A CAM-based intrusion detection system for single-packet attack detection

Many telecommunications devices, such as network switches, contain content addressable memories (CAMs) for uses such as routing tables. CAMs, a class of associative memories, contain considerable logic for various forms of content matching and can be considered a class of reconfigurable logic engines. This paper demonstrates how a commercial ternary CAM and traditional RAM can be used with minimal additional logic to implement over 90% of the Snort 2.0 intrusion detection system (IDS) at line speeds of 1 Gb/s or higher. In addition to simple matching, the more sophisticated matching operations that Snort requires can be implemented through an iterative approach that leverages a post-processing action RAM. Additionally, a novel range encoding algorithm makes the range matching Snort requires feasible within the CAM, where other encodings either exceed the width provided by a CAM entry or require an excessive number of CAM entries to scale. The system was implemented for verification and performance evaluation in cycle-accurate simulation using SystemC.
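As an added illustration (not code from the paper, and not its range encoding, which the abstract does not describe), the following Python model shows the ternary-CAM-plus-action-RAM scheme the abstract outlines: each port range of a rule is expanded with the textbook prefix-expansion encoding, the prefixes of the two fields are cross-multiplied into ternary entries, and a lookup returns the action stored at the index of the highest-priority matching entry. It assumes 16-bit port fields, a 32-bit key of source port concatenated with destination port, a default action of "pass", and constructed rule names; counting the entries shows the blow-up that motivates a better encoding.

```python
def range_to_prefixes(lo, hi, width=16):
    """Expand the inclusive range [lo, hi] into ternary (value, mask) prefixes.
    A mask bit of 1 means the key bit must match; 0 means don't care.
    This is the standard prefix-expansion encoding, not the paper's own."""
    prefixes = []
    full = (1 << width) - 1
    while lo <= hi:
        # grow the largest aligned power-of-two block that starts at lo and fits
        size = 1
        while (lo & ((size << 1) - 1)) == 0 and lo + (size << 1) - 1 <= hi \
                and (size << 1) <= (1 << width):
            size <<= 1
        prefixes.append((lo, full & ~(size - 1)))
        lo += size
    return prefixes


class TcamIds:
    """Model of a priority-ordered ternary CAM with a parallel action RAM.
    Entry i in the CAM selects word i of the action RAM on a hit."""

    def __init__(self):
        self.entries = []     # (value, mask) pairs over a 32-bit key
        self.action_ram = []  # action_ram[i] belongs to entries[i]

    def add_rule(self, src_range, dst_range, action):
        """Install one rule; returns how many CAM entries it consumed
        (the cross product of the two fields' prefix lists)."""
        installed = 0
        for sv, sm in range_to_prefixes(*src_range):
            for dv, dm in range_to_prefixes(*dst_range):
                self.entries.append(((sv << 16) | dv, (sm << 16) | dm))
                self.action_ram.append(action)
                installed += 1
        return installed

    def lookup(self, src_port, dst_port):
        """One CAM cycle: every entry is compared in parallel and the lowest
        matching index wins; that index addresses the action RAM."""
        key = (src_port << 16) | dst_port
        for i, (value, mask) in enumerate(self.entries):
            if key & mask == value & mask:
                return self.action_ram[i]
        return "pass"  # assumed default when no entry matches


if __name__ == "__main__":
    cam = TcamIds()
    # constructed rules: ephemeral-to-ephemeral traffic, and anything to port 80
    print(cam.add_rule((1024, 65535), (1024, 65535), "alert:ephemeral"))  # 36 entries
    print(cam.add_rule((0, 65535), (80, 80), "alert:http"))               # 1 entry
    print(cam.lookup(40000, 50000), cam.lookup(40000, 80), cam.lookup(22, 22))
```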
