Stateful, in-depth, inline traffic analysis for intrusion detection and prevention is growing increasingly more difficult as the data rates of modern networks rise. Yet it remains the case that in many environments, much of the traffic comprising a high-volume stream can, after some initial analysis, be qualified as of "likely uninteresting." We present a combined hardware/software architecture, Shunting, that provides a lightweight mechanism for an intrusion prevention system (IPS) to take advantage of the "heavy-tailed" nature of network traffic to offload work from software to hardware.

The primary innovation of Shunting is the introduction of a simple in-line hardware element that caches rules for IP addresses and connection 5-tuples, as well as fixed rules for IP/TCP flags. The caches, using a highest-priority match, yield a per-packet decision: forward the packet; drop it; or divert it through the IPS. By manipulating cache entries, the IPS can specify what traffic it no longer wishes to examine, including directly blocking malicious sources or cutting through portions of a single flow once the it has had an opportunity to "vet" them, all on a fine-grained basis.

We have implemented a prototype Shunt hardware design using the NetFPGA 2 platform, capable of Gigabit Ethernet operation. In addition, we have adapted the Bro intrusion detection system to utilize the Shunt framework to offload less-interesting traffic. We evaluate the effectiveness of the resulting system using traces from three sites, finding that the IDS can use this mechanism to offload 55%-90% of the traffic, as well as gaining intrusion prevention functionality.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Burton H. Bloom, Space/time trade-offs in hash coding with allowable errors, Communications of the ACM, v.13 n.7, p.422-426, July 1970  [doi>10.1145/362686.362692]
	2	C. Clark, W. Lee, D. Schimmel, D. Contis, M. Kone, and A. Thomas. A hardware platform for network intrusion detection and prevention. In Proceedings of The 3rd Workshop on Network Processors and Applications (NP3), 2004.
	3	J. Cleary, S. Donnelly, I. Graham, A. McGregor, and M. Pearson. Design principles for accurate passive measurement. In Proceedings of the Passive and Active Measurement Conference, 2000.
	4	J. Coppens, S. Van den Berghe, H. Bos, E. Markatos, F. De Turck, A. Oslebo, and S. Ubik. Scampi - a scaleable and programmable architecture for monitoring gigabit networks. In Proceedings of E2EMON Workshop, September 2003.
	5	J. Coppens, E. P. Markatos, J. Novotny, M. Polychronakis, V. Smotlacha, and S. Ubik. Scampi - a scaleable monitoring platform for the internet. In Proceedings of the 2nd International Workshop on Inter-Domain Performance and Simulation (IPS 2004), March 2004.
	6	Scott A. Crosby , Dan S. Wallach, Denial of service via algorithmic complexity attacks, Proceedings of the 12th conference on USENIX Security Symposium, p.3-3, August 04-08, 2003, Washington, DC
	7	Mark Crovella, Performance Evaluation with Heavy Tailed Distributions, Revised Papers from the 7th International Workshop on Job Scheduling Strategies for Parallel Processing, p.1-10, June 16, 2001
	8	Mark E. Crovella , Azer Bestavros, Self-similarity in World Wide Web traffic: evidence and possible causes, ACM SIGMETRICS Performance Evaluation Review, v.24 n.1, p.160-169, May 1996
	9	L. Deri. Passively monitoring networks at gigabit speeds using commodity hardware and open source software. In Proceedings of the Passive and Active Measurement Conference, 2003.
	10	Holger Dreger , Anja Feldmann , Michael Mai , Vern Paxson , Robin Sommer, Dynamic application-layer protocol analysis for network intrusion detection, Proceedings of the 15th conference on USENIX Security Symposium, p.18-18, July 31-August 04, 2006, Vancouver, B.C., Canada
	11	Mark Handley , Vern Paxson , Christian Kreibich, Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics, Proceedings of the 10th conference on USENIX Security Symposium, p.9-9, August 13-17, 2001, Washington, D.C.
	12	Gianluca Iannaccone , Christophe Diot , Ian Graham , Nick McKeown, Monitoring very high speed links, Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, November 01-02, 2001, San Francisco, California, USA  [doi>10.1145/505202.505235]
	13	Intel. Intel(r) network infrastructure processors: Extending intelligence in the network, 2005.
	14	S. Kornexl, V. Paxson, H. Dreger, A. Feldmann, and R. Sommer. Building a time machine for efficient recording and retrieval of high-volume network traffic. In Proceedings of the ACM Internet Measurement Conference, 2005.
	15	Christopher Kruegel , Fredrik Valeur , Giovanni Vigna , Richard Kemmerer, Stateful Intrusion Detection for High-Speed Networks, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.285, May 12-15, 2002
	16	E. Markatos. Scampi detailed architecture design. http://www.ist-scampi.org/publications/deliverables/D1.3.pdf, 2005.
	17	N. McKeown and G. Watson. Netfpga 2.0, http://klamath.stanford.edu/nf2/.
	18	Ruoming Pang , Vinod Yegneswaran , Paul Barford , Vern Paxson , Larry Peterson, Characteristics of internet background radiation, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy  [doi>10.1145/1028788.1028794]
	19	Vern Paxson, Empirically derived analytic models of wide-area TCP connections, IEEE/ACM Transactions on Networking (TON), v.2 n.4, p.316-336, Aug. 1994  [doi>10.1109/90.330413]
	20	Vern Paxson, Bro: a system for detecting network intruders in real-time, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.31 n.23-24, p.2435-2463, Dec. 1999  [doi>10.1016/S1389-1286(99)00112-7]
	21	Vern Paxson , Sally Floyd, Wide area traffic: the failure of Poisson modeling, IEEE/ACM Transactions on Networking (TON), v.3 n.3, p.226-244, June 1995  [doi>10.1109/90.392383]
	22	T. H. Ptacek and T. N. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection. Technical report, Secure Networks, Inc., Calgary, Alberta, Canada, 1998.
	23	André Seznec, A case for two-way skewed-associative caches, Proceedings of the 20th annual international symposium on Computer architecture, p.169-178, May 16-19, 1993, San Diego, California, United States
	24	Robin Sommer , Vern Paxson, Enhancing byte-level network intrusion detection signatures with context, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA  [doi>10.1145/948109.948145]
	25	Haoyu Song , Sarang Dharmapurikar , Jonathan Turner , John Lockwood, Fast hash table lookup using extended bloom filter: an aid to network processing, Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications, August 22-26, 2005, Philadelphia, Pennsylvania, USA
	26	M. Vallentin, R. Sommer, J. Lee, C. Leres, V. Paxson, and B. Tierney. The NIDS cluster: Scalable, stateful network intrusion detection on commodity hardware. In RAID 2007 (to appear).
	27	Nicholas Weaver , Vern Paxson , Jose M. Gonzalez, The shunt: an FPGA-based accelerator for network intrusion prevention, Proceedings of the 2007 ACM/SIGDA 15th international symposium on Field programmable gate arrays, February 18-20, 2007, Monterey, California, USA  [doi>10.1145/1216919.1216952]
	28	Walter Willinger , Vern Paxson , Murad S. Taqqu, Self-similarity and heavy tails: structural modeling of network traffic, A practical guide to heavy tails: statistical techniques and applications, Birkhauser Boston Inc., Cambridge, MA, 1998
	29	Walter Willinger , Murad S. Taqqu , Robert Sherman , Daniel V. Wilson, Self-similarity through high-variability: statistical analysis of Ethernet LAN traffic at the source level, IEEE/ACM Transactions on Networking (TON), v.5 n.1, p.71-86, Feb. 1997  [doi>10.1109/90.554723]