Hardware/Software Isolation and Protection Architecture for Transparent Security Enforcement in Networked Devices
Festus Hategekimana, Pierre-Alexis Nardin, C. Bobda
2016 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), published 2016-07-01
DOI: 10.1109/ISVLSI.2016.32 (https://doi.org/10.1109/ISVLSI.2016.32)
Citations: 7
Abstract
We present an integrated hardware/software architecture to enforce security in networked workstations and embedded devices such as printers and microscopes. These devices are usually connected to the Internet without protection, so they are exposed to attack. Our solution operates as an intermediate isolation and protection module (IPM) between the network and the device to be protected. The IPM can be implemented as a dedicated IP on a system-on-chip, or as a separate chip, to analyze incoming and outgoing traffic for malicious activity transparently to the device under protection. Security enforcement is performed in two stages. In the first stage, a deep packet inspection module detects and drops packets originating from known blacklisted domains or carrying malware patterns; at the same time, important features are extracted from protocol-conforming packets and sent to a binary classifier for further processing and decision making. The second stage uses that binary classifier to make decisions on seemingly protocol-conforming packets. We designed and implemented a prototype of the IPM as a system-on-FPGA, with packet filtering and analysis accelerated in hardware and binary classification and decision making in software. The IPM operates at high speed with a very small footprint, making it suitable for embedded devices with fewer resources. Evaluation of our prototype using the 1999 Knowledge Discovery in Databases (KDD Cup 1999) dataset benchmarks shows a high detection rate on various distributed denial-of-service (DDoS) attacks such as Neptune DoS (99.3%), Smurf DoS (100%), and Teardrop DoS (98.90%).
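The two-stage flow described above, as an added example that is not the paper's design or code: stage 1 is a deep-packet-inspection pass that drops packets from a blacklisted source or carrying a known byte pattern and extracts features from the rest; stage 2 is a binary classifier, represented here by a hand-set linear threshold rule rather than a trained model. It goes one step beyond the abstract by sketching the kind of feature that separates the three attack families named in the evaluation (SYN-without-ACK rate for a Neptune-style SYN flood, ICMP echo to a directed-broadcast address for Smurf, overlapping IP fragments for Teardrop). The blacklist entry, the pattern (the EICAR test-string prefix standing in for a malware signature), the feature definitions, the weights and the `syn_window` budget are all hypothetical values constructed for this example.

```python
"""Simplified two-stage IPM-style packet screening (added example, not the
paper's design or code). All blacklist entries, patterns, feature definitions
and weights are hypothetical, constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str                                      # source host name / address
    dst: str                                      # destination address
    proto: str                                    # "tcp", "udp" or "icmp"
    marks: Set[str] = field(default_factory=set)  # TCP flags or ICMP type
    frag_id: int = 0                              # IP identification (fragment group)
    frag_offset: int = 0                          # fragment offset in bytes
    frag_len: int = 0                             # fragment length (0 = not fragmented)
    payload: bytes = b""


# Stage-1 inputs (constructed): one blacklisted source and the EICAR test-string
# prefix standing in for a malware signature.
BLACKLIST: Set[str] = {"bad.example.net"}
MALWARE_PATTERNS: List[bytes] = [b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR"]


@dataclass
class IPM:
    syn_window: int = 10  # SYNs per source that count as a "full" rate (hypothetical)
    syn_counts: Dict[str, int] = field(default_factory=dict)
    frag_end: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def stage1(self, pkt: Packet) -> Optional[Dict[str, float]]:
        """Deep packet inspection: drop on blacklist or pattern hit, else extract features."""
        if pkt.src in BLACKLIST:
            self.log.append(f"stage1 drop: blacklisted source {pkt.src}")
            return None
        if any(p in pkt.payload for p in MALWARE_PATTERNS):
            self.log.append(f"stage1 drop: malware pattern from {pkt.src}")
            return None
        return self.features(pkt)

    def features(self, pkt: Packet) -> Dict[str, float]:
        """Per-packet features that need a little cross-packet state (KDD-style counts)."""
        # SYN without ACK: half-open connection attempts, counted per source.
        if pkt.proto == "tcp" and "SYN" in pkt.marks and "ACK" not in pkt.marks:
            self.syn_counts[pkt.src] = self.syn_counts.get(pkt.src, 0) + 1
        # ICMP echo request aimed at a directed-broadcast address.
        echo_bcast = (pkt.proto == "icmp" and "echo-request" in pkt.marks
                      and pkt.dst.endswith(".255"))
        # Fragment overlapping bytes already seen for the same (src, dst, id) group.
        overlap = False
        if pkt.frag_len:
            key = (pkt.src, pkt.dst, pkt.frag_id)
            prev_end = self.frag_end.get(key, 0)
            overlap = pkt.frag_offset < prev_end
            self.frag_end[key] = max(prev_end, pkt.frag_offset + pkt.frag_len)
        return {
            "syn_rate": min(self.syn_counts.get(pkt.src, 0) / self.syn_window, 1.0),
            "echo_bcast": float(echo_bcast),
            "frag_overlap": float(overlap),
        }

    def stage2(self, f: Dict[str, float]) -> bool:
        """Binary classifier stand-in: a fixed linear score against a threshold."""
        score = 0.6 * f["syn_rate"] + 1.0 * f["echo_bcast"] + 1.0 * f["frag_overlap"]
        return score >= 0.5

    def process(self, pkt: Packet) -> str:
        """Return 'drop-stage1', 'drop-stage2' or 'forward' for one packet."""
        feats = self.stage1(pkt)
        if feats is None:
            return "drop-stage1"
        if self.stage2(feats):
            self.log.append(f"stage2 drop: {pkt.src}->{pkt.dst} features={feats}")
            return "drop-stage2"
        return "forward"


def screen(packets: List[Packet]) -> List[str]:
    """Run a fresh IPM over a packet list and return the per-packet verdicts."""
    ipm = IPM()
    return [ipm.process(p) for p in packets]


if __name__ == "__main__":
    # Constructed traffic: one benign handshake start, then a SYN burst from one host.
    benign = Packet("198.51.100.7", "192.0.2.10", "tcp", {"SYN"})
    burst = [Packet("203.0.113.9", "192.0.2.10", "tcp", {"SYN"}) for _ in range(12)]
    print(screen([benign] + burst))
```

The split mirrors the abstract's division of labour: stage 1 needs only per-packet matching plus a few counters, which is what fits in hardware, while stage 2 consumes a small feature vector, so a classifier in software never sees raw payload. A single SYN from a host is forwarded; the burst crosses the threshold at its ninth SYN with the constructed weights.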