Cyber Security Processor (CYSEP)

As the need for cost-effective, ubiquitous secure communications continues to rise, corporations are turning to virtual private networks (VPNs) to eliminate expensive leased lines and to provide secure access to sensitive data for both intra- and inter-organization communications. As these institutions increasingly rely on web-based applications to interface with customers, clients and business partners alike, they also place their sensitive information and databases at greater risk of attack at the web application level. Conventional solutions such as firewalls, VPN gateways and intrusion detection systems do not completely solve the problem. They analyze only packet headers and cannot detect threats embedded in network content, because they lack the processing power necessary to analyze content in real time for viruses, worms, or inappropriate content, and therefore leave the network edge open to a wide range of costly, content-borne threats. We plan to enhance network security in four aspects by implementing a Cyber-Security Processor (CYSEP) that performs the functions of firewall/intrusion detection, encryption/decryption, authentication, and distributed denial of service (DDoS) attack protection, as shown in Figure 1. The CYSEP, consisting of four engines, will be implemented on application-specific integrated circuits (ASIC) with state-of-the-art 0.18-micron CMOS technology and is expected to operate at 10 Gbps or higher.

The firewall and intrusion detection engine (FIDE) detects and prevents possible attacks from outside or inside an enterprise network. The FIDE implements finite-automata-based signature detection and packet classification at 10 Gbps.
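The two FIDE functions named above, as an added software illustration rather than anything from the CYSEP project: packet classification is a first-match rule lookup over header fields, and signature detection is an Aho-Corasick automaton that matches every signature in a single pass over the payload (the same kind of finite automaton a hardware matcher walks one byte per cycle). The signatures, rules and packets are constructed placeholders, and the `inspect` pipeline that chains the two stages is an assumption of this example, not the engine's design.

```python
import ipaddress
from collections import deque

# Constructed placeholder signatures (not real IDS rules)
SIGNATURES = [b"/etc/passwd", b"cmd.exe", b"UNION SELECT"]

# Constructed classifier rules; first match wins, like a linear ACL.
# Hardware would resolve all rules in parallel (e.g. a TCAM), but the semantics are the same.
RULES = [
    {"proto": "tcp", "dport": 80, "action": "inspect"},
    {"proto": "tcp", "dport": 22, "src": "10.0.0.0/8", "action": "allow"},
    {"action": "drop"},
]


class SignatureAutomaton:
    """Aho-Corasick automaton: reports every signature occurrence in one pass."""

    def __init__(self, patterns):
        self.goto = [{}]   # state -> {byte: next state}
        self.out = [[]]    # state -> patterns that end in this state
        self.fail = [0]    # state -> longest proper suffix state
        for p in patterns:
            s = 0
            for b in p:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.out.append([])
                    self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(p)
        # Breadth-first pass computes failure links and merges outputs along them
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, payload):
        """Return (offset, pattern) for every match, in the order they complete."""
        s, hits = 0, []
        for i, b in enumerate(payload):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for p in self.out[s]:
                hits.append((i - len(p) + 1, p))
        return hits


def classify(pkt, rules=RULES):
    """First-match header classification; a rule omits fields it does not care about."""
    for r in rules:
        if "proto" in r and r["proto"] != pkt["proto"]:
            continue
        if "dport" in r and r["dport"] != pkt["dport"]:
            continue
        if "src" in r and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(r["src"]):
            continue
        return r["action"]
    return "drop"


def inspect(pkt, automaton, rules=RULES):
    """Classify on headers, then run content inspection only where the rule asks for it."""
    action = classify(pkt, rules)
    if action != "inspect":
        return action, []
    hits = automaton.scan(pkt["payload"])
    return ("alert", [p.decode() for _, p in hits]) if hits else ("allow", [])


if __name__ == "__main__":
    ac = SignatureAutomaton(SIGNATURES)
    pkt = {"proto": "tcp", "src": "192.0.2.5", "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.0"}
    print(inspect(pkt, ac))
```

The failure links are what make the automaton wire-speed friendly: each payload byte advances the state once, and the amortised number of fallback transitions is bounded by the payload length, so the cost per byte is constant regardless of how many signatures are loaded.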

The encryption/decryption engine implements the message confidentiality primitives necessary to establish VPNs over the public Internet. Our preliminary field-programmable gate array (FPGA) implementation of the optimized Advanced Encryption Standard (AES) block and stream cipher operates at about 5 Gbps. We expect to achieve 10 Gbps or higher throughput with the ASIC implementation.

The authentication and authorization engine implements the message integrity primitive necessary to establish VPNs. The engine will implement a universal-hash-function-based Message Authentication Code (MAC) with an extremely small collision probability. Based on the throughput estimates obtained from our synthesis experiments, we expect the throughput of the ASIC implementation to exceed 70 Gbps.
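To make the "universal hash with extremely small collision probability" concrete, here is an added software example of the construction such an engine is built on; it is not the project's hash function, whose details the page does not give. The hash evaluates the message as a polynomial at a secret point in GF(2^127 - 1), so two distinct messages of at most L blocks collide with probability at most L/(2^127 - 1) over the choice of key. The MAC is the Wegman-Carter composition: hash under one subkey, then mask with a pseudorandom function of a nonce under a second subkey (HMAC-SHA256 stands in for the PRF here; that choice, the 15-byte block size and the 32-byte key split are assumptions of this example).

```python
import hashlib
import hmac
from fractions import Fraction

P = (1 << 127) - 1   # Mersenne prime 2^127 - 1: the field the hash is evaluated in
BLOCK = 15           # 15-byte blocks become integers < 2^120 < P, so the encoding is injective


def _blocks(msg: bytes) -> list:
    """Length-prefix the message and cut it into field elements.
    The prefix keeps messages of different lengths from mapping to the same block sequence."""
    data = len(msg).to_bytes(8, "big") + msg
    return [int.from_bytes(data[i:i + BLOCK], "big") for i in range(0, len(data), BLOCK)]


def poly_hash(key: int, msg: bytes) -> int:
    """Polynomial universal hash, Horner form: sum_i m_i * key^(L-i+1) mod P."""
    h = 0
    for m in _blocks(msg):
        h = (h * key + m) % P
    return (h * key) % P


def collision_bound(max_bytes: int) -> Fraction:
    """Bound on Pr[poly_hash(k, m1) == poly_hash(k, m2)] over a uniformly random k,
    for distinct messages of at most max_bytes: the difference polynomial is nonzero
    of degree at most L, so it has at most L roots in the field."""
    blocks = -(-(8 + max_bytes) // BLOCK)   # ceiling division
    return Fraction(blocks, P)


def mac(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Wegman-Carter MAC: universal hash under k1, masked by PRF(k2, nonce)."""
    if len(key) != 32:
        raise ValueError("key must be 32 bytes: 16 for the hash point, 16 for the PRF")
    k1 = int.from_bytes(key[:16], "big") % P   # reduction bias is negligible at this size
    mask = int.from_bytes(hmac.new(key[16:], nonce, hashlib.sha256).digest()[:16], "big") % P
    return ((poly_hash(k1, msg) + mask) % P).to_bytes(16, "big")


def verify(key: bytes, nonce: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison so tag checking does not leak through timing."""
    return hmac.compare_digest(mac(key, nonce, msg), tag)


if __name__ == "__main__":
    key, nonce = bytes(range(32)), bytes(12)   # constructed test key and nonce
    tag = mac(key, nonce, b"payload")
    print(tag.hex(), verify(key, nonce, b"payload", tag))
    print("collision bound for a 1500-byte packet:", float(collision_bound(1500)))
```

The hash itself is fast because each block costs one multiply-add in the field and blocks are independent of any cipher, which is why universal-hash MACs are the natural fit for a multi-Gbps datapath. The caveat a deployment must respect is that the nonce never repeats under the same key: two tags with the same mask let an observer subtract them and learn a relation between the two hashes, which is what the mask exists to hide.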

The DDoS protection engine uses our proposed PacketScore scheme, which determines the legitimacy of a suspicious packet according to the score assigned to the packet. By taking a score-based filtering approach, we avoid the problems of conventional binary rule-based filtering and achieve great scalability in speed (e.g., 10 Gbps or higher) and the number of potential victims.
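The score-based filtering idea, as an added simplified model written for this page and not the PacketScore implementation itself: a nominal profile records how often each attribute value (protocol, destination port, size bucket, TTL bucket) appears in normal traffic; under overload the same profile is measured on the current traffic, and a packet's score is the log-likelihood ratio of its attributes under the nominal profile versus the current one. Attribute values a flood over-represents push scores down. Instead of a binary rule, the discard threshold is chosen from the score distribution so that only as many packets pass as the protected capacity allows. The attribute set, bucket widths, add-one smoothing and the constructed traffic mix are assumptions of this example.

```python
import math
from collections import Counter

ATTRS = ("proto", "dport", "size_bucket", "ttl_bucket")


def features(pkt):
    """Attributes the profile is built on; bucketing keeps the per-attribute tables small."""
    return {"proto": pkt["proto"], "dport": pkt["dport"],
            "size_bucket": pkt["size"] // 256, "ttl_bucket": pkt["ttl"] // 32}


class Profile:
    """Per-attribute value frequencies over a set of packets."""

    def __init__(self, packets):
        self.n = len(packets)
        self.counts = {a: Counter() for a in ATTRS}
        for pkt in packets:
            f = features(pkt)
            for a in ATTRS:
                self.counts[a][f[a]] += 1

    def prob(self, attr, value):
        # Add-one smoothing: values never seen still get a small nonzero probability
        return (self.counts[attr][value] + 1) / (self.n + len(self.counts[attr]) + 1)


def score(pkt, nominal, current):
    """Log-likelihood ratio of the packet's attributes under the nominal profile versus
    the traffic observed now. Values over-represented now drive the score down."""
    f = features(pkt)
    return sum(math.log(nominal.prob(a, f[a]) / current.prob(a, f[a])) for a in ATTRS)


def choose_threshold(scores, capacity):
    """Cut-off such that at most `capacity` packets have a score strictly above it.
    Using a strict comparison drops a whole tied bin at the boundary rather than
    admitting it, which keeps the load under the target."""
    if len(scores) <= capacity:
        return -math.inf
    return sorted(scores, reverse=True)[capacity]


def filter_packets(packets, nominal, capacity):
    """Score a batch against the nominal profile and keep what fits into capacity."""
    current = Profile(packets)
    scored = [(score(p, nominal, current), p) for p in packets]
    thr = choose_threshold([s for s, _ in scored], capacity)
    return [p for s, p in scored if s > thr], thr


def _flow(n, **fields):
    return [dict(fields) for _ in range(n)]


# Constructed traffic samples (not measurements): a normal mix, and the same mix
# under a flood of identical UDP/53 packets with an unusual TTL.
NOMINAL_TRAFFIC = (_flow(40, proto="tcp", dport=80, size=600, ttl=64)
                   + _flow(30, proto="tcp", dport=443, size=1200, ttl=128)
                   + _flow(20, proto="udp", dport=53, size=80, ttl=64)
                   + _flow(10, proto="tcp", dport=22, size=200, ttl=64))
ATTACK_TRAFFIC = (_flow(20, proto="tcp", dport=80, size=600, ttl=64)
                  + _flow(15, proto="tcp", dport=443, size=1200, ttl=128)
                  + _flow(10, proto="udp", dport=53, size=80, ttl=64)
                  + _flow(5, proto="tcp", dport=22, size=200, ttl=64)
                  + _flow(200, proto="udp", dport=53, size=64, ttl=255))


if __name__ == "__main__":
    nominal = Profile(NOMINAL_TRAFFIC)
    accepted, thr = filter_packets(ATTACK_TRAFFIC, nominal, capacity=60)
    print(f"threshold={thr:.2f}, accepted {len(accepted)} of {len(ATTACK_TRAFFIC)}")
```

Two properties of the score-based approach show up in the sample run. The legitimate DNS packets share protocol and port with the flood and therefore score below zero too, yet they still rank above the flood packets because their TTL bucket matches the nominal profile, so a threshold derived from load rather than from a fixed rule keeps them. And because the threshold adapts to the current score distribution, the same code shelters the backend whether the flood is ten times or a hundred times the normal load, which is the scalability argument made above.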

Massive parallelism and pipelining techniques are to be employed in the ASIC to achieve 10 Gbps wire-speed operation. The CYSEP can be deployed at various places in the network, e.g., at high-performance end-systems, data centers, enterprise networks, and the Internet service provider's backbone network, to enhance cyber security and to increase the bandwidth efficiency of the network, as shown in Figure 2.

Participating Faculty: H. Jonathan Chao
[1] H. J. Chao, R. Karri, and W. C. Lau, "CYSEP - a Cyber-Security Processor for 10 Gbps Networks and Beyond," IEEE MILCOM 2004, Monterey, CA, Nov. 2004.
[2] M. C. Chuah, W. Lau, Y. Kim, and H. J. Chao, "Transient Performance of PacketScore for Blocking DDoS Attack," IEEE ICC 2004, Paris, June 2004.
[3] W. Lau, M. C. Chuah, Y. Kim, and H. J. Chao, "Distributed Architecture for Statistical Overload Control Against Distributed Denial of Service Attacks," patent application filed Nov. 26, 2003.
[4] Y. Kim, W. Lau, M. C. Chuah, and H. J. Chao, "PacketScore: Statistical-Based Overload Control Against Distributed Denial-of-Service," IEEE INFOCOM 2004, Hong Kong, March 2004.
[5] Y. Kim, J.-Y. Jo, H. J. Chao, and F. L. Merat, "High-Speed Router Filter for Blocking TCP Flooding Under Distributed Denial of Service Attack," IEEE International Performance, Computing and Communications Conference (IPCCC), Phoenix, AZ, April 2003.