Abstract
Signature based network intrusion detection systems (NIDS) rely on an underlying string matching engine that inspects each network packet against a known malicious pattern database. Traditional static pattern descriptions may not efficiently represent sophisticated attack signatures. Recently, most NIDSs have adopted regular expressions such as Perl compatible regular expressions (PCREs) to describe an attack signature, especially for polymorphic worms. PCRE is a superset of traditional regular expression, in which no counters are involved. However, this overloads the performance of software-based NIDSs, causing a big portion of their execution time to be dedicated to pattern matching. Over the past decade, hardware acceleration for the pattern matching has been studied extensively and a marginal performance has been achieved. Among hardware approaches, FPGA-based acceleration engines provide great flexibility because new signatures can be compiled and programmed into their reconfigurable architecture. As more and more malicious signatures are discovered, it becomes harder to map a complete set of malicious signatures specified in PCREs to an FPGA chip. Even worse is that the counters used in PCREs typically take a great deal of hardware resources. Therefore, we propose a space efficient SelectRAM counter for PCREs that involve counting. The design takes advantage of components that consist of a configurable logic block, and thus optimizes space usage. A set of PCRE blocks has been built in hardware to implement PCREs used in Snort/Bro. Experimental results show that the proposed sheme outperforms existing designs by at least 5-fold. Performance results are reported in this paper.
This project is partially supported by the Center for Infrastructure Assurance and Security at UTSA and US Air Force under grant #26-0202-10.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Snort: Snort intrusion detection system (2007), http://snort.org
Bro: Intrusion detection system (2007), http://www.bro-ids.org
PCRE: Perl compatible regular expressions (2007), http://www.pcre.org
Lo, C.T.D., Tai, Y.G., Psarris, K., Hwang, W.J.: Super fast hardware string matching. In: Proc. of the 2006 IEEE International Conference on Field Programmable Technology, Bangkok, Thailand (December 2006)
Roan, H.C., Hwang, W.J., Lo, C.T.D.: Shift-or circuit for efficient network intrusion detection pattern matching. In: Proc. of the 16th International Conference on Field Programmable Logic and Applications (FPL 2006), Madrid, SPAIN (August 2006), pp. 785–790 (2006)
Aho, A., Sethi, R., Ullman, J.: Compilers - Principles, Techniques, and Tools, pp. 117–123 (1988)
Floyd, R., Ullman, J.: The compilation of regular expressions into integrated circuits. Journal of the ACM (JACM) 29, 603–622 (1982)
McNaughton, R., Yamada, H.: Regular expressions and state graphs for automata. IEEE Transactions on Electronic Computers 9, 39–47 (1960)
Hutchings, B.L., Franklin, R., Carver, D.: Assisting network intrusion detection with reconfigurable hardware. In: Porc. of the 10th Annual IEEE Symposium on Field-Programmable Custom Computing Machines (FCCM 2002), Napa, CA (April 2002), pp. 111–120 (2002)
Clark, C., Schimmel, D.: Scalable parallel pattern-matching on high-speed networks. In: Proc. of IEEE Symposium on Field-Programmable Custom Computing Machines (2004)
Sutton, P.: Partial character decoding for improved regular expression matching in fpgas. In: Proceedings of IEEE International Conference on Field-Programmable Technology (FPT), pp. 25–32 (2004)
Lin, C.H., Huang, C.T., Jiang, C.P., Chang, S.C.: Optimization of regular expression pattern matching circuits on fpga. In: DATE 2006: Proceedings of the Conference on Design, Automation and Test in Europe, pp. 12–17 (2006)
Brodie, B., Taylor, D., Cytron, R.: A scalable architecture for high-throughput regular-expression pattern matching. In: the 33rd International Symposium on Computer Architecture (ISCA 2006), pp. 191–202 (2006)
Baker, Z., Prasanna, V., Jung, H.J.: Regular expression software deceleration for intrusion detection systems. In: The 16th International Conference on Field Programmable Logic and Applications (August 2006), pp. 1–8 (2006)
Yusuf, S., Luk, W., Szeto, M.K.N., Osborne, W.: Unite: Uniform hardware-based network intrusion detection engine. In: Reconfigurable Computing: Architectures and Applications, pp. 389–400 (2006)
Bispo, J., Sourdis, I., Cardoso, J., Vassiliadis, S.: Regular expression matching for reconfigurable packet inspection. In: Proc. of the 16th International Conference on Field Programmable Logic and Applications (FPL 2006), Madrid, SPAIN (August 2006), pp. 119–126 (2006)
Bispo, J., Sourdis, I., Cardoso, J., Vassiliadis, S.: Synthesis of regular expressions targeting fpgas: Current status and open issues. In: Reconfigurable Computing: Architectures, Tools and Applicatins (June 2007), pp. 179–190 (2007)
Moscola, J., Lockwood, J., Loui, R., Pachos, M.: Implementation of a content-scanning module for an internet firwall. In: Proc. of IEEE Workshop on FPGAs for Custom Computing Machines, Napa, CA (April 2003), pp. 31–38 (2003)
Sidhu, R., Prasanna, V.K.: Fast regular expression matching using fpgas. In: Proceedings of the IEEE Symposium on Field-Programmable Custom Computing Machines (April 2001), pp. 227–238 (2001)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Lo, CT.D., Tai, YG. (2008). Highly Space Efficient Counters for Perl Compatible Regular Expressions in FPGAs. In: Woods, R., Compton, K., Bouganis, C., Diniz, P.C. (eds) Reconfigurable Computing: Architectures, Tools and Applications. ARC 2008. Lecture Notes in Computer Science, vol 4943. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-78610-8_8
Download citation
DOI: https://doi.org/10.1007/978-3-540-78610-8_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-78609-2
Online ISBN: 978-3-540-78610-8
eBook Packages: Computer ScienceComputer Science (R0)