An Efficient FPGA Implementation of Principal Component Analysis based Network Intrusion Detection System
A. Das, S. Misra, S. Joshi*, J. Zambreno+, G. Memik, and A. Choudhary
Electrical Engineering and Computer Science Department, Northwestern University
*Indian Institute of Technology, Kharagpur; +Iowa State University
Design, Automation & Test in Europe (DATE) 2008
Contributions
• Novel architecture for Principal Component Analysis (PCA) used in Network Intrusion Detection
• Parallel implementation of PCA on an FPGA platform
• Achieving a throughput of 24.72 Gbps with up to 99.9% accuracy and as low as 1.95% false alarm rate
Overview: Network Intrusions
• Network Attacks / Intrusions: Malicious Code (viruses, worms, Trojan horses, malware)
• Approximately $70 B economic losses a year (and increasing)
• Example attacks:
  • Denial of Service (DoS)
  • Port scanning
  • SYN Flood by exploiting the TCP 3-way handshake
  • Smurf attack
Overview: NIDS
Network Intrusion Detection System:
• Monitors both inbound and outbound traffic for suspicious activity
• Identifies attacks and alerts the System Administrator/User
NIDS techniques:
• Signature Detection: fewer false alarms, but new attacks go undetected (e.g. SNORT)
• Anomaly Detection: more false alarms, but detects new attacks
Popular Anomaly Detection Methods: Data Mining, Genetic algorithms, Statistical analysis
Performance Bottleneck: S/W methods cannot match Gigabit Ethernet rates
NIDS: Challenges
Problems with Signature IDS:
• Can only detect known intrusion types
Problems with Anomaly IDS:
• Need to have “sufficient” training data that covers as much variation of the normal behavior as possible
• Too much dependence on the training data set
• False positives
• Slow due to high-dimensional network data
Overall NIDS Framework (figure, reconstructed from the diagram labels)
Offline Phase: Labeled Training Data → Preprocessing → Learning → Normal Behavior
Online Phase: Live Network Stream → Preprocessing → Deviation from the learned Normal Behavior → Attack Detection
Outline
• Overview of Network Intrusion Detection
• Principal Component Analysis (PCA): Distance Calculation Methodology
• PCA Framework: PCA architecture, FPGA implementation
• Results: FPGA performance, Accuracy, H/W Speedup
• Conclusions
Principal Component Analysis (PCA)
• Expresses the variation in multivariate data in terms of uncorrelated variables
• The input data dimension consists of p correlated variables x1, x2, …, xp
• PCA looks for a transformation of the xi into p new variables yi that are uncorrelated:
  y1 = f1(x1, x2, …, xp)
  y2 = f2(x1, x2, …, xp)
  …
  yp = fp(x1, x2, …, xp)
• The transformation is given by the eigenvalues (λi) and eigenvectors (ei)
PCA: An Example
(figure: scatter plot of Original Variable A against Original Variable B, with the axes PC 1 and PC 2 drawn through the data)
• PC 1 is the direction of maximum variance (major)
• PC 2 is uncorrelated (orthogonal) to PC 1 (minor)
PCA: Properties
• Principal components are arranged in descending order of the amount of variation each encompasses
• Keep the q most important ones and discard the others
• Some deviations may not follow the same correlation model, so one may also want to keep the r least important components
• Calculate the distance in the new set of axes; a sample is an outlier if its distance is far from normal
PCA (figure: the transformed variables y1, y2, …, yp split into two sets)
• Major principal components: y1, y2, …, yq
• Minor principal components: yp-r+1, …, yp

Scores computed over the two sets (reconstructed from the slide's formulas):
$$
\mathrm{MajC} = \sum_{i=1}^{q} \frac{y_i^2}{\lambda_i}, \qquad
\mathrm{MinC} = \sum_{i=p-r+1}^{p} \frac{y_i^2}{\lambda_i}
$$
PCA: Steps involved
• Distance Calculation: map the input data into suitable axes; calculate the distance using the principal components
  • Euclidean Distance (equal weight for each dimension)
  • Mahalanobis Distance (uses the correlation matrix)
• Outlier Detection: distance exceeding a pre-defined threshold, tM for the Major and tm for the Minor components respectively
PCA Framework: Phases
(figure: the framework is split into an Offline Phase and an Online Phase)
PCA Framework: Phases
Offline Phase:
1. Mean vector of the sample data (training data) is created
2. Correlation matrix R is created
3. Eigen-analysis is performed on R; the <ei, λi> pairs are extracted
4. Pairs are sorted according to λi to determine the major and minor principal components
5. Thresholds are calculated
PCA Framework: Phases
Online Phase:
1. Online data (test data) are mapped to the eigenspace of the q major and r minor principal components
2. MajC and MinC scores are computed in parallel
3. Threshold comparison is performed
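The online phase above, written out as an added example (not the paper's hardware design or code). The offline-phase products it starts from (mean vector, standard deviations, sorted eigenpairs, thresholds t_M and t_m) are constructed values for p = 4, not numbers from the KDD Cup data; weighting each squared projection by 1/λ_i is assumed as the score form.

```python
"""Online phase of the PCA classifier, as an added example (not the paper's design).
Offline-phase products (mean, std, eigenpairs, thresholds) are constructed for p = 4;
they are not values from the KDD Cup data."""

MEAN = [120.0, 40.0, 3.0, 0.5]    # per-feature mean of the training data (constructed)
STD = [30.0, 10.0, 1.5, 0.5]      # per-feature std; R is a correlation matrix, so inputs are standardized
# Eigenvectors e_i (rows), already sorted by descending eigenvalue lambda_i (constructed orthonormal set).
EIGVECS = [
    [0.5, 0.5, 0.5, 0.5],
    [0.5, -0.5, 0.5, -0.5],
    [0.5, 0.5, -0.5, -0.5],
    [0.5, -0.5, -0.5, 0.5],
]
EIGVALS = [2.5, 1.0, 0.4, 0.1]
Q, R = 1, 1                       # q major components y1..yq, r minor components y_{p-r+1}..y_p
T_MAJ, T_MIN = 4.0, 2.0           # thresholds t_M and t_m (constructed)


def standardize(x):
    """Centre and scale a record with the offline-phase mean vector and std."""
    return [(xi - m) / s for xi, m, s in zip(x, MEAN, STD)]


def project(z, indices):
    """Step 1: map the record into the eigenspace, y_i = e_i . z for the requested components."""
    return {i: sum(e * zj for e, zj in zip(EIGVECS[i], z)) for i in indices}


def scores(x, q=Q, r=R):
    """Step 2: MajC over the q major and MinC over the r minor components.
    Each squared projection is weighted by 1/lambda_i (Mahalanobis-style weighting, an assumption)."""
    z = standardize(x)
    p = len(EIGVALS)
    major, minor = range(0, q), range(p - r, p)
    y = project(z, list(major) + list(minor))     # only q + r projections are needed
    majc = sum(y[i] ** 2 / EIGVALS[i] for i in major)
    minc = sum(y[i] ** 2 / EIGVALS[i] for i in minor)
    return majc, minc


def classify(x, q=Q, r=R):
    """Step 3: threshold comparison; either score exceeding its threshold flags the record."""
    majc, minc = scores(x, q, r)
    return "attack" if majc > T_MAJ or minc > T_MIN else "normal"


if __name__ == "__main__":
    for rec in ([120.0, 40.0, 3.0, 0.5],   # the training mean: normal
                [180.0, 60.0, 6.0, 1.5],   # everything 2 std up along PC1: MajC fires
                [150.0, 30.0, 1.5, 1.0]):  # breaks the learned correlation: MinC fires
        print(rec, scores(rec), classify(rec))
```

The third record projects to zero on the major component and is caught only by MinC, which is why the deck keeps r minor components as well as q major ones.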
PCA: Advantages
• Reduces the dimensionality of network data with little or no information loss
• Analyses different network TCP parameters (features)
• Complete breakdown into an offline and an online phase: eigen-analysis and sorting are performed in the offline phase
• Major and minor components chosen define two thresholds, giving better coverage
• Faster compared to a software implementation: hardware-level parallelism is used to compute the PC scores
Principal Component Score Pipeline for FPGA (figure)
FPGA Implementation
• Design synthesis using VHDL
• Place and route using Xilinx ISE 8.1
• Target Platform: Xilinx XC2VP30
• Number of pipeline stages = F(p, q, r)
• Training and testing dataset: KDD Cup 1999
• 100,000-125,000 training data samples
• Up to 12 of 32 principal components used
• Speedup limited by the I/O bandwidth of the FPGA board
Results: FPGA Performance
• Number of fields (p) = 32
• Maximum throughput = 24.72 Gbps
Results: PCA Accuracy
(figure: Detection and False Alarm Rates vs. q)
PCA hardware Speedup compared with sequential software code
(figure: Speedup, on a 0 to 450 scale, vs. the number of minor principal components r ∈ {0, 1, 2, 4}, plotted for q = 4 and q = 8)
System: AMD Opteron 2.4 GHz with 2 GB memory
Conclusions
• High Ethernet throughput demands efficient anomaly detection in networks
• High-dimensional network data becomes a bottleneck for anomaly detection
• A hardware implementation of NIDS based on Principal Component Analysis can be effective
• Parallelism is exploited using reconfigurable hardware (FPGAs)
• Attack detection up to 99% with false alarm rates as low as 1.95%
• Significant speedup compared to software
Acknowledgements
This work was supported by NSF grants NSF-ITR CCR-0325207, CNS-0406341, CNS-0551639, IIS-0536994, CCR-0325207, by Air Force Office of Scientific Research (AFOSR) award FA9550-06-1-0152 and DoE CAREER Award DE-FG02-05ER25691
Thank You!
Questions?
Contact Info:
Electrical Engineering and Computer Science Department, Northwestern University
2145 Sheridan Road, Evanston, IL 60208
Phone: (847) 467-4610
Fax: (847) 467-4144
Email: [email protected]
Web: http://www.ece.northwestern.edu/~ada829
Backups
NIDS FPGA Architecture
(figure: Feature Extraction → Principal Component Analysis)
Feature Extraction Module: Feature Sketch Architecture
(figure: the header fields Src IP (32 bits), Dst IP (32 bits), Src port (16 bits), Dst port (16 bits) and Flags (6 bits) enter a HashControlBlock; hash functions HF(1), HF(2), …, HF(H) each index one of Sketch table 1, Sketch table 2, …, Sketch table H; an Estimate Block combines the H table entries into the Estimated value)
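The sketch-based feature extraction shown in the figure, as an added software model (not the paper's hardware). The slide does not say how the Estimate Block combines the H entries; the model assumes it takes the minimum (count-min style), and the hash functions HF(j), table sizes and sample packets are all constructed.

```python
"""Feature-extraction sketch front end, added example (not the paper's hardware).
Header fields (Src IP 32, Dst IP 32, Src port 16, Dst port 16, Flags 6 bits) are hashed by H
hash functions into H sketch tables; the Estimate block is assumed to take the minimum
over the tables (count-min style), which the slide does not state. Packets are constructed."""
import hashlib
import socket
import struct

H = 3     # number of hash functions HF(1)..HF(H) and sketch tables (assumed)
W = 64    # counters per sketch table (assumed)


def header_key(src_ip, dst_ip, src_port, dst_port, flags):
    """Pack the five header fields into the bit vector the hash block consumes."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!HHB", src_port, dst_port, flags & 0x3F))


def hf(j, key):
    """HF(j): j-th hash function, modelled as a salted SHA-256 reduced to a table index (assumed)."""
    digest = hashlib.sha256(bytes([j]) + key).digest()
    return int.from_bytes(digest[:4], "big") % W


class FeatureSketch:
    """H tables of W counters; memory is fixed no matter how many distinct flows appear."""

    def __init__(self):
        self.tables = [[0] * W for _ in range(H)]

    def update(self, key, count=1):
        """HashControlBlock: increment one counter in every table."""
        for j in range(H):
            self.tables[j][hf(j, key)] += count

    def estimate(self, key):
        """Estimate block: the minimum over the H counters never underestimates the true count."""
        return min(self.tables[j][hf(j, key)] for j in range(H))


def count_to_destination(packets):
    """Feature: packets per (dst_ip, dst_port). Source fields are zeroed in the key so the
    sketch aggregates everything aimed at one service. Returns a query function."""
    sk = FeatureSketch()
    for _src_ip, dst_ip, _sport, dport, _flags in packets:
        sk.update(header_key("0.0.0.0", dst_ip, 0, dport, 0))
    return lambda dst_ip, dport: sk.estimate(header_key("0.0.0.0", dst_ip, 0, dport, 0))


# Constructed sample: five SYN packets to one service, one to another.
PACKETS = [("10.0.0.%d" % i, "192.0.2.10", 40000 + i, 80, 0x02) for i in range(1, 6)]
PACKETS.append(("10.0.0.9", "192.0.2.20", 40009, 443, 0x02))

if __name__ == "__main__":
    query = count_to_destination(PACKETS)
    print(query("192.0.2.10", 80), query("192.0.2.20", 443), query("192.0.2.30", 22))
```

Because the estimate can only overcount on a hash collision, the feature fed to the PCA stage is an upper bound on the true per-service count, which matters when the thresholds tM and tm are tuned on it.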