
Abstract

Intrusion Detection Systems such as Snort scan incoming packets for evidence of security threats. The computation-intensive part of these systems is a text search of packet data against hundreds of patterns, which must be performed at wire speed. FPGAs are particularly well suited for this task, and several such systems have been proposed. In this paper we expand on previous work in order to achieve and exceed OC192 processing bandwidth (10 Gbps). We employ a scalable architecture and use extensive fine-grained pipelining to tackle the fan-out, match, and encode bottlenecks, achieving operating frequencies in excess of 340 MHz on fast Virtex devices. To increase throughput, we use multiple comparators and allow parallel matching of multiple search strings. We evaluate the area and latency cost of our approach and find that the match cost per search-pattern character is between 4 and 5 logic cells.
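The abstract describes three ideas that carry the throughput argument: one bank of byte comparators per pattern, several such banks side by side so that k payload bytes are consumed per clock, and an encoder that turns the match vector into a pattern identifier. The following Python cycle model is an added illustration written for this page, not the authors' HDL or results; it reproduces that structure in software so the boundary-straddling, byte-valid and bandwidth behaviour can be checked. The pattern set, payload and the choice of k = 4 comparators are constructed for the example; 340 MHz is the clock figure quoted in the abstract.

```python
"""Software cycle model of a parallel FPGA-style string matcher.

Added example, not the authors' design. Each clock accepts up to k
bytes; every pattern is compared at each of the k new alignments
(k comparators per pattern), a shift-register history lets a pattern
straddle a block boundary, and the sorted result list stands in for
the hardware encoder that reports which pattern fired where.
"""
from typing import List, Tuple

Match = Tuple[int, int]  # (pattern index, byte offset of match start)


def throughput_gbps(bytes_per_cycle: int, clock_mhz: float) -> float:
    """Payload bandwidth of a k-byte-per-clock datapath: k * 8 * f Mbit/s."""
    return bytes_per_cycle * 8 * clock_mhz / 1000.0


class ParallelMatcher:
    """Matches a fixed pattern set against a byte stream, k bytes per clock."""

    def __init__(self, patterns: List[bytes], bytes_per_cycle: int = 4):
        if not patterns or any(len(p) == 0 for p in patterns):
            raise ValueError("patterns must be non-empty byte strings")
        self.patterns = patterns
        self.k = bytes_per_cycle
        self.max_len = max(len(p) for p in patterns)
        # shift-register history: last max_len-1 bytes, zero-filled at reset
        self.hist = bytearray(self.max_len - 1)
        self.consumed = 0  # bytes accepted so far (absolute stream offset)

    def clock(self, block: bytes) -> List[Match]:
        """One clock: accept up to k bytes, return matches ending in them."""
        valid = len(block)
        if valid > self.k:
            raise ValueError("block wider than the datapath")
        # The bus is padded to k bytes; only comparators 0..valid-1 are
        # enabled (byte-valid mask), so pad bytes never enter a window.
        seg = bytes(self.hist) + block + bytes(self.k - valid)
        fired: List[Match] = []
        for pid, pat in enumerate(self.patterns):
            L = len(pat)
            for i in range(valid):  # comparator i: pattern ends at new byte i
                start = self.max_len - 1 + i - L + 1
                offset = self.consumed + i + 1 - L
                # offset < 0 means the window reaches into the zero reset
                # history rather than real data; hardware gates this too
                if offset >= 0 and seg[start:start + L] == pat:
                    fired.append((pid, offset))
        self.consumed += valid
        if self.max_len > 1:
            self.hist = bytearray(seg[valid:valid + self.max_len - 1])
        return sorted(fired, key=lambda m: (m[1], m[0]))  # encoder output


def scan(patterns: List[bytes], payload: bytes, bytes_per_cycle: int = 4) -> List[Match]:
    """Feed payload through the matcher k bytes at a time; return all matches."""
    m = ParallelMatcher(patterns, bytes_per_cycle)
    out: List[Match] = []
    for off in range(0, len(payload), bytes_per_cycle):
        out.extend(m.clock(payload[off:off + bytes_per_cycle]))
    return sorted(out, key=lambda x: (x[1], x[0]))


def reference_scan(patterns: List[bytes], payload: bytes) -> List[Match]:
    """Plain software search used to cross-check the cycle model."""
    out = [(pid, i) for pid, p in enumerate(patterns)
           for i in range(len(payload) - len(p) + 1) if payload[i:i + len(p)] == p]
    return sorted(out, key=lambda x: (x[1], x[0]))


# Constructed sample rule set and payload (not from the paper or Snort).
PATTERNS = [b"/etc/passwd", b"cmd.exe", b"GET ", b"passwd"]
PAYLOAD = b"GET /cgi-bin/x?f=../../etc/passwd HTTP/1.0\r\n"

if __name__ == "__main__":
    hits = scan(PATTERNS, PAYLOAD)
    assert hits == reference_scan(PATTERNS, PAYLOAD)
    for pid, off in hits:
        print(f"pattern {pid} {PATTERNS[pid]!r} at byte {off}")
    for k in (1, 2, 4):
        print(f"{k} byte(s)/clock @ 340 MHz -> {throughput_gbps(k, 340.0):.2f} Gbps")
```

The matcher finds `/etc/passwd` and `passwd` overlapping at offsets 22 and 27 even though both straddle 4-byte block boundaries, and the bandwidth figures show why one comparator per pattern is not enough: one byte per clock at 340 MHz is 2.72 Gbps, while four bytes per clock gives 10.88 Gbps, just over OC192.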



Copyright information

© 2005 Springer

About this chapter

Cite this chapter

Sourdis, I., Pnevmatikatos, D. (2005). Fast, Large-scale String Match for a 10 Gbps FPGA-based NIDS. In: Lysaght, P., Rosenstiel, W. (eds) New Algorithms, Architectures and Applications for Reconfigurable Computing. Springer, Boston, MA. https://doi.org/10.1007/1-4020-3128-9_16

  • DOI: https://doi.org/10.1007/1-4020-3128-9_16

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4020-3127-4

  • Online ISBN: 978-1-4020-3128-1

  • eBook Packages: Engineering, Engineering (R0)
