krishnamurthy, and D. E. Taylor, “Longest prefix matching using Bloom filters,” in SIGCOMM, (Karlsruhe, Germany), Aug. 2003. 26. J. Moscola, J. Lockwood, R. P. Loui, and M. Pachos, “Implementation of a content- scanning module for an Internet firewall,” in FCCM, (Napa, CA), Apr. 2003. 27. J. Moscola, M. Pachos, J. W. Lockwood, and R. P. Loui, “Implementation of a streaming content search-and-replace module for an Internet firewall,” in Hot Interconnects, (Stanford, CA, USA), pp. 122–129, Aug. 2003. 28. S. Dharmapurikar, P. Krishnamurthy, T. Sproull, and J. W. Lockwood, “Deep packet inspection using parallel Bloom filters,” in Hot Interconnects, (Stanford, CA), pp. 44–51, Aug. 2003. 29. T. Sproull, J. W. Lockwood, and D. E. Taylor, “Control and configuration software for a reconfigurable networking hardware platform,” in IEEE Symposium on Field- Programmable Custom Computing Machines, (FCCM), (Napa, CA), Apr. 2002. 30. D. V. Schuehler and J. W. Lockwood, “TCP splitter: A TCP/IP flow monitor in reconfigurable hardware,” IEEE Micro, vol. 23, pp. 54–59, Jan. 2003. 31. Y. Cho, S. Nahab, and W. H. Mangione-Smith, “Specialized hardware for deep network packet filtering,” in Field Programmable Logic and Applications (FPL), (Montpellier, France), Sept. 2002.

More Related Content

Application of hardware accelerated extensible network nodes for internet worm and virus protection

  • 1. Application of Hardware Accelerated Extensible Network Nodes for Internet Worm and Virus Protection John W. Lockwood , James Moscola, David Reddick, Matthew Kulig, and Tim Brooks Applied Research Laboratory Washington University in Saint Louis 1 Brookings Drive, Campus Box 1045 St. Louis, MO 63130 USA Global Velocity Bandwidth Exchange Building 210 North Tucker Blvd., Suite 315 St. Louis, MO 63101 USA {lockwood, jmm5}@arl.wustl.edu, {dreddick, mkulig, tbrooks}@globalvelocity.info http://www.arl.wustl.edu/arl/projects/fpx/reconfig.htm http://www.globalvelocity.info/ Abstract. Today’s crucial information networks are vulnerable to fast- moving attacks by Internet worms and computer viruses. These attacks have the potential to cripple the Internet and compromise the integrity of the data on the end-user machines. Without new types of protec- tion, the Internet remains susceptible to the assault of increasingly ag- gressive attacks. A platform has been implemented that actively detects and blocks worms and viruses at multi-Gigabit/second rates. It uses the Field-programmable Port Extender (FPX) to scan for signatures of ma- licious software (malware) carried in packet payloads. Dynamically re- configurable Field Programmable Gate Array (FPGA) logic tracks the state of Internet flows and searches for regular expressions and fixed- strings that appear in the content of packets. Protection is achieved by the incremental deployment of systems throughout the Internet. This research was supported by a grant from Global Velocity. John Lockwood is a co- founder and consultant for Global Velocity and an Assistant Professor at Washington University in St. Louis. Washington University and John Lockwood may receive income based on a license of related technology by the University to Global Velocity. Published in: International Working Conference on Active Networks (IWAN), Kyoto, Japan, December, 2003. Lecture Notes in Computer Science (LCIS), ISBN 3-540-21250-7
  • 2. 1 Introduction Computer virus and Internet worm attacks are pervasive, aggravating, and ex- pensive, both in terms of lost productivity and consumption of network band- width. Attacks by Nimba, Code Red, Slammer, SoBig.F, and MSBlast have infected computers globally, clogged large computer networks, and degraded cor- porate productivity [1]. It can take weeks to months for Information Technology staff to sanitize infected computers throughout a network after an outbreak. The direct cost to recover from just the Code Red Version 2 worm was $2.6 billion. In much the same way that a human virus spreads between people that come in contact, computer viruses and Internet worms spread when computers commu- nicate electronically. Once a few systems are compromised, they proceed to infect other machines, which in turn quickly spread the infection throughout a network [2]. As is the case with the spread of a contagious disease like SARS, the num- ber of infected computers will grow exponentially unless contained. Computer systems spread contagion much more quickly than humans because they can communicate nearly instantly over large geographical distances. “The Blaster worm infected over 400,000 computers in less than five days. In fact, about one in three Internet users are infected with some type of virus or worm every year. The speed at which worms and viruses can spread is astonishing. What’s equally astonishing is the lethargic pace at which people deploy the patches that can prevent infection in the first place”, Congressman Adam Putnam said recently when he opened a congressional hearing [3]. Malicious software (malware) can propagate as a computer virus, an Inter- net worm or a hybrid that contains elements of both. Viruses spread when a computer user downloads unsafe software, opens a malicious attachment, or ex- changes infected computer programs over a network. An Internet Worm spreads over the network automatically when malicious software exploits one or more vulnerabilities in an operating system, a web server, a database application, or an email exchange system. Malware can appear as a virus embedded in software that a user has downloaded. It also can take the form of a trojan that is em- bedded in what appears to be benign freeware. Alternatively, it can spread as content attached to an email message, as content downloadable from a website, or in files transferred over peer-to-peer systems. Modern attacks typically use multiple mechanisms to execute their attacks. Malware can spoof messages to lure users to submit personal financial information to cloaked servers. In the future, malware is likely to spread much faster and do much more damage [4]. 1.1 Weakness of End-System Protection Today, most anti-virus solutions run in software on end systems. To ensure that an entire network is secure from known attacks, some system administrators mandate that every host within the network: (1) run only trusted Operating Systems, system tools, and application software; (2) have a full suite of virus- protection software loaded; (3) have the latest updates and patches installed for all of the programs that might run on the machine; and (4) be carefully
  • 3. configured to guard against running unauthorized software. Should any machine in the network be missed, the security of the overall network can be compromised. It is difficult for companies, universities, and government agencies to maintain network-wide security. Most Internet worms and viruses go undetected until they cause harm on an end-user’s computer. Placing the burden of detection on the end user is neither efficient nor trustworthy because individuals tend to ignore warnings about installing new protection software and the latest security updates. New vulnerabilities are discovered daily, but not all users take the time to download new patches the moment they are posted. It can take weeks for an IT department to eradicate old versions of vulnerable software running on end-system computers. A recent Gartner study predicts that by the year 2005, 90 percent of cyber attacks will attempt to exploit vulnerabilities for which a patch is available or a solution known. But systems are not always patched immediately, and anti- virus programs are not kept up to date. “System administrators are often times overwhelmed with simply maintaining all the systems they have responsibility for overseeing. Challenges that organizations face in maintaining their systems are significant: with an estimated 4,000 vulnerabilities being discovered each year, it is an enormous challenge for any but the best-resourced organizations to install all of the software patches that are released by the manufacturer. Not only is the sheer quantity of patches overwhelming for administrators to keep up with, but patches can be difficult to apply and also have potentially unexpected side effects on other system components that administrators must then evaluate and address. As a result, after a security patch is released, system administrators often take a long time to fix all their vulnerable computer systems. Obviously, small organizations and home users, who lack the skills of system administrators, are even less likely to be able to keep up with the flow of patches” said the congressman [3]. 1.2 A Global Threat Due to the global expansion of high speed networks and the proliferation of a dominant, monolithic operating system, a large portion of the Internet can be easily and quickly subverted. For SoBig.F, more than 1 million computers were infected within the first 24 hours, 100 million systems within the first five days, and an excess of 200 million computers within a week. The virus accounted for 70 percent of all email traffic on August 20, 2003. Existing firewalls that examine only the packet headers do little to protect against many types of attack. Many new worms transport their malware over trusted services and cannot be detected without examining the payload. Intru- sion Detection Systems (IDSs) that scan the payload can detect malware, but do nothing to impede the attack because they only operate passively. An Intrusion Prevention System (IPS), on the other hand, can intervene and stop malware from spreading. The problem is that current IPS devices cannot keep pace with the volume of traffic that transits high-speed networks. Existing systems that
  • 4. implement IPS functions in software limit the bandwidth of the network and delay the end-to-end connection. There is a need for devices which can scan data quickly, reconfigure to search for new attack patterns, and take immediate action when attacks occur. By pro- cessing the content of Internet traffic in real-time within an extensible network, data containing computer viruses or Internet worms can be detected and pre- vented from propagating. Inserting a few data scanning and filtering devices at a few key Network Aggregation Points (NAPs) enables Internet worms and com- puter viruses to be quarantined to the subnetworks where they were introduced. Such a system of intelligent gateway devices recognizes and blocks malware lo- cally to dramatically limit the spread of the worm or virus globally. According to the director of CERT, “It is critical to maintain a long-term view and invest in research toward systems and operational techniques that yield networks capable of surviving attacks while protecting sensitive data. In doing so, it is essential to seek fundamental technological solutions and to seek proactive, preventive approaches, not just reactive, curative approaches” [5]. A complete system has been designed and implemented that scans the full payload of packets to route, block, and track the packets in the flow, based on their content [6]. The result is an intelligent gateway that provides Internet worm and virus protection in both local and wide area networks. 2 Related Work A common prerequisite for network intrusion detection and prevention systems is the ability to search for predefined signatures in network traffic flows. A virus or Internet worm can be detected by the presence of a string of bytes (for the rest of the paper, a string is synonymous with a signature) in traffic that passes through a network link. Such signatures can be loaded into the system manually by an operator or automatically by a signature detection system. 2.1 Obtaining Signatures There are many ways to obtain malware signatures. One way to learn about a new Internet worm or computer virus is to participate in group forums that share information about new attacks. When a new virus is encountered, infor- mation about it is collected, analyzed, and reported to the group. Agencies like the CERT Coordination Center provide alerts regarding potential threats and provide information about how to avoid, minimize, or recover from the damage [7]. Incident reports on vulnerabilities are collected and distributed once they are found. This data can be used by others to avoid and recover from an attack. New methods of detecting outbreaks can streamline the recognition and analysis of new threats and shorten the time needed to obtain a new signature. One new way that worms and computer viruses can be automatically detected is with a Honeypot or a Honeynet. Honeynets gather information by monitoring all traffic going to and from a non-production network. All captured activity
  • 5. is assumed to be unauthorized or malicious. Any connection initiated inbound to a Honeynet is most likely a probe, scan, or attack. Data that is captured is analyzed to gain insight into threatening activities. New tools can be discovered, attack patterns determined, and attacker motives studied by monitoring and logging all activities within the Honeynet [8]. Unlike a Honeypot, a Honeynet is an entire network of systems that runs real applications and services. An attacker can interact with operating systems and execute tools on what appears to be a legitimate production network, but is not. It is through this extensive interaction that information on threats is obtained and analyzed. Signatures are obtained from captured traffic that is determined to be malware. These signatures, in turn, can be used to program a data scanning device to block attacks into real systems. Another automated method for detecting new worms is based on traffic char- acteristics. The method tracks traffic to detect highly repetitive packet content sent from an increasing population of sources to an increasing number of destina- tions. The method generates content signatures for the worm without any human intervention. The method can quickly identify the signatures of new worms [9]. As with a Honeynet, these signatures can be used by the system we propose to block worms from attacking other legitimate systems. 2.2 Signature Scanning with Software, Hardware, or FPGAs Once a signature is found, an IDP can use this signature to block traffic con- taining infected data from spreading throughout a network. To perform this operation on a high-speed network, the signature scanning and data blocking must operate quickly. Software-based scanners are not capable of monitoring all traffic passing through fast network links. Due to the sequential nature of code execution, software-based systems can perform only a limited number of operations within the time period of a packet transmission. A comparison of a variety of systems running the Snort [10] rule-based NIDS sensor reveals that most general-purpose computer systems are inadequate as NIDS sensor platforms even for moderate- speed networks. The analysis shows that factors that include the microprocessor, operating system, and main memory bandwidth and latency all limit the per- formance achievable by a NIDS sensor platform. General-purpose computers, including the Intel Pentium-III and Pentium-4, were found to be inadequate to act as sensors even on a 100 Mbit per second network link. The best-performing system could support only a maximum of 720 header rules without losing pack- ets. For larger numbers of rules, a significant percentage of packets are dropped, thus degrading the NIDS effectiveness in detecting security breaches [11]. Hardware-based systems use parallelism to perform deep packet inspection with high throughput [12]. FortiNet and Intruvert, for example, use Applica- tion Specific Integrated Circuits (ASICs) to provide virus protection [13] [14]. TippingPoint also uses hardware for the line of UnityOne systems. Its Threat Suppression Engine (TSE) enables intrusion is a blend of ASICs and network
  • 6. processors [15]. Packeteer monitors traffic flows to perform traffic shaping with- out good hardware acceleration. The maximum throughput of its system is listed as 200 Mbps [16]. FPGAs provide the flexibility and performance to scan for regular expressions within a high-speed network [17] [18]. In previous work, the Field-programmable Port Extender (FPX) platform was implemented to process Asynchronous Trans- fer Mode (ATM) cells, Internet Protocol (IP) packets, and Transmission Control Protocol (TCP) flows at OC48 (2.4 Gigabit/second) rates using FPGAs [19] [20] [21] [22]. Several mechanisms were developed to perform exact matching and longest prefix matching for header fields [23] [24] [25]. An automated design flow was created to scan the payload traffic for regular expressions [26] [27]. In addi- tion, a Bloom filter was developed to enable large numbers of fixed-length strings to be scanned in hardware [28]. Web-based tools were developed to enable easy remote monitoring, control, and configuration of the hardware [29]. 3 System Architecture A complete system has been implemented that uses the FPX to protect net- works from Internet worm and virus attacks. The system is comprised of three interconnected components: a Data Enabling Device (DED), a Content Match- ing Server (CMS), and a Regional Transaction Processor (RTP). A diagram of the DED, CMS, and RTP appears at the right side of Figure 1. These systems work together to provide network-wide protection. FPGA synthesis Enabling Data = Subnet tools Potentially Infected Host =or SONET OCx = Gigabit Ethernet= VLAN Switch Concentrator = Data Enabling Device (DED) Router = Internet and virus signatures Database of worm VLAN Switch Gigabit Ethernet / Concentrator Gigabit Ethernet (RTP) Processor Transaction Regional Potentially Infected Hosts ... Core Network Subnet 1 Subnet N ... ... Content Matching Server (CMS) (DED) Device S S S S S SS S S S R V H H R HH H H R H H H V HH R H R H H V H H H H R RR HH R R Field−programmable Port Extender (FPX) DED DED DED DED DED DED DED Fig. 1. Example topology of a Network Aggregation Point (NAP) with DEDs added to provide worm and virus protection
  • 7. Packets in our system are scanned by the Data Enabling Device (DED). At the heart of the DED is the FPX module which scans the content of Internet packets at Gigabit per second rates. DEDs can be installed incrementally at key traffic aggregation points of commercial, academic or governmental networks, as well as on the network core. The more DEDs that are deployed, the better is the granularity of protection between different subnetworks. In order to reprogram the DEDs to search for new strings, a Content Matching Server (CMS) has been implemented. Custom circuits are com- piled and synthesized on the CMS by an automated design flow. The CMS reads a table of Internet worm and virus signatures from a database, converts each into an optimized finite automata, instantiates parallel hardware to perform a data scanning function, embeds this hardware into logic that parses Internet protocol messages, synthesizes the entire circuit into logic gates, routes, places the circuit into a FPGA, and reconfigures the hardware. The Regional Transaction Processor (RTP) is contacted by the DED when matching content is found to be passing through the network. The RTP consults the database to provide detailed information about the reason that a certain data flow was blocked. The RTP maintains information about users, agents, properties, owners, and access rights in a MySQL database. Common Gateway Interface (CGI) programs provide a network administrator with an easy-to-use, web-based interface to modify the database tables and to run the scripts that build new hardware. A single RTP can remotely coordinate the activities of up to 100 DEDs. RTPs can be co-located on the same site as the DEDs and be managed by a local site administrator, or they can be located remotely and be administered by a trusted authority. 3.1 System Operation When a new virus appears, an administrator or an automated process adds the signature of the malware to a database table on the Content Matching Server (CMS). The CMS then synthesizes a new FPGA circuit and reconfigures the FPGA hardware on the Data Enabling Device (DED) to scan Internet traffic for the updated signatures. A targeted signature in the packet payload can appear at any position within the traffic flow. The DED uses parallel hardware circuits to scan all bytes of the traffic. Whenever matching content is found, the DED generates a message that is forward to the intended recipient of the message. The system can also actively block the malware from passing through the network. To detect an Internet worm, the system would be programmed to look for a signature that contained a portion of the binary executable program that implements the worm. Inadvertent matches can be nearly eliminated by using long and distinct strings that are highly unlikely to appear in normal traffic content. For random data with a signature length of 16 bytes (16 ∗ 8 = 128 bits), the odds that a signature will find a match in random traffic is only one in 2128 = 3.4 ∗ 1038 . On a 1 Gigabit/second link, this corresponds to finding a match only once in (3.4 ∗ 1038 bytes ) ∗ (8 bits/byte )/(1 ∗ 109 bits/sec ) = 2.72 ∗ 1030 seconds . This is equivalent to finding a stray match just once in
  • 8. 2.72 ∗ 1030 sec /(60 sec/min ∗ 60 min/hr ∗ 24 hr/day ∗ 365 day/year ) = 86 billion billion years, which is an amount of time likely to be far greater than the lifetime of the Internet. In a typical installation, as shown at the left of Figure 1, Data Enabling Devices (DEDs) are installed at network aggregation points. Traffic flows from end-system hosts attached to subnets are concentrated into high-speed links that are then fed into a router. The DED scans traffic which would otherwise simply be routed back to other subnets or to the Internet. So long as at least one DED is positioned along the path between any two endpoints, the virus signature will be detected. The system allows for the immediate blocking of known viruses and may be rapidly reprogrammed to recognize and block new threats. These upgrades are system-driven, and do not require that actions be taken by end users to assure protection. Copyright 2003, John W Lockwood Flow Switching RE:2 RE:3 DFA DFA DFA RE:n DFA RE:1 RE:2 RE:3 DFA DFA DFA RE:n DFA RE:1 RE:2 RE:3 DFA DFA DFA RE:n DFA RE:1 RE:2 RE:3 RE:n Configuration Cache Reconfigurable Application Device (RAD) Network Interface Device (NID) [Xilinx XCV600E FPGA] [Xilinx XCV2000E FPGA] FPGA Dynamic Reconfiguration Control Port Field−programmable Port Extender (FPX) 2.4GbpsNetworkInterface 2.4GbpsNetworkInterfaceCell Processor Frame Protocol Processor (UDP/TCP Prototol Processor) Dispatcher FlowCollector IP Protocol Processor (Application−Level Protocol Processors) DFA DFA DFADFA RE:1 Data In Static Static Data Out Static RAM Packets Incoming Packets Outgoing DRAM Synchronous RAM Synchronous DRAM RAM Deterministic Finite Expression (RE) Alert Packet Generator Parallel Regular Scanning Engines Automata (DFA) Fig. 2. Field-programmable Port Extender (FPX) with Protocol Wrappers and Regular Expression (RE) Deterministic Finite Automata (DFA) scanning engines
  • 9. 3.2 Field-programmable Port Extender (FPX) Platform The Field-programmable Port Extender (FPX) card implements the core func- tionality of the DED. In order to provide sufficient space to store the state of multiple traffic flows, an FPX can be equipped with up to 1 Gigabyte of SDRAM and 6 Megabytes of pipelined Zero-Bus-Turnaround (ZBT) SRAM. Each FPX contains two FPGAs, five banks of memory and two high-speed (OC-48 rate) network interfaces. On the FPX, one FPGA called the Network Interface Device (NID), is used to route individual traffic flows through the device and process control packets, while the other FPGA, called the Reconfigurable Application Device (RAD), is dynamically reconfigured over the network to perform cus- tomized packet processing functions [12]. A diagram of the FPX is shown in Figure 2. The FPX can process traffic on a wide variety of networks. Line cards have been developed that interface the DED to both Gigabit Ethernet and Asyn- chronous Transfer Mode (ATM) networks. For Gigabit Ethernet, a GBIC is used to interface with either fiber or copper network ports. The Gigabit Ethernet line card extracts the data from MAC frames and can use VLANs to identify which traffic flows packets should be processed. For ATM networks, a Synchronous Op- tical NETwork (SONET) line card interfaces to the physical network. Virtual paths and circuits determine which traffic flows are processed. 3.3 Protocol Wrappers Layered Internet Protocol (IP) wrappers break out the header fields that include the protocol field, source IP address, and destination IP address. The IP wrap- pers also compute the checksums over the header and process the Time-to-Live field [20]. Internet headers can be processed in many ways, such as with ternary content addressable memories [23], longest-prefix matching tries [24], or with Bloom-based header-matching circuits [25]. For transport protocols, including the User Datagram Protocol (UDP) and Transmission Control Protocol (TCP), the wrappers track the source and desti- nation port of the packet. The wrappers also compute checksums over the entire packet. The TCP wrapper, implemented in FPGA logic, reconstructs the flow of transmitted data by tracking sequence numbers of consecutive packets to provide a byte-ordered data stream to the content scanning engines [30]. This means that even if a malware signature has been fragmented across multiple packets, it still can be detected and blocked. Synchronous Dynamic Random Access Memory (SDRAM) allows the state of multiple traffic flows to be tracked. By allocating 64 bytes of memory for each flow, one 512 Mbyte SDRAM can track 8 million simultaneous TCP/IP flows [22]. Higher-level protocol processing can be implemented above the transport- layer wrappers. For web traffic, a payload processing wrapper could parse HTTP headers to perform filtering on URLs. For email traffic, the payload processing wrapper could parse SMTP headers to block traffic to or from specific email addresses. For peer-to-peer traffic, the payload processing wrapper could scan for signatures of specific content.
  • 10. 3.4 Signature Detection Many types of Internet traffic can be classified only by deep content inspec- tion [31]. Dynamically reconfigurable hardware can perform content classifica- tion functions effectively. Two types of scanning modules have been developed to search for signatures on the FPX: those that use finite automata to scan for regular expressions [26] [27] and those that use Bloom filters to scan for fixed- length strings [28]. With a Bloom filter, a single FPX card can scan for up to 10,000 different, fixed-length strings. In order to scan packet payloads for regular expressions, a matching circuit was implemented that dynamically generates finite automata. The architecture of the payload scanner with four parallel content scanners searching for n Reg- ular Expressions, RE:1-RE:n, is illustrated in Figure 2. A match is detected when a sequence of incoming data causes a state machine to reach an accept- ing state. For example, to detect the presence of the SoBig.F Internet worm as it appears when encapsulated in a Mime64-encoded email, the expression: “!HEX(683063423739)” would be specified. In order to achieve high through- put, parallel machines are instantiated. When data arrives, a flow dispatcher sends a packet to an available buffer which then streams data though the se- quence of regular expression search engines. A flow collector combines the traffic into a single outgoing stream. The result of the circuit is the identification of which regular expressions were present in each data flow. 3.5 Performance Both the finite automata and the Bloom filter scan traffic at speeds of up to 600 Mbps. By implementing four modules in parallel, the FPX can process data at a rate of 2.4 Gigabits per second using a single Xilinx Virtex 2000E FPGA. The parallel hardware enables the FPX to maintain full-speed processing of packets. Data throughput is unaffected by the number of terms that are subject of the search. So long as the working set of signatures fits into the resources on the FPGA and the circuit synthesizes to meet the necessary timing constraints, the throughput remains constant. This is significantly different than software-based solutions, which slow down as the CPU processor becomes fully utilized. 3.6 Web-based Control Interface and Automated Design Flow A web-based user interface allows new search strings to be entered remotely. A database tracks the list of search strings, their corresponding description, and a risk value assigned to each virus. When a single ‘Build’ button is pressed, the design flow is run and the new circuit is deployed on the remote DED [6]. To rapidly generate new hardware that performs the specified searches, a fully automated design flow was developed. The design flow begins when the CMS reads a set of signatures from its database. Finite automaton are dynamically created for each regular expression then optimized to have a minimal number of states. Very-High-Speed Integrated Circuit (VHSIC) Hardware Description
  • 11. Language (VHDL) code is generated to instantiate parallel automaton that scan the packets passing through the layered Internet protocol wrappers. The VHDL code is synthesized into logic using the Synplicity computer aided design tool. Input and Output (I/O) pins of the circuit are mapped to I/O pins of the RAD. This circuit is then placed and routed with Xilinx tools and a FPGA bitstream is generated. The resulting bitstream is then deployed into a remote FPX platform using the NCHARGE tools [29]. 3.7 End-System Applications The virus protection works for many types of live Internet traffic. Network-wide protection is provided, so long as there is at least one DED in the path from the content sender to the recipient. The DED scans all packets going through the network link and recognizes those that contain a virus signature. In the passive mode, the DED will detect a virus signature embedded within network traffic and generate a UDP/IP packet that is forwarded to the recipient’s computer. An application running on that computer, in turn, is directed to query the RTP to retrieve a full-text description that alerts them to the potential danger that the content represents. This warning message is currently presented to the user via a popup window from a Java application. In the active mode, the DED not only detects a virus signature, but also blocks the flow of traffic. When a match is found, the DED hardware sends a UDP/IP packet to the intended recipient’s network address. The machine that receives that message queries the RTP server using data in that message to retrieve a full-text description that explains why the content was blocked. An example that shows processing of email traffic is shown in Figure 3. If at least one DED is located along the path between an email server and the intended recipient of the malware, then an infected message can be blocked before it has a chance to reach that end-system. A system protected by a DED will receive an immediate notice whenever a virus-infected message targets the machine. For example, if a DED recognizes that a malware signature is being carried within a POP3 email message, then that inbound data is blocked and a notification is forwarded to the intended recipient’s host. to display verbose Regional Transaction Processor (RTP) malware Intended recipient of malware Data Enabling Device (DED) 5 : Alert message 4 : Data blocked transmitted in POP3 message by DED 3 : Malware Email Server 6 : End system contacts RTP message (optional) SMTP message transmitted in 1 : Malware recipient checks email until recipient received and held sent to intended 2 : SMTP message Copyright 2003, John W Lockwood Sender of S S R R R R R Fig. 3. Example that shows how malware can be blocked by a DED as it attempts to transit from an email server to an end-system
  • 12. Another example of processing email traffic is shown in Figure 4. If at least one DED is located along the path between the sender and the targeted email server, then an infected message can be blocked before that message even has a chance to reach that email server. Further, the DED can generate a message that alerts the operator on the sending machine that some process on their machine attempted to transmit an infected message. Regional Processor (RTP) Transaction recipient Copyright 2003, John W Lockwood malware Email Server Data Enabling Device (DED) Intended of malware Sender of (optional) message transmitted to 3 : Data blocked and alert sender and/or administrator (optional) error message display verbose contacts RTP to 4 : End−station 2 : Malware blocked by DEDtransmitted in SMTP message 1 : Malware SS R RR R Fig. 4. Example that shows how malware can be blocked by a DED as it attempts to transit from the sender to an email server The system described here is effective not only against the spread of computer viruses and worms, but also can perform many other functions. Because the system operates at Gigabit speeds and has near-zero latency, it can process live web traffic and scan data sent over peer-to-peer networks. For example, the DED can be configured to detect the unauthorized release of confidential, classified or otherwise sensitive data, and block its distribution. Corporations could scan for proprietary documents passing through a network, and block them before they leave a secure network; and healthcare providers could assure compliance with privacy regulations such as the Health Insurance Portability and Accountability Act. The flexibility of the system to be quickly and remotely reconfigured enables it to meet new needs and perform new tasks. Additional modules can be loaded into the FPX to encrypt and decrypt data, filter packets, and schedule transmission of data over a link to preserve Quality of Service [23]. 4 Conclusions An extensible networking system has been developed that not only blocks the spread of Internet worms and computer viruses, but also can be used to support a wide range of active networking applications. This system uses programmable logic devices to scan Internet traffic for malware at high speeds. Malware is iden- tified by signatures that may consist of either fixed strings or regular expressions. Through the use of layered protocol wrappers, application-level Internet traffic flows can be tracked, with targeted data acted upon before it has an opportunity to damage networks. An automated design flow allows new FPGA circuits to be rapidly deployed to protect the network against new attacks.
  • 13. References 1. E. Skoudis and L. Ziltser, Malware: Fighting Malicious Code. New Jersey: Prentice Hall, first ed., 2003. 2. D. Moore, C. Shannon, G. Voelker, and S. Savage, “Internet quarantine: Require- ments for containing self-propagating code,” in IEEE INFOCOM, (San Francisco, CA), Mar. 2003. 3. US Congressman Adam Putnam, Chairman, Subcommittee on Technology, In- formation Policy, Intergovernmental Relations and the Census, “Oversight Hear- ing: Opening statement, Worm and Virus Defense: How Can We Protect the Na- tions Computers from These Serious Threats.” http://reform.house.gov/TIPRC/- Hearings/EventSingle.aspx?EventID=526, Sept. 2003. 4. V. Paxson, S. Staniford, and N. Weaver, “How to 0wn the internet in your spare time,” in Proceedings of the 11th Usenix Security Symposium, Aug. 2002. 5. Richard D. Pethia, Director of CERT Coordination Center, “Subcommit- tee on Technology, Information Policy, Intergovernmental Relations and the Census: Oversight Hearing, Worm and Virus Defense: Viruses and Worms: What can we do about them.” http://reform.house.gov/UploadedFiles/- Pethia testimony Sept2003-v7.pdf, Sept. 2003. 6. J. W. Lockwood, J. Moscola, M. Kulig, D. Reddick, and T. Brooks, “Internet worm and virus protection in dynamically reconfigurable hardware,” in Military and Aerospace Programmable Logic Device (MAPLD), (Washington DC), p. E10, Sept. 2003. 7. “CERT coordination center.” http://www.cert.org/, 2003. 8. “Know your enemy: Honeynets.” http://www.honeynet.org/papers/honeynet, Nov. 2003. 9. S. Singh, C. Estan, G. Varghese, and S. Savage, “The EarlyBird system for real- time detection of unknown worms.” UCSD Tech Report CS2003-0761, Aug. 2003. 10. M. Roesch, “SNORT - lightweight intrusion detection for networks,” in LISA ’99: USENIX 13th Systems Administration Conference, (Seattle, Washington), Nov. 1999. 11. L. Schaelicke, T. Slabach, B. Moore, and C. Freeland, “Characterizing the perfor- mance of network intrusion detection sensors,” in Proceedings of the Sixth Interna- tional Symposium on Recent Advances in Intrusion Detection (RAID 2003), Lec- ture Notes in Computer Science, (Berlin–Heidelberg–New York), Springer-Verlag, September 2003. 12. J. W. Lockwood, “Evolvable Internet hardware platforms,” in The Third NASA/DoD Workshop on Evolvable Hardware (EH’2001), pp. 271–279, July 2001. 13. FortiNet, “Product overview.” http://www.fortinet.com/products/, Nov. 2003. 14. IntruVert, “Press release.” http://www.networkassociates.com/us/about/- press/corporate/2003/20030401 173857.htm, Apr. 2003. 15. TippingPoint, “UnityOne 2000.” http://www.tippingpoint.com- /resource library/pdfs/2000 Data Sheet.pdf, Nov. 2003. 16. Packeteer, “Shaping your network for business.” http://www.packeteer.- com/resources/prod-sol/PacketeerBroFinal2.pdf, Nov. 2003. 17. R. Sidhu and V. Prasanna, “Fast regular expression matching using FPGAs,” in IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM), Apr. 2001. 18. R. Franklin, D. Carver, and B. L. Hutchings, “Assisting network intrusion detec- tion with reconfigurable hardware,” in IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM), (Napa, CA), Apr. 2002.
  • 14. 19. J. W. Lockwood, N. Naufel, J. S. Turner, and D. E. Taylor, “Reprogrammable Network Packet Processing on the Field Programmable Port Extender (FPX),” in ACM International Symposium on Field Programmable Gate Arrays (FPGA’2001), (Monterey, CA, USA), pp. 87–93, Feb. 2001. 20. F. Braun, J. Lockwood, and M. Waldvogel, “Protocol wrappers for layered network packet processing in reconfigurable hardware,” IEEE Micro, vol. 22, pp. 66–74, Jan. 2002. 21. D. V. Schuehler and J. Lockwood, “TCP-Splitter: A TCP/IP flow monitor in reconfigurable hardware,” in Hot Interconnects, (Stanford, CA), pp. 127–131, Aug. 2002. 22. D. V. Schuehler, J. Moscola, and J. W. Lockwood, “Architecture for a hardware based, tcp/ip content scanning system,” in Hot Interconnects, (Stanford, CA), pp. 89–94, Aug. 2003. 23. J. W. Lockwood, C. Neely, C. Zuver, J. Moscola, S. Dharmapurikar, and D. Lim, “An extensible, system-on-programmable-chip, content-aware Internet firewall,” in Field Programmable Logic and Applications (FPL), (Lisbon, Portugal), p. 14B, Sept. 2003. 24. D. E. Taylor, J. S. Turner, J. W. Lockwood, T. S. Sproull, and D. B. Parlour, “Scalable IP lookup for Internet routers,” IEEE Journal on Selected Areas in Com- munications (JSAC), vol. 21, pp. 522–534, May 2003. 25. S. Dharmapurikar, P. Krishnamurthy, and D. E. Taylor, “Longest prefix matching using Bloom filters,” in SIGCOMM, (Karlsruhe, Germany), Aug. 2003. 26. J. Moscola, J. Lockwood, R. P. Loui, and M. Pachos, “Implementation of a content- scanning module for an Internet firewall,” in FCCM, (Napa, CA), Apr. 2003. 27. J. Moscola, M. Pachos, J. W. Lockwood, and R. P. Loui, “Implementation of a streaming content search-and-replace module for an Internet firewall,” in Hot Interconnects, (Stanford, CA, USA), pp. 122–129, Aug. 2003. 28. S. Dharmapurikar, P. Krishnamurthy, T. Sproull, and J. W. Lockwood, “Deep packet inspection using parallel Bloom filters,” in Hot Interconnects, (Stanford, CA), pp. 44–51, Aug. 2003. 29. T. Sproull, J. W. Lockwood, and D. E. Taylor, “Control and configuration software for a reconfigurable networking hardware platform,” in IEEE Symposium on Field- Programmable Custom Computing Machines, (FCCM), (Napa, CA), Apr. 2002. 30. D. V. Schuehler and J. W. Lockwood, “TCP splitter: A TCP/IP flow monitor in reconfigurable hardware,” IEEE Micro, vol. 23, pp. 54–59, Jan. 2003. 31. Y. Cho, S. Nahab, and W. H. Mangione-Smith, “Specialized hardware for deep network packet filtering,” in Field Programmable Logic and Applications (FPL), (Montpellier, France), Sept. 2002.