WISDOMWISDOMWorkpackage 3

New security algorithm design

ICS-FORTH

Ipswich 19th December 2007

WISDOMWISDOMWISDOM WP3: New security

algorithm designObjectives • Identify critical security application components which can

be efficiently implemented in the optical domain. • Characterise constraints to algorithmic components and

develop novel analytical techniques for simplified pattern matching.

• Design a Security Application Programming Interface (SAPI) which will be the interface between high-level security applications and low-level optical implementation

Tasks - Deliverables• WP 3.1: Security Applications Partitioning (M12)• WP 3.2: Identification of simplified Security Algorithm

Components (M24)• WP 3.3: Definition of a Security Application Programming

Interface: SAPI (M27)

WISDOMWISDOMWP3.1 Security Applications

Partitioning

• Identify components which can be effectively and efficiently implemented in the optical domain

• Partitioning of security-related applications (Firewalls, DoS attacks detection, IDS/IPS) into - high-level part (electronic) - low-level part (optical)

D3.1 report M12

WISDOMWISDOMWP3.1 Security

Applications Partitioning

Basic firewall functionality in the optical domain• Look at port numbersBlock traffic for specific portsOptical filtering, optical pattern matching

• Look at IP addressesBlock traffic for specific IP addressesOptical filtering, optical/electronic pattern matching

• Look at IP protocolBlock traffic for certain protocols

Headers onlyLess than 10% of rules, more than 90% of alerts

WISDOMWISDOMWP3.1 Security Applications

Partitioning

Firewall rule example Inspection• Deny all incoming traffic with IP matching internal IP source IP address• Deny incoming from black-listed IP addresses source IP address• Deny all incoming ICMP traffic IP protocol• Deny incoming TCP/UDP 135/445 (RPC, Windows Sharing) destination port• Deny incoming/outgoing TCP 6666/6667 destination port

• Allow incoming TCP 80, 443 (http, https) destination port

to internal web server (destination IP address)• Deny incoming TCP 25 to SMTP server destination port

from external IP addresses (destination)/source IP address

• Allow UDP 53 to internal destination portDNS server (destination IP address)

typical port assignments for some other services/applicationsftp TCP 21, ssh TCP 22, telnet TCP 23, POP3 TCP 110, IMAP 143

WISDOMWISDOMWP3.1 Security Applications

Partitioning

Filtering out e-mail traffic

WISDOMWISDOMWP3.1 Security Applications

Partitioning

DoS attacks

SYN bit optical counter

proposed optical DoS attack detection

WISDOMWISDOMWP3.1 Security Applications

Partitioning

Security Operation Inspection Application Example

Match network packet targeting a specific service

Destination Port Number

Filtering out e-mail traffic

Match network packet originating from a specific service

Source Port Number

Filtering out a Web server’s response

Match network packet targeting specific computer(s)

Destination IP Address

Preventing contact with a computer

Match network packet originating from specific computer(s)

SourceIP Address

Preventing access from a computer

Match network packet with specificproperties

IP protocol header fieldFiltering out ICMP

traffic

Match network packet targeting a specific service and originating

from specific computers

Destination Port Number and Source

IP AddressSPAM filter

Denial of Service attack detection SYN flagPreventing TCP SYN

flood attacks

WISDOMWISDOM

WP3.2 Identification of Simplified Security Algorithms

Components

• Optical pre-processing for more complex pattern recognition Restrictions in optical domain (buffering, level of integration, etc)Scalability of security pattern matching algorithms, optimum balance between optical and electronic processing (WP6)

Develop algorithms that will allow optical bit-serial processing subsystems to operate as a pre-processor to more complex pattern recognition techniques.

D3.2 Identification of simplified Security Algorithms Components

(M24)

WISDOMWISDOM

WP3.2 Identification of Simplified Security Algorithms

Components

• Tree-like structures• Hash functions• Bloom filters• Heuristics • Parallel use of optical devices

up to a dozen “on a chip”

• Parallel/Distributed Architectures

WISDOMWISDOM

WP3.2 Identification of Simplified Security Algorithms

Components

Combine optical and electronic signature-based detection• Optical traffic splitter

optical header processing for load balancing

e.g., group packets according to port number, IP, etc

• Multiple “specialized” (electronic) processors

parallel operation

possibly more efficient payload inspection by performing same

operations to same type of packets

Many issues, such as even distribution of load to sensors, anomaly-based detection, etc.

WISDOMWISDOM

WP3.2 Identification of Simplified Security Algorithms

Components

Specifications for optical hardware:

•Optical Bit Filter Coarse “sift” of packet header

•Optical Routing Switch

•Optical Pattern Matching Circuit

•Optical Buffer Memory Embedded in Bit Filter and Pattern Matching?

•Optical PRBS generator

•XOR, AND gates

WISDOMWISDOM

WP3.2 Identification of Simplified Security Algorithms

Components

Functional models of optical devices and simulator

1) Very simple, basic building blocks are logic gatesUseful for testing efficiency of more complex algorithms, hybrid optical/electronic detection, etc.

2) Include physical models for actual optical componentsUseful in device development.Much more demanding…

Build simulator starting with (1) and expand to (2), when necessary.Commercial solutions (Virtual Photonics, etc).

WISDOMWISDOM

WP 3.3 Definition of a Security Application Programming

Interface (SAPI)

• SAPI will bridge the gap between optical execution ofkey components and programming of securityapplications

• High-level programming, abstract all low-level details

Monitoring ApplicationProgramming Interface(MAPI)

D3.3 Definition of SAPI (M27)

WISDOMWISDOMWP 3.3 Definition of a Security

Application Programming Interface (SAPI)

Hardware - Software InterfaceFrequency of user interventions small compared to frequency of optical

recognitions

Electronics – Optics InterfaceLabview, Agilent Vee (HPV)

Start with

Software – Electronics - Optics