Content monitoring breaks 10gpbs barrier

Researchers at Queens University in Belfast are working on a content filtering system capable of scanning internet traffic at more than 10 gigabits per...

Researchers at Queens University in Belfast are working on a content filtering system capable of scanning internet traffic at more than 10 gigabits per second (gbps).

The project, based at the new £25m Centre for Secure Information Technologies (CSIT), aims to develop ground-breaking computer hardware to tackle cybercrime.

The technology could revolutionise internet security by enabling internet service providers to disinfect users' broadband connections, which could potentially eliminate the need to use desktop anti-malware software.

The researchers say that current data processing hardware cannot analyse interenet traffic fast enough to enable every suspicious online conversation, virus-bearing e-mail and request to visit a "bad" website, to be detected and blocked automatically and immediately.

The way security is managed today is impractical if services based on cloud computing are to thrive. Users are expected to keep their PCs fully patched - not only the operating system, but every installed application poses a potential threat. Project leader Sakir Sezer says, "Eighty per cent of a PC's computational power is used on anti-virus scanning, and firewalls are no longer effective at stopping cybercrime. We need to secure the network." He adds that real-time analysis provides early detection of distributed denial of service attacks.

"Because conventional processor technology can only deal with information character by character, it is far too slow to analyse internet traffic in real time, We are developing parallel processors which can be scaled to process up to 32 characters (256-bit) at once, making real-time inspection of huge data volumes possible for the first time. Network providers will be able to install and use this technology to provide much better protection for internet users, an advanced user experience (ie, quality of service), and efficient utilisation/management of network resources."

A field programmable gate array (FPGA) is used to program content filtering rules The project will eventually use a custom chip that can be programmed to analyse internet content in real time. The application-specific integrated circuit (Asic) uses a 64-bit data path. Rules can be programmed in using the Perl Compatible Regular Expressions (PCRE) scripting language.

Sezer's team also aims to use PCRE to optimise rules that enable processing hardware to decide, based on the nature of the internet traffic, which website requests to block, which word sequences may indicate threatening behaviour, which traffic may be generated by malicious software (malware, adware, spyware, botware), and which unsolicited e-mails may carry damaging content (viruses, worms, spam).

The team has built a 10gbps prototype using an FPGA chip. A 128-bit design based on an Asic is on the drawing board, which would double the bandwidth to 20gbps. This architecture has the potential to run at 400MHz, which could enable content filtering at 40gbps.

On the buses

Network monitoring has other applications beyond cleansing internet traffic. CSIT is also running a video analytics project to help combat anti-social behaviour on buses.

A prototype system is attempting to perform behavioural analysis on the video stream from a bus's cameras. "By the end of the six-year project we would like to demonstrate real-time alerts," says research director Paul Miller.

The system is designed to identify trouble-makers or potentially volatile situations automatically, and decide when to flag up the situation to an operator. The techniques used are analogous to tracking events using networking monitoring software.

Read more on Antivirus, firewall and IDS products