Internet Worm and Virus Protection for Very High-Speed Networks
John Lockwood
Washington University in Saint Louis
lockwood@arl.wustl.edu - (314) 935-4460 - http://www.arl.wustl.edu/~lockwood

Abstract
The security of the Internet can be improved using reconfigurable hardware. A platform has been implemented that actively scans and filters Internet traffic at multi-Gigabit/second rates using reconfigurable hardware. Modular components implemented in FPGA logic process packet headers and scan for signatures of malicious software (malware) carried in packet payloads. Additional FPGA circuits track the state of Transmission Control Protocol (TCP) flows. Regular Expressions and fixed-string scanning circuits are implemented in parallel hardware. Dynamic reconfiguration enables remote modules to be reconfigured to scan for new signatures. Network-wide protection is achieved by the deployment of multiple systems throughout the Internet.

Introduction
Computer viruses and Internet worms cause billions of dollars in lost productivity. Well-known Internet worms like Nimda, Code Red and Slammer contain strings of malicious code that can be detected as they flow through the network. By processing the content of Internet traffic in real-time, a computer virus or Internet worm can be detected and prevented from propagating. Our system scans the full payload of packets to route, block, and account for the content in the flow. One challenge in implementing the system was that the location of a signature in the packet payload was not deterministic--it could appear at any position within the traffic flow. Another challenge to implementing the system was that signatures could span multiple packets and be interleaved among multiple traffic flows. The paper will describe how these challenges were met and overcome.

Related Work
A common requirement for network intrusion detection and prevention systems is to search for predefined signatures in the packet payload. Since conventional software-based algorithms for deep packet inspection have not kept pace with high-speed networks, hardware-based solutions are desirable. Hence, important building blocks of these systems include fast signature matching and protocol processing circuits. Most systems in this class have a common requirement for string matching. For example, a media file can be characterized by the presence of a string of bytes (for the rest of the paper, a string is synonymous with a signature) and its transmission across a link can be monitored by looking for the presence of this string on the link.

Key Contribution
Our key contribution is to envision, design and develop a cohesive malware protection system that includes an FPGA-based network platform, Internet protocol processing circuits, content matching modules, and automated design tools to enable the implementation and timely updating of network security applications in reconfigurable hardware. The system allows for the immediate blocking of known viruses and may be rapidly reprogrammed to recognize and block new threats. These upgrades are system-driven, and are not dependent upon actions by the end users to assure that the protection remains up to date.

Blue Coat Systems - Exhibit 1029 Page 1

Report Documentation Page (Standard Form 298, Rev. 8-98)

1. Report date: 20 AUG 2004
2. Report type: N/A
4. Title and subtitle: Internet Worm and Virus Protection for Very High-Speed Networks
7. Performing organization name(s) and address(es): Washington University in Saint Louis
12. Distribution/availability statement: Approved for public release, distribution unlimited
13. Supplementary notes: See also ADM001694, HPEC-6-Vol 1 ESC-TR-2003-081; High Performance Embedded Computing (HPEC) Workshop (7th). The original document contains color images.
16. Security classification of: a. report: unclassified; b. abstract: unclassified; c. this page: unclassified
17. Limitation of abstract: UU
18. Number of pages: 35

The system’s foundation is the Field-programmable Port Extender (FPX), which is implemented with two FPGAs, five banks of memory and two high-speed (OC-48 rate) network interfaces. The network interfaces connect to one of several types of Gigabit-speed line cards, including several types of Gigabit Ethernet and ATM interfaces. On the FPX, one FPGA is used to route individual traffic flows through the device, while the other is dynamically reconfigured over the network to perform customized packet processing functions. Using the latest FPGA technology, the system could easily scale to process 10 Gigabit/second OC-192 flows.

A TCP/IP wrapper, implemented in FPGA logic, reconstructs the flow of transmitted data by tracking sequence numbers of consecutive packets to provide a byte-ordered data stream to the content scanning engines. This means that even if a malware signature has been fragmented across multiple packets, it will still be detected and blocked. In order to maintain the state of multiple traffic flows, the system architecture has been designed to store the state of a TCP/IP flow in memory. Given that each flow occupies 64 bytes of memory, one 512 Mbyte SDRAM module (about half of the memory on the FPX) can track 8 million simultaneous traffic flows.

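The per-flow state tracking described above can be modelled in software. The following is an added example, not code from the paper or the FPX project: the class and function names, the KMP-style automaton, the policy of holding early segments until the gap fills, and the sample trace are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

FLOW_RECORD_BYTES = 64             # per-flow state size stated in the text
SDRAM_BYTES = 512 * 2**20          # one 512 Mbyte SDRAM module


def max_flows(memory=SDRAM_BYTES, record=FLOW_RECORD_BYTES):
    """Flow records that fit in one module: 8,388,608, i.e. about 8 million."""
    return memory // record


def failure_table(sig):
    """KMP failure function: the state to fall back to after a mismatch."""
    fail, k = [0] * len(sig), 0
    for i in range(1, len(sig)):
        while k and sig[i] != sig[k]:
            k = fail[k - 1]
        if sig[i] == sig[k]:
            k += 1
        fail[i] = k
    return fail


@dataclass
class FlowState:
    next_seq: int                                 # next expected sequence number
    state: int = 0                                # automaton state saved between packets
    held: dict = field(default_factory=dict)      # early segments by seq (assumed policy)


class FlowScanner:
    """Hypothetical software model; sequence-number wraparound is ignored."""

    def __init__(self, signature):
        self.sig, self.fail = signature, failure_table(signature)
        self.flows = {}                           # flow id -> FlowState

    def _scan(self, flow, data):
        hit = False
        for b in data:
            while flow.state and b != self.sig[flow.state]:
                flow.state = self.fail[flow.state - 1]
            if b == self.sig[flow.state]:
                flow.state += 1
            if flow.state == len(self.sig):       # whole signature seen in this flow
                hit = True
                flow.state = self.fail[flow.state - 1]
        flow.next_seq += len(data)
        return hit

    def packet(self, flow_id, seq, payload):
        """Feed one segment; True if it completes the signature in its flow."""
        flow = self.flows.setdefault(flow_id, FlowState(next_seq=seq))
        if seq > flow.next_seq:                   # gap: hold until earlier bytes arrive
            flow.held[seq] = payload
            return False
        hit = self._scan(flow, payload[flow.next_seq - seq:])  # skip retransmitted bytes
        while flow.next_seq in flow.held:         # drain segments that are now in order
            hit |= self._scan(flow, flow.held.pop(flow.next_seq))
        return hit


SIGNATURE = b"ViRuS-SAMPLE"                       # constructed, harmless test string
STREAM_A = b"GET /x " + SIGNATURE + b" end"       # constructed flow carrying the signature
TRACE = [                                         # (flow, seq, payload), constructed
    ("A", 1000, STREAM_A[:10]),                   # ends in the middle of the signature
    ("B", 5000, b"note: ViRu"),                   # benign flow sharing a prefix
    ("A", 1016, STREAM_A[16:]),                   # arrives early, out of order
    ("B", 5010, b"ses mutate"),
    ("A", 1010, STREAM_A[10:16]),                 # fills the gap; match completes here
]


def run_trace(trace=TRACE, signature=SIGNATURE):
    scanner = FlowScanner(signature)
    return [scanner.packet(*pkt) for pkt in trace]


if __name__ == "__main__":
    print(max_flows(), run_trace())
```

No single payload in the trace contains the whole signature, so a scanner that inspects each packet in isolation reports nothing; only the saved per-flow state lets the last segment of flow A trigger the match.
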
Two methods are used to search for signatures: a finite automaton scans for regular expressions and a Bloom filter scans for fixed strings. The number of regular expressions that can be searched grows with the amount of FPGA logic on the device, while the number of fixed strings that can be searched grows with the size of on-chip RAM. A Bloom filter allows a scanning engine to identify up to 1,700 fixed-length strings. Both types of engine can scan traffic at 600 Mbps. By implementing four engines that run in parallel, the FPX can process data at a rate of 2.4 Gigabits per second using a single Xilinx Virtex 2000E FPGA.

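Fixed-string scanning with a Bloom filter, followed by an exact comparison that resolves false positives, can be sketched as below. This is an added example, not the paper's hardware design: the filter sizes, the number of hash functions, the use of BLAKE2b with double hashing, and the 1,700 sample strings are assumptions chosen for illustration.

```python
import hashlib
import math


def false_positive_rate(n, m_bits, k):
    """Standard Bloom filter estimate f = (1 - e^(-k*n/m))^k."""
    return (1.0 - math.exp(-k * n / m_bits)) ** k


class BloomScanner:
    """Hypothetical software model of a fixed-length string scanner."""

    def __init__(self, signatures, m_bits=32768, k=4):
        lengths = {len(s) for s in signatures}
        if len(lengths) != 1:
            raise ValueError("one filter holds strings of a single length")
        self.w = lengths.pop()                    # window width in bytes
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)  # models the on-chip bit vector
        self.exact = set(signatures)              # backing store for the resolver
        for s in signatures:
            for i in self._indexes(s):
                self.bits[i >> 3] |= 1 << (i & 7)

    def _indexes(self, window):
        # k bit positions derived from one digest (double hashing): a software
        # stand-in for the k hash circuits a hardware filter would evaluate.
        d = hashlib.blake2b(window, digest_size=16).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def _maybe(self, window):
        return all(self.bits[i >> 3] & (1 << (i & 7)) for i in self._indexes(window))

    def scan(self, stream):
        """Return (offsets of confirmed signatures, false positives resolved)."""
        confirmed, resolved = [], 0
        for off in range(len(stream) - self.w + 1):
            window = stream[off:off + self.w]
            if self._maybe(window):               # Bloom filter: "possibly present"
                if window in self.exact:          # resolver: exact comparison
                    confirmed.append(off)
                else:
                    resolved += 1
        return confirmed, resolved


# Constructed data: 1,700 eight-byte strings and a stream containing two of them.
SIGNATURES = [b"SIG%05d" % i for i in range(1700)]
STREAM = (b"A" * 100 + SIGNATURES[42] + b"benign payload bytes"
          + SIGNATURES[1699] + b"tail")


def compare_filter_sizes():
    """Same signatures and stream, one adequately sized filter and one far too small."""
    roomy = BloomScanner(SIGNATURES, m_bits=32768, k=4).scan(STREAM)
    tiny = BloomScanner(SIGNATURES, m_bits=64, k=4).scan(STREAM)
    return roomy, tiny


if __name__ == "__main__":
    print(compare_filter_sizes(), false_positive_rate(1700, 32768, 4))
```

Both filters report the same confirmed offsets, because a Bloom filter never misses a stored string and the exact comparison discards the rest; the undersized filter only increases the work the resolver has to do.
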
An automated design flow builds packet scanning circuits in hardware. Custom circuits are built by an automated program that reads a list of signatures from a database table, optimizes each finite automaton, integrates Internet protocol processing hardware, compiles the circuit into gates, routes and places the circuit into an FPGA, and then reconfigures remote devices over the network.

Conclusions
We have designed and developed a system that blocks the spread of Internet worms and computer viruses. Our system uses reconfigurable hardware to scan Internet traffic for malware. Malware is identified by signatures that may consist of either fixed strings or regular expressions. TCP/IP flows are tracked so that signatures spanning multiple packets can be detected. An automated design flow allows new circuits to be rapidly deployed to protect the network against new attacks.

References
• J. W. Lockwood. An open platform for development of network processing modules in reprogrammable hardware. In IEC DesignCon’01, pages WB–19, Santa Clara, CA, Jan. 2001.
• R. Sidhu and V. K. Prasanna. Fast Regular Expression Matching using FPGAs. Field-Programmable Custom Computing Machines (FCCM), Rohnert Park, CA, Apr. 2001.
• R. Franklin, D. Carver, and B. Hutchings. Assisting network intrusion detection with reconfigurable hardware. Field-Programmable Custom Computing Machines (FCCM), Apr. 2002.
• M. Fisk and G. Varghese. Fast content-based packet handling for intrusion detection. Technical Report CS2001-0670, University of California, San Diego, 2001.
• J. W. Lockwood, N. Naufel, J. S. Turner, and D. E. Taylor. Reprogrammable Network Packet Processing on the Field Programmable Port Extender (FPX). In ACM International Symposium on Field Programmable Gate Arrays (FPGA), pages 87–93, Monterey, CA, USA, Feb. 2001.
• J. Moscola, J. Lockwood, and R. P. Loui. Implementation of a Content-Scanning Module for an Internet Firewall. Field-Programmable Custom Computing Machines (FCCM), Apr. 2003.
• M. Necker, D. Contis, and D. Schimmel. TCP-Stream Reassembly and State Tracking in Hardware (poster). Field-Programmable Custom Computing Machines (FCCM), Apr. 2002.
• D. V. Schuehler and J. W. Lockwood. TCP-Splitter: A TCP/IP Flow Monitor in Reconfigurable Hardware. Symposium on High Performance Interconnects (HotI), pages 127–131, Stanford, CA, USA, Aug. 2002.

Internet Worm and Virus Protection for Very High-Speed Networks

John W. Lockwood
Professor of Computer Science and Engineering
lockwood@arl.wustl.edu
http://www.arl.wustl.edu/~lockwood

Research Sponsor: http://www.globalvelocity.info/

Internet Worms and Viruses

• The problem with worms and virus attacks
  – Annoyance to users
  – Costly to businesses (lost productivity)
  – Security threat to government (compromised data)

• Recent Attacks
  – Nimda, Code Red, Slammer
  – MSBlast
    • Infected over 350,000 hosts in Aug. 16, 2003
  – SoBigF
    • Infected 1 million users in first 24 hours
    • Infected > 200 million in the first week
    • Caused an estimated $1 billion in damages to repair.

• Detectable by a Signature in Content
  – Pattern of bytes
  – Regular Expression
  – Morphable pattern

Challenges to Stopping Worm and Virus Attacks

• End-systems difficult to maintain
  – Operating systems become outdated
  – Users introduce new machines on network

• Internet contains several types of traffic
  – Web, file transfers, telnet
  – Data may appear anywhere in the packet

• Networks process High Speed Data
  – Multi Gigabit/second data transmission rates now commonplace in campus, corporate, and backbone networks
  – Peer-to-Peer protocols dominate current and future traffic
  – Need Real-time gathering
    • No latency can be tolerated

Virus/Worm/Data Spread in Unprotected Networks

[Figure, shown on four consecutive slides (Exhibit pages 7-10): network diagram with nodes labelled Carrier NAP, Small Town U.S.A. NAP, Los Angeles NAP, St. Louis NAP, University X, Locations A, B and C, and Depts A, B and C.]

Virus/Worm/Data Containment in Protected Networks

[Figure: network diagram with labels Los Angeles NAP, St. Louis NAP, and Content Scanning and Protection Device.]

Content Scanning Technology

• Fiber optic Line Cards
  – Gigabit Ethernet
  – ATM OC-3 to OC-48

• Reconfigurable Hardware
  – Uses Field Programmable Port Extender (FPX) Platform
  – Protocol processing and content scanning performed in hardware
  – Reconfigurable over the network

• Chassis / Motherboard
  – Allows Modules to Stack

Field-programmable Port Extender (FPX)

[Figure: block diagram with labels Reconfigurable Application Device (RAD) FPGA; Network Interface Device (NID) FPGA; Off-chip Memories (ZBT SRAM) on two sides of the RAD; RAD Program SRAM; NID Program PROM; Subnet A; Subnet B; 2.4 Gigabit/sec Network Interfaces.]

Remotely reprogramming hardware over the network

[Figure with labels: New module developed; Content Matching Server generates new module in programmable logic; Module bitfile transmitted over network; New module deployed into FPX hardware.]

Data Scanning Technologies

• Protocol Processing
  – Layered Protocol Wrappers
  – Process Cells/frames/packets/flows in hardware

• Regular Expression Matching
  – Deterministic Finite Automata (DFA)
  – Dynamically programmed into FPGA logic

• Fixed String Matching
  – Bloom Filters
  – Dynamically programmed into BlockRAMs

Regular Expression Matching with Finite Automata

[Figure not recoverable. Attribution on slide: Moscola et al.]

String Matching with Bloom Filters

[Figure: block diagram including a False Positive Resolver. Attribution on slide: Dharmapurikar et al.]

Complete Protection System

[Figure with labels: Network Aggregation Point (NAP); Switch/Concentrator; Global Velocity DED; Router/Switch; Regional Transaction Processor (RTP); Content Matching Server (CMS)/Central Storage and Backup System (CSBS).]

System Components

• Hardware-based Data Processing
  – FPGA bitfile transferred over network to reconfigurable hardware
  – Content scanned in hardware with parallel Finite State Machines (FSMs)
  – Control messages sent over network allow blocking/unblocking of data

• Software-based System Generation
  – Web-based control and configuration
  – SQL Database stores signature patterns
  – Finite State Machines created with JLEX
  – VHDL-specified circuits generated, instantiated, and integrated with Internet protocol processing wrappers

Selecting the Search Strings

[Screenshot: web page listing the configured search strings, each row with EDIT and DELETE buttons, an id, a search string and a description. Legible search strings include !HEX(6c744e5076), ViRuS and !HEX(683063423739). Descriptions listed: Clear and Present Danger; An Email Virus; WashU Copyright; Terrorist Last Name; Terrorist First Name; Confidential Information; Medical Record; Internet Worm; SoBigF Internet Worm (MIME64).]

Edit Search Strings

[Screenshot: "Manage DED Library" page of the web interface (menu: SYSTEM OVERVIEW, PROGRAM DED, MANAGE ACCOUNTS, ONLINE SUPPORT), editing one entry. Fields shown: search_string: !HEX(683063423739); description: SoBigF Internet Worm (MIME64); Author; Value. Button: Update Entry.]

Program the Hardware

[Screenshot: web page titled "Define which device will be modified", with fields Server Address, DED IP Address, Port and Stack, and the text: Click "Program DED Now" below to modify the predefined hardware devices. This process can take about 10 minutes.]

Modular Design Flow (our contribution)

[Figure: flow diagram. Stages shown:]
• Front End: Specify Regular Expression (Web, PHP)
• Back End (1): Extract Search [illegible] from SQL database
• Back End (2): Generate Finite State Machines in VHDL
• Synthesize Logic to gates & flops (Synplicity Pro)
• Set Boundary I/O & Routing Constraints (DHP)
• Place and Route with constraints (Xilinx)
• Generate bitstream (Xilinx)
• Install and deploy modules over Internet to remote scanners (NCHARGE)
• In-system, Data Scanning on FPX Platform

New, 2 Million-gate Packet Scanner: 9 Minutes

Network Configuration with Gigabit Ethernet

[Figure: four PCs connected over Gigabit Ethernet through a Data Enabling Device (DED) with FPX Processing Modules.]

Passive Virus Protection

[Figure with labels: INTERNET; Virus Agent; FPgrep Module; Internet User.]
• Internet User requests information from Internet
• Content returns from Internet through FPX
• Content is processed in the FPX
• Content containing virus is forwarded from FPX
• Alert packet is sent to user to let them know of the virus

Alert shown to the user: "The message you are downloading may contain a virus. To ensure the protection of your system, you should use caution when viewing the message."

Passive Virus Example

[Screenshot: Eudora mail client showing a message addressed to victim@globalvelocity.info with subject "Virus" and body "Attached is a ViRuS".]

Active Virus Protection

[Figure with labels: INTERNET; Virus Agent; Scanning Module; Internet User.]
• (1) Data requested from public Internet
• Content returns from infected host
• Content is processed in the FPX
• Content containing virus is dropped at FPX
• Alert packet is sent to user to let them know of the virus

Alert shown to the user: "The message you are attempting to download contains a virus and has been halted. To ensure the protection of your system, you should click the stop button on your browser and click OK."

Active Virus Example

[Screenshot: Eudora mail client during a mail check; the status line reads "1 message(s) left to download".]

Other Applications

• Prevent unauthorized release of data
  – Secure Classified documents
  – Lock medical documents for Health Insurance Portability and Accountability Act (HIPAA)

• Avoid liability for misuse of network
  – Copyright infringement
  – Pornography in the workplace

Content Scanning Technologies

• General Purpose Microprocessors
  ✓ Fully Reprogrammable
  ✗ Sequential Processing

• Custom Packet Processing Hardware
  • Highly concurrent processing
  ✗ Static Functionality

• Network Processors
  ✓ Mostly Reprogrammable
  • Some concurrent processing (8-32 cores)

• Reconfigurable Hardware
  ✓ Fully Programmable
  ✓ Highly concurrent processing

Performance

[Figure: plot with Throughput on one axis, comparing "Software-based Regular Expression Matching Systems (Snort, etc)" with "FPGA-based Regular Expression Matching with Parallel Engines". The other axis label is illegible.]

Actual Software Performance

[Figure not recoverable.]

From: Network Intrusion Detection Systems: Important IDS Network Security Vulnerabilities by Simon Edwards (TopLayer.com)

Throughput Comparison

• Sed was run on different Linux PCs
  – Dual Intel Pentium III @ 1 GHz
    • 13.7 Mbps when data is read from disk
    • 32.72 Mbps when data is read from memory
  – Alpha 21364 @ 667 MHz
    • 36 Mbps when data is read from disk
    • 50.4 Mbps when data is read from memory

• Software results are 40x slower than FPsed

String Processing Benchmarks (measured results for SED)

[Figure: bar chart with a vertical scale from 0 to 2500; the axis label is illegible. Bars: Quad-FPsed at 64 MHz from NETWORK; FPsed at 64 MHz from NETWORK; AMD Athlon 1.2GHz from MEMORY; AMD Athlon 1.2GHz from DISK; DEC Alpha 21364 .7GHz from MEMORY; DEC Alpha 21364 .7GHz from DISK; AMD K7 .9GHz from MEMORY; AMD K7 .9GHz from DISK; INTEL dual P3 1GHz from MEMORY; INTEL dual P3 1GHz from DISK.]

Results

• Content Scanning Platform Implemented
  – Scans Internet packets for virus or Internet worm signatures using reconfigurable hardware
  – Generates prompts when matching content is found

• Content Matching Server Implemented
  – Automatically generates FPGA from regular expressions selected from database

• Regional Transaction Processor implemented
  – Tracks propagation of Internet worms and viruses

• Reduces the spread of malware from months to minutes

Acknowledgements

• Washington University
  – Faculty
    • John Lockwood
    • Ronald Loui
    • Jon Turner
  – Graduate Students
    • Mike Attig
    • Sarang Dharmapurikar
    • David Lim
    • Jing Lu
    • Bharath Madhusudan
    • James Moscola
    • Chris Neely
    • David Schuehler
    • Todd Sproull
    • David Taylor
    • Haoyu Song
    • Chris Zuver

• Industry Research Partners
  – Matthew Kulig (Global Velocity)
  – David Reddick (Global Velocity)
  – Tim Brooks (Global Velocity)

• Government Partners
  – National Science Foundation

• Hardware Vendors
  – David Parlour (Xilinx)

• Visiting Faculty and Students
  – Edson Horta
  – Florian Braun
  – Carlos Macian
