Journal in Computer Virology, Volume 2, Issue 1, pp 21–34

A Parallel “String Matching Engine” for use in High Speed Network Intrusion Detection Systems

Original Paper

Abstract

This paper describes a finite state machine approach to string matching for an intrusion detection system. To reach high throughput, the engine must consume input data several bytes wide per clock cycle. Finite state machine designs become more complex when they operate on wide input words, partly because the start or end of a search string may fall part way through a word. Here we use finite state machines that each operate on a single byte wide data input, and provide a separate finite state machine for each byte wide lane of a multi-byte input word. By splitting each search string into multiple interleaved substrings, one per lane, and by combining the outputs of the individual finite state machines in an appropriate way, we perform string matching in parallel across the machines. A hardware design for the parallel string matching engine has been generated, built for implementation in a Xilinx Field Programmable Gate Array and tested by simulation. The design is capable of operating at a search rate of 4.7 Gbps with a 32-bit input word size.
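The abstract describes the scheme only in outline: a W-byte input word is split into W byte lanes, each lane runs its own single-byte FSM over the interleaved piece of every search string that lands in that lane, and a combiner aligns the per-lane hits. Because every lane advances one byte per clock, throughput is W bytes per cycle, which for the quoted 32-bit word and 4.7 Gbps figure works out to roughly 147 MHz. The following Python is an added software illustration of that decomposition, written for this page; it is not the paper's FPGA design and the paper does not state which automaton its lane FSMs use (Aho-Corasick is assumed here because it handles many patterns per lane in one machine). Each pattern p is placed at every possible alignment o within a word; byte p[i] then falls in lane (o+i) mod W, and the combiner requires lane k's piece to finish exactly E - e_k words before the word in which the whole string ends. Since E - e_k is 0 or 1, a two-entry history per lane stands in for the one-word delay register a hardware combiner would use. Patterns shorter than W leave some lanes with nothing to match for a given alignment, and those lanes are simply excluded from the check. The signatures and the packet are constructed for the example.

```python
from collections import deque


class ByteAutomaton:
    """Aho-Corasick automaton over byte strings. One instance plays the role of
    one single-byte-wide FSM, i.e. one lane of the W-byte input word."""

    def __init__(self, keys):
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for key in keys:
            s = 0
            for b in key:
                if b not in self.goto[s]:
                    self.goto[s][b] = len(self.goto)
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                s = self.goto[s][b]
            self.out[s].add(key)
        queue = deque(self.goto[0].values())        # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]  # inherit shorter suffix matches
                queue.append(s)

    def step(self, state, b):
        while state and b not in self.goto[state]:
            state = self.fail[state]
        return self.goto[state].get(b, 0)


class ParallelMatcher:
    """W single-byte FSMs run side by side on a W-byte word. Pattern p placed at
    alignment o (start byte o of a word) is split into the interleaved pieces
    p[i] for (o + i) mod W == k, one piece per lane k."""

    def __init__(self, patterns, width):
        self.W = width
        self.patterns = [bytes(p) for p in patterns]
        self.lane_jobs = [{} for _ in range(width)]   # lane -> piece -> [(p, o, e)]
        self.plans = {}                               # (p, o) -> (E, [(lane, e), ...])
        for pi, pat in enumerate(self.patterns):
            assert pat, "empty pattern"
            for o in range(width):
                E = (o + len(pat) - 1) // width       # word (relative to start word) holding the last byte
                lanes = []
                for k in range(width):
                    idx = [i for i in range(len(pat)) if (o + i) % width == k]
                    if not idx:        # pattern shorter than W: lane k carries nothing for (p, o)
                        continue
                    piece = bytes(pat[i] for i in idx)
                    e = (o + idx[-1]) // width        # relative word in which this lane's piece ends
                    self.lane_jobs[k].setdefault(piece, []).append((pi, o, e))
                    lanes.append((k, e))
                self.plans[(pi, o)] = (E, lanes)
        self.autos = [ByteAutomaton(jobs) for jobs in self.lane_jobs]

    def search(self, data):
        W = self.W
        states = [0] * W
        ends = {}     # (p, o, lane) -> last two word numbers in which that lane's piece ended
        hits = []
        for j in range((len(data) + W - 1) // W):
            word = data[j * W:(j + 1) * W]            # the final word may be short
            for k, b in enumerate(word):              # all lanes step on the same clock
                states[k] = self.autos[k].step(states[k], b)
                for piece in self.autos[k].out[states[k]]:
                    for pi, o, e in self.lane_jobs[k][piece]:
                        ends.setdefault((pi, o, k), deque(maxlen=2)).append(j)
            # combine: lane k's piece must have ended E - e words before this word;
            # E - e is 0 or 1, so a two-entry history per lane is enough
            for (pi, o), (E, lanes) in self.plans.items():
                if all(j - (E - e) in ends.get((pi, o, k), ()) for k, e in lanes):
                    hits.append((self.patterns[pi], (j - E) * W + o))
        return hits


def reference_search(patterns, data):
    """Plain byte-at-a-time scan used to cross-check the lane-parallel engine."""
    return sorted((bytes(p), i) for p in patterns
                  for i in range(len(data) - len(p) + 1) if data[i:i + len(p)] == p)


# Constructed signatures and sample packet (not taken from the paper).
PATTERNS = [b"GET", b"/../", b"passwd", b"cgi-bin"]
PACKET = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"


def demo(width=4):
    """Run the parallel engine with the given word width and return sorted (pattern, offset) hits."""
    hits = sorted(ParallelMatcher(PATTERNS, width).search(PACKET))
    assert hits == reference_search(PATTERNS, PACKET)
    return hits


if __name__ == "__main__":
    for pattern, offset in demo():
        print(f"{pattern!r} at byte {offset}")
```

Running `demo()` with widths 1, 3, 4 and 8 returns the same five hits, which is the point of the decomposition: the word width changes how the patterns are sliced and how many FSMs run, not what is found. The overlapping `/../` hits at offsets 12 and 15 show that a string starting in one word and ending in the next is still caught, since the lanes holding its tail report one word later than the lane holding its head and the combiner accounts for that lag.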



Copyright information

© Springer-Verlag France 2006

Authors and Affiliations

The Computing Laboratory, University of Kent, Canterbury, UK
