
SoK - Network Intrusion Detection on FPGA

  • Conference paper
  • Security, Privacy, and Applied Cryptography Engineering (SPACE 2021)

Abstract

The amount of Internet traffic is ever increasing. With a well-maintained network infrastructure, people find their way to Internet forums, video streaming services, social media and web shops on a day-to-day basis. As the online world has grown, criminal activity has spread to the Internet as well. Security researchers and system administrators develop and maintain infrastructures to control these threats. This work focuses on one aspect of network security: intrusion detection. An Intrusion Detection System (IDS) is only one of the many components in the security engineer's toolbox; it is a passive component that tries to detect malicious activity. As Internet traffic and bandwidth increase, the detection speed of IDSs needs to keep pace. This work focuses on how Field-Programmable Gate Arrays (FPGAs) are used as hardware accelerators to help an IDS keep up with high network speeds. We give an overview of three approaches: intrusion detection based on machine learning, pattern matching, and large-flow detection. The work concludes with a comparison of the three approaches on the most relevant metrics.


Notes

  1. https://www.snort.org/.
  2. https://zeek.org/.
  3. https://suricata.io/.
  4. https://datatracker.ietf.org/doc/html/rfc9000.


Acknowledgements

This work is supported by CORNET and funded by VLAIO under grant number HBC.2018.0491. This work is also supported by the ESCALATE project, funded by FWO and SNSF (G0E0719N), and by Cybersecurity Initiative Flanders (VR20192203).

Author information

Correspondence to Nele Mentens.

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Cite this paper

Le Jeune, L., Sateesan, A., Rabbani, M.M., Goedemé, T., Vliegen, J., Mentens, N. (2022). SoK - Network Intrusion Detection on FPGA. In: Batina, L., Picek, S., Mondal, M. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2021. Lecture Notes in Computer Science, vol 13162. Springer, Cham. https://doi.org/10.1007/978-3-030-95085-9_13

  • DOI: https://doi.org/10.1007/978-3-030-95085-9_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-95084-2

  • Online ISBN: 978-3-030-95085-9
