WISDOM Workpackage 3: New security algorithm design

ICS-FORTH

Paris, 30th June 2008

WP3: New security algorithm design

Objectives
• Identify critical security application components which can be efficiently implemented in the optical domain.
• Characterise constraints to algorithmic components and develop novel analytical techniques for simplified pattern matching.
• Design a Security Application Programming Interface (SAPI) which will be the interface between high-level security applications and low-level optical implementation.

Tasks - Deliverables
• WP 3.1: Security Applications Partitioning (M12)
• WP 3.2: Identification of simplified Security Algorithm Components (M24)
• WP 3.3: Definition of a Security Application Programming Interface: SAPI (M27)

WP3.1 Security Applications Partitioning

Critical security operations in the optical domain: basic firewall functionality, inspect packet headers (less than 10% of rules, more than 90% of alerts)

• Look at a specific packet header field
  Block or filter traffic for specific protocols, ports, etc.
  Optical filtering, optical pattern matching, optical routing
• Block or filter traffic for specific IP addresses
  Optical possible but not efficient
• Combined inspections of two header fields
  From specific IP addresses to specific ports
  Optical possible but a combination of optical and electronic is more efficient

WP3.1 Security Applications Partitioning

Firewall rule example (rule: header field inspected)
• Deny all incoming traffic with IP matching internal IP: source IP address
• Deny incoming from black-listed IP addresses: source IP address
• Deny all incoming ICMP traffic: IP protocol
• Deny incoming TCP/UDP 135/445 (RPC, Windows Sharing): destination port
• Deny incoming/outgoing TCP 6666/6667: destination port
• Allow incoming TCP 80, 443 (http, https) to internal web server: destination port, destination IP address
• Deny incoming TCP 25 to SMTP server from external IP addresses: destination port, destination IP address, source IP address
• Allow UDP 53 to internal DNS server: destination port, destination IP address

Typical port assignments for some services/applications: ftp TCP 21, ssh TCP 22, telnet TCP 23, POP3 TCP 110, IMAP TCP 143
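The rule set above as an added Python example (not part of the presentation): each rule records the header fields it inspects, `partition` applies the WP3.1 criterion (one field is a candidate for all-optical matching, two or more need the combined optical/electronic inspection), and `evaluate` is a first-match evaluator over constructed packet headers. The internal network, server addresses and black-list entry are assumed values.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the example (not from the slides).
INTERNAL = ip_network("10.0.0.0/8")
BLACKLIST = {ip_address("203.0.113.7")}
WEB, SMTP, DNS = (ip_address(a) for a in ("10.0.0.80", "10.0.0.25", "10.0.0.53"))

# The slide's rule set as (action, direction, {header field: predicate}).
# The number of inspected header fields is the WP3.1 partitioning criterion.
RULES = [
    ("deny",  "in",  {"src_ip": lambda v: v in INTERNAL}),           # spoofed internal source
    ("deny",  "in",  {"src_ip": lambda v: v in BLACKLIST}),
    ("deny",  "in",  {"proto": lambda v: v == 1}),                   # ICMP
    ("deny",  "in",  {"dst_port": lambda v: v in (135, 445)}),       # RPC / Windows sharing
    ("deny",  "any", {"dst_port": lambda v: v in (6666, 6667)}),
    ("allow", "in",  {"dst_port": lambda v: v in (80, 443), "dst_ip": lambda v: v == WEB}),
    ("deny",  "in",  {"dst_port": lambda v: v == 25, "dst_ip": lambda v: v == SMTP,
                      "src_ip": lambda v: v not in INTERNAL}),
    ("allow", "in",  {"dst_port": lambda v: v == 53, "dst_ip": lambda v: v == DNS}),
]

def partition(rules):
    """Single-field rules are candidates for all-optical matching; multi-field
    rules need the combined optical/electronic inspection the slide describes."""
    optical = [r for r in rules if len(r[2]) == 1]
    hybrid = [r for r in rules if len(r[2]) > 1]
    return optical, hybrid

def packet(direction, proto, src, dst, dst_port=0, src_port=0):
    """Constructed packet header as a dict of the fields the rules inspect."""
    return {"dir": direction, "proto": proto, "src_ip": ip_address(src),
            "dst_ip": ip_address(dst), "src_port": src_port, "dst_port": dst_port}

def evaluate(pkt, rules=RULES, default="allow"):
    """First matching rule wins; a rule matches only if every inspected field matches."""
    for action, direction, preds in rules:
        if direction in ("any", pkt["dir"]) and all(p(pkt[f]) for f, p in preds.items()):
            return action
    return default

if __name__ == "__main__":
    opt, hyb = partition(RULES)
    print(f"{len(opt)} single-field rules (optical), {len(hyb)} combined rules (hybrid)")
    print(evaluate(packet("in", 1, "198.51.100.9", "10.0.0.80")))            # deny (ICMP)
    print(evaluate(packet("in", 6, "198.51.100.9", "10.0.0.80", 443)))       # allow (https)
    print(evaluate(packet("in", 6, "10.0.0.5", "10.0.0.80", 443)))           # deny (spoofed)
```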

WP3.1 Security Applications Partitioning

Security operation | Inspection | Application example
Match network packet targeting a specific service | Destination port number | Filtering out e-mail traffic
Match network packet originating from a specific service | Source port number | Filtering out a Web server's response
Match network packet targeting specific computer(s) | Destination IP address | Preventing contact with a computer
Match network packet originating from specific computer(s) | Source IP address | Preventing access from a computer
Match network packet with specific properties | IP protocol header field | Filtering out ICMP traffic
Match network packet targeting a specific service and originating from specific computers | Destination port number and source IP address | SPAM filter
Denial of Service attack detection | SYN flag | Preventing TCP SYN flood attacks

WP3.2 Identification of Simplified Security Algorithms Components

• Optical pre-processing for more complex pattern recognition
  Restrictions in the optical domain (buffering, level of integration, etc.)
  Scalability of security pattern matching algorithms, optimum balance between optical and electronic processing (WP6)

Develop algorithms that will allow optical bit-serial processing subsystems to operate as a pre-processor to more complex pattern recognition techniques in the electronic domain.

D3.2 Identification of simplified Security Algorithms Components (M24)

WP3.2 Identification of Simplified Security Algorithms Components

• Identify feasible and efficient all-optical operations
  Extraction of specific fields in packet headers (protocol number, port number, etc.)
  Pattern matching
  Routing
• Keep all options for conventional (electronic) IDS
  Design high speed optical pre-processing that makes electronic processing more efficient
• Demonstration of key security functions
  Example applications with efficient and reliable operation of a hybrid system consisting of both all-optical and electronic components

WP3.2 Identification of Simplified Security Algorithms Components

Combine optical and electronic signature-based detection
• Optical traffic splitter
  Optical header processing: group packets, e.g., according to port number
• Multiple "specialized" (electronic) processors
  Fewer packets to inspect per processor
  More efficient payload inspection by performing the same operations on the same type of packets

A lot of issues to consider, such as load balancing, parallel/distributed configurations, anomaly-based detection, etc.
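An added example (not project code) of the hybrid arrangement above: an optical splitter groups constructed packets by destination port using header information only, and each specialized electronic processor runs just the payload signatures for its traffic type, so the total signature work drops while the alerts stay the same. The signatures, the "other" catch-all group and the traffic sample are placeholders.

```python
from collections import defaultdict

# Constructed payload signatures keyed by the destination port they apply to
# (placeholder byte strings, not the project's signatures). "other" holds
# port-independent signatures that every processor must still run.
SIGNATURES = {
    80: [b"../../", b"<script>", b"cmd.exe"],
    25: [b"VRFY ", b"EXPN "],
    53: [b"\x00\x00\x00\x00\x00\x00"],
    "other": [b"\x90" * 16],
}
ALL_SIGNATURES = [s for sigs in SIGNATURES.values() for s in sigs]

PACKETS = [   # constructed traffic sample: id, destination port, payload bytes
    {"id": 1, "dst_port": 80, "payload": b"GET /../../etc/passwd HTTP/1.0"},
    {"id": 2, "dst_port": 80, "payload": b"GET /index.html HTTP/1.0"},
    {"id": 3, "dst_port": 25, "payload": b"VRFY root"},
    {"id": 4, "dst_port": 53, "payload": b"\x12\x34\x01\x00\x00\x01"},
    {"id": 5, "dst_port": 6667, "payload": b"\x90" * 32},
]

def optical_split(packets):
    """Optical traffic splitter: header-only grouping by destination port.
    Ports without a specialized processor fall through to the "other" group."""
    groups = defaultdict(list)
    for pkt in packets:
        key = pkt["dst_port"] if pkt["dst_port"] in SIGNATURES else "other"
        groups[key].append(pkt)
    return groups

def inspect(packets, signatures):
    """Electronic payload inspection. Returns (alerts, comparisons performed);
    each signature test on each packet counts as one unit of work."""
    alerts = [(p["id"], s) for p in packets for s in signatures if s in p["payload"]]
    return alerts, len(packets) * len(signatures)

def monolithic_nids(packets):
    """One electronic sensor checks every signature against every packet."""
    return inspect(packets, ALL_SIGNATURES)

def hybrid_nids(packets):
    """Splitter + specialized processors: each processor runs only the signatures
    for its packet type plus the port-independent ones."""
    alerts, work = [], 0
    for group, pkts in optical_split(packets).items():
        sigs = SIGNATURES[group] + (SIGNATURES["other"] if group != "other" else [])
        found, comparisons = inspect(pkts, sigs)
        alerts.extend(found)
        work += comparisons
    return alerts, work
```

With the sample above the monolithic sensor performs 35 signature comparisons and the hybrid arrangement 14, both raising the same three alerts.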

WP3.2 Identification of Simplified Security Algorithms Components

"Pragmatic" approach
• All-optical inspection of packet headers only
• A few well chosen rules optically implemented
  Restrictions in memory and level of integration imply that only a small number of selected rules can be implemented in the optical domain
  Reconfigurable optical systems
• Seamless coupling of optics with electronics
  Security applications (including payload inspection) in the electronic domain with more conventional NIDS tools
  Several NIDS/NIPS approaches and methods, as described in previous project deliverables

WP3.2 Identification of Simplified Security Algorithms Components

Select rules through network traffic monitoring
Monitoring Application Programming Interface (MAPI)

WP3.2 Identification of Simplified Security Algorithms Components

Network traffic monitoring and classification

WP3.2 Identification of Simplified Security Algorithms Components

Statistics on suspect packets
NoAH honeypots statistics (tables by protocol and port: source IP, country and packet count; destination port, packet count and trend)


WP3.2 Identification of Simplified Security Algorithms Components

• Network traffic monitoring
  Deployment of a network of sensors for a global view
• Protocols
  ICMP often used in attacks
  TCP most popular, UDP also heavily used
• Ports (HEAnet)
  Some high level applications use TCP/IP with pre-assigned port numbers
  Others use dynamically assigned port numbers, different for different connections
  Some attacks work on specific ports

WP3.2 Identification of Simplified Security Algorithms Components

Benefits from optical splitting for electronic processing
Similar approaches already proved successful in intensive NIDS applications
• Early filtering and forwarding
• Packets of the same type are grouped by the splitter and forwarded to specialized electronic processors
• Performance benefits (about 20%) with the use of digital network processors
• Clustering of packets with the same destination port number improves performance of conventional IDS
  40% increase in packet processing throughput
  60% improvement in packet loss rate

WP3.2 Identification of Simplified Security Algorithms Components

Available hybrid integrated optical circuits:
• XOR, AND logic gates
• buffer memory (limited)
• routing switch
• Bit pattern matching circuit
• Target pattern generator
• Pseudo random bit sequence generator
• Header sampler (proposal)
• CRC (proposal)

WP3.2 Identification of Simplified Security Algorithms Components

Input: flux of packets, consisting of RZ pulses (period T)
Output: packets dropped or allowed to proceed
Box: header sampler, bit pattern matching, routing switch, buffer memory
Latency approx. 150 T

(Figure: packet format with fields Preamble, Header, TCP Header, Port #, Payload, Guard band and CRC; MZI1 stage)

WP3.2 Identification of Simplified Security Algorithms Components

Same components, simplistic pipelined configuration
Latency approx. 150 T (8 bit pattern matching) for the left box; 450 T (16 bit pattern matching) for the center and right boxes
Packet collisions, bottleneck

WP3.2 Identification of Simplified Security Algorithms Components

"router": round-robin, CRC

WP3.2 Identification of Simplified Security Algorithms Components

Functional models of optical devices and simulator
1) Simple: basic building blocks are logic gates
   Useful for design and testing efficiency of proposed configurations, more complex algorithms, hybrid optical/electronic detection, etc.
2) Include physical models for actual optical components
   Useful in device development. Much more demanding…
Build the simulator starting with (1) and expand to (2) when necessary.
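An added functional model at level (1), not the project's simulator: the slide's header sampler, XOR/AND bit-serial pattern matcher and routing switch with buffer memory, clocked one bit per period T over a serialised packet. The frame layout, the preamble/header values and the MATCH_DELAY gate delay are assumptions; the slide's 150 T figure refers to the real hardware.

```python
# Constructed serial frame layout as (bit offset, width), following the slide's packet
# format: preamble, header, port number, payload, guard band. Real WISDOM framing is not given.
FRAME = {"preamble": (0, 8), "header": (8, 16), "port": (24, 16),
         "payload": (40, 32), "guard": (72, 8)}
MATCH_DELAY = 2   # assumed gate delays (bit periods T) from the last sampled bit to a decision

def to_bits(value, width):
    """MSB-first bit list, the order in which bits arrive serially on the fibre."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def frame(port, payload=0xA5A5A5A5):
    """Serialise one constructed packet: preamble 0xAA, header 0x4500, port, payload, guard."""
    return (to_bits(0xAA, 8) + to_bits(0x4500, 16) + to_bits(port, 16)
            + to_bits(payload, 32) + to_bits(0x00, 8))

def match_window(bits, target, window):
    """Header sampler + XOR/AND bit-serial matcher. The sampler gates through only the
    bits in [start, start + width); each is XORed with the target pattern generator's bit
    and the complement is ANDed into a running match flag, one gate stage per clock T.
    Returns (matched, clock at which the decision is available)."""
    start, width = window
    pattern = to_bits(target, width)
    match = 1
    for t, bit in enumerate(bits):              # one bit arrives per period T
        if start <= t < start + width:
            match &= 1 - (bit ^ pattern[t - start])
    return bool(match), start + width + MATCH_DELAY

def route(bits, deny_ports, window=FRAME["port"]):
    """Routing switch with buffer memory: the packet is delayed until every matcher has
    decided, then dropped if any deny pattern matched. Matchers run in parallel, so the
    latency (and the buffer depth in bits) does not grow with the number of rules.
    Returns (decision, latency in T)."""
    results = [match_window(bits, p, window) for p in deny_ports]
    latency = max(t for _, t in results)
    return ("drop" if any(m for m, _ in results) else "pass"), latency

if __name__ == "__main__":
    DENY = (135, 445, 6667)                     # destination ports from the slide's rule set
    for port in (80, 445):
        print(port, route(frame(port), DENY))   # 80 -> ('pass', 42), 445 -> ('drop', 42)
```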

WP 3.3 Definition of a Security Application Programming Interface (SAPI)

• SAPI will bridge the gap between optical execution of key components and programming of security applications
• High-level programming, abstract all low-level details
  Operate independent of system modifications, allow for integration of additional software and hardware components of increasing complexity
• Hardware – software interface
  Fast optical processing, reconfigurable at much slower rates
  User interventions rare, at the conventional speed of electronics

D3.3 Definition of SAPI (M27)