AntiWorm NPU-based Parallel Bloom filters in Giga-Ethernet LAN

In this paper, an AntiWorm system based on the Intel IXP Network Processor was implemented using the Parallel Bloom filters technique. The AntiWorm system consists of two components: Bloom filters and Exact Matching engines. The Parallel Bloom filters can identify the suspicious traffic quickly and effectively, and then dispatch them to Exact Matching engines for further investigation. Both the principles and the implementation of the AntiWorm system are introduced in detail. With the consideration of the system performance parameters, two feasible implementation solutions are investigated and the advantages and disadvantages are also compared. The selections of configuration parameters of the AntiWorm system are also discussed. A hash scheme based on MD5´s function is proposed for implementing fast hash functions. To test the performance of the AntiWorm system, such as throughput and delay, some experiments are carried out with different simulated traffic condition. The internal statistics of IXP network processor are also collected and analyzed for optimizing the system performance. To demonstrate the operation of the AntiWorm system, assaults by Worm Blaster are used in the test bed, and the experimental results prove the effectiveness of the AntiWorm system. The Software Package WormDetector1.0 is also provided as a software release from the research.