A pattern-matching co-processor for network intrusion detection systems

This paper explores the design and analysis of an FPGA module that implements pattern-matching functionality for the network intrusion detection problem. The specific features of the pattern-matcher include support for complex regular expressions and approximate matching with bounded substitutions, insertions, and deletions. A module generator is presented that utilizes non-deterministic finite automata to dynamically create efficient circuits for matching patterns specified with a standard rule language. The logic complexity and performance of the generated circuits are measured and analyzed. Results indicate our techniques yield circuits that are more than twice as dense as other reported designs, while maintaining the throughput necessary for processing at gigabit line speeds and beyond. The FPGA pattern-matching processor is integrated with other hardware and software components to form a complete network intrusion detection system.
