Large-Throughput Anomaly Prevention Mechanism Implemented in Dynamic Reconfigurable Processor

Takashi ISOBE  

Publication
IEICE TRANSACTIONS on Communications   Vol.E89-B   No.9   pp.2440-2447
Publication Date: 2006/09/01
Online ISSN: 1745-1345
DOI: 10.1093/ietcom/e89-b.9.2440
Print ISSN: 0916-8516
Type of Manuscript: Special Section PAPER (Special Section on Networking Technologies for Overlay Networks)
Category: 
Keyword: 
network security,  DDoS,  worm,  P2P,  anomaly prevention,  DRP,  IDS,  IPS,  

Full Text: PDF>>
Buy this Article




Summary: 
Large-throughput anomaly prevention mechanism in the upstream side of high-speed (over 10-Gbps) networks is required to prevent various anomalies such as distributed denial of service (DDoS) from causing various network problems. This mechanism requests the processors achieving not only high-speed response for analyzing many packets in a short time but also the flexibility to update the anomaly prevention algorithm. In this research, I assumed a dynamic reconfigurable processor (DRP) was most effective in achieving this anomaly prevention mechanism, for processors used in nodes with the mechanism, and I designed an anomaly prevention mechanism using DRPs. The mechanism can shorten anomaly prevention time in high-speed (10 Gbps) lines using an all-packet analysis. Through a simulation, I achieved the goal of the mechanism achieving a throughput of 83-M packets per second using three DRPs (432 execution elements used). Moreover, with the prototype, it was confirmed that the proposed mechanism prevented anomalies in a short time (constant 0.01 second), which was 3000 times faster than that of a legacy mechanism using a packet sampling method. I also proposed integrated prevention, which was able to reduce the number of execution elements comprising anomaly prevention algorithm against various kinds of anomalies. It was achieved with a simulation that the proposed integrated prevention against three kinds of anomalies (DDoS, worm, and peer to peer (P2P)) reduced the number of execution elements by 24% compared to legacy prevention. In addition, non-stop update was proposed to maintain throughput when updating an anomaly prevention algorithm without packet loss. It was confirmed with a simulation that there was enough time for non-stop update in 10 Gbps 4 lines.