Hardware implementation for network intrusion detection rules with regular expression support

Authors:
Chia-Tien Dan Lo;Yi-Gang Tai;Kleanthis Psarris
Affiliations:
University of Texas at San Antonio, San Antonio, TX;University of Texas at San Antonio, San Antonio, TX;University of Texas at San Antonio, San Antonio, TX
Venue:
Proceedings of the 2008 ACM symposium on Applied computing
Year:
2008

Citing 8
Cited 2

A new approach to text searching

Communications of the ACM
A fast string searching algorithm

Communications of the ACM
Efficient string matching: an aid to bibliographic search

Communications of the ACM
Specialized Hardware for Deep Network Packet Filtering

FPL '02 Proceedings of the Reconfigurable Computing Is Going Mainstream, 12th International Conference on Field-Programmable Logic and Applications
Assisting Network Intrusion Detection with Reconfigurable Hardware

FCCM '02 Proceedings of the 10th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Implementation of a Content-Scanning Module for an Internet Firewall

FCCM '03 Proceedings of the 11th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
A High Throughput String Matching Architecture for Intrusion Detection and Prevention

Proceedings of the 32nd annual international symposium on Computer Architecture
Introduction to the Design and Analysis of Algorithms (2nd Edition)

Introduction to the Design and Analysis of Algorithms (2nd Edition)

Space Optimization on Counters for FPGA-Based Perl Compatible Regular Expressions

ACM Transactions on Reconfigurable Technology and Systems (TRETS)
Selective regular expression matching

ISC'10 Proceedings of the 13th international conference on Information security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Signature-based network intrusion detection systems (NIDSs), such as Snort and Bro, rely on a rule database that describes traffic patterns for known attacks. They examine each packets flowing through a network segment and report suspicious packets to assure security. An attack signature may be represented in terms of fields in a packet such as source/destination IP addresses, source/destination ports, protocols, specific contents in payload, etc. Typically, a Perl Compatible Regular Expression (PCRE) is used to describe a specific content in the payload which may identify an attack. Our study shows that over 60% of the execution time in an NIDS is found to perform string comparisons against a signature database of over 5,950 tokens and over 1,763 PCREs. This paper proposes to extend a bit-parallel algorithm to support multi-byte processing and PCRE. This design takes a segment of bytes from the payload of a packet and detects all possible tokens including those crossing text segment boundaries. A tool is designed to generate VHDL code from a rule set automatically. Performance results are reported.