FPGA-based encrypted network traffic identification at 100 Gbit/s

Abstract

Network traffic monitoring is becoming increasingly hard to manage due to the ever-growing speed of network links. At 100 Gbit/s, the huge volume of data makes it very difficult to perform online analyses or to store traffic for subsequent forensic investigations. It is therefore mandatory to carry out some kind of filtering and/or capping in the network traffic to be analyzed. Additionally, the fraction of encrypted traffic is relentlessly increasing. For such encrypted traffic, storing the payload is most times useless. In this paper we present an FPGA implementation of a method to identify plain text (that is, human readable) in the network packet payload. The method is based on both detecting bursts of printable ASCII characters and calculating the fraction of these printable characters in the packet payload. This method has proven to be very effective in reducing the amount of information used in traffic analysis, by saving only the headers of packets with encrypted payloads. We leveraged the advantages of high-level languages to reduce development time, though traditional HDL languages were also used to optimize critical areas of the design. The design targets the 100 Gbit/s Ethernet interfaces of Xilinx Virtex UltraScale devices and it is able to detect human-readable packet payloads at line rate, with a high accuracy.