- Immediate blocking of harmful websites, network intrusions, and computer viruses -
Kenji Toda (Senior Research Scientist), RT-Synthesis Research Group (Leader: Tetsuo Kotoku), the Intelligent Systems Research Institute (Director: Hirohisa Hirukawa) of the National Institute of Advanced Industrial Science and Technology (AIST; President: Tamotsu Nomakuchi), and Eiichi Takahashi (Leader), Sensor Communications Group, the Information Technology Research Institute (Director: Satoshi Sekiguchi) of AIST, in collaboration with KDDI R&D Laboratories Inc. (President and CEO: Shigeyuki Akiba), have developed a security device for super-high-speed networks operating at speeds from tens of gigabits (10^9 bit/s) to several terabits (10^12 bit/s) per second (Fig. 1).
The device is based on an FPGA board (Fig. 2) with a newly developed 60-Gbps optical communication function (six 10-Gbit Ethernet ports). Circuits for blocking harmful websites, network intrusions, and computer viruses, and for packet capture, can be loaded onto it. Because the board is a PCI Express (PCI-Express) card, several boards can be installed in one PC and capacity can be scaled out easily, so security measures can be applied at link speeds from tens of Gbps to several Tbps. As one application of the device, a system that automatically creates and distributes a filtering list of harmful websites, by combining communication data collected through packet capture with external information on site reliability, has also been developed.
Figure 1: Developed network security device
Figure 2: Expandable FPGA board with 60-Gbps optical communication
(15 cm × 27 cm)
Today, information and communication infrastructure is an essential part of society. At the same time, damage caused by "malicious communications", such as defacement of websites, leakage of information, phishing sites that spoof legitimate ones to steal bank account and credit card details, service outages caused by denial-of-service (DoS) attacks, and computer viruses, has become a serious social problem. Communications are expected to become faster and wider in bandwidth, with the distribution of high-definition image and video content and the spread of smartphones and tablets, and information and communication technology is also expected to be used for energy control. The safety of communications must therefore be ensured alongside high communication speeds. As traffic volumes grow, software-based security measures on individual machines reach their limits, because they consume most of a PC's processing capacity. Technology is therefore needed to block "malicious communications" within the super-high-speed networks of communication service providers and data centers, before such traffic reaches end users. Moreover, since harmful websites appear and disappear repeatedly within short periods, conventional manual checks cannot keep up, and collecting and updating filtering lists promptly has become a challenge.
AIST has developed devices for blocking network intrusions or computer viruses in order to enhance the security of large-scale networks. This research and development was conducted as part of the "Research and Development of Technology Compatible with Super-High-Speed Networks for Blocking Malicious Communications (072003008)" (FY2007–FY2009) under the Strategic Information and Communications R&D Promotion Programme (SCOPE) of the Ministry of Internal Affairs and Communications.
The hardware of the developed network security device consists of the newly developed expandable FPGA boards with 60-Gbps optical communication function (Fig. 2) and a PC. The FPGA board is aimed mainly at blocking harmful websites, network intrusions, and computer viruses on high-speed networks. It is equipped with six 10-Gbit Ethernet ports and two dynamic random access memory (DRAM) sockets for holding processing data such as filtering lists. In addition, it has eight serial advanced technology attachment (SATA) ports for writing data to hard disks or other storage devices. The board connects to a PC through a PCI Express interface and is used as a built-in card; Figure 1 shows a test of the network security device with the board seated in the PC's PCI Express slot. The device can load the respective circuits for blocking harmful websites, intrusions, and computer viruses, and for packet capture, and software for the automatic generation of filtering lists can be installed on the PC (Fig. 3).
Figure 3: Outline of network security device
-
Blocking of harmful websites
Currently, the Internet contains many harmful websites, including sites that spread computer viruses and phishing sites, so blocking them in company networks, including intranets, is essential. However, because harmful websites appear and disappear repeatedly within short periods, collecting and updating a blacklist for filtering is a challenge. To address this, AIST developed a system that automatically generates and distributes candidate URLs for the blacklist by combining information obtained from packet capture with external information on site reliability.
As the engine for high-speed matching against the filtering list, a method combining hashing with binary search was devised to reduce the required memory bandwidth, and throughput exceeding 60 Gbps was demonstrated. The filtering list used contained 34,000 URLs obtained from experiments with the system described above, and the memory holding the list is 4 Gbytes. Because binary search is needed only when hash values collide, the method scales to large lists.
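The lookup structure described above, written out in software as an added example (this is not AIST's FPGA circuit or list-generation software): a hash selects a bucket, and only within that bucket is a binary search performed, so a lookup normally costs one memory fetch plus a handful of comparisons. The bucket count, the choice of BLAKE2b as hash, the URL normalization policy in `normalize`, and all URLs are assumptions or constructed test data.

```python
"""Added example (not AIST's circuit): URL blocklist lookup that uses a hash
to select a bucket and a binary search within the bucket when hashes collide.
Bucket count, hash function, normalization rules and all URLs are assumptions
or constructed test data."""
import bisect
import hashlib
from typing import Iterable, List
from urllib.parse import urlsplit


def normalize(url: str) -> str:
    """Canonical key: lower-cased host, scheme and default port dropped,
    fragment removed, trailing slash stripped (an assumed policy)."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port
    port_str = f":{port}" if port and port not in (80, 443) else ""
    path = parts.path.rstrip("/") or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{host}{port_str}{path}{query}"


class UrlBlocklist:
    """Fixed number of buckets (think: one DRAM row each) holding sorted keys;
    a lookup costs one hash plus a binary search over a single bucket."""

    def __init__(self, urls: Iterable[str] = (), buckets: int = 1 << 16):
        self.nbuckets = buckets
        self.buckets: List[List[str]] = [[] for _ in range(buckets)]
        self.size = 0
        for u in urls:
            self.add(u)

    def _bucket(self, key: str) -> int:
        # Deterministic hash: unlike Python's hash(), it is identical across
        # processes, so a list built by software agrees with the device's lookup.
        h = hashlib.blake2b(key.encode("utf-8"), digest_size=8).digest()
        return int.from_bytes(h, "big") % self.nbuckets

    def add(self, url: str) -> None:
        key = normalize(url)
        bucket = self.buckets[self._bucket(key)]
        i = bisect.bisect_left(bucket, key)
        if i == len(bucket) or bucket[i] != key:
            bucket.insert(i, key)  # keep the bucket sorted for binary search
            self.size += 1

    def contains(self, url: str) -> bool:
        key = normalize(url)
        bucket = self.buckets[self._bucket(key)]
        i = bisect.bisect_left(bucket, key)  # binary search within the bucket
        return i < len(bucket) and bucket[i] == key

    def max_bucket_depth(self) -> int:
        """Longest collision chain; log2 of this bounds comparisons per lookup."""
        return max(len(b) for b in self.buckets)

    def __len__(self) -> int:
        return self.size


def filter_requests(blocklist: UrlBlocklist, urls: Iterable[str]) -> List[str]:
    """Verdict per requested URL, as an in-line device would decide it."""
    return ["BLOCK" if blocklist.contains(u) else "ALLOW" for u in urls]


# Constructed sample list; a deliberately tiny bucket count forces collisions
# so the binary-search path is exercised.
SAMPLE_BLOCKLIST = [
    "http://example.com/bad",
    "https://phish.example.net/login",
    "http://malware.example.org/dl/a.exe",
    "http://malware.example.org/dl/b.exe",
    "http://ads.example.com/track?id=1",
    "http://example.com/bad2",
    "http://evil.example/",
    "http://evil.example/payload",
]

if __name__ == "__main__":
    bl = UrlBlocklist(SAMPLE_BLOCKLIST, buckets=4)
    print(len(bl), "entries, deepest bucket:", bl.max_bucket_depth())
    print(filter_requests(bl, ["HTTP://Example.COM:80/bad/", "http://example.com/good"]))
```

Two details matter in practice. The hash must be deterministic and shared between whatever builds the list and whatever performs the lookup (Python's built-in `hash()` is randomized per process and would be unusable here), and the normalization policy decides what "the same URL" means: the example treats `HTTP://Example.COM:80/bad/` and `http://example.com/bad` as one entry but keeps the query string, which is a policy choice and not something the original text specifies.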
-
Blocking of network intrusions
Signatures describing known attacks are compared against packet contents, and every packet that matches a signature is detected or blocked. Using a subset of 1,200 signatures from the Snort network intrusion detection system, a throughput of 10 Gbps on one port was achieved by means of nondeterministic finite automata (NFA) and parallel processing; 30 Gbps is expected from processing three ports in parallel.
-
Blocking of computer viruses
Computer-virus signatures are compared against packets, and every packet that matches is detected or blocked. Signatures from the ClamAV antivirus software can be used. On the earlier-model board, which placed the packet-signature matching circuits in parallel, a throughput of 6.4 Gbps was achieved; for the newly developed board, 10 Gbps per port was confirmed in simulation, and 30 Gbps is expected from processing three ports in parallel.
-
Packet capture
This function records the packets passing through the communication channel onto storage media such as hard disks. Because one board can access eight hard disks simultaneously through its SATA ports, it is expected to offer sufficient recording throughput; with faster storage such as a RAID array or SSDs, recording at 10 Gbps can be achieved.
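Both the intrusion-blocking and the virus-blocking functions above come down to the same operation: run many signatures against every packet at once and act on any match. The following added example simulates that with a nondeterministic finite automaton in software; it is illustrative code, not AIST's hardware circuit. Signature bodies use ClamAV-style hex with `??` as a one-byte wildcard (a simplified subset of that format), and every signature and packet in it is constructed for the example, not a real Snort or ClamAV rule.

```python
"""Added example (not AIST's hardware): simulating a nondeterministic finite
automaton over packet payloads to match many signatures in parallel.
Signature syntax follows ClamAV-style hex bodies with '??' wildcards (a
simplified subset); every signature and packet below is constructed."""
from typing import Dict, List, Optional, Set, Tuple

Pattern = Tuple[Optional[int], ...]  # one entry per byte; None matches any byte


def parse_hex_signature(body: str) -> Pattern:
    """'2f 2e 2e ?? 65' -> (0x2f, 0x2e, 0x2e, None, 0x65)."""
    body = body.replace(" ", "")
    if not body or len(body) % 2:
        raise ValueError("hex signature must be a non-empty, even-length string")
    return tuple(None if body[i:i + 2] == "??" else int(body[i:i + 2], 16)
                 for i in range(0, len(body), 2))


class SignatureNFA:
    """NFA states are (pattern index, bytes matched so far). All patterns are
    advanced together on every input byte, and a fresh start state for every
    pattern is injected at every offset, so a match may begin anywhere and
    overlapping partial matches of the same pattern coexist."""

    def __init__(self, signatures: Dict[str, str]):
        self.names = list(signatures)
        self.patterns = [parse_hex_signature(signatures[n]) for n in self.names]

    def scan(self, payload: bytes) -> List[Tuple[str, int]]:
        """Return (signature name, start offset) for every match, sorted."""
        hits: List[Tuple[str, int]] = []
        active: Set[Tuple[int, int]] = set()
        starts = {(i, 0) for i in range(len(self.patterns))}
        for off, byte in enumerate(payload):
            nxt: Set[Tuple[int, int]] = set()
            for i, pos in active | starts:
                pat = self.patterns[i]
                want = pat[pos]
                if want is None or want == byte:
                    if pos + 1 == len(pat):
                        hits.append((self.names[i], off - len(pat) + 1))
                    else:
                        nxt.add((i, pos + 1))
            active = nxt
        return sorted(hits, key=lambda h: (h[1], h[0]))


def inspect_packets(nfa: SignatureNFA, packets: List[bytes]) -> List[Tuple[str, List[str]]]:
    """Per-packet verdict: ('BLOCK', matched signature names) or ('PASS', [])."""
    verdicts = []
    for pkt in packets:
        names = sorted({name for name, _ in nfa.scan(pkt)})
        verdicts.append(("BLOCK", names) if names else ("PASS", []))
    return verdicts


# Constructed signatures (not real Snort/ClamAV rules).
SIGNATURES = {
    "traversal": b"/../etc/passwd".hex(),
    "eicar-fragment": b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".hex(),
    "wildcard-demo": "aa bb ?? dd",
}

# Constructed payloads; the third contains a false start (aa bb aa bb) before
# the real match, which only the NFA's multiple live states catch.
SAMPLE_PACKETS = [
    b"GET /../etc/passwd HTTP/1.0\r\n",
    b"GET /index.html HTTP/1.0\r\n",
    bytes.fromhex("aabbaabbccdd"),
]

if __name__ == "__main__":
    nfa = SignatureNFA(SIGNATURES)
    for pkt, verdict in zip(SAMPLE_PACKETS, inspect_packets(nfa, SAMPLE_PACKETS)):
        print(verdict, pkt[:24])
```

The set-of-states simulation is what makes the approach attractive for hardware: each state is independent of the others, so all live states, and all signatures, can be advanced in the same clock cycle, which is the "parallel processing" the text refers to. Note that this example scans each packet in isolation; a signature split across two TCP segments would be missed without stream reassembly, a limitation the original text does not address.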
-
Flexible enhancement in the function and performance by combination of boards
Because the board has 60 Gbps of optical bandwidth, boards can be interconnected flexibly, and combining several boards gives the expandability needed to provide the required functions and performance. If all three blocking functions (harmful websites, network intrusions, and computer viruses) are required, they can be obtained by connecting three boards in series within one desktop computer, each board implementing one function. If only blocking of harmful websites is required, 17 boards running in parallel at 60 Gbps each give a capacity of about 1 Tbps (17 × 60 Gbps = 1.02 Tbps); with motherboards offering six PCI Express slots, 1 Tbps can thus be handled by three desktop computers. The board also allows simultaneous access to eight hard disks through SATA, and multiple boards can be operated together over PCI Express and 10-Gb Ethernet.
It was demonstrated that the network security device developed in this research can support super-high-speed networks operating at Tbps while remaining compact and energy-efficient. Because it is easy to install, it is expected to enhance the security of large-scale networks and contribute greatly to a safe and secure IT society. In the future, we will conduct experiments under conditions approximating practical use and aim at commercializing the device. By rewriting the FPGA circuits, the board can also serve a wide range of high-speed network applications such as routers, switches, network cards, and network storage.