Intrusion detection system FPGA


mihai5

Question

An answer will be very useful for me to know which direction to take.
I want to make an IDS on Zedboard. I want to get the payload from each TCP/IP packet received through the eth interface and send it from the PS part to the PL part.
In the PL part I also need a database of payload signatures already known as malicious, for comparing against each payload received from the PS part.
First of all, I don't know if this is a good idea, and then I don't know how to manage the database of signatures in the PL part (maybe through a new stream connected directly through the eth interface to an external database, since the database will be quite large in size).
Do you think it is suitable for me to make my project in the way described above?
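The question describes two pieces: pulling the TCP payload out of each received Ethernet frame, and matching that payload against a set of known-bad signatures. The C below is an added example, not code from the thread or from any Zedboard project; it is the software reference a PS-side implementation would use, and the baseline a hardware string matcher would be timed against. The signature set (`SIGS`), the table sizes (`MAX_STATES`, `ALPHABET`) and the frame-building helper `make_frame` are assumptions for this example. The matcher is an Aho-Corasick automaton kept in flat fixed-size tables, which is the shape that ports to HLS or to an RTL table lookup, and the payload extractor checks every length field against the captured length so a malformed header cannot make the scanner read past the frame.

```c
#include <stdint.h>
#include <string.h>

/* Signature set and table sizes are assumptions made for this example. */
static const char *const SIGS[] = { "EVILPAYLOAD", "/etc/passwd", "cmd.exe" };
#define NSIGS      3
#define MAX_STATES 64
#define ALPHABET   256

/* Aho-Corasick automaton in flat fixed-size tables (HLS-friendly):
 * one table lookup per payload byte, no backtracking. */
static int      ac_next[MAX_STATES][ALPHABET];  /* transitions, -1 = not yet defined */
static int      ac_fail[MAX_STATES];
static uint32_t ac_out[MAX_STATES];             /* bit i set: SIGS[i] ends in this state */

static void ac_build(void)
{
    int nstates = 1;                            /* state 0 is the root */
    memset(ac_next, -1, sizeof ac_next);
    memset(ac_out, 0, sizeof ac_out);
    for (int i = 0; i < NSIGS; i++) {           /* 1. insert every signature into the trie */
        int s = 0;
        for (const unsigned char *p = (const unsigned char *)SIGS[i]; *p; p++) {
            if (ac_next[s][*p] < 0) ac_next[s][*p] = nstates++;
            s = ac_next[s][*p];
        }
        ac_out[s] |= 1u << i;
    }
    int queue[MAX_STATES], head = 0, tail = 0;  /* 2. BFS: failure links, then every
                                                 *    undefined transition is resolved */
    for (int c = 0; c < ALPHABET; c++) {
        int t = ac_next[0][c];
        if (t < 0) ac_next[0][c] = 0;
        else { ac_fail[t] = 0; queue[tail++] = t; }
    }
    while (head < tail) {
        int s = queue[head++];
        for (int c = 0; c < ALPHABET; c++) {
            int t = ac_next[s][c];
            if (t < 0) { ac_next[s][c] = ac_next[ac_fail[s]][c]; continue; }
            ac_fail[t] = ac_next[ac_fail[s]][c];
            ac_out[t] |= ac_out[ac_fail[t]];    /* inherit matches of shorter suffixes */
            queue[tail++] = t;
        }
    }
}

/* Returns a bitmask of every signature that occurs anywhere in the payload. */
static uint32_t ac_scan(const uint8_t *data, size_t len)
{
    uint32_t hits = 0; int s = 0;
    for (size_t i = 0; i < len; i++) { s = ac_next[s][data[i]]; hits |= ac_out[s]; }
    return hits;
}

/* Locate the TCP payload in an Ethernet frame. Each length field is checked against
 * the captured length before use, so a crafted IHL, total length or data offset
 * cannot push the scan past the buffer. Returns payload length, or -1 if not IPv4/TCP. */
static int tcp_payload(const uint8_t *f, size_t flen, const uint8_t **payload)
{
    if (flen < 14 + 20 + 20 || f[12] != 0x08 || f[13] != 0x00) return -1;
    const uint8_t *ip = f + 14;
    size_t ihl = (ip[0] & 0x0f) * 4, iplen = ((size_t)ip[2] << 8) | ip[3];
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -1;     /* 6 = TCP */
    if (iplen < ihl + 20 || iplen > flen - 14) return -1;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > iplen) return -1;
    *payload = tcp + doff;
    return (int)(iplen - ihl - doff);
}

/* Constructed test input: a minimal IPv4/TCP frame around a text payload.
 * Checksums stay zero because the matcher never validates them. */
static size_t make_frame(uint8_t *buf, const char *text)
{
    size_t n = strlen(text), iplen = 40 + n;
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;             /* EtherType IPv4 */
    buf[14] = 0x45;                             /* version 4, IHL 5 */
    buf[16] = (uint8_t)(iplen >> 8); buf[17] = (uint8_t)iplen;
    buf[23] = 6;                                /* protocol TCP */
    buf[46] = 0x50;                             /* TCP data offset 5 */
    memcpy(buf + 54, text, n);
    return 54 + n;
}

/* Wrap a payload in a frame, extract it again and scan it; returns the hit mask. */
uint32_t ids_check_text(const char *text)
{
    static int built; uint8_t frame[256]; const uint8_t *p;
    if (!built) { ac_build(); built = 1; }
    int n = tcp_payload(frame, make_frame(frame, text), &p);
    return n < 0 ? 0 : ac_scan(p, (size_t)n);
}

/* A frame whose IP total length exceeds what was captured must be rejected. */
int ids_rejects_oversized_length(void)
{
    uint8_t frame[256]; const uint8_t *p;
    size_t n = make_frame(frame, "/etc/passwd");
    frame[16] = 0xff;                           /* claim a 65 KB IP packet in a 65-byte frame */
    return tcp_payload(frame, n, &p) == -1;
}
```

`ids_check_text("GET /etc/passwd HTTP/1.0")` returns bit 1 set, one bit per matched signature. The two-phase build (trie, then BFS) is done once per signature set; the scan loop is the part that would move into the PL, and because every transition is pre-resolved it is a single indexed read per byte, which is what makes it a fair thing to time against a hardware version.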

5 answers to this question


@mihai5,

Good idea?  Well ... it's not how I would approach an IDS problem.  Gosh ... brings back memories too ... my first job for the gov't was building an IDS system ...

Personally, I'd keep it all in the PS.  Databases of signatures are ... hard to do on the PL side.  As it is, you have to touch every byte in the packet *anyway*, so ... why not keep it in the PS?

Were I to build an IDS system, I'd consider focusing my efforts on building a better ethernet controller or some such.  While I don't know about the ZedBoard's ethernet controller, I do know that the one I built personally for my OpenArty design could ... use some optimization in case I ever wished to do this sort of thing with it.  In particular, you'd like to be able to hold on to as many packets as possible while waiting for the PS side to "catch up", and only drop packets if your buffer got too full for the PS to keep up with.

Dan


@mihai5

It is impossible to give reasonable advice based on the very little information you provided. The decision to go ahead should be based on the constraints and resources of the project, including: how much time do you have for developing this project, is it a production or an educational project, how big is the signature database, what is the TCP/IP data rate, how long may signature identification take for the device to be usable, what is the expected gain in performance, etc.


Thank you for your answers.

@D@n

I really want to involve the PL part in this project because my project must be a proof of concept for acceleration of string matching in hardware.

@Notarobot
I want to develop an educational project for a full 1-month term. Being a school project, the signature database (string database) will not be a very big one, just enough to prove that the hardware implementation is faster in terms of time than the software implementation.


@mihai5,

I'll just say that wouldn't be my approach to the problem.  If the data stream has to go through the CPU, you've already lost most of the benefit of the PL.

As for being a 1-month project, be careful what you are getting into.  The project could easily be a two-year project depending upon your goals.  If it's going to be 1 month only, make sure you start in an office that has all the tools in place and that is already successfully doing development on the board.  Otherwise those nit-picking little items will kill your project.

Dan


@mihai5

In my personal opinion one month seems to be very inadequate. I think that just going from the vague concept to the development of requirements and testing might take one month. There are a lot of design choices you need to make and learn how to implement.

Perhaps, you can try to use HLS and simulate the concept.

Good luck!


Archived

This topic is now archived and is closed to further replies.
