FPGA-Based Cuckoo Hashing for Pattern Matching in NIDS/NIPS

  • Conference paper
Managing Next Generation Networks and Services (APNOMS 2007)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 4773)

Abstract

Pattern matching for network intrusion detection/prevention demands exceptionally high throughput, along with recent updates to support new attack patterns. This paper describes a novel FPGA-based pattern matching architecture using a recent hashing algorithm called Cuckoo Hashing. The proposed architecture features on-the-fly pattern updates without reconfiguration, more efficient hardware utilization, and higher throughput. Through various algorithmic changes to Cuckoo Hashing, we can implement parallel pattern matching on SRAM-based FPGAs. Our system can accommodate the newest rule-set of Snort, an open source Network Intrusion Detection/Prevention System, and achieves the highest utilization in terms of SRAM per character and Logic Cells per character, at 15.63 bits/character and 0.033 Logic Cells/character respectively, on major Xilinx Virtex FPGA architectures. Compared to others, ours is more efficient than any other Xilinx FPGA architecture.



Editor information

Shingo Ata, Choong Seon Hong

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Tran, T.N., Kittitornkun, S. (2007). FPGA-Based Cuckoo Hashing for Pattern Matching in NIDS/NIPS. In: Ata, S., Hong, C.S. (eds) Managing Next Generation Networks and Services. APNOMS 2007. Lecture Notes in Computer Science, vol 4773. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75476-3_34

  • DOI: https://doi.org/10.1007/978-3-540-75476-3_34

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-75475-6

  • Online ISBN: 978-3-540-75476-3

  • eBook Packages: Computer Science (R0)
