Dissertation/Thesis Abstract

Toward hardware-oriented defensive network infrastructure
by Chen, Hao, Ph.D., State University of New York at Binghamton, 2015, 194; 3713553
Abstract (Summary)

The prosperity of the Internet has made it attractive to hackers and malicious attackers. Distributed attacks such as DDoS attacks and Internet worms have become major threats to the network infrastructure. Coordinating existing single-point security applications across multiple domains for distributed defense is a promising direction. Taking advantage of the small-world network model, a three-layered network modeling platform was developed for exploring the behavior of collaborative defense within the scope of a complex system. Using this platform, a comparison study of two major collaborative defense schemes was conducted, and their performance and effectiveness against signature-embedded worm attacks were evaluated.

Given the rapid evolution of attack methods and toolkits, software-based solutions for securing the network infrastructure have become overburdened. The performance gap between the execution speed of security software and the amount of data to be processed is ever widening. A common way to close this gap is to implement security functions in hardware. After a comprehensive survey of the major reconfigurable-hardware-based approaches applied to network infrastructure security, an optimized design of an FPGA-based Power Spectral Density (PSD) data converter for online Shrew DDoS attack detection was proposed and prototyped. Combining an innovative component-reusable Auto-Correlation (AC) algorithm with an adapted 2N-point real-valued Discrete Fourier Transform (DFT) algorithm, a maximum reduction of 61.8% in processing time, from 27471.4 µs to 10504.8 µs, was achieved. This efficient hardware realization enabled the design to be implemented on a Xilinx Virtex-II Pro FPGA.
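As an added illustration (not the dissertation's hardware design or its code), the following software model performs the computation that the PSD converter above implements: the biased autocorrelation of a packet-count trace is extended symmetrically to 2N points and transformed with a real-valued (cosine-only) DFT, and the resulting spectrum is inspected for the periodic burst a Shrew-style low-rate flood produces. The 10 ms sampling interval, burst period, burst width and packet rates are constructed assumptions.

```python
import math
import random

SAMPLE_DT = 0.01  # assumed 10 ms per traffic bin

def autocorrelation(x):
    """Biased autocorrelation r[k], k = 0 .. N-1, of the mean-removed trace."""
    n = len(x)
    mean = sum(x) / n
    xc = [v - mean for v in x]
    return [sum(xc[i] * xc[i + k] for i in range(n - k)) / n for k in range(n)]

def psd_from_autocorrelation(r):
    """Wiener-Khinchin: extend r to a 2N-point even sequence (r[-k] = r[k]) and take
    its real-valued DFT; for an even sequence only the cosine terms survive."""
    n = len(r)
    ext = r + [0.0] + r[:0:-1]            # lags 0..N-1, then N (unknown, 0), then -(N-1)..-1
    m2 = len(ext)                         # 2N points
    return [sum(ext[k] * math.cos(2 * math.pi * m * k / m2) for k in range(m2))
            for m in range(n + 1)]        # bins 0 .. N  (DC .. Nyquist)

def analyse(trace):
    """Return (dominant period in samples, peak-to-mean PSD ratio with DC excluded)."""
    psd = psd_from_autocorrelation(autocorrelation(trace))
    body = psd[1:]                        # drop the DC bin
    peak_bin = 1 + max(range(len(body)), key=body.__getitem__)
    period = 2 * len(trace) / peak_bin    # bin m of a 2N-point DFT is m/(2N) cycles per sample
    ratio = body[peak_bin - 1] / (sum(body) / len(body))
    return period, ratio

def shrew_trace(n=200, period=50, width=10, rate=60, seed=1):
    """Constructed packets-per-bin trace: low baseline plus a short burst every `period` bins."""
    rng = random.Random(seed)
    return [rate if i % period < width else rng.randint(4, 6) for i in range(n)]

def benign_trace(n=200, seed=1):
    """Constructed control trace with the same baseline and no periodic bursts."""
    rng = random.Random(seed)
    return [rng.randint(4, 6) for _ in range(n)]

if __name__ == "__main__":
    for name, trace in (("shrew", shrew_trace()), ("benign", benign_trace())):
        period, ratio = analyse(trace)
        print(f"{name}: dominant period {period * SAMPLE_DT:.2f} s, peak/mean {ratio:.1f}")
```

The burst trace yields a sharp peak at the 0.5 s burst period, while the control trace has no comparable peak; the peak-to-mean ratio is the quantity a detector would threshold.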

The scalability problem posed by continuously expanding signature databases is another major impediment to hardware-based network intrusion detection. Based on the observation that signature patterns are constructed from combinations of a limited number of primary patterns, a two-stage decomposition approach was developed to address this problem. The evaluation results show that, after decomposition, a size reduction of over 77% can be achieved on signature patterns extracted from the Snort rule database.

Indexing (document details)
Advisor: Chen, Yu
Committee: Jin, Zhanpeng, Lewis, Michael, Polunchenko, Aleksey S., Summerville, Douglas H.
School: State University of New York at Binghamton
Department: Electrical and Computer Engineering
School Location: United States -- New York
Source: DAI-B 76/11(E), Dissertation Abstracts International
Subjects: Computer Engineering
Keywords: Collaborative defense, Network infrastructure security, Network intrusion detection, Pattern decomposition, Power spectral density data converter, Reconfigurable hardware application
Publication Number: 3713553
ISBN: 9781321901146
Copyright © 2019 ProQuest LLC. All rights reserved.