W ISDO M W ISDO M Workpackage 3 New security algorithm design ICS-FORTH Heraklion, 3 rd June 2009
Dec 25, 2015
WISDOMWISDOMWorkpackage 3
New security algorithm design
ICS-FORTH
Heraklion, 3rd June 2009
WISDOMWISDOMWISDOM WP3: New security
algorithm designObjectives• Identify critical security application components which
can be efficiently implemented in the optical domain• Characterise constraints to algorithmic components and
develop novel techniques for simplified pattern matching• Design a Security Application Programming Interface
(SAPI) which will be the interface between high-level security applications and low-level optical implementation
Tasks – Deliverables• WP3.1: Security Applications Partitioning (M12)• WP3.2: Identification of Simplified Security Algorithm
Components (M24)• WP3.3: Definition of a Security Application Programming
Interface: SAPI (M30)
WISDOMWISDOMWP3.1 Security Applications
Partitioning
Identify efficient operations inoptical domain by considering• basic firewall functionality
prevents communication for specific servers and services
• basic IDS/IPS functionality signature, anomaly based detection
• packet structure and decodingheader (fixed length) payload (variable length)
• optical hardwareoptical data format, optical bit filtering,optical pattern matching,
buffer (delays)
16-bit total length
16-bit header checksum
32-bit source IP address
32-bit destination IP address
TOS4 IHL
16-bit identification
TTL protocol
flags 13-bit fragment offset
options (if any)
16-bit source port 16-bit destination port
32-bit sequence number
32-bit acknowledgment number
Offset Reserved Flags 16-bit window
16-bit checksum urgent pointer
Options (if any)
Application data
WISDOMWISDOMWP3.1 Security Applications
Partitioning
Critical security operations in the optical domain Basic firewall functionality, inspect packet headers
Less than 10% of rules, more than 90% of alerts
Look at specific packet header field• Block or filter traffic for specific protocols, ports, etc
Optical filtering, optical pattern matching, optical routing• Block or filter traffic for specific IP addresses
Optical possible but not efficient
Combined inspections of several header fields• Specific IP protocols and ports• From specific IP addresses to specific ports
Optical possible but combination of optical and electronic more efficient
WISDOMWISDOMWP3.1 Security Applications
Partitioning
Firewall rule example Inspection• Deny all incoming traffic with IP matching internal IP source IP address• Deny incoming from black-listed IP addresses source IP address• Deny all incoming ICMP traffic IP protocol• Deny incoming TCP/UDP 135/445 (RPC, Windows Sharing) destination port• Deny incoming/outgoing TCP 6666/6667 (IRC) destination port
• Allow incoming TCP 80, 443 (http, https) destination port
to internal web server (destination IP address)• Deny incoming TCP 25 to SMTP server destination port
from external IP addresses (destination)/source IP address
• Allow UDP 53 to internal destination portDNS server (destination IP address)
typical port assignments for some other services/applicationsftp TCP 21, ssh TCP 22, telnet TCP 23, POP3 TCP 110, IMAP 143
WISDOMWISDOM
WP3.2 Identification of Simplified Security Algorithms
Components
• Optical pre-processing for more ‘traditional’ IDS– Restrictions in optical domain (buffering, level of integration, etc)– Scalability of security pattern matching algorithms, optimum
balance between optical and electronic processing (WP6)– Develop algorithms that will allow optical bit-serial processing
subsystems to operate as a pre-processor to more complex pattern recognition techniques in the electronic domain.
D3.2 Identification of Simplified Security Algorithms
Components
WISDOMWISDOM
WP3.2 Identification of Simplified Security Algorithms
Components
• Identify feasible and efficient all-optical operations– Inspection of specific fields in packet headers (protocol number,
port number, etc)– Pattern matching– Routing
• Keep all options for conventional (electronic) IDS– Design high speed optical pre-processing that makes electronic
processing more efficient
• Demonstration of key security functions – Example applications with efficient and reliable operation of a
hybrid system consisting of both all-optical and electronic components
WISDOMWISDOM
WP3.2 Identification of Simplified Security Algorithms
Components
Combine optical and electronic signature-based detection
• Optical traffic splitters– optical header processing– split high speed network traffic – group packets, e.g., according to port number
• Multiple “specialized” (electronic) processors– less packets to inspect per processor– more efficient payload inspection by performing same operations
to same type of packets
WISDOMWISDOM
WP3.2 Identification of Simplified Security Algorithms
Components
Approach for Hybrid Optical – Electrical Platform
• All-optical inspection of packet headers only
• A few well chosen useful rules optically implemented – Restrictions in memory and level of integration imply small
number of selected rules can be implemented in optical domain– Reconfigurable optical systems– Analysis and statistics of network security threats
• Seamless coupling of optics with electronics– Electronic processing enhanced by optical preprocessing – Security applications (including payload inspection) in electronic
domain with more conventional NIDS tools– Take advantage of “conventional” NIDS/NIPS methods
continuously developed
WISDOMWISDOM
WP3.2 Identification of Simplified Security Algorithms
Components
Use network traffic monitoring and classification appmon
WISDOMWISDOM
WP3.2 Identification of Simplified Security Algorithms
ComponentsSelect rules using statistics on suspect packets
NoAH honeypots statisticsProtocolsPorts
WISDOMWISDOM
WP3.2 Identification of Simplified Security Algorithms
Components
WISDOMWISDOM
WP3.2 Identification of Simplified Security Algorithms
Components
• Network traffic monitoring– Deployment of network of sensors for
global view
• Protocols– ICMP often used in attacks – TCP most popular, UDP also heavily used
• Ports HEAnet
– Some high level applications use TCP/IP with pre-assigned port numbers
– Others use dynamically assigned port numbers, different for different connections
– Some attacks work on specific ports
WISDOMWISDOM
WP3.2 Identification of Simplified Security Algorithms
Components
Benefits from optical splitting for electronic processing
Similar approaches already proved successful in intensive
NIDS applications • Early filtering and forwarding• Packets of the same type are grouped by the splitter and forwarded
to specialized electronic processors• Performance benefits (50-90/%) with the use of digital network
processors• Clustering of packets with same destination port number improves
performance of conventional IDS
40% increase in packet processing throughput
60% improvement in packet loss rate
WISDOMWISDOM
WP3.2 Identification of Simplified Security Algorithms
Components
Available hybrid integrated optical circuits:
• XOR, AND logic gates• buffer memory (limited)• routing switch• Bit pattern matching circuit• Target pattern generator• Pseudo random bit sequence generator• Header sampler (proposal)• CRC (proposal)
WISDOMWISDOM
WP3.2 Identification of Simplified Security Algorithms
Components
Input: flux of packets, consisting of RZ pulses TOutput: packets dropped or allowed to proceed
Box: Header sampler
Bit pattern matching
Routing switch
Buffer memory
Preamble TCP Port # Payload Guard bandHeader Header
Preamble TCP Port # Payload Guard bandHeader HeaderPreamble TCP Port # Payload Guard bandHeader Header
MZI1Preamble TCP Port # Payload Guard bandHeader Header CRC
WISDOMWISDOM
WP3.2 Identification of Simplified Security Algorithms
Components
Same components, simple pipelined configuration8 bit pattern matching at left boxes16 bit pattern matching at right boxes
Possible packet collisions, bottleneck
WISDOMWISDOM
WP3.2 Identification of Simplified Security Algorithms
Components
“router”:round-robin, CRC
WISDOMWISDOM
WP3.2 Identification of Simplified Security Algorithms
Components
Simulator of optical device operation
Basic building blocks are logic gatesUseful for circuit design, testing efficiency of proposed configurations, analysis of more complex algorithms, hybrid optical-electronic detection, load balancing, parallel/distributed configurations, anomaly-based detection, etc.
WISDOMWISDOM
WP 3.3 Definition of a Security Application Programming
Interface (SAPI)
• Software platform – “mini” operating system bridges the gap between optical execution of key components and programming of security applications
• High-level programming, abstract all low-level detailsoperates independent of system modifications, allows for integrationof additional software and hardware components of increasing complexity
• Hardware – software interfacefast optical processing, reconfigurable at much slower ratesuser interventions rare, at conventional speed of electronics
• Front-end for SAPI and WSIMHardware and simulator run under same environment
D3.3 Definition of SAPI (M30)
WISDOMWISDOM
WP 3.3 Definition of a Security Application Programming
Interface (SAPI)• Device configuration
hardware control• Set security application rules
predefined filters custom filters• System monitoring
visualization of security operations outcome• Easy to use GUI at front-end
user friendly control panelsame for actual operation and simulation
• Testbed and more complex systems designed to support any hybrid optical-electronic architecture
WISDOMWISDOMWP3: SAPI
Interface with hardware and simulator (details coming up)
WISDOMWISDOMWP3: SAPI
WSIM tool
WISDOMWISDOMWP3: SAPI
WSIM tool …more to follow…
WISDOMWISDOMWP3: New security algorithm
design• Basic Firewall functionality in the optical domain (D3.1)
– Feasible, useful, and efficient packet header fields inspection • Optical pre-processing for electronic NIDS/NIPS (D3.2)
– Actual security threats taken into account through network monitoring and attack statistics
– All-optical header inspection and packet classification combined with electronic processing of payload
– Proposal for hybrid systems with optimum balance between optical and electrical processing: optical enhances electrical, benefits from conventional electronic
NIDS/NIPS preserved• SAPI (D3.3)
– High-level programming of security applications running over optical and electronic hardware
• Functional optical device simulator– Complex algorithm design– Development that may be of more general interest
WISDOMWISDOMWP3 concluded: What next?
• Prepare SAPI for (upcoming) demonstrator/hardware• Quantify benefits from optical pre-processing
Extensive processing of actual traces with simulatorTest different scenarios, DoS attacks, etcConstant improvement of simulation tools
• Include physical models of optical devices in simulationsPerhaps not essential to this project, but overall very important…
• Details on high performance commercial NIDS Endace, Crossbeam, etc., simple parallelization, dumb load balancers, or more? Convince about advantages of all-optical pre-processing
• Future‘Green’ aspects of project (e.g., low power consumption)Think again about payload inspection (partially in optical domain)
What is feasible in terms of optical components and devices?