UNITE: Uniform Hardware-Based Network Intrusion deTection Engine

  • S. Yusuf
  • W. Luk
  • M. K. N. Szeto
  • W. Osborne
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3985)


Current software implementations of network intrusion detection reach a maximum network connection speed of about 1Gbps (Gigabits per second). This paper analyses the Snort software network intrusion detection system to highlight the bottlenecks of such systems. It proposes a novel packet processing engine called UNITE that deploys a uniform hardware architecture to perform both header classification and payload signature extraction utilising a Content Addressable Memory (CAM) which is optimised by techniques based on Binary Decision Diagrams (BDDs). The proposed design has been implemented on an XC2VP30 FPGA, and we achieve an operating frequency of 350MHz and a processing speed in excess of 2.8Gbps. The area resource usage for UNITE is also shown to be efficient, with a Look Up Tables (LUTs) per character ratio of 0.82 for a rule set of approximately 20,000 characters.


Keywords: Hardware Implementation; Binary Decision Diagram; Network Intrusion Detection; FPGA Chip; Network Intrusion Detection System
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • S. Yusuf (1)
  • W. Luk (1)
  • M. K. N. Szeto (1)
  • W. Osborne (1)
  1. Department of Computing, Imperial College London, London, UK
