23 results for Linux security module
at Indian Institute of Science - Bangalore - India
Abstract:
High end network security applications demand high speed operation and large rule set support. Packet classification is the core functionality that demands high throughput in such applications. This paper proposes a packet classification architecture to meet such high throughput. We have implemented a Firewall with this architecture in reconfigurable hardware. We propose an extension to Distributed Crossproducting of Field Labels (DCFL) technique to achieve scalable and high performance architecture. The implemented Firewall takes advantage of inherent structure and redundancy of rule set by using our DCFL Extended (DCFLE) algorithm. The use of DCFLE algorithm results in both speed and area improvement when it is implemented in hardware. Although we restrict ourselves to standard 5-tuple matching, the architecture supports additional fields. High throughput classification invariably uses Ternary Content Addressable Memory (TCAM) for prefix matching, though TCAM fares poorly in terms of area and power efficiency. Use of TCAM for port range matching is expensive, as the range to prefix conversion results in large number of prefixes leading to storage inefficiency. Extended TCAM (ETCAM) is fast and the most storage efficient solution for range matching. We present for the first time a reconfigurable hardware implementation of ETCAM. We have implemented our Firewall as an embedded system on Virtex-II Pro FPGA based platform, running Linux with the packet classification in hardware. The Firewall was tested in real time with 1 Gbps Ethernet link and 128 sample rules. The packet classification hardware uses a quarter of logic resources and slightly over one third of memory resources of XC2VP30 FPGA. It achieves a maximum classification throughput of 50 million packet/s corresponding to 16 Gbps link rate for the worst case packet size. The Firewall rule update involves only memory re-initialization in software without any hardware change.
Abstract:
High end network security applications demand high speed operation and large rule set support. Packet classification is the core functionality that demands high throughput in such applications. This paper proposes a packet classification architecture to meet such high throughput. We have implemented a Firewall with this architecture in reconfigurable hardware. We propose an extension to Distributed Crossproducting of Field Labels (DCFL) technique to achieve scalable and high performance architecture. The implemented Firewall takes advantage of inherent structure and redundancy of rule set by using our DCFL Extended (DCFLE) algorithm. The use of DCFLE algorithm results in both speed and area improvement when it is implemented in hardware. Although we restrict ourselves to standard 5-tuple matching, the architecture supports additional fields. High throughput classification invariably uses Ternary Content Addressable Memory (TCAM) for prefix matching, though TCAM fares poorly in terms of area and power efficiency. Use of TCAM for port range matching is expensive, as the range to prefix conversion results in large number of prefixes leading to storage inefficiency. Extended TCAM (ETCAM) is fast and the most storage efficient solution for range matching. We present for the first time a reconfigurable hardware implementation of ETCAM. We have implemented our Firewall as an embedded system on Virtex-II Pro FPGA based platform, running Linux with the packet classification in hardware. The Firewall was tested in real time with 1 Gbps Ethernet link and 128 sample rules. The packet classification hardware uses a quarter of logic resources and slightly over one third of memory resources of XC2VP30 FPGA. It achieves a maximum classification throughput of 50 million packet/s corresponding to 16 Gbps link rate for the worst case packet size. The Firewall rule update involves only memory re-initialization in software without any hardware change.
Abstract:
The power system network is assumed to be in steady-state even during low frequency transients. However, depending on generator dynamics, and load and control characteristics, the system model and the nature of power flow equations can vary. The nature of power flow equations describing the system during a contingency is investigated in detail. It is shown that under some mild assumptions on load-voltage characteristics, the power flow equations can be decoupled in an exact manner. When the generator dynamics are considered, the solutions for the load voltages are exact if load nodes are not directly connected to each other.
Abstract:
Receptor guanylyl cyclases are multidomain proteins, and ligand binding to the extracellular domain increases the levels of intracellular cGMP. The intracellular domain of these receptors is composed of a kinase homology domain (KHD), a linker of ~70 amino acids, followed by the C-terminal guanylyl cyclase domain. Mechanisms by which these receptors are allosterically regulated by ligand binding to the extracellular domain and ATP binding to the KHD are not completely understood. Here we examine the role of the linker region in receptor guanylyl cyclases by a series of point mutations in receptor guanylyl cyclase C. The linker region is predicted to adopt a coiled coil structure and aid in dimerization, but we find that the effects of mutations neither follow a pattern predicted for a coiled coil peptide nor abrogate dimerization. Importantly, this region is critical for repressing the guanylyl cyclase activity of the receptor in the absence of ligand and permitting ligand-mediated activation of the cyclase domain. Mutant receptors with high basal guanylyl cyclase activity show no further activation in the presence of non-ionic detergents, suggesting that hydrophobic interactions in the basal and inactive conformation of the guanylyl cyclase domain are disrupted by mutation. Equivalent mutations in the linker region of guanylyl cyclase A also elevated the basal activity and abolished ligand- and detergent-mediated activation. We, therefore, have defined a key regulatory role for the linker region of receptor guanylyl cyclases which serves as a transducer of information from the extracellular domain via the KHD to the catalytic domain.
Abstract:
The main objective of on-line dynamic security assessment is to take preventive action if required or decide remedial action if a contingency actually occurs. Stability limits are obtained for different contingencies. The mode of instability is one of the outputs of dynamic security analysis. When a power system becomes unstable, it splits initially into two groups of generators, and there is a unique cutset in the transmission network known as critical cutset across which the angles become unbounded. The knowledge of critical cutset is additional information obtained from dynamic security assessment, which can be used for initiating preventive control actions, deciding emergency control actions, and adaptive out-of-step relaying. In this article, an analytical technique for the fast prediction of the critical cutset by system simulation for a short duration is presented. Case studies on the New England ten-generator system are presented. The article also suggests the applications of the identification of critical cutsets.
Abstract:
Security in a mobile communication environment is always a matter for concern, even after deploying many security techniques at device, network, and application levels. The end-to-end security for mobile applications can be made robust by developing dynamic schemes at application level which make use of the existing security techniques varying in terms of space, time, and attack complexities. In this paper we present a security techniques selection scheme for mobile transactions, called the Transactions-Based Security Scheme (TBSS). The TBSS uses intelligence to study and analyze the security implications of transactions under execution based on certain criteria such as user behaviors, transaction sensitivity levels, and credibility factors computed over the previous transactions by the users, network vulnerability, and device characteristics. The TBSS identifies a suitable level of security techniques from the repository, which consists of symmetric and asymmetric types of security algorithms arranged in three complexity levels, covering various encryption/decryption techniques, digital signature schemes, and hashing techniques. From this identified level, one of the techniques is deployed randomly. The results show that there is a considerable reduction in security cost compared to static schemes, which employ pre-fixed security techniques to secure the transaction data.
Abstract:
An application of direct methods to dynamic security assessment of power systems using structure-preserving energy functions (SPEF) is presented. The transient energy margin (TEM) is used as an index for checking the stability of the system as well as ranking the contingencies based on their severity. The computation of the TEM requires the evaluation of the critical energy and the energy at fault clearing. Usually this is done by simulating the faulted trajectory, which is time-consuming. In this paper, a new algorithm which eliminates the faulted trajectory estimation is presented to calculate the TEM. The system equations and the SPEF are developed using the centre-of-inertia (COI) formulation and the loads are modelled as arbitrary functions of the respective bus voltages. The critical energy is evaluated using the potential energy boundary surface (PEBS) method. The method is illustrated by considering two realistic power system examples.
Abstract:
Let $K$ be a field of characteristic zero and let $m_0, \ldots, m_{e-1}$ be a sequence of positive integers. Let $C$ be an algebroid monomial curve in the affine $e$-space $\mathbb{A}_K^e$ defined parametrically by $X_0 = T^{m_0}, \ldots, X_{e-1} = T^{m_{e-1}}$ and let $A$ be the coordinate ring of $C$. In this paper, we assume that some $e - 1$ terms of $m_0, \ldots, m_{e-1}$ form an arithmetic sequence and construct a minimal set of generators for the derivation module $\operatorname{Der}_K(A)$ of $A$ and write an explicit formula for $\mu(\operatorname{Der}_K(A))$.
Abstract:
A fuzzy logic intelligent system is developed for gas-turbine fault isolation. The gas path measurements used for fault isolation are exhaust gas temperature, low and high rotor speed, and fuel flow. These four measurements are also called the cockpit parameters and are typically found in almost all older and newer jet engines. The fuzzy logic system uses rules developed from a model of performance influence coefficients to isolate engine faults while accounting for uncertainty in gas path measurements. It automates the reasoning process of an experienced powerplant engineer. Tests with simulated data show that the fuzzy system isolates faults with an accuracy of 89% with only the four cockpit measurements. However, if additional pressure and temperature probes between the compressors and before the burner, which are often found in newer jet engines, are considered, the fault isolation accuracy rises to as high as 98%. In addition, the additional sensors are useful in keeping the fault isolation system robust as quality of the measured data deteriorates.
Abstract:
Electric power systems are exposed to various contingencies. Network contingencies often contribute to over-loading of network branches and unsatisfactory voltages, and also lead to problems of stability/voltage collapse. To maintain security of the systems, it is desirable to estimate the effect of contingencies and plan suitable measures to improve system security/stability. This paper presents an approach for selection of unified power flow controller (UPFC) suitable locations considering normal and network contingencies after evaluating the degree of severity of the contingencies. The ranking is evaluated using composite criteria based fuzzy logic for eliminating masking effect. In the fuzzy approach, in addition to real power loadings and bus voltage violations, voltage stability indices at the load buses are also used as the post-contingent quantities to evaluate the network contingency ranking. The selection of UPFC suitable locations uses the criteria on the basis of improved system security/stability. The proposed approach for selection of UPFC suitable locations has been tested under simulated conditions on a few power systems and the results for a 24-node real-life equivalent EHV power network and 39-node New England (modified) test system are presented for illustration purposes.