Abstract
The amount of Internet traffic is ever increasing. With a well-maintained network infrastructure, people find their way to Internet forums, video streaming services, social media and webshops on a day-to-day basis. With the growth of the online world, criminal activities have also spread to the Internet. Security researchers and system administrators develop and maintain infrastructures to control these possible threats. This work focuses on one aspect of network security: intrusion detection. An Intrusion Detection System (IDS) is only one of the many components in the security engineer’s toolbox. An IDS is a passive component that tries to detect malicious activities. With the increase of Internet traffic and bandwidth, the detection speed of IDSs needs to be improved accordingly. This work focuses on how Field-Programmable Gate Arrays (FPGAs) are used as hardware accelerators to assist the IDS in keeping up with high network speeds. We give an overview of three approaches: intrusion detection based on machine learning, pattern matching, and large flow detection. This work concludes with a comparison of the three approaches on the most relevant metrics.
Acknowledgements
This work is supported by CORNET and funded by VLAIO under grant number HBC.2018.0491. This work is also supported by the ESCALATE project, funded by FWO and SNSF (G0E0719N), and by Cybersecurity Initiative Flanders (VR20192203).
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Le Jeune, L., Sateesan, A., Rabbani, M.M., Goedemé, T., Vliegen, J., Mentens, N. (2022). SoK - Network Intrusion Detection on FPGA. In: Batina, L., Picek, S., Mondal, M. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2021. Lecture Notes in Computer Science, vol 13162. Springer, Cham. https://doi.org/10.1007/978-3-030-95085-9_13
DOI: https://doi.org/10.1007/978-3-030-95085-9_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-95084-2
Online ISBN: 978-3-030-95085-9
eBook Packages: Computer Science; Computer Science (R0)