High-speed discrete content sensitive pattern match algorithm for deep packet filtering

Network security has long been a focus of attention from all sectors of society. Against this backdrop, deep processing of network packets has become an important research subject. Since malicious packets often disguise their sensitive content in one way or another in order to bypass the packet filter, this paper proposes a high-speed discrete content sensitive pattern match algorithm for imperceptible deep packet filtering. The filter sets up and manages (including lookup and update) a sensitive information database, monitors both the packet header and the payload at line speed using hardware-based discrete content sensitive pattern matching, and then executes the corresponding action. The paper mainly discusses a TCAM (ternary content addressable memory)-based pattern match algorithm, together with the architecture and performance analysis of a packet filtering system built on this algorithm. We present an entirely new idea of hardware-based discrete content sensitive pattern matching. Based on the results of the algorithm evaluation and performance analysis, such a packet filtering system can achieve optimal functionality and efficiency, which makes network monitoring considerably easier.
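The abstract describes three things the filter does: keep a table of sensitive patterns, match the packet header and payload against it with a ternary (value/mask) memory, and execute the matched entry's action. The following is an added software model of that flow, written for this page and not taken from the paper; the paper's actual key layout, table format and hardware design are not described here. It assumes a 16-byte TCAM key made of three header bytes (IP protocol and destination port) plus a 13-byte payload window that slides over the payload, and it resolves multiple hits by lowest table index, as a TCAM priority encoder does. A "discrete" pattern is encoded as several fixed fragments with don't-care bytes between them, so the entry still matches when the bytes between the fragments vary.

```python
"""
Software model of TCAM-style ternary matching for deep packet filtering.

Added illustration only: not the algorithm, hardware or data structures of
the paper. Assumptions: KEY_WIDTH-byte lookup keys built from a 3-byte header
slice (protocol, destination port) plus a 13-byte payload window; entries are
(value, mask) byte pairs; the window slides across the payload; a lower table
index is a higher priority, as in a physical TCAM's priority encoder.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HDR_WIDTH = 3              # proto (1 byte) + destination port (2 bytes, big-endian)
PAYLOAD_WINDOW = 13        # hypothetical payload slice compared per lookup
KEY_WIDTH = HDR_WIDTH + PAYLOAD_WINDOW


@dataclass(frozen=True)
class TcamEntry:
    name: str
    value: bytes   # KEY_WIDTH bytes, compared only where mask is 0xFF
    mask: bytes    # 0xFF = byte must match, 0x00 = don't care
    action: str    # "drop", "alert" or "pass"


def make_entry(name: str, action: str, proto: Optional[int], dport: Optional[int],
               *pieces: Tuple[int, bytes]) -> TcamEntry:
    """Build one ternary entry. proto/dport of None are wildcards. Each piece is
    (offset within the payload window, fragment); bytes between pieces stay
    don't-care, which is how a discrete (non-contiguous) pattern is stored."""
    value, mask = bytearray(KEY_WIDTH), bytearray(KEY_WIDTH)
    if proto is not None:
        value[0], mask[0] = proto, 0xFF
    if dport is not None:
        value[1:3], mask[1:3] = dport.to_bytes(2, "big"), b"\xff\xff"
    for offset, fragment in pieces:
        start = HDR_WIDTH + offset
        if start + len(fragment) > KEY_WIDTH:
            raise ValueError(f"{name}: fragment {fragment!r} does not fit the window")
        value[start:start + len(fragment)] = fragment
        mask[start:start + len(fragment)] = b"\xff" * len(fragment)
    return TcamEntry(name, bytes(value), bytes(mask), action)


def tcam_lookup(table: List[TcamEntry], key: bytes) -> int:
    """Index of the highest-priority entry whose masked value equals the
    masked key, or -1. Hardware compares all entries in parallel; this loops."""
    for idx, e in enumerate(table):
        if all((k & m) == (v & m) for k, v, m in zip(key, e.value, e.mask)):
            return idx
    return -1


def filter_packet(table: List[TcamEntry], proto: int, dport: int, payload: bytes,
                  default: str = "pass"):
    """Slide the payload window over the packet, look each key up, and return
    (action, rule name, payload offset) for the best-priority hit, so a 'drop'
    rule stored above an 'alert' rule wins even if the alert matched earlier."""
    header = bytes([proto]) + dport.to_bytes(2, "big")
    padded = payload.ljust(PAYLOAD_WINDOW, b"\x00")   # short payloads still form one key
    best = None                                        # (table index, offset)
    for off in range(len(padded) - PAYLOAD_WINDOW + 1):
        idx = tcam_lookup(table, header + padded[off:off + PAYLOAD_WINDOW])
        if idx >= 0 and (best is None or idx < best[0]):
            best = (idx, off)
    if best is None:
        return default, None, None
    entry = table[best[0]]
    return entry.action, entry.name, best[1]


# Constructed sample table; position is priority, actions are illustrative.
RULES = [
    # discrete pattern: "../", four don't-care bytes, then "passwd", on HTTP only
    make_entry("traversal-passwd", "drop", 6, 80, (0, b"../"), (7, b"passwd")),
    # contiguous pattern at the window start, any TCP port
    make_entry("http-get", "alert", 6, None, (0, b"GET ")),
    # header-only entry: payload bytes are all don't-care
    make_entry("dns-query", "pass", 17, 53),
]

if __name__ == "__main__":
    # constructed packets, not captured traffic
    print(filter_packet(RULES, 6, 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0"))
    print(filter_packet(RULES, 6, 8080, b"GET /index.html HTTP/1.0"))
    print(filter_packet(RULES, 6, 80, b"POST /login HTTP/1.1"))
    print(filter_packet(RULES, 17, 53, b"\x12\x34\x01\x00"))
```

The first packet matches both the "http-get" entry (at offset 0) and the "traversal-passwd" entry (at offset 16, where the window reads `../etc/passwd`); because the drop entry sits higher in the table, the filter reports the drop. Swapping the two entries would change the outcome, which is the table-management point the abstract makes: update order matters as much as lookup.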
