This document discusses application-specific instruction-set processors (ASIPs) for network intrusion detection systems (NIDS). It evaluates the performance of running Snort, an open-source NIDS software, on various microprocessors including V850, OR1K, MIPS32, ARM7TDMI and PowerPC32. Optimization techniques like compiler optimizations can improve performance by up to 30% on some processors. ARM7TDMI performance improved most with offered optimization levels focusing on loops and jumps. ASIPs provide flexibility over ASICs for updating attack signatures. Future work includes optimizing compilers and designing custom processors.

1. What is ASIP ?

2. By growing and development of computer networks and generalizing the use of
modern services on the information platform, the importance of
communication and information security is considered more than the other
times by network representations and users. Presented reports by response
computer incident different groups show the wide growth of computer attacks
in the recent years. In this case Network Intrusion Detection Systems (NIDS) as
one of the Intrusion Detection System (IDS) types, are be transformed to the
utilization systems for establishing the security levels and detecting the illegal
activities in the network. This research includes an IDS which is written in C
programming language that uses 15597 Snort rules and MIT Lincoln Lab
network traffic. By running this security application on the V850, OR1K,
MIPS32, ARM7TDMI and PowerPC32 microprocessors
Abstract

3. Introduction
One of the main reasons for using the IDS even with firewall on the network is
less security of firewalls against the attacks that occur by the different soft-
wares to organization data and information.
For example Nimda, Code red and Slammer worms.
In this research, using the expandable and efficient microprocessors for
implementation of NIDS is for two reasons: one for flexibility in system
reconfiguration and the other is for performance. Note that the networks
are vulnerable to new attack patterns, so updating the attack patterns in
NIDS is inevitable. In the other hand achieving to high performance
seems possible because of microprocessor hardware architectures.

4. Software Works
Since many NIDS software systems have been introduced in the form of open
source or commercial but none of them have found the popularity and
universality of Snort. (snort.org)
Snort is open source software and a network packet sniffer
with a packet log recorder and IDS that attempts to
detect the complex attacks to the network.
• Snort has a huge database of attack patterns.
• Snort compares character patterns in the network traffic with its own set of
defined rules by pattern matching algorithms
• detection engine for improving the pattern searching such as Boyer-Moore,
AhoCorasick and combination methods such as AC-BM.

5. Software intrusion detection on a conventional is executed on
the General Purpose Processors (GPP) and therefore being
slow of this method is its most important disadvantages.
Challenge

6. This section considers performance evaluation of V850, OR1K, MIPP32 from MIPS
series, ARM7TDMI from ARM series and PowerPC32 from PowerPC
microprocessors for execution of written network intrusion detection application.
Performance Evaluation

7. First standard work
The Cyber Systems and Technology Group of MIT Lincoln Laboratory,
under Defense Advanced Research Projects Agency (DARPA) and Air
Force Research Laboratory sponsorship
find the strength and weaknesses of existing approaches and lead to
large performance improvements and valid assessments of intrusion
detection systems.
This research uses five hundred thousand packets from simulation output traffic

8. Implementation
 Snort
 How run and test snort in different types of processors?
Open Virtual Platform
OVP uses libraries of processor and behavioral models, and APIs for
building the own processors, peripherals and platforms.
OVP is flexible and is free for noncommercial usages.

9. simulation
version 2/23/2011 of OVP simulator program is used on a laptop with Windows XP SP2, 1.60 GHz CPU and
512 MB RAM. The simulation has used the basic microprocessors without cache.
All microprocessors have the same nominal speed, and are equal to 100MHz.

10. Run-time of intrusion detection application for five hundred thousand packets

11. Optimization
A compiler is likely to perform many or all of the following operations:
lexical analysis, preprocessing, parsing, semantic analysis (Syntax-
directed translation), code generation, and code optimization.
 the frontend: syntax and semantics
 the middle-end: optimization
 and the backend: assembly code

12. GCC
The GCC is a compiler system produced by the GNU Project supporting
various programming languages.(C++, JAVA, Ada, Pascal,…)
The GCC also has its own predefined levels of optimization which begin with –O and include: –O or –O1, –
O2, –O3, –O0 and Os. (https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html)
Performance increase percent of microprocessors by using predefined optimization levels for five hundred thousand packets

13. Optimization with Offered Optimization Level
focusing on ARM7TDMI
too loops
many iteration
long jumps
-O2 -freduce-all-givs -fmove-all-movables -mcpu=arm7 -fnew-ra
-fno-expensive-optimizations -fno-force-mem
-fno-guess-branch-probability -fno-if-conversion2 -fno-crossjumping
Offered solution (https://gcc.gnu.org/onlinedocs/gcc-4.1.0/gcc/Optimize-Options.html)

14. Performance increase percent of ARM7TDMI microprocessor in O2 and offered level

15. Using microprocessor for performing intrusion detection led to the
problems such as attack signature updating are resolved which is in
ASICs, because of the flexibility of microprocessors.
This flexibility is related to the software which is run by microprocessor.
Conclusion
Future works
Optimize complier's back-end for generate appropriate assembly
codes for different types of CPUs
Design specific processors for specific operations or functions.