
The tremendous growth of modern communication and network systems places heavy demands on security. As network complexity grows, automated detection and timely alerting are required to catch abnormal activity in the network, and a high-speed Network Intrusion Detection System (NIDS) is needed to check traffic against malicious signatures. Bloom Filters are a key building block in network security applications: packets from a high-speed link can be processed efficiently by a Bloom Filter implemented on state-of-the-art hardware. Because the Bloom Filter and its variant, the Counting Bloom Filter, suffer from a non-negligible False Positive Rate, a Multi-Hash Counting Bloom Filter architecture is proposed. The proposed parallel signature detection improves the False Positive Rate, but throughput and hardware complexity suffer. To resolve this, a Multi-Level Ranking Scheme is introduced, which reduces power by 13% - 16% and increases throughput by 23% - 30%. This work is best suited for signature detection in high-speed networks.

Technology development and innovation have become part of our life. An ever-increasing dependence on technology has consolidated it as a powerful platform that has revolutionized the way we do business and communicate with people, while leaving us exposed to the threat of cyber crime. KPMG in India is one of the chief providers of risk, tax and regulatory services, financial and business advisory, internal audit, and corporate governance. KPMG was established in India in September 1993, and it conducted the KPMG Cybercrime Survey Report 2014 [

Many algorithms proposed earlier are not suited to the growing line rates of Gbps. The Aho-Corasick algorithm has been widely adopted for string matching [

Another class of algorithm matches a block of characters at a time instead of a single character. Based on the scan of the rightmost block of characters in the window, a shift is applied [

To enhance throughput, research is being done on hardware-based Intrusion Detection Systems (IDS). For hardware-based solutions, FPGAs (Field Programmable Gate Arrays) and TCAM (Ternary Content Addressable Memory) are used for their parallelism. One such study found that 87% of Snort rules contain content patterns and therefore proposed a hardware accelerator for pattern matching [

Even though intrusion detection has progressed rapidly in the past few decades, many issues remain unsolved. The first and foremost criterion is that it should be effective: it should detect a wide range of attacks with minimal false positives. Second, intrusion detection should keep up with increasing Gigabit per second (Gbps) link speeds. Third, the system should be dynamic enough to handle new attacks in the future. Finally, the detection system protects the host, but it should additionally protect the network.

The rest of the paper is organized as follows: Section 2 describes the background and related work on the Bloom Filter. Section 3 illustrates the existing Counting Bloom Filter architecture. The Multi Hash Counting Bloom Filter is proposed in Section 4. Section 5 describes the Single and Multi-Level Ranking Schemes, Section 6 gives the validation of the proposed work, and Section 7 concludes the paper.

The Set-Wise Boyer-Moore-Horspool (SBMH) work proposed the first hybrid signature-based NIDS, adapting the Horspool variant of the single-pattern Boyer-Moore algorithm (BM) together with the AC algorithm [

The AC and SBMH algorithms were evaluated on various Snort attack rules. The number of rules in the rule set decides which algorithm is used: BM is selected for a single rule, SBMH for 2 to 100 rules, and AC when there are more than 100 rules. SBMH improves overall Snort performance by a factor of 5 for web traffic.

An algorithm named Aho-Corasick-Boyer-Moore (AC-BM) combines the multi-pattern search of Aho-Corasick with the character-skip feature of Boyer-Moore [

The BM algorithm achieved better performance than AC-BM on the full rule set. However, AC-BM performed outstandingly when the test was restricted to content rules, with the non-content attack rules removed: with about 200 Snort content rules AC-BM was found to be 1.31 times faster than Boyer-Moore, and 3.32 times faster with 786 rules.

Hardware-based IDS designs can be further classified by mechanism: memory-based, state machine, hashing, and brute-force search. In a hybrid hardware model, Content Addressable Memory (CAM) is employed for checking both the packet header and the payload [

Lin Tan and Timothy Sherwood developed an approach that solves the difficulty of compiling a bulk database of strings into small state machines. These state machines are employed to search the rule set [

A function that takes input of arbitrary length and produces digital data of fixed length is termed a hash function. The value obtained as the output of a hash function is called a hash value or hash code, or simply a hash. Hash functions are often used in data structures to query data; one such structure is the Bloom Filter. After the introduction of the Bloom Filter by Burton Howard Bloom in 1970, hardware-based IDS thrived [

So an IDS has to detect attacks while also being space- and time-efficient. As the Bloom Filter has proven to be a good basis for designing an IDS, this review focuses mainly on Bloom Filter based hardware IDS.

Basically, a Bloom Filter allows false positives but never false negatives. This property attracts Intrusion Detection System designers to use Bloom Filters in their designs. Bloom gave the example of a hyphenation algorithm for a dictionary of 500,000 words, of which 90% follow simple hyphenation rules while the remaining 10% require expensive disk accesses to retrieve specific hyphenation patterns. With sufficient core memory, an error-free hash could be used to eliminate all unnecessary disk accesses. Bloom's technique instead uses a small hash area but still eliminates most unnecessary accesses: for example, a hash area of only 15% of the size needed by an ideal error-free hash eliminates 85% of the unnecessary disk accesses [

Burton H. Bloom introduced this new hash coding method for applications in which the great majority of messages to be tested do not belong to the large set. Three considerations apply. First, the average time required to classify an element as a non-member of the large set should be small. Second, the probability of error should be minimized, where an error means that a non-member is falsely identified as a member; a small error rate is tolerated. Third, computation time and space should be efficient enough for practical applications [

Bloom Filter (BF) is a compact space efficient algorithm. Consider a set _{1 }will range from

Because a standard BF supports insertion and query but not deletion of elements, Fan et al. introduced the Counting Bloom Filter (CBF), which replaces each bit with a counter [

Still, the false positive rate of the CBF remains the same as that of the BF. To overcome this drawback, a Multi-Hash technique is proposed. Next, to improve speed and reduce power, a Multi-Level Ranking scheme is used in the proposed work.

The Counting Bloom Filter (CBF) is organized as an array of counters indexed by the hash function. This is depicted in

Pattern matching using a CBF begins with the hash function, where the incoming address or pattern of n bits is mapped to a fixed-length m-bit value. A simple hash function is used to index the large array in which the data is stored. While querying, the same hash index is used to check whether the pattern is present or not. Ramakrishna et al. described a class of universal hash functions suitable for this hardware implementation [ ]. In this work, hashing with the H_{3} class of hash functions is performed.

The class H_{3} is defined as follows:

Let Q denote the set of all Boolean matrices q with one row per bit of the input and one column per bit of the output; for q ∈ Q let q_{k} be the k^{th} row of q, and let x_{k} be the k^{th} bit of x. The hashing function h_{q}(x): A → B is defined (Ramakrishna et al. 1994) by Equation (1),

The above universal hash function can be presented in different notation as follows. Consider an input address whose bits are

The FPR of the CBF is derived by assuming n elements, a bit vector (counter array) of m entries, and k hash functions.

The probability that any particular bit H_{i} = 0 is

The probability that a particular bit H_{i} = 1 is

For an element x, a false positive on a query means that each of the k hash values must index a bit that is set to 1. The probability that this happens is

which is claimed to be

Equation (5), found in many papers, is incorrect. Consider an example that demonstrates the error. Assume

In almost all applications the value of k is fixed, and hence the FPR is a constant; with k chosen near its optimum the probability that a given bit is set is nearly 1/2, so the FPR is close to (1/2)^{k}, as shown in Equation (8).

If
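The derivation above, carried through numerically as an added worked example. This code is not from the paper: it uses the standard closed forms for the independent-uniform-hash model with the page's symbols n, m and k, and sets the exact expression beside the common exponential approximation so that the discrepancy for small filters can be seen directly; the concrete (n, m, k) values are constructed for the demonstration.

```python
import math


def bit_zero_prob(n, m, k):
    """Probability that a particular bit/counter H_i is still 0 after n elements,
    each setting k independent, uniformly chosen positions out of m."""
    return (1.0 - 1.0 / m) ** (k * n)


def bit_one_prob(n, m, k):
    """Probability that a particular bit/counter H_i is 1 (non-zero)."""
    return 1.0 - bit_zero_prob(n, m, k)


def fpr_exact(n, m, k):
    """False positive rate: all k hashed positions of a non-member are set.
    The k positions are treated as independent, the usual textbook form."""
    return bit_one_prob(n, m, k) ** k


def fpr_approx(n, m, k):
    """Common approximation obtained from (1 - 1/m)^(kn) ~ exp(-kn/m)."""
    return (1.0 - math.exp(-k * n / m)) ** k


def optimal_k(n, m):
    """Real-valued k that minimises the approximate FPR: (m/n) ln 2.
    At this k the fill probability bit_one_prob is about 1/2 and FPR ~ (1/2)^k."""
    return (m / n) * math.log(2)


def best_integer_k(n, m, k_max=32):
    """Integer k with the smallest exact FPR: the check to run before deciding
    how many hash units to build into a multi-hash CBF."""
    return min(range(1, k_max + 1), key=lambda k: fpr_exact(n, m, k))


def compare(n, m, k):
    """Exact vs approximate values for one (n, m, k); the gap is largest for small m."""
    exact = fpr_exact(n, m, k)
    approx = fpr_approx(n, m, k)
    return {"p0": bit_zero_prob(n, m, k), "p1": bit_one_prob(n, m, k),
            "fpr_exact": exact, "fpr_approx": approx, "gap": exact - approx}


if __name__ == "__main__":
    # a tiny filter (m = 10 as in the ranking example later on the page) and a realistic one
    for n, m, k in [(3, 10, 2), (100, 1024, 7)]:
        print(n, m, k, compare(n, m, k), "k_opt = %.2f" % optimal_k(n, m))
```

For m = 10, n = 3, k = 2 the exact FPR is about 0.2195 while the approximation gives about 0.2036, so for the small counter arrays used in hardware demonstrations the approximation should not be quoted as the filter's FPR. For n = 100, m = 1000 the best integer k is 7, matching round((m/n) ln 2), and the fill probability is within 0.01 of 1/2.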

A few applications require multiple or simultaneous CBF accesses to memory locations. In a single-hash implementation there is a chance of collision when multiple accesses take place. To overcome this problem, a Multi-Hash Function architecture is proposed as shown in

The proposed architecture takes the input signature and uses multiple hash functions to index the counter array. A traditional CBF employs only a single hash function, which may index the same counter location for different inputs; when querying, this collision produces a false positive. The proposed architecture employs multiple hash functions so that membership is checked at several locations, which reduces the occurrence of false positives.

For example, if an element x hashes to h_{1}(x) = 5 and another element y hashes to the same location, h_{1}(y) = 5, then the counter at location 5 of the CBF is incremented to two. When x is deleted, the counter is decremented to one based on the same hash output. A subsequent query for x still finds a non-zero counter and reports x as a member: a false positive caused by two elements hashing to the same location. To avoid this, a multi-hash CBF can be employed as depicted in

For the traditional CBF, the decoder module, multiplexer and zero detector have to be replicated to perform multiple accesses. Multi-porting the CBF as is done with multi-port SRAM cells is not a straightforward solution. A simpler solution is to take the outputs of the different hash functions and serialize them to access the CBF, with extra circuitry added to determine the collective effect of all the accesses. For example, if h_{1}(x) = 5 and h_{2}(x) = 3, then the CBF has to increment both locations by 1; on querying the element x, the membership test checks the 5^{th} and 3^{rd} locations. On the other hand, if h_{1}(x) = 5 and h_{2}(x) = 5, then the CBF increments the 5^{th} location once, and a query on it answers "is a member". In the query process the input signature is compared with the stored signatures; the output is either logic 1 (present, is a member) or logic 0 (absent, not a member). The circuit must be able to access all hash functions in a single clock cycle. The false positive rate improves, but hardware complexity grows with the number of hash functions, and power consumption increases in turn. To resolve this, a Multi-Level Ranking scheme is introduced into the multi-hash architecture to reduce power and improve throughput.
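To make both the H_{3} hashing defined in Section 3 and the single-hash versus multi-hash behaviour described above concrete, here is an added software model; it is not the authors' hardware and not code from the page. It implements an H_{3} hash as a random Boolean matrix q whose rows q_{k} are XORed for every set input bit x_{k} (the standard definition from Ramakrishna et al.), a counting Bloom filter driven by k such hashes, and the collision scenario from the text: x and y share h_{1}, x is deleted, and x is queried again. The signature width, the array size m = 16, the signatures and the seed are assumptions chosen for the demonstration.

```python
import random

IN_BITS = 32  # assumed width of the input signature (the page's n-bit address/pattern)


class H3Hash:
    """One member h_q of the H3 class: q is a random Boolean matrix with one row
    per input bit and one column per output bit; h_q(x) is the XOR of the rows q_k
    for every input bit x_k that is set. In hardware this is an AND/XOR tree."""

    def __init__(self, in_bits, out_bits, rng):
        self.in_bits = in_bits
        self.rows = [rng.getrandbits(out_bits) for _ in range(in_bits)]  # the matrix q

    def __call__(self, x):
        h = 0
        for k in range(self.in_bits):
            if (x >> k) & 1:      # x_k = 1 selects row q_k
                h ^= self.rows[k]
        return h


def h3_is_linear(seed=3, trials=200):
    """H3 is linear over GF(2): h(a XOR b) == h(a) XOR h(b). That is what makes it
    cheap in hardware, and also why q must be chosen at random and kept out of an
    attacker's hands: anyone who knows q can craft colliding signatures at will."""
    rng = random.Random(seed)
    h = H3Hash(IN_BITS, 8, rng)
    return all(h(a ^ b) == h(a) ^ h(b)
               for a, b in ((rng.getrandbits(IN_BITS), rng.getrandbits(IN_BITS))
                            for _ in range(trials)))


class CountingBloomFilter:
    """Counter array of m entries indexed by one or more hash functions."""

    def __init__(self, m, hashes):
        self.m = m
        self.hashes = list(hashes)
        self.counters = [0] * m

    def positions(self, x):
        # A set: if two hashes of the same element land on one counter, that
        # counter is touched once (the page's h1(x) = h2(x) = 5 case).
        return {h(x) % self.m for h in self.hashes}

    def insert(self, x):
        for p in self.positions(x):
            self.counters[p] += 1

    def delete(self, x):
        pos = self.positions(x)
        if any(self.counters[p] == 0 for p in pos):
            raise ValueError("element was never inserted; refusing to underflow a counter")
        for p in pos:
            self.counters[p] -= 1

    def query(self, x):
        return all(self.counters[p] > 0 for p in self.positions(x))


def collision_demo(seed=1, m=16, k=4):
    """Same elements, same hash units: the single-hash CBF (h1 only) reports a
    false positive after x is deleted, the k-hash CBF does not."""
    rng = random.Random(seed)
    out_bits = m.bit_length() - 1
    assert 1 << out_bits == m, "m must be a power of two so h(x) indexes the array directly"
    hashes = [H3Hash(IN_BITS, out_bits, rng) for _ in range(k)]
    single = CountingBloomFilter(m, hashes[:1])
    multi = CountingBloomFilter(m, hashes)
    x = 0x1234ABCD                                    # constructed signature
    # constructed partner: collides with x under h1, but its k positions do not
    # cover all of x's positions
    y = next(v for v in range(1, 1 << 16)
             if hashes[0](v) == hashes[0](x) and not multi.positions(x) <= multi.positions(v))
    for cbf in (single, multi):
        cbf.insert(x)
        cbf.insert(y)
        cbf.delete(x)
    return single.query(x), multi.query(x)   # (True, False)


def empirical_fpr(m=1024, k=7, n=100, probes=5000, seed=7):
    """Measured FPR of a k-hash CBF holding n random signatures, using probes
    that are known non-members; compare against the analytic value for (n, m, k)."""
    rng = random.Random(seed)
    hashes = [H3Hash(IN_BITS, m.bit_length() - 1, rng) for _ in range(k)]
    cbf = CountingBloomFilter(m, hashes)
    members = {rng.getrandbits(IN_BITS) for _ in range(n)}
    for s in members:
        cbf.insert(s)
    false_positives = 0
    for _ in range(probes):
        v = rng.getrandbits(IN_BITS)
        if v not in members and cbf.query(v):
            false_positives += 1
    return false_positives / probes


if __name__ == "__main__":
    print("H3 linear:", h3_is_linear())
    print("false positive after delete (single-hash, multi-hash):", collision_demo())
    print("measured FPR for n=100, m=1024, k=7:", empirical_fpr())
```

The multi-hash filter only avoids the false positive because at least one of x's k locations is not shared with y; with more hash functions the chance that y covers all of x's locations shrinks, which is the FPR improvement the text describes, while every extra hash unit is one more access the hardware has to serialize or multi-port.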

The Single Level Ranking scheme is performed as shown above, using a single array of counters to maintain the hash entries. The multiple hash functions are computed for the element X, and its hash values are stored in the Bloom Filter as shown in

In the multi-level hash technique, the memory array (counters) or vector is arranged in a multi-level configuration to reduce the lookup cost. This partitioning increases the accuracy of the counting Bloom filter. A basic hierarchical structure for the multi-level scheme is shown in

The CBF has a ranked structure composed of r levels b_{i}. The CBF uses k hash functions; the first level b_{1} is employed to answer membership queries, while the deeper levels b_{i} are utilized for the insertion of repeated signatures into the dataset. The first level b_{1} has the same size as the CBF. Since m is 10, the size of b_{1} is 10 entries. Assume l_{1} is the bit size of b_{1}.

The hashed positions are set to 1 on first insertion. If the same position is indexed a second time, the counter stages are used instead of incrementing the same location again. The offset index into the next level is given by the number of ones present below the current location. Assume location 5 is hashed for the first time by an element x and is hashed again upon insertion of another element y. In a CBF the counter would be incremented to 2. In the ranked structure, the first entry is made in the first level as in a CBF, and further entries involve the lower levels: for the second hash to the same location, the ones below the active location are counted, and if the count is 2, the second stage b_{2} is indexed at 2. Since position 5 is hashed by only the two elements x and y, further levels are not involved and remain at zero. For a query, only the first level b_{1} is consulted: if it returns zero the element is not a member, and if it returns one the element is a member. Since only the first-level array is involved in the query, throughput increases. The false positive rate of the Multi-level ranking scheme is given by Equation (9),

where, n is the maximum number of elements;
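A software model of the ranked structure described above, added here as an illustration; it is not the authors' design or code. The page does not give the sizes of the lower levels or a deletion procedure, so the model sizes every level like b_{1}, supports insert, query and an effective-count readout only, and reads "the number of ones below the current location" as the ones at strictly lower indices. The two hash functions are digit extractors constructed for the demo so that every position can be followed by hand; m = 10 as in the text, with three levels.

```python
class RankedCountingBloomFilter:
    """Multi-level ranking scheme: b1 is the m-entry first level that answers
    queries on its own; repeat hits on a location are pushed to deeper levels
    b2 .. br at an offset equal to the rank (number of ones below the location)."""

    def __init__(self, m, r, hashes):
        self.m = m
        self.hashes = list(hashes)
        self.levels = [[0] * m for _ in range(r)]   # assumption: every level m wide

    def positions(self, x):
        return sorted({h(x) % self.m for h in self.hashes})

    @staticmethod
    def rank_below(level, p):
        """Number of ones at locations strictly below p: the offset into the next level."""
        return sum(level[:p])

    def _insert_position(self, p):
        for depth, level in enumerate(self.levels):
            if level[p] == 0:
                level[p] = 1                  # first hit at this location on this level
                return depth
            p = self.rank_below(level, p)     # already set: descend, rank becomes the offset
        raise OverflowError("all %d levels used on this path; the counter would overflow"
                            % len(self.levels))

    def insert(self, x):
        """Insert x; returns the deepest level index that had to be written."""
        return max(self._insert_position(p) for p in self.positions(x))

    def query(self, x):
        """Membership test touches b1 only, which is where the throughput gain comes from."""
        return all(self.levels[0][p] == 1 for p in self.positions(x))

    def location_count(self, p):
        """Effective counter value of first-level location p, recovered by walking the levels."""
        count = 0
        for level in self.levels:
            if level[p] == 0:
                break
            count += 1
            p = self.rank_below(level, p)
        return count


def demo():
    # constructed hashes: units digit and tens digit of the signature
    hashes = [lambda v: v % 10, lambda v: (v // 10) % 10]
    f = RankedCountingBloomFilter(m=10, r=3, hashes=hashes)
    f.insert(53)             # b1[3] = b1[5] = 1
    f.insert(25)             # b1[2] = 1; location 5 again: two ones below 5, so b2[2] = 1
    deepest = f.insert(35)   # 3 again: one below 3, so b2[1] = 1; 5 again: b2[2] taken, so b3[1] = 1
    return {
        "count_5": f.location_count(5),   # 3
        "count_3": f.location_count(3),   # 2
        "count_2": f.location_count(2),   # 1
        "deepest_level": deepest,         # 2 (the third level)
        "member_53": f.query(53),         # True
        "member_99": f.query(99),         # False: location 9 was never set
        "member_32": f.query(32),         # True although 32 was never inserted: a false positive
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because the offset is recomputed from the current contents of the level above, a one set later at a lower location of b_{1} shifts where an earlier deeper entry is found: in this model, inserting a signature that sets b1[0] after the three insertions above changes what location_count(5) returns, even though query results, which read b_{1} only, are unaffected. The page does not describe how the hardware handles this or how deletions are applied to the ranked levels, which is why the model offers no delete; both are points to settle before relying on the structure for counted signature removal.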

The False Positive Rate of the proposed techniques is compared with the existing techniques as shown in

| | Existing Techniques | | | Proposed Techniques | |
|---|---|---|---|---|---|
| | CBF | Spectral BF | dl-CBF | Multi Hash CBF | Multi-Level Ranking CBF |
| False Positive Rate | 10^{−3} | 10^{−3} | 1.5 × 10^{−3} | 0.7 × 10^{−3} | 0.7 × 10^{−3} |

| | Parameters | Multi Hash CBF Architecture | | | Multi-Level Ranking CBF Architecture | | |
|---|---|---|---|---|---|---|---|
| | Clock | 1 MHz | 20 MHz | 100 MHz | 1 MHz | 20 MHz | 100 MHz |
| K = 2 | No. of 6-input LUTs | 49 | 49 | 49 | 50 | 50 | 50 |
| | Power (mW) | 73.55 | 73.53 | 73.53 | 63.9 | 63.9 | 63.7 |
| | Throughput (MHz) | 309 | 309 | 307 | 407 | 407 | 407 |
| | Delay (ns) | 3.236 | 3.236 | 3.257 | 2.457 | 2.457 | 2.457 |
| | Power-Delay Product (pJ) | 238.01 | 237.9 | 239.49 | 157 | 157 | 156.5 |
| K = 3 | No. of 6-input LUTs | 61 | 61 | 61 | 62 | 62 | 62 |
| | Power (mW) | 76.32 | 76.36 | 76.56 | 65.3 | 65.32 | 65.25 |
| | Throughput (MHz) | 301 | 301 | 301 | 399 | 398 | 398 |
| | Delay (ns) | 3.322 | 3.322 | 3.322 | 2.506 | 2.512 | 2.512 |
| | Power-Delay Product (pJ) | 253.53 | 253.67 | 254.33 | 163.64 | 163.64 | 163.9 |
| K = 4 | No. of 6-input LUTs | 74 | 74 | 74 | 75 | 75 | 75 |
| | Power (mW) | 79.34 | 79.45 | 79.44 | 68.5 | 68.51 | 68.5 |
| | Throughput (MHz) | 291 | 290 | 286 | 387 | 387 | 387 |
| | Delay (ns) | 3.436 | 3.448 | 3.496 | 2.583 | 2.583 | 2.583 |
| | Power-Delay Product (pJ) | 272.61 | 273.94 | 277.72 | 176.93 | 176.96 | 176.93 |
| K = 5 | No. of 6-input LUTs | 89 | 89 | 89 | 91 | 91 | 91 |
| | Power (mW) | 83.12 | 83.11 | 83.2 | 72.6 | 72.6 | 72.6 |
| | Throughput (MHz) | 284 | 284 | 279 | 365 | 365 | 363 |
| | Delay (ns) | 3.52 | 3.52 | 3.58 | 2.739 | 2.739 | 2.754 |
| | Power-Delay Product (pJ) | 292.58 | 292.54 | 297.85 | 198.85 | 198.85 | 199.94 |

K is the number of hash functions; the Power-Delay Product is the product of the power and delay rows (mW × ns = pJ).

A hardware-optimized architecture, the Multi Hash CBF together with a Multi-Level ranking scheme, is explored in this paper. As the single-hash CBF has a high False Positive Rate, a Multi Hash CBF is proposed that checks multiple hash locations to improve the FPR. Still, this proposal has lower throughput and higher power. To enhance it, a hierarchical counter array vector is employed. The simulation and implementation results show a reduction of 13% - 16% in power and better performance in terms of throughput and PDP. Further, a Sidon sequence can be employed in this architecture to enhance the FPR: the Sidon sequence provides variable increments for the counter, which helps in reducing the FPR. The proposed architecture is well suited for signature matching applications.

Palanisamy Brindha, Athappan Senthilkumar (2016). High Speed and Low Power Architecture for Network Intrusion Detection System. Circuits and Systems, 7, 1324-1333. doi: 10.4236/cs.2016.78115