Transcript forth_wisdom_ipswich07

Workpackage 3
WISDOM
New security algorithm design
ICS-FORTH
Ipswich 19th December 2007
WISDOM WP3: New security
algorithm design
WISDOM
Objectives
• Identify critical security application components which
can be efficiently implemented in the optical domain.
• Characterise constraints to algorithmic components and
develop novel analytical techniques for simplified pattern
matching.
• Design a Security Application Programming Interface
(SAPI) which will be the interface between high-level
security applications and low-level optical
implementation.
Tasks - Deliverables
• WP 3.1: Security Applications Partitioning (M12)
• WP 3.2: Identification of simplified Security Algorithm
Components (M24)
• WP 3.3: Definition of a Security Application Programming
Interface: SAPI (M27)
WP3.1 Security Applications
Partitioning
WISDOM
• Identify components which can be effectively and
efficiently implemented in the optical domain
• Partitioning of security-related applications (Firewalls,
DoS attacks detection, IDS/IPS) into
- high-level part (electronic)
- low-level part (optical)
D3.1 report M12
WP3.1 Security
Applications Partitioning
WISDOM
Basic firewall functionality in the optical domain
• Look at port numbers
Block traffic for specific ports
Optical filtering, optical pattern matching
• Look at IP addresses
Block traffic for specific IP addresses
Optical filtering, optical/electronic pattern matching
• Look at IP protocol
Block traffic for certain protocols
Headers only
Less than 10% of rules, more than 90% of alerts
WP3.1 Security Applications
Partitioning
Firewall rule example
WISDOM
Rule (inspected header field)
• Deny all incoming traffic with IP matching internal IP (source IP address)
• Deny incoming from black-listed IP addresses (source IP address)
• Deny all incoming ICMP traffic (IP protocol)
• Deny incoming TCP/UDP 135/445 (RPC, Windows Sharing) (destination port)
• Deny incoming/outgoing TCP 6666/6667 (destination port)
• Allow incoming TCP 80, 443 (http, https) to internal web server (destination port, destination IP address)
• Deny incoming TCP 25 to SMTP server from external IP addresses (destination port, destination/source IP address)
• Allow UDP 53 to internal DNS server (destination port, destination IP address)
Typical port assignments for some other services/applications:
ftp TCP 21, ssh TCP 22, telnet TCP 23, POP3 TCP 110, IMAP 143
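The two slides above make the point that the whole rule set can be evaluated from a handful of header fields (source/destination IP, IP protocol, destination port) without ever reading the payload. The following Python is an added example, not code from the WISDOM deliverables: it parses those fields out of a raw IPv4 packet and evaluates the rule list from the slide in order. The addresses (internal network 10.0.0.0/8, web/SMTP/DNS servers at 10.0.0.80/.25/.53, a blacklist of 203.0.113.0/24) and the default-deny policy are assumptions; only incoming traffic is modelled, so the "outgoing" half of the TCP 6666/6667 rule is not exercised.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed addressing (not from the deck): internal network, servers, blacklist.
INTERNAL = ipaddress.IPv4Network("10.0.0.0/8")
WEB_SERVER = ipaddress.IPv4Network("10.0.0.80/32")
SMTP_SERVER = ipaddress.IPv4Network("10.0.0.25/32")
DNS_SERVER = ipaddress.IPv4Network("10.0.0.53/32")
BLACKLIST = [ipaddress.IPv4Network("203.0.113.0/24")]
ICMP, TCP, UDP = 1, 6, 17


def build_packet(src: str, dst: str, proto: int, sport: int = 0, dport: int = 0) -> bytes:
    """Constructed test packet: 20-byte IPv4 header plus the port pair of the L4 header."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    if proto in (TCP, UDP):
        hdr += struct.pack("!HH", sport, dport)
    return hdr


@dataclass
class Header:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    dport: Optional[int]


def parse_header(pkt: bytes) -> Header:
    """Pull out only the fields the rules inspect; the payload is never touched."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    dport = None
    if proto in (TCP, UDP) and len(pkt) >= ihl + 4:
        _sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return Header(ipaddress.IPv4Address(pkt[12:16]),
                  ipaddress.IPv4Address(pkt[16:20]), proto, dport)


@dataclass
class Rule:
    action: str                                       # "allow" or "deny"
    proto: Optional[Set[int]] = None                  # None = any value
    dport: Optional[Set[int]] = None
    src: Optional[List[ipaddress.IPv4Network]] = None
    dst: Optional[List[ipaddress.IPv4Network]] = None

    def matches(self, h: Header) -> bool:
        return ((self.proto is None or h.proto in self.proto)
                and (self.dport is None or h.dport in self.dport)
                and (self.src is None or any(h.src in n for n in self.src))
                and (self.dst is None or any(h.dst in n for n in self.dst)))


# The slide's rule list, in order, applied to incoming traffic; first match wins.
RULES = [
    Rule("deny", src=[INTERNAL]),                                # spoofed internal source
    Rule("deny", src=BLACKLIST),
    Rule("deny", proto={ICMP}),
    Rule("deny", proto={TCP, UDP}, dport={135, 445}),
    Rule("deny", proto={TCP}, dport={6666, 6667}),
    Rule("allow", proto={TCP}, dport={80, 443}, dst=[WEB_SERVER]),
    Rule("deny", proto={TCP}, dport={25}, dst=[SMTP_SERVER]),    # external src: internal src already denied above
    Rule("allow", proto={UDP}, dport={53}, dst=[DNS_SERVER]),
]


def filter_packet(pkt: bytes, rules=RULES, default: str = "deny") -> str:
    """Return the action of the first matching rule; default deny is an assumption."""
    h = parse_header(pkt)
    for rule in rules:
        if rule.matches(h):
            return rule.action
    return default
```

Every decision above depends on at most 24 bytes of the packet, which is what makes bit-filter style hardware a plausible implementation target; rule order matters, since the spoofed-source and blacklist rules must be evaluated before the allow rules for the servers.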
WP3.1 Security Applications
Partitioning
Filtering out e-mail traffic
WISDOM
WP3.1 Security Applications
Partitioning
WISDOM
DoS attacks
SYN bit optical counter
proposed optical DoS attack detection
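The proposed detector needs only one header bit per packet (the TCP SYN flag, qualified by ACK so that SYN-ACK replies are not counted), which is why the slide suggests an optical counter; the thresholding over a time window is the electronic side. The Python below is an added illustration, not the WISDOM design: a per-destination sliding-window SYN counter run over a constructed trace (millisecond timestamps, a few normal handshakes followed by a burst of 100 bare SYNs to 10.0.0.80). The window of 1 s and threshold of 20 are assumed values.

```python
from collections import defaultdict, deque

TCP_SYN = 0x02
TCP_ACK = 0x10


class SynCounter:
    """Sliding-window count of bare SYN segments (SYN set, ACK clear) per destination."""

    def __init__(self, window_ms: int, threshold: int):
        self.window_ms = window_ms
        self.threshold = threshold
        self.syn_times = defaultdict(deque)   # dst -> timestamps (ms) of recent SYNs

    def observe(self, ts_ms: int, dst: str, tcp_flags: int) -> bool:
        """Record one packet; return True when dst now exceeds the SYN threshold."""
        if not (tcp_flags & TCP_SYN) or (tcp_flags & TCP_ACK):
            return False                       # only new connection attempts are counted
        q = self.syn_times[dst]
        q.append(ts_ms)
        while q[0] < ts_ms - self.window_ms:   # drop SYNs that have left the window
            q.popleft()
        return len(q) > self.threshold


def constructed_trace():
    """Constructed sample: one handshake every 2 s, then a 100-packet SYN burst at t = 20 s."""
    trace = []
    for i in range(5):
        t = i * 2000
        trace.append((t, "10.0.0.80", TCP_SYN))                    # client SYN
        trace.append((t + 10, "198.51.100.7", TCP_SYN | TCP_ACK))  # server SYN-ACK, not counted
        trace.append((t + 20, "10.0.0.80", TCP_ACK))               # client ACK, not counted
    for j in range(100):
        trace.append((20000 + j, "10.0.0.80", TCP_SYN))            # one bare SYN per ms
    return trace


def first_alert(trace, window_ms: int = 1000, threshold: int = 20):
    """Return (timestamp, destination) of the first threshold crossing, or None."""
    det = SynCounter(window_ms, threshold)
    for ts, dst, flags in trace:
        if det.observe(ts, dst, flags):
            return ts, dst
    return None
```

On this trace the normal handshakes never raise the count above one, and the alert fires 21 packets into the burst, at t = 20020 ms. A real deployment would also need per-destination state to be bounded and the threshold set from observed baseline rates.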
WP3.1 Security Applications
Partitioning
WISDOM
Security Operation | Inspection | Application Example
Match network packet targeting a specific service | Destination Port Number | Filtering out e-mail traffic
Match network packet originating from a specific service | Source Port Number | Filtering out a Web server's response
Match network packet targeting specific computer(s) | Destination IP Address | Preventing contact with a computer
Match network packet originating from specific computer(s) | Source IP Address | Preventing access from a computer
Match network packet with specific properties | IP protocol header field | Filtering out ICMP traffic
Match network packet targeting a specific service and originating from specific computers | Destination Port Number and Source IP Address | SPAM filter
Denial of Service attack detection | SYN flag | Preventing TCP SYN flood attacks
WP3.2 Identification of
Simplified Security Algorithms
Components
WISDOM
• Optical pre-processing for more complex pattern
recognition
Restrictions in optical domain (buffering, level of integration, etc)
Scalability of security pattern matching algorithms, optimum balance
between optical and electronic processing (WP6)
Develop algorithms that will allow optical bit-serial processing
subsystems to operate as a pre-processor to more complex pattern
recognition techniques.
D3.2 Identification of simplified Security Algorithms
Components
(M24)
WP3.2 Identification of
Simplified Security Algorithms
Components
• Tree-like structures
• Hash functions
• Bloom filters
• Heuristics
• Parallel use of optical devices
up to a dozen “on a chip”
• Parallel/Distributed Architectures
WISDOM
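The pre-processing idea of WP3.2 (a coarse optical sift that hands only candidate packets to more complex electronic processing) maps naturally onto a Bloom filter, one of the components listed above: a miss is definitive and can be acted on immediately, a hit only means "possibly listed" and must be verified exactly. The Python below is an added example, not WISDOM project code: a Bloom filter over a constructed blacklist (the documentation ranges 198.51.100.0/24 and 203.0.113.0/24) plays the fast stage, an exact set the slow stage, and the evaluation counts how often the fast stage sends a clean address to the slow path. The filter size (8192 bits) and hash count (4) are assumptions sized for roughly 500 entries.

```python
import hashlib
import ipaddress


class BloomFilter:
    """Bit-array membership test: never a false negative, tunable false-positive rate."""

    def __init__(self, m_bits: int, k_hashes: int):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: bytes):
        # k bit positions from k differently prefixed SHA-256 digests
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


# Constructed blacklist, not a real threat feed.
BLACKLIST_NETS = ["198.51.100.0/24", "203.0.113.0/24"]


def build_blacklist(networks):
    """Exact address set (slow, electronic stage) and its Bloom summary (fast, coarse stage)."""
    exact = {addr.packed for net in networks for addr in ipaddress.IPv4Network(net)}
    bloom = BloomFilter(m_bits=8192, k_hashes=4)   # assumed sizing for ~500 entries
    for packed in exact:
        bloom.add(packed)
    return exact, bloom


def classify(src_ip: str, exact: set, bloom: BloomFilter) -> str:
    """Two-stage lookup: Bloom miss is final, Bloom hit is verified against the exact set."""
    packed = ipaddress.IPv4Address(src_ip).packed
    if packed not in bloom:
        return "pass"
    return "blocked" if packed in exact else "false_positive"


def evaluate(networks, probe_net: str, probes: int):
    """Return (false negatives, false positives, probes) for a clean probe range."""
    exact, bloom = build_blacklist(networks)
    misses = sum(1 for packed in exact
                 if classify(str(ipaddress.IPv4Address(packed)), exact, bloom) != "blocked")
    false_positives = 0
    for i, addr in enumerate(ipaddress.IPv4Network(probe_net)):
        if i >= probes:
            break
        if classify(str(addr), exact, bloom) == "false_positive":
            false_positives += 1
    return misses, false_positives, probes
```

With these parameters the expected false-positive rate is about (1 - e^(-4·512/8192))^4, roughly 0.2 %, so almost all clean traffic is dismissed by the fast stage and the exact lookup only runs for listed addresses plus a small fraction of false alarms. The same structure applies to any set-membership pre-filter; the filter must be rebuilt when entries are removed, since a plain Bloom filter cannot delete.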
WP3.2 Identification of
Simplified Security Algorithms
Components
WISDOM
Combine optical and electronic signature-based detection
• Optical traffic splitter
optical header processing for load balancing
e.g., group packets according to port number, IP, etc
• Multiple “specialized” (electronic) processors
parallel operation
possibly more efficient payload inspection by performing same
operations to same type of packets
Many issues, such as even distribution of load to sensors,
anomaly-based detection, etc.
WP3.2 Identification of
Simplified Security Algorithms
Components
Specifications for optical hardware:
• Optical Bit Filter
Coarse “sift” of packet header
• Optical Routing Switch
• Optical Pattern Matching Circuit
• Optical Buffer Memory
Embedded in Bit Filter and Pattern Matching?
• Optical PRBS generator
• XOR, AND gates
WISDOM
WP3.2 Identification of
Simplified Security Algorithms
Components
WISDOM
Functional models of optical devices and simulator
1) Very simple, basic building blocks are logic gates
Useful for testing efficiency of more complex algorithms, hybrid
optical/electronic detection, etc.
2) Include physical models for actual optical components
Useful in device development.
Much more demanding…
Build simulator starting with (1) and expand to (2), when necessary.
Commercial solutions (Virtual Photonics, etc).
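A level (1) functional model of the kind described here reduces every optical component to 1-bit logic gates, which is enough to check that a matching algorithm is correct before any physical modelling is attempted. The Python below is an added example, not the WISDOM simulator: a bit-serial pattern-matching circuit built from XOR, AND and OR gates plus a single stored bit (so it needs almost no buffer memory), applied to header fields serialised MSB first, and a PRBS generator modelled as a 7-stage shift register with one XOR feedback. The gate names and the mask-based don't-care handling are assumptions of this model.

```python
import ipaddress


# Level (1) model: every operation is a gate on 0/1 values.
def xor_gate(a: int, b: int) -> int:
    return a ^ b


def and_gate(a: int, b: int) -> int:
    return a & b


def or_gate(a: int, b: int) -> int:
    return a | b


def to_bits(value: int, width: int):
    """Serialise a header field MSB first, as it would arrive bit by bit on the fibre."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bit_serial_match(field: int, pattern: int, mask: int, width: int) -> bool:
    """Pattern-matching circuit: XOR flags differing bits, AND with the mask drops
    don't-care bits, and one stored bit remembers whether any cared-for bit differed."""
    mismatch_seen = 0
    for f, p, m in zip(to_bits(field, width), to_bits(pattern, width), to_bits(mask, width)):
        mismatch_seen = or_gate(mismatch_seen, and_gate(xor_gate(f, p), m))
    return mismatch_seen == 0


def port_match(dport: int, wanted: int) -> bool:
    """Exact 16-bit destination-port match (mask all ones)."""
    return bit_serial_match(dport, wanted, 0xFFFF, 16)


def ip_prefix_match(ip: str, prefix: str) -> bool:
    """Prefix match: the netmask is the don't-care mask for the host bits."""
    net = ipaddress.IPv4Network(prefix)
    return bit_serial_match(int(ipaddress.IPv4Address(ip)),
                            int(net.network_address), int(net.netmask), 32)


def prbs7_period(seed: int = 1) -> int:
    """PRBS generator: 7-stage shift register, feedback = XOR of the two top stages
    (primitive polynomial x^7 + x + 1). Returns the period, 127 for any non-zero seed."""
    start = seed & 0x7F
    state = start
    steps = 0
    while True:
        feedback = xor_gate((state >> 6) & 1, (state >> 5) & 1)
        state = ((state << 1) | feedback) & 0x7F
        steps += 1
        if state == start:
            return steps
```

Because the matcher keeps only one bit of state between incoming bits, it fits the "embedded in bit filter" buffering question on the hardware slide: exact port matching and prefix matching on addresses both work without storing the whole field, and a level (2) model would replace each gate with a physical model of the corresponding optical element without changing this logic.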
WP 3.3 Definition of a Security
Application Programming
Interface (SAPI)
WISDOM
• SAPI will bridge the gap between optical execution of
key components and programming of security
applications
• High-level programming, abstract all low-level details
Monitoring Application
Programming Interface
(MAPI)
D3.3 Definition of SAPI
(M27)
WP 3.3 Definition of a Security
Application Programming Interface
(SAPI)
WISDOM
Hardware - Software Interface
Frequency of user interventions small compared to frequency of optical
recognitions
Electronics – Optics Interface
Labview, Agilent Vee (HPV)
Start with
Software – Electronics – Optics