An FPGA-based network intrusion detection architecture

IEEE Transactions on Information Forensics and Security

Volumn 3, Issue 1, 2008, Pages 118-132

  Das, Abhishek ^a,b   Nguyen, David ^c   Zambreno, Joseph ^a,d   Memik, Gokhan ^a,b   Choudhary, Alok ^a,b  

^a IEEE

^b Northwestern University   (United States)

^c SanDisk Corporation   (United States)

^d IOWA STATE UNIVERSITY   (United States)

Author keywords

Feature extraction; Field programmable gate arrays (FPGA); Network intrusion detection system (NIDS); Principal component analysis (PCA)

Indexed keywords

COMPUTER SOFTWARE; FIELD PROGRAMMABLE GATE ARRAYS (FPGA); FINITE ELEMENT METHOD; TELECOMMUNICATION TRAFFIC;

FALSE ALARMS RATES; HARDWARE PARALLELISM; NETWORK INTRUSION DETECTION SYSTEM (NIDS);

INTRUSION DETECTION;

EID: 39449120804     PISSN: 15566013     EISSN: None     Source Type: Journal    
DOI: 10.1109/TIFS.2007.916288     Document Type: Article

References (39)

1. C. C. Aggarwal and P. S. Yu, "Outlier detection for high dimensional data," presented at the ACM SIGMOD Conf., Santa Barbara, CA, May 2001.
2. R. Agrawal, T. Imielinski, and A. Swami, "Mining association rules between sets of items in large databases," in Proc. ACM SIGMOD Int. Conf. Management Databases, 1993, pp. 207-216.
3. D. Anderson, T. Lunt, H. Javits, A. Tamaru, and A. Valdes, "Detecting unusual program behavior using the statistical components of NIDES," May 1995.
4. M. E. Attig and J. Lockwood, "A framework for rule processing in reconfigurable network systems," presented at the IEEE Symp. Field-Programmable Custom Computing Machines, Napa, CA, Apr. 2005.
5. Z. K. Baker and V. K. Prasanna, "Time and area efficient pattern matching on FPGAs," presented at the ACM Int. Symp. Field-Programmable Gate Arrays (FPGA), Monterey, CA, 2004.
6. Z. K. Baker and V. K. Prasanna, "Efficient hardware data mining with the apriori algorithm on FPGAs," presented at the IEEE Symp. Field Programmable Custom Computing Machines, Napa, CA, 2005.
7. M. M. Breunig, H.-P. Kriegel, R. T. Ng, and J. Sander, "LOF: Identifying density-based local outliers," presented at the ACM SIGMOD Conf., Dallas, TX, May 2000.
8. Bro, Bro Intrusion Detection System 2002.
9. DARPA Intrusion Detection Evaluation. [Online]. Available: http://www.ll.mit.edu/IST/ideval. 1998
10. S. Dharmapurikar, M. Attig, and J. W. Lockwood, "Design and implementation of a string matching system for network intrusion detection using FPGA-based bloom filters" 2004.
11. S. Dharmapurikar, P. Krishnamurthy, T. Sproull, and J. W. Lockwood, "Deep packet inspection using parallel bloom filters," presented at the Symp. High Performance Interconnects, Stanford, CA, Aug. 2003.
12. A. Dollas, D. Pnevmatikatos, N. Asianides, S. Kawadias, E. Sotiriades, S. Zogopoulos, and K. Papademetriou, "Architecture and applications of PLATO, a reconfigurable active network platform," presented at the IEEE Symp. Field-Programmable Custom Computing Machines, Rohnert Park, CA, 2001.
13. S. M. Emran and N. Ye, "Robustness of Canberra metric in computer intrusion detection," presented at the IEEE Workshop on Information Assurance and Security, West Point, NY 2001, U.S. Military Academy.
14. C. Estan and G. Varghese, "New directions in traffic measurement and accounting," presented at the ACM SIGCOMM Conf. Applications, Technologies, Architectures, Protocols for Computer Communication, Pittsburgh, PA, 2002.
15. M. Fleury, B. Self, and A. C. Downton, "A fine-grained parallel pipelined Karhunen-Loeve transform," presented at the Int. Parallel and Distributed Processing Symp., Nice, France, Apr. 2003.
16. B. Jenkins, Jenkins, Hash Functions and Block Ciphers.
17. J. D. Jobson, Applied Multivariate Data Analysis, Volume II: Categorical and Multivariate Methods. New York: Springer-Verlag, 1992.
18. I. T. Jolliffe, Principal Component Analysis. New York: Springer-Verlag, 2002.
19. KDD Cup 1999 data. [Online]. Available: http://www.kdd.ics.uci.edu/ databases/kddcup99/kddcup-99.html. Aug. 1999
20. B. Krishnamurthy, S. Sen, Y. Zhang, and Y. Chen, "Sketch based change detection: Methods, evaluation, and applications," presented at the ACM SIGCOMM Internet Measurement Conf., Miami, FL, 2003.
21. A. Lazarevic, L. Ertoz, V. Kumar, A. Ozgur, and J. Srivastava, "A comparative study of anomaly detection schemes in network intrusion detection," presented at the SIAM Conf. Data Mining, Minneapolis, MN, May 2003.
22. M. V. Mahoney and P. K. Chan, "Learning nonstationary models of normal network traffic for detecting novel attacks," presented at the ACM SIGKDD Int. Conf. Knowledge Discovery and Data Mining, AB, Canada, Jul. 2002.
23. J. McHenry, P. W. Dowd, F. A. Pellegrino, T. M. Carrozzi, and W. B. Cocks, "An FPGA-based coprocessor for ATM firewalls," presented at the IEEE Symp. FCCM, Napa, CA, Apr. 1997.
24. MIT Lincoln Laboratory, DARPA Intrusion Detection Evaluation.
25. S. Muthukrishnan, Data streams: Algorithms and applications 2003.
26. NetFilter/IPtables: Firewalling, NAT and Packet Mangling for Linux 2.4.
27. D. Nguyen, A. Das, G. Memik, and A. Choudhary, "A reconfigurable architecture for network intrusion detection using principal component analysis," presented at the IEEE Symp. Field-Programmable Custom Computing Machines, Napa, CA, Apr. 2006.
28. D. Nguyen, G. Memik, S. Memik, and A. Choudhary, "Real-time feature extraction for high speed networks," presented at the Int. Conf. Field Programmable Logic and Applications, Monterey, CA, 2005.
29. D. V. Schuehler and J. W. Lockwood, "TCP splitter: A TCP/IP flow monitor in reconfigurable hardware," presented at the Hot Interconnects 10 (HotI-10), Stanford, CA, 2002.
30. D. V. Schuehler, J. Moscola, and J. W. Lockwood, "Architecture for a hardware-based, TCP/IP content-processing system," IEEE Micro., vol. 24, no. 1, pp. 62-69, Jan./Feb. 2004.
31. M. Shyu, S. Chen, K. Sarinnapakorn, and L. Chang, "A novel anomaly detection scheme based on principal component classifier," in Proc. IEEE Foundations New Directions of Data Mining Work., in Conjunction With 3rd IEEE Int. Conf. Data Mining, 2003, pp. 172-179.
32. R. Sidhu and V. Prasanna, "Fast regular expression matching using FPGAs," presented at the IEEE Symp. Field-Programmable Custom Computing Machines, Rohnert Park, CA, Apr. 2001.
33. SNORT, SNORT: The open source network intrusion detection system 2002.
34. H. Song and J. W. Lockwood, "Efficient packet classification for network intrusion detection using FPGA," presented at the Int. Symp. Field-Programmable Gate Arrays, Monterey, CA, Feb. 2005.
35. SPADE, Stealthy Portscan Intrusion Correlation Engine 2002.
36. Tcpdump Utility. [Online]. Available: http://www.tcpdump.org.
37. Tcptrace Utility. [Online]. Available: http://www.jarok.cs.ohiou.edu/ software/tcptrace/index.html.
38. Xilinx Virtex-IIPro-Datasheet [Online]. Available: http://www.direct. xilinx.com/bvdocs/publications/ds083.pdf.
39. V. Yegneswaran, P. Barford, and J. Ullrich, "Internet intrusions: Global characteristics and prevalence," presented at the ACM SIGMETRICS, San Diego, CA, 2003.