Date of Award

6-17-2010

Document Type

Thesis

Degree Name

Master of Science

Department

Department of Electrical and Computer Engineering

First Advisor

Barry E. Mullins, PhD

Abstract

Recent years have seen a massive increase in illegal, suspicious, and malicious traffic traversing government and military computer networks. Examples include illegal file distribution and disclosure of sensitive information using the BitTorrent file sharing protocol, criminals and terrorists using Voice over Internet Protocol (VoIP) technologies to communicate, and foreign entities exfiltrating sensitive data from government, military, and Department of Defense contractor networks. In response to these growing threats, the TRacking and Analysis for Peer-to-Peer (TRAPP) system was developed in 2008 to detect BitTorrent and VoIP traffic of interest. The TRAPP system, implemented on a Xilinx Virtex-II Pro Field Programmable Gate Array (FPGA), proved valuable and effective at detecting traffic of interest on a 100 Mbps network. Building on the concepts and technology developed for TRAPP, the TRAPP-2 system is implemented on a Xilinx ML510 FPGA. The goal of this research is to evaluate the performance of the TRAPP-2 system as a means of detecting and tracking malicious packets traversing a gigabit Ethernet network. The TRAPP-2 system detects a BitTorrent, Session Initiation Protocol (SIP), or Domain Name System (DNS) packet, extracts the payload, compares the data against a hash list, and, if the packet is suspicious, logs the entire packet for future analysis. Results show that the TRAPP-2 system captures 95.56% of BitTorrent, 20.78% of SIP INVITE, 37.11% of SIP BYE, and 91.89% of DNS packets of interest at 93.7% network utilization (937 Mbps). In a second experiment, the contraband hash list size is increased from 1,000 to 131,072,000 unique items; each doubling of the hash list size results in a mean increase of approximately 16 central processing unit (CPU) cycles. These results demonstrate the TRAPP-2 system's ability to detect traffic of interest on a near-saturated gigabit network while maintaining large contraband hash lists.
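The inspection path the abstract describes (detect a BitTorrent, SIP or DNS packet, extract the item of interest from the payload, compare it against a contraband hash list, and log the whole packet on a hit), written out as an added software example. This is not the thesis's FPGA implementation or any code from the author: the protocol constants, the hash-list entry format (SHA-1 over the protocol name and item), the sample packets, and the choice of a sorted array searched by bisection are all assumptions. The bisection list is chosen because one extra comparison per doubling of the list is the behaviour that would produce the near-constant cost per doubling the abstract reports; the thesis itself is not claimed to use it.

```python
# Constructed model of the TRAPP-2 detect/extract/compare/log path, not the thesis's FPGA design.
# All names, constants, the hash-list format and the sample packets below are assumptions.
import hashlib
import struct

BT_HANDSHAKE = b"\x13BitTorrent protocol"  # first 20 bytes of a BitTorrent peer handshake
TCP, UDP, SIP_PORT, DNS_PORT = 6, 17, 5060, 53

def parse_ipv4(frame):
    """IPv4 packet (no link-layer header) -> (proto, sport, dport, payload), else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] not in (TCP, UDP):
        return None
    proto, l4 = frame[9], frame[(frame[0] & 0x0F) * 4:]
    if len(l4) < (20 if proto == TCP else 8):
        return None
    hdr = (l4[12] >> 4) * 4 if proto == TCP else 8  # TCP data offset honours options
    return (proto,) + struct.unpack("!HH", l4[:4]) + (l4[hdr:],)

def parse_qname(p, off=12):
    """Decode the first DNS question name; refuse pointers/truncation rather than guess."""
    labels = []
    while off < len(p):
        n = p[off]
        if n == 0:
            return b".".join(labels).lower()
        if n & 0xC0 or off + 1 + n > len(p):
            return None
        labels.append(p[off + 1:off + 1 + n])
        off += 1 + n
    return None

def classify(pkt):
    """(kind, item) for the three tracked protocols, else None."""
    proto, sport, dport, p = pkt
    if proto == TCP and len(p) >= 68 and p.startswith(BT_HANDSHAKE):
        return "bittorrent", p[28:48]  # info_hash: after 20-byte header + 8 reserved bytes
    if SIP_PORT in (sport, dport):
        for method in (b"INVITE", b"BYE"):
            if p.startswith(method + b" sip:"):
                return "sip", p.split(b" ", 2)[1]  # Request-URI
    if proto == UDP and dport == DNS_PORT and len(p) > 12:
        qname = parse_qname(p)
        if qname:
            return "dns", qname
    return None

def digest(kind, item):
    return hashlib.sha1(kind.encode() + b":" + item).digest()  # assumed list-entry format

class HashList:
    """Sorted array + bisection (assumed): one extra compare per doubling of the list."""
    def __init__(self, digests):
        self.table = sorted(set(digests))
    def lookup(self, d):
        lo, hi, steps = 0, len(self.table), 0
        while lo < hi:
            steps, mid = steps + 1, (lo + hi) // 2
            if self.table[mid] == d:
                return True, steps
            lo, hi = (mid + 1, hi) if self.table[mid] < d else (lo, mid)
        return False, steps

def inspect(frame, hashlist, log):
    """detect -> extract -> compare -> log for one packet; returns (kind, hit) or None."""
    pkt = parse_ipv4(frame)
    hit = classify(pkt) if pkt else None
    if hit is None:
        return None
    found, _ = hashlist.lookup(digest(*hit))
    if found:
        log.append(frame)  # keep the entire packet for later analysis
    return hit[0], found

# --- constructed sample traffic and contraband list ---------------------------------
def ipv4(proto, sport, dport, payload):
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0) if proto == TCP
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + l4

DNS_HDR = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # id, RD set, QDCOUNT=1
BAD_INFO_HASH = hashlib.sha1(b"constructed-contraband-torrent").digest()
CONTRABAND = HashList([digest("bittorrent", BAD_INFO_HASH), digest("sip", b"sip:bob@example.org"),
                       digest("dns", b"bad.example.net")])
SAMPLES = [
    ipv4(TCP, 51413, 6881, BT_HANDSHAKE + b"\x00" * 8 + BAD_INFO_HASH + b"-XX0001-" + b"x" * 12),
    ipv4(UDP, 5060, SIP_PORT, b"INVITE sip:bob@example.org SIP/2.0\r\nCall-ID: c1@10.0.0.1\r\n\r\n"),
    ipv4(UDP, SIP_PORT, 5060, b"BYE sip:alice@example.org SIP/2.0\r\nCall-ID: c1@10.0.0.1\r\n\r\n"),
    ipv4(UDP, 40000, DNS_PORT, DNS_HDR + b"\x03BAD\x07example\x03net\x00\x00\x01\x00\x01"),
    ipv4(UDP, 40001, DNS_PORT, DNS_HDR + b"\x04good\x07example\x03com\x00\x00\x01\x00\x01"),
]

def run_demo():
    log = []
    return [inspect(f, CONTRABAND, log) for f in SAMPLES], len(log)

def steps_vs_size(max_doublings):
    """Bisection steps for a miss against lists of 2**0 .. 2**max_doublings entries."""
    probe = b"\x00" * 20  # sorts below any realistic SHA-1 digest
    return [HashList(hashlib.sha1(b"%d" % i).digest() for i in range(2 ** k)).lookup(probe)[1]
            for k in range(max_doublings + 1)]
```

run_demo() returns the verdict for each constructed packet and the number of packets logged: the BitTorrent handshake carrying the listed info_hash, the INVITE to the listed URI and the query for the listed name are logged (three packets); the BYE to an unlisted URI and the query for an unlisted name are classified but not logged. steps_vs_size(10) returns 1 through 11, one more comparison for each doubling of the list, which is the growth pattern a practitioner should expect before attributing a per-doubling cost to anything other than the search itself. The DNS name parser refuses compression pointers and truncated labels rather than guessing, since a mis-parsed name would silently miss the list.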

AFIT Designator

AFIT-GCO-ENG-10-20

DTIC Accession Number

ADA522701