Universiti Teknologi Malaysia Institutional Repository

FPGA implementation of naive bayes classifier for network security

Mohamad Zuki, Ahmad Zulzhafri (2018) FPGA implementation of naive bayes classifier for network security. Masters thesis, Universiti Teknologi Malaysia, Faculty of Electrical Engineering.


Abstract

With the vast usage of the internet nowadays, the rate of cybercrime such as fraud, hacking, identity theft, network intrusion, software piracy and espionage is becoming more critical. Malware writers use this opportunity to create malware that is able to breach security and gain access to information. Hence, malware detection systems are becoming more important, as users need protection from malware threats. Most malware detection systems implement signature-based classification, where only known malware can be detected. Nowadays, new malware is able to change its signature sequence regularly in order to avoid detection. This polymorphic malware is the limitation of the signature-based detection approach. The aim of this project is to propose a signature-based detection approach that is able to detect polymorphic malware by using the Naïve Bayes algorithm. The classifier architecture is integrated onto an FPGA board in order to measure the performance of the system. Features from the network traffic subset to Snort signature detection of known malware and benign samples are extracted using an overlapping N-gram string format. The data set is then used for training and testing the classifier. The classifier for malware detection uses the Naïve Bayes algorithm, which applies Bayes' theorem to the probabilities of the features in the data set to determine the type of each flow. The model is then implemented in a hardware FPGA architecture and coded in RTL. The target FPGA used in the Vivado software is the Xilinx Virtex-7 VC709, which is able to support the system requirements. The hardware performance of the model was analyzed and compared with the Naïve Bayes software classifier for the performance evaluation. The proposed hardware NB malware detection classifier achieved 96.3% accuracy and an improved FPR of 3.1%. The hardware NB malware detection classifier on the FPGA architecture was also able to achieve better resource utilization and an improved detection speed of 0.13 μs per flow.

Item Type: Thesis (Masters)
Additional Information: Thesis (Sarjana Kejuruteraan (Komputer dan Sistem Mikroelektronik)) - Universiti Teknologi Malaysia, 2018; Supervisor: Assoc. Prof. Dr. Muhammad Nadzir Marsono
Subjects: T Technology > TK Electrical engineering. Electronics Nuclear engineering
Divisions: Electrical Engineering
ID Code: 79213
Deposited By: Widya Wahid
Deposited On: 14 Oct 2018 08:39
Last Modified: 14 Oct 2018 08:39
