Memory-efficient content filtering hardware for high-speed intrusion detection systems

Authors:
Sungwon Yi;Byoung-koo Kim;Jintae Oh;Jongsoo Jang;George Kesidis;Chita R. Das
Affiliations:
Electronics and Telecommunications Research Institute;Electronics and Telecommunications Research Institute;Electronics and Telecommunications Research Institute;Electronics and Telecommunications Research Institute;Pennsylvania State University;Pennsylvania State University
Venue:
Proceedings of the 2007 ACM symposium on Applied computing
Year:
2007

Citing 17
Cited 6

An improvement to bottom-up tree pattern matching

POPL '87 Proceedings of the 14th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
A fast string searching algorithm

Communications of the ACM
Efficient string matching: an aid to bibliographic search

Communications of the ACM
Granidt: Towards Gigabit Rate Network Intrusion Detection Technology

FPL '02 Proceedings of the Reconfigurable Computing Is Going Mainstream, 12th International Conference on Field-Programmable Logic and Applications
Specialized Hardware for Deep Network Packet Filtering

FPL '02 Proceedings of the Reconfigurable Computing Is Going Mainstream, 12th International Conference on Field-Programmable Logic and Applications
Performance in Practice of String Hashing Functions

Proceedings of the Fifth International Conference on Database Systems for Advanced Applications (DASFAA)
Implementation of a Content-Scanning Module for an Internet Firewall

FCCM '03 Proceedings of the 11th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Generating realistic workloads for network intrusion detection systems

WOSP '04 Proceedings of the 4th international workshop on Software and performance
Pre-Decoded CAMs for Efficient and High-Speed NIDS Pattern Matching

FCCM '04 Proceedings of the 12th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Gigabit Rate Packet Pattern-Matching Using TCAM

ICNP '04 Proceedings of the 12th IEEE International Conference on Network Protocols
Configurable string matching hardware for speeding up intrusion detection

ACM SIGARCH Computer Architecture News - Special issue: Workshop on architectural support for security and anti-virus (WASSA)
Fast Regular Expression Matching Using FPGAs

FCCM '01 Proceedings of the the 9th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Polygraph: Automatically Generating Signatures for Polymorphic Worms

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits

Proceedings of the 12th ACM conference on Computer and communications security
Polymorphic worm detection and defense: system design, experimental methodology, and data resources

Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Deep Packet Inspection using Parallel Bloom Filters

IEEE Micro

An efficient multi-hash pattern matching scheme for intrusion detection in FPGA-based reconfiguring hardware

ACS'08 Proceedings of the 8th conference on Applied computer scince
Machine learning algorithms for accurate flow-based network traffic classification: Evaluation and comparison

Performance Evaluation
Software cannot protect software: an argument for dedicated hardware in security and a categorization of the trustworthiness of information

WISTP'08 Proceedings of the 2nd IFIP WG 11.2 international conference on Information security theory and practices: smart devices, convergence and next generation networks
ATPS: adaptive threat prevention system for high-performance intrusion detection and response

APNOMS'07 Proceedings of the 10th Asia-Pacific conference on Network Operations and Management Symposium: managing next generation networks and services
A scalable high-performance virus detection processor against a large pattern set for embedded network security

IEEE Transactions on Very Large Scale Integration (VLSI) Systems
High-performance architecture for dynamically updatable packet classification on FPGA

ANCS '13 Proceedings of the ninth ACM/IEEE symposium on Architectures for networking and communications systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Content filtering-based Intrusion Detection Systems have been widely deployed in enterprise networks, and have become a standard measure to protect networks and network users from cyber attacks. Although several solutions have been proposed recently, finding an efficient solution is considered as a difficult problem due to the limitations in resources such as a small memory size, as well as the growing link speed. In this paper, we present a novel content filtering technique called Table-driven Bottom-up Tree (TBT), which was designed i) to fully exploit hardware parallelism to achieve real-time packet inspection, ii) to require a small memory for storing signatures, iii) to be flexible in modifying the signature database, and iv) to support complex signature representation such as regular expressions. We configured TBT considering the hardware specifications and limitations, and implemented it using a FPGA. Simulation based performance evaluations showed that the proposed technique used only 350 Kilobytes of memory for storing the latest version of SNORT rule consisting of 2770 signatures. In addition, unlike many other hardware-based solutions, modification to signature database does not require hardware re-compilation in TBT.