
UNITE: Uniform Hardware-Based Network Intrusion deTection Engine

  • Conference paper
Reconfigurable Computing: Architectures and Applications (ARC 2006)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 3985)

Abstract

Current software implementations of network intrusion detection reach a maximum network connection speed of about 1Gbps (Gigabits per second). This paper analyses the Snort software network intrusion detection system to highlight the bottlenecks of such systems. It proposes a novel packet processing engine called UNITE that deploys a uniform hardware architecture to perform both header classification and payload signature extraction utilising a Content Addressable Memory (CAM) which is optimised by techniques based on Binary Decision Diagrams (BDDs). The proposed design has been implemented on an XC2VP30 FPGA, and we achieve an operating frequency of 350MHz and a processing speed in excess of 2.8Gbps. The area resource usage for UNITE is also shown to be efficient, with a Look Up Tables (LUTs) per character ratio of 0.82 for a rule set of approximately 20,000 characters.



Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Yusuf, S., Luk, W., Szeto, M.K.N., Osborne, W. (2006). UNITE: Uniform Hardware-Based Network Intrusion deTection Engine. In: Bertels, K., Cardoso, J.M.P., Vassiliadis, S. (eds) Reconfigurable Computing: Architectures and Applications. ARC 2006. Lecture Notes in Computer Science, vol 3985. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11802839_47


  • DOI: https://doi.org/10.1007/11802839_47

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-36708-6

  • Online ISBN: 978-3-540-36863-2

  • eBook Packages: Computer Science (R0)
