Network security is essential for safe and non-disruptive use of a network and its services. Network security includes monitoring of threats, anomalies and compliance with network usage policy. We investigate various anomaly detection (AD) methods in terms of their detection quality and computational complexity. We also design our own algorithms for anomaly detection. To this end, we develop and publish:
Framework for Anomaly Detection Experiments
Novel AD algorithms
Acceleration of AD algorithms
We have accelerated entropy computation and hierarchical clustering on various platforms such as multicores, GPU, FPGA. Both algorithms are essential for several AD methods as they make it possible to reveal deviations from normal traffic.
Network traffic processing speed is crucial in most network devices, because any packet drop can lead to lower quality of network services, affect precise monitoring or prevent detection of security threats. We focus on networks with 1, 10, 40 and 100 Gbps throughput and use FPGAs and multicores to accelerate time-critical operations for network security and monitoring appliances:
We have created a framework (Netbench) for evaluation of existing algorithms and architectures that have been designed to accelerate these time-critical operations. Moreover, we have developed a benchmarking tool (Procbench-toolset) to evaluate processor performance in these operations.
NetCOPE is a platform dedicated to acceleration of network applications using an FPGA acceleration card. Such an accelerated network application is usually composed of two parts:
Acceleration core – which is placed inside the FPGA chip and implements time-critical parts of the application such as header field extraction, classification process, pattern matching etc.;
Software part of the application – usually provides management and control functions.
NetCOPE covers both the hardware and the software part of the platform and precisely defines the general interface between them.
For hardware acceleration on 1 Gbps networks, we use different FPGA-based platforms:
These are solutions for use with a standard personal computer. Together with standard networking cards as commodity hardware, they are used in PC configurations with powerful processors.
Another type of hardware accelerator, not only for networking, is the embedded development platform uG4-150. This is a stand-alone FPGA board with quite interesting equipment such as a USB 3.0 interface and many others. The complete firmware for the FPGA is based on a MicroBlaze processor running a Linux-based operating system. Moreover, the design is quickly prototyped using EDK/SDK.
The NetCOPE platform enables rapid development of new network applications on both FPGA-based acceleration cards. We also use Myricom and Intel networking cards as commodity hardware for high-performance, low-cost 10Gb applications with multicore processors.