Researchers at Queen's University in Belfast are working on a
content filtering system capable of scanning internet traffic at
more than 10 gigabits per second (gbps).
The project, based at the new £25m Centre for Secure Information
Technologies (CSIT), aims to develop ground-breaking computer
hardware to tackle cybercrime.
The technology could revolutionise internet security by enabling
internet service providers to disinfect users' broadband
connections, which could potentially eliminate the need to use
desktop anti-malware software.
The researchers say that current data processing hardware cannot
analyse internet traffic fast enough to enable every suspicious
online conversation, virus-bearing e-mail and request to visit a
"bad" website to be detected and blocked automatically and
immediately.
The way security is managed today is impractical if services
based on cloud computing are to thrive. Users are expected to keep
their PCs fully patched - not only the operating system, but every
installed application poses a potential threat. Project leader
Sakir Sezer says, "Eighty per cent of a PC's computational power is
used on anti-virus scanning, and firewalls are no longer effective
at stopping cybercrime. We need to secure the network." He adds
that real-time analysis provides early detection of distributed
denial of service attacks.
"Because conventional processor technology can only deal with
information character by character, it is far too slow to analyse
internet traffic in real time. We are developing parallel
processors which can be scaled to process up to 32 characters
(256-bit) at once, making real-time inspection of huge data volumes
possible for the first time. Network providers will be able to
install and use this technology to provide much better protection
for internet users, an advanced user experience (ie, quality of
service), and efficient utilisation/management of network
resources."
A field programmable gate array (FPGA) is used to program
content filtering rules. The project will eventually use a custom
chip that can be programmed to analyse internet content in real
time. The application-specific integrated circuit (Asic) uses a
64-bit data path. Rules can be programmed using the Perl
Compatible Regular Expressions (PCRE) scripting language.
Sezer's team also aims to use PCRE to optimise rules that enable
processing hardware to decide, based on the nature of the internet
traffic, which website requests to block, which word sequences may
indicate threatening behaviour, which traffic may be generated by
malicious software (malware, adware, spyware, botware), and which
unsolicited e-mails may carry damaging content (viruses, worms,
spam).
The team has built a 10gbps prototype using an FPGA chip. A
128-bit design based on an Asic is on the drawing board, which
would double the bandwidth to 20gbps. This architecture has the
potential to run at 400MHz, which could enable content filtering at
40gbps.
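
The contrast Sezer draws between character-by-character processing and handling 32 characters at once can be illustrated in software. The following is an added example, not CSIT's design (which the article does not detail): it shows one general technique, in which each byte lane computes its state-transition function independently and the lanes are then combined in a tree. The signature, payloads and function names are constructed for illustration.

```python
# Added illustration: the signature, payloads and DFA below are constructed,
# not rules or logic from the CSIT hardware.

def build_dfa(sig: bytes):
    """Byte-at-a-time matcher (KMP automaton); state len(sig) means 'seen'."""
    m = len(sig)
    dfa = [[0] * 256 for _ in range(m + 1)]
    dfa[0][sig[0]] = 1
    fallback = 0
    for j in range(1, m):
        dfa[j] = dfa[fallback][:]          # mismatch: behave like fallback state
        dfa[j][sig[j]] = j + 1             # match: advance
        fallback = dfa[fallback][sig[j]]
    dfa[m] = [m] * 256                     # accepting state is sticky
    return dfa

def scan_serial(dfa, data: bytes) -> int:
    state = 0
    for b in data:                         # each step waits for the previous one
        state = dfa[state][b]
    return state

def compose(f, g):
    """Transition function for 'f then g'; composition is associative."""
    return tuple(g[s] for s in f)

def scan_wide(dfa, data: bytes, width: int = 32) -> int:
    n, state = len(dfa), 0
    for off in range(0, len(data), width):
        # Each lane maps every possible state through its own byte,
        # so no lane depends on its neighbours.
        fns = [tuple(dfa[s][b] for s in range(n)) for b in data[off:off + width]]
        while len(fns) > 1:                # pairwise tree, log2(width) levels
            paired = [compose(fns[i], fns[i + 1]) for i in range(0, len(fns) - 1, 2)]
            fns = paired + fns[len(fns) & ~1:]
        state = fns[0][state]              # one state update per block
    return state

SIG = b"evil.example"                      # constructed signature
DFA = build_dfa(SIG)
# Constructed payloads; in BAD the signature straddles the 32-byte block boundary.
BAD = b"GET /a.html HTTP/1.1\r\nHost: evil.example\r\n\r\n"
GOOD = b"GET /a.html HTTP/1.1\r\nHost: good.example\r\n\r\n"

def flagged(data: bytes, width: int = 32) -> bool:
    return scan_wide(DFA, data, width) == len(SIG)
```

Because the carried state is updated once per block rather than once per byte, a match that spans two blocks is still detected, and the result is identical to the serial scan for any block width.
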
On the buses
Network monitoring has other applications beyond cleansing
internet traffic. CSIT is also running a video analytics project to
help combat anti-social behaviour on buses.
A prototype system is attempting to perform behavioural analysis
on the video stream from a bus's cameras. "By the end of the
six-year project we would like to demonstrate real-time alerts,"
says research director Paul Miller.
The system is designed to identify trouble-makers or potentially
volatile situations automatically, and decide when to flag up the
situation to an operator. The techniques used are analogous to
tracking events using network monitoring software.