2016 IEEE Computer Society Annual Symposium on VLSI
Hardware/Software Isolation and Protection Architecture for Transparent Security Enforcement in Networked Devices
Festus Hategekimana, Pierre Nardin, Christophe Bobda
Computer Science and Computer Engineering Department, University of Arkansas, Fayetteville, Arkansas, USA
and firewalls are complex tools with stringent computational requirements which can sometimes dampen the overall system performance. This can be an acceptable cost in workstation systems, but is problematic for systems with strictly limited resources and computational capacities. In this regard, the advent of new protocols such as IPv6, whose fundamental goal is to allow every networked device to have a globally unique IP address, is making embedded devices such as printers, microscopes, sensors and other lab devices directly available on the Internet. Most of these devices lack adequate protection mechanisms since they were designed with price, efficiency and power constraints in mind. Also, they have a very limited capability to run complex protection tools such as antivirus software and firewalls. As a result, billions of devices are being made available on the Internet without protection from attackers.
The second key issue of Figure 1b's protection model is that current security models assume a secure operating system for proper protection. Malware (botnets, Trojan horses, etc.) exploits vulnerabilities to gain privileged access to the operating system (or hide from it) and disable all software protection mechanisms. Traditional malware protection mechanisms, such as Intrusion Detection Systems (IDSs), firewalls [6] and blackholing [7], some of which were implemented in FPGAs, are failing at DDoS defense and mitigation [7],[8]. IDSs are tailored for detection of classic intrusion activities and cannot mitigate long-lasting attacks [7]. Blackholing forwards traffic from certain sources to a "black hole" to save network bandwidth. Because the process can also discard legitimate packets, blackholing may achieve the goal of attackers and is therefore not an entirely viable solution. Firewalls operate too far down at the network's Internet gateway and lack anomaly detection, since they are intended primarily for controlling access to private networks.
DDoS-specific defense solutions use access control lists (ACLs) to filter out suspicious traffic. While ACLs can protect against simple and known DDoS attacks such as ping attacks, the difficulty of identifying IP, DNS, Border Gateway Protocol (BGP) and Proxy from legitimate sources [7] makes it very challenging to defend against SYN Flood attacks, IP spoofing and application-level attacks. While lower-layer DDoS attacks attempt to
Abstract—We present an integrated hardware/software architecture to enforce security in networked workstations and embedded devices such as printers and microscopes. These devices are usually connected to the Internet without protection, so they are exposed to attack. Our solution operates as an intermediate isolation and protection module (IPM) between the network and the device to be protected. The IPM can be implemented as a dedicated IP on a system-on-chip, or as a separate chip, to analyze incoming and outgoing traffic for malicious activities in a way that is transparent to the device under protection. Security enforcement is performed in two stages. A deep packet inspection module is used in the first stage to detect and drop packets originating from known blacklisted domains or carrying malware patterns; simultaneously, important features from protocol-conforming packets are extracted and sent to a binary classifier for further processing and decision making. The second stage uses a binary classifier to make decisions on seemingly protocol-conforming packets. We designed and implemented a prototype of the IPM as a system-on-FPGA, with packet filtering and analysis accelerated in hardware, and binary classification and decision making in software. The IPM operates at high speed with a very small footprint, suitable for embedded devices with fewer resources. Evaluation of our prototype using the 1999 Knowledge Discovery in Databases (KDD Cup 1999 dataset) benchmarks shows a high detection rate on various distributed denial-of-service (DDoS) attacks such as Neptune DoS (99.3%), Smurf DoS (100%), and Teardrop DoS (98.90%).
Keywords-Hardware-Based Isolation and Protection, Field Programmable Gate Arrays (FPGAs), Distributed Denial-of-Service (DDoS), Support Vector Machines (SVMs), Signature-based Detection, Pattern Matching, Receiver-Operating Characteristics (ROC).
I. INTRODUCTION
Global annual economic loss attributed to exploits of vulnerabilities in current systems and network-layer security architectures is estimated at more than $10 billion [1]. To mitigate these exploits, standard network-layer protection mechanisms such as anti-virus applications or firewalls are deployed at the application level with some privileged access to the operating system (OS) [2],[3],[4],[5], as illustrated in Figure 1 b). This protection model plays a critical role as a security solution in today's (less resource-constrained) systems such as workstations and servers. However, it suffers from 2 key issues. The first issue: anti-virus applications
978-1-4673-9039-2/16 $31.00 © 2016 IEEE DOI 10.1109/ISVLSI.2016.32
[Figure 1 diagram labels: Applications; Operating System; Processor Hardware; Device; IPM; Internet; Network traffic]
The rest of this paper is organized as follows: in Section II, we provide a background on DDoS attacks; in Section III, we describe the architecture of our FPGA SoC-based IPM and its detection and mitigation framework; implementation details and test results are presented in Section IV. Section V offers our concluding remarks and presents the areas of future work.
[Figure 1 panel labels: a) Device Protection with IPM; b) Traditional software-based protection. Diagram labels: Applications; Operating System; Processor Hw; Protection; Device; IPM; Inference Module; Network Interface; IPM Hardware-Based Word Recognizer]
II. DDOS ATTACKS OVERVIEW
[Figure 1 panel label: c) IPM Concepts]
A DDoS attack is a computer security threat aimed at preventing hosts from using a service. Depending on their operating procedures, DDoS attacks can be categorized into 2 groups: flooding DoS attacks and vulnerability DoS attacks [11], [10]. In flooding DoS attacks, the attacker infects computers with malware, turns them into zombies, and recruits them to generate a high traffic volume directed toward a new target. The success of this attack depends on the scale (the number of infected computers) and obfuscation using the hijacked hosts [11]. Security mechanisms installed on potential bots, but inaccessible to the attacker, can significantly reduce the level of threat in the network. Vulnerability DoS attacks take advantage of the expected behavior of protocols such as TCP and HTTP. An HTTP GET DoS [10] is a prime example of this. In such attacks, the attacker's zombie clients each request an HTTP connection to the target server, and upon success the clients send HTTP GET header requests as a series of segments to the server. Within a timeout interval known by the attacker (usually 300ms for Apache Servers [10]), the server expects to receive a message for each of these HTTP GET headers from the zombies. At the time limit, the attacker overcomes the timeouts by sending messages from each of the zombies, which exhausts the server's resources [10].
Figure 1. a) Overall device protection concept; b) traditional software-based approach; c) proposed hardware-based isolation module.
overwhelm the victim server with bogus requests, attackers are increasingly relying on legitimate requests [7] to launch complex DDoS attacks, thus making them difficult to detect by existing defense technologies [9]. Application layer DDoS attacks exploit vulnerabilities of protocols (Hypertext Transfer Protocol (HTTP), Voice Over Internet Protocol (VoIP), or Domain Name System (DNS)) at the application layer to circumvent detection [10]. Other DDoS attacks do not attempt to overwhelm the bandwidth with a flood of messages; instead they attempt to take down a server with a long-lasting and slow connection that ties up resources by exploiting time-out and resource allocation mechanisms in the operating system, to eventually exhaust CPU, communication and memory resources. The above exploits underscore the need to monitor and analyze ongoing communications over a long time interval to detect activities that deviate from normal behavior. This process must be done in a transparent way so that the system under protection avoids potential disconnection by malware in the event of an attack.
In this work, we propose an isolation module, placed between the CPU and the network, that performs continuous monitoring and analysis of network activities. Figure 1 illustrates the concept. The IPM is the interface for devices connected to the Internet (Figure 1 a)) and operates at a level not accessible by the operating system or any malicious software running on the device under protection (Figure 1 c)). This approach presents the following distinct advantages: 1) the IPM allows the protected device to dedicate resources to perform tasks other than traffic analysis; 2) the IPM is invisible to the attacker as opposed to traditional protection mechanisms (Figure 1 b)), thus preventing potential hijacking of a device under its protection; and 3) the IPM can dynamically disconnect infected devices from the rest of the network, thus increasing network agility.
To illustrate the feasibility of our idea, the IPM was prototyped as a system-on-chip (SoC) on FPGA, leveraging hardware performance and software flexibility, and was applied to detecting and mitigating DDoS attacks such as Neptune DoS, Smurf DoS, and Teardrop DoS with detection rates of 99.3%, 100%, and 98.90% respectively.
III. FPGA SOC-BASED IPM SYSTEM OVERVIEW
The IPM operates in two stages and performs two complementary traffic inspection tasks as illustrated in Figure 2. The first stage is a signature-based inspection that uses a high-speed pattern matching algorithm to mine non-encrypted TCP/IP connections for known blacklisted domains and URLs. In this phase, the IPM is capable of identifying malicious packets and terminating the connection as long as the received packet possesses any of the signatures under surveillance. This model does not perform well against unknown signatures. To compensate for this deficit, a behavioral analysis of ongoing connections is performed to detect malicious activities regardless of the missing signatures. To this end, important features of TCP/IP packets are extracted and sent to a binary classification engine for further processing. Our binary classification engine is based on a modified version of the support vector machine (SVM) algorithm. The goal of SVM is to find some weighted reference plane that can separate two classes of elements [12].
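The first-stage signature check described above, as an added example that is not code from the paper: an Aho-Corasick automaton (a standard multi-pattern matcher, assumed here because this section does not name the paper's own algorithm) scans payload bytes for blacklisted names and keeps per-connection state, so a name split across two TCP segments is still caught. The class names, verdict strings, blacklist entries and segments are constructed for illustration.

```python
from collections import defaultdict, deque

class SignatureAutomaton:
    """Aho-Corasick multi-pattern matcher over bytes (case-insensitive)."""
    def __init__(self, signatures):
        self.goto, self.fail, self.out = [{}], defaultdict(int), defaultdict(list)
        for sig in signatures:                       # build the trie
            s = 0
            for b in sig.lower():
                if b not in self.goto[s]:
                    self.goto[s][b] = len(self.goto)
                    self.goto.append({})
                s = self.goto[s][b]
            self.out[s].append(sig)
        queue = deque(self.goto[0].values())         # BFS sets failure links
        while queue:
            s = queue.popleft()
            for b, t in self.goto[s].items():
                f = self.fail[s]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[t] = self.goto[f].get(b, 0)
                self.out[t] += self.out[self.fail[t]]
                queue.append(t)

    def scan(self, payload, state=0):
        hits = []                                    # returns (hits, end state)
        for b in payload.lower():
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits.extend(self.out[state])
        return hits, state

class StageOneFilter:
    """Per-connection check; automaton state survives segment boundaries."""
    def __init__(self, signatures):
        self.automaton, self.state = SignatureAutomaton(signatures), {}

    def inspect(self, flow, payload):
        state = self.state.get(flow, 0)
        if state < 0:                                # connection already terminated
            return "drop", []
        hits, end = self.automaton.scan(payload, state)
        self.state[flow] = -1 if hits else end       # -1 marks a terminated flow
        return ("drop" if hits else "forward"), hits

# Constructed sample: one blacklisted name split across two TCP segments.
BLACKLIST = [b"malware.example", b"bad-domain.test"]
SEGMENTS = [b"GET / HTTP/1.1\r\nHost: www.MALW", b"ARE.example\r\n\r\n"]
```

Scanning each segment from the start state would miss the split name; resuming from the saved state is what catches it. A "forward" verdict here stands for handing the packet on to feature extraction and the classifier.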
B. Anomaly-based Detection
[Figure 2, hardware stage labels: Live TCP Packets Stream \ Public Available Datasets; Blacklisted Domains and Malware Pool; Pattern Matching Automaton; Features Extraction; Packet Level Features | Payload]
1) Features selection: Identifying a useful feature set for the (binary classification) detector remains a key challenge to the design of efficient machine learning-based DoS mitigation solutions. Choosing features should rely solely on the features' significance and their capacity to reveal the presence of the targeted attack [14]. Kayacik et al. did extensive work on DoS activities and were able to point out 27+ network traffic features that, if carefully analyzed, would most likely reveal the presence of DDoS activity [15]. A detailed explanation of the significance of these features in the context of DDoS detection is given in [15].
2) Understanding our Binary Classification Approach: We first replace string values of extracted traffic features, such as TCP flags, with numerical values to make the data manipulation process easier. Numerical values can be any real number as suggested in Table I.
[Figure 2, embedded software stage labels: Extracted Traffic Features Vectors; Vectors' Weights Calculation; Learned Traffic Features Vectors' Weights; Vectors' Weights Comparison; Traffic Arbitration]
Figure 2. Hardware/Software partitioning of the packet inspection process.
A. Signature-based Detection
1) Pattern Matching Module: A pattern matching problem can be defined as finding a pattern P of length M in a text T of length N where M Z(k) ) AND (W(k) > Z(k) ), then the corresponding feature X(k) is a normal traffic feature (assign -1 score). Otherwise,
• if (X(k) < Z(k)) AND (W(k) < Z(k)), then the corresponding feature X(k) is a DoS traffic feature (assign +1 score).
The closer a traffic vector's score is to -N, the more likely it is that the vector belongs to normal traffic. The closer its score is to +N, the more likely it is that the vector belongs to DoS traffic. The algorithm's pseudocode is shown below.
[Diagram labels: PowerPC Processor; Find Wk, Zk]