Cyber Security in Turbulent Times Part I of 2Tuesday April 28, 2020
By Julie DiBene
Director, Marketing Communications
It has been estimated that by 2027, global spending on cyber security will reach $10 billion. And during these turbulent times, it is no surprise that nearly 60 percent of all companies have experienced cyber-attacks which run the gamut from DDoS attacks, phishing, and social engineering. These attacks will result in an estimated $6 trillion in damages by 2021. And even more disheartening, a mere 10% of cybercrimes are reported in the U.S each year
So, as cyber-attacks continue to increase in strength and frequency, this trend poses a new challenge for both the government and commercial entities across many industries – from finance and health care to the automotive and energy industries – to rapidly address these threats in a real-time manner.
The sheer volume of network traffic that needs to be tracked has increased and is increasing all the time so a new solution is needed. In the case of anomaly detection in cyber network traffic, keeping statistics on these anomalies is an important function needed to support detection, which in turn requires using a high random-access rate memory, in support of performing millions of memory reads in order to develop thousands of histograms related to the traffic profiles.
The data-intensive nature of these types of applications becomes especially challenging in situations where real-time detection is paramount for making strategic decisions that could impact national security, energy infrastructure, or prevent the leakage of personal and financial data.
Traditionally, security has been done with stateful fire walls in which the header is inspected, and the packet is classified with some sort of filtering data structure. The stateful aspect comes from tracking changes in the state of the connection requiring rapid updates to memory. When packets arrive every 6ns (100GE to 150Mpps), memory like DRAM is challenged because it is limited to 50ns access rates, resulting in the need to use SRAM tables to be accessed and potentially updated at line rates.
For traffic that is encrypted only a portion of the packet features can be inspected, thus other aspects like packet size, rate, spectral aspects can be analyzed. Recently, Random Forest of Trees (RFT) algorithms are being used to support classification of traffic flows and in some cases even individual packet classes. In order to effectively identify and address attacks, it is important to perform detection in real-time and accurately flag specific malicious data patterns. In this application, a monitor-detect-classify sequence is required. If available, it is crucial to monitor the distribution of packet features, including: sIP, dIP, sPort, dPort, package type, size, intervals, etc., and detect correlation in the distribution of the packet features by using classifiers (such as a random forest of trees) to identify and classify attack type. The goal is to raise awareness of a possible event in as short a time as possible between monitoring and detection such that the potential threat or intrusion can be eradicated before it infiltrates an organization’s networks.
Random Forest of Trees (RFT) is a very powerful technique, but it is limited by the random performance nature of the underlying memory. DRAM for example, can limit the performance of even the most powerful multi-core CPU because in the worst case the read bank cycle time is 50ns and the latency can be >100ns. When an algorithm like RFT is used, each read is dependent on the results of the previous read. Memory technology like MoSys 1T SRAM and its in-memory-compute can greatly reduce the time to process the serial nature of tree structures.
In Part 2 of this blog, we will explore how MoSys (Graph Memory Engine) GME utilizes a proprietary high random-access rate memory with in-memory-compute functionality for searching and classifying in network security.
If you are looking for more technical information or need to discuss your technical challenges with an expert, we are happy to help. Email us and we will arrange to have one of our technical specialists speak with you. You can also sign up for updates. Finally, please follow us on social media so we can keep in touch.