Smart Architecture for High-Speed Intrusion Detection and Prevention Systems

  • Chih-Chiang Wu
  • Sung-Hua Wen
  • Nen-Fu Huang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4301)


The overall performance of an intrusion protection system depends not only on the packet header classification and pattern matching, but also on the post-operative determination of correlative patterns of matched rules. An increasing number of patterns associated with a rule heighten the importance of correlative pattern matching. This work proposes a TCAM-based smart architecture that supports both deep pattern-matching and correlative pattern-matching. The proposed architecture overcomes the difficulties in implementing TCAM when the patterns are very deep and the rules for packet payload involve many patterns whose positions lie within a range. A real case payload is simulated using a Snort 2.3 rule set and simulation results demonstrate the feasibility of the proposed architecture in supporting a high-speed and robust intrusion detection and prevention system.


Clock Cycle Intrusion Detection Pattern Match Correlative Pattern Bloom Filter 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    SNORT official web site,
  2. 2.
    ClamAV database,
  3. 3.
    Sidhu, R., Prasanna, V.K.: Fast Regular Expression Matching using FPGAs. In: Proc. of the 9th annual IEEE Symposium on Field-Progammable Custom Computing Machines (FCCM 2001), Rohnert Park, California, USA, pp. 223–232 (April 2001)Google Scholar
  4. 4.
    Moscola, J., Lockwood, J., Loui, R.P., Pachos, M.: Implementation of a Content-scanning Module for an Internet Firewall. In: Proc. of the 11th annual IEEE Symposium on Field-Progammable Custom Computing Machines (FCCM 2003), Napa, California, USA, pp. 31–38 (April 2003)Google Scholar
  5. 5.
    Sourdis, et al.: Fast, Large-scale String Match for 10Gbps FPGA-based Network Intrusion Detection System. In: Cheung, P.Y.K., Constantinides, G.A. (eds.) FPL 2003. LNCS, vol. 2778, pp. 880–889. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. 6.
    Young, et al.: Deep Network Packet Filter Design for Reconfigurable Devices. In: Glesner, M., Zipf, P., Renovell, M. (eds.) FPL 2002. LNCS, vol. 2438. Springer, Heidelberg (2002)Google Scholar
  7. 7.
    Gokhale, M., et al.: Granidt: Towards Gigabit Rate Network Intrusion Detection Technology. In: Glesner, M., Zipf, P., Renovell, M. (eds.) FPL 2002. LNCS, vol. 2438, pp. 404–413. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Bu, L., Chandy, J.A.: FPGA Based Network Intrusion Detection using Content Addressable Memories. In: Proc. of the 12th annual IEEE Symposium on Field-Progammable Custom Computing Machines (FCCM 2004), Napa, California, USA, pp. 316–317 (April 2004)Google Scholar
  9. 9.
    Silberstein, M., et al.: Designing a CAM-based Coprocessor for Boosting Performance of Antivirus Software. Technion technique report (March 2004)Google Scholar
  10. 10.
    Dharmapurikarup, S., et al.: Deep Packet Inspection using Parallel Bloom Filters. IEEE Micro 24(1), 52–61 (2004)CrossRefGoogle Scholar
  11. 11.
    DEFCON web site,
  12. 12.
    Yu, F., Katz, R.H., Lakshman, T.V.: Gigabit Rate Packet Pattern-Matching Using TCAM. In: Proc. of the 12th IEEE International Conference on Network Protocols (ICNP 2004), Berlin, Germany, pp. 147–183 (October 2004)Google Scholar
  13. 13.
    Wu, C.-C., Wen, S.-H., Huang, N.-F., Kao, C.N.: A Pattern Matching Coprocessor for Deep and Large Signature Set in Network Security System. In: IEEE Globecom 2005, St. Louis, USA (November 2005)Google Scholar
  14. 14.
    Attig, M.E., Lockwood, J.: A Framework for Rule Processing in Reconfigurable Network Systems. In: Proc. of the 13th annual IEEE Symposium on Field-Progammable Custom Computing Machines (FCCM 2005), Napa, California, USA (April 2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Chih-Chiang Wu
    • 1
  • Sung-Hua Wen
    • 2
  • Nen-Fu Huang
    • 2
    • 3
  1. 1.Computer and Communication Research Center (CCRC)National Tsing Hua UniversityTaiwan
  2. 2.Institute of Communication EngineeringNational Tsing Hua UniversityTaiwan
  3. 3.Department of Computer ScienceNational Tsing Hua UniversityTaiwan

Personalised recommendations