Abstract
Pattern matching is one of the most performance critical components in network intrusion detection and prevention system, which needs to be accelerated by carefully designed architectures. In this paper, we present a highly parameterized multilevel pattern matching architecture (MPM), which is implemented on FPGA by exploiting redundant resources among patterns for less chip area. In practice, MPM can be partitioned to several pipelines for high frequency. This paper also presents a pattern set compiler that can generate RTL codes of MPM with the given pattern set and predefined parameters. One MPM architecture is generated by our compiler based on Snort rules on Xilinx FPGA. The results show that MPM can achieve 4.3Gbps throughput with only 0.22 slices per character, about one half chip area than the most area-efficient architecture in literature. MPM can be parameterized potential for more than 100 Gbps throughput.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Roesch, M.: Snort - Lightweight Intrusion Detection for Networks. In: USENIX LISA Conference (1999)
Xilinx: http://www.xilinx.com
Fisk, M., Varghese, G.: An analysis of fast string matching applied to content-based forwarding and intrusion detection. Techical Report CS2001- 0670, University of California, San Diego (2002)
Dharmapurikar, S., et al.: Implementation of a Deep Packet Inspection Circuit using Parallel Bloom Filters in Reconfigurable Hardware. In: Hot Interconnects (2003)
Sidhu, R., Prasanna, V.K.: Fast Regular Expression Matching using FPGAs. In: Proceedings of 9th IEEE Symposium on Field-Programmable Custom Computing Machines (April 2001)
Sourdis, I., Pnevmatikatos, D.: Pre-decoded CAMs for Efficient and High-Speed NIDS Pattern Matching. In: IEEE Symposium on Field- Programmable Custom Computing Machines (2004)
Sourdis, I., Pnevmatikatos, D.: Fast, Large-Scale string matching for a 10Gbps FPGA-based network intrusion detection system. In: Y. K. Cheung, P., Constantinides, G.A. (eds.) FPL 2003. LNCS, vol. 2778, Springer, Heidelberg (2003)
Clark, C.R., Schimmel, D.E.: Scalable Pattern Matching for High Speed Networks. In: IEEE Symposium on Field-Programmable Custom Computing Machines, Napa, CA, USA (April 2004)
Cho, Y.H., Mangione-Smith, W.H.: Deep packet filter with dedicated logic and read only memories. In: IEEE Symposium on Field-Programmable Custom Computing Machines, USA (2004)
Sutton, P.: Partial Character Decoding for Improved Regular Expression Matching in FPGAs. In: Proceedings of International Conference on Field-Programmable Technology (2004)
Clark, C., Lee, W., et al.: A Hardware Platform for Network Intrusion Detection and Prevention. In: Proceedings of 3rd Workshop on Network Processors and Applications, Spain (February 2004)
Dharmapurikar, S., Krishnamurthy, P., et al.: Deep packet inspection using bloom filters. In: Hot Interconnects, Stanford (August 2003)
Sidhu, R., Prasanna, V.K.: Fast Regular Expression Matching using FPGAs. In: IEEE Symposium on Field-Programmable Custom Computing Machines, Napa Valley, CA, April 2001, IEEE Computer Society Press, Los Alamitos (2001)
Moscola, J., Lockwood, J., Loui, R.P., Pachos, M.: Implementation of a content-scanning module for an internet firewall. In: IEEE Symposium on Field- Programmable Custom Computing Machines, Napa, CA, USA (April 2003)
Song, T., Zhang, W., Tang, Z., Wang, D.: Alphabet Based Selected Character Decoding for Area Efficient Pattern Matching Architecture on FPGAs. In: The 2nd International Conference on Embedded Software and Systems (ICESS-05), Xian, P.R.China (2005)
van Lunteren, J.: High-Performance Pattern-Matching for Intrusion Detection. In: 25th Conference of IEEE INFOCOM (Apr. 2006)
Tan, L., Sherwood, T.: A High Throughput String Matching Architecture for Intrusion Detection and Prevention. In: 32nd Annual ISCA (June 2005)
Boyer, R.S., Moore, J.S.: A Fast String Searching Algorithm. Communications of the ACM 20(10), 762–772 (1977)
Knuth, D.E., Morris, J.H., Pratt, V.R.: Fast pattern matching in strings. SIAM Journal on Computing 6(1), 323–350 (1977)
Aho, A., Corasick, M.: Efficient string matching: An aid to bibliographic search. Communications of the ACM 18(6), 333–343 (1975)
Wu, S., Manber, U.: A fast algorithm for multi-pattern searching. Tech. Rep. TR94-17, Department of Computer Science, University of Arizona (May 1994)
Baker, Z.K., Prasanna, V.K.: High-throughput linked-pattern matching for intrusion detection systems. In: Symposium on Architecture for Networking and Communications Systems, ANCS (Oct. 2005)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer Berlin Heidelberg
About this paper
Cite this paper
Song, T., Tang, Z., Wang, D. (2007). Multilevel Pattern Matching Architecture for Network Intrusion Detection and Prevention System. In: Lee, YH., Kim, HN., Kim, J., Park, Y., Yang, L.T., Kim, S.W. (eds) Embedded Software and Systems. ICESS 2007. Lecture Notes in Computer Science, vol 4523. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-72685-2_56
Download citation
DOI: https://doi.org/10.1007/978-3-540-72685-2_56
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-72684-5
Online ISBN: 978-3-540-72685-2
eBook Packages: Computer ScienceComputer Science (R0)