Return to search

Toward hardware-oriented defensive network infrastructure

<p> The prosperity of the Internet has made it attractive to hackers and malicious attackers. Distributed attacks, such as: DDoS attacks and Internet worms have become major threats towards the network infrastructure. Collaborating existent single-point-deployed security applications over multi-domains for distributed defense is promising. Taking advantage of the small-world network model, a three-layered network modeling platform was developed for exploring behaviors of collaborative defense under the scope of a complex system. Using this platform, a comparison study between two major collaborative defense schemes was conducted. Their performance and eectiveness against signature-embedded worm attacks were evaluated accordingly. </p><p> Given the rapid evolution of attack methods and toolkits, software-based solutions to secure the network infrastructure have become overburdened. The performance gap between the execution speed of security software and the amount of data to be processed is ever widening. A common solution to close this performance gap is through hardware implementation of security functions. After a comprehensive survey on major recongurable hardware-based approaches application on network infrastructure security area, an optimized design of FPGA-based Power Spectral Density (PSD) data converter for online Shrew DDoS attack detection was proposed and prototyped. Combining an innovative component-reusable Auto-Correlation (AC) algorithm and the adapted 2N-point real-valued Discrete Fourier Transform (DFT) algorithm, a maximum reduction of 61.8% processing time from 27471.4 us to 10504.8 us was achieved. These ecient hardware realization enabled the implementation of this design to a Xilinx Virtex2 Pro FGPA. </p><p> The scalability issue against continuously expanding signature databases is another major impediment aecting hardware application for network intrusion detection. With the observation that signature patterns are constructed from combinations of a limited number of primary patterns, a two-stage decomposition approach was developed to solve this issue. The evaluation results show that a reduction in size of over 77% can be achieved on top of signature patterns extracted from the Snort rule database after decomposition.</p>

Identiferoai:union.ndltd.org:PROQUEST/oai:pqdtoai.proquest.com:3713553
Date24 July 2015
CreatorsChen, Hao
PublisherState University of New York at Binghamton
Source SetsProQuest.com
LanguageEnglish
Detected LanguageEnglish
Typethesis

Page generated in 0.0022 seconds