Efficient packet classification for network intrusion detection using FPGA

Using FPGA technology for real-time network intrusion detection has attracted considerable research effort recently. This paper presents a novel packet classification architecture, BV-TCAM, implemented for an FPGA-based Network Intrusion Detection System (NIDS). The classifier reports multiple matches at gigabit-per-second link rates; an NIDS needs all matching rules for a packet, not only the single highest-priority match that a router lookup returns. The BV-TCAM architecture combines a Ternary Content Addressable Memory (TCAM) with the Bit Vector (BV) algorithm to compress the rule representation and raise throughput. A tree-bitmap implementation of the BV algorithm performs the source- and destination-port lookups, while a TCAM matches the remaining header fields, which can be expressed as a prefix or an exact value. Because port ranges are handled by the BV lookup, the architecture eliminates the prefix expansion of port ranges that a TCAM-only design would require. With the aid of a small embedded TCAM, packet classification fits in a relatively small fraction of an FPGA's available logic. The design is prototyped and evaluated on a Xilinx XCV2000E FPGA on the FPX platform. Even with the most difficult rule set and packet inputs, the circuit sustains OC-48 (about 2.5 Gb/s) throughput; with larger and faster FPGAs, the system can run at speeds above OC-192 (about 10 Gb/s).
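As an added illustration, not code from the paper or its FPGA design, the following software model shows the data path the abstract describes: a ternary match on the prefix/exact header fields, a bit-vector (BV) lookup on each port range field, and a bitwise AND of the per-field vectors whose set bits are all matching rules. The rule set, rule names, addresses and field widths are constructed for the example; the paper stores the BV range tables in a tree bitmap, which this model replaces with a sorted endpoint list and binary search. The `range_to_prefixes` helper is also an addition, included to show what prefix expansion of a port range would cost in TCAM entries.

```python
"""Software model of a BV-TCAM style multi-match classifier (added example,
not the paper's hardware): a ternary match on prefix/exact fields, a bit-vector
range lookup on ports, and an AND of the per-field bit vectors."""
from bisect import bisect_right
from ipaddress import ip_address, ip_network

# Constructed rule set (illustrative names and values, not from the paper).
# Fields: name, src prefix, dst prefix, proto (None = any), sport range, dport range.
RULES = [
    ("tcp-log",   "0.0.0.0/0",      "0.0.0.0/0",    6,    (0, 65535), (0, 65535)),
    ("web",       "0.0.0.0/0",      "10.0.0.0/8",   6,    (0, 65535), (80, 80)),
    ("ephemeral", "0.0.0.0/0",      "10.0.0.0/8",   6,    (0, 65535), (1024, 65535)),
    ("dns",       "0.0.0.0/0",      "10.0.53.0/24", 17,   (0, 65535), (53, 53)),
    ("mgmt",      "192.168.1.0/24", "10.0.0.0/8",   None, (0, 65535), (22, 23)),
]

def tcam_entry(src, dst, proto):
    """One ternary word (value, mask) over src(32) | dst(32) | proto(8).
    Prefixes and exact values map directly; proto=None is all don't-care bits."""
    s, d = ip_network(src, strict=False), ip_network(dst, strict=False)
    value = (int(s.network_address) << 40) | (int(d.network_address) << 8) | (proto or 0)
    mask = (int(s.netmask) << 40) | (int(d.netmask) << 8) | (0xFF if proto is not None else 0)
    return value, mask

def tcam_lookup(entries, src, dst, proto):
    """Multi-match TCAM: every entry whose masked bits equal the key sets its bit,
    rather than only the highest-priority entry as in a routing TCAM."""
    key = (int(ip_address(src)) << 40) | (int(ip_address(dst)) << 8) | proto
    bv = 0
    for i, (value, mask) in enumerate(entries):
        if key & mask == value:
            bv |= 1 << i
    return bv

def build_range_bv(ranges, width=16):
    """BV algorithm for one range field: project all endpoints onto the axis and
    precompute, for each elementary interval, the bit vector of rules covering it.
    The paper stores this in a tree bitmap; a sorted list with bisect is enough here."""
    top = (1 << width) - 1
    points = sorted({0} | {lo for lo, _ in ranges} | {hi + 1 for _, hi in ranges if hi < top})
    vectors = []
    for p in points:                       # elementary interval [p, next point - 1]
        bv = 0
        for i, (lo, hi) in enumerate(ranges):
            if lo <= p <= hi:              # endpoints align, so covering p covers the interval
                bv |= 1 << i
        vectors.append(bv)
    return points, vectors

def range_lookup(table, port):
    """Find the elementary interval containing the port and return its bit vector."""
    points, vectors = table
    return vectors[bisect_right(points, port) - 1]

def range_to_prefixes(lo, hi, width=16):
    """Minimal prefix cover of [lo, hi]: what prefix expansion would cost if the
    port ranges were pushed into the TCAM instead of the BV lookup."""
    cover = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        cover.append((lo, width - (size.bit_length() - 1)))  # (value, prefix length)
        lo += size
    return cover

TCAM = [tcam_entry(src, dst, proto) for _, src, dst, proto, _, _ in RULES]
SPORT = build_range_bv([r[4] for r in RULES])
DPORT = build_range_bv([r[5] for r in RULES])

def classify(src, dst, proto, sport, dport):
    """AND the per-field bit vectors; every set bit is a matching rule (multi-match)."""
    bv = (tcam_lookup(TCAM, src, dst, proto)
          & range_lookup(SPORT, sport)
          & range_lookup(DPORT, dport))
    return [RULES[i][0] for i in range(len(RULES)) if bv >> i & 1]

if __name__ == "__main__":
    print(classify("192.168.1.5", "10.0.0.7", 6, 40000, 80))                 # ['tcp-log', 'web']
    print(len(range_to_prefixes(1024, 65535)), len(range_to_prefixes(1, 1023)))  # 6 10
```

Running the block classifies a constructed TCP packet to port 80 and reports two rules at once, which a first-match-only TCAM would hide. The prefix-cover helper shows why the ports are kept out of the TCAM: the ephemeral range 1024-65535 alone costs six TCAM entries and 1-1023 costs ten, whereas the BV table answers either range with one interval lookup.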