Intrusion Detection Operations at the Edge Network using FPGAs

In this blog, I present my work towards accelerating intrusion detection operations at the edge network using FPGAs. Cloud computing and network function virtualization have led to a new, appealing paradigm for service delivery and management. Unfortunately, this paradigm fails to correctly support IoT applications and services that seek better communication platforms. Security as a Service can also be seen as a cloud-based model that needs to be adapted to fulfill these services' requirements. Again, one of the main issues to be addressed in this context is how to improve the performance of such systems or services so that they can cope with the huge amount of data while remaining reliable. A potential solution is FPGA-based edge computing, a powerful combination that offers FPGA acceleration capabilities together with the benefits of edge and fog computing.

Virtual Network Functions are network services or capabilities that are softwarized and can also run on commodity hardware. Contrary to functions running on dedicated hardware, virtual functions offer flexibility and easy deployment. The services that can be softwarized include firewalls, Domain Name System (DNS), Network Address Translation (NAT), and Intrusion Detection/Prevention Systems (IDS/IPS). It is fair to say that virtualization enabled moving a huge number of services and applications to the cloud. However, the resulting performance was not always as expected. This is the case, for instance, for the Internet of Things (IoT), which is being used in a variety of systems and services in our daily life.

In this blog, we discuss our research towards specifying and prototyping an Intrusion Prevention System (IPS) that can be used in edge computing scenarios. Our solution, called FORTISEC (or simply 40SEC), resembles a Virtual Security Appliance (vSA) that is composed of a firewall and an IDS. Although the focus in this paper is on edge computing, our solution can be utilized in a variety of other scenarios (e.g. enterprise security). One of the main characteristics of our vSA is that the parts of the IDS that need intensive processing are implemented on Field Programmable Gate Arrays (FPGAs), which are known for their potential for accelerating computationally intensive workloads. It was mentioned for instance in that Convolutional Neural Networks (CNN) can be improved for image classification on AlexNet up to 2,0/2,5 times in terms of processing time, i.e. when utilizing FPGAs in comparison to CPUs.

THE 40SEC SYSTEM

The edge gateway platform on which our virtual Security Appliance (40SEC) runs is a XILINX KRM-3Z7030 50mm x 70mm module composed of an ARM processor and an FPGA part and carried by a KRC3701 Carrier Kit. It is worth mentioning that virtualizing security appliances intrinsically has to deal with performance restrictions. In the past, optimal performance was provided through dedicated hardware. In virtualized environments, applications and services running on an operating system compete for the same hardware computing resources, which might slow down performance. One of the main objectives of this work is to investigate how the performance behaves when 40SEC runs entirely on the ARM processor and when some of the related security parts, those that require more processing, are moved to the FPGA. For this reason, we decided to build the 40SEC architecture in two different versions. In the first one, the entire 40SEC appliance runs on the ARM processor. In the second version, the parts that require intense processing are moved to the FPGA part in order to speed up the detection operations.

THE ARM BASED ARCHITECTURE

Figure: ARM-based Architecture

The figure above depicts the main components of the ARM-based 40SEC architecture as well as the interfaces between them. As previously mentioned, the entire 40SEC appliance is implemented on the ARM processor in the first version. For that purpose, various related components were dockerized and made available. Since some existing Intrusion Detection Systems, such as Snort, are available as open source and offer a security level comparable to commercial security solutions, we decided to explore their capability of running on the ARM processor and measure their performance. Within the 40SEC architecture, Snort was utilized due to its popularity.
