A High Throughput String Matching Architecture for Intrusion Detection and Prevention

Tan, Lin; Sherwood, Timothy

doi:10.1145/1080695.1069981

Cited by 178 publications

(146 citation statements)

References 31 publications

Supporting

Mentioning

146

Contrasting

Order By: Relevance

“…Since Cho's [2] is an ASIC implementation, it has a large clock frequency at the cost of rigidity to updates. Also, another ASIC solution in [18] involves memory tiles where a 2-bit input selects one of four finite state machines. Although [18] does not list the number of patterns in the implementation, it contains a comparison with the design proposed in [11] that assumes 1466 rules with 18,031 characters.…”

Section: Comparison With Earlier Approachesmentioning

confidence: 99%

“…Also, another ASIC solution in [18] involves memory tiles where a 2-bit input selects one of four finite state machines. Although [18] does not list the number of patterns in the implementation, it contains a comparison with the design proposed in [11] that assumes 1466 rules with 18,031 characters. The work in [18] uses 3200 Kbits of memory, yielding a memory consumption ratio of 181.7 bits per character which is quite high compared to our design (see Table II).…”

Section: Comparison With Earlier Approachesmentioning

confidence: 99%

“…Although [18] does not list the number of patterns in the implementation, it contains a comparison with the design proposed in [11] that assumes 1466 rules with 18,031 characters. The work in [18] uses 3200 Kbits of memory, yielding a memory consumption ratio of 181.7 bits per character which is quite high compared to our design (see Table II). Also, our updating process is very simple as it does not require intricate knowledge of our design.…”

Section: Comparison With Earlier Approachesmentioning

confidence: 99%

See 2 more Smart Citations

Efficient hardware support for pattern matching in network intrusion detection

Guinde

Ziavras

2010

Computers & Security

View full text Add to dashboard Cite

Abstract-Deep packet inspection forms the backbone of any Network Intrusion Detection (NID) system. It involves matching known malicious patterns against the incoming traffic payload. Pattern matching in software is prohibitively slow in comparison to current network speeds. Due to the high complexity of matching, only FPGA (Field-Programmable Gate Array) or ASIC (Application-Specific Integrated Circuit) platforms can provide efficient solutions. FPGAs facilitate target architecture specialization due to their field programmability. Costly ASIC designs, on the other hand, are normally resilient to pattern updates. Our FPGA-based solution performs high-speed pattern matching while permitting pattern updates without resource reconfiguration. To its advantage, our solution can be adopted by software and ASIC realizations, however at the expense of much lower performance and higher price, respectively. Our solution permits the NID system to function while pattern updates occur. An off-line optimization method first finds common subpatterns across all the patterns in the SNORT database of signatures [14]. A novel technique then compresses each pattern into a bit vector, where each bit represents such a sub-pattern. This approach reduces drastically the required on-chip storage as well as the complexity of pattern matching. The bit vectors for newly discovered patterns can be generated easily using a simple high-level language program before storing them into the on-chip RAM. Compared to earlier approaches, not only is our strategy very efficient while supporting runtime updates but it also results in impressive area savings; it utilizes just 0.052 logic cells for processing and 17.77 bits for storage per character in the current SNORT database of 6455 patterns. Also, the total number of logic cells for processing the traffic payload does not change with pattern updates.

show abstract

Section: Comparison With Earlier Approachesmentioning

confidence: 99%

Section: Comparison With Earlier Approachesmentioning

confidence: 99%

Section: Comparison With Earlier Approachesmentioning

confidence: 99%

See 1 more Smart Citation

Efficient hardware support for pattern matching in network intrusion detection

Guinde

Ziavras

2010

Computers & Security

View full text Add to dashboard Cite

show abstract

“…A large number of comparisons are required for dealing with multiple characters, as shown in Figure 1, because all possible combinations of characters are compared against the input string in parallel. The deterministic finite automata (DFA) approach [2,7,10] uses a state machine to track partial pattern matches across clock cycles. A DFA will take in a string of input character.…”

Section: B Fpga Solutionsmentioning

confidence: 99%

Multi-Character Processor Array for Pattern Matching in Network Intrusion Detection System

Chang

Tsai

Chung

2008

22nd International Conference on Advanced Information Networking and Applications (Aina 2008)

View full text Add to dashboard Cite

Abstract-Network Intrusion Detection System (NIDS) is a system developed for identifying attacks by using a set of rules. NIDS is an efficient way to provide the security protection for today's internet. Pattern match algorithm plays an important role in NIDS that performs searches against multiple patterns for a string match. Pattern matching is a computationally expensive task. Traditional software-based NIDS solutions usually can not achieve a high-speed required for ever growing Internet attacks. In order to satisfy high-speed packet content inspection, hardware-implementable pattern match algorithm is required. In this paper, we propose a hardware-based pattern match architecture that employs a multi-character processor array. The proposed multi-character processor array is a parallel and pipelined architecture which can process multiple characters of the input stream per cycle. The proposed architecture can reduce a lot of unnecessary computations and thus it is power efficient. We use Snort pattern sets and DEFCON packet traces to perform our simulations. Our experiment results show that, with a 3-character processor array, we can reduce 83% of the computations compared with the brute force approach.

show abstract

“…FPGA-based work in this regard has investigated the use of non-deterministic finite automata to match regular expressions [28,29], compiling regular expressions into deterministic finite automata [30], and then quickly generating new, compiled FPGA binaries [31]. Other custom hardware efforts, not specific to FPGAs, have investigated building optimized Aho-Corasick trees for sets of strings [32] and specialized architectures based on collections of highly optimized tiny state machines, each of which looks for a portion of a string [33].…”

Section: Related Workmentioning

confidence: 99%

An architecture for exploiting multi-core processors to parallelize network intrusion prevention

Paxson

Sommer

Weaver³

2007

2007 IEEE Sarnoff Symposium

View full text Add to dashboard Cite

SUMMARYIt is becoming increasingly difficult to implement effective systems for preventing network attacks, due to the combination of the rising sophistication of attacks requiring more complex analyses to detect; the relentless growth in the volume of network traffic that we must analyze; and, critically, the failure in recent years for uniprocessor performance to sustain the exponential gains that for so many years CPUs have enjoyed. For commodity hardware, tomorrow's performance gains will instead come from multi-core architectures in which a whole set of CPUs executes concurrently. Taking advantage of the full power of multi-core processors for network intrusion prevention requires an in-depth approach. In this work we frame an architecture customized for parallel execution of network attack analysis. At the lowest layer of the architecture is an 'Active Network Interface', a custom device based on an inexpensive FPGA platform. The analysis itself is structured as an event-based system, which allows us to find many opportunities for concurrent execution, since events introduce a natural asynchrony into the analysis while still maintaining good cache locality. A preliminary evaluation demonstrates the potential of this architecture. Copyright

show abstract

A High Throughput String Matching Architecture for Intrusion Detection and Prevention

Cited by 178 publications

References 31 publications

Efficient hardware support for pattern matching in network intrusion detection

Efficient hardware support for pattern matching in network intrusion detection

Multi-Character Processor Array for Pattern Matching in Network Intrusion Detection System

An architecture for exploiting multi-core processors to parallelize network intrusion prevention

Contact Info

Product

Resources

About