Fast and flexible intrusion detection and traffic analysis

Lorenzo De Carli
University of Wisconsin-Madison


Abstract

Intrusion detection systems (IDSs), which analyze network traffic to discover signs of malicious activity, are a long-standing cornerstone of network security. Nowadays, the combination of increasing bandwidth usage and complex, tailored attacks calls for tools that offer both flexibility and high throughput, introducing a fundamental tension in IDS design. Parallel, high-throughput IDSs are easier to architect if they perform a set of simple, standardized analyses, matching each packet or each flow against a set of attack signatures. However, this approach is fragile and limited in expressiveness; signatures can oftentimes be evaded by small tweaks in the attack strategy, and fail to capture various classes of attacks altogether. In my talk I will describe the design of a flexible IDS platform, which supports the deployment of complex threat detection algorithms while enabling automatic parallelization across multiple processing nodes. My work tackles the issue of IDS parallelization by developing a domain-specific concurrency model based on the notion of detection scope: a unit for partitioning network events such that the events contained in each resulting subset are independent for detection purposes. A novel program analysis technique is used to automatically infer the appropriate scope given a threat detection algorithm. This information then guides an event scheduler that ensures that concurrent threads always process independent events, making synchronization and inter-thread communication unnecessary. In the second part of my talk I will provide an overview of another relevant contribution of my Ph.D. work: a programmable dataflow-based hardware accelerator for packet forwarding and inspection.
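The detection-scope idea above, as an added illustration that is not code from the talk or from De Carli's system: a scope-aware scheduler hashes each event on its scope key so that every worker's subset is independent, contrasted with a scope-unaware round-robin split that fragments per-host state and misses a port scan. The scope is declared by hand here (the automatic inference from the detection algorithm is assumed away), and the sample events are constructed.

```python
from collections import defaultdict
import zlib

# Constructed sample events (one per packet): an assumption, not data from the talk.
EVENTS = [
    {"src": "10.0.0.5", "dst": "10.0.1.9", "dport": 22},
    {"src": "10.0.0.5", "dst": "10.0.1.9", "dport": 80},
    {"src": "10.0.0.5", "dst": "10.0.1.9", "dport": 443},
    {"src": "10.0.0.7", "dst": "10.0.1.9", "dport": 80},
    {"src": "10.0.0.8", "dst": "10.0.1.2", "dport": 53},
]

def scope_key(event, scope):
    """Project an event onto its scope: the fields identifying the unit of
    detection state, e.g. ("src",) per host or ("src", "dst", "dport") per flow."""
    return tuple(event[f] for f in scope)

def schedule(events, scope, n_workers):
    """Scope-aware scheduler: hash the scope key so every event of one scope
    instance lands on the same worker; workers then never share state."""
    workers = [[] for _ in range(n_workers)]
    for ev in events:
        # crc32 is deterministic across runs, unlike Python's hash().
        idx = zlib.crc32(repr(scope_key(ev, scope)).encode()) % n_workers
        workers[idx].append(ev)
    return workers

def round_robin(events, n_workers):
    """Scope-unaware scheduler, for contrast: splits one host's events across workers."""
    workers = [[] for _ in range(n_workers)]
    for i, ev in enumerate(events):
        workers[i % n_workers].append(ev)
    return workers

def is_independent(partition, scope):
    """Scheduler invariant: no scope key appears on two different workers."""
    owner = {}
    return all(owner.setdefault(scope_key(ev, scope), i) == i
               for i, evs in enumerate(partition) for ev in evs)

def port_scan_detector(events, min_ports=3):
    """Per-host detector (scope ("src",)): alert when a source hits >= min_ports distinct ports."""
    ports = defaultdict(set)
    for ev in events:
        ports[ev["src"]].add(ev["dport"])
    return sorted(s for s, p in ports.items() if len(p) >= min_ports)

def run_partitioned(partition, detector):
    """Run the detector per worker with purely local state and merge the alerts."""
    return sorted(a for subset in partition for a in detector(subset))
```

With the matching scope the partitioned run reproduces the single-threaded result without any locking; with a scope narrower than the detector's state key the scan goes undetected, which is why inferring the right scope from the algorithm matters.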