An Efficient FPGA Implementation of Principal Component Analysis based Network Intrusion Detection System

A. Das, S. Misra, S. Joshi*, J. Zambreno+, G. Memik, and A. Choudhary
Electrical Engineering and Computer Science Department
*Indian Institute of Technology, Kharagpur; +Iowa State University

Design, Automation & Test in Europe (DATE) 2008

Transcript of the slides

Page 1: title slide (title, authors, affiliations and venue as above)

Page 2

A. Das, S. Misra, S. Joshi, J. Zambreno, G. Memik and A. Choudhary 04/21/23 2

Contributions
• Novel architecture for Principal Component Analysis (PCA) used in Network Intrusion Detection
• Parallel implementation of PCA on an FPGA platform
• Achieving a throughput of 24.72 Gbps with up to 99.9% accuracy and as low as 1.95% false alarm rate

Overview | Principal Component Analysis | PCA Framework | Results

Page 3

Overview: Network Intrusions
• Network Attacks / Intrusions: Malicious Code (virus, worms, Trojan horses, malware)
• Approximately $70 B economic losses a year (and increasing)
• Example attacks:
  • Denial of Service (DoS)
  • Port scanning
  • SYN Flood by exploiting TCP 3-way handshake

Page 4: repeat of the previous slide with a further example attack

  • Smurf attack

Page 5

Overview: NIDS
• Network Intrusion Detection System: suspicious activity monitoring, both inbound and outbound; identify attacks and alert the System Administrator/User
• NIDS techniques:
  • Signature Detection: fewer false alarms, new attacks undetected (e.g. SNORT)
  • Anomaly Detection: more false alarms, detection of new attacks
• Popular Anomaly Detection Methods: Data Mining, Genetic algorithms, Statistical analysis
• Performance Bottlenecks: S/W methods cannot match Gigabit Ethernet rates

Page 6

NIDS: Challenges
• Problems with Signature IDS: can only detect known intrusion types
• Problems with Anomaly IDS:
  • Need to have “sufficient” training data that covers as much variation of the normal behavior as possible
  • Too much dependence on the training data set
  • False positives
  • Slow due to high dimensional network data

Page 7

(repeats the NIDS challenges of the previous slide)

[Figure: overall NIDS framework. Offline Phase: Labeled Training Data, Preprocessing, Learning, Normal Behavior. Online Phase: Live Network Stream, Preprocessing, Deviation, Attack Detection.]

Page 8

Overall NIDS Framework


Page 9

Outline
• Overview of Network Intrusion Detection
• Principal Component Analysis (PCA)
  • Distance Calculation Methodology
• PCA Framework
  • PCA architecture
  • FPGA implementation
• Results
  • FPGA performance
  • Accuracy
  • H/W Speedup
• Conclusions

Page 10

Principal Component Analysis (PCA)
• Express variation in multivariate data in uncorrelated variables
• Input data dimension consists of p correlated variables x1, x2, …, xp
• PCA looks for a transformation of the xi into p new variables yi that are uncorrelated:
  y1 = f1(x1, x2, …, xp)
  y2 = f2(x1, x2, …, xp)
  …
  yp = fp(x1, x2, …, xp)
• Eigenvalues (λi)
• Eigenvectors (ei)

Page 11

PCA: An Example
[Figure: scatter plot of Original Variable A against Original Variable B, with the axes PC 1 and PC 2 drawn through the data.]
• PC 1 is the direction of maximum variance (major)
• PC 2 is uncorrelated (orthogonal) to PC 1 (minor)

Page 12

PCA: Properties
• Principal components are arranged in descending order of the amount of variation each encompasses
• Keep the q most important ones and discard the others
• Some deviation may not follow the same correlation model, so one may also want to keep the r least important components
• Calculate distance in the new set of axes; outlier if the distance is far from normal

Page 13

[Figure: PCA maps an input record onto components y1, y2, …, yq (major principal components) and yp-r+1, …, yp (minor principal components).]

Major component score: $\mathrm{MajC} = \sum_{i=1}^{q} \frac{y_i^2}{\lambda_i}$

Minor component score: $\mathrm{MinC} = \sum_{i=p-r+1}^{p} \frac{y_i^2}{\lambda_i}$

Page 14

PCA: Steps involved
• Distance Calculation: map the input data into suitable axes; calculate the distance using principal components
  • Euclidean Distance (equal weight for each dimension)
  • Mahalanobis Distance (uses correlation matrix)
• Outlier Detection: distance exceeding a pre-defined threshold, tM and tm for the Major and Minor components, respectively

Page 15

PCA Framework: Phases
[Figure: Offline Phase and Online Phase blocks of the PCA framework.]

Page 16

PCA Framework: Phases
Offline Phase:
• Step 1: Mean vector of the sample data (training data) created
• Step 2: Correlation Matrix R created
• Step 3: Eigen-analysis performed on R; extraction of <ei, λi> pairs
• Step 4: Pairs are sorted according to λi to determine the major and minor principal components
• Step 5: Thresholds are calculated

Page 17

PCA Framework: Phases
Online Phase:
• Step 1: Online data (test data) are mapped to the eigenspace of q & r principal components
• Step 2: MajC and MinC scores are computed in parallel
• Step 3: Threshold comparison is performed
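The offline steps 1-5 and online steps 1-3 of the two preceding slides, with the MajC/MinC scores and the tM/tm thresholds from the earlier PCA slides, written out as an added NumPy example (not the authors' VHDL design). The traffic is constructed here, and the threshold rule (the 0.99 quantile of the training scores) is an assumption the slides do not state.

```python
"""PCA anomaly scoring in the offline/online form the slides outline. Added
NumPy illustration, not the authors' FPGA design; the data is constructed here
and the threshold rule (a quantile of the training scores) is an assumption."""
import numpy as np


def offline_phase(train, q, r, quantile=0.99):
    """Offline Steps 1-5: mean, correlation matrix R, eigen-analysis, sort by
    lambda_i, and thresholds tM/tm taken from the training scores."""
    mean = train.mean(axis=0)                      # Step 1: mean vector
    std = train.std(axis=0)
    std[std == 0] = 1.0                            # guard constant features
    z = (train - mean) / std                       # standardised data
    R = z.T @ z / len(z)                           # Step 2: correlation matrix
    lam, vecs = np.linalg.eigh(R)                  # Step 3: <e_i, lambda_i> pairs
    order = np.argsort(lam)[::-1]                  # Step 4: largest lambda first
    lam, vecs = lam[order], vecs[:, order]
    lam = np.maximum(lam, 1e-12)                   # never divide by a zero eigenvalue
    model = {"mean": mean, "std": std, "lam": lam, "vecs": vecs, "q": q, "r": r}
    majc, minc = pc_scores(model, train)           # Step 5: thresholds (assumed rule)
    model["tM"] = float(np.quantile(majc, quantile))
    model["tm"] = float(np.quantile(minc, quantile))
    return model


def pc_scores(model, x):
    """Online Steps 1-2: y_i = e_i . z for every component, then
    MajC = sum_{i=1..q} y_i^2/lambda_i and MinC = sum_{i=p-r+1..p} y_i^2/lambda_i."""
    z = (np.atleast_2d(x) - model["mean"]) / model["std"]
    terms = (z @ model["vecs"]) ** 2 / model["lam"]  # columns sorted by lambda_i
    p = terms.shape[1]
    majc = terms[:, :model["q"]].sum(axis=1)
    minc = terms[:, p - model["r"]:].sum(axis=1)   # empty slice gives 0 when r == 0
    return majc, minc


def detect(model, x):
    """Online Step 3: flag a record when either score exceeds its threshold."""
    majc, minc = pc_scores(model, x)
    return (majc > model["tM"]) | (minc > model["tm"])


def make_traffic(n, rng):
    """Constructed 6-feature 'normal' records: one latent factor drives features
    0-2, another drives 3-5, plus small noise: two major, four minor components."""
    f = rng.normal(size=(n, 2))
    x = np.empty((n, 6))
    x[:, :3] = f[:, [0]] + 0.10 * rng.normal(size=(n, 3))
    x[:, 3:] = f[:, [1]] + 0.25 * rng.normal(size=(n, 3))
    return x


def demo():
    rng = np.random.default_rng(2008)
    model = offline_phase(make_traffic(4000, rng), q=2, r=2)
    fresh = make_traffic(1000, rng)                # unseen normal traffic
    # Constructed anomalies: 'big' is extreme along the dominant correlation (MajC
    # catches it); 'odd' is small but breaks the 0-2 correlation (only MinC sees it).
    big = model["mean"] + np.array([6.0, 6.0, 6.0, 0.0, 0.0, 0.0])
    odd = model["mean"] + np.array([3.0, 0.0, 0.0, 0.0, 0.0, 0.0])
    probes = np.vstack([big, odd])
    majc, minc = pc_scores(model, probes)
    flagged = detect(model, probes)
    return {
        "tM": model["tM"], "tm": model["tm"],
        "false_alarm_rate": float(detect(model, fresh).mean()),
        "big": (float(majc[0]), float(minc[0]), bool(flagged[0])),
        "odd": (float(majc[1]), float(minc[1]), bool(flagged[1])),
    }
```

The 'odd' probe is the case slide 12 motivates: its MajC stays below tM because it is not large along the major axes, and only the minor-component score exposes the broken correlation.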

Page 18

PCA: Advantages
• Reduces the dimensionality of network data with little or no information loss
• Analyses different network TCP parameters (features)
• Complete breakdown into offline and online phases; eigen-analysis and sorting performed in the offline phase
• Major and minor components chosen define two thresholds: better coverage
• Faster compared to software implementation: hardware-level parallelism to compute the PC score

Page 19

Principal Component Score Pipeline for FPGA


Page 20

FPGA Implementation
• Design synthesis using VHDL
• Place and route using Xilinx ISE 8.1
• Target Platform: Xilinx XC2VP30
• # of pipeline stages = F(p, q, r)
• Training and testing dataset: KDD Cup 1999
  • 100,000-125,000 training data samples
  • Up to 12 of 32 principal components used
• Speedup limited by I/O bandwidth of FPGA board

Page 21 (outline slide repeated as a section divider before the Results)

Page 22

Results: FPGA Performance
• # fields (p) = 32
• Maximum throughput = 24.72 Gbps

Page 23

Results: PCA Accuracy

Detection and False Alarm Rates vs. q


Page 24

PCA hardware Speedup Compared with sequential software code
• System: AMD Opteron 2.4 GHz with 2 GB memory
[Figure: chart of Speedup (0 to 450) against No. of minor principal components (r = 0, 1, 2, 4), with series for q = 4 and q = 8.]

Page 25

Conclusions
• High Ethernet throughput demands efficient anomaly detection in networks
• High dimensional network data becomes a bottleneck for anomaly detection
• Hardware implementation of NIDS based on Principal Component Analysis can be effective
• Parallelism is exploited using reconfigurable hardware (FPGAs)
• Attack detection up to 99% with false alarm rates as low as 1.95%
• Significant speedup compared to software

Page 26

Acknowledgements

This work was supported by NSF grants NSF-ITR CCR-0325207, CNS-0406341, CNS-0551639, IIS-0536994, CCR-0325207, by Air Force Office of Scientific Research (AFOSR) award FA9550-06-1-0152 and DoE CAREER Award DE-FG02-05ER25691


Page 27

Thank You !

Questions?

Contact Info:
Electrical Engineering and Computer Science Department
Northwestern University
2145 Sheridan Road
Evanston, IL 60208
Phone: (847) 467-4610
Fax: (847) 467-4144
Email: [email protected]
http://www.ece.northwestern.edu/~ada829

Pages 28-29: References

Page 30

Backups

Page 31

NIDS FPGA Architecture
[Figure: NIDS FPGA architecture with two blocks, Feature Extraction and Principal Component Analysis.]

Page 32

Feature Extraction Module: Feature Sketch Architecture
[Figure: packet fields Src IP (32 bits), Dst IP (32), Src port (16), Dst port (16) and Flags (6) enter a Hash Control Block with hash functions HF(1), HF(2), …, HF(H); each HF(i) addresses its own Sketch table i (Sketch table 1 … Sketch table H), and an Estimate Block turns the table outputs into the Estimated value.]
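An added software sketch of the feature-extraction module shown above (example code, not the authors' hardware): the packet fields are packed at the widths on the slide, H salted hashes address H tables, and the estimate block takes the minimum over them. The count-min update/estimate rule and the SHA-256 hash family are assumptions, since the slide shows only the blocks; the packet stream is constructed.

```python
"""Hash-sketch feature estimation in the shape of the Feature Sketch Architecture
slide: H hash functions, H sketch tables, an estimate block. Added example, not
the authors' hardware; the count-min rule (add to every table, estimate = minimum)
and the salted-SHA-256 hash family are assumptions the slide does not specify."""
import hashlib


def pack_key(src_ip, dst_ip, src_port, dst_port, flags):
    """Concatenate the slide's fields at their widths (32+32+16+16+6 = 102 bits)."""
    val = ((src_ip & 0xFFFFFFFF) << 70) | ((dst_ip & 0xFFFFFFFF) << 38)
    val |= ((src_port & 0xFFFF) << 22) | ((dst_port & 0xFFFF) << 6) | (flags & 0x3F)
    return val.to_bytes(13, "big")                 # 104 bits, top 2 bits zero


class FeatureSketch:
    """H sketch tables of `width` counters, each addressed by its own HF(i)."""

    def __init__(self, tables=4, width=4096):
        self.width = width
        self.tables = [[0] * width for _ in range(tables)]

    def _hf(self, i, key):
        """HF(i): one salted digest per table (assumed hash family)."""
        digest = hashlib.sha256(bytes([i]) + key).digest()
        return int.from_bytes(digest[:4], "big") % self.width

    def update(self, key, count=1):
        """Every table's addressed counter is incremented for the arriving packet."""
        for i, table in enumerate(self.tables):
            table[self._hf(i, key)] += count

    def estimate(self, key):
        """Estimate block: the minimum over tables is never below the true count;
        a collision can only push one table's counter upward."""
        return min(table[self._hf(i, key)] for i, table in enumerate(self.tables))


def demo():
    """Constructed stream: 300 distinct flows seen once each plus one busy flow
    of 500 packets. Returns {key: (exact count, sketch estimate)}."""
    sketch, exact = FeatureSketch(), {}
    stream = [(0x0A000001 + i, 0xC0A80001, 40000 + i, 80, 0x18) for i in range(300)]
    stream += [(0x0A0000FF, 0xC0A80001, 51000, 443, 0x02)] * 500
    for fields in stream:
        key = pack_key(*fields)
        exact[key] = exact.get(key, 0) + 1
        sketch.update(key)
    return {key: (true, sketch.estimate(key)) for key, true in exact.items()}
```

The estimates are exact for almost every key at this table size, and where a collision does occur the error is a bounded overestimate, which is the property that makes the sketch a usable source of per-flow features for the PCA stage.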

Page 33 (repeats the MajC and MinC score definitions of Page 13)

Page 34 (repeats the Results: PCA Accuracy slide, Detection and False Alarm Rates vs. q)