High Throughput Signature Based Platform for Network Intrusion Detection
In this work we propose the intensive use of the embedded memory blocks and logic blocks of the FPGA device for signature matching. In our approach we arrange signatures in memory arrays (MA) of embedded memory blocks, so that every signature is matched in one clock cycle. The matching logic is shared among all the signatures in one MA. In addition, we propose a character recodification method that saves memory bits, leading to a low byte/character cost. For fast memory addressing we employ unique substring detection; in doing so we process four bytes per clock cycle while significantly reducing hardware replication.
Keywords: NIDS, string matching, content scanning, FPGA, unique substrings
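The following sequential software model is an added illustration, not the authors' FPGA design: it shows how a unique 4-byte substring can serve as the lookup key that selects one stored signature for a full comparison, and how recoding the signature alphabet reduces the bits stored per character. The sample signatures, the function names and the recoding scheme (one compact code per byte value that appears in any signature) are assumptions made for the example.

```python
import math

# Constructed sample signatures (not taken from Snort or from the paper).
SIGNATURES = [b"/etc/passwd", b"cmd.exe", b"/bin/sh", b"SELECT * FROM", b"../../"]
K = 4  # window width in bytes, matching the four bytes per cycle in the abstract

def recode_table(signatures):
    """Assumed recoding: give each byte used by any signature a compact code (0 = unused byte)."""
    alphabet = sorted({b for sig in signatures for b in sig})
    return {b: code for code, b in enumerate(alphabet, start=1)}

def bits_per_char(table):
    """Bits needed to store one recoded character, versus 8 for a raw byte."""
    return math.ceil(math.log2(len(table) + 1))

def unique_substrings(signatures, k=K):
    """Map one k-byte substring per signature to (signature index, offset).

    The substring must occur in no other signature and only once in its own,
    so a window hit identifies a single signature and a single alignment.
    """
    index = {}
    for i, sig in enumerate(signatures):
        others = [s for j, s in enumerate(signatures) if j != i]
        for off in range(len(sig) - k + 1):
            sub = sig[off:off + k]
            once = sig.find(sub) == off and sig.find(sub, off + 1) == -1
            if once and not any(sub in o for o in others):
                index[sub] = (i, off)
                break
        else:
            raise ValueError(f"signature {i} has no unique {k}-byte substring")
    return index

def scan(payload, signatures, index, k=K):
    """Return (start, signature index) for every full signature match in payload."""
    hits = []
    for pos in range(len(payload) - k + 1):
        entry = index.get(payload[pos:pos + k])  # the "memory address" lookup
        if entry is None:
            continue
        i, off = entry
        start, sig = pos - off, signatures[i]
        # A window hit is only a candidate: confirm the whole signature.
        if start >= 0 and payload[start:start + len(sig)] == sig:
            hits.append((start, i))
    return hits
```

A signature that is shorter than the window, or that has no substring unique to it, raises `ValueError`; a real rule set would need a fallback path for such signatures.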