Internet Worm and Virus Protection in Dynamically Reconfigurable Hardware
Abstract. The security of the Internet can be improved using Programmable Logic Devices (PLDs). A platform has been implemented that actively scans and filters Internet traffic for Internet worms and viruses at multi-Gigabit/second rates using the Field-programmable Port Extender (FPX). Modular components implemented with Field Programmable Gate Array (FPGA) logic on the FPX process packet headers and scan for signatures of malicious software (malware) carried in packet payloads. FPGA logic is used to implement circuits that track the state of Internet flows and search for regular expressions and fixed strings that appear in the content of packets. The FPX contains logic that allows modules to be dynamically reconfigured to scan for new signatures. Network-wide protection is achieved by the deployment of multiple systems throughout the Internet.
Introduction. Computer viruses and Internet worms cause billions of dollars in lost productivity. Well-known Internet worms, such as Nimda, Code Red, Slammer and, most recently, MSBlast, contain strings of malicious code that can be detected as they flow through the network. By processing the content of Internet traffic in real time, a system with programmable logic devices can detect data containing computer viruses or Internet worms and prevent them from propagating. A complete system has been designed and implemented that scans the full payload of packets to route, block, and track the packets in the flow, based on their content. One challenge in implementing this system was that a targeted signature could appear at any position within the packet payload and the traffic flow. Another challenge was that signatures could span multiple packets and be interleaved among multiple traffic flows. The paper describes how these challenges were met and overcome. The result is an intelligent gateway that provides Internet worm and virus protection in both local and wide area networks.
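The two challenges just described, a signature at any payload offset and a signature split across packets of interleaved flows, can be handled with per-flow carry-over state. The following Python model is an added example, not the paper's FPX circuitry; the signature bytes, flow identifiers and packet payloads are constructed for illustration.

```python
"""Per-flow stateful signature scanner (added example, not the FPX design)."""
from dataclasses import dataclass, field


@dataclass
class FlowState:
    # Tail of the previous payload in this flow, long enough to complete any
    # signature that was cut by a packet boundary.
    carry: bytes = b""
    # Signatures seen so far in this flow, so the flow can be tracked/blocked.
    matches: list = field(default_factory=list)


class FlowScanner:
    def __init__(self, signatures):
        self.signatures = list(signatures)
        self.max_len = max(len(s) for s in self.signatures)
        self.flows = {}  # flow_id -> FlowState; keyed per flow, so flows may interleave

    def scan(self, flow_id, payload):
        """Scan one packet payload in the context of its flow.

        Returns the signatures completed by this packet, including those whose
        first bytes arrived in an earlier packet of the same flow.
        """
        state = self.flows.setdefault(flow_id, FlowState())
        buf = state.carry + payload
        found = []
        for sig in self.signatures:
            pos = buf.find(sig)
            while pos != -1:
                # Only report matches that end inside the new payload; anything
                # ending inside the carried bytes was reported on an earlier packet.
                if pos + len(sig) > len(state.carry):
                    found.append(sig)
                pos = buf.find(sig, pos + 1)
        # Keep the last max_len-1 bytes: the longest prefix of a signature that
        # could still be completed by the next packet of this flow.
        keep = self.max_len - 1
        state.carry = buf[-keep:] if keep else b""
        state.matches.extend(found)
        return found

    def is_flagged(self, flow_id):
        """True once any signature has been seen in the flow (block/track decision)."""
        return bool(self.flows.get(flow_id, FlowState()).matches)
```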
On tomorrow's virtual battlefield, foreign agents could bait public networks with content containing malware specifically designed to damage crucial counterintelligence or military information systems. These foreign agents could introduce malignant worms or viruses disguised as benign data to attack information technology (IT) resources known to be located within secure networks. As of August 16, 2003, for example, the MSBlast worm had infected more than 350,000 hosts worldwide, demonstrating once again the ineffectiveness of current protection mechanisms.
Today, most anti-virus solutions run in software on end systems. To ensure an entire network is secure from known attacks, every host within the network must be running the latest version of its operating system and virus-protection software. Should any machine in the network not be fully up to date, or should the software on the end systems contain any security flaws, the security of the overall network can be compromised.
By inserting data scanning and filtering devices throughout a network, rather than just at the end systems, Internet worms and computer viruses can be quarantined to just the segment of the network where they are introduced. Such a system of intelligent gateway devices recognizes and blocks malware at localized levels to dramatically limit the spread of the worm or virus. To provide a complete solution, there is a need for devices that can scan data quickly, reconfigure the scanning devices to search for new attack patterns, and take immediate action when attacks occur.