Fast, Large-Scale String Match for a 10Gbps FPGA-Based Network Intrusion Detection System

  • Ioannis Sourdis
  • Dionisios Pnevmatikatos
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2778)

Abstract

Intrusion Detection Systems such as Snort scan incoming packets for evidence of security threats. The most computation-intensive part of these systems is a text search against hundreds of patterns, which must be performed at wire speed. FPGAs are particularly well suited for this task, and several such systems have been proposed. In this paper we expand on previous work in order to achieve and exceed a processing bandwidth of 11Gbps. We employ a scalable, low-latency architecture and use extensive fine-grain pipelining to tackle the fan-out, match, and encode bottlenecks, achieving operating frequencies in excess of 340MHz on fast Virtex devices. To increase throughput, we use multiple comparators and allow for parallel matching of multiple search strings. We evaluate the area and latency cost of our approach and find that the match cost per search pattern character is between 4 and 5 logic cells.
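The abstract describes matching many fixed content strings in parallel by instantiating several comparators per pattern, so that more than one input byte is consumed per clock. The following cycle-level software model is an added illustration of that idea, not code from the paper or its FPGA design: it assumes a simplified architecture in which each cycle shifts `bytes_per_cycle` new bytes into a window and one comparator per (pattern, alignment) fires when the last byte of its pattern arrives. The rule names, patterns and sample stream are constructed for the example; the bandwidth helper simply multiplies clock rate by bytes per cycle and does not model pipeline or encoder cost.

```python
from typing import Dict, List, Tuple

# Constructed sample rule set: byte patterns standing in for Snort "content" strings.
PATTERNS: Dict[str, bytes] = {
    "rule_a": b"GET /cgi-bin/",
    "rule_b": b"\x90\x90\x90\x90",
    "rule_c": b"USER root",
}

# Constructed sample input; the NOP run overlaps itself so rule_b fires three times.
SAMPLE = b"xxGET /cgi-bin/phf \x90\x90\x90\x90\x90\x90 USER root\n"


def comparator_array(stream: bytes, patterns: Dict[str, bytes],
                     bytes_per_cycle: int) -> List[Tuple[int, str]]:
    """Cycle-level model of a parallel comparator array (assumed architecture).

    Every cycle, `bytes_per_cycle` new bytes are shifted into a window that also
    retains the previous max_len-1 bytes. For each pattern there is one comparator
    per new alignment, so any match whose final byte is among this cycle's new
    bytes is reported in this cycle. Returns sorted (start_offset, rule_name).
    """
    max_len = max(len(p) for p in patterns.values())
    window = bytearray()   # oldest byte first
    window_base = 0        # absolute stream offset of window[0]
    matches: List[Tuple[int, str]] = []
    for cycle_start in range(0, len(stream), bytes_per_cycle):
        chunk = stream[cycle_start:cycle_start + bytes_per_cycle]
        window.extend(chunk)
        for name, pat in patterns.items():
            # One comparator per alignment whose pattern ends on a new byte.
            for end in range(cycle_start, cycle_start + len(chunk)):
                start = end - len(pat) + 1
                if start < window_base:
                    continue   # pattern would begin before the stream started
                s = start - window_base
                if window[s:s + len(pat)] == pat:
                    matches.append((start, name))
        # Retire bytes no future comparator can reach (shift register depth).
        drop = len(window) - (max_len - 1)
        if drop > 0:
            del window[:drop]
            window_base += drop
    return sorted(matches)


def reference_search(stream: bytes, patterns: Dict[str, bytes]) -> List[Tuple[int, str]]:
    """Straightforward software search used to check the cycle model."""
    out: List[Tuple[int, str]] = []
    for name, pat in patterns.items():
        i = stream.find(pat)
        while i != -1:
            out.append((i, name))
            i = stream.find(pat, i + 1)   # i+1 keeps overlapping matches
    return sorted(out)


def bandwidth_gbps(clock_mhz: float, bytes_per_cycle: int) -> float:
    """Raw input bandwidth of the array: clock * bytes consumed per cycle."""
    return clock_mhz * 1e6 * 8 * bytes_per_cycle / 1e9


if __name__ == "__main__":
    for k in (1, 2, 4, 8):
        hits = comparator_array(SAMPLE, PATTERNS, k)
        assert hits == reference_search(SAMPLE, PATTERNS)
        print(f"{k} byte(s)/cycle at 340 MHz -> {bandwidth_gbps(340, k):.2f} Gbps, hits={hits}")
```

Running the model with 1, 2, 4 and 8 bytes per cycle gives the same match set each time; what changes is the number of comparators instantiated and the bytes consumed per clock, which is the trade-off the abstract's area-versus-throughput figures describe.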



Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Ioannis Sourdis (1)
  • Dionisios Pnevmatikatos (1, 2)

  1. Microprocessor and Hardware Laboratory, Electronic and Computer Engineering Department, Technical University of Crete, Chania, Greece
  2. Institute of Computer Science (ICS), Foundation for Research and Technology-Hellas (FORTH), Heraklion, Greece
