Automatic Compilation of Firewall and Intrusion Detection Rules for High-Speed Network
Dr. Kenneth Mackenzie, Dr. Richard Lethin, Business Official, lethin@reservior.com
DOE Grant No. DE-FG02-04ER84062
Amount: $750,000
As networks move to 10 Gbps and beyond (including scientific networks within the Department of Energy), the need arises for high-speed security solutions capable of defending these networks from cyberattacks. The current market supplies no solutions that operate at these speeds. To address this problem, this project will develop a toolchain for automatically rendering signatures from an intrusion detection system (IDS) into high-speed signature detection engines that run on network processors. Phase I demonstrated the feasibility of applying mapping technology to the problem of rendering intrusion detection rulesets onto network processors. A technique was identified for selecting the signature from the space of possible problem framings at compilation time. Phase II will develop a prototype toolchain for rendering IDS signatures into high-speed signature detection engines that run on network processors. The toolchain, which will target 10 Gbps on next-generation network processors and will be fully automatic, will be validated and verified.
Commercial Applications And Other Benefits as described by the awardee: The high-speed signature-detection technology should find use in multiple network applications, especially intrusion detection, spam detection, and deep-inspection firewalls. Because the system will run on network processors rather than fixed-function hardware, the product will have advantages in time-to-market, time-in-market, and price-performance.