Efficient Reconfigurable Logic Circuits for Matching Complex Network Intrusion Detection Patterns

  • Christopher R. Clark
  • David E. Schimmel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2778)


This paper presents techniques for designing pattern matching circuits for complex regular expressions, such as those found in network intrusion detection patterns. We have developed a pattern-matching co-processor that supports all the pattern matching functions of the Snort rule language [3]. In order to achieve maximum pattern capacity and throughput, the design focuses on minimizing circuit area while maintaining high clock speed. Using our approach, we are able to store the entire current Snort rule database consisting of over 1,500 rules and 17,000 characters into a single one-million-gate FPGA while comparing all patterns against traffic at gigabit rates.


Intrusion Detection Pattern Match Regular Expression Logic Element Network Intrusion Detection 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Allen, J., et al.: State of the Practice of Intrusion Detection Technologies. Technical Report CMU/SEI-99-TR-028 (1999)Google Scholar
  2. 2.
    Roberts, L.G.: Beyond Moore’s Law: Internet Growth Trends. IEEE Computer, 117–119 (January 2000)Google Scholar
  3. 3.
    Martin Roesch and Chris Green. Snort User’s Manual,
  4. 4.
    Fisk, M., Varghese, G.: Fast Content-Based Packet Handling for Intrusion Detection, Technical Report UCSD CS2001-0670 (May 2001)Google Scholar
  5. 5.
    Jason Coit, C., Staniford, S., McAlerney, J.: Towards Faster String Matching for Intrusion Detection. In: DARPA Information Survivability Conference (June 2001)Google Scholar
  6. 6.
    Sidhu, R., Prasanna, V.K.: Fast Regular Expression Matching using FPGAs. In: Proceedings of IEEE FCCM 2001 (April 2001)Google Scholar
  7. 7.
    Franklin, R., Carver, D., Hutchings, B.L.: Assisting Network Intrusion Detection with Reconfigurable Hardware. In: Proceedings of IEEE FCCM 2002, April 2002, pp. 111–120 (2002)Google Scholar
  8. 8.
    Bellows, P., Hutchings, B.L.: JHDL—An HDL for Reconfigurable Systems. In: Proceedings of IEEE FCCM 1998, April 1998, pp. 175–184 (1998)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Christopher R. Clark
    • 1
  • David E. Schimmel
    • 1
  1. 1.School of Electrical and Computer EngineeringGeorgia Institute of TechnologyAtlantaUSA

Personalised recommendations