The goal of the SPANIDS Project is to develop a scalable architecture for a network intrusion detection platform that can reliably monitor a gigabit link running at saturation. In a network intrusion detection system (IDS), all network traffic is diverted to a sensor that inspects every packet to detect intrusion attempts and issue alerts. The challenge of high-speed network intrusion detection is to apply sophisticated algorithms that minimize the number of false alerts without dropping packets.

Current software-based network intrusion detection systems offer a flexible and inexpensive way to protect networks from outside attacks. Unfortunately, most general-purpose systems used as host machines are not able to process network traffic at or above gigabit rates. The I/O subsystem and main memory of current systems are nearing saturation when handling network traffic of over 100 Mbyte/s, and the host CPU is often overloaded just processing interrupts for incoming packets. Putting the additional burden of IDS software on such systems is impractical.

On the other hand, special-purpose hardware designed for high-speed network intrusion detection is usually expensive and inflexible. Unlike software, it cannot be changed easily to adapt to new IDS algorithms or techniques.

We have completed a comparative study of the performance of Snort on various Intel-based platforms. The methodology and results of this work are summarized in the paper "Characterizing the Performance of Network Intrusion Detection Sensors," published in the Proceedings of RAID 2003.

The goal of the SPANIDS project is to develop an architecture that combines the flexibility of software with the performance of special-purpose hardware while maintaining most of the cost advantage of off-the-shelf technology. We are designing and evaluating techniques to distribute network traffic across a number of sensors, thus minimizing overall packet loss. At the same time, the load balancing scheme should forward all packets belonging to a connection to the same sensor to facilitate stateful stream-level analysis. Our approach, based on multi-level hashing with dynamic feedback, is described in a Computing Frontiers paper.

We have recently completed the implementation of a functional prototype system consisting of an FPGA-based load balancer and a set of commodity PC/Linux sensors. We are currently in the process of characterizing the system to demonstrate the ability of our approach to reliably process gigabit network traffic with minimal packet loss. Below are a few recent pictures of our system in progress.
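To make the load-balancing requirement concrete, here is a small software model of a flow-affine, two-level hash balancer with a feedback step. It is an added illustration written for this page, not SPANIDS code and not the FPGA design described in the Computing Frontiers paper. Level 1 hashes a direction-independent 5-tuple to a bucket so both halves of a connection reach the same sensor; level 2 maps buckets to sensors through a table that a feedback round may rewrite when one sensor is overloaded. The sensor count, bucket count, overload factor and packet counts are constructed values, not project measurements.

```python
"""Added example (not SPANIDS code): flow-affine hash load balancing with
dynamic feedback. All parameters and traffic below are constructed."""
import zlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int  # IP protocol number, e.g. 6 for TCP


def flow_key(f: Flow) -> bytes:
    """Canonical key: sort the two endpoints so both directions of a
    connection hash identically (required for stateful stream analysis)."""
    lo, hi = sorted([(f.src_ip, f.src_port), (f.dst_ip, f.dst_port)])
    return f"{f.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


class HashBalancer:
    def __init__(self, n_sensors: int, n_buckets: int = 256, overload: float = 1.5):
        self.n_sensors = n_sensors
        self.n_buckets = n_buckets
        self.overload = overload  # a sensor is "hot" if load > overload * mean load
        # Level 2 table: bucket -> sensor, initially round-robin.
        self.bucket_to_sensor: List[int] = [b % n_sensors for b in range(n_buckets)]
        self.bucket_load: List[int] = [0] * n_buckets  # packets since last feedback

    def bucket(self, f: Flow) -> int:
        # Level 1: CRC32 is deterministic across runs (Python's hash() is salted).
        return zlib.crc32(flow_key(f)) % self.n_buckets

    def forward(self, f: Flow) -> int:
        """Return the sensor for this packet and account its load."""
        b = self.bucket(f)
        self.bucket_load[b] += 1
        return self.bucket_to_sensor[b]

    def sensor_load(self) -> List[int]:
        load = [0] * self.n_sensors
        for b, s in enumerate(self.bucket_to_sensor):
            load[s] += self.bucket_load[b]
        return load

    def feedback(self) -> List[Tuple[int, int, int]]:
        """Dynamic feedback round: while the hottest sensor exceeds the overload
        threshold, migrate its lightest non-empty buckets to the coldest sensor.
        A bucket moves only if it is no larger than half the hot/cold gap, so a
        single elephant flow that one bucket cannot split stays where it is.
        Remapping a bucket breaks stateful tracking for the connections inside
        it, which is why few, light buckets are moved. Returns (bucket, from, to)."""
        moved: List[Tuple[int, int, int]] = []
        load = self.sensor_load()
        mean = sum(load) / self.n_sensors
        while mean > 0:
            hot = max(range(self.n_sensors), key=load.__getitem__)
            cold = min(range(self.n_sensors), key=load.__getitem__)
            if load[hot] <= self.overload * mean:
                break
            candidates = sorted(
                (b for b, s in enumerate(self.bucket_to_sensor) if s == hot),
                key=self.bucket_load.__getitem__)
            gap = load[hot] - load[cold]
            pick = next((b for b in candidates if 0 < self.bucket_load[b] <= gap / 2), None)
            if pick is None:
                break
            self.bucket_to_sensor[pick] = cold
            load[hot] -= self.bucket_load[pick]
            load[cold] += self.bucket_load[pick]
            moved.append((pick, hot, cold))
        self.bucket_load = [0] * self.n_buckets  # open a new measurement window
        return moved


if __name__ == "__main__":
    # Constructed traffic: many short client connections to one server port.
    lb = HashBalancer(n_sensors=4, n_buckets=64)
    for port in range(20000, 20400):
        pkt = Flow("192.0.2.10", port, "198.51.100.5", 80, 6)
        lb.forward(pkt)
        lb.forward(Flow("198.51.100.5", 80, "192.0.2.10", port, 6))  # reply direction
    print("per-sensor load:", lb.sensor_load())
    print("buckets moved by feedback:", lb.feedback())
```

The symmetric key is the part that matters for stream-level analysis: a request and its reply must land on the same sensor, or neither sensor sees a complete TCP conversation. The feedback heuristic is deliberately conservative because every remapped bucket costs the receiving sensor the state of the connections already in flight.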
Copyright ND SPANIDS 2002-2004.