A parameterized multilevel pattern matching architecture on FPGAs for network intrusion detection and prevention

Science in China Series F: Information Sciences

Abstract

Pattern matching is one of the most performance-critical components of content-inspection-based network security applications such as network intrusion detection and prevention. To keep up with increasing network speeds, this component needs to be accelerated by a well-designed custom coprocessor. This paper presents a parameterized multilevel pattern matching architecture (MPM) for FPGAs. To reduce chip area, the architecture is built on selected character decoding (SCD) and a multilevel method, both of which are analyzed in detail. The paper also proposes an MPM generator that produces RTL-level code for an MPM from a given pattern set and predefined parameters; with the generator, an efficient MPM architecture can be generated and embedded in a complete hardware solution. The third contribution is a mathematical model and formula for estimating the chip area of each MPM before it is generated, which is useful for choosing the proper type of FPGA. One example MPM architecture is implemented for 1785 Snort patterns on a Xilinx Virtex 2 Pro FPGA. The results show that this MPM achieves 4.3 Gbps throughput with 5 pipeline stages and 0.22 slices per character, about one half the chip area of the most area-efficient architecture in the literature. Further results show that MPM is also efficient for general random pattern sets. The performance of MPM scales nearly linearly, with potential for more than 100 Gbps throughput.
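The abstract describes the two area-saving ideas only by name. The following software model, an added example that is not code from the paper or its MPM generator, shows the basic mechanism behind decoded-character matching on an FPGA: one byte of input arrives per clock cycle, a single decoder shared by all patterns turns that byte into one-hot strobes, and each pattern is a chain of registers that ANDs successive strobes. Selected character decoding is modelled by giving a comparator only to byte values that actually occur in the pattern set. The paper's multilevel structure and its area formula are not on this page and are not modelled; the class and function names, the constructed sample signatures and request line, and the naive resource count are all this example's own.

```python
"""
Cycle-level software model of a decoded-character pattern matcher
(example code, not the paper's MPM).  One input byte per step; a shared
decoder produces a one-hot strobe per selected character; every pattern
is a shift chain of flags that ANDs the strobe for position i with the
flag for position i-1 from the previous cycle.  Overlapping matches are
reported because the new flags are computed from the old ones.
"""
from typing import Dict, List, Tuple


def selected_alphabet(patterns: List[bytes]) -> List[int]:
    """Byte values that occur in at least one pattern.  In hardware each of
    these needs one 8-bit comparator in the shared decoder; the remaining
    256 - N values need none, which is where SCD saves area."""
    return sorted({c for p in patterns for c in p})


class DecodedPatternMatcher:
    def __init__(self, patterns: List[bytes]):
        if any(len(p) == 0 for p in patterns):
            raise ValueError("empty pattern")
        self.patterns = list(patterns)
        self.alphabet = selected_alphabet(self.patterns)
        # regs[k][i] is True when the first i+1 bytes of pattern k matched
        # the last i+1 input bytes (one flip-flop per pattern position).
        self.regs = [[False] * len(p) for p in self.patterns]

    def decode(self, byte: int) -> Dict[int, bool]:
        """Shared decoder: a strobe for each selected character only."""
        return {c: c == byte for c in self.alphabet}

    def step(self, byte: int) -> List[bytes]:
        """Advance one clock cycle; return the patterns that end at this byte."""
        hit = self.decode(byte)
        matched = []
        for k, p in enumerate(self.patterns):
            old = self.regs[k]
            new = [hit.get(c, False) and (i == 0 or old[i - 1])
                   for i, c in enumerate(p)]
            self.regs[k] = new
            if new[-1]:
                matched.append(p)
        return matched

    def scan(self, data: bytes) -> List[Tuple[int, bytes]]:
        """Stream data through the matcher; return (end_offset, pattern) pairs."""
        found = []
        for off, b in enumerate(data):
            for p in self.step(b):
                found.append((off, p))
        return found


def resource_estimate(patterns: List[bytes]) -> Dict[str, int]:
    """Naive comparator/stage count (this example's own heuristic, not the
    paper's area model): SCD decoder width vs. a full 256-way decoder, and
    the total number of per-pattern chain stages."""
    alphabet = selected_alphabet(patterns)
    return {
        "decoder_comparators_scd": len(alphabet),
        "decoder_comparators_full": 256,
        "pattern_stages": sum(len(p) for p in patterns),
    }


if __name__ == "__main__":
    # Constructed sample: three Snort-style content strings and one request line.
    sigs = [b"../", b"cmd.exe", b"/etc/passwd"]
    m = DecodedPatternMatcher(sigs)
    print(m.scan(b"GET /../cmd.exe HTTP/1.0"))   # [(7, b'../'), (14, b'cmd.exe')]
    print(resource_estimate(sigs))                 # 12 SCD comparators vs 256
```

Running the sample reports the two signatures at the offsets where they end, and the resource count shows why SCD matters: the three signatures together use 12 distinct byte values, so the shared decoder needs 12 comparators instead of 256, while the per-pattern cost stays at one stage per character. Throughput in this model is one byte per step, which is what makes multi-byte-per-cycle and pipelined variants, such as the 5-stage pipeline in the abstract, the route to higher line rates.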

Correspondence to Tian Song.

Additional information

Supported by the National Natural Science Foundation of China (Grant No. 60803002), and the Excellent Young Scholars Research Fund of Beijing Institute of Technology

Cite this article

Song, T., Wang, D. & Tang, Z. A parameterized multilevel pattern matching architecture on FPGAs for network intrusion detection and prevention. Sci. China Ser. F-Inf. Sci. 52, 949–963 (2009). https://doi.org/10.1007/s11432-009-0024-x