A High-Throughput System Architecture for Deep Packet Filtering in Network Intrusion Prevention

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 3894)

Abstract

Pattern matching is one of the critical parts of Network Intrusion Prevention Systems (NIPS). Pattern matching hardware for NIPS should find a matching pattern at wire speed. However, that alone is not good enough. First, the hardware should be able to generate sufficient pattern match information, including the pattern index number and the location of the match found, at wire speed. Second, it should support pattern grouping to reduce unnecessary pattern matches. Third, it should show constant worst-case performance even as the number of patterns increases. Finally, it should be able to update patterns in a few minutes or seconds without stopping its operation. We modify the Shift-OR hardware accelerator and propose a system architecture that meets the above requirements. Using Xilinx FPGA simulation, we show that the new system scales well, achieving a speed of over 10 Gbps, and satisfies all of the above requirements.
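As an added illustration that is not code from the paper, the following is a software model of the Shift-OR (bitap) matcher the abstract builds on, extended to report the pattern index and the match location and to scan only one pattern group at a time; the request line, the patterns and the group names are constructed sample data.

```python
# Software model of Shift-OR (bitap) multi-pattern matching, written for
# illustration only; the paper's FPGA design is not reproduced here.

def build_masks(patterns):
    """Per-pattern byte masks: bit i of masks[b] is cleared when pattern[i] == b.

    In hardware the pattern length is capped by the register width; Python
    ints are unbounded, so no cap is enforced in this model.
    """
    table = []
    for pat in patterns:
        m = len(pat)
        masks = [(1 << m) - 1] * 256          # all ones: no position matches yet
        for i, b in enumerate(pat):
            masks[b] &= ~(1 << i)             # clear bit i for the byte at position i
        table.append((m, masks))
    return table


def shift_or_scan(data, patterns):
    """Return (pattern_index, start_offset, end_offset) for every match in data.

    One state word per pattern. Bit i of a state is 0 exactly when
    pattern[0..i] ends at the current byte, so a cleared top bit is a hit.
    Work per input byte is fixed (one shift/OR per pattern), which is the
    constant worst-case behaviour the hardware parallelises across patterns.
    """
    table = build_masks(patterns)
    states = [(1 << m) - 1 for m, _ in table]
    hits = []
    for pos, byte in enumerate(data):
        for idx, (m, masks) in enumerate(table):
            states[idx] = ((states[idx] << 1) | masks[byte]) & ((1 << m) - 1)
            if states[idx] & (1 << (m - 1)) == 0:
                hits.append((idx, pos - m + 1, pos))   # index + location of match
    return hits


def scan_group(data, groups, group_key):
    """Pattern grouping: run only the patterns registered under group_key.

    groups maps a constructed key (e.g. a service name) to its pattern list;
    indexes in the result are relative to that group.
    """
    return shift_or_scan(data, groups.get(group_key, []))


# Constructed sample input, not taken from any real signature set.
SAMPLE = b"GET /index.html HTTP/1.0"
PATTERNS = [b"GET ", b"index", b"html"]
GROUPS = {"http": [b"GET ", b"html"], "smtp": [b"HELO"]}
```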

This work was supported by 2005 Korea Sanhank Foundation Research Fund.



Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

Cite this paper

Kim, D.Y., Kim, S., Choi, L., Kim, H. (2006). A High-Throughput System Architecture for Deep Packet Filtering in Network Intrusion Prevention. In: Grass, W., Sick, B., Waldschmidt, K. (eds) Architecture of Computing Systems - ARCS 2006. ARCS 2006. Lecture Notes in Computer Science, vol 3894. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11682127_29

  • DOI: https://doi.org/10.1007/11682127_29

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-32765-3

  • Online ISBN: 978-3-540-32766-0

  • eBook Packages: Computer Science (R0)