Abstract
Deep packet inspection forms the backbone of any Network Intrusion Detection (NID) system. It involves matching known malicious patterns against the payload of incoming traffic. Pattern matching in software is prohibitively slow in comparison to current network speeds, so only FPGA (Field-Programmable Gate Array) or ASIC (Application-Specific Integrated Circuit) solutions can be efficient for this problem. Our FPGA-based solution performs high-speed matching while permitting pattern updates without reconfiguring the device. An off-line optimization method first finds sub-pattern similarities across all the patterns in the SNORT database of signatures [17]. A novel technique then compresses each pattern into a bit vector in which each bit represents such a sub-pattern. Our approach drastically reduces both the required on-chip storage and the complexity of matching, using just 0.05 logic cells for processing and 17.74 bits for storage per character in the current SNORT database of 6456 patterns.
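The following is an added toy illustration of the sub-pattern bit-vector idea described in the abstract; it is constructed for this page and is not the paper's algorithm or code. It assumes sub-patterns are fixed-length k-grams shared by at least two signatures, that each signature is compressed to a bit vector over those k-grams, and that a payload whose accumulated k-gram hits cover a signature's vector yields only a candidate that must still be verified exactly; the signatures and payload are constructed samples, not SNORT rules.

```python
# Constructed toy: sub-pattern bit-vector filtering for signature matching.
# Not the paper's algorithm; k-gram sub-patterns and k=3 are assumptions.
from collections import Counter

K = 3  # sub-pattern length (assumption for this toy)

def kgrams(data, k=K):
    """All length-k substrings of a bytes object."""
    return [data[i:i + k] for i in range(len(data) - k + 1)]

def find_subpatterns(patterns, k=K):
    """Off-line step: map each k-gram shared by >= 2 patterns to a bit index."""
    counts = Counter()
    for p in patterns:
        counts.update(set(kgrams(p, k)))  # count each k-gram once per pattern
    shared = sorted(g for g, c in counts.items() if c >= 2)
    return {g: i for i, g in enumerate(shared)}

def encode(data, subpat, k=K):
    """Bit vector with bit i set iff sub-pattern i occurs in data."""
    vec = 0
    for g in kgrams(data, k):
        idx = subpat.get(g)
        if idx is not None:
            vec |= 1 << idx
    return vec

def match(payload, patterns, subpat, k=K):
    """Return (candidates, confirmed): bit-vector filter first, exact check second."""
    seen = encode(payload, subpat, k)
    # A pattern is a candidate when every one of its sub-patterns was seen in
    # the payload, in any order. Patterns with no shared sub-pattern (vector 0)
    # always reach verification; the exact check removes filter false positives.
    candidates = [p for p in patterns if encode(p, subpat, k) & ~seen == 0]
    confirmed = [p for p in candidates if p in payload]
    return candidates, confirmed

# Constructed sample signatures (not SNORT rules) and their shared sub-patterns.
SIGS = [b"cmd.exe", b"cmd.com", b"/bin/sh", b"/bin/bash", b"shell.exe"]
SUBPAT = find_subpatterns(SIGS)

if __name__ == "__main__":
    cands, hits = match(b"GET /bin/sh HTTP/1.0", SIGS, SUBPAT)
    print("shared sub-patterns:", sorted(SUBPAT))
    print("candidates after bit-vector filter:", cands)
    print("confirmed after exact verification:", hits)
```

Note that b"/bin/sh" and b"/bin/bash" compress to the same bit vector, so the filter flags both as candidates and only the exact check separates them; this is the trade-off between compressed storage and verification work that a bit-vector scheme has to manage.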
References
[1] Dharmapurikar, S., Lockwood, J.: Fast and Scalable Pattern Matching for Network Intrusion Detection Systems. IEEE Journal on Selected Areas in Communications 24, 1781–1792 (2006)
[2] Cho, Y., Mangione-Smith, W.: Pattern Matching Co-processor for Network Security. In: Annual ACM/IEEE Design Automation Conference (2005)
[3] Pnevmatikatos, D., Arelakis, A.: Variable-Length Hashing for Exact Pattern Matching. In: International Conference on Field Programmable Logic and Applications, pp. 1–6 (2006)
[4] Wu, C., Wen, S., Huang, N., Kao, C.: A Pattern Matching Coprocessor for Deep and Large Signature Set in Network Security System. In: IEEE GlobeComm (2005)
[5] Sidhu, R., Prasanna, V.K.: Fast Regular Expression Matching using FPGAs. In: IEEE Symposium on Field-Programmable Custom Computing Machines (2001)
[6] Baker, Z., Prasanna, V.K.: Automatic Synthesis of Efficient Intrusion Detection Systems on FPGAs. In: 14th International Conference on Field Programmable Logic and Applications (2004)
[7] Baker, Z., Prasanna, V.K.: A Methodology for Synthesis of Efficient Intrusion Detection Systems on FPGAs. In: 12th IEEE Symposium on Field-Programmable Custom Computing Machines (2004)
[8] Hutchings, B.L., Franklin, R., Carver, D.: Assisting Network Intrusion Detection with Reconfigurable Hardware. In: IEEE Symposium on Field-Programmable Custom Computing Machines (2002)
[9] Sourdis, I., Pnevmatikatos, D.: Fast, Large-Scale String Match for a 10Gbps FPGA-based Network Intrusion Detection System. In: International Conference on Field Programmable Logic and Applications, Lisbon, Portugal (2003)
[10] Clark, C.R., Schimmel, D.E.: Scalable Parallel Pattern-Matching on High-Speed Networks. In: IEEE Symposium on Field-Programmable Custom Computing Machines, Napa Valley, CA (2004)
[11] Cho, Y.H., Navab, S., Mangione-Smith, W.H.: Specialized Hardware for Deep Network Packet Filtering. In: 12th International Conference on Field Programmable Logic and Applications, Montpellier, France, pp. 452–461 (2002)
[12] Gokhale, M., Dubois, D., Dubois, A., Boorman, M., Poole, S., Hogsett, V.: Granidt: Towards Gigabit Rate Network Intrusion Detection Technology. In: 12th International Conference on Field Programmable Logic and Applications, Montpellier, France, pp. 404–413 (2002)
[13] Lockwood, J.W., Moscola, J., Kulig, M., Reddick, D., Brooks, T.: Internet Worm and Virus Protection in Dynamically Reconfigurable Hardware. In: Military and Aerospace Programmable Logic Devices Conference, E10.M (2003)
[14] Sourdis, I., Pnevmatikatos, D.: Pre-decoded CAMs for Efficient and High-speed NIDS Pattern Matching. In: 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, pp. 258–267 (2004)
[15] Yu, F., Katz, R.H., Lakshman, T.V.: Gigabit Rate Packet Pattern Matching using TCAM. In: 12th IEEE International Conference on Network Protocols, pp. 174–183 (2004)
[16] Lin, C., Huang, C., Jiang, C., Chang, S.: Optimization of Pattern Matching Circuits for Regular Expression on FPGA. IEEE Transactions on Very Large Scale Integration Systems 15 (2007)
[17] SNORT® Open Source Network Intrusion Prevention and Detection System, http://www.snort.org
[18] Roan, H., Hwang, W., Dan Lo, C.: Shift-Or Circuit for Efficient Network Intrusion Detection Pattern Matching. In: International Conference on Field Programmable Logic and Applications (2006)
[19] Papadopoulos, G., Pnevmatikatos, D.: Hashing + Memory = Low Cost, Exact Pattern Matching. In: International Conference on Field Programmable Logic and Applications, pp. 39–44 (2005)
[20] Tan, L., Sherwood, T.: A High Throughput String Matching Architecture for Intrusion Detection and Prevention. In: 32nd Annual International Symposium on Computer Architecture, pp. 112–122 (2005)
[21] Christodorescu, M., Jha, S.: Static Analysis of Executables to Detect Malicious Patterns. In: 12th USENIX Security Symposium, vol. 12 (2003)
[22] Thinh, T.N., Kittitornkun, S., Tomiyama, S.: Applying Cuckoo Hashing for FPGA-based Pattern Matching in NIDS/NIPS. In: International Conference on Field-Programmable Technology, pp. 121–128 (2007)
[23] Lee, T.: Hardware Architecture for High-Performance Regular Expression Matching. IEEE Transactions on Computers 58(7), 984–993 (2009)
© 2010 IFIP International Federation for Information Processing
Guinde, N.B., Ziavras, S.G. (2010). Novel FPGA-Based Signature Matching for Deep Packet Inspection. In: Samarati, P., Tunstall, M., Posegga, J., Markantonakis, K., Sauveron, D. (eds) Information Security Theory and Practices. Security and Privacy of Pervasive Systems and Smart Devices. WISTP 2010. Lecture Notes in Computer Science, vol 6033. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-12368-9_21
DOI: https://doi.org/10.1007/978-3-642-12368-9_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-12367-2
Online ISBN: 978-3-642-12368-9