Discussion Summary

Paper: Automatic Synthesis of Efficient Intrusion Detection Systems on FPGAs

Authors: Zachary K. Baker and Viktor K. Prasanna

Presenter: Jack Meier

Discussion Leader: Phillip Jones

Editor: John Lockwood

Paper Overview:

This paper presents:

1.) A software algorithm to perform high-level optimizations on rule sets before generating hardware.

2.) A procedure for creating a space-efficient and high-throughput Intrusion Detection hardware device based on the optimized rule set.

The objective of the software algorithm is to group rules in such a way as to minimize redundancy between groups of rules and maximize redundancy within a group of rules, which in turn helps to create a more compact and efficient representation of the rule set in hardware. This algorithm is heavily based on graph theory.

Once high-level grouping is performed, a hardware circuit is created from two major construct types: a predecoding unit and a shift-and-compare pipeline for each group of rules. These constructs take advantage of the redundancies that exist within a group of rules.
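
As an added illustration (not the paper's code), here is a small Python model of a predecoder shared by one rule group feeding a shift-and-compare check per rule; the rules and packet are constructed samples, and `comparator_cost` is a simplified proxy for the area saved by grouping rules that share bytes.

```python
# Added example, not code from the paper: a software model of the predecoder
# plus shift-and-compare pipeline described above, showing why grouping rules
# that share bytes saves hardware. Rules and packet are constructed samples.
from collections import defaultdict

# Constructed sample rule group and packet (not Snort content).
RULES = [b"GET /cgi-bin/", b"/cgi-bin/phf", b"/bin/sh"]
PACKET = b"GET /cgi-bin/phf HTTP/1.0"


def predecode(packet):
    """Models the shared predecoder: one comparator per distinct byte value,
    producing the set of offsets at which that value occurs in the packet."""
    hits = defaultdict(set)
    for offset, value in enumerate(packet):
        hits[value].add(offset)
    return hits


def shift_and_compare(hits, pattern):
    """Models one rule's pipeline: the pattern matches at `start` when every
    byte's predecoder line fired at the correspondingly delayed offset,
    i.e. an AND of shifted decoder outputs rather than private comparators."""
    n = len(pattern)
    starts = []
    for end in sorted(hits.get(pattern[-1], ())):
        start = end - n + 1
        if start >= 0 and all(start + k in hits[pattern[k]] for k in range(n)):
            starts.append(start)
    return starts


def match_group(packet, rules):
    """Run every rule of the group against one packet through a single
    shared predecoder; returns {rule: [start offsets]}."""
    hits = predecode(packet)
    return {rule: shift_and_compare(hits, rule) for rule in rules}


def comparator_cost(rules):
    """Byte comparators needed without sharing (one per pattern byte) versus
    with a shared predecoder (one per distinct byte value in the group)."""
    unshared = sum(len(rule) for rule in rules)
    shared = len({value for rule in rules for value in rule})
    return unshared, shared


if __name__ == "__main__":
    print(match_group(PACKET, RULES))   # {b"GET /cgi-bin/": [0], ...}
    print(comparator_cost(RULES))       # (32, 15)
```

The second number shrinks as the rules in a group share more bytes, which is exactly the within-group redundancy the grouping algorithm tries to maximize.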
The major topics discussed were:

1. Need for creating a new Metric

2. Scalability and Selection of Rules

1. Need for creating a new Metric:

This was one of the most criticized aspects of the paper. The metric used was Throughput/Area (i.e., Mb/s/cell). At one extreme, reviewers commented that this metric was made up just to show good results. Others made a good argument for the validity of such a metric; however, they felt that the formulation of the metric was a bit too simplistic and did not convey the fact that most people in the field of Intrusion Detection are much more concerned about throughput than chip area. It was suggested that adding a weighting would make this metric more realistic. One example from the data in Table 4 cited to support this argument is that a system with a throughput of 1.79 Gb/s was given nearly a 2x performance rating over a system with a throughput of 9.7 Gb/s.

2. Scalability and Selection of Rules:

There was concern about why only a subset of the rules from an Intrusion Detection database was used, though the paper does state that the number of rules selected filled up the FPGA available to the authors. However, reviewers commented that, given its run-time, the software algorithm used to partition the rules could still have been run on the complete Snort database. There was a majority feeling that the software algorithm would run into scaling issues if the rule set were increased by an order of magnitude.

Another concern was raised about how the subset of rules was selected. If just the first 1000 rules were chosen, it was pointed out that, since rules are typically placed in databases in chronological order and later rules are more difficult to group with other rules (therefore showing less redundancy), the algorithm and hardware-generation procedure presented may not be as effective if more recent rules were used.

Final ranking of Paper:

The discussion group voted this paper to be among the middle third of the papers reviewed this semester.