Multilevel Pattern Matching Architecture for Network Intrusion Detection and Prevention System

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 4523)

Abstract

Pattern matching is one of the most performance-critical components of a network intrusion detection and prevention system and needs to be accelerated by carefully designed architectures. In this paper, we present a highly parameterized multilevel pattern matching architecture (MPM), which is implemented on FPGA and exploits redundant resources among patterns to reduce chip area. In practice, MPM can be partitioned into several pipelines to reach a high frequency. This paper also presents a pattern set compiler that generates RTL code for MPM from a given pattern set and predefined parameters. One MPM architecture is generated by our compiler from Snort rules on a Xilinx FPGA. The results show that MPM can achieve 4.3 Gbps throughput with only 0.22 slices per character, about one half of the chip area of the most area-efficient architecture in the literature. MPM can potentially be parameterized for more than 100 Gbps throughput.

Editor information

Yann-Hang Lee, Heung-Nam Kim, Jong Kim, Yongwan Park, Laurence T. Yang, Sung Won Kim

Copyright information

© 2007 Springer Berlin Heidelberg

About this paper

Cite this paper

Song, T., Tang, Z., Wang, D. (2007). Multilevel Pattern Matching Architecture for Network Intrusion Detection and Prevention System. In: Lee, YH., Kim, HN., Kim, J., Park, Y., Yang, L.T., Kim, S.W. (eds) Embedded Software and Systems. ICESS 2007. Lecture Notes in Computer Science, vol 4523. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-72685-2_56

  • DOI: https://doi.org/10.1007/978-3-540-72685-2_56

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-72684-5

  • Online ISBN: 978-3-540-72685-2

  • eBook Packages: Computer Science, Computer Science (R0)
